search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-scripts: Improve update and listing code
[samba4-gss.git] / libcli / security / security_descriptor.c
bloba7159e7da7e66aec4f48810ad693796d36073858
1 /*
2 Unix SMB/CIFS implementation.
3
4 security descriptor utility functions
5
6 Copyright (C) Andrew Tridgell 2004
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "replace.h"
23 #include "libcli/security/security.h"
24 #include "librpc/ndr/libndr.h"
25
26 /*
27 return a blank security descriptor (no owners, dacl or sacl)
28 */
29 struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx)
30 {
31 struct security_descriptor *sd;
32
33 sd = talloc(mem_ctx, struct security_descriptor);
34 if (!sd) {
35 return NULL;
36 }
37 *sd = (struct security_descriptor){
38 .revision = SD_REVISION,
39
40 /*
41 * we mark as self relative, even though it isn't
42 * while it remains a pointer in memory because this
43 * simplifies the ndr code later. All SDs that we
44 * store/emit are in fact SELF_RELATIVE
45 */
46 .type = SEC_DESC_SELF_RELATIVE,
47 };
48
49 return sd;
50 }
51
52 struct security_acl *security_acl_dup(TALLOC_CTX *mem_ctx,
53 const struct security_acl *oacl)
54 {
55 struct security_acl *nacl;
56
57 if (oacl == NULL) {
58 return NULL;
59 }
60
61 if (oacl->aces == NULL && oacl->num_aces > 0) {
62 return NULL;
63 }
64
65 nacl = talloc (mem_ctx, struct security_acl);
66 if (nacl == NULL) {
67 return NULL;
68 }
69
70 *nacl = (struct security_acl) {
71 .revision = oacl->revision,
72 .size = oacl->size,
73 .num_aces = oacl->num_aces,
74 };
75 if (nacl->num_aces == 0) {
76 return nacl;
77 }
78
79 nacl->aces = (struct security_ace *)talloc_memdup (nacl, oacl->aces, sizeof(struct security_ace) * oacl->num_aces);
80 if (nacl->aces == NULL) {
81 goto failed;
82 }
83
84 return nacl;
85
86 failed:
87 talloc_free (nacl);
88 return NULL;
89
90 }
91
92 struct security_acl *security_acl_concatenate(TALLOC_CTX *mem_ctx,
93 const struct security_acl *acl1,
94 const struct security_acl *acl2)
95 {
96 struct security_acl *nacl;
97 uint32_t i;
98
99 if (!acl1 && !acl2)
100 return NULL;
101
102 if (!acl1){
103 nacl = security_acl_dup(mem_ctx, acl2);
104 return nacl;
105 }
106
107 if (!acl2){
108 nacl = security_acl_dup(mem_ctx, acl1);
109 return nacl;
110 }
111
112 nacl = talloc (mem_ctx, struct security_acl);
113 if (nacl == NULL) {
114 return NULL;
115 }
116
117 nacl->revision = acl1->revision;
118 nacl->size = acl1->size + acl2->size;
119 nacl->num_aces = acl1->num_aces + acl2->num_aces;
120
121 if (nacl->num_aces == 0)
122 return nacl;
123
124 nacl->aces = (struct security_ace *)talloc_array (mem_ctx, struct security_ace, acl1->num_aces+acl2->num_aces);
125 if ((nacl->aces == NULL) && (nacl->num_aces > 0)) {
126 goto failed;
127 }
128
129 for (i = 0; i < acl1->num_aces; i++)
130 nacl->aces[i] = acl1->aces[i];
131 for (i = 0; i < acl2->num_aces; i++)
132 nacl->aces[i + acl1->num_aces] = acl2->aces[i];
133
134 return nacl;
135
136 failed:
137 talloc_free (nacl);
138 return NULL;
139
140 }
141
142 /*
143 talloc and copy a security descriptor
144 */
145 struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx,
146 const struct security_descriptor *osd)
147 {
148 struct security_descriptor *nsd;
149
150 nsd = talloc_zero(mem_ctx, struct security_descriptor);
151 if (!nsd) {
152 return NULL;
153 }
154
155 if (osd->owner_sid) {
156 nsd->owner_sid = dom_sid_dup(nsd, osd->owner_sid);
157 if (nsd->owner_sid == NULL) {
158 goto failed;
159 }
160 }
161
162 if (osd->group_sid) {
163 nsd->group_sid = dom_sid_dup(nsd, osd->group_sid);
164 if (nsd->group_sid == NULL) {
165 goto failed;
166 }
167 }
168
169 if (osd->sacl) {
170 nsd->sacl = security_acl_dup(nsd, osd->sacl);
171 if (nsd->sacl == NULL) {
172 goto failed;
173 }
174 }
175
176 if (osd->dacl) {
177 nsd->dacl = security_acl_dup(nsd, osd->dacl);
178 if (nsd->dacl == NULL) {
179 goto failed;
180 }
181 }
182
183 nsd->revision = osd->revision;
184 nsd->type = osd->type;
185
186 return nsd;
187
188 failed:
189 talloc_free(nsd);
190
191 return NULL;
192 }
193
194 NTSTATUS security_descriptor_for_client(TALLOC_CTX *mem_ctx,
195 const struct security_descriptor *ssd,
196 uint32_t sec_info,
197 uint32_t access_granted,
198 struct security_descriptor **_csd)
199 {
200 struct security_descriptor *csd = NULL;
201 uint32_t access_required = 0;
202
203 *_csd = NULL;
204
205 if (sec_info & (SECINFO_OWNER|SECINFO_GROUP)) {
206 access_required |= SEC_STD_READ_CONTROL;
207 }
208 if (sec_info & SECINFO_DACL) {
209 access_required |= SEC_STD_READ_CONTROL;
210 }
211 if (sec_info & SECINFO_SACL) {
212 access_required |= SEC_FLAG_SYSTEM_SECURITY;
213 }
214
215 if (access_required & (~access_granted)) {
216 return NT_STATUS_ACCESS_DENIED;
217 }
218
219 /*
220 * make a copy...
221 */
222 csd = security_descriptor_copy(mem_ctx, ssd);
223 if (csd == NULL) {
224 return NT_STATUS_NO_MEMORY;
225 }
226
227 /*
228 * ... and remove everything not wanted
229 */
230
231 if (!(sec_info & SECINFO_OWNER)) {
232 TALLOC_FREE(csd->owner_sid);
233 csd->type &= ~SEC_DESC_OWNER_DEFAULTED;
234 }
235 if (!(sec_info & SECINFO_GROUP)) {
236 TALLOC_FREE(csd->group_sid);
237 csd->type &= ~SEC_DESC_GROUP_DEFAULTED;
238 }
239 if (!(sec_info & SECINFO_DACL)) {
240 TALLOC_FREE(csd->dacl);
241 csd->type &= ~(
242 SEC_DESC_DACL_PRESENT |
243 SEC_DESC_DACL_DEFAULTED|
244 SEC_DESC_DACL_AUTO_INHERIT_REQ |
245 SEC_DESC_DACL_AUTO_INHERITED |
246 SEC_DESC_DACL_PROTECTED |
247 SEC_DESC_DACL_TRUSTED);
248 }
249 if (!(sec_info & SECINFO_SACL)) {
250 TALLOC_FREE(csd->sacl);
251 csd->type &= ~(
252 SEC_DESC_SACL_PRESENT |
253 SEC_DESC_SACL_DEFAULTED |
254 SEC_DESC_SACL_AUTO_INHERIT_REQ |
255 SEC_DESC_SACL_AUTO_INHERITED |
256 SEC_DESC_SACL_PROTECTED |
257 SEC_DESC_SERVER_SECURITY);
258 }
259
260 *_csd = csd;
261 return NT_STATUS_OK;
262 }
263
264 /*
265 add an ACE to an ACL of a security_descriptor
266 */
267
268 static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
269 bool add_to_sacl,
270 const struct security_ace *ace,
271 ssize_t _idx)
272 {
273 struct security_acl *acl = NULL;
274 ssize_t idx;
275
276 if (add_to_sacl) {
277 acl = sd->sacl;
278 } else {
279 acl = sd->dacl;
280 }
281
282 if (acl == NULL) {
283 acl = talloc(sd, struct security_acl);
284 if (acl == NULL) {
285 return NT_STATUS_NO_MEMORY;
286 }
287 acl->revision = SECURITY_ACL_REVISION_NT4;
288 acl->size = 0;
289 acl->num_aces = 0;
290 acl->aces = NULL;
291 }
292
293 if (_idx < 0) {
294 idx = (acl->num_aces + 1) + _idx;
295 } else {
296 idx = _idx;
297 }
298
299 if (idx < 0) {
300 return NT_STATUS_ARRAY_BOUNDS_EXCEEDED;
301 } else if (idx > acl->num_aces) {
302 return NT_STATUS_ARRAY_BOUNDS_EXCEEDED;
303 }
304
305 acl->aces = talloc_realloc(acl, acl->aces,
306 struct security_ace, acl->num_aces+1);
307 if (acl->aces == NULL) {
308 return NT_STATUS_NO_MEMORY;
309 }
310
311 ARRAY_INSERT_ELEMENT(acl->aces, acl->num_aces, *ace, idx);
312 acl->num_aces++;
313
314 if (sec_ace_object(acl->aces[idx].type)) {
315 acl->revision = SECURITY_ACL_REVISION_ADS;
316 }
317
318 if (add_to_sacl) {
319 sd->sacl = acl;
320 sd->type |= SEC_DESC_SACL_PRESENT;
321 } else {
322 sd->dacl = acl;
323 sd->type |= SEC_DESC_DACL_PRESENT;
324 }
325
326 return NT_STATUS_OK;
327 }
328
329 /*
330 add an ACE to the SACL of a security_descriptor
331 */
332
333 NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
334 const struct security_ace *ace)
335 {
336 return security_descriptor_acl_add(sd, true, ace, -1);
337 }
338
339 /*
340 insert an ACE at a given index to the SACL of a security_descriptor
341
342 idx can be negative, which means it's related to the new size from the
343 end, so -1 means the ace is appended at the end.
344 */
345
346 NTSTATUS security_descriptor_sacl_insert(struct security_descriptor *sd,
347 const struct security_ace *ace,
348 ssize_t idx)
349 {
350 return security_descriptor_acl_add(sd, true, ace, idx);
351 }
352
353 /*
354 add an ACE to the DACL of a security_descriptor
355 */
356
357 NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
358 const struct security_ace *ace)
359 {
360 return security_descriptor_acl_add(sd, false, ace, -1);
361 }
362
363 /*
364 insert an ACE at a given index to the DACL of a security_descriptor
365
366 idx can be negative, which means it's related to the new size from the
367 end, so -1 means the ace is appended at the end.
368 */
369
370 NTSTATUS security_descriptor_dacl_insert(struct security_descriptor *sd,
371 const struct security_ace *ace,
372 ssize_t idx)
373 {
374 return security_descriptor_acl_add(sd, false, ace, idx);
375 }
376
377 /*
378 delete the ACE corresponding to the given trustee in an ACL of a
379 security_descriptor
380 */
381
382 static NTSTATUS security_descriptor_acl_del(struct security_descriptor *sd,
383 bool sacl_del,
384 const struct dom_sid *trustee)
385 {
386 uint32_t i;
387 bool found = false;
388 struct security_acl *acl = NULL;
389
390 if (sacl_del) {
391 acl = sd->sacl;
392 } else {
393 acl = sd->dacl;
394 }
395
396 if (acl == NULL) {
397 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
398 }
399
400 /* there can be multiple ace's for one trustee */
401
402 i = 0;
403
404 while (i<acl->num_aces) {
405 if (dom_sid_equal(trustee, &acl->aces[i].trustee)) {
406 ARRAY_DEL_ELEMENT(acl->aces, i, acl->num_aces);
407 acl->num_aces--;
408 if (acl->num_aces == 0) {
409 acl->aces = NULL;
410 }
411 found = true;
412 } else {
413 i += 1;
414 }
415 }
416
417 if (!found) {
418 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
419 }
420
421 acl->revision = SECURITY_ACL_REVISION_NT4;
422
423 for (i=0;i<acl->num_aces;i++) {
424 if (sec_ace_object(acl->aces[i].type)) {
425 acl->revision = SECURITY_ACL_REVISION_ADS;
426 break;
427 }
428 }
429
430 return NT_STATUS_OK;
431 }
432
433 /*
434 delete the ACE corresponding to the given trustee in the DACL of a
435 security_descriptor
436 */
437
438 NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd,
439 const struct dom_sid *trustee)
440 {
441 return security_descriptor_acl_del(sd, false, trustee);
442 }
443
444 /*
445 delete the ACE corresponding to the given trustee in the SACL of a
446 security_descriptor
447 */
448
449 NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd,
450 const struct dom_sid *trustee)
451 {
452 return security_descriptor_acl_del(sd, true, trustee);
453 }
454
455 /*
456 delete the given ACE in the SACL or DACL of a security_descriptor
457 */
458 static NTSTATUS security_descriptor_acl_del_ace(struct security_descriptor *sd,
459 bool sacl_del,
460 const struct security_ace *ace)
461 {
462 uint32_t i;
463 bool found = false;
464 struct security_acl *acl = NULL;
465
466 if (sacl_del) {
467 acl = sd->sacl;
468 } else {
469 acl = sd->dacl;
470 }
471
472 if (acl == NULL) {
473 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
474 }
475
476 for (i=0;i<acl->num_aces;i++) {
477 if (security_ace_equal(ace, &acl->aces[i])) {
478 ARRAY_DEL_ELEMENT(acl->aces, i, acl->num_aces);
479 acl->num_aces--;
480 if (acl->num_aces == 0) {
481 acl->aces = NULL;
482 }
483 found = true;
484 i--;
485 }
486 }
487
488 if (!found) {
489 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
490 }
491
492 acl->revision = SECURITY_ACL_REVISION_NT4;
493
494 for (i=0;i<acl->num_aces;i++) {
495 if (sec_ace_object(acl->aces[i].type)) {
496 acl->revision = SECURITY_ACL_REVISION_ADS;
497 break;
498 }
499 }
500
501 return NT_STATUS_OK;
502 }
503
504 NTSTATUS security_descriptor_dacl_del_ace(struct security_descriptor *sd,
505 const struct security_ace *ace)
506 {
507 return security_descriptor_acl_del_ace(sd, false, ace);
508 }
509
510 NTSTATUS security_descriptor_sacl_del_ace(struct security_descriptor *sd,
511 const struct security_ace *ace)
512 {
513 return security_descriptor_acl_del_ace(sd, true, ace);
514 }
515
516 static bool security_ace_object_equal(const struct security_ace_object *object1,
517 const struct security_ace_object *object2)
518 {
519 if (object1 == object2) {
520 return true;
521 }
522 if ((object1 == NULL) || (object2 == NULL)) {
523 return false;
524 }
525 if (object1->flags != object2->flags) {
526 return false;
527 }
528 if (object1->flags & SEC_ACE_OBJECT_TYPE_PRESENT
529 && !GUID_equal(&object1->type.type, &object2->type.type)) {
530 return false;
531 }
532 if (object1->flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
533 && !GUID_equal(&object1->inherited_type.inherited_type,
534 &object2->inherited_type.inherited_type)) {
535 return false;
536 }
537
538 return true;
539 }
540
541
542 static bool security_ace_claim_equal(const struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *claim1,
543 const struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *claim2)
544 {
545 uint32_t i;
546
547 if (claim1 == claim2) {
548 return true;
549 }
550 if (claim1 == NULL || claim2 == NULL) {
551 return false;
552 }
553 if (claim1->name != NULL && claim2->name != NULL) {
554 if (strcasecmp_m(claim1->name, claim2->name) != 0) {
555 return false;
556 }
557 } else if (claim1->name != NULL || claim2->name != NULL) {
558 return false;
559 }
560 if (claim1->value_type != claim2->value_type) {
561 return false;
562 }
563 if (claim1->flags != claim2->flags) {
564 return false;
565 }
566 if (claim1->value_count != claim2->value_count) {
567 return false;
568 }
569 for (i = 0; i < claim1->value_count; ++i) {
570 const union claim_values *values1 = claim1->values;
571 const union claim_values *values2 = claim2->values;
572
573 switch (claim1->value_type) {
574 case CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64:
575 if (values1[i].int_value != NULL && values2[i].int_value != NULL) {
576 if (*values1[i].int_value != *values2[i].int_value) {
577 return false;
578 }
579 } else if (values1[i].int_value != NULL || values2[i].int_value != NULL) {
580 return false;
581 }
582 break;
583 case CLAIM_SECURITY_ATTRIBUTE_TYPE_UINT64:
584 case CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN:
585 if (values1[i].uint_value != NULL && values2[i].uint_value != NULL) {
586 if (*values1[i].uint_value != *values2[i].uint_value) {
587 return false;
588 }
589 } else if (values1[i].uint_value != NULL || values2[i].uint_value != NULL) {
590 return false;
591 }
592 break;
593 case CLAIM_SECURITY_ATTRIBUTE_TYPE_STRING:
594 if (values1[i].string_value != NULL && values2[i].string_value != NULL) {
595 if (strcasecmp_m(values1[i].string_value, values2[i].string_value) != 0) {
596 return false;
597 }
598 } else if (values1[i].string_value != NULL || values2[i].string_value != NULL) {
599 return false;
600 }
601 break;
602 case CLAIM_SECURITY_ATTRIBUTE_TYPE_SID:
603 if (values1[i].sid_value != NULL && values2[i].sid_value != NULL) {
604 if (data_blob_cmp(values1[i].sid_value, values2[i].sid_value) != 0) {
605 return false;
606 }
607 } else if (values1[i].sid_value != NULL || values2[i].sid_value != NULL) {
608 return false;
609 }
610 break;
611 case CLAIM_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING:
612 if (values1[i].octet_value != NULL && values2[i].octet_value != NULL) {
613 if (data_blob_cmp(values1[i].octet_value, values2[i].octet_value) != 0) {
614 return false;
615 }
616 } else if (values1[i].octet_value != NULL || values2[i].octet_value != NULL) {
617 return false;
618 }
619 break;
620 default:
621 break;
622 }
623 }
624
625 return true;
626 }
627
628 /*
629 compare two security ace structures
630 */
631 bool security_ace_equal(const struct security_ace *ace1,
632 const struct security_ace *ace2)
633 {
634 if (ace1 == ace2) {
635 return true;
636 }
637 if ((ace1 == NULL) || (ace2 == NULL)) {
638 return false;
639 }
640 if (ace1->type != ace2->type) {
641 return false;
642 }
643 if (ace1->flags != ace2->flags) {
644 return false;
645 }
646 if (ace1->access_mask != ace2->access_mask) {
647 return false;
648 }
649 if (sec_ace_object(ace1->type) &&
650 !security_ace_object_equal(&ace1->object.object,
651 &ace2->object.object))
652 {
653 return false;
654 }
655 if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) {
656 return false;
657 }
658
659 if (sec_ace_callback(ace1->type)) {
660 if (data_blob_cmp(&ace1->coda.conditions, &ace2->coda.conditions) != 0) {
661 return false;
662 }
663 } else if (sec_ace_resource(ace1->type)) {
664 if (!security_ace_claim_equal(&ace1->coda.claim, &ace2->coda.claim)) {
665 return false;
666 }
667 } else {
668 /*
669 * Don’t require ace1->coda.ignored to match ace2->coda.ignored.
670 */
671 }
672
673 return true;
674 }
675
676
677 /*
678 compare two security acl structures
679 */
680 bool security_acl_equal(const struct security_acl *acl1,
681 const struct security_acl *acl2)
682 {
683 uint32_t i;
684
685 if (acl1 == acl2) return true;
686 if (!acl1 || !acl2) return false;
687 if (acl1->revision != acl2->revision) return false;
688 if (acl1->num_aces != acl2->num_aces) return false;
689
690 for (i=0;i<acl1->num_aces;i++) {
691 if (!security_ace_equal(&acl1->aces[i], &acl2->aces[i])) return false;
692 }
693 return true;
694 }
695
696 /*
697 compare two security descriptors.
698 */
699 bool security_descriptor_equal(const struct security_descriptor *sd1,
700 const struct security_descriptor *sd2)
701 {
702 if (sd1 == sd2) return true;
703 if (!sd1 || !sd2) return false;
704 if (sd1->revision != sd2->revision) return false;
705 if (sd1->type != sd2->type) return false;
706
707 if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
708 if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
709 if (!security_acl_equal(sd1->sacl, sd2->sacl)) return false;
710 if (!security_acl_equal(sd1->dacl, sd2->dacl)) return false;
711
712 return true;
713 }
714
715 /*
716 compare two security descriptors, but allow certain (missing) parts
717 to be masked out of the comparison
718 */
719 bool security_descriptor_mask_equal(const struct security_descriptor *sd1,
720 const struct security_descriptor *sd2,
721 uint32_t mask)
722 {
723 if (sd1 == sd2) return true;
724 if (!sd1 || !sd2) return false;
725 if (sd1->revision != sd2->revision) return false;
726 if ((sd1->type & mask) != (sd2->type & mask)) return false;
727
728 if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
729 if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
730 if ((mask & SEC_DESC_DACL_PRESENT) && !security_acl_equal(sd1->dacl, sd2->dacl)) return false;
731 if ((mask & SEC_DESC_SACL_PRESENT) && !security_acl_equal(sd1->sacl, sd2->sacl)) return false;
732
733 return true;
734 }
735
736
737 static struct security_descriptor *security_descriptor_appendv(struct security_descriptor *sd,
738 bool add_ace_to_sacl,
739 va_list ap)
740 {
741 const char *sidstr;
742
743 while ((sidstr = va_arg(ap, const char *))) {
744 struct dom_sid *sid;
745 struct security_ace *ace = talloc_zero(sd, struct security_ace);
746 NTSTATUS status;
747
748 if (ace == NULL) {
749 talloc_free(sd);
750 return NULL;
751 }
752 ace->type = va_arg(ap, unsigned int);
753 ace->access_mask = va_arg(ap, unsigned int);
754 ace->flags = va_arg(ap, unsigned int);
755 sid = dom_sid_parse_talloc(ace, sidstr);
756 if (sid == NULL) {
757 talloc_free(sd);
758 return NULL;
759 }
760 ace->trustee = *sid;
761 if (add_ace_to_sacl) {
762 status = security_descriptor_sacl_add(sd, ace);
763 } else {
764 status = security_descriptor_dacl_add(sd, ace);
765 }
766 /* TODO: check: would talloc_free(ace) here be correct? */
767 if (!NT_STATUS_IS_OK(status)) {
768 talloc_free(sd);
769 return NULL;
770 }
771 }
772
773 return sd;
774 }
775
776 static struct security_descriptor *security_descriptor_createv(TALLOC_CTX *mem_ctx,
777 uint16_t sd_type,
778 const char *owner_sid,
779 const char *group_sid,
780 bool add_ace_to_sacl,
781 va_list ap)
782 {
783 struct security_descriptor *sd;
784
785 sd = security_descriptor_initialise(mem_ctx);
786 if (sd == NULL) {
787 return NULL;
788 }
789
790 sd->type |= sd_type;
791
792 if (owner_sid) {
793 sd->owner_sid = dom_sid_parse_talloc(sd, owner_sid);
794 if (sd->owner_sid == NULL) {
795 talloc_free(sd);
796 return NULL;
797 }
798 }
799 if (group_sid) {
800 sd->group_sid = dom_sid_parse_talloc(sd, group_sid);
801 if (sd->group_sid == NULL) {
802 talloc_free(sd);
803 return NULL;
804 }
805 }
806
807 return security_descriptor_appendv(sd, add_ace_to_sacl, ap);
808 }
809
810 /*
811 create a security descriptor using string SIDs. This is used by the
812 torture code to allow the easy creation of complex ACLs
813 This is a varargs function. The list of DACL ACEs ends with a NULL sid.
814
815 Each ACE contains a set of 4 parameters:
816 SID, ACCESS_TYPE, MASK, FLAGS
817
818 a typical call would be:
819
820 sd = security_descriptor_dacl_create(mem_ctx,
821 sd_type_flags,
822 mysid,
823 mygroup,
824 SID_NT_AUTHENTICATED_USERS,
825 SEC_ACE_TYPE_ACCESS_ALLOWED,
826 SEC_FILE_ALL,
827 SEC_ACE_FLAG_OBJECT_INHERIT,
828 NULL);
829 that would create a sd with one DACL ACE
830 */
831
832 struct security_descriptor *security_descriptor_dacl_create(TALLOC_CTX *mem_ctx,
833 uint16_t sd_type,
834 const char *owner_sid,
835 const char *group_sid,
836 ...)
837 {
838 struct security_descriptor *sd = NULL;
839 va_list ap;
840 va_start(ap, group_sid);
841 sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid,
842 group_sid, false, ap);
843 va_end(ap);
844
845 return sd;
846 }
847
848 struct security_descriptor *security_descriptor_sacl_create(TALLOC_CTX *mem_ctx,
849 uint16_t sd_type,
850 const char *owner_sid,
851 const char *group_sid,
852 ...)
853 {
854 struct security_descriptor *sd = NULL;
855 va_list ap;
856 va_start(ap, group_sid);
857 sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid,
858 group_sid, true, ap);
859 va_end(ap);
860
861 return sd;
862 }
863
864 struct security_ace *security_ace_create(TALLOC_CTX *mem_ctx,
865 const char *sid_str,
866 enum security_ace_type type,
867 uint32_t access_mask,
868 uint8_t flags)
869
870 {
871 struct security_ace *ace;
872 bool ok;
873
874 ace = talloc_zero(mem_ctx, struct security_ace);
875 if (ace == NULL) {
876 return NULL;
877 }
878
879 ok = dom_sid_parse(sid_str, &ace->trustee);
880 if (!ok) {
881 talloc_free(ace);
882 return NULL;
883 }
884 ace->type = type;
885 ace->access_mask = access_mask;
886 ace->flags = flags;
887
888 return ace;
889 }
890
891 /*******************************************************************
892 Check for MS NFS ACEs in a sd
893 *******************************************************************/
894 bool security_descriptor_with_ms_nfs(const struct security_descriptor *psd)
895 {
896 uint32_t i;
897
898 if (psd->dacl == NULL) {
899 return false;
900 }
901
902 for (i = 0; i < psd->dacl->num_aces; i++) {
903 if (dom_sid_compare_domain(
904 &global_sid_Unix_NFS,
905 &psd->dacl->aces[i].trustee) == 0) {
906 return true;
907 }
908 }
909
910 return false;
911 }
GSS-enabled samba4