Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Blame
Revision Log

source: branches/samba-3.2.x/source/lib/secace.c@ 621

Visit:

Last change on this file since 621 was 133, checked in by Paul Smedley, 17 years ago
Update trunk to 3.2.0pre3
File size: 8.6 KB

Line
1	/*
2	* Unix SMB/Netbios implementation.
3	* SEC_ACE handling functions
4	* Copyright (C) Andrew Tridgell 1992-1998,
5	* Copyright (C) Jeremy R. Allison 1995-2003.
6	* Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
7	* Copyright (C) Paul Ashton 1997-1998.
8	*
9	* This program is free software; you can redistribute it and/or modify
10	* it under the terms of the GNU General Public License as published by
11	* the Free Software Foundation; either version 3 of the License, or
12	* (at your option) any later version.
13	*
14	* This program is distributed in the hope that it will be useful,
15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17	* GNU General Public License for more details.
18	*
19	* You should have received a copy of the GNU General Public License
20	* along with this program; if not, see <http://www.gnu.org/licenses/>.
21	*/
22
23	#include "includes.h"
24
25	/*******************************************************************
26	Check if ACE has OBJECT type.
27	********************************************************************/
28
29	bool sec_ace_object(uint8 type)
30	{
31	if (type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT \|\|
32	type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT \|\|
33	type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT \|\|
34	type == SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT) {
35	return True;
36	}
37	return False;
38	}
39
40	/*******************************************************************
41	copy a SEC_ACE structure.
42	********************************************************************/
43	void sec_ace_copy(SEC_ACE ace_dest, SEC_ACE ace_src)
44	{
45	ace_dest->type = ace_src->type;
46	ace_dest->flags = ace_src->flags;
47	ace_dest->size = ace_src->size;
48	ace_dest->access_mask = ace_src->access_mask;
49	ace_dest->object = ace_src->object;
50	sid_copy(&ace_dest->trustee, &ace_src->trustee);
51	}
52
53	/*******************************************************************
54	Sets up a SEC_ACE structure.
55	********************************************************************/
56
57	void init_sec_ace(SEC_ACE t, const DOM_SID sid, enum security_ace_type type,
58	uint32 mask, uint8 flag)
59	{
60	t->type = type;
61	t->flags = flag;
62	t->size = ndr_size_dom_sid(sid, 0) + 8;
63	t->access_mask = mask;
64
65	ZERO_STRUCTP(&t->trustee);
66	sid_copy(&t->trustee, sid);
67	}
68
69	/*******************************************************************
70	adds new SID with its permissions to ACE list
71	********************************************************************/
72
73	NTSTATUS sec_ace_add_sid(TALLOC_CTX ctx, SEC_ACE pp_new, SEC_ACE old, unsigned num, DOM_SID sid, uint32 mask)
74	{
75	unsigned int i = 0;
76
77	if (!ctx \|\| !pp_new \|\| !old \|\| !sid \|\| !num) return NT_STATUS_INVALID_PARAMETER;
78
79	*num += 1;
80
81	if((pp_new[0] = TALLOC_ZERO_ARRAY(ctx, SEC_ACE, *num )) == 0)
82	return NT_STATUS_NO_MEMORY;
83
84	for (i = 0; i < *num - 1; i ++)
85	sec_ace_copy(&(*pp_new)[i], &old[i]);
86
87	(*pp_new)[i].type = SEC_ACE_TYPE_ACCESS_ALLOWED;
88	(*pp_new)[i].flags = 0;
89	(*pp_new)[i].size = SEC_ACE_HEADER_SIZE + ndr_size_dom_sid(sid, 0);
90	(*pp_new)[i].access_mask = mask;
91	sid_copy(&(*pp_new)[i].trustee, sid);
92	return NT_STATUS_OK;
93	}
94
95	/*******************************************************************
96	modify SID's permissions at ACL
97	********************************************************************/
98
99	NTSTATUS sec_ace_mod_sid(SEC_ACE ace, size_t num, DOM_SID sid, uint32 mask)
100	{
101	unsigned int i = 0;
102
103	if (!ace \|\| !sid) return NT_STATUS_INVALID_PARAMETER;
104
105	for (i = 0; i < num; i ++) {
106	if (sid_compare(&ace[i].trustee, sid) == 0) {
107	ace[i].access_mask = mask;
108	return NT_STATUS_OK;
109	}
110	}
111	return NT_STATUS_NOT_FOUND;
112	}
113
114	/*******************************************************************
115	delete SID from ACL
116	********************************************************************/
117
118	NTSTATUS sec_ace_del_sid(TALLOC_CTX ctx, SEC_ACE pp_new, SEC_ACE old, uint32 num, DOM_SID sid)
119	{
120	unsigned int i = 0;
121	unsigned int n_del = 0;
122
123	if (!ctx \|\| !pp_new \|\| !old \|\| !sid \|\| !num) return NT_STATUS_INVALID_PARAMETER;
124
125	if (*num) {
126	if((pp_new[0] = TALLOC_ZERO_ARRAY(ctx, SEC_ACE, *num )) == 0)
127	return NT_STATUS_NO_MEMORY;
128	} else {
129	pp_new[0] = NULL;
130	}
131
132	for (i = 0; i < *num; i ++) {
133	if (sid_compare(&old[i].trustee, sid) != 0)
134	sec_ace_copy(&(*pp_new)[i], &old[i]);
135	else
136	n_del ++;
137	}
138	if (n_del == 0)
139	return NT_STATUS_NOT_FOUND;
140	else {
141	*num -= n_del;
142	return NT_STATUS_OK;
143	}
144	}
145
146	/*******************************************************************
147	Compares two SEC_ACE structures
148	********************************************************************/
149
150	bool sec_ace_equal(SEC_ACE s1, SEC_ACE s2)
151	{
152	/* Trivial case */
153
154	if (!s1 && !s2) {
155	return True;
156	}
157
158	if (!s1 \|\| !s2) {
159	return False;
160	}
161
162	/* Check top level stuff */
163
164	if (s1->type != s2->type \|\| s1->flags != s2->flags \|\|
165	s1->access_mask != s2->access_mask) {
166	return False;
167	}
168
169	/* Check SID */
170
171	if (!sid_equal(&s1->trustee, &s2->trustee)) {
172	return False;
173	}
174
175	return True;
176	}
177
178	int nt_ace_inherit_comp( SEC_ACE a1, SEC_ACE a2)
179	{
180	int a1_inh = a1->flags & SEC_ACE_FLAG_INHERITED_ACE;
181	int a2_inh = a2->flags & SEC_ACE_FLAG_INHERITED_ACE;
182
183	if (a1_inh == a2_inh)
184	return 0;
185
186	if (!a1_inh && a2_inh)
187	return -1;
188	return 1;
189	}
190
191	/*******************************************************************
192	Comparison function to apply the order explained below in a group.
193	*******************************************************************/
194
195	int nt_ace_canon_comp( SEC_ACE a1, SEC_ACE a2)
196	{
197	if ((a1->type == SEC_ACE_TYPE_ACCESS_DENIED) &&
198	(a2->type != SEC_ACE_TYPE_ACCESS_DENIED))
199	return -1;
200
201	if ((a2->type == SEC_ACE_TYPE_ACCESS_DENIED) &&
202	(a1->type != SEC_ACE_TYPE_ACCESS_DENIED))
203	return 1;
204
205	/* Both access denied or access allowed. */
206
207	/* 1. ACEs that apply to the object itself */
208
209	if (!(a1->flags & SEC_ACE_FLAG_INHERIT_ONLY) &&
210	(a2->flags & SEC_ACE_FLAG_INHERIT_ONLY))
211	return -1;
212	else if (!(a2->flags & SEC_ACE_FLAG_INHERIT_ONLY) &&
213	(a1->flags & SEC_ACE_FLAG_INHERIT_ONLY))
214	return 1;
215
216	/* 2. ACEs that apply to a subobject of the object, such as
217	* a property set or property. */
218
219	if (a1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT\|SEC_ACE_FLAG_OBJECT_INHERIT) &&
220	!(a2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT\|SEC_ACE_FLAG_OBJECT_INHERIT)))
221	return -1;
222	else if (a2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT\|SEC_ACE_FLAG_OBJECT_INHERIT) &&
223	!(a1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT\|SEC_ACE_FLAG_OBJECT_INHERIT)))
224	return 1;
225
226	return 0;
227	}
228
229	/*******************************************************************
230	Functions to convert a SEC_DESC ACE DACL list into canonical order.
231	JRA.
232
233	--- from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/order_of_aces_in_a_dacl.asp
234
235	The following describes the preferred order:
236
237	To ensure that noninherited ACEs have precedence over inherited ACEs,
238	place all noninherited ACEs in a group before any inherited ACEs.
239	This ordering ensures, for example, that a noninherited access-denied ACE
240	is enforced regardless of any inherited ACE that allows access.
241
242	Within the groups of noninherited ACEs and inherited ACEs, order ACEs according to ACE type, as the following shows:
243	1. Access-denied ACEs that apply to the object itself
244	2. Access-denied ACEs that apply to a subobject of the object, such as a property set or property
245	3. Access-allowed ACEs that apply to the object itself
246	4. Access-allowed ACEs that apply to a subobject of the object"
247
248	********************************************************************/
249
250	void dacl_sort_into_canonical_order(SEC_ACE *srclist, unsigned int num_aces)
251	{
252	unsigned int i;
253
254	if (!srclist \|\| num_aces == 0)
255	return;
256
257	/* Sort so that non-inherited ACE's come first. */
258	qsort( srclist, num_aces, sizeof(srclist[0]), QSORT_CAST nt_ace_inherit_comp);
259
260	/* Find the boundary between non-inherited ACEs. */
261	for (i = 0; i < num_aces; i++ ) {
262	SEC_ACE *curr_ace = &srclist[i];
263
264	if (curr_ace->flags & SEC_ACE_FLAG_INHERITED_ACE)
265	break;
266	}
267
268	/* i now points at entry number of the first inherited ACE. */
269
270	/* Sort the non-inherited ACEs. */
271	if (i)
272	qsort( srclist, i, sizeof(srclist[0]), QSORT_CAST nt_ace_canon_comp);
273
274	/* Now sort the inherited ACEs. */
275	if (num_aces - i)
276	qsort( &srclist[i], num_aces - i, sizeof(srclist[0]), QSORT_CAST nt_ace_canon_comp);
277	}
278
279	/*******************************************************************
280	Check if this ACE has a SID in common with the token.
281	********************************************************************/
282
283	bool token_sid_in_ace(const NT_USER_TOKEN token, const SEC_ACE ace)
284	{
285	size_t i;
286
287	for (i = 0; i < token->num_sids; i++) {
288	if (sid_equal(&ace->trustee, &token->user_sids[i]))
289	return True;
290	}
291
292	return False;
293	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: