diff options
Diffstat (limited to 'source4/libcli/security/security_descriptor.c')
-rw-r--r-- | source4/libcli/security/security_descriptor.c | 128 |
1 files changed, 126 insertions, 2 deletions
diff --git a/source4/libcli/security/security_descriptor.c b/source4/libcli/security/security_descriptor.c index 255836066a..671174a824 100644 --- a/source4/libcli/security/security_descriptor.c +++ b/source4/libcli/security/security_descriptor.c @@ -54,7 +54,7 @@ struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx) talloc and copy a security descriptor */ struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx, - const struct security_descriptor *osd) + const struct security_descriptor *osd) { struct security_descriptor *nsd; @@ -65,7 +65,9 @@ struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx, return nsd; } -NTSTATUS security_check_dacl(struct security_token *st, struct security_descriptor *sd, uint32 access_mask) +NTSTATUS security_check_dacl(struct security_token *st, + struct security_descriptor *sd, + uint32 access_mask) { size_t i,y; NTSTATUS status = NT_STATUS_ACCESS_DENIED; @@ -100,3 +102,125 @@ NTSTATUS security_check_dacl(struct security_token *st, struct security_descript return status; } + + +/* + add an ACE to the DACL of a security_descriptor +*/ +NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd, + struct security_ace *ace) +{ + if (sd->dacl == NULL) { + sd->dacl = talloc_p(sd, struct security_acl); + if (sd->dacl == NULL) { + return NT_STATUS_NO_MEMORY; + } + sd->dacl->revision = SD_REVISION; + sd->dacl->size = 0; + sd->dacl->num_aces = 0; + sd->dacl->aces = NULL; + } + + sd->dacl->aces = talloc_realloc_p(sd->dacl, sd->dacl->aces, + struct security_ace, sd->dacl->num_aces+1); + if (sd->dacl->aces == NULL) { + return NT_STATUS_NO_MEMORY; + } + + sd->dacl->aces[sd->dacl->num_aces] = *ace; + sd->dacl->aces[sd->dacl->num_aces].trustee.sub_auths = + talloc_memdup(sd->dacl->aces, + sd->dacl->aces[sd->dacl->num_aces].trustee.sub_auths, + sizeof(uint32_t) * + sd->dacl->aces[sd->dacl->num_aces].trustee.num_auths); + if (sd->dacl->aces[sd->dacl->num_aces].trustee.sub_auths == NULL) { + return NT_STATUS_NO_MEMORY; + } + + sd->dacl->num_aces++; + + return NT_STATUS_OK; +} + + +/* + delete the ACE corresponding to the given trustee in the DACL of a security_descriptor +*/ +NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd, + struct dom_sid *trustee) +{ + int i; + + if (sd->dacl == NULL) { + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + } + + for (i=0;i<sd->dacl->num_aces;i++) { + if (dom_sid_equal(trustee, &sd->dacl->aces[i].trustee)) { + memmove(&sd->dacl->aces[i], &sd->dacl->aces[i+1], + sizeof(sd->dacl->aces[i]) * (sd->dacl->num_aces - (i+1))); + sd->dacl->num_aces--; + if (sd->dacl->num_aces == 0) { + sd->dacl->aces = NULL; + } + return NT_STATUS_OK; + } + } + return NT_STATUS_OBJECT_NAME_NOT_FOUND; +} + + +/* + compare two security ace structures +*/ +BOOL security_ace_equal(const struct security_ace *ace1, + const struct security_ace *ace2) +{ + if (ace1 == ace2) return True; + if (!ace1 || !ace2) return False; + if (ace1->type != ace2->type) return False; + if (ace1->flags != ace2->flags) return False; + if (ace1->access_mask != ace2->access_mask) return False; + if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) return False; + + return True; +} + + +/* + compare two security acl structures +*/ +BOOL security_acl_equal(const struct security_acl *acl1, + const struct security_acl *acl2) +{ + int i; + + if (acl1 == acl2) return True; + if (!acl1 || !acl2) return False; + if (acl1->revision != acl2->revision) return False; + if (acl1->num_aces != acl2->num_aces) return False; + + for (i=0;i<acl1->num_aces;i++) { + if (!security_ace_equal(&acl1->aces[i], &acl2->aces[i])) return False; + } + return True; +} + +/* + compare two security descriptors. +*/ +BOOL security_descriptor_equal(const struct security_descriptor *sd1, + const struct security_descriptor *sd2) +{ + if (sd1 == sd2) return True; + if (!sd1 || !sd2) return False; + if (sd1->revision != sd2->revision) return False; + if (sd1->type != sd2->type) return False; + + if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return False; + if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return False; + if (!security_acl_equal(sd1->sacl, sd2->sacl)) return False; + if (!security_acl_equal(sd1->dacl, sd2->dacl)) return False; + + return True; +} |