*/
#include "includes.h"
-#include "libcli/security/security.h"
+#include "librpc/gen_ndr/ndr_security.h"
/*
return a blank security descriptor (no owners, dacl or sacl)
return sd;
}
+static struct security_acl *security_acl_dup(TALLOC_CTX *mem_ctx,
+ const struct security_acl *oacl)
+{
+ struct security_acl *nacl;
+ int i;
+
+ nacl = talloc (mem_ctx, struct security_acl);
+ if (nacl == NULL) {
+ return NULL;
+ }
+
+ nacl->aces = talloc_memdup (nacl, oacl->aces, sizeof(struct security_ace) * oacl->num_aces);
+ if ((nacl->aces == NULL) && (oacl->num_aces > 0)) {
+ goto failed;
+ }
+
+ /* remapping array in trustee dom_sid from old acl to new acl */
+
+ for (i = 0; i < oacl->num_aces; i++) {
+ nacl->aces[i].trustee.sub_auths =
+ talloc_memdup(nacl->aces, nacl->aces[i].trustee.sub_auths,
+ sizeof(uint32_t) * nacl->aces[i].trustee.num_auths);
+
+ if ((nacl->aces[i].trustee.sub_auths == NULL) && (nacl->aces[i].trustee.num_auths > 0)) {
+ goto failed;
+ }
+ }
+
+ nacl->revision = oacl->revision;
+ nacl->size = oacl->size;
+ nacl->num_aces = oacl->num_aces;
+
+ return nacl;
+
+ failed:
+ talloc_free (nacl);
+ return NULL;
+
+}
+
/*
talloc and copy a security descriptor
*/
{
struct security_descriptor *nsd;
- /* FIXME */
- DEBUG(1, ("security_descriptor_copy(): sorry unimplemented yet\n"));
- nsd = NULL;
+ nsd = talloc_zero(mem_ctx, struct security_descriptor);
+ if (!nsd) {
+ return NULL;
+ }
+
+ if (osd->owner_sid) {
+ nsd->owner_sid = dom_sid_dup(nsd, osd->owner_sid);
+ if (nsd->owner_sid == NULL) {
+ goto failed;
+ }
+ }
+
+ if (osd->group_sid) {
+ nsd->group_sid = dom_sid_dup(nsd, osd->group_sid);
+ if (nsd->group_sid == NULL) {
+ goto failed;
+ }
+ }
+
+ if (osd->sacl) {
+ nsd->sacl = security_acl_dup(nsd, osd->sacl);
+ if (nsd->sacl == NULL) {
+ goto failed;
+ }
+ }
+
+ if (osd->dacl) {
+ nsd->dacl = security_acl_dup(nsd, osd->dacl);
+ if (nsd->dacl == NULL) {
+ goto failed;
+ }
+ }
return nsd;
+
+ failed:
+ talloc_free(nsd);
+
+ return NULL;
}
/*
/*
create a security descriptor using string SIDs. This is used by the
torture code to allow the easy creation of complex ACLs
- This is a varargs function. The list of ACEs ends with a NULL sid.
+ This is a varargs function. The list of DACL ACEs ends with a NULL sid.
+
+ Each ACE contains a set of 4 parameters:
+ SID, ACCESS_TYPE, MASK, FLAGS
a typical call would be:
sd = security_descriptor_create(mem_ctx,
mysid,
mygroup,
- SID_AUTHENTICATED_USERS,
+ SID_NT_AUTHENTICATED_USERS,
SEC_ACE_TYPE_ACCESS_ALLOWED,
SEC_FILE_ALL,
SEC_ACE_FLAG_OBJECT_INHERIT,
NULL);
- that would create a sd with one ACE
+ that would create a sd with one DACL ACE
*/
struct security_descriptor *security_descriptor_create(TALLOC_CTX *mem_ctx,
const char *owner_sid,
if (sd == NULL) return NULL;
if (owner_sid) {
- sd->owner_sid = dom_sid_parse_talloc(mem_ctx, owner_sid);
+ sd->owner_sid = dom_sid_parse_talloc(sd, owner_sid);
if (sd->owner_sid == NULL) {
talloc_free(sd);
return NULL;
}
}
if (group_sid) {
- sd->group_sid = dom_sid_parse_talloc(mem_ctx, group_sid);
+ sd->group_sid = dom_sid_parse_talloc(sd, group_sid);
if (sd->group_sid == NULL) {
talloc_free(sd);
return NULL;
}
ace->trustee = *sid;
status = security_descriptor_dacl_add(sd, ace);
+ /* TODO: check: would talloc_free(ace) here be correct? */
if (!NT_STATUS_IS_OK(status)) {
va_end(ap);
talloc_free(sd);