#ifndef _DOM_SID_H_
#define _DOM_SID_H_
+#include "librpc/gen_ndr/security.h"
+
int dom_sid_compare(const struct dom_sid *sid1, const struct dom_sid *sid2);
bool dom_sid_equal(const struct dom_sid *sid1, const struct dom_sid *sid2);
bool dom_sid_parse(const char *sidstr, struct dom_sid *ret);
/*
* Unix SMB/Netbios implementation.
- * SEC_ACE handling functions
+ * struct security_ace handling functions
* Copyright (C) Andrew Tridgell 1992-1998,
* Copyright (C) Jeremy R. Allison 1995-2003.
* Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
*/
#include "includes.h"
+#include "librpc/gen_ndr/ndr_security.h"
+#include "libcli/security/security.h"
-/*******************************************************************
- Check if ACE has OBJECT type.
-********************************************************************/
+#define SEC_ACE_HEADER_SIZE (2 * sizeof(uint8_t) + sizeof(uint16_t) + sizeof(uint32_t))
-bool sec_ace_object(uint8 type)
+/**
+ * Check if ACE has OBJECT type.
+ */
+bool sec_ace_object(uint8_t type)
{
if (type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT ||
type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT ||
type == SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT) {
- return True;
+ return true;
}
- return False;
+ return false;
}
-/*******************************************************************
- copy a SEC_ACE structure.
-********************************************************************/
-void sec_ace_copy(SEC_ACE *ace_dest, SEC_ACE *ace_src)
+/**
+ * copy a struct security_ace structure.
+ */
+void sec_ace_copy(struct security_ace *ace_dest, struct security_ace *ace_src)
{
ace_dest->type = ace_src->type;
ace_dest->flags = ace_src->flags;
ace_dest->size = ace_src->size;
ace_dest->access_mask = ace_src->access_mask;
ace_dest->object = ace_src->object;
- sid_copy(&ace_dest->trustee, &ace_src->trustee);
+ ace_dest->trustee = ace_src->trustee;
}
/*******************************************************************
- Sets up a SEC_ACE structure.
+ Sets up a struct security_ace structure.
********************************************************************/
-void init_sec_ace(SEC_ACE *t, const DOM_SID *sid, enum security_ace_type type,
- uint32_t mask, uint8 flag)
+void init_sec_ace(struct security_ace *t, const struct dom_sid *sid, enum security_ace_type type,
+ uint32_t mask, uint8_t flag)
{
t->type = type;
t->flags = flag;
t->size = ndr_size_dom_sid(sid, NULL, 0) + 8;
t->access_mask = mask;
- ZERO_STRUCTP(&t->trustee);
- sid_copy(&t->trustee, sid);
+ t->trustee = *sid;
}
/*******************************************************************
adds new SID with its permissions to ACE list
********************************************************************/
-NTSTATUS sec_ace_add_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, unsigned *num, DOM_SID *sid, uint32 mask)
+NTSTATUS sec_ace_add_sid(TALLOC_CTX *ctx, struct security_ace **pp_new, struct security_ace *old, unsigned *num, struct dom_sid *sid, uint32_t mask)
{
unsigned int i = 0;
*num += 1;
- if((pp_new[0] = TALLOC_ZERO_ARRAY(ctx, SEC_ACE, *num )) == 0)
+ if((pp_new[0] = talloc_zero_array(ctx, struct security_ace, *num )) == 0)
return NT_STATUS_NO_MEMORY;
for (i = 0; i < *num - 1; i ++)
(*pp_new)[i].flags = 0;
(*pp_new)[i].size = SEC_ACE_HEADER_SIZE + ndr_size_dom_sid(sid, NULL, 0);
(*pp_new)[i].access_mask = mask;
- sid_copy(&(*pp_new)[i].trustee, sid);
+ (*pp_new)[i].trustee = *sid;
return NT_STATUS_OK;
}
modify SID's permissions at ACL
********************************************************************/
-NTSTATUS sec_ace_mod_sid(SEC_ACE *ace, size_t num, DOM_SID *sid, uint32 mask)
+NTSTATUS sec_ace_mod_sid(struct security_ace *ace, size_t num, struct dom_sid *sid, uint32_t mask)
{
unsigned int i = 0;
if (!ace || !sid) return NT_STATUS_INVALID_PARAMETER;
for (i = 0; i < num; i ++) {
- if (sid_compare(&ace[i].trustee, sid) == 0) {
+ if (dom_sid_equal(&ace[i].trustee, sid)) {
ace[i].access_mask = mask;
return NT_STATUS_OK;
}
delete SID from ACL
********************************************************************/
-NTSTATUS sec_ace_del_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, uint32 *num, DOM_SID *sid)
+NTSTATUS sec_ace_del_sid(TALLOC_CTX *ctx, struct security_ace **pp_new, struct security_ace *old, uint32_t *num, struct dom_sid *sid)
{
unsigned int i = 0;
unsigned int n_del = 0;
if (!ctx || !pp_new || !old || !sid || !num) return NT_STATUS_INVALID_PARAMETER;
if (*num) {
- if((pp_new[0] = TALLOC_ZERO_ARRAY(ctx, SEC_ACE, *num )) == 0)
+ if((pp_new[0] = talloc_zero_array(ctx, struct security_ace, *num )) == 0)
return NT_STATUS_NO_MEMORY;
} else {
pp_new[0] = NULL;
}
for (i = 0; i < *num; i ++) {
- if (sid_compare(&old[i].trustee, sid) != 0)
+ if (!dom_sid_equal(&old[i].trustee, sid))
sec_ace_copy(&(*pp_new)[i], &old[i]);
else
n_del ++;
}
/*******************************************************************
- Compares two SEC_ACE structures
+ Compares two struct security_ace structures
********************************************************************/
-bool sec_ace_equal(SEC_ACE *s1, SEC_ACE *s2)
+bool sec_ace_equal(struct security_ace *s1, struct security_ace *s2)
{
/* Trivial case */
if (!s1 && !s2) {
- return True;
+ return true;
}
if (!s1 || !s2) {
- return False;
+ return false;
}
/* Check top level stuff */
if (s1->type != s2->type || s1->flags != s2->flags ||
s1->access_mask != s2->access_mask) {
- return False;
+ return false;
}
/* Check SID */
- if (!sid_equal(&s1->trustee, &s2->trustee)) {
- return False;
+ if (!dom_sid_equal(&s1->trustee, &s2->trustee)) {
+ return false;
}
- return True;
+ return true;
}
-int nt_ace_inherit_comp( SEC_ACE *a1, SEC_ACE *a2)
+int nt_ace_inherit_comp( struct security_ace *a1, struct security_ace *a2)
{
int a1_inh = a1->flags & SEC_ACE_FLAG_INHERITED_ACE;
int a2_inh = a2->flags & SEC_ACE_FLAG_INHERITED_ACE;
Comparison function to apply the order explained below in a group.
*******************************************************************/
-int nt_ace_canon_comp( SEC_ACE *a1, SEC_ACE *a2)
+int nt_ace_canon_comp( struct security_ace *a1, struct security_ace *a2)
{
if ((a1->type == SEC_ACE_TYPE_ACCESS_DENIED) &&
(a2->type != SEC_ACE_TYPE_ACCESS_DENIED))
********************************************************************/
-void dacl_sort_into_canonical_order(SEC_ACE *srclist, unsigned int num_aces)
+void dacl_sort_into_canonical_order(struct security_ace *srclist, unsigned int num_aces)
{
unsigned int i;
/* Find the boundary between non-inherited ACEs. */
for (i = 0; i < num_aces; i++ ) {
- SEC_ACE *curr_ace = &srclist[i];
+ struct security_ace *curr_ace = &srclist[i];
if (curr_ace->flags & SEC_ACE_FLAG_INHERITED_ACE)
break;
qsort( &srclist[i], num_aces - i, sizeof(srclist[0]), QSORT_CAST nt_ace_canon_comp);
}
-/*******************************************************************
- Check if this ACE has a SID in common with the token.
-********************************************************************/
-
-bool token_sid_in_ace(const NT_USER_TOKEN *token, const SEC_ACE *ace)
-{
- size_t i;
- for (i = 0; i < token->num_sids; i++) {
- if (sid_equal(&ace->trustee, &token->user_sids[i]))
- return True;
- }
-
- return False;
-}
--- /dev/null
+/*
+ Unix SMB/CIFS implementation.
+ Samba utility functions
+
+ Copyright (C) 2009 Jelmer Vernooij <jelmer@samba.org>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _ACE_H_
+#define _ACE_H_
+
+#include "librpc/gen_ndr/security.h"
+
+bool sec_ace_object(uint8_t type);
+void sec_ace_copy(struct security_ace *ace_dest, struct security_ace *ace_src);
+void init_sec_ace(struct security_ace *t, const struct dom_sid *sid, enum security_ace_type type,
+ uint32_t mask, uint8_t flag);
+NTSTATUS sec_ace_add_sid(TALLOC_CTX *ctx, struct security_ace **pp_new, struct security_ace *old, unsigned *num, struct dom_sid *sid, uint32_t mask);
+NTSTATUS sec_ace_mod_sid(struct security_ace *ace, size_t num, struct dom_sid *sid, uint32_t mask);
+NTSTATUS sec_ace_del_sid(TALLOC_CTX *ctx, struct security_ace **pp_new, struct security_ace *old, uint32_t *num, struct dom_sid *sid);
+bool sec_ace_equal(struct security_ace *s1, struct security_ace *s2);
+int nt_ace_inherit_comp( struct security_ace *a1, struct security_ace *a2);
+int nt_ace_canon_comp( struct security_ace *a1, struct security_ace *a2);
+void dacl_sort_into_canonical_order(struct security_ace *srclist, unsigned int num_aces);
+
+#endif /*_ACE_H_*/
+
*/
#include "includes.h"
+#include "libcli/security/security.h"
+
+#define SEC_ACL_HEADER_SIZE (2 * sizeof(uint16_t) + sizeof(uint32_t))
/*******************************************************************
Create a SEC_ACL structure.
********************************************************************/
-SEC_ACL *make_sec_acl(TALLOC_CTX *ctx, enum security_acl_revision revision,
- int num_aces, SEC_ACE *ace_list)
+struct security_acl *make_sec_acl(TALLOC_CTX *ctx,
+ enum security_acl_revision revision,
+ int num_aces, struct security_ace *ace_list)
{
- SEC_ACL *dst;
+ struct security_acl *dst;
int i;
- if((dst = TALLOC_ZERO_P(ctx,SEC_ACL)) == NULL)
+ if((dst = talloc_zero(ctx, struct security_acl)) == NULL)
return NULL;
dst->revision = revision;
positive number. */
if ((num_aces) &&
- ((dst->aces = TALLOC_ARRAY(ctx, SEC_ACE, num_aces))
+ ((dst->aces = talloc_array(ctx, struct security_ace, num_aces))
== NULL)) {
return NULL;
}
Duplicate a SEC_ACL structure.
********************************************************************/
-SEC_ACL *dup_sec_acl(TALLOC_CTX *ctx, SEC_ACL *src)
+struct security_acl *dup_sec_acl(TALLOC_CTX *ctx, struct security_acl *src)
{
if(src == NULL)
return NULL;
Compares two SEC_ACL structures
********************************************************************/
-bool sec_acl_equal(SEC_ACL *s1, SEC_ACL *s2)
+bool sec_acl_equal(struct security_acl *s1, struct security_acl *s2)
{
unsigned int i, j;
/* Trivial cases */
- if (!s1 && !s2) return True;
- if (!s1 || !s2) return False;
+ if (!s1 && !s2) return true;
+ if (!s1 || !s2) return false;
/* Check top level stuff */
if (s1->revision != s2->revision) {
DEBUG(10, ("sec_acl_equal(): revision differs (%d != %d)\n",
s1->revision, s2->revision));
- return False;
+ return false;
}
if (s1->num_aces != s2->num_aces) {
DEBUG(10, ("sec_acl_equal(): num_aces differs (%d != %d)\n",
s1->revision, s2->revision));
- return False;
+ return false;
}
/* The ACEs could be in any order so check each ACE in s1 against
each ACE in s2. */
for (i = 0; i < s1->num_aces; i++) {
- bool found = False;
+ bool found = false;
for (j = 0; j < s2->num_aces; j++) {
if (sec_ace_equal(&s1->aces[i], &s2->aces[j])) {
- found = True;
+ found = true;
break;
}
}
- if (!found) return False;
+ if (!found) return false;
}
- return True;
+ return true;
}
--- /dev/null
+/*
+ Unix SMB/CIFS implementation.
+ Samba utility functions
+
+ Copyright (C) 2009 Jelmer Vernooij <jelmer@samba.org>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _SECACL_H_
+#define _SECACL_H_
+
+#include "librpc/gen_ndr/security.h"
+
+struct security_acl *make_sec_acl(TALLOC_CTX *ctx, enum security_acl_revision revision,
+ int num_aces, struct security_ace *ace_list);
+struct security_acl *dup_sec_acl(TALLOC_CTX *ctx, struct security_acl *src);
+bool sec_acl_equal(struct security_acl *s1, struct security_acl *s2);
+
+
+#endif /*_SECACL_H_*/
+
lib/conn_tdb.o lib/adt_tree.o lib/gencache.o \
lib/module.o lib/events.o @LIBTEVENT_OBJ0@ \
lib/ldap_escape.o @CHARSET_STATIC@ \
- lib/secdesc.o lib/util_seaccess.o lib/secace.o lib/secacl.o \
+ lib/secdesc.o lib/util_seaccess.o ../libcli/security/secace.o \
+ ../libcli/security/secacl.o \
libads/krb5_errs.o lib/system_smbd.o lib/audit.o $(LIBNDR_OBJ) \
lib/file_id.o lib/idmap_cache.o \
../libcli/security/dom_sid.o
#include "trans2.h"
#include "../libcli/util/error.h"
#include "ntioctl.h"
-#include "../lib/util/charset/charset.h"
+#include "charset.h"
#include "dynconfig.h"
#include "util_getent.h"
#include "debugparse.h"
#ifndef NO_PROTO_H
#include "proto.h"
#endif
+#include "libcli/security/secace.h"
+#include "libcli/security/secacl.h"
#if defined(HAVE_POSIX_ACLS)
#include "modules/vfs_posixacl.h"
size_t count);
ssize_t drain_socket(int sockfd, size_t count);
-/* The following definitions come from lib/secace.c */
-
-bool sec_ace_object(uint8 type);
-void sec_ace_copy(SEC_ACE *ace_dest, SEC_ACE *ace_src);
-void init_sec_ace(SEC_ACE *t, const DOM_SID *sid, enum security_ace_type type,
- uint32 mask, uint8 flag);
-NTSTATUS sec_ace_add_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, unsigned *num, DOM_SID *sid, uint32 mask);
-NTSTATUS sec_ace_mod_sid(SEC_ACE *ace, size_t num, DOM_SID *sid, uint32 mask);
-NTSTATUS sec_ace_del_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, uint32 *num, DOM_SID *sid);
-bool sec_ace_equal(SEC_ACE *s1, SEC_ACE *s2);
-int nt_ace_inherit_comp( SEC_ACE *a1, SEC_ACE *a2);
-int nt_ace_canon_comp( SEC_ACE *a1, SEC_ACE *a2);
-void dacl_sort_into_canonical_order(SEC_ACE *srclist, unsigned int num_aces);
-bool token_sid_in_ace(const NT_USER_TOKEN *token, const SEC_ACE *ace);
-
-/* The following definitions come from lib/secacl.c */
-
-SEC_ACL *make_sec_acl(TALLOC_CTX *ctx, enum security_acl_revision revision,
- int num_aces, SEC_ACE *ace_list);
-SEC_ACL *dup_sec_acl(TALLOC_CTX *ctx, SEC_ACL *src);
-bool sec_acl_equal(SEC_ACL *s1, SEC_ACL *s2);
-
/* The following definitions come from lib/secdesc.c */
bool sec_desc_equal(SEC_DESC *s1, SEC_DESC *s2);
const struct nt_user_token *token_1,
const struct nt_user_token *token_2,
struct nt_user_token **token_out);
+bool token_sid_in_ace(const NT_USER_TOKEN *token, const SEC_ACE *ace);
/* The following definitions come from lib/util_pw.c */
/* SEC_ACE */
typedef struct security_ace SEC_ACE;
-#define SEC_ACE_HEADER_SIZE (2 * sizeof(uint8) + sizeof(uint16) + sizeof(uint32))
#ifndef ACL_REVISION
#define ACL_REVISION 0x3
#ifndef _SEC_ACL
/* SEC_ACL */
typedef struct security_acl SEC_ACL;
-#define SEC_ACL_HEADER_SIZE (2 * sizeof(uint16) + sizeof(uint32))
#define _SEC_ACL
#endif
#define COPY_UCS2_CHAR(dest,src) (((unsigned char *)(dest))[0] = ((unsigned char *)(src))[0],\
((unsigned char *)(dest))[1] = ((unsigned char *)(src))[1], (dest))
+/* Large data type for manipulating uint32 unicode codepoints */
+typedef uint32 codepoint_t;
+#define INVALID_CODEPOINT ((codepoint_t)-1)
+
/* pipe string names */
#define PIPE_LANMAN "\\PIPE\\LANMAN"
#define SAFE_NETBIOS_CHARS ". -_"
+/* generic iconv conversion structure */
+typedef struct _smb_iconv_t {
+ size_t (*direct)(void *cd, const char **inbuf, size_t *inbytesleft,
+ char **outbuf, size_t *outbytesleft);
+ size_t (*pull)(void *cd, const char **inbuf, size_t *inbytesleft,
+ char **outbuf, size_t *outbytesleft);
+ size_t (*push)(void *cd, const char **inbuf, size_t *inbytesleft,
+ char **outbuf, size_t *outbytesleft);
+ void *cd_direct, *cd_pull, *cd_push;
+ char *from_name, *to_name;
+} *smb_iconv_t;
+
/* The maximum length of a trust account password.
Used when we randomly create it, 15 char passwords
exceed NT4's max password length */
return NT_STATUS_OK;
}
+
+/*******************************************************************
+ Check if this ACE has a SID in common with the token.
+********************************************************************/
+
+bool token_sid_in_ace(const NT_USER_TOKEN *token, const struct security_ace *ace)
+{
+ size_t i;
+
+ for (i = 0; i < token->num_sids; i++) {
+ if (sid_equal(&ace->trustee, &token->user_sids[i]))
+ return true;
+ }
+
+ return false;
+}
LIBSECURITY_OBJ_FILES = $(addprefix $(libclisrcdir)/security/, \
security_token.o security_descriptor.o \
- access_check.o privilege.o sddl.o)
+ access_check.o privilege.o sddl.o) \
+ ../libcli/security/secace.o \
+ ../libcli/security/secacl.o
$(eval $(call proto_header_template,$(libclisrcdir)/security/proto.h,$(LIBSECURITY_OBJ_FILES:.o=.c)))
/* Moved the dom_sid functions to the top level dir with manual proto header */
#include "libcli/security/dom_sid.h"
-
+#include "libcli/security/secace.h"
+#include "libcli/security/secacl.h"
#include "libcli/security/proto.h"
git.samba.org / samba.git / commitdiff