2 Unix SMB/CIFS implementation.
4 security descriptor description language functions
6 Copyright (C) Andrew Tridgell 2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libcli/security/security.h"
24 #include "librpc/gen_ndr/ndr_misc.h"
25 #include "system/locale.h"
33 map a series of letter codes into a uint32_t
35 static bool sddl_map_flags(const struct flag_map
*map
, const char *str
,
36 uint32_t *flags
, size_t *len
)
38 const char *str0
= str
;
41 while (str
[0] && isupper(str
[0])) {
43 for (i
=0;map
[i
].name
;i
++) {
44 size_t l
= strlen(map
[i
].name
);
45 if (strncmp(map
[i
].name
, str
, l
) == 0) {
46 *flags
|= map
[i
].flag
;
52 if (map
[i
].name
== NULL
) {
53 DEBUG(1, ("Unknown flag - %s in %s\n", str
, str0
));
61 a mapping between the 2 letter SID codes and sid strings
68 { "AO", SID_BUILTIN_ACCOUNT_OPERATORS
},
69 { "BA", SID_BUILTIN_ADMINISTRATORS
},
70 { "RU", SID_BUILTIN_PREW2K
},
71 { "PO", SID_BUILTIN_PRINT_OPERATORS
},
72 { "RS", SID_BUILTIN_RAS_SERVERS
},
74 { "AU", SID_NT_AUTHENTICATED_USERS
},
75 { "SY", SID_NT_SYSTEM
},
76 { "PS", SID_NT_SELF
},
78 { "ED", SID_NT_ENTERPRISE_DCS
},
80 { "CO", SID_CREATOR_OWNER
},
81 { "CG", SID_CREATOR_GROUP
},
83 { "DA", NULL
, DOMAIN_RID_ADMINS
},
84 { "EA", NULL
, DOMAIN_RID_ENTERPRISE_ADMINS
},
85 { "DD", NULL
, DOMAIN_RID_DCS
},
86 { "DU", NULL
, DOMAIN_RID_USERS
},
87 { "CA", NULL
, DOMAIN_RID_CERT_ADMINS
},
92 It can either be a special 2 letter code, or in S-* format
94 static struct dom_sid
*sddl_decode_sid(TALLOC_CTX
*mem_ctx
, const char **sddlp
,
95 const struct dom_sid
*domain_sid
)
97 const char *sddl
= (*sddlp
);
100 /* see if its in the numeric format */
101 if (strncmp(sddl
, "S-", 2) == 0) {
104 size_t len
= strspn(sddl
+2, "-0123456789");
105 sid_str
= talloc_strndup(mem_ctx
, sddl
, len
+2);
110 sid
= dom_sid_parse_talloc(mem_ctx
, sid_str
);
111 talloc_free(sid_str
);
115 /* now check for one of the special codes */
116 for (i
=0;i
<ARRAY_SIZE(sid_codes
);i
++) {
117 if (strncmp(sid_codes
[i
].code
, sddl
, 2) == 0) break;
119 if (i
== ARRAY_SIZE(sid_codes
)) {
120 DEBUG(1,("Unknown sddl sid code '%2.2s'\n", sddl
));
126 if (sid_codes
[i
].sid
== NULL
) {
127 return dom_sid_add_rid(mem_ctx
, domain_sid
, sid_codes
[i
].rid
);
130 return dom_sid_parse_talloc(mem_ctx
, sid_codes
[i
].sid
);
133 static const struct flag_map ace_types
[] = {
134 { "AU", SEC_ACE_TYPE_SYSTEM_AUDIT
},
135 { "AL", SEC_ACE_TYPE_SYSTEM_ALARM
},
136 { "OA", SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
},
137 { "OD", SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
},
138 { "OU", SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT
},
139 { "OL", SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT
},
140 { "A", SEC_ACE_TYPE_ACCESS_ALLOWED
},
141 { "D", SEC_ACE_TYPE_ACCESS_DENIED
},
145 static const struct flag_map ace_flags
[] = {
146 { "OI", SEC_ACE_FLAG_OBJECT_INHERIT
},
147 { "CI", SEC_ACE_FLAG_CONTAINER_INHERIT
},
148 { "NP", SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
},
149 { "IO", SEC_ACE_FLAG_INHERIT_ONLY
},
150 { "ID", SEC_ACE_FLAG_INHERITED_ACE
},
151 { "SA", SEC_ACE_FLAG_SUCCESSFUL_ACCESS
},
152 { "FA", SEC_ACE_FLAG_FAILED_ACCESS
},
156 static const struct flag_map ace_access_mask
[] = {
157 { "RP", SEC_ADS_READ_PROP
},
158 { "WP", SEC_ADS_WRITE_PROP
},
159 { "CR", SEC_ADS_CONTROL_ACCESS
},
160 { "CC", SEC_ADS_CREATE_CHILD
},
161 { "DC", SEC_ADS_DELETE_CHILD
},
162 { "LC", SEC_ADS_LIST
},
163 { "LO", SEC_ADS_LIST_OBJECT
},
164 { "RC", SEC_STD_READ_CONTROL
},
165 { "WO", SEC_STD_WRITE_OWNER
},
166 { "WD", SEC_STD_WRITE_DAC
},
167 { "SD", SEC_STD_DELETE
},
168 { "DT", SEC_ADS_DELETE_TREE
},
169 { "SW", SEC_ADS_SELF_WRITE
},
170 { "GA", SEC_GENERIC_ALL
},
171 { "GR", SEC_GENERIC_READ
},
172 { "GW", SEC_GENERIC_WRITE
},
173 { "GX", SEC_GENERIC_EXECUTE
},
179 return true on success, false on failure
180 note that this routine modifies the string
182 static bool sddl_decode_ace(TALLOC_CTX
*mem_ctx
, struct security_ace
*ace
, char *str
,
183 const struct dom_sid
*domain_sid
)
193 /* parse out the 6 tokens */
196 char *ptr
= strchr(str
, ';');
197 if (ptr
== NULL
) return false;
204 if (!sddl_map_flags(ace_types
, tok
[0], &v
, NULL
)) {
210 if (!sddl_map_flags(ace_flags
, tok
[1], &v
, NULL
)) {
216 if (strncmp(tok
[2], "0x", 2) == 0) {
217 ace
->access_mask
= strtol(tok
[2], NULL
, 16);
219 if (!sddl_map_flags(ace_access_mask
, tok
[2], &v
, NULL
)) {
222 ace
->access_mask
= v
;
226 if (tok
[3][0] != 0) {
227 NTSTATUS status
= GUID_from_string(tok
[3],
228 &ace
->object
.object
.type
.type
);
229 if (!NT_STATUS_IS_OK(status
)) {
232 ace
->object
.object
.flags
|= SEC_ACE_OBJECT_TYPE_PRESENT
;
236 if (tok
[4][0] != 0) {
237 NTSTATUS status
= GUID_from_string(tok
[4],
238 &ace
->object
.object
.inherited_type
.inherited_type
);
239 if (!NT_STATUS_IS_OK(status
)) {
242 ace
->object
.object
.flags
|= SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
;
247 sid
= sddl_decode_sid(mem_ctx
, &s
, domain_sid
);
257 static const struct flag_map acl_flags
[] = {
258 { "P", SEC_DESC_DACL_PROTECTED
},
259 { "AR", SEC_DESC_DACL_AUTO_INHERIT_REQ
},
260 { "AI", SEC_DESC_DACL_AUTO_INHERITED
},
267 static struct security_acl
*sddl_decode_acl(struct security_descriptor
*sd
,
268 const char **sddlp
, uint32_t *flags
,
269 const struct dom_sid
*domain_sid
)
271 const char *sddl
= *sddlp
;
272 struct security_acl
*acl
;
277 acl
= talloc_zero(sd
, struct security_acl
);
278 if (acl
== NULL
) return NULL
;
279 acl
->revision
= SECURITY_ACL_REVISION_NT4
;
281 if (isupper(sddl
[0]) && sddl
[1] == ':') {
282 /* its an empty ACL */
286 /* work out the ACL flags */
287 if (!sddl_map_flags(acl_flags
, sddl
, flags
, &len
)) {
294 while (*sddl
== '(') {
296 len
= strcspn(sddl
+1, ")");
297 astr
= talloc_strndup(acl
, sddl
+1, len
);
298 if (astr
== NULL
|| sddl
[len
+1] != ')') {
302 acl
->aces
= talloc_realloc(acl
, acl
->aces
, struct security_ace
,
304 if (acl
->aces
== NULL
) {
308 if (!sddl_decode_ace(acl
->aces
, &acl
->aces
[acl
->num_aces
],
313 switch (acl
->aces
[acl
->num_aces
].type
) {
314 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
:
315 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
:
316 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT
:
317 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT
:
318 acl
->revision
= SECURITY_ACL_REVISION_ADS
;
333 decode a security descriptor in SDDL format
335 struct security_descriptor
*sddl_decode(TALLOC_CTX
*mem_ctx
, const char *sddl
,
336 const struct dom_sid
*domain_sid
)
338 struct security_descriptor
*sd
;
339 sd
= talloc_zero(mem_ctx
, struct security_descriptor
);
341 sd
->revision
= SECURITY_DESCRIPTOR_REVISION_1
;
342 sd
->type
= SEC_DESC_SELF_RELATIVE
;
347 if (sddl
[1] != ':') goto failed
;
352 if (sd
->dacl
!= NULL
) goto failed
;
353 sd
->dacl
= sddl_decode_acl(sd
, &sddl
, &flags
, domain_sid
);
354 if (sd
->dacl
== NULL
) goto failed
;
355 sd
->type
|= flags
| SEC_DESC_DACL_PRESENT
;
358 if (sd
->sacl
!= NULL
) goto failed
;
359 sd
->sacl
= sddl_decode_acl(sd
, &sddl
, &flags
, domain_sid
);
360 if (sd
->sacl
== NULL
) goto failed
;
361 /* this relies on the SEC_DESC_SACL_* flags being
362 1 bit shifted from the SEC_DESC_DACL_* flags */
363 sd
->type
|= (flags
<<1) | SEC_DESC_SACL_PRESENT
;
366 if (sd
->owner_sid
!= NULL
) goto failed
;
367 sd
->owner_sid
= sddl_decode_sid(sd
, &sddl
, domain_sid
);
368 if (sd
->owner_sid
== NULL
) goto failed
;
371 if (sd
->group_sid
!= NULL
) goto failed
;
372 sd
->group_sid
= sddl_decode_sid(sd
, &sddl
, domain_sid
);
373 if (sd
->group_sid
== NULL
) goto failed
;
381 DEBUG(2,("Badly formatted SDDL '%s'\n", sddl
));
387 turn a set of flags into a string
389 static char *sddl_flags_to_string(TALLOC_CTX
*mem_ctx
, const struct flag_map
*map
,
390 uint32_t flags
, bool check_all
)
395 /* try to find an exact match */
396 for (i
=0;map
[i
].name
;i
++) {
397 if (map
[i
].flag
== flags
) {
398 return talloc_strdup(mem_ctx
, map
[i
].name
);
402 s
= talloc_strdup(mem_ctx
, "");
405 for (i
=0;map
[i
].name
;i
++) {
406 if ((flags
& map
[i
].flag
) != 0) {
407 s
= talloc_asprintf_append_buffer(s
, "%s", map
[i
].name
);
408 if (s
== NULL
) goto failed
;
409 flags
&= ~map
[i
].flag
;
413 if (check_all
&& flags
!= 0) {
425 encode a sid in SDDL format
427 static char *sddl_encode_sid(TALLOC_CTX
*mem_ctx
, const struct dom_sid
*sid
,
428 const struct dom_sid
*domain_sid
)
433 sidstr
= dom_sid_string(mem_ctx
, sid
);
434 if (sidstr
== NULL
) return NULL
;
436 /* seen if its a well known sid */
437 for (i
=0;sid_codes
[i
].sid
;i
++) {
438 if (strcmp(sidstr
, sid_codes
[i
].sid
) == 0) {
440 return talloc_strdup(mem_ctx
, sid_codes
[i
].code
);
444 /* or a well known rid in our domain */
445 if (dom_sid_in_domain(domain_sid
, sid
)) {
446 uint32_t rid
= sid
->sub_auths
[sid
->num_auths
-1];
447 for (;i
<ARRAY_SIZE(sid_codes
);i
++) {
448 if (rid
== sid_codes
[i
].rid
) {
450 return talloc_strdup(mem_ctx
, sid_codes
[i
].code
);
457 /* TODO: encode well known sids as two letter codes */
458 return dom_sid_string(mem_ctx
, sid
);
463 encode an ACE in SDDL format
465 static char *sddl_encode_ace(TALLOC_CTX
*mem_ctx
, const struct security_ace
*ace
,
466 const struct dom_sid
*domain_sid
)
470 const char *s_type
="", *s_flags
="", *s_mask
="",
471 *s_object
="", *s_iobject
="", *s_trustee
="";
473 tmp_ctx
= talloc_new(mem_ctx
);
474 if (tmp_ctx
== NULL
) {
475 DEBUG(0, ("talloc_new failed\n"));
479 s_type
= sddl_flags_to_string(tmp_ctx
, ace_types
, ace
->type
, true);
480 if (s_type
== NULL
) goto failed
;
482 s_flags
= sddl_flags_to_string(tmp_ctx
, ace_flags
, ace
->flags
, true);
483 if (s_flags
== NULL
) goto failed
;
485 s_mask
= sddl_flags_to_string(tmp_ctx
, ace_access_mask
, ace
->access_mask
, true);
486 if (s_mask
== NULL
) {
487 s_mask
= talloc_asprintf(tmp_ctx
, "0x%08x", ace
->access_mask
);
488 if (s_mask
== NULL
) goto failed
;
491 if (ace
->type
== SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
||
492 ace
->type
== SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
||
493 ace
->type
== SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT
||
494 ace
->type
== SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT
) {
495 if (ace
->object
.object
.flags
& SEC_ACE_OBJECT_TYPE_PRESENT
) {
496 s_object
= GUID_string(tmp_ctx
, &ace
->object
.object
.type
.type
);
497 if (s_object
== NULL
) goto failed
;
500 if (ace
->object
.object
.flags
& SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
) {
501 s_iobject
= GUID_string(tmp_ctx
, &ace
->object
.object
.inherited_type
.inherited_type
);
502 if (s_iobject
== NULL
) goto failed
;
506 s_trustee
= sddl_encode_sid(tmp_ctx
, &ace
->trustee
, domain_sid
);
507 if (s_trustee
== NULL
) goto failed
;
509 sddl
= talloc_asprintf(mem_ctx
, "%s;%s;%s;%s;%s;%s",
510 s_type
, s_flags
, s_mask
, s_object
, s_iobject
, s_trustee
);
513 talloc_free(tmp_ctx
);
518 encode an ACL in SDDL format
520 static char *sddl_encode_acl(TALLOC_CTX
*mem_ctx
, const struct security_acl
*acl
,
521 uint32_t flags
, const struct dom_sid
*domain_sid
)
526 /* add any ACL flags */
527 sddl
= sddl_flags_to_string(mem_ctx
, acl_flags
, flags
, false);
528 if (sddl
== NULL
) goto failed
;
530 /* now the ACEs, encoded in braces */
531 for (i
=0;i
<acl
->num_aces
;i
++) {
532 char *ace
= sddl_encode_ace(sddl
, &acl
->aces
[i
], domain_sid
);
533 if (ace
== NULL
) goto failed
;
534 sddl
= talloc_asprintf_append_buffer(sddl
, "(%s)", ace
);
535 if (sddl
== NULL
) goto failed
;
548 encode a security descriptor to SDDL format
550 char *sddl_encode(TALLOC_CTX
*mem_ctx
, const struct security_descriptor
*sd
,
551 const struct dom_sid
*domain_sid
)
556 /* start with a blank string */
557 sddl
= talloc_strdup(mem_ctx
, "");
558 if (sddl
== NULL
) goto failed
;
560 tmp_ctx
= talloc_new(mem_ctx
);
562 if (sd
->owner_sid
!= NULL
) {
563 char *sid
= sddl_encode_sid(tmp_ctx
, sd
->owner_sid
, domain_sid
);
564 if (sid
== NULL
) goto failed
;
565 sddl
= talloc_asprintf_append_buffer(sddl
, "O:%s", sid
);
566 if (sddl
== NULL
) goto failed
;
569 if (sd
->group_sid
!= NULL
) {
570 char *sid
= sddl_encode_sid(tmp_ctx
, sd
->group_sid
, domain_sid
);
571 if (sid
== NULL
) goto failed
;
572 sddl
= talloc_asprintf_append_buffer(sddl
, "G:%s", sid
);
573 if (sddl
== NULL
) goto failed
;
576 if ((sd
->type
& SEC_DESC_DACL_PRESENT
) && sd
->dacl
!= NULL
) {
577 char *acl
= sddl_encode_acl(tmp_ctx
, sd
->dacl
, sd
->type
, domain_sid
);
578 if (acl
== NULL
) goto failed
;
579 sddl
= talloc_asprintf_append_buffer(sddl
, "D:%s", acl
);
580 if (sddl
== NULL
) goto failed
;
583 if ((sd
->type
& SEC_DESC_SACL_PRESENT
) && sd
->sacl
!= NULL
) {
584 char *acl
= sddl_encode_acl(tmp_ctx
, sd
->sacl
, sd
->type
>>1, domain_sid
);
585 if (acl
== NULL
) goto failed
;
586 sddl
= talloc_asprintf_append_buffer(sddl
, "S:%s", acl
);
587 if (sddl
== NULL
) goto failed
;
590 talloc_free(tmp_ctx
);