sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-11 16:58:40 +03:00
Code

libcli/security: prepare security_descriptor_acl_add() to place the ace at a position

Browse Source 
Often it is important to insert an ace at a specific position in the
ACL. As a default we still append by default by using -1, which is the
generic version of passing the number of existing aces.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This commit is contained in:
Stefan Metzmacher 2023-03-16 10:00:11 +01:00
parent 9d8ff0d1e0
commit c3cb915a67
1 changed files with 20 additions and 7 deletions

27
libcli/security/security_descriptor.c

@ -268,9 +268,11 @@ NTSTATUS security_descriptor_for_client(TALLOC_CTX *mem_ctx,
static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd, static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
bool add_to_sacl, bool add_to_sacl,
const struct security_ace *ace) const struct security_ace *ace,
ssize_t _idx)
{ {
struct security_acl *acl = NULL; struct security_acl *acl = NULL;
ssize_t idx;
if (add_to_sacl) { if (add_to_sacl) {
acl = sd->sacl; acl = sd->sacl;
@ -289,15 +291,28 @@ static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
acl->aces = NULL; acl->aces = NULL;
} }
if (_idx < 0) {
idx = (acl->num_aces + 1) + _idx;
} else {
idx = _idx;
}
if (idx < 0) {
return NT_STATUS_ARRAY_BOUNDS_EXCEEDED;
} else if (idx > acl->num_aces) {
return NT_STATUS_ARRAY_BOUNDS_EXCEEDED;
}
acl->aces = talloc_realloc(acl, acl->aces, acl->aces = talloc_realloc(acl, acl->aces,
struct security_ace, acl->num_aces+1); struct security_ace, acl->num_aces+1);
if (acl->aces == NULL) { if (acl->aces == NULL) {
return NT_STATUS_NO_MEMORY; return NT_STATUS_NO_MEMORY;
} }
acl->aces[acl->num_aces] = *ace; ARRAY_INSERT_ELEMENT(acl->aces, acl->num_aces, *ace, idx);
acl->num_aces++;
switch (acl->aces[acl->num_aces].type) { switch (acl->aces[idx].type) {
case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT: case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
@ -308,8 +323,6 @@ static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
break; break;
} }
acl->num_aces++;
if (add_to_sacl) { if (add_to_sacl) {
sd->sacl = acl; sd->sacl = acl;
sd->type |= SEC_DESC_SACL_PRESENT; sd->type |= SEC_DESC_SACL_PRESENT;
@ -328,7 +341,7 @@ static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd, NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
const struct security_ace *ace) const struct security_ace *ace)
{ {
return security_descriptor_acl_add(sd, true, ace); return security_descriptor_acl_add(sd, true, ace, -1);
} }
/* /*
@ -338,7 +351,7 @@ NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd, NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
const struct security_ace *ace) const struct security_ace *ace)
{ {
return security_descriptor_acl_add(sd, false, ace); return security_descriptor_acl_add(sd, false, ace, -1);
} }
/* /*