From 99b288156f021db7bb771f3a5bf78def61d699f2 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sun, 1 Mar 2009 17:59:30 +0100 Subject: Move secace.c to top-level. --- libcli/security/secace.c | 281 ++++++++++++++++++++++++++++++++++++ source3/Makefile.in | 3 +- source3/include/rpc_secdes.h | 1 - source3/lib/secace.c | 293 -------------------------------------- source3/lib/util_nttoken.c | 16 +++ source4/libcli/security/config.mk | 3 +- 6 files changed, 301 insertions(+), 296 deletions(-) create mode 100644 libcli/security/secace.c delete mode 100644 source3/lib/secace.c diff --git a/libcli/security/secace.c b/libcli/security/secace.c new file mode 100644 index 0000000000..4e8eddcb0b --- /dev/null +++ b/libcli/security/secace.c @@ -0,0 +1,281 @@ +/* + * Unix SMB/Netbios implementation. + * struct security_ace handling functions + * Copyright (C) Andrew Tridgell 1992-1998, + * Copyright (C) Jeremy R. Allison 1995-2003. + * Copyright (C) Luke Kenneth Casson Leighton 1996-1998, + * Copyright (C) Paul Ashton 1997-1998. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see . + */ + +#include "includes.h" +#include "librpc/gen_ndr/ndr_security.h" +#include "libcli/security/security.h" + +#define SEC_ACE_HEADER_SIZE (2 * sizeof(uint8_t) + sizeof(uint16_t) + sizeof(uint32_t)) + +/** + * Check if ACE has OBJECT type. + */ +bool sec_ace_object(uint8_t type) +{ + if (type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT || + type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT || + type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT || + type == SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT) { + return true; + } + return false; +} + +/** + * copy a struct security_ace structure. + */ +void sec_ace_copy(struct security_ace *ace_dest, struct security_ace *ace_src) +{ + ace_dest->type = ace_src->type; + ace_dest->flags = ace_src->flags; + ace_dest->size = ace_src->size; + ace_dest->access_mask = ace_src->access_mask; + ace_dest->object = ace_src->object; + ace_dest->trustee = ace_src->trustee; +} + +/******************************************************************* + Sets up a struct security_ace structure. +********************************************************************/ + +void init_sec_ace(struct security_ace *t, const struct dom_sid *sid, enum security_ace_type type, + uint32_t mask, uint8_t flag) +{ + t->type = type; + t->flags = flag; + t->size = ndr_size_dom_sid(sid, NULL, 0) + 8; + t->access_mask = mask; + + t->trustee = *sid; +} + +/******************************************************************* + adds new SID with its permissions to ACE list +********************************************************************/ + +NTSTATUS sec_ace_add_sid(TALLOC_CTX *ctx, struct security_ace **pp_new, struct security_ace *old, unsigned *num, struct dom_sid *sid, uint32_t mask) +{ + unsigned int i = 0; + + if (!ctx || !pp_new || !old || !sid || !num) return NT_STATUS_INVALID_PARAMETER; + + *num += 1; + + if((pp_new[0] = talloc_zero_array(ctx, struct security_ace, *num )) == 0) + return NT_STATUS_NO_MEMORY; + + for (i = 0; i < *num - 1; i ++) + sec_ace_copy(&(*pp_new)[i], &old[i]); + + (*pp_new)[i].type = SEC_ACE_TYPE_ACCESS_ALLOWED; + (*pp_new)[i].flags = 0; + (*pp_new)[i].size = SEC_ACE_HEADER_SIZE + ndr_size_dom_sid(sid, NULL, 0); + (*pp_new)[i].access_mask = mask; + (*pp_new)[i].trustee = *sid; + return NT_STATUS_OK; +} + +/******************************************************************* + modify SID's permissions at ACL +********************************************************************/ + +NTSTATUS sec_ace_mod_sid(struct security_ace *ace, size_t num, struct dom_sid *sid, uint32_t mask) +{ + unsigned int i = 0; + + if (!ace || !sid) return NT_STATUS_INVALID_PARAMETER; + + for (i = 0; i < num; i ++) { + if (dom_sid_equal(&ace[i].trustee, sid)) { + ace[i].access_mask = mask; + return NT_STATUS_OK; + } + } + return NT_STATUS_NOT_FOUND; +} + +/******************************************************************* + delete SID from ACL +********************************************************************/ + +NTSTATUS sec_ace_del_sid(TALLOC_CTX *ctx, struct security_ace **pp_new, struct security_ace *old, uint32_t *num, struct dom_sid *sid) +{ + unsigned int i = 0; + unsigned int n_del = 0; + + if (!ctx || !pp_new || !old || !sid || !num) return NT_STATUS_INVALID_PARAMETER; + + if (*num) { + if((pp_new[0] = talloc_zero_array(ctx, struct security_ace, *num )) == 0) + return NT_STATUS_NO_MEMORY; + } else { + pp_new[0] = NULL; + } + + for (i = 0; i < *num; i ++) { + if (!dom_sid_equal(&old[i].trustee, sid)) + sec_ace_copy(&(*pp_new)[i], &old[i]); + else + n_del ++; + } + if (n_del == 0) + return NT_STATUS_NOT_FOUND; + else { + *num -= n_del; + return NT_STATUS_OK; + } +} + +/******************************************************************* + Compares two struct security_ace structures +********************************************************************/ + +bool sec_ace_equal(struct security_ace *s1, struct security_ace *s2) +{ + /* Trivial case */ + + if (!s1 && !s2) { + return true; + } + + if (!s1 || !s2) { + return false; + } + + /* Check top level stuff */ + + if (s1->type != s2->type || s1->flags != s2->flags || + s1->access_mask != s2->access_mask) { + return false; + } + + /* Check SID */ + + if (!dom_sid_equal(&s1->trustee, &s2->trustee)) { + return false; + } + + return true; +} + +int nt_ace_inherit_comp( struct security_ace *a1, struct security_ace *a2) +{ + int a1_inh = a1->flags & SEC_ACE_FLAG_INHERITED_ACE; + int a2_inh = a2->flags & SEC_ACE_FLAG_INHERITED_ACE; + + if (a1_inh == a2_inh) + return 0; + + if (!a1_inh && a2_inh) + return -1; + return 1; +} + +/******************************************************************* + Comparison function to apply the order explained below in a group. +*******************************************************************/ + +int nt_ace_canon_comp( struct security_ace *a1, struct security_ace *a2) +{ + if ((a1->type == SEC_ACE_TYPE_ACCESS_DENIED) && + (a2->type != SEC_ACE_TYPE_ACCESS_DENIED)) + return -1; + + if ((a2->type == SEC_ACE_TYPE_ACCESS_DENIED) && + (a1->type != SEC_ACE_TYPE_ACCESS_DENIED)) + return 1; + + /* Both access denied or access allowed. */ + + /* 1. ACEs that apply to the object itself */ + + if (!(a1->flags & SEC_ACE_FLAG_INHERIT_ONLY) && + (a2->flags & SEC_ACE_FLAG_INHERIT_ONLY)) + return -1; + else if (!(a2->flags & SEC_ACE_FLAG_INHERIT_ONLY) && + (a1->flags & SEC_ACE_FLAG_INHERIT_ONLY)) + return 1; + + /* 2. ACEs that apply to a subobject of the object, such as + * a property set or property. */ + + if (a1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT) && + !(a2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT))) + return -1; + else if (a2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT) && + !(a1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT))) + return 1; + + return 0; +} + +/******************************************************************* + Functions to convert a SEC_DESC ACE DACL list into canonical order. + JRA. + +--- from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/order_of_aces_in_a_dacl.asp + +The following describes the preferred order: + + To ensure that noninherited ACEs have precedence over inherited ACEs, + place all noninherited ACEs in a group before any inherited ACEs. + This ordering ensures, for example, that a noninherited access-denied ACE + is enforced regardless of any inherited ACE that allows access. + + Within the groups of noninherited ACEs and inherited ACEs, order ACEs according to ACE type, as the following shows: + 1. Access-denied ACEs that apply to the object itself + 2. Access-denied ACEs that apply to a subobject of the object, such as a property set or property + 3. Access-allowed ACEs that apply to the object itself + 4. Access-allowed ACEs that apply to a subobject of the object" + +********************************************************************/ + +void dacl_sort_into_canonical_order(struct security_ace *srclist, unsigned int num_aces) +{ + unsigned int i; + + if (!srclist || num_aces == 0) + return; + + /* Sort so that non-inherited ACE's come first. */ + qsort( srclist, num_aces, sizeof(srclist[0]), QSORT_CAST nt_ace_inherit_comp); + + /* Find the boundary between non-inherited ACEs. */ + for (i = 0; i < num_aces; i++ ) { + struct security_ace *curr_ace = &srclist[i]; + + if (curr_ace->flags & SEC_ACE_FLAG_INHERITED_ACE) + break; + } + + /* i now points at entry number of the first inherited ACE. */ + + /* Sort the non-inherited ACEs. */ + if (i) + qsort( srclist, i, sizeof(srclist[0]), QSORT_CAST nt_ace_canon_comp); + + /* Now sort the inherited ACEs. */ + if (num_aces - i) + qsort( &srclist[i], num_aces - i, sizeof(srclist[0]), QSORT_CAST nt_ace_canon_comp); +} + + diff --git a/source3/Makefile.in b/source3/Makefile.in index d957d70edb..30990f4c54 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -370,7 +370,8 @@ LIB_OBJ = $(LIBSAMBAUTIL_OBJ) $(UTIL_OBJ) $(CRYPTO_OBJ) \ lib/adt_tree.o lib/gencache.o \ lib/module.o lib/events.o @LIBTEVENT_OBJ0@ \ lib/ldap_escape.o @CHARSET_STATIC@ \ - lib/secdesc.o lib/util_seaccess.o lib/secace.o lib/secacl.o \ + lib/secdesc.o lib/util_seaccess.o ../libcli/security/secace.o \ + lib/secacl.o \ libads/krb5_errs.o lib/system_smbd.o lib/audit.o $(LIBNDR_OBJ) \ lib/file_id.o lib/idmap_cache.o \ ../libcli/security/dom_sid.o diff --git a/source3/include/rpc_secdes.h b/source3/include/rpc_secdes.h index 4bf0d9cb9d..37f7464a4a 100644 --- a/source3/include/rpc_secdes.h +++ b/source3/include/rpc_secdes.h @@ -69,7 +69,6 @@ /* SEC_ACE */ typedef struct security_ace SEC_ACE; -#define SEC_ACE_HEADER_SIZE (2 * sizeof(uint8) + sizeof(uint16) + sizeof(uint32)) #ifndef ACL_REVISION #define ACL_REVISION 0x3 diff --git a/source3/lib/secace.c b/source3/lib/secace.c deleted file mode 100644 index 878fac252b..0000000000 --- a/source3/lib/secace.c +++ /dev/null @@ -1,293 +0,0 @@ -/* - * Unix SMB/Netbios implementation. - * SEC_ACE handling functions - * Copyright (C) Andrew Tridgell 1992-1998, - * Copyright (C) Jeremy R. Allison 1995-2003. - * Copyright (C) Luke Kenneth Casson Leighton 1996-1998, - * Copyright (C) Paul Ashton 1997-1998. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see . - */ - -#include "includes.h" - -/******************************************************************* - Check if ACE has OBJECT type. -********************************************************************/ - -bool sec_ace_object(uint8 type) -{ - if (type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT || - type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT || - type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT || - type == SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT) { - return True; - } - return False; -} - -/******************************************************************* - copy a SEC_ACE structure. -********************************************************************/ -void sec_ace_copy(SEC_ACE *ace_dest, SEC_ACE *ace_src) -{ - ace_dest->type = ace_src->type; - ace_dest->flags = ace_src->flags; - ace_dest->size = ace_src->size; - ace_dest->access_mask = ace_src->access_mask; - ace_dest->object = ace_src->object; - sid_copy(&ace_dest->trustee, &ace_src->trustee); -} - -/******************************************************************* - Sets up a SEC_ACE structure. -********************************************************************/ - -void init_sec_ace(SEC_ACE *t, const DOM_SID *sid, enum security_ace_type type, - uint32_t mask, uint8 flag) -{ - t->type = type; - t->flags = flag; - t->size = ndr_size_dom_sid(sid, NULL, 0) + 8; - t->access_mask = mask; - - ZERO_STRUCTP(&t->trustee); - sid_copy(&t->trustee, sid); -} - -/******************************************************************* - adds new SID with its permissions to ACE list -********************************************************************/ - -NTSTATUS sec_ace_add_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, unsigned *num, DOM_SID *sid, uint32 mask) -{ - unsigned int i = 0; - - if (!ctx || !pp_new || !old || !sid || !num) return NT_STATUS_INVALID_PARAMETER; - - *num += 1; - - if((pp_new[0] = TALLOC_ZERO_ARRAY(ctx, SEC_ACE, *num )) == 0) - return NT_STATUS_NO_MEMORY; - - for (i = 0; i < *num - 1; i ++) - sec_ace_copy(&(*pp_new)[i], &old[i]); - - (*pp_new)[i].type = SEC_ACE_TYPE_ACCESS_ALLOWED; - (*pp_new)[i].flags = 0; - (*pp_new)[i].size = SEC_ACE_HEADER_SIZE + ndr_size_dom_sid(sid, NULL, 0); - (*pp_new)[i].access_mask = mask; - sid_copy(&(*pp_new)[i].trustee, sid); - return NT_STATUS_OK; -} - -/******************************************************************* - modify SID's permissions at ACL -********************************************************************/ - -NTSTATUS sec_ace_mod_sid(SEC_ACE *ace, size_t num, DOM_SID *sid, uint32 mask) -{ - unsigned int i = 0; - - if (!ace || !sid) return NT_STATUS_INVALID_PARAMETER; - - for (i = 0; i < num; i ++) { - if (sid_compare(&ace[i].trustee, sid) == 0) { - ace[i].access_mask = mask; - return NT_STATUS_OK; - } - } - return NT_STATUS_NOT_FOUND; -} - -/******************************************************************* - delete SID from ACL -********************************************************************/ - -NTSTATUS sec_ace_del_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, uint32 *num, DOM_SID *sid) -{ - unsigned int i = 0; - unsigned int n_del = 0; - - if (!ctx || !pp_new || !old || !sid || !num) return NT_STATUS_INVALID_PARAMETER; - - if (*num) { - if((pp_new[0] = TALLOC_ZERO_ARRAY(ctx, SEC_ACE, *num )) == 0) - return NT_STATUS_NO_MEMORY; - } else { - pp_new[0] = NULL; - } - - for (i = 0; i < *num; i ++) { - if (sid_compare(&old[i].trustee, sid) != 0) - sec_ace_copy(&(*pp_new)[i], &old[i]); - else - n_del ++; - } - if (n_del == 0) - return NT_STATUS_NOT_FOUND; - else { - *num -= n_del; - return NT_STATUS_OK; - } -} - -/******************************************************************* - Compares two SEC_ACE structures -********************************************************************/ - -bool sec_ace_equal(SEC_ACE *s1, SEC_ACE *s2) -{ - /* Trivial case */ - - if (!s1 && !s2) { - return True; - } - - if (!s1 || !s2) { - return False; - } - - /* Check top level stuff */ - - if (s1->type != s2->type || s1->flags != s2->flags || - s1->access_mask != s2->access_mask) { - return False; - } - - /* Check SID */ - - if (!sid_equal(&s1->trustee, &s2->trustee)) { - return False; - } - - return True; -} - -int nt_ace_inherit_comp( SEC_ACE *a1, SEC_ACE *a2) -{ - int a1_inh = a1->flags & SEC_ACE_FLAG_INHERITED_ACE; - int a2_inh = a2->flags & SEC_ACE_FLAG_INHERITED_ACE; - - if (a1_inh == a2_inh) - return 0; - - if (!a1_inh && a2_inh) - return -1; - return 1; -} - -/******************************************************************* - Comparison function to apply the order explained below in a group. -*******************************************************************/ - -int nt_ace_canon_comp( SEC_ACE *a1, SEC_ACE *a2) -{ - if ((a1->type == SEC_ACE_TYPE_ACCESS_DENIED) && - (a2->type != SEC_ACE_TYPE_ACCESS_DENIED)) - return -1; - - if ((a2->type == SEC_ACE_TYPE_ACCESS_DENIED) && - (a1->type != SEC_ACE_TYPE_ACCESS_DENIED)) - return 1; - - /* Both access denied or access allowed. */ - - /* 1. ACEs that apply to the object itself */ - - if (!(a1->flags & SEC_ACE_FLAG_INHERIT_ONLY) && - (a2->flags & SEC_ACE_FLAG_INHERIT_ONLY)) - return -1; - else if (!(a2->flags & SEC_ACE_FLAG_INHERIT_ONLY) && - (a1->flags & SEC_ACE_FLAG_INHERIT_ONLY)) - return 1; - - /* 2. ACEs that apply to a subobject of the object, such as - * a property set or property. */ - - if (a1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT) && - !(a2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT))) - return -1; - else if (a2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT) && - !(a1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT))) - return 1; - - return 0; -} - -/******************************************************************* - Functions to convert a SEC_DESC ACE DACL list into canonical order. - JRA. - ---- from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/order_of_aces_in_a_dacl.asp - -The following describes the preferred order: - - To ensure that noninherited ACEs have precedence over inherited ACEs, - place all noninherited ACEs in a group before any inherited ACEs. - This ordering ensures, for example, that a noninherited access-denied ACE - is enforced regardless of any inherited ACE that allows access. - - Within the groups of noninherited ACEs and inherited ACEs, order ACEs according to ACE type, as the following shows: - 1. Access-denied ACEs that apply to the object itself - 2. Access-denied ACEs that apply to a subobject of the object, such as a property set or property - 3. Access-allowed ACEs that apply to the object itself - 4. Access-allowed ACEs that apply to a subobject of the object" - -********************************************************************/ - -void dacl_sort_into_canonical_order(SEC_ACE *srclist, unsigned int num_aces) -{ - unsigned int i; - - if (!srclist || num_aces == 0) - return; - - /* Sort so that non-inherited ACE's come first. */ - qsort( srclist, num_aces, sizeof(srclist[0]), QSORT_CAST nt_ace_inherit_comp); - - /* Find the boundary between non-inherited ACEs. */ - for (i = 0; i < num_aces; i++ ) { - SEC_ACE *curr_ace = &srclist[i]; - - if (curr_ace->flags & SEC_ACE_FLAG_INHERITED_ACE) - break; - } - - /* i now points at entry number of the first inherited ACE. */ - - /* Sort the non-inherited ACEs. */ - if (i) - qsort( srclist, i, sizeof(srclist[0]), QSORT_CAST nt_ace_canon_comp); - - /* Now sort the inherited ACEs. */ - if (num_aces - i) - qsort( &srclist[i], num_aces - i, sizeof(srclist[0]), QSORT_CAST nt_ace_canon_comp); -} - -/******************************************************************* - Check if this ACE has a SID in common with the token. -********************************************************************/ - -bool token_sid_in_ace(const NT_USER_TOKEN *token, const SEC_ACE *ace) -{ - size_t i; - - for (i = 0; i < token->num_sids; i++) { - if (sid_equal(&ace->trustee, &token->user_sids[i])) - return True; - } - - return False; -} diff --git a/source3/lib/util_nttoken.c b/source3/lib/util_nttoken.c index 774ef498b7..76e7402422 100644 --- a/source3/lib/util_nttoken.c +++ b/source3/lib/util_nttoken.c @@ -115,3 +115,19 @@ NTSTATUS merge_nt_token(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } + +/******************************************************************* + Check if this ACE has a SID in common with the token. +********************************************************************/ + +bool token_sid_in_ace(const NT_USER_TOKEN *token, const struct security_ace *ace) +{ + size_t i; + + for (i = 0; i < token->num_sids; i++) { + if (sid_equal(&ace->trustee, &token->user_sids[i])) + return true; + } + + return false; +} diff --git a/source4/libcli/security/config.mk b/source4/libcli/security/config.mk index cd5b75bb81..d99b83c2b5 100644 --- a/source4/libcli/security/config.mk +++ b/source4/libcli/security/config.mk @@ -3,6 +3,7 @@ PUBLIC_DEPENDENCIES = LIBNDR LIBSECURITY_COMMON LIBSECURITY_OBJ_FILES = $(addprefix $(libclisrcdir)/security/, \ security_token.o security_descriptor.o \ - access_check.o privilege.o sddl.o) + access_check.o privilege.o sddl.o) \ + ../libcli/security/secace.o $(eval $(call proto_header_template,$(libclisrcdir)/security/proto.h,$(LIBSECURITY_OBJ_FILES:.o=.c))) -- cgit From 9bd0cf8d60b9bbaafa20f33bb1baf222620fb0b0 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sun, 1 Mar 2009 18:02:24 +0100 Subject: Keep using Samba3's charset.h for now. --- source3/include/includes.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/include/includes.h b/source3/include/includes.h index 7f8c408265..523a11e255 100644 --- a/source3/include/includes.h +++ b/source3/include/includes.h @@ -594,7 +594,7 @@ struct smb_iconv_convenience *lp_iconv_convenience(void *lp_ctx); #include "trans2.h" #include "../libcli/util/error.h" #include "ntioctl.h" -#include "../lib/util/charset/charset.h" +#include "charset.h" #include "dynconfig.h" #include "util_getent.h" #include "debugparse.h" -- cgit From d3c2de093a35d0168fead27787a3da44a39fbea9 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sun, 1 Mar 2009 18:05:22 +0100 Subject: Also re-add removed codepoint_t; I'm clearly not having my day today. --- source3/include/smb.h | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/source3/include/smb.h b/source3/include/smb.h index 189e370496..f02088731d 100644 --- a/source3/include/smb.h +++ b/source3/include/smb.h @@ -167,6 +167,10 @@ typedef uint16 smb_ucs2_t; #define COPY_UCS2_CHAR(dest,src) (((unsigned char *)(dest))[0] = ((unsigned char *)(src))[0],\ ((unsigned char *)(dest))[1] = ((unsigned char *)(src))[1], (dest)) +/* Large data type for manipulating uint32 unicode codepoints */ +typedef uint32 codepoint_t; +#define INVALID_CODEPOINT ((codepoint_t)-1) + /* pipe string names */ #define PIPE_LANMAN "\\PIPE\\LANMAN" @@ -1827,6 +1831,18 @@ struct unix_error_map { #define SAFE_NETBIOS_CHARS ". -_" +/* generic iconv conversion structure */ +typedef struct _smb_iconv_t { + size_t (*direct)(void *cd, const char **inbuf, size_t *inbytesleft, + char **outbuf, size_t *outbytesleft); + size_t (*pull)(void *cd, const char **inbuf, size_t *inbytesleft, + char **outbuf, size_t *outbytesleft); + size_t (*push)(void *cd, const char **inbuf, size_t *inbytesleft, + char **outbuf, size_t *outbytesleft); + void *cd_direct, *cd_pull, *cd_push; + char *from_name, *to_name; +} *smb_iconv_t; + /* The maximum length of a trust account password. Used when we randomly create it, 15 char passwords exceed NT4's max password length */ -- cgit From e9bba3e288a204732775427dd4098d7dea2cafd9 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sun, 1 Mar 2009 18:15:15 +0100 Subject: dom_sid.h: Include dependency security.h that provides the dom_sid struct. --- libcli/security/dom_sid.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h index 9d96392777..e89253554e 100644 --- a/libcli/security/dom_sid.h +++ b/libcli/security/dom_sid.h @@ -23,6 +23,8 @@ #ifndef _DOM_SID_H_ #define _DOM_SID_H_ +#include "librpc/gen_ndr/security.h" + int dom_sid_compare(const struct dom_sid *sid1, const struct dom_sid *sid2); bool dom_sid_equal(const struct dom_sid *sid1, const struct dom_sid *sid2); bool dom_sid_parse(const char *sidstr, struct dom_sid *ret); -- cgit From da6721e3231fb93b934440c2d92abab834289c82 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sun, 1 Mar 2009 18:15:36 +0100 Subject: Move secacl to top-level. --- libcli/security/secacl.c | 122 ++++++++++++++++++++++++++++++++++++++ source3/Makefile.in | 2 +- source3/include/rpc_secdes.h | 1 - source3/lib/secacl.c | 118 ------------------------------------ source4/libcli/security/config.mk | 3 +- 5 files changed, 125 insertions(+), 121 deletions(-) create mode 100644 libcli/security/secacl.c delete mode 100644 source3/lib/secacl.c diff --git a/libcli/security/secacl.c b/libcli/security/secacl.c new file mode 100644 index 0000000000..45640773b0 --- /dev/null +++ b/libcli/security/secacl.c @@ -0,0 +1,122 @@ +/* + * Unix SMB/Netbios implementation. + * SEC_ACL handling routines + * Copyright (C) Andrew Tridgell 1992-1998, + * Copyright (C) Jeremy R. Allison 1995-2003. + * Copyright (C) Luke Kenneth Casson Leighton 1996-1998, + * Copyright (C) Paul Ashton 1997-1998. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see . + */ + +#include "includes.h" +#include "libcli/security/security.h" + +#define SEC_ACL_HEADER_SIZE (2 * sizeof(uint16_t) + sizeof(uint32_t)) + +/******************************************************************* + Create a SEC_ACL structure. +********************************************************************/ + +struct security_acl *make_sec_acl(TALLOC_CTX *ctx, + enum security_acl_revision revision, + int num_aces, struct security_ace *ace_list) +{ + struct security_acl *dst; + int i; + + if((dst = talloc_zero(ctx, struct security_acl)) == NULL) + return NULL; + + dst->revision = revision; + dst->num_aces = num_aces; + dst->size = SEC_ACL_HEADER_SIZE; + + /* Now we need to return a non-NULL address for the ace list even + if the number of aces required is zero. This is because there + is a distinct difference between a NULL ace and an ace with zero + entries in it. This is achieved by checking that num_aces is a + positive number. */ + + if ((num_aces) && + ((dst->aces = talloc_array(ctx, struct security_ace, num_aces)) + == NULL)) { + return NULL; + } + + for (i = 0; i < num_aces; i++) { + dst->aces[i] = ace_list[i]; /* Structure copy. */ + dst->size += ace_list[i].size; + } + + return dst; +} + +/******************************************************************* + Duplicate a SEC_ACL structure. +********************************************************************/ + +struct security_acl *dup_sec_acl(TALLOC_CTX *ctx, struct security_acl *src) +{ + if(src == NULL) + return NULL; + + return make_sec_acl(ctx, src->revision, src->num_aces, src->aces); +} + +/******************************************************************* + Compares two SEC_ACL structures +********************************************************************/ + +bool sec_acl_equal(struct security_acl *s1, struct security_acl *s2) +{ + unsigned int i, j; + + /* Trivial cases */ + + if (!s1 && !s2) return true; + if (!s1 || !s2) return false; + + /* Check top level stuff */ + + if (s1->revision != s2->revision) { + DEBUG(10, ("sec_acl_equal(): revision differs (%d != %d)\n", + s1->revision, s2->revision)); + return false; + } + + if (s1->num_aces != s2->num_aces) { + DEBUG(10, ("sec_acl_equal(): num_aces differs (%d != %d)\n", + s1->revision, s2->revision)); + return false; + } + + /* The ACEs could be in any order so check each ACE in s1 against + each ACE in s2. */ + + for (i = 0; i < s1->num_aces; i++) { + bool found = false; + + for (j = 0; j < s2->num_aces; j++) { + if (sec_ace_equal(&s1->aces[i], &s2->aces[j])) { + found = true; + break; + } + } + + if (!found) return false; + } + + return true; +} diff --git a/source3/Makefile.in b/source3/Makefile.in index 30990f4c54..f1272559b7 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -371,7 +371,7 @@ LIB_OBJ = $(LIBSAMBAUTIL_OBJ) $(UTIL_OBJ) $(CRYPTO_OBJ) \ lib/module.o lib/events.o @LIBTEVENT_OBJ0@ \ lib/ldap_escape.o @CHARSET_STATIC@ \ lib/secdesc.o lib/util_seaccess.o ../libcli/security/secace.o \ - lib/secacl.o \ + ../libcli/security/secacl.o \ libads/krb5_errs.o lib/system_smbd.o lib/audit.o $(LIBNDR_OBJ) \ lib/file_id.o lib/idmap_cache.o \ ../libcli/security/dom_sid.o diff --git a/source3/include/rpc_secdes.h b/source3/include/rpc_secdes.h index 37f7464a4a..c74d621f35 100644 --- a/source3/include/rpc_secdes.h +++ b/source3/include/rpc_secdes.h @@ -77,7 +77,6 @@ typedef struct security_ace SEC_ACE; #ifndef _SEC_ACL /* SEC_ACL */ typedef struct security_acl SEC_ACL; -#define SEC_ACL_HEADER_SIZE (2 * sizeof(uint16) + sizeof(uint32)) #define _SEC_ACL #endif diff --git a/source3/lib/secacl.c b/source3/lib/secacl.c deleted file mode 100644 index 5e82242e1b..0000000000 --- a/source3/lib/secacl.c +++ /dev/null @@ -1,118 +0,0 @@ -/* - * Unix SMB/Netbios implementation. - * SEC_ACL handling routines - * Copyright (C) Andrew Tridgell 1992-1998, - * Copyright (C) Jeremy R. Allison 1995-2003. - * Copyright (C) Luke Kenneth Casson Leighton 1996-1998, - * Copyright (C) Paul Ashton 1997-1998. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see . - */ - -#include "includes.h" - -/******************************************************************* - Create a SEC_ACL structure. -********************************************************************/ - -SEC_ACL *make_sec_acl(TALLOC_CTX *ctx, enum security_acl_revision revision, - int num_aces, SEC_ACE *ace_list) -{ - SEC_ACL *dst; - int i; - - if((dst = TALLOC_ZERO_P(ctx,SEC_ACL)) == NULL) - return NULL; - - dst->revision = revision; - dst->num_aces = num_aces; - dst->size = SEC_ACL_HEADER_SIZE; - - /* Now we need to return a non-NULL address for the ace list even - if the number of aces required is zero. This is because there - is a distinct difference between a NULL ace and an ace with zero - entries in it. This is achieved by checking that num_aces is a - positive number. */ - - if ((num_aces) && - ((dst->aces = TALLOC_ARRAY(ctx, SEC_ACE, num_aces)) - == NULL)) { - return NULL; - } - - for (i = 0; i < num_aces; i++) { - dst->aces[i] = ace_list[i]; /* Structure copy. */ - dst->size += ace_list[i].size; - } - - return dst; -} - -/******************************************************************* - Duplicate a SEC_ACL structure. -********************************************************************/ - -SEC_ACL *dup_sec_acl(TALLOC_CTX *ctx, SEC_ACL *src) -{ - if(src == NULL) - return NULL; - - return make_sec_acl(ctx, src->revision, src->num_aces, src->aces); -} - -/******************************************************************* - Compares two SEC_ACL structures -********************************************************************/ - -bool sec_acl_equal(SEC_ACL *s1, SEC_ACL *s2) -{ - unsigned int i, j; - - /* Trivial cases */ - - if (!s1 && !s2) return True; - if (!s1 || !s2) return False; - - /* Check top level stuff */ - - if (s1->revision != s2->revision) { - DEBUG(10, ("sec_acl_equal(): revision differs (%d != %d)\n", - s1->revision, s2->revision)); - return False; - } - - if (s1->num_aces != s2->num_aces) { - DEBUG(10, ("sec_acl_equal(): num_aces differs (%d != %d)\n", - s1->revision, s2->revision)); - return False; - } - - /* The ACEs could be in any order so check each ACE in s1 against - each ACE in s2. */ - - for (i = 0; i < s1->num_aces; i++) { - bool found = False; - - for (j = 0; j < s2->num_aces; j++) { - if (sec_ace_equal(&s1->aces[i], &s2->aces[j])) { - found = True; - break; - } - } - - if (!found) return False; - } - - return True; -} diff --git a/source4/libcli/security/config.mk b/source4/libcli/security/config.mk index d99b83c2b5..d6d9ad5545 100644 --- a/source4/libcli/security/config.mk +++ b/source4/libcli/security/config.mk @@ -4,6 +4,7 @@ PUBLIC_DEPENDENCIES = LIBNDR LIBSECURITY_COMMON LIBSECURITY_OBJ_FILES = $(addprefix $(libclisrcdir)/security/, \ security_token.o security_descriptor.o \ access_check.o privilege.o sddl.o) \ - ../libcli/security/secace.o + ../libcli/security/secace.o \ + ../libcli/security/secacl.o $(eval $(call proto_header_template,$(libclisrcdir)/security/proto.h,$(LIBSECURITY_OBJ_FILES:.o=.c))) -- cgit From 8568b4fa9ff8f6f1a24547ec2ed5e2942b213d9e Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sun, 1 Mar 2009 20:06:55 +0100 Subject: Add header files for secace and secacl. --- libcli/security/secace.h | 39 ++++++++++++++++++++++++++++++++++++++ libcli/security/secacl.h | 33 ++++++++++++++++++++++++++++++++ source3/include/includes.h | 2 ++ source3/include/proto.h | 23 +--------------------- source4/libcli/security/security.h | 3 ++- 5 files changed, 77 insertions(+), 23 deletions(-) create mode 100644 libcli/security/secace.h create mode 100644 libcli/security/secacl.h diff --git a/libcli/security/secace.h b/libcli/security/secace.h new file mode 100644 index 0000000000..8b6625d07d --- /dev/null +++ b/libcli/security/secace.h @@ -0,0 +1,39 @@ +/* + Unix SMB/CIFS implementation. + Samba utility functions + + Copyright (C) 2009 Jelmer Vernooij + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _ACE_H_ +#define _ACE_H_ + +#include "librpc/gen_ndr/security.h" + +bool sec_ace_object(uint8_t type); +void sec_ace_copy(struct security_ace *ace_dest, struct security_ace *ace_src); +void init_sec_ace(struct security_ace *t, const struct dom_sid *sid, enum security_ace_type type, + uint32_t mask, uint8_t flag); +NTSTATUS sec_ace_add_sid(TALLOC_CTX *ctx, struct security_ace **pp_new, struct security_ace *old, unsigned *num, struct dom_sid *sid, uint32_t mask); +NTSTATUS sec_ace_mod_sid(struct security_ace *ace, size_t num, struct dom_sid *sid, uint32_t mask); +NTSTATUS sec_ace_del_sid(TALLOC_CTX *ctx, struct security_ace **pp_new, struct security_ace *old, uint32_t *num, struct dom_sid *sid); +bool sec_ace_equal(struct security_ace *s1, struct security_ace *s2); +int nt_ace_inherit_comp( struct security_ace *a1, struct security_ace *a2); +int nt_ace_canon_comp( struct security_ace *a1, struct security_ace *a2); +void dacl_sort_into_canonical_order(struct security_ace *srclist, unsigned int num_aces); + +#endif /*_ACE_H_*/ + diff --git a/libcli/security/secacl.h b/libcli/security/secacl.h new file mode 100644 index 0000000000..9f1e8fa183 --- /dev/null +++ b/libcli/security/secacl.h @@ -0,0 +1,33 @@ +/* + Unix SMB/CIFS implementation. + Samba utility functions + + Copyright (C) 2009 Jelmer Vernooij + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _SECACL_H_ +#define _SECACL_H_ + +#include "librpc/gen_ndr/security.h" + +struct security_acl *make_sec_acl(TALLOC_CTX *ctx, enum security_acl_revision revision, + int num_aces, struct security_ace *ace_list); +struct security_acl *dup_sec_acl(TALLOC_CTX *ctx, struct security_acl *src); +bool sec_acl_equal(struct security_acl *s1, struct security_acl *s2); + + +#endif /*_SECACL_H_*/ + diff --git a/source3/include/includes.h b/source3/include/includes.h index 523a11e255..63c77ec182 100644 --- a/source3/include/includes.h +++ b/source3/include/includes.h @@ -703,6 +703,8 @@ enum flush_reason_enum { #ifndef NO_PROTO_H #include "proto.h" #endif +#include "libcli/security/secace.h" +#include "libcli/security/secacl.h" #if defined(HAVE_POSIX_ACLS) #include "modules/vfs_posixacl.h" diff --git a/source3/include/proto.h b/source3/include/proto.h index eeb6f1928d..60f8ace74d 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -650,28 +650,6 @@ ssize_t sys_recvfile(int fromfd, size_t count); ssize_t drain_socket(int sockfd, size_t count); -/* The following definitions come from lib/secace.c */ - -bool sec_ace_object(uint8 type); -void sec_ace_copy(SEC_ACE *ace_dest, SEC_ACE *ace_src); -void init_sec_ace(SEC_ACE *t, const DOM_SID *sid, enum security_ace_type type, - uint32 mask, uint8 flag); -NTSTATUS sec_ace_add_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, unsigned *num, DOM_SID *sid, uint32 mask); -NTSTATUS sec_ace_mod_sid(SEC_ACE *ace, size_t num, DOM_SID *sid, uint32 mask); -NTSTATUS sec_ace_del_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, uint32 *num, DOM_SID *sid); -bool sec_ace_equal(SEC_ACE *s1, SEC_ACE *s2); -int nt_ace_inherit_comp( SEC_ACE *a1, SEC_ACE *a2); -int nt_ace_canon_comp( SEC_ACE *a1, SEC_ACE *a2); -void dacl_sort_into_canonical_order(SEC_ACE *srclist, unsigned int num_aces); -bool token_sid_in_ace(const NT_USER_TOKEN *token, const SEC_ACE *ace); - -/* The following definitions come from lib/secacl.c */ - -SEC_ACL *make_sec_acl(TALLOC_CTX *ctx, enum security_acl_revision revision, - int num_aces, SEC_ACE *ace_list); -SEC_ACL *dup_sec_acl(TALLOC_CTX *ctx, SEC_ACL *src); -bool sec_acl_equal(SEC_ACL *s1, SEC_ACL *s2); - /* The following definitions come from lib/secdesc.c */ bool sec_desc_equal(SEC_DESC *s1, SEC_DESC *s2); @@ -1252,6 +1230,7 @@ NTSTATUS merge_nt_token(TALLOC_CTX *mem_ctx, const struct nt_user_token *token_1, const struct nt_user_token *token_2, struct nt_user_token **token_out); +bool token_sid_in_ace(const NT_USER_TOKEN *token, const SEC_ACE *ace); /* The following definitions come from lib/util_pw.c */ diff --git a/source4/libcli/security/security.h b/source4/libcli/security/security.h index 517f3e8ebe..2608c9f7ed 100644 --- a/source4/libcli/security/security.h +++ b/source4/libcli/security/security.h @@ -30,5 +30,6 @@ struct auth_session_info; /* Moved the dom_sid functions to the top level dir with manual proto header */ #include "libcli/security/dom_sid.h" - +#include "libcli/security/secace.h" +#include "libcli/security/secacl.h" #include "libcli/security/proto.h" -- cgit