2
Unix SMB/CIFS implementation.
4
security descriptror utility functions
6
Copyright (C) Andrew Tridgell 2004
8
This program is free software; you can redistribute it and/or modify
9
it under the terms of the GNU General Public License as published by
10
the Free Software Foundation; either version 3 of the License, or
11
(at your option) any later version.
13
This program is distributed in the hope that it will be useful,
14
but WITHOUT ANY WARRANTY; without even the implied warranty of
15
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
GNU General Public License for more details.
18
You should have received a copy of the GNU General Public License
19
along with this program. If not, see <http://www.gnu.org/licenses/>.
23
#include "libcli/security/security.h"
26
return a blank security descriptor (no owners, dacl or sacl)
28
struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx)
30
struct security_descriptor *sd;
32
sd = talloc(mem_ctx, struct security_descriptor);
37
sd->revision = SD_REVISION;
38
/* we mark as self relative, even though it isn't while it remains
39
a pointer in memory because this simplifies the ndr code later.
40
All SDs that we store/emit are in fact SELF_RELATIVE
42
sd->type = SEC_DESC_SELF_RELATIVE;
52
static struct security_acl *security_acl_dup(TALLOC_CTX *mem_ctx,
53
const struct security_acl *oacl)
55
struct security_acl *nacl;
57
nacl = talloc (mem_ctx, struct security_acl);
62
nacl->aces = (struct security_ace *)talloc_memdup (nacl, oacl->aces, sizeof(struct security_ace) * oacl->num_aces);
63
if ((nacl->aces == NULL) && (oacl->num_aces > 0)) {
67
nacl->revision = oacl->revision;
68
nacl->size = oacl->size;
69
nacl->num_aces = oacl->num_aces;
80
talloc and copy a security descriptor
82
struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx,
83
const struct security_descriptor *osd)
85
struct security_descriptor *nsd;
87
nsd = talloc_zero(mem_ctx, struct security_descriptor);
93
nsd->owner_sid = dom_sid_dup(nsd, osd->owner_sid);
94
if (nsd->owner_sid == NULL) {
100
nsd->group_sid = dom_sid_dup(nsd, osd->group_sid);
101
if (nsd->group_sid == NULL) {
107
nsd->sacl = security_acl_dup(nsd, osd->sacl);
108
if (nsd->sacl == NULL) {
114
nsd->dacl = security_acl_dup(nsd, osd->dacl);
115
if (nsd->dacl == NULL) {
120
nsd->revision = osd->revision;
121
nsd->type = osd->type;
132
add an ACE to an ACL of a security_descriptor
135
static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
137
const struct security_ace *ace)
139
struct security_acl *acl = NULL;
148
acl = talloc(sd, struct security_acl);
150
return NT_STATUS_NO_MEMORY;
152
acl->revision = SECURITY_ACL_REVISION_NT4;
158
acl->aces = talloc_realloc(acl, acl->aces,
159
struct security_ace, acl->num_aces+1);
160
if (acl->aces == NULL) {
161
return NT_STATUS_NO_MEMORY;
164
acl->aces[acl->num_aces] = *ace;
166
switch (acl->aces[acl->num_aces].type) {
167
case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
168
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
169
case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
170
case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
171
acl->revision = SECURITY_ACL_REVISION_ADS;
181
sd->type |= SEC_DESC_SACL_PRESENT;
184
sd->type |= SEC_DESC_DACL_PRESENT;
191
add an ACE to the SACL of a security_descriptor
194
NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
195
const struct security_ace *ace)
197
return security_descriptor_acl_add(sd, true, ace);
201
add an ACE to the DACL of a security_descriptor
204
NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
205
const struct security_ace *ace)
207
return security_descriptor_acl_add(sd, false, ace);
211
delete the ACE corresponding to the given trustee in an ACL of a
215
static NTSTATUS security_descriptor_acl_del(struct security_descriptor *sd,
217
const struct dom_sid *trustee)
221
struct security_acl *acl = NULL;
230
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
233
/* there can be multiple ace's for one trustee */
234
for (i=0;i<acl->num_aces;i++) {
235
if (dom_sid_equal(trustee, &acl->aces[i].trustee)) {
236
memmove(&acl->aces[i], &acl->aces[i+1],
237
sizeof(acl->aces[i]) * (acl->num_aces - (i+1)));
239
if (acl->num_aces == 0) {
247
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
250
acl->revision = SECURITY_ACL_REVISION_NT4;
252
for (i=0;i<acl->num_aces;i++) {
253
switch (acl->aces[i].type) {
254
case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
255
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
256
case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
257
case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
258
acl->revision = SECURITY_ACL_REVISION_ADS;
261
break; /* only for the switch statement */
269
delete the ACE corresponding to the given trustee in the DACL of a
273
NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd,
274
const struct dom_sid *trustee)
276
return security_descriptor_acl_del(sd, false, trustee);
280
delete the ACE corresponding to the given trustee in the SACL of a
284
NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd,
285
const struct dom_sid *trustee)
287
return security_descriptor_acl_del(sd, true, trustee);
291
compare two security ace structures
293
bool security_ace_equal(const struct security_ace *ace1,
294
const struct security_ace *ace2)
296
if (ace1 == ace2) return true;
297
if (!ace1 || !ace2) return false;
298
if (ace1->type != ace2->type) return false;
299
if (ace1->flags != ace2->flags) return false;
300
if (ace1->access_mask != ace2->access_mask) return false;
301
if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) return false;
308
compare two security acl structures
310
bool security_acl_equal(const struct security_acl *acl1,
311
const struct security_acl *acl2)
315
if (acl1 == acl2) return true;
316
if (!acl1 || !acl2) return false;
317
if (acl1->revision != acl2->revision) return false;
318
if (acl1->num_aces != acl2->num_aces) return false;
320
for (i=0;i<acl1->num_aces;i++) {
321
if (!security_ace_equal(&acl1->aces[i], &acl2->aces[i])) return false;
327
compare two security descriptors.
329
bool security_descriptor_equal(const struct security_descriptor *sd1,
330
const struct security_descriptor *sd2)
332
if (sd1 == sd2) return true;
333
if (!sd1 || !sd2) return false;
334
if (sd1->revision != sd2->revision) return false;
335
if (sd1->type != sd2->type) return false;
337
if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
338
if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
339
if (!security_acl_equal(sd1->sacl, sd2->sacl)) return false;
340
if (!security_acl_equal(sd1->dacl, sd2->dacl)) return false;
346
compare two security descriptors, but allow certain (missing) parts
347
to be masked out of the comparison
349
bool security_descriptor_mask_equal(const struct security_descriptor *sd1,
350
const struct security_descriptor *sd2,
353
if (sd1 == sd2) return true;
354
if (!sd1 || !sd2) return false;
355
if (sd1->revision != sd2->revision) return false;
356
if ((sd1->type & mask) != (sd2->type & mask)) return false;
358
if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
359
if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
360
if ((mask & SEC_DESC_DACL_PRESENT) && !security_acl_equal(sd1->dacl, sd2->dacl)) return false;
361
if ((mask & SEC_DESC_SACL_PRESENT) && !security_acl_equal(sd1->sacl, sd2->sacl)) return false;
367
static struct security_descriptor *security_descriptor_appendv(struct security_descriptor *sd,
368
bool add_ace_to_sacl,
373
while ((sidstr = va_arg(ap, const char *))) {
375
struct security_ace *ace = talloc(sd, struct security_ace);
382
ace->type = va_arg(ap, unsigned int);
383
ace->access_mask = va_arg(ap, unsigned int);
384
ace->flags = va_arg(ap, unsigned int);
385
sid = dom_sid_parse_talloc(ace, sidstr);
391
if (add_ace_to_sacl) {
392
status = security_descriptor_sacl_add(sd, ace);
394
status = security_descriptor_dacl_add(sd, ace);
396
/* TODO: check: would talloc_free(ace) here be correct? */
397
if (!NT_STATUS_IS_OK(status)) {
406
struct security_descriptor *security_descriptor_append(struct security_descriptor *sd,
412
sd = security_descriptor_appendv(sd, false, ap);
418
static struct security_descriptor *security_descriptor_createv(TALLOC_CTX *mem_ctx,
420
const char *owner_sid,
421
const char *group_sid,
422
bool add_ace_to_sacl,
425
struct security_descriptor *sd;
427
sd = security_descriptor_initialise(mem_ctx);
435
sd->owner_sid = dom_sid_parse_talloc(sd, owner_sid);
436
if (sd->owner_sid == NULL) {
442
sd->group_sid = dom_sid_parse_talloc(sd, group_sid);
443
if (sd->group_sid == NULL) {
449
return security_descriptor_appendv(sd, add_ace_to_sacl, ap);
453
create a security descriptor using string SIDs. This is used by the
454
torture code to allow the easy creation of complex ACLs
455
This is a varargs function. The list of DACL ACEs ends with a NULL sid.
457
Each ACE contains a set of 4 parameters:
458
SID, ACCESS_TYPE, MASK, FLAGS
460
a typical call would be:
462
sd = security_descriptor_dacl_create(mem_ctx,
466
SID_NT_AUTHENTICATED_USERS,
467
SEC_ACE_TYPE_ACCESS_ALLOWED,
469
SEC_ACE_FLAG_OBJECT_INHERIT,
471
that would create a sd with one DACL ACE
474
struct security_descriptor *security_descriptor_dacl_create(TALLOC_CTX *mem_ctx,
476
const char *owner_sid,
477
const char *group_sid,
480
struct security_descriptor *sd = NULL;
482
va_start(ap, group_sid);
483
sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid,
484
group_sid, false, ap);
490
struct security_descriptor *security_descriptor_sacl_create(TALLOC_CTX *mem_ctx,
492
const char *owner_sid,
493
const char *group_sid,
496
struct security_descriptor *sd = NULL;
498
va_start(ap, group_sid);
499
sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid,
500
group_sid, true, ap);
506
struct security_ace *security_ace_create(TALLOC_CTX *mem_ctx,
508
enum security_ace_type type,
509
uint32_t access_mask,
514
struct security_ace *ace;
516
ace = talloc_zero(mem_ctx, struct security_ace);
521
sid = dom_sid_parse_talloc(ace, sid_str);
529
ace->access_mask = access_mask;