2 Unix SMB/CIFS implementation.
4 security descriptror utility functions
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libcli/security/security.h"
26 return a blank security descriptor (no owners, dacl or sacl)
28 struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx)
30 struct security_descriptor *sd;
32 sd = talloc(mem_ctx, struct security_descriptor);
37 sd->revision = SD_REVISION;
38 /* we mark as self relative, even though it isn't while it remains
39 a pointer in memory because this simplifies the ndr code later.
40 All SDs that we store/emit are in fact SELF_RELATIVE
42 sd->type = SEC_DESC_SELF_RELATIVE;
52 static struct security_acl *security_acl_dup(TALLOC_CTX *mem_ctx,
53 const struct security_acl *oacl)
55 struct security_acl *nacl;
58 nacl = talloc (mem_ctx, struct security_acl);
63 nacl->aces = (struct security_ace *)talloc_memdup (nacl, oacl->aces, sizeof(struct security_ace) * oacl->num_aces);
64 if ((nacl->aces == NULL) && (oacl->num_aces > 0)) {
68 /* remapping array in trustee dom_sid from old acl to new acl */
70 for (i = 0; i < oacl->num_aces; i++) {
71 nacl->aces[i].trustee.sub_auths =
72 (uint32_t *)talloc_memdup(nacl->aces, nacl->aces[i].trustee.sub_auths,
73 sizeof(uint32_t) * nacl->aces[i].trustee.num_auths);
75 if ((nacl->aces[i].trustee.sub_auths == NULL) && (nacl->aces[i].trustee.num_auths > 0)) {
80 nacl->revision = oacl->revision;
81 nacl->size = oacl->size;
82 nacl->num_aces = oacl->num_aces;
93 talloc and copy a security descriptor
95 struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx,
96 const struct security_descriptor *osd)
98 struct security_descriptor *nsd;
100 nsd = talloc_zero(mem_ctx, struct security_descriptor);
105 if (osd->owner_sid) {
106 nsd->owner_sid = dom_sid_dup(nsd, osd->owner_sid);
107 if (nsd->owner_sid == NULL) {
112 if (osd->group_sid) {
113 nsd->group_sid = dom_sid_dup(nsd, osd->group_sid);
114 if (nsd->group_sid == NULL) {
120 nsd->sacl = security_acl_dup(nsd, osd->sacl);
121 if (nsd->sacl == NULL) {
127 nsd->dacl = security_acl_dup(nsd, osd->dacl);
128 if (nsd->dacl == NULL) {
133 nsd->revision = osd->revision;
134 nsd->type = osd->type;
145 add an ACE to an ACL of a security_descriptor
148 static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
150 const struct security_ace *ace)
152 struct security_acl *acl = NULL;
161 acl = talloc(sd, struct security_acl);
163 return NT_STATUS_NO_MEMORY;
165 acl->revision = SECURITY_ACL_REVISION_NT4;
171 acl->aces = talloc_realloc(acl, acl->aces,
172 struct security_ace, acl->num_aces+1);
173 if (acl->aces == NULL) {
174 return NT_STATUS_NO_MEMORY;
177 acl->aces[acl->num_aces] = *ace;
178 acl->aces[acl->num_aces].trustee.sub_auths =
179 (uint32_t *)talloc_memdup(acl->aces,
180 acl->aces[acl->num_aces].trustee.sub_auths,
182 acl->aces[acl->num_aces].trustee.num_auths);
183 if (acl->aces[acl->num_aces].trustee.sub_auths == NULL) {
184 return NT_STATUS_NO_MEMORY;
187 switch (acl->aces[acl->num_aces].type) {
188 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
189 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
190 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
191 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
192 acl->revision = SECURITY_ACL_REVISION_ADS;
202 sd->type |= SEC_DESC_SACL_PRESENT;
205 sd->type |= SEC_DESC_DACL_PRESENT;
212 add an ACE to the SACL of a security_descriptor
215 NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
216 const struct security_ace *ace)
218 return security_descriptor_acl_add(sd, true, ace);
222 add an ACE to the DACL of a security_descriptor
225 NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
226 const struct security_ace *ace)
228 return security_descriptor_acl_add(sd, false, ace);
232 delete the ACE corresponding to the given trustee in an ACL of a
236 static NTSTATUS security_descriptor_acl_del(struct security_descriptor *sd,
238 const struct dom_sid *trustee)
242 struct security_acl *acl = NULL;
251 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
254 /* there can be multiple ace's for one trustee */
255 for (i=0;i<acl->num_aces;i++) {
256 if (dom_sid_equal(trustee, &acl->aces[i].trustee)) {
257 memmove(&acl->aces[i], &acl->aces[i+1],
258 sizeof(acl->aces[i]) * (acl->num_aces - (i+1)));
260 if (acl->num_aces == 0) {
268 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
271 acl->revision = SECURITY_ACL_REVISION_NT4;
273 for (i=0;i<acl->num_aces;i++) {
274 switch (acl->aces[i].type) {
275 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
276 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
277 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
278 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
279 acl->revision = SECURITY_ACL_REVISION_ADS;
282 break; /* only for the switch statement */
290 delete the ACE corresponding to the given trustee in the DACL of a
294 NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd,
295 const struct dom_sid *trustee)
297 return security_descriptor_acl_del(sd, false, trustee);
301 delete the ACE corresponding to the given trustee in the SACL of a
305 NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd,
306 const struct dom_sid *trustee)
308 return security_descriptor_acl_del(sd, true, trustee);
312 compare two security ace structures
314 bool security_ace_equal(const struct security_ace *ace1,
315 const struct security_ace *ace2)
317 if (ace1 == ace2) return true;
318 if (!ace1 || !ace2) return false;
319 if (ace1->type != ace2->type) return false;
320 if (ace1->flags != ace2->flags) return false;
321 if (ace1->access_mask != ace2->access_mask) return false;
322 if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) return false;
329 compare two security acl structures
331 bool security_acl_equal(const struct security_acl *acl1,
332 const struct security_acl *acl2)
336 if (acl1 == acl2) return true;
337 if (!acl1 || !acl2) return false;
338 if (acl1->revision != acl2->revision) return false;
339 if (acl1->num_aces != acl2->num_aces) return false;
341 for (i=0;i<acl1->num_aces;i++) {
342 if (!security_ace_equal(&acl1->aces[i], &acl2->aces[i])) return false;
348 compare two security descriptors.
350 bool security_descriptor_equal(const struct security_descriptor *sd1,
351 const struct security_descriptor *sd2)
353 if (sd1 == sd2) return true;
354 if (!sd1 || !sd2) return false;
355 if (sd1->revision != sd2->revision) return false;
356 if (sd1->type != sd2->type) return false;
358 if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
359 if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
360 if (!security_acl_equal(sd1->sacl, sd2->sacl)) return false;
361 if (!security_acl_equal(sd1->dacl, sd2->dacl)) return false;
367 compare two security descriptors, but allow certain (missing) parts
368 to be masked out of the comparison
370 bool security_descriptor_mask_equal(const struct security_descriptor *sd1,
371 const struct security_descriptor *sd2,
374 if (sd1 == sd2) return true;
375 if (!sd1 || !sd2) return false;
376 if (sd1->revision != sd2->revision) return false;
377 if ((sd1->type & mask) != (sd2->type & mask)) return false;
379 if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
380 if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
381 if ((mask & SEC_DESC_DACL_PRESENT) && !security_acl_equal(sd1->dacl, sd2->dacl)) return false;
382 if ((mask & SEC_DESC_SACL_PRESENT) && !security_acl_equal(sd1->sacl, sd2->sacl)) return false;
388 static struct security_descriptor *security_descriptor_appendv(struct security_descriptor *sd,
389 bool add_ace_to_sacl,
394 while ((sidstr = va_arg(ap, const char *))) {
396 struct security_ace *ace = talloc(sd, struct security_ace);
403 ace->type = va_arg(ap, unsigned int);
404 ace->access_mask = va_arg(ap, unsigned int);
405 ace->flags = va_arg(ap, unsigned int);
406 sid = dom_sid_parse_talloc(ace, sidstr);
412 if (add_ace_to_sacl) {
413 status = security_descriptor_sacl_add(sd, ace);
415 status = security_descriptor_dacl_add(sd, ace);
417 /* TODO: check: would talloc_free(ace) here be correct? */
418 if (!NT_STATUS_IS_OK(status)) {
427 struct security_descriptor *security_descriptor_append(struct security_descriptor *sd,
433 sd = security_descriptor_appendv(sd, false, ap);
439 static struct security_descriptor *security_descriptor_createv(TALLOC_CTX *mem_ctx,
441 const char *owner_sid,
442 const char *group_sid,
443 bool add_ace_to_sacl,
446 struct security_descriptor *sd;
448 sd = security_descriptor_initialise(mem_ctx);
456 sd->owner_sid = dom_sid_parse_talloc(sd, owner_sid);
457 if (sd->owner_sid == NULL) {
463 sd->group_sid = dom_sid_parse_talloc(sd, group_sid);
464 if (sd->group_sid == NULL) {
470 return security_descriptor_appendv(sd, add_ace_to_sacl, ap);
474 create a security descriptor using string SIDs. This is used by the
475 torture code to allow the easy creation of complex ACLs
476 This is a varargs function. The list of DACL ACEs ends with a NULL sid.
478 Each ACE contains a set of 4 parameters:
479 SID, ACCESS_TYPE, MASK, FLAGS
481 a typical call would be:
483 sd = security_descriptor_dacl_create(mem_ctx,
487 SID_NT_AUTHENTICATED_USERS,
488 SEC_ACE_TYPE_ACCESS_ALLOWED,
490 SEC_ACE_FLAG_OBJECT_INHERIT,
492 that would create a sd with one DACL ACE
495 struct security_descriptor *security_descriptor_dacl_create(TALLOC_CTX *mem_ctx,
497 const char *owner_sid,
498 const char *group_sid,
501 struct security_descriptor *sd = NULL;
503 va_start(ap, group_sid);
504 sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid,
505 group_sid, false, ap);
511 struct security_descriptor *security_descriptor_sacl_create(TALLOC_CTX *mem_ctx,
513 const char *owner_sid,
514 const char *group_sid,
517 struct security_descriptor *sd = NULL;
519 va_start(ap, group_sid);
520 sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid,
521 group_sid, true, ap);
527 struct security_ace *security_ace_create(TALLOC_CTX *mem_ctx,
529 enum security_ace_type type,
530 uint32_t access_mask,
535 struct security_ace *ace;
537 ace = talloc_zero(mem_ctx, struct security_ace);
542 sid = dom_sid_parse_talloc(ace, sid_str);
550 ace->access_mask = access_mask;