1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00

r12010: - added support for domain specific SID codes in SDDL strings

- added a bunch more tests to LOCAL-SDDL (all the ones from our schema)

- fixed 'mixed coded declarations' bug
(This used to be commit c30e7698e8)
This commit is contained in:
Andrew Tridgell 2005-12-02 04:26:51 +00:00 committed by Gerald (Jerry) Carter
parent 86a6ce529f
commit f5ed8cc829
3 changed files with 101 additions and 22 deletions

View File

@ -35,6 +35,7 @@ struct flag_map {
static BOOL sddl_map_flags(const struct flag_map *map, const char *str,
uint32_t *flags, size_t *len)
{
const char *str0 = str;
if (len) *len = 0;
*flags = 0;
while (str[0] && isupper(str[0])) {
@ -49,7 +50,7 @@ static BOOL sddl_map_flags(const struct flag_map *map, const char *str,
}
}
if (map[i].name == NULL) {
DEBUG(2, ("Unknown flag - %s\n", str));
DEBUG(1, ("Unknown flag - %s in %s\n", str, str0));
return False;
}
}
@ -62,15 +63,36 @@ static BOOL sddl_map_flags(const struct flag_map *map, const char *str,
static const struct {
const char *code;
const char *sid;
uint32_t rid;
} sid_codes[] = {
{ "AO", SID_BUILTIN_ACCOUNT_OPERATORS },
{ "BA", SID_BUILTIN_ADMINISTRATORS },
{ "RU", SID_BUILTIN_PREW2K },
{ "PO", SID_BUILTIN_PRINT_OPERATORS },
{ "RS", SID_BUILTIN_RAS_SERVERS },
{ "AU", SID_NT_AUTHENTICATED_USERS },
{ "SY", SID_NT_SYSTEM },
{ "PS", SID_NT_SELF },
{ "WD", SID_WORLD },
{ "ED", SID_NT_ENTERPRISE_DCS },
{ "CO", SID_CREATOR_OWNER },
{ "CG", SID_CREATOR_GROUP },
{ "DA", NULL, DOMAIN_RID_ADMINS },
{ "EA", NULL, DOMAIN_RID_ENTERPRISE_ADMINS },
{ "DD", NULL, DOMAIN_RID_DCS },
{ "DU", NULL, DOMAIN_RID_USERS },
{ "CA", NULL, DOMAIN_RID_CERT_ADMINS },
};
/*
decode a SID
It can either be a special 2 letter code, or in S-* format
*/
static struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp)
static struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
struct dom_sid *domain_sid)
{
const char *sddl = (*sddlp);
int i;
@ -84,26 +106,31 @@ static struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp)
/* now check for one of the special codes */
for (i=0;i<ARRAY_SIZE(sid_codes);i++) {
if (strncmp(sid_codes[i].code, sddl, 2)) break;
if (strncmp(sid_codes[i].code, sddl, 2) == 0) break;
}
if (i == ARRAY_SIZE(sid_codes)) {
DEBUG(2,("Unknown sddl sid code '%2.2s'\n", sddl));
DEBUG(1,("Unknown sddl sid code '%2.2s'\n", sddl));
return NULL;
}
(*sddlp) += 2;
if (sid_codes[i].sid == NULL) {
return dom_sid_add_rid(mem_ctx, domain_sid, sid_codes[i].rid);
}
return dom_sid_parse_talloc(mem_ctx, sid_codes[i].sid);
}
static const struct flag_map ace_types[] = {
{ "A", SEC_ACE_TYPE_ACCESS_ALLOWED },
{ "D", SEC_ACE_TYPE_ACCESS_DENIED },
{ "AU", SEC_ACE_TYPE_SYSTEM_AUDIT },
{ "AL", SEC_ACE_TYPE_SYSTEM_ALARM },
{ "OA", SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT },
{ "OD", SEC_ACE_TYPE_ACCESS_DENIED_OBJECT },
{ "OU", SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT },
{ "OL", SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT },
{ "A", SEC_ACE_TYPE_ACCESS_ALLOWED },
{ "D", SEC_ACE_TYPE_ACCESS_DENIED },
{ NULL, 0 }
};
@ -132,6 +159,10 @@ static const struct flag_map ace_access_mask[] = {
{ "SD", SEC_STD_DELETE },
{ "DT", SEC_ADS_DELETE_TREE },
{ "SW", SEC_ADS_SELF_WRITE },
{ "GA", SEC_GENERIC_ALL },
{ "GR", SEC_GENERIC_READ },
{ "GW", SEC_GENERIC_WRITE },
{ "GX", SEC_GENERIC_EXECUTE },
{ NULL, 0 }
};
@ -140,15 +171,17 @@ static const struct flag_map ace_access_mask[] = {
return True on success, False on failure
note that this routine modifies the string
*/
static BOOL sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char *str)
static BOOL sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char *str,
struct dom_sid *domain_sid)
{
ZERO_STRUCTP(ace);
const char *tok[6];
const char *s;
int i;
uint32_t v;
struct dom_sid *sid;
ZERO_STRUCTP(ace);
/* parse out the 6 tokens */
tok[0] = str;
for (i=0;i<5;i++) {
@ -183,19 +216,25 @@ static BOOL sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char
/* object */
if (tok[3][0] != 0) {
/* TODO: add object parsing ... */
return False;
NTSTATUS status = GUID_from_string(tok[3],
&ace->object.object.type.type);
if (!NT_STATUS_IS_OK(status)) {
return False;
}
}
/* inherit object */
if (tok[4][0] != 0) {
/* TODO: add object parsing ... */
return False;
NTSTATUS status = GUID_from_string(tok[4],
&ace->object.object.inherited_type.inherited_type);
if (!NT_STATUS_IS_OK(status)) {
return False;
}
}
/* trustee */
s = tok[5];
sid = sddl_decode_sid(mem_ctx, &s);
sid = sddl_decode_sid(mem_ctx, &s, domain_sid);
if (sid == NULL) {
return False;
}
@ -217,7 +256,8 @@ static const struct flag_map acl_flags[] = {
decode an ACL
*/
static struct security_acl *sddl_decode_acl(struct security_descriptor *sd,
const char **sddlp, uint32_t *flags)
const char **sddlp, uint32_t *flags,
struct dom_sid *domain_sid)
{
const char *sddl = *sddlp;
struct security_acl *acl;
@ -227,6 +267,11 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd,
if (acl == NULL) return NULL;
acl->revision = SECURITY_ACL_REVISION_NT4;
if (isupper(sddl[0]) && sddl[1] == ':') {
/* its an empty ACL */
return acl;
}
/* work out the ACL flags */
if (!sddl_map_flags(acl_flags, sddl, flags, &len)) {
talloc_free(acl);
@ -248,7 +293,8 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd,
talloc_free(acl);
return NULL;
}
if (!sddl_decode_ace(acl->aces, &acl->aces[acl->num_aces], astr)) {
if (!sddl_decode_ace(acl->aces, &acl->aces[acl->num_aces],
astr, domain_sid)) {
talloc_free(acl);
return NULL;
}
@ -264,7 +310,8 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd,
/*
decode a security descriptor in SDDL format
*/
struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl)
struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl,
struct dom_sid *domain_sid)
{
struct security_descriptor *sd;
sd = talloc_zero(mem_ctx, struct security_descriptor);
@ -281,13 +328,13 @@ struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl)
switch (c) {
case 'D':
if (sd->dacl != NULL) goto failed;
sd->dacl = sddl_decode_acl(sd, &sddl, &flags);
sd->dacl = sddl_decode_acl(sd, &sddl, &flags, domain_sid);
if (sd->dacl == NULL) goto failed;
sd->type |= flags | SEC_DESC_DACL_PRESENT;
break;
case 'S':
if (sd->sacl != NULL) goto failed;
sd->sacl = sddl_decode_acl(sd, &sddl, &flags);
sd->sacl = sddl_decode_acl(sd, &sddl, &flags, domain_sid);
if (sd->sacl == NULL) goto failed;
/* this relies on the SEC_DESC_SACL_* flags being
1 bit shifted from the SEC_DESC_DACL_* flags */
@ -295,12 +342,12 @@ struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl)
break;
case 'O':
if (sd->owner_sid != NULL) goto failed;
sd->owner_sid = sddl_decode_sid(sd, &sddl);
sd->owner_sid = sddl_decode_sid(sd, &sddl, domain_sid);
if (sd->owner_sid == NULL) goto failed;
break;
case 'G':
if (sd->group_sid != NULL) goto failed;
sd->group_sid = sddl_decode_sid(sd, &sddl);
sd->group_sid = sddl_decode_sid(sd, &sddl, domain_sid);
if (sd->group_sid == NULL) goto failed;
break;
}

View File

@ -159,6 +159,19 @@ interface security
const string SID_BUILTIN_PRINT_OPERATORS = "S-1-5-32-550";
const string SID_BUILTIN_BACKUP_OPERATORS = "S-1-5-32-551";
const string SID_BUILTIN_REPLICATOR = "S-1-5-32-552";
const string SID_BUILTIN_RAS_SERVERS = "S-1-5-32-553";
const string SID_BUILTIN_PREW2K = "S-1-5-32-554";
/* well-known domain RIDs */
const int DOMAIN_RID_LOGON = 9;
const int DOMAIN_RID_ADMINISTRATOR = 500;
const int DOMAIN_RID_GUEST = 501;
const int DOMAIN_RID_ADMINS = 512;
const int DOMAIN_RID_USERS = 513;
const int DOMAIN_RID_DCS = 516;
const int DOMAIN_RID_CERT_ADMINS = 517;
const int DOMAIN_RID_SCHEMA_ADMINS = 518;
const int DOMAIN_RID_ENTERPRISE_ADMINS = 519;
/*

View File

@ -30,7 +30,9 @@
static BOOL test_sddl(TALLOC_CTX *mem_ctx, const char *sddl)
{
struct security_descriptor *sd;
sd = sddl_decode(mem_ctx, sddl);
struct dom_sid *domain;
domain = dom_sid_parse_talloc(mem_ctx, "S-1-2-3-4");
sd = sddl_decode(mem_ctx, sddl, domain);
if (sd == NULL) {
printf("Failed to decode '%s'\n", sddl);
return False;
@ -39,11 +41,28 @@ static BOOL test_sddl(TALLOC_CTX *mem_ctx, const char *sddl)
NDR_PRINT_DEBUG(security_descriptor, sd);
}
talloc_free(sd);
talloc_free(domain);
return True;
}
static const char *examples[] = {
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)"
"D:(A;;CC;;;BA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)",
"D:(A;;GA;;;SY)",
"D:(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RPRC;;;RU)(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(A;;LCRPLORC;;;ED)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RPLCLORC;;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)S:(AU;SA;WDWOWP;;;WD)(AU;SA;CR;;;BA)(AU;SA;CR;;;DU)(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)",
"D:(A;;RPLCLORC;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)",
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPCRLCLORCSDDT;;;CO)(OA;;WP;4c164200-20c0-11d0-a768-00aa006e0529;;CO)(A;;RPLCLORC;;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(A;;CCDC;;;PS)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;PS)(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;PS)(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;CO)(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;CO)(OA;;WP;3e0abfd0-126a-11d0-a060-00aa006c33ed;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;;WP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;;WP;bf967950-0de6-11d0-a285-00aa003049e2;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)",
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)",
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)(OA;;CR;ab721a55-1e2f-11d0-9819-00aa0040529b;;AU)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)",
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;CO)",
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)S:(AU;SA;CRWP;;;WD)",
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B2-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B3-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;AU)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77B5B886-944A-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;E45795B3-9455-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;WPRP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)",
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)",
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;;LCRPLORC;;;ED)",
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(A;;RPLCLORC;;;AU)(A;;LCRPLORC;;;ED)(OA;;CCDC;4828CC14-1437-45bc-9B07-AD6F015E5F28;;AO)",
"D:(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)",
"D:(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)",
"D:S:",
"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)"
};
/* test a set of example SDDL strings */