2 Unix SMB/CIFS implementation.
4 security descriptor description language functions
6 Copyright (C) Andrew Tridgell 2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libcli/security/security.h"
24 #include "librpc/gen_ndr/ndr_misc.h"
25 #include "system/locale.h"
33 map a series of letter codes into a uint32_t
35 static bool sddl_map_flags(const struct flag_map
*map
, const char *str
,
36 uint32_t *flags
, size_t *len
)
38 const char *str0
= str
;
41 while (str
[0] && isupper(str
[0])) {
43 for (i
=0;map
[i
].name
;i
++) {
44 size_t l
= strlen(map
[i
].name
);
45 if (strncmp(map
[i
].name
, str
, l
) == 0) {
46 *flags
|= map
[i
].flag
;
52 if (map
[i
].name
== NULL
) {
53 DEBUG(1, ("Unknown flag - %s in %s\n", str
, str0
));
61 a mapping between the 2 letter SID codes and sid strings
68 { "AO", SID_BUILTIN_ACCOUNT_OPERATORS
},
69 { "BA", SID_BUILTIN_ADMINISTRATORS
},
70 { "RU", SID_BUILTIN_PREW2K
},
71 { "PO", SID_BUILTIN_PRINT_OPERATORS
},
72 { "RS", SID_BUILTIN_RAS_SERVERS
},
74 { "AU", SID_NT_AUTHENTICATED_USERS
},
75 { "SY", SID_NT_SYSTEM
},
76 { "PS", SID_NT_SELF
},
78 { "ED", SID_NT_ENTERPRISE_DCS
},
80 { "CO", SID_CREATOR_OWNER
},
81 { "CG", SID_CREATOR_GROUP
},
83 { "AN", SID_NT_ANONYMOUS
},
84 { "BG", SID_BUILTIN_GUESTS
},
85 { "BO", SID_BUILTIN_BACKUP_OPERATORS
},
86 { "BU", SID_BUILTIN_USERS
},
87 { "IU", SID_NT_INTERACTIVE
},
88 { "LS", SID_NT_LOCAL_SERVICE
},
89 { "NO", SID_BUILTIN_NETWORK_CONF_OPERATORS
},
90 { "NS", SID_NT_NETWORK_SERVICE
},
91 { "NU", SID_NT_NETWORK
},
92 { "PU", SID_BUILTIN_POWER_USERS
},
93 { "RC", SID_NT_RESTRICTED
},
94 { "RD", SID_BUILTIN_REMOTE_DESKTOP_USERS
},
95 { "RE", SID_BUILTIN_REPLICATOR
},
96 { "SO", SID_BUILTIN_ACCOUNT_OPERATORS
},
97 { "SU", SID_NT_SERVICE
},
99 { "DA", NULL
, DOMAIN_RID_ADMINS
},
100 { "EA", NULL
, DOMAIN_RID_ENTERPRISE_ADMINS
},
101 { "DD", NULL
, DOMAIN_RID_DCS
},
102 { "DU", NULL
, DOMAIN_RID_USERS
},
103 { "CA", NULL
, DOMAIN_RID_CERT_ADMINS
},
105 { "DC", NULL
, DOMAIN_RID_DOMAIN_MEMBERS
},
106 { "DG", NULL
, DOMAIN_RID_GUESTS
},
107 { "LA", NULL
, DOMAIN_RID_ADMINISTRATOR
},
108 { "LG", NULL
, DOMAIN_RID_GUEST
},
109 { "PA", NULL
, DOMAIN_RID_POLICY_ADMINS
},
110 { "SA", NULL
, DOMAIN_RID_SCHEMA_ADMINS
},
115 It can either be a special 2 letter code, or in S-* format
117 static struct dom_sid
*sddl_decode_sid(TALLOC_CTX
*mem_ctx
, const char **sddlp
,
118 const struct dom_sid
*domain_sid
)
120 const char *sddl
= (*sddlp
);
123 /* see if its in the numeric format */
124 if (strncmp(sddl
, "S-", 2) == 0) {
127 size_t len
= strspn(sddl
+2, "-0123456789");
128 sid_str
= talloc_strndup(mem_ctx
, sddl
, len
+2);
133 sid
= dom_sid_parse_talloc(mem_ctx
, sid_str
);
134 talloc_free(sid_str
);
138 /* now check for one of the special codes */
139 for (i
=0;i
<ARRAY_SIZE(sid_codes
);i
++) {
140 if (strncmp(sid_codes
[i
].code
, sddl
, 2) == 0) break;
142 if (i
== ARRAY_SIZE(sid_codes
)) {
143 DEBUG(1,("Unknown sddl sid code '%2.2s'\n", sddl
));
149 if (sid_codes
[i
].sid
== NULL
) {
150 return dom_sid_add_rid(mem_ctx
, domain_sid
, sid_codes
[i
].rid
);
153 return dom_sid_parse_talloc(mem_ctx
, sid_codes
[i
].sid
);
156 static const struct flag_map ace_types
[] = {
157 { "AU", SEC_ACE_TYPE_SYSTEM_AUDIT
},
158 { "AL", SEC_ACE_TYPE_SYSTEM_ALARM
},
159 { "OA", SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
},
160 { "OD", SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
},
161 { "OU", SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT
},
162 { "OL", SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT
},
163 { "A", SEC_ACE_TYPE_ACCESS_ALLOWED
},
164 { "D", SEC_ACE_TYPE_ACCESS_DENIED
},
168 static const struct flag_map ace_flags
[] = {
169 { "OI", SEC_ACE_FLAG_OBJECT_INHERIT
},
170 { "CI", SEC_ACE_FLAG_CONTAINER_INHERIT
},
171 { "NP", SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
},
172 { "IO", SEC_ACE_FLAG_INHERIT_ONLY
},
173 { "ID", SEC_ACE_FLAG_INHERITED_ACE
},
174 { "SA", SEC_ACE_FLAG_SUCCESSFUL_ACCESS
},
175 { "FA", SEC_ACE_FLAG_FAILED_ACCESS
},
179 static const struct flag_map ace_access_mask
[] = {
180 { "RP", SEC_ADS_READ_PROP
},
181 { "WP", SEC_ADS_WRITE_PROP
},
182 { "CR", SEC_ADS_CONTROL_ACCESS
},
183 { "CC", SEC_ADS_CREATE_CHILD
},
184 { "DC", SEC_ADS_DELETE_CHILD
},
185 { "LC", SEC_ADS_LIST
},
186 { "LO", SEC_ADS_LIST_OBJECT
},
187 { "RC", SEC_STD_READ_CONTROL
},
188 { "WO", SEC_STD_WRITE_OWNER
},
189 { "WD", SEC_STD_WRITE_DAC
},
190 { "SD", SEC_STD_DELETE
},
191 { "DT", SEC_ADS_DELETE_TREE
},
192 { "SW", SEC_ADS_SELF_WRITE
},
193 { "GA", SEC_GENERIC_ALL
},
194 { "GR", SEC_GENERIC_READ
},
195 { "GW", SEC_GENERIC_WRITE
},
196 { "GX", SEC_GENERIC_EXECUTE
},
202 return true on success, false on failure
203 note that this routine modifies the string
205 static bool sddl_decode_ace(TALLOC_CTX
*mem_ctx
, struct security_ace
*ace
, char *str
,
206 const struct dom_sid
*domain_sid
)
216 /* parse out the 6 tokens */
219 char *ptr
= strchr(str
, ';');
220 if (ptr
== NULL
) return false;
227 if (!sddl_map_flags(ace_types
, tok
[0], &v
, NULL
)) {
233 if (!sddl_map_flags(ace_flags
, tok
[1], &v
, NULL
)) {
239 if (strncmp(tok
[2], "0x", 2) == 0) {
240 ace
->access_mask
= strtol(tok
[2], NULL
, 16);
242 if (!sddl_map_flags(ace_access_mask
, tok
[2], &v
, NULL
)) {
245 ace
->access_mask
= v
;
249 if (tok
[3][0] != 0) {
250 NTSTATUS status
= GUID_from_string(tok
[3],
251 &ace
->object
.object
.type
.type
);
252 if (!NT_STATUS_IS_OK(status
)) {
255 ace
->object
.object
.flags
|= SEC_ACE_OBJECT_TYPE_PRESENT
;
259 if (tok
[4][0] != 0) {
260 NTSTATUS status
= GUID_from_string(tok
[4],
261 &ace
->object
.object
.inherited_type
.inherited_type
);
262 if (!NT_STATUS_IS_OK(status
)) {
265 ace
->object
.object
.flags
|= SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
;
270 sid
= sddl_decode_sid(mem_ctx
, &s
, domain_sid
);
280 static const struct flag_map acl_flags
[] = {
281 { "P", SEC_DESC_DACL_PROTECTED
},
282 { "AR", SEC_DESC_DACL_AUTO_INHERIT_REQ
},
283 { "AI", SEC_DESC_DACL_AUTO_INHERITED
},
290 static struct security_acl
*sddl_decode_acl(struct security_descriptor
*sd
,
291 const char **sddlp
, uint32_t *flags
,
292 const struct dom_sid
*domain_sid
)
294 const char *sddl
= *sddlp
;
295 struct security_acl
*acl
;
300 acl
= talloc_zero(sd
, struct security_acl
);
301 if (acl
== NULL
) return NULL
;
302 acl
->revision
= SECURITY_ACL_REVISION_NT4
;
304 if (isupper(sddl
[0]) && sddl
[1] == ':') {
305 /* its an empty ACL */
309 /* work out the ACL flags */
310 if (!sddl_map_flags(acl_flags
, sddl
, flags
, &len
)) {
317 while (*sddl
== '(') {
319 len
= strcspn(sddl
+1, ")");
320 astr
= talloc_strndup(acl
, sddl
+1, len
);
321 if (astr
== NULL
|| sddl
[len
+1] != ')') {
325 acl
->aces
= talloc_realloc(acl
, acl
->aces
, struct security_ace
,
327 if (acl
->aces
== NULL
) {
331 if (!sddl_decode_ace(acl
->aces
, &acl
->aces
[acl
->num_aces
],
336 switch (acl
->aces
[acl
->num_aces
].type
) {
337 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
:
338 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
:
339 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT
:
340 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT
:
341 acl
->revision
= SECURITY_ACL_REVISION_ADS
;
356 decode a security descriptor in SDDL format
358 struct security_descriptor
*sddl_decode(TALLOC_CTX
*mem_ctx
, const char *sddl
,
359 const struct dom_sid
*domain_sid
)
361 struct security_descriptor
*sd
;
362 sd
= talloc_zero(mem_ctx
, struct security_descriptor
);
364 sd
->revision
= SECURITY_DESCRIPTOR_REVISION_1
;
365 sd
->type
= SEC_DESC_SELF_RELATIVE
;
370 if (sddl
[1] != ':') goto failed
;
375 if (sd
->dacl
!= NULL
) goto failed
;
376 sd
->dacl
= sddl_decode_acl(sd
, &sddl
, &flags
, domain_sid
);
377 if (sd
->dacl
== NULL
) goto failed
;
378 sd
->type
|= flags
| SEC_DESC_DACL_PRESENT
;
381 if (sd
->sacl
!= NULL
) goto failed
;
382 sd
->sacl
= sddl_decode_acl(sd
, &sddl
, &flags
, domain_sid
);
383 if (sd
->sacl
== NULL
) goto failed
;
384 /* this relies on the SEC_DESC_SACL_* flags being
385 1 bit shifted from the SEC_DESC_DACL_* flags */
386 sd
->type
|= (flags
<<1) | SEC_DESC_SACL_PRESENT
;
389 if (sd
->owner_sid
!= NULL
) goto failed
;
390 sd
->owner_sid
= sddl_decode_sid(sd
, &sddl
, domain_sid
);
391 if (sd
->owner_sid
== NULL
) goto failed
;
394 if (sd
->group_sid
!= NULL
) goto failed
;
395 sd
->group_sid
= sddl_decode_sid(sd
, &sddl
, domain_sid
);
396 if (sd
->group_sid
== NULL
) goto failed
;
404 DEBUG(2,("Badly formatted SDDL '%s'\n", sddl
));
410 turn a set of flags into a string
412 static char *sddl_flags_to_string(TALLOC_CTX
*mem_ctx
, const struct flag_map
*map
,
413 uint32_t flags
, bool check_all
)
418 /* try to find an exact match */
419 for (i
=0;map
[i
].name
;i
++) {
420 if (map
[i
].flag
== flags
) {
421 return talloc_strdup(mem_ctx
, map
[i
].name
);
425 s
= talloc_strdup(mem_ctx
, "");
428 for (i
=0;map
[i
].name
;i
++) {
429 if ((flags
& map
[i
].flag
) != 0) {
430 s
= talloc_asprintf_append_buffer(s
, "%s", map
[i
].name
);
431 if (s
== NULL
) goto failed
;
432 flags
&= ~map
[i
].flag
;
436 if (check_all
&& flags
!= 0) {
448 encode a sid in SDDL format
450 static char *sddl_encode_sid(TALLOC_CTX
*mem_ctx
, const struct dom_sid
*sid
,
451 const struct dom_sid
*domain_sid
)
456 sidstr
= dom_sid_string(mem_ctx
, sid
);
457 if (sidstr
== NULL
) return NULL
;
459 /* seen if its a well known sid */
460 for (i
=0;sid_codes
[i
].sid
;i
++) {
461 if (strcmp(sidstr
, sid_codes
[i
].sid
) == 0) {
463 return talloc_strdup(mem_ctx
, sid_codes
[i
].code
);
467 /* or a well known rid in our domain */
468 if (dom_sid_in_domain(domain_sid
, sid
)) {
469 uint32_t rid
= sid
->sub_auths
[sid
->num_auths
-1];
470 for (;i
<ARRAY_SIZE(sid_codes
);i
++) {
471 if (rid
== sid_codes
[i
].rid
) {
473 return talloc_strdup(mem_ctx
, sid_codes
[i
].code
);
480 /* TODO: encode well known sids as two letter codes */
481 return dom_sid_string(mem_ctx
, sid
);
486 encode an ACE in SDDL format
488 static char *sddl_encode_ace(TALLOC_CTX
*mem_ctx
, const struct security_ace
*ace
,
489 const struct dom_sid
*domain_sid
)
493 const char *s_type
="", *s_flags
="", *s_mask
="",
494 *s_object
="", *s_iobject
="", *s_trustee
="";
496 tmp_ctx
= talloc_new(mem_ctx
);
497 if (tmp_ctx
== NULL
) {
498 DEBUG(0, ("talloc_new failed\n"));
502 s_type
= sddl_flags_to_string(tmp_ctx
, ace_types
, ace
->type
, true);
503 if (s_type
== NULL
) goto failed
;
505 s_flags
= sddl_flags_to_string(tmp_ctx
, ace_flags
, ace
->flags
, true);
506 if (s_flags
== NULL
) goto failed
;
508 s_mask
= sddl_flags_to_string(tmp_ctx
, ace_access_mask
, ace
->access_mask
, true);
509 if (s_mask
== NULL
) {
510 s_mask
= talloc_asprintf(tmp_ctx
, "0x%08x", ace
->access_mask
);
511 if (s_mask
== NULL
) goto failed
;
514 if (ace
->type
== SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
||
515 ace
->type
== SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
||
516 ace
->type
== SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT
||
517 ace
->type
== SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT
) {
518 if (ace
->object
.object
.flags
& SEC_ACE_OBJECT_TYPE_PRESENT
) {
519 s_object
= GUID_string(tmp_ctx
, &ace
->object
.object
.type
.type
);
520 if (s_object
== NULL
) goto failed
;
523 if (ace
->object
.object
.flags
& SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
) {
524 s_iobject
= GUID_string(tmp_ctx
, &ace
->object
.object
.inherited_type
.inherited_type
);
525 if (s_iobject
== NULL
) goto failed
;
529 s_trustee
= sddl_encode_sid(tmp_ctx
, &ace
->trustee
, domain_sid
);
530 if (s_trustee
== NULL
) goto failed
;
532 sddl
= talloc_asprintf(mem_ctx
, "%s;%s;%s;%s;%s;%s",
533 s_type
, s_flags
, s_mask
, s_object
, s_iobject
, s_trustee
);
536 talloc_free(tmp_ctx
);
541 encode an ACL in SDDL format
543 static char *sddl_encode_acl(TALLOC_CTX
*mem_ctx
, const struct security_acl
*acl
,
544 uint32_t flags
, const struct dom_sid
*domain_sid
)
549 /* add any ACL flags */
550 sddl
= sddl_flags_to_string(mem_ctx
, acl_flags
, flags
, false);
551 if (sddl
== NULL
) goto failed
;
553 /* now the ACEs, encoded in braces */
554 for (i
=0;i
<acl
->num_aces
;i
++) {
555 char *ace
= sddl_encode_ace(sddl
, &acl
->aces
[i
], domain_sid
);
556 if (ace
== NULL
) goto failed
;
557 sddl
= talloc_asprintf_append_buffer(sddl
, "(%s)", ace
);
558 if (sddl
== NULL
) goto failed
;
571 encode a security descriptor to SDDL format
573 char *sddl_encode(TALLOC_CTX
*mem_ctx
, const struct security_descriptor
*sd
,
574 const struct dom_sid
*domain_sid
)
579 /* start with a blank string */
580 sddl
= talloc_strdup(mem_ctx
, "");
581 if (sddl
== NULL
) goto failed
;
583 tmp_ctx
= talloc_new(mem_ctx
);
585 if (sd
->owner_sid
!= NULL
) {
586 char *sid
= sddl_encode_sid(tmp_ctx
, sd
->owner_sid
, domain_sid
);
587 if (sid
== NULL
) goto failed
;
588 sddl
= talloc_asprintf_append_buffer(sddl
, "O:%s", sid
);
589 if (sddl
== NULL
) goto failed
;
592 if (sd
->group_sid
!= NULL
) {
593 char *sid
= sddl_encode_sid(tmp_ctx
, sd
->group_sid
, domain_sid
);
594 if (sid
== NULL
) goto failed
;
595 sddl
= talloc_asprintf_append_buffer(sddl
, "G:%s", sid
);
596 if (sddl
== NULL
) goto failed
;
599 if ((sd
->type
& SEC_DESC_DACL_PRESENT
) && sd
->dacl
!= NULL
) {
600 char *acl
= sddl_encode_acl(tmp_ctx
, sd
->dacl
, sd
->type
, domain_sid
);
601 if (acl
== NULL
) goto failed
;
602 sddl
= talloc_asprintf_append_buffer(sddl
, "D:%s", acl
);
603 if (sddl
== NULL
) goto failed
;
606 if ((sd
->type
& SEC_DESC_SACL_PRESENT
) && sd
->sacl
!= NULL
) {
607 char *acl
= sddl_encode_acl(tmp_ctx
, sd
->sacl
, sd
->type
>>1, domain_sid
);
608 if (acl
== NULL
) goto failed
;
609 sddl
= talloc_asprintf_append_buffer(sddl
, "S:%s", acl
);
610 if (sddl
== NULL
) goto failed
;
613 talloc_free(tmp_ctx
);