source: trunk/server/libcli/security/security_descriptor.c

Last change on this file was 745, checked in by Silvan Scherrer, 13 years ago

Samba Server: updated trunk to 3.6.0
File size: 14.5 KB
Line 
1/*
2 Unix SMB/CIFS implementation.
3
4 security descriptror utility functions
5
6 Copyright (C) Andrew Tridgell 2004
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20*/
21
22#include "includes.h"
23#include "libcli/security/security.h"
24
25/*
26 return a blank security descriptor (no owners, dacl or sacl)
27*/
28struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx)
29{
30 struct security_descriptor *sd;
31
32 sd = talloc(mem_ctx, struct security_descriptor);
33 if (!sd) {
34 return NULL;
35 }
36
37 sd->revision = SD_REVISION;
38 /* we mark as self relative, even though it isn't while it remains
39 a pointer in memory because this simplifies the ndr code later.
40 All SDs that we store/emit are in fact SELF_RELATIVE
41 */
42 sd->type = SEC_DESC_SELF_RELATIVE;
43
44 sd->owner_sid = NULL;
45 sd->group_sid = NULL;
46 sd->sacl = NULL;
47 sd->dacl = NULL;
48
49 return sd;
50}
51
52struct security_acl *security_acl_dup(TALLOC_CTX *mem_ctx,
53 const struct security_acl *oacl)
54{
55 struct security_acl *nacl;
56
57 if (oacl == NULL) {
58 return NULL;
59 }
60
61 nacl = talloc (mem_ctx, struct security_acl);
62 if (nacl == NULL) {
63 return NULL;
64 }
65
66 nacl->aces = (struct security_ace *)talloc_memdup (nacl, oacl->aces, sizeof(struct security_ace) * oacl->num_aces);
67 if ((nacl->aces == NULL) && (oacl->num_aces > 0)) {
68 goto failed;
69 }
70
71 nacl->revision = oacl->revision;
72 nacl->size = oacl->size;
73 nacl->num_aces = oacl->num_aces;
74
75 return nacl;
76
77 failed:
78 talloc_free (nacl);
79 return NULL;
80
81}
82
83struct security_acl *security_acl_concatenate(TALLOC_CTX *mem_ctx,
84 const struct security_acl *acl1,
85 const struct security_acl *acl2)
86{
87 struct security_acl *nacl;
88 uint32_t i;
89
90 if (!acl1 && !acl2)
91 return NULL;
92
93 if (!acl1){
94 nacl = security_acl_dup(mem_ctx, acl2);
95 return nacl;
96 }
97
98 if (!acl2){
99 nacl = security_acl_dup(mem_ctx, acl1);
100 return nacl;
101 }
102
103 nacl = talloc (mem_ctx, struct security_acl);
104 if (nacl == NULL) {
105 return NULL;
106 }
107
108 nacl->revision = acl1->revision;
109 nacl->size = acl1->size + acl2->size;
110 nacl->num_aces = acl1->num_aces + acl2->num_aces;
111
112 if (nacl->num_aces == 0)
113 return nacl;
114
115 nacl->aces = (struct security_ace *)talloc_array (mem_ctx, struct security_ace, acl1->num_aces+acl2->num_aces);
116 if ((nacl->aces == NULL) && (nacl->num_aces > 0)) {
117 goto failed;
118 }
119
120 for (i = 0; i < acl1->num_aces; i++)
121 nacl->aces[i] = acl1->aces[i];
122 for (i = 0; i < acl2->num_aces; i++)
123 nacl->aces[i + acl1->num_aces] = acl2->aces[i];
124
125 return nacl;
126
127 failed:
128 talloc_free (nacl);
129 return NULL;
130
131}
132
133/*
134 talloc and copy a security descriptor
135 */
136struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx,
137 const struct security_descriptor *osd)
138{
139 struct security_descriptor *nsd;
140
141 nsd = talloc_zero(mem_ctx, struct security_descriptor);
142 if (!nsd) {
143 return NULL;
144 }
145
146 if (osd->owner_sid) {
147 nsd->owner_sid = dom_sid_dup(nsd, osd->owner_sid);
148 if (nsd->owner_sid == NULL) {
149 goto failed;
150 }
151 }
152
153 if (osd->group_sid) {
154 nsd->group_sid = dom_sid_dup(nsd, osd->group_sid);
155 if (nsd->group_sid == NULL) {
156 goto failed;
157 }
158 }
159
160 if (osd->sacl) {
161 nsd->sacl = security_acl_dup(nsd, osd->sacl);
162 if (nsd->sacl == NULL) {
163 goto failed;
164 }
165 }
166
167 if (osd->dacl) {
168 nsd->dacl = security_acl_dup(nsd, osd->dacl);
169 if (nsd->dacl == NULL) {
170 goto failed;
171 }
172 }
173
174 nsd->revision = osd->revision;
175 nsd->type = osd->type;
176
177 return nsd;
178
179 failed:
180 talloc_free(nsd);
181
182 return NULL;
183}
184
185/*
186 add an ACE to an ACL of a security_descriptor
187*/
188
189static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
190 bool add_to_sacl,
191 const struct security_ace *ace)
192{
193 struct security_acl *acl = NULL;
194
195 if (add_to_sacl) {
196 acl = sd->sacl;
197 } else {
198 acl = sd->dacl;
199 }
200
201 if (acl == NULL) {
202 acl = talloc(sd, struct security_acl);
203 if (acl == NULL) {
204 return NT_STATUS_NO_MEMORY;
205 }
206 acl->revision = SECURITY_ACL_REVISION_NT4;
207 acl->size = 0;
208 acl->num_aces = 0;
209 acl->aces = NULL;
210 }
211
212 acl->aces = talloc_realloc(acl, acl->aces,
213 struct security_ace, acl->num_aces+1);
214 if (acl->aces == NULL) {
215 return NT_STATUS_NO_MEMORY;
216 }
217
218 acl->aces[acl->num_aces] = *ace;
219
220 switch (acl->aces[acl->num_aces].type) {
221 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
222 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
223 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
224 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
225 acl->revision = SECURITY_ACL_REVISION_ADS;
226 break;
227 default:
228 break;
229 }
230
231 acl->num_aces++;
232
233 if (add_to_sacl) {
234 sd->sacl = acl;
235 sd->type |= SEC_DESC_SACL_PRESENT;
236 } else {
237 sd->dacl = acl;
238 sd->type |= SEC_DESC_DACL_PRESENT;
239 }
240
241 return NT_STATUS_OK;
242}
243
244/*
245 add an ACE to the SACL of a security_descriptor
246*/
247
248NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
249 const struct security_ace *ace)
250{
251 return security_descriptor_acl_add(sd, true, ace);
252}
253
254/*
255 add an ACE to the DACL of a security_descriptor
256*/
257
258NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
259 const struct security_ace *ace)
260{
261 return security_descriptor_acl_add(sd, false, ace);
262}
263
264/*
265 delete the ACE corresponding to the given trustee in an ACL of a
266 security_descriptor
267*/
268
269static NTSTATUS security_descriptor_acl_del(struct security_descriptor *sd,
270 bool sacl_del,
271 const struct dom_sid *trustee)
272{
273 uint32_t i;
274 bool found = false;
275 struct security_acl *acl = NULL;
276
277 if (sacl_del) {
278 acl = sd->sacl;
279 } else {
280 acl = sd->dacl;
281 }
282
283 if (acl == NULL) {
284 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
285 }
286
287 /* there can be multiple ace's for one trustee */
288 for (i=0;i<acl->num_aces;i++) {
289 if (dom_sid_equal(trustee, &acl->aces[i].trustee)) {
290 memmove(&acl->aces[i], &acl->aces[i+1],
291 sizeof(acl->aces[i]) * (acl->num_aces - (i+1)));
292 acl->num_aces--;
293 if (acl->num_aces == 0) {
294 acl->aces = NULL;
295 }
296 found = true;
297 }
298 }
299
300 if (!found) {
301 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
302 }
303
304 acl->revision = SECURITY_ACL_REVISION_NT4;
305
306 for (i=0;i<acl->num_aces;i++) {
307 switch (acl->aces[i].type) {
308 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
309 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
310 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
311 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
312 acl->revision = SECURITY_ACL_REVISION_ADS;
313 return NT_STATUS_OK;
314 default:
315 break; /* only for the switch statement */
316 }
317 }
318
319 return NT_STATUS_OK;
320}
321
322/*
323 delete the ACE corresponding to the given trustee in the DACL of a
324 security_descriptor
325*/
326
327NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd,
328 const struct dom_sid *trustee)
329{
330 return security_descriptor_acl_del(sd, false, trustee);
331}
332
333/*
334 delete the ACE corresponding to the given trustee in the SACL of a
335 security_descriptor
336*/
337
338NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd,
339 const struct dom_sid *trustee)
340{
341 return security_descriptor_acl_del(sd, true, trustee);
342}
343
344/*
345 compare two security ace structures
346*/
347bool security_ace_equal(const struct security_ace *ace1,
348 const struct security_ace *ace2)
349{
350 if (ace1 == ace2) return true;
351 if (!ace1 || !ace2) return false;
352 if (ace1->type != ace2->type) return false;
353 if (ace1->flags != ace2->flags) return false;
354 if (ace1->access_mask != ace2->access_mask) return false;
355 if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) return false;
356
357 return true;
358}
359
360
361/*
362 compare two security acl structures
363*/
364bool security_acl_equal(const struct security_acl *acl1,
365 const struct security_acl *acl2)
366{
367 uint32_t i;
368
369 if (acl1 == acl2) return true;
370 if (!acl1 || !acl2) return false;
371 if (acl1->revision != acl2->revision) return false;
372 if (acl1->num_aces != acl2->num_aces) return false;
373
374 for (i=0;i<acl1->num_aces;i++) {
375 if (!security_ace_equal(&acl1->aces[i], &acl2->aces[i])) return false;
376 }
377 return true;
378}
379
380/*
381 compare two security descriptors.
382*/
383bool security_descriptor_equal(const struct security_descriptor *sd1,
384 const struct security_descriptor *sd2)
385{
386 if (sd1 == sd2) return true;
387 if (!sd1 || !sd2) return false;
388 if (sd1->revision != sd2->revision) return false;
389 if (sd1->type != sd2->type) return false;
390
391 if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
392 if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
393 if (!security_acl_equal(sd1->sacl, sd2->sacl)) return false;
394 if (!security_acl_equal(sd1->dacl, sd2->dacl)) return false;
395
396 return true;
397}
398
399/*
400 compare two security descriptors, but allow certain (missing) parts
401 to be masked out of the comparison
402*/
403bool security_descriptor_mask_equal(const struct security_descriptor *sd1,
404 const struct security_descriptor *sd2,
405 uint32_t mask)
406{
407 if (sd1 == sd2) return true;
408 if (!sd1 || !sd2) return false;
409 if (sd1->revision != sd2->revision) return false;
410 if ((sd1->type & mask) != (sd2->type & mask)) return false;
411
412 if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
413 if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
414 if ((mask & SEC_DESC_DACL_PRESENT) && !security_acl_equal(sd1->dacl, sd2->dacl)) return false;
415 if ((mask & SEC_DESC_SACL_PRESENT) && !security_acl_equal(sd1->sacl, sd2->sacl)) return false;
416
417 return true;
418}
419
420
421static struct security_descriptor *security_descriptor_appendv(struct security_descriptor *sd,
422 bool add_ace_to_sacl,
423 va_list ap)
424{
425 const char *sidstr;
426
427 while ((sidstr = va_arg(ap, const char *))) {
428 struct dom_sid *sid;
429 struct security_ace *ace = talloc_zero(sd, struct security_ace);
430 NTSTATUS status;
431
432 if (ace == NULL) {
433 talloc_free(sd);
434 return NULL;
435 }
436 ace->type = va_arg(ap, unsigned int);
437 ace->access_mask = va_arg(ap, unsigned int);
438 ace->flags = va_arg(ap, unsigned int);
439 sid = dom_sid_parse_talloc(ace, sidstr);
440 if (sid == NULL) {
441 talloc_free(sd);
442 return NULL;
443 }
444 ace->trustee = *sid;
445 if (add_ace_to_sacl) {
446 status = security_descriptor_sacl_add(sd, ace);
447 } else {
448 status = security_descriptor_dacl_add(sd, ace);
449 }
450 /* TODO: check: would talloc_free(ace) here be correct? */
451 if (!NT_STATUS_IS_OK(status)) {
452 talloc_free(sd);
453 return NULL;
454 }
455 }
456
457 return sd;
458}
459
460struct security_descriptor *security_descriptor_append(struct security_descriptor *sd,
461 ...)
462{
463 va_list ap;
464
465 va_start(ap, sd);
466 sd = security_descriptor_appendv(sd, false, ap);
467 va_end(ap);
468
469 return sd;
470}
471
472static struct security_descriptor *security_descriptor_createv(TALLOC_CTX *mem_ctx,
473 uint16_t sd_type,
474 const char *owner_sid,
475 const char *group_sid,
476 bool add_ace_to_sacl,
477 va_list ap)
478{
479 struct security_descriptor *sd;
480
481 sd = security_descriptor_initialise(mem_ctx);
482 if (sd == NULL) {
483 return NULL;
484 }
485
486 sd->type |= sd_type;
487
488 if (owner_sid) {
489 sd->owner_sid = dom_sid_parse_talloc(sd, owner_sid);
490 if (sd->owner_sid == NULL) {
491 talloc_free(sd);
492 return NULL;
493 }
494 }
495 if (group_sid) {
496 sd->group_sid = dom_sid_parse_talloc(sd, group_sid);
497 if (sd->group_sid == NULL) {
498 talloc_free(sd);
499 return NULL;
500 }
501 }
502
503 return security_descriptor_appendv(sd, add_ace_to_sacl, ap);
504}
505
506/*
507 create a security descriptor using string SIDs. This is used by the
508 torture code to allow the easy creation of complex ACLs
509 This is a varargs function. The list of DACL ACEs ends with a NULL sid.
510
511 Each ACE contains a set of 4 parameters:
512 SID, ACCESS_TYPE, MASK, FLAGS
513
514 a typical call would be:
515
516 sd = security_descriptor_dacl_create(mem_ctx,
517 sd_type_flags,
518 mysid,
519 mygroup,
520 SID_NT_AUTHENTICATED_USERS,
521 SEC_ACE_TYPE_ACCESS_ALLOWED,
522 SEC_FILE_ALL,
523 SEC_ACE_FLAG_OBJECT_INHERIT,
524 NULL);
525 that would create a sd with one DACL ACE
526*/
527
528struct security_descriptor *security_descriptor_dacl_create(TALLOC_CTX *mem_ctx,
529 uint16_t sd_type,
530 const char *owner_sid,
531 const char *group_sid,
532 ...)
533{
534 struct security_descriptor *sd = NULL;
535 va_list ap;
536 va_start(ap, group_sid);
537 sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid,
538 group_sid, false, ap);
539 va_end(ap);
540
541 return sd;
542}
543
544struct security_descriptor *security_descriptor_sacl_create(TALLOC_CTX *mem_ctx,
545 uint16_t sd_type,
546 const char *owner_sid,
547 const char *group_sid,
548 ...)
549{
550 struct security_descriptor *sd = NULL;
551 va_list ap;
552 va_start(ap, group_sid);
553 sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid,
554 group_sid, true, ap);
555 va_end(ap);
556
557 return sd;
558}
559
560struct security_ace *security_ace_create(TALLOC_CTX *mem_ctx,
561 const char *sid_str,
562 enum security_ace_type type,
563 uint32_t access_mask,
564 uint8_t flags)
565
566{
567 struct dom_sid *sid;
568 struct security_ace *ace;
569
570 ace = talloc_zero(mem_ctx, struct security_ace);
571 if (ace == NULL) {
572 return NULL;
573 }
574
575 sid = dom_sid_parse_talloc(ace, sid_str);
576 if (sid == NULL) {
577 talloc_free(ace);
578 return NULL;
579 }
580
581 ace->trustee = *sid;
582 ace->type = type;
583 ace->access_mask = access_mask;
584 ace->flags = flags;
585
586 return ace;
587}
Note: See TracBrowser for help on using the repository browser.