2 Unix SMB/CIFS implementation.
4 security descriptror utility functions
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libcli/security/security.h"
26 return a blank security descriptor (no owners, dacl or sacl)
28 struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx)
30 struct security_descriptor *sd;
32 sd = talloc(mem_ctx, struct security_descriptor);
37 sd->revision = SD_REVISION;
38 /* we mark as self relative, even though it isn't while it remains
39 a pointer in memory because this simplifies the ndr code later.
40 All SDs that we store/emit are in fact SELF_RELATIVE
42 sd->type = SEC_DESC_SELF_RELATIVE;
52 struct security_acl *security_acl_dup(TALLOC_CTX *mem_ctx,
53 const struct security_acl *oacl)
55 struct security_acl *nacl;
61 if (oacl->aces == NULL && oacl->num_aces > 0) {
65 nacl = talloc (mem_ctx, struct security_acl);
70 *nacl = (struct security_acl) {
71 .revision = oacl->revision,
73 .num_aces = oacl->num_aces,
75 if (nacl->num_aces == 0) {
79 nacl->aces = (struct security_ace *)talloc_memdup (nacl, oacl->aces, sizeof(struct security_ace) * oacl->num_aces);
80 if (nacl->aces == NULL) {
92 struct security_acl *security_acl_concatenate(TALLOC_CTX *mem_ctx,
93 const struct security_acl *acl1,
94 const struct security_acl *acl2)
96 struct security_acl *nacl;
103 nacl = security_acl_dup(mem_ctx, acl2);
108 nacl = security_acl_dup(mem_ctx, acl1);
112 nacl = talloc (mem_ctx, struct security_acl);
117 nacl->revision = acl1->revision;
118 nacl->size = acl1->size + acl2->size;
119 nacl->num_aces = acl1->num_aces + acl2->num_aces;
121 if (nacl->num_aces == 0)
124 nacl->aces = (struct security_ace *)talloc_array (mem_ctx, struct security_ace, acl1->num_aces+acl2->num_aces);
125 if ((nacl->aces == NULL) && (nacl->num_aces > 0)) {
129 for (i = 0; i < acl1->num_aces; i++)
130 nacl->aces[i] = acl1->aces[i];
131 for (i = 0; i < acl2->num_aces; i++)
132 nacl->aces[i + acl1->num_aces] = acl2->aces[i];
143 talloc and copy a security descriptor
145 struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx,
146 const struct security_descriptor *osd)
148 struct security_descriptor *nsd;
150 nsd = talloc_zero(mem_ctx, struct security_descriptor);
155 if (osd->owner_sid) {
156 nsd->owner_sid = dom_sid_dup(nsd, osd->owner_sid);
157 if (nsd->owner_sid == NULL) {
162 if (osd->group_sid) {
163 nsd->group_sid = dom_sid_dup(nsd, osd->group_sid);
164 if (nsd->group_sid == NULL) {
170 nsd->sacl = security_acl_dup(nsd, osd->sacl);
171 if (nsd->sacl == NULL) {
177 nsd->dacl = security_acl_dup(nsd, osd->dacl);
178 if (nsd->dacl == NULL) {
183 nsd->revision = osd->revision;
184 nsd->type = osd->type;
194 NTSTATUS security_descriptor_for_client(TALLOC_CTX *mem_ctx,
195 const struct security_descriptor *ssd,
197 uint32_t access_granted,
198 struct security_descriptor **_csd)
200 struct security_descriptor *csd = NULL;
201 uint32_t access_required = 0;
205 if (sec_info & (SECINFO_OWNER|SECINFO_GROUP)) {
206 access_required |= SEC_STD_READ_CONTROL;
208 if (sec_info & SECINFO_DACL) {
209 access_required |= SEC_STD_READ_CONTROL;
211 if (sec_info & SECINFO_SACL) {
212 access_required |= SEC_FLAG_SYSTEM_SECURITY;
215 if (access_required & (~access_granted)) {
216 return NT_STATUS_ACCESS_DENIED;
222 csd = security_descriptor_copy(mem_ctx, ssd);
224 return NT_STATUS_NO_MEMORY;
228 * ... and remove everthing not wanted
231 if (!(sec_info & SECINFO_OWNER)) {
232 TALLOC_FREE(csd->owner_sid);
233 csd->type &= ~SEC_DESC_OWNER_DEFAULTED;
235 if (!(sec_info & SECINFO_GROUP)) {
236 TALLOC_FREE(csd->group_sid);
237 csd->type &= ~SEC_DESC_GROUP_DEFAULTED;
239 if (!(sec_info & SECINFO_DACL)) {
240 TALLOC_FREE(csd->dacl);
242 SEC_DESC_DACL_PRESENT |
243 SEC_DESC_DACL_DEFAULTED|
244 SEC_DESC_DACL_AUTO_INHERIT_REQ |
245 SEC_DESC_DACL_AUTO_INHERITED |
246 SEC_DESC_DACL_PROTECTED |
247 SEC_DESC_DACL_TRUSTED);
249 if (!(sec_info & SECINFO_SACL)) {
250 TALLOC_FREE(csd->sacl);
252 SEC_DESC_SACL_PRESENT |
253 SEC_DESC_SACL_DEFAULTED |
254 SEC_DESC_SACL_AUTO_INHERIT_REQ |
255 SEC_DESC_SACL_AUTO_INHERITED |
256 SEC_DESC_SACL_PROTECTED |
257 SEC_DESC_SERVER_SECURITY);
265 add an ACE to an ACL of a security_descriptor
268 static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
270 const struct security_ace *ace,
273 struct security_acl *acl = NULL;
283 acl = talloc(sd, struct security_acl);
285 return NT_STATUS_NO_MEMORY;
287 acl->revision = SECURITY_ACL_REVISION_NT4;
294 idx = (acl->num_aces + 1) + _idx;
300 return NT_STATUS_ARRAY_BOUNDS_EXCEEDED;
301 } else if (idx > acl->num_aces) {
302 return NT_STATUS_ARRAY_BOUNDS_EXCEEDED;
305 acl->aces = talloc_realloc(acl, acl->aces,
306 struct security_ace, acl->num_aces+1);
307 if (acl->aces == NULL) {
308 return NT_STATUS_NO_MEMORY;
311 ARRAY_INSERT_ELEMENT(acl->aces, acl->num_aces, *ace, idx);
314 switch (acl->aces[idx].type) {
315 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
316 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
317 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
318 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
319 acl->revision = SECURITY_ACL_REVISION_ADS;
327 sd->type |= SEC_DESC_SACL_PRESENT;
330 sd->type |= SEC_DESC_DACL_PRESENT;
337 add an ACE to the SACL of a security_descriptor
340 NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
341 const struct security_ace *ace)
343 return security_descriptor_acl_add(sd, true, ace, -1);
347 insert an ACE at a given index to the SACL of a security_descriptor
349 idx can be negative, which means it's related to the new size from the
350 end, so -1 means the ace is appended at the end.
353 NTSTATUS security_descriptor_sacl_insert(struct security_descriptor *sd,
354 const struct security_ace *ace,
357 return security_descriptor_acl_add(sd, true, ace, idx);
361 add an ACE to the DACL of a security_descriptor
364 NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
365 const struct security_ace *ace)
367 return security_descriptor_acl_add(sd, false, ace, -1);
371 insert an ACE at a given index to the DACL of a security_descriptor
373 idx can be negative, which means it's related to the new size from the
374 end, so -1 means the ace is appended at the end.
377 NTSTATUS security_descriptor_dacl_insert(struct security_descriptor *sd,
378 const struct security_ace *ace,
381 return security_descriptor_acl_add(sd, false, ace, idx);
385 delete the ACE corresponding to the given trustee in an ACL of a
389 static NTSTATUS security_descriptor_acl_del(struct security_descriptor *sd,
391 const struct dom_sid *trustee)
395 struct security_acl *acl = NULL;
404 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
407 /* there can be multiple ace's for one trustee */
408 for (i=0;i<acl->num_aces;i++) {
409 if (dom_sid_equal(trustee, &acl->aces[i].trustee)) {
410 ARRAY_DEL_ELEMENT(acl->aces, i, acl->num_aces);
412 if (acl->num_aces == 0) {
420 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
423 acl->revision = SECURITY_ACL_REVISION_NT4;
425 for (i=0;i<acl->num_aces;i++) {
426 switch (acl->aces[i].type) {
427 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
428 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
429 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
430 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
431 acl->revision = SECURITY_ACL_REVISION_ADS;
434 break; /* only for the switch statement */
442 delete the ACE corresponding to the given trustee in the DACL of a
446 NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd,
447 const struct dom_sid *trustee)
449 return security_descriptor_acl_del(sd, false, trustee);
453 delete the ACE corresponding to the given trustee in the SACL of a
457 NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd,
458 const struct dom_sid *trustee)
460 return security_descriptor_acl_del(sd, true, trustee);
464 delete the given ACE in the SACL or DACL of a security_descriptor
466 static NTSTATUS security_descriptor_acl_del_ace(struct security_descriptor *sd,
468 const struct security_ace *ace)
472 struct security_acl *acl = NULL;
481 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
484 for (i=0;i<acl->num_aces;i++) {
485 if (security_ace_equal(ace, &acl->aces[i])) {
486 ARRAY_DEL_ELEMENT(acl->aces, i, acl->num_aces);
488 if (acl->num_aces == 0) {
497 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
500 acl->revision = SECURITY_ACL_REVISION_NT4;
502 for (i=0;i<acl->num_aces;i++) {
503 switch (acl->aces[i].type) {
504 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
505 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
506 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
507 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
508 acl->revision = SECURITY_ACL_REVISION_ADS;
511 break; /* only for the switch statement */
518 NTSTATUS security_descriptor_dacl_del_ace(struct security_descriptor *sd,
519 const struct security_ace *ace)
521 return security_descriptor_acl_del_ace(sd, false, ace);
524 NTSTATUS security_descriptor_sacl_del_ace(struct security_descriptor *sd,
525 const struct security_ace *ace)
527 return security_descriptor_acl_del_ace(sd, true, ace);
530 compare two security ace structures
532 bool security_ace_equal(const struct security_ace *ace1,
533 const struct security_ace *ace2)
538 if ((ace1 == NULL) || (ace2 == NULL)) {
541 if (ace1->type != ace2->type) {
544 if (ace1->flags != ace2->flags) {
547 if (ace1->access_mask != ace2->access_mask) {
550 if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) {
559 compare two security acl structures
561 bool security_acl_equal(const struct security_acl *acl1,
562 const struct security_acl *acl2)
566 if (acl1 == acl2) return true;
567 if (!acl1 || !acl2) return false;
568 if (acl1->revision != acl2->revision) return false;
569 if (acl1->num_aces != acl2->num_aces) return false;
571 for (i=0;i<acl1->num_aces;i++) {
572 if (!security_ace_equal(&acl1->aces[i], &acl2->aces[i])) return false;
578 compare two security descriptors.
580 bool security_descriptor_equal(const struct security_descriptor *sd1,
581 const struct security_descriptor *sd2)
583 if (sd1 == sd2) return true;
584 if (!sd1 || !sd2) return false;
585 if (sd1->revision != sd2->revision) return false;
586 if (sd1->type != sd2->type) return false;
588 if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
589 if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
590 if (!security_acl_equal(sd1->sacl, sd2->sacl)) return false;
591 if (!security_acl_equal(sd1->dacl, sd2->dacl)) return false;
597 compare two security descriptors, but allow certain (missing) parts
598 to be masked out of the comparison
600 bool security_descriptor_mask_equal(const struct security_descriptor *sd1,
601 const struct security_descriptor *sd2,
604 if (sd1 == sd2) return true;
605 if (!sd1 || !sd2) return false;
606 if (sd1->revision != sd2->revision) return false;
607 if ((sd1->type & mask) != (sd2->type & mask)) return false;
609 if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
610 if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
611 if ((mask & SEC_DESC_DACL_PRESENT) && !security_acl_equal(sd1->dacl, sd2->dacl)) return false;
612 if ((mask & SEC_DESC_SACL_PRESENT) && !security_acl_equal(sd1->sacl, sd2->sacl)) return false;
618 static struct security_descriptor *security_descriptor_appendv(struct security_descriptor *sd,
619 bool add_ace_to_sacl,
624 while ((sidstr = va_arg(ap, const char *))) {
626 struct security_ace *ace = talloc_zero(sd, struct security_ace);
633 ace->type = va_arg(ap, unsigned int);
634 ace->access_mask = va_arg(ap, unsigned int);
635 ace->flags = va_arg(ap, unsigned int);
636 sid = dom_sid_parse_talloc(ace, sidstr);
642 if (add_ace_to_sacl) {
643 status = security_descriptor_sacl_add(sd, ace);
645 status = security_descriptor_dacl_add(sd, ace);
647 /* TODO: check: would talloc_free(ace) here be correct? */
648 if (!NT_STATUS_IS_OK(status)) {
657 static struct security_descriptor *security_descriptor_createv(TALLOC_CTX *mem_ctx,
659 const char *owner_sid,
660 const char *group_sid,
661 bool add_ace_to_sacl,
664 struct security_descriptor *sd;
666 sd = security_descriptor_initialise(mem_ctx);
674 sd->owner_sid = dom_sid_parse_talloc(sd, owner_sid);
675 if (sd->owner_sid == NULL) {
681 sd->group_sid = dom_sid_parse_talloc(sd, group_sid);
682 if (sd->group_sid == NULL) {
688 return security_descriptor_appendv(sd, add_ace_to_sacl, ap);
692 create a security descriptor using string SIDs. This is used by the
693 torture code to allow the easy creation of complex ACLs
694 This is a varargs function. The list of DACL ACEs ends with a NULL sid.
696 Each ACE contains a set of 4 parameters:
697 SID, ACCESS_TYPE, MASK, FLAGS
699 a typical call would be:
701 sd = security_descriptor_dacl_create(mem_ctx,
705 SID_NT_AUTHENTICATED_USERS,
706 SEC_ACE_TYPE_ACCESS_ALLOWED,
708 SEC_ACE_FLAG_OBJECT_INHERIT,
710 that would create a sd with one DACL ACE
713 struct security_descriptor *security_descriptor_dacl_create(TALLOC_CTX *mem_ctx,
715 const char *owner_sid,
716 const char *group_sid,
719 struct security_descriptor *sd = NULL;
721 va_start(ap, group_sid);
722 sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid,
723 group_sid, false, ap);
729 struct security_descriptor *security_descriptor_sacl_create(TALLOC_CTX *mem_ctx,
731 const char *owner_sid,
732 const char *group_sid,
735 struct security_descriptor *sd = NULL;
737 va_start(ap, group_sid);
738 sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid,
739 group_sid, true, ap);
745 struct security_ace *security_ace_create(TALLOC_CTX *mem_ctx,
747 enum security_ace_type type,
748 uint32_t access_mask,
752 struct security_ace *ace;
755 ace = talloc_zero(mem_ctx, struct security_ace);
760 ok = dom_sid_parse(sid_str, &ace->trustee);
766 ace->access_mask = access_mask;
772 /*******************************************************************
773 Check for MS NFS ACEs in a sd
774 *******************************************************************/
775 bool security_descriptor_with_ms_nfs(const struct security_descriptor *psd)
779 if (psd->dacl == NULL) {
783 for (i = 0; i < psd->dacl->num_aces; i++) {
784 if (dom_sid_compare_domain(
785 &global_sid_Unix_NFS,
786 &psd->dacl->aces[i].trustee) == 0) {