mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
r3810: create a LIB_SECURITY subsystem
- move dom_sid, security_descriptor, security_* funtions to one place
and rename some of them
metze
(This used to be commit b620bdd672
)
This commit is contained in:
parent
04a47a26ce
commit
856ee66537
@ -24,6 +24,7 @@
|
||||
#include "includes.h"
|
||||
#include "librpc/gen_ndr/ndr_samr.h"
|
||||
#include "librpc/gen_ndr/ndr_netlogon.h"
|
||||
#include "librpc/gen_ndr/ndr_security.h"
|
||||
#include "auth/auth.h"
|
||||
|
||||
#undef DBGC_CLASS
|
||||
@ -401,7 +402,7 @@ NTSTATUS create_nt_user_token(TALLOC_CTX *mem_ctx,
|
||||
for (i = 0; i < n_groupSIDs; i++) {
|
||||
size_t check_sid_idx;
|
||||
for (check_sid_idx = 1; check_sid_idx < ptoken->num_sids; check_sid_idx++) {
|
||||
if (sid_equal(ptoken->user_sids[check_sid_idx],
|
||||
if (dom_sid_equal(ptoken->user_sids[check_sid_idx],
|
||||
groupSIDs[i])) {
|
||||
break;
|
||||
}
|
||||
|
@ -51,7 +51,8 @@ sub smb_build_main($)
|
||||
"librpc/config.mk",
|
||||
"client/config.mk",
|
||||
"libcli/libsmb.mk",
|
||||
"libcli/config.mk"
|
||||
"libcli/config.mk",
|
||||
"libcli/security/config.mk"
|
||||
);
|
||||
|
||||
$| = 1;
|
||||
|
@ -120,3 +120,7 @@ struct test_join_ads_dc;
|
||||
struct netr_LMSessionKey;
|
||||
|
||||
struct ldb_message;
|
||||
|
||||
struct security_token;
|
||||
struct security_acl;
|
||||
struct security_ace;
|
||||
|
@ -51,8 +51,6 @@ ADD_OBJ_FILES = \
|
||||
lib/wins_srv.o \
|
||||
lib/util_str.o \
|
||||
lib/util_strlist.o \
|
||||
lib/util_sid.o \
|
||||
lib/util_secdesc.o \
|
||||
lib/util_uuid.o \
|
||||
lib/util_unistr.o \
|
||||
lib/util_file.o \
|
||||
@ -74,6 +72,6 @@ ADD_OBJ_FILES = \
|
||||
lib/db_wrap.o \
|
||||
lib/gencache.o
|
||||
REQUIRED_SUBSYSTEMS = \
|
||||
LIBLDB CHARSET LIBREPLACE LIBNETIF LIBCRYPTO EXT_LIB_DL
|
||||
LIBLDB CHARSET LIBREPLACE LIBNETIF LIBCRYPTO LIB_SECURITY EXT_LIB_DL
|
||||
# End SUBSYSTEM LIBBASIC
|
||||
##############################
|
||||
|
@ -1,85 +0,0 @@
|
||||
/*
|
||||
Unix SMB/CIFS implementation.
|
||||
Samba utility functions
|
||||
Copyright (C) Andrew Tridgell 1992-1998
|
||||
Copyright (C) Luke Kenneth Caseson Leighton 1998-1999
|
||||
Copyright (C) Jeremy Allison 1999
|
||||
Copyright (C) Stefan (metze) Metzmacher 2002
|
||||
Copyright (C) Simo Sorce 2002
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation; either version 2 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program; if not, write to the Free Software
|
||||
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
/*****************************************************************
|
||||
Compare the auth portion of two sids.
|
||||
*****************************************************************/
|
||||
|
||||
static int sid_compare_auth(const struct dom_sid *sid1, const struct dom_sid *sid2)
|
||||
{
|
||||
int i;
|
||||
|
||||
if (sid1 == sid2)
|
||||
return 0;
|
||||
if (!sid1)
|
||||
return -1;
|
||||
if (!sid2)
|
||||
return 1;
|
||||
|
||||
if (sid1->sid_rev_num != sid2->sid_rev_num)
|
||||
return sid1->sid_rev_num - sid2->sid_rev_num;
|
||||
|
||||
for (i = 0; i < 6; i++)
|
||||
if (sid1->id_auth[i] != sid2->id_auth[i])
|
||||
return sid1->id_auth[i] - sid2->id_auth[i];
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*****************************************************************
|
||||
Compare two sids.
|
||||
*****************************************************************/
|
||||
|
||||
static int sid_compare(const struct dom_sid *sid1, const struct dom_sid *sid2)
|
||||
{
|
||||
int i;
|
||||
|
||||
if (sid1 == sid2)
|
||||
return 0;
|
||||
if (!sid1)
|
||||
return -1;
|
||||
if (!sid2)
|
||||
return 1;
|
||||
|
||||
/* Compare most likely different rids, first: i.e start at end */
|
||||
if (sid1->num_auths != sid2->num_auths)
|
||||
return sid1->num_auths - sid2->num_auths;
|
||||
|
||||
for (i = sid1->num_auths-1; i >= 0; --i)
|
||||
if (sid1->sub_auths[i] != sid2->sub_auths[i])
|
||||
return sid1->sub_auths[i] - sid2->sub_auths[i];
|
||||
|
||||
return sid_compare_auth(sid1, sid2);
|
||||
}
|
||||
|
||||
/*****************************************************************
|
||||
Compare two sids.
|
||||
*****************************************************************/
|
||||
|
||||
BOOL sid_equal(const struct dom_sid *sid1, const struct dom_sid *sid2)
|
||||
{
|
||||
return sid_compare(sid1, sid2) == 0;
|
||||
}
|
@ -6,8 +6,7 @@ ADD_OBJ_FILES = libcli/util/asn1.o \
|
||||
libcli/util/clierror.o \
|
||||
libcli/util/nterr.o \
|
||||
libcli/util/smbdes.o \
|
||||
libcli/util/smbencrypt.o \
|
||||
libcli/util/dom_sid.o
|
||||
libcli/util/smbencrypt.o
|
||||
|
||||
[SUBSYSTEM::LIBCLI_NMB]
|
||||
ADD_OBJ_FILES = libcli/unexpected.o \
|
||||
|
@ -19,6 +19,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
#include "librpc/gen_ndr/ndr_security.h"
|
||||
#include "libcli/raw/libcliraw.h"
|
||||
|
||||
/****************************************************************************
|
||||
|
18
source4/libcli/security/config.mk
Normal file
18
source4/libcli/security/config.mk
Normal file
@ -0,0 +1,18 @@
|
||||
#################################
|
||||
# Start SUBSYSTEM LIB_SECURITY_NDR
|
||||
[SUBSYSTEM::LIB_SECURITY_NDR]
|
||||
ADD_OBJ_FILES = librpc/gen_ndr/ndr_security.o
|
||||
NOPROTO = YES
|
||||
# End SUBSYSTEM LIB_SECURITY_NDR
|
||||
#################################
|
||||
|
||||
#################################
|
||||
# Start SUBSYSTEM LIB_SECURITY
|
||||
[SUBSYSTEM::LIB_SECURITY]
|
||||
ADD_OBJ_FILES = libcli/security/security_token.o \
|
||||
libcli/security/security_descriptor.o \
|
||||
libcli/security/dom_sid.o \
|
||||
librpc/ndr/ndr_sec.o
|
||||
REQUIRED_SUBSYSTEMS = LIB_SECURITY_NDR
|
||||
# End SUBSYSTEM LIB_SECURITY
|
||||
#################################
|
@ -1,10 +1,12 @@
|
||||
/*
|
||||
Unix SMB/CIFS implementation.
|
||||
|
||||
routines to manipulate a "struct dom_sid"
|
||||
|
||||
Copyright (C) Andrew Tridgell 2004
|
||||
|
||||
Samba utility functions
|
||||
Copyright (C) Andrew Tridgell 1992-2004
|
||||
Copyright (C) Luke Kenneth Caseson Leighton 1998-1999
|
||||
Copyright (C) Jeremy Allison 1999
|
||||
Copyright (C) Stefan (metze) Metzmacher 2002-2004
|
||||
Copyright (C) Simo Sorce 2002
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation; either version 2 of the License, or
|
||||
@ -21,6 +23,67 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
#include "librpc/gen_ndr/ndr_security.h"
|
||||
|
||||
/*****************************************************************
|
||||
Compare the auth portion of two sids.
|
||||
*****************************************************************/
|
||||
|
||||
static int dom_sid_compare_auth(const struct dom_sid *sid1, const struct dom_sid *sid2)
|
||||
{
|
||||
int i;
|
||||
|
||||
if (sid1 == sid2)
|
||||
return 0;
|
||||
if (!sid1)
|
||||
return -1;
|
||||
if (!sid2)
|
||||
return 1;
|
||||
|
||||
if (sid1->sid_rev_num != sid2->sid_rev_num)
|
||||
return sid1->sid_rev_num - sid2->sid_rev_num;
|
||||
|
||||
for (i = 0; i < 6; i++)
|
||||
if (sid1->id_auth[i] != sid2->id_auth[i])
|
||||
return sid1->id_auth[i] - sid2->id_auth[i];
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*****************************************************************
|
||||
Compare two sids.
|
||||
*****************************************************************/
|
||||
|
||||
static int dom_sid_compare(const struct dom_sid *sid1, const struct dom_sid *sid2)
|
||||
{
|
||||
int i;
|
||||
|
||||
if (sid1 == sid2)
|
||||
return 0;
|
||||
if (!sid1)
|
||||
return -1;
|
||||
if (!sid2)
|
||||
return 1;
|
||||
|
||||
/* Compare most likely different rids, first: i.e start at end */
|
||||
if (sid1->num_auths != sid2->num_auths)
|
||||
return sid1->num_auths - sid2->num_auths;
|
||||
|
||||
for (i = sid1->num_auths-1; i >= 0; --i)
|
||||
if (sid1->sub_auths[i] != sid2->sub_auths[i])
|
||||
return sid1->sub_auths[i] - sid2->sub_auths[i];
|
||||
|
||||
return dom_sid_compare_auth(sid1, sid2);
|
||||
}
|
||||
|
||||
/*****************************************************************
|
||||
Compare two sids.
|
||||
*****************************************************************/
|
||||
|
||||
BOOL dom_sid_equal(const struct dom_sid *sid1, const struct dom_sid *sid2)
|
||||
{
|
||||
return dom_sid_compare(sid1, sid2) == 0;
|
||||
}
|
||||
|
||||
/*
|
||||
convert a dom_sid to a string
|
||||
@ -124,7 +187,7 @@ struct dom_sid *dom_sid_parse_talloc(TALLOC_CTX *mem_ctx, const char *sidstr)
|
||||
/*
|
||||
convert a string to a dom_sid, returning a talloc'd dom_sid
|
||||
*/
|
||||
struct dom_sid *dom_sid_dup(TALLOC_CTX *mem_ctx, struct dom_sid *dom_sid)
|
||||
struct dom_sid *dom_sid_dup(TALLOC_CTX *mem_ctx, const struct dom_sid *dom_sid)
|
||||
{
|
||||
struct dom_sid *ret;
|
||||
int i;
|
||||
@ -177,4 +240,3 @@ struct dom_sid *dom_sid_add_rid(TALLOC_CTX *mem_ctx,
|
||||
sid->num_auths++;
|
||||
return sid;
|
||||
}
|
||||
|
102
source4/libcli/security/security_descriptor.c
Normal file
102
source4/libcli/security/security_descriptor.c
Normal file
@ -0,0 +1,102 @@
|
||||
/*
|
||||
Unix SMB/CIFS implementation.
|
||||
|
||||
security descriptror utility functions
|
||||
|
||||
Copyright (C) Andrew Tridgell 2004
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation; either version 2 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program; if not, write to the Free Software
|
||||
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
#include "librpc/gen_ndr/ndr_security.h"
|
||||
|
||||
/*
|
||||
return a blank security descriptor (no owners, dacl or sacl)
|
||||
*/
|
||||
struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx)
|
||||
{
|
||||
struct security_descriptor *sd;
|
||||
|
||||
sd = talloc_p(mem_ctx, struct security_descriptor);
|
||||
if (!sd) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
sd->revision = SD_REVISION;
|
||||
/* we mark as self relative, even though it isn't while it remains
|
||||
a pointer in memory because this simplifies the ndr code later.
|
||||
All SDs that we store/emit are in fact SELF_RELATIVE
|
||||
*/
|
||||
sd->type = SEC_DESC_SELF_RELATIVE;
|
||||
|
||||
sd->owner_sid = NULL;
|
||||
sd->group_sid = NULL;
|
||||
sd->sacl = NULL;
|
||||
sd->dacl = NULL;
|
||||
|
||||
return sd;
|
||||
}
|
||||
|
||||
/*
|
||||
talloc and copy a security descriptor
|
||||
*/
|
||||
struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx,
|
||||
const struct security_descriptor *osd)
|
||||
{
|
||||
struct security_descriptor *nsd;
|
||||
|
||||
/* FIXME */
|
||||
DEBUG(1, ("security_descriptor_copy(): sorry unimplemented yet\n"));
|
||||
nsd = NULL;
|
||||
|
||||
return nsd;
|
||||
}
|
||||
|
||||
NTSTATUS security_check_dacl(struct security_token *st, struct security_descriptor *sd, uint32 access_mask)
|
||||
{
|
||||
size_t i,y;
|
||||
NTSTATUS status = NT_STATUS_ACCESS_DENIED;
|
||||
|
||||
DEBUG(1, ("security_check_dacl(): sorry untested yet\n"));
|
||||
return status;
|
||||
|
||||
if (!sd->dacl) {
|
||||
return NT_STATUS_INVALID_ACL;
|
||||
}
|
||||
|
||||
for (i=0; i < st->num_sids; i++) {
|
||||
for (y=0; y < sd->dacl->num_aces; y++) {
|
||||
if (dom_sid_equal(&st->sids[i], &sd->dacl->aces[y].trustee)) {
|
||||
switch (sd->dacl->aces[y].type) {
|
||||
case SEC_ACE_TYPE_ACCESS_ALLOWED:
|
||||
if (access_mask & sd->dacl->aces[y].access_mask) {
|
||||
status = NT_STATUS_OK;
|
||||
}
|
||||
break;
|
||||
case SEC_ACE_TYPE_ACCESS_DENIED:
|
||||
if (access_mask & sd->dacl->aces[y].access_mask) {
|
||||
return NT_STATUS_ACCESS_DENIED;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
return NT_STATUS_INVALID_ACL;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return status;
|
||||
}
|
@ -21,31 +21,36 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
#include "librpc/gen_ndr/ndr_security.h"
|
||||
|
||||
/*
|
||||
return a blank security descriptor (no owners, dacl or sacl)
|
||||
*/
|
||||
struct security_descriptor *sd_initialise(TALLOC_CTX *mem_ctx)
|
||||
struct security_token *security_token_initialise(TALLOC_CTX *mem_ctx)
|
||||
{
|
||||
struct security_descriptor *sd;
|
||||
struct security_token *st;
|
||||
|
||||
sd = talloc_p(mem_ctx, struct security_descriptor);
|
||||
if (!sd) {
|
||||
st = talloc_p(mem_ctx, struct security_token);
|
||||
if (!st) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
sd->revision = SD_REVISION;
|
||||
/* we mark as self relative, even though it isn't while it remains
|
||||
a pointer in memory because this simplifies the ndr code later.
|
||||
All SDs that we store/emit are in fact SELF_RELATIVE
|
||||
*/
|
||||
sd->type = SEC_DESC_SELF_RELATIVE;
|
||||
st->flags = 0;
|
||||
|
||||
sd->owner_sid = NULL;
|
||||
sd->group_sid = NULL;
|
||||
sd->sacl = NULL;
|
||||
sd->dacl = NULL;
|
||||
st->user_sid = NULL;
|
||||
st->group_sid = NULL;
|
||||
st->logon_sid = NULL;
|
||||
|
||||
return sd;
|
||||
st->num_sids = 0;
|
||||
st->sids = NULL;
|
||||
|
||||
st->num_restricted_sids = 0;
|
||||
st->restricted_sids = NULL;
|
||||
|
||||
st->num_privileges = 0;
|
||||
st->privileges = NULL;
|
||||
|
||||
st->dacl = NULL;
|
||||
|
||||
return st;
|
||||
}
|
||||
|
@ -5,7 +5,6 @@ INIT_OBJ_FILES = \
|
||||
librpc/ndr/ndr.o
|
||||
ADD_OBJ_FILES = \
|
||||
librpc/ndr/ndr_basic.o \
|
||||
librpc/ndr/ndr_sec.o \
|
||||
librpc/ndr/ndr_spoolss_buf.o \
|
||||
librpc/ndr/ndr_dcom.o
|
||||
# End SUBSYSTEM LIBNDR_RAW
|
||||
|
@ -7,7 +7,8 @@
|
||||
[
|
||||
uuid("46746756-7567-7567-5677-756756756756"),
|
||||
version(0.0),
|
||||
pointer_default(unique)
|
||||
pointer_default(unique),
|
||||
depends(security)
|
||||
]
|
||||
interface krb5pac
|
||||
{
|
||||
|
@ -8,7 +8,8 @@
|
||||
version(0.0),
|
||||
endpoint("ncacn_np:[\\pipe\\lsarpc]","ncacn_np:[\\pipe\\lsass]", "ncacn_ip_tcp:"),
|
||||
pointer_default(unique),
|
||||
helpstring("Local Server Authentication(?)")
|
||||
helpstring("Local Server Authentication(?)"),
|
||||
depends(security)
|
||||
] interface lsarpc
|
||||
{
|
||||
/******************/
|
||||
|
@ -6,37 +6,6 @@
|
||||
|
||||
interface misc
|
||||
{
|
||||
/* a NULL sid */
|
||||
const string SID_NULL = "S-1-0-0";
|
||||
|
||||
/* the world domain */
|
||||
const string SID_WORLD_DOMAIN = "S-1-1";
|
||||
const string SID_WORLD = "S-1-1-0";
|
||||
|
||||
/* SECURITY_CREATOR_SID_AUTHORITY */
|
||||
const string SID_CREATOR_OWNER_DOMAIN = "S-1-3";
|
||||
const string SID_CREATOR_OWNER = "S-1-3-0";
|
||||
const string SID_CREATOR_GROUP = "S-1-3-1";
|
||||
|
||||
/* SECURITY_NT_AUTHORITY */
|
||||
const string SID_NT_AUTHORITY = "S-1-5";
|
||||
const string SID_NETWORK = "S-1-5-2";
|
||||
const string SID_ANONYMOUS = "S-1-5-7";
|
||||
const string SID_AUTHENTICATED_USERS = "S-1-5-11";
|
||||
const string SID_SYSTEM = "S-1-5-18";
|
||||
|
||||
/* SECURITY_BUILTIN_DOMAIN_RID */
|
||||
const string SID_BUILTIN = "S-1-5-32";
|
||||
const string SID_BUILTIN_ADMINISTRATORS = "S-1-5-32-544";
|
||||
const string SID_BUILTIN_USERS = "S-1-5-32-545";
|
||||
const string SID_BUILTIN_GUESTS = "S-1-5-32-546";
|
||||
const string SID_BUILTIN_POWER_USERS = "S-1-5-32-547";
|
||||
const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548";
|
||||
const string SID_BUILTIN_SERVER_OPERATORS = "S-1-5-32-549";
|
||||
const string SID_BUILTIN_PRINT_OPERATORS = "S-1-5-32-550";
|
||||
const string SID_BUILTIN_BACKUP_OPERATORS = "S-1-5-32-551";
|
||||
const string SID_BUILTIN_REPLICATOR = "S-1-5-32-552";
|
||||
|
||||
/* server roles */
|
||||
typedef enum {
|
||||
ROLE_STANDALONE = 0,
|
||||
@ -54,70 +23,6 @@ interface misc
|
||||
uint8 node[6];
|
||||
} GUID;
|
||||
|
||||
/* a domain SID. Note that unlike Samba3 this contains a pointer,
|
||||
so you can't copy them using assignment */
|
||||
typedef [public,noprint] struct {
|
||||
uint8 sid_rev_num; /**< SID revision number */
|
||||
uint8 num_auths; /**< Number of sub-authorities */
|
||||
uint8 id_auth[6]; /**< Identifier Authority */
|
||||
uint32 sub_auths[num_auths];
|
||||
} dom_sid;
|
||||
|
||||
typedef [public] struct {
|
||||
uint8 type; /* xxxx_xxxx_ACE_TYPE - e.g allowed / denied etc */
|
||||
uint8 flags; /* xxxx_INHERIT_xxxx - e.g OBJECT_INHERIT_ACE */
|
||||
[value(ndr_size_security_ace(r))] uint16 size;
|
||||
uint32 access_mask;
|
||||
|
||||
#if 0
|
||||
/* the 'obj' part is present when type is XXXX_TYPE_XXXX_OBJECT */
|
||||
struct {
|
||||
uint32 flags;
|
||||
GUID object_guid;
|
||||
GUID inherit_guid;
|
||||
} *obj;
|
||||
#endif
|
||||
|
||||
dom_sid trustee;
|
||||
} security_ace;
|
||||
|
||||
typedef [public] struct {
|
||||
uint16 revision;
|
||||
[value(ndr_size_security_acl(r))] uint16 size;
|
||||
uint32 num_aces;
|
||||
security_ace aces[num_aces];
|
||||
} security_acl;
|
||||
|
||||
/* default revision for new ACLs */
|
||||
const int SD_REVISION = 1;
|
||||
|
||||
/* security_descriptor->type bits */
|
||||
const int SEC_DESC_OWNER_DEFAULTED = 0x0001;
|
||||
const int SEC_DESC_GROUP_DEFAULTED = 0x0002;
|
||||
const int SEC_DESC_DACL_PRESENT = 0x0004;
|
||||
const int SEC_DESC_DACL_DEFAULTED = 0x0008;
|
||||
const int SEC_DESC_SACL_PRESENT = 0x0010;
|
||||
const int SEC_DESC_SACL_DEFAULTED = 0x0020;
|
||||
const int SEC_DESC_DACL_TRUSTED = 0x0040;
|
||||
const int SEC_DESC_SERVER_SECURITY = 0x0080;
|
||||
const int SEC_DESC_DACL_AUTO_INHERIT_REQ = 0x0100;
|
||||
const int SEC_DESC_SACL_AUTO_INHERIT_REQ = 0x0200;
|
||||
const int SEC_DESC_DACL_AUTO_INHERITED = 0x0400;
|
||||
const int SEC_DESC_SACL_AUTO_INHERITED = 0x0800;
|
||||
const int SEC_DESC_DACL_PROTECTED = 0x1000;
|
||||
const int SEC_DESC_SACL_PROTECTED = 0x2000;
|
||||
const int SEC_DESC_RM_CONTROL_VALID = 0x4000;
|
||||
const int SEC_DESC_SELF_RELATIVE = 0x8000;
|
||||
|
||||
typedef [public,flag(NDR_LITTLE_ENDIAN)] struct {
|
||||
uint8 revision;
|
||||
uint16 type; /* SEC_DESC_xxxx flags */
|
||||
[relative] dom_sid *owner_sid;
|
||||
[relative] dom_sid *group_sid;
|
||||
[relative] security_acl *sacl; /* system ACL */
|
||||
[relative] security_acl *dacl; /* user (discretionary) ACL */
|
||||
} security_descriptor;
|
||||
|
||||
typedef [public] struct {
|
||||
uint32 handle_type;
|
||||
GUID uuid;
|
||||
|
@ -12,7 +12,7 @@
|
||||
version(1.0),
|
||||
endpoint("ncacn_np:[\\pipe\\samr]","ncacn_ip_tcp:", "ncalrpc:"),
|
||||
pointer_default(unique),
|
||||
depends(lsa)
|
||||
depends(lsa,security)
|
||||
] interface samr
|
||||
{
|
||||
/* account control (acct_flags) bits */
|
||||
|
123
source4/librpc/idl/security.idl
Normal file
123
source4/librpc/idl/security.idl
Normal file
@ -0,0 +1,123 @@
|
||||
#include "idl_types.h"
|
||||
|
||||
/*
|
||||
security IDL structures
|
||||
*/
|
||||
|
||||
interface security
|
||||
{
|
||||
/* a NULL sid */
|
||||
const string SID_NULL = "S-1-0-0";
|
||||
|
||||
/* the world domain */
|
||||
const string SID_WORLD_DOMAIN = "S-1-1";
|
||||
const string SID_WORLD = "S-1-1-0";
|
||||
|
||||
/* SECURITY_CREATOR_SID_AUTHORITY */
|
||||
const string SID_CREATOR_OWNER_DOMAIN = "S-1-3";
|
||||
const string SID_CREATOR_OWNER = "S-1-3-0";
|
||||
const string SID_CREATOR_GROUP = "S-1-3-1";
|
||||
|
||||
/* SECURITY_NT_AUTHORITY */
|
||||
const string SID_NT_AUTHORITY = "S-1-5";
|
||||
const string SID_NETWORK = "S-1-5-2";
|
||||
const string SID_ANONYMOUS = "S-1-5-7";
|
||||
const string SID_AUTHENTICATED_USERS = "S-1-5-11";
|
||||
const string SID_SYSTEM = "S-1-5-18";
|
||||
|
||||
/* SECURITY_BUILTIN_DOMAIN_RID */
|
||||
const string SID_BUILTIN = "S-1-5-32";
|
||||
const string SID_BUILTIN_ADMINISTRATORS = "S-1-5-32-544";
|
||||
const string SID_BUILTIN_USERS = "S-1-5-32-545";
|
||||
const string SID_BUILTIN_GUESTS = "S-1-5-32-546";
|
||||
const string SID_BUILTIN_POWER_USERS = "S-1-5-32-547";
|
||||
const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548";
|
||||
const string SID_BUILTIN_SERVER_OPERATORS = "S-1-5-32-549";
|
||||
const string SID_BUILTIN_PRINT_OPERATORS = "S-1-5-32-550";
|
||||
const string SID_BUILTIN_BACKUP_OPERATORS = "S-1-5-32-551";
|
||||
const string SID_BUILTIN_REPLICATOR = "S-1-5-32-552";
|
||||
|
||||
/* a domain SID. Note that unlike Samba3 this contains a pointer,
|
||||
so you can't copy them using assignment */
|
||||
typedef [public,noprint] struct {
|
||||
uint8 sid_rev_num; /**< SID revision number */
|
||||
uint8 num_auths; /**< Number of sub-authorities */
|
||||
uint8 id_auth[6]; /**< Identifier Authority */
|
||||
uint32 sub_auths[num_auths];
|
||||
} dom_sid;
|
||||
|
||||
typedef [public] struct {
|
||||
uint8 type; /* xxxx_xxxx_ACE_TYPE - e.g allowed / denied etc */
|
||||
uint8 flags; /* xxxx_INHERIT_xxxx - e.g OBJECT_INHERIT_ACE */
|
||||
[value(ndr_size_security_ace(r))] uint16 size;
|
||||
uint32 access_mask;
|
||||
|
||||
#if 0
|
||||
/* the 'obj' part is present when type is XXXX_TYPE_XXXX_OBJECT */
|
||||
struct {
|
||||
uint32 flags;
|
||||
GUID object_guid;
|
||||
GUID inherit_guid;
|
||||
} *obj;
|
||||
#endif
|
||||
|
||||
dom_sid trustee;
|
||||
} security_ace;
|
||||
|
||||
typedef [public] struct {
|
||||
uint16 revision;
|
||||
[value(ndr_size_security_acl(r))] uint16 size;
|
||||
uint32 num_aces;
|
||||
security_ace aces[num_aces];
|
||||
} security_acl;
|
||||
|
||||
/* default revision for new ACLs */
|
||||
const int SD_REVISION = 1;
|
||||
|
||||
/* security_descriptor->type bits */
|
||||
const int SEC_DESC_OWNER_DEFAULTED = 0x0001;
|
||||
const int SEC_DESC_GROUP_DEFAULTED = 0x0002;
|
||||
const int SEC_DESC_DACL_PRESENT = 0x0004;
|
||||
const int SEC_DESC_DACL_DEFAULTED = 0x0008;
|
||||
const int SEC_DESC_SACL_PRESENT = 0x0010;
|
||||
const int SEC_DESC_SACL_DEFAULTED = 0x0020;
|
||||
const int SEC_DESC_DACL_TRUSTED = 0x0040;
|
||||
const int SEC_DESC_SERVER_SECURITY = 0x0080;
|
||||
const int SEC_DESC_DACL_AUTO_INHERIT_REQ = 0x0100;
|
||||
const int SEC_DESC_SACL_AUTO_INHERIT_REQ = 0x0200;
|
||||
const int SEC_DESC_DACL_AUTO_INHERITED = 0x0400;
|
||||
const int SEC_DESC_SACL_AUTO_INHERITED = 0x0800;
|
||||
const int SEC_DESC_DACL_PROTECTED = 0x1000;
|
||||
const int SEC_DESC_SACL_PROTECTED = 0x2000;
|
||||
const int SEC_DESC_RM_CONTROL_VALID = 0x4000;
|
||||
const int SEC_DESC_SELF_RELATIVE = 0x8000;
|
||||
|
||||
typedef [public,flag(NDR_LITTLE_ENDIAN)] struct {
|
||||
uint8 revision;
|
||||
uint16 type; /* SEC_DESC_xxxx flags */
|
||||
[relative] dom_sid *owner_sid;
|
||||
[relative] dom_sid *group_sid;
|
||||
[relative] security_acl *sacl; /* system ACL */
|
||||
[relative] security_acl *dacl; /* user (discretionary) ACL */
|
||||
} security_descriptor;
|
||||
|
||||
typedef [public,printonly] struct {
|
||||
/* TODO */
|
||||
uint32 flags;
|
||||
} security_privilege;
|
||||
|
||||
typedef [public,printonly] struct {
|
||||
uint32 flags;
|
||||
dom_sid *user_sid;
|
||||
dom_sid *group_sid;
|
||||
dom_sid *logon_sid;
|
||||
uint32 num_sids;
|
||||
dom_sid sids[num_sids];
|
||||
uint32 num_restricted_sids;
|
||||
dom_sid restricted_sids[num_restricted_sids];
|
||||
uint32 num_privileges;
|
||||
security_privilege privileges[num_privileges];
|
||||
security_acl *dacl;
|
||||
} security_token;
|
||||
|
||||
}
|
@ -8,7 +8,8 @@
|
||||
version(1.0),
|
||||
endpoint("ncacn_np:[\\pipe\\spoolss]"),
|
||||
pointer_default(unique),
|
||||
helpstring("Spooler SubSystem")
|
||||
helpstring("Spooler SubSystem"),
|
||||
depends(security)
|
||||
] interface spoolss
|
||||
{
|
||||
typedef struct {
|
||||
|
@ -7,7 +7,8 @@
|
||||
[ uuid("4b324fc8-1670-01d3-1278-5a47bf6ee188"),
|
||||
version(3.0),
|
||||
pointer_default(unique),
|
||||
helpstring("Server Service")
|
||||
helpstring("Server Service"),
|
||||
depends(security)
|
||||
] interface srvsvc
|
||||
{
|
||||
/**************************/
|
||||
|
@ -23,6 +23,7 @@
|
||||
|
||||
|
||||
#include "includes.h"
|
||||
#include "librpc/gen_ndr/ndr_security.h"
|
||||
|
||||
/*
|
||||
parse a dom_sid2 - this is a dom_sid but with an extra copy of the num_auths field
|
||||
@ -112,18 +113,3 @@ size_t ndr_size_security_descriptor(struct security_descriptor *sd)
|
||||
ret += ndr_size_security_acl(sd->sacl);
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
talloc and copy a security descriptor
|
||||
*/
|
||||
struct security_descriptor *copy_security_descriptor(TALLOC_CTX *mem_ctx,
|
||||
const struct security_descriptor *osd)
|
||||
{
|
||||
struct security_descriptor *nsd;
|
||||
|
||||
/* FIXME */
|
||||
DEBUG(1, ("copy_security_descriptor: sorry unimplemented yet\n"));
|
||||
nsd = NULL;
|
||||
|
||||
return nsd;
|
||||
}
|
||||
|
@ -198,7 +198,7 @@ NTSTATUS dcesrv_interface_register(struct dcesrv_context *dce_ctx,
|
||||
* we try to set it
|
||||
*/
|
||||
if (ep->sd == NULL) {
|
||||
ep->sd = copy_security_descriptor(dce_ctx, sd);
|
||||
ep->sd = security_descriptor_copy(dce_ctx, sd);
|
||||
}
|
||||
|
||||
/* if now there's no security descriptor given on the endpoint
|
||||
|
@ -888,7 +888,7 @@ struct security_descriptor *samdb_default_security_descriptor(TALLOC_CTX *mem_ct
|
||||
{
|
||||
struct security_descriptor *sd;
|
||||
|
||||
sd = sd_initialise(mem_ctx);
|
||||
sd = security_descriptor_initialise(mem_ctx);
|
||||
|
||||
return sd;
|
||||
}
|
||||
|
@ -24,6 +24,7 @@
|
||||
|
||||
#include "includes.h"
|
||||
#include "smb_server/smb_server.h"
|
||||
#include "librpc/gen_ndr/ndr_security.h"
|
||||
|
||||
|
||||
|
||||
|
@ -301,7 +301,7 @@ static BOOL samsync_handle_policy(TALLOC_CTX *mem_ctx, struct samsync_state *sam
|
||||
}
|
||||
}
|
||||
|
||||
if (!sid_equal(samsync_state->sid[SAM_DATABASE_DOMAIN], policy->sid)) {
|
||||
if (!dom_sid_equal(samsync_state->sid[SAM_DATABASE_DOMAIN], policy->sid)) {
|
||||
printf("Domain SID from POLICY (%s) does not match domain sid from SAMR (%s)\n",
|
||||
dom_sid_string(mem_ctx, policy->sid), dom_sid_string(mem_ctx, samsync_state->sid[SAM_DATABASE_DOMAIN]));
|
||||
return False;
|
||||
|
Loading…
Reference in New Issue
Block a user