diff options
Diffstat (limited to 'source4')
-rw-r--r-- | source4/libcli/security/sddl.c | 170 | ||||
-rw-r--r-- | source4/torture/local/sddl.c | 22 |
2 files changed, 191 insertions, 1 deletions
diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c index fa0e15a7b6..7ae7d83839 100644 --- a/source4/libcli/security/sddl.c +++ b/source4/libcli/security/sddl.c @@ -263,6 +263,8 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd, struct security_acl *acl; size_t len; + *flags = 0; + acl = talloc_zero(sd, struct security_acl); if (acl == NULL) return NULL; acl->revision = SECURITY_ACL_REVISION_NT4; @@ -361,3 +363,171 @@ failed: talloc_free(sd); return NULL; } + +/* + turn a set of flags into a string +*/ +static char *sddl_flags_to_string(TALLOC_CTX *mem_ctx, const struct flag_map *map, + uint32_t flags, BOOL check_all) +{ + int i; + char *s; + + /* try to find an exact match */ + for (i=0;map[i].name;i++) { + if (map[i].flag == flags) { + return talloc_strdup(mem_ctx, map[i].name); + } + } + + s = talloc_strdup(mem_ctx, ""); + + /* now by bits */ + for (i=0;map[i].name;i++) { + if ((flags & map[i].flag) != 0) { + s = talloc_asprintf_append(s, "%s", map[i].name); + if (s == NULL) goto failed; + flags &= ~map[i].flag; + } + } + + if (check_all && flags != 0) { + goto failed; + } + + return s; + +failed: + talloc_free(s); + return NULL; +} + +/* + encode a sid in SDDL format +*/ +static char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, + struct dom_sid *domain_sid) +{ + /* TODO: encode well known sids as two letter codes */ + return dom_sid_string(mem_ctx, sid); +} + + +/* + encode an ACE in SDDL format +*/ +static char *sddl_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace, + struct dom_sid *domain_sid) +{ + char *sddl; + TALLOC_CTX *tmp_ctx; + const char *s_type="", *s_flags="", *s_mask="", + *s_object="", *s_iobject="", *s_trustee=""; + + tmp_ctx = talloc_new(mem_ctx); + + s_type = sddl_flags_to_string(tmp_ctx, ace_types, ace->type, True); + if (s_type == NULL) goto failed; + + s_flags = sddl_flags_to_string(tmp_ctx, ace_flags, ace->flags, True); + if (s_flags == NULL) goto failed; + + s_mask = sddl_flags_to_string(tmp_ctx, ace_access_mask, ace->access_mask, True); + if (s_mask == NULL) goto failed; + + s_object = GUID_string(tmp_ctx, &ace->object.object.type.type); + + s_iobject = GUID_string(tmp_ctx, &ace->object.object.inherited_type.inherited_type); + + s_trustee = sddl_encode_sid(tmp_ctx, &ace->trustee, domain_sid); + + sddl = talloc_asprintf(mem_ctx, "%s;%s;%s;%s;%s;%s", + s_type, s_flags, s_mask, s_object, s_iobject, s_trustee); + +failed: + talloc_free(tmp_ctx); + return sddl; +} + +/* + encode an ACL in SDDL format +*/ +static char *sddl_encode_acl(TALLOC_CTX *mem_ctx, const struct security_acl *acl, + uint32_t flags, struct dom_sid *domain_sid) +{ + char *sddl; + int i; + + /* add any ACL flags */ + sddl = sddl_flags_to_string(mem_ctx, acl_flags, flags, False); + if (sddl == NULL) goto failed; + + /* now the ACEs, encoded in braces */ + for (i=0;i<acl->num_aces;i++) { + char *ace = sddl_encode_ace(sddl, &acl->aces[i], domain_sid); + if (ace == NULL) goto failed; + sddl = talloc_asprintf_append(sddl, "(%s)", ace); + if (sddl == NULL) goto failed; + talloc_free(ace); + } + + return sddl; + +failed: + talloc_free(sddl); + return NULL; +} + + +/* + encode a security descriptor to SDDL format +*/ +char *sddl_encode(TALLOC_CTX *mem_ctx, const struct security_descriptor *sd, + struct dom_sid *domain_sid) +{ + char *sddl; + TALLOC_CTX *tmp_ctx; + + /* start with a blank string */ + sddl = talloc_strdup(mem_ctx, ""); + if (sddl == NULL) goto failed; + + tmp_ctx = talloc_new(mem_ctx); + + if (sd->owner_sid != NULL) { + char *sid = sddl_encode_sid(tmp_ctx, sd->owner_sid, domain_sid); + if (sid == NULL) goto failed; + sddl = talloc_asprintf_append(sddl, "O:%s", sid); + if (sddl == NULL) goto failed; + } + + if (sd->group_sid != NULL) { + char *sid = sddl_encode_sid(tmp_ctx, sd->group_sid, domain_sid); + if (sid == NULL) goto failed; + sddl = talloc_asprintf_append(sddl, "G:%s", sid); + if (sddl == NULL) goto failed; + } + + if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl != NULL) { + char *acl = sddl_encode_acl(tmp_ctx, sd->dacl, sd->type, domain_sid); + if (acl == NULL) goto failed; + sddl = talloc_asprintf_append(sddl, "D:%s", acl); + if (sddl == NULL) goto failed; + } + + if ((sd->type & SEC_DESC_SACL_PRESENT) && sd->sacl != NULL) { + char *acl = sddl_encode_acl(tmp_ctx, sd->sacl, sd->type>>1, domain_sid); + if (acl == NULL) goto failed; + sddl = talloc_asprintf_append(sddl, "S:%s", acl); + if (sddl == NULL) goto failed; + } + + talloc_free(tmp_ctx); + return sddl; + +failed: + talloc_free(sddl); + return NULL; +} + + diff --git a/source4/torture/local/sddl.c b/source4/torture/local/sddl.c index f09af3f83a..8d5874d878 100644 --- a/source4/torture/local/sddl.c +++ b/source4/torture/local/sddl.c @@ -29,14 +29,34 @@ */ static BOOL test_sddl(TALLOC_CTX *mem_ctx, const char *sddl) { - struct security_descriptor *sd; + struct security_descriptor *sd, *sd2; struct dom_sid *domain; + const char *sddl2; + domain = dom_sid_parse_talloc(mem_ctx, "S-1-2-3-4"); sd = sddl_decode(mem_ctx, sddl, domain); if (sd == NULL) { printf("Failed to decode '%s'\n", sddl); return False; } + + sddl2 = sddl_encode(mem_ctx, sd, domain); + if (sddl2 == NULL) { + printf("Failed to re-encode '%s'\n", sddl); + return False; + } + + sd2 = sddl_decode(mem_ctx, sddl2, domain); + if (sd2 == NULL) { + printf("Failed to decode2 '%s'\n", sddl2); + return False; + } + + if (!security_descriptor_equal(sd, sd2)) { + printf("Failed equality test for '%s'\n", sddl); + return False; + } + if (DEBUGLVL(2)) { NDR_PRINT_DEBUG(security_descriptor, sd); } |