diff options
Diffstat (limited to 'source4/libcli')
-rw-r--r-- | source4/libcli/config.mk | 3 | ||||
-rw-r--r-- | source4/libcli/raw/rawacl.c | 1 | ||||
-rw-r--r-- | source4/libcli/security/config.mk | 18 | ||||
-rw-r--r-- | source4/libcli/security/dom_sid.c (renamed from source4/libcli/util/dom_sid.c) | 76 | ||||
-rw-r--r-- | source4/libcli/security/security_descriptor.c | 102 | ||||
-rw-r--r-- | source4/libcli/security/security_token.c | 56 |
6 files changed, 247 insertions, 9 deletions
diff --git a/source4/libcli/config.mk b/source4/libcli/config.mk index c931d061fb..e48e5b5066 100644 --- a/source4/libcli/config.mk +++ b/source4/libcli/config.mk @@ -6,8 +6,7 @@ ADD_OBJ_FILES = libcli/util/asn1.o \ libcli/util/clierror.o \ libcli/util/nterr.o \ libcli/util/smbdes.o \ - libcli/util/smbencrypt.o \ - libcli/util/dom_sid.o + libcli/util/smbencrypt.o [SUBSYSTEM::LIBCLI_NMB] ADD_OBJ_FILES = libcli/unexpected.o \ diff --git a/source4/libcli/raw/rawacl.c b/source4/libcli/raw/rawacl.c index 35c7ce2049..642d0ba72b 100644 --- a/source4/libcli/raw/rawacl.c +++ b/source4/libcli/raw/rawacl.c @@ -19,6 +19,7 @@ */ #include "includes.h" +#include "librpc/gen_ndr/ndr_security.h" #include "libcli/raw/libcliraw.h" /**************************************************************************** diff --git a/source4/libcli/security/config.mk b/source4/libcli/security/config.mk new file mode 100644 index 0000000000..908a993ce6 --- /dev/null +++ b/source4/libcli/security/config.mk @@ -0,0 +1,18 @@ +################################# +# Start SUBSYSTEM LIB_SECURITY_NDR +[SUBSYSTEM::LIB_SECURITY_NDR] +ADD_OBJ_FILES = librpc/gen_ndr/ndr_security.o +NOPROTO = YES +# End SUBSYSTEM LIB_SECURITY_NDR +################################# + +################################# +# Start SUBSYSTEM LIB_SECURITY +[SUBSYSTEM::LIB_SECURITY] +ADD_OBJ_FILES = libcli/security/security_token.o \ + libcli/security/security_descriptor.o \ + libcli/security/dom_sid.o \ + librpc/ndr/ndr_sec.o +REQUIRED_SUBSYSTEMS = LIB_SECURITY_NDR +# End SUBSYSTEM LIB_SECURITY +################################# diff --git a/source4/libcli/util/dom_sid.c b/source4/libcli/security/dom_sid.c index 1faf3debab..701fa88017 100644 --- a/source4/libcli/util/dom_sid.c +++ b/source4/libcli/security/dom_sid.c @@ -1,10 +1,12 @@ /* Unix SMB/CIFS implementation. - - routines to manipulate a "struct dom_sid" - - Copyright (C) Andrew Tridgell 2004 - + Samba utility functions + Copyright (C) Andrew Tridgell 1992-2004 + Copyright (C) Luke Kenneth Caseson Leighton 1998-1999 + Copyright (C) Jeremy Allison 1999 + Copyright (C) Stefan (metze) Metzmacher 2002-2004 + Copyright (C) Simo Sorce 2002 + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or @@ -21,6 +23,67 @@ */ #include "includes.h" +#include "librpc/gen_ndr/ndr_security.h" + +/***************************************************************** + Compare the auth portion of two sids. +*****************************************************************/ + +static int dom_sid_compare_auth(const struct dom_sid *sid1, const struct dom_sid *sid2) +{ + int i; + + if (sid1 == sid2) + return 0; + if (!sid1) + return -1; + if (!sid2) + return 1; + + if (sid1->sid_rev_num != sid2->sid_rev_num) + return sid1->sid_rev_num - sid2->sid_rev_num; + + for (i = 0; i < 6; i++) + if (sid1->id_auth[i] != sid2->id_auth[i]) + return sid1->id_auth[i] - sid2->id_auth[i]; + + return 0; +} + +/***************************************************************** + Compare two sids. +*****************************************************************/ + +static int dom_sid_compare(const struct dom_sid *sid1, const struct dom_sid *sid2) +{ + int i; + + if (sid1 == sid2) + return 0; + if (!sid1) + return -1; + if (!sid2) + return 1; + + /* Compare most likely different rids, first: i.e start at end */ + if (sid1->num_auths != sid2->num_auths) + return sid1->num_auths - sid2->num_auths; + + for (i = sid1->num_auths-1; i >= 0; --i) + if (sid1->sub_auths[i] != sid2->sub_auths[i]) + return sid1->sub_auths[i] - sid2->sub_auths[i]; + + return dom_sid_compare_auth(sid1, sid2); +} + +/***************************************************************** + Compare two sids. +*****************************************************************/ + +BOOL dom_sid_equal(const struct dom_sid *sid1, const struct dom_sid *sid2) +{ + return dom_sid_compare(sid1, sid2) == 0; +} /* convert a dom_sid to a string @@ -124,7 +187,7 @@ struct dom_sid *dom_sid_parse_talloc(TALLOC_CTX *mem_ctx, const char *sidstr) /* convert a string to a dom_sid, returning a talloc'd dom_sid */ -struct dom_sid *dom_sid_dup(TALLOC_CTX *mem_ctx, struct dom_sid *dom_sid) +struct dom_sid *dom_sid_dup(TALLOC_CTX *mem_ctx, const struct dom_sid *dom_sid) { struct dom_sid *ret; int i; @@ -177,4 +240,3 @@ struct dom_sid *dom_sid_add_rid(TALLOC_CTX *mem_ctx, sid->num_auths++; return sid; } - diff --git a/source4/libcli/security/security_descriptor.c b/source4/libcli/security/security_descriptor.c new file mode 100644 index 0000000000..255836066a --- /dev/null +++ b/source4/libcli/security/security_descriptor.c @@ -0,0 +1,102 @@ +/* + Unix SMB/CIFS implementation. + + security descriptror utility functions + + Copyright (C) Andrew Tridgell 2004 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" +#include "librpc/gen_ndr/ndr_security.h" + +/* + return a blank security descriptor (no owners, dacl or sacl) +*/ +struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx) +{ + struct security_descriptor *sd; + + sd = talloc_p(mem_ctx, struct security_descriptor); + if (!sd) { + return NULL; + } + + sd->revision = SD_REVISION; + /* we mark as self relative, even though it isn't while it remains + a pointer in memory because this simplifies the ndr code later. + All SDs that we store/emit are in fact SELF_RELATIVE + */ + sd->type = SEC_DESC_SELF_RELATIVE; + + sd->owner_sid = NULL; + sd->group_sid = NULL; + sd->sacl = NULL; + sd->dacl = NULL; + + return sd; +} + +/* + talloc and copy a security descriptor + */ +struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx, + const struct security_descriptor *osd) +{ + struct security_descriptor *nsd; + + /* FIXME */ + DEBUG(1, ("security_descriptor_copy(): sorry unimplemented yet\n")); + nsd = NULL; + + return nsd; +} + +NTSTATUS security_check_dacl(struct security_token *st, struct security_descriptor *sd, uint32 access_mask) +{ + size_t i,y; + NTSTATUS status = NT_STATUS_ACCESS_DENIED; + + DEBUG(1, ("security_check_dacl(): sorry untested yet\n")); + return status; + + if (!sd->dacl) { + return NT_STATUS_INVALID_ACL; + } + + for (i=0; i < st->num_sids; i++) { + for (y=0; y < sd->dacl->num_aces; y++) { + if (dom_sid_equal(&st->sids[i], &sd->dacl->aces[y].trustee)) { + switch (sd->dacl->aces[y].type) { + case SEC_ACE_TYPE_ACCESS_ALLOWED: + if (access_mask & sd->dacl->aces[y].access_mask) { + status = NT_STATUS_OK; + } + break; + case SEC_ACE_TYPE_ACCESS_DENIED: + if (access_mask & sd->dacl->aces[y].access_mask) { + return NT_STATUS_ACCESS_DENIED; + } + break; + default: + return NT_STATUS_INVALID_ACL; + } + } + } + } + + return status; +} diff --git a/source4/libcli/security/security_token.c b/source4/libcli/security/security_token.c new file mode 100644 index 0000000000..9e26f5a385 --- /dev/null +++ b/source4/libcli/security/security_token.c @@ -0,0 +1,56 @@ +/* + Unix SMB/CIFS implementation. + + security descriptror utility functions + + Copyright (C) Andrew Tridgell 2004 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" +#include "librpc/gen_ndr/ndr_security.h" + +/* + return a blank security descriptor (no owners, dacl or sacl) +*/ +struct security_token *security_token_initialise(TALLOC_CTX *mem_ctx) +{ + struct security_token *st; + + st = talloc_p(mem_ctx, struct security_token); + if (!st) { + return NULL; + } + + st->flags = 0; + + st->user_sid = NULL; + st->group_sid = NULL; + st->logon_sid = NULL; + + st->num_sids = 0; + st->sids = NULL; + + st->num_restricted_sids = 0; + st->restricted_sids = NULL; + + st->num_privileges = 0; + st->privileges = NULL; + + st->dacl = NULL; + + return st; +} |