Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 :
4 : security descriptror utility functions
5 :
6 : Copyright (C) Andrew Tridgell 2004
7 :
8 : This program is free software; you can redistribute it and/or modify
9 : it under the terms of the GNU General Public License as published by
10 : the Free Software Foundation; either version 3 of the License, or
11 : (at your option) any later version.
12 :
13 : This program is distributed in the hope that it will be useful,
14 : but WITHOUT ANY WARRANTY; without even the implied warranty of
15 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 : GNU General Public License for more details.
17 :
18 : You should have received a copy of the GNU General Public License
19 : along with this program. If not, see <http://www.gnu.org/licenses/>.
20 : */
21 :
22 : #include "includes.h"
23 : #include "libcli/security/security.h"
24 :
25 : /*
26 : return a blank security descriptor (no owners, dacl or sacl)
27 : */
28 1670751 : struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx)
29 : {
30 : struct security_descriptor *sd;
31 :
32 1670751 : sd = talloc(mem_ctx, struct security_descriptor);
33 1670751 : if (!sd) {
34 0 : return NULL;
35 : }
36 :
37 1670751 : sd->revision = SD_REVISION;
38 : /* we mark as self relative, even though it isn't while it remains
39 : a pointer in memory because this simplifies the ndr code later.
40 : All SDs that we store/emit are in fact SELF_RELATIVE
41 : */
42 1670751 : sd->type = SEC_DESC_SELF_RELATIVE;
43 :
44 1670751 : sd->owner_sid = NULL;
45 1670751 : sd->group_sid = NULL;
46 1670751 : sd->sacl = NULL;
47 1670751 : sd->dacl = NULL;
48 :
49 1670751 : return sd;
50 : }
51 :
52 5544639 : struct security_acl *security_acl_dup(TALLOC_CTX *mem_ctx,
53 : const struct security_acl *oacl)
54 : {
55 : struct security_acl *nacl;
56 :
57 5544639 : if (oacl == NULL) {
58 675801 : return NULL;
59 : }
60 :
61 4868838 : if (oacl->aces == NULL && oacl->num_aces > 0) {
62 0 : return NULL;
63 : }
64 :
65 4868838 : nacl = talloc (mem_ctx, struct security_acl);
66 4868838 : if (nacl == NULL) {
67 0 : return NULL;
68 : }
69 :
70 4868838 : *nacl = (struct security_acl) {
71 4868838 : .revision = oacl->revision,
72 4868838 : .size = oacl->size,
73 4868838 : .num_aces = oacl->num_aces,
74 : };
75 4868838 : if (nacl->num_aces == 0) {
76 1045686 : return nacl;
77 : }
78 :
79 3823152 : nacl->aces = (struct security_ace *)talloc_memdup (nacl, oacl->aces, sizeof(struct security_ace) * oacl->num_aces);
80 3823152 : if (nacl->aces == NULL) {
81 0 : goto failed;
82 : }
83 :
84 3823152 : return nacl;
85 :
86 0 : failed:
87 0 : talloc_free (nacl);
88 0 : return NULL;
89 :
90 : }
91 :
92 1998228 : struct security_acl *security_acl_concatenate(TALLOC_CTX *mem_ctx,
93 : const struct security_acl *acl1,
94 : const struct security_acl *acl2)
95 : {
96 : struct security_acl *nacl;
97 : uint32_t i;
98 :
99 1998228 : if (!acl1 && !acl2)
100 366526 : return NULL;
101 :
102 1631702 : if (!acl1){
103 69759 : nacl = security_acl_dup(mem_ctx, acl2);
104 69759 : return nacl;
105 : }
106 :
107 1561943 : if (!acl2){
108 37545 : nacl = security_acl_dup(mem_ctx, acl1);
109 37545 : return nacl;
110 : }
111 :
112 1524398 : nacl = talloc (mem_ctx, struct security_acl);
113 1524398 : if (nacl == NULL) {
114 0 : return NULL;
115 : }
116 :
117 1524398 : nacl->revision = acl1->revision;
118 1524398 : nacl->size = acl1->size + acl2->size;
119 1524398 : nacl->num_aces = acl1->num_aces + acl2->num_aces;
120 :
121 1524398 : if (nacl->num_aces == 0)
122 0 : return nacl;
123 :
124 1524398 : nacl->aces = (struct security_ace *)talloc_array (mem_ctx, struct security_ace, acl1->num_aces+acl2->num_aces);
125 1524398 : if ((nacl->aces == NULL) && (nacl->num_aces > 0)) {
126 0 : goto failed;
127 : }
128 :
129 3809384 : for (i = 0; i < acl1->num_aces; i++)
130 2284986 : nacl->aces[i] = acl1->aces[i];
131 8235976 : for (i = 0; i < acl2->num_aces; i++)
132 6711578 : nacl->aces[i + acl1->num_aces] = acl2->aces[i];
133 :
134 1524398 : return nacl;
135 :
136 0 : failed:
137 0 : talloc_free (nacl);
138 0 : return NULL;
139 :
140 : }
141 :
142 : /*
143 : talloc and copy a security descriptor
144 : */
145 2602 : struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx,
146 : const struct security_descriptor *osd)
147 : {
148 : struct security_descriptor *nsd;
149 :
150 2602 : nsd = talloc_zero(mem_ctx, struct security_descriptor);
151 2602 : if (!nsd) {
152 0 : return NULL;
153 : }
154 :
155 2602 : if (osd->owner_sid) {
156 2474 : nsd->owner_sid = dom_sid_dup(nsd, osd->owner_sid);
157 2474 : if (nsd->owner_sid == NULL) {
158 0 : goto failed;
159 : }
160 : }
161 :
162 2602 : if (osd->group_sid) {
163 2394 : nsd->group_sid = dom_sid_dup(nsd, osd->group_sid);
164 2394 : if (nsd->group_sid == NULL) {
165 0 : goto failed;
166 : }
167 : }
168 :
169 2602 : if (osd->sacl) {
170 4 : nsd->sacl = security_acl_dup(nsd, osd->sacl);
171 4 : if (nsd->sacl == NULL) {
172 0 : goto failed;
173 : }
174 : }
175 :
176 2602 : if (osd->dacl) {
177 2600 : nsd->dacl = security_acl_dup(nsd, osd->dacl);
178 2600 : if (nsd->dacl == NULL) {
179 0 : goto failed;
180 : }
181 : }
182 :
183 2602 : nsd->revision = osd->revision;
184 2602 : nsd->type = osd->type;
185 :
186 2602 : return nsd;
187 :
188 0 : failed:
189 0 : talloc_free(nsd);
190 :
191 0 : return NULL;
192 : }
193 :
194 12 : NTSTATUS security_descriptor_for_client(TALLOC_CTX *mem_ctx,
195 : const struct security_descriptor *ssd,
196 : uint32_t sec_info,
197 : uint32_t access_granted,
198 : struct security_descriptor **_csd)
199 : {
200 12 : struct security_descriptor *csd = NULL;
201 12 : uint32_t access_required = 0;
202 :
203 12 : *_csd = NULL;
204 :
205 12 : if (sec_info & (SECINFO_OWNER|SECINFO_GROUP)) {
206 0 : access_required |= SEC_STD_READ_CONTROL;
207 : }
208 12 : if (sec_info & SECINFO_DACL) {
209 0 : access_required |= SEC_STD_READ_CONTROL;
210 : }
211 12 : if (sec_info & SECINFO_SACL) {
212 0 : access_required |= SEC_FLAG_SYSTEM_SECURITY;
213 : }
214 :
215 12 : if (access_required & (~access_granted)) {
216 0 : return NT_STATUS_ACCESS_DENIED;
217 : }
218 :
219 : /*
220 : * make a copy...
221 : */
222 12 : csd = security_descriptor_copy(mem_ctx, ssd);
223 12 : if (csd == NULL) {
224 0 : return NT_STATUS_NO_MEMORY;
225 : }
226 :
227 : /*
228 : * ... and remove everthing not wanted
229 : */
230 :
231 12 : if (!(sec_info & SECINFO_OWNER)) {
232 12 : TALLOC_FREE(csd->owner_sid);
233 12 : csd->type &= ~SEC_DESC_OWNER_DEFAULTED;
234 : }
235 12 : if (!(sec_info & SECINFO_GROUP)) {
236 12 : TALLOC_FREE(csd->group_sid);
237 12 : csd->type &= ~SEC_DESC_GROUP_DEFAULTED;
238 : }
239 12 : if (!(sec_info & SECINFO_DACL)) {
240 12 : TALLOC_FREE(csd->dacl);
241 12 : csd->type &= ~(
242 : SEC_DESC_DACL_PRESENT |
243 : SEC_DESC_DACL_DEFAULTED|
244 : SEC_DESC_DACL_AUTO_INHERIT_REQ |
245 : SEC_DESC_DACL_AUTO_INHERITED |
246 : SEC_DESC_DACL_PROTECTED |
247 : SEC_DESC_DACL_TRUSTED);
248 : }
249 12 : if (!(sec_info & SECINFO_SACL)) {
250 12 : TALLOC_FREE(csd->sacl);
251 12 : csd->type &= ~(
252 : SEC_DESC_SACL_PRESENT |
253 : SEC_DESC_SACL_DEFAULTED |
254 : SEC_DESC_SACL_AUTO_INHERIT_REQ |
255 : SEC_DESC_SACL_AUTO_INHERITED |
256 : SEC_DESC_SACL_PROTECTED |
257 : SEC_DESC_SERVER_SECURITY);
258 : }
259 :
260 12 : *_csd = csd;
261 12 : return NT_STATUS_OK;
262 : }
263 :
264 : /*
265 : add an ACE to an ACL of a security_descriptor
266 : */
267 :
268 556657 : static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
269 : bool add_to_sacl,
270 : const struct security_ace *ace,
271 : ssize_t _idx)
272 : {
273 556657 : struct security_acl *acl = NULL;
274 : ssize_t idx;
275 :
276 556657 : if (add_to_sacl) {
277 3636 : acl = sd->sacl;
278 : } else {
279 553021 : acl = sd->dacl;
280 : }
281 :
282 556657 : if (acl == NULL) {
283 150678 : acl = talloc(sd, struct security_acl);
284 150678 : if (acl == NULL) {
285 0 : return NT_STATUS_NO_MEMORY;
286 : }
287 150678 : acl->revision = SECURITY_ACL_REVISION_NT4;
288 150678 : acl->size = 0;
289 150678 : acl->num_aces = 0;
290 150678 : acl->aces = NULL;
291 : }
292 :
293 556657 : if (_idx < 0) {
294 552878 : idx = (acl->num_aces + 1) + _idx;
295 : } else {
296 3779 : idx = _idx;
297 : }
298 :
299 556657 : if (idx < 0) {
300 0 : return NT_STATUS_ARRAY_BOUNDS_EXCEEDED;
301 556657 : } else if (idx > acl->num_aces) {
302 0 : return NT_STATUS_ARRAY_BOUNDS_EXCEEDED;
303 : }
304 :
305 556657 : acl->aces = talloc_realloc(acl, acl->aces,
306 : struct security_ace, acl->num_aces+1);
307 556657 : if (acl->aces == NULL) {
308 0 : return NT_STATUS_NO_MEMORY;
309 : }
310 :
311 556657 : ARRAY_INSERT_ELEMENT(acl->aces, acl->num_aces, *ace, idx);
312 556657 : acl->num_aces++;
313 :
314 556657 : switch (acl->aces[idx].type) {
315 75274 : case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
316 : case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
317 : case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
318 : case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
319 75274 : acl->revision = SECURITY_ACL_REVISION_ADS;
320 75274 : break;
321 481383 : default:
322 481383 : break;
323 : }
324 :
325 556657 : if (add_to_sacl) {
326 3636 : sd->sacl = acl;
327 3636 : sd->type |= SEC_DESC_SACL_PRESENT;
328 : } else {
329 553021 : sd->dacl = acl;
330 553021 : sd->type |= SEC_DESC_DACL_PRESENT;
331 : }
332 :
333 556657 : return NT_STATUS_OK;
334 : }
335 :
336 : /*
337 : add an ACE to the SACL of a security_descriptor
338 : */
339 :
340 0 : NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
341 : const struct security_ace *ace)
342 : {
343 0 : return security_descriptor_acl_add(sd, true, ace, -1);
344 : }
345 :
346 : /*
347 : insert an ACE at a given index to the SACL of a security_descriptor
348 :
349 : idx can be negative, which means it's related to the new size from the
350 : end, so -1 means the ace is appended at the end.
351 : */
352 :
353 3636 : NTSTATUS security_descriptor_sacl_insert(struct security_descriptor *sd,
354 : const struct security_ace *ace,
355 : ssize_t idx)
356 : {
357 3636 : return security_descriptor_acl_add(sd, true, ace, idx);
358 : }
359 :
360 : /*
361 : add an ACE to the DACL of a security_descriptor
362 : */
363 :
364 6085 : NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
365 : const struct security_ace *ace)
366 : {
367 6085 : return security_descriptor_acl_add(sd, false, ace, -1);
368 : }
369 :
370 : /*
371 : insert an ACE at a given index to the DACL of a security_descriptor
372 :
373 : idx can be negative, which means it's related to the new size from the
374 : end, so -1 means the ace is appended at the end.
375 : */
376 :
377 546936 : NTSTATUS security_descriptor_dacl_insert(struct security_descriptor *sd,
378 : const struct security_ace *ace,
379 : ssize_t idx)
380 : {
381 546936 : return security_descriptor_acl_add(sd, false, ace, idx);
382 : }
383 :
384 : /*
385 : delete the ACE corresponding to the given trustee in an ACL of a
386 : security_descriptor
387 : */
388 :
389 2 : static NTSTATUS security_descriptor_acl_del(struct security_descriptor *sd,
390 : bool sacl_del,
391 : const struct dom_sid *trustee)
392 : {
393 : uint32_t i;
394 2 : bool found = false;
395 2 : struct security_acl *acl = NULL;
396 :
397 2 : if (sacl_del) {
398 0 : acl = sd->sacl;
399 : } else {
400 2 : acl = sd->dacl;
401 : }
402 :
403 2 : if (acl == NULL) {
404 0 : return NT_STATUS_OBJECT_NAME_NOT_FOUND;
405 : }
406 :
407 : /* there can be multiple ace's for one trustee */
408 12 : for (i=0;i<acl->num_aces;i++) {
409 10 : if (dom_sid_equal(trustee, &acl->aces[i].trustee)) {
410 2 : ARRAY_DEL_ELEMENT(acl->aces, i, acl->num_aces);
411 2 : acl->num_aces--;
412 2 : if (acl->num_aces == 0) {
413 0 : acl->aces = NULL;
414 : }
415 2 : found = true;
416 : }
417 : }
418 :
419 2 : if (!found) {
420 0 : return NT_STATUS_OBJECT_NAME_NOT_FOUND;
421 : }
422 :
423 2 : acl->revision = SECURITY_ACL_REVISION_NT4;
424 :
425 10 : for (i=0;i<acl->num_aces;i++) {
426 8 : switch (acl->aces[i].type) {
427 0 : case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
428 : case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
429 : case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
430 : case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
431 0 : acl->revision = SECURITY_ACL_REVISION_ADS;
432 0 : return NT_STATUS_OK;
433 8 : default:
434 8 : break; /* only for the switch statement */
435 : }
436 : }
437 :
438 2 : return NT_STATUS_OK;
439 : }
440 :
441 : /*
442 : delete the ACE corresponding to the given trustee in the DACL of a
443 : security_descriptor
444 : */
445 :
446 2 : NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd,
447 : const struct dom_sid *trustee)
448 : {
449 2 : return security_descriptor_acl_del(sd, false, trustee);
450 : }
451 :
452 : /*
453 : delete the ACE corresponding to the given trustee in the SACL of a
454 : security_descriptor
455 : */
456 :
457 0 : NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd,
458 : const struct dom_sid *trustee)
459 : {
460 0 : return security_descriptor_acl_del(sd, true, trustee);
461 : }
462 :
463 : /*
464 : delete the given ACE in the SACL or DACL of a security_descriptor
465 : */
466 64575 : static NTSTATUS security_descriptor_acl_del_ace(struct security_descriptor *sd,
467 : bool sacl_del,
468 : const struct security_ace *ace)
469 : {
470 : uint32_t i;
471 64575 : bool found = false;
472 64575 : struct security_acl *acl = NULL;
473 :
474 64575 : if (sacl_del) {
475 0 : acl = sd->sacl;
476 : } else {
477 64575 : acl = sd->dacl;
478 : }
479 :
480 64575 : if (acl == NULL) {
481 0 : return NT_STATUS_OBJECT_NAME_NOT_FOUND;
482 : }
483 :
484 1682138 : for (i=0;i<acl->num_aces;i++) {
485 1617563 : if (security_ace_equal(ace, &acl->aces[i])) {
486 64575 : ARRAY_DEL_ELEMENT(acl->aces, i, acl->num_aces);
487 64575 : acl->num_aces--;
488 64575 : if (acl->num_aces == 0) {
489 0 : acl->aces = NULL;
490 : }
491 64575 : found = true;
492 64575 : i--;
493 : }
494 : }
495 :
496 64575 : if (!found) {
497 36997 : return NT_STATUS_OBJECT_NAME_NOT_FOUND;
498 : }
499 :
500 27578 : acl->revision = SECURITY_ACL_REVISION_NT4;
501 :
502 115369 : for (i=0;i<acl->num_aces;i++) {
503 115252 : switch (acl->aces[i].type) {
504 27461 : case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
505 : case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
506 : case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
507 : case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
508 27461 : acl->revision = SECURITY_ACL_REVISION_ADS;
509 27461 : return NT_STATUS_OK;
510 87791 : default:
511 87791 : break; /* only for the switch statement */
512 : }
513 : }
514 :
515 117 : return NT_STATUS_OK;
516 : }
517 :
518 64575 : NTSTATUS security_descriptor_dacl_del_ace(struct security_descriptor *sd,
519 : const struct security_ace *ace)
520 : {
521 64575 : return security_descriptor_acl_del_ace(sd, false, ace);
522 : }
523 :
524 0 : NTSTATUS security_descriptor_sacl_del_ace(struct security_descriptor *sd,
525 : const struct security_ace *ace)
526 : {
527 0 : return security_descriptor_acl_del_ace(sd, true, ace);
528 : }
529 : /*
530 : compare two security ace structures
531 : */
532 1643010 : bool security_ace_equal(const struct security_ace *ace1,
533 : const struct security_ace *ace2)
534 : {
535 1643010 : if (ace1 == ace2) {
536 0 : return true;
537 : }
538 1643010 : if ((ace1 == NULL) || (ace2 == NULL)) {
539 0 : return false;
540 : }
541 1643010 : if (ace1->type != ace2->type) {
542 544334 : return false;
543 : }
544 1098676 : if (ace1->flags != ace2->flags) {
545 833445 : return false;
546 : }
547 265231 : if (ace1->access_mask != ace2->access_mask) {
548 123041 : return false;
549 : }
550 142190 : if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) {
551 75694 : return false;
552 : }
553 :
554 66496 : return true;
555 : }
556 :
557 :
558 : /*
559 : compare two security acl structures
560 : */
561 2236 : bool security_acl_equal(const struct security_acl *acl1,
562 : const struct security_acl *acl2)
563 : {
564 : uint32_t i;
565 :
566 2236 : if (acl1 == acl2) return true;
567 1149 : if (!acl1 || !acl2) return false;
568 1143 : if (acl1->revision != acl2->revision) return false;
569 865 : if (acl1->num_aces != acl2->num_aces) return false;
570 :
571 2133 : for (i=0;i<acl1->num_aces;i++) {
572 1504 : if (!security_ace_equal(&acl1->aces[i], &acl2->aces[i])) return false;
573 : }
574 629 : return true;
575 : }
576 :
577 : /*
578 : compare two security descriptors.
579 : */
580 1310 : bool security_descriptor_equal(const struct security_descriptor *sd1,
581 : const struct security_descriptor *sd2)
582 : {
583 1310 : if (sd1 == sd2) return true;
584 1310 : if (!sd1 || !sd2) return false;
585 1310 : if (sd1->revision != sd2->revision) return false;
586 1310 : if (sd1->type != sd2->type) return false;
587 :
588 1113 : if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
589 1087 : if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
590 1087 : if (!security_acl_equal(sd1->sacl, sd2->sacl)) return false;
591 1087 : if (!security_acl_equal(sd1->dacl, sd2->dacl)) return false;
592 :
593 567 : return true;
594 : }
595 :
596 : /*
597 : compare two security descriptors, but allow certain (missing) parts
598 : to be masked out of the comparison
599 : */
600 0 : bool security_descriptor_mask_equal(const struct security_descriptor *sd1,
601 : const struct security_descriptor *sd2,
602 : uint32_t mask)
603 : {
604 0 : if (sd1 == sd2) return true;
605 0 : if (!sd1 || !sd2) return false;
606 0 : if (sd1->revision != sd2->revision) return false;
607 0 : if ((sd1->type & mask) != (sd2->type & mask)) return false;
608 :
609 0 : if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
610 0 : if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
611 0 : if ((mask & SEC_DESC_DACL_PRESENT) && !security_acl_equal(sd1->dacl, sd2->dacl)) return false;
612 0 : if ((mask & SEC_DESC_SACL_PRESENT) && !security_acl_equal(sd1->sacl, sd2->sacl)) return false;
613 :
614 0 : return true;
615 : }
616 :
617 :
618 133 : static struct security_descriptor *security_descriptor_appendv(struct security_descriptor *sd,
619 : bool add_ace_to_sacl,
620 : va_list ap)
621 : {
622 : const char *sidstr;
623 :
624 441 : while ((sidstr = va_arg(ap, const char *))) {
625 : struct dom_sid *sid;
626 177 : struct security_ace *ace = talloc_zero(sd, struct security_ace);
627 : NTSTATUS status;
628 :
629 177 : if (ace == NULL) {
630 0 : talloc_free(sd);
631 0 : return NULL;
632 : }
633 177 : ace->type = va_arg(ap, unsigned int);
634 177 : ace->access_mask = va_arg(ap, unsigned int);
635 177 : ace->flags = va_arg(ap, unsigned int);
636 177 : sid = dom_sid_parse_talloc(ace, sidstr);
637 177 : if (sid == NULL) {
638 0 : talloc_free(sd);
639 0 : return NULL;
640 : }
641 177 : ace->trustee = *sid;
642 177 : if (add_ace_to_sacl) {
643 0 : status = security_descriptor_sacl_add(sd, ace);
644 : } else {
645 177 : status = security_descriptor_dacl_add(sd, ace);
646 : }
647 : /* TODO: check: would talloc_free(ace) here be correct? */
648 177 : if (!NT_STATUS_IS_OK(status)) {
649 0 : talloc_free(sd);
650 0 : return NULL;
651 : }
652 : }
653 :
654 133 : return sd;
655 : }
656 :
657 133 : static struct security_descriptor *security_descriptor_createv(TALLOC_CTX *mem_ctx,
658 : uint16_t sd_type,
659 : const char *owner_sid,
660 : const char *group_sid,
661 : bool add_ace_to_sacl,
662 : va_list ap)
663 : {
664 : struct security_descriptor *sd;
665 :
666 133 : sd = security_descriptor_initialise(mem_ctx);
667 133 : if (sd == NULL) {
668 0 : return NULL;
669 : }
670 :
671 133 : sd->type |= sd_type;
672 :
673 133 : if (owner_sid) {
674 92 : sd->owner_sid = dom_sid_parse_talloc(sd, owner_sid);
675 92 : if (sd->owner_sid == NULL) {
676 0 : talloc_free(sd);
677 0 : return NULL;
678 : }
679 : }
680 133 : if (group_sid) {
681 9 : sd->group_sid = dom_sid_parse_talloc(sd, group_sid);
682 9 : if (sd->group_sid == NULL) {
683 0 : talloc_free(sd);
684 0 : return NULL;
685 : }
686 : }
687 :
688 133 : return security_descriptor_appendv(sd, add_ace_to_sacl, ap);
689 : }
690 :
691 : /*
692 : create a security descriptor using string SIDs. This is used by the
693 : torture code to allow the easy creation of complex ACLs
694 : This is a varargs function. The list of DACL ACEs ends with a NULL sid.
695 :
696 : Each ACE contains a set of 4 parameters:
697 : SID, ACCESS_TYPE, MASK, FLAGS
698 :
699 : a typical call would be:
700 :
701 : sd = security_descriptor_dacl_create(mem_ctx,
702 : sd_type_flags,
703 : mysid,
704 : mygroup,
705 : SID_NT_AUTHENTICATED_USERS,
706 : SEC_ACE_TYPE_ACCESS_ALLOWED,
707 : SEC_FILE_ALL,
708 : SEC_ACE_FLAG_OBJECT_INHERIT,
709 : NULL);
710 : that would create a sd with one DACL ACE
711 : */
712 :
713 133 : struct security_descriptor *security_descriptor_dacl_create(TALLOC_CTX *mem_ctx,
714 : uint16_t sd_type,
715 : const char *owner_sid,
716 : const char *group_sid,
717 : ...)
718 : {
719 133 : struct security_descriptor *sd = NULL;
720 : va_list ap;
721 133 : va_start(ap, group_sid);
722 133 : sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid,
723 : group_sid, false, ap);
724 133 : va_end(ap);
725 :
726 133 : return sd;
727 : }
728 :
729 0 : struct security_descriptor *security_descriptor_sacl_create(TALLOC_CTX *mem_ctx,
730 : uint16_t sd_type,
731 : const char *owner_sid,
732 : const char *group_sid,
733 : ...)
734 : {
735 0 : struct security_descriptor *sd = NULL;
736 : va_list ap;
737 0 : va_start(ap, group_sid);
738 0 : sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid,
739 : group_sid, true, ap);
740 0 : va_end(ap);
741 :
742 0 : return sd;
743 : }
744 :
745 0 : struct security_ace *security_ace_create(TALLOC_CTX *mem_ctx,
746 : const char *sid_str,
747 : enum security_ace_type type,
748 : uint32_t access_mask,
749 : uint8_t flags)
750 :
751 : {
752 : struct security_ace *ace;
753 : bool ok;
754 :
755 0 : ace = talloc_zero(mem_ctx, struct security_ace);
756 0 : if (ace == NULL) {
757 0 : return NULL;
758 : }
759 :
760 0 : ok = dom_sid_parse(sid_str, &ace->trustee);
761 0 : if (!ok) {
762 0 : talloc_free(ace);
763 0 : return NULL;
764 : }
765 0 : ace->type = type;
766 0 : ace->access_mask = access_mask;
767 0 : ace->flags = flags;
768 :
769 0 : return ace;
770 : }
771 :
772 : /*******************************************************************
773 : Check for MS NFS ACEs in a sd
774 : *******************************************************************/
775 4764 : bool security_descriptor_with_ms_nfs(const struct security_descriptor *psd)
776 : {
777 : uint32_t i;
778 :
779 4764 : if (psd->dacl == NULL) {
780 4 : return false;
781 : }
782 :
783 34248 : for (i = 0; i < psd->dacl->num_aces; i++) {
784 29488 : if (dom_sid_compare_domain(
785 : &global_sid_Unix_NFS,
786 29488 : &psd->dacl->aces[i].trustee) == 0) {
787 0 : return true;
788 : }
789 : }
790 :
791 4760 : return false;
792 : }
|
