375a2d31ffe50e3584d1ab1404d8d9e88d648ef8
[kai/samba.git] / source3 / libgpo / gpo_reg.c
1 /*
2  *  Unix SMB/CIFS implementation.
3  *  Group Policy Object Support
4  *  Copyright (C) Guenther Deschner 2007-2008
5  *
6  *  This program is free software; you can redistribute it and/or modify
7  *  it under the terms of the GNU General Public License as published by
8  *  the Free Software Foundation; either version 3 of the License, or
9  *  (at your option) any later version.
10  *
11  *  This program is distributed in the hope that it will be useful,
12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  *  GNU General Public License for more details.
15  *
16  *  You should have received a copy of the GNU General Public License
17  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
18  */
19
20 #include "includes.h"
21 #include "../libgpo/gpo.h"
22 #include "libgpo/gpo_proto.h"
23 #include "registry.h"
24 #include "registry/reg_api.h"
25 #include "registry/reg_backend_db.h"
26 #include "registry/reg_api_util.h"
27 #include "registry/reg_init_basic.h"
28
29
30 /****************************************************************
31 ****************************************************************/
32
33 struct security_token *registry_create_system_token(TALLOC_CTX *mem_ctx)
34 {
35         struct security_token *token = NULL;
36
37         token = TALLOC_ZERO_P(mem_ctx, struct security_token);
38         if (!token) {
39                 DEBUG(1,("talloc failed\n"));
40                 return NULL;
41         }
42
43         token->privilege_mask = SE_ALL_PRIVS;
44
45         if (!NT_STATUS_IS_OK(add_sid_to_array(token, &global_sid_System,
46                          &token->sids, &token->num_sids))) {
47                 DEBUG(1,("Error adding nt-authority system sid to token\n"));
48                 return NULL;
49         }
50
51         return token;
52 }
53
54 /****************************************************************
55 ****************************************************************/
56
57 WERROR gp_init_reg_ctx(TALLOC_CTX *mem_ctx,
58                        const char *initial_path,
59                        uint32_t desired_access,
60                        const struct security_token *token,
61                        struct gp_registry_context **reg_ctx)
62 {
63         struct gp_registry_context *tmp_ctx;
64         WERROR werr;
65
66         if (!reg_ctx) {
67                 return WERR_INVALID_PARAM;
68         }
69
70         werr = registry_init_basic();
71         if (!W_ERROR_IS_OK(werr)) {
72                 return werr;
73         }
74
75         tmp_ctx = TALLOC_ZERO_P(mem_ctx, struct gp_registry_context);
76         W_ERROR_HAVE_NO_MEMORY(tmp_ctx);
77
78         if (token) {
79                 tmp_ctx->token = token;
80         } else {
81                 tmp_ctx->token = registry_create_system_token(mem_ctx);
82         }
83         if (!tmp_ctx->token) {
84                 TALLOC_FREE(tmp_ctx);
85                 return WERR_NOMEM;
86         }
87
88         werr = regdb_open();
89         if (!W_ERROR_IS_OK(werr)) {
90                 return werr;
91         }
92
93         if (initial_path) {
94                 tmp_ctx->path = talloc_strdup(mem_ctx, initial_path);
95                 if (!tmp_ctx->path) {
96                         TALLOC_FREE(tmp_ctx);
97                         return WERR_NOMEM;
98                 }
99
100                 werr = reg_open_path(mem_ctx, tmp_ctx->path, desired_access,
101                                      tmp_ctx->token, &tmp_ctx->curr_key);
102                 if (!W_ERROR_IS_OK(werr)) {
103                         TALLOC_FREE(tmp_ctx);
104                         return werr;
105                 }
106         }
107
108         *reg_ctx = tmp_ctx;
109
110         return WERR_OK;
111 }
112
113 /****************************************************************
114 ****************************************************************/
115
116 void gp_free_reg_ctx(struct gp_registry_context *reg_ctx)
117 {
118         TALLOC_FREE(reg_ctx);
119 }
120
121 /****************************************************************
122 ****************************************************************/
123
124 WERROR gp_store_reg_subkey(TALLOC_CTX *mem_ctx,
125                            const char *subkeyname,
126                            struct registry_key *curr_key,
127                            struct registry_key **new_key)
128 {
129         enum winreg_CreateAction action = REG_ACTION_NONE;
130         WERROR werr;
131
132         werr = reg_createkey(mem_ctx, curr_key, subkeyname,
133                              REG_KEY_WRITE, new_key, &action);
134         if (W_ERROR_IS_OK(werr) && (action != REG_CREATED_NEW_KEY)) {
135                 return WERR_OK;
136         }
137
138         return werr;
139 }
140
141 /****************************************************************
142 ****************************************************************/
143
144 WERROR gp_read_reg_subkey(TALLOC_CTX *mem_ctx,
145                           struct gp_registry_context *reg_ctx,
146                           const char *subkeyname,
147                           struct registry_key **key)
148 {
149         const char *tmp = NULL;
150
151         if (!reg_ctx || !subkeyname || !key) {
152                 return WERR_INVALID_PARAM;
153         }
154
155         tmp = talloc_asprintf(mem_ctx, "%s\\%s", reg_ctx->path, subkeyname);
156         W_ERROR_HAVE_NO_MEMORY(tmp);
157
158         return reg_open_path(mem_ctx, tmp, REG_KEY_READ,
159                              reg_ctx->token, key);
160 }
161
162 /****************************************************************
163 ****************************************************************/
164
165 WERROR gp_store_reg_val_sz(TALLOC_CTX *mem_ctx,
166                            struct registry_key *key,
167                            const char *val_name,
168                            const char *val)
169 {
170         struct registry_value reg_val;
171
172         reg_val.type = REG_SZ;
173         if (!push_reg_sz(mem_ctx, &reg_val.data, val)) {
174                 return WERR_NOMEM;
175         }
176
177         return reg_setvalue(key, val_name, &reg_val);
178 }
179
180 /****************************************************************
181 ****************************************************************/
182
183 static WERROR gp_store_reg_val_dword(TALLOC_CTX *mem_ctx,
184                                      struct registry_key *key,
185                                      const char *val_name,
186                                      uint32_t val)
187 {
188         struct registry_value reg_val;
189
190         reg_val.type = REG_DWORD;
191         reg_val.data = data_blob_talloc(mem_ctx, NULL, 4);
192         SIVAL(reg_val.data.data, 0, val);
193
194         return reg_setvalue(key, val_name, &reg_val);
195 }
196
197 /****************************************************************
198 ****************************************************************/
199
200 WERROR gp_read_reg_val_sz(TALLOC_CTX *mem_ctx,
201                           struct registry_key *key,
202                           const char *val_name,
203                           const char **val)
204 {
205         WERROR werr;
206         struct registry_value *reg_val = NULL;
207
208         werr = reg_queryvalue(mem_ctx, key, val_name, &reg_val);
209         W_ERROR_NOT_OK_RETURN(werr);
210
211         if (reg_val->type != REG_SZ) {
212                 return WERR_INVALID_DATATYPE;
213         }
214
215         if (!pull_reg_sz(mem_ctx, &reg_val->data, val)) {
216                 return WERR_NOMEM;
217         }
218
219         return WERR_OK;
220 }
221
222 /****************************************************************
223 ****************************************************************/
224
225 static WERROR gp_read_reg_val_dword(TALLOC_CTX *mem_ctx,
226                                     struct registry_key *key,
227                                     const char *val_name,
228                                     uint32_t *val)
229 {
230         WERROR werr;
231         struct registry_value *reg_val = NULL;
232
233         werr = reg_queryvalue(mem_ctx, key, val_name, &reg_val);
234         W_ERROR_NOT_OK_RETURN(werr);
235
236         if (reg_val->type != REG_DWORD) {
237                 return WERR_INVALID_DATATYPE;
238         }
239
240         if (reg_val->data.length < 4) {
241                 return WERR_INSUFFICIENT_BUFFER;
242         }
243         *val = IVAL(reg_val->data.data, 0);
244
245         return WERR_OK;
246 }
247
248 /****************************************************************
249 ****************************************************************/
250
251 static WERROR gp_store_reg_gpovals(TALLOC_CTX *mem_ctx,
252                                    struct registry_key *key,
253                                    struct GROUP_POLICY_OBJECT *gpo)
254 {
255         WERROR werr;
256
257         if (!key || !gpo) {
258                 return WERR_INVALID_PARAM;
259         }
260
261         werr = gp_store_reg_val_dword(mem_ctx, key, "Version",
262                                       gpo->version);
263         W_ERROR_NOT_OK_RETURN(werr);
264
265         werr = gp_store_reg_val_dword(mem_ctx, key, "WQLFilterPass",
266                                       true); /* fake */
267         W_ERROR_NOT_OK_RETURN(werr);
268
269         werr = gp_store_reg_val_dword(mem_ctx, key, "AccessDenied",
270                                       false); /* fake */
271         W_ERROR_NOT_OK_RETURN(werr);
272
273         werr = gp_store_reg_val_dword(mem_ctx, key, "GPO-Disabled",
274                                       (gpo->options & GPO_FLAG_DISABLE));
275         W_ERROR_NOT_OK_RETURN(werr);
276
277         werr = gp_store_reg_val_dword(mem_ctx, key, "Options",
278                                       gpo->options);
279         W_ERROR_NOT_OK_RETURN(werr);
280
281         werr = gp_store_reg_val_sz(mem_ctx, key, "GPOID",
282                                    gpo->name);
283         W_ERROR_NOT_OK_RETURN(werr);
284
285         werr = gp_store_reg_val_sz(mem_ctx, key, "SOM",
286                                    gpo->link);
287         W_ERROR_NOT_OK_RETURN(werr);
288
289         werr = gp_store_reg_val_sz(mem_ctx, key, "DisplayName",
290                                    gpo->display_name);
291         W_ERROR_NOT_OK_RETURN(werr);
292
293         werr = gp_store_reg_val_sz(mem_ctx, key, "WQL-Id",
294                                    NULL);
295         W_ERROR_NOT_OK_RETURN(werr);
296
297         return werr;
298 }
299
300 /****************************************************************
301 ****************************************************************/
302
303 static const char *gp_reg_groupmembership_path(TALLOC_CTX *mem_ctx,
304                                                const struct dom_sid *sid,
305                                                uint32_t flags)
306 {
307         if (flags & GPO_LIST_FLAG_MACHINE) {
308                 return "GroupMembership";
309         }
310
311         return talloc_asprintf(mem_ctx, "%s\\%s", sid_string_tos(sid),
312                                "GroupMembership");
313 }
314
315 /****************************************************************
316 ****************************************************************/
317
318 static WERROR gp_reg_del_groupmembership(TALLOC_CTX *mem_ctx,
319                                          struct registry_key *key,
320                                          const struct security_token *token,
321                                          uint32_t flags)
322 {
323         const char *path = NULL;
324
325         path = gp_reg_groupmembership_path(mem_ctx, &token->sids[0],
326                                            flags);
327         W_ERROR_HAVE_NO_MEMORY(path);
328
329         return reg_deletekey_recursive(key, path);
330
331 }
332
333 /****************************************************************
334 ****************************************************************/
335
336 static WERROR gp_reg_store_groupmembership(TALLOC_CTX *mem_ctx,
337                                            struct gp_registry_context *reg_ctx,
338                                            const struct security_token *token,
339                                            uint32_t flags)
340 {
341         struct registry_key *key = NULL;
342         WERROR werr;
343         int i = 0;
344         const char *valname = NULL;
345         const char *path = NULL;
346         const char *val = NULL;
347         int count = 0;
348
349         path = gp_reg_groupmembership_path(mem_ctx, &token->sids[0],
350                                            flags);
351         W_ERROR_HAVE_NO_MEMORY(path);
352
353         gp_reg_del_groupmembership(mem_ctx, reg_ctx->curr_key, token, flags);
354
355         werr = gp_store_reg_subkey(mem_ctx, path,
356                                    reg_ctx->curr_key, &key);
357         W_ERROR_NOT_OK_RETURN(werr);
358
359         for (i=0; i<token->num_sids; i++) {
360
361                 valname = talloc_asprintf(mem_ctx, "Group%d", count++);
362                 W_ERROR_HAVE_NO_MEMORY(valname);
363
364                 val = sid_string_talloc(mem_ctx, &token->sids[i]);
365                 W_ERROR_HAVE_NO_MEMORY(val);
366                 werr = gp_store_reg_val_sz(mem_ctx, key, valname, val);
367                 W_ERROR_NOT_OK_RETURN(werr);
368         }
369
370         werr = gp_store_reg_val_dword(mem_ctx, key, "Count", count);
371         W_ERROR_NOT_OK_RETURN(werr);
372
373         return WERR_OK;
374 }
375
376 /****************************************************************
377 ****************************************************************/
378 #if 0
379 /* not used yet */
380 static WERROR gp_reg_read_groupmembership(TALLOC_CTX *mem_ctx,
381                                           struct gp_registry_context *reg_ctx,
382                                           const struct dom_sid *object_sid,
383                                           struct security_token **token,
384                                           uint32_t flags)
385 {
386         struct registry_key *key = NULL;
387         WERROR werr;
388         int i = 0;
389         const char *valname = NULL;
390         const char *val = NULL;
391         const char *path = NULL;
392         uint32_t count = 0;
393         int num_token_sids = 0;
394         struct security_token *tmp_token = NULL;
395
396         tmp_token = TALLOC_ZERO_P(mem_ctx, struct security_token);
397         W_ERROR_HAVE_NO_MEMORY(tmp_token);
398
399         path = gp_reg_groupmembership_path(mem_ctx, object_sid, flags);
400         W_ERROR_HAVE_NO_MEMORY(path);
401
402         werr = gp_read_reg_subkey(mem_ctx, reg_ctx, path, &key);
403         W_ERROR_NOT_OK_RETURN(werr);
404
405         werr = gp_read_reg_val_dword(mem_ctx, key, "Count", &count);
406         W_ERROR_NOT_OK_RETURN(werr);
407
408         for (i=0; i<count; i++) {
409
410                 valname = talloc_asprintf(mem_ctx, "Group%d", i);
411                 W_ERROR_HAVE_NO_MEMORY(valname);
412
413                 werr = gp_read_reg_val_sz(mem_ctx, key, valname, &val);
414                 W_ERROR_NOT_OK_RETURN(werr);
415
416                 if (!string_to_sid(&tmp_token->sids[num_token_sids++],
417                                    val)) {
418                         return WERR_INSUFFICIENT_BUFFER;
419                 }
420         }
421
422         tmp_token->num_sids = num_token_sids;
423
424         *token = tmp_token;
425
426         return WERR_OK;
427 }
428 #endif
429 /****************************************************************
430 ****************************************************************/
431
432 static const char *gp_req_state_path(TALLOC_CTX *mem_ctx,
433                                      const struct dom_sid *sid,
434                                      uint32_t flags)
435 {
436         if (flags & GPO_LIST_FLAG_MACHINE) {
437                 return GPO_REG_STATE_MACHINE;
438         }
439
440         return talloc_asprintf(mem_ctx, "%s\\%s", "State", sid_string_tos(sid));
441 }
442
443 /****************************************************************
444 ****************************************************************/
445
446 static WERROR gp_del_reg_state(TALLOC_CTX *mem_ctx,
447                                struct registry_key *key,
448                                const char *path)
449 {
450         return reg_deletesubkeys_recursive(key, path);
451 }
452
453 /****************************************************************
454 ****************************************************************/
455
456 WERROR gp_reg_state_store(TALLOC_CTX *mem_ctx,
457                           uint32_t flags,
458                           const char *dn,
459                           const struct security_token *token,
460                           struct GROUP_POLICY_OBJECT *gpo_list)
461 {
462         struct gp_registry_context *reg_ctx = NULL;
463         WERROR werr = WERR_GENERAL_FAILURE;
464         const char *subkeyname = NULL;
465         struct GROUP_POLICY_OBJECT *gpo;
466         int count = 0;
467         struct registry_key *key;
468
469         werr = gp_init_reg_ctx(mem_ctx, KEY_GROUP_POLICY, REG_KEY_WRITE,
470                                token, &reg_ctx);
471         W_ERROR_NOT_OK_RETURN(werr);
472
473         werr = gp_secure_key(mem_ctx, flags, reg_ctx->curr_key,
474                              &token->sids[0]);
475         if (!W_ERROR_IS_OK(werr)) {
476                 DEBUG(0,("failed to secure key: %s\n", win_errstr(werr)));
477                 goto done;
478         }
479
480         werr = gp_reg_store_groupmembership(mem_ctx, reg_ctx, token, flags);
481         if (!W_ERROR_IS_OK(werr)) {
482                 DEBUG(0,("failed to store group membership: %s\n", win_errstr(werr)));
483                 goto done;
484         }
485
486         subkeyname = gp_req_state_path(mem_ctx, &token->sids[0], flags);
487         if (!subkeyname) {
488                 werr = WERR_NOMEM;
489                 goto done;
490         }
491
492         werr = gp_del_reg_state(mem_ctx, reg_ctx->curr_key, subkeyname);
493         if (!W_ERROR_IS_OK(werr)) {
494                 DEBUG(0,("failed to delete old state: %s\n", win_errstr(werr)));
495                 /* goto done; */
496         }
497
498         werr = gp_store_reg_subkey(mem_ctx, subkeyname,
499                                    reg_ctx->curr_key, &reg_ctx->curr_key);
500         if (!W_ERROR_IS_OK(werr)) {
501                 goto done;
502         }
503
504         werr = gp_store_reg_val_sz(mem_ctx, reg_ctx->curr_key,
505                                    "Distinguished-Name", dn);
506         if (!W_ERROR_IS_OK(werr)) {
507                 goto done;
508         }
509
510         /* store link list */
511
512         werr = gp_store_reg_subkey(mem_ctx, "GPLink-List",
513                                    reg_ctx->curr_key, &key);
514         if (!W_ERROR_IS_OK(werr)) {
515                 goto done;
516         }
517
518         /* store gpo list */
519
520         werr = gp_store_reg_subkey(mem_ctx, "GPO-List",
521                                    reg_ctx->curr_key, &reg_ctx->curr_key);
522         if (!W_ERROR_IS_OK(werr)) {
523                 goto done;
524         }
525
526         for (gpo = gpo_list; gpo; gpo = gpo->next) {
527
528                 subkeyname = talloc_asprintf(mem_ctx, "%d", count++);
529                 if (!subkeyname) {
530                         werr = WERR_NOMEM;
531                         goto done;
532                 }
533
534                 werr = gp_store_reg_subkey(mem_ctx, subkeyname,
535                                            reg_ctx->curr_key, &key);
536                 if (!W_ERROR_IS_OK(werr)) {
537                         goto done;
538                 }
539
540                 werr = gp_store_reg_gpovals(mem_ctx, key, gpo);
541                 if (!W_ERROR_IS_OK(werr)) {
542                         DEBUG(0,("gp_reg_state_store: "
543                                 "gpo_store_reg_gpovals failed for %s: %s\n",
544                                 gpo->display_name, win_errstr(werr)));
545                         goto done;
546                 }
547         }
548  done:
549         gp_free_reg_ctx(reg_ctx);
550         return werr;
551 }
552
553 /****************************************************************
554 ****************************************************************/
555
556 static WERROR gp_read_reg_gpovals(TALLOC_CTX *mem_ctx,
557                                   struct registry_key *key,
558                                   struct GROUP_POLICY_OBJECT *gpo)
559 {
560         WERROR werr;
561
562         if (!key || !gpo) {
563                 return WERR_INVALID_PARAM;
564         }
565
566         werr = gp_read_reg_val_dword(mem_ctx, key, "Version",
567                                      &gpo->version);
568         W_ERROR_NOT_OK_RETURN(werr);
569
570         werr = gp_read_reg_val_dword(mem_ctx, key, "Options",
571                                      &gpo->options);
572         W_ERROR_NOT_OK_RETURN(werr);
573
574         werr = gp_read_reg_val_sz(mem_ctx, key, "GPOID",
575                                   &gpo->name);
576         W_ERROR_NOT_OK_RETURN(werr);
577
578         werr = gp_read_reg_val_sz(mem_ctx, key, "SOM",
579                                   &gpo->link);
580         W_ERROR_NOT_OK_RETURN(werr);
581
582         werr = gp_read_reg_val_sz(mem_ctx, key, "DisplayName",
583                                   &gpo->display_name);
584         W_ERROR_NOT_OK_RETURN(werr);
585
586         return werr;
587 }
588
589 /****************************************************************
590 ****************************************************************/
591
592 static WERROR gp_read_reg_gpo(TALLOC_CTX *mem_ctx,
593                               struct registry_key *key,
594                               struct GROUP_POLICY_OBJECT **gpo_ret)
595 {
596         struct GROUP_POLICY_OBJECT *gpo = NULL;
597         WERROR werr;
598
599         if (!gpo_ret || !key) {
600                 return WERR_INVALID_PARAM;
601         }
602
603         gpo = TALLOC_ZERO_P(mem_ctx, struct GROUP_POLICY_OBJECT);
604         W_ERROR_HAVE_NO_MEMORY(gpo);
605
606         werr = gp_read_reg_gpovals(mem_ctx, key, gpo);
607         W_ERROR_NOT_OK_RETURN(werr);
608
609         *gpo_ret = gpo;
610
611         return werr;
612 }
613
614 /****************************************************************
615 ****************************************************************/
616
617 WERROR gp_reg_state_read(TALLOC_CTX *mem_ctx,
618                          uint32_t flags,
619                          const struct dom_sid *sid,
620                          struct GROUP_POLICY_OBJECT **gpo_list)
621 {
622         struct gp_registry_context *reg_ctx = NULL;
623         WERROR werr = WERR_GENERAL_FAILURE;
624         const char *subkeyname = NULL;
625         struct GROUP_POLICY_OBJECT *gpo = NULL;
626         int count = 0;
627         struct registry_key *key = NULL;
628         const char *path = NULL;
629         const char *gp_state_path = NULL;
630
631         if (!gpo_list) {
632                 return WERR_INVALID_PARAM;
633         }
634
635         ZERO_STRUCTP(gpo_list);
636
637         gp_state_path = gp_req_state_path(mem_ctx, sid, flags);
638         if (!gp_state_path) {
639                 werr = WERR_NOMEM;
640                 goto done;
641         }
642
643         path = talloc_asprintf(mem_ctx, "%s\\%s\\%s",
644                                KEY_GROUP_POLICY,
645                                gp_state_path,
646                                "GPO-List");
647         if (!path) {
648                 werr = WERR_NOMEM;
649                 goto done;
650         }
651
652         werr = gp_init_reg_ctx(mem_ctx, path, REG_KEY_READ, NULL, &reg_ctx);
653         if (!W_ERROR_IS_OK(werr)) {
654                 goto done;
655         }
656
657         while (1) {
658
659                 subkeyname = talloc_asprintf(mem_ctx, "%d", count++);
660                 if (!subkeyname) {
661                         werr = WERR_NOMEM;
662                         goto done;
663                 }
664
665                 werr = gp_read_reg_subkey(mem_ctx, reg_ctx, subkeyname, &key);
666                 if (W_ERROR_EQUAL(werr, WERR_BADFILE)) {
667                         werr = WERR_OK;
668                         break;
669                 }
670                 if (!W_ERROR_IS_OK(werr)) {
671                         DEBUG(0,("gp_reg_state_read: "
672                                 "gp_read_reg_subkey gave: %s\n",
673                                 win_errstr(werr)));
674                         goto done;
675                 }
676
677                 werr = gp_read_reg_gpo(mem_ctx, key, &gpo);
678                 if (!W_ERROR_IS_OK(werr)) {
679                         goto done;
680                 }
681
682                 DLIST_ADD(*gpo_list, gpo);
683         }
684
685  done:
686         gp_free_reg_ctx(reg_ctx);
687         return werr;
688 }
689
690 /****************************************************************
691 ****************************************************************/
692
693 static WERROR gp_reg_generate_sd(TALLOC_CTX *mem_ctx,
694                                  const struct dom_sid *sid,
695                                  struct security_descriptor **sd,
696                                  size_t *sd_size)
697 {
698         struct security_ace ace[6];
699         uint32_t mask;
700
701         struct security_acl *theacl = NULL;
702
703         uint8_t inherit_flags;
704
705         mask = REG_KEY_ALL;
706         init_sec_ace(&ace[0],
707                      &global_sid_System,
708                      SEC_ACE_TYPE_ACCESS_ALLOWED,
709                      mask, 0);
710
711         mask = REG_KEY_ALL;
712         init_sec_ace(&ace[1],
713                      &global_sid_Builtin_Administrators,
714                      SEC_ACE_TYPE_ACCESS_ALLOWED,
715                      mask, 0);
716
717         mask = REG_KEY_READ;
718         init_sec_ace(&ace[2],
719                      sid ? sid : &global_sid_Authenticated_Users,
720                      SEC_ACE_TYPE_ACCESS_ALLOWED,
721                      mask, 0);
722
723         inherit_flags = SEC_ACE_FLAG_OBJECT_INHERIT |
724                         SEC_ACE_FLAG_CONTAINER_INHERIT |
725                         SEC_ACE_FLAG_INHERIT_ONLY;
726
727         mask = REG_KEY_ALL;
728         init_sec_ace(&ace[3],
729                      &global_sid_System,
730                      SEC_ACE_TYPE_ACCESS_ALLOWED,
731                      mask, inherit_flags);
732
733         mask = REG_KEY_ALL;
734         init_sec_ace(&ace[4],
735                      &global_sid_Builtin_Administrators,
736                      SEC_ACE_TYPE_ACCESS_ALLOWED,
737                      mask, inherit_flags);
738
739         mask = REG_KEY_READ;
740         init_sec_ace(&ace[5],
741                      sid ? sid : &global_sid_Authenticated_Users,
742                      SEC_ACE_TYPE_ACCESS_ALLOWED,
743                      mask, inherit_flags);
744
745         theacl = make_sec_acl(mem_ctx, NT4_ACL_REVISION, 6, ace);
746         W_ERROR_HAVE_NO_MEMORY(theacl);
747
748         *sd = make_sec_desc(mem_ctx, SD_REVISION,
749                             SEC_DESC_SELF_RELATIVE |
750                             SEC_DESC_DACL_AUTO_INHERITED | /* really ? */
751                             SEC_DESC_DACL_AUTO_INHERIT_REQ, /* really ? */
752                             NULL, NULL, NULL,
753                             theacl, sd_size);
754         W_ERROR_HAVE_NO_MEMORY(*sd);
755
756         return WERR_OK;
757 }
758
759 /****************************************************************
760 ****************************************************************/
761
762 WERROR gp_secure_key(TALLOC_CTX *mem_ctx,
763                      uint32_t flags,
764                      struct registry_key *key,
765                      const struct dom_sid *sid)
766 {
767         struct security_descriptor *sd = NULL;
768         size_t sd_size = 0;
769         const struct dom_sid *sd_sid = NULL;
770         WERROR werr;
771
772         if (!(flags & GPO_LIST_FLAG_MACHINE)) {
773                 sd_sid = sid;
774         }
775
776         werr = gp_reg_generate_sd(mem_ctx, sd_sid, &sd, &sd_size);
777         W_ERROR_NOT_OK_RETURN(werr);
778
779         return reg_setkeysecurity(key, sd);
780 }
781
782 /****************************************************************
783 ****************************************************************/
784
785 void dump_reg_val(int lvl, const char *direction,
786                   const char *key, const char *subkey,
787                   struct registry_value *val)
788 {
789         int i = 0;
790         const char *type_str = NULL;
791
792         if (!val) {
793                 DEBUG(lvl,("no val!\n"));
794                 return;
795         }
796
797         type_str = str_regtype(val->type);
798
799         DEBUG(lvl,("\tdump_reg_val:\t%s '%s'\n\t\t\t'%s' %s: ",
800                 direction, key, subkey, type_str));
801
802         switch (val->type) {
803                 case REG_DWORD: {
804                         uint32_t v;
805                         if (val->data.length < 4) {
806                                 break;
807                         }
808                         v = IVAL(val->data.data, 0);
809                         DEBUG(lvl,("%d (0x%08x)\n",
810                                 (int)v, v));
811                         break;
812                 }
813                 case REG_QWORD: {
814                         uint64_t v;
815                         if (val->data.length < 8) {
816                                 break;
817                         }
818                         v = BVAL(val->data.data, 0);
819                         DEBUG(lvl,("%d (0x%016llx)\n",
820                                 (int)v,
821                                 (unsigned long long)v));
822                         break;
823                 }
824                 case REG_SZ: {
825                         const char *s;
826                         if (!pull_reg_sz(talloc_tos(), &val->data, &s)) {
827                                 break;
828                         }
829                         DEBUG(lvl,("%s (length: %d)\n",
830                                    s, (int)strlen_m(s)));
831                         break;
832                 }
833                 case REG_MULTI_SZ: {
834                         const char **a;
835                         if (!pull_reg_multi_sz(talloc_tos(), &val->data, &a)) {
836                                 break;
837                         }
838                         for (i=0; a[i] != NULL; i++) {
839                                 ;;
840                         }
841                         DEBUG(lvl,("(num_strings: %d)\n", i));
842                         for (i=0; a[i] != NULL; i++) {
843                                 DEBUGADD(lvl,("\t%s\n", a[i]));
844                         }
845                         break;
846                 }
847                 case REG_NONE:
848                         DEBUG(lvl,("\n"));
849                         break;
850                 case REG_BINARY:
851                         dump_data(lvl, val->data.data,
852                                   val->data.length);
853                         break;
854                 default:
855                         DEBUG(lvl,("unsupported type: %d\n", val->type));
856                         break;
857         }
858 }
859
860 /****************************************************************
861 ****************************************************************/
862
863 void dump_reg_entry(uint32_t flags,
864                     const char *dir,
865                     struct gp_registry_entry *entry)
866 {
867         if (!(flags & GPO_INFO_FLAG_VERBOSE))
868                 return;
869
870         dump_reg_val(1, dir,
871                      entry->key,
872                      entry->value,
873                      entry->data);
874 }
875
876 /****************************************************************
877 ****************************************************************/
878
879 void dump_reg_entries(uint32_t flags,
880                       const char *dir,
881                       struct gp_registry_entry *entries,
882                       size_t num_entries)
883 {
884         size_t i;
885
886         if (!(flags & GPO_INFO_FLAG_VERBOSE))
887                 return;
888
889         for (i=0; i < num_entries; i++) {
890                 dump_reg_entry(flags, dir, &entries[i]);
891         }
892 }
893
894 /****************************************************************
895 ****************************************************************/
896
897 bool add_gp_registry_entry_to_array(TALLOC_CTX *mem_ctx,
898                                     struct gp_registry_entry *entry,
899                                     struct gp_registry_entry **entries,
900                                     size_t *num)
901 {
902         *entries = TALLOC_REALLOC_ARRAY(mem_ctx, *entries,
903                                         struct gp_registry_entry,
904                                         (*num)+1);
905
906         if (*entries == NULL) {
907                 *num = 0;
908                 return false;
909         }
910
911         (*entries)[*num].action = entry->action;
912         (*entries)[*num].key = entry->key;
913         (*entries)[*num].value = entry->value;
914         (*entries)[*num].data = entry->data;
915
916         *num += 1;
917         return true;
918 }
919
920 /****************************************************************
921 ****************************************************************/
922
923 static const char *gp_reg_action_str(enum gp_reg_action action)
924 {
925         switch (action) {
926                 case GP_REG_ACTION_NONE:
927                         return "GP_REG_ACTION_NONE";
928                 case GP_REG_ACTION_ADD_VALUE:
929                         return "GP_REG_ACTION_ADD_VALUE";
930                 case GP_REG_ACTION_ADD_KEY:
931                         return "GP_REG_ACTION_ADD_KEY";
932                 case GP_REG_ACTION_DEL_VALUES:
933                         return "GP_REG_ACTION_DEL_VALUES";
934                 case GP_REG_ACTION_DEL_VALUE:
935                         return "GP_REG_ACTION_DEL_VALUE";
936                 case GP_REG_ACTION_DEL_ALL_VALUES:
937                         return "GP_REG_ACTION_DEL_ALL_VALUES";
938                 case GP_REG_ACTION_DEL_KEYS:
939                         return "GP_REG_ACTION_DEL_KEYS";
940                 case GP_REG_ACTION_SEC_KEY_SET:
941                         return "GP_REG_ACTION_SEC_KEY_SET";
942                 case GP_REG_ACTION_SEC_KEY_RESET:
943                         return "GP_REG_ACTION_SEC_KEY_RESET";
944                 default:
945                         return "unknown";
946         }
947 }
948
949 /****************************************************************
950 ****************************************************************/
951
952 WERROR reg_apply_registry_entry(TALLOC_CTX *mem_ctx,
953                                 struct registry_key *root_key,
954                                 struct gp_registry_context *reg_ctx,
955                                 struct gp_registry_entry *entry,
956                                 const struct security_token *token,
957                                 uint32_t flags)
958 {
959         WERROR werr;
960         struct registry_key *key = NULL;
961
962         if (flags & GPO_INFO_FLAG_VERBOSE) {
963                 printf("about to store key:    [%s]\n", entry->key);
964                 printf("               value:  [%s]\n", entry->value);
965                 printf("               data:   [%s]\n", str_regtype(entry->data->type));
966                 printf("               action: [%s]\n", gp_reg_action_str(entry->action));
967         }
968
969         werr = gp_store_reg_subkey(mem_ctx, entry->key,
970                                    root_key, &key);
971                                    /* reg_ctx->curr_key, &key); */
972         if (!W_ERROR_IS_OK(werr)) {
973                 DEBUG(0,("gp_store_reg_subkey failed: %s\n", win_errstr(werr)));
974                 return werr;
975         }
976
977         switch (entry->action) {
978                 case GP_REG_ACTION_NONE:
979                 case GP_REG_ACTION_ADD_KEY:
980                         return WERR_OK;
981
982                 case GP_REG_ACTION_SEC_KEY_SET:
983                         werr = gp_secure_key(mem_ctx, flags,
984                                              key,
985                                              &token->sids[0]);
986                         if (!W_ERROR_IS_OK(werr)) {
987                                 DEBUG(0,("reg_apply_registry_entry: "
988                                         "gp_secure_key failed: %s\n",
989                                         win_errstr(werr)));
990                                 return werr;
991                         }
992                         break;
993                 case GP_REG_ACTION_ADD_VALUE:
994                         werr = reg_setvalue(key, entry->value, entry->data);
995                         if (!W_ERROR_IS_OK(werr)) {
996                                 DEBUG(0,("reg_apply_registry_entry: "
997                                         "reg_setvalue failed: %s\n",
998                                         win_errstr(werr)));
999                                 dump_reg_entry(flags, "STORE", entry);
1000                                 return werr;
1001                         }
1002                         break;
1003                 case GP_REG_ACTION_DEL_VALUE:
1004                         werr = reg_deletevalue(key, entry->value);
1005                         if (!W_ERROR_IS_OK(werr)) {
1006                                 DEBUG(0,("reg_apply_registry_entry: "
1007                                         "reg_deletevalue failed: %s\n",
1008                                         win_errstr(werr)));
1009                                 dump_reg_entry(flags, "STORE", entry);
1010                                 return werr;
1011                         }
1012                         break;
1013                 case GP_REG_ACTION_DEL_ALL_VALUES:
1014                         werr = reg_deleteallvalues(key);
1015                         if (!W_ERROR_IS_OK(werr)) {
1016                                 DEBUG(0,("reg_apply_registry_entry: "
1017                                         "reg_deleteallvalues failed: %s\n",
1018                                         win_errstr(werr)));
1019                                 dump_reg_entry(flags, "STORE", entry);
1020                                 return werr;
1021                         }
1022                         break;
1023                 case GP_REG_ACTION_DEL_VALUES:
1024                 case GP_REG_ACTION_DEL_KEYS:
1025                 case GP_REG_ACTION_SEC_KEY_RESET:
1026                         DEBUG(0,("reg_apply_registry_entry: "
1027                                 "not yet supported: %s (%d)\n",
1028                                 gp_reg_action_str(entry->action),
1029                                 entry->action));
1030                         return WERR_NOT_SUPPORTED;
1031                 default:
1032                         DEBUG(0,("invalid action: %d\n", entry->action));
1033                         return WERR_INVALID_PARAM;
1034         }
1035
1036         return werr;
1037 }
1038