1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

2123 Commits

Author SHA1 Message Date
Douglas Bagnall
206db403b4 libcli/security:sddl_decode_ace: add more messages
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-15 22:07:35 +00:00
Douglas Bagnall
f712f8d371 libcli/security: adjust log verbosity in sddl_decode
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-15 22:07:35 +00:00
Douglas Bagnall
74c6cf44b9 libcli/security:sddl_decode_ace: turn DBG_WARNINGs into messages
This allows the messages to be more reliably presented by client tools
in a useful way.

The messages lose the trailing \n, and some were slightly tweaked (e.g.
s/Resource ACE/Resource Attribute ACE/).

They will still show up in logs for callers of sddl_decode(), but at
NOTICE level rather than WARNING.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-15 22:07:35 +00:00
Douglas Bagnall
b18fe675c0 libcli/security:sddl_decode_err_msg(): don't pretend msg is optional (CID1548624)
Having it optionally NULL just complicates the code, and Coverity
rightly complained.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-15 22:07:35 +00:00
Joseph Sutton
935f4edd81 libcli/security: Optionally disallow device‐specific attributes and operators where they are not applicable
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-09 08:00:30 +00:00
Joseph Sutton
db36a930e6 libcli/security: Mark arrays ‘const’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-09 08:00:30 +00:00
Joseph Sutton
e388e9a856 ilbcli/security: Fix duplicated words
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-09 08:00:30 +00:00
Joseph Sutton
e822a4efb7 libcli/security: Include missing headers
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-09 08:00:30 +00:00
Joseph Sutton
9c35b3747e libcli/security: Reassign flags
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-09 08:00:30 +00:00
Ralph Boehme
ddc9cb779f smbd: s/FILE_ATTRIBUTES_INVALID/FILE_ATTRIBUTE_INVALID/g
No idea what got me into having an "S" in the define when I added it.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-05 18:34:38 +00:00
Joseph Sutton
4131179a04 libcli/security: Allow empty composites and resource attribute lists
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-02 03:08:37 +00:00
Joseph Sutton
5df344a890 libcli/security: Remove reference to conditional ACE recursive composites
These have been unsupported since commit
3b6c1f1a9c.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-02 03:08:37 +00:00
Douglas Bagnall
ffa08426e0 libcli/security: conditional ace err messages don't hardcode offset
Usually the conditions are embedded in part of some SDDL, and the
offset from the beginning of the condtions is a bit useless and
confusing. Callers of sddl_decode_err_msg get the offset from the
beginning of the SDDL which is a different and more useful number.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:46 +00:00
Douglas Bagnall
c31d41d721 libcli/security: sddl: guard against inconsistent msg pointers
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:46 +00:00
Douglas Bagnall
c63a898977 libcli/security: sddl: remove unreachable debug
As it stands, ace_conditions_compile_sddl() won't produce a message when
it succeeds (i.e. return non-NULL), so this debug is just clutter.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:46 +00:00
Douglas Bagnall
67fa97d61f libcli/security: sddl_decode_ace/acl pass through messages
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:46 +00:00
Douglas Bagnall
93347aa5af libcli/security: add sddl_decode_err_msg()
This will return an error message, if it can, along with an indicative
position.

For conditional ACEs the message might be accurate, and the position
fine-grained. For example, you might be able to construct the message
like this:

D:(XA;;CC;;;S-1-2-3;(@User.Title == !(@User.Title)))
                                    ^
 16: unexpected operator

For non-conditional ACEs, the position typically points to the beginning
of the ACE, like this:

D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A; OICI; GRGWGX;;;AU)
                                  ^
 unknown error

Here the error is in the spaces either side of " OICI; ", but the pointer
points to the beginning of the ACE.

The old sddl_decode() function becomes a wrapper around the new function,
which inherits the guts of the old function.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Douglas Bagnall
9b57d5cd5c libcli/security: sddl_conditional_ace: ensure message is talloced
It is simpler for the message to have consistent parentage; it
is easier to drop one message we'll never see than to talloc it.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Douglas Bagnall
cc11165ecb libcli/security: sddl: check a talloc_zero
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Douglas Bagnall
5319c5bdac libcli/security: SDDL accepts lowercase "s-" in SIDs
This is what Windows does, and it removes a couple of knownfails.

We can change it here cheaply without affecting the core dom_sid code,
which is good because there seem to be other places where we need the
uppercase S (for example in ldap search <SID=> queries).

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
a396b705c8 librpc:ndr: Introduce ‘ndr_flags_type’ type
Instead of ‘int’ or ‘uint32_t’, neither of which convey much meaning,
consistently use a newly added type to hold NDR_ flags.

Update the NDR 4.0.0 ABI.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
c4f281e9ae librpc:ndr: Introduce ‘libndr_flags’ type
The LIBNDR_FLAG_ namespace is getting dangerously full, with only a
single flag value (1 << 9) remaining for use. After that flag is put
into use, we won’t be able to add any new flags without increasing the
flag width to 64‐bit.

Up to now we’ve used a haphazard mix of int, unsigned, and uint32_t to
store these flags. Introduce a new type, ‘libndr_flags’, to be used
consistently to hold LIBNDR flags. If in the future we find we need to
move to 64‐bit flags, this type gives us an opportunity to do that.

Bump the NDR version to 4.0.0 — an major version increment, for we’re
changing the function ABI and adding the new symbol
ndr_print_libndr_flags.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
76e27c3ab1 libcli/security: Add sid_attrs_contains_sid()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
69edfd7b11 libcli/security: Make use of sids_contains_sid()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
04611d9ebc libcli/security: Add sids_contains_sid()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
ce3f04dca9 libcli/security: Make use of sids_contains_sid_attrs()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
5ff72d0e04 libcli/security: Rename sids_contains_sid() to sids_contains_sid_attrs()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
487e21ec89 s4:dsdb: Make sids_contains_sid() usable by other Samba modules
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
ce9fbceadb libcli/security: Correct function documentation
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
01b8966993 libcli/security: Remove unnecessary return statement
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Ralph Boehme
8a8f1f3c6c libcli/smb: add IO_REPARSE_TAG_RESERVED_ZERO
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
2023-10-31 04:38:42 +00:00
Noel Power
2b2fdd5323 remove problematic include (seems to bring in conflicted definitions)
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:38 +00:00
Noel Power
86d4342180 libcli/wsp: Test AQS parser
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:38 +00:00
Noel Power
b28fb85a1f libcli/wsp: Add support for simplified Advanced Query Syntax
Add support to parse AQS-like (Advanced query syntax)

AQS - see https://learn.microsoft.com/en-gb/windows/win32/search/-search-3x-advancedquerysyntax

The basic (AQS) syntax is supported e.g. a query is built of a sequence of
queries connected by AND, OR and NOT where the query elements are
essentially restrictions defined by a property. There are some
limitations on the operators supported[1] and additionally some things
like enumerated ranges are not supported at all and range values are not
delimited as specified [2]. Some special cases that you see in the
windows search UI are exceptions [3] which are handled more or less as keywords

Some examples:

The following are all exactly the same query just expressed using
different variations of the syntax

'ALL:($<p403 OR $<p404) AND System.Kind:picture AND Scope:"FILE://somemachine/someshare" AND > System.Size:10241-102401'

'ALL:$<p403 OR ALL:$<p404 AND System.Kind:picture AND Scope:"FILE://somemachine/someshare" AND > System.Size:>=10241 AND System.Size:<102401'

'ALL:$<p403 OR ALL:$<p404 AND System.Kind:picture AND Scope:"FILE://somemachine/someshare" AND > System.Size:small'

The queries above by default select the property System.ItemUrl as the
one and only column returned, the query parameter however accepts a
variation to the AQS like syntax to allow arbitrary columns to be
selected e.g.

'SELECT System.ItemName, System.ItemURL, System.Size WHERE ALL:$<p403 OR ALL:$<p404 AND System.Kind:picture AND Scope:"FILE://somemachine/someshare" AND System.Size:small'

[1] supported operators
    -------------------
    =    Equals
    !=   Not Equals
    >    Greater than
    <    Less than
    >=   Greater than or equals
    <=   Less than or equals

    $=   equals
    $<   starts with
[2] ranges are specified as value-value instead of value..value (seems
    my flex/bison skills are not good enough and couldn't get that to
    work with '..'

[3] The windows UI has shortcut ranges (presumably represented as enumerated
    ranges) providing date ranges like 'today', 'tomorrow',
   'lastweek' etc. and similarly sizes like "empty, tiny, small, large..."

   These are supported (but implemented as keywords)

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:38 +00:00
Ralph Boehme
180f25f7bb libcli/smb: add FSCTL_PIPE_WAIT
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:38 +00:00
Ralph Boehme
a16f3f7e6a libcli: Implement a tstream dcerpc_binding_handle
This implements a dcerpc_binding_handle that does just pass request and
response blob passing.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:38 +00:00
Noel Power
8cc1e25a00 libcli/smb: Allow dynamic setting of the max_data in SMB Pipe transaction.
Some services like WSP can send larger messages than the current 'Max Ioctl'
limit, this results in the server producing a BUFFER_OVERFLOW status (and
additionally clipping the message sent). Add support to allow a client to
modify the hardcoded 'Max Ioctl' default value to allow the server to
successfully send larger responses.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:38 +00:00
Ralph Boehme
4d1088faea libcli/util: add struct tstream_context to tstream_read_pdu_blob_full_fn_t
Add struct tstream_context to tstream_read_pdu_blob_full_fn_t and update
all callers of tstream_read_pdu_blob_send() to use the correct callback.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:38 +00:00
Ralph Boehme
8800f4f8a3 libcli/util: add tstream_full_request_u32 and tstream_full_request_u16
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:38 +00:00
Joseph Sutton
093ce69e15 libcli: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:37 +00:00
Joseph Sutton
47975ea896 libcli/security: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:37 +00:00
Joseph Sutton
b4de22a74d libcli/security: Fix leak on reallocation failure in conditional_ace_encode_binary()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:37 +00:00
Joseph Sutton
8f4c17e9b5 libcli/security: Fix leak on reallocation failure in pull_composite()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:37 +00:00
Stefan Metzmacher
8e8f2fa9c7 libcli/named_pipe_auth: let tstream_npa_existing_socket use tstream_bsd_fail_readv_first_error(true)
This avoids doing useless work in case the client connection
is already broken.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 09:36:38 +00:00
Stefan Metzmacher
09daeba696 libcli/util: let win_errstr() fallback to hresult_errstr()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-17 19:20:38 +00:00
Joseph Sutton
b28a268b45 smbXcli: Remove unreachable code (CID 1444978)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 02:18:31 +00:00
Joseph Sutton
704c71daf5 libcli/security: Initialize conditional ACE token
If the ‘flags’ member is not initialized, we invoke undefined behaviour
when trying to push or evaluate the parsed conditional ACE.

One way this issue can manifest is in the mysterious failure of Unicode
comparisons owing to the CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE
flag being set when it shouldn’t.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Volker Lendecke
09c787c34a libcli: Make security_token_debug() use just one DEBUG statement
This avoids messing up the debug logs when multiple processes are
writing into the same file.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-10 23:23:40 +00:00
Volker Lendecke
1ad84c70fe libcli: Convert security_token_debug_privileges() to talloc_asprintf
Reduces the number of DEBUGADD calls which leads to messed debug logs
between processes.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-10 23:23:40 +00:00
Volker Lendecke
d7f5267c2b libsmb: Remove unused smb2_create_blob_remove()
Trivial to re-add if needed.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-10 23:23:40 +00:00