Owner and group defaulting.
[ira/wip.git] / libcli / security / security_descriptor.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    security descriptror utility functions
5
6    Copyright (C) Andrew Tridgell                2004
7       
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "libcli/security/security_descriptor.h"
24 #include "libcli/security/dom_sid.h"
25
26 /*
27   return a blank security descriptor (no owners, dacl or sacl)
28 */
29 struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx)
30 {
31         struct security_descriptor *sd;
32
33         sd = talloc(mem_ctx, struct security_descriptor);
34         if (!sd) {
35                 return NULL;
36         }
37
38         sd->revision = SD_REVISION;
39         /* we mark as self relative, even though it isn't while it remains
40            a pointer in memory because this simplifies the ndr code later.
41            All SDs that we store/emit are in fact SELF_RELATIVE
42         */
43         sd->type = SEC_DESC_SELF_RELATIVE;
44
45         sd->owner_sid = NULL;
46         sd->group_sid = NULL;
47         sd->sacl = NULL;
48         sd->dacl = NULL;
49
50         return sd;
51 }
52
53 struct security_acl *security_acl_dup(TALLOC_CTX *mem_ctx,
54                                              const struct security_acl *oacl)
55 {
56         struct security_acl *nacl;
57
58         nacl = talloc (mem_ctx, struct security_acl);
59         if (nacl == NULL) {
60                 return NULL;
61         }
62
63         nacl->aces = (struct security_ace *)talloc_memdup (nacl, oacl->aces, sizeof(struct security_ace) * oacl->num_aces);
64         if ((nacl->aces == NULL) && (oacl->num_aces > 0)) {
65                 goto failed;
66         }
67
68         nacl->revision = oacl->revision;
69         nacl->size = oacl->size;
70         nacl->num_aces = oacl->num_aces;
71         
72         return nacl;
73
74  failed:
75         talloc_free (nacl);
76         return NULL;
77         
78 }
79
80 /* 
81    talloc and copy a security descriptor
82  */
83 struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx, 
84                                                      const struct security_descriptor *osd)
85 {
86         struct security_descriptor *nsd;
87
88         nsd = talloc_zero(mem_ctx, struct security_descriptor);
89         if (!nsd) {
90                 return NULL;
91         }
92
93         if (osd->owner_sid) {
94                 nsd->owner_sid = dom_sid_dup(nsd, osd->owner_sid);
95                 if (nsd->owner_sid == NULL) {
96                         goto failed;
97                 }
98         }
99         
100         if (osd->group_sid) {
101                 nsd->group_sid = dom_sid_dup(nsd, osd->group_sid);
102                 if (nsd->group_sid == NULL) {
103                         goto failed;
104                 }
105         }
106
107         if (osd->sacl) {
108                 nsd->sacl = security_acl_dup(nsd, osd->sacl);
109                 if (nsd->sacl == NULL) {
110                         goto failed;
111                 }
112         }
113
114         if (osd->dacl) {
115                 nsd->dacl = security_acl_dup(nsd, osd->dacl);
116                 if (nsd->dacl == NULL) {
117                         goto failed;
118                 }
119         }
120
121         nsd->revision = osd->revision;
122         nsd->type = osd->type;
123
124         return nsd;
125
126  failed:
127         talloc_free(nsd);
128
129         return NULL;
130 }
131
132 /*
133   add an ACE to an ACL of a security_descriptor
134 */
135
136 static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
137                                             bool add_to_sacl,
138                                             const struct security_ace *ace)
139 {
140         struct security_acl *acl = NULL;
141
142         if (add_to_sacl) {
143                 acl = sd->sacl;
144         } else {
145                 acl = sd->dacl;
146         }
147
148         if (acl == NULL) {
149                 acl = talloc(sd, struct security_acl);
150                 if (acl == NULL) {
151                         return NT_STATUS_NO_MEMORY;
152                 }
153                 acl->revision = SECURITY_ACL_REVISION_NT4;
154                 acl->size     = 0;
155                 acl->num_aces = 0;
156                 acl->aces     = NULL;
157         }
158
159         acl->aces = talloc_realloc(acl, acl->aces,
160                                    struct security_ace, acl->num_aces+1);
161         if (acl->aces == NULL) {
162                 return NT_STATUS_NO_MEMORY;
163         }
164
165         acl->aces[acl->num_aces] = *ace;
166
167         switch (acl->aces[acl->num_aces].type) {
168         case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
169         case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
170         case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
171         case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
172                 acl->revision = SECURITY_ACL_REVISION_ADS;
173                 break;
174         default:
175                 break;
176         }
177
178         acl->num_aces++;
179
180         if (add_to_sacl) {
181                 sd->sacl = acl;
182                 sd->type |= SEC_DESC_SACL_PRESENT;
183         } else {
184                 sd->dacl = acl;
185                 sd->type |= SEC_DESC_DACL_PRESENT;
186         }
187
188         return NT_STATUS_OK;
189 }
190
191 /*
192   add an ACE to the SACL of a security_descriptor
193 */
194
195 NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
196                                       const struct security_ace *ace)
197 {
198         return security_descriptor_acl_add(sd, true, ace);
199 }
200
201 /*
202   add an ACE to the DACL of a security_descriptor
203 */
204
205 NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
206                                       const struct security_ace *ace)
207 {
208         return security_descriptor_acl_add(sd, false, ace);
209 }
210
211 /*
212   delete the ACE corresponding to the given trustee in an ACL of a
213   security_descriptor
214 */
215
216 static NTSTATUS security_descriptor_acl_del(struct security_descriptor *sd,
217                                             bool sacl_del,
218                                             const struct dom_sid *trustee)
219 {
220         int i;
221         bool found = false;
222         struct security_acl *acl = NULL;
223
224         if (sacl_del) {
225                 acl = sd->sacl;
226         } else {
227                 acl = sd->dacl;
228         }
229
230         if (acl == NULL) {
231                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
232         }
233
234         /* there can be multiple ace's for one trustee */
235         for (i=0;i<acl->num_aces;i++) {
236                 if (dom_sid_equal(trustee, &acl->aces[i].trustee)) {
237                         memmove(&acl->aces[i], &acl->aces[i+1],
238                                 sizeof(acl->aces[i]) * (acl->num_aces - (i+1)));
239                         acl->num_aces--;
240                         if (acl->num_aces == 0) {
241                                 acl->aces = NULL;
242                         }
243                         found = true;
244                 }
245         }
246
247         if (!found) {
248                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
249         }
250
251         acl->revision = SECURITY_ACL_REVISION_NT4;
252
253         for (i=0;i<acl->num_aces;i++) {
254                 switch (acl->aces[i].type) {
255                 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
256                 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
257                 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
258                 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
259                         acl->revision = SECURITY_ACL_REVISION_ADS;
260                         return NT_STATUS_OK;
261                 default:
262                         break; /* only for the switch statement */
263                 }
264         }
265
266         return NT_STATUS_OK;
267 }
268
269 /*
270   delete the ACE corresponding to the given trustee in the DACL of a
271   security_descriptor
272 */
273
274 NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd,
275                                       const struct dom_sid *trustee)
276 {
277         return security_descriptor_acl_del(sd, false, trustee);
278 }
279
280 /*
281   delete the ACE corresponding to the given trustee in the SACL of a
282   security_descriptor
283 */
284
285 NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd,
286                                       const struct dom_sid *trustee)
287 {
288         return security_descriptor_acl_del(sd, true, trustee);
289 }
290
291 /*
292   compare two security ace structures
293 */
294 bool security_ace_equal(const struct security_ace *ace1, 
295                         const struct security_ace *ace2)
296 {
297         if (ace1 == ace2) return true;
298         if (!ace1 || !ace2) return false;
299         if (ace1->type != ace2->type) return false;
300         if (ace1->flags != ace2->flags) return false;
301         if (ace1->access_mask != ace2->access_mask) return false;
302         if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) return false;
303
304         return true;    
305 }
306
307
308 /*
309   compare two security acl structures
310 */
311 bool security_acl_equal(const struct security_acl *acl1, 
312                         const struct security_acl *acl2)
313 {
314         int i;
315
316         if (acl1 == acl2) return true;
317         if (!acl1 || !acl2) return false;
318         if (acl1->revision != acl2->revision) return false;
319         if (acl1->num_aces != acl2->num_aces) return false;
320
321         for (i=0;i<acl1->num_aces;i++) {
322                 if (!security_ace_equal(&acl1->aces[i], &acl2->aces[i])) return false;
323         }
324         return true;    
325 }
326
327 /*
328   compare two security descriptors.
329 */
330 bool security_descriptor_equal(const struct security_descriptor *sd1, 
331                                const struct security_descriptor *sd2)
332 {
333         if (sd1 == sd2) return true;
334         if (!sd1 || !sd2) return false;
335         if (sd1->revision != sd2->revision) return false;
336         if (sd1->type != sd2->type) return false;
337
338         if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
339         if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
340         if (!security_acl_equal(sd1->sacl, sd2->sacl))      return false;
341         if (!security_acl_equal(sd1->dacl, sd2->dacl))      return false;
342
343         return true;    
344 }
345
346 /*
347   compare two security descriptors, but allow certain (missing) parts
348   to be masked out of the comparison
349 */
350 bool security_descriptor_mask_equal(const struct security_descriptor *sd1, 
351                                     const struct security_descriptor *sd2, 
352                                     uint32_t mask)
353 {
354         if (sd1 == sd2) return true;
355         if (!sd1 || !sd2) return false;
356         if (sd1->revision != sd2->revision) return false;
357         if ((sd1->type & mask) != (sd2->type & mask)) return false;
358
359         if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
360         if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
361         if ((mask & SEC_DESC_DACL_PRESENT) && !security_acl_equal(sd1->dacl, sd2->dacl))      return false;
362         if ((mask & SEC_DESC_SACL_PRESENT) && !security_acl_equal(sd1->sacl, sd2->sacl))      return false;
363
364         return true;    
365 }
366
367
368 static struct security_descriptor *security_descriptor_appendv(struct security_descriptor *sd,
369                                                                bool add_ace_to_sacl,
370                                                                va_list ap)
371 {
372         const char *sidstr;
373
374         while ((sidstr = va_arg(ap, const char *))) {
375                 struct dom_sid *sid;
376                 struct security_ace *ace = talloc_zero(sd, struct security_ace);
377                 NTSTATUS status;
378
379                 if (ace == NULL) {
380                         talloc_free(sd);
381                         return NULL;
382                 }
383                 ace->type = va_arg(ap, unsigned int);
384                 ace->access_mask = va_arg(ap, unsigned int);
385                 ace->flags = va_arg(ap, unsigned int);
386                 sid = dom_sid_parse_talloc(ace, sidstr);
387                 if (sid == NULL) {
388                         talloc_free(sd);
389                         return NULL;
390                 }
391                 ace->trustee = *sid;
392                 if (add_ace_to_sacl) {
393                         status = security_descriptor_sacl_add(sd, ace);
394                 } else {
395                         status = security_descriptor_dacl_add(sd, ace);
396                 }
397                 /* TODO: check: would talloc_free(ace) here be correct? */
398                 if (!NT_STATUS_IS_OK(status)) {
399                         talloc_free(sd);
400                         return NULL;
401                 }
402         }
403
404         return sd;
405 }
406
407 struct security_descriptor *security_descriptor_append(struct security_descriptor *sd,
408                                                        ...)
409 {
410         va_list ap;
411
412         va_start(ap, sd);
413         sd = security_descriptor_appendv(sd, false, ap);
414         va_end(ap);
415
416         return sd;
417 }
418
419 static struct security_descriptor *security_descriptor_createv(TALLOC_CTX *mem_ctx,
420                                                                uint16_t sd_type,
421                                                                const char *owner_sid,
422                                                                const char *group_sid,
423                                                                bool add_ace_to_sacl,
424                                                                va_list ap)
425 {
426         struct security_descriptor *sd;
427
428         sd = security_descriptor_initialise(mem_ctx);
429         if (sd == NULL) {
430                 return NULL;
431         }
432
433         sd->type |= sd_type;
434
435         if (owner_sid) {
436                 sd->owner_sid = dom_sid_parse_talloc(sd, owner_sid);
437                 if (sd->owner_sid == NULL) {
438                         talloc_free(sd);
439                         return NULL;
440                 }
441         }
442         if (group_sid) {
443                 sd->group_sid = dom_sid_parse_talloc(sd, group_sid);
444                 if (sd->group_sid == NULL) {
445                         talloc_free(sd);
446                         return NULL;
447                 }
448         }
449
450         return security_descriptor_appendv(sd, add_ace_to_sacl, ap);
451 }
452
453 /*
454   create a security descriptor using string SIDs. This is used by the
455   torture code to allow the easy creation of complex ACLs
456   This is a varargs function. The list of DACL ACEs ends with a NULL sid.
457
458   Each ACE contains a set of 4 parameters:
459   SID, ACCESS_TYPE, MASK, FLAGS
460
461   a typical call would be:
462
463     sd = security_descriptor_dacl_create(mem_ctx,
464                                          sd_type_flags,
465                                          mysid,
466                                          mygroup,
467                                          SID_NT_AUTHENTICATED_USERS,
468                                          SEC_ACE_TYPE_ACCESS_ALLOWED,
469                                          SEC_FILE_ALL,
470                                          SEC_ACE_FLAG_OBJECT_INHERIT,
471                                          NULL);
472   that would create a sd with one DACL ACE
473 */
474
475 struct security_descriptor *security_descriptor_dacl_create(TALLOC_CTX *mem_ctx,
476                                                             uint16_t sd_type,
477                                                             const char *owner_sid,
478                                                             const char *group_sid,
479                                                             ...)
480 {
481         struct security_descriptor *sd = NULL;
482         va_list ap;
483         va_start(ap, group_sid);
484         sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid,
485                                          group_sid, false, ap);
486         va_end(ap);
487
488         return sd;
489 }
490
491 struct security_descriptor *security_descriptor_sacl_create(TALLOC_CTX *mem_ctx,
492                                                             uint16_t sd_type,
493                                                             const char *owner_sid,
494                                                             const char *group_sid,
495                                                             ...)
496 {
497         struct security_descriptor *sd = NULL;
498         va_list ap;
499         va_start(ap, group_sid);
500         sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid,
501                                          group_sid, true, ap);
502         va_end(ap);
503
504         return sd;
505 }
506
507 struct security_ace *security_ace_create(TALLOC_CTX *mem_ctx,
508                                          const char *sid_str,
509                                          enum security_ace_type type,
510                                          uint32_t access_mask,
511                                          uint8_t flags)
512
513 {
514         struct dom_sid *sid;
515         struct security_ace *ace;
516
517         ace = talloc_zero(mem_ctx, struct security_ace);
518         if (ace == NULL) {
519                 return NULL;
520         }
521
522         sid = dom_sid_parse_talloc(ace, sid_str);
523         if (sid == NULL) {
524                 talloc_free(ace);
525                 return NULL;
526         }
527
528         ace->trustee = *sid;
529         ace->type = type;
530         ace->access_mask = access_mask;
531         ace->flags = flags;
532
533         return ace;
534 }