source/lib/secace.c

   1 /*
   2  *  Unix SMB/Netbios implementation.
   3  *  SEC_ACE handling functions
   4  *  Copyright (C) Andrew Tridgell              1992-1998,
   5  *  Copyright (C) Jeremy R. Allison            1995-2003.
   6  *  Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
   7  *  Copyright (C) Paul Ashton                  1997-1998.
   8  *
   9  *  This program is free software; you can redistribute it and/or modify
  10  *  it under the terms of the GNU General Public License as published by
  11  *  the Free Software Foundation; either version 3 of the License, or
  12  *  (at your option) any later version.
  13  *
  14  *  This program is distributed in the hope that it will be useful,
  15  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  16  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17  *  GNU General Public License for more details.
  18  *
  19  *  You should have received a copy of the GNU General Public License
  20  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
  21  */
  22
  23 #include "includes.h"
  24
  25 /*******************************************************************
  26  Check if ACE has OBJECT type.
  27 ********************************************************************/
  28
  29 bool sec_ace_object(uint8 type)
  30 {
  31         if (type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
  32             type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT ||
  33             type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT ||
  34             type == SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT) {
  35                 return True;
  36         }
  37         return False;
  38 }
  39
  40 /*******************************************************************
  41  copy a SEC_ACE structure.
  42 ********************************************************************/
  43 void sec_ace_copy(SEC_ACE *ace_dest, SEC_ACE *ace_src)
  44 {
  45         ace_dest->type  = ace_src->type;
  46         ace_dest->flags = ace_src->flags;
  47         ace_dest->size  = ace_src->size;
  48         ace_dest->access_mask = ace_src->access_mask;
  49         ace_dest->object = ace_src->object;
  50         sid_copy(&ace_dest->trustee, &ace_src->trustee);
  51 }
  52
  53 /*******************************************************************
  54  Sets up a SEC_ACE structure.
  55 ********************************************************************/
  56
  57 void init_sec_ace(SEC_ACE *t, const DOM_SID *sid, enum security_ace_type type,
  58                   uint32_t mask, uint8 flag)
  59 {
  60         t->type = type;
  61         t->flags = flag;
  62         t->size = ndr_size_dom_sid(sid, 0) + 8;
  63         t->access_mask = mask;
  64
  65         ZERO_STRUCTP(&t->trustee);
  66         sid_copy(&t->trustee, sid);
  67 }
  68
  69 /*******************************************************************
  70  adds new SID with its permissions to ACE list
  71 ********************************************************************/
  72
  73 NTSTATUS sec_ace_add_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, unsigned *num, DOM_SID *sid, uint32 mask)
  74 {
  75         unsigned int i = 0;
  76
  77         if (!ctx || !pp_new || !old || !sid || !num)  return NT_STATUS_INVALID_PARAMETER;
  78
  79         *num += 1;
  80
  81         if((pp_new[0] = TALLOC_ZERO_ARRAY(ctx, SEC_ACE, *num )) == 0)
  82                 return NT_STATUS_NO_MEMORY;
  83
  84         for (i = 0; i < *num - 1; i ++)
  85                 sec_ace_copy(&(*pp_new)[i], &old[i]);
  86
  87         (*pp_new)[i].type  = SEC_ACE_TYPE_ACCESS_ALLOWED;
  88         (*pp_new)[i].flags = 0;
  89         (*pp_new)[i].size  = SEC_ACE_HEADER_SIZE + ndr_size_dom_sid(sid, 0);
  90         (*pp_new)[i].access_mask = mask;
  91         sid_copy(&(*pp_new)[i].trustee, sid);
  92         return NT_STATUS_OK;
  93 }
  94
  95 /*******************************************************************
  96   modify SID's permissions at ACL
  97 ********************************************************************/
  98
  99 NTSTATUS sec_ace_mod_sid(SEC_ACE *ace, size_t num, DOM_SID *sid, uint32 mask)
 100 {
 101         unsigned int i = 0;
 102
 103         if (!ace || !sid)  return NT_STATUS_INVALID_PARAMETER;
 104
 105         for (i = 0; i < num; i ++) {
 106                 if (sid_compare(&ace[i].trustee, sid) == 0) {
 107                         ace[i].access_mask = mask;
 108                         return NT_STATUS_OK;
 109                 }
 110         }
 111         return NT_STATUS_NOT_FOUND;
 112 }
 113
 114 /*******************************************************************
 115  delete SID from ACL
 116 ********************************************************************/
 117
 118 NTSTATUS sec_ace_del_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, uint32 *num, DOM_SID *sid)
 119 {
 120         unsigned int i     = 0;
 121         unsigned int n_del = 0;
 122
 123         if (!ctx || !pp_new || !old || !sid || !num)  return NT_STATUS_INVALID_PARAMETER;
 124
 125         if (*num) {
 126                 if((pp_new[0] = TALLOC_ZERO_ARRAY(ctx, SEC_ACE, *num )) == 0)
 127                         return NT_STATUS_NO_MEMORY;
 128         } else {
 129                 pp_new[0] = NULL;
 130         }
 131
 132         for (i = 0; i < *num; i ++) {
 133                 if (sid_compare(&old[i].trustee, sid) != 0)
 134                         sec_ace_copy(&(*pp_new)[i], &old[i]);
 135                 else
 136                         n_del ++;
 137         }
 138         if (n_del == 0)
 139                 return NT_STATUS_NOT_FOUND;
 140         else {
 141                 *num -= n_del;
 142                 return NT_STATUS_OK;
 143         }
 144 }
 145
 146 /*******************************************************************
 147  Compares two SEC_ACE structures
 148 ********************************************************************/
 149
 150 bool sec_ace_equal(SEC_ACE *s1, SEC_ACE *s2)
 151 {
 152         /* Trivial case */
 153
 154         if (!s1 && !s2) {
 155                 return True;
 156         }
 157
 158         if (!s1 || !s2) {
 159                 return False;
 160         }
 161
 162         /* Check top level stuff */
 163
 164         if (s1->type != s2->type || s1->flags != s2->flags ||
 165             s1->access_mask != s2->access_mask) {
 166                 return False;
 167         }
 168
 169         /* Check SID */
 170
 171         if (!sid_equal(&s1->trustee, &s2->trustee)) {
 172                 return False;
 173         }
 174
 175         return True;
 176 }
 177
 178 int nt_ace_inherit_comp( SEC_ACE *a1, SEC_ACE *a2)
 179 {
 180         int a1_inh = a1->flags & SEC_ACE_FLAG_INHERITED_ACE;
 181         int a2_inh = a2->flags & SEC_ACE_FLAG_INHERITED_ACE;
 182
 183         if (a1_inh == a2_inh)
 184                 return 0;
 185
 186         if (!a1_inh && a2_inh)
 187                 return -1;
 188         return 1;
 189 }
 190
 191 /*******************************************************************
 192   Comparison function to apply the order explained below in a group.
 193 *******************************************************************/
 194
 195 int nt_ace_canon_comp( SEC_ACE *a1, SEC_ACE *a2)
 196 {
 197         if ((a1->type == SEC_ACE_TYPE_ACCESS_DENIED) &&
 198                                 (a2->type != SEC_ACE_TYPE_ACCESS_DENIED))
 199                 return -1;
 200
 201         if ((a2->type == SEC_ACE_TYPE_ACCESS_DENIED) &&
 202                                 (a1->type != SEC_ACE_TYPE_ACCESS_DENIED))
 203                 return 1;
 204
 205         /* Both access denied or access allowed. */
 206
 207         /* 1. ACEs that apply to the object itself */
 208
 209         if (!(a1->flags & SEC_ACE_FLAG_INHERIT_ONLY) &&
 210                         (a2->flags & SEC_ACE_FLAG_INHERIT_ONLY))
 211                 return -1;
 212         else if (!(a2->flags & SEC_ACE_FLAG_INHERIT_ONLY) &&
 213                         (a1->flags & SEC_ACE_FLAG_INHERIT_ONLY))
 214                 return 1;
 215
 216         /* 2. ACEs that apply to a subobject of the object, such as
 217          * a property set or property. */
 218
 219         if (a1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT) &&
 220                         !(a2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT)))
 221                 return -1;
 222         else if (a2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT) &&
 223                         !(a1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT)))
 224                 return 1;
 225
 226         return 0;
 227 }
 228
 229 /*******************************************************************
 230  Functions to convert a SEC_DESC ACE DACL list into canonical order.
 231  JRA.
 232
 233 --- from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/order_of_aces_in_a_dacl.asp
 234
 235 The following describes the preferred order:
 236
 237  To ensure that noninherited ACEs have precedence over inherited ACEs,
 238  place all noninherited ACEs in a group before any inherited ACEs.
 239  This ordering ensures, for example, that a noninherited access-denied ACE
 240  is enforced regardless of any inherited ACE that allows access.
 241
 242  Within the groups of noninherited ACEs and inherited ACEs, order ACEs according to ACE type, as the following shows:
 243         1. Access-denied ACEs that apply to the object itself
 244         2. Access-denied ACEs that apply to a subobject of the object, such as a property set or property
 245         3. Access-allowed ACEs that apply to the object itself
 246         4. Access-allowed ACEs that apply to a subobject of the object"
 247
 248 ********************************************************************/
 249
 250 void dacl_sort_into_canonical_order(SEC_ACE *srclist, unsigned int num_aces)
 251 {
 252         unsigned int i;
 253
 254         if (!srclist || num_aces == 0)
 255                 return;
 256
 257         /* Sort so that non-inherited ACE's come first. */
 258         qsort( srclist, num_aces, sizeof(srclist[0]), QSORT_CAST nt_ace_inherit_comp);
 259
 260         /* Find the boundary between non-inherited ACEs. */
 261         for (i = 0; i < num_aces; i++ ) {
 262                 SEC_ACE *curr_ace = &srclist[i];
 263
 264                 if (curr_ace->flags & SEC_ACE_FLAG_INHERITED_ACE)
 265                         break;
 266         }
 267
 268         /* i now points at entry number of the first inherited ACE. */
 269
 270         /* Sort the non-inherited ACEs. */
 271         if (i)
 272                 qsort( srclist, i, sizeof(srclist[0]), QSORT_CAST nt_ace_canon_comp);
 273
 274         /* Now sort the inherited ACEs. */
 275         if (num_aces - i)
 276                 qsort( &srclist[i], num_aces - i, sizeof(srclist[0]), QSORT_CAST nt_ace_canon_comp);
 277 }
 278
 279 /*******************************************************************
 280  Check if this ACE has a SID in common with the token.
 281 ********************************************************************/
 282
 283 bool token_sid_in_ace(const NT_USER_TOKEN *token, const SEC_ACE *ace)
 284 {
 285         size_t i;
 286
 287         for (i = 0; i < token->num_sids; i++) {
 288                 if (sid_equal(&ace->trustee, &token->user_sids[i]))
 289                         return True;
 290         }
 291
 292         return False;
 293 }