From 2eff2de2f81374483df99757046f1d5ee4050155 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 21 Apr 2009 14:27:25 +0200 Subject: Move the security_descriptor utility code to the top-level. --- libcli/security/config.mk | 2 +- libcli/security/security_descriptor.c | 533 ++++++++++++++++++++++++++ libcli/security/security_descriptor.h | 64 ++++ source3/Makefile.in | 2 +- source3/include/includes.h | 1 + source4/libcli/security/config.mk | 3 +- source4/libcli/security/security.h | 1 + source4/libcli/security/security_descriptor.c | 533 -------------------------- 8 files changed, 602 insertions(+), 537 deletions(-) create mode 100644 libcli/security/security_descriptor.c create mode 100644 libcli/security/security_descriptor.h delete mode 100644 source4/libcli/security/security_descriptor.c diff --git a/libcli/security/config.mk b/libcli/security/config.mk index 7ade01510c..060429bd67 100644 --- a/libcli/security/config.mk +++ b/libcli/security/config.mk @@ -2,4 +2,4 @@ PRIVATE_DEPENDENCIES = TALLOC LIBSECURITY_COMMON_OBJ_FILES = $(addprefix $(libclicommonsrcdir)/security/, \ - dom_sid.o display_sec.o secace.o secacl.o) + dom_sid.o display_sec.o secace.o secacl.o security_descriptor.o) diff --git a/libcli/security/security_descriptor.c b/libcli/security/security_descriptor.c new file mode 100644 index 0000000000..8e9c7eb4a9 --- /dev/null +++ b/libcli/security/security_descriptor.c @@ -0,0 +1,533 @@ +/* + Unix SMB/CIFS implementation. + + security descriptror utility functions + + Copyright (C) Andrew Tridgell 2004 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "includes.h" +#include "libcli/security/security.h" + +/* + return a blank security descriptor (no owners, dacl or sacl) +*/ +struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx) +{ + struct security_descriptor *sd; + + sd = talloc(mem_ctx, struct security_descriptor); + if (!sd) { + return NULL; + } + + sd->revision = SD_REVISION; + /* we mark as self relative, even though it isn't while it remains + a pointer in memory because this simplifies the ndr code later. + All SDs that we store/emit are in fact SELF_RELATIVE + */ + sd->type = SEC_DESC_SELF_RELATIVE; + + sd->owner_sid = NULL; + sd->group_sid = NULL; + sd->sacl = NULL; + sd->dacl = NULL; + + return sd; +} + +static struct security_acl *security_acl_dup(TALLOC_CTX *mem_ctx, + const struct security_acl *oacl) +{ + struct security_acl *nacl; + + nacl = talloc (mem_ctx, struct security_acl); + if (nacl == NULL) { + return NULL; + } + + nacl->aces = (struct security_ace *)talloc_memdup (nacl, oacl->aces, sizeof(struct security_ace) * oacl->num_aces); + if ((nacl->aces == NULL) && (oacl->num_aces > 0)) { + goto failed; + } + + nacl->revision = oacl->revision; + nacl->size = oacl->size; + nacl->num_aces = oacl->num_aces; + + return nacl; + + failed: + talloc_free (nacl); + return NULL; + +} + +/* + talloc and copy a security descriptor + */ +struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx, + const struct security_descriptor *osd) +{ + struct security_descriptor *nsd; + + nsd = talloc_zero(mem_ctx, struct security_descriptor); + if (!nsd) { + return NULL; + } + + if (osd->owner_sid) { + nsd->owner_sid = dom_sid_dup(nsd, osd->owner_sid); + if (nsd->owner_sid == NULL) { + goto failed; + } + } + + if (osd->group_sid) { + nsd->group_sid = dom_sid_dup(nsd, osd->group_sid); + if (nsd->group_sid == NULL) { + goto failed; + } + } + + if (osd->sacl) { + nsd->sacl = security_acl_dup(nsd, osd->sacl); + if (nsd->sacl == NULL) { + goto failed; + } + } + + if (osd->dacl) { + nsd->dacl = security_acl_dup(nsd, osd->dacl); + if (nsd->dacl == NULL) { + goto failed; + } + } + + nsd->revision = osd->revision; + nsd->type = osd->type; + + return nsd; + + failed: + talloc_free(nsd); + + return NULL; +} + +/* + add an ACE to an ACL of a security_descriptor +*/ + +static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd, + bool add_to_sacl, + const struct security_ace *ace) +{ + struct security_acl *acl = NULL; + + if (add_to_sacl) { + acl = sd->sacl; + } else { + acl = sd->dacl; + } + + if (acl == NULL) { + acl = talloc(sd, struct security_acl); + if (acl == NULL) { + return NT_STATUS_NO_MEMORY; + } + acl->revision = SECURITY_ACL_REVISION_NT4; + acl->size = 0; + acl->num_aces = 0; + acl->aces = NULL; + } + + acl->aces = talloc_realloc(acl, acl->aces, + struct security_ace, acl->num_aces+1); + if (acl->aces == NULL) { + return NT_STATUS_NO_MEMORY; + } + + acl->aces[acl->num_aces] = *ace; + + switch (acl->aces[acl->num_aces].type) { + case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: + case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: + case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT: + case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT: + acl->revision = SECURITY_ACL_REVISION_ADS; + break; + default: + break; + } + + acl->num_aces++; + + if (add_to_sacl) { + sd->sacl = acl; + sd->type |= SEC_DESC_SACL_PRESENT; + } else { + sd->dacl = acl; + sd->type |= SEC_DESC_DACL_PRESENT; + } + + return NT_STATUS_OK; +} + +/* + add an ACE to the SACL of a security_descriptor +*/ + +NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd, + const struct security_ace *ace) +{ + return security_descriptor_acl_add(sd, true, ace); +} + +/* + add an ACE to the DACL of a security_descriptor +*/ + +NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd, + const struct security_ace *ace) +{ + return security_descriptor_acl_add(sd, false, ace); +} + +/* + delete the ACE corresponding to the given trustee in an ACL of a + security_descriptor +*/ + +static NTSTATUS security_descriptor_acl_del(struct security_descriptor *sd, + bool sacl_del, + const struct dom_sid *trustee) +{ + int i; + bool found = false; + struct security_acl *acl = NULL; + + if (sacl_del) { + acl = sd->sacl; + } else { + acl = sd->dacl; + } + + if (acl == NULL) { + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + } + + /* there can be multiple ace's for one trustee */ + for (i=0;inum_aces;i++) { + if (dom_sid_equal(trustee, &acl->aces[i].trustee)) { + memmove(&acl->aces[i], &acl->aces[i+1], + sizeof(acl->aces[i]) * (acl->num_aces - (i+1))); + acl->num_aces--; + if (acl->num_aces == 0) { + acl->aces = NULL; + } + found = true; + } + } + + if (!found) { + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + } + + acl->revision = SECURITY_ACL_REVISION_NT4; + + for (i=0;inum_aces;i++) { + switch (acl->aces[i].type) { + case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: + case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: + case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT: + case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT: + acl->revision = SECURITY_ACL_REVISION_ADS; + return NT_STATUS_OK; + default: + break; /* only for the switch statement */ + } + } + + return NT_STATUS_OK; +} + +/* + delete the ACE corresponding to the given trustee in the DACL of a + security_descriptor +*/ + +NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd, + const struct dom_sid *trustee) +{ + return security_descriptor_acl_del(sd, false, trustee); +} + +/* + delete the ACE corresponding to the given trustee in the SACL of a + security_descriptor +*/ + +NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd, + const struct dom_sid *trustee) +{ + return security_descriptor_acl_del(sd, true, trustee); +} + +/* + compare two security ace structures +*/ +bool security_ace_equal(const struct security_ace *ace1, + const struct security_ace *ace2) +{ + if (ace1 == ace2) return true; + if (!ace1 || !ace2) return false; + if (ace1->type != ace2->type) return false; + if (ace1->flags != ace2->flags) return false; + if (ace1->access_mask != ace2->access_mask) return false; + if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) return false; + + return true; +} + + +/* + compare two security acl structures +*/ +bool security_acl_equal(const struct security_acl *acl1, + const struct security_acl *acl2) +{ + int i; + + if (acl1 == acl2) return true; + if (!acl1 || !acl2) return false; + if (acl1->revision != acl2->revision) return false; + if (acl1->num_aces != acl2->num_aces) return false; + + for (i=0;inum_aces;i++) { + if (!security_ace_equal(&acl1->aces[i], &acl2->aces[i])) return false; + } + return true; +} + +/* + compare two security descriptors. +*/ +bool security_descriptor_equal(const struct security_descriptor *sd1, + const struct security_descriptor *sd2) +{ + if (sd1 == sd2) return true; + if (!sd1 || !sd2) return false; + if (sd1->revision != sd2->revision) return false; + if (sd1->type != sd2->type) return false; + + if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false; + if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false; + if (!security_acl_equal(sd1->sacl, sd2->sacl)) return false; + if (!security_acl_equal(sd1->dacl, sd2->dacl)) return false; + + return true; +} + +/* + compare two security descriptors, but allow certain (missing) parts + to be masked out of the comparison +*/ +bool security_descriptor_mask_equal(const struct security_descriptor *sd1, + const struct security_descriptor *sd2, + uint32_t mask) +{ + if (sd1 == sd2) return true; + if (!sd1 || !sd2) return false; + if (sd1->revision != sd2->revision) return false; + if ((sd1->type & mask) != (sd2->type & mask)) return false; + + if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false; + if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false; + if ((mask & SEC_DESC_DACL_PRESENT) && !security_acl_equal(sd1->dacl, sd2->dacl)) return false; + if ((mask & SEC_DESC_SACL_PRESENT) && !security_acl_equal(sd1->sacl, sd2->sacl)) return false; + + return true; +} + + +static struct security_descriptor *security_descriptor_appendv(struct security_descriptor *sd, + bool add_ace_to_sacl, + va_list ap) +{ + const char *sidstr; + + while ((sidstr = va_arg(ap, const char *))) { + struct dom_sid *sid; + struct security_ace *ace = talloc(sd, struct security_ace); + NTSTATUS status; + + if (ace == NULL) { + talloc_free(sd); + return NULL; + } + ace->type = va_arg(ap, unsigned int); + ace->access_mask = va_arg(ap, unsigned int); + ace->flags = va_arg(ap, unsigned int); + sid = dom_sid_parse_talloc(ace, sidstr); + if (sid == NULL) { + talloc_free(sd); + return NULL; + } + ace->trustee = *sid; + if (add_ace_to_sacl) { + status = security_descriptor_sacl_add(sd, ace); + } else { + status = security_descriptor_dacl_add(sd, ace); + } + /* TODO: check: would talloc_free(ace) here be correct? */ + if (!NT_STATUS_IS_OK(status)) { + talloc_free(sd); + return NULL; + } + } + + return sd; +} + +struct security_descriptor *security_descriptor_append(struct security_descriptor *sd, + ...) +{ + va_list ap; + + va_start(ap, sd); + sd = security_descriptor_appendv(sd, false, ap); + va_end(ap); + + return sd; +} + +static struct security_descriptor *security_descriptor_createv(TALLOC_CTX *mem_ctx, + uint16_t sd_type, + const char *owner_sid, + const char *group_sid, + bool add_ace_to_sacl, + va_list ap) +{ + struct security_descriptor *sd; + + sd = security_descriptor_initialise(mem_ctx); + if (sd == NULL) { + return NULL; + } + + sd->type |= sd_type; + + if (owner_sid) { + sd->owner_sid = dom_sid_parse_talloc(sd, owner_sid); + if (sd->owner_sid == NULL) { + talloc_free(sd); + return NULL; + } + } + if (group_sid) { + sd->group_sid = dom_sid_parse_talloc(sd, group_sid); + if (sd->group_sid == NULL) { + talloc_free(sd); + return NULL; + } + } + + return security_descriptor_appendv(sd, add_ace_to_sacl, ap); +} + +/* + create a security descriptor using string SIDs. This is used by the + torture code to allow the easy creation of complex ACLs + This is a varargs function. The list of DACL ACEs ends with a NULL sid. + + Each ACE contains a set of 4 parameters: + SID, ACCESS_TYPE, MASK, FLAGS + + a typical call would be: + + sd = security_descriptor_dacl_create(mem_ctx, + sd_type_flags, + mysid, + mygroup, + SID_NT_AUTHENTICATED_USERS, + SEC_ACE_TYPE_ACCESS_ALLOWED, + SEC_FILE_ALL, + SEC_ACE_FLAG_OBJECT_INHERIT, + NULL); + that would create a sd with one DACL ACE +*/ + +struct security_descriptor *security_descriptor_dacl_create(TALLOC_CTX *mem_ctx, + uint16_t sd_type, + const char *owner_sid, + const char *group_sid, + ...) +{ + struct security_descriptor *sd = NULL; + va_list ap; + va_start(ap, group_sid); + sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid, + group_sid, false, ap); + va_end(ap); + + return sd; +} + +struct security_descriptor *security_descriptor_sacl_create(TALLOC_CTX *mem_ctx, + uint16_t sd_type, + const char *owner_sid, + const char *group_sid, + ...) +{ + struct security_descriptor *sd = NULL; + va_list ap; + va_start(ap, group_sid); + sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid, + group_sid, true, ap); + va_end(ap); + + return sd; +} + +struct security_ace *security_ace_create(TALLOC_CTX *mem_ctx, + const char *sid_str, + enum security_ace_type type, + uint32_t access_mask, + uint8_t flags) + +{ + struct dom_sid *sid; + struct security_ace *ace; + + ace = talloc_zero(mem_ctx, struct security_ace); + if (ace == NULL) { + return NULL; + } + + sid = dom_sid_parse_talloc(ace, sid_str); + if (sid == NULL) { + talloc_free(ace); + return NULL; + } + + ace->trustee = *sid; + ace->type = type; + ace->access_mask = access_mask; + ace->flags = flags; + + return ace; +} diff --git a/libcli/security/security_descriptor.h b/libcli/security/security_descriptor.h new file mode 100644 index 0000000000..c535f5d253 --- /dev/null +++ b/libcli/security/security_descriptor.h @@ -0,0 +1,64 @@ +/* + Unix SMB/CIFS implementation. + Samba utility functions + + Copyright (C) 2009 Jelmer Vernooij + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __SECURITY_DESCRIPTOR_H__ +#define __SECURITY_DESCRIPTOR_H__ + +#include "librpc/gen_ndr/security.h" + +struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx); +struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx, + const struct security_descriptor *osd); +NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd, + const struct security_ace *ace); +NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd, + const struct security_ace *ace); +NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd, + const struct dom_sid *trustee); +NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd, + const struct dom_sid *trustee); +bool security_ace_equal(const struct security_ace *ace1, + const struct security_ace *ace2); +bool security_acl_equal(const struct security_acl *acl1, + const struct security_acl *acl2); +bool security_descriptor_equal(const struct security_descriptor *sd1, + const struct security_descriptor *sd2); +bool security_descriptor_mask_equal(const struct security_descriptor *sd1, + const struct security_descriptor *sd2, + uint32_t mask); +struct security_descriptor *security_descriptor_append(struct security_descriptor *sd, + ...); +struct security_descriptor *security_descriptor_dacl_create(TALLOC_CTX *mem_ctx, + uint16_t sd_type, + const char *owner_sid, + const char *group_sid, + ...); +struct security_descriptor *security_descriptor_sacl_create(TALLOC_CTX *mem_ctx, + uint16_t sd_type, + const char *owner_sid, + const char *group_sid, + ...); +struct security_ace *security_ace_create(TALLOC_CTX *mem_ctx, + const char *sid_str, + enum security_ace_type type, + uint32_t access_mask, + uint8_t flags); + +#endif /* __SECURITY_DESCRIPTOR_H__ */ diff --git a/source3/Makefile.in b/source3/Makefile.in index 51a469b2b9..ca42d5b95d 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -388,7 +388,7 @@ LIB_OBJ = $(LIBSAMBAUTIL_OBJ) $(UTIL_OBJ) $(CRYPTO_OBJ) \ ../libcli/security/secacl.o \ libads/krb5_errs.o lib/system_smbd.o lib/audit.o $(LIBNDR_OBJ) \ lib/file_id.o lib/idmap_cache.o \ - ../libcli/security/dom_sid.o + ../libcli/security/dom_sid.o ../libcli/security/security_descriptor.o LIB_DUMMY_OBJ = lib/dummysmbd.o lib/dummyroot.o LIB_NONSMBD_OBJ = $(LIB_OBJ) $(LIB_DUMMY_OBJ) diff --git a/source3/include/includes.h b/source3/include/includes.h index 943de8db7b..596c772d9e 100644 --- a/source3/include/includes.h +++ b/source3/include/includes.h @@ -702,6 +702,7 @@ enum flush_reason_enum { #endif #include "libcli/security/secace.h" #include "libcli/security/secacl.h" +#include "libcli/security/security_descriptor.h" #if defined(HAVE_POSIX_ACLS) #include "modules/vfs_posixacl.h" diff --git a/source4/libcli/security/config.mk b/source4/libcli/security/config.mk index 9d23fe9588..d08c25d66f 100644 --- a/source4/libcli/security/config.mk +++ b/source4/libcli/security/config.mk @@ -2,7 +2,6 @@ PUBLIC_DEPENDENCIES = LIBNDR LIBSECURITY_COMMON LIBSECURITY_OBJ_FILES = $(addprefix $(libclisrcdir)/security/, \ - security_token.o security_descriptor.o \ - access_check.o privilege.o sddl.o) \ + security_token.o access_check.o privilege.o sddl.o) \ $(eval $(call proto_header_template,$(libclisrcdir)/security/proto.h,$(LIBSECURITY_OBJ_FILES:.o=.c))) diff --git a/source4/libcli/security/security.h b/source4/libcli/security/security.h index 2608c9f7ed..6dbbe014e7 100644 --- a/source4/libcli/security/security.h +++ b/source4/libcli/security/security.h @@ -33,3 +33,4 @@ struct auth_session_info; #include "libcli/security/secace.h" #include "libcli/security/secacl.h" #include "libcli/security/proto.h" +#include "libcli/security/security_descriptor.h" diff --git a/source4/libcli/security/security_descriptor.c b/source4/libcli/security/security_descriptor.c deleted file mode 100644 index 8e9c7eb4a9..0000000000 --- a/source4/libcli/security/security_descriptor.c +++ /dev/null @@ -1,533 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - security descriptror utility functions - - Copyright (C) Andrew Tridgell 2004 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ - -#include "includes.h" -#include "libcli/security/security.h" - -/* - return a blank security descriptor (no owners, dacl or sacl) -*/ -struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx) -{ - struct security_descriptor *sd; - - sd = talloc(mem_ctx, struct security_descriptor); - if (!sd) { - return NULL; - } - - sd->revision = SD_REVISION; - /* we mark as self relative, even though it isn't while it remains - a pointer in memory because this simplifies the ndr code later. - All SDs that we store/emit are in fact SELF_RELATIVE - */ - sd->type = SEC_DESC_SELF_RELATIVE; - - sd->owner_sid = NULL; - sd->group_sid = NULL; - sd->sacl = NULL; - sd->dacl = NULL; - - return sd; -} - -static struct security_acl *security_acl_dup(TALLOC_CTX *mem_ctx, - const struct security_acl *oacl) -{ - struct security_acl *nacl; - - nacl = talloc (mem_ctx, struct security_acl); - if (nacl == NULL) { - return NULL; - } - - nacl->aces = (struct security_ace *)talloc_memdup (nacl, oacl->aces, sizeof(struct security_ace) * oacl->num_aces); - if ((nacl->aces == NULL) && (oacl->num_aces > 0)) { - goto failed; - } - - nacl->revision = oacl->revision; - nacl->size = oacl->size; - nacl->num_aces = oacl->num_aces; - - return nacl; - - failed: - talloc_free (nacl); - return NULL; - -} - -/* - talloc and copy a security descriptor - */ -struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx, - const struct security_descriptor *osd) -{ - struct security_descriptor *nsd; - - nsd = talloc_zero(mem_ctx, struct security_descriptor); - if (!nsd) { - return NULL; - } - - if (osd->owner_sid) { - nsd->owner_sid = dom_sid_dup(nsd, osd->owner_sid); - if (nsd->owner_sid == NULL) { - goto failed; - } - } - - if (osd->group_sid) { - nsd->group_sid = dom_sid_dup(nsd, osd->group_sid); - if (nsd->group_sid == NULL) { - goto failed; - } - } - - if (osd->sacl) { - nsd->sacl = security_acl_dup(nsd, osd->sacl); - if (nsd->sacl == NULL) { - goto failed; - } - } - - if (osd->dacl) { - nsd->dacl = security_acl_dup(nsd, osd->dacl); - if (nsd->dacl == NULL) { - goto failed; - } - } - - nsd->revision = osd->revision; - nsd->type = osd->type; - - return nsd; - - failed: - talloc_free(nsd); - - return NULL; -} - -/* - add an ACE to an ACL of a security_descriptor -*/ - -static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd, - bool add_to_sacl, - const struct security_ace *ace) -{ - struct security_acl *acl = NULL; - - if (add_to_sacl) { - acl = sd->sacl; - } else { - acl = sd->dacl; - } - - if (acl == NULL) { - acl = talloc(sd, struct security_acl); - if (acl == NULL) { - return NT_STATUS_NO_MEMORY; - } - acl->revision = SECURITY_ACL_REVISION_NT4; - acl->size = 0; - acl->num_aces = 0; - acl->aces = NULL; - } - - acl->aces = talloc_realloc(acl, acl->aces, - struct security_ace, acl->num_aces+1); - if (acl->aces == NULL) { - return NT_STATUS_NO_MEMORY; - } - - acl->aces[acl->num_aces] = *ace; - - switch (acl->aces[acl->num_aces].type) { - case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: - case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: - case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT: - case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT: - acl->revision = SECURITY_ACL_REVISION_ADS; - break; - default: - break; - } - - acl->num_aces++; - - if (add_to_sacl) { - sd->sacl = acl; - sd->type |= SEC_DESC_SACL_PRESENT; - } else { - sd->dacl = acl; - sd->type |= SEC_DESC_DACL_PRESENT; - } - - return NT_STATUS_OK; -} - -/* - add an ACE to the SACL of a security_descriptor -*/ - -NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd, - const struct security_ace *ace) -{ - return security_descriptor_acl_add(sd, true, ace); -} - -/* - add an ACE to the DACL of a security_descriptor -*/ - -NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd, - const struct security_ace *ace) -{ - return security_descriptor_acl_add(sd, false, ace); -} - -/* - delete the ACE corresponding to the given trustee in an ACL of a - security_descriptor -*/ - -static NTSTATUS security_descriptor_acl_del(struct security_descriptor *sd, - bool sacl_del, - const struct dom_sid *trustee) -{ - int i; - bool found = false; - struct security_acl *acl = NULL; - - if (sacl_del) { - acl = sd->sacl; - } else { - acl = sd->dacl; - } - - if (acl == NULL) { - return NT_STATUS_OBJECT_NAME_NOT_FOUND; - } - - /* there can be multiple ace's for one trustee */ - for (i=0;inum_aces;i++) { - if (dom_sid_equal(trustee, &acl->aces[i].trustee)) { - memmove(&acl->aces[i], &acl->aces[i+1], - sizeof(acl->aces[i]) * (acl->num_aces - (i+1))); - acl->num_aces--; - if (acl->num_aces == 0) { - acl->aces = NULL; - } - found = true; - } - } - - if (!found) { - return NT_STATUS_OBJECT_NAME_NOT_FOUND; - } - - acl->revision = SECURITY_ACL_REVISION_NT4; - - for (i=0;inum_aces;i++) { - switch (acl->aces[i].type) { - case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: - case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: - case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT: - case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT: - acl->revision = SECURITY_ACL_REVISION_ADS; - return NT_STATUS_OK; - default: - break; /* only for the switch statement */ - } - } - - return NT_STATUS_OK; -} - -/* - delete the ACE corresponding to the given trustee in the DACL of a - security_descriptor -*/ - -NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd, - const struct dom_sid *trustee) -{ - return security_descriptor_acl_del(sd, false, trustee); -} - -/* - delete the ACE corresponding to the given trustee in the SACL of a - security_descriptor -*/ - -NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd, - const struct dom_sid *trustee) -{ - return security_descriptor_acl_del(sd, true, trustee); -} - -/* - compare two security ace structures -*/ -bool security_ace_equal(const struct security_ace *ace1, - const struct security_ace *ace2) -{ - if (ace1 == ace2) return true; - if (!ace1 || !ace2) return false; - if (ace1->type != ace2->type) return false; - if (ace1->flags != ace2->flags) return false; - if (ace1->access_mask != ace2->access_mask) return false; - if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) return false; - - return true; -} - - -/* - compare two security acl structures -*/ -bool security_acl_equal(const struct security_acl *acl1, - const struct security_acl *acl2) -{ - int i; - - if (acl1 == acl2) return true; - if (!acl1 || !acl2) return false; - if (acl1->revision != acl2->revision) return false; - if (acl1->num_aces != acl2->num_aces) return false; - - for (i=0;inum_aces;i++) { - if (!security_ace_equal(&acl1->aces[i], &acl2->aces[i])) return false; - } - return true; -} - -/* - compare two security descriptors. -*/ -bool security_descriptor_equal(const struct security_descriptor *sd1, - const struct security_descriptor *sd2) -{ - if (sd1 == sd2) return true; - if (!sd1 || !sd2) return false; - if (sd1->revision != sd2->revision) return false; - if (sd1->type != sd2->type) return false; - - if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false; - if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false; - if (!security_acl_equal(sd1->sacl, sd2->sacl)) return false; - if (!security_acl_equal(sd1->dacl, sd2->dacl)) return false; - - return true; -} - -/* - compare two security descriptors, but allow certain (missing) parts - to be masked out of the comparison -*/ -bool security_descriptor_mask_equal(const struct security_descriptor *sd1, - const struct security_descriptor *sd2, - uint32_t mask) -{ - if (sd1 == sd2) return true; - if (!sd1 || !sd2) return false; - if (sd1->revision != sd2->revision) return false; - if ((sd1->type & mask) != (sd2->type & mask)) return false; - - if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false; - if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false; - if ((mask & SEC_DESC_DACL_PRESENT) && !security_acl_equal(sd1->dacl, sd2->dacl)) return false; - if ((mask & SEC_DESC_SACL_PRESENT) && !security_acl_equal(sd1->sacl, sd2->sacl)) return false; - - return true; -} - - -static struct security_descriptor *security_descriptor_appendv(struct security_descriptor *sd, - bool add_ace_to_sacl, - va_list ap) -{ - const char *sidstr; - - while ((sidstr = va_arg(ap, const char *))) { - struct dom_sid *sid; - struct security_ace *ace = talloc(sd, struct security_ace); - NTSTATUS status; - - if (ace == NULL) { - talloc_free(sd); - return NULL; - } - ace->type = va_arg(ap, unsigned int); - ace->access_mask = va_arg(ap, unsigned int); - ace->flags = va_arg(ap, unsigned int); - sid = dom_sid_parse_talloc(ace, sidstr); - if (sid == NULL) { - talloc_free(sd); - return NULL; - } - ace->trustee = *sid; - if (add_ace_to_sacl) { - status = security_descriptor_sacl_add(sd, ace); - } else { - status = security_descriptor_dacl_add(sd, ace); - } - /* TODO: check: would talloc_free(ace) here be correct? */ - if (!NT_STATUS_IS_OK(status)) { - talloc_free(sd); - return NULL; - } - } - - return sd; -} - -struct security_descriptor *security_descriptor_append(struct security_descriptor *sd, - ...) -{ - va_list ap; - - va_start(ap, sd); - sd = security_descriptor_appendv(sd, false, ap); - va_end(ap); - - return sd; -} - -static struct security_descriptor *security_descriptor_createv(TALLOC_CTX *mem_ctx, - uint16_t sd_type, - const char *owner_sid, - const char *group_sid, - bool add_ace_to_sacl, - va_list ap) -{ - struct security_descriptor *sd; - - sd = security_descriptor_initialise(mem_ctx); - if (sd == NULL) { - return NULL; - } - - sd->type |= sd_type; - - if (owner_sid) { - sd->owner_sid = dom_sid_parse_talloc(sd, owner_sid); - if (sd->owner_sid == NULL) { - talloc_free(sd); - return NULL; - } - } - if (group_sid) { - sd->group_sid = dom_sid_parse_talloc(sd, group_sid); - if (sd->group_sid == NULL) { - talloc_free(sd); - return NULL; - } - } - - return security_descriptor_appendv(sd, add_ace_to_sacl, ap); -} - -/* - create a security descriptor using string SIDs. This is used by the - torture code to allow the easy creation of complex ACLs - This is a varargs function. The list of DACL ACEs ends with a NULL sid. - - Each ACE contains a set of 4 parameters: - SID, ACCESS_TYPE, MASK, FLAGS - - a typical call would be: - - sd = security_descriptor_dacl_create(mem_ctx, - sd_type_flags, - mysid, - mygroup, - SID_NT_AUTHENTICATED_USERS, - SEC_ACE_TYPE_ACCESS_ALLOWED, - SEC_FILE_ALL, - SEC_ACE_FLAG_OBJECT_INHERIT, - NULL); - that would create a sd with one DACL ACE -*/ - -struct security_descriptor *security_descriptor_dacl_create(TALLOC_CTX *mem_ctx, - uint16_t sd_type, - const char *owner_sid, - const char *group_sid, - ...) -{ - struct security_descriptor *sd = NULL; - va_list ap; - va_start(ap, group_sid); - sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid, - group_sid, false, ap); - va_end(ap); - - return sd; -} - -struct security_descriptor *security_descriptor_sacl_create(TALLOC_CTX *mem_ctx, - uint16_t sd_type, - const char *owner_sid, - const char *group_sid, - ...) -{ - struct security_descriptor *sd = NULL; - va_list ap; - va_start(ap, group_sid); - sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid, - group_sid, true, ap); - va_end(ap); - - return sd; -} - -struct security_ace *security_ace_create(TALLOC_CTX *mem_ctx, - const char *sid_str, - enum security_ace_type type, - uint32_t access_mask, - uint8_t flags) - -{ - struct dom_sid *sid; - struct security_ace *ace; - - ace = talloc_zero(mem_ctx, struct security_ace); - if (ace == NULL) { - return NULL; - } - - sid = dom_sid_parse_talloc(ace, sid_str); - if (sid == NULL) { - talloc_free(ace); - return NULL; - } - - ace->trustee = *sid; - ace->type = type; - ace->access_mask = access_mask; - ace->flags = flags; - - return ace; -} -- cgit