2 Unix SMB/CIFS implementation.
4 security descriptror utility functions
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libcli/security/security.h"
26 return a blank security descriptor (no owners, dacl or sacl)
28 struct security_descriptor
*security_descriptor_initialise(TALLOC_CTX
*mem_ctx
)
30 struct security_descriptor
*sd
;
32 sd
= talloc(mem_ctx
, struct security_descriptor
);
37 sd
->revision
= SD_REVISION
;
38 /* we mark as self relative, even though it isn't while it remains
39 a pointer in memory because this simplifies the ndr code later.
40 All SDs that we store/emit are in fact SELF_RELATIVE
42 sd
->type
= SEC_DESC_SELF_RELATIVE
;
52 struct security_acl
*security_acl_dup(TALLOC_CTX
*mem_ctx
,
53 const struct security_acl
*oacl
)
55 struct security_acl
*nacl
;
61 if (oacl
->aces
== NULL
&& oacl
->num_aces
> 0) {
65 nacl
= talloc (mem_ctx
, struct security_acl
);
70 *nacl
= (struct security_acl
) {
71 .revision
= oacl
->revision
,
73 .num_aces
= oacl
->num_aces
,
75 if (nacl
->num_aces
== 0) {
79 nacl
->aces
= (struct security_ace
*)talloc_memdup (nacl
, oacl
->aces
, sizeof(struct security_ace
) * oacl
->num_aces
);
80 if (nacl
->aces
== NULL
) {
92 struct security_acl
*security_acl_concatenate(TALLOC_CTX
*mem_ctx
,
93 const struct security_acl
*acl1
,
94 const struct security_acl
*acl2
)
96 struct security_acl
*nacl
;
103 nacl
= security_acl_dup(mem_ctx
, acl2
);
108 nacl
= security_acl_dup(mem_ctx
, acl1
);
112 nacl
= talloc (mem_ctx
, struct security_acl
);
117 nacl
->revision
= acl1
->revision
;
118 nacl
->size
= acl1
->size
+ acl2
->size
;
119 nacl
->num_aces
= acl1
->num_aces
+ acl2
->num_aces
;
121 if (nacl
->num_aces
== 0)
124 nacl
->aces
= (struct security_ace
*)talloc_array (mem_ctx
, struct security_ace
, acl1
->num_aces
+acl2
->num_aces
);
125 if ((nacl
->aces
== NULL
) && (nacl
->num_aces
> 0)) {
129 for (i
= 0; i
< acl1
->num_aces
; i
++)
130 nacl
->aces
[i
] = acl1
->aces
[i
];
131 for (i
= 0; i
< acl2
->num_aces
; i
++)
132 nacl
->aces
[i
+ acl1
->num_aces
] = acl2
->aces
[i
];
143 talloc and copy a security descriptor
145 struct security_descriptor
*security_descriptor_copy(TALLOC_CTX
*mem_ctx
,
146 const struct security_descriptor
*osd
)
148 struct security_descriptor
*nsd
;
150 nsd
= talloc_zero(mem_ctx
, struct security_descriptor
);
155 if (osd
->owner_sid
) {
156 nsd
->owner_sid
= dom_sid_dup(nsd
, osd
->owner_sid
);
157 if (nsd
->owner_sid
== NULL
) {
162 if (osd
->group_sid
) {
163 nsd
->group_sid
= dom_sid_dup(nsd
, osd
->group_sid
);
164 if (nsd
->group_sid
== NULL
) {
170 nsd
->sacl
= security_acl_dup(nsd
, osd
->sacl
);
171 if (nsd
->sacl
== NULL
) {
177 nsd
->dacl
= security_acl_dup(nsd
, osd
->dacl
);
178 if (nsd
->dacl
== NULL
) {
183 nsd
->revision
= osd
->revision
;
184 nsd
->type
= osd
->type
;
194 NTSTATUS
security_descriptor_for_client(TALLOC_CTX
*mem_ctx
,
195 const struct security_descriptor
*ssd
,
197 uint32_t access_granted
,
198 struct security_descriptor
**_csd
)
200 struct security_descriptor
*csd
= NULL
;
201 uint32_t access_required
= 0;
205 if (sec_info
& (SECINFO_OWNER
|SECINFO_GROUP
)) {
206 access_required
|= SEC_STD_READ_CONTROL
;
208 if (sec_info
& SECINFO_DACL
) {
209 access_required
|= SEC_STD_READ_CONTROL
;
211 if (sec_info
& SECINFO_SACL
) {
212 access_required
|= SEC_FLAG_SYSTEM_SECURITY
;
215 if (access_required
& (~access_granted
)) {
216 return NT_STATUS_ACCESS_DENIED
;
222 csd
= security_descriptor_copy(mem_ctx
, ssd
);
224 return NT_STATUS_NO_MEMORY
;
228 * ... and remove everthing not wanted
231 if (!(sec_info
& SECINFO_OWNER
)) {
232 TALLOC_FREE(csd
->owner_sid
);
233 csd
->type
&= ~SEC_DESC_OWNER_DEFAULTED
;
235 if (!(sec_info
& SECINFO_GROUP
)) {
236 TALLOC_FREE(csd
->group_sid
);
237 csd
->type
&= ~SEC_DESC_GROUP_DEFAULTED
;
239 if (!(sec_info
& SECINFO_DACL
)) {
240 TALLOC_FREE(csd
->dacl
);
242 SEC_DESC_DACL_PRESENT
|
243 SEC_DESC_DACL_DEFAULTED
|
244 SEC_DESC_DACL_AUTO_INHERIT_REQ
|
245 SEC_DESC_DACL_AUTO_INHERITED
|
246 SEC_DESC_DACL_PROTECTED
|
247 SEC_DESC_DACL_TRUSTED
);
249 if (!(sec_info
& SECINFO_SACL
)) {
250 TALLOC_FREE(csd
->sacl
);
252 SEC_DESC_SACL_PRESENT
|
253 SEC_DESC_SACL_DEFAULTED
|
254 SEC_DESC_SACL_AUTO_INHERIT_REQ
|
255 SEC_DESC_SACL_AUTO_INHERITED
|
256 SEC_DESC_SACL_PROTECTED
|
257 SEC_DESC_SERVER_SECURITY
);
265 add an ACE to an ACL of a security_descriptor
268 static NTSTATUS
security_descriptor_acl_add(struct security_descriptor
*sd
,
270 const struct security_ace
*ace
)
272 struct security_acl
*acl
= NULL
;
281 acl
= talloc(sd
, struct security_acl
);
283 return NT_STATUS_NO_MEMORY
;
285 acl
->revision
= SECURITY_ACL_REVISION_NT4
;
291 acl
->aces
= talloc_realloc(acl
, acl
->aces
,
292 struct security_ace
, acl
->num_aces
+1);
293 if (acl
->aces
== NULL
) {
294 return NT_STATUS_NO_MEMORY
;
297 acl
->aces
[acl
->num_aces
] = *ace
;
299 switch (acl
->aces
[acl
->num_aces
].type
) {
300 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
:
301 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
:
302 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT
:
303 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT
:
304 acl
->revision
= SECURITY_ACL_REVISION_ADS
;
314 sd
->type
|= SEC_DESC_SACL_PRESENT
;
317 sd
->type
|= SEC_DESC_DACL_PRESENT
;
324 add an ACE to the SACL of a security_descriptor
327 NTSTATUS
security_descriptor_sacl_add(struct security_descriptor
*sd
,
328 const struct security_ace
*ace
)
330 return security_descriptor_acl_add(sd
, true, ace
);
334 add an ACE to the DACL of a security_descriptor
337 NTSTATUS
security_descriptor_dacl_add(struct security_descriptor
*sd
,
338 const struct security_ace
*ace
)
340 return security_descriptor_acl_add(sd
, false, ace
);
344 delete the ACE corresponding to the given trustee in an ACL of a
348 static NTSTATUS
security_descriptor_acl_del(struct security_descriptor
*sd
,
350 const struct dom_sid
*trustee
)
354 struct security_acl
*acl
= NULL
;
363 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
366 /* there can be multiple ace's for one trustee */
367 for (i
=0;i
<acl
->num_aces
;i
++) {
368 if (dom_sid_equal(trustee
, &acl
->aces
[i
].trustee
)) {
369 memmove(&acl
->aces
[i
], &acl
->aces
[i
+1],
370 sizeof(acl
->aces
[i
]) * (acl
->num_aces
- (i
+1)));
372 if (acl
->num_aces
== 0) {
380 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
383 acl
->revision
= SECURITY_ACL_REVISION_NT4
;
385 for (i
=0;i
<acl
->num_aces
;i
++) {
386 switch (acl
->aces
[i
].type
) {
387 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
:
388 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
:
389 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT
:
390 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT
:
391 acl
->revision
= SECURITY_ACL_REVISION_ADS
;
394 break; /* only for the switch statement */
402 delete the ACE corresponding to the given trustee in the DACL of a
406 NTSTATUS
security_descriptor_dacl_del(struct security_descriptor
*sd
,
407 const struct dom_sid
*trustee
)
409 return security_descriptor_acl_del(sd
, false, trustee
);
413 delete the ACE corresponding to the given trustee in the SACL of a
417 NTSTATUS
security_descriptor_sacl_del(struct security_descriptor
*sd
,
418 const struct dom_sid
*trustee
)
420 return security_descriptor_acl_del(sd
, true, trustee
);
424 compare two security ace structures
426 bool security_ace_equal(const struct security_ace
*ace1
,
427 const struct security_ace
*ace2
)
432 if ((ace1
== NULL
) || (ace2
== NULL
)) {
435 if (ace1
->type
!= ace2
->type
) {
438 if (ace1
->flags
!= ace2
->flags
) {
441 if (ace1
->access_mask
!= ace2
->access_mask
) {
444 if (!dom_sid_equal(&ace1
->trustee
, &ace2
->trustee
)) {
453 compare two security acl structures
455 bool security_acl_equal(const struct security_acl
*acl1
,
456 const struct security_acl
*acl2
)
460 if (acl1
== acl2
) return true;
461 if (!acl1
|| !acl2
) return false;
462 if (acl1
->revision
!= acl2
->revision
) return false;
463 if (acl1
->num_aces
!= acl2
->num_aces
) return false;
465 for (i
=0;i
<acl1
->num_aces
;i
++) {
466 if (!security_ace_equal(&acl1
->aces
[i
], &acl2
->aces
[i
])) return false;
472 compare two security descriptors.
474 bool security_descriptor_equal(const struct security_descriptor
*sd1
,
475 const struct security_descriptor
*sd2
)
477 if (sd1
== sd2
) return true;
478 if (!sd1
|| !sd2
) return false;
479 if (sd1
->revision
!= sd2
->revision
) return false;
480 if (sd1
->type
!= sd2
->type
) return false;
482 if (!dom_sid_equal(sd1
->owner_sid
, sd2
->owner_sid
)) return false;
483 if (!dom_sid_equal(sd1
->group_sid
, sd2
->group_sid
)) return false;
484 if (!security_acl_equal(sd1
->sacl
, sd2
->sacl
)) return false;
485 if (!security_acl_equal(sd1
->dacl
, sd2
->dacl
)) return false;
491 compare two security descriptors, but allow certain (missing) parts
492 to be masked out of the comparison
494 bool security_descriptor_mask_equal(const struct security_descriptor
*sd1
,
495 const struct security_descriptor
*sd2
,
498 if (sd1
== sd2
) return true;
499 if (!sd1
|| !sd2
) return false;
500 if (sd1
->revision
!= sd2
->revision
) return false;
501 if ((sd1
->type
& mask
) != (sd2
->type
& mask
)) return false;
503 if (!dom_sid_equal(sd1
->owner_sid
, sd2
->owner_sid
)) return false;
504 if (!dom_sid_equal(sd1
->group_sid
, sd2
->group_sid
)) return false;
505 if ((mask
& SEC_DESC_DACL_PRESENT
) && !security_acl_equal(sd1
->dacl
, sd2
->dacl
)) return false;
506 if ((mask
& SEC_DESC_SACL_PRESENT
) && !security_acl_equal(sd1
->sacl
, sd2
->sacl
)) return false;
512 static struct security_descriptor
*security_descriptor_appendv(struct security_descriptor
*sd
,
513 bool add_ace_to_sacl
,
518 while ((sidstr
= va_arg(ap
, const char *))) {
520 struct security_ace
*ace
= talloc_zero(sd
, struct security_ace
);
527 ace
->type
= va_arg(ap
, unsigned int);
528 ace
->access_mask
= va_arg(ap
, unsigned int);
529 ace
->flags
= va_arg(ap
, unsigned int);
530 sid
= dom_sid_parse_talloc(ace
, sidstr
);
536 if (add_ace_to_sacl
) {
537 status
= security_descriptor_sacl_add(sd
, ace
);
539 status
= security_descriptor_dacl_add(sd
, ace
);
541 /* TODO: check: would talloc_free(ace) here be correct? */
542 if (!NT_STATUS_IS_OK(status
)) {
551 struct security_descriptor
*security_descriptor_append(struct security_descriptor
*sd
,
557 sd
= security_descriptor_appendv(sd
, false, ap
);
563 static struct security_descriptor
*security_descriptor_createv(TALLOC_CTX
*mem_ctx
,
565 const char *owner_sid
,
566 const char *group_sid
,
567 bool add_ace_to_sacl
,
570 struct security_descriptor
*sd
;
572 sd
= security_descriptor_initialise(mem_ctx
);
580 sd
->owner_sid
= dom_sid_parse_talloc(sd
, owner_sid
);
581 if (sd
->owner_sid
== NULL
) {
587 sd
->group_sid
= dom_sid_parse_talloc(sd
, group_sid
);
588 if (sd
->group_sid
== NULL
) {
594 return security_descriptor_appendv(sd
, add_ace_to_sacl
, ap
);
598 create a security descriptor using string SIDs. This is used by the
599 torture code to allow the easy creation of complex ACLs
600 This is a varargs function. The list of DACL ACEs ends with a NULL sid.
602 Each ACE contains a set of 4 parameters:
603 SID, ACCESS_TYPE, MASK, FLAGS
605 a typical call would be:
607 sd = security_descriptor_dacl_create(mem_ctx,
611 SID_NT_AUTHENTICATED_USERS,
612 SEC_ACE_TYPE_ACCESS_ALLOWED,
614 SEC_ACE_FLAG_OBJECT_INHERIT,
616 that would create a sd with one DACL ACE
619 struct security_descriptor
*security_descriptor_dacl_create(TALLOC_CTX
*mem_ctx
,
621 const char *owner_sid
,
622 const char *group_sid
,
625 struct security_descriptor
*sd
= NULL
;
627 va_start(ap
, group_sid
);
628 sd
= security_descriptor_createv(mem_ctx
, sd_type
, owner_sid
,
629 group_sid
, false, ap
);
635 struct security_descriptor
*security_descriptor_sacl_create(TALLOC_CTX
*mem_ctx
,
637 const char *owner_sid
,
638 const char *group_sid
,
641 struct security_descriptor
*sd
= NULL
;
643 va_start(ap
, group_sid
);
644 sd
= security_descriptor_createv(mem_ctx
, sd_type
, owner_sid
,
645 group_sid
, true, ap
);
651 struct security_ace
*security_ace_create(TALLOC_CTX
*mem_ctx
,
653 enum security_ace_type type
,
654 uint32_t access_mask
,
658 struct security_ace
*ace
;
661 ace
= talloc_zero(mem_ctx
, struct security_ace
);
666 ok
= dom_sid_parse(sid_str
, &ace
->trustee
);
672 ace
->access_mask
= access_mask
;
678 /*******************************************************************
679 Check for MS NFS ACEs in a sd
680 *******************************************************************/
681 bool security_descriptor_with_ms_nfs(const struct security_descriptor
*psd
)
685 if (psd
->dacl
== NULL
) {
689 for (i
= 0; i
< psd
->dacl
->num_aces
; i
++) {
690 if (dom_sid_compare_domain(
691 &global_sid_Unix_NFS
,
692 &psd
->dacl
->aces
[i
].trustee
) == 0) {