search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
drsuapi.idl: fix source_dsa spelling
[samba4-gss.git] / libcli / security / security_descriptor.c
blob60e206bf7da7aa68a5ade84b7b87413bb76ffb20
1 /*
2 Unix SMB/CIFS implementation.
3
4 security descriptor utility functions
5
6 Copyright (C) Andrew Tridgell 2004
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "replace.h"
23 #include "libcli/security/security.h"
24 #include "librpc/ndr/libndr.h"
25
26 /*
27 return a blank security descriptor (no owners, dacl or sacl)
28 */
29 struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx)
30 {
31 struct security_descriptor *sd;
32
33 sd = talloc(mem_ctx, struct security_descriptor);
34 if (!sd) {
35 return NULL;
36 }
37 *sd = (struct security_descriptor){
38 .revision = SD_REVISION,
39
40 /*
41 * we mark as self relative, even though it isn't
42 * while it remains a pointer in memory because this
43 * simplifies the ndr code later. All SDs that we
44 * store/emit are in fact SELF_RELATIVE
45 */
46 .type = SEC_DESC_SELF_RELATIVE,
47 };
48
49 return sd;
50 }
51
52 struct security_acl *security_acl_dup(TALLOC_CTX *mem_ctx,
53 const struct security_acl *oacl)
54 {
55 struct security_acl *nacl;
56
57 if (oacl == NULL) {
58 return NULL;
59 }
60
61 if (oacl->aces == NULL && oacl->num_aces > 0) {
62 return NULL;
63 }
64
65 nacl = talloc (mem_ctx, struct security_acl);
66 if (nacl == NULL) {
67 return NULL;
68 }
69
70 *nacl = (struct security_acl) {
71 .revision = oacl->revision,
72 .size = oacl->size,
73 .num_aces = oacl->num_aces,
74 };
75 if (nacl->num_aces == 0) {
76 return nacl;
77 }
78
79 nacl->aces = (struct security_ace *)talloc_memdup (nacl, oacl->aces, sizeof(struct security_ace) * oacl->num_aces);
80 if (nacl->aces == NULL) {
81 goto failed;
82 }
83
84 return nacl;
85
86 failed:
87 talloc_free (nacl);
88 return NULL;
89
90 }
91
92 struct security_acl *security_acl_concatenate(TALLOC_CTX *mem_ctx,
93 const struct security_acl *acl1,
94 const struct security_acl *acl2)
95 {
96 struct security_acl *nacl;
97 uint32_t i;
98
99 if (!acl1 && !acl2)
100 return NULL;
101
102 if (!acl1){
103 nacl = security_acl_dup(mem_ctx, acl2);
104 return nacl;
105 }
106
107 if (!acl2){
108 nacl = security_acl_dup(mem_ctx, acl1);
109 return nacl;
110 }
111
112 nacl = talloc (mem_ctx, struct security_acl);
113 if (nacl == NULL) {
114 return NULL;
115 }
116
117 nacl->revision = acl1->revision;
118 nacl->size = acl1->size + acl2->size;
119 nacl->num_aces = acl1->num_aces + acl2->num_aces;
120
121 if (nacl->num_aces == 0)
122 return nacl;
123
124 nacl->aces = (struct security_ace *)talloc_array (mem_ctx, struct security_ace, acl1->num_aces+acl2->num_aces);
125 if ((nacl->aces == NULL) && (nacl->num_aces > 0)) {
126 goto failed;
127 }
128
129 for (i = 0; i < acl1->num_aces; i++)
130 nacl->aces[i] = acl1->aces[i];
131 for (i = 0; i < acl2->num_aces; i++)
132 nacl->aces[i + acl1->num_aces] = acl2->aces[i];
133
134 return nacl;
135
136 failed:
137 talloc_free (nacl);
138 return NULL;
139
140 }
141
142 /*
143 talloc and copy a security descriptor
144 */
145 struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx,
146 const struct security_descriptor *osd)
147 {
148 struct security_descriptor *nsd;
149
150 nsd = talloc_zero(mem_ctx, struct security_descriptor);
151 if (!nsd) {
152 return NULL;
153 }
154
155 if (osd->owner_sid) {
156 nsd->owner_sid = dom_sid_dup(nsd, osd->owner_sid);
157 if (nsd->owner_sid == NULL) {
158 goto failed;
159 }
160 }
161
162 if (osd->group_sid) {
163 nsd->group_sid = dom_sid_dup(nsd, osd->group_sid);
164 if (nsd->group_sid == NULL) {
165 goto failed;
166 }
167 }
168
169 if (osd->sacl) {
170 nsd->sacl = security_acl_dup(nsd, osd->sacl);
171 if (nsd->sacl == NULL) {
172 goto failed;
173 }
174 }
175
176 if (osd->dacl) {
177 nsd->dacl = security_acl_dup(nsd, osd->dacl);
178 if (nsd->dacl == NULL) {
179 goto failed;
180 }
181 }
182
183 nsd->revision = osd->revision;
184 nsd->type = osd->type;
185
186 return nsd;
187
188 failed:
189 talloc_free(nsd);
190
191 return NULL;
192 }
193
194 NTSTATUS security_descriptor_for_client(TALLOC_CTX *mem_ctx,
195 const struct security_descriptor *ssd,
196 uint32_t sec_info,
197 uint32_t access_granted,
198 struct security_descriptor **_csd)
199 {
200 struct security_descriptor *csd = NULL;
201 uint32_t access_required = 0;
202
203 *_csd = NULL;
204
205 if (sec_info & (SECINFO_OWNER|SECINFO_GROUP)) {
206 access_required |= SEC_STD_READ_CONTROL;
207 }
208 if (sec_info & SECINFO_DACL) {
209 access_required |= SEC_STD_READ_CONTROL;
210 }
211 if (sec_info & SECINFO_SACL) {
212 access_required |= SEC_FLAG_SYSTEM_SECURITY;
213 }
214
215 if (access_required & (~access_granted)) {
216 return NT_STATUS_ACCESS_DENIED;
217 }
218
219 /*
220 * make a copy...
221 */
222 csd = security_descriptor_copy(mem_ctx, ssd);
223 if (csd == NULL) {
224 return NT_STATUS_NO_MEMORY;
225 }
226
227 /*
228 * ... and remove everything not wanted
229 */
230
231 if (!(sec_info & SECINFO_OWNER)) {
232 TALLOC_FREE(csd->owner_sid);
233 csd->type &= ~SEC_DESC_OWNER_DEFAULTED;
234 }
235 if (!(sec_info & SECINFO_GROUP)) {
236 TALLOC_FREE(csd->group_sid);
237 csd->type &= ~SEC_DESC_GROUP_DEFAULTED;
238 }
239 if (!(sec_info & SECINFO_DACL)) {
240 TALLOC_FREE(csd->dacl);
241 csd->type &= ~(
242 SEC_DESC_DACL_PRESENT |
243 SEC_DESC_DACL_DEFAULTED|
244 SEC_DESC_DACL_AUTO_INHERIT_REQ |
245 SEC_DESC_DACL_AUTO_INHERITED |
246 SEC_DESC_DACL_PROTECTED |
247 SEC_DESC_DACL_TRUSTED);
248 }
249 if (!(sec_info & SECINFO_SACL)) {
250 TALLOC_FREE(csd->sacl);
251 csd->type &= ~(
252 SEC_DESC_SACL_PRESENT |
253 SEC_DESC_SACL_DEFAULTED |
254 SEC_DESC_SACL_AUTO_INHERIT_REQ |
255 SEC_DESC_SACL_AUTO_INHERITED |
256 SEC_DESC_SACL_PROTECTED |
257 SEC_DESC_SERVER_SECURITY);
258 }
259
260 *_csd = csd;
261 return NT_STATUS_OK;
262 }
263
264 /*
265 add an ACE to an ACL of a security_descriptor
266 */
267
268 static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
269 bool add_to_sacl,
270 const struct security_ace *ace,
271 ssize_t _idx)
272 {
273 struct security_acl *acl = NULL;
274 ssize_t idx;
275
276 if (add_to_sacl) {
277 acl = sd->sacl;
278 } else {
279 acl = sd->dacl;
280 }
281
282 if (acl == NULL) {
283 acl = talloc(sd, struct security_acl);
284 if (acl == NULL) {
285 return NT_STATUS_NO_MEMORY;
286 }
287 acl->revision = SECURITY_ACL_REVISION_NT4;
288 acl->size = 0;
289 acl->num_aces = 0;
290 acl->aces = NULL;
291 }
292
293 if (_idx < 0) {
294 idx = (acl->num_aces + 1) + _idx;
295 } else {
296 idx = _idx;
297 }
298
299 if (idx < 0) {
300 return NT_STATUS_ARRAY_BOUNDS_EXCEEDED;
301 }
302 if (idx > acl->num_aces) {
303 return NT_STATUS_ARRAY_BOUNDS_EXCEEDED;
304 }
305
306 acl->aces = talloc_realloc(acl, acl->aces,
307 struct security_ace, acl->num_aces+1);
308 if (acl->aces == NULL) {
309 return NT_STATUS_NO_MEMORY;
310 }
311
312 ARRAY_INSERT_ELEMENT(acl->aces, acl->num_aces, *ace, idx);
313 acl->num_aces++;
314
315 if (sec_ace_object(acl->aces[idx].type)) {
316 acl->revision = SECURITY_ACL_REVISION_ADS;
317 }
318
319 if (add_to_sacl) {
320 sd->sacl = acl;
321 sd->type |= SEC_DESC_SACL_PRESENT;
322 } else {
323 sd->dacl = acl;
324 sd->type |= SEC_DESC_DACL_PRESENT;
325 }
326
327 return NT_STATUS_OK;
328 }
329
330 /*
331 add an ACE to the SACL of a security_descriptor
332 */
333
334 NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
335 const struct security_ace *ace)
336 {
337 return security_descriptor_acl_add(sd, true, ace, -1);
338 }
339
340 /*
341 insert an ACE at a given index to the SACL of a security_descriptor
342
343 idx can be negative, which means it's related to the new size from the
344 end, so -1 means the ace is appended at the end.
345 */
346
347 NTSTATUS security_descriptor_sacl_insert(struct security_descriptor *sd,
348 const struct security_ace *ace,
349 ssize_t idx)
350 {
351 return security_descriptor_acl_add(sd, true, ace, idx);
352 }
353
354 /*
355 add an ACE to the DACL of a security_descriptor
356 */
357
358 NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
359 const struct security_ace *ace)
360 {
361 return security_descriptor_acl_add(sd, false, ace, -1);
362 }
363
364 /*
365 insert an ACE at a given index to the DACL of a security_descriptor
366
367 idx can be negative, which means it's related to the new size from the
368 end, so -1 means the ace is appended at the end.
369 */
370
371 NTSTATUS security_descriptor_dacl_insert(struct security_descriptor *sd,
372 const struct security_ace *ace,
373 ssize_t idx)
374 {
375 return security_descriptor_acl_add(sd, false, ace, idx);
376 }
377
378 /*
379 delete the ACE corresponding to the given trustee in an ACL of a
380 security_descriptor
381 */
382
383 static NTSTATUS security_descriptor_acl_del(struct security_descriptor *sd,
384 bool sacl_del,
385 const struct dom_sid *trustee)
386 {
387 uint32_t i;
388 bool found = false;
389 struct security_acl *acl = NULL;
390
391 if (sacl_del) {
392 acl = sd->sacl;
393 } else {
394 acl = sd->dacl;
395 }
396
397 if (acl == NULL) {
398 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
399 }
400
401 /* there can be multiple ace's for one trustee */
402
403 i = 0;
404
405 while (i<acl->num_aces) {
406 if (dom_sid_equal(trustee, &acl->aces[i].trustee)) {
407 ARRAY_DEL_ELEMENT(acl->aces, i, acl->num_aces);
408 acl->num_aces--;
409 if (acl->num_aces == 0) {
410 acl->aces = NULL;
411 }
412 found = true;
413 } else {
414 i += 1;
415 }
416 }
417
418 if (!found) {
419 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
420 }
421
422 acl->revision = SECURITY_ACL_REVISION_NT4;
423
424 for (i=0;i<acl->num_aces;i++) {
425 if (sec_ace_object(acl->aces[i].type)) {
426 acl->revision = SECURITY_ACL_REVISION_ADS;
427 break;
428 }
429 }
430
431 return NT_STATUS_OK;
432 }
433
434 /*
435 delete the ACE corresponding to the given trustee in the DACL of a
436 security_descriptor
437 */
438
439 NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd,
440 const struct dom_sid *trustee)
441 {
442 return security_descriptor_acl_del(sd, false, trustee);
443 }
444
445 /*
446 delete the ACE corresponding to the given trustee in the SACL of a
447 security_descriptor
448 */
449
450 NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd,
451 const struct dom_sid *trustee)
452 {
453 return security_descriptor_acl_del(sd, true, trustee);
454 }
455
456 /*
457 delete the given ACE in the SACL or DACL of a security_descriptor
458 */
459 static NTSTATUS security_descriptor_acl_del_ace(struct security_descriptor *sd,
460 bool sacl_del,
461 const struct security_ace *ace)
462 {
463 uint32_t i;
464 bool found = false;
465 struct security_acl *acl = NULL;
466
467 if (sacl_del) {
468 acl = sd->sacl;
469 } else {
470 acl = sd->dacl;
471 }
472
473 if (acl == NULL) {
474 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
475 }
476
477 for (i=0;i<acl->num_aces;i++) {
478 if (security_ace_equal(ace, &acl->aces[i])) {
479 ARRAY_DEL_ELEMENT(acl->aces, i, acl->num_aces);
480 acl->num_aces--;
481 if (acl->num_aces == 0) {
482 acl->aces = NULL;
483 }
484 found = true;
485 i--;
486 }
487 }
488
489 if (!found) {
490 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
491 }
492
493 acl->revision = SECURITY_ACL_REVISION_NT4;
494
495 for (i=0;i<acl->num_aces;i++) {
496 if (sec_ace_object(acl->aces[i].type)) {
497 acl->revision = SECURITY_ACL_REVISION_ADS;
498 break;
499 }
500 }
501
502 return NT_STATUS_OK;
503 }
504
505 NTSTATUS security_descriptor_dacl_del_ace(struct security_descriptor *sd,
506 const struct security_ace *ace)
507 {
508 return security_descriptor_acl_del_ace(sd, false, ace);
509 }
510
511 NTSTATUS security_descriptor_sacl_del_ace(struct security_descriptor *sd,
512 const struct security_ace *ace)
513 {
514 return security_descriptor_acl_del_ace(sd, true, ace);
515 }
516
517 static bool security_ace_object_equal(const struct security_ace_object *object1,
518 const struct security_ace_object *object2)
519 {
520 if (object1 == object2) {
521 return true;
522 }
523 if ((object1 == NULL) || (object2 == NULL)) {
524 return false;
525 }
526 if (object1->flags != object2->flags) {
527 return false;
528 }
529 if (object1->flags & SEC_ACE_OBJECT_TYPE_PRESENT
530 && !GUID_equal(&object1->type.type, &object2->type.type)) {
531 return false;
532 }
533 if (object1->flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
534 && !GUID_equal(&object1->inherited_type.inherited_type,
535 &object2->inherited_type.inherited_type)) {
536 return false;
537 }
538
539 return true;
540 }
541
542
543 static bool security_ace_claim_equal(const struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *claim1,
544 const struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *claim2)
545 {
546 uint32_t i;
547
548 if (claim1 == claim2) {
549 return true;
550 }
551 if (claim1 == NULL || claim2 == NULL) {
552 return false;
553 }
554 if (claim1->name != NULL && claim2->name != NULL) {
555 if (strcasecmp_m(claim1->name, claim2->name) != 0) {
556 return false;
557 }
558 } else if (claim1->name != NULL || claim2->name != NULL) {
559 return false;
560 }
561 if (claim1->value_type != claim2->value_type) {
562 return false;
563 }
564 if (claim1->flags != claim2->flags) {
565 return false;
566 }
567 if (claim1->value_count != claim2->value_count) {
568 return false;
569 }
570 for (i = 0; i < claim1->value_count; ++i) {
571 const union claim_values *values1 = claim1->values;
572 const union claim_values *values2 = claim2->values;
573
574 switch (claim1->value_type) {
575 case CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64:
576 if (values1[i].int_value != NULL && values2[i].int_value != NULL) {
577 if (*values1[i].int_value != *values2[i].int_value) {
578 return false;
579 }
580 } else if (values1[i].int_value != NULL || values2[i].int_value != NULL) {
581 return false;
582 }
583 break;
584 case CLAIM_SECURITY_ATTRIBUTE_TYPE_UINT64:
585 case CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN:
586 if (values1[i].uint_value != NULL && values2[i].uint_value != NULL) {
587 if (*values1[i].uint_value != *values2[i].uint_value) {
588 return false;
589 }
590 } else if (values1[i].uint_value != NULL || values2[i].uint_value != NULL) {
591 return false;
592 }
593 break;
594 case CLAIM_SECURITY_ATTRIBUTE_TYPE_STRING:
595 if (values1[i].string_value != NULL && values2[i].string_value != NULL) {
596 if (strcasecmp_m(values1[i].string_value, values2[i].string_value) != 0) {
597 return false;
598 }
599 } else if (values1[i].string_value != NULL || values2[i].string_value != NULL) {
600 return false;
601 }
602 break;
603 case CLAIM_SECURITY_ATTRIBUTE_TYPE_SID:
604 if (values1[i].sid_value != NULL && values2[i].sid_value != NULL) {
605 if (data_blob_cmp(values1[i].sid_value, values2[i].sid_value) != 0) {
606 return false;
607 }
608 } else if (values1[i].sid_value != NULL || values2[i].sid_value != NULL) {
609 return false;
610 }
611 break;
612 case CLAIM_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING:
613 if (values1[i].octet_value != NULL && values2[i].octet_value != NULL) {
614 if (data_blob_cmp(values1[i].octet_value, values2[i].octet_value) != 0) {
615 return false;
616 }
617 } else if (values1[i].octet_value != NULL || values2[i].octet_value != NULL) {
618 return false;
619 }
620 break;
621 default:
622 break;
623 }
624 }
625
626 return true;
627 }
628
629 /*
630 compare two security ace structures
631 */
632 bool security_ace_equal(const struct security_ace *ace1,
633 const struct security_ace *ace2)
634 {
635 if (ace1 == ace2) {
636 return true;
637 }
638 if ((ace1 == NULL) || (ace2 == NULL)) {
639 return false;
640 }
641 if (ace1->type != ace2->type) {
642 return false;
643 }
644 if (ace1->flags != ace2->flags) {
645 return false;
646 }
647 if (ace1->access_mask != ace2->access_mask) {
648 return false;
649 }
650 if (sec_ace_object(ace1->type) &&
651 !security_ace_object_equal(&ace1->object.object,
652 &ace2->object.object))
653 {
654 return false;
655 }
656 if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) {
657 return false;
658 }
659
660 if (sec_ace_callback(ace1->type)) {
661 if (data_blob_cmp(&ace1->coda.conditions, &ace2->coda.conditions) != 0) {
662 return false;
663 }
664 } else if (sec_ace_resource(ace1->type)) {
665 if (!security_ace_claim_equal(&ace1->coda.claim, &ace2->coda.claim)) {
666 return false;
667 }
668 } else {
669 /*
670 * Don’t require ace1->coda.ignored to match ace2->coda.ignored.
671 */
672 }
673
674 return true;
675 }
676
677
678 /*
679 compare two security acl structures
680 */
681 bool security_acl_equal(const struct security_acl *acl1,
682 const struct security_acl *acl2)
683 {
684 uint32_t i;
685
686 if (acl1 == acl2) return true;
687 if (!acl1 || !acl2) return false;
688 if (acl1->revision != acl2->revision) return false;
689 if (acl1->num_aces != acl2->num_aces) return false;
690
691 for (i=0;i<acl1->num_aces;i++) {
692 if (!security_ace_equal(&acl1->aces[i], &acl2->aces[i])) return false;
693 }
694 return true;
695 }
696
697 /*
698 compare two security descriptors.
699 */
700 bool security_descriptor_equal(const struct security_descriptor *sd1,
701 const struct security_descriptor *sd2)
702 {
703 if (sd1 == sd2) return true;
704 if (!sd1 || !sd2) return false;
705 if (sd1->revision != sd2->revision) return false;
706 if (sd1->type != sd2->type) return false;
707
708 if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
709 if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
710 if (!security_acl_equal(sd1->sacl, sd2->sacl)) return false;
711 if (!security_acl_equal(sd1->dacl, sd2->dacl)) return false;
712
713 return true;
714 }
715
716 /*
717 compare two security descriptors, but allow certain (missing) parts
718 to be masked out of the comparison
719 */
720 bool security_descriptor_mask_equal(const struct security_descriptor *sd1,
721 const struct security_descriptor *sd2,
722 uint32_t mask)
723 {
724 if (sd1 == sd2) return true;
725 if (!sd1 || !sd2) return false;
726 if (sd1->revision != sd2->revision) return false;
727 if ((sd1->type & mask) != (sd2->type & mask)) return false;
728
729 if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
730 if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
731 if ((mask & SEC_DESC_DACL_PRESENT) && !security_acl_equal(sd1->dacl, sd2->dacl)) return false;
732 if ((mask & SEC_DESC_SACL_PRESENT) && !security_acl_equal(sd1->sacl, sd2->sacl)) return false;
733
734 return true;
735 }
736
737
738 static struct security_descriptor *security_descriptor_appendv(struct security_descriptor *sd,
739 bool add_ace_to_sacl,
740 va_list ap)
741 {
742 const char *sidstr;
743
744 while ((sidstr = va_arg(ap, const char *))) {
745 struct dom_sid *sid;
746 struct security_ace *ace = talloc_zero(sd, struct security_ace);
747 NTSTATUS status;
748
749 if (ace == NULL) {
750 talloc_free(sd);
751 return NULL;
752 }
753 ace->type = va_arg(ap, unsigned int);
754 ace->access_mask = va_arg(ap, unsigned int);
755 ace->flags = va_arg(ap, unsigned int);
756 sid = dom_sid_parse_talloc(ace, sidstr);
757 if (sid == NULL) {
758 talloc_free(sd);
759 return NULL;
760 }
761 ace->trustee = *sid;
762 if (add_ace_to_sacl) {
763 status = security_descriptor_sacl_add(sd, ace);
764 } else {
765 status = security_descriptor_dacl_add(sd, ace);
766 }
767 /* TODO: check: would talloc_free(ace) here be correct? */
768 if (!NT_STATUS_IS_OK(status)) {
769 talloc_free(sd);
770 return NULL;
771 }
772 }
773
774 return sd;
775 }
776
777 static struct security_descriptor *security_descriptor_createv(TALLOC_CTX *mem_ctx,
778 uint16_t sd_type,
779 const char *owner_sid,
780 const char *group_sid,
781 bool add_ace_to_sacl,
782 va_list ap)
783 {
784 struct security_descriptor *sd;
785
786 sd = security_descriptor_initialise(mem_ctx);
787 if (sd == NULL) {
788 return NULL;
789 }
790
791 sd->type |= sd_type;
792
793 if (owner_sid) {
794 sd->owner_sid = dom_sid_parse_talloc(sd, owner_sid);
795 if (sd->owner_sid == NULL) {
796 talloc_free(sd);
797 return NULL;
798 }
799 }
800 if (group_sid) {
801 sd->group_sid = dom_sid_parse_talloc(sd, group_sid);
802 if (sd->group_sid == NULL) {
803 talloc_free(sd);
804 return NULL;
805 }
806 }
807
808 return security_descriptor_appendv(sd, add_ace_to_sacl, ap);
809 }
810
811 /*
812 create a security descriptor using string SIDs. This is used by the
813 torture code to allow the easy creation of complex ACLs
814 This is a varargs function. The list of DACL ACEs ends with a NULL sid.
815
816 Each ACE contains a set of 4 parameters:
817 SID, ACCESS_TYPE, MASK, FLAGS
818
819 a typical call would be:
820
821 sd = security_descriptor_dacl_create(mem_ctx,
822 sd_type_flags,
823 mysid,
824 mygroup,
825 SID_NT_AUTHENTICATED_USERS,
826 SEC_ACE_TYPE_ACCESS_ALLOWED,
827 SEC_FILE_ALL,
828 SEC_ACE_FLAG_OBJECT_INHERIT,
829 NULL);
830 that would create a sd with one DACL ACE
831 */
832
833 struct security_descriptor *security_descriptor_dacl_create(TALLOC_CTX *mem_ctx,
834 uint16_t sd_type,
835 const char *owner_sid,
836 const char *group_sid,
837 ...)
838 {
839 struct security_descriptor *sd = NULL;
840 va_list ap;
841 va_start(ap, group_sid);
842 sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid,
843 group_sid, false, ap);
844 va_end(ap);
845
846 return sd;
847 }
848
849 struct security_descriptor *security_descriptor_sacl_create(TALLOC_CTX *mem_ctx,
850 uint16_t sd_type,
851 const char *owner_sid,
852 const char *group_sid,
853 ...)
854 {
855 struct security_descriptor *sd = NULL;
856 va_list ap;
857 va_start(ap, group_sid);
858 sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid,
859 group_sid, true, ap);
860 va_end(ap);
861
862 return sd;
863 }
864
865 struct security_ace *security_ace_create(TALLOC_CTX *mem_ctx,
866 const char *sid_str,
867 enum security_ace_type type,
868 uint32_t access_mask,
869 uint8_t flags)
870
871 {
872 struct security_ace *ace;
873 bool ok;
874
875 ace = talloc_zero(mem_ctx, struct security_ace);
876 if (ace == NULL) {
877 return NULL;
878 }
879
880 ok = dom_sid_parse(sid_str, &ace->trustee);
881 if (!ok) {
882 talloc_free(ace);
883 return NULL;
884 }
885 ace->type = type;
886 ace->access_mask = access_mask;
887 ace->flags = flags;
888
889 return ace;
890 }
891
892 /*******************************************************************
893 Check for MS NFS ACEs in a sd
894 *******************************************************************/
895 bool security_descriptor_with_ms_nfs(const struct security_descriptor *psd)
896 {
897 uint32_t i;
898
899 if (psd->dacl == NULL) {
900 return false;
901 }
902
903 for (i = 0; i < psd->dacl->num_aces; i++) {
904 if (dom_sid_compare_domain(
905 &global_sid_Unix_NFS,
906 &psd->dacl->aces[i].trustee) == 0) {
907 return true;
908 }
909 }
910
911 return false;
912 }
GSS-enabled samba4