static BOOL sddl_map_flags(const struct flag_map *map, const char *str,
uint32_t *flags, size_t *len)
{
+ const char *str0 = str;
if (len) *len = 0;
*flags = 0;
while (str[0] && isupper(str[0])) {
}
}
if (map[i].name == NULL) {
- DEBUG(2, ("Unknown flag - %s\n", str));
+ DEBUG(1, ("Unknown flag - %s in %s\n", str, str0));
return False;
}
}
static const struct {
const char *code;
const char *sid;
+ uint32_t rid;
} sid_codes[] = {
{ "AO", SID_BUILTIN_ACCOUNT_OPERATORS },
+ { "BA", SID_BUILTIN_ADMINISTRATORS },
+ { "RU", SID_BUILTIN_PREW2K },
+ { "PO", SID_BUILTIN_PRINT_OPERATORS },
+ { "RS", SID_BUILTIN_RAS_SERVERS },
+
+ { "AU", SID_NT_AUTHENTICATED_USERS },
+ { "SY", SID_NT_SYSTEM },
+ { "PS", SID_NT_SELF },
+ { "WD", SID_WORLD },
+ { "ED", SID_NT_ENTERPRISE_DCS },
+
+ { "CO", SID_CREATOR_OWNER },
+ { "CG", SID_CREATOR_GROUP },
+
+ { "DA", NULL, DOMAIN_RID_ADMINS },
+ { "EA", NULL, DOMAIN_RID_ENTERPRISE_ADMINS },
+ { "DD", NULL, DOMAIN_RID_DCS },
+ { "DU", NULL, DOMAIN_RID_USERS },
+ { "CA", NULL, DOMAIN_RID_CERT_ADMINS },
};
/*
decode a SID
It can either be a special 2 letter code, or in S-* format
*/
-static struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp)
+static struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
+ struct dom_sid *domain_sid)
{
const char *sddl = (*sddlp);
int i;
/* now check for one of the special codes */
for (i=0;i<ARRAY_SIZE(sid_codes);i++) {
- if (strncmp(sid_codes[i].code, sddl, 2)) break;
+ if (strncmp(sid_codes[i].code, sddl, 2) == 0) break;
}
if (i == ARRAY_SIZE(sid_codes)) {
- DEBUG(2,("Unknown sddl sid code '%2.2s'\n", sddl));
+ DEBUG(1,("Unknown sddl sid code '%2.2s'\n", sddl));
return NULL;
}
(*sddlp) += 2;
+
+ if (sid_codes[i].sid == NULL) {
+ return dom_sid_add_rid(mem_ctx, domain_sid, sid_codes[i].rid);
+ }
+
return dom_sid_parse_talloc(mem_ctx, sid_codes[i].sid);
}
static const struct flag_map ace_types[] = {
- { "A", SEC_ACE_TYPE_ACCESS_ALLOWED },
- { "D", SEC_ACE_TYPE_ACCESS_DENIED },
{ "AU", SEC_ACE_TYPE_SYSTEM_AUDIT },
{ "AL", SEC_ACE_TYPE_SYSTEM_ALARM },
{ "OA", SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT },
{ "OD", SEC_ACE_TYPE_ACCESS_DENIED_OBJECT },
{ "OU", SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT },
{ "OL", SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT },
+ { "A", SEC_ACE_TYPE_ACCESS_ALLOWED },
+ { "D", SEC_ACE_TYPE_ACCESS_DENIED },
{ NULL, 0 }
};
{ "SD", SEC_STD_DELETE },
{ "DT", SEC_ADS_DELETE_TREE },
{ "SW", SEC_ADS_SELF_WRITE },
+ { "GA", SEC_GENERIC_ALL },
+ { "GR", SEC_GENERIC_READ },
+ { "GW", SEC_GENERIC_WRITE },
+ { "GX", SEC_GENERIC_EXECUTE },
{ NULL, 0 }
};
return True on success, False on failure
note that this routine modifies the string
*/
-static BOOL sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char *str)
+static BOOL sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char *str,
+ struct dom_sid *domain_sid)
{
- ZERO_STRUCTP(ace);
const char *tok[6];
const char *s;
int i;
uint32_t v;
struct dom_sid *sid;
+ ZERO_STRUCTP(ace);
+
/* parse out the 6 tokens */
tok[0] = str;
for (i=0;i<5;i++) {
/* object */
if (tok[3][0] != 0) {
- /* TODO: add object parsing ... */
- return False;
+ NTSTATUS status = GUID_from_string(tok[3],
+ &ace->object.object.type.type);
+ if (!NT_STATUS_IS_OK(status)) {
+ return False;
+ }
}
/* inherit object */
if (tok[4][0] != 0) {
- /* TODO: add object parsing ... */
- return False;
+ NTSTATUS status = GUID_from_string(tok[4],
+ &ace->object.object.inherited_type.inherited_type);
+ if (!NT_STATUS_IS_OK(status)) {
+ return False;
+ }
}
/* trustee */
s = tok[5];
- sid = sddl_decode_sid(mem_ctx, &s);
+ sid = sddl_decode_sid(mem_ctx, &s, domain_sid);
if (sid == NULL) {
return False;
}
decode an ACL
*/
static struct security_acl *sddl_decode_acl(struct security_descriptor *sd,
- const char **sddlp, uint32_t *flags)
+ const char **sddlp, uint32_t *flags,
+ struct dom_sid *domain_sid)
{
const char *sddl = *sddlp;
struct security_acl *acl;
if (acl == NULL) return NULL;
acl->revision = SECURITY_ACL_REVISION_NT4;
+ if (isupper(sddl[0]) && sddl[1] == ':') {
+ /* its an empty ACL */
+ return acl;
+ }
+
/* work out the ACL flags */
if (!sddl_map_flags(acl_flags, sddl, flags, &len)) {
talloc_free(acl);
talloc_free(acl);
return NULL;
}
- if (!sddl_decode_ace(acl->aces, &acl->aces[acl->num_aces], astr)) {
+ if (!sddl_decode_ace(acl->aces, &acl->aces[acl->num_aces],
+ astr, domain_sid)) {
talloc_free(acl);
return NULL;
}
/*
decode a security descriptor in SDDL format
*/
-struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl)
+struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl,
+ struct dom_sid *domain_sid)
{
struct security_descriptor *sd;
sd = talloc_zero(mem_ctx, struct security_descriptor);
switch (c) {
case 'D':
if (sd->dacl != NULL) goto failed;
- sd->dacl = sddl_decode_acl(sd, &sddl, &flags);
+ sd->dacl = sddl_decode_acl(sd, &sddl, &flags, domain_sid);
if (sd->dacl == NULL) goto failed;
sd->type |= flags | SEC_DESC_DACL_PRESENT;
break;
case 'S':
if (sd->sacl != NULL) goto failed;
- sd->sacl = sddl_decode_acl(sd, &sddl, &flags);
+ sd->sacl = sddl_decode_acl(sd, &sddl, &flags, domain_sid);
if (sd->sacl == NULL) goto failed;
/* this relies on the SEC_DESC_SACL_* flags being
1 bit shifted from the SEC_DESC_DACL_* flags */
break;
case 'O':
if (sd->owner_sid != NULL) goto failed;
- sd->owner_sid = sddl_decode_sid(sd, &sddl);
+ sd->owner_sid = sddl_decode_sid(sd, &sddl, domain_sid);
if (sd->owner_sid == NULL) goto failed;
break;
case 'G':
if (sd->group_sid != NULL) goto failed;
- sd->group_sid = sddl_decode_sid(sd, &sddl);
+ sd->group_sid = sddl_decode_sid(sd, &sddl, domain_sid);
if (sd->group_sid == NULL) goto failed;
break;
}
static BOOL test_sddl(TALLOC_CTX *mem_ctx, const char *sddl)
{
struct security_descriptor *sd;
- sd = sddl_decode(mem_ctx, sddl);
+ struct dom_sid *domain;
+ domain = dom_sid_parse_talloc(mem_ctx, "S-1-2-3-4");
+ sd = sddl_decode(mem_ctx, sddl, domain);
if (sd == NULL) {
printf("Failed to decode '%s'\n", sddl);
return False;
NDR_PRINT_DEBUG(security_descriptor, sd);
}
talloc_free(sd);
+ talloc_free(domain);
return True;
}
static const char *examples[] = {
-"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)"
+ "D:(A;;CC;;;BA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)",
+ "D:(A;;GA;;;SY)",
+ "D:(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RPRC;;;RU)(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(A;;LCRPLORC;;;ED)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RPLCLORC;;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)S:(AU;SA;WDWOWP;;;WD)(AU;SA;CR;;;BA)(AU;SA;CR;;;DU)(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)",
+ "D:(A;;RPLCLORC;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)",
+ "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPCRLCLORCSDDT;;;CO)(OA;;WP;4c164200-20c0-11d0-a768-00aa006e0529;;CO)(A;;RPLCLORC;;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(A;;CCDC;;;PS)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;PS)(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;PS)(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;CO)(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;CO)(OA;;WP;3e0abfd0-126a-11d0-a060-00aa006c33ed;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;;WP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;;WP;bf967950-0de6-11d0-a285-00aa003049e2;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)",
+ "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)",
+ "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)(OA;;CR;ab721a55-1e2f-11d0-9819-00aa0040529b;;AU)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)",
+ "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;CO)",
+ "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)S:(AU;SA;CRWP;;;WD)",
+ "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B2-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B3-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;AU)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77B5B886-944A-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;E45795B3-9455-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;WPRP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)",
+ "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)",
+ "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;;LCRPLORC;;;ED)",
+ "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(A;;RPLCLORC;;;AU)(A;;LCRPLORC;;;ED)(OA;;CCDC;4828CC14-1437-45bc-9B07-AD6F015E5F28;;AO)",
+ "D:(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)",
+ "D:(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)",
+ "D:S:",
+ "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)"
};
/* test a set of example SDDL strings */
git.samba.org / ira / wip.git / commitdiff