1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

134865 Commits

Author SHA1 Message Date
Douglas Bagnall
2923898e88 libcli/security/create_descriptor: calc_inherited handles new types
*_CALLBACK_OBJECT types inherit like other _OBJECT types.
*_CALLBACK types do nothing, like other non-OBJECT types.

We also explicitly throw unused alarm callback types and
SEC_ACE_TYPE_SYSTEM_MANDATORY_LABEL and
SEC_ACE_TYPE_SYSTEM_SCOPED_POLICY_ID into the fire.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
1cc8888b54 libcli/security: SDDL: add callback and resource ace type flags
With this, Conditional ACEs and Resource Attribute ACEs in SDDL will
be parsed.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
3959fba37a libcli/security: sddl_encode_ace encodes resource attribute ACEs
Will work when the ace_flags table is updated.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
ed52c9ed36 libcli/security: sddl_encode_ace encodes conditional ACEs
Will work when the ace_flags table is updated.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
6683d611e1 libcli/security: sdd_decode_ace handles resource attribute types
The decoding will not happen until "RA" is added to the ace_types table.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
84fa39722f libcli/security: sdd_decode_ace handles callback types
Conditional ACEs will not actually be decoded until the CALLBACK types
are added to the ace_types flag table.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
e88ea32c21 libcli/security: add conditional ace files to samba-security
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
d6bd491efc libcli:security: add code to interpret conditional ACES
This doesn't actually *do* anything yet, for two reasons:

 1. conditional ACEs are not checked in the
    libcli/security/access_check.c functions (or anywhere else), and
    will be treated just as they are now, as unknown types.

 2. this file isn't mentioned in the wscript, so aren't compiled.

 We'll get to point 2 first.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
4b8e9e3f0c libcli:security: add functions to decode and decode RA ACEs
Resource Attribute ACEs have similar syntactical components to
conditional ACEs -- enough so that it is worth reusing the same
functions, but not quite enough so that it is exactly simple.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
969cb79dae libcli/security: add conditional ACE SDDL functions
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
6f588a1fc5 libcli:security: helpers for converting claim types
There are three different forms for claims, and we need to convert
between them.

For now, we are only going to be converting between conditional ACE
type and the CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 type used by
resource ACEs and in the security token, and later we will add the PAC
claim types.

It doesn't help that these all have incompatible definitions, but we
do our best.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
94f0a1083a libcli:security: outline for sddl_conditional_ace.c
This is to show where we're going to end up.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
140f7466a4 libcli/security: add stub of conditional ACE code.
This is just the outline of what will come, but first we'll add
conditional ACE SDDL decoding in sddl_conditional_ace.c

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
672fc0a1ab libcli/security: find SDDL coda for RA and conditional ACEs
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
cdd9424e4f libcli/security: whitespace repair in sddl.c
tabs not spaces.

It appears that my emacs got its configuration mixed up and was using
spaces.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
a8e3f5d33f ndr_sec_helper: ace length should be multiple of 4
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
5e1ed7b71f ndr_sec_helper: ndr_size_security_ace: do less work
Almost always the ACE has an `ignored` DATA_BLOB as the coda, and the
length of the coda is the length field of the blob, which is usually
zero.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
df8eec384f librpc:security.idl: add conditional ace coda
Conditional ACEs go into a DATA_BLOB just like the default ignored
coda, but we add a union field with a different name to preserve
sanity.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
e8192dddf3 libcli/sec: reformat long line in wscript_build
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
40d9b08db4 librpc:security.idl: ace->coda can be resource attribute
And now we see why security_ace_coda was a union.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
498c411017 libcli/security: callback object aces are object aces
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
762646b5aa libcli/security: use tabs in sec_ace_object()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
e81e98c485 libcli/security: helper to find ACEs with meaningful codas
Only Resource Attribute ACEs and Conditional ACEs are expected to have
trailing data. Others sometimes might, but we don't care what it is.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
41e1b6957a libcli/security: helper to find resource attribute ACEs
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
617cfa0e96 libcli/security: helper to find callback/conditional aces
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
34aa33a1a4 security.idl: use sec_ace_object() in object switch
At some point sec_ace_object() is going to gain awareness of
SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT and the like.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
4ef7845b57 security.idl: extend security token with device SIDs
A device has SIDs too, and a modern security token needs to know
them in order to interpret conditional expressions like
"Device_member_of".

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Samuel Cabrero
d7394a90f5 testparm: Allow idmap ranges overlap for idmap_nss
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Sep 26 19:28:08 UTC 2023 on atb-devel-224
2023-09-26 19:28:08 +00:00
Volker Lendecke
fab08854af libsmb: Pass neg contexts through sync smbXcli_negprot_recv()
Looks much larger than it is, there's a lot of callers too feed NULL to.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Sep 25 19:59:17 UTC 2023 on atb-devel-224
2023-09-25 19:59:17 +00:00
Volker Lendecke
b693b6accc libsmb: Make libsmb/clispnego.c static to libads/
It's only called there. The "+" part of this patch might not conform
to README.Coding because it's a literal cut&paste.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-25 19:01:34 +00:00
Volker Lendecke
a0181938c1 libcli: Correct guard #define
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-25 19:01:34 +00:00
Volker Lendecke
cd2e6c4562 clifuse: Start implementing forget()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-25 19:01:34 +00:00
Volker Lendecke
27ae6bdbb1 clifuse: Use an empty array for holding the inode path
Cleaner these days.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-25 19:01:34 +00:00
Volker Lendecke
94dcda1ee2 examples: Slightly modernize printfs in teststat
long long works, but it's a bit too specific now that we have intmax_t

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-25 19:01:34 +00:00
Volker Lendecke
aef98c6356 libsmb: Remove two #defines just used once
To me these two did not create clarity.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-25 19:01:34 +00:00
Volker Lendecke
446a3b3e8a smbd: Modernize a few DBG statements
Changes on level from 4 to 3 in store_file_unix_basic().

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-25 19:01:34 +00:00
Volker Lendecke
94433d1d01 examples: Use explicit SMBCCTX
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-25 19:01:34 +00:00
Volker Lendecke
3b8cfda1c9 lib: Avoid a tdb handle leak
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-25 19:01:34 +00:00
Volker Lendecke
46f710c95f lib: Modernize tdb_fetch_lifetime()
Just came across this, avoid mallocs.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-25 19:01:34 +00:00
Volker Lendecke
e6136139be libsmb: Remove unused cli_is_dos_error()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-25 19:01:34 +00:00
Volker Lendecke
b0b1fc1974 libsmb: Remove unused cli_dos_error()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-25 19:01:34 +00:00
Volker Lendecke
05828c3e38 libsmb: Eliminate a reader of cli->raw_status
At some point we should get rid of cli->raw_status.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-25 19:01:34 +00:00
Volker Lendecke
3cfe1683dd libsmb: Remove SMBC_errno()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-25 19:01:34 +00:00
Volker Lendecke
15ff9c1819 libsmb: Remove a call to SMBC_errno()
This involves converting cli_printjob_del() to NTSTATUS and thus
touches a few callers.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-25 19:01:34 +00:00
Volker Lendecke
bb8ec33340 libsmb: Remove a call to SMBC_errno()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-25 19:01:34 +00:00
Volker Lendecke
9ec7245b1b libsmb: Remove a call to SMBC_errno()
All returns from cacl_get() now explicitly set the errno.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-25 19:01:34 +00:00
Volker Lendecke
2399b105fe libsmb: Remove unused cli_is_nt_error()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-25 19:01:34 +00:00
Volker Lendecke
aaf5821dac smbclient: Save lines with talloc_asprintf_addbuf()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-25 19:01:34 +00:00
Volker Lendecke
9c316623e5 libsmb: Extend cli_mknod to create NFS reparse points
Tested smbclient mkfifo manually against W2k22, the Windows NFS server
reports this as FIFO.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Sep 25 18:08:01 UTC 2023 on atb-devel-224
2023-09-25 18:08:01 +00:00
Volker Lendecke
af5756df6c libsmb: Remove reparse_symlink.c
Makes reparse_buffer_marshall static to reparse.c

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-25 17:09:37 +00:00