1 /*
2 Unix SMB/CIFS implementation.
3
4 security descriptror utility functions
5
6 Copyright (C) Andrew Tridgell 2004
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "libcli/security/security.h"
24
25 /*
26 return a blank security descriptor (no owners, dacl or sacl)
27 */
security_descriptor_initialise(TALLOC_CTX * mem_ctx)28 struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx)
29 {
30 struct security_descriptor *sd;
31
32 sd = talloc(mem_ctx, struct security_descriptor);
33 if (!sd) {
34 return NULL;
35 }
36
37 sd->revision = SD_REVISION;
38 /* we mark as self relative, even though it isn't while it remains
39 a pointer in memory because this simplifies the ndr code later.
40 All SDs that we store/emit are in fact SELF_RELATIVE
41 */
42 sd->type = SEC_DESC_SELF_RELATIVE;
43
44 sd->owner_sid = NULL;
45 sd->group_sid = NULL;
46 sd->sacl = NULL;
47 sd->dacl = NULL;
48
49 return sd;
50 }
51
security_acl_dup(TALLOC_CTX * mem_ctx,const struct security_acl * oacl)52 struct security_acl *security_acl_dup(TALLOC_CTX *mem_ctx,
53 const struct security_acl *oacl)
54 {
55 struct security_acl *nacl;
56
57 if (oacl == NULL) {
58 return NULL;
59 }
60
61 if (oacl->aces == NULL && oacl->num_aces > 0) {
62 return NULL;
63 }
64
65 nacl = talloc (mem_ctx, struct security_acl);
66 if (nacl == NULL) {
67 return NULL;
68 }
69
70 *nacl = (struct security_acl) {
71 .revision = oacl->revision,
72 .size = oacl->size,
73 .num_aces = oacl->num_aces,
74 };
75 if (nacl->num_aces == 0) {
76 return nacl;
77 }
78
79 nacl->aces = (struct security_ace *)talloc_memdup (nacl, oacl->aces, sizeof(struct security_ace) * oacl->num_aces);
80 if (nacl->aces == NULL) {
81 goto failed;
82 }
83
84 return nacl;
85
86 failed:
87 talloc_free (nacl);
88 return NULL;
89
90 }
91
security_acl_concatenate(TALLOC_CTX * mem_ctx,const struct security_acl * acl1,const struct security_acl * acl2)92 struct security_acl *security_acl_concatenate(TALLOC_CTX *mem_ctx,
93 const struct security_acl *acl1,
94 const struct security_acl *acl2)
95 {
96 struct security_acl *nacl;
97 uint32_t i;
98
99 if (!acl1 && !acl2)
100 return NULL;
101
102 if (!acl1){
103 nacl = security_acl_dup(mem_ctx, acl2);
104 return nacl;
105 }
106
107 if (!acl2){
108 nacl = security_acl_dup(mem_ctx, acl1);
109 return nacl;
110 }
111
112 nacl = talloc (mem_ctx, struct security_acl);
113 if (nacl == NULL) {
114 return NULL;
115 }
116
117 nacl->revision = acl1->revision;
118 nacl->size = acl1->size + acl2->size;
119 nacl->num_aces = acl1->num_aces + acl2->num_aces;
120
121 if (nacl->num_aces == 0)
122 return nacl;
123
124 nacl->aces = (struct security_ace *)talloc_array (mem_ctx, struct security_ace, acl1->num_aces+acl2->num_aces);
125 if ((nacl->aces == NULL) && (nacl->num_aces > 0)) {
126 goto failed;
127 }
128
129 for (i = 0; i < acl1->num_aces; i++)
130 nacl->aces[i] = acl1->aces[i];
131 for (i = 0; i < acl2->num_aces; i++)
132 nacl->aces[i + acl1->num_aces] = acl2->aces[i];
133
134 return nacl;
135
136 failed:
137 talloc_free (nacl);
138 return NULL;
139
140 }
141
142 /*
143 talloc and copy a security descriptor
144 */
security_descriptor_copy(TALLOC_CTX * mem_ctx,const struct security_descriptor * osd)145 struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx,
146 const struct security_descriptor *osd)
147 {
148 struct security_descriptor *nsd;
149
150 nsd = talloc_zero(mem_ctx, struct security_descriptor);
151 if (!nsd) {
152 return NULL;
153 }
154
155 if (osd->owner_sid) {
156 nsd->owner_sid = dom_sid_dup(nsd, osd->owner_sid);
157 if (nsd->owner_sid == NULL) {
158 goto failed;
159 }
160 }
161
162 if (osd->group_sid) {
163 nsd->group_sid = dom_sid_dup(nsd, osd->group_sid);
164 if (nsd->group_sid == NULL) {
165 goto failed;
166 }
167 }
168
169 if (osd->sacl) {
170 nsd->sacl = security_acl_dup(nsd, osd->sacl);
171 if (nsd->sacl == NULL) {
172 goto failed;
173 }
174 }
175
176 if (osd->dacl) {
177 nsd->dacl = security_acl_dup(nsd, osd->dacl);
178 if (nsd->dacl == NULL) {
179 goto failed;
180 }
181 }
182
183 nsd->revision = osd->revision;
184 nsd->type = osd->type;
185
186 return nsd;
187
188 failed:
189 talloc_free(nsd);
190
191 return NULL;
192 }
193
security_descriptor_for_client(TALLOC_CTX * mem_ctx,const struct security_descriptor * ssd,uint32_t sec_info,uint32_t access_granted,struct security_descriptor ** _csd)194 NTSTATUS security_descriptor_for_client(TALLOC_CTX *mem_ctx,
195 const struct security_descriptor *ssd,
196 uint32_t sec_info,
197 uint32_t access_granted,
198 struct security_descriptor **_csd)
199 {
200 struct security_descriptor *csd = NULL;
201 uint32_t access_required = 0;
202
203 *_csd = NULL;
204
205 if (sec_info & (SECINFO_OWNER|SECINFO_GROUP)) {
206 access_required |= SEC_STD_READ_CONTROL;
207 }
208 if (sec_info & SECINFO_DACL) {
209 access_required |= SEC_STD_READ_CONTROL;
210 }
211 if (sec_info & SECINFO_SACL) {
212 access_required |= SEC_FLAG_SYSTEM_SECURITY;
213 }
214
215 if (access_required & (~access_granted)) {
216 return NT_STATUS_ACCESS_DENIED;
217 }
218
219 /*
220 * make a copy...
221 */
222 csd = security_descriptor_copy(mem_ctx, ssd);
223 if (csd == NULL) {
224 return NT_STATUS_NO_MEMORY;
225 }
226
227 /*
228 * ... and remove everthing not wanted
229 */
230
231 if (!(sec_info & SECINFO_OWNER)) {
232 TALLOC_FREE(csd->owner_sid);
233 csd->type &= ~SEC_DESC_OWNER_DEFAULTED;
234 }
235 if (!(sec_info & SECINFO_GROUP)) {
236 TALLOC_FREE(csd->group_sid);
237 csd->type &= ~SEC_DESC_GROUP_DEFAULTED;
238 }
239 if (!(sec_info & SECINFO_DACL)) {
240 TALLOC_FREE(csd->dacl);
241 csd->type &= ~(
242 SEC_DESC_DACL_PRESENT |
243 SEC_DESC_DACL_DEFAULTED|
244 SEC_DESC_DACL_AUTO_INHERIT_REQ |
245 SEC_DESC_DACL_AUTO_INHERITED |
246 SEC_DESC_DACL_PROTECTED |
247 SEC_DESC_DACL_TRUSTED);
248 }
249 if (!(sec_info & SECINFO_SACL)) {
250 TALLOC_FREE(csd->sacl);
251 csd->type &= ~(
252 SEC_DESC_SACL_PRESENT |
253 SEC_DESC_SACL_DEFAULTED |
254 SEC_DESC_SACL_AUTO_INHERIT_REQ |
255 SEC_DESC_SACL_AUTO_INHERITED |
256 SEC_DESC_SACL_PROTECTED |
257 SEC_DESC_SERVER_SECURITY);
258 }
259
260 *_csd = csd;
261 return NT_STATUS_OK;
262 }
263
264 /*
265 add an ACE to an ACL of a security_descriptor
266 */
267
security_descriptor_acl_add(struct security_descriptor * sd,bool add_to_sacl,const struct security_ace * ace)268 static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
269 bool add_to_sacl,
270 const struct security_ace *ace)
271 {
272 struct security_acl *acl = NULL;
273
274 if (add_to_sacl) {
275 acl = sd->sacl;
276 } else {
277 acl = sd->dacl;
278 }
279
280 if (acl == NULL) {
281 acl = talloc(sd, struct security_acl);
282 if (acl == NULL) {
283 return NT_STATUS_NO_MEMORY;
284 }
285 acl->revision = SECURITY_ACL_REVISION_NT4;
286 acl->size = 0;
287 acl->num_aces = 0;
288 acl->aces = NULL;
289 }
290
291 acl->aces = talloc_realloc(acl, acl->aces,
292 struct security_ace, acl->num_aces+1);
293 if (acl->aces == NULL) {
294 return NT_STATUS_NO_MEMORY;
295 }
296
297 acl->aces[acl->num_aces] = *ace;
298
299 switch (acl->aces[acl->num_aces].type) {
300 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
301 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
302 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
303 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
304 acl->revision = SECURITY_ACL_REVISION_ADS;
305 break;
306 default:
307 break;
308 }
309
310 acl->num_aces++;
311
312 if (add_to_sacl) {
313 sd->sacl = acl;
314 sd->type |= SEC_DESC_SACL_PRESENT;
315 } else {
316 sd->dacl = acl;
317 sd->type |= SEC_DESC_DACL_PRESENT;
318 }
319
320 return NT_STATUS_OK;
321 }
322
323 /*
324 add an ACE to the SACL of a security_descriptor
325 */
326
security_descriptor_sacl_add(struct security_descriptor * sd,const struct security_ace * ace)327 NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
328 const struct security_ace *ace)
329 {
330 return security_descriptor_acl_add(sd, true, ace);
331 }
332
333 /*
334 add an ACE to the DACL of a security_descriptor
335 */
336
security_descriptor_dacl_add(struct security_descriptor * sd,const struct security_ace * ace)337 NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
338 const struct security_ace *ace)
339 {
340 return security_descriptor_acl_add(sd, false, ace);
341 }
342
343 /*
344 delete the ACE corresponding to the given trustee in an ACL of a
345 security_descriptor
346 */
347
security_descriptor_acl_del(struct security_descriptor * sd,bool sacl_del,const struct dom_sid * trustee)348 static NTSTATUS security_descriptor_acl_del(struct security_descriptor *sd,
349 bool sacl_del,
350 const struct dom_sid *trustee)
351 {
352 uint32_t i;
353 bool found = false;
354 struct security_acl *acl = NULL;
355
356 if (sacl_del) {
357 acl = sd->sacl;
358 } else {
359 acl = sd->dacl;
360 }
361
362 if (acl == NULL) {
363 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
364 }
365
366 /* there can be multiple ace's for one trustee */
367 for (i=0;i<acl->num_aces;i++) {
368 if (dom_sid_equal(trustee, &acl->aces[i].trustee)) {
369 memmove(&acl->aces[i], &acl->aces[i+1],
370 sizeof(acl->aces[i]) * (acl->num_aces - (i+1)));
371 acl->num_aces--;
372 if (acl->num_aces == 0) {
373 acl->aces = NULL;
374 }
375 found = true;
376 }
377 }
378
379 if (!found) {
380 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
381 }
382
383 acl->revision = SECURITY_ACL_REVISION_NT4;
384
385 for (i=0;i<acl->num_aces;i++) {
386 switch (acl->aces[i].type) {
387 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
388 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
389 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
390 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
391 acl->revision = SECURITY_ACL_REVISION_ADS;
392 return NT_STATUS_OK;
393 default:
394 break; /* only for the switch statement */
395 }
396 }
397
398 return NT_STATUS_OK;
399 }
400
401 /*
402 delete the ACE corresponding to the given trustee in the DACL of a
403 security_descriptor
404 */
405
security_descriptor_dacl_del(struct security_descriptor * sd,const struct dom_sid * trustee)406 NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd,
407 const struct dom_sid *trustee)
408 {
409 return security_descriptor_acl_del(sd, false, trustee);
410 }
411
412 /*
413 delete the ACE corresponding to the given trustee in the SACL of a
414 security_descriptor
415 */
416
security_descriptor_sacl_del(struct security_descriptor * sd,const struct dom_sid * trustee)417 NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd,
418 const struct dom_sid *trustee)
419 {
420 return security_descriptor_acl_del(sd, true, trustee);
421 }
422
423 /*
424 compare two security ace structures
425 */
security_ace_equal(const struct security_ace * ace1,const struct security_ace * ace2)426 bool security_ace_equal(const struct security_ace *ace1,
427 const struct security_ace *ace2)
428 {
429 if (ace1 == ace2) {
430 return true;
431 }
432 if ((ace1 == NULL) || (ace2 == NULL)) {
433 return false;
434 }
435 if (ace1->type != ace2->type) {
436 return false;
437 }
438 if (ace1->flags != ace2->flags) {
439 return false;
440 }
441 if (ace1->access_mask != ace2->access_mask) {
442 return false;
443 }
444 if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) {
445 return false;
446 }
447
448 return true;
449 }
450
451
452 /*
453 compare two security acl structures
454 */
security_acl_equal(const struct security_acl * acl1,const struct security_acl * acl2)455 bool security_acl_equal(const struct security_acl *acl1,
456 const struct security_acl *acl2)
457 {
458 uint32_t i;
459
460 if (acl1 == acl2) return true;
461 if (!acl1 || !acl2) return false;
462 if (acl1->revision != acl2->revision) return false;
463 if (acl1->num_aces != acl2->num_aces) return false;
464
465 for (i=0;i<acl1->num_aces;i++) {
466 if (!security_ace_equal(&acl1->aces[i], &acl2->aces[i])) return false;
467 }
468 return true;
469 }
470
471 /*
472 compare two security descriptors.
473 */
security_descriptor_equal(const struct security_descriptor * sd1,const struct security_descriptor * sd2)474 bool security_descriptor_equal(const struct security_descriptor *sd1,
475 const struct security_descriptor *sd2)
476 {
477 if (sd1 == sd2) return true;
478 if (!sd1 || !sd2) return false;
479 if (sd1->revision != sd2->revision) return false;
480 if (sd1->type != sd2->type) return false;
481
482 if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
483 if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
484 if (!security_acl_equal(sd1->sacl, sd2->sacl)) return false;
485 if (!security_acl_equal(sd1->dacl, sd2->dacl)) return false;
486
487 return true;
488 }
489
490 /*
491 compare two security descriptors, but allow certain (missing) parts
492 to be masked out of the comparison
493 */
security_descriptor_mask_equal(const struct security_descriptor * sd1,const struct security_descriptor * sd2,uint32_t mask)494 bool security_descriptor_mask_equal(const struct security_descriptor *sd1,
495 const struct security_descriptor *sd2,
496 uint32_t mask)
497 {
498 if (sd1 == sd2) return true;
499 if (!sd1 || !sd2) return false;
500 if (sd1->revision != sd2->revision) return false;
501 if ((sd1->type & mask) != (sd2->type & mask)) return false;
502
503 if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
504 if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
505 if ((mask & SEC_DESC_DACL_PRESENT) && !security_acl_equal(sd1->dacl, sd2->dacl)) return false;
506 if ((mask & SEC_DESC_SACL_PRESENT) && !security_acl_equal(sd1->sacl, sd2->sacl)) return false;
507
508 return true;
509 }
510
511
security_descriptor_appendv(struct security_descriptor * sd,bool add_ace_to_sacl,va_list ap)512 static struct security_descriptor *security_descriptor_appendv(struct security_descriptor *sd,
513 bool add_ace_to_sacl,
514 va_list ap)
515 {
516 const char *sidstr;
517
518 while ((sidstr = va_arg(ap, const char *))) {
519 struct dom_sid *sid;
520 struct security_ace *ace = talloc_zero(sd, struct security_ace);
521 NTSTATUS status;
522
523 if (ace == NULL) {
524 talloc_free(sd);
525 return NULL;
526 }
527 ace->type = va_arg(ap, unsigned int);
528 ace->access_mask = va_arg(ap, unsigned int);
529 ace->flags = va_arg(ap, unsigned int);
530 sid = dom_sid_parse_talloc(ace, sidstr);
531 if (sid == NULL) {
532 talloc_free(sd);
533 return NULL;
534 }
535 ace->trustee = *sid;
536 if (add_ace_to_sacl) {
537 status = security_descriptor_sacl_add(sd, ace);
538 } else {
539 status = security_descriptor_dacl_add(sd, ace);
540 }
541 /* TODO: check: would talloc_free(ace) here be correct? */
542 if (!NT_STATUS_IS_OK(status)) {
543 talloc_free(sd);
544 return NULL;
545 }
546 }
547
548 return sd;
549 }
550
security_descriptor_append(struct security_descriptor * sd,...)551 struct security_descriptor *security_descriptor_append(struct security_descriptor *sd,
552 ...)
553 {
554 va_list ap;
555
556 va_start(ap, sd);
557 sd = security_descriptor_appendv(sd, false, ap);
558 va_end(ap);
559
560 return sd;
561 }
562
security_descriptor_createv(TALLOC_CTX * mem_ctx,uint16_t sd_type,const char * owner_sid,const char * group_sid,bool add_ace_to_sacl,va_list ap)563 static struct security_descriptor *security_descriptor_createv(TALLOC_CTX *mem_ctx,
564 uint16_t sd_type,
565 const char *owner_sid,
566 const char *group_sid,
567 bool add_ace_to_sacl,
568 va_list ap)
569 {
570 struct security_descriptor *sd;
571
572 sd = security_descriptor_initialise(mem_ctx);
573 if (sd == NULL) {
574 return NULL;
575 }
576
577 sd->type |= sd_type;
578
579 if (owner_sid) {
580 sd->owner_sid = dom_sid_parse_talloc(sd, owner_sid);
581 if (sd->owner_sid == NULL) {
582 talloc_free(sd);
583 return NULL;
584 }
585 }
586 if (group_sid) {
587 sd->group_sid = dom_sid_parse_talloc(sd, group_sid);
588 if (sd->group_sid == NULL) {
589 talloc_free(sd);
590 return NULL;
591 }
592 }
593
594 return security_descriptor_appendv(sd, add_ace_to_sacl, ap);
595 }
596
597 /*
598 create a security descriptor using string SIDs. This is used by the
599 torture code to allow the easy creation of complex ACLs
600 This is a varargs function. The list of DACL ACEs ends with a NULL sid.
601
602 Each ACE contains a set of 4 parameters:
603 SID, ACCESS_TYPE, MASK, FLAGS
604
605 a typical call would be:
606
607 sd = security_descriptor_dacl_create(mem_ctx,
608 sd_type_flags,
609 mysid,
610 mygroup,
611 SID_NT_AUTHENTICATED_USERS,
612 SEC_ACE_TYPE_ACCESS_ALLOWED,
613 SEC_FILE_ALL,
614 SEC_ACE_FLAG_OBJECT_INHERIT,
615 NULL);
616 that would create a sd with one DACL ACE
617 */
618
security_descriptor_dacl_create(TALLOC_CTX * mem_ctx,uint16_t sd_type,const char * owner_sid,const char * group_sid,...)619 struct security_descriptor *security_descriptor_dacl_create(TALLOC_CTX *mem_ctx,
620 uint16_t sd_type,
621 const char *owner_sid,
622 const char *group_sid,
623 ...)
624 {
625 struct security_descriptor *sd = NULL;
626 va_list ap;
627 va_start(ap, group_sid);
628 sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid,
629 group_sid, false, ap);
630 va_end(ap);
631
632 return sd;
633 }
634
security_descriptor_sacl_create(TALLOC_CTX * mem_ctx,uint16_t sd_type,const char * owner_sid,const char * group_sid,...)635 struct security_descriptor *security_descriptor_sacl_create(TALLOC_CTX *mem_ctx,
636 uint16_t sd_type,
637 const char *owner_sid,
638 const char *group_sid,
639 ...)
640 {
641 struct security_descriptor *sd = NULL;
642 va_list ap;
643 va_start(ap, group_sid);
644 sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid,
645 group_sid, true, ap);
646 va_end(ap);
647
648 return sd;
649 }
650
security_ace_create(TALLOC_CTX * mem_ctx,const char * sid_str,enum security_ace_type type,uint32_t access_mask,uint8_t flags)651 struct security_ace *security_ace_create(TALLOC_CTX *mem_ctx,
652 const char *sid_str,
653 enum security_ace_type type,
654 uint32_t access_mask,
655 uint8_t flags)
656
657 {
658 struct security_ace *ace;
659 bool ok;
660
661 ace = talloc_zero(mem_ctx, struct security_ace);
662 if (ace == NULL) {
663 return NULL;
664 }
665
666 ok = dom_sid_parse(sid_str, &ace->trustee);
667 if (!ok) {
668 talloc_free(ace);
669 return NULL;
670 }
671 ace->type = type;
672 ace->access_mask = access_mask;
673 ace->flags = flags;
674
675 return ace;
676 }
677
678 /*******************************************************************
679 Check for MS NFS ACEs in a sd
680 *******************************************************************/
security_descriptor_with_ms_nfs(const struct security_descriptor * psd)681 bool security_descriptor_with_ms_nfs(const struct security_descriptor *psd)
682 {
683 int i;
684
685 if (psd->dacl == NULL) {
686 return false;
687 }
688
689 for (i = 0; i < psd->dacl->num_aces; i++) {
690 if (dom_sid_compare_domain(
691 &global_sid_Unix_NFS,
692 &psd->dacl->aces[i].trustee) == 0) {
693 return true;
694 }
695 }
696
697 return false;
698 }
699