2 Unix SMB/CIFS implementation.
4 security descriptror utility functions
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 #include "librpc/gen_ndr/security.h"
25 #include "libcli/security/proto.h"
28 return a blank security descriptor (no owners, dacl or sacl)
30 struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx)
32 struct security_descriptor *sd;
34 sd = talloc(mem_ctx, struct security_descriptor);
39 sd->revision = SD_REVISION;
40 /* we mark as self relative, even though it isn't while it remains
41 a pointer in memory because this simplifies the ndr code later.
42 All SDs that we store/emit are in fact SELF_RELATIVE
44 sd->type = SEC_DESC_SELF_RELATIVE;
54 static struct security_acl *security_acl_dup(TALLOC_CTX *mem_ctx,
55 const struct security_acl *oacl)
57 struct security_acl *nacl;
60 nacl = talloc (mem_ctx, struct security_acl);
65 nacl->aces = talloc_memdup (nacl, oacl->aces, sizeof(struct security_ace) * oacl->num_aces);
66 if ((nacl->aces == NULL) && (oacl->num_aces > 0)) {
70 /* remapping array in trustee dom_sid from old acl to new acl */
72 for (i = 0; i < oacl->num_aces; i++) {
73 nacl->aces[i].trustee.sub_auths =
74 talloc_memdup(nacl->aces, nacl->aces[i].trustee.sub_auths,
75 sizeof(uint32_t) * nacl->aces[i].trustee.num_auths);
77 if ((nacl->aces[i].trustee.sub_auths == NULL) && (nacl->aces[i].trustee.num_auths > 0)) {
82 nacl->revision = oacl->revision;
83 nacl->size = oacl->size;
84 nacl->num_aces = oacl->num_aces;
95 talloc and copy a security descriptor
97 struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx,
98 const struct security_descriptor *osd)
100 struct security_descriptor *nsd;
102 nsd = talloc_zero(mem_ctx, struct security_descriptor);
107 if (osd->owner_sid) {
108 nsd->owner_sid = dom_sid_dup(nsd, osd->owner_sid);
109 if (nsd->owner_sid == NULL) {
114 if (osd->group_sid) {
115 nsd->group_sid = dom_sid_dup(nsd, osd->group_sid);
116 if (nsd->group_sid == NULL) {
122 nsd->sacl = security_acl_dup(nsd, osd->sacl);
123 if (nsd->sacl == NULL) {
129 nsd->dacl = security_acl_dup(nsd, osd->dacl);
130 if (nsd->dacl == NULL) {
144 add an ACE to the DACL of a security_descriptor
146 NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
147 const struct security_ace *ace)
149 if (sd->dacl == NULL) {
150 sd->dacl = talloc(sd, struct security_acl);
151 if (sd->dacl == NULL) {
152 return NT_STATUS_NO_MEMORY;
154 sd->dacl->revision = NT4_ACL_REVISION;
156 sd->dacl->num_aces = 0;
157 sd->dacl->aces = NULL;
160 sd->dacl->aces = talloc_realloc(sd->dacl, sd->dacl->aces,
161 struct security_ace, sd->dacl->num_aces+1);
162 if (sd->dacl->aces == NULL) {
163 return NT_STATUS_NO_MEMORY;
166 sd->dacl->aces[sd->dacl->num_aces] = *ace;
167 sd->dacl->aces[sd->dacl->num_aces].trustee.sub_auths =
168 talloc_memdup(sd->dacl->aces,
169 sd->dacl->aces[sd->dacl->num_aces].trustee.sub_auths,
171 sd->dacl->aces[sd->dacl->num_aces].trustee.num_auths);
172 if (sd->dacl->aces[sd->dacl->num_aces].trustee.sub_auths == NULL) {
173 return NT_STATUS_NO_MEMORY;
176 sd->dacl->num_aces++;
178 sd->type |= SEC_DESC_DACL_PRESENT;
185 delete the ACE corresponding to the given trustee in the DACL of a security_descriptor
187 NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd,
188 struct dom_sid *trustee)
192 if (sd->dacl == NULL) {
193 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
196 for (i=0;i<sd->dacl->num_aces;i++) {
197 if (dom_sid_equal(trustee, &sd->dacl->aces[i].trustee)) {
198 memmove(&sd->dacl->aces[i], &sd->dacl->aces[i+1],
199 sizeof(sd->dacl->aces[i]) * (sd->dacl->num_aces - (i+1)));
200 sd->dacl->num_aces--;
201 if (sd->dacl->num_aces == 0) {
202 sd->dacl->aces = NULL;
207 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
212 compare two security ace structures
214 BOOL security_ace_equal(const struct security_ace *ace1,
215 const struct security_ace *ace2)
217 if (ace1 == ace2) return True;
218 if (!ace1 || !ace2) return False;
219 if (ace1->type != ace2->type) return False;
220 if (ace1->flags != ace2->flags) return False;
221 if (ace1->access_mask != ace2->access_mask) return False;
222 if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) return False;
229 compare two security acl structures
231 BOOL security_acl_equal(const struct security_acl *acl1,
232 const struct security_acl *acl2)
236 if (acl1 == acl2) return True;
237 if (!acl1 || !acl2) return False;
238 if (acl1->revision != acl2->revision) return False;
239 if (acl1->num_aces != acl2->num_aces) return False;
241 for (i=0;i<acl1->num_aces;i++) {
242 if (!security_ace_equal(&acl1->aces[i], &acl2->aces[i])) return False;
248 compare two security descriptors.
250 BOOL security_descriptor_equal(const struct security_descriptor *sd1,
251 const struct security_descriptor *sd2)
253 if (sd1 == sd2) return True;
254 if (!sd1 || !sd2) return False;
255 if (sd1->revision != sd2->revision) return False;
256 if (sd1->type != sd2->type) return False;
258 if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return False;
259 if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return False;
260 if (!security_acl_equal(sd1->sacl, sd2->sacl)) return False;
261 if (!security_acl_equal(sd1->dacl, sd2->dacl)) return False;
267 compare two security descriptors, but allow certain (missing) parts
268 to be masked out of the comparison
270 BOOL security_descriptor_mask_equal(const struct security_descriptor *sd1,
271 const struct security_descriptor *sd2,
274 if (sd1 == sd2) return True;
275 if (!sd1 || !sd2) return False;
276 if (sd1->revision != sd2->revision) return False;
277 if ((sd1->type & mask) != (sd2->type & mask)) return False;
279 if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return False;
280 if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return False;
281 if ((mask & SEC_DESC_DACL_PRESENT) && !security_acl_equal(sd1->dacl, sd2->dacl)) return False;
282 if ((mask & SEC_DESC_SACL_PRESENT) && !security_acl_equal(sd1->sacl, sd2->sacl)) return False;
289 create a security descriptor using string SIDs. This is used by the
290 torture code to allow the easy creation of complex ACLs
291 This is a varargs function. The list of DACL ACEs ends with a NULL sid.
293 Each ACE contains a set of 4 parameters:
294 SID, ACCESS_TYPE, MASK, FLAGS
296 a typical call would be:
298 sd = security_descriptor_create(mem_ctx,
301 SID_NT_AUTHENTICATED_USERS,
302 SEC_ACE_TYPE_ACCESS_ALLOWED,
304 SEC_ACE_FLAG_OBJECT_INHERIT,
306 that would create a sd with one DACL ACE
308 struct security_descriptor *security_descriptor_create(TALLOC_CTX *mem_ctx,
309 const char *owner_sid,
310 const char *group_sid,
314 struct security_descriptor *sd;
317 sd = security_descriptor_initialise(mem_ctx);
318 if (sd == NULL) return NULL;
321 sd->owner_sid = dom_sid_parse_talloc(sd, owner_sid);
322 if (sd->owner_sid == NULL) {
328 sd->group_sid = dom_sid_parse_talloc(sd, group_sid);
329 if (sd->group_sid == NULL) {
335 va_start(ap, group_sid);
336 while ((sidstr = va_arg(ap, const char *))) {
338 struct security_ace *ace = talloc(sd, struct security_ace);
346 ace->type = va_arg(ap, unsigned int);
347 ace->access_mask = va_arg(ap, unsigned int);
348 ace->flags = va_arg(ap, unsigned int);
349 sid = dom_sid_parse_talloc(ace, sidstr);
356 status = security_descriptor_dacl_add(sd, ace);
357 /* TODO: check: would talloc_free(ace) here be correct? */
358 if (!NT_STATUS_IS_OK(status)) {