From 8dfec3305cc1babeb5d822dc806c0f5dede7da46 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 2 Dec 2005 03:16:42 +0000 Subject: r12005: added a SDDL (Security Descriptor Description Language) parser. Not all flags are covered yet, and object aces aren't done yet. This is needed for ACL support in ldb, as the default security descriptor for each object class is given by the defaultSecurityDescriptor attribute in the schema, which is stored in SDDL format (This used to be commit dbdeecea01a8b362a9a525a3689cb03662a86776) --- source4/libcli/security/sddl.c | 315 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 315 insertions(+) create mode 100644 source4/libcli/security/sddl.c (limited to 'source4/libcli/security/sddl.c') diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c new file mode 100644 index 0000000000..17df393de4 --- /dev/null +++ b/source4/libcli/security/sddl.c 
@@ -0,0 +1,315 @@ +/* + Unix SMB/CIFS implementation. + + security descriptor description language functions + + Copyright (C) Andrew Tridgell 2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" +#include "system/iconv.h" +#include "librpc/gen_ndr/ndr_security.h" + +struct flag_map { + const char *name; + uint32_t flag; +}; + +/* + map a series of letter codes into a uint32_t +*/ +static BOOL sddl_map_flags(const struct flag_map *map, const char *str, + uint32_t *flags, size_t *len) +{ + if (len) *len = 0; + *flags = 0; + while (str[0] && isupper(str[0])) { + int i; + for (i=0;map[i].name;i++) { + size_t l = strlen(map[i].name); + if (strncmp(map[i].name, str, l) == 0) { + *flags |= map[i].flag; + str += l; + if (len) *len += l; + break; + } + } + if (map[i].name == NULL) { + DEBUG(2, ("Unknown flag - %s\n", str)); + return False; + } + } + return True; +} + +/* + a mapping between the 2 letter SID codes and sid strings +*/ +static const struct { + const char *code; + const char *sid; +} sid_codes[] = { + { "AO", SID_BUILTIN_ACCOUNT_OPERATORS }, +}; + +/* + decode a SID + It can either be a special 2 letter code, or in S-* format +*/ +static struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp) +{ + const char *sddl = (*sddlp); + int i; + + /* see if its in the numeric format */ + if 
(strncmp(sddl, "S-", 2) == 0) { + size_t len = strspn(sddl+2, "-0123456789"); + (*sddlp) += len+2; + return dom_sid_parse_talloc(mem_ctx, sddl); + } + + /* now check for one of the special codes */ + for (i=0;itype = v; + + /* ace flags */ + if (!sddl_map_flags(ace_flags, tok[1], &v, NULL)) { + return False; + } + ace->flags = v; + + /* access mask */ + if (strncmp(tok[2], "0x", 2) == 0) { + ace->access_mask = strtol(tok[2], NULL, 16); + } else { + if (!sddl_map_flags(ace_access_mask, tok[2], &v, NULL)) { + return False; + } + ace->access_mask = v; + } + + /* object */ + if (tok[3][0] != 0) { + /* TODO: add object parsing ... */ + return False; + } + + /* inherit object */ + if (tok[4][0] != 0) { + /* TODO: add object parsing ... */ + return False; + } + + /* trustee */ + s = tok[5]; + sid = sddl_decode_sid(mem_ctx, &s); + if (sid == NULL) { + return False; + } + ace->trustee = *sid; + talloc_steal(mem_ctx, sid->sub_auths); + talloc_free(sid); + + return True; +} + +static const struct flag_map acl_flags[] = { + { "P", SEC_DESC_DACL_PROTECTED }, + { "AR", SEC_DESC_DACL_AUTO_INHERIT_REQ }, + { "AI", SEC_DESC_DACL_AUTO_INHERITED }, + { NULL, 0 } +}; + +/* + decode an ACL +*/ +static struct security_acl *sddl_decode_acl(struct security_descriptor *sd, + const char **sddlp, uint32_t *flags) +{ + const char *sddl = *sddlp; + struct security_acl *acl; + size_t len; + + acl = talloc_zero(sd, struct security_acl); + if (acl == NULL) return NULL; + acl->revision = SECURITY_ACL_REVISION_NT4; + + /* work out the ACL flags */ + if (!sddl_map_flags(acl_flags, sddl, flags, &len)) { + talloc_free(acl); + return NULL; + } + sddl += len; + + /* now the ACEs */ + while (*sddl == '(') { + len = strcspn(sddl+1, ")"); + char *astr = talloc_strndup(acl, sddl+1, len); + if (astr == NULL || sddl[len+1] != ')') { + talloc_free(acl); + return NULL; + } + acl->aces = talloc_realloc(acl, acl->aces, struct security_ace, + acl->num_aces+1); + if (acl->aces == NULL) { + talloc_free(acl); + 
return NULL; + } + if (!sddl_decode_ace(acl->aces, &acl->aces[acl->num_aces], astr)) { + talloc_free(acl); + return NULL; + } + talloc_free(astr); + sddl += len+2; + acl->num_aces++; + } + + (*sddlp) = sddl; + return acl; +} + +/* + decode a security descriptor in SDDL format +*/ +struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl) +{ + struct security_descriptor *sd; + sd = talloc_zero(mem_ctx, struct security_descriptor); + + sd->revision = SECURITY_DESCRIPTOR_REVISION_1; + sd->type = SEC_DESC_SELF_RELATIVE; + + while (*sddl) { + uint32_t flags; + char c = sddl[0]; + if (sddl[1] != ':') goto failed; + + sddl += 2; + switch (c) { + case 'D': + if (sd->dacl != NULL) goto failed; + sd->dacl = sddl_decode_acl(sd, &sddl, &flags); + if (sd->dacl == NULL) goto failed; + sd->type |= flags | SEC_DESC_DACL_PRESENT; + break; + case 'S': + if (sd->sacl != NULL) goto failed; + sd->sacl = sddl_decode_acl(sd, &sddl, &flags); + if (sd->sacl == NULL) goto failed; + /* this relies on the SEC_DESC_SACL_* flags being + 1 bit shifted from the SEC_DESC_DACL_* flags */ + sd->type |= (flags<<1) | SEC_DESC_SACL_PRESENT; + break; + case 'O': + if (sd->owner_sid != NULL) goto failed; + sd->owner_sid = sddl_decode_sid(sd, &sddl); + if (sd->owner_sid == NULL) goto failed; + break; + case 'G': + if (sd->group_sid != NULL) goto failed; + sd->group_sid = sddl_decode_sid(sd, &sddl); + if (sd->group_sid == NULL) goto failed; + break; + } + } + + return sd; + +failed: + DEBUG(2,("Badly formatted SDDL '%s'\n", sddl)); + talloc_free(sd); + return NULL; +} -- cgit From f5ed8cc829b0522ea4bd8142abc80f5133136834 Mon Sep 17 00:00:00 2001 
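Review bot: In sddl_decode_ace the hex access mask is read with `ace->access_mask = strtol(tok[2], NULL, 16);`, which on a platform with a 32-bit long saturates to LONG_MAX for any mask with the top bit set (0x80000000 and above) and accepts trailing junk after the digits without complaint, so a malformed mask silently becomes a different set of rights. Parse it with `strtoul` and an end pointer, and reject the ACE when `*end != '\0'` or `errno == ERANGE`. In sddl_decode the result of `sd = talloc_zero(mem_ctx, struct security_descriptor);` is dereferenced on the next line without a NULL check. The `switch (c)` there has no `default:`, so an unrecognised section letter followed by ':' is skipped instead of reaching `failed`; `default: goto failed;` would make malformed input an error rather than something silently dropped.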
From: Andrew Tridgell Date: Fri, 2 Dec 2005 04:26:51 +0000 Subject: r12010: - added support for domain specific SID codes in SDDL strings - added a bunch more tests to LOCAL-SDDL (all the ones from our schema) - fixed 'mixed coded declarations' bug (This used to be commit c30e7698e8e1d9991d35bf86c0d4041a1814ad92) --- source4/libcli/security/sddl.c | 87 ++++++++++++++++++++++++++++++++---------- 1 file changed, 67 insertions(+), 20 deletions(-) (limited to 'source4/libcli/security/sddl.c') diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c index 17df393de4..1a15d8853a 100644 --- a/source4/libcli/security/sddl.c +++ b/source4/libcli/security/sddl.c @@ -35,6 +35,7 @@ struct flag_map { static BOOL sddl_map_flags(const struct flag_map *map, const char *str, uint32_t *flags, size_t *len) { + const char *str0 = str; if (len) *len = 0; *flags = 0; while (str[0] && isupper(str[0])) { @@ -49,7 +50,7 @@ static BOOL sddl_map_flags(const struct flag_map *map, const char *str, } } if (map[i].name == NULL) { - DEBUG(2, ("Unknown flag - %s\n", str)); + DEBUG(1, ("Unknown flag - %s in %s\n", str, str0)); return False; } } 
@@ -62,15 +63,36 @@ static BOOL sddl_map_flags(const struct flag_map *map, const char *str, static const struct { const char *code; const char *sid; + uint32_t rid; } sid_codes[] = { { "AO", SID_BUILTIN_ACCOUNT_OPERATORS }, + { "BA", SID_BUILTIN_ADMINISTRATORS }, + { "RU", SID_BUILTIN_PREW2K }, + { "PO", SID_BUILTIN_PRINT_OPERATORS }, + { "RS", SID_BUILTIN_RAS_SERVERS }, + + { "AU", SID_NT_AUTHENTICATED_USERS }, + { "SY", SID_NT_SYSTEM }, + { "PS", SID_NT_SELF }, + { "WD", SID_WORLD }, + { "ED", SID_NT_ENTERPRISE_DCS }, + + { "CO", SID_CREATOR_OWNER }, + { "CG", SID_CREATOR_GROUP }, + + { "DA", NULL, DOMAIN_RID_ADMINS }, + { "EA", NULL, DOMAIN_RID_ENTERPRISE_ADMINS }, + { "DD", NULL, DOMAIN_RID_DCS }, + { "DU", NULL, DOMAIN_RID_USERS }, + { "CA", NULL, DOMAIN_RID_CERT_ADMINS }, }; /* decode a SID It can either be a special 2 letter code, or in S-* format */ -static struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp) +static struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp, + struct dom_sid *domain_sid) { const char *sddl = (*sddlp); int i; @@ -84,26 +106,31 @@ static struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp) /* now check for one of the special codes */ for (i=0;iobject.object.type.type); + if (!NT_STATUS_IS_OK(status)) { + return False; + } } /* inherit object */ if (tok[4][0] != 0) { - /* TODO: add object parsing ... */ - return False; + NTSTATUS status = GUID_from_string(tok[4], + &ace->object.object.inherited_type.inherited_type); + if (!NT_STATUS_IS_OK(status)) { + return False; + } } /* trustee */ s = tok[5]; - sid = sddl_decode_sid(mem_ctx, &s); + sid = sddl_decode_sid(mem_ctx, &s, domain_sid); if (sid == NULL) { return False; } 
@@ -217,7 +256,8 @@ static const struct flag_map acl_flags[] = { decode an ACL */ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd, - const char **sddlp, uint32_t *flags) + const char **sddlp, uint32_t *flags, + struct dom_sid *domain_sid) { const char *sddl = *sddlp; struct security_acl *acl; @@ -227,6 +267,11 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd, if (acl == NULL) return NULL; acl->revision = SECURITY_ACL_REVISION_NT4; + if (isupper(sddl[0]) && sddl[1] == ':') { + /* its an empty ACL */ + return acl; + } + /* work out the ACL flags */ if (!sddl_map_flags(acl_flags, sddl, flags, &len)) { talloc_free(acl); @@ -248,7 +293,8 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd, talloc_free(acl); return NULL; } - if (!sddl_decode_ace(acl->aces, &acl->aces[acl->num_aces], astr)) { + if (!sddl_decode_ace(acl->aces, &acl->aces[acl->num_aces], + astr, domain_sid)) { talloc_free(acl); return NULL; } @@ -264,7 +310,8 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd, /* decode a security descriptor in SDDL format */ -struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl) +struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl, + struct dom_sid *domain_sid) { struct security_descriptor *sd; sd = talloc_zero(mem_ctx, struct security_descriptor); 
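Review bot: The new empty-ACL early return in sddl_decode_acl, `if (isupper(sddl[0]) && sddl[1] == ':') { return acl; }`, comes before `*flags` is ever assigned, and the caller in sddl_decode declares `uint32_t flags;` without an initialiser and then ORs it into `sd->type`; either add `*flags = 0;` at the top of the function or set it immediately before the early return. While here, `isupper(sddl[0])` is called on a plain `char`, which is undefined for negative values on platforms where char is signed; `isupper((unsigned char)sddl[0])` is the safe form, and the same applies to the `isupper(str[0])` loop condition in sddl_map_flags. The body of sddl_decode_acl continues outside this hunk.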
@@ -281,13 +328,13 @@ struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl) switch (c) { case 'D': if (sd->dacl != NULL) goto failed; - sd->dacl = sddl_decode_acl(sd, &sddl, &flags); + sd->dacl = sddl_decode_acl(sd, &sddl, &flags, domain_sid); if (sd->dacl == NULL) goto failed; sd->type |= flags | SEC_DESC_DACL_PRESENT; break; case 'S': if (sd->sacl != NULL) goto failed; - sd->sacl = sddl_decode_acl(sd, &sddl, &flags); + sd->sacl = sddl_decode_acl(sd, &sddl, &flags, domain_sid); if (sd->sacl == NULL) goto failed; /* this relies on the SEC_DESC_SACL_* flags being 1 bit shifted from the SEC_DESC_DACL_* flags */ @@ -295,12 +342,12 @@ struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl) break; case 'O': if (sd->owner_sid != NULL) goto failed; - sd->owner_sid = sddl_decode_sid(sd, &sddl); + sd->owner_sid = sddl_decode_sid(sd, &sddl, domain_sid); if (sd->owner_sid == NULL) goto failed; break; case 'G': if (sd->group_sid != NULL) goto failed; - sd->group_sid = sddl_decode_sid(sd, &sddl); + sd->group_sid = sddl_decode_sid(sd, &sddl, domain_sid); if (sd->group_sid == NULL) goto failed; break; } -- cgit From 540483c01b0b03ecd0c9b8824b124542a12fce24 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 2 Dec 2005 05:29:13 +0000 Subject: r12011: fixed another 'mixed code and declarations' bug (This used to be commit 1eca19d597ea21a073361fc6fc550919abf97574) --- source4/libcli/security/sddl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source4/libcli/security/sddl.c') diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c index 1a15d8853a..fa0e15a7b6 100644 --- a/source4/libcli/security/sddl.c +++ b/source4/libcli/security/sddl.c 
@@ -281,8 +281,9 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd, /* now the ACEs */ while (*sddl == '(') { + char *astr; len = strcspn(sddl+1, ")"); - char *astr = talloc_strndup(acl, sddl+1, len); + astr = talloc_strndup(acl, sddl+1, len); if (astr == NULL || sddl[len+1] != ')') { talloc_free(acl); return NULL; -- cgit From 79eae8ffff0105cd9d16195cfd3c2c025d2c663f Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 9 Dec 2005 04:54:30 +0000 Subject: r12137: added sddl_encode(), the reverse of the sddl_decode() function added a couple of days ago. Doesn't yet encode using the shorthand for well known SIDs. (This used to be commit 655a4ebe8e0ee18133103bfba0ca6d14cbf81d56) --- source4/libcli/security/sddl.c | 170 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 170 insertions(+) (limited to 'source4/libcli/security/sddl.c') diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c index fa0e15a7b6..7ae7d83839 100644 --- a/source4/libcli/security/sddl.c +++ b/source4/libcli/security/sddl.c @@ -263,6 +263,8 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd, struct security_acl *acl; size_t len; + *flags = 0; + acl = talloc_zero(sd, struct security_acl); if (acl == NULL) return NULL; acl->revision = SECURITY_ACL_REVISION_NT4; 
@@ -361,3 +363,171 @@ failed: talloc_free(sd); return NULL; } + +/* + turn a set of flags into a string +*/ +static char *sddl_flags_to_string(TALLOC_CTX *mem_ctx, const struct flag_map *map, + uint32_t flags, BOOL check_all) +{ + int i; + char *s; + + /* try to find an exact match */ + for (i=0;map[i].name;i++) { + if (map[i].flag == flags) { + return talloc_strdup(mem_ctx, map[i].name); + } + } + + s = talloc_strdup(mem_ctx, ""); + + /* now by bits */ + for (i=0;map[i].name;i++) { + if ((flags & map[i].flag) != 0) { + s = talloc_asprintf_append(s, "%s", map[i].name); + if (s == NULL) goto failed; + flags &= ~map[i].flag; + } + } + + if (check_all && flags != 0) { + goto failed; + } + + return s; + +failed: + talloc_free(s); + return NULL; +} + +/* + encode a sid in SDDL format +*/ +static char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, + struct dom_sid *domain_sid) +{ + /* TODO: encode well known sids as two letter codes */ + return dom_sid_string(mem_ctx, sid); +} + + +/* + encode an ACE in SDDL format +*/ +static char *sddl_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace, + struct dom_sid *domain_sid) +{ + char *sddl; + TALLOC_CTX *tmp_ctx; + const char *s_type="", *s_flags="", *s_mask="", + *s_object="", *s_iobject="", *s_trustee=""; + + tmp_ctx = talloc_new(mem_ctx); + + s_type = sddl_flags_to_string(tmp_ctx, ace_types, ace->type, True); + if (s_type == NULL) goto failed; + + s_flags = sddl_flags_to_string(tmp_ctx, ace_flags, ace->flags, True); + if (s_flags == NULL) goto failed; + + s_mask = sddl_flags_to_string(tmp_ctx, ace_access_mask, ace->access_mask, True); + if (s_mask == NULL) goto failed; + + s_object = GUID_string(tmp_ctx, &ace->object.object.type.type); + + s_iobject = GUID_string(tmp_ctx, &ace->object.object.inherited_type.inherited_type); + + s_trustee = sddl_encode_sid(tmp_ctx, &ace->trustee, domain_sid); + + sddl = talloc_asprintf(mem_ctx, "%s;%s;%s;%s;%s;%s", + s_type, s_flags, s_mask, s_object, s_iobject, 
s_trustee); + +failed: + talloc_free(tmp_ctx); + return sddl; +} + +/* + encode an ACL in SDDL format +*/ +static char *sddl_encode_acl(TALLOC_CTX *mem_ctx, const struct security_acl *acl, + uint32_t flags, struct dom_sid *domain_sid) +{ + char *sddl; + int i; + + /* add any ACL flags */ + sddl = sddl_flags_to_string(mem_ctx, acl_flags, flags, False); + if (sddl == NULL) goto failed; + + /* now the ACEs, encoded in braces */ + for (i=0;inum_aces;i++) { + char *ace = sddl_encode_ace(sddl, &acl->aces[i], domain_sid); + if (ace == NULL) goto failed; + sddl = talloc_asprintf_append(sddl, "(%s)", ace); + if (sddl == NULL) goto failed; + talloc_free(ace); + } + + return sddl; + +failed: + talloc_free(sddl); + return NULL; +} + + +/* + encode a security descriptor to SDDL format +*/ +char *sddl_encode(TALLOC_CTX *mem_ctx, const struct security_descriptor *sd, + struct dom_sid *domain_sid) +{ + char *sddl; + TALLOC_CTX *tmp_ctx; + + /* start with a blank string */ + sddl = talloc_strdup(mem_ctx, ""); + if (sddl == NULL) goto failed; + + tmp_ctx = talloc_new(mem_ctx); + + if (sd->owner_sid != NULL) { + char *sid = sddl_encode_sid(tmp_ctx, sd->owner_sid, domain_sid); + if (sid == NULL) goto failed; + sddl = talloc_asprintf_append(sddl, "O:%s", sid); + if (sddl == NULL) goto failed; + } + + if (sd->group_sid != NULL) { + char *sid = sddl_encode_sid(tmp_ctx, sd->group_sid, domain_sid); + if (sid == NULL) goto failed; + sddl = talloc_asprintf_append(sddl, "G:%s", sid); + if (sddl == NULL) goto failed; + } + + if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl != NULL) { + char *acl = sddl_encode_acl(tmp_ctx, sd->dacl, sd->type, domain_sid); + if (acl == NULL) goto failed; + sddl = talloc_asprintf_append(sddl, "D:%s", acl); + if (sddl == NULL) goto failed; + } + + if ((sd->type & SEC_DESC_SACL_PRESENT) && sd->sacl != NULL) { + char *acl = sddl_encode_acl(tmp_ctx, sd->sacl, sd->type>>1, domain_sid); + if (acl == NULL) goto failed; + sddl = talloc_asprintf_append(sddl, "S:%s", 
acl); + if (sddl == NULL) goto failed; + } + + talloc_free(tmp_ctx); + return sddl; + +failed: + talloc_free(sddl); + return NULL; +} + + -- cgit From 781ed1f5ef38cc057c5efa3d09f6a388791b37f3 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 9 Dec 2005 05:21:47 +0000 Subject: r12138: added use of 2 letter SID codes in sddl_encode_sid() (This used to be commit a0662ae9d3f719d2db193490361923095bd4d419) --- source4/libcli/security/sddl.c | 45 +++++++++++++++++++++++++++++++++++++++--- 1 file changed, 42 insertions(+), 3 deletions(-) (limited to 'source4/libcli/security/sddl.c') diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c index 7ae7d83839..a1b8346969 100644 --- a/source4/libcli/security/sddl.c +++ b/source4/libcli/security/sddl.c @@ -146,7 +146,6 @@ static const struct flag_map ace_flags[] = { }; static const struct flag_map ace_access_mask[] = { - { "RC", SEC_STD_READ_CONTROL }, { "RP", SEC_ADS_READ_PROP }, { "WP", SEC_ADS_WRITE_PROP }, { "CR", SEC_ADS_CONTROL_ACCESS }, @@ -154,6 +153,7 @@ static const struct flag_map ace_access_mask[] = { { "DC", SEC_ADS_DELETE_CHILD }, { "LC", SEC_ADS_LIST }, { "LO", SEC_ADS_LIST_OBJECT }, + { "RC", SEC_STD_READ_CONTROL }, { "WO", SEC_STD_WRITE_OWNER }, { "WD", SEC_STD_WRITE_DAC }, { "SD", SEC_STD_DELETE }, 
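Review bot: In sddl_encode, `tmp_ctx = talloc_new(mem_ctx);` is neither checked nor released on the error path: the `failed:` label frees only `sddl`, so any `goto failed` after that line leaves tmp_ctx and every SID and ACL string under it attached to mem_ctx until the caller frees it. Initialise `TALLOC_CTX *tmp_ctx = NULL;`, fail when `talloc_new` returns NULL, and add `talloc_free(tmp_ctx);` under `failed:` (talloc_free on NULL is a no-op, so the early `goto failed` stays safe). sddl_encode_ace has the same unchecked `talloc_new` and also returns `char *sddl;` uninitialised on its failure path. sddl_flags_to_string likewise passes the unchecked result of `s = talloc_strdup(mem_ctx, "");` straight into talloc_asprintf_append.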
@@ -408,6 +408,33 @@ failed: static char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, struct dom_sid *domain_sid) { + int i; + char *sidstr; + + sidstr = dom_sid_string(mem_ctx, sid); + if (sidstr == NULL) return NULL; + + /* seen if its a well known sid */ + for (i=0;sid_codes[i].sid;i++) { + if (strcmp(sidstr, sid_codes[i].sid) == 0) { + talloc_free(sidstr); + return talloc_strdup(mem_ctx, sid_codes[i].code); + } + } + + /* or a well known rid in our domain */ + if (dom_sid_in_domain(domain_sid, sid)) { + uint32_t rid = sid->sub_auths[sid->num_auths-1]; + for (;iaccess_mask, True); if (s_mask == NULL) goto failed; - s_object = GUID_string(tmp_ctx, &ace->object.object.type.type); + if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT || + ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT || + ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT || + ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT) { + if (!GUID_all_zero(&ace->object.object.type.type)) { + s_object = GUID_string(tmp_ctx, &ace->object.object.type.type); + if (s_object == NULL) goto failed; + } - s_iobject = GUID_string(tmp_ctx, &ace->object.object.inherited_type.inherited_type); + if (!GUID_all_zero(&ace->object.object.inherited_type.inherited_type)) { + s_iobject = GUID_string(tmp_ctx, &ace->object.object.inherited_type.inherited_type); + if (s_iobject == NULL) goto failed; + } + } s_trustee = sddl_encode_sid(tmp_ctx, &ace->trustee, domain_sid); + if (s_trustee == NULL) goto failed; sddl = talloc_asprintf(mem_ctx, "%s;%s;%s;%s;%s;%s", s_type, s_flags, s_mask, s_object, s_iobject, s_trustee); -- cgit From 2e4d4a9e28ddd84e245e45c2c58f9cc6e8e2967f Mon Sep 17 00:00:00 2001 
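Review bot: The well-known-SID lookup `for (i=0;sid_codes[i].sid;i++)` in sddl_encode_sid stops at the first table entry whose `sid` is NULL, not at a sentinel: sid_codes has no terminating entry, so this is only correct because every string-SID code in the table precedes the rid-only codes, and the rid loop that follows (garbled in this rendering) appears to continue from that index. That ordering constraint should be stated where it is relied on, e.g. `/* string-SID entries must precede the rid-only entries: this loop ends at the first NULL sid */`, and ideally on the table itself. `uint32_t rid = sid->sub_auths[sid->num_auths-1];` indexes with num_auths-1, which is presumably safe only because dom_sid_in_domain() has already established that sid has more sub-authorities than domain_sid; confirm that and note it, since a zero num_auths here would read before the array.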
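Review bot: The new object-ACE test in sddl_encode_ace lists `ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT` twice and never checks SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT, so an alarm object ACE is encoded with both GUIDs dropped and would not round-trip through sddl_decode. The fourth comparison should read `ace->type == SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT`. The same duplicated condition is carried unchanged as context in the r12139 hunk that follows, so it is worth fixing there if this commit is not amended.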
From: Andrew Tridgell Date: Fri, 9 Dec 2005 06:22:09 +0000 Subject: r12139: - fixed up the ace object flags checking - allow for arbitrary access masks in sddl_encode_ace() (This used to be commit 5e2b1bd6afafe2eb96e98c4636e0a62235693183) --- source4/libcli/security/sddl.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'source4/libcli/security/sddl.c') diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c index a1b8346969..643cb7a82c 100644 --- a/source4/libcli/security/sddl.c +++ b/source4/libcli/security/sddl.c @@ -221,6 +221,7 @@ static BOOL sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char if (!NT_STATUS_IS_OK(status)) { return False; } + ace->object.object.flags |= SEC_ACE_OBJECT_TYPE_PRESENT; } /* inherit object */ @@ -230,6 +231,7 @@ static BOOL sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char if (!NT_STATUS_IS_OK(status)) { return False; } + ace->object.object.flags |= SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT; } /* trustee */ 
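Review bot: `ace->object.object.flags |= SEC_ACE_OBJECT_TYPE_PRESENT;` ORs into a field that sddl_decode_ace never initialises: the ace is a slot of an array grown with talloc_realloc in sddl_decode_acl, which as far as I can tell does not zero new elements, and the function assigns type, flags, access_mask and trustee but never clears the object union. Zero the struct on entry, `ZERO_STRUCTP(ace);` (or a memset of `sizeof(*ace)`), so that the flags and an absent inherited_type are well defined; the second hunk, which ORs in SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT, has the same problem. sddl_decode_ace starts outside both hunks.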
@@ -460,18 +462,21 @@ static char *sddl_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace if (s_flags == NULL) goto failed; s_mask = sddl_flags_to_string(tmp_ctx, ace_access_mask, ace->access_mask, True); - if (s_mask == NULL) goto failed; + if (s_mask == NULL) { + s_mask = talloc_asprintf(tmp_ctx, "0x%08x", ace->access_mask); + if (s_mask == NULL) goto failed; + } if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT || ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT || ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT || ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT) { - if (!GUID_all_zero(&ace->object.object.type.type)) { + if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) { s_object = GUID_string(tmp_ctx, &ace->object.object.type.type); if (s_object == NULL) goto failed; } - if (!GUID_all_zero(&ace->object.object.inherited_type.inherited_type)) { + if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) { s_iobject = GUID_string(tmp_ctx, &ace->object.object.inherited_type.inherited_type); if (s_iobject == NULL) goto failed; } -- cgit From d811ea17bb3a487b8bdcd2f9aa8dc4ba5cb2ab01 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 9 Dec 2005 23:43:02 +0000 Subject: r12158: added ldif handlers for the ntSecurityDescriptor attribute, so when displaying security descriptors in ldbsearch or ldbedit you can see the SDDL version. This also allows us to specify security descriptors in our setup/*.ldif files in SDDL format, which is much more convenient than the NDR binary format! (This used to be commit 8185731c1846412c1b3366824cdb3d05b2d50b73) --- source4/libcli/security/sddl.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'source4/libcli/security/sddl.c') diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c index 643cb7a82c..7d7fe856cd 100644 --- a/source4/libcli/security/sddl.c +++ b/source4/libcli/security/sddl.c 
@@ -92,7 +92,7 @@ static const struct { It can either be a special 2 letter code, or in S-* format */ static struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp, - struct dom_sid *domain_sid) + const struct dom_sid *domain_sid) { const char *sddl = (*sddlp); int i; @@ -172,7 +172,7 @@ static const struct flag_map ace_access_mask[] = { note that this routine modifies the string */ static BOOL sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char *str, - struct dom_sid *domain_sid) + const struct dom_sid *domain_sid) { const char *tok[6]; const char *s; @@ -259,7 +259,7 @@ static const struct flag_map acl_flags[] = { */ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd, const char **sddlp, uint32_t *flags, - struct dom_sid *domain_sid) + const struct dom_sid *domain_sid) { const char *sddl = *sddlp; struct security_acl *acl; @@ -316,7 +316,7 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd, decode a security descriptor in SDDL format */ struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl, - struct dom_sid *domain_sid) + const struct dom_sid *domain_sid) { struct security_descriptor *sd; sd = talloc_zero(mem_ctx, struct security_descriptor); @@ -408,7 +408,7 @@ failed: encode a sid in SDDL format */ static char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, - struct dom_sid *domain_sid) + const struct dom_sid *domain_sid) { int i; char *sidstr; @@ -446,7 +446,7 @@ static char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, encode an ACE in SDDL format */ static char *sddl_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace, - struct dom_sid *domain_sid) + const struct dom_sid *domain_sid) { char *sddl; TALLOC_CTX *tmp_ctx; 
@@ -497,7 +497,7 @@ failed: encode an ACL in SDDL format */ static char *sddl_encode_acl(TALLOC_CTX *mem_ctx, const struct security_acl *acl, - uint32_t flags, struct dom_sid *domain_sid) + uint32_t flags, const struct dom_sid *domain_sid) { char *sddl; int i; @@ -527,7 +527,7 @@ failed: encode a security descriptor to SDDL format */ char *sddl_encode(TALLOC_CTX *mem_ctx, const struct security_descriptor *sd, - struct dom_sid *domain_sid) + const struct dom_sid *domain_sid) { char *sddl; TALLOC_CTX *tmp_ctx; -- cgit From 078ae0f8970a1b24a4f15f4dcffbc91d6f64143f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 10 Dec 2005 09:18:03 +0000 Subject: r12161: Fix a memleak and do the -O1 janitor :-) (This used to be commit 82d87d62614a33ec9d2ed20e63d80a7af64e8678) --- source4/libcli/security/sddl.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'source4/libcli/security/sddl.c') diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c index 7d7fe856cd..83dfeed5ac 100644 --- a/source4/libcli/security/sddl.c +++ b/source4/libcli/security/sddl.c @@ -448,12 +448,16 @@ static char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, static char *sddl_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace, const struct dom_sid *domain_sid) { - char *sddl; + char *sddl = NULL; TALLOC_CTX *tmp_ctx; const char *s_type="", *s_flags="", *s_mask="", *s_object="", *s_iobject="", *s_trustee=""; tmp_ctx = talloc_new(mem_ctx); + if (tmp_ctx == NULL) { + DEBUG(0, ("talloc_new failed\n")); + return NULL; + } s_type = sddl_flags_to_string(tmp_ctx, ace_types, ace->type, True); if (s_type == NULL) goto failed; -- cgit From d4de4c2d210d2e8c9b5aedf70695594809ad6a0b Mon Sep 17 00:00:00 2001 
From: Jelmer Vernooij Date: Fri, 30 Dec 2005 13:16:54 +0000 Subject: r12608: Remove some unused #include lines. (This used to be commit 70e7449318aa0e9d2639c76730a7d1683b2f4981) --- source4/libcli/security/sddl.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source4/libcli/security/sddl.c') diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c index 83dfeed5ac..c434072529 100644 --- a/source4/libcli/security/sddl.c +++ b/source4/libcli/security/sddl.c @@ -22,7 +22,6 @@ #include "includes.h" #include "system/iconv.h" -#include "librpc/gen_ndr/ndr_security.h" struct flag_map { const char *name; -- cgit From 4ac2be99588b48b0652a524bf12fb1aa9c3f5fbb Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 7 Mar 2006 11:07:23 +0000 Subject: r13924: Split more prototypes out of include/proto.h + initial work on header file dependencies (This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781) --- source4/libcli/security/sddl.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/libcli/security/sddl.c') diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c index c434072529..a1e9985edd 100644 --- a/source4/libcli/security/sddl.c +++ b/source4/libcli/security/sddl.c @@ -22,6 +22,7 @@ #include "includes.h" #include "system/iconv.h" +#include "libcli/security/proto.h" struct flag_map { const char *name; -- cgit From 8528016978b084213ef53d66e1b6e831b1a01acc Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 16 Mar 2006 00:23:11 +0000 Subject: r14464: Don't include ndr_BASENAME.h files unless strictly required, instead try to include just the BASENAME.h files (containing only structs) (This used to be commit 3dd477ca5147f28a962b8437e2611a8222d706bd) --- source4/libcli/security/sddl.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/libcli/security/sddl.c') diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c index a1e9985edd..862a25e20d 100644 
--- a/source4/libcli/security/sddl.c +++ b/source4/libcli/security/sddl.c @@ -23,6 +23,7 @@ #include "includes.h" #include "system/iconv.h" #include "libcli/security/proto.h" +#include "librpc/gen_ndr/ndr_security.h" struct flag_map { const char *name; -- cgit From 35349a58df5b69446607fbd742a05f57f3515319 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 18 Mar 2006 15:42:57 +0000 Subject: r14542: Remove librpc, libndr and libnbt from includes.h (This used to be commit 51b4270513752d2eafbe77f9de598de16ef84a1f) --- source4/libcli/security/sddl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/security/sddl.c') diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c index 862a25e20d..38192fc60c 100644 --- a/source4/libcli/security/sddl.c +++ b/source4/libcli/security/sddl.c @@ -22,8 +22,8 @@ #include "includes.h" #include "system/iconv.h" -#include "libcli/security/proto.h" #include "librpc/gen_ndr/ndr_security.h" +#include "libcli/security/proto.h" struct flag_map { const char *name; -- cgit From 1af925f394b1084779f5b1b5a10c2ec512d7e5be Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sun, 2 Apr 2006 12:02:01 +0000 Subject: r14860: create libcli/security/security.h metze (This used to be commit 9ec706238c173992dc938d537bdf1103bf519dbf) --- source4/libcli/security/sddl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/security/sddl.c') diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c index 38192fc60c..46183ce237 100644 --- a/source4/libcli/security/sddl.c +++ b/source4/libcli/security/sddl.c @@ -23,7 +23,7 @@ #include "includes.h" #include "system/iconv.h" #include "librpc/gen_ndr/ndr_security.h" -#include "libcli/security/proto.h" +#include "libcli/security/security.h" struct flag_map { const char *name; -- cgit From e002300f238dd0937dd9f768e366c006945e8baa Mon Sep 17 00:00:00 2001 
From: Jelmer Vernooij Date: Sat, 29 Apr 2006 17:34:49 +0000 Subject: r15328: Move some functions around, remove dependencies. Remove some autogenerated headers (which had prototypes now autogenerated by pidl) Remove ndr_security.h from a few places - it's no longer necessary (This used to be commit c19c2b51d3e1ad347120b06a22bda5ec586c22e8) --- source4/libcli/security/sddl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/security/sddl.c') diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c index 46183ce237..97e811f151 100644 --- a/source4/libcli/security/sddl.c +++ b/source4/libcli/security/sddl.c @@ -22,8 +22,8 @@ #include "includes.h" #include "system/iconv.h" -#include "librpc/gen_ndr/ndr_security.h" #include "libcli/security/security.h" +#include "librpc/gen_ndr/ndr_misc.h" struct flag_map { const char *name; -- cgit From 172a83d72491f90f6191be1040ef8b2e1789bd2e Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 13 May 2006 19:14:12 +0000 Subject: r15573: Fix build of systems that have iconv headers in non-standard locations Split of system/locale.h header from system/iconv.h Previously, iconv wasn't being used on these systems (This used to be commit aa6d66fda69779d1c2948a1aca85dbd5208f1cba) --- source4/libcli/security/sddl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/security/sddl.c') diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c index 97e811f151..14dd7e0917 100644 --- a/source4/libcli/security/sddl.c +++ b/source4/libcli/security/sddl.c @@ -21,9 +21,9 @@ */ #include "includes.h" -#include "system/iconv.h" #include "libcli/security/security.h" #include "librpc/gen_ndr/ndr_misc.h" +#include "system/locale.h" struct flag_map { const char *name; -- cgit From 2246d32e70f38ce31d8432eeb436fb522661d1c5 Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher Date: Mon, 15 Jan 2007 09:02:58 +0000 Subject: r20795: dom_sid_parse_talloc() gets an null terminated string as input, the SDDL string has the sid strings embedded, so we need to create a null terminated string... metze (This used to be commit 532395a18db84affa8a743b995e9fae2e3c312f2) --- source4/libcli/security/sddl.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'source4/libcli/security/sddl.c') diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c index 14dd7e0917..423ccc92e9 100644 --- a/source4/libcli/security/sddl.c +++ b/source4/libcli/security/sddl.c @@ -100,9 +100,17 @@ static struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp, /* see if its in the numeric format */ if (strncmp(sddl, "S-", 2) == 0) { + struct dom_sid *sid; + char *sid_str; size_t len = strspn(sddl+2, "-0123456789"); + sid_str = talloc_strndup(mem_ctx, sddl, len+2); + if (!sid_str) { + return NULL; + } (*sddlp) += len+2; - return dom_sid_parse_talloc(mem_ctx, sddl); + sid = dom_sid_parse_talloc(mem_ctx, sid_str); + talloc_free(sid_str); + return sid; } /* now check for one of the special codes */ -- cgit From e754ec1d8a52ac717d0d511b28c8556d43eb2f86 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 15 Jan 2007 10:10:15 +0000 Subject: r20799: if any ace has the optional sub object, the acl revision needs to be SECURITY_ACL_REVISION_ADS (4) metze (This used to be commit a67bb4365958f4bfadbf47b2231992e2aadd26a1) --- source4/libcli/security/sddl.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'source4/libcli/security/sddl.c') diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c index 423ccc92e9..2746ed8f81 100644 --- a/source4/libcli/security/sddl.c +++ b/source4/libcli/security/sddl.c 
@@ -312,6 +312,14 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd, talloc_free(acl); return NULL; } + switch (acl->aces[acl->num_aces].type) { + case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: + case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: + case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT: + case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT: + acl->revision = SECURITY_ACL_REVISION_ADS; + break; + } talloc_free(astr); sddl += len+2; acl->num_aces++; -- cgit From d6fafdb23714551e844c2ce6006683f9f51e4ff1 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 15 Jan 2007 10:39:17 +0000 Subject: r20800: fix compiler warnings metze (This used to be commit 6ce994720cdd8b7dd0b789460b5ae7da19261696) --- source4/libcli/security/sddl.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source4/libcli/security/sddl.c') diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c index 2746ed8f81..7d0e6ee748 100644 --- a/source4/libcli/security/sddl.c +++ b/source4/libcli/security/sddl.c @@ -319,6 +319,8 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd, case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT: acl->revision = SECURITY_ACL_REVISION_ADS; break; + default: + break; } talloc_free(astr); sddl += len+2; -- cgit From 0479a2f1cbae51fcd8dbdc3c148c808421fb4d25 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 02:07:03 +0000 Subject: r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa) --- source4/libcli/security/sddl.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source4/libcli/security/sddl.c') diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c index 7d0e6ee748..4342a7b87a 100644 --- a/source4/libcli/security/sddl.c +++ b/source4/libcli/security/sddl.c 
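Review bot: The new switch sets `acl->revision` for the four object ACE types without saying why, so the rule from the commit message survives only in history; a comment above the switch, `/* an ACE carrying an object/inherited-object GUID requires ACL revision 4 (SECURITY_ACL_REVISION_ADS) */`, would spare the next reader a blame. Because the check runs per ACE and only ever assigns the higher revision, a mixed ACL correctly ends up at the ADS revision once any object ACE is seen. Where `acl->revision` receives its initial value is outside the hunk, so whether that default is reset per decode is not visible here; sddl_decode_acl begins and ends outside the hunk.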
@@ -7,7 +7,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, @@ -16,8 +16,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" -- cgit From 9a012df08ee829c1d40fc88ba12a0ea479f60be0 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 14 Sep 2007 23:21:00 +0000 Subject: r25175: Change to talloc_asprintf_append_buffer(). Jeremy. (This used to be commit 0844dbf597191b3e4d35a696695b229e986daec4) --- source4/libcli/security/sddl.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'source4/libcli/security/sddl.c') diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c index 4342a7b87a..d4efab9b64 100644 --- a/source4/libcli/security/sddl.c +++ b/source4/libcli/security/sddl.c @@ -405,7 +405,7 @@ static char *sddl_flags_to_string(TALLOC_CTX *mem_ctx, const struct flag_map *ma /* now by bits */ for (i=0;map[i].name;i++) { if ((flags & map[i].flag) != 0) { - s = talloc_asprintf_append(s, "%s", map[i].name); + s = talloc_asprintf_append_buffer(s, "%s", map[i].name); if (s == NULL) goto failed; flags &= ~map[i].flag; } 
@@ -532,7 +532,7 @@ static char *sddl_encode_acl(TALLOC_CTX *mem_ctx, const struct security_acl *acl for (i=0;inum_aces;i++) { char *ace = sddl_encode_ace(sddl, &acl->aces[i], domain_sid); if (ace == NULL) goto failed; - sddl = talloc_asprintf_append(sddl, "(%s)", ace); + sddl = talloc_asprintf_append_buffer(sddl, "(%s)", ace); if (sddl == NULL) goto failed; talloc_free(ace); } @@ -563,28 +563,28 @@ char *sddl_encode(TALLOC_CTX *mem_ctx, const struct security_descriptor *sd, if (sd->owner_sid != NULL) { char *sid = sddl_encode_sid(tmp_ctx, sd->owner_sid, domain_sid); if (sid == NULL) goto failed; - sddl = talloc_asprintf_append(sddl, "O:%s", sid); + sddl = talloc_asprintf_append_buffer(sddl, "O:%s", sid); if (sddl == NULL) goto failed; } if (sd->group_sid != NULL) { char *sid = sddl_encode_sid(tmp_ctx, sd->group_sid, domain_sid); if (sid == NULL) goto failed; - sddl = talloc_asprintf_append(sddl, "G:%s", sid); + sddl = talloc_asprintf_append_buffer(sddl, "G:%s", sid); if (sddl == NULL) goto failed; } if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl != NULL) { char *acl = sddl_encode_acl(tmp_ctx, sd->dacl, sd->type, domain_sid); if (acl == NULL) goto failed; - sddl = talloc_asprintf_append(sddl, "D:%s", acl); + sddl = talloc_asprintf_append_buffer(sddl, "D:%s", acl); if (sddl == NULL) goto failed; } if ((sd->type & SEC_DESC_SACL_PRESENT) && sd->sacl != NULL) { char *acl = sddl_encode_acl(tmp_ctx, sd->sacl, sd->type>>1, domain_sid); if (acl == NULL) goto failed; - sddl = talloc_asprintf_append(sddl, "S:%s", acl); + sddl = talloc_asprintf_append_buffer(sddl, "S:%s", acl); if (sddl == NULL) goto failed; } -- cgit From 2151cde58014ea2e822c13d2f8a369b45dc19ca8 Mon Sep 17 00:00:00 2001 
From: Jelmer Vernooij Date: Sat, 6 Oct 2007 22:28:14 +0000 Subject: r25554: Convert last instances of BOOL, True and False to the standard types. (This used to be commit 566aa14139510788548a874e9213d91317f83ca9) --- source4/libcli/security/sddl.c | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) (limited to 'source4/libcli/security/sddl.c') diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c index d4efab9b64..09522f182a 100644 --- a/source4/libcli/security/sddl.c +++ b/source4/libcli/security/sddl.c @@ -32,7 +32,7 @@ struct flag_map { /* map a series of letter codes into a uint32_t */ -static BOOL sddl_map_flags(const struct flag_map *map, const char *str, +static bool sddl_map_flags(const struct flag_map *map, const char *str, uint32_t *flags, size_t *len) { const char *str0 = str; @@ -51,10 +51,10 @@ static BOOL sddl_map_flags(const struct flag_map *map, const char *str, } if (map[i].name == NULL) { DEBUG(1, ("Unknown flag - %s in %s\n", str, str0)); - return False; + return false; } } - return True; + return true; } /* @@ -176,10 +176,10 @@ static const struct flag_map ace_access_mask[] = { /* decode an ACE - return True on success, False on failure + return true on success, false on failure note that this routine modifies the string */ -static BOOL sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char *str, +static bool sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char *str, const struct dom_sid *domain_sid) { const char *tok[6]; @@ -194,7 +194,7 @@ static BOOL sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char tok[0] = str; for (i=0;i<5;i++) { char *ptr = strchr(str, ';'); - if (ptr == NULL) return False; + if (ptr == NULL) return false; *ptr = 0; str = ptr+1; tok[i+1] = str; 
@@ -202,13 +202,13 @@ static BOOL sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char /* parse ace type */ if (!sddl_map_flags(ace_types, tok[0], &v, NULL)) { - return False; + return false; } ace->type = v; /* ace flags */ if (!sddl_map_flags(ace_flags, tok[1], &v, NULL)) { - return False; + return false; } ace->flags = v; @@ -217,7 +217,7 @@ static BOOL sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char ace->access_mask = strtol(tok[2], NULL, 16); } else { if (!sddl_map_flags(ace_access_mask, tok[2], &v, NULL)) { - return False; + return false; } ace->access_mask = v; } @@ -227,7 +227,7 @@ static BOOL sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char NTSTATUS status = GUID_from_string(tok[3], &ace->object.object.type.type); if (!NT_STATUS_IS_OK(status)) { - return False; + return false; } ace->object.object.flags |= SEC_ACE_OBJECT_TYPE_PRESENT; } @@ -237,7 +237,7 @@ static BOOL sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char NTSTATUS status = GUID_from_string(tok[4], &ace->object.object.inherited_type.inherited_type); if (!NT_STATUS_IS_OK(status)) { - return False; + return false; } ace->object.object.flags |= SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT; } @@ -246,13 +246,13 @@ static BOOL sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char s = tok[5]; sid = sddl_decode_sid(mem_ctx, &s, domain_sid); if (sid == NULL) { - return False; + return false; } ace->trustee = *sid; talloc_steal(mem_ctx, sid->sub_auths); talloc_free(sid); - return True; + return true; } static const struct flag_map acl_flags[] = { @@ -388,7 +388,7 @@ failed: turn a set of flags into a string */ static char *sddl_flags_to_string(TALLOC_CTX *mem_ctx, const struct flag_map *map, - uint32_t flags, BOOL check_all) + uint32_t flags, bool check_all) { int i; char *s; 
@@ -477,13 +477,13 @@ static char *sddl_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace return NULL; } - s_type = sddl_flags_to_string(tmp_ctx, ace_types, ace->type, True); + s_type = sddl_flags_to_string(tmp_ctx, ace_types, ace->type, true); if (s_type == NULL) goto failed; - s_flags = sddl_flags_to_string(tmp_ctx, ace_flags, ace->flags, True); + s_flags = sddl_flags_to_string(tmp_ctx, ace_flags, ace->flags, true); if (s_flags == NULL) goto failed; - s_mask = sddl_flags_to_string(tmp_ctx, ace_access_mask, ace->access_mask, True); + s_mask = sddl_flags_to_string(tmp_ctx, ace_access_mask, ace->access_mask, true); if (s_mask == NULL) { s_mask = talloc_asprintf(tmp_ctx, "0x%08x", ace->access_mask); if (s_mask == NULL) goto failed; @@ -525,7 +525,7 @@ static char *sddl_encode_acl(TALLOC_CTX *mem_ctx, const struct security_acl *acl int i; /* add any ACL flags */ - sddl = sddl_flags_to_string(mem_ctx, acl_flags, flags, False); + sddl = sddl_flags_to_string(mem_ctx, acl_flags, flags, false); if (sddl == NULL) goto failed; /* now the ACEs, encoded in braces */ -- cgit