IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
The new name indicates that — contrary to functions such as strnlen() —
the length may include the terminator.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
the message offset is largely calculated using the differences
between pointers in many places scattered throughout the code.
If we got one of these wrong, we could easily have a SIZE_MAX-ish
offset, which would be unfortunate if we came decided to display
the offset using spaces.
We can sanely limit the offset to the length of the SDDL.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
the way we parse things, we can't really distinguish between complete
nonsense and an ACL that seems to end early because of bad flags. That
is, "D:ZZ(A;;;;;WD)" looks the same as "ZZ" to the parser. But at least
we can point to the right place in the string.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The wrong number of semicolons is usually one less than count (which
counts sections separated by semicolons), except when count is zero.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This allows the messages to be more reliably presented by client tools
in a useful way.
The messages lose the trailing \n, and some were slightly tweaked (e.g.
s/Resource ACE/Resource Attribute ACE/).
They will still show up in logs for callers of sddl_decode(), but at
NOTICE level rather than WARNING.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Having it optionally NULL just complicates the code, and Coverity
rightly complained.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
No idea what got me into having an "S" in the define when I added it.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
These have been unsupported since commit
3b6c1f1a9c.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Usually the conditions are embedded in part of some SDDL, and the
offset from the beginning of the condtions is a bit useless and
confusing. Callers of sddl_decode_err_msg get the offset from the
beginning of the SDDL which is a different and more useful number.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
As it stands, ace_conditions_compile_sddl() won't produce a message when
it succeeds (i.e. return non-NULL), so this debug is just clutter.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This will return an error message, if it can, along with an indicative
position.
For conditional ACEs the message might be accurate, and the position
fine-grained. For example, you might be able to construct the message
like this:
D:(XA;;CC;;;S-1-2-3;(@User.Title == !(@User.Title)))
^
16: unexpected operator
For non-conditional ACEs, the position typically points to the beginning
of the ACE, like this:
D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A; OICI; GRGWGX;;;AU)
^
unknown error
Here the error is in the spaces either side of " OICI; ", but the pointer
points to the beginning of the ACE.
The old sddl_decode() function becomes a wrapper around the new function,
which inherits the guts of the old function.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
It is simpler for the message to have consistent parentage; it
is easier to drop one message we'll never see than to talloc it.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is what Windows does, and it removes a couple of knownfails.
We can change it here cheaply without affecting the core dom_sid code,
which is good because there seem to be other places where we need the
uppercase S (for example in ldap search <SID=> queries).
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Instead of ‘int’ or ‘uint32_t’, neither of which convey much meaning,
consistently use a newly added type to hold NDR_ flags.
Update the NDR 4.0.0 ABI.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The LIBNDR_FLAG_ namespace is getting dangerously full, with only a
single flag value (1 << 9) remaining for use. After that flag is put
into use, we won’t be able to add any new flags without increasing the
flag width to 64‐bit.
Up to now we’ve used a haphazard mix of int, unsigned, and uint32_t to
store these flags. Introduce a new type, ‘libndr_flags’, to be used
consistently to hold LIBNDR flags. If in the future we find we need to
move to 64‐bit flags, this type gives us an opportunity to do that.
Bump the NDR version to 4.0.0 — an major version increment, for we’re
changing the function ABI and adding the new symbol
ndr_print_libndr_flags.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Add support to parse AQS-like (Advanced query syntax)
AQS - see https://learn.microsoft.com/en-gb/windows/win32/search/-search-3x-advancedquerysyntax
The basic (AQS) syntax is supported e.g. a query is built of a sequence of
queries connected by AND, OR and NOT where the query elements are
essentially restrictions defined by a property. There are some
limitations on the operators supported[1] and additionally some things
like enumerated ranges are not supported at all and range values are not
delimited as specified [2]. Some special cases that you see in the
windows search UI are exceptions [3] which are handled more or less as keywords
Some examples:
The following are all exactly the same query just expressed using
different variations of the syntax
'ALL:($<p403 OR $<p404) AND System.Kind:picture AND Scope:"FILE://somemachine/someshare" AND > System.Size:10241-102401'
'ALL:$<p403 OR ALL:$<p404 AND System.Kind:picture AND Scope:"FILE://somemachine/someshare" AND > System.Size:>=10241 AND System.Size:<102401'
'ALL:$<p403 OR ALL:$<p404 AND System.Kind:picture AND Scope:"FILE://somemachine/someshare" AND > System.Size:small'
The queries above by default select the property System.ItemUrl as the
one and only column returned, the query parameter however accepts a
variation to the AQS like syntax to allow arbitrary columns to be
selected e.g.
'SELECT System.ItemName, System.ItemURL, System.Size WHERE ALL:$<p403 OR ALL:$<p404 AND System.Kind:picture AND Scope:"FILE://somemachine/someshare" AND System.Size:small'
[1] supported operators
-------------------
= Equals
!= Not Equals
> Greater than
< Less than
>= Greater than or equals
<= Less than or equals
$= equals
$< starts with
[2] ranges are specified as value-value instead of value..value (seems
my flex/bison skills are not good enough and couldn't get that to
work with '..'
[3] The windows UI has shortcut ranges (presumably represented as enumerated
ranges) providing date ranges like 'today', 'tomorrow',
'lastweek' etc. and similarly sizes like "empty, tiny, small, large..."
These are supported (but implemented as keywords)
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This implements a dcerpc_binding_handle that does just pass request and
response blob passing.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Some services like WSP can send larger messages than the current 'Max Ioctl'
limit, this results in the server producing a BUFFER_OVERFLOW status (and
additionally clipping the message sent). Add support to allow a client to
modify the hardcoded 'Max Ioctl' default value to allow the server to
successfully send larger responses.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Add struct tstream_context to tstream_read_pdu_blob_full_fn_t and update
all callers of tstream_read_pdu_blob_send() to use the correct callback.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
