Changeset 988 for vendor/current/libcli/security
- Timestamp:
- Nov 24, 2016, 1:14:11 PM (9 years ago)
- Location:
- vendor/current/libcli/security
- Files:
-
- 2 added
- 24 edited
-
access_check.c (modified) (8 diffs)
-
access_check.h (modified) (2 diffs)
-
create_descriptor.c (modified) (12 diffs)
-
display_sec.c (modified) (3 diffs)
-
dom_sid.c (modified) (8 diffs)
-
dom_sid.h (modified) (4 diffs)
-
object_tree.c (modified) (2 diffs)
-
privileges.c (modified) (1 diff)
-
privileges.h (modified) (1 diff)
-
pysecurity.c (modified) (1 diff)
-
sddl.c (modified) (1 diff)
-
secace.c (modified) (1 diff)
-
secace.h (modified) (1 diff)
-
secacl.c (modified) (5 diffs)
-
secacl.h (modified) (1 diff)
-
secdesc.c (added)
-
secdesc.h (added)
-
security.h (modified) (2 diffs)
-
security_descriptor.c (modified) (5 diffs)
-
security_descriptor.h (modified) (2 diffs)
-
security_token.c (modified) (2 diffs)
-
security_token.h (modified) (1 diff)
-
session.c (modified) (1 diff)
-
session.h (modified) (2 diffs)
-
util_sid.c (modified) (11 diffs)
-
wscript_build (modified) (1 diff)
Legend:
- Unmodified
- Added
- Removed
-
vendor/current/libcli/security/access_check.c
r746 r988 160 160 uint32_t bits_remaining; 161 161 uint32_t explicitly_denied_bits = 0; 162 /* 163 * Up until Windows Server 2008, owner always had these rights. Now 164 * we have to use Owner Rights perms if they are on the file. 165 * 166 * In addition we have to accumulate these bits and apply them 167 * correctly. See bug #8795 168 */ 169 uint32_t owner_rights_allowed = 0; 170 uint32_t owner_rights_denied = 0; 171 bool owner_rights_default = true; 162 172 163 173 *access_granted = access_desired; … … 179 189 } 180 190 181 /* the owner always gets SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL */182 if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL)) &&183 security_token_has_sid(token, sd->owner_sid)) {184 bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL);185 }186 187 191 /* a NULL dacl allows access */ 188 192 if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) { … … 203 207 } 204 208 209 /* 210 * We need the Owner Rights permissions to ensure we 211 * give or deny the correct permissions to the owner. Replace 212 * owner_rights with the perms here if it is present. 213 * 214 * We don't care if we are not the owner because that is taken 215 * care of below when we check if our token has the owner SID. 216 * 217 */ 218 if (dom_sid_equal(&ace->trustee, &global_sid_Owner_Rights)) { 219 if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) { 220 owner_rights_allowed |= ace->access_mask; 221 owner_rights_default = false; 222 } else if (ace->type == SEC_ACE_TYPE_ACCESS_DENIED) { 223 owner_rights_denied |= ace->access_mask; 224 owner_rights_default = false; 225 } 226 continue; 227 } 228 205 229 if (!security_token_has_sid(token, &ace->trustee)) { 206 230 continue; … … 220 244 } 221 245 246 /* Explicitly denied bits always override */ 222 247 bits_remaining |= explicitly_denied_bits; 248 249 /* The owner always gets owner rights as defined above. */ 250 if (security_token_has_sid(token, sd->owner_sid)) { 251 if (owner_rights_default) { 252 /* 253 * Just remove them, no need to check if they are 254 * there. 255 */ 256 bits_remaining &= ~(SEC_STD_WRITE_DAC | 257 SEC_STD_READ_CONTROL); 258 } else { 259 bits_remaining &= ~owner_rights_allowed; 260 bits_remaining |= owner_rights_denied; 261 } 262 } 223 263 224 264 /* … … 235 275 } 236 276 237 /* TODO: remove this, as it is file server specific */238 if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&239 security_token_has_privilege(token, SEC_PRIV_RESTORE)) {240 bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);241 }242 if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&243 security_token_has_privilege(token, SEC_PRIV_BACKUP)) {244 bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);245 }246 247 277 if ((bits_remaining & SEC_STD_WRITE_OWNER) && 248 278 security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) { … … 259 289 } 260 290 291 /* 292 The main entry point for access checking FOR THE FILE SERVER ONLY ! 293 If returning ACCESS_DENIED this function returns the denied bits in 294 the uint32_t pointed to by the access_granted pointer. 295 */ 296 NTSTATUS se_file_access_check(const struct security_descriptor *sd, 297 const struct security_token *token, 298 bool priv_open_requested, 299 uint32_t access_desired, 300 uint32_t *access_granted) 301 { 302 uint32_t bits_remaining; 303 NTSTATUS status; 304 305 if (!priv_open_requested) { 306 /* Fall back to generic se_access_check(). */ 307 return se_access_check(sd, 308 token, 309 access_desired, 310 access_granted); 311 } 312 313 /* 314 * We need to handle the maximum allowed flag 315 * outside of se_access_check(), as we need to 316 * add in the access allowed by the privileges 317 * as well. 318 */ 319 320 if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) { 321 uint32_t orig_access_desired = access_desired; 322 323 access_desired |= access_check_max_allowed(sd, token); 324 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED; 325 326 if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) { 327 access_desired |= SEC_RIGHTS_PRIV_BACKUP; 328 } 329 330 if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) { 331 access_desired |= SEC_RIGHTS_PRIV_RESTORE; 332 } 333 334 DEBUG(10,("se_file_access_check: MAX desired = 0x%x " 335 "mapped to 0x%x\n", 336 orig_access_desired, 337 access_desired)); 338 } 339 340 status = se_access_check(sd, 341 token, 342 access_desired, 343 access_granted); 344 345 if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { 346 return status; 347 } 348 349 bits_remaining = *access_granted; 350 351 /* Check if we should override with privileges. */ 352 if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) && 353 security_token_has_privilege(token, SEC_PRIV_BACKUP)) { 354 bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP); 355 } 356 if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) && 357 security_token_has_privilege(token, SEC_PRIV_RESTORE)) { 358 bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE); 359 } 360 if (bits_remaining != 0) { 361 *access_granted = bits_remaining; 362 return NT_STATUS_ACCESS_DENIED; 363 } 364 365 return NT_STATUS_OK; 366 } 261 367 262 368 static const struct GUID *get_ace_object_type(struct security_ace *ace) 263 369 { 264 struct GUID *type; 265 266 if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) 267 type = &ace->object.object.type.type; 268 else if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) 269 type = &ace->object.object.inherited_type.inherited_type; /* This doesn't look right. Is something wrong with the IDL? */ 270 else 271 type = NULL; 272 273 return type; 274 275 } 276 277 /* modified access check for the purposes of DS security 370 if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) { 371 return &ace->object.object.type.type; 372 } 373 374 return NULL; 375 } 376 377 /** 378 * @brief Perform directoryservice (DS) related access checks for a given user 379 * 380 * Perform DS access checks for the user represented by its security_token, on 381 * the provided security descriptor. If an tree associating GUID and access 382 * required is provided then object access (OA) are checked as well. * 383 * @param[in] sd The security descritor against which the required 384 * access are requested 385 * 386 * @param[in] token The security_token associated with the user to 387 * test 388 * 389 * @param[in] access_desired A bitfield of rights that must be granted for the 390 * given user in the specified SD. 391 * 392 * If one 393 * of the entry in the tree grants all the requested rights for the given GUID 394 * FIXME 395 * tree can be null if not null it's the 278 396 * Lots of code duplication, it will ve united in just one 279 397 * function eventually */ … … 286 404 struct dom_sid *replace_sid) 287 405 { 288 uint32_t i; 289 uint32_t bits_remaining; 290 struct object_tree *node; 291 const struct GUID *type; 292 struct dom_sid *ps_sid = dom_sid_parse_talloc(NULL, SID_NT_SELF); 293 294 *access_granted = access_desired; 295 bits_remaining = access_desired; 296 297 /* handle the maximum allowed flag */ 298 if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) { 299 access_desired |= access_check_max_allowed(sd, token); 300 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED; 301 *access_granted = access_desired; 406 uint32_t i; 407 uint32_t bits_remaining; 408 struct object_tree *node; 409 const struct GUID *type; 410 struct dom_sid self_sid; 411 412 dom_sid_parse(SID_NT_SELF, &self_sid); 413 414 *access_granted = access_desired; 415 bits_remaining = access_desired; 416 417 /* handle the maximum allowed flag */ 418 if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) { 419 access_desired |= access_check_max_allowed(sd, token); 420 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED; 421 *access_granted = access_desired; 302 422 bits_remaining = access_desired; 303 } 304 305 if (access_desired & SEC_FLAG_SYSTEM_SECURITY) { 306 if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) { 307 bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY; 308 } else { 309 talloc_free(ps_sid); 310 return NT_STATUS_PRIVILEGE_NOT_HELD; 311 } 312 } 423 } 424 425 if (access_desired & SEC_FLAG_SYSTEM_SECURITY) { 426 if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) { 427 bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY; 428 } else { 429 return NT_STATUS_PRIVILEGE_NOT_HELD; 430 } 431 } 313 432 314 433 /* the owner always gets SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL */ … … 318 437 } 319 438 320 /* TODO: remove this, as it is file server specific */ 321 if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) && 322 security_token_has_privilege(token, SEC_PRIV_RESTORE)) { 323 bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE); 324 } 325 if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) && 326 security_token_has_privilege(token, SEC_PRIV_BACKUP)) { 327 bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP); 328 } 329 330 /* a NULL dacl allows access */ 331 if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) { 332 *access_granted = access_desired; 333 talloc_free(ps_sid); 334 return NT_STATUS_OK; 335 } 336 337 if (sd->dacl == NULL) { 338 goto done; 339 } 340 341 /* check each ace in turn. */ 342 for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) { 439 /* SEC_PRIV_TAKE_OWNERSHIP grants SEC_STD_WRITE_OWNER */ 440 if ((bits_remaining & (SEC_STD_WRITE_OWNER)) && 441 security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) { 442 bits_remaining &= ~(SEC_STD_WRITE_OWNER); 443 } 444 445 /* a NULL dacl allows access */ 446 if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) { 447 *access_granted = access_desired; 448 return NT_STATUS_OK; 449 } 450 451 if (sd->dacl == NULL) { 452 goto done; 453 } 454 455 /* check each ace in turn. */ 456 for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) { 343 457 struct dom_sid *trustee; 344 458 struct security_ace *ace = &sd->dacl->aces[i]; 345 459 346 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) { 347 continue; 348 } 349 if (dom_sid_equal(&ace->trustee, ps_sid) && replace_sid) { 460 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) { 461 continue; 462 } 463 464 if (dom_sid_equal(&ace->trustee, &self_sid) && replace_sid) { 350 465 trustee = replace_sid; 351 } 352 else 353 { 466 } else { 354 467 trustee = &ace->trustee; 355 468 } 356 if (!security_token_has_sid(token, trustee)) { 357 continue; 358 } 359 360 switch (ace->type) { 361 case SEC_ACE_TYPE_ACCESS_ALLOWED: 362 if (tree) 363 object_tree_modify_access(tree, ace->access_mask); 364 365 bits_remaining &= ~ace->access_mask; 366 break; 367 case SEC_ACE_TYPE_ACCESS_DENIED: 368 if (bits_remaining & ace->access_mask) { 369 talloc_free(ps_sid); 370 return NT_STATUS_ACCESS_DENIED; 371 } 372 break; 373 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: 374 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: 375 /* check only in case we have provided a tree, 376 * the ACE has an object type and that type 377 * is in the tree */ 378 type = get_ace_object_type(ace); 379 380 if (!tree) 381 continue; 382 383 if (!type) 384 node = tree; 385 else 386 if (!(node = get_object_tree_by_GUID(tree, type))) 387 continue; 388 389 if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) { 390 object_tree_modify_access(node, ace->access_mask); 391 if (node->remaining_access == 0) { 392 talloc_free(ps_sid); 393 return NT_STATUS_OK; 394 } 395 } else { 396 if (node->remaining_access & ace->access_mask){ 397 talloc_free(ps_sid); 398 return NT_STATUS_ACCESS_DENIED; 399 } 400 } 401 break; 402 default: /* Other ACE types not handled/supported */ 403 break; 404 } 405 } 469 470 if (!security_token_has_sid(token, trustee)) { 471 continue; 472 } 473 474 switch (ace->type) { 475 case SEC_ACE_TYPE_ACCESS_ALLOWED: 476 if (tree) { 477 object_tree_modify_access(tree, ace->access_mask); 478 } 479 480 bits_remaining &= ~ace->access_mask; 481 break; 482 case SEC_ACE_TYPE_ACCESS_DENIED: 483 if (bits_remaining & ace->access_mask) { 484 return NT_STATUS_ACCESS_DENIED; 485 } 486 break; 487 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: 488 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: 489 /* 490 * check only in case we have provided a tree, 491 * the ACE has an object type and that type 492 * is in the tree 493 */ 494 type = get_ace_object_type(ace); 495 496 if (!tree) { 497 continue; 498 } 499 500 if (!type) { 501 node = tree; 502 } else { 503 if (!(node = get_object_tree_by_GUID(tree, type))) { 504 continue; 505 } 506 } 507 508 if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) { 509 object_tree_modify_access(node, ace->access_mask); 510 if (node->remaining_access == 0) { 511 return NT_STATUS_OK; 512 } 513 } else { 514 if (node->remaining_access & ace->access_mask){ 515 return NT_STATUS_ACCESS_DENIED; 516 } 517 } 518 break; 519 default: /* Other ACE types not handled/supported */ 520 break; 521 } 522 } 406 523 407 524 done: 408 talloc_free(ps_sid); 409 if (bits_remaining != 0) { 410 return NT_STATUS_ACCESS_DENIED; 411 } 412 413 return NT_STATUS_OK; 414 } 525 if (bits_remaining != 0) { 526 return NT_STATUS_ACCESS_DENIED; 527 } 528 529 return NT_STATUS_OK; 530 } -
vendor/current/libcli/security/access_check.h
r740 r988 55 55 uint32_t *access_granted); 56 56 57 /* 58 The main entry point for access checking FOR THE FILE SERVER ONLY ! 59 If returning ACCESS_DENIED this function returns the denied bits in 60 the uint32_t pointed to by the access_granted pointer. 61 */ 62 NTSTATUS se_file_access_check(const struct security_descriptor *sd, 63 const struct security_token *token, 64 bool priv_open_requested, 65 uint32_t access_desired, 66 uint32_t *access_granted); 67 57 68 /* modified access check for the purposes of DS security 58 69 * Lots of code duplication, it will ve united in just one … … 67 78 68 79 bool insert_in_object_tree(TALLOC_CTX *mem_ctx, 69 const struct GUID *guid,70 uint32_t init_access,71 struct object_tree **root,72 struct object_tree **new_node );80 const struct GUID *guid, 81 uint32_t init_access, 82 struct object_tree *root, 83 struct object_tree **new_node_out); 73 84 74 85 /* search by GUID */ -
vendor/current/libcli/security/create_descriptor.c
r740 r988 81 81 static bool object_in_list(struct GUID *object_list, struct GUID *object) 82 82 { 83 return true; 84 } 85 83 size_t i; 84 85 if (object_list == NULL) { 86 return true; 87 } 88 89 if (GUID_all_zero(object)) { 90 return true; 91 } 92 93 for (i=0; ; i++) { 94 if (GUID_all_zero(&object_list[i])) { 95 return false; 96 } 97 if (!GUID_equal(&object_list[i], object)) { 98 continue; 99 } 100 101 return true; 102 } 103 104 return false; 105 } 106 86 107 /* returns true if the ACE gontains generic information 87 108 * that needs to be processed additionally */ 88 109 89 static bool desc_ace_has_generic(TALLOC_CTX *mem_ctx, 90 struct security_ace *ace) 91 { 92 struct dom_sid *co, *cg; 93 co = dom_sid_parse_talloc(mem_ctx, SID_CREATOR_OWNER); 94 cg = dom_sid_parse_talloc(mem_ctx, SID_CREATOR_GROUP); 110 static bool desc_ace_has_generic(struct security_ace *ace) 111 { 95 112 if (ace->access_mask & SEC_GENERIC_ALL || ace->access_mask & SEC_GENERIC_READ || 96 113 ace->access_mask & SEC_GENERIC_WRITE || ace->access_mask & SEC_GENERIC_EXECUTE) { 97 114 return true; 98 115 } 99 if (dom_sid_equal(&ace->trustee, co) || dom_sid_equal(&ace->trustee, cg)) { 116 if (dom_sid_equal(&ace->trustee, &global_sid_Creator_Owner) || 117 dom_sid_equal(&ace->trustee, &global_sid_Creator_Group)) { 100 118 return true; 101 119 } … … 105 123 /* creates an ace in which the generic information is expanded */ 106 124 107 static void desc_expand_generic(TALLOC_CTX *mem_ctx, 108 struct security_ace *new_ace, 125 static void desc_expand_generic(struct security_ace *new_ace, 109 126 struct dom_sid *owner, 110 127 struct dom_sid *group) 111 128 { 112 struct dom_sid *co, *cg;113 co = dom_sid_parse_talloc(mem_ctx, SID_CREATOR_OWNER);114 cg = dom_sid_parse_talloc(mem_ctx, SID_CREATOR_GROUP);115 129 new_ace->access_mask = map_generic_rights_ds(new_ace->access_mask); 116 if (dom_sid_equal(&new_ace->trustee, co)) {130 if (dom_sid_equal(&new_ace->trustee, &global_sid_Creator_Owner)) { 117 131 new_ace->trustee = *owner; 118 132 } 119 if (dom_sid_equal(&new_ace->trustee, cg)) {133 if (dom_sid_equal(&new_ace->trustee, &global_sid_Creator_Group)) { 120 134 new_ace->trustee = *group; 121 135 } … … 133 147 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); 134 148 struct security_acl *tmp_acl = talloc_zero(mem_ctx, struct security_acl); 135 struct dom_sid *co, *cg;136 149 if (!tmp_acl) { 137 150 return NULL; … … 141 154 return NULL; 142 155 } 143 co = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_OWNER);144 cg = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_GROUP);145 156 146 157 for (i=0; i < acl->num_aces; i++) { … … 148 159 if ((ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) || 149 160 (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) { 161 struct GUID inherited_object = GUID_zero(); 162 150 163 tmp_acl->aces = talloc_realloc(tmp_acl, tmp_acl->aces, 151 164 struct security_ace, … … 160 173 /* remove IO flag from the child's ace */ 161 174 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY && 162 !desc_ace_has_generic( tmp_ctx,ace)) {175 !desc_ace_has_generic(ace)) { 163 176 tmp_acl->aces[tmp_acl->num_aces].flags &= ~SEC_ACE_FLAG_INHERIT_ONLY; 164 177 } … … 167 180 tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY; 168 181 169 if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT || 170 ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) { 171 if (!object_in_list(object_list, &ace->object.object.type.type)) { 182 switch (ace->type) { 183 case SEC_ACE_TYPE_ACCESS_ALLOWED: 184 case SEC_ACE_TYPE_ACCESS_DENIED: 185 case SEC_ACE_TYPE_SYSTEM_AUDIT: 186 case SEC_ACE_TYPE_SYSTEM_ALARM: 187 case SEC_ACE_TYPE_ALLOWED_COMPOUND: 188 break; 189 190 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: 191 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: 192 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT: 193 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT: 194 if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) { 195 inherited_object = ace->object.object.inherited_type.inherited_type; 196 } 197 198 if (!object_in_list(object_list, &inherited_object)) { 172 199 tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY; 173 200 } 174 201 175 } 202 break; 203 } 204 176 205 tmp_acl->num_aces++; 177 206 if (is_container) { 178 207 if (!(ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) && 179 (desc_ace_has_generic( tmp_ctx,ace))) {208 (desc_ace_has_generic(ace))) { 180 209 tmp_acl->aces = talloc_realloc(tmp_acl, 181 210 tmp_acl->aces, … … 187 216 } 188 217 tmp_acl->aces[tmp_acl->num_aces] = *ace; 189 desc_expand_generic(tmp_ctx, 190 &tmp_acl->aces[tmp_acl->num_aces], 218 desc_expand_generic(&tmp_acl->aces[tmp_acl->num_aces], 191 219 owner, 192 220 group); … … 218 246 struct security_acl *tmp_acl = talloc_zero(tmp_ctx, struct security_acl); 219 247 struct security_acl *new_acl; 220 struct dom_sid *co, *cg;221 248 222 249 if (!acl) … … 228 255 tmp_acl->revision = acl->revision; 229 256 DEBUG(6,(__location__ ": acl revision %d\n", acl->revision)); 230 231 co = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_OWNER);232 cg = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_GROUP);233 257 234 258 for (i=0; i < acl->num_aces; i++){ … … 261 285 * it has to be expanded to two aces, the original as IO, 262 286 * and another one where these are translated */ 263 if (desc_ace_has_generic( tmp_ctx,ace)) {287 if (desc_ace_has_generic(ace)) { 264 288 if (!(ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT)) { 265 desc_expand_generic(tmp_ctx, 266 &tmp_acl->aces[tmp_acl->num_aces-1], 289 desc_expand_generic(&tmp_acl->aces[tmp_acl->num_aces-1], 267 290 owner, 268 291 group); … … 275 298 /* add a new ACE with expanded generic info */ 276 299 tmp_acl->aces[tmp_acl->num_aces] = *ace; 277 desc_expand_generic(tmp_ctx, 278 &tmp_acl->aces[tmp_acl->num_aces], 300 desc_expand_generic(&tmp_acl->aces[tmp_acl->num_aces], 279 301 owner, 280 302 group); -
vendor/current/libcli/security/display_sec.c
r740 r988 1 /* 1 /* 2 2 Unix SMB/CIFS implementation. 3 3 Samba utility functions 4 4 Copyright (C) Andrew Tridgell 1992-1999 5 5 Copyright (C) Luke Kenneth Casson Leighton 1996 - 1999 6 6 7 7 This program is free software; you can redistribute it and/or modify 8 8 it under the terms of the GNU General Public License as published by 9 9 the Free Software Foundation; either version 3 of the License, or 10 10 (at your option) any later version. 11 12 This program is distributed in the hope that it will be useful, 11 12 This program is distributed in the hope that it will be useful, 13 13 but WITHOUT ANY WARRANTY; without even the implied warranty of 14 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 15 GNU General Public License for more details. 16 16 17 17 You should have received a copy of the GNU General Public License 18 18 along with this program. If not, see <http://www.gnu.org/licenses/>. … … 238 238 239 239 printf("\tACL\tNum ACEs:\t%u\trevision:\t%x\n", 240 sec_acl->num_aces, sec_acl->revision);240 sec_acl->num_aces, sec_acl->revision); 241 241 printf("\t---\n"); 242 242 … … 284 284 if (type & SEC_DESC_SELF_RELATIVE) /* 0x8000 */ 285 285 printf("SEC_DESC_SELF_RELATIVE "); 286 286 287 287 printf("\n"); 288 288 } -
vendor/current/libcli/security/dom_sid.c
r740 r988 121 121 Return the first character not parsed in endp. 122 122 *****************************************************************/ 123 #define AUTHORITY_MASK (~(0xffffffffffffULL)) 123 124 124 125 bool dom_sid_parse_endp(const char *sidstr,struct dom_sid *sidout, … … 128 129 char *q; 129 130 /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */ 130 uint 32_t conv;131 uint64_t conv; 131 132 132 133 ZERO_STRUCTP(sidout); … … 143 144 } 144 145 145 conv = (uint32_t)strtoul(p, &q, 10);146 if (!q || (*q != '-') ) {146 conv = strtoul(p, &q, 10); 147 if (!q || (*q != '-') || conv > UINT8_MAX) { 147 148 goto format_error; 148 149 } … … 155 156 156 157 /* get identauth */ 157 conv = (uint32_t) strtoul(q, &q, 10);158 if (!q ) {158 conv = strtoull(q, &q, 0); 159 if (!q || conv & AUTHORITY_MASK) { 159 160 goto format_error; 160 161 } 161 162 162 /* identauth in decimal should be < 2^32*/163 /* When identauth >= UINT32_MAX, it's in hex with a leading 0x */ 163 164 /* NOTE - the conv value is in big-endian format. */ 164 sidout->id_auth[0] = 0;165 sidout->id_auth[1] = 0;166 sidout->id_auth[2] = (conv & 0x ff000000) >> 24;167 sidout->id_auth[3] = (conv & 0x00 ff0000) >> 16;168 sidout->id_auth[4] = (conv & 0x0000 ff00) >> 8;169 sidout->id_auth[5] = (conv & 0x000000 ff);165 sidout->id_auth[0] = (conv & 0xff0000000000ULL) >> 40; 166 sidout->id_auth[1] = (conv & 0x00ff00000000ULL) >> 32; 167 sidout->id_auth[2] = (conv & 0x0000ff000000ULL) >> 24; 168 sidout->id_auth[3] = (conv & 0x000000ff0000ULL) >> 16; 169 sidout->id_auth[4] = (conv & 0x00000000ff00ULL) >> 8; 170 sidout->id_auth[5] = (conv & 0x0000000000ffULL); 170 171 171 172 sidout->num_auths = 0; … … 184 185 } 185 186 186 conv = strtoul (q, &end, 10);187 if (end == q ) {187 conv = strtoull(q, &end, 10); 188 if (end == q || conv > UINT32_MAX) { 188 189 goto format_error; 189 190 } … … 243 244 struct dom_sid *dom_sid_parse_length(TALLOC_CTX *mem_ctx, const DATA_BLOB *sid) 244 245 { 245 struct dom_sid *ret; 246 char *p = talloc_strndup(mem_ctx, (char *)sid->data, sid->length); 247 if (!p) { 248 return NULL; 249 } 250 ret = dom_sid_parse_talloc(mem_ctx, p); 251 talloc_free(p); 252 return ret; 246 char p[sid->length+1]; 247 memcpy(p, sid->data, sid->length); 248 p[sid->length] = '\0'; 249 return dom_sid_parse_talloc(mem_ctx, p); 253 250 } 254 251 … … 365 362 { 366 363 int i, ofs; 367 uint 32_t ia;364 uint64_t ia; 368 365 369 366 if (!sid) { 370 strlcpy(buf, "(NULL SID)", buflen); 371 return 10; /* strlen("(NULL SID)") */ 372 } 373 374 ia = (sid->id_auth[5]) + 375 (sid->id_auth[4] << 8 ) + 376 (sid->id_auth[3] << 16) + 377 (sid->id_auth[2] << 24); 378 379 ofs = snprintf(buf, buflen, "S-%u-%lu", 380 (unsigned int)sid->sid_rev_num, (unsigned long)ia); 367 return strlcpy(buf, "(NULL SID)", buflen); 368 } 369 370 ia = ((uint64_t)sid->id_auth[5]) + 371 ((uint64_t)sid->id_auth[4] << 8 ) + 372 ((uint64_t)sid->id_auth[3] << 16) + 373 ((uint64_t)sid->id_auth[2] << 24) + 374 ((uint64_t)sid->id_auth[1] << 32) + 375 ((uint64_t)sid->id_auth[0] << 40); 376 377 ofs = snprintf(buf, buflen, "S-%hhu-", (unsigned char)sid->sid_rev_num); 378 if (ia >= UINT32_MAX) { 379 ofs += snprintf(buf + ofs, MAX(buflen - ofs, 0), "0x%llx", 380 (unsigned long long)ia); 381 } else { 382 ofs += snprintf(buf + ofs, MAX(buflen - ofs, 0), "%llu", 383 (unsigned long long)ia); 384 } 381 385 382 386 for (i = 0; i < sid->num_auths; i++) { 383 ofs += snprintf(buf + ofs, MAX(buflen - ofs, 0), "-% lu",384 (unsigned long)sid->sub_auths[i]);387 ofs += snprintf(buf + ofs, MAX(buflen - ofs, 0), "-%u", 388 (unsigned int)sid->sub_auths[i]); 385 389 } 386 390 return ofs; … … 407 411 */ 408 412 result = (char *)talloc_memdup(mem_ctx, buf, len+1); 413 if (result == NULL) { 414 return NULL; 415 } 409 416 410 417 /* -
vendor/current/libcli/security/dom_sid.h
r740 r988 29 29 extern const struct dom_sid global_sid_World_Domain; 30 30 extern const struct dom_sid global_sid_World; 31 extern const struct dom_sid global_sid_Local_Authority; 31 32 extern const struct dom_sid global_sid_Creator_Owner_Domain; 32 33 extern const struct dom_sid global_sid_NT_Authority; … … 36 37 extern const struct dom_sid global_sid_Authenticated_Users; 37 38 extern const struct dom_sid global_sid_Network; 39 extern const struct dom_sid global_sid_Asserted_Identity; 40 extern const struct dom_sid global_sid_Asserted_Identity_Service; 41 extern const struct dom_sid global_sid_Asserted_Identity_Authentication_Authority; 38 42 extern const struct dom_sid global_sid_Creator_Owner; 39 43 extern const struct dom_sid global_sid_Creator_Group; 44 extern const struct dom_sid global_sid_Owner_Rights; 40 45 extern const struct dom_sid global_sid_Anonymous; 41 46 extern const struct dom_sid global_sid_Builtin; … … 52 57 extern const struct dom_sid global_sid_Unix_Users; 53 58 extern const struct dom_sid global_sid_Unix_Groups; 59 extern const struct dom_sid global_sid_Unix_NFS; 60 extern const struct dom_sid global_sid_Unix_NFS_Users; 61 extern const struct dom_sid global_sid_Unix_NFS_Groups; 62 extern const struct dom_sid global_sid_Unix_NFS_Mode; 63 extern const struct dom_sid global_sid_Unix_NFS_Other; 54 64 55 65 int dom_sid_compare_auth(const struct dom_sid *sid1, … … 87 97 bool sid_peek_check_rid(const struct dom_sid *exp_dom_sid, const struct dom_sid *sid, uint32_t *rid); 88 98 void sid_copy(struct dom_sid *dst, const struct dom_sid *src); 89 bool sid_blob_parse(DATA_BLOB in, struct dom_sid *sid); 90 bool sid_parse(const char *inbuf, size_t len, struct dom_sid *sid); 99 bool sid_parse(const uint8_t *inbuf, size_t len, struct dom_sid *sid); 91 100 int sid_compare_domain(const struct dom_sid *sid1, const struct dom_sid *sid2); 92 bool sid_equal(const struct dom_sid *sid1, const struct dom_sid *sid2);93 101 NTSTATUS add_sid_to_array(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, 94 102 struct dom_sid **sids, uint32_t *num); -
vendor/current/libcli/security/object_tree.c
r740 r988 39 39 40 40 bool insert_in_object_tree(TALLOC_CTX *mem_ctx, 41 const struct GUID *guid,42 uint32_t init_access,43 struct object_tree **root,44 struct object_tree **new_node)41 const struct GUID *guid, 42 uint32_t init_access, 43 struct object_tree *root, 44 struct object_tree **new_node_out) 45 45 { 46 struct object_tree *new_node; 47 46 48 if (!guid || GUID_all_zero(guid)){ 47 49 return true; 48 50 } 49 51 50 if (! *root){51 *root = talloc_zero(mem_ctx, struct object_tree);52 if (! *root) {52 if (!root) { 53 root = talloc_zero(mem_ctx, struct object_tree); 54 if (!root) { 53 55 return false; 54 56 } 55 (*root)->guid = *guid; 56 *new_node = *root; 57 return true; 58 } 57 new_node = root; 58 } else { 59 int i; 59 60 60 if (!(*root)->children) { 61 (*root)->children = talloc_array(mem_ctx, struct object_tree, 1); 62 (*root)->children[0].guid = *guid; 63 (*root)->children[0].num_of_children = 0; 64 (*root)->children[0].children = NULL; 65 (*root)->num_of_children++; 66 (*root)->children[0].remaining_access = init_access; 67 *new_node = &((*root)->children[0]); 68 return true; 69 } 70 else { 71 int i; 72 for (i = 0; i < (*root)->num_of_children; i++) { 73 if (GUID_equal(&((*root)->children[i].guid), guid)) { 74 *new_node = &((*root)->children[i]); 61 for (i = 0; i < root->num_of_children; i++) { 62 if (GUID_equal(&root->children[i].guid, guid)) { 63 new_node = &root->children[i]; 64 new_node->remaining_access |= init_access; 65 *new_node_out = new_node; 75 66 return true; 76 67 } 77 68 } 78 (*root)->children = talloc_realloc(mem_ctx, (*root)->children, struct object_tree, 79 (*root)->num_of_children +1); 80 (*root)->children[(*root)->num_of_children].guid = *guid; 81 (*root)->children[(*root)->num_of_children].remaining_access = init_access; 82 *new_node = &((*root)->children[(*root)->num_of_children]); 83 (*root)->num_of_children++; 84 return true; 69 70 root->children = talloc_realloc(mem_ctx, root->children, 71 struct object_tree, 72 root->num_of_children + 1); 73 if (!root->children) { 74 return false; 75 } 76 new_node = &root->children[root->num_of_children]; 77 root->num_of_children++; 85 78 } 79 80 new_node->children = NULL; 81 new_node->guid = *guid; 82 new_node->remaining_access = init_access; 83 new_node->num_of_children = 0; 84 85 *new_node_out = new_node; 86 return true; 86 87 } 87 88 … … 97 98 return result; 98 99 } 99 else if (root->num_of_children > 0) { 100 for (i = 0; i < root->num_of_children; i++) { 100 for (i = 0; i < root->num_of_children; i++) { 101 101 if ((result = get_object_tree_by_GUID(&root->children[i], guid))) 102 102 break; 103 }104 103 } 105 104 return result; 106 105 } 107 106 108 /* Change the granted access per each ACE */ 109 107 /** 108 * @brief Modify the tree to mark specified access rights as granted 109 * 110 * This function will modify the root and the child of the tree pointed by 111 * root, so that for each tree element the bits set in access_mask are 112 * marked as granted. 113 * 114 * @param[in] root An object_tree structure that we want to modify 115 * 116 * @param[in] access_mask A bitfield of access right that we want to mark as 117 * granted in the whole tree. 118 */ 110 119 void object_tree_modify_access(struct object_tree *root, 111 120 uint32_t access_mask) 112 121 { 122 int i; 113 123 root->remaining_access &= ~access_mask; 114 if (root->num_of_children > 0) { 115 int i; 116 for (i = 0; i < root->num_of_children; i++) { 117 object_tree_modify_access(&root->children[i], access_mask); 118 } 124 for (i = 0; i < root->num_of_children; i++) { 125 object_tree_modify_access(&root->children[i], access_mask); 119 126 } 120 127 } -
vendor/current/libcli/security/privileges.c
r740 r988 423 423 } 424 424 425 bool security_token_system_privilege(const struct security_token *token) 426 { 427 if (token == NULL) { 428 return false; 429 } 430 431 if (token->privilege_mask == (uint64_t)~0) { 432 return true; 433 } 434 435 return false; 436 } 437 425 438 /* 426 439 set a bit in the privilege mask -
vendor/current/libcli/security/privileges.h
r740 r988 90 90 bool security_token_has_privilege(const struct security_token *token, enum sec_privilege privilege); 91 91 92 93 /** 94 * @brief Check if the security token has system privileges. 95 * 96 * @param[in] token The token to check. 97 * 98 * @return True if the token has system privileges, false if not. 99 */ 100 bool security_token_system_privilege(const struct security_token *token); 101 92 102 /* 93 103 set a bit in the privilege mask -
vendor/current/libcli/security/pysecurity.c
r740 r988 45 45 } 46 46 47 security_descriptor = py _talloc_get_type(py_sec_desc, struct security_descriptor);47 security_descriptor = pytalloc_get_type(py_sec_desc, struct security_descriptor); 48 48 if (!security_descriptor) { 49 49 PyErr_Format(PyExc_TypeError, 50 50 "Expected dcerpc.security.descriptor for security_descriptor argument got %s", 51 talloc_get_name(py _talloc_get_ptr(py_sec_desc)));51 talloc_get_name(pytalloc_get_ptr(py_sec_desc))); 52 52 return NULL; 53 53 } 54 54 55 security_token = py _talloc_get_type(py_security_token, struct security_token);55 security_token = pytalloc_get_type(py_security_token, struct security_token); 56 56 if (!security_token) { 57 57 PyErr_Format(PyExc_TypeError, 58 58 "Expected dcerpc.security.token for token argument, got %s", 59 talloc_get_name(py _talloc_get_ptr(py_security_token)));59 talloc_get_name(pytalloc_get_ptr(py_security_token))); 60 60 return NULL; 61 61 } -
vendor/current/libcli/security/sddl.c
r740 r988 82 82 { "LS", SID_NT_LOCAL_SERVICE }, 83 83 { "NS", SID_NT_NETWORK_SERVICE }, 84 { "IS", SID_NT_IUSR }, 84 85 85 86 { "BA", SID_BUILTIN_ADMINISTRATORS }, -
vendor/current/libcli/security/secace.c
r740 r988 68 68 69 69 t->trustee = *sid; 70 }71 72 /*******************************************************************73 adds new SID with its permissions to ACE list74 ********************************************************************/75 76 NTSTATUS sec_ace_add_sid(TALLOC_CTX *ctx, struct security_ace **pp_new, struct security_ace *old, unsigned *num, const struct dom_sid *sid, uint32_t mask)77 {78 unsigned int i = 0;79 80 if (!ctx || !pp_new || !old || !sid || !num) return NT_STATUS_INVALID_PARAMETER;81 82 *num += 1;83 84 if((pp_new[0] = talloc_zero_array(ctx, struct security_ace, *num )) == 0)85 return NT_STATUS_NO_MEMORY;86 87 for (i = 0; i < *num - 1; i ++)88 sec_ace_copy(&(*pp_new)[i], &old[i]);89 90 (*pp_new)[i].type = SEC_ACE_TYPE_ACCESS_ALLOWED;91 (*pp_new)[i].flags = 0;92 (*pp_new)[i].size = SEC_ACE_HEADER_SIZE + ndr_size_dom_sid(sid, 0);93 (*pp_new)[i].access_mask = mask;94 (*pp_new)[i].trustee = *sid;95 return NT_STATUS_OK;96 }97 98 /*******************************************************************99 modify SID's permissions at ACL100 ********************************************************************/101 102 NTSTATUS sec_ace_mod_sid(struct security_ace *ace, size_t num, const struct dom_sid *sid, uint32_t mask)103 {104 unsigned int i = 0;105 106 if (!ace || !sid) return NT_STATUS_INVALID_PARAMETER;107 108 for (i = 0; i < num; i ++) {109 if (dom_sid_equal(&ace[i].trustee, sid)) {110 ace[i].access_mask = mask;111 return NT_STATUS_OK;112 }113 }114 return NT_STATUS_NOT_FOUND;115 }116 117 /*******************************************************************118 delete SID from ACL119 ********************************************************************/120 121 NTSTATUS sec_ace_del_sid(TALLOC_CTX *ctx, struct security_ace **pp_new, struct security_ace *old, uint32_t *num, const struct dom_sid *sid)122 {123 unsigned int i = 0;124 unsigned int n_del = 0;125 126 if (!ctx || !pp_new || !old || !sid || !num) return NT_STATUS_INVALID_PARAMETER;127 128 if (*num) {129 if((pp_new[0] = talloc_zero_array(ctx, struct security_ace, *num )) == 0)130 return NT_STATUS_NO_MEMORY;131 } else {132 pp_new[0] = NULL;133 }134 135 for (i = 0; i < *num; i ++) {136 if (!dom_sid_equal(&old[i].trustee, sid))137 sec_ace_copy(&(*pp_new)[i], &old[i]);138 else139 n_del ++;140 }141 if (n_del == 0)142 return NT_STATUS_NOT_FOUND;143 else {144 *num -= n_del;145 return NT_STATUS_OK;146 }147 }148 149 /*******************************************************************150 Compares two struct security_ace structures151 ********************************************************************/152 153 bool sec_ace_equal(const struct security_ace *s1, const struct security_ace *s2)154 {155 /* Trivial case */156 157 if (!s1 && !s2) {158 return true;159 }160 161 if (!s1 || !s2) {162 return false;163 }164 165 /* Check top level stuff */166 167 if (s1->type != s2->type || s1->flags != s2->flags ||168 s1->access_mask != s2->access_mask) {169 return false;170 }171 172 /* Check SID */173 174 if (!dom_sid_equal(&s1->trustee, &s2->trustee)) {175 return false;176 }177 178 return true;179 70 } 180 71 -
vendor/current/libcli/security/secace.h
r740 r988 28 28 void init_sec_ace(struct security_ace *t, const struct dom_sid *sid, enum security_ace_type type, 29 29 uint32_t mask, uint8_t flag); 30 NTSTATUS sec_ace_add_sid(TALLOC_CTX *ctx, struct security_ace **pp_new, struct security_ace *old, unsigned *num, const struct dom_sid *sid, uint32_t mask);31 NTSTATUS sec_ace_mod_sid(struct security_ace *ace, size_t num, const struct dom_sid *sid, uint32_t mask);32 NTSTATUS sec_ace_del_sid(TALLOC_CTX *ctx, struct security_ace **pp_new, struct security_ace *old, uint32_t *num, const struct dom_sid *sid);33 bool sec_ace_equal(const struct security_ace *s1, const struct security_ace *s2);34 30 int nt_ace_inherit_comp( const struct security_ace *a1, const struct security_ace *a2); 35 31 int nt_ace_canon_comp( const struct security_ace *a1, const struct security_ace *a2); -
vendor/current/libcli/security/secacl.c
r740 r988 1 /* 1 /* 2 2 * Unix SMB/Netbios implementation. 3 3 * SEC_ACL handling routines … … 6 6 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998, 7 7 * Copyright (C) Paul Ashton 1997-1998. 8 * 8 * 9 9 * This program is free software; you can redistribute it and/or modify 10 10 * it under the terms of the GNU General Public License as published by 11 11 * the Free Software Foundation; either version 3 of the License, or 12 12 * (at your option) any later version. 13 * 13 * 14 14 * This program is distributed in the hope that it will be useful, 15 15 * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 17 * GNU General Public License for more details. 18 * 18 * 19 19 * You should have received a copy of the GNU General Public License 20 20 * along with this program; if not, see <http://www.gnu.org/licenses/>. … … 29 29 30 30 /******************************************************************* 31 Create a SEC_ACL structure. 31 Create a SEC_ACL structure. 32 32 ********************************************************************/ 33 33 34 struct security_acl *make_sec_acl(TALLOC_CTX *ctx, 35 36 34 struct security_acl *make_sec_acl(TALLOC_CTX *ctx, 35 enum security_acl_revision revision, 36 int num_aces, struct security_ace *ace_list) 37 37 { 38 38 struct security_acl *dst; 39 39 int i; 40 40 41 if((dst = talloc_zero(ctx, struct security_acl)) == NULL) 41 dst = talloc(ctx, struct security_acl); 42 if (dst == NULL) { 42 43 return NULL; 44 } 43 45 44 46 dst->revision = revision; 45 47 dst->num_aces = num_aces; 46 48 dst->size = SEC_ACL_HEADER_SIZE; 49 dst->aces = NULL; 47 50 48 51 /* Now we need to return a non-NULL address for the ace list even … … 52 55 positive number. */ 53 56 54 if ((num_aces) && 55 ((dst->aces = talloc_array(dst, struct security_ace, num_aces)) 56 == NULL)) { 57 if (num_aces == 0) { 58 return dst; 59 } 60 61 dst->aces = talloc_array(dst, struct security_ace, num_aces); 62 if (dst->aces == NULL) { 63 TALLOC_FREE(dst); 57 64 return NULL; 58 65 } 59 66 60 67 for (i = 0; i < num_aces; i++) { 61 68 dst->aces[i] = ace_list[i]; /* Structure copy. */ … … 65 72 return dst; 66 73 } 67 68 /*******************************************************************69 Duplicate a SEC_ACL structure.70 ********************************************************************/71 72 struct security_acl *dup_sec_acl(TALLOC_CTX *ctx, struct security_acl *src)73 {74 if(src == NULL)75 return NULL;76 77 return make_sec_acl(ctx, src->revision, src->num_aces, src->aces);78 } -
vendor/current/libcli/security/secacl.h
r740 r988 26 26 struct security_acl *make_sec_acl(TALLOC_CTX *ctx, enum security_acl_revision revision, 27 27 int num_aces, struct security_ace *ace_list); 28 struct security_acl *dup_sec_acl(TALLOC_CTX *ctx, struct security_acl *src);29 28 30 29 -
vendor/current/libcli/security/security.h
r740 r988 90 90 #define SHARE_READ_ONLY (FILE_GENERIC_READ|FILE_EXECUTE) 91 91 92 /** 93 * Remaining access is a bit mask of remaining access rights (bits) that have 94 * to be granted in order to fulfill the requested access. 95 * 96 * The GUID is optional, if specified it restricts this object tree and its 97 * childs to object/attributes that inherits from this GUID. 98 * For DS access an object inherits from a GUID if one of its class has this GUID 99 * in the schemaIDGUID attribute. 100 */ 92 101 struct object_tree { 93 102 uint32_t remaining_access; … … 101 110 #include "libcli/security/secace.h" 102 111 #include "libcli/security/secacl.h" 112 #include "libcli/security/secdesc.h" 103 113 #include "libcli/security/security_descriptor.h" 104 114 #include "libcli/security/security_token.h" -
vendor/current/libcli/security/security_descriptor.c
r740 r988 183 183 } 184 184 185 NTSTATUS security_descriptor_for_client(TALLOC_CTX *mem_ctx, 186 const struct security_descriptor *ssd, 187 uint32_t sec_info, 188 uint32_t access_granted, 189 struct security_descriptor **_csd) 190 { 191 struct security_descriptor *csd = NULL; 192 uint32_t access_required = 0; 193 194 *_csd = NULL; 195 196 if (sec_info & (SECINFO_OWNER|SECINFO_GROUP)) { 197 access_required |= SEC_STD_READ_CONTROL; 198 } 199 if (sec_info & SECINFO_DACL) { 200 access_required |= SEC_STD_READ_CONTROL; 201 } 202 if (sec_info & SECINFO_SACL) { 203 access_required |= SEC_FLAG_SYSTEM_SECURITY; 204 } 205 206 if (access_required & (~access_granted)) { 207 return NT_STATUS_ACCESS_DENIED; 208 } 209 210 /* 211 * make a copy... 212 */ 213 csd = security_descriptor_copy(mem_ctx, ssd); 214 if (csd == NULL) { 215 return NT_STATUS_NO_MEMORY; 216 } 217 218 /* 219 * ... and remove everthing not wanted 220 */ 221 222 if (!(sec_info & SECINFO_OWNER)) { 223 TALLOC_FREE(csd->owner_sid); 224 csd->type &= ~SEC_DESC_OWNER_DEFAULTED; 225 } 226 if (!(sec_info & SECINFO_GROUP)) { 227 TALLOC_FREE(csd->group_sid); 228 csd->type &= ~SEC_DESC_GROUP_DEFAULTED; 229 } 230 if (!(sec_info & SECINFO_DACL)) { 231 TALLOC_FREE(csd->dacl); 232 csd->type &= ~( 233 SEC_DESC_DACL_PRESENT | 234 SEC_DESC_DACL_DEFAULTED| 235 SEC_DESC_DACL_AUTO_INHERIT_REQ | 236 SEC_DESC_DACL_AUTO_INHERITED | 237 SEC_DESC_DACL_PROTECTED | 238 SEC_DESC_DACL_TRUSTED); 239 } 240 if (!(sec_info & SECINFO_SACL)) { 241 TALLOC_FREE(csd->sacl); 242 csd->type &= ~( 243 SEC_DESC_SACL_PRESENT | 244 SEC_DESC_SACL_DEFAULTED | 245 SEC_DESC_SACL_AUTO_INHERIT_REQ | 246 SEC_DESC_SACL_AUTO_INHERITED | 247 SEC_DESC_SACL_PROTECTED | 248 SEC_DESC_SERVER_SECURITY); 249 } 250 251 *_csd = csd; 252 return NT_STATUS_OK; 253 } 254 185 255 /* 186 256 add an ACE to an ACL of a security_descriptor … … 345 415 compare two security ace structures 346 416 */ 347 bool security_ace_equal(const struct security_ace *ace1, 417 bool security_ace_equal(const struct security_ace *ace1, 348 418 const struct security_ace *ace2) 349 419 { 350 if (ace1 == ace2) return true; 351 if (!ace1 || !ace2) return false; 352 if (ace1->type != ace2->type) return false; 353 if (ace1->flags != ace2->flags) return false; 354 if (ace1->access_mask != ace2->access_mask) return false; 355 if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) return false; 356 357 return true; 420 if (ace1 == ace2) { 421 return true; 422 } 423 if ((ace1 == NULL) || (ace2 == NULL)) { 424 return false; 425 } 426 if (ace1->type != ace2->type) { 427 return false; 428 } 429 if (ace1->flags != ace2->flags) { 430 return false; 431 } 432 if (ace1->access_mask != ace2->access_mask) { 433 return false; 434 } 435 if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) { 436 return false; 437 } 438 439 return true; 358 440 } 359 441 … … 565 647 566 648 { 567 struct dom_sid *sid;568 649 struct security_ace *ace; 650 bool ok; 569 651 570 652 ace = talloc_zero(mem_ctx, struct security_ace); … … 573 655 } 574 656 575 sid = dom_sid_parse_talloc(ace, sid_str);576 if ( sid == NULL) {657 ok = dom_sid_parse(sid_str, &ace->trustee); 658 if (!ok) { 577 659 talloc_free(ace); 578 660 return NULL; 579 661 } 580 581 ace->trustee = *sid;582 662 ace->type = type; 583 663 ace->access_mask = access_mask; … … 586 666 return ace; 587 667 } 668 669 /******************************************************************* 670 Check for MS NFS ACEs in a sd 671 *******************************************************************/ 672 bool security_descriptor_with_ms_nfs(const struct security_descriptor *psd) 673 { 674 int i; 675 676 if (psd->dacl == NULL) { 677 return false; 678 } 679 680 for (i = 0; i < psd->dacl->num_aces; i++) { 681 if (dom_sid_compare_domain( 682 &global_sid_Unix_NFS, 683 &psd->dacl->aces[i].trustee) == 0) { 684 return true; 685 } 686 } 687 688 return false; 689 } -
vendor/current/libcli/security/security_descriptor.h
r740 r988 27 27 struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx, 28 28 const struct security_descriptor *osd); 29 NTSTATUS security_descriptor_for_client(TALLOC_CTX *mem_ctx, 30 const struct security_descriptor *ssd, 31 uint32_t sec_info, 32 uint32_t access_granted, 33 struct security_descriptor **_csd); 29 34 NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd, 30 35 const struct security_ace *ace); … … 82 87 uint32_t (*generic_map)(uint32_t access_mask)); 83 88 89 bool security_descriptor_with_ms_nfs(const struct security_descriptor *psd); 90 84 91 #endif /* __SECURITY_DESCRIPTOR_H__ */ -
vendor/current/libcli/security/security_token.c
r740 r988 85 85 { 86 86 bool ret; 87 struct dom_sid *sid = dom_sid_parse_talloc(NULL, sid_string); 88 if (!sid) return false; 87 struct dom_sid sid; 89 88 90 ret = security_token_is_sid(token, sid); 89 ret = dom_sid_parse(sid_string, &sid); 90 if (!ret) { 91 return false; 92 } 91 93 92 talloc_free(sid);94 ret = security_token_is_sid(token, &sid); 93 95 return ret; 94 96 } … … 118 120 { 119 121 bool ret; 120 struct dom_sid *sid = dom_sid_parse_talloc(NULL, sid_string); 121 if (!sid) return false; 122 struct dom_sid sid; 122 123 123 ret = security_token_has_sid(token, sid); 124 ret = dom_sid_parse(sid_string, &sid); 125 if (!ret) { 126 return false; 127 } 124 128 125 talloc_free(sid);129 ret = security_token_has_sid(token, &sid); 126 130 return ret; 131 } 132 133 bool security_token_has_builtin_guests(const struct security_token *token) 134 { 135 return security_token_has_sid(token, &global_sid_Builtin_Guests); 127 136 } 128 137 -
vendor/current/libcli/security/security_token.h
r740 r988 52 52 bool security_token_has_sid_string(const struct security_token *token, const char *sid_string); 53 53 54 bool security_token_has_builtin_guests(const struct security_token *token); 55 54 56 bool security_token_has_builtin_administrators(const struct security_token *token); 55 57 -
vendor/current/libcli/security/session.c
r740 r988 39 39 } 40 40 41 if (security_token_has_builtin_guests(session_info->security_token)) { 42 return SECURITY_GUEST; 43 } 44 41 45 if (security_token_has_builtin_administrators(session_info->security_token)) { 42 46 return SECURITY_ADMINISTRATOR; -
vendor/current/libcli/security/session.h
r740 r988 25 25 enum security_user_level { 26 26 SECURITY_ANONYMOUS = 0, 27 SECURITY_GUEST = 1, 27 28 SECURITY_USER = 10, 28 29 SECURITY_RO_DOMAIN_CONTROLLER = 20, … … 36 37 struct auth_user_info; 37 38 struct auth_user_info_torture; 38 39 struct auth_session_info { 40 struct security_token *security_token; 41 struct security_unix_token *unix_token; 42 struct auth_user_info *info; 43 struct auth_user_info_unix *unix_info; 44 struct auth_user_info_torture *torture; 45 DATA_BLOB session_key; 46 struct cli_credentials *credentials; 47 }; 39 struct auth_session_info; 48 40 49 41 enum security_user_level security_session_user_level(struct auth_session_info *session_info, -
vendor/current/libcli/security/util_sid.c
r740 r988 39 39 const struct dom_sid global_sid_World = /* Everyone */ 40 40 { 1, 1, {0,0,0,0,0,1}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; 41 const struct dom_sid global_sid_Local_Authority = /* Local Authority */ 42 { 1, 0, {0,0,0,0,0,2}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; 41 43 const struct dom_sid global_sid_Creator_Owner_Domain = /* Creator Owner domain */ 42 44 { 1, 0, {0,0,0,0,0,3}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; … … 54 56 { 1, 1, {0,0,0,0,0,5}, {12,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; 55 57 #endif 58 59 const struct dom_sid global_sid_Asserted_Identity = /* Asserted Identity */ 60 { 1, 0, {0,0,0,0,0,18}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; 61 const struct dom_sid global_sid_Asserted_Identity_Service = /* Asserted Identity Service */ 62 { 1, 1, {0,0,0,0,0,18}, {1,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; 63 const struct dom_sid global_sid_Asserted_Identity_Authentication_Authority = /* Asserted Identity Authentication Authority */ 64 { 1, 1, {0,0,0,0,0,18}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; 65 56 66 const struct dom_sid global_sid_Network = /* Network rids */ 57 67 { 1, 1, {0,0,0,0,0,5}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; … … 61 71 const struct dom_sid global_sid_Creator_Group = /* Creator Group */ 62 72 { 1, 1, {0,0,0,0,0,3}, {1,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; 73 const struct dom_sid global_sid_Owner_Rights = /* Owner Rights */ 74 { 1, 1, {0,0,0,0,0,3}, {4,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; 63 75 const struct dom_sid global_sid_Anonymous = /* Anonymous login */ 64 76 { 1, 1, {0,0,0,0,0,5}, {7,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; … … 93 105 { 1, 1, {0,0,0,0,0,22}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; 94 106 107 /* 108 * http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx 109 */ 110 const struct dom_sid global_sid_Unix_NFS = /* MS NFS and Apple style */ 111 { 1, 1, {0,0,0,0,0,5}, {88,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; 112 const struct dom_sid global_sid_Unix_NFS_Users = /* Unix uid, MS NFS and Apple style */ 113 { 1, 2, {0,0,0,0,0,5}, {88,1,0,0,0,0,0,0,0,0,0,0,0,0,0}}; 114 const struct dom_sid global_sid_Unix_NFS_Groups = /* Unix gid, MS NFS and Apple style */ 115 { 1, 2, {0,0,0,0,0,5}, {88,2,0,0,0,0,0,0,0,0,0,0,0,0,0}}; 116 const struct dom_sid global_sid_Unix_NFS_Mode = /* Unix mode */ 117 { 1, 2, {0,0,0,0,0,5}, {88,3,0,0,0,0,0,0,0,0,0,0,0,0,0}}; 118 /* Unused, left here for documentary purposes */ 119 #if 0 120 const struct dom_sid global_sid_Unix_NFS_Other = /* Unix other, MS NFS and Apple style */ 121 { 1, 2, {0,0,0,0,0,5}, {88,4,0,0,0,0,0,0,0,0,0,0,0,0,0}}; 122 #endif 123 95 124 /* Unused, left here for documentary purposes */ 96 125 #if 0 … … 222 251 int i; 223 252 224 ZERO_STRUCTP(dst);225 226 dst->sid_rev_num = src->sid_rev_num;227 dst->num_auths = src->num_auths;253 *dst = (struct dom_sid) { 254 .sid_rev_num = src->sid_rev_num, 255 .num_auths = src->num_auths, 256 }; 228 257 229 258 memcpy(&dst->id_auth[0], &src->id_auth[0], sizeof(src->id_auth)); … … 234 263 235 264 /***************************************************************** 236 Parse a on-the-wire SID (in a DATA_BLOB) to a struct dom_sid. 237 *****************************************************************/ 238 239 bool sid_blob_parse(DATA_BLOB in, struct dom_sid *sid) 240 { 265 Parse a on-the-wire SID to a struct dom_sid. 266 *****************************************************************/ 267 268 bool sid_parse(const uint8_t *inbuf, size_t len, struct dom_sid *sid) 269 { 270 DATA_BLOB in = data_blob_const(inbuf, len); 241 271 enum ndr_err_code ndr_err; 242 ndr_err = ndr_pull_struct_blob_all(&in, NULL, sid, 243 (ndr_pull_flags_fn_t)ndr_pull_dom_sid); 272 273 ndr_err = ndr_pull_struct_blob_all( 274 &in, NULL, sid, (ndr_pull_flags_fn_t)ndr_pull_dom_sid); 244 275 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { 245 276 return false; 246 277 } 247 278 return true; 248 }249 250 /*****************************************************************251 Parse a on-the-wire SID to a struct dom_sid.252 *****************************************************************/253 254 bool sid_parse(const char *inbuf, size_t len, struct dom_sid *sid)255 {256 DATA_BLOB in = data_blob_const(inbuf, len);257 return sid_blob_parse(in, sid);258 279 } 259 280 … … 274 295 275 296 return dom_sid_compare_auth(sid1, sid2); 276 }277 278 /*****************************************************************279 Compare two sids.280 *****************************************************************/281 282 bool sid_equal(const struct dom_sid *sid1, const struct dom_sid *sid2)283 {284 return dom_sid_compare(sid1, sid2) == 0;285 297 } 286 298 … … 316 328 317 329 for (i=0; i<(*num_sids); i++) { 318 if (dom_sid_ compare(sid, &(*sids)[i]) == 0)330 if (dom_sid_equal(sid, &(*sids)[i])) { 319 331 return NT_STATUS_OK; 332 } 320 333 } 321 334 … … 338 351 and break out of the loop */ 339 352 340 if ( sid_equal(sid, &sid_list[i])) {353 if (dom_sid_equal(sid, &sid_list[i])) { 341 354 *num -= 1; 342 355 break; … … 345 358 346 359 /* This loop will copy the remainder of the array 347 if i < num of sids nithe array */348 349 for ( ; i<*num; i++ ) 360 if i < num of sids in the array */ 361 362 for ( ; i<*num; i++ ) { 350 363 sid_copy( &sid_list[i], &sid_list[i+1] ); 364 } 351 365 352 366 return; … … 378 392 { 379 393 static const struct dom_sid null_sid = {0}; 380 return sid_equal(sid, &null_sid);381 } 394 return dom_sid_equal(sid, &null_sid); 395 } -
vendor/current/libcli/security/wscript_build
r740 r988 2 2 3 3 4 bld.SAMBA_LIBRARY('s ecurity',5 source='dom_sid.c display_sec.c secace.c secacl.c security_descriptor.c sddl.c privileges.c security_token.c access_check.c object_tree.c create_descriptor.c util_sid.c session.c ',4 bld.SAMBA_LIBRARY('samba-security', 5 source='dom_sid.c display_sec.c secace.c secacl.c security_descriptor.c sddl.c privileges.c security_token.c access_check.c object_tree.c create_descriptor.c util_sid.c session.c secdesc.c', 6 6 private_library=True, 7 7 deps='talloc ndr NDR_SECURITY' 8 8 ) 9 9 10 if getattr(bld.env, '_SAMBA_BUILD_', 0) == 4: 11 bld.SAMBA_PYTHON('pysecurity', 12 source='pysecurity.c', 13 deps='security pytalloc-util', 14 realname='samba/security.so' 15 ) 10 bld.SAMBA_PYTHON('pysecurity', 11 source='pysecurity.c', 12 deps='samba-security pytalloc-util', 13 realname='samba/security.so' 14 )
Note:
See TracChangeset
for help on using the changeset viewer.
