*/
#include "includes.h"
-#include "librpc/gen_ndr/ndr_security.h"
+#include "libcli/security/security.h"
/*
return a blank security descriptor (no owners, dacl or sacl)
talloc and copy a security descriptor
*/
struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx,
- const struct security_descriptor *osd)
+ const struct security_descriptor *osd)
{
struct security_descriptor *nsd;
return nsd;
}
-NTSTATUS security_check_dacl(struct security_token *st, struct security_descriptor *sd, uint32 access_mask)
+/*
+ add an ACE to the DACL of a security_descriptor
+*/
+NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
+ const struct security_ace *ace)
{
- size_t i,y;
- NTSTATUS status = NT_STATUS_ACCESS_DENIED;
+ if (sd->dacl == NULL) {
+ sd->dacl = talloc_p(sd, struct security_acl);
+ if (sd->dacl == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ sd->dacl->revision = NT4_ACL_REVISION;
+ sd->dacl->size = 0;
+ sd->dacl->num_aces = 0;
+ sd->dacl->aces = NULL;
+ }
- DEBUG(1, ("security_check_dacl(): sorry untested yet\n"));
- return status;
+ sd->dacl->aces = talloc_realloc_p(sd->dacl, sd->dacl->aces,
+ struct security_ace, sd->dacl->num_aces+1);
+ if (sd->dacl->aces == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
- if (!sd->dacl) {
- return NT_STATUS_INVALID_ACL;
+ sd->dacl->aces[sd->dacl->num_aces] = *ace;
+ sd->dacl->aces[sd->dacl->num_aces].trustee.sub_auths =
+ talloc_memdup(sd->dacl->aces,
+ sd->dacl->aces[sd->dacl->num_aces].trustee.sub_auths,
+ sizeof(uint32_t) *
+ sd->dacl->aces[sd->dacl->num_aces].trustee.num_auths);
+ if (sd->dacl->aces[sd->dacl->num_aces].trustee.sub_auths == NULL) {
+ return NT_STATUS_NO_MEMORY;
}
+
+ sd->dacl->num_aces++;
+
+ sd->type |= SEC_DESC_DACL_PRESENT;
+
+ return NT_STATUS_OK;
+}
+
- for (i=0; i < st->num_sids; i++) {
- for (y=0; y < sd->dacl->num_aces; y++) {
- if (dom_sid_equal(&st->sids[i], &sd->dacl->aces[y].trustee)) {
- switch (sd->dacl->aces[y].type) {
- case SEC_ACE_TYPE_ACCESS_ALLOWED:
- if (access_mask & sd->dacl->aces[y].access_mask) {
- status = NT_STATUS_OK;
- }
- break;
- case SEC_ACE_TYPE_ACCESS_DENIED:
- if (access_mask & sd->dacl->aces[y].access_mask) {
- return NT_STATUS_ACCESS_DENIED;
- }
- break;
- default:
- return NT_STATUS_INVALID_ACL;
- }
+/*
+ delete the ACE corresponding to the given trustee in the DACL of a security_descriptor
+*/
+NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd,
+ struct dom_sid *trustee)
+{
+ int i;
+
+ if (sd->dacl == NULL) {
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ for (i=0;i<sd->dacl->num_aces;i++) {
+ if (dom_sid_equal(trustee, &sd->dacl->aces[i].trustee)) {
+ memmove(&sd->dacl->aces[i], &sd->dacl->aces[i+1],
+ sizeof(sd->dacl->aces[i]) * (sd->dacl->num_aces - (i+1)));
+ sd->dacl->num_aces--;
+ if (sd->dacl->num_aces == 0) {
+ sd->dacl->aces = NULL;
}
+ return NT_STATUS_OK;
+ }
+ }
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+}
+
+
+/*
+ compare two security ace structures
+*/
+BOOL security_ace_equal(const struct security_ace *ace1,
+ const struct security_ace *ace2)
+{
+ if (ace1 == ace2) return True;
+ if (!ace1 || !ace2) return False;
+ if (ace1->type != ace2->type) return False;
+ if (ace1->flags != ace2->flags) return False;
+ if (ace1->access_mask != ace2->access_mask) return False;
+ if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) return False;
+
+ return True;
+}
+
+
+/*
+ compare two security acl structures
+*/
+BOOL security_acl_equal(const struct security_acl *acl1,
+ const struct security_acl *acl2)
+{
+ int i;
+
+ if (acl1 == acl2) return True;
+ if (!acl1 || !acl2) return False;
+ if (acl1->revision != acl2->revision) return False;
+ if (acl1->num_aces != acl2->num_aces) return False;
+
+ for (i=0;i<acl1->num_aces;i++) {
+ if (!security_ace_equal(&acl1->aces[i], &acl2->aces[i])) return False;
+ }
+ return True;
+}
+
+/*
+ compare two security descriptors.
+*/
+BOOL security_descriptor_equal(const struct security_descriptor *sd1,
+ const struct security_descriptor *sd2)
+{
+ if (sd1 == sd2) return True;
+ if (!sd1 || !sd2) return False;
+ if (sd1->revision != sd2->revision) return False;
+ if (sd1->type != sd2->type) return False;
+
+ if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return False;
+ if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return False;
+ if (!security_acl_equal(sd1->sacl, sd2->sacl)) return False;
+ if (!security_acl_equal(sd1->dacl, sd2->dacl)) return False;
+
+ return True;
+}
+
+/*
+ compare two security descriptors, but allow certain (missing) parts
+ to be masked out of the comparison
+*/
+BOOL security_descriptor_mask_equal(const struct security_descriptor *sd1,
+ const struct security_descriptor *sd2,
+ uint32 mask)
+{
+ if (sd1 == sd2) return True;
+ if (!sd1 || !sd2) return False;
+ if (sd1->revision != sd2->revision) return False;
+ if ((sd1->type & mask) != (sd2->type & mask)) return False;
+
+ if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return False;
+ if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return False;
+ if ((mask & SEC_DESC_DACL_PRESENT) && !security_acl_equal(sd1->dacl, sd2->dacl)) return False;
+ if ((mask & SEC_DESC_SACL_PRESENT) && !security_acl_equal(sd1->sacl, sd2->sacl)) return False;
+
+ return True;
+}
+
+
+/*
+ create a security descriptor using string SIDs. This is used by the
+ torture code to allow the easy creation of complex ACLs
+ This is a varargs function. The list of ACEs ends with a NULL sid.
+
+ a typical call would be:
+
+ sd = security_descriptor_create(mem_ctx,
+ mysid,
+ mygroup,
+ SID_AUTHENTICATED_USERS,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ SEC_FILE_ALL,
+ SEC_ACE_FLAG_OBJECT_INHERIT,
+ NULL);
+ that would create a sd with one ACE
+*/
+struct security_descriptor *security_descriptor_create(TALLOC_CTX *mem_ctx,
+ const char *owner_sid,
+ const char *group_sid,
+ ...)
+{
+ va_list ap;
+ struct security_descriptor *sd;
+ const char *sidstr;
+
+ sd = security_descriptor_initialise(mem_ctx);
+ if (sd == NULL) return NULL;
+
+ if (owner_sid) {
+ sd->owner_sid = dom_sid_parse_talloc(mem_ctx, owner_sid);
+ if (sd->owner_sid == NULL) {
+ talloc_free(sd);
+ return NULL;
+ }
+ }
+ if (group_sid) {
+ sd->group_sid = dom_sid_parse_talloc(mem_ctx, group_sid);
+ if (sd->group_sid == NULL) {
+ talloc_free(sd);
+ return NULL;
+ }
+ }
+
+ va_start(ap, group_sid);
+ while ((sidstr = va_arg(ap, const char *))) {
+ struct dom_sid *sid;
+ struct security_ace *ace = talloc_p(sd, struct security_ace);
+ NTSTATUS status;
+
+ if (ace == NULL) {
+ talloc_free(sd);
+ va_end(ap);
+ return NULL;
+ }
+ ace->type = va_arg(ap, unsigned int);
+ ace->access_mask = va_arg(ap, unsigned int);
+ ace->flags = va_arg(ap, unsigned int);
+ sid = dom_sid_parse_talloc(ace, sidstr);
+ if (sid == NULL) {
+ va_end(ap);
+ talloc_free(sd);
+ return NULL;
+ }
+ ace->trustee = *sid;
+ status = security_descriptor_dacl_add(sd, ace);
+ if (!NT_STATUS_IS_OK(status)) {
+ va_end(ap);
+ talloc_free(sd);
+ return NULL;
}
}
+ va_end(ap);
- return status;
+ return sd;
}