source4/libcli/security/security_descriptor.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    security descriptror utility functions
   5
   6    Copyright (C) Andrew Tridgell                2004
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20 */
  21
  22 #include "includes.h"
  23 #include "libcli/security/security.h"
  24
  25 /*
  26   return a blank security descriptor (no owners, dacl or sacl)
  27 */
  28 struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx)
  29 {
  30         struct security_descriptor *sd;
  31
  32         sd = talloc(mem_ctx, struct security_descriptor);
  33         if (!sd) {
  34                 return NULL;
  35         }
  36
  37         sd->revision = SD_REVISION;
  38         /* we mark as self relative, even though it isn't while it remains
  39            a pointer in memory because this simplifies the ndr code later.
  40            All SDs that we store/emit are in fact SELF_RELATIVE
  41         */
  42         sd->type = SEC_DESC_SELF_RELATIVE;
  43
  44         sd->owner_sid = NULL;
  45         sd->group_sid = NULL;
  46         sd->sacl = NULL;
  47         sd->dacl = NULL;
  48
  49         return sd;
  50 }
  51
  52 static struct security_acl *security_acl_dup(TALLOC_CTX *mem_ctx,
  53                                              const struct security_acl *oacl)
  54 {
  55         struct security_acl *nacl;
  56         int i;
  57
  58         nacl = talloc (mem_ctx, struct security_acl);
  59         if (nacl == NULL) {
  60                 return NULL;
  61         }
  62
  63         nacl->aces = (struct security_ace *)talloc_memdup (nacl, oacl->aces, sizeof(struct security_ace) * oacl->num_aces);
  64         if ((nacl->aces == NULL) && (oacl->num_aces > 0)) {
  65                 goto failed;
  66         }
  67
  68         /* remapping array in trustee dom_sid from old acl to new acl */
  69
  70         for (i = 0; i < oacl->num_aces; i++) {
  71                 nacl->aces[i].trustee.sub_auths =
  72                         (uint32_t *)talloc_memdup(nacl->aces, nacl->aces[i].trustee.sub_auths,
  73                                       sizeof(uint32_t) * nacl->aces[i].trustee.num_auths);
  74
  75                 if ((nacl->aces[i].trustee.sub_auths == NULL) && (nacl->aces[i].trustee.num_auths > 0)) {
  76                         goto failed;
  77                 }
  78         }
  79
  80         nacl->revision = oacl->revision;
  81         nacl->size = oacl->size;
  82         nacl->num_aces = oacl->num_aces;
  83
  84         return nacl;
  85
  86  failed:
  87         talloc_free (nacl);
  88         return NULL;
  89
  90 }
  91
  92 /*
  93    talloc and copy a security descriptor
  94  */
  95 struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx,
  96                                                      const struct security_descriptor *osd)
  97 {
  98         struct security_descriptor *nsd;
  99
 100         nsd = talloc_zero(mem_ctx, struct security_descriptor);
 101         if (!nsd) {
 102                 return NULL;
 103         }
 104
 105         if (osd->owner_sid) {
 106                 nsd->owner_sid = dom_sid_dup(nsd, osd->owner_sid);
 107                 if (nsd->owner_sid == NULL) {
 108                         goto failed;
 109                 }
 110         }
 111
 112         if (osd->group_sid) {
 113                 nsd->group_sid = dom_sid_dup(nsd, osd->group_sid);
 114                 if (nsd->group_sid == NULL) {
 115                         goto failed;
 116                 }
 117         }
 118
 119         if (osd->sacl) {
 120                 nsd->sacl = security_acl_dup(nsd, osd->sacl);
 121                 if (nsd->sacl == NULL) {
 122                         goto failed;
 123                 }
 124         }
 125
 126         if (osd->dacl) {
 127                 nsd->dacl = security_acl_dup(nsd, osd->dacl);
 128                 if (nsd->dacl == NULL) {
 129                         goto failed;
 130                 }
 131         }
 132
 133         return nsd;
 134
 135  failed:
 136         talloc_free(nsd);
 137
 138         return NULL;
 139 }
 140
 141 /*
 142   add an ACE to the DACL of a security_descriptor
 143 */
 144 NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
 145                                       const struct security_ace *ace)
 146 {
 147         if (sd->dacl == NULL) {
 148                 sd->dacl = talloc(sd, struct security_acl);
 149                 if (sd->dacl == NULL) {
 150                         return NT_STATUS_NO_MEMORY;
 151                 }
 152                 sd->dacl->revision = SECURITY_ACL_REVISION_NT4;
 153                 sd->dacl->size     = 0;
 154                 sd->dacl->num_aces = 0;
 155                 sd->dacl->aces     = NULL;
 156         }
 157
 158         sd->dacl->aces = talloc_realloc(sd->dacl, sd->dacl->aces,
 159                                           struct security_ace, sd->dacl->num_aces+1);
 160         if (sd->dacl->aces == NULL) {
 161                 return NT_STATUS_NO_MEMORY;
 162         }
 163
 164         sd->dacl->aces[sd->dacl->num_aces] = *ace;
 165         sd->dacl->aces[sd->dacl->num_aces].trustee.sub_auths =
 166                 (uint32_t *)talloc_memdup(sd->dacl->aces,
 167                               sd->dacl->aces[sd->dacl->num_aces].trustee.sub_auths,
 168                               sizeof(uint32_t) *
 169                               sd->dacl->aces[sd->dacl->num_aces].trustee.num_auths);
 170         if (sd->dacl->aces[sd->dacl->num_aces].trustee.sub_auths == NULL) {
 171                 return NT_STATUS_NO_MEMORY;
 172         }
 173
 174         switch (sd->dacl->aces[sd->dacl->num_aces].type) {
 175         case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
 176         case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
 177         case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
 178         case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
 179                 sd->dacl->revision = SECURITY_ACL_REVISION_ADS;
 180                 break;
 181         default:
 182                 break;
 183         }
 184
 185         sd->dacl->num_aces++;
 186
 187         sd->type |= SEC_DESC_DACL_PRESENT;
 188
 189         return NT_STATUS_OK;
 190 }
 191
 192
 193 /*
 194   delete the ACE corresponding to the given trustee in the DACL of a security_descriptor
 195 */
 196 NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd,
 197                                       struct dom_sid *trustee)
 198 {
 199         int i;
 200         bool found = false;
 201
 202         if (sd->dacl == NULL) {
 203                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
 204         }
 205
 206         /* there can be multiple ace's for one trustee */
 207         for (i=0;i<sd->dacl->num_aces;i++) {
 208                 if (dom_sid_equal(trustee, &sd->dacl->aces[i].trustee)) {
 209                         memmove(&sd->dacl->aces[i], &sd->dacl->aces[i+1],
 210                                 sizeof(sd->dacl->aces[i]) * (sd->dacl->num_aces - (i+1)));
 211                         sd->dacl->num_aces--;
 212                         if (sd->dacl->num_aces == 0) {
 213                                 sd->dacl->aces = NULL;
 214                         }
 215                         found = true;
 216                 }
 217         }
 218
 219         if (!found) {
 220                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
 221         }
 222
 223         sd->dacl->revision = SECURITY_ACL_REVISION_NT4;
 224
 225         for (i=0;i<sd->dacl->num_aces;i++) {
 226                 switch (sd->dacl->aces[i].type) {
 227                 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
 228                 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
 229                 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
 230                 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
 231                         sd->dacl->revision = SECURITY_ACL_REVISION_ADS;
 232                         return NT_STATUS_OK;
 233                 default:
 234                         break; /* only for the switch statement */
 235                 }
 236         }
 237
 238         return NT_STATUS_OK;
 239 }
 240
 241
 242 /*
 243   compare two security ace structures
 244 */
 245 bool security_ace_equal(const struct security_ace *ace1,
 246                         const struct security_ace *ace2)
 247 {
 248         if (ace1 == ace2) return true;
 249         if (!ace1 || !ace2) return false;
 250         if (ace1->type != ace2->type) return false;
 251         if (ace1->flags != ace2->flags) return false;
 252         if (ace1->access_mask != ace2->access_mask) return false;
 253         if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) return false;
 254
 255         return true;
 256 }
 257
 258
 259 /*
 260   compare two security acl structures
 261 */
 262 bool security_acl_equal(const struct security_acl *acl1,
 263                         const struct security_acl *acl2)
 264 {
 265         int i;
 266
 267         if (acl1 == acl2) return true;
 268         if (!acl1 || !acl2) return false;
 269         if (acl1->revision != acl2->revision) return false;
 270         if (acl1->num_aces != acl2->num_aces) return false;
 271
 272         for (i=0;i<acl1->num_aces;i++) {
 273                 if (!security_ace_equal(&acl1->aces[i], &acl2->aces[i])) return false;
 274         }
 275         return true;
 276 }
 277
 278 /*
 279   compare two security descriptors.
 280 */
 281 bool security_descriptor_equal(const struct security_descriptor *sd1,
 282                                const struct security_descriptor *sd2)
 283 {
 284         if (sd1 == sd2) return true;
 285         if (!sd1 || !sd2) return false;
 286         if (sd1->revision != sd2->revision) return false;
 287         if (sd1->type != sd2->type) return false;
 288
 289         if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
 290         if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
 291         if (!security_acl_equal(sd1->sacl, sd2->sacl))      return false;
 292         if (!security_acl_equal(sd1->dacl, sd2->dacl))      return false;
 293
 294         return true;
 295 }
 296
 297 /*
 298   compare two security descriptors, but allow certain (missing) parts
 299   to be masked out of the comparison
 300 */
 301 bool security_descriptor_mask_equal(const struct security_descriptor *sd1,
 302                                     const struct security_descriptor *sd2,
 303                                     uint32_t mask)
 304 {
 305         if (sd1 == sd2) return true;
 306         if (!sd1 || !sd2) return false;
 307         if (sd1->revision != sd2->revision) return false;
 308         if ((sd1->type & mask) != (sd2->type & mask)) return false;
 309
 310         if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
 311         if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
 312         if ((mask & SEC_DESC_DACL_PRESENT) && !security_acl_equal(sd1->dacl, sd2->dacl))      return false;
 313         if ((mask & SEC_DESC_SACL_PRESENT) && !security_acl_equal(sd1->sacl, sd2->sacl))      return false;
 314
 315         return true;
 316 }
 317
 318
 319 /*
 320   create a security descriptor using string SIDs. This is used by the
 321   torture code to allow the easy creation of complex ACLs
 322   This is a varargs function. The list of DACL ACEs ends with a NULL sid.
 323
 324   Each ACE contains a set of 4 parameters:
 325   SID, ACCESS_TYPE, MASK, FLAGS
 326
 327   a typical call would be:
 328
 329     sd = security_descriptor_create(mem_ctx,
 330                                     mysid,
 331                                     mygroup,
 332                                     SID_NT_AUTHENTICATED_USERS,
 333                                     SEC_ACE_TYPE_ACCESS_ALLOWED,
 334                                     SEC_FILE_ALL,
 335                                     SEC_ACE_FLAG_OBJECT_INHERIT,
 336                                     NULL);
 337   that would create a sd with one DACL ACE
 338 */
 339 struct security_descriptor *security_descriptor_create(TALLOC_CTX *mem_ctx,
 340                                                        const char *owner_sid,
 341                                                        const char *group_sid,
 342                                                        ...)
 343 {
 344         va_list ap;
 345         struct security_descriptor *sd;
 346         const char *sidstr;
 347
 348         sd = security_descriptor_initialise(mem_ctx);
 349         if (sd == NULL) return NULL;
 350
 351         if (owner_sid) {
 352                 sd->owner_sid = dom_sid_parse_talloc(sd, owner_sid);
 353                 if (sd->owner_sid == NULL) {
 354                         talloc_free(sd);
 355                         return NULL;
 356                 }
 357         }
 358         if (group_sid) {
 359                 sd->group_sid = dom_sid_parse_talloc(sd, group_sid);
 360                 if (sd->group_sid == NULL) {
 361                         talloc_free(sd);
 362                         return NULL;
 363                 }
 364         }
 365
 366         va_start(ap, group_sid);
 367         while ((sidstr = va_arg(ap, const char *))) {
 368                 struct dom_sid *sid;
 369                 struct security_ace *ace = talloc(sd, struct security_ace);
 370                 NTSTATUS status;
 371
 372                 if (ace == NULL) {
 373                         talloc_free(sd);
 374                         va_end(ap);
 375                         return NULL;
 376                 }
 377                 ace->type = va_arg(ap, unsigned int);
 378                 ace->access_mask = va_arg(ap, unsigned int);
 379                 ace->flags = va_arg(ap, unsigned int);
 380                 sid = dom_sid_parse_talloc(ace, sidstr);
 381                 if (sid == NULL) {
 382                         va_end(ap);
 383                         talloc_free(sd);
 384                         return NULL;
 385                 }
 386                 ace->trustee = *sid;
 387                 status = security_descriptor_dacl_add(sd, ace);
 388                 /* TODO: check: would talloc_free(ace) here be correct? */
 389                 if (!NT_STATUS_IS_OK(status)) {
 390                         va_end(ap);
 391                         talloc_free(sd);
 392                         return NULL;
 393                 }
 394         }
 395         va_end(ap);
 396
 397         return sd;
 398 }