libcli/security/sddl.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    security descriptor description language functions
   5
   6    Copyright (C) Andrew Tridgell                2005
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20 */
  21
  22 #include "replace.h"
  23 #include "lib/util/debug.h"
  24 #include "libcli/security/security.h"
  25 #include "librpc/gen_ndr/ndr_misc.h"
  26 #include "lib/util/smb_strtox.h"
  27 #include "system/locale.h"
  28 #include "lib/util/util_str_hex.h"
  29
  30
  31 struct sddl_transition_state {
  32         const struct dom_sid *machine_sid;
  33         const struct dom_sid *domain_sid;
  34         const struct dom_sid *forest_sid;
  35 };
  36
  37 struct flag_map {
  38         const char *name;
  39         uint32_t flag;
  40 };
  41
  42 static bool sddl_map_flag(
  43         const struct flag_map *map,
  44         const char *str,
  45         size_t *plen,
  46         uint32_t *pflag)
  47 {
  48         while (map->name != NULL) {
  49                 size_t len = strlen(map->name);
  50                 int cmp = strncmp(map->name, str, len);
  51
  52                 if (cmp == 0) {
  53                         *plen = len;
  54                         *pflag = map->flag;
  55                         return true;
  56                 }
  57                 map += 1;
  58         }
  59         return false;
  60 }
  61
  62 /*
  63   map a series of letter codes into a uint32_t
  64 */
  65 static bool sddl_map_flags(const struct flag_map *map, const char *str,
  66                            uint32_t *pflags, size_t *plen,
  67                            bool unknown_flag_is_part_of_next_thing)
  68 {
  69         const char *str0 = str;
  70         if (plen != NULL) {
  71                 *plen = 0;
  72         }
  73         *pflags = 0;
  74         while (str[0] != '\0' && isupper((unsigned char)str[0])) {
  75                 size_t len;
  76                 uint32_t flags;
  77                 bool found;
  78
  79                 found = sddl_map_flag(map, str, &len, &flags);
  80                 if (!found) {
  81                         break;
  82                 }
  83
  84                 *pflags |= flags;
  85                 if (plen != NULL) {
  86                         *plen += len;
  87                 }
  88                 str += len;
  89         }
  90         /*
  91          * For ACL flags, unknown_flag_is_part_of_next_thing is set,
  92          * and we expect some more stuff that isn't flags.
  93          *
  94          * For ACE flags, unknown_flag_is_part_of_next_thing is unset,
  95          * and the flags have been tokenised into their own little
  96          * string. We don't expect anything here, even whitespace.
  97          */
  98         if (*str == '\0' || unknown_flag_is_part_of_next_thing) {
  99                 return true;
 100         }
 101         DBG_WARNING("Unknown flag - '%s' in '%s'\n", str, str0);
 102         return false;
 103 }
 104
 105
 106 /*
 107   a mapping between the 2 letter SID codes and sid strings
 108 */
 109 static const struct {
 110         const char *code;
 111         const char *sid;
 112         uint32_t machine_rid;
 113         uint32_t domain_rid;
 114         uint32_t forest_rid;
 115 } sid_codes[] = {
 116         { .code = "WD", .sid = SID_WORLD },
 117
 118         { .code = "CO", .sid = SID_CREATOR_OWNER },
 119         { .code = "CG", .sid = SID_CREATOR_GROUP },
 120         { .code = "OW", .sid = SID_OWNER_RIGHTS },
 121
 122         { .code = "NU", .sid = SID_NT_NETWORK },
 123         { .code = "IU", .sid = SID_NT_INTERACTIVE },
 124         { .code = "SU", .sid = SID_NT_SERVICE },
 125         { .code = "AN", .sid = SID_NT_ANONYMOUS },
 126         { .code = "ED", .sid = SID_NT_ENTERPRISE_DCS },
 127         { .code = "PS", .sid = SID_NT_SELF },
 128         { .code = "AU", .sid = SID_NT_AUTHENTICATED_USERS },
 129         { .code = "RC", .sid = SID_NT_RESTRICTED },
 130         { .code = "SY", .sid = SID_NT_SYSTEM },
 131         { .code = "LS", .sid = SID_NT_LOCAL_SERVICE },
 132         { .code = "NS", .sid = SID_NT_NETWORK_SERVICE },
 133         { .code = "WR", .sid = SID_SECURITY_RESTRICTED_CODE },
 134
 135         { .code = "BA", .sid = SID_BUILTIN_ADMINISTRATORS },
 136         { .code = "BU", .sid = SID_BUILTIN_USERS },
 137         { .code = "BG", .sid = SID_BUILTIN_GUESTS },
 138         { .code = "PU", .sid = SID_BUILTIN_POWER_USERS },
 139         { .code = "AO", .sid = SID_BUILTIN_ACCOUNT_OPERATORS },
 140         { .code = "SO", .sid = SID_BUILTIN_SERVER_OPERATORS },
 141         { .code = "PO", .sid = SID_BUILTIN_PRINT_OPERATORS },
 142         { .code = "BO", .sid = SID_BUILTIN_BACKUP_OPERATORS },
 143         { .code = "RE", .sid = SID_BUILTIN_REPLICATOR },
 144         { .code = "RU", .sid = SID_BUILTIN_PREW2K },
 145         { .code = "RD", .sid = SID_BUILTIN_REMOTE_DESKTOP_USERS },
 146         { .code = "NO", .sid = SID_BUILTIN_NETWORK_CONF_OPERATORS },
 147
 148         { .code = "MU", .sid = SID_BUILTIN_PERFMON_USERS },
 149         { .code = "LU", .sid = SID_BUILTIN_PERFLOG_USERS },
 150         { .code = "IS", .sid = SID_BUILTIN_IUSERS },
 151         { .code = "CY", .sid = SID_BUILTIN_CRYPTO_OPERATORS },
 152         { .code = "ER", .sid = SID_BUILTIN_EVENT_LOG_READERS },
 153         { .code = "CD", .sid = SID_BUILTIN_CERT_SERV_DCOM_ACCESS },
 154         { .code = "RA", .sid = SID_BUILTIN_RDS_REMOTE_ACCESS_SERVERS },
 155         { .code = "ES", .sid = SID_BUILTIN_RDS_ENDPOINT_SERVERS },
 156         { .code = "MS", .sid = SID_BUILTIN_RDS_MANAGEMENT_SERVERS },
 157         { .code = "HA", .sid = SID_BUILTIN_HYPER_V_ADMINS },
 158         { .code = "AA", .sid = SID_BUILTIN_ACCESS_CONTROL_ASSISTANCE_OPS },
 159         { .code = "RM", .sid = SID_BUILTIN_REMOTE_MANAGEMENT_USERS },
 160
 161         { .code = "UD", .sid = SID_USER_MODE_DRIVERS },
 162
 163         { .code = "AC", .sid = SID_SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE },
 164
 165         { .code = "LW", .sid = SID_SECURITY_MANDATORY_LOW },
 166         { .code = "ME", .sid = SID_SECURITY_MANDATORY_MEDIUM },
 167         { .code = "MP", .sid = SID_SECURITY_MANDATORY_MEDIUM_PLUS },
 168         { .code = "HI", .sid = SID_SECURITY_MANDATORY_HIGH },
 169         { .code = "SI", .sid = SID_SECURITY_MANDATORY_SYSTEM },
 170
 171         { .code = "AS", .sid = SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY },
 172         { .code = "SS", .sid = SID_SERVICE_ASSERTED_IDENTITY },
 173
 174         { .code = "RO", .forest_rid = DOMAIN_RID_ENTERPRISE_READONLY_DCS },
 175
 176         { .code = "LA", .machine_rid = DOMAIN_RID_ADMINISTRATOR },
 177         { .code = "LG", .machine_rid = DOMAIN_RID_GUEST },
 178
 179         { .code = "DA", .domain_rid = DOMAIN_RID_ADMINS },
 180         { .code = "DU", .domain_rid = DOMAIN_RID_USERS },
 181         { .code = "DG", .domain_rid = DOMAIN_RID_GUESTS },
 182         { .code = "DC", .domain_rid = DOMAIN_RID_DOMAIN_MEMBERS },
 183         { .code = "DD", .domain_rid = DOMAIN_RID_DCS },
 184         { .code = "CA", .domain_rid = DOMAIN_RID_CERT_ADMINS },
 185         { .code = "SA", .forest_rid = DOMAIN_RID_SCHEMA_ADMINS },
 186         { .code = "EA", .forest_rid = DOMAIN_RID_ENTERPRISE_ADMINS },
 187         { .code = "PA", .domain_rid = DOMAIN_RID_POLICY_ADMINS },
 188
 189         { .code = "CN", .domain_rid = DOMAIN_RID_CLONEABLE_CONTROLLERS },
 190
 191         { .code = "AP", .domain_rid = DOMAIN_RID_PROTECTED_USERS },
 192         { .code = "KA", .domain_rid = DOMAIN_RID_KEY_ADMINS },
 193         { .code = "EK", .forest_rid = DOMAIN_RID_ENTERPRISE_KEY_ADMINS },
 194
 195         { .code = "RS", .domain_rid = DOMAIN_RID_RAS_SERVERS }
 196 };
 197
 198 /*
 199   decode a SID
 200   It can either be a special 2 letter code, or in S-* format
 201 */
 202 static struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
 203                                        struct sddl_transition_state *state)
 204 {
 205         const char *sddl = (*sddlp);
 206         size_t i;
 207
 208         /* see if its in the numeric format */
 209         if (strncmp(sddl, "S-", 2) == 0) {
 210                 struct dom_sid *sid = NULL;
 211                 char *sid_str = NULL;
 212                 const char *end = NULL;
 213                 bool ok;
 214                 size_t len = strspn(sddl + 2, "-0123456789ABCDEFabcdefxX") + 2;
 215                 if (len < 5) { /* S-1-x */
 216                         return NULL;
 217                 }
 218                 if (sddl[len - 1] == 'D' && sddl[len] == ':') {
 219                         /*
 220                          * we have run into the "D:" dacl marker, mistaking it
 221                          * for a hex digit. There is no other way for this
 222                          * pair to occur at the end of a SID in SDDL.
 223                          */
 224                         len--;
 225                 }
 226
 227                 sid_str = talloc_strndup(mem_ctx, sddl, len);
 228                 if (sid_str == NULL) {
 229                         return NULL;
 230                 }
 231                 sid = talloc(mem_ctx, struct dom_sid);
 232                 if (sid == NULL) {
 233                         TALLOC_FREE(sid_str);
 234                         return NULL;
 235                 };
 236                 ok = dom_sid_parse_endp(sid_str, sid, &end);
 237                 if (!ok) {
 238                         DBG_WARNING("could not parse SID '%s'\n", sid_str);
 239                         TALLOC_FREE(sid_str);
 240                         TALLOC_FREE(sid);
 241                         return NULL;
 242                 }
 243                 if (end - sid_str != len) {
 244                         DBG_WARNING("trailing junk after SID '%s'\n", sid_str);
 245                         TALLOC_FREE(sid_str);
 246                         TALLOC_FREE(sid);
 247                         return NULL;
 248                 }
 249                 TALLOC_FREE(sid_str);
 250                 (*sddlp) += len;
 251                 return sid;
 252         }
 253
 254         /* now check for one of the special codes */
 255         for (i=0;i<ARRAY_SIZE(sid_codes);i++) {
 256                 if (strncmp(sid_codes[i].code, sddl, 2) == 0) break;
 257         }
 258         if (i == ARRAY_SIZE(sid_codes)) {
 259                 DEBUG(1,("Unknown sddl sid code '%2.2s'\n", sddl));
 260                 return NULL;
 261         }
 262
 263         (*sddlp) += 2;
 264
 265
 266         if (sid_codes[i].machine_rid != 0) {
 267                 return dom_sid_add_rid(mem_ctx, state->machine_sid,
 268                                        sid_codes[i].machine_rid);
 269         }
 270
 271         if (sid_codes[i].domain_rid != 0) {
 272                 return dom_sid_add_rid(mem_ctx, state->domain_sid,
 273                                        sid_codes[i].domain_rid);
 274         }
 275
 276         if (sid_codes[i].forest_rid != 0) {
 277                 return dom_sid_add_rid(mem_ctx, state->forest_sid,
 278                                        sid_codes[i].forest_rid);
 279         }
 280
 281         return dom_sid_parse_talloc(mem_ctx, sid_codes[i].sid);
 282 }
 283
 284 static const struct flag_map ace_types[] = {
 285         { "AU", SEC_ACE_TYPE_SYSTEM_AUDIT },
 286         { "AL", SEC_ACE_TYPE_SYSTEM_ALARM },
 287         { "OA", SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT },
 288         { "OD", SEC_ACE_TYPE_ACCESS_DENIED_OBJECT },
 289         { "OU", SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT },
 290         { "OL", SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT },
 291         { "A",  SEC_ACE_TYPE_ACCESS_ALLOWED },
 292         { "D",  SEC_ACE_TYPE_ACCESS_DENIED },
 293         { NULL, 0 }
 294 };
 295
 296 static const struct flag_map ace_flags[] = {
 297         { "OI", SEC_ACE_FLAG_OBJECT_INHERIT },
 298         { "CI", SEC_ACE_FLAG_CONTAINER_INHERIT },
 299         { "NP", SEC_ACE_FLAG_NO_PROPAGATE_INHERIT },
 300         { "IO", SEC_ACE_FLAG_INHERIT_ONLY },
 301         { "ID", SEC_ACE_FLAG_INHERITED_ACE },
 302         { "SA", SEC_ACE_FLAG_SUCCESSFUL_ACCESS },
 303         { "FA", SEC_ACE_FLAG_FAILED_ACCESS },
 304         { NULL, 0 },
 305 };
 306
 307 static const struct flag_map ace_access_mask[] = {
 308         { "CC", SEC_ADS_CREATE_CHILD },
 309         { "DC", SEC_ADS_DELETE_CHILD },
 310         { "LC", SEC_ADS_LIST },
 311         { "SW", SEC_ADS_SELF_WRITE },
 312         { "RP", SEC_ADS_READ_PROP },
 313         { "WP", SEC_ADS_WRITE_PROP },
 314         { "DT", SEC_ADS_DELETE_TREE },
 315         { "LO", SEC_ADS_LIST_OBJECT },
 316         { "CR", SEC_ADS_CONTROL_ACCESS },
 317         { "SD", SEC_STD_DELETE },
 318         { "RC", SEC_STD_READ_CONTROL },
 319         { "WD", SEC_STD_WRITE_DAC },
 320         { "WO", SEC_STD_WRITE_OWNER },
 321         { "GA", SEC_GENERIC_ALL },
 322         { "GX", SEC_GENERIC_EXECUTE },
 323         { "GW", SEC_GENERIC_WRITE },
 324         { "GR", SEC_GENERIC_READ },
 325         { NULL, 0 }
 326 };
 327
 328 static const struct flag_map decode_ace_access_mask[] = {
 329         { "FA", FILE_GENERIC_ALL },
 330         { "FR", FILE_GENERIC_READ },
 331         { "FW", FILE_GENERIC_WRITE },
 332         { "FX", FILE_GENERIC_EXECUTE },
 333         { NULL, 0 },
 334 };
 335
 336
 337 static char *sddl_match_file_rights(TALLOC_CTX *mem_ctx,
 338                                 uint32_t flags)
 339 {
 340         int i;
 341
 342         /* try to find an exact match */
 343         for (i=0;decode_ace_access_mask[i].name;i++) {
 344                 if (decode_ace_access_mask[i].flag == flags) {
 345                         return talloc_strdup(mem_ctx,
 346                                         decode_ace_access_mask[i].name);
 347                 }
 348         }
 349         return NULL;
 350 }
 351
 352 static bool sddl_decode_access(const char *str, uint32_t *pmask)
 353 {
 354         const char *str0 = str;
 355         char *end = NULL;
 356         uint32_t mask = 0;
 357         unsigned long long numeric_mask;
 358         int err;
 359         /*
 360          * The access mask can be a number or a series of flags.
 361          *
 362          * Canonically the number is expressed in hexadecimal (with 0x), but
 363          * per MS-DTYP and Windows behaviour, octal and decimal numbers are
 364          * also accepted.
 365          *
 366          * Windows has two behaviours we choose not to replicate:
 367          *
 368          * 1. numbers exceeding 0xffffffff are truncated at that point,
 369          *    turning on all access flags.
 370          *
 371          * 2. negative numbers are accepted, so e.g. -2 becomes 0xfffffffe.
 372          */
 373         numeric_mask = smb_strtoull(str, &end, 0, &err, SMB_STR_STANDARD);
 374         if (err == 0) {
 375                 if (numeric_mask > UINT32_MAX) {
 376                         DBG_WARNING("Bad numeric flag value - %llu in %s\n",
 377                                     numeric_mask, str0);
 378                         return false;
 379                 }
 380                 if (end - str > sizeof("037777777777")) {
 381                         /* here's the tricky thing: if a number is big
 382                          * enough to overflow the uint64, it might end
 383                          * up small enough to fit in the uint32, and
 384                          * we'd miss that it overflowed. So we count
 385                          * the digits -- any more than 12 (for
 386                          * "037777777777") is too long for 32 bits,
 387                          * and the shortest 64-bit wrapping string is
 388                          * 19 (for "0x1" + 16 zeros).
 389                          */
 390                         DBG_WARNING("Bad numeric flag value in '%s'\n", str0);
 391                         return false;
 392                 }
 393                 if (*end != '\0') {
 394                         DBG_WARNING("Bad characters in '%s'\n", str0);
 395                         return false;
 396                 }
 397                 *pmask = numeric_mask;
 398                 return true;
 399         }
 400         /* It's not a positive number, so we'll look for flags */
 401
 402         while ((str[0] != '\0') &&
 403                (isupper((unsigned char)str[0]) || str[0] == ' ')) {
 404                 uint32_t flags = 0;
 405                 size_t len = 0;
 406                 bool found;
 407                 while (str[0] == ' ') {
 408                         /*
 409                          * Following Windows we accept spaces between flags
 410                          * but not after flags. Not tabs, though, never tabs.
 411                          */
 412                         str++;
 413                         if (str[0] == '\0') {
 414                                 DBG_WARNING("trailing whitespace in flags "
 415                                             "- '%s'\n", str0);
 416                                 return false;
 417                         }
 418                 }
 419                 found = sddl_map_flag(
 420                         ace_access_mask, str, &len, &flags);
 421                 found |= sddl_map_flag(
 422                         decode_ace_access_mask, str, &len, &flags);
 423                 if (!found) {
 424                         DEBUG(1, ("Unknown flag - %s in %s\n", str, str0));
 425                         return false;
 426                 }
 427                 mask |= flags;
 428                 str += len;
 429         }
 430         if (*str != '\0') {
 431                 DBG_WARNING("Bad characters in '%s'\n", str0);
 432                 return false;
 433         }
 434         *pmask = mask;
 435         return true;
 436 }
 437
 438
 439 static bool sddl_decode_guid(const char *str, struct GUID *guid)
 440 {
 441         if (strlen(str) != 36) {
 442                 return false;
 443         }
 444         return parse_guid_string(str, guid);
 445 }
 446
 447
 448 /*
 449   decode an ACE
 450   return true on success, false on failure
 451   note that this routine modifies the string
 452 */
 453 static bool sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char *str,
 454                             struct sddl_transition_state *state)
 455 {
 456         const char *tok[6];
 457         const char *s;
 458         int i;
 459         uint32_t v;
 460         struct dom_sid *sid;
 461         bool ok;
 462         size_t len;
 463
 464         ZERO_STRUCTP(ace);
 465
 466         /* parse out the 6 tokens */
 467         tok[0] = str;
 468         for (i=0;i<5;i++) {
 469                 char *ptr = strchr(str, ';');
 470                 if (ptr == NULL) return false;
 471                 *ptr = 0;
 472                 str = ptr+1;
 473                 tok[i+1] = str;
 474         }
 475
 476         /* parse ace type */
 477         ok = sddl_map_flag(ace_types, tok[0], &len, &v);
 478         if (!ok) {
 479                 DBG_WARNING("Unknown ACE type - %s\n", tok[0]);
 480                 return false;
 481         }
 482         if (tok[0][len] != '\0') {
 483                 DBG_WARNING("Garbage after ACE type - %s\n", tok[0]);
 484                 return false;
 485         }
 486
 487         ace->type = v;
 488
 489         /* ace flags */
 490         if (!sddl_map_flags(ace_flags, tok[1], &v, NULL, false)) {
 491                 return false;
 492         }
 493         ace->flags = v;
 494
 495         /* access mask */
 496         ok = sddl_decode_access(tok[2], &ace->access_mask);
 497         if (!ok) {
 498                 return false;
 499         }
 500
 501         /* object */
 502         if (tok[3][0] != 0) {
 503                 ok = sddl_decode_guid(tok[3], &ace->object.object.type.type);
 504                 if (!ok) {
 505                         return false;
 506                 }
 507                 ace->object.object.flags |= SEC_ACE_OBJECT_TYPE_PRESENT;
 508         }
 509
 510         /* inherit object */
 511         if (tok[4][0] != 0) {
 512                 ok = sddl_decode_guid(tok[4],
 513                                       &ace->object.object.inherited_type.inherited_type);
 514                 if (!ok) {
 515                         return false;
 516                 }
 517                 ace->object.object.flags |= SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT;
 518         }
 519
 520         /* trustee */
 521         s = tok[5];
 522         sid = sddl_decode_sid(mem_ctx, &s, state);
 523         if (sid == NULL) {
 524                 return false;
 525         }
 526         ace->trustee = *sid;
 527         talloc_free(sid);
 528         if (*s != '\0') {
 529                 return false;
 530         }
 531         return true;
 532 }
 533
 534 static const struct flag_map acl_flags[] = {
 535         { "P", SEC_DESC_DACL_PROTECTED },
 536         { "AR", SEC_DESC_DACL_AUTO_INHERIT_REQ },
 537         { "AI", SEC_DESC_DACL_AUTO_INHERITED },
 538         { NULL, 0 }
 539 };
 540
 541 /*
 542   decode an ACL
 543 */
 544 static struct security_acl *sddl_decode_acl(struct security_descriptor *sd,
 545                                             const char **sddlp, uint32_t *flags,
 546                                             struct sddl_transition_state *state)
 547 {
 548         const char *sddl = *sddlp;
 549         struct security_acl *acl;
 550         size_t len;
 551
 552         *flags = 0;
 553
 554         acl = talloc_zero(sd, struct security_acl);
 555         if (acl == NULL) return NULL;
 556         acl->revision = SECURITY_ACL_REVISION_ADS;
 557
 558         if (isupper(sddl[0]) && sddl[1] == ':') {
 559                 /* its an empty ACL */
 560                 return acl;
 561         }
 562
 563         /* work out the ACL flags */
 564         if (!sddl_map_flags(acl_flags, sddl, flags, &len, true)) {
 565                 talloc_free(acl);
 566                 return NULL;
 567         }
 568         sddl += len;
 569
 570         /* now the ACEs */
 571         while (*sddl == '(') {
 572                 char *astr;
 573                 len = strcspn(sddl+1, ")");
 574                 astr = talloc_strndup(acl, sddl+1, len);
 575                 if (astr == NULL || sddl[len+1] != ')') {
 576                         talloc_free(acl);
 577                         return NULL;
 578                 }
 579                 acl->aces = talloc_realloc(acl, acl->aces, struct security_ace,
 580                                            acl->num_aces+1);
 581                 if (acl->aces == NULL) {
 582                         talloc_free(acl);
 583                         return NULL;
 584                 }
 585                 if (!sddl_decode_ace(acl->aces, &acl->aces[acl->num_aces],
 586                                      astr, state)) {
 587                         talloc_free(acl);
 588                         return NULL;
 589                 }
 590                 switch (acl->aces[acl->num_aces].type) {
 591                 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
 592                 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
 593                 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
 594                 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
 595                         acl->revision = SECURITY_ACL_REVISION_ADS;
 596                         break;
 597                 default:
 598                         break;
 599                 }
 600                 talloc_free(astr);
 601                 sddl += len+2;
 602                 acl->num_aces++;
 603         }
 604
 605         (*sddlp) = sddl;
 606         return acl;
 607 }
 608
 609 /*
 610   decode a security descriptor in SDDL format
 611 */
 612 struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl,
 613                                         const struct dom_sid *domain_sid)
 614 {
 615         struct sddl_transition_state state = {
 616                 /*
 617                  * TODO: verify .machine_rid values really belong to
 618                  * to the machine_sid on a member, once
 619                  * we pass machine_sid from the caller...
 620                  */
 621                 .machine_sid = domain_sid,
 622                 .domain_sid = domain_sid,
 623                 .forest_sid = domain_sid,
 624         };
 625         struct security_descriptor *sd;
 626         sd = talloc_zero(mem_ctx, struct security_descriptor);
 627
 628         sd->revision = SECURITY_DESCRIPTOR_REVISION_1;
 629         sd->type     = SEC_DESC_SELF_RELATIVE;
 630
 631         while (*sddl) {
 632                 uint32_t flags;
 633                 char c = sddl[0];
 634                 if (sddl[1] != ':') goto failed;
 635
 636                 sddl += 2;
 637                 switch (c) {
 638                 case 'D':
 639                         if (sd->dacl != NULL) goto failed;
 640                         sd->dacl = sddl_decode_acl(sd, &sddl, &flags, &state);
 641                         if (sd->dacl == NULL) goto failed;
 642                         sd->type |= flags | SEC_DESC_DACL_PRESENT;
 643                         break;
 644                 case 'S':
 645                         if (sd->sacl != NULL) goto failed;
 646                         sd->sacl = sddl_decode_acl(sd, &sddl, &flags, &state);
 647                         if (sd->sacl == NULL) goto failed;
 648                         /* this relies on the SEC_DESC_SACL_* flags being
 649                            1 bit shifted from the SEC_DESC_DACL_* flags */
 650                         sd->type |= (flags<<1) | SEC_DESC_SACL_PRESENT;
 651                         break;
 652                 case 'O':
 653                         if (sd->owner_sid != NULL) goto failed;
 654                         sd->owner_sid = sddl_decode_sid(sd, &sddl, &state);
 655                         if (sd->owner_sid == NULL) goto failed;
 656                         break;
 657                 case 'G':
 658                         if (sd->group_sid != NULL) goto failed;
 659                         sd->group_sid = sddl_decode_sid(sd, &sddl, &state);
 660                         if (sd->group_sid == NULL) goto failed;
 661                         break;
 662                 default:
 663                         goto failed;
 664                 }
 665         }
 666
 667         return sd;
 668
 669 failed:
 670         DEBUG(2,("Badly formatted SDDL '%s'\n", sddl));
 671         talloc_free(sd);
 672         return NULL;
 673 }
 674
 675 /*
 676   turn a set of flags into a string
 677 */
 678 static char *sddl_flags_to_string(TALLOC_CTX *mem_ctx, const struct flag_map *map,
 679                                   uint32_t flags, bool check_all)
 680 {
 681         int i;
 682         char *s;
 683
 684         /* try to find an exact match */
 685         for (i=0;map[i].name;i++) {
 686                 if (map[i].flag == flags) {
 687                         return talloc_strdup(mem_ctx, map[i].name);
 688                 }
 689         }
 690
 691         s = talloc_strdup(mem_ctx, "");
 692
 693         /* now by bits */
 694         for (i=0;map[i].name;i++) {
 695                 if ((flags & map[i].flag) != 0) {
 696                         s = talloc_asprintf_append_buffer(s, "%s", map[i].name);
 697                         if (s == NULL) goto failed;
 698                         flags &= ~map[i].flag;
 699                 }
 700         }
 701
 702         if (check_all && flags != 0) {
 703                 goto failed;
 704         }
 705
 706         return s;
 707
 708 failed:
 709         talloc_free(s);
 710         return NULL;
 711 }
 712
 713 /*
 714   encode a sid in SDDL format
 715 */
 716 static char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
 717                              struct sddl_transition_state *state)
 718 {
 719         bool in_machine = dom_sid_in_domain(state->machine_sid, sid);
 720         bool in_domain = dom_sid_in_domain(state->domain_sid, sid);
 721         bool in_forest = dom_sid_in_domain(state->forest_sid, sid);
 722         struct dom_sid_buf buf;
 723         const char *sidstr = dom_sid_str_buf(sid, &buf);
 724         uint32_t rid = 0;
 725         size_t i;
 726
 727         if (sid->num_auths > 1) {
 728                 rid = sid->sub_auths[sid->num_auths-1];
 729         }
 730
 731         for (i=0;i<ARRAY_SIZE(sid_codes);i++) {
 732                 /* seen if its a well known sid */
 733                 if (sid_codes[i].sid != NULL) {
 734                         int cmp;
 735
 736                         cmp = strcmp(sidstr, sid_codes[i].sid);
 737                         if (cmp != 0) {
 738                                 continue;
 739                         }
 740
 741                         return talloc_strdup(mem_ctx, sid_codes[i].code);
 742                 }
 743
 744                 if (rid == 0) {
 745                         continue;
 746                 }
 747
 748                 if (in_machine && sid_codes[i].machine_rid == rid) {
 749                         return talloc_strdup(mem_ctx, sid_codes[i].code);
 750                 }
 751                 if (in_domain && sid_codes[i].domain_rid == rid) {
 752                         return talloc_strdup(mem_ctx, sid_codes[i].code);
 753                 }
 754                 if (in_forest && sid_codes[i].forest_rid == rid) {
 755                         return talloc_strdup(mem_ctx, sid_codes[i].code);
 756                 }
 757         }
 758
 759         return talloc_strdup(mem_ctx, sidstr);
 760 }
 761
 762
 763 /*
 764   encode an ACE in SDDL format
 765 */
 766 static char *sddl_transition_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace,
 767                                         struct sddl_transition_state *state)
 768 {
 769         char *sddl = NULL;
 770         TALLOC_CTX *tmp_ctx;
 771         struct GUID_txt_buf object_buf, iobject_buf;
 772         const char *sddl_type="", *sddl_flags="", *sddl_mask="",
 773                 *sddl_object="", *sddl_iobject="", *sddl_trustee="";
 774
 775         tmp_ctx = talloc_new(mem_ctx);
 776         if (tmp_ctx == NULL) {
 777                 DEBUG(0, ("talloc_new failed\n"));
 778                 return NULL;
 779         }
 780
 781         sddl_type = sddl_flags_to_string(tmp_ctx, ace_types, ace->type, true);
 782         if (sddl_type == NULL) {
 783                 goto failed;
 784         }
 785
 786         sddl_flags = sddl_flags_to_string(tmp_ctx, ace_flags, ace->flags,
 787                                           true);
 788         if (sddl_flags == NULL) {
 789                 goto failed;
 790         }
 791
 792         sddl_mask = sddl_flags_to_string(tmp_ctx, ace_access_mask,
 793                                          ace->access_mask, true);
 794         if (sddl_mask == NULL) {
 795                 sddl_mask = sddl_match_file_rights(tmp_ctx,
 796                                 ace->access_mask);
 797                 if (sddl_mask == NULL) {
 798                         sddl_mask = talloc_asprintf(tmp_ctx, "0x%x",
 799                                                     ace->access_mask);
 800                 }
 801                 if (sddl_mask == NULL) {
 802                         goto failed;
 803                 }
 804         }
 805
 806         if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
 807             ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT ||
 808             ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT ||
 809             ace->type == SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT) {
 810                 const struct security_ace_object *object = &ace->object.object;
 811
 812                 if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
 813                         sddl_object = GUID_buf_string(
 814                                 &object->type.type, &object_buf);
 815                 }
 816
 817                 if (ace->object.object.flags &
 818                     SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
 819                         sddl_iobject = GUID_buf_string(
 820                                 &object->inherited_type.inherited_type,
 821                                 &iobject_buf);
 822                 }
 823         }
 824
 825         sddl_trustee = sddl_encode_sid(tmp_ctx, &ace->trustee, state);
 826         if (sddl_trustee == NULL) {
 827                 goto failed;
 828         }
 829
 830         sddl = talloc_asprintf(mem_ctx, "%s;%s;%s;%s;%s;%s",
 831                                sddl_type, sddl_flags, sddl_mask, sddl_object,
 832                                sddl_iobject, sddl_trustee);
 833
 834 failed:
 835         talloc_free(tmp_ctx);
 836         return sddl;
 837 }
 838
 839 char *sddl_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace,
 840                       const struct dom_sid *domain_sid)
 841 {
 842         struct sddl_transition_state state = {
 843                 /*
 844                  * TODO: verify .machine_rid values really belong to
 845                  * to the machine_sid on a member, once
 846                  * we pass machine_sid from the caller...
 847                  */
 848                 .machine_sid = domain_sid,
 849                 .domain_sid = domain_sid,
 850                 .forest_sid = domain_sid,
 851         };
 852         return sddl_transition_encode_ace(mem_ctx, ace, &state);
 853 }
 854
 855 /*
 856   encode an ACL in SDDL format
 857 */
 858 static char *sddl_encode_acl(TALLOC_CTX *mem_ctx, const struct security_acl *acl,
 859                              uint32_t flags, struct sddl_transition_state *state)
 860 {
 861         char *sddl;
 862         uint32_t i;
 863
 864         /* add any ACL flags */
 865         sddl = sddl_flags_to_string(mem_ctx, acl_flags, flags, false);
 866         if (sddl == NULL) goto failed;
 867
 868         /* now the ACEs, encoded in braces */
 869         for (i=0;i<acl->num_aces;i++) {
 870                 char *ace = sddl_transition_encode_ace(sddl, &acl->aces[i], state);
 871                 if (ace == NULL) goto failed;
 872                 sddl = talloc_asprintf_append_buffer(sddl, "(%s)", ace);
 873                 if (sddl == NULL) goto failed;
 874                 talloc_free(ace);
 875         }
 876
 877         return sddl;
 878
 879 failed:
 880         talloc_free(sddl);
 881         return NULL;
 882 }
 883
 884
 885 /*
 886   encode a security descriptor to SDDL format
 887 */
 888 char *sddl_encode(TALLOC_CTX *mem_ctx, const struct security_descriptor *sd,
 889                   const struct dom_sid *domain_sid)
 890 {
 891         struct sddl_transition_state state = {
 892                 /*
 893                  * TODO: verify .machine_rid values really belong to
 894                  * to the machine_sid on a member, once
 895                  * we pass machine_sid from the caller...
 896                  */
 897                 .machine_sid = domain_sid,
 898                 .domain_sid = domain_sid,
 899                 .forest_sid = domain_sid,
 900         };
 901         char *sddl;
 902         TALLOC_CTX *tmp_ctx;
 903
 904         /* start with a blank string */
 905         sddl = talloc_strdup(mem_ctx, "");
 906         if (sddl == NULL) goto failed;
 907
 908         tmp_ctx = talloc_new(mem_ctx);
 909
 910         if (sd->owner_sid != NULL) {
 911                 char *sid = sddl_encode_sid(tmp_ctx, sd->owner_sid, &state);
 912                 if (sid == NULL) goto failed;
 913                 sddl = talloc_asprintf_append_buffer(sddl, "O:%s", sid);
 914                 if (sddl == NULL) goto failed;
 915         }
 916
 917         if (sd->group_sid != NULL) {
 918                 char *sid = sddl_encode_sid(tmp_ctx, sd->group_sid, &state);
 919                 if (sid == NULL) goto failed;
 920                 sddl = talloc_asprintf_append_buffer(sddl, "G:%s", sid);
 921                 if (sddl == NULL) goto failed;
 922         }
 923
 924         if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl != NULL) {
 925                 char *acl = sddl_encode_acl(tmp_ctx, sd->dacl, sd->type, &state);
 926                 if (acl == NULL) goto failed;
 927                 sddl = talloc_asprintf_append_buffer(sddl, "D:%s", acl);
 928                 if (sddl == NULL) goto failed;
 929         }
 930
 931         if ((sd->type & SEC_DESC_SACL_PRESENT) && sd->sacl != NULL) {
 932                 char *acl = sddl_encode_acl(tmp_ctx, sd->sacl, sd->type>>1, &state);
 933                 if (acl == NULL) goto failed;
 934                 sddl = talloc_asprintf_append_buffer(sddl, "S:%s", acl);
 935                 if (sddl == NULL) goto failed;
 936         }
 937
 938         talloc_free(tmp_ctx);
 939         return sddl;
 940
 941 failed:
 942         talloc_free(sddl);
 943         return NULL;
 944 }