summaryrefslogtreecommitdiff
path: root/source4/libcli/security
diff options
context:
space:
mode:
Diffstat (limited to 'source4/libcli/security')
-rw-r--r--source4/libcli/security/sddl.c45
1 files changed, 42 insertions, 3 deletions
diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c
index 7ae7d83839..a1b8346969 100644
--- a/source4/libcli/security/sddl.c
+++ b/source4/libcli/security/sddl.c
@@ -146,7 +146,6 @@ static const struct flag_map ace_flags[] = {
};
static const struct flag_map ace_access_mask[] = {
- { "RC", SEC_STD_READ_CONTROL },
{ "RP", SEC_ADS_READ_PROP },
{ "WP", SEC_ADS_WRITE_PROP },
{ "CR", SEC_ADS_CONTROL_ACCESS },
@@ -154,6 +153,7 @@ static const struct flag_map ace_access_mask[] = {
{ "DC", SEC_ADS_DELETE_CHILD },
{ "LC", SEC_ADS_LIST },
{ "LO", SEC_ADS_LIST_OBJECT },
+ { "RC", SEC_STD_READ_CONTROL },
{ "WO", SEC_STD_WRITE_OWNER },
{ "WD", SEC_STD_WRITE_DAC },
{ "SD", SEC_STD_DELETE },
@@ -408,6 +408,33 @@ failed:
static char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
struct dom_sid *domain_sid)
{
+ int i;
+ char *sidstr;
+
+ sidstr = dom_sid_string(mem_ctx, sid);
+ if (sidstr == NULL) return NULL;
+
+ /* seen if its a well known sid */
+ for (i=0;sid_codes[i].sid;i++) {
+ if (strcmp(sidstr, sid_codes[i].sid) == 0) {
+ talloc_free(sidstr);
+ return talloc_strdup(mem_ctx, sid_codes[i].code);
+ }
+ }
+
+ /* or a well known rid in our domain */
+ if (dom_sid_in_domain(domain_sid, sid)) {
+ uint32_t rid = sid->sub_auths[sid->num_auths-1];
+ for (;i<ARRAY_SIZE(sid_codes);i++) {
+ if (rid == sid_codes[i].rid) {
+ talloc_free(sidstr);
+ return talloc_strdup(mem_ctx, sid_codes[i].code);
+ }
+ }
+ }
+
+ talloc_free(sidstr);
+
/* TODO: encode well known sids as two letter codes */
return dom_sid_string(mem_ctx, sid);
}
@@ -435,11 +462,23 @@ static char *sddl_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace
s_mask = sddl_flags_to_string(tmp_ctx, ace_access_mask, ace->access_mask, True);
if (s_mask == NULL) goto failed;
- s_object = GUID_string(tmp_ctx, &ace->object.object.type.type);
+ if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
+ ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT ||
+ ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT ||
+ ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT) {
+ if (!GUID_all_zero(&ace->object.object.type.type)) {
+ s_object = GUID_string(tmp_ctx, &ace->object.object.type.type);
+ if (s_object == NULL) goto failed;
+ }
- s_iobject = GUID_string(tmp_ctx, &ace->object.object.inherited_type.inherited_type);
+ if (!GUID_all_zero(&ace->object.object.inherited_type.inherited_type)) {
+ s_iobject = GUID_string(tmp_ctx, &ace->object.object.inherited_type.inherited_type);
+ if (s_iobject == NULL) goto failed;
+ }
+ }
s_trustee = sddl_encode_sid(tmp_ctx, &ace->trustee, domain_sid);
+ if (s_trustee == NULL) goto failed;
sddl = talloc_asprintf(mem_ctx, "%s;%s;%s;%s;%s;%s",
s_type, s_flags, s_mask, s_object, s_iobject, s_trustee);