2 Unix SMB/CIFS implementation.
4 security descriptror utility functions
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libcli/security/security.h"
26 return a blank security descriptor (no owners, dacl or sacl)
28 struct security_descriptor
*security_descriptor_initialise(TALLOC_CTX
*mem_ctx
)
30 struct security_descriptor
*sd
;
32 sd
= talloc(mem_ctx
, struct security_descriptor
);
37 sd
->revision
= SD_REVISION
;
38 /* we mark as self relative, even though it isn't while it remains
39 a pointer in memory because this simplifies the ndr code later.
40 All SDs that we store/emit are in fact SELF_RELATIVE
42 sd
->type
= SEC_DESC_SELF_RELATIVE
;
52 struct security_acl
*security_acl_dup(TALLOC_CTX
*mem_ctx
,
53 const struct security_acl
*oacl
)
55 struct security_acl
*nacl
;
61 if (oacl
->aces
== NULL
&& oacl
->num_aces
> 0) {
65 nacl
= talloc (mem_ctx
, struct security_acl
);
70 *nacl
= (struct security_acl
) {
71 .revision
= oacl
->revision
,
73 .num_aces
= oacl
->num_aces
,
75 if (nacl
->num_aces
== 0) {
79 nacl
->aces
= (struct security_ace
*)talloc_memdup (nacl
, oacl
->aces
, sizeof(struct security_ace
) * oacl
->num_aces
);
80 if (nacl
->aces
== NULL
) {
92 struct security_acl
*security_acl_concatenate(TALLOC_CTX
*mem_ctx
,
93 const struct security_acl
*acl1
,
94 const struct security_acl
*acl2
)
96 struct security_acl
*nacl
;
103 nacl
= security_acl_dup(mem_ctx
, acl2
);
108 nacl
= security_acl_dup(mem_ctx
, acl1
);
112 nacl
= talloc (mem_ctx
, struct security_acl
);
117 nacl
->revision
= acl1
->revision
;
118 nacl
->size
= acl1
->size
+ acl2
->size
;
119 nacl
->num_aces
= acl1
->num_aces
+ acl2
->num_aces
;
121 if (nacl
->num_aces
== 0)
124 nacl
->aces
= (struct security_ace
*)talloc_array (mem_ctx
, struct security_ace
, acl1
->num_aces
+acl2
->num_aces
);
125 if ((nacl
->aces
== NULL
) && (nacl
->num_aces
> 0)) {
129 for (i
= 0; i
< acl1
->num_aces
; i
++)
130 nacl
->aces
[i
] = acl1
->aces
[i
];
131 for (i
= 0; i
< acl2
->num_aces
; i
++)
132 nacl
->aces
[i
+ acl1
->num_aces
] = acl2
->aces
[i
];
143 talloc and copy a security descriptor
145 struct security_descriptor
*security_descriptor_copy(TALLOC_CTX
*mem_ctx
,
146 const struct security_descriptor
*osd
)
148 struct security_descriptor
*nsd
;
150 nsd
= talloc_zero(mem_ctx
, struct security_descriptor
);
155 if (osd
->owner_sid
) {
156 nsd
->owner_sid
= dom_sid_dup(nsd
, osd
->owner_sid
);
157 if (nsd
->owner_sid
== NULL
) {
162 if (osd
->group_sid
) {
163 nsd
->group_sid
= dom_sid_dup(nsd
, osd
->group_sid
);
164 if (nsd
->group_sid
== NULL
) {
170 nsd
->sacl
= security_acl_dup(nsd
, osd
->sacl
);
171 if (nsd
->sacl
== NULL
) {
177 nsd
->dacl
= security_acl_dup(nsd
, osd
->dacl
);
178 if (nsd
->dacl
== NULL
) {
183 nsd
->revision
= osd
->revision
;
184 nsd
->type
= osd
->type
;
194 NTSTATUS
security_descriptor_for_client(TALLOC_CTX
*mem_ctx
,
195 const struct security_descriptor
*ssd
,
197 uint32_t access_granted
,
198 struct security_descriptor
**_csd
)
200 struct security_descriptor
*csd
= NULL
;
201 uint32_t access_required
= 0;
205 if (sec_info
& (SECINFO_OWNER
|SECINFO_GROUP
)) {
206 access_required
|= SEC_STD_READ_CONTROL
;
208 if (sec_info
& SECINFO_DACL
) {
209 access_required
|= SEC_STD_READ_CONTROL
;
211 if (sec_info
& SECINFO_SACL
) {
212 access_required
|= SEC_FLAG_SYSTEM_SECURITY
;
215 if (access_required
& (~access_granted
)) {
216 return NT_STATUS_ACCESS_DENIED
;
222 csd
= security_descriptor_copy(mem_ctx
, ssd
);
224 return NT_STATUS_NO_MEMORY
;
228 * ... and remove everthing not wanted
231 if (!(sec_info
& SECINFO_OWNER
)) {
232 TALLOC_FREE(csd
->owner_sid
);
233 csd
->type
&= ~SEC_DESC_OWNER_DEFAULTED
;
235 if (!(sec_info
& SECINFO_GROUP
)) {
236 TALLOC_FREE(csd
->group_sid
);
237 csd
->type
&= ~SEC_DESC_GROUP_DEFAULTED
;
239 if (!(sec_info
& SECINFO_DACL
)) {
240 TALLOC_FREE(csd
->dacl
);
242 SEC_DESC_DACL_PRESENT
|
243 SEC_DESC_DACL_DEFAULTED
|
244 SEC_DESC_DACL_AUTO_INHERIT_REQ
|
245 SEC_DESC_DACL_AUTO_INHERITED
|
246 SEC_DESC_DACL_PROTECTED
|
247 SEC_DESC_DACL_TRUSTED
);
249 if (!(sec_info
& SECINFO_SACL
)) {
250 TALLOC_FREE(csd
->sacl
);
252 SEC_DESC_SACL_PRESENT
|
253 SEC_DESC_SACL_DEFAULTED
|
254 SEC_DESC_SACL_AUTO_INHERIT_REQ
|
255 SEC_DESC_SACL_AUTO_INHERITED
|
256 SEC_DESC_SACL_PROTECTED
|
257 SEC_DESC_SERVER_SECURITY
);
265 add an ACE to an ACL of a security_descriptor
268 static NTSTATUS
security_descriptor_acl_add(struct security_descriptor
*sd
,
270 const struct security_ace
*ace
)
272 struct security_acl
*acl
= NULL
;
281 acl
= talloc(sd
, struct security_acl
);
283 return NT_STATUS_NO_MEMORY
;
285 acl
->revision
= SECURITY_ACL_REVISION_NT4
;
291 acl
->aces
= talloc_realloc(acl
, acl
->aces
,
292 struct security_ace
, acl
->num_aces
+1);
293 if (acl
->aces
== NULL
) {
294 return NT_STATUS_NO_MEMORY
;
297 acl
->aces
[acl
->num_aces
] = *ace
;
299 switch (acl
->aces
[acl
->num_aces
].type
) {
300 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
:
301 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
:
302 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT
:
303 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT
:
304 acl
->revision
= SECURITY_ACL_REVISION_ADS
;
314 sd
->type
|= SEC_DESC_SACL_PRESENT
;
317 sd
->type
|= SEC_DESC_DACL_PRESENT
;
324 add an ACE to the SACL of a security_descriptor
327 NTSTATUS
security_descriptor_sacl_add(struct security_descriptor
*sd
,
328 const struct security_ace
*ace
)
330 return security_descriptor_acl_add(sd
, true, ace
);
334 add an ACE to the DACL of a security_descriptor
337 NTSTATUS
security_descriptor_dacl_add(struct security_descriptor
*sd
,
338 const struct security_ace
*ace
)
340 return security_descriptor_acl_add(sd
, false, ace
);
344 delete the ACE corresponding to the given trustee in an ACL of a
348 static NTSTATUS
security_descriptor_acl_del(struct security_descriptor
*sd
,
350 const struct dom_sid
*trustee
)
354 struct security_acl
*acl
= NULL
;
363 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
366 /* there can be multiple ace's for one trustee */
367 for (i
=0;i
<acl
->num_aces
;i
++) {
368 if (dom_sid_equal(trustee
, &acl
->aces
[i
].trustee
)) {
369 ARRAY_DEL_ELEMENT(acl
->aces
, i
, acl
->num_aces
);
371 if (acl
->num_aces
== 0) {
379 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
382 acl
->revision
= SECURITY_ACL_REVISION_NT4
;
384 for (i
=0;i
<acl
->num_aces
;i
++) {
385 switch (acl
->aces
[i
].type
) {
386 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
:
387 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
:
388 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT
:
389 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT
:
390 acl
->revision
= SECURITY_ACL_REVISION_ADS
;
393 break; /* only for the switch statement */
401 delete the ACE corresponding to the given trustee in the DACL of a
405 NTSTATUS
security_descriptor_dacl_del(struct security_descriptor
*sd
,
406 const struct dom_sid
*trustee
)
408 return security_descriptor_acl_del(sd
, false, trustee
);
412 delete the ACE corresponding to the given trustee in the SACL of a
416 NTSTATUS
security_descriptor_sacl_del(struct security_descriptor
*sd
,
417 const struct dom_sid
*trustee
)
419 return security_descriptor_acl_del(sd
, true, trustee
);
423 compare two security ace structures
425 bool security_ace_equal(const struct security_ace
*ace1
,
426 const struct security_ace
*ace2
)
431 if ((ace1
== NULL
) || (ace2
== NULL
)) {
434 if (ace1
->type
!= ace2
->type
) {
437 if (ace1
->flags
!= ace2
->flags
) {
440 if (ace1
->access_mask
!= ace2
->access_mask
) {
443 if (!dom_sid_equal(&ace1
->trustee
, &ace2
->trustee
)) {
452 compare two security acl structures
454 bool security_acl_equal(const struct security_acl
*acl1
,
455 const struct security_acl
*acl2
)
459 if (acl1
== acl2
) return true;
460 if (!acl1
|| !acl2
) return false;
461 if (acl1
->revision
!= acl2
->revision
) return false;
462 if (acl1
->num_aces
!= acl2
->num_aces
) return false;
464 for (i
=0;i
<acl1
->num_aces
;i
++) {
465 if (!security_ace_equal(&acl1
->aces
[i
], &acl2
->aces
[i
])) return false;
471 compare two security descriptors.
473 bool security_descriptor_equal(const struct security_descriptor
*sd1
,
474 const struct security_descriptor
*sd2
)
476 if (sd1
== sd2
) return true;
477 if (!sd1
|| !sd2
) return false;
478 if (sd1
->revision
!= sd2
->revision
) return false;
479 if (sd1
->type
!= sd2
->type
) return false;
481 if (!dom_sid_equal(sd1
->owner_sid
, sd2
->owner_sid
)) return false;
482 if (!dom_sid_equal(sd1
->group_sid
, sd2
->group_sid
)) return false;
483 if (!security_acl_equal(sd1
->sacl
, sd2
->sacl
)) return false;
484 if (!security_acl_equal(sd1
->dacl
, sd2
->dacl
)) return false;
490 compare two security descriptors, but allow certain (missing) parts
491 to be masked out of the comparison
493 bool security_descriptor_mask_equal(const struct security_descriptor
*sd1
,
494 const struct security_descriptor
*sd2
,
497 if (sd1
== sd2
) return true;
498 if (!sd1
|| !sd2
) return false;
499 if (sd1
->revision
!= sd2
->revision
) return false;
500 if ((sd1
->type
& mask
) != (sd2
->type
& mask
)) return false;
502 if (!dom_sid_equal(sd1
->owner_sid
, sd2
->owner_sid
)) return false;
503 if (!dom_sid_equal(sd1
->group_sid
, sd2
->group_sid
)) return false;
504 if ((mask
& SEC_DESC_DACL_PRESENT
) && !security_acl_equal(sd1
->dacl
, sd2
->dacl
)) return false;
505 if ((mask
& SEC_DESC_SACL_PRESENT
) && !security_acl_equal(sd1
->sacl
, sd2
->sacl
)) return false;
511 static struct security_descriptor
*security_descriptor_appendv(struct security_descriptor
*sd
,
512 bool add_ace_to_sacl
,
517 while ((sidstr
= va_arg(ap
, const char *))) {
519 struct security_ace
*ace
= talloc_zero(sd
, struct security_ace
);
526 ace
->type
= va_arg(ap
, unsigned int);
527 ace
->access_mask
= va_arg(ap
, unsigned int);
528 ace
->flags
= va_arg(ap
, unsigned int);
529 sid
= dom_sid_parse_talloc(ace
, sidstr
);
535 if (add_ace_to_sacl
) {
536 status
= security_descriptor_sacl_add(sd
, ace
);
538 status
= security_descriptor_dacl_add(sd
, ace
);
540 /* TODO: check: would talloc_free(ace) here be correct? */
541 if (!NT_STATUS_IS_OK(status
)) {
550 struct security_descriptor
*security_descriptor_append(struct security_descriptor
*sd
,
556 sd
= security_descriptor_appendv(sd
, false, ap
);
562 static struct security_descriptor
*security_descriptor_createv(TALLOC_CTX
*mem_ctx
,
564 const char *owner_sid
,
565 const char *group_sid
,
566 bool add_ace_to_sacl
,
569 struct security_descriptor
*sd
;
571 sd
= security_descriptor_initialise(mem_ctx
);
579 sd
->owner_sid
= dom_sid_parse_talloc(sd
, owner_sid
);
580 if (sd
->owner_sid
== NULL
) {
586 sd
->group_sid
= dom_sid_parse_talloc(sd
, group_sid
);
587 if (sd
->group_sid
== NULL
) {
593 return security_descriptor_appendv(sd
, add_ace_to_sacl
, ap
);
597 create a security descriptor using string SIDs. This is used by the
598 torture code to allow the easy creation of complex ACLs
599 This is a varargs function. The list of DACL ACEs ends with a NULL sid.
601 Each ACE contains a set of 4 parameters:
602 SID, ACCESS_TYPE, MASK, FLAGS
604 a typical call would be:
606 sd = security_descriptor_dacl_create(mem_ctx,
610 SID_NT_AUTHENTICATED_USERS,
611 SEC_ACE_TYPE_ACCESS_ALLOWED,
613 SEC_ACE_FLAG_OBJECT_INHERIT,
615 that would create a sd with one DACL ACE
618 struct security_descriptor
*security_descriptor_dacl_create(TALLOC_CTX
*mem_ctx
,
620 const char *owner_sid
,
621 const char *group_sid
,
624 struct security_descriptor
*sd
= NULL
;
626 va_start(ap
, group_sid
);
627 sd
= security_descriptor_createv(mem_ctx
, sd_type
, owner_sid
,
628 group_sid
, false, ap
);
634 struct security_descriptor
*security_descriptor_sacl_create(TALLOC_CTX
*mem_ctx
,
636 const char *owner_sid
,
637 const char *group_sid
,
640 struct security_descriptor
*sd
= NULL
;
642 va_start(ap
, group_sid
);
643 sd
= security_descriptor_createv(mem_ctx
, sd_type
, owner_sid
,
644 group_sid
, true, ap
);
650 struct security_ace
*security_ace_create(TALLOC_CTX
*mem_ctx
,
652 enum security_ace_type type
,
653 uint32_t access_mask
,
657 struct security_ace
*ace
;
660 ace
= talloc_zero(mem_ctx
, struct security_ace
);
665 ok
= dom_sid_parse(sid_str
, &ace
->trustee
);
671 ace
->access_mask
= access_mask
;
677 /*******************************************************************
678 Check for MS NFS ACEs in a sd
679 *******************************************************************/
680 bool security_descriptor_with_ms_nfs(const struct security_descriptor
*psd
)
684 if (psd
->dacl
== NULL
) {
688 for (i
= 0; i
< psd
->dacl
->num_aces
; i
++) {
689 if (dom_sid_compare_domain(
690 &global_sid_Unix_NFS
,
691 &psd
->dacl
->aces
[i
].trustee
) == 0) {