summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
Diffstat (limited to 'source3')
-rw-r--r--source3/Makefile.in3
-rw-r--r--source3/include/rpc_secdes.h1
-rw-r--r--source3/lib/secace.c293
-rw-r--r--source3/lib/util_nttoken.c16
4 files changed, 18 insertions, 295 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index d957d70edb..30990f4c54 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -370,7 +370,8 @@ LIB_OBJ = $(LIBSAMBAUTIL_OBJ) $(UTIL_OBJ) $(CRYPTO_OBJ) \
lib/adt_tree.o lib/gencache.o \
lib/module.o lib/events.o @LIBTEVENT_OBJ0@ \
lib/ldap_escape.o @CHARSET_STATIC@ \
- lib/secdesc.o lib/util_seaccess.o lib/secace.o lib/secacl.o \
+ lib/secdesc.o lib/util_seaccess.o ../libcli/security/secace.o \
+ lib/secacl.o \
libads/krb5_errs.o lib/system_smbd.o lib/audit.o $(LIBNDR_OBJ) \
lib/file_id.o lib/idmap_cache.o \
../libcli/security/dom_sid.o
diff --git a/source3/include/rpc_secdes.h b/source3/include/rpc_secdes.h
index 4bf0d9cb9d..37f7464a4a 100644
--- a/source3/include/rpc_secdes.h
+++ b/source3/include/rpc_secdes.h
@@ -69,7 +69,6 @@
/* SEC_ACE */
typedef struct security_ace SEC_ACE;
-#define SEC_ACE_HEADER_SIZE (2 * sizeof(uint8) + sizeof(uint16) + sizeof(uint32))
#ifndef ACL_REVISION
#define ACL_REVISION 0x3
diff --git a/source3/lib/secace.c b/source3/lib/secace.c
deleted file mode 100644
index 878fac252b..0000000000
--- a/source3/lib/secace.c
+++ /dev/null
@@ -1,293 +0,0 @@
-/*
- * Unix SMB/Netbios implementation.
- * SEC_ACE handling functions
- * Copyright (C) Andrew Tridgell 1992-1998,
- * Copyright (C) Jeremy R. Allison 1995-2003.
- * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
- * Copyright (C) Paul Ashton 1997-1998.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, see <http://www.gnu.org/licenses/>.
- */
-
-#include "includes.h"
-
-/*******************************************************************
- Check if ACE has OBJECT type.
-********************************************************************/
-
-bool sec_ace_object(uint8 type)
-{
- if (type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
- type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT ||
- type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT ||
- type == SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT) {
- return True;
- }
- return False;
-}
-
-/*******************************************************************
- copy a SEC_ACE structure.
-********************************************************************/
-void sec_ace_copy(SEC_ACE *ace_dest, SEC_ACE *ace_src)
-{
- ace_dest->type = ace_src->type;
- ace_dest->flags = ace_src->flags;
- ace_dest->size = ace_src->size;
- ace_dest->access_mask = ace_src->access_mask;
- ace_dest->object = ace_src->object;
- sid_copy(&ace_dest->trustee, &ace_src->trustee);
-}
-
-/*******************************************************************
- Sets up a SEC_ACE structure.
-********************************************************************/
-
-void init_sec_ace(SEC_ACE *t, const DOM_SID *sid, enum security_ace_type type,
- uint32_t mask, uint8 flag)
-{
- t->type = type;
- t->flags = flag;
- t->size = ndr_size_dom_sid(sid, NULL, 0) + 8;
- t->access_mask = mask;
-
- ZERO_STRUCTP(&t->trustee);
- sid_copy(&t->trustee, sid);
-}
-
-/*******************************************************************
- adds new SID with its permissions to ACE list
-********************************************************************/
-
-NTSTATUS sec_ace_add_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, unsigned *num, DOM_SID *sid, uint32 mask)
-{
- unsigned int i = 0;
-
- if (!ctx || !pp_new || !old || !sid || !num) return NT_STATUS_INVALID_PARAMETER;
-
- *num += 1;
-
- if((pp_new[0] = TALLOC_ZERO_ARRAY(ctx, SEC_ACE, *num )) == 0)
- return NT_STATUS_NO_MEMORY;
-
- for (i = 0; i < *num - 1; i ++)
- sec_ace_copy(&(*pp_new)[i], &old[i]);
-
- (*pp_new)[i].type = SEC_ACE_TYPE_ACCESS_ALLOWED;
- (*pp_new)[i].flags = 0;
- (*pp_new)[i].size = SEC_ACE_HEADER_SIZE + ndr_size_dom_sid(sid, NULL, 0);
- (*pp_new)[i].access_mask = mask;
- sid_copy(&(*pp_new)[i].trustee, sid);
- return NT_STATUS_OK;
-}
-
-/*******************************************************************
- modify SID's permissions at ACL
-********************************************************************/
-
-NTSTATUS sec_ace_mod_sid(SEC_ACE *ace, size_t num, DOM_SID *sid, uint32 mask)
-{
- unsigned int i = 0;
-
- if (!ace || !sid) return NT_STATUS_INVALID_PARAMETER;
-
- for (i = 0; i < num; i ++) {
- if (sid_compare(&ace[i].trustee, sid) == 0) {
- ace[i].access_mask = mask;
- return NT_STATUS_OK;
- }
- }
- return NT_STATUS_NOT_FOUND;
-}
-
-/*******************************************************************
- delete SID from ACL
-********************************************************************/
-
-NTSTATUS sec_ace_del_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, uint32 *num, DOM_SID *sid)
-{
- unsigned int i = 0;
- unsigned int n_del = 0;
-
- if (!ctx || !pp_new || !old || !sid || !num) return NT_STATUS_INVALID_PARAMETER;
-
- if (*num) {
- if((pp_new[0] = TALLOC_ZERO_ARRAY(ctx, SEC_ACE, *num )) == 0)
- return NT_STATUS_NO_MEMORY;
- } else {
- pp_new[0] = NULL;
- }
-
- for (i = 0; i < *num; i ++) {
- if (sid_compare(&old[i].trustee, sid) != 0)
- sec_ace_copy(&(*pp_new)[i], &old[i]);
- else
- n_del ++;
- }
- if (n_del == 0)
- return NT_STATUS_NOT_FOUND;
- else {
- *num -= n_del;
- return NT_STATUS_OK;
- }
-}
-
-/*******************************************************************
- Compares two SEC_ACE structures
-********************************************************************/
-
-bool sec_ace_equal(SEC_ACE *s1, SEC_ACE *s2)
-{
- /* Trivial case */
-
- if (!s1 && !s2) {
- return True;
- }
-
- if (!s1 || !s2) {
- return False;
- }
-
- /* Check top level stuff */
-
- if (s1->type != s2->type || s1->flags != s2->flags ||
- s1->access_mask != s2->access_mask) {
- return False;
- }
-
- /* Check SID */
-
- if (!sid_equal(&s1->trustee, &s2->trustee)) {
- return False;
- }
-
- return True;
-}
-
-int nt_ace_inherit_comp( SEC_ACE *a1, SEC_ACE *a2)
-{
- int a1_inh = a1->flags & SEC_ACE_FLAG_INHERITED_ACE;
- int a2_inh = a2->flags & SEC_ACE_FLAG_INHERITED_ACE;
-
- if (a1_inh == a2_inh)
- return 0;
-
- if (!a1_inh && a2_inh)
- return -1;
- return 1;
-}
-
-/*******************************************************************
- Comparison function to apply the order explained below in a group.
-*******************************************************************/
-
-int nt_ace_canon_comp( SEC_ACE *a1, SEC_ACE *a2)
-{
- if ((a1->type == SEC_ACE_TYPE_ACCESS_DENIED) &&
- (a2->type != SEC_ACE_TYPE_ACCESS_DENIED))
- return -1;
-
- if ((a2->type == SEC_ACE_TYPE_ACCESS_DENIED) &&
- (a1->type != SEC_ACE_TYPE_ACCESS_DENIED))
- return 1;
-
- /* Both access denied or access allowed. */
-
- /* 1. ACEs that apply to the object itself */
-
- if (!(a1->flags & SEC_ACE_FLAG_INHERIT_ONLY) &&
- (a2->flags & SEC_ACE_FLAG_INHERIT_ONLY))
- return -1;
- else if (!(a2->flags & SEC_ACE_FLAG_INHERIT_ONLY) &&
- (a1->flags & SEC_ACE_FLAG_INHERIT_ONLY))
- return 1;
-
- /* 2. ACEs that apply to a subobject of the object, such as
- * a property set or property. */
-
- if (a1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT) &&
- !(a2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT)))
- return -1;
- else if (a2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT) &&
- !(a1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT)))
- return 1;
-
- return 0;
-}
-
-/*******************************************************************
- Functions to convert a SEC_DESC ACE DACL list into canonical order.
- JRA.
-
---- from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/order_of_aces_in_a_dacl.asp
-
-The following describes the preferred order:
-
- To ensure that noninherited ACEs have precedence over inherited ACEs,
- place all noninherited ACEs in a group before any inherited ACEs.
- This ordering ensures, for example, that a noninherited access-denied ACE
- is enforced regardless of any inherited ACE that allows access.
-
- Within the groups of noninherited ACEs and inherited ACEs, order ACEs according to ACE type, as the following shows:
- 1. Access-denied ACEs that apply to the object itself
- 2. Access-denied ACEs that apply to a subobject of the object, such as a property set or property
- 3. Access-allowed ACEs that apply to the object itself
- 4. Access-allowed ACEs that apply to a subobject of the object"
-
-********************************************************************/
-
-void dacl_sort_into_canonical_order(SEC_ACE *srclist, unsigned int num_aces)
-{
- unsigned int i;
-
- if (!srclist || num_aces == 0)
- return;
-
- /* Sort so that non-inherited ACE's come first. */
- qsort( srclist, num_aces, sizeof(srclist[0]), QSORT_CAST nt_ace_inherit_comp);
-
- /* Find the boundary between non-inherited ACEs. */
- for (i = 0; i < num_aces; i++ ) {
- SEC_ACE *curr_ace = &srclist[i];
-
- if (curr_ace->flags & SEC_ACE_FLAG_INHERITED_ACE)
- break;
- }
-
- /* i now points at entry number of the first inherited ACE. */
-
- /* Sort the non-inherited ACEs. */
- if (i)
- qsort( srclist, i, sizeof(srclist[0]), QSORT_CAST nt_ace_canon_comp);
-
- /* Now sort the inherited ACEs. */
- if (num_aces - i)
- qsort( &srclist[i], num_aces - i, sizeof(srclist[0]), QSORT_CAST nt_ace_canon_comp);
-}
-
-/*******************************************************************
- Check if this ACE has a SID in common with the token.
-********************************************************************/
-
-bool token_sid_in_ace(const NT_USER_TOKEN *token, const SEC_ACE *ace)
-{
- size_t i;
-
- for (i = 0; i < token->num_sids; i++) {
- if (sid_equal(&ace->trustee, &token->user_sids[i]))
- return True;
- }
-
- return False;
-}
diff --git a/source3/lib/util_nttoken.c b/source3/lib/util_nttoken.c
index 774ef498b7..76e7402422 100644
--- a/source3/lib/util_nttoken.c
+++ b/source3/lib/util_nttoken.c
@@ -115,3 +115,19 @@ NTSTATUS merge_nt_token(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
+
+/*******************************************************************
+ Check if this ACE has a SID in common with the token.
+********************************************************************/
+
+bool token_sid_in_ace(const NT_USER_TOKEN *token, const struct security_ace *ace)
+{
+ size_t i;
+
+ for (i = 0; i < token->num_sids; i++) {
+ if (sid_equal(&ace->trustee, &token->user_sids[i]))
+ return true;
+ }
+
+ return false;
+}