2 Unix SMB/CIFS implementation.
4 security descriptror utility functions
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libcli/security/security_descriptor.h"
24 #include "libcli/security/dom_sid.h"
27 return a blank security descriptor (no owners, dacl or sacl)
29 struct security_descriptor
*security_descriptor_initialise(TALLOC_CTX
*mem_ctx
)
31 struct security_descriptor
*sd
;
33 sd
= talloc(mem_ctx
, struct security_descriptor
);
38 sd
->revision
= SD_REVISION
;
39 /* we mark as self relative, even though it isn't while it remains
40 a pointer in memory because this simplifies the ndr code later.
41 All SDs that we store/emit are in fact SELF_RELATIVE
43 sd
->type
= SEC_DESC_SELF_RELATIVE
;
53 static struct security_acl
*security_acl_dup(TALLOC_CTX
*mem_ctx
,
54 const struct security_acl
*oacl
)
56 struct security_acl
*nacl
;
58 nacl
= talloc (mem_ctx
, struct security_acl
);
63 nacl
->aces
= (struct security_ace
*)talloc_memdup (nacl
, oacl
->aces
, sizeof(struct security_ace
) * oacl
->num_aces
);
64 if ((nacl
->aces
== NULL
) && (oacl
->num_aces
> 0)) {
68 nacl
->revision
= oacl
->revision
;
69 nacl
->size
= oacl
->size
;
70 nacl
->num_aces
= oacl
->num_aces
;
81 talloc and copy a security descriptor
83 struct security_descriptor
*security_descriptor_copy(TALLOC_CTX
*mem_ctx
,
84 const struct security_descriptor
*osd
)
86 struct security_descriptor
*nsd
;
88 nsd
= talloc_zero(mem_ctx
, struct security_descriptor
);
94 nsd
->owner_sid
= dom_sid_dup(nsd
, osd
->owner_sid
);
95 if (nsd
->owner_sid
== NULL
) {
100 if (osd
->group_sid
) {
101 nsd
->group_sid
= dom_sid_dup(nsd
, osd
->group_sid
);
102 if (nsd
->group_sid
== NULL
) {
108 nsd
->sacl
= security_acl_dup(nsd
, osd
->sacl
);
109 if (nsd
->sacl
== NULL
) {
115 nsd
->dacl
= security_acl_dup(nsd
, osd
->dacl
);
116 if (nsd
->dacl
== NULL
) {
121 nsd
->revision
= osd
->revision
;
122 nsd
->type
= osd
->type
;
133 add an ACE to an ACL of a security_descriptor
136 static NTSTATUS
security_descriptor_acl_add(struct security_descriptor
*sd
,
138 const struct security_ace
*ace
)
140 struct security_acl
*acl
= NULL
;
149 acl
= talloc(sd
, struct security_acl
);
151 return NT_STATUS_NO_MEMORY
;
153 acl
->revision
= SECURITY_ACL_REVISION_NT4
;
159 acl
->aces
= talloc_realloc(acl
, acl
->aces
,
160 struct security_ace
, acl
->num_aces
+1);
161 if (acl
->aces
== NULL
) {
162 return NT_STATUS_NO_MEMORY
;
165 acl
->aces
[acl
->num_aces
] = *ace
;
167 switch (acl
->aces
[acl
->num_aces
].type
) {
168 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
:
169 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
:
170 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT
:
171 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT
:
172 acl
->revision
= SECURITY_ACL_REVISION_ADS
;
182 sd
->type
|= SEC_DESC_SACL_PRESENT
;
185 sd
->type
|= SEC_DESC_DACL_PRESENT
;
192 add an ACE to the SACL of a security_descriptor
195 NTSTATUS
security_descriptor_sacl_add(struct security_descriptor
*sd
,
196 const struct security_ace
*ace
)
198 return security_descriptor_acl_add(sd
, true, ace
);
202 add an ACE to the DACL of a security_descriptor
205 NTSTATUS
security_descriptor_dacl_add(struct security_descriptor
*sd
,
206 const struct security_ace
*ace
)
208 return security_descriptor_acl_add(sd
, false, ace
);
212 delete the ACE corresponding to the given trustee in an ACL of a
216 static NTSTATUS
security_descriptor_acl_del(struct security_descriptor
*sd
,
218 const struct dom_sid
*trustee
)
222 struct security_acl
*acl
= NULL
;
231 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
234 /* there can be multiple ace's for one trustee */
235 for (i
=0;i
<acl
->num_aces
;i
++) {
236 if (dom_sid_equal(trustee
, &acl
->aces
[i
].trustee
)) {
237 memmove(&acl
->aces
[i
], &acl
->aces
[i
+1],
238 sizeof(acl
->aces
[i
]) * (acl
->num_aces
- (i
+1)));
240 if (acl
->num_aces
== 0) {
248 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
251 acl
->revision
= SECURITY_ACL_REVISION_NT4
;
253 for (i
=0;i
<acl
->num_aces
;i
++) {
254 switch (acl
->aces
[i
].type
) {
255 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
:
256 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
:
257 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT
:
258 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT
:
259 acl
->revision
= SECURITY_ACL_REVISION_ADS
;
262 break; /* only for the switch statement */
270 delete the ACE corresponding to the given trustee in the DACL of a
274 NTSTATUS
security_descriptor_dacl_del(struct security_descriptor
*sd
,
275 const struct dom_sid
*trustee
)
277 return security_descriptor_acl_del(sd
, false, trustee
);
281 delete the ACE corresponding to the given trustee in the SACL of a
285 NTSTATUS
security_descriptor_sacl_del(struct security_descriptor
*sd
,
286 const struct dom_sid
*trustee
)
288 return security_descriptor_acl_del(sd
, true, trustee
);
292 compare two security ace structures
294 bool security_ace_equal(const struct security_ace
*ace1
,
295 const struct security_ace
*ace2
)
297 if (ace1
== ace2
) return true;
298 if (!ace1
|| !ace2
) return false;
299 if (ace1
->type
!= ace2
->type
) return false;
300 if (ace1
->flags
!= ace2
->flags
) return false;
301 if (ace1
->access_mask
!= ace2
->access_mask
) return false;
302 if (!dom_sid_equal(&ace1
->trustee
, &ace2
->trustee
)) return false;
309 compare two security acl structures
311 bool security_acl_equal(const struct security_acl
*acl1
,
312 const struct security_acl
*acl2
)
316 if (acl1
== acl2
) return true;
317 if (!acl1
|| !acl2
) return false;
318 if (acl1
->revision
!= acl2
->revision
) return false;
319 if (acl1
->num_aces
!= acl2
->num_aces
) return false;
321 for (i
=0;i
<acl1
->num_aces
;i
++) {
322 if (!security_ace_equal(&acl1
->aces
[i
], &acl2
->aces
[i
])) return false;
328 compare two security descriptors.
330 bool security_descriptor_equal(const struct security_descriptor
*sd1
,
331 const struct security_descriptor
*sd2
)
333 if (sd1
== sd2
) return true;
334 if (!sd1
|| !sd2
) return false;
335 if (sd1
->revision
!= sd2
->revision
) return false;
336 if (sd1
->type
!= sd2
->type
) return false;
338 if (!dom_sid_equal(sd1
->owner_sid
, sd2
->owner_sid
)) return false;
339 if (!dom_sid_equal(sd1
->group_sid
, sd2
->group_sid
)) return false;
340 if (!security_acl_equal(sd1
->sacl
, sd2
->sacl
)) return false;
341 if (!security_acl_equal(sd1
->dacl
, sd2
->dacl
)) return false;
347 compare two security descriptors, but allow certain (missing) parts
348 to be masked out of the comparison
350 bool security_descriptor_mask_equal(const struct security_descriptor
*sd1
,
351 const struct security_descriptor
*sd2
,
354 if (sd1
== sd2
) return true;
355 if (!sd1
|| !sd2
) return false;
356 if (sd1
->revision
!= sd2
->revision
) return false;
357 if ((sd1
->type
& mask
) != (sd2
->type
& mask
)) return false;
359 if (!dom_sid_equal(sd1
->owner_sid
, sd2
->owner_sid
)) return false;
360 if (!dom_sid_equal(sd1
->group_sid
, sd2
->group_sid
)) return false;
361 if ((mask
& SEC_DESC_DACL_PRESENT
) && !security_acl_equal(sd1
->dacl
, sd2
->dacl
)) return false;
362 if ((mask
& SEC_DESC_SACL_PRESENT
) && !security_acl_equal(sd1
->sacl
, sd2
->sacl
)) return false;
368 static struct security_descriptor
*security_descriptor_appendv(struct security_descriptor
*sd
,
369 bool add_ace_to_sacl
,
374 while ((sidstr
= va_arg(ap
, const char *))) {
376 struct security_ace
*ace
= talloc_zero(sd
, struct security_ace
);
383 ace
->type
= va_arg(ap
, unsigned int);
384 ace
->access_mask
= va_arg(ap
, unsigned int);
385 ace
->flags
= va_arg(ap
, unsigned int);
386 sid
= dom_sid_parse_talloc(ace
, sidstr
);
392 if (add_ace_to_sacl
) {
393 status
= security_descriptor_sacl_add(sd
, ace
);
395 status
= security_descriptor_dacl_add(sd
, ace
);
397 /* TODO: check: would talloc_free(ace) here be correct? */
398 if (!NT_STATUS_IS_OK(status
)) {
407 struct security_descriptor
*security_descriptor_append(struct security_descriptor
*sd
,
413 sd
= security_descriptor_appendv(sd
, false, ap
);
419 static struct security_descriptor
*security_descriptor_createv(TALLOC_CTX
*mem_ctx
,
421 const char *owner_sid
,
422 const char *group_sid
,
423 bool add_ace_to_sacl
,
426 struct security_descriptor
*sd
;
428 sd
= security_descriptor_initialise(mem_ctx
);
436 sd
->owner_sid
= dom_sid_parse_talloc(sd
, owner_sid
);
437 if (sd
->owner_sid
== NULL
) {
443 sd
->group_sid
= dom_sid_parse_talloc(sd
, group_sid
);
444 if (sd
->group_sid
== NULL
) {
450 return security_descriptor_appendv(sd
, add_ace_to_sacl
, ap
);
454 create a security descriptor using string SIDs. This is used by the
455 torture code to allow the easy creation of complex ACLs
456 This is a varargs function. The list of DACL ACEs ends with a NULL sid.
458 Each ACE contains a set of 4 parameters:
459 SID, ACCESS_TYPE, MASK, FLAGS
461 a typical call would be:
463 sd = security_descriptor_dacl_create(mem_ctx,
467 SID_NT_AUTHENTICATED_USERS,
468 SEC_ACE_TYPE_ACCESS_ALLOWED,
470 SEC_ACE_FLAG_OBJECT_INHERIT,
472 that would create a sd with one DACL ACE
475 struct security_descriptor
*security_descriptor_dacl_create(TALLOC_CTX
*mem_ctx
,
477 const char *owner_sid
,
478 const char *group_sid
,
481 struct security_descriptor
*sd
= NULL
;
483 va_start(ap
, group_sid
);
484 sd
= security_descriptor_createv(mem_ctx
, sd_type
, owner_sid
,
485 group_sid
, false, ap
);
491 struct security_descriptor
*security_descriptor_sacl_create(TALLOC_CTX
*mem_ctx
,
493 const char *owner_sid
,
494 const char *group_sid
,
497 struct security_descriptor
*sd
= NULL
;
499 va_start(ap
, group_sid
);
500 sd
= security_descriptor_createv(mem_ctx
, sd_type
, owner_sid
,
501 group_sid
, true, ap
);
507 struct security_ace
*security_ace_create(TALLOC_CTX
*mem_ctx
,
509 enum security_ace_type type
,
510 uint32_t access_mask
,
515 struct security_ace
*ace
;
517 ace
= talloc_zero(mem_ctx
, struct security_ace
);
522 sid
= dom_sid_parse_talloc(ace
, sid_str
);
530 ace
->access_mask
= access_mask
;