1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

2240 Commits

Author SHA1 Message Date
Douglas Bagnall
38e7b4dcbd libcli/security: add a parser for resource attribute ACE byte strings
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
9ef71399ce libcli/security: sddl_conditional_ace: remove check_resource_attr_type()
This is unneeded, as now all the checks are done in the relevant
parse_* functions.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
059610a62e libcli/security: sddl_conditional_ace: add parse_bool for RA aces
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
800f770e11 libcli/security: sddl_conditional_ace: add parse_uint for RA aces
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
33caae4381 libcli/security: un-invert parse_resource_attr_list, check type first
We were reusing parse_literal() because it almost does what we need,
but it is different enough that check_resource_attr_type() is large
and complicated, and can't handle all the cases (in particular octet-
strings and SIDs are different in resource ACEs).

This way is better because we know the type in advance, so we can use
that to choose the parser, which will help with octet-strings that are
only digits.

In this commit we're leaving the check there, but it soon won't do
anything that the parse_* functions don't, and we will remove it.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
cda9371b59 libcli/security/test_sddl_conditional_ace: adjust RA octet parse tests
We are going to parse octet strings like Windows (as opposed to like
Windows docs), so the tests need changing.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
4ab9cb1907 libcli/security:sddl_condtional_ace: log compiler errors at some debug levels
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
f18ffd1182 libcli/security: initialise conditional ACE token flags
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Andreas Schneider
9621a3d7a6 Use python.h from libreplace
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15513

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-20 15:37:33 +00:00
Noel Power
d0d026bdb5 libcli/security: Debug only when we failed to decode
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-16 01:51:39 +00:00
Joseph Sutton
542e5a3039 util/charset: Rename utf16_len_n() to utf16_null_terminated_len_n()
The new name indicates that — contrary to functions such as strnlen() —
the length may include the terminator.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-15 22:07:36 +00:00
Douglas Bagnall
609965b6ea libcli/security:sddl_decode message offset safety latch
the message offset is largely calculated using the differences
between pointers in many places scattered throughout the code.

If we got one of these wrong, we could easily have a SIZE_MAX-ish
offset, which would be unfortunate if we came decided to display
the offset using spaces.

We can sanely limit the offset to the length of the SDDL.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-15 22:07:35 +00:00
Douglas Bagnall
1f4e018ef1 libcli/security/test_sddl_conditional_ace: add message tests
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-15 22:07:35 +00:00
Douglas Bagnall
2b4f97249f libcli/security:sddl_parse: add some top level error messages
the way we parse things, we can't really distinguish between complete
nonsense and an ACL that seems to end early because of bad flags. That
is, "D:ZZ(A;;;;;WD)" looks the same as "ZZ" to the parser. But at least
we can point to the right place in the string.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-15 22:07:35 +00:00
Douglas Bagnall
15fcf9b769 libcl/security:sddl_decode_acl: expand a comment
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-15 22:07:35 +00:00
Douglas Bagnall
01f8b61035 libcli/security:sddl_decode_ace: fix ';' count message
The wrong number of semicolons is usually one less than count (which
counts sections separated by semicolons), except when count is zero.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-15 22:07:35 +00:00
Douglas Bagnall
dd41357fcd libcl/security:sddl_decode_acl: add a message
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-15 22:07:35 +00:00
Douglas Bagnall
206db403b4 libcli/security:sddl_decode_ace: add more messages
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-15 22:07:35 +00:00
Douglas Bagnall
f712f8d371 libcli/security: adjust log verbosity in sddl_decode
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-15 22:07:35 +00:00
Douglas Bagnall
74c6cf44b9 libcli/security:sddl_decode_ace: turn DBG_WARNINGs into messages
This allows the messages to be more reliably presented by client tools
in a useful way.

The messages lose the trailing \n, and some were slightly tweaked (e.g.
s/Resource ACE/Resource Attribute ACE/).

They will still show up in logs for callers of sddl_decode(), but at
NOTICE level rather than WARNING.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-15 22:07:35 +00:00
Douglas Bagnall
b18fe675c0 libcli/security:sddl_decode_err_msg(): don't pretend msg is optional (CID1548624)
Having it optionally NULL just complicates the code, and Coverity
rightly complained.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-15 22:07:35 +00:00
Joseph Sutton
935f4edd81 libcli/security: Optionally disallow device‐specific attributes and operators where they are not applicable
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-09 08:00:30 +00:00
Joseph Sutton
db36a930e6 libcli/security: Mark arrays ‘const’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-09 08:00:30 +00:00
Joseph Sutton
e388e9a856 ilbcli/security: Fix duplicated words
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-09 08:00:30 +00:00
Joseph Sutton
e822a4efb7 libcli/security: Include missing headers
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-09 08:00:30 +00:00
Joseph Sutton
9c35b3747e libcli/security: Reassign flags
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-09 08:00:30 +00:00
Ralph Boehme
ddc9cb779f smbd: s/FILE_ATTRIBUTES_INVALID/FILE_ATTRIBUTE_INVALID/g
No idea what got me into having an "S" in the define when I added it.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-05 18:34:38 +00:00
Joseph Sutton
4131179a04 libcli/security: Allow empty composites and resource attribute lists
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-02 03:08:37 +00:00
Joseph Sutton
5df344a890 libcli/security: Remove reference to conditional ACE recursive composites
These have been unsupported since commit
3b6c1f1a9c.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-02 03:08:37 +00:00
Douglas Bagnall
ffa08426e0 libcli/security: conditional ace err messages don't hardcode offset
Usually the conditions are embedded in part of some SDDL, and the
offset from the beginning of the condtions is a bit useless and
confusing. Callers of sddl_decode_err_msg get the offset from the
beginning of the SDDL which is a different and more useful number.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:46 +00:00
Douglas Bagnall
c31d41d721 libcli/security: sddl: guard against inconsistent msg pointers
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:46 +00:00
Douglas Bagnall
c63a898977 libcli/security: sddl: remove unreachable debug
As it stands, ace_conditions_compile_sddl() won't produce a message when
it succeeds (i.e. return non-NULL), so this debug is just clutter.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:46 +00:00
Douglas Bagnall
67fa97d61f libcli/security: sddl_decode_ace/acl pass through messages
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:46 +00:00
Douglas Bagnall
93347aa5af libcli/security: add sddl_decode_err_msg()
This will return an error message, if it can, along with an indicative
position.

For conditional ACEs the message might be accurate, and the position
fine-grained. For example, you might be able to construct the message
like this:

D:(XA;;CC;;;S-1-2-3;(@User.Title == !(@User.Title)))
                                    ^
 16: unexpected operator

For non-conditional ACEs, the position typically points to the beginning
of the ACE, like this:

D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A; OICI; GRGWGX;;;AU)
                                  ^
 unknown error

Here the error is in the spaces either side of " OICI; ", but the pointer
points to the beginning of the ACE.

The old sddl_decode() function becomes a wrapper around the new function,
which inherits the guts of the old function.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Douglas Bagnall
9b57d5cd5c libcli/security: sddl_conditional_ace: ensure message is talloced
It is simpler for the message to have consistent parentage; it
is easier to drop one message we'll never see than to talloc it.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Douglas Bagnall
cc11165ecb libcli/security: sddl: check a talloc_zero
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Douglas Bagnall
5319c5bdac libcli/security: SDDL accepts lowercase "s-" in SIDs
This is what Windows does, and it removes a couple of knownfails.

We can change it here cheaply without affecting the core dom_sid code,
which is good because there seem to be other places where we need the
uppercase S (for example in ldap search <SID=> queries).

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
a396b705c8 librpc:ndr: Introduce ‘ndr_flags_type’ type
Instead of ‘int’ or ‘uint32_t’, neither of which convey much meaning,
consistently use a newly added type to hold NDR_ flags.

Update the NDR 4.0.0 ABI.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
c4f281e9ae librpc:ndr: Introduce ‘libndr_flags’ type
The LIBNDR_FLAG_ namespace is getting dangerously full, with only a
single flag value (1 << 9) remaining for use. After that flag is put
into use, we won’t be able to add any new flags without increasing the
flag width to 64‐bit.

Up to now we’ve used a haphazard mix of int, unsigned, and uint32_t to
store these flags. Introduce a new type, ‘libndr_flags’, to be used
consistently to hold LIBNDR flags. If in the future we find we need to
move to 64‐bit flags, this type gives us an opportunity to do that.

Bump the NDR version to 4.0.0 — an major version increment, for we’re
changing the function ABI and adding the new symbol
ndr_print_libndr_flags.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
76e27c3ab1 libcli/security: Add sid_attrs_contains_sid()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
69edfd7b11 libcli/security: Make use of sids_contains_sid()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
04611d9ebc libcli/security: Add sids_contains_sid()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
ce3f04dca9 libcli/security: Make use of sids_contains_sid_attrs()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
5ff72d0e04 libcli/security: Rename sids_contains_sid() to sids_contains_sid_attrs()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
487e21ec89 s4:dsdb: Make sids_contains_sid() usable by other Samba modules
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
ce9fbceadb libcli/security: Correct function documentation
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
01b8966993 libcli/security: Remove unnecessary return statement
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Ralph Boehme
8a8f1f3c6c libcli/smb: add IO_REPARSE_TAG_RESERVED_ZERO
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
2023-10-31 04:38:42 +00:00
Noel Power
2b2fdd5323 remove problematic include (seems to bring in conflicted definitions)
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:38 +00:00
Noel Power
86d4342180 libcli/wsp: Test AQS parser
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:38 +00:00
Noel Power
b28fb85a1f libcli/wsp: Add support for simplified Advanced Query Syntax
Add support to parse AQS-like (Advanced query syntax)

AQS - see https://learn.microsoft.com/en-gb/windows/win32/search/-search-3x-advancedquerysyntax

The basic (AQS) syntax is supported e.g. a query is built of a sequence of
queries connected by AND, OR and NOT where the query elements are
essentially restrictions defined by a property. There are some
limitations on the operators supported[1] and additionally some things
like enumerated ranges are not supported at all and range values are not
delimited as specified [2]. Some special cases that you see in the
windows search UI are exceptions [3] which are handled more or less as keywords

Some examples:

The following are all exactly the same query just expressed using
different variations of the syntax

'ALL:($<p403 OR $<p404) AND System.Kind:picture AND Scope:"FILE://somemachine/someshare" AND > System.Size:10241-102401'

'ALL:$<p403 OR ALL:$<p404 AND System.Kind:picture AND Scope:"FILE://somemachine/someshare" AND > System.Size:>=10241 AND System.Size:<102401'

'ALL:$<p403 OR ALL:$<p404 AND System.Kind:picture AND Scope:"FILE://somemachine/someshare" AND > System.Size:small'

The queries above by default select the property System.ItemUrl as the
one and only column returned, the query parameter however accepts a
variation to the AQS like syntax to allow arbitrary columns to be
selected e.g.

'SELECT System.ItemName, System.ItemURL, System.Size WHERE ALL:$<p403 OR ALL:$<p404 AND System.Kind:picture AND Scope:"FILE://somemachine/someshare" AND System.Size:small'

[1] supported operators
    -------------------
    =    Equals
    !=   Not Equals
    >    Greater than
    <    Less than
    >=   Greater than or equals
    <=   Less than or equals

    $=   equals
    $<   starts with
[2] ranges are specified as value-value instead of value..value (seems
    my flex/bison skills are not good enough and couldn't get that to
    work with '..'

[3] The windows UI has shortcut ranges (presumably represented as enumerated
    ranges) providing date ranges like 'today', 'tomorrow',
   'lastweek' etc. and similarly sizes like "empty, tiny, small, large..."

   These are supported (but implemented as keywords)

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:38 +00:00
Ralph Boehme
180f25f7bb libcli/smb: add FSCTL_PIPE_WAIT
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:38 +00:00
Ralph Boehme
a16f3f7e6a libcli: Implement a tstream dcerpc_binding_handle
This implements a dcerpc_binding_handle that does just pass request and
response blob passing.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:38 +00:00
Noel Power
8cc1e25a00 libcli/smb: Allow dynamic setting of the max_data in SMB Pipe transaction.
Some services like WSP can send larger messages than the current 'Max Ioctl'
limit, this results in the server producing a BUFFER_OVERFLOW status (and
additionally clipping the message sent). Add support to allow a client to
modify the hardcoded 'Max Ioctl' default value to allow the server to
successfully send larger responses.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:38 +00:00
Ralph Boehme
4d1088faea libcli/util: add struct tstream_context to tstream_read_pdu_blob_full_fn_t
Add struct tstream_context to tstream_read_pdu_blob_full_fn_t and update
all callers of tstream_read_pdu_blob_send() to use the correct callback.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:38 +00:00
Ralph Boehme
8800f4f8a3 libcli/util: add tstream_full_request_u32 and tstream_full_request_u16
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:38 +00:00
Joseph Sutton
093ce69e15 libcli: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:37 +00:00
Joseph Sutton
47975ea896 libcli/security: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:37 +00:00
Joseph Sutton
b4de22a74d libcli/security: Fix leak on reallocation failure in conditional_ace_encode_binary()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:37 +00:00
Joseph Sutton
8f4c17e9b5 libcli/security: Fix leak on reallocation failure in pull_composite()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:37 +00:00
Stefan Metzmacher
8e8f2fa9c7 libcli/named_pipe_auth: let tstream_npa_existing_socket use tstream_bsd_fail_readv_first_error(true)
This avoids doing useless work in case the client connection
is already broken.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 09:36:38 +00:00
Stefan Metzmacher
09daeba696 libcli/util: let win_errstr() fallback to hresult_errstr()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-17 19:20:38 +00:00
Joseph Sutton
b28a268b45 smbXcli: Remove unreachable code (CID 1444978)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 02:18:31 +00:00
Joseph Sutton
704c71daf5 libcli/security: Initialize conditional ACE token
If the ‘flags’ member is not initialized, we invoke undefined behaviour
when trying to push or evaluate the parsed conditional ACE.

One way this issue can manifest is in the mysterious failure of Unicode
comparisons owing to the CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE
flag being set when it shouldn’t.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Volker Lendecke
09c787c34a libcli: Make security_token_debug() use just one DEBUG statement
This avoids messing up the debug logs when multiple processes are
writing into the same file.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-10 23:23:40 +00:00
Volker Lendecke
1ad84c70fe libcli: Convert security_token_debug_privileges() to talloc_asprintf
Reduces the number of DEBUGADD calls which leads to messed debug logs
between processes.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-10 23:23:40 +00:00
Volker Lendecke
d7f5267c2b libsmb: Remove unused smb2_create_blob_remove()
Trivial to re-add if needed.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-10 23:23:40 +00:00
Volker Lendecke
6f91cce14e libsmb: Allow NULL print_name in reparse_data_buffer_marshall()
read_symlink_reparse() does this.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-04 20:31:36 +00:00
Joseph Sutton
bbb259e1d0 libcli/security: Handle new ACE types with sec_ace_object()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
4437eb149e libcli/security: Have security_ace_equal() handle callback and resource ACEs
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
e4d45d4103 libcli/security: Parenthesize macro parameter
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
9ecd17c84b libcli/security: Conform to Samba’s brace style
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Douglas Bagnall
5ff8046597 libcli/security: fix talloc context for integer values (CID 1545156)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-29 02:18:34 +00:00
Douglas Bagnall
b210788933 libcli/security: test_run_condtional_ace: va_end() on errors
CID 1545154, CID 1545155.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-29 02:18:34 +00:00
Douglas Bagnall
272f26e3ad libcli/security: conditional ACEs check again for NULL/empty claims
CID 1545152.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-29 02:18:34 +00:00
Joseph Sutton
ce43dd0571 ndr: Display values for failed range checks
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9914

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
4896930559 libcli/security: Test hex‐escapes that should be literals
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
c755bbd6bc libcli/security: Fix code formatting
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
ac34f48ab1 libcli/security: Use ACL revision constants
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
37ed208701 libcli/security: Refer to UTF‐16 code units rather than to codepoints
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
a064e2f258 libcli/security: Remove unused flag SDDL_FLAG_IS_FAKE_OP
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
8d4f60c844 libcli/security: Remove unused flag SDDL_FLAG_IS_LITERAL
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
55e198fc6d libcli/security: Remove unused flag SDDL_FLAG_IS_ATTR
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
e1a45ec341 libcli/security: Remove unused flag SDDL_FLAG_EXPECTING_END
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
21f765c1b9 libcli/security: Remove unused macro
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
56def24b4c libcli:security: Add Compounded Authentication and Claims Valid SID constants
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
214f6c6462 libcli:security: Correct Asserted Identity SID definitions
These definitions were the wrong way round.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
2782df62ad libcli:security: Use SELF SID constant
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
cdbb5ab7d0 libcli:security: Add SELF SID constant
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
9cb3beee75 libcli/security: Emit error message if program is too large
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
f035985dbd libcli/security: Add function to convert token claims to security attribute claims
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
a4010c9b65 libcli/security: Add some missing declarations
so that users of this header file don’t have to declare them.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
48606c8aed libcli/security: Const‐qualify function parameters
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
f5568a0a5e libcli/security: Remove bool_value member
‘bool_value’ has the same type as ‘uint_value’. Removing the former
avoids our having more duplicate code than is strictly necessary.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
40c5ed60ba libcli/security: Use correct union member
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
c9aab312b7 libcli/security: Add header guard
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Douglas Bagnall
3b6c1f1a9c libcli/security: condtional ACE recursive composites are not supported
We can't add them via SDDL on Windows, and they aren't useful for
claims.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Sep 27 00:41:26 UTC 2023 on atb-devel-224
2023-09-27 00:41:26 +00:00
Douglas Bagnall
38247d39e1 libcli/security: conditional ace sddl: do not read nested composites
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:36 +00:00
Douglas Bagnall
96dbc71e13 libcli/security: conditional ace sddl: do not write nested composites
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:36 +00:00
Douglas Bagnall
65674cde60 libcli/security: conditional ACE sddl doesn't have string escapes
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:36 +00:00
Douglas Bagnall
310c25404b libcl/security: conditional ACE sddl >= ops take literal parens only
You can't do things like '(a == b) == (c < d)'.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:36 +00:00
Douglas Bagnall
5650b511c1 libcli/security/sddl_conditional_ace: ban empty expressions in SDDL
The trouble is with expressions like "(!(()))", which boil down to a
single NOT operation with no argument, which is invalid and can't be
run or expressed as SDDL.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:36 +00:00
Andrew Bartlett
0ac979b2cc conditional_aces: Avoid manual parsing for ace_condition_unicode
A consequence of this is that we remove the confusing "length"
from the IDL, as it was the internal UTF8 length, not a wire
value.  We use null terminated strings internally now.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-26 23:45:36 +00:00
Andrew Bartlett
b9e90bae69 conditional_aces: Avoid manual parsing for ace_condition_int
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-26 23:45:36 +00:00
Andrew Bartlett
ab531abc52 libcli/security: Check for sddl_from_conditional_ace() failure in test_sddl_conditional_ace
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-26 23:45:36 +00:00
Andrew Bartlett
03d63fb09b libcli/security: Make failure parsing where consumed == -1 clear
This was caught by the next condition, but this is clearer.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-26 23:45:36 +00:00
Andrew Bartlett
fe835fc348 Make blob->data pointer in ace_sid_to_claim_v1_sid() a child of the DATA_BLOB
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-26 23:45:36 +00:00
Andrew Bartlett
793b86f4cb conditional_aces: Avoid manual parsing for ace_condition_bytes, use DATA_BLOB
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-26 23:45:36 +00:00
Andrew Bartlett
94d1cfbd85 conditional_aces: Avoid manual parsing for ace_condition_sid
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-26 23:45:36 +00:00
Douglas Bagnall
1e45a4d10a libcli/security: access_check handles CALLBACK_OBJECT types
These are like an object type if the callback (i.e. condtional ACE
conditions) succeeds, otherwise they are ignored.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:36 +00:00
Douglas Bagnall
c5345f18d7 libcli/security: se_access_check uses new callback checks
With the last caller of check_callback_ace_access() gone, so is that
function.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:36 +00:00
Douglas Bagnall
5d6f0927f5 libcli/security: sec_access_check_ds uses new callback ACE checks
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:36 +00:00
Douglas Bagnall
117d4c5500 libcli/security: access_check with MAXIMUM_ALLOWED checks callbacks
To help clarify the logic, we make new functions that separate the
deny and allow cases, which helps keep track of what 'yes' and 'no'
mean and which incorporate the logic of token->evaluate_claims
handling, which determines when we want to run a conditional ACE, when
we want to ignore it, and when we want to take offence. In the case
when we decide to run it, we then need to decide whether to apply it
or ignore it based on the result. This last bit differs between allow
and deny aces, hence the two functions.

These functions will replace check_callback_ace_access() over the next
few commits.

In the case where token->evaluate_claims is
CLAIMS_EVALUATION_INVALID_STATE and the DACL contains a conditional
ACE, the maximum allowed is 0, as if it was a "deny everything" ACE.

This is an unexpected case. Most likely the evaluate_claims state
will be NEVER or ALWAYS. In the NEVER case the conditional ACE is
skipped, as would have happened in all cases before 4.20, while in the
ALWAYS case the conditional ACE is run and applied if successful.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:36 +00:00
Douglas Bagnall
588a339df7 libcli/security: adjust tests for evaluate_claims flag
Most tests were prepared in advance, but we left these ones to test
the change.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:36 +00:00
Andrew Bartlett
e3f28c2ecf libcli/security: Hook in ability to disable conditional ACE evaluation
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-26 23:45:36 +00:00
Andrew Bartlett
dc7dc6f549 libcli/security: Rename dup_nt_token() -> security_token_duplicate()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-26 23:45:36 +00:00
Andrew Bartlett
13d3c6156f libcli/security: Move dup_nt_token() to libcli/security
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-26 23:45:36 +00:00
Andrew Bartlett
e2cc29d132 libcli/security: Pass in claims evaluation state when building any security token
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
b7bd1f438b libcli/security: conditional ace access checks for file server
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
327861dc1f libcli/security: conditional ace access checks for AD
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
b7ae4304b1 libcli/security: cmocka test for running conditional ACEs
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
e2a4f20d40 libcli/security/conditional ACEs: compare composites as sets
... or at least settishly.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
c13684e672 libcli/security/tests: add some test strings
These will soon be used by python/samba/tests/sddl_conditional_ace.py,
and are a format understood by the Windows programs in
libcli/security/tests/windows.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
d7c0948d1a libcli/security: windows-sddl-test: fix read of text examples
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
ee38602170 libcli/security: windows-sddl-test: fix typo in --help
found by Rob van der Linde.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
28d2337774 pytest:security_descriptors: test collected conditional ACEs
These tests were named in the superclass, but were not actually run,
nor was the file in git.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
901f77c543 pytest: security descriptors: test some conditional and RA ACEs
We have two sets of tests: one that will succeed, and one that is going
to remain a knownfail. The latter involves Resource Attribute ACEs that
have the TX type, meaning "byte string".

In MS-DTYP, a bytestring is defined like "#6869210a", with a hash,
followed by an even number of hex digits. In other places on the web, it
is mentioned that zeroes in the string can be replaced by hashes, like so
"#686921#a". We discover via indirect fuzzing that a TX RA ACE can also
take bare integers, like "6869210a" or "2023". As it would be tricky to
support this, and there is no evidence of this occurring in the wild, we
will probably leave this as a knownfail.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
7b9462faf0 pytest: security_descriptors: tests without revision number hack
ACL revision 4 (SECURITY_ACL_REVISION_ADS) is effectively a superset
of revision 2 (SECURITY_ACL_REVISION_NT4), so any revision 2
ACL can be called revision 4 without any problem. But not vice versa:
a revision 4 ACL can contain ACE types that a revision 2 ACL can't. The
extra ACE types relate to objects.

Samba currently simplifies things by calling all its ACLs revision 4,
even if (as is commonly the case) the ACLs contain only revision 2 ACEs.
On the other hand, Windows will use revision 2 whenever it can. In other
tests we skip past this by forcing Windows ACLs to v4 before comparison.
This test is to remind us of the incompatibility.

It would not be hard to fix.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
63be840120 pytest: security_descriptors test for repetitive ACLs
If there are multiple identical ACEs in an SDDL ACL, Windows will decode
them all and put extra trailing zeroes at the end of the ACL.

In contrast, Samba will decode the ACEs and not put extra zeroes at the
end.

The problem comes when Samba tries to read a binary ACL from Windows that
has the extra zeroes, because Samba's ACL size calculation is based on
the size of its constituent ACEs, not the ACL size field.

There is no good reason for an ACL to have repeated ACEs, but they could
be added accidentally.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
e4865a3ba1 libcli/security: test SDDL compilation in cmocka
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
b08093ed9d lbcli/security: callback object ACES fall back with no GUID
As with other object ACEs, if there is not a GUID to refer to the ACE
becomes the corresponding non-object ACE.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
2923898e88 libcli/security/create_descriptor: calc_inherited handles new types
*_CALLBACK_OBJECT types inherit like other _OBJECT types.
*_CALLBACK types do nothing, like other non-OBJECT types.

We also explicitly throw unused alarm callback types and
SEC_ACE_TYPE_SYSTEM_MANDATORY_LABEL and
SEC_ACE_TYPE_SYSTEM_SCOPED_POLICY_ID into the fire.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
1cc8888b54 libcli/security: SDDL: add callback and resource ace type flags
With this, Conditional ACEs and Resource Attribute ACEs in SDDL will
be parsed.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
3959fba37a libcli/security: sddl_encode_ace encodes resource attribute ACEs
Will work when the ace_flags table is updated.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
ed52c9ed36 libcli/security: sddl_encode_ace encodes conditional ACEs
Will work when the ace_flags table is updated.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
6683d611e1 libcli/security: sdd_decode_ace handles resource attribute types
The decoding will not happen until "RA" is added to the ace_types table.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
84fa39722f libcli/security: sdd_decode_ace handles callback types
Conditional ACEs will not actually be decoded until the CALLBACK types
are added to the ace_types flag table.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
e88ea32c21 libcli/security: add conditional ace files to samba-security
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
d6bd491efc libcli:security: add code to interpret conditional ACES
This doesn't actually *do* anything yet, for two reasons:

 1. conditional ACEs are not checked in the
    libcli/security/access_check.c functions (or anywhere else), and
    will be treated just as they are now, as unknown types.

 2. this file isn't mentioned in the wscript, so aren't compiled.

 We'll get to point 2 first.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
4b8e9e3f0c libcli:security: add functions to decode and decode RA ACEs
Resource Attribute ACEs have similar syntactical components to
conditional ACEs -- enough so that it is worth reusing the same
functions, but not quite enough so that it is exactly simple.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
969cb79dae libcli/security: add conditional ACE SDDL functions
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
6f588a1fc5 libcli:security: helpers for converting claim types
There are three different forms for claims, and we need to convert
between them.

For now, we are only going to be converting between conditional ACE
type and the CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 type used by
resource ACEs and in the security token, and later we will add the PAC
claim types.

It doesn't help that these all have incompatible definitions, but we
do our best.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
94f0a1083a libcli:security: outline for sddl_conditional_ace.c
This is to show where we're going to end up.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
140f7466a4 libcli/security: add stub of conditional ACE code.
This is just the outline of what will come, but first we'll add
conditional ACE SDDL decoding in sddl_conditional_ace.c

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
672fc0a1ab libcli/security: find SDDL coda for RA and conditional ACEs
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
cdd9424e4f libcli/security: whitespace repair in sddl.c
tabs not spaces.

It appears that my emacs got its configuration mixed up and was using
spaces.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
e8192dddf3 libcli/sec: reformat long line in wscript_build
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
498c411017 libcli/security: callback object aces are object aces
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
762646b5aa libcli/security: use tabs in sec_ace_object()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
e81e98c485 libcli/security: helper to find ACEs with meaningful codas
Only Resource Attribute ACEs and Conditional ACEs are expected to have
trailing data. Others sometimes might, but we don't care what it is.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00