From 856ee665374071c89f5ecf540dcc3d68ccf2ff16 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 17 Nov 2004 14:35:29 +0000 Subject: r3810: create a LIB_SECURITY subsystem - move dom_sid, security_descriptor, security_* funtions to one place and rename some of them metze (This used to be commit b620bdd672cfdf0e009492e648b0709e6b6d8596) --- source4/auth/auth_util.c | 3 +- source4/build/smb_build/main.pm | 3 +- source4/include/structs.h | 4 + source4/lib/basic.mk | 4 +- source4/lib/util_secdesc.c | 51 ------ source4/lib/util_sid.c | 85 --------- source4/libcli/config.mk | 3 +- source4/libcli/raw/rawacl.c | 1 + source4/libcli/security/config.mk | 18 ++ source4/libcli/security/dom_sid.c | 242 ++++++++++++++++++++++++++ source4/libcli/security/security_descriptor.c | 102 +++++++++++ source4/libcli/security/security_token.c | 56 ++++++ source4/libcli/util/dom_sid.c | 180 ------------------- source4/librpc/config.mk | 1 - source4/librpc/idl/krb5pac.idl | 3 +- source4/librpc/idl/lsa.idl | 3 +- source4/librpc/idl/misc.idl | 95 ---------- source4/librpc/idl/samr.idl | 2 +- source4/librpc/idl/security.idl | 123 +++++++++++++ source4/librpc/idl/spoolss.idl | 3 +- source4/librpc/idl/srvsvc.idl | 3 +- source4/librpc/ndr/ndr_sec.c | 16 +- source4/rpc_server/dcerpc_server.c | 2 +- source4/rpc_server/samr/samdb.c | 2 +- source4/smb_server/nttrans.c | 1 + source4/torture/rpc/samsync.c | 2 +- 26 files changed, 566 insertions(+), 442 deletions(-) delete mode 100644 source4/lib/util_secdesc.c delete mode 100644 source4/lib/util_sid.c create mode 100644 source4/libcli/security/config.mk create mode 100644 source4/libcli/security/dom_sid.c create mode 100644 source4/libcli/security/security_descriptor.c create mode 100644 source4/libcli/security/security_token.c delete mode 100644 source4/libcli/util/dom_sid.c create mode 100644 source4/librpc/idl/security.idl diff --git a/source4/auth/auth_util.c b/source4/auth/auth_util.c index 9418b613eb..e929e59cc7 100644 
--- a/source4/auth/auth_util.c +++ b/source4/auth/auth_util.c @@ -24,6 +24,7 @@ #include "includes.h" #include "librpc/gen_ndr/ndr_samr.h" #include "librpc/gen_ndr/ndr_netlogon.h" +#include "librpc/gen_ndr/ndr_security.h" #include "auth/auth.h" #undef DBGC_CLASS @@ -401,7 +402,7 @@ NTSTATUS create_nt_user_token(TALLOC_CTX *mem_ctx, for (i = 0; i < n_groupSIDs; i++) { size_t check_sid_idx; for (check_sid_idx = 1; check_sid_idx < ptoken->num_sids; check_sid_idx++) { - if (sid_equal(ptoken->user_sids[check_sid_idx], + if (dom_sid_equal(ptoken->user_sids[check_sid_idx], groupSIDs[i])) { break; } diff --git a/source4/build/smb_build/main.pm b/source4/build/smb_build/main.pm index 3991e395f5..12f132239b 100644 --- a/source4/build/smb_build/main.pm +++ b/source4/build/smb_build/main.pm @@ -51,7 +51,8 @@ sub smb_build_main($) "librpc/config.mk", "client/config.mk", "libcli/libsmb.mk", - "libcli/config.mk" + "libcli/config.mk", + "libcli/security/config.mk" ); $| = 1; diff --git a/source4/include/structs.h b/source4/include/structs.h index 9e64361dbf..61749111d9 100644 --- a/source4/include/structs.h +++ b/source4/include/structs.h @@ -120,3 +120,7 @@ struct test_join_ads_dc; struct netr_LMSessionKey; struct ldb_message; + +struct security_token; +struct security_acl; +struct security_ace; diff --git a/source4/lib/basic.mk b/source4/lib/basic.mk index 7360eddf94..1f790a8ca2 100644 --- a/source4/lib/basic.mk +++ b/source4/lib/basic.mk @@ -51,8 +51,6 @@ ADD_OBJ_FILES = \ lib/wins_srv.o \ lib/util_str.o \ lib/util_strlist.o \ - lib/util_sid.o \ - lib/util_secdesc.o \ lib/util_uuid.o \ lib/util_unistr.o \ lib/util_file.o \ @@ -74,6 +72,6 @@ ADD_OBJ_FILES = \ lib/db_wrap.o \ lib/gencache.o REQUIRED_SUBSYSTEMS = \ - LIBLDB CHARSET LIBREPLACE LIBNETIF LIBCRYPTO EXT_LIB_DL + LIBLDB CHARSET LIBREPLACE LIBNETIF LIBCRYPTO LIB_SECURITY EXT_LIB_DL # End SUBSYSTEM LIBBASIC ############################## 
diff --git a/source4/lib/util_secdesc.c b/source4/lib/util_secdesc.c deleted file mode 100644 index 92887b21d9..0000000000 --- a/source4/lib/util_secdesc.c +++ /dev/null @@ -1,51 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - security descriptror utility functions - - Copyright (C) Andrew Tridgell 2004 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#include "includes.h" - -/* - return a blank security descriptor (no owners, dacl or sacl) -*/ -struct security_descriptor *sd_initialise(TALLOC_CTX *mem_ctx) -{ - struct security_descriptor *sd; - - sd = talloc_p(mem_ctx, struct security_descriptor); - if (!sd) { - return NULL; - } - - sd->revision = SD_REVISION; - /* we mark as self relative, even though it isn't while it remains - a pointer in memory because this simplifies the ndr code later. - All SDs that we store/emit are in fact SELF_RELATIVE - */ - sd->type = SEC_DESC_SELF_RELATIVE; - - sd->owner_sid = NULL; - sd->group_sid = NULL; - sd->sacl = NULL; - sd->dacl = NULL; - - return sd; -} - diff --git a/source4/lib/util_sid.c b/source4/lib/util_sid.c deleted file mode 100644 index cb2ec3eb75..0000000000 --- a/source4/lib/util_sid.c +++ /dev/null 
@@ -1,85 +0,0 @@ -/* - Unix SMB/CIFS implementation. - Samba utility functions - Copyright (C) Andrew Tridgell 1992-1998 - Copyright (C) Luke Kenneth Caseson Leighton 1998-1999 - Copyright (C) Jeremy Allison 1999 - Copyright (C) Stefan (metze) Metzmacher 2002 - Copyright (C) Simo Sorce 2002 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#include "includes.h" - -/***************************************************************** - Compare the auth portion of two sids. -*****************************************************************/ - -static int sid_compare_auth(const struct dom_sid *sid1, const struct dom_sid *sid2) -{ - int i; - - if (sid1 == sid2) - return 0; - if (!sid1) - return -1; - if (!sid2) - return 1; - - if (sid1->sid_rev_num != sid2->sid_rev_num) - return sid1->sid_rev_num - sid2->sid_rev_num; - - for (i = 0; i < 6; i++) - if (sid1->id_auth[i] != sid2->id_auth[i]) - return sid1->id_auth[i] - sid2->id_auth[i]; - - return 0; -} - -/***************************************************************** - Compare two sids. 
-*****************************************************************/ - -static int sid_compare(const struct dom_sid *sid1, const struct dom_sid *sid2) -{ - int i; - - if (sid1 == sid2) - return 0; - if (!sid1) - return -1; - if (!sid2) - return 1; - - /* Compare most likely different rids, first: i.e start at end */ - if (sid1->num_auths != sid2->num_auths) - return sid1->num_auths - sid2->num_auths; - - for (i = sid1->num_auths-1; i >= 0; --i) - if (sid1->sub_auths[i] != sid2->sub_auths[i]) - return sid1->sub_auths[i] - sid2->sub_auths[i]; - - return sid_compare_auth(sid1, sid2); -} - -/***************************************************************** - Compare two sids. -*****************************************************************/ - -BOOL sid_equal(const struct dom_sid *sid1, const struct dom_sid *sid2) -{ - return sid_compare(sid1, sid2) == 0; -} diff --git a/source4/libcli/config.mk b/source4/libcli/config.mk index c931d061fb..e48e5b5066 100644 --- a/source4/libcli/config.mk +++ b/source4/libcli/config.mk @@ -6,8 +6,7 @@ ADD_OBJ_FILES = libcli/util/asn1.o \ libcli/util/clierror.o \ libcli/util/nterr.o \ libcli/util/smbdes.o \ - libcli/util/smbencrypt.o \ - libcli/util/dom_sid.o + libcli/util/smbencrypt.o [SUBSYSTEM::LIBCLI_NMB] ADD_OBJ_FILES = libcli/unexpected.o \ diff --git a/source4/libcli/raw/rawacl.c b/source4/libcli/raw/rawacl.c index 35c7ce2049..642d0ba72b 100644 --- a/source4/libcli/raw/rawacl.c +++ b/source4/libcli/raw/rawacl.c @@ -19,6 +19,7 @@ */ #include "includes.h" +#include "librpc/gen_ndr/ndr_security.h" #include "libcli/raw/libcliraw.h" /**************************************************************************** diff --git a/source4/libcli/security/config.mk b/source4/libcli/security/config.mk new file mode 100644 index 0000000000..908a993ce6 --- /dev/null +++ b/source4/libcli/security/config.mk 
@@ -0,0 +1,18 @@ +################################# +# Start SUBSYSTEM LIB_SECURITY_NDR +[SUBSYSTEM::LIB_SECURITY_NDR] +ADD_OBJ_FILES = librpc/gen_ndr/ndr_security.o +NOPROTO = YES +# End SUBSYSTEM LIB_SECURITY_NDR +################################# + +################################# +# Start SUBSYSTEM LIB_SECURITY +[SUBSYSTEM::LIB_SECURITY] +ADD_OBJ_FILES = libcli/security/security_token.o \ + libcli/security/security_descriptor.o \ + libcli/security/dom_sid.o \ + librpc/ndr/ndr_sec.o +REQUIRED_SUBSYSTEMS = LIB_SECURITY_NDR +# End SUBSYSTEM LIB_SECURITY +################################# diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c new file mode 100644 index 0000000000..701fa88017 --- /dev/null +++ b/source4/libcli/security/dom_sid.c 
@@ -0,0 +1,242 @@ +/* + Unix SMB/CIFS implementation. + Samba utility functions + Copyright (C) Andrew Tridgell 1992-2004 + Copyright (C) Luke Kenneth Caseson Leighton 1998-1999 + Copyright (C) Jeremy Allison 1999 + Copyright (C) Stefan (metze) Metzmacher 2002-2004 + Copyright (C) Simo Sorce 2002 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" +#include "librpc/gen_ndr/ndr_security.h" + +/***************************************************************** + Compare the auth portion of two sids. +*****************************************************************/ + +static int dom_sid_compare_auth(const struct dom_sid *sid1, const struct dom_sid *sid2) +{ + int i; + + if (sid1 == sid2) + return 0; + if (!sid1) + return -1; + if (!sid2) + return 1; + + if (sid1->sid_rev_num != sid2->sid_rev_num) + return sid1->sid_rev_num - sid2->sid_rev_num; + + for (i = 0; i < 6; i++) + if (sid1->id_auth[i] != sid2->id_auth[i]) + return sid1->id_auth[i] - sid2->id_auth[i]; + + return 0; +} + +/***************************************************************** + Compare two sids. 
+*****************************************************************/ + +static int dom_sid_compare(const struct dom_sid *sid1, const struct dom_sid *sid2) +{ + int i; + + if (sid1 == sid2) + return 0; + if (!sid1) + return -1; + if (!sid2) + return 1; + + /* Compare most likely different rids, first: i.e start at end */ + if (sid1->num_auths != sid2->num_auths) + return sid1->num_auths - sid2->num_auths; + + for (i = sid1->num_auths-1; i >= 0; --i) + if (sid1->sub_auths[i] != sid2->sub_auths[i]) + return sid1->sub_auths[i] - sid2->sub_auths[i]; + + return dom_sid_compare_auth(sid1, sid2); +} + +/***************************************************************** + Compare two sids. +*****************************************************************/ + +BOOL dom_sid_equal(const struct dom_sid *sid1, const struct dom_sid *sid2) +{ + return dom_sid_compare(sid1, sid2) == 0; +} + +/* + convert a dom_sid to a string +*/ +char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid) +{ + int i, ofs, maxlen; + uint32_t ia; + char *ret; + + if (!sid) { + return talloc_strdup(mem_ctx, "(NULL SID)"); + } + + maxlen = sid->num_auths * 11 + 25; + ret = talloc(mem_ctx, maxlen); + if (!ret) return talloc_strdup(mem_ctx, "(SID ERR)"); + + ia = (sid->id_auth[5]) + + (sid->id_auth[4] << 8 ) + + (sid->id_auth[3] << 16) + + (sid->id_auth[2] << 24); + + ofs = snprintf(ret, maxlen, "S-%u-%lu", + (uint_t)sid->sid_rev_num, (unsigned long)ia); + + for (i = 0; i < sid->num_auths; i++) { + ofs += snprintf(ret + ofs, maxlen - ofs, "-%lu", (unsigned long)sid->sub_auths[i]); + } + + return ret; +} + + +/* + convert a string to a dom_sid, returning a talloc'd dom_sid +*/ +struct dom_sid *dom_sid_parse_talloc(TALLOC_CTX *mem_ctx, const char *sidstr) +{ + struct dom_sid *ret; + uint_t rev, ia, num_sub_auths, i; + char *p; + + if (strncasecmp(sidstr, "S-", 2)) { + return NULL; + } + + sidstr += 2; + + rev = strtol(sidstr, &p, 10); + if (*p != '-') { + return NULL; + } + sidstr = p+1; + + ia = 
strtol(sidstr, &p, 10); + if (p == sidstr) { + return NULL; + } + sidstr = p; + + num_sub_auths = 0; + for (i=0;sidstr[i];i++) { + if (sidstr[i] == '-') num_sub_auths++; + } + + ret = talloc_p(mem_ctx, struct dom_sid); + if (!ret) { + return NULL; + } + + ret->sub_auths = talloc_array_p(mem_ctx, uint32_t, num_sub_auths); + if (!ret->sub_auths) { + return NULL; + } + + ret->sid_rev_num = rev; + ret->id_auth[0] = 0; + ret->id_auth[1] = 0; + ret->id_auth[2] = ia >> 24; + ret->id_auth[3] = ia >> 16; + ret->id_auth[4] = ia >> 8; + ret->id_auth[5] = ia; + ret->num_auths = num_sub_auths; + + for (i=0;isub_auths[i] = strtoul(sidstr, &p, 10); + if (p == sidstr) { + return NULL; + } + sidstr = p; + } + + return ret; +} + +/* + convert a string to a dom_sid, returning a talloc'd dom_sid +*/ +struct dom_sid *dom_sid_dup(TALLOC_CTX *mem_ctx, const struct dom_sid *dom_sid) +{ + struct dom_sid *ret; + int i; + ret = talloc_p(mem_ctx, struct dom_sid); + if (!ret) { + return NULL; + } + + ret->sub_auths = talloc_array_p(mem_ctx, uint32_t, dom_sid->num_auths); + if (!ret->sub_auths) { + return NULL; + } + + ret->sid_rev_num = dom_sid->sid_rev_num; + ret->id_auth[0] = dom_sid->id_auth[0]; + ret->id_auth[1] = dom_sid->id_auth[1]; + ret->id_auth[2] = dom_sid->id_auth[2]; + ret->id_auth[3] = dom_sid->id_auth[3]; + ret->id_auth[4] = dom_sid->id_auth[4]; + ret->id_auth[5] = dom_sid->id_auth[5]; + ret->num_auths = dom_sid->num_auths; + + for (i=0;inum_auths;i++) { + ret->sub_auths[i] = dom_sid->sub_auths[i]; + } + + return ret; +} + +/* + add a rid to a domain dom_sid to make a full dom_sid +*/ +struct dom_sid *dom_sid_add_rid(TALLOC_CTX *mem_ctx, + const struct dom_sid *domain_sid, + uint32_t rid) +{ + struct dom_sid *sid; + + sid = talloc_p(mem_ctx, struct dom_sid); + if (!sid) return NULL; + + *sid = *domain_sid; + /*TODO: use realloc! 
*/ + sid->sub_auths = talloc_array_p(mem_ctx, uint32_t, sid->num_auths+1); + if (!sid->sub_auths) { + return NULL; + } + memcpy(sid->sub_auths, domain_sid->sub_auths, sid->num_auths*sizeof(uint32_t)); + sid->sub_auths[sid->num_auths] = rid; + sid->num_auths++; + return sid; +} diff --git a/source4/libcli/security/security_descriptor.c b/source4/libcli/security/security_descriptor.c new file mode 100644 index 0000000000..255836066a --- /dev/null +++ b/source4/libcli/security/security_descriptor.c 
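Review bot: In dom_sid_parse_talloc, dom_sid_dup and dom_sid_add_rid the sub_auths array is allocated on mem_ctx rather than on the SID that was just allocated (`talloc_array_p(mem_ctx, uint32_t, ...)`), so a later talloc_free() of the returned dom_sid leaves its sub_auths orphaned on mem_ctx, and every `return NULL` after the first allocation leaks the partially built SID instead of freeing it. Allocating with `ret->sub_auths = talloc_array_p(ret, uint32_t, num_sub_auths);` and calling `talloc_free(ret)` before each later `return NULL` makes the SID a single talloc unit, which matters for a type whose IDL comment says it cannot be copied by assignment. dom_sid_parse_talloc also has no range checks: `rev` and `num_sub_auths` are narrowed into the uint8 fields and `ia` into four id_auth bytes without any test, and the loop that parses the sub-authorities was partly lost in extraction, so it is worth confirming that the '-' separator is consumed before the strtoul() call (strtoul accepts a leading '-' as a sign). SID strings reach this parser from clients and from the directory, so rejecting more than 15 sub-authorities (the Windows limit) and out-of-range revision/authority values here is cheaper than validating in every caller.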
@@ -0,0 +1,102 @@ +/* + Unix SMB/CIFS implementation. + + security descriptror utility functions + + Copyright (C) Andrew Tridgell 2004 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" +#include "librpc/gen_ndr/ndr_security.h" + +/* + return a blank security descriptor (no owners, dacl or sacl) +*/ +struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx) +{ + struct security_descriptor *sd; + + sd = talloc_p(mem_ctx, struct security_descriptor); + if (!sd) { + return NULL; + } + + sd->revision = SD_REVISION; + /* we mark as self relative, even though it isn't while it remains + a pointer in memory because this simplifies the ndr code later. 
+ All SDs that we store/emit are in fact SELF_RELATIVE + */ + sd->type = SEC_DESC_SELF_RELATIVE; + + sd->owner_sid = NULL; + sd->group_sid = NULL; + sd->sacl = NULL; + sd->dacl = NULL; + + return sd; +} + +/* + talloc and copy a security descriptor + */ +struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx, + const struct security_descriptor *osd) +{ + struct security_descriptor *nsd; + + /* FIXME */ + DEBUG(1, ("security_descriptor_copy(): sorry unimplemented yet\n")); + nsd = NULL; + + return nsd; +} + +NTSTATUS security_check_dacl(struct security_token *st, struct security_descriptor *sd, uint32 access_mask) +{ + size_t i,y; + NTSTATUS status = NT_STATUS_ACCESS_DENIED; + + DEBUG(1, ("security_check_dacl(): sorry untested yet\n")); + return status; + + if (!sd->dacl) { + return NT_STATUS_INVALID_ACL; + } + + for (i=0; i < st->num_sids; i++) { + for (y=0; y < sd->dacl->num_aces; y++) { + if (dom_sid_equal(&st->sids[i], &sd->dacl->aces[y].trustee)) { + switch (sd->dacl->aces[y].type) { + case SEC_ACE_TYPE_ACCESS_ALLOWED: + if (access_mask & sd->dacl->aces[y].access_mask) { + status = NT_STATUS_OK; + } + break; + case SEC_ACE_TYPE_ACCESS_DENIED: + if (access_mask & sd->dacl->aces[y].access_mask) { + return NT_STATUS_ACCESS_DENIED; + } + break; + default: + return NT_STATUS_INVALID_ACL; + } + } + } + } + + return status; +} diff --git a/source4/libcli/security/security_token.c b/source4/libcli/security/security_token.c new file mode 100644 index 0000000000..9e26f5a385 --- /dev/null +++ b/source4/libcli/security/security_token.c 
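Review bot: security_check_dacl grants access when any requested bit overlaps an ACCESS_ALLOWED ACE (`if (access_mask & sd->dacl->aces[y].access_mask) { status = NT_STATUS_OK; }`), so a request for READ|WRITE against an ACE that allows only READ succeeds; it should accumulate the granted bits, e.g. `granted |= sd->dacl->aces[y].access_mask;`, and finish with `status = ((access_mask & ~granted) == 0) ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;`. Nesting the token's SIDs as the outer loop and the ACEs as the inner loop also departs from the Windows algorithm, which walks the ACL once in order and stops at the first ACE that denies a still-needed bit, so a DENY ACE matching a later token SID is only consulted after earlier SIDs have set status. The whole evaluation is currently dead code because of the unconditional `return status;` after the DEBUG call, which deserves a comment naming that as intentional, e.g. `/* DACL evaluation below is disabled until reviewed; every request is denied */`, since a caller wired to this function today gets NT_STATUS_ACCESS_DENIED regardless of the descriptor. The `uint32 access_mask` parameter would better be `uint32_t`, which is what the sibling dom_sid.c uses.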
@@ -0,0 +1,56 @@ +/* + Unix SMB/CIFS implementation. + + security descriptror utility functions + + Copyright (C) Andrew Tridgell 2004 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" +#include "librpc/gen_ndr/ndr_security.h" + +/* + return a blank security descriptor (no owners, dacl or sacl) +*/ +struct security_token *security_token_initialise(TALLOC_CTX *mem_ctx) +{ + struct security_token *st; + + st = talloc_p(mem_ctx, struct security_token); + if (!st) { + return NULL; + } + + st->flags = 0; + + st->user_sid = NULL; + st->group_sid = NULL; + st->logon_sid = NULL; + + st->num_sids = 0; + st->sids = NULL; + + st->num_restricted_sids = 0; + st->restricted_sids = NULL; + + st->num_privileges = 0; + st->privileges = NULL; + + st->dacl = NULL; + + return st; +} diff --git a/source4/libcli/util/dom_sid.c b/source4/libcli/util/dom_sid.c deleted file mode 100644 index 1faf3debab..0000000000 --- a/source4/libcli/util/dom_sid.c +++ /dev/null 
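Review bot: The comment above security_token_initialise was copied from security_descriptor.c and still reads `return a blank security descriptor (no owners, dacl or sacl)`, and the file banner likewise says `security descriptror utility functions`; both describe the wrong type. Suggest `/* return an empty security token (no user/group/logon sid, no sids, no privileges, no dacl) */` for the function and `security token utility functions` for the banner. The initialiser itself sets every field the security_token typedef declares, so no behavioural point to raise.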
@@ -1,180 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - routines to manipulate a "struct dom_sid" - - Copyright (C) Andrew Tridgell 2004 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#include "includes.h" - -/* - convert a dom_sid to a string -*/ -char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid) -{ - int i, ofs, maxlen; - uint32_t ia; - char *ret; - - if (!sid) { - return talloc_strdup(mem_ctx, "(NULL SID)"); - } - - maxlen = sid->num_auths * 11 + 25; - ret = talloc(mem_ctx, maxlen); - if (!ret) return talloc_strdup(mem_ctx, "(SID ERR)"); - - ia = (sid->id_auth[5]) + - (sid->id_auth[4] << 8 ) + - (sid->id_auth[3] << 16) + - (sid->id_auth[2] << 24); - - ofs = snprintf(ret, maxlen, "S-%u-%lu", - (uint_t)sid->sid_rev_num, (unsigned long)ia); - - for (i = 0; i < sid->num_auths; i++) { - ofs += snprintf(ret + ofs, maxlen - ofs, "-%lu", (unsigned long)sid->sub_auths[i]); - } - - return ret; -} - - -/* - convert a string to a dom_sid, returning a talloc'd dom_sid -*/ -struct dom_sid *dom_sid_parse_talloc(TALLOC_CTX *mem_ctx, const char *sidstr) -{ - struct dom_sid *ret; - uint_t rev, ia, num_sub_auths, i; - char *p; - - if (strncasecmp(sidstr, "S-", 2)) { - return NULL; - } - - sidstr += 2; - - rev = strtol(sidstr, &p, 10); - if (*p != '-') { - return NULL; - } - sidstr = p+1; - - ia = strtol(sidstr, &p, 10); - if (p 
== sidstr) { - return NULL; - } - sidstr = p; - - num_sub_auths = 0; - for (i=0;sidstr[i];i++) { - if (sidstr[i] == '-') num_sub_auths++; - } - - ret = talloc_p(mem_ctx, struct dom_sid); - if (!ret) { - return NULL; - } - - ret->sub_auths = talloc_array_p(mem_ctx, uint32_t, num_sub_auths); - if (!ret->sub_auths) { - return NULL; - } - - ret->sid_rev_num = rev; - ret->id_auth[0] = 0; - ret->id_auth[1] = 0; - ret->id_auth[2] = ia >> 24; - ret->id_auth[3] = ia >> 16; - ret->id_auth[4] = ia >> 8; - ret->id_auth[5] = ia; - ret->num_auths = num_sub_auths; - - for (i=0;isub_auths[i] = strtoul(sidstr, &p, 10); - if (p == sidstr) { - return NULL; - } - sidstr = p; - } - - return ret; -} - -/* - convert a string to a dom_sid, returning a talloc'd dom_sid -*/ -struct dom_sid *dom_sid_dup(TALLOC_CTX *mem_ctx, struct dom_sid *dom_sid) -{ - struct dom_sid *ret; - int i; - ret = talloc_p(mem_ctx, struct dom_sid); - if (!ret) { - return NULL; - } - - ret->sub_auths = talloc_array_p(mem_ctx, uint32_t, dom_sid->num_auths); - if (!ret->sub_auths) { - return NULL; - } - - ret->sid_rev_num = dom_sid->sid_rev_num; - ret->id_auth[0] = dom_sid->id_auth[0]; - ret->id_auth[1] = dom_sid->id_auth[1]; - ret->id_auth[2] = dom_sid->id_auth[2]; - ret->id_auth[3] = dom_sid->id_auth[3]; - ret->id_auth[4] = dom_sid->id_auth[4]; - ret->id_auth[5] = dom_sid->id_auth[5]; - ret->num_auths = dom_sid->num_auths; - - for (i=0;inum_auths;i++) { - ret->sub_auths[i] = dom_sid->sub_auths[i]; - } - - return ret; -} - -/* - add a rid to a domain dom_sid to make a full dom_sid -*/ -struct dom_sid *dom_sid_add_rid(TALLOC_CTX *mem_ctx, - const struct dom_sid *domain_sid, - uint32_t rid) -{ - struct dom_sid *sid; - - sid = talloc_p(mem_ctx, struct dom_sid); - if (!sid) return NULL; - - *sid = *domain_sid; - /*TODO: use realloc! 
*/ - sid->sub_auths = talloc_array_p(mem_ctx, uint32_t, sid->num_auths+1); - if (!sid->sub_auths) { - return NULL; - } - memcpy(sid->sub_auths, domain_sid->sub_auths, sid->num_auths*sizeof(uint32_t)); - sid->sub_auths[sid->num_auths] = rid; - sid->num_auths++; - return sid; -} - diff --git a/source4/librpc/config.mk b/source4/librpc/config.mk index 2588590275..d527eabb2a 100644 --- a/source4/librpc/config.mk +++ b/source4/librpc/config.mk @@ -5,7 +5,6 @@ INIT_OBJ_FILES = \ librpc/ndr/ndr.o ADD_OBJ_FILES = \ librpc/ndr/ndr_basic.o \ - librpc/ndr/ndr_sec.o \ librpc/ndr/ndr_spoolss_buf.o \ librpc/ndr/ndr_dcom.o # End SUBSYSTEM LIBNDR_RAW diff --git a/source4/librpc/idl/krb5pac.idl b/source4/librpc/idl/krb5pac.idl index d3a28df27b..6efd8526b2 100644 --- a/source4/librpc/idl/krb5pac.idl +++ b/source4/librpc/idl/krb5pac.idl @@ -7,7 +7,8 @@ [ uuid("46746756-7567-7567-5677-756756756756"), version(0.0), - pointer_default(unique) + pointer_default(unique), + depends(security) ] interface krb5pac { diff --git a/source4/librpc/idl/lsa.idl b/source4/librpc/idl/lsa.idl index 05da1bec8b..d3d3ad3da6 100644 --- a/source4/librpc/idl/lsa.idl +++ b/source4/librpc/idl/lsa.idl @@ -8,7 +8,8 @@ version(0.0), endpoint("ncacn_np:[\\pipe\\lsarpc]","ncacn_np:[\\pipe\\lsass]", "ncacn_ip_tcp:"), pointer_default(unique), - helpstring("Local Server Authentication(?)") + helpstring("Local Server Authentication(?)"), + depends(security) ] interface lsarpc { /******************/ diff --git a/source4/librpc/idl/misc.idl b/source4/librpc/idl/misc.idl index dd31f0f54a..61adf04630 100644 --- a/source4/librpc/idl/misc.idl +++ b/source4/librpc/idl/misc.idl 
@@ -6,37 +6,6 @@ interface misc { - /* a NULL sid */ - const string SID_NULL = "S-1-0-0"; - - /* the world domain */ - const string SID_WORLD_DOMAIN = "S-1-1"; - const string SID_WORLD = "S-1-1-0"; - - /* SECURITY_CREATOR_SID_AUTHORITY */ - const string SID_CREATOR_OWNER_DOMAIN = "S-1-3"; - const string SID_CREATOR_OWNER = "S-1-3-0"; - const string SID_CREATOR_GROUP = "S-1-3-1"; - - /* SECURITY_NT_AUTHORITY */ - const string SID_NT_AUTHORITY = "S-1-5"; - const string SID_NETWORK = "S-1-5-2"; - const string SID_ANONYMOUS = "S-1-5-7"; - const string SID_AUTHENTICATED_USERS = "S-1-5-11"; - const string SID_SYSTEM = "S-1-5-18"; - - /* SECURITY_BUILTIN_DOMAIN_RID */ - const string SID_BUILTIN = "S-1-5-32"; - const string SID_BUILTIN_ADMINISTRATORS = "S-1-5-32-544"; - const string SID_BUILTIN_USERS = "S-1-5-32-545"; - const string SID_BUILTIN_GUESTS = "S-1-5-32-546"; - const string SID_BUILTIN_POWER_USERS = "S-1-5-32-547"; - const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548"; - const string SID_BUILTIN_SERVER_OPERATORS = "S-1-5-32-549"; - const string SID_BUILTIN_PRINT_OPERATORS = "S-1-5-32-550"; - const string SID_BUILTIN_BACKUP_OPERATORS = "S-1-5-32-551"; - const string SID_BUILTIN_REPLICATOR = "S-1-5-32-552"; - /* server roles */ typedef enum { ROLE_STANDALONE = 0, 
@@ -54,70 +23,6 @@ interface misc uint8 node[6]; } GUID; - /* a domain SID. Note that unlike Samba3 this contains a pointer, - so you can't copy them using assignment */ - typedef [public,noprint] struct { - uint8 sid_rev_num; /**< SID revision number */ - uint8 num_auths; /**< Number of sub-authorities */ - uint8 id_auth[6]; /**< Identifier Authority */ - uint32 sub_auths[num_auths]; - } dom_sid; - - typedef [public] struct { - uint8 type; /* xxxx_xxxx_ACE_TYPE - e.g allowed / denied etc */ - uint8 flags; /* xxxx_INHERIT_xxxx - e.g OBJECT_INHERIT_ACE */ - [value(ndr_size_security_ace(r))] uint16 size; - uint32 access_mask; - -#if 0 - /* the 'obj' part is present when type is XXXX_TYPE_XXXX_OBJECT */ - struct { - uint32 flags; - GUID object_guid; - GUID inherit_guid; - } *obj; -#endif - - dom_sid trustee; - } security_ace; - - typedef [public] struct { - uint16 revision; - [value(ndr_size_security_acl(r))] uint16 size; - uint32 num_aces; - security_ace aces[num_aces]; - } security_acl; - - /* default revision for new ACLs */ - const int SD_REVISION = 1; - - /* security_descriptor->type bits */ - const int SEC_DESC_OWNER_DEFAULTED = 0x0001; - const int SEC_DESC_GROUP_DEFAULTED = 0x0002; - const int SEC_DESC_DACL_PRESENT = 0x0004; - const int SEC_DESC_DACL_DEFAULTED = 0x0008; - const int SEC_DESC_SACL_PRESENT = 0x0010; - const int SEC_DESC_SACL_DEFAULTED = 0x0020; - const int SEC_DESC_DACL_TRUSTED = 0x0040; - const int SEC_DESC_SERVER_SECURITY = 0x0080; - const int SEC_DESC_DACL_AUTO_INHERIT_REQ = 0x0100; - const int SEC_DESC_SACL_AUTO_INHERIT_REQ = 0x0200; - const int SEC_DESC_DACL_AUTO_INHERITED = 0x0400; - const int SEC_DESC_SACL_AUTO_INHERITED = 0x0800; - const int SEC_DESC_DACL_PROTECTED = 0x1000; - const int SEC_DESC_SACL_PROTECTED = 0x2000; - const int SEC_DESC_RM_CONTROL_VALID = 0x4000; - const int SEC_DESC_SELF_RELATIVE = 0x8000; - - typedef [public,flag(NDR_LITTLE_ENDIAN)] struct { - uint8 revision; - uint16 type; /* SEC_DESC_xxxx flags */ - [relative] 
dom_sid *owner_sid; - [relative] dom_sid *group_sid; - [relative] security_acl *sacl; /* system ACL */ - [relative] security_acl *dacl; /* user (discretionary) ACL */ - } security_descriptor; - typedef [public] struct { uint32 handle_type; GUID uuid; diff --git a/source4/librpc/idl/samr.idl b/source4/librpc/idl/samr.idl index a7bbe07b6a..358218c2a0 100644 --- a/source4/librpc/idl/samr.idl +++ b/source4/librpc/idl/samr.idl @@ -12,7 +12,7 @@ version(1.0), endpoint("ncacn_np:[\\pipe\\samr]","ncacn_ip_tcp:", "ncalrpc:"), pointer_default(unique), - depends(lsa) + depends(lsa,security) ] interface samr { /* account control (acct_flags) bits */ diff --git a/source4/librpc/idl/security.idl b/source4/librpc/idl/security.idl new file mode 100644 index 0000000000..ba75c0f54b --- /dev/null +++ b/source4/librpc/idl/security.idl 
@@ -0,0 +1,123 @@ +#include "idl_types.h" + +/* + security IDL structures +*/ + +interface security +{ + /* a NULL sid */ + const string SID_NULL = "S-1-0-0"; + + /* the world domain */ + const string SID_WORLD_DOMAIN = "S-1-1"; + const string SID_WORLD = "S-1-1-0"; + + /* SECURITY_CREATOR_SID_AUTHORITY */ + const string SID_CREATOR_OWNER_DOMAIN = "S-1-3"; + const string SID_CREATOR_OWNER = "S-1-3-0"; + const string SID_CREATOR_GROUP = "S-1-3-1"; + + /* SECURITY_NT_AUTHORITY */ + const string SID_NT_AUTHORITY = "S-1-5"; + const string SID_NETWORK = "S-1-5-2"; + const string SID_ANONYMOUS = "S-1-5-7"; + const string SID_AUTHENTICATED_USERS = "S-1-5-11"; + const string SID_SYSTEM = "S-1-5-18"; + + /* SECURITY_BUILTIN_DOMAIN_RID */ + const string SID_BUILTIN = "S-1-5-32"; + const string SID_BUILTIN_ADMINISTRATORS = "S-1-5-32-544"; + const string SID_BUILTIN_USERS = "S-1-5-32-545"; + const string SID_BUILTIN_GUESTS = "S-1-5-32-546"; + const string SID_BUILTIN_POWER_USERS = "S-1-5-32-547"; + const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548"; + const string SID_BUILTIN_SERVER_OPERATORS = "S-1-5-32-549"; + const string SID_BUILTIN_PRINT_OPERATORS = "S-1-5-32-550"; + const string SID_BUILTIN_BACKUP_OPERATORS = "S-1-5-32-551"; + const string SID_BUILTIN_REPLICATOR = "S-1-5-32-552"; + + /* a domain SID. 
Note that unlike Samba3 this contains a pointer, + so you can't copy them using assignment */ + typedef [public,noprint] struct { + uint8 sid_rev_num; /**< SID revision number */ + uint8 num_auths; /**< Number of sub-authorities */ + uint8 id_auth[6]; /**< Identifier Authority */ + uint32 sub_auths[num_auths]; + } dom_sid; + + typedef [public] struct { + uint8 type; /* xxxx_xxxx_ACE_TYPE - e.g allowed / denied etc */ + uint8 flags; /* xxxx_INHERIT_xxxx - e.g OBJECT_INHERIT_ACE */ + [value(ndr_size_security_ace(r))] uint16 size; + uint32 access_mask; + +#if 0 + /* the 'obj' part is present when type is XXXX_TYPE_XXXX_OBJECT */ + struct { + uint32 flags; + GUID object_guid; + GUID inherit_guid; + } *obj; +#endif + + dom_sid trustee; + } security_ace; + + typedef [public] struct { + uint16 revision; + [value(ndr_size_security_acl(r))] uint16 size; + uint32 num_aces; + security_ace aces[num_aces]; + } security_acl; + + /* default revision for new ACLs */ + const int SD_REVISION = 1; + + /* security_descriptor->type bits */ + const int SEC_DESC_OWNER_DEFAULTED = 0x0001; + const int SEC_DESC_GROUP_DEFAULTED = 0x0002; + const int SEC_DESC_DACL_PRESENT = 0x0004; + const int SEC_DESC_DACL_DEFAULTED = 0x0008; + const int SEC_DESC_SACL_PRESENT = 0x0010; + const int SEC_DESC_SACL_DEFAULTED = 0x0020; + const int SEC_DESC_DACL_TRUSTED = 0x0040; + const int SEC_DESC_SERVER_SECURITY = 0x0080; + const int SEC_DESC_DACL_AUTO_INHERIT_REQ = 0x0100; + const int SEC_DESC_SACL_AUTO_INHERIT_REQ = 0x0200; + const int SEC_DESC_DACL_AUTO_INHERITED = 0x0400; + const int SEC_DESC_SACL_AUTO_INHERITED = 0x0800; + const int SEC_DESC_DACL_PROTECTED = 0x1000; + const int SEC_DESC_SACL_PROTECTED = 0x2000; + const int SEC_DESC_RM_CONTROL_VALID = 0x4000; + const int SEC_DESC_SELF_RELATIVE = 0x8000; + + typedef [public,flag(NDR_LITTLE_ENDIAN)] struct { + uint8 revision; + uint16 type; /* SEC_DESC_xxxx flags */ + [relative] dom_sid *owner_sid; + [relative] dom_sid *group_sid; + [relative] security_acl 
*sacl; /* system ACL */ + [relative] security_acl *dacl; /* user (discretionary) ACL */ + } security_descriptor; + + typedef [public,printonly] struct { + /* TODO */ + uint32 flags; + } security_privilege; + + typedef [public,printonly] struct { + uint32 flags; + dom_sid *user_sid; + dom_sid *group_sid; + dom_sid *logon_sid; + uint32 num_sids; + dom_sid sids[num_sids]; + uint32 num_restricted_sids; + dom_sid restricted_sids[num_restricted_sids]; + uint32 num_privileges; + security_privilege privileges[num_privileges]; + security_acl *dacl; + } security_token; + +} diff --git a/source4/librpc/idl/spoolss.idl b/source4/librpc/idl/spoolss.idl index 91a7632422..41b992c5a2 100644 --- a/source4/librpc/idl/spoolss.idl +++ b/source4/librpc/idl/spoolss.idl @@ -8,7 +8,8 @@ version(1.0), endpoint("ncacn_np:[\\pipe\\spoolss]"), pointer_default(unique), - helpstring("Spooler SubSystem") + helpstring("Spooler SubSystem"), + depends(security) ] interface spoolss { typedef struct { diff --git a/source4/librpc/idl/srvsvc.idl b/source4/librpc/idl/srvsvc.idl index 02e3dd6578..ee5b369534 100644 --- a/source4/librpc/idl/srvsvc.idl +++ b/source4/librpc/idl/srvsvc.idl @@ -7,7 +7,8 @@ [ uuid("4b324fc8-1670-01d3-1278-5a47bf6ee188"), version(3.0), pointer_default(unique), - helpstring("Server Service") + helpstring("Server Service"), + depends(security) ] interface srvsvc { /**************************/ diff --git a/source4/librpc/ndr/ndr_sec.c b/source4/librpc/ndr/ndr_sec.c index c91c2762c2..798d3a7cf1 100644 --- a/source4/librpc/ndr/ndr_sec.c +++ b/source4/librpc/ndr/ndr_sec.c @@ -23,6 +23,7 @@ #include "includes.h" +#include "librpc/gen_ndr/ndr_security.h" /* parse a dom_sid2 - this is a dom_sid but with an extra copy of the num_auths field 
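Review bot: The new security_token and security_privilege typedefs are the only structs in this file whose fields carry no comments: `flags` on both, `restricted_sids` and `dacl` on the token are unexplained and security_privilege is just `/* TODO */`. Suggest at least `uint32 flags; /* token flags; no values defined yet */` and `security_acl *dacl; /* TODO: document - presumably the token's default DACL */`, hedged because nothing in the patch says what dacl is used for. It is also worth a comment at the typedef that `sids[]` and `restricted_sids[]` hold dom_sid by value while each dom_sid owns a sub_auths pointer, so entries must be built with dom_sid_dup() or dom_sid_parse_talloc() rather than assigned, which is the same copy trap the dom_sid comment above already warns about.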
@@ -112,18 +113,3 @@ size_t ndr_size_security_descriptor(struct security_descriptor *sd)
 ret += ndr_size_security_acl(sd->sacl);
 return ret;
 }
-
-/*
- talloc and copy a security descriptor
- */
-struct security_descriptor *copy_security_descriptor(TALLOC_CTX *mem_ctx,
- const struct security_descriptor *osd)
-{
- struct security_descriptor *nsd;
-
- /* FIXME */
- DEBUG(1, ("copy_security_descriptor: sorry unimplemented yet\n"));
- nsd = NULL;
-
- return nsd;
-}
diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index 11e385153e..de8ac73304 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -198,7 +198,7 @@ NTSTATUS dcesrv_interface_register(struct dcesrv_context *dce_ctx, * we try to set it */
 if (ep->sd == NULL) {
- ep->sd = copy_security_descriptor(dce_ctx, sd);
+ ep->sd = security_descriptor_copy(dce_ctx, sd);
 }
 /* if now there's no security descriptor given on the endpoint
diff --git a/source4/rpc_server/samr/samdb.c b/source4/rpc_server/samr/samdb.c
index 488c48cd50..7501d94ae6 100644
--- a/source4/rpc_server/samr/samdb.c
+++ b/source4/rpc_server/samr/samdb.c
@@ -888,7 +888,7 @@ struct security_descriptor *samdb_default_security_descriptor(TALLOC_CTX *mem_ct
 {
 struct security_descriptor *sd;
- sd = sd_initialise(mem_ctx);
+ sd = security_descriptor_initialise(mem_ctx);
 return sd;
 }
diff --git a/source4/smb_server/nttrans.c b/source4/smb_server/nttrans.c
index b623578514..49c41181a8 100644
--- a/source4/smb_server/nttrans.c
+++ b/source4/smb_server/nttrans.c
@@ -24,6 +24,7 @@
 #include "includes.h"
 #include "smb_server/smb_server.h"
+#include "librpc/gen_ndr/ndr_security.h"
diff --git a/source4/torture/rpc/samsync.c b/source4/torture/rpc/samsync.c
index 4efb5044dd..7f9cf321dc 100644
--- a/source4/torture/rpc/samsync.c
+++ b/source4/torture/rpc/samsync.c
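Review bot: The result of `security_descriptor_copy(dce_ctx, sd)` at the replaced line in dcesrv_interface_register is not checked, and unlike the old `copy_security_descriptor` (a stub that unconditionally returned NULL, as the deletion in ndr_sec.c above shows) the new callee is presumably a real talloc-backed copy that can fail. On failure `ep->sd` stays NULL and control falls through to the `/* if now there's no security descriptor given on the endpoint` path, so an out-of-memory condition would silently be treated the same as "no descriptor supplied" — a fail-open on an access-control object rather than a reported error. I would separate the two cases, since the hunk header shows the function returns NTSTATUS: `if (sd != NULL) { ep->sd = security_descriptor_copy(dce_ctx, sd); if (ep->sd == NULL) return NT_STATUS_NO_MEMORY; }`. dcesrv_interface_register starts and ends outside the hunk and security_descriptor_copy is not visible here, so confirm whether it already tolerates a NULL `sd` before adding the guard.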
@@ -301,7 +301,7 @@ static BOOL samsync_handle_policy(TALLOC_CTX *mem_ctx, struct samsync_state *sam
 }
 }
- if (!sid_equal(samsync_state->sid[SAM_DATABASE_DOMAIN], policy->sid)) {
+ if (!dom_sid_equal(samsync_state->sid[SAM_DATABASE_DOMAIN], policy->sid)) {
 printf("Domain SID from POLICY (%s) does not match domain sid from SAMR (%s)\n", dom_sid_string(mem_ctx, policy->sid), dom_sid_string(mem_ctx, samsync_state->sid[SAM_DATABASE_DOMAIN]));
 return False;
-- cgit
