search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4-drs: allow replication of renames
[Samba/aatanasov.git] / libcli / security / security_descriptor.c
blobf18a326e9973d6a09e3bc93c1ae7ec76157a3633
1 /*
2 Unix SMB/CIFS implementation.
3
4 security descriptror utility functions
5
6 Copyright (C) Andrew Tridgell 2004
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "libcli/security/security_descriptor.h"
24 #include "libcli/security/dom_sid.h"
25
26 /*
27 return a blank security descriptor (no owners, dacl or sacl)
28 */
29 struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx)
30 {
31 struct security_descriptor *sd;
32
33 sd = talloc(mem_ctx, struct security_descriptor);
34 if (!sd) {
35 return NULL;
36 }
37
38 sd->revision = SD_REVISION;
39 /* we mark as self relative, even though it isn't while it remains
40 a pointer in memory because this simplifies the ndr code later.
41 All SDs that we store/emit are in fact SELF_RELATIVE
42 */
43 sd->type = SEC_DESC_SELF_RELATIVE;
44
45 sd->owner_sid = NULL;
46 sd->group_sid = NULL;
47 sd->sacl = NULL;
48 sd->dacl = NULL;
49
50 return sd;
51 }
52
53 static struct security_acl *security_acl_dup(TALLOC_CTX *mem_ctx,
54 const struct security_acl *oacl)
55 {
56 struct security_acl *nacl;
57
58 nacl = talloc (mem_ctx, struct security_acl);
59 if (nacl == NULL) {
60 return NULL;
61 }
62
63 nacl->aces = (struct security_ace *)talloc_memdup (nacl, oacl->aces, sizeof(struct security_ace) * oacl->num_aces);
64 if ((nacl->aces == NULL) && (oacl->num_aces > 0)) {
65 goto failed;
66 }
67
68 nacl->revision = oacl->revision;
69 nacl->size = oacl->size;
70 nacl->num_aces = oacl->num_aces;
71
72 return nacl;
73
74 failed:
75 talloc_free (nacl);
76 return NULL;
77
78 }
79
80 /*
81 talloc and copy a security descriptor
82 */
83 struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx,
84 const struct security_descriptor *osd)
85 {
86 struct security_descriptor *nsd;
87
88 nsd = talloc_zero(mem_ctx, struct security_descriptor);
89 if (!nsd) {
90 return NULL;
91 }
92
93 if (osd->owner_sid) {
94 nsd->owner_sid = dom_sid_dup(nsd, osd->owner_sid);
95 if (nsd->owner_sid == NULL) {
96 goto failed;
97 }
98 }
99
100 if (osd->group_sid) {
101 nsd->group_sid = dom_sid_dup(nsd, osd->group_sid);
102 if (nsd->group_sid == NULL) {
103 goto failed;
104 }
105 }
106
107 if (osd->sacl) {
108 nsd->sacl = security_acl_dup(nsd, osd->sacl);
109 if (nsd->sacl == NULL) {
110 goto failed;
111 }
112 }
113
114 if (osd->dacl) {
115 nsd->dacl = security_acl_dup(nsd, osd->dacl);
116 if (nsd->dacl == NULL) {
117 goto failed;
118 }
119 }
120
121 nsd->revision = osd->revision;
122 nsd->type = osd->type;
123
124 return nsd;
125
126 failed:
127 talloc_free(nsd);
128
129 return NULL;
130 }
131
132 /*
133 add an ACE to an ACL of a security_descriptor
134 */
135
136 static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
137 bool add_to_sacl,
138 const struct security_ace *ace)
139 {
140 struct security_acl *acl = NULL;
141
142 if (add_to_sacl) {
143 acl = sd->sacl;
144 } else {
145 acl = sd->dacl;
146 }
147
148 if (acl == NULL) {
149 acl = talloc(sd, struct security_acl);
150 if (acl == NULL) {
151 return NT_STATUS_NO_MEMORY;
152 }
153 acl->revision = SECURITY_ACL_REVISION_NT4;
154 acl->size = 0;
155 acl->num_aces = 0;
156 acl->aces = NULL;
157 }
158
159 acl->aces = talloc_realloc(acl, acl->aces,
160 struct security_ace, acl->num_aces+1);
161 if (acl->aces == NULL) {
162 return NT_STATUS_NO_MEMORY;
163 }
164
165 acl->aces[acl->num_aces] = *ace;
166
167 switch (acl->aces[acl->num_aces].type) {
168 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
169 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
170 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
171 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
172 acl->revision = SECURITY_ACL_REVISION_ADS;
173 break;
174 default:
175 break;
176 }
177
178 acl->num_aces++;
179
180 if (add_to_sacl) {
181 sd->sacl = acl;
182 sd->type |= SEC_DESC_SACL_PRESENT;
183 } else {
184 sd->dacl = acl;
185 sd->type |= SEC_DESC_DACL_PRESENT;
186 }
187
188 return NT_STATUS_OK;
189 }
190
191 /*
192 add an ACE to the SACL of a security_descriptor
193 */
194
195 NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
196 const struct security_ace *ace)
197 {
198 return security_descriptor_acl_add(sd, true, ace);
199 }
200
201 /*
202 add an ACE to the DACL of a security_descriptor
203 */
204
205 NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
206 const struct security_ace *ace)
207 {
208 return security_descriptor_acl_add(sd, false, ace);
209 }
210
211 /*
212 delete the ACE corresponding to the given trustee in an ACL of a
213 security_descriptor
214 */
215
216 static NTSTATUS security_descriptor_acl_del(struct security_descriptor *sd,
217 bool sacl_del,
218 const struct dom_sid *trustee)
219 {
220 int i;
221 bool found = false;
222 struct security_acl *acl = NULL;
223
224 if (sacl_del) {
225 acl = sd->sacl;
226 } else {
227 acl = sd->dacl;
228 }
229
230 if (acl == NULL) {
231 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
232 }
233
234 /* there can be multiple ace's for one trustee */
235 for (i=0;i<acl->num_aces;i++) {
236 if (dom_sid_equal(trustee, &acl->aces[i].trustee)) {
237 memmove(&acl->aces[i], &acl->aces[i+1],
238 sizeof(acl->aces[i]) * (acl->num_aces - (i+1)));
239 acl->num_aces--;
240 if (acl->num_aces == 0) {
241 acl->aces = NULL;
242 }
243 found = true;
244 }
245 }
246
247 if (!found) {
248 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
249 }
250
251 acl->revision = SECURITY_ACL_REVISION_NT4;
252
253 for (i=0;i<acl->num_aces;i++) {
254 switch (acl->aces[i].type) {
255 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
256 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
257 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
258 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
259 acl->revision = SECURITY_ACL_REVISION_ADS;
260 return NT_STATUS_OK;
261 default:
262 break; /* only for the switch statement */
263 }
264 }
265
266 return NT_STATUS_OK;
267 }
268
269 /*
270 delete the ACE corresponding to the given trustee in the DACL of a
271 security_descriptor
272 */
273
274 NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd,
275 const struct dom_sid *trustee)
276 {
277 return security_descriptor_acl_del(sd, false, trustee);
278 }
279
280 /*
281 delete the ACE corresponding to the given trustee in the SACL of a
282 security_descriptor
283 */
284
285 NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd,
286 const struct dom_sid *trustee)
287 {
288 return security_descriptor_acl_del(sd, true, trustee);
289 }
290
291 /*
292 compare two security ace structures
293 */
294 bool security_ace_equal(const struct security_ace *ace1,
295 const struct security_ace *ace2)
296 {
297 if (ace1 == ace2) return true;
298 if (!ace1 || !ace2) return false;
299 if (ace1->type != ace2->type) return false;
300 if (ace1->flags != ace2->flags) return false;
301 if (ace1->access_mask != ace2->access_mask) return false;
302 if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) return false;
303
304 return true;
305 }
306
307
308 /*
309 compare two security acl structures
310 */
311 bool security_acl_equal(const struct security_acl *acl1,
312 const struct security_acl *acl2)
313 {
314 int i;
315
316 if (acl1 == acl2) return true;
317 if (!acl1 || !acl2) return false;
318 if (acl1->revision != acl2->revision) return false;
319 if (acl1->num_aces != acl2->num_aces) return false;
320
321 for (i=0;i<acl1->num_aces;i++) {
322 if (!security_ace_equal(&acl1->aces[i], &acl2->aces[i])) return false;
323 }
324 return true;
325 }
326
327 /*
328 compare two security descriptors.
329 */
330 bool security_descriptor_equal(const struct security_descriptor *sd1,
331 const struct security_descriptor *sd2)
332 {
333 if (sd1 == sd2) return true;
334 if (!sd1 || !sd2) return false;
335 if (sd1->revision != sd2->revision) return false;
336 if (sd1->type != sd2->type) return false;
337
338 if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
339 if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
340 if (!security_acl_equal(sd1->sacl, sd2->sacl)) return false;
341 if (!security_acl_equal(sd1->dacl, sd2->dacl)) return false;
342
343 return true;
344 }
345
346 /*
347 compare two security descriptors, but allow certain (missing) parts
348 to be masked out of the comparison
349 */
350 bool security_descriptor_mask_equal(const struct security_descriptor *sd1,
351 const struct security_descriptor *sd2,
352 uint32_t mask)
353 {
354 if (sd1 == sd2) return true;
355 if (!sd1 || !sd2) return false;
356 if (sd1->revision != sd2->revision) return false;
357 if ((sd1->type & mask) != (sd2->type & mask)) return false;
358
359 if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
360 if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
361 if ((mask & SEC_DESC_DACL_PRESENT) && !security_acl_equal(sd1->dacl, sd2->dacl)) return false;
362 if ((mask & SEC_DESC_SACL_PRESENT) && !security_acl_equal(sd1->sacl, sd2->sacl)) return false;
363
364 return true;
365 }
366
367
368 static struct security_descriptor *security_descriptor_appendv(struct security_descriptor *sd,
369 bool add_ace_to_sacl,
370 va_list ap)
371 {
372 const char *sidstr;
373
374 while ((sidstr = va_arg(ap, const char *))) {
375 struct dom_sid *sid;
376 struct security_ace *ace = talloc_zero(sd, struct security_ace);
377 NTSTATUS status;
378
379 if (ace == NULL) {
380 talloc_free(sd);
381 return NULL;
382 }
383 ace->type = va_arg(ap, unsigned int);
384 ace->access_mask = va_arg(ap, unsigned int);
385 ace->flags = va_arg(ap, unsigned int);
386 sid = dom_sid_parse_talloc(ace, sidstr);
387 if (sid == NULL) {
388 talloc_free(sd);
389 return NULL;
390 }
391 ace->trustee = *sid;
392 if (add_ace_to_sacl) {
393 status = security_descriptor_sacl_add(sd, ace);
394 } else {
395 status = security_descriptor_dacl_add(sd, ace);
396 }
397 /* TODO: check: would talloc_free(ace) here be correct? */
398 if (!NT_STATUS_IS_OK(status)) {
399 talloc_free(sd);
400 return NULL;
401 }
402 }
403
404 return sd;
405 }
406
407 struct security_descriptor *security_descriptor_append(struct security_descriptor *sd,
408 ...)
409 {
410 va_list ap;
411
412 va_start(ap, sd);
413 sd = security_descriptor_appendv(sd, false, ap);
414 va_end(ap);
415
416 return sd;
417 }
418
419 static struct security_descriptor *security_descriptor_createv(TALLOC_CTX *mem_ctx,
420 uint16_t sd_type,
421 const char *owner_sid,
422 const char *group_sid,
423 bool add_ace_to_sacl,
424 va_list ap)
425 {
426 struct security_descriptor *sd;
427
428 sd = security_descriptor_initialise(mem_ctx);
429 if (sd == NULL) {
430 return NULL;
431 }
432
433 sd->type |= sd_type;
434
435 if (owner_sid) {
436 sd->owner_sid = dom_sid_parse_talloc(sd, owner_sid);
437 if (sd->owner_sid == NULL) {
438 talloc_free(sd);
439 return NULL;
440 }
441 }
442 if (group_sid) {
443 sd->group_sid = dom_sid_parse_talloc(sd, group_sid);
444 if (sd->group_sid == NULL) {
445 talloc_free(sd);
446 return NULL;
447 }
448 }
449
450 return security_descriptor_appendv(sd, add_ace_to_sacl, ap);
451 }
452
453 /*
454 create a security descriptor using string SIDs. This is used by the
455 torture code to allow the easy creation of complex ACLs
456 This is a varargs function. The list of DACL ACEs ends with a NULL sid.
457
458 Each ACE contains a set of 4 parameters:
459 SID, ACCESS_TYPE, MASK, FLAGS
460
461 a typical call would be:
462
463 sd = security_descriptor_dacl_create(mem_ctx,
464 sd_type_flags,
465 mysid,
466 mygroup,
467 SID_NT_AUTHENTICATED_USERS,
468 SEC_ACE_TYPE_ACCESS_ALLOWED,
469 SEC_FILE_ALL,
470 SEC_ACE_FLAG_OBJECT_INHERIT,
471 NULL);
472 that would create a sd with one DACL ACE
473 */
474
475 struct security_descriptor *security_descriptor_dacl_create(TALLOC_CTX *mem_ctx,
476 uint16_t sd_type,
477 const char *owner_sid,
478 const char *group_sid,
479 ...)
480 {
481 struct security_descriptor *sd = NULL;
482 va_list ap;
483 va_start(ap, group_sid);
484 sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid,
485 group_sid, false, ap);
486 va_end(ap);
487
488 return sd;
489 }
490
491 struct security_descriptor *security_descriptor_sacl_create(TALLOC_CTX *mem_ctx,
492 uint16_t sd_type,
493 const char *owner_sid,
494 const char *group_sid,
495 ...)
496 {
497 struct security_descriptor *sd = NULL;
498 va_list ap;
499 va_start(ap, group_sid);
500 sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid,
501 group_sid, true, ap);
502 va_end(ap);
503
504 return sd;
505 }
506
507 struct security_ace *security_ace_create(TALLOC_CTX *mem_ctx,
508 const char *sid_str,
509 enum security_ace_type type,
510 uint32_t access_mask,
511 uint8_t flags)
512
513 {
514 struct dom_sid *sid;
515 struct security_ace *ace;
516
517 ace = talloc_zero(mem_ctx, struct security_ace);
518 if (ace == NULL) {
519 return NULL;
520 }
521
522 sid = dom_sid_parse_talloc(ace, sid_str);
523 if (sid == NULL) {
524 talloc_free(ace);
525 return NULL;
526 }
527
528 ace->trustee = *sid;
529 ace->type = type;
530 ace->access_mask = access_mask;
531 ace->flags = flags;
532
533 return ace;
534 }
aatanasov's samba4 branch