2 Unix SMB/CIFS implementation.
4 security descriptor description language functions
6 Copyright (C) Andrew Tridgell 2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libcli/security/security.h"
24 #include "librpc/gen_ndr/ndr_misc.h"
25 #include "system/locale.h"
33 map a series of letter codes into a uint32_t
35 static bool sddl_map_flags(const struct flag_map
*map
, const char *str
,
36 uint32_t *flags
, size_t *len
)
38 const char *str0
= str
;
41 while (str
[0] && isupper(str
[0])) {
43 for (i
=0;map
[i
].name
;i
++) {
44 size_t l
= strlen(map
[i
].name
);
45 if (strncmp(map
[i
].name
, str
, l
) == 0) {
46 *flags
|= map
[i
].flag
;
52 if (map
[i
].name
== NULL
) {
53 DEBUG(1, ("Unknown flag - %s in %s\n", str
, str0
));
61 a mapping between the 2 letter SID codes and sid strings
68 { .code
= "WD", .sid
= SID_WORLD
},
70 { .code
= "CO", .sid
= SID_CREATOR_OWNER
},
71 { .code
= "CG", .sid
= SID_CREATOR_GROUP
},
73 { .code
= "NU", .sid
= SID_NT_NETWORK
},
74 { .code
= "IU", .sid
= SID_NT_INTERACTIVE
},
75 { .code
= "SU", .sid
= SID_NT_SERVICE
},
76 { .code
= "AN", .sid
= SID_NT_ANONYMOUS
},
77 { .code
= "ED", .sid
= SID_NT_ENTERPRISE_DCS
},
78 { .code
= "PS", .sid
= SID_NT_SELF
},
79 { .code
= "AU", .sid
= SID_NT_AUTHENTICATED_USERS
},
80 { .code
= "RC", .sid
= SID_NT_RESTRICTED
},
81 { .code
= "SY", .sid
= SID_NT_SYSTEM
},
82 { .code
= "LS", .sid
= SID_NT_LOCAL_SERVICE
},
83 { .code
= "NS", .sid
= SID_NT_NETWORK_SERVICE
},
84 { .code
= "IS", .sid
= SID_NT_IUSR
},
86 { .code
= "BA", .sid
= SID_BUILTIN_ADMINISTRATORS
},
87 { .code
= "BU", .sid
= SID_BUILTIN_USERS
},
88 { .code
= "BG", .sid
= SID_BUILTIN_GUESTS
},
89 { .code
= "PU", .sid
= SID_BUILTIN_POWER_USERS
},
90 { .code
= "AO", .sid
= SID_BUILTIN_ACCOUNT_OPERATORS
},
91 { .code
= "SO", .sid
= SID_BUILTIN_SERVER_OPERATORS
},
92 { .code
= "PO", .sid
= SID_BUILTIN_PRINT_OPERATORS
},
93 { .code
= "BO", .sid
= SID_BUILTIN_BACKUP_OPERATORS
},
94 { .code
= "RE", .sid
= SID_BUILTIN_REPLICATOR
},
95 { .code
= "BR", .sid
= SID_BUILTIN_RAS_SERVERS
},
96 { .code
= "RU", .sid
= SID_BUILTIN_PREW2K
},
97 { .code
= "RD", .sid
= SID_BUILTIN_REMOTE_DESKTOP_USERS
},
98 { .code
= "NO", .sid
= SID_BUILTIN_NETWORK_CONF_OPERATORS
},
99 { .code
= "IF", .sid
= SID_BUILTIN_INCOMING_FOREST_TRUST
},
101 { .code
= "LA", .sid
= NULL
, .rid
= DOMAIN_RID_ADMINISTRATOR
},
102 { .code
= "LG", .sid
= NULL
, .rid
= DOMAIN_RID_GUEST
},
103 { .code
= "LK", .sid
= NULL
, .rid
= DOMAIN_RID_KRBTGT
},
105 { .code
= "ER", .sid
= NULL
, .rid
= DOMAIN_RID_ENTERPRISE_READONLY_DCS
},
106 { .code
= "DA", .sid
= NULL
, .rid
= DOMAIN_RID_ADMINS
},
107 { .code
= "DU", .sid
= NULL
, .rid
= DOMAIN_RID_USERS
},
108 { .code
= "DG", .sid
= NULL
, .rid
= DOMAIN_RID_GUESTS
},
109 { .code
= "DC", .sid
= NULL
, .rid
= DOMAIN_RID_DOMAIN_MEMBERS
},
110 { .code
= "DD", .sid
= NULL
, .rid
= DOMAIN_RID_DCS
},
111 { .code
= "CA", .sid
= NULL
, .rid
= DOMAIN_RID_CERT_ADMINS
},
112 { .code
= "SA", .sid
= NULL
, .rid
= DOMAIN_RID_SCHEMA_ADMINS
},
113 { .code
= "EA", .sid
= NULL
, .rid
= DOMAIN_RID_ENTERPRISE_ADMINS
},
114 { .code
= "PA", .sid
= NULL
, .rid
= DOMAIN_RID_POLICY_ADMINS
},
115 { .code
= "RO", .sid
= NULL
, .rid
= DOMAIN_RID_READONLY_DCS
},
116 { .code
= "RS", .sid
= NULL
, .rid
= DOMAIN_RID_RAS_SERVERS
}
121 It can either be a special 2 letter code, or in S-* format
123 static struct dom_sid
*sddl_decode_sid(TALLOC_CTX
*mem_ctx
, const char **sddlp
,
124 const struct dom_sid
*domain_sid
)
126 const char *sddl
= (*sddlp
);
129 /* see if its in the numeric format */
130 if (strncmp(sddl
, "S-", 2) == 0) {
133 size_t len
= strspn(sddl
+2, "-0123456789");
134 sid_str
= talloc_strndup(mem_ctx
, sddl
, len
+2);
139 sid
= dom_sid_parse_talloc(mem_ctx
, sid_str
);
140 talloc_free(sid_str
);
144 /* now check for one of the special codes */
145 for (i
=0;i
<ARRAY_SIZE(sid_codes
);i
++) {
146 if (strncmp(sid_codes
[i
].code
, sddl
, 2) == 0) break;
148 if (i
== ARRAY_SIZE(sid_codes
)) {
149 DEBUG(1,("Unknown sddl sid code '%2.2s'\n", sddl
));
155 if (sid_codes
[i
].sid
== NULL
) {
156 return dom_sid_add_rid(mem_ctx
, domain_sid
, sid_codes
[i
].rid
);
159 return dom_sid_parse_talloc(mem_ctx
, sid_codes
[i
].sid
);
162 static const struct flag_map ace_types
[] = {
163 { "AU", SEC_ACE_TYPE_SYSTEM_AUDIT
},
164 { "AL", SEC_ACE_TYPE_SYSTEM_ALARM
},
165 { "OA", SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
},
166 { "OD", SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
},
167 { "OU", SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT
},
168 { "OL", SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT
},
169 { "A", SEC_ACE_TYPE_ACCESS_ALLOWED
},
170 { "D", SEC_ACE_TYPE_ACCESS_DENIED
},
174 static const struct flag_map ace_flags
[] = {
175 { "OI", SEC_ACE_FLAG_OBJECT_INHERIT
},
176 { "CI", SEC_ACE_FLAG_CONTAINER_INHERIT
},
177 { "NP", SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
},
178 { "IO", SEC_ACE_FLAG_INHERIT_ONLY
},
179 { "ID", SEC_ACE_FLAG_INHERITED_ACE
},
180 { "SA", SEC_ACE_FLAG_SUCCESSFUL_ACCESS
},
181 { "FA", SEC_ACE_FLAG_FAILED_ACCESS
},
185 static const struct flag_map ace_access_mask
[] = {
186 { "RP", SEC_ADS_READ_PROP
},
187 { "WP", SEC_ADS_WRITE_PROP
},
188 { "CR", SEC_ADS_CONTROL_ACCESS
},
189 { "CC", SEC_ADS_CREATE_CHILD
},
190 { "DC", SEC_ADS_DELETE_CHILD
},
191 { "LC", SEC_ADS_LIST
},
192 { "LO", SEC_ADS_LIST_OBJECT
},
193 { "RC", SEC_STD_READ_CONTROL
},
194 { "WO", SEC_STD_WRITE_OWNER
},
195 { "WD", SEC_STD_WRITE_DAC
},
196 { "SD", SEC_STD_DELETE
},
197 { "DT", SEC_ADS_DELETE_TREE
},
198 { "SW", SEC_ADS_SELF_WRITE
},
199 { "GA", SEC_GENERIC_ALL
},
200 { "GR", SEC_GENERIC_READ
},
201 { "GW", SEC_GENERIC_WRITE
},
202 { "GX", SEC_GENERIC_EXECUTE
},
208 return true on success, false on failure
209 note that this routine modifies the string
211 static bool sddl_decode_ace(TALLOC_CTX
*mem_ctx
, struct security_ace
*ace
, char *str
,
212 const struct dom_sid
*domain_sid
)
222 /* parse out the 6 tokens */
225 char *ptr
= strchr(str
, ';');
226 if (ptr
== NULL
) return false;
233 if (!sddl_map_flags(ace_types
, tok
[0], &v
, NULL
)) {
239 if (!sddl_map_flags(ace_flags
, tok
[1], &v
, NULL
)) {
245 if (strncmp(tok
[2], "0x", 2) == 0) {
246 ace
->access_mask
= strtol(tok
[2], NULL
, 16);
248 if (!sddl_map_flags(ace_access_mask
, tok
[2], &v
, NULL
)) {
251 ace
->access_mask
= v
;
255 if (tok
[3][0] != 0) {
256 NTSTATUS status
= GUID_from_string(tok
[3],
257 &ace
->object
.object
.type
.type
);
258 if (!NT_STATUS_IS_OK(status
)) {
261 ace
->object
.object
.flags
|= SEC_ACE_OBJECT_TYPE_PRESENT
;
265 if (tok
[4][0] != 0) {
266 NTSTATUS status
= GUID_from_string(tok
[4],
267 &ace
->object
.object
.inherited_type
.inherited_type
);
268 if (!NT_STATUS_IS_OK(status
)) {
271 ace
->object
.object
.flags
|= SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
;
276 sid
= sddl_decode_sid(mem_ctx
, &s
, domain_sid
);
286 static const struct flag_map acl_flags
[] = {
287 { "P", SEC_DESC_DACL_PROTECTED
},
288 { "AR", SEC_DESC_DACL_AUTO_INHERIT_REQ
},
289 { "AI", SEC_DESC_DACL_AUTO_INHERITED
},
296 static struct security_acl
*sddl_decode_acl(struct security_descriptor
*sd
,
297 const char **sddlp
, uint32_t *flags
,
298 const struct dom_sid
*domain_sid
)
300 const char *sddl
= *sddlp
;
301 struct security_acl
*acl
;
306 acl
= talloc_zero(sd
, struct security_acl
);
307 if (acl
== NULL
) return NULL
;
308 acl
->revision
= SECURITY_ACL_REVISION_ADS
;
310 if (isupper(sddl
[0]) && sddl
[1] == ':') {
311 /* its an empty ACL */
315 /* work out the ACL flags */
316 if (!sddl_map_flags(acl_flags
, sddl
, flags
, &len
)) {
323 while (*sddl
== '(') {
325 len
= strcspn(sddl
+1, ")");
326 astr
= talloc_strndup(acl
, sddl
+1, len
);
327 if (astr
== NULL
|| sddl
[len
+1] != ')') {
331 acl
->aces
= talloc_realloc(acl
, acl
->aces
, struct security_ace
,
333 if (acl
->aces
== NULL
) {
337 if (!sddl_decode_ace(acl
->aces
, &acl
->aces
[acl
->num_aces
],
342 switch (acl
->aces
[acl
->num_aces
].type
) {
343 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
:
344 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
:
345 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT
:
346 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT
:
347 acl
->revision
= SECURITY_ACL_REVISION_ADS
;
362 decode a security descriptor in SDDL format
364 struct security_descriptor
*sddl_decode(TALLOC_CTX
*mem_ctx
, const char *sddl
,
365 const struct dom_sid
*domain_sid
)
367 struct security_descriptor
*sd
;
368 sd
= talloc_zero(mem_ctx
, struct security_descriptor
);
370 sd
->revision
= SECURITY_DESCRIPTOR_REVISION_1
;
371 sd
->type
= SEC_DESC_SELF_RELATIVE
;
376 if (sddl
[1] != ':') goto failed
;
381 if (sd
->dacl
!= NULL
) goto failed
;
382 sd
->dacl
= sddl_decode_acl(sd
, &sddl
, &flags
, domain_sid
);
383 if (sd
->dacl
== NULL
) goto failed
;
384 sd
->type
|= flags
| SEC_DESC_DACL_PRESENT
;
387 if (sd
->sacl
!= NULL
) goto failed
;
388 sd
->sacl
= sddl_decode_acl(sd
, &sddl
, &flags
, domain_sid
);
389 if (sd
->sacl
== NULL
) goto failed
;
390 /* this relies on the SEC_DESC_SACL_* flags being
391 1 bit shifted from the SEC_DESC_DACL_* flags */
392 sd
->type
|= (flags
<<1) | SEC_DESC_SACL_PRESENT
;
395 if (sd
->owner_sid
!= NULL
) goto failed
;
396 sd
->owner_sid
= sddl_decode_sid(sd
, &sddl
, domain_sid
);
397 if (sd
->owner_sid
== NULL
) goto failed
;
400 if (sd
->group_sid
!= NULL
) goto failed
;
401 sd
->group_sid
= sddl_decode_sid(sd
, &sddl
, domain_sid
);
402 if (sd
->group_sid
== NULL
) goto failed
;
410 DEBUG(2,("Badly formatted SDDL '%s'\n", sddl
));
416 turn a set of flags into a string
418 static char *sddl_flags_to_string(TALLOC_CTX
*mem_ctx
, const struct flag_map
*map
,
419 uint32_t flags
, bool check_all
)
424 /* try to find an exact match */
425 for (i
=0;map
[i
].name
;i
++) {
426 if (map
[i
].flag
== flags
) {
427 return talloc_strdup(mem_ctx
, map
[i
].name
);
431 s
= talloc_strdup(mem_ctx
, "");
434 for (i
=0;map
[i
].name
;i
++) {
435 if ((flags
& map
[i
].flag
) != 0) {
436 s
= talloc_asprintf_append_buffer(s
, "%s", map
[i
].name
);
437 if (s
== NULL
) goto failed
;
438 flags
&= ~map
[i
].flag
;
442 if (check_all
&& flags
!= 0) {
454 encode a sid in SDDL format
456 static char *sddl_encode_sid(TALLOC_CTX
*mem_ctx
, const struct dom_sid
*sid
,
457 const struct dom_sid
*domain_sid
)
462 sidstr
= dom_sid_string(mem_ctx
, sid
);
463 if (sidstr
== NULL
) return NULL
;
465 /* seen if its a well known sid */
466 for (i
=0;sid_codes
[i
].sid
;i
++) {
467 if (strcmp(sidstr
, sid_codes
[i
].sid
) == 0) {
469 return talloc_strdup(mem_ctx
, sid_codes
[i
].code
);
473 /* or a well known rid in our domain */
474 if (dom_sid_in_domain(domain_sid
, sid
)) {
475 uint32_t rid
= sid
->sub_auths
[sid
->num_auths
-1];
476 for (;i
<ARRAY_SIZE(sid_codes
);i
++) {
477 if (rid
== sid_codes
[i
].rid
) {
479 return talloc_strdup(mem_ctx
, sid_codes
[i
].code
);
486 /* TODO: encode well known sids as two letter codes */
487 return dom_sid_string(mem_ctx
, sid
);
492 encode an ACE in SDDL format
494 static char *sddl_encode_ace(TALLOC_CTX
*mem_ctx
, const struct security_ace
*ace
,
495 const struct dom_sid
*domain_sid
)
499 const char *sddl_type
="", *sddl_flags
="", *sddl_mask
="",
500 *sddl_object
="", *sddl_iobject
="", *sddl_trustee
="";
502 tmp_ctx
= talloc_new(mem_ctx
);
503 if (tmp_ctx
== NULL
) {
504 DEBUG(0, ("talloc_new failed\n"));
508 sddl_type
= sddl_flags_to_string(tmp_ctx
, ace_types
, ace
->type
, true);
509 if (sddl_type
== NULL
) {
513 sddl_flags
= sddl_flags_to_string(tmp_ctx
, ace_flags
, ace
->flags
,
515 if (sddl_flags
== NULL
) {
519 sddl_mask
= sddl_flags_to_string(tmp_ctx
, ace_access_mask
,
520 ace
->access_mask
, true);
521 if (sddl_mask
== NULL
) {
522 sddl_mask
= talloc_asprintf(tmp_ctx
, "0x%08x",
524 if (sddl_mask
== NULL
) {
529 if (ace
->type
== SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
||
530 ace
->type
== SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
||
531 ace
->type
== SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT
||
532 ace
->type
== SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT
) {
533 if (ace
->object
.object
.flags
& SEC_ACE_OBJECT_TYPE_PRESENT
) {
534 sddl_object
= GUID_string(
535 tmp_ctx
, &ace
->object
.object
.type
.type
);
536 if (sddl_object
== NULL
) {
541 if (ace
->object
.object
.flags
& SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
) {
542 sddl_iobject
= GUID_string(tmp_ctx
, &ace
->object
.object
.inherited_type
.inherited_type
);
543 if (sddl_iobject
== NULL
) {
549 sddl_trustee
= sddl_encode_sid(tmp_ctx
, &ace
->trustee
, domain_sid
);
550 if (sddl_trustee
== NULL
) {
554 sddl
= talloc_asprintf(mem_ctx
, "%s;%s;%s;%s;%s;%s",
555 sddl_type
, sddl_flags
, sddl_mask
, sddl_object
,
556 sddl_iobject
, sddl_trustee
);
559 talloc_free(tmp_ctx
);
564 encode an ACL in SDDL format
566 static char *sddl_encode_acl(TALLOC_CTX
*mem_ctx
, const struct security_acl
*acl
,
567 uint32_t flags
, const struct dom_sid
*domain_sid
)
572 /* add any ACL flags */
573 sddl
= sddl_flags_to_string(mem_ctx
, acl_flags
, flags
, false);
574 if (sddl
== NULL
) goto failed
;
576 /* now the ACEs, encoded in braces */
577 for (i
=0;i
<acl
->num_aces
;i
++) {
578 char *ace
= sddl_encode_ace(sddl
, &acl
->aces
[i
], domain_sid
);
579 if (ace
== NULL
) goto failed
;
580 sddl
= talloc_asprintf_append_buffer(sddl
, "(%s)", ace
);
581 if (sddl
== NULL
) goto failed
;
594 encode a security descriptor to SDDL format
596 char *sddl_encode(TALLOC_CTX
*mem_ctx
, const struct security_descriptor
*sd
,
597 const struct dom_sid
*domain_sid
)
602 /* start with a blank string */
603 sddl
= talloc_strdup(mem_ctx
, "");
604 if (sddl
== NULL
) goto failed
;
606 tmp_ctx
= talloc_new(mem_ctx
);
608 if (sd
->owner_sid
!= NULL
) {
609 char *sid
= sddl_encode_sid(tmp_ctx
, sd
->owner_sid
, domain_sid
);
610 if (sid
== NULL
) goto failed
;
611 sddl
= talloc_asprintf_append_buffer(sddl
, "O:%s", sid
);
612 if (sddl
== NULL
) goto failed
;
615 if (sd
->group_sid
!= NULL
) {
616 char *sid
= sddl_encode_sid(tmp_ctx
, sd
->group_sid
, domain_sid
);
617 if (sid
== NULL
) goto failed
;
618 sddl
= talloc_asprintf_append_buffer(sddl
, "G:%s", sid
);
619 if (sddl
== NULL
) goto failed
;
622 if ((sd
->type
& SEC_DESC_DACL_PRESENT
) && sd
->dacl
!= NULL
) {
623 char *acl
= sddl_encode_acl(tmp_ctx
, sd
->dacl
, sd
->type
, domain_sid
);
624 if (acl
== NULL
) goto failed
;
625 sddl
= talloc_asprintf_append_buffer(sddl
, "D:%s", acl
);
626 if (sddl
== NULL
) goto failed
;
629 if ((sd
->type
& SEC_DESC_SACL_PRESENT
) && sd
->sacl
!= NULL
) {
630 char *acl
= sddl_encode_acl(tmp_ctx
, sd
->sacl
, sd
->type
>>1, domain_sid
);
631 if (acl
== NULL
) goto failed
;
632 sddl
= talloc_asprintf_append_buffer(sddl
, "S:%s", acl
);
633 if (sddl
== NULL
) goto failed
;
636 talloc_free(tmp_ctx
);