2 Unix SMB/CIFS implementation.
4 security descriptror utility functions
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 #include "libcli/security/security.h"
27 return a blank security descriptor (no owners, dacl or sacl)
29 struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx)
31 struct security_descriptor *sd;
33 sd = talloc_p(mem_ctx, struct security_descriptor);
38 sd->revision = SD_REVISION;
39 /* we mark as self relative, even though it isn't while it remains
40 a pointer in memory because this simplifies the ndr code later.
41 All SDs that we store/emit are in fact SELF_RELATIVE
43 sd->type = SEC_DESC_SELF_RELATIVE;
54 talloc and copy a security descriptor
56 struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx,
57 const struct security_descriptor *osd)
59 struct security_descriptor *nsd;
62 DEBUG(1, ("security_descriptor_copy(): sorry unimplemented yet\n"));
69 add an ACE to the DACL of a security_descriptor
71 NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
72 const struct security_ace *ace)
74 if (sd->dacl == NULL) {
75 sd->dacl = talloc_p(sd, struct security_acl);
76 if (sd->dacl == NULL) {
77 return NT_STATUS_NO_MEMORY;
79 sd->dacl->revision = NT4_ACL_REVISION;
81 sd->dacl->num_aces = 0;
82 sd->dacl->aces = NULL;
85 sd->dacl->aces = talloc_realloc_p(sd->dacl, sd->dacl->aces,
86 struct security_ace, sd->dacl->num_aces+1);
87 if (sd->dacl->aces == NULL) {
88 return NT_STATUS_NO_MEMORY;
91 sd->dacl->aces[sd->dacl->num_aces] = *ace;
92 sd->dacl->aces[sd->dacl->num_aces].trustee.sub_auths =
93 talloc_memdup(sd->dacl->aces,
94 sd->dacl->aces[sd->dacl->num_aces].trustee.sub_auths,
96 sd->dacl->aces[sd->dacl->num_aces].trustee.num_auths);
97 if (sd->dacl->aces[sd->dacl->num_aces].trustee.sub_auths == NULL) {
98 return NT_STATUS_NO_MEMORY;
101 sd->dacl->num_aces++;
103 sd->type |= SEC_DESC_DACL_PRESENT;
110 delete the ACE corresponding to the given trustee in the DACL of a security_descriptor
112 NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd,
113 struct dom_sid *trustee)
117 if (sd->dacl == NULL) {
118 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
121 for (i=0;i<sd->dacl->num_aces;i++) {
122 if (dom_sid_equal(trustee, &sd->dacl->aces[i].trustee)) {
123 memmove(&sd->dacl->aces[i], &sd->dacl->aces[i+1],
124 sizeof(sd->dacl->aces[i]) * (sd->dacl->num_aces - (i+1)));
125 sd->dacl->num_aces--;
126 if (sd->dacl->num_aces == 0) {
127 sd->dacl->aces = NULL;
132 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
137 compare two security ace structures
139 BOOL security_ace_equal(const struct security_ace *ace1,
140 const struct security_ace *ace2)
142 if (ace1 == ace2) return True;
143 if (!ace1 || !ace2) return False;
144 if (ace1->type != ace2->type) return False;
145 if (ace1->flags != ace2->flags) return False;
146 if (ace1->access_mask != ace2->access_mask) return False;
147 if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) return False;
154 compare two security acl structures
156 BOOL security_acl_equal(const struct security_acl *acl1,
157 const struct security_acl *acl2)
161 if (acl1 == acl2) return True;
162 if (!acl1 || !acl2) return False;
163 if (acl1->revision != acl2->revision) return False;
164 if (acl1->num_aces != acl2->num_aces) return False;
166 for (i=0;i<acl1->num_aces;i++) {
167 if (!security_ace_equal(&acl1->aces[i], &acl2->aces[i])) return False;
173 compare two security descriptors.
175 BOOL security_descriptor_equal(const struct security_descriptor *sd1,
176 const struct security_descriptor *sd2)
178 if (sd1 == sd2) return True;
179 if (!sd1 || !sd2) return False;
180 if (sd1->revision != sd2->revision) return False;
181 if (sd1->type != sd2->type) return False;
183 if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return False;
184 if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return False;
185 if (!security_acl_equal(sd1->sacl, sd2->sacl)) return False;
186 if (!security_acl_equal(sd1->dacl, sd2->dacl)) return False;
192 compare two security descriptors, but allow certain (missing) parts
193 to be masked out of the comparison
195 BOOL security_descriptor_mask_equal(const struct security_descriptor *sd1,
196 const struct security_descriptor *sd2,
199 if (sd1 == sd2) return True;
200 if (!sd1 || !sd2) return False;
201 if (sd1->revision != sd2->revision) return False;
202 if ((sd1->type & mask) != (sd2->type & mask)) return False;
204 if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return False;
205 if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return False;
206 if ((mask & SEC_DESC_DACL_PRESENT) && !security_acl_equal(sd1->dacl, sd2->dacl)) return False;
207 if ((mask & SEC_DESC_SACL_PRESENT) && !security_acl_equal(sd1->sacl, sd2->sacl)) return False;
214 create a security descriptor using string SIDs. This is used by the
215 torture code to allow the easy creation of complex ACLs
216 This is a varargs function. The list of ACEs ends with a NULL sid.
218 a typical call would be:
220 sd = security_descriptor_create(mem_ctx,
223 SID_AUTHENTICATED_USERS,
224 SEC_ACE_TYPE_ACCESS_ALLOWED,
226 SEC_ACE_FLAG_OBJECT_INHERIT,
228 that would create a sd with one ACE
230 struct security_descriptor *security_descriptor_create(TALLOC_CTX *mem_ctx,
231 const char *owner_sid,
232 const char *group_sid,
236 struct security_descriptor *sd;
239 sd = security_descriptor_initialise(mem_ctx);
240 if (sd == NULL) return NULL;
243 sd->owner_sid = dom_sid_parse_talloc(mem_ctx, owner_sid);
244 if (sd->owner_sid == NULL) {
250 sd->group_sid = dom_sid_parse_talloc(mem_ctx, group_sid);
251 if (sd->group_sid == NULL) {
257 va_start(ap, group_sid);
258 while ((sidstr = va_arg(ap, const char *))) {
260 struct security_ace *ace = talloc_p(sd, struct security_ace);
268 ace->type = va_arg(ap, unsigned int);
269 ace->access_mask = va_arg(ap, unsigned int);
270 ace->flags = va_arg(ap, unsigned int);
271 sid = dom_sid_parse_talloc(ace, sidstr);
278 status = security_descriptor_dacl_add(sd, ace);
279 if (!NT_STATUS_IS_OK(status)) {