2 Unix SMB/CIFS implementation.
4 security descriptror utility functions
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libcli/security/security.h"
26 return a blank security descriptor (no owners, dacl or sacl)
28 struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx)
30 struct security_descriptor *sd;
32 sd = talloc(mem_ctx, struct security_descriptor);
37 sd->revision = SD_REVISION;
38 /* we mark as self relative, even though it isn't while it remains
39 a pointer in memory because this simplifies the ndr code later.
40 All SDs that we store/emit are in fact SELF_RELATIVE
42 sd->type = SEC_DESC_SELF_RELATIVE;
52 struct security_acl *security_acl_dup(TALLOC_CTX *mem_ctx,
53 const struct security_acl *oacl)
55 struct security_acl *nacl;
61 if (oacl->aces == NULL && oacl->num_aces > 0) {
65 nacl = talloc (mem_ctx, struct security_acl);
70 nacl->aces = (struct security_ace *)talloc_memdup (nacl, oacl->aces, sizeof(struct security_ace) * oacl->num_aces);
71 if ((nacl->aces == NULL) && (oacl->num_aces > 0)) {
75 nacl->revision = oacl->revision;
76 nacl->size = oacl->size;
77 nacl->num_aces = oacl->num_aces;
87 struct security_acl *security_acl_concatenate(TALLOC_CTX *mem_ctx,
88 const struct security_acl *acl1,
89 const struct security_acl *acl2)
91 struct security_acl *nacl;
98 nacl = security_acl_dup(mem_ctx, acl2);
103 nacl = security_acl_dup(mem_ctx, acl1);
107 nacl = talloc (mem_ctx, struct security_acl);
112 nacl->revision = acl1->revision;
113 nacl->size = acl1->size + acl2->size;
114 nacl->num_aces = acl1->num_aces + acl2->num_aces;
116 if (nacl->num_aces == 0)
119 nacl->aces = (struct security_ace *)talloc_array (mem_ctx, struct security_ace, acl1->num_aces+acl2->num_aces);
120 if ((nacl->aces == NULL) && (nacl->num_aces > 0)) {
124 for (i = 0; i < acl1->num_aces; i++)
125 nacl->aces[i] = acl1->aces[i];
126 for (i = 0; i < acl2->num_aces; i++)
127 nacl->aces[i + acl1->num_aces] = acl2->aces[i];
138 talloc and copy a security descriptor
140 struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx,
141 const struct security_descriptor *osd)
143 struct security_descriptor *nsd;
145 nsd = talloc_zero(mem_ctx, struct security_descriptor);
150 if (osd->owner_sid) {
151 nsd->owner_sid = dom_sid_dup(nsd, osd->owner_sid);
152 if (nsd->owner_sid == NULL) {
157 if (osd->group_sid) {
158 nsd->group_sid = dom_sid_dup(nsd, osd->group_sid);
159 if (nsd->group_sid == NULL) {
165 nsd->sacl = security_acl_dup(nsd, osd->sacl);
166 if (nsd->sacl == NULL) {
172 nsd->dacl = security_acl_dup(nsd, osd->dacl);
173 if (nsd->dacl == NULL) {
178 nsd->revision = osd->revision;
179 nsd->type = osd->type;
189 NTSTATUS security_descriptor_for_client(TALLOC_CTX *mem_ctx,
190 const struct security_descriptor *ssd,
192 uint32_t access_granted,
193 struct security_descriptor **_csd)
195 struct security_descriptor *csd = NULL;
196 uint32_t access_required = 0;
200 if (sec_info & (SECINFO_OWNER|SECINFO_GROUP)) {
201 access_required |= SEC_STD_READ_CONTROL;
203 if (sec_info & SECINFO_DACL) {
204 access_required |= SEC_STD_READ_CONTROL;
206 if (sec_info & SECINFO_SACL) {
207 access_required |= SEC_FLAG_SYSTEM_SECURITY;
210 if (access_required & (~access_granted)) {
211 return NT_STATUS_ACCESS_DENIED;
217 csd = security_descriptor_copy(mem_ctx, ssd);
219 return NT_STATUS_NO_MEMORY;
223 * ... and remove everthing not wanted
226 if (!(sec_info & SECINFO_OWNER)) {
227 TALLOC_FREE(csd->owner_sid);
228 csd->type &= ~SEC_DESC_OWNER_DEFAULTED;
230 if (!(sec_info & SECINFO_GROUP)) {
231 TALLOC_FREE(csd->group_sid);
232 csd->type &= ~SEC_DESC_GROUP_DEFAULTED;
234 if (!(sec_info & SECINFO_DACL)) {
235 TALLOC_FREE(csd->dacl);
237 SEC_DESC_DACL_PRESENT |
238 SEC_DESC_DACL_DEFAULTED|
239 SEC_DESC_DACL_AUTO_INHERIT_REQ |
240 SEC_DESC_DACL_AUTO_INHERITED |
241 SEC_DESC_DACL_PROTECTED |
242 SEC_DESC_DACL_TRUSTED);
244 if (!(sec_info & SECINFO_SACL)) {
245 TALLOC_FREE(csd->sacl);
247 SEC_DESC_SACL_PRESENT |
248 SEC_DESC_SACL_DEFAULTED |
249 SEC_DESC_SACL_AUTO_INHERIT_REQ |
250 SEC_DESC_SACL_AUTO_INHERITED |
251 SEC_DESC_SACL_PROTECTED |
252 SEC_DESC_SERVER_SECURITY);
260 add an ACE to an ACL of a security_descriptor
263 static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
265 const struct security_ace *ace)
267 struct security_acl *acl = NULL;
276 acl = talloc(sd, struct security_acl);
278 return NT_STATUS_NO_MEMORY;
280 acl->revision = SECURITY_ACL_REVISION_NT4;
286 acl->aces = talloc_realloc(acl, acl->aces,
287 struct security_ace, acl->num_aces+1);
288 if (acl->aces == NULL) {
289 return NT_STATUS_NO_MEMORY;
292 acl->aces[acl->num_aces] = *ace;
294 switch (acl->aces[acl->num_aces].type) {
295 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
296 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
297 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
298 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
299 acl->revision = SECURITY_ACL_REVISION_ADS;
309 sd->type |= SEC_DESC_SACL_PRESENT;
312 sd->type |= SEC_DESC_DACL_PRESENT;
319 add an ACE to the SACL of a security_descriptor
322 NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
323 const struct security_ace *ace)
325 return security_descriptor_acl_add(sd, true, ace);
329 add an ACE to the DACL of a security_descriptor
332 NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
333 const struct security_ace *ace)
335 return security_descriptor_acl_add(sd, false, ace);
339 delete the ACE corresponding to the given trustee in an ACL of a
343 static NTSTATUS security_descriptor_acl_del(struct security_descriptor *sd,
345 const struct dom_sid *trustee)
349 struct security_acl *acl = NULL;
358 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
361 /* there can be multiple ace's for one trustee */
362 for (i=0;i<acl->num_aces;i++) {
363 if (dom_sid_equal(trustee, &acl->aces[i].trustee)) {
364 memmove(&acl->aces[i], &acl->aces[i+1],
365 sizeof(acl->aces[i]) * (acl->num_aces - (i+1)));
367 if (acl->num_aces == 0) {
375 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
378 acl->revision = SECURITY_ACL_REVISION_NT4;
380 for (i=0;i<acl->num_aces;i++) {
381 switch (acl->aces[i].type) {
382 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
383 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
384 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
385 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
386 acl->revision = SECURITY_ACL_REVISION_ADS;
389 break; /* only for the switch statement */
397 delete the ACE corresponding to the given trustee in the DACL of a
401 NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd,
402 const struct dom_sid *trustee)
404 return security_descriptor_acl_del(sd, false, trustee);
408 delete the ACE corresponding to the given trustee in the SACL of a
412 NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd,
413 const struct dom_sid *trustee)
415 return security_descriptor_acl_del(sd, true, trustee);
419 compare two security ace structures
421 bool security_ace_equal(const struct security_ace *ace1,
422 const struct security_ace *ace2)
427 if ((ace1 == NULL) || (ace2 == NULL)) {
430 if (ace1->type != ace2->type) {
433 if (ace1->flags != ace2->flags) {
436 if (ace1->access_mask != ace2->access_mask) {
439 if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) {
448 compare two security acl structures
450 bool security_acl_equal(const struct security_acl *acl1,
451 const struct security_acl *acl2)
455 if (acl1 == acl2) return true;
456 if (!acl1 || !acl2) return false;
457 if (acl1->revision != acl2->revision) return false;
458 if (acl1->num_aces != acl2->num_aces) return false;
460 for (i=0;i<acl1->num_aces;i++) {
461 if (!security_ace_equal(&acl1->aces[i], &acl2->aces[i])) return false;
467 compare two security descriptors.
469 bool security_descriptor_equal(const struct security_descriptor *sd1,
470 const struct security_descriptor *sd2)
472 if (sd1 == sd2) return true;
473 if (!sd1 || !sd2) return false;
474 if (sd1->revision != sd2->revision) return false;
475 if (sd1->type != sd2->type) return false;
477 if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
478 if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
479 if (!security_acl_equal(sd1->sacl, sd2->sacl)) return false;
480 if (!security_acl_equal(sd1->dacl, sd2->dacl)) return false;
486 compare two security descriptors, but allow certain (missing) parts
487 to be masked out of the comparison
489 bool security_descriptor_mask_equal(const struct security_descriptor *sd1,
490 const struct security_descriptor *sd2,
493 if (sd1 == sd2) return true;
494 if (!sd1 || !sd2) return false;
495 if (sd1->revision != sd2->revision) return false;
496 if ((sd1->type & mask) != (sd2->type & mask)) return false;
498 if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
499 if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
500 if ((mask & SEC_DESC_DACL_PRESENT) && !security_acl_equal(sd1->dacl, sd2->dacl)) return false;
501 if ((mask & SEC_DESC_SACL_PRESENT) && !security_acl_equal(sd1->sacl, sd2->sacl)) return false;
507 static struct security_descriptor *security_descriptor_appendv(struct security_descriptor *sd,
508 bool add_ace_to_sacl,
513 while ((sidstr = va_arg(ap, const char *))) {
515 struct security_ace *ace = talloc_zero(sd, struct security_ace);
522 ace->type = va_arg(ap, unsigned int);
523 ace->access_mask = va_arg(ap, unsigned int);
524 ace->flags = va_arg(ap, unsigned int);
525 sid = dom_sid_parse_talloc(ace, sidstr);
531 if (add_ace_to_sacl) {
532 status = security_descriptor_sacl_add(sd, ace);
534 status = security_descriptor_dacl_add(sd, ace);
536 /* TODO: check: would talloc_free(ace) here be correct? */
537 if (!NT_STATUS_IS_OK(status)) {
546 struct security_descriptor *security_descriptor_append(struct security_descriptor *sd,
552 sd = security_descriptor_appendv(sd, false, ap);
558 static struct security_descriptor *security_descriptor_createv(TALLOC_CTX *mem_ctx,
560 const char *owner_sid,
561 const char *group_sid,
562 bool add_ace_to_sacl,
565 struct security_descriptor *sd;
567 sd = security_descriptor_initialise(mem_ctx);
575 sd->owner_sid = dom_sid_parse_talloc(sd, owner_sid);
576 if (sd->owner_sid == NULL) {
582 sd->group_sid = dom_sid_parse_talloc(sd, group_sid);
583 if (sd->group_sid == NULL) {
589 return security_descriptor_appendv(sd, add_ace_to_sacl, ap);
593 create a security descriptor using string SIDs. This is used by the
594 torture code to allow the easy creation of complex ACLs
595 This is a varargs function. The list of DACL ACEs ends with a NULL sid.
597 Each ACE contains a set of 4 parameters:
598 SID, ACCESS_TYPE, MASK, FLAGS
600 a typical call would be:
602 sd = security_descriptor_dacl_create(mem_ctx,
606 SID_NT_AUTHENTICATED_USERS,
607 SEC_ACE_TYPE_ACCESS_ALLOWED,
609 SEC_ACE_FLAG_OBJECT_INHERIT,
611 that would create a sd with one DACL ACE
614 struct security_descriptor *security_descriptor_dacl_create(TALLOC_CTX *mem_ctx,
616 const char *owner_sid,
617 const char *group_sid,
620 struct security_descriptor *sd = NULL;
622 va_start(ap, group_sid);
623 sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid,
624 group_sid, false, ap);
630 struct security_descriptor *security_descriptor_sacl_create(TALLOC_CTX *mem_ctx,
632 const char *owner_sid,
633 const char *group_sid,
636 struct security_descriptor *sd = NULL;
638 va_start(ap, group_sid);
639 sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid,
640 group_sid, true, ap);
646 struct security_ace *security_ace_create(TALLOC_CTX *mem_ctx,
648 enum security_ace_type type,
649 uint32_t access_mask,
653 struct security_ace *ace;
656 ace = talloc_zero(mem_ctx, struct security_ace);
661 ok = dom_sid_parse(sid_str, &ace->trustee);
667 ace->access_mask = access_mask;
673 /*******************************************************************
674 Check for MS NFS ACEs in a sd
675 *******************************************************************/
676 bool security_descriptor_with_ms_nfs(const struct security_descriptor *psd)
680 if (psd->dacl == NULL) {
684 for (i = 0; i < psd->dacl->num_aces; i++) {
685 if (dom_sid_compare_domain(
686 &global_sid_Unix_NFS,
687 &psd->dacl->aces[i].trustee) == 0) {