2 Unix SMB/CIFS implementation.
4 security descriptror utility functions
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libcli/security/security_descriptor.h"
24 #include "libcli/security/dom_sid.h"
27 return a blank security descriptor (no owners, dacl or sacl)
29 struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx)
31 struct security_descriptor *sd;
33 sd = talloc(mem_ctx, struct security_descriptor);
38 sd->revision = SD_REVISION;
39 /* we mark as self relative, even though it isn't while it remains
40 a pointer in memory because this simplifies the ndr code later.
41 All SDs that we store/emit are in fact SELF_RELATIVE
43 sd->type = SEC_DESC_SELF_RELATIVE;
53 struct security_acl *security_acl_dup(TALLOC_CTX *mem_ctx,
54 const struct security_acl *oacl)
56 struct security_acl *nacl;
62 nacl = talloc (mem_ctx, struct security_acl);
67 nacl->aces = (struct security_ace *)talloc_memdup (nacl, oacl->aces, sizeof(struct security_ace) * oacl->num_aces);
68 if ((nacl->aces == NULL) && (oacl->num_aces > 0)) {
72 nacl->revision = oacl->revision;
73 nacl->size = oacl->size;
74 nacl->num_aces = oacl->num_aces;
84 struct security_acl *security_acl_concatenate(TALLOC_CTX *mem_ctx,
85 const struct security_acl *acl1,
86 const struct security_acl *acl2)
88 struct security_acl *nacl;
95 nacl = security_acl_dup(mem_ctx, acl2);
100 nacl = security_acl_dup(mem_ctx, acl1);
104 nacl = talloc (mem_ctx, struct security_acl);
109 nacl->revision = acl1->revision;
110 nacl->size = acl1->size + acl2->size;
111 nacl->num_aces = acl1->num_aces + acl2->num_aces;
113 if (nacl->num_aces == 0)
116 nacl->aces = (struct security_ace *)talloc_array (mem_ctx, struct security_ace, acl1->num_aces+acl2->num_aces);
117 if ((nacl->aces == NULL) && (nacl->num_aces > 0)) {
121 for (i = 0; i < acl1->num_aces; i++)
122 nacl->aces[i] = acl1->aces[i];
123 for (i = 0; i < acl2->num_aces; i++)
124 nacl->aces[i + acl1->num_aces] = acl2->aces[i];
135 talloc and copy a security descriptor
137 struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx,
138 const struct security_descriptor *osd)
140 struct security_descriptor *nsd;
142 nsd = talloc_zero(mem_ctx, struct security_descriptor);
147 if (osd->owner_sid) {
148 nsd->owner_sid = dom_sid_dup(nsd, osd->owner_sid);
149 if (nsd->owner_sid == NULL) {
154 if (osd->group_sid) {
155 nsd->group_sid = dom_sid_dup(nsd, osd->group_sid);
156 if (nsd->group_sid == NULL) {
162 nsd->sacl = security_acl_dup(nsd, osd->sacl);
163 if (nsd->sacl == NULL) {
169 nsd->dacl = security_acl_dup(nsd, osd->dacl);
170 if (nsd->dacl == NULL) {
175 nsd->revision = osd->revision;
176 nsd->type = osd->type;
187 add an ACE to an ACL of a security_descriptor
190 static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
192 const struct security_ace *ace)
194 struct security_acl *acl = NULL;
203 acl = talloc(sd, struct security_acl);
205 return NT_STATUS_NO_MEMORY;
207 acl->revision = SECURITY_ACL_REVISION_NT4;
213 acl->aces = talloc_realloc(acl, acl->aces,
214 struct security_ace, acl->num_aces+1);
215 if (acl->aces == NULL) {
216 return NT_STATUS_NO_MEMORY;
219 acl->aces[acl->num_aces] = *ace;
221 switch (acl->aces[acl->num_aces].type) {
222 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
223 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
224 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
225 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
226 acl->revision = SECURITY_ACL_REVISION_ADS;
236 sd->type |= SEC_DESC_SACL_PRESENT;
239 sd->type |= SEC_DESC_DACL_PRESENT;
246 add an ACE to the SACL of a security_descriptor
249 NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
250 const struct security_ace *ace)
252 return security_descriptor_acl_add(sd, true, ace);
256 add an ACE to the DACL of a security_descriptor
259 NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
260 const struct security_ace *ace)
262 return security_descriptor_acl_add(sd, false, ace);
266 delete the ACE corresponding to the given trustee in an ACL of a
270 static NTSTATUS security_descriptor_acl_del(struct security_descriptor *sd,
272 const struct dom_sid *trustee)
276 struct security_acl *acl = NULL;
285 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
288 /* there can be multiple ace's for one trustee */
289 for (i=0;i<acl->num_aces;i++) {
290 if (dom_sid_equal(trustee, &acl->aces[i].trustee)) {
291 memmove(&acl->aces[i], &acl->aces[i+1],
292 sizeof(acl->aces[i]) * (acl->num_aces - (i+1)));
294 if (acl->num_aces == 0) {
302 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
305 acl->revision = SECURITY_ACL_REVISION_NT4;
307 for (i=0;i<acl->num_aces;i++) {
308 switch (acl->aces[i].type) {
309 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
310 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
311 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
312 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
313 acl->revision = SECURITY_ACL_REVISION_ADS;
316 break; /* only for the switch statement */
324 delete the ACE corresponding to the given trustee in the DACL of a
328 NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd,
329 const struct dom_sid *trustee)
331 return security_descriptor_acl_del(sd, false, trustee);
335 delete the ACE corresponding to the given trustee in the SACL of a
339 NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd,
340 const struct dom_sid *trustee)
342 return security_descriptor_acl_del(sd, true, trustee);
346 compare two security ace structures
348 bool security_ace_equal(const struct security_ace *ace1,
349 const struct security_ace *ace2)
351 if (ace1 == ace2) return true;
352 if (!ace1 || !ace2) return false;
353 if (ace1->type != ace2->type) return false;
354 if (ace1->flags != ace2->flags) return false;
355 if (ace1->access_mask != ace2->access_mask) return false;
356 if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) return false;
363 compare two security acl structures
365 bool security_acl_equal(const struct security_acl *acl1,
366 const struct security_acl *acl2)
370 if (acl1 == acl2) return true;
371 if (!acl1 || !acl2) return false;
372 if (acl1->revision != acl2->revision) return false;
373 if (acl1->num_aces != acl2->num_aces) return false;
375 for (i=0;i<acl1->num_aces;i++) {
376 if (!security_ace_equal(&acl1->aces[i], &acl2->aces[i])) return false;
382 compare two security descriptors.
384 bool security_descriptor_equal(const struct security_descriptor *sd1,
385 const struct security_descriptor *sd2)
387 if (sd1 == sd2) return true;
388 if (!sd1 || !sd2) return false;
389 if (sd1->revision != sd2->revision) return false;
390 if (sd1->type != sd2->type) return false;
392 if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
393 if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
394 if (!security_acl_equal(sd1->sacl, sd2->sacl)) return false;
395 if (!security_acl_equal(sd1->dacl, sd2->dacl)) return false;
401 compare two security descriptors, but allow certain (missing) parts
402 to be masked out of the comparison
404 bool security_descriptor_mask_equal(const struct security_descriptor *sd1,
405 const struct security_descriptor *sd2,
408 if (sd1 == sd2) return true;
409 if (!sd1 || !sd2) return false;
410 if (sd1->revision != sd2->revision) return false;
411 if ((sd1->type & mask) != (sd2->type & mask)) return false;
413 if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
414 if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
415 if ((mask & SEC_DESC_DACL_PRESENT) && !security_acl_equal(sd1->dacl, sd2->dacl)) return false;
416 if ((mask & SEC_DESC_SACL_PRESENT) && !security_acl_equal(sd1->sacl, sd2->sacl)) return false;
422 static struct security_descriptor *security_descriptor_appendv(struct security_descriptor *sd,
423 bool add_ace_to_sacl,
428 while ((sidstr = va_arg(ap, const char *))) {
430 struct security_ace *ace = talloc_zero(sd, struct security_ace);
437 ace->type = va_arg(ap, unsigned int);
438 ace->access_mask = va_arg(ap, unsigned int);
439 ace->flags = va_arg(ap, unsigned int);
440 sid = dom_sid_parse_talloc(ace, sidstr);
446 if (add_ace_to_sacl) {
447 status = security_descriptor_sacl_add(sd, ace);
449 status = security_descriptor_dacl_add(sd, ace);
451 /* TODO: check: would talloc_free(ace) here be correct? */
452 if (!NT_STATUS_IS_OK(status)) {
461 struct security_descriptor *security_descriptor_append(struct security_descriptor *sd,
467 sd = security_descriptor_appendv(sd, false, ap);
473 static struct security_descriptor *security_descriptor_createv(TALLOC_CTX *mem_ctx,
475 const char *owner_sid,
476 const char *group_sid,
477 bool add_ace_to_sacl,
480 struct security_descriptor *sd;
482 sd = security_descriptor_initialise(mem_ctx);
490 sd->owner_sid = dom_sid_parse_talloc(sd, owner_sid);
491 if (sd->owner_sid == NULL) {
497 sd->group_sid = dom_sid_parse_talloc(sd, group_sid);
498 if (sd->group_sid == NULL) {
504 return security_descriptor_appendv(sd, add_ace_to_sacl, ap);
508 create a security descriptor using string SIDs. This is used by the
509 torture code to allow the easy creation of complex ACLs
510 This is a varargs function. The list of DACL ACEs ends with a NULL sid.
512 Each ACE contains a set of 4 parameters:
513 SID, ACCESS_TYPE, MASK, FLAGS
515 a typical call would be:
517 sd = security_descriptor_dacl_create(mem_ctx,
521 SID_NT_AUTHENTICATED_USERS,
522 SEC_ACE_TYPE_ACCESS_ALLOWED,
524 SEC_ACE_FLAG_OBJECT_INHERIT,
526 that would create a sd with one DACL ACE
529 struct security_descriptor *security_descriptor_dacl_create(TALLOC_CTX *mem_ctx,
531 const char *owner_sid,
532 const char *group_sid,
535 struct security_descriptor *sd = NULL;
537 va_start(ap, group_sid);
538 sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid,
539 group_sid, false, ap);
545 struct security_descriptor *security_descriptor_sacl_create(TALLOC_CTX *mem_ctx,
547 const char *owner_sid,
548 const char *group_sid,
551 struct security_descriptor *sd = NULL;
553 va_start(ap, group_sid);
554 sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid,
555 group_sid, true, ap);
561 struct security_ace *security_ace_create(TALLOC_CTX *mem_ctx,
563 enum security_ace_type type,
564 uint32_t access_mask,
569 struct security_ace *ace;
571 ace = talloc_zero(mem_ctx, struct security_ace);
576 sid = dom_sid_parse_talloc(ace, sid_str);
584 ace->access_mask = access_mask;