sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Code

r12158: added ldif handlers for the ntSecurityDescriptor attribute, so when

Browse Source 
displaying security descriptors in ldbsearch or ldbedit you can see
the SDDL version.

This also allows us to specify security descriptors in our
setup/*.ldif files in SDDL format, which is much more convenient than
the NDR binary format!
This commit is contained in:
Andrew Tridgell 2005-12-09 23:43:02 +00:00 committed by Gerald (Jerry) Carter
parent 2be62eb2dd
commit 8185731c18
3 changed files with 82 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
source/lib/ldb/samba/ldif_handlers.c
View File

@ -214,6 +214,65 @@ static int ldb_canonicalise_objectGUID(struct ldb_context *ldb, void *mem_ctx,
return ldb_handler_copy(ldb, mem_ctx, in, out);
}
/*
convert a ldif (SDDL) formatted ntSecurityDescriptor to a NDR formatted blob
*/
static int ldif_read_ntSecurityDescriptor(struct ldb_context *ldb, void *mem_ctx,
const struct ldb_val *in, struct ldb_val *out)
{
struct security_descriptor *sd;
NTSTATUS status;
const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
if (domain_sid == NULL) {
return ldb_handler_copy(ldb, mem_ctx, in, out);
}
sd = sddl_decode(mem_ctx, (const char *)in->data, domain_sid);
if (sd == NULL) {
return -1;
}
status = ndr_push_struct_blob(out, mem_ctx, sd,
(ndr_push_flags_fn_t)ndr_push_security_descriptor);
talloc_free(sd);
if (!NT_STATUS_IS_OK(status)) {
return -1;
}
return 0;
}
/*
convert a NDR formatted blob to a ldif formatted ntSecurityDescriptor (SDDL format)
*/
static int ldif_write_ntSecurityDescriptor(struct ldb_context *ldb, void *mem_ctx,
const struct ldb_val *in, struct ldb_val *out)
{
struct security_descriptor *sd;
NTSTATUS status;
const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
if (domain_sid == NULL) {
return ldb_handler_copy(ldb, mem_ctx, in, out);
}
sd = talloc(mem_ctx, struct security_descriptor);
if (sd == NULL) {
return -1;
}
status = ndr_pull_struct_blob(in, sd, sd,
(ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(sd);
return -1;
}
out->data = (uint8_t *)sddl_encode(mem_ctx, sd, domain_sid);
talloc_free(sd);
if (out->data == NULL) {
return -1;
}
out->length = strlen((const char *)out->data);
return 0;
}
static const struct ldb_attrib_handler samba_handlers[] = {
{
.attr = "objectSid",
@ -231,6 +290,14 @@ static const struct ldb_attrib_handler samba_handlers[] = {
.canonicalise_fn = ldb_canonicalise_objectSid,
.comparison_fn = ldb_comparison_objectSid
},
{
.attr = "ntSecurityDescriptor",
.flags = 0,
.ldif_read_fn = ldif_read_ntSecurityDescriptor,
.ldif_write_fn = ldif_write_ntSecurityDescriptor,
.canonicalise_fn = ldb_handler_copy,
.comparison_fn = ldb_comparison_binary
},
{
.attr = "objectGUID",
.flags = 0,

16
source/libcli/security/sddl.c
View File

@ -92,7 +92,7 @@ static const struct {
It can either be a special 2 letter code, or in S-* format
*/
static struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
struct dom_sid *domain_sid)
const struct dom_sid *domain_sid)
{
const char *sddl = (*sddlp);
int i;
@ -172,7 +172,7 @@ static const struct flag_map ace_access_mask[] = {
note that this routine modifies the string
*/
static BOOL sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char *str,
struct dom_sid *domain_sid)
const struct dom_sid *domain_sid)
{
const char *tok[6];
const char *s;
@ -259,7 +259,7 @@ static const struct flag_map acl_flags[] = {
*/
static struct security_acl *sddl_decode_acl(struct security_descriptor *sd,
const char **sddlp, uint32_t *flags,
struct dom_sid *domain_sid)
const struct dom_sid *domain_sid)
{
const char *sddl = *sddlp;
struct security_acl *acl;
@ -316,7 +316,7 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd,
decode a security descriptor in SDDL format
*/
struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl,
struct dom_sid *domain_sid)
const struct dom_sid *domain_sid)
{
struct security_descriptor *sd;
sd = talloc_zero(mem_ctx, struct security_descriptor);
@ -408,7 +408,7 @@ failed:
encode a sid in SDDL format
*/
static char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
struct dom_sid *domain_sid)
const struct dom_sid *domain_sid)
{
int i;
char *sidstr;
@ -446,7 +446,7 @@ static char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
encode an ACE in SDDL format
*/
static char *sddl_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace,
struct dom_sid *domain_sid)
const struct dom_sid *domain_sid)
{
char *sddl;
TALLOC_CTX *tmp_ctx;
@ -497,7 +497,7 @@ failed:
encode an ACL in SDDL format
*/
static char *sddl_encode_acl(TALLOC_CTX *mem_ctx, const struct security_acl *acl,
uint32_t flags, struct dom_sid *domain_sid)
uint32_t flags, const struct dom_sid *domain_sid)
{
char *sddl;
int i;
@ -527,7 +527,7 @@ failed:
encode a security descriptor to SDDL format
*/
char *sddl_encode(TALLOC_CTX *mem_ctx, const struct security_descriptor *sd,
struct dom_sid *domain_sid)
const struct dom_sid *domain_sid)
{
char *sddl;
TALLOC_CTX *tmp_ctx;

7
source/torture/local/sddl.c
View File

@ -57,6 +57,13 @@ static BOOL test_sddl(TALLOC_CTX *mem_ctx, const char *sddl)
return False;
}
#if 0
/* flags don't have a canonical order ... */
if (strcmp(sddl, sddl2) != 0) {
printf("Failed sddl equality test\norig: %s\n new: %s\n", sddl, sddl2);
}
#endif
if (DEBUGLVL(2)) {
NDR_PRINT_DEBUG(security_descriptor, sd);
}