2 Unix SMB/CIFS implementation.
4 security descriptror utility functions
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libcli/security/security.h"
26 return a blank security descriptor (no owners, dacl or sacl)
28 struct security_descriptor
*security_descriptor_initialise(TALLOC_CTX
*mem_ctx
)
30 struct security_descriptor
*sd
;
32 sd
= talloc(mem_ctx
, struct security_descriptor
);
37 sd
->revision
= SD_REVISION
;
38 /* we mark as self relative, even though it isn't while it remains
39 a pointer in memory because this simplifies the ndr code later.
40 All SDs that we store/emit are in fact SELF_RELATIVE
42 sd
->type
= SEC_DESC_SELF_RELATIVE
;
52 struct security_acl
*security_acl_dup(TALLOC_CTX
*mem_ctx
,
53 const struct security_acl
*oacl
)
55 struct security_acl
*nacl
;
61 nacl
= talloc (mem_ctx
, struct security_acl
);
66 nacl
->aces
= (struct security_ace
*)talloc_memdup (nacl
, oacl
->aces
, sizeof(struct security_ace
) * oacl
->num_aces
);
67 if ((nacl
->aces
== NULL
) && (oacl
->num_aces
> 0)) {
71 nacl
->revision
= oacl
->revision
;
72 nacl
->size
= oacl
->size
;
73 nacl
->num_aces
= oacl
->num_aces
;
83 struct security_acl
*security_acl_concatenate(TALLOC_CTX
*mem_ctx
,
84 const struct security_acl
*acl1
,
85 const struct security_acl
*acl2
)
87 struct security_acl
*nacl
;
94 nacl
= security_acl_dup(mem_ctx
, acl2
);
99 nacl
= security_acl_dup(mem_ctx
, acl1
);
103 nacl
= talloc (mem_ctx
, struct security_acl
);
108 nacl
->revision
= acl1
->revision
;
109 nacl
->size
= acl1
->size
+ acl2
->size
;
110 nacl
->num_aces
= acl1
->num_aces
+ acl2
->num_aces
;
112 if (nacl
->num_aces
== 0)
115 nacl
->aces
= (struct security_ace
*)talloc_array (mem_ctx
, struct security_ace
, acl1
->num_aces
+acl2
->num_aces
);
116 if ((nacl
->aces
== NULL
) && (nacl
->num_aces
> 0)) {
120 for (i
= 0; i
< acl1
->num_aces
; i
++)
121 nacl
->aces
[i
] = acl1
->aces
[i
];
122 for (i
= 0; i
< acl2
->num_aces
; i
++)
123 nacl
->aces
[i
+ acl1
->num_aces
] = acl2
->aces
[i
];
134 talloc and copy a security descriptor
136 struct security_descriptor
*security_descriptor_copy(TALLOC_CTX
*mem_ctx
,
137 const struct security_descriptor
*osd
)
139 struct security_descriptor
*nsd
;
141 nsd
= talloc_zero(mem_ctx
, struct security_descriptor
);
146 if (osd
->owner_sid
) {
147 nsd
->owner_sid
= dom_sid_dup(nsd
, osd
->owner_sid
);
148 if (nsd
->owner_sid
== NULL
) {
153 if (osd
->group_sid
) {
154 nsd
->group_sid
= dom_sid_dup(nsd
, osd
->group_sid
);
155 if (nsd
->group_sid
== NULL
) {
161 nsd
->sacl
= security_acl_dup(nsd
, osd
->sacl
);
162 if (nsd
->sacl
== NULL
) {
168 nsd
->dacl
= security_acl_dup(nsd
, osd
->dacl
);
169 if (nsd
->dacl
== NULL
) {
174 nsd
->revision
= osd
->revision
;
175 nsd
->type
= osd
->type
;
186 add an ACE to an ACL of a security_descriptor
189 static NTSTATUS
security_descriptor_acl_add(struct security_descriptor
*sd
,
191 const struct security_ace
*ace
)
193 struct security_acl
*acl
= NULL
;
202 acl
= talloc(sd
, struct security_acl
);
204 return NT_STATUS_NO_MEMORY
;
206 acl
->revision
= SECURITY_ACL_REVISION_NT4
;
212 acl
->aces
= talloc_realloc(acl
, acl
->aces
,
213 struct security_ace
, acl
->num_aces
+1);
214 if (acl
->aces
== NULL
) {
215 return NT_STATUS_NO_MEMORY
;
218 acl
->aces
[acl
->num_aces
] = *ace
;
220 switch (acl
->aces
[acl
->num_aces
].type
) {
221 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
:
222 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
:
223 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT
:
224 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT
:
225 acl
->revision
= SECURITY_ACL_REVISION_ADS
;
235 sd
->type
|= SEC_DESC_SACL_PRESENT
;
238 sd
->type
|= SEC_DESC_DACL_PRESENT
;
245 add an ACE to the SACL of a security_descriptor
248 NTSTATUS
security_descriptor_sacl_add(struct security_descriptor
*sd
,
249 const struct security_ace
*ace
)
251 return security_descriptor_acl_add(sd
, true, ace
);
255 add an ACE to the DACL of a security_descriptor
258 NTSTATUS
security_descriptor_dacl_add(struct security_descriptor
*sd
,
259 const struct security_ace
*ace
)
261 return security_descriptor_acl_add(sd
, false, ace
);
265 delete the ACE corresponding to the given trustee in an ACL of a
269 static NTSTATUS
security_descriptor_acl_del(struct security_descriptor
*sd
,
271 const struct dom_sid
*trustee
)
275 struct security_acl
*acl
= NULL
;
284 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
287 /* there can be multiple ace's for one trustee */
288 for (i
=0;i
<acl
->num_aces
;i
++) {
289 if (dom_sid_equal(trustee
, &acl
->aces
[i
].trustee
)) {
290 memmove(&acl
->aces
[i
], &acl
->aces
[i
+1],
291 sizeof(acl
->aces
[i
]) * (acl
->num_aces
- (i
+1)));
293 if (acl
->num_aces
== 0) {
301 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
304 acl
->revision
= SECURITY_ACL_REVISION_NT4
;
306 for (i
=0;i
<acl
->num_aces
;i
++) {
307 switch (acl
->aces
[i
].type
) {
308 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
:
309 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
:
310 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT
:
311 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT
:
312 acl
->revision
= SECURITY_ACL_REVISION_ADS
;
315 break; /* only for the switch statement */
323 delete the ACE corresponding to the given trustee in the DACL of a
327 NTSTATUS
security_descriptor_dacl_del(struct security_descriptor
*sd
,
328 const struct dom_sid
*trustee
)
330 return security_descriptor_acl_del(sd
, false, trustee
);
334 delete the ACE corresponding to the given trustee in the SACL of a
338 NTSTATUS
security_descriptor_sacl_del(struct security_descriptor
*sd
,
339 const struct dom_sid
*trustee
)
341 return security_descriptor_acl_del(sd
, true, trustee
);
345 compare two security ace structures
347 bool security_ace_equal(const struct security_ace
*ace1
,
348 const struct security_ace
*ace2
)
353 if ((ace1
== NULL
) || (ace2
== NULL
)) {
356 if (ace1
->type
!= ace2
->type
) {
359 if (ace1
->flags
!= ace2
->flags
) {
362 if (ace1
->access_mask
!= ace2
->access_mask
) {
365 if (!dom_sid_equal(&ace1
->trustee
, &ace2
->trustee
)) {
374 compare two security acl structures
376 bool security_acl_equal(const struct security_acl
*acl1
,
377 const struct security_acl
*acl2
)
381 if (acl1
== acl2
) return true;
382 if (!acl1
|| !acl2
) return false;
383 if (acl1
->revision
!= acl2
->revision
) return false;
384 if (acl1
->num_aces
!= acl2
->num_aces
) return false;
386 for (i
=0;i
<acl1
->num_aces
;i
++) {
387 if (!security_ace_equal(&acl1
->aces
[i
], &acl2
->aces
[i
])) return false;
393 compare two security descriptors.
395 bool security_descriptor_equal(const struct security_descriptor
*sd1
,
396 const struct security_descriptor
*sd2
)
398 if (sd1
== sd2
) return true;
399 if (!sd1
|| !sd2
) return false;
400 if (sd1
->revision
!= sd2
->revision
) return false;
401 if (sd1
->type
!= sd2
->type
) return false;
403 if (!dom_sid_equal(sd1
->owner_sid
, sd2
->owner_sid
)) return false;
404 if (!dom_sid_equal(sd1
->group_sid
, sd2
->group_sid
)) return false;
405 if (!security_acl_equal(sd1
->sacl
, sd2
->sacl
)) return false;
406 if (!security_acl_equal(sd1
->dacl
, sd2
->dacl
)) return false;
412 compare two security descriptors, but allow certain (missing) parts
413 to be masked out of the comparison
415 bool security_descriptor_mask_equal(const struct security_descriptor
*sd1
,
416 const struct security_descriptor
*sd2
,
419 if (sd1
== sd2
) return true;
420 if (!sd1
|| !sd2
) return false;
421 if (sd1
->revision
!= sd2
->revision
) return false;
422 if ((sd1
->type
& mask
) != (sd2
->type
& mask
)) return false;
424 if (!dom_sid_equal(sd1
->owner_sid
, sd2
->owner_sid
)) return false;
425 if (!dom_sid_equal(sd1
->group_sid
, sd2
->group_sid
)) return false;
426 if ((mask
& SEC_DESC_DACL_PRESENT
) && !security_acl_equal(sd1
->dacl
, sd2
->dacl
)) return false;
427 if ((mask
& SEC_DESC_SACL_PRESENT
) && !security_acl_equal(sd1
->sacl
, sd2
->sacl
)) return false;
433 static struct security_descriptor
*security_descriptor_appendv(struct security_descriptor
*sd
,
434 bool add_ace_to_sacl
,
439 while ((sidstr
= va_arg(ap
, const char *))) {
441 struct security_ace
*ace
= talloc_zero(sd
, struct security_ace
);
448 ace
->type
= va_arg(ap
, unsigned int);
449 ace
->access_mask
= va_arg(ap
, unsigned int);
450 ace
->flags
= va_arg(ap
, unsigned int);
451 sid
= dom_sid_parse_talloc(ace
, sidstr
);
457 if (add_ace_to_sacl
) {
458 status
= security_descriptor_sacl_add(sd
, ace
);
460 status
= security_descriptor_dacl_add(sd
, ace
);
462 /* TODO: check: would talloc_free(ace) here be correct? */
463 if (!NT_STATUS_IS_OK(status
)) {
472 struct security_descriptor
*security_descriptor_append(struct security_descriptor
*sd
,
478 sd
= security_descriptor_appendv(sd
, false, ap
);
484 static struct security_descriptor
*security_descriptor_createv(TALLOC_CTX
*mem_ctx
,
486 const char *owner_sid
,
487 const char *group_sid
,
488 bool add_ace_to_sacl
,
491 struct security_descriptor
*sd
;
493 sd
= security_descriptor_initialise(mem_ctx
);
501 sd
->owner_sid
= dom_sid_parse_talloc(sd
, owner_sid
);
502 if (sd
->owner_sid
== NULL
) {
508 sd
->group_sid
= dom_sid_parse_talloc(sd
, group_sid
);
509 if (sd
->group_sid
== NULL
) {
515 return security_descriptor_appendv(sd
, add_ace_to_sacl
, ap
);
519 create a security descriptor using string SIDs. This is used by the
520 torture code to allow the easy creation of complex ACLs
521 This is a varargs function. The list of DACL ACEs ends with a NULL sid.
523 Each ACE contains a set of 4 parameters:
524 SID, ACCESS_TYPE, MASK, FLAGS
526 a typical call would be:
528 sd = security_descriptor_dacl_create(mem_ctx,
532 SID_NT_AUTHENTICATED_USERS,
533 SEC_ACE_TYPE_ACCESS_ALLOWED,
535 SEC_ACE_FLAG_OBJECT_INHERIT,
537 that would create a sd with one DACL ACE
540 struct security_descriptor
*security_descriptor_dacl_create(TALLOC_CTX
*mem_ctx
,
542 const char *owner_sid
,
543 const char *group_sid
,
546 struct security_descriptor
*sd
= NULL
;
548 va_start(ap
, group_sid
);
549 sd
= security_descriptor_createv(mem_ctx
, sd_type
, owner_sid
,
550 group_sid
, false, ap
);
556 struct security_descriptor
*security_descriptor_sacl_create(TALLOC_CTX
*mem_ctx
,
558 const char *owner_sid
,
559 const char *group_sid
,
562 struct security_descriptor
*sd
= NULL
;
564 va_start(ap
, group_sid
);
565 sd
= security_descriptor_createv(mem_ctx
, sd_type
, owner_sid
,
566 group_sid
, true, ap
);
572 struct security_ace
*security_ace_create(TALLOC_CTX
*mem_ctx
,
574 enum security_ace_type type
,
575 uint32_t access_mask
,
579 struct security_ace
*ace
;
582 ace
= talloc_zero(mem_ctx
, struct security_ace
);
587 ok
= dom_sid_parse(sid_str
, &ace
->trustee
);
593 ace
->access_mask
= access_mask
;
599 /*******************************************************************
600 Check for MS NFS ACEs in a sd
601 *******************************************************************/
602 bool security_descriptor_with_ms_nfs(const struct security_descriptor
*psd
)
606 if (psd
->dacl
== NULL
) {
610 for (i
= 0; i
< psd
->dacl
->num_aces
; i
++) {
611 if (dom_sid_compare_domain(
612 &global_sid_Unix_NFS
,
613 &psd
->dacl
->aces
[i
].trustee
) == 0) {