IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
We fuzz security descriptors in a couple of different ways, and this
maps seeds from one form into the other. The SDDL examples can also be
used in Windows tests.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Soon we will get Conditional ACEs and Resource Attribute ACES, each of
which have trailing bytes at the end of the ACE. Here's a diagram:
____ The ACE size field may indicate a size bigger
.type / | than the known parts, even when you take
.flags / | rounding to a multiple of four into account.
.size --' | This extra data is meaningful in some ACEs.
.access_mask |
.trustee (sid) _| <- known data ends here.
:
"coda" ___: <- the trailing part, Zero size unless the size
field points beyond the end of the known data.
Probably empty for ordinary ACE types.
Until now we have thrown away these extra bytes, because they have no
meaning in the ACE types we recognise. But with conditional and
resource attribute ACEs we need to catch and process these bytes, so
we add an extra field for that.
Thus we can drop the manually written ndr_pull_security_ace() that
discarded the trailing bytes, because we just allow it to be pulled
into an unused blob. In the very common case, the blob will be empty.
Microsoft does not use a common name across different ACE types to
describe this end-data -- "coda" is a Samba term.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Soon we will have Conditional ACEs and Resource Attribute ACEs. It is
expected --indeed mandatory-- that the SDDL representations of these
ACEs will contain parentheses, so we can't use '(' and ')' to decide
where ACEs stop and start.
This means shifting where we make a mutable copy of the SDDL string
from per-ACE to per-ACL, and allowing sddl_decode_ace() to decide when
its ACE is finished.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
On a typical machine where the size of ‘int’ is 32 bits or smaller, a
sub-authority of 2147483649 would be ordered before a sub-authority of
1, even though it is greater.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The two functions are identical in behaviour.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The revision has already been set at the start of this function.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Winbind can ask rpcd_lsad for LookupNames etc. This can recurse back
into winbind for getpwnam. We have the "_NO_WINBINDD" environment
variable set in winbind itself for this case, but this is lost on the
way into rpcd_lsad. Use a flag in global_sid_Samba_NPA_Flags to pass
this information to dcerpc_core, where it sets the variable on every
call if requested.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue May 16 11:54:32 UTC 2023 on atb-devel-224
This will be used as a flexible way to pass per-RPC-connection flags
over ncalrpc to the RPC server without having to modify
named_pipe_auth_req_info6 every time something new needs to be
passed. It's modeled after global_sid_Samba_SMB3.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
To be used in a few places when checking special-case Samba SIDs.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
These are produced by editing `python/samba/test/sddl.py to enable
`test_write_test_strings`, the running `make test TESTS='sddl\\b'`.
The windows executable from the C file added in a recent commit can
run these tests using the `-i` flag.
The Samba sddl.py tests can be induced to use them too, but that is
only useful for showing they are still in sync.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
prior to this patch rights matching "FA", "FR", "FW", "FX" were
outputted as the hex string representing the bit value.
While outputting the hex string is perfectly fine, it makes it harder
to compare icacls output (which always uses the special string values)
Additionally adjust various tests to deal with use of shortcut access masks
as sddl format now uses FA, FR, FW & FX strings (like icalcs does) instead
of hex representation of the bit mask.
adjust
samba4.blackbox.samba-tool_ntacl
samba3.blackbox.large_acl
samba.tests.samba_tool.ntacl
samba.tests.ntacls
samba.tests.posixacl
so various string comparisons of the sddl format now pass
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
[abartlet@samba.org Adapted to new stricter SDDL behaviour around leading zeros in hex
numbers, eg 0x001]
value for FA should be 0x001f01ff (instead of 0x00001ff)
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
sddl_decode_sid() will stop at the first non-SID character. Windows
doesn't allow white space here, and nor do we.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Before we just ignored things like negative numbers, because they'd
end up being seen as not-numbers, so treated as flags, then as
not-flags.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The C version tests the public SDDL API on Windows which seems to follow
Active Directory closely, though case in hex numbers is reversed vis-a-vis
defaultSecurityDescriptor.
The python version is less refined and tests powershell functions.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We don't see this happening on Windows.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Our previous behaviour (at least with glibc) was to clip off the extra
bits, so that 0x123456789 would become 0x23456789. That's kind of the
obvious thing, but is not what Windows does, which is to saturate the
value, rounding to 0xffffffff. The effect of this is to turn on all
the flags, which quite possibly not what you meant.
Now we just return an error.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The string "S:D:P" is parsed by us and Windows into a valid struct,
which has an empty DACL with the PROTECTED flag, and an empty SACL.
This is reconstructed in canonical order as "D:PS:", which Windows
will correctly parse, but Samba has assumed the "S" is a bad DACL
flag. Now we don't make that assumption.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These occur canonically when the indentifier authority is > 2^32, but
also are accepted by Windows for any number.
There is a tricky case with an "O:" or "G:" SID that is immediately
followed by a "D:" dacl, because the "D" looks like a hex digit. When
we detect this we need to subtract one from the length.
We also need to do look out for trailing garbage. This was not an
issue before because any string caught by the strspn(...,
"-0123456789") would be either rejected or fully comsumed by
dom_sid_parse_talloc(), but with hex digits, a string like
"S-1-1-2x0xabcxxx-X" would be successfully parsed as "S-1-1-2", and
the "x0xabcxxx-X" would be skipped over. That's why we switch to using
dom_sid_parse_endp(), so we can compare the consumed length to the
expected length.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
previously a string could have anything in it, so long as every second
character was ':'.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The man page notes:
The standards require that the argument c for these functions
is either EOF or a value that is representable in the type
unsigned char. If the argument c is of type char, it must be
cast to unsigned char, as in the following example:
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Following Windows, the numbers that would be octal (e.g. "0123") are
converted to decimal by skipping over the zeros.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We don't want octal numbers or overflows.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The second one came with code obsoleting the "BIG NOTE" about 10 years
ago, but that code later wandered off somewhere else.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This allows us to pass the new tests we just added.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If there were two consecutive occurrences of an ACL to be deleted, we
would miss the second one.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Often it is important to insert an ace at a specific position in the
ACL. As a default we still append by default by using -1, which is the
generic version of passing the number of existing aces.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This means that encoding an ACE in string form will now match Windows.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Mar 21 01:19:16 UTC 2023 on atb-devel-224
In future we need to pass in 3 sids to sddl_encode()
Once we pass in a machine_sid from the caller we need to
have a test on a Windows member if the .machine_rid values
really belong to the local machine sid.
At least [MS-DTYP] 2.4.2.4 Well-Known SID Structures
pretents "LA" and "LG" are relative to the local machine sid.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Mar 20 10:53:41 UTC 2023 on atb-devel-224
We should walk the sid_codes array just once.
This makes further changes easier...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
In future we'll need more than 'domain_sid' in order
to do the correct transition of SDDL to/from security_descriptor.
In the end we most likely add an
sddl_transition_{create,encode,decode}() api in order
to allow the caller to create an sddl_transition_state
once and then pass it to multiple calls to encode/decode.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
This made sense before we used dom_sid_str_buf() in the DEBUG
statements.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Arrays of SIDs are handled not fully consistently throughout the
codebase. Sometimes SIDs in the first and second positions represent a
user and a primary group respectively; other times they don't mean
anything in particular. Using these index constants in situations of the
former sort can help to clarify our intent.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These functions are modelled on add_sid_to_array() and
add_sid_to_array_unique(). They differ in that they operate not on an
array of dom_sid, but of auth_SidAttr, and take an additional 'attrs'
parameter of type uint32_t.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Removed static flag from sddl_encode_ace and added to headers.
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Christian Merten <christian@merten.dev>
Fixed security_ace_equal returning true, despite differing object type, by checking (inherited) object type
of both ACEs is equal.
Signed-off-by: Christian Merten <christian@merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Two functions have been added to delete a given ace from the SACL or the DACL of a security descriptor.
Signed-off-by: Christian Merten <christian@merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
The implicit right of an object's owner to modify its security
descriptor no longer exists, according to the new access rules. However,
we continue to grant this implicit right for fileserver access checks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810
Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Change the values to match those used by Windows.
Verified with PowerShell commands of the form:
New-Object Security.Principal.SecurityIdentifier ER
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This should have been removed in ef990008f2, I just was not aware
it's there...
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
We have to look at all available mappings for parsing sddl for each
special flag set. "GW" and "FX" come from two different tables, but
the previous code settled on one table and then expected both "GW" and
"FX" to come from that same table. Change the code to look at all
tables per special flag set.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr 21 00:04:36 UTC 2021 on sn-devel-184
We have to look at more than one map, "FRSD" is not correctly handled
right now for example. This factors out walking a map to make walking
multiple maps easier.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Use GUID_buf_string() instead of GUID_string() for encoding objects,
no need to check for NULL anymore.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
See
https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings
for reference.
We can only use them for decoding, many of our tests depend on our
string representation of the flags.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
lib/util/safe_string.h is similar to source3/include/safe_string.h, but
the former has fewer checks. It is missing bcopy, strcasecmp, and
strncasecmp.
Add the missing elements to lib/util/safe_string.h remove the other
safe_string.h which is in the source3-specific path. To accomodate
existing uses of str(n?)casecmp, add #undef lines to source files where
they are used.
Signed-off-by: Matthew DeVore <matvore@google.com>
Reviewed-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Aug 28 02:18:40 UTC 2020 on sn-devel-184
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Aug 3 22:21:04 UTC 2020 on sn-devel-184
the "I" flag for unsigned int has been available since Python 2.3
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This has been unused since before
762e7e1dff in 2003.
Found by callcatcher
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
To avoid warning above produced by using
-Wcast-function-type we;
+ ensure PyCFunctions of type METH_NOARGS defined dummy arg
+ ensure PyCFunctions of type METH_KEYWORDS use PY_DISCARD_FUNC_SIG
macro
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
The new string conversion wrappers detect and flag errors
which occured during the string to integer conversion.
Those modifications required an update of the callees
error checks.
Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Use a temporary struct as a return value to make the compiler catch all
callers. If we just changed bool->ssize_t, this would just generate a
warning. struct sid_parse_ret will go away in the next commit
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Deny ACEs must always be evaluated against explicitly granted rights
from previous ACEs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
We basically must process the Owner Rights ACEs as any other ACE wrt to the
order of adding granted permissions and checking denied permissions. According
to MS-DTYP 2.5.3.2 Owner Rights ACEs must be evaluated in the main loop over
the ACEs in an ACL and the corresponding access_mask must be directly applied
to bits_remaining. We currently defer this to after the loop over the ACEs in
ACL, this is wrong.
We just have to do some initial magic to determine if an ACL contains and
Owner Rights ACEs, and in case it doesn't we grant SEC_STD_WRITE_DAC |
SEC_STD_READ_CONTROL at the *beginning*. MS-DTYP:
-- the owner of an object is always granted READ_CONTROL and WRITE_DAC.
CALL SidInToken(Token, SecurityDescriptor.Owner, PrincipalSelfSubst)
IF SidInToken returns True THEN
IF DACL does not contain ACEs from object owner THEN
Remove READ_CONTROL and WRITE_DAC from RemainingAccess
Set GrantedAccess to GrantedAccess or READ_CONTROL or WRITE_OWNER
END IF
END IF
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
In order to detect an value overflow error during
the string to integer conversion with strtoul/strtoull,
the errno variable must be set to zero before the execution and
checked after the conversion is performed. This is achieved by
using the wrapper function strtoul_err and strtoull_err.
Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This was missing in 44590c1b70.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Thu Feb 28 19:18:16 UTC 2019 on sn-devel-144
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Dec 12 22:18:52 CET 2018 on sn-devel-144
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Nov 3 00:23:31 CET 2018 on sn-devel-144
This is modeled after server_id_str_buf, which as an API to me is easier to
use: I can rely on the compiler to get the buffer size right.
It is designed to violate README.Coding's "Make use of helper variables", but
as this API is simple enough and the output should never be a surprise at all,
I think that's worth it.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Nov 2 20:11:11 CET 2018 on sn-devel-144
An 'Object Access Allowed' ACE that assigned 'Control Access' (CR)
rights to a specific attribute would not actually grant access.
What was happening was the remaining_access mask for the object_tree
nodes would be Read Property (RP) + Control Access (CR). The ACE mapped
to the schemaIDGUID for a given attribute, which would end up being a
child node in the tree. So the CR bit was cleared for a child node, but
not the rest of the tree. We would then check the user had the RP access
right, which it did. However, the RP right was cleared for another node
in the tree, which still had the CR bit set in its remaining_access
bitmap, so Samba would not grant access.
Generally, the remaining_access only ever has one bit set, which means
this isn't a problem normally. However, in the Control Access case there
are 2 separate bits being checked, i.e. RP + CR.
One option to fix this problem would be to clear the remaining_access
for the tree instead of just the node. However, the Windows spec is
actually pretty clear on this: if the ACE has a CR right present, then
you can stop any further access checks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reading the spec and then reading the code makes sense, but we could
comment the code more so it makes sense on its own.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Object-specific access checks refer to a specific section of the
MS-ADTS, and the code closely matches the spec. We need to extend this
logic to properly handle the Control-Access Right (CR), so it makes
sense to split the logic out into its own function.
This patch just moves the code, and should not alter the logic (apart
from ading in the boolean grant_access return variable.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Commit e2c9ad93cb removed the last caller
of this.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed May 9 19:18:44 CEST 2018 on sn-devel-144
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 16 19:47:15 CET 2018 on sn-devel-144
Looks surprising, but this does save bytes if you look at the object with
"size".
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This message shows up a lot at level 6 for no particularly good reason
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reported and proposed fix by Shilpa K <shilpa.krishnareddy@gmail.com>.
When processing DENY ACE entries for owner rights SIDs (S-1-3-4) the
code OR's in the deny access mask bits without taking into account if
they were being requested in the requested access mask.
E.g. The current logic has:
An ACL containining:
[0] SID: S-1-3-4
TYPE: DENY
MASK: WRITE_DATA
[1] SID: S-1-3-4
TYPE: ALLOW
MASK: ALLOW_ALL
prohibits an open request by the owner for READ_DATA - even though this
is explicitly allowed.
Furthermore a non-canonical ACL containing:
[0] SID: User SID 1-5-21-something
TYPE: ALLOW
MASK: READ_DATA
[1] SID: S-1-3-4
TYPE: DENY
MASK: READ_DATA
[2] SID: User SID 1-5-21-something
TYPE: ALLOW
MASK: WRITE_DATA
prohibits an open request by the owner for READ_DATA|WRITE_DATA - even
though READ_DATA is explicitly allowed in ACE no 0 and is thus already
filtered out of the "access-still-needed" mask when the deny ACE no 1 is
evaluated.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12466
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12373
Signed-off-by: Moritz Beller <moritzbeller@gmx.de>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Simo <simo@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Oct 13 18:13:45 CEST 2016 on sn-devel-144
Add Samba specific well known SIDs for
Unix UID and GID owner.
Signed-off-by: Steve French <smfrench@gmail.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
SECURITY_GUEST is not exactly the same as SECURITY_ANONYMOUS.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11677
definitions taken from [MS-DTYP]: Windows Data Types,
2.4.2.4 Well-Known SID Structures.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
sid_parse takes a binary blob, uint8_t reflects this a bit
better than char * does
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker, apologies for the mistake.
Spotted by Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Apr 29 08:20:23 CEST 2015 on sn-devel-104
This prepares a possibly stripped security descriptor for a client.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
TODO: we should import the whole lists from [MS-DTYP].
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10773
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Aug 22 02:52:50 CEST 2014 on sn-devel-104
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun 10 21:46:15 CEST 2014 on sn-devel-104
This function is a duplicate of security_ace_equal(), and is no longer
used.
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 29 03:34:38 CEST 2014 on sn-devel-104
Both offer the same functionality, sec_ace_equal() will be removed.
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This change cleans up the white-space damage, and converts the single
line if-then statements to match Samba's coding conventions.
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
With sec_desc_del_sid() now gone, this can also be removed.
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The function is unused, and shares mostly the same behaviour as
security_descriptor_acl_del().
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
With make_sec_desc() converted to use security_acl_dup(), which offers
the same behaviour, this function is no longer needed.
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
It currently leaks memory onto the provided talloc context on error, fix
this.
Use X_acl_dup() functions provided by secuity_descriptor.c, rather than
the redundant secdesc.c calls. Also, use the IDL generated functions to
calculate the security descriptor structure size.
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
With all callers converted to use security_descriptor_copy(), this
function can be removed.
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Use security_descriptor_copy() instead, which is also provided by
libcli.
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
This function adds a new allow-type ACE to an existing ACE list. With
the removal of sec_desc_add_sid(), this is no longer used internally.
The same behaviour can be achieved via the much cleaner
security_ace_create() function.
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
This function adds an ACE to a security descriptor DACL. The same can be
achieved via the more flexible and much cleaner security_ace_create()
and security_descriptor_dacl_add() functions.
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
struct security_ace has a struct dom_sid, not a pointer to it. So we don't have
to talloc it first and then not free it.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue May 27 12:54:55 CEST 2014 on sn-devel-104
This avoids a complex if-expression
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Dec 14 00:10:21 CET 2013 on sn-devel-104
Restore and backup privileges are not relevant to ldap
access checks, and the TakeOwnership privilege should
grant write_owner right
Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Apr 2 20:05:13 CEST 2013 on sn-devel-104
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 28 19:43:41 CET 2013 on sn-devel-104
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Feb 23 19:28:15 CET 2013 on sn-devel-104
Names seems to be a bit cryptic and misleading (at least for me).
So documenting them should remove at least partially this problem.
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The for loop does this implicitly when comparing for (i = 0; i < root->num_of_children; i++)
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This removes special-case for initalising the children array in
insert_in_object_tree(). talloc_realloc() handles the intial allocate
case perfectly well, so there is no need to have this duplicated.
This also restores having just one place were the rest of the elements
are intialised, to ensure uniform behaviour.
To do this, we have to rework insert_in_object_tree to have only one
output variable, both because having both root and new_node as output
variables was too confusing, and because otherwise the two pointers
were being allowed to point at the same memory.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The inherited_type is only used to decide if aces should be inherited
effectively or not (INHERIT_ONLY) for the specified object.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Matthieu Patou <mat@matws.net>
It is critically important that we initialise this element as otherwise
all access is permitted.
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit a75805490d)
there is a libsecurity on OSF1 which clasheѕ with our security lib. see bug #9023.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Fri Aug 10 14:22:21 CEST 2012 on sn-devel-104
Signed-off-by: Jeremy Allison <jra@samba.org>
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Wed Mar 14 02:26:34 CET 2012 on sn-devel-104
Signed-off-by: Jeremy Allison <jra@samba.org>
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat Mar 10 01:33:45 CET 2012 on sn-devel-104
Ensure we process the entire ACE list instead of returning ACCESS_DENIED
and terminating the walk - ensure we only return the exact bits that cause
the access to be denied. Some of the S3 fileserver needs to know if we
are only denied DELETE access before overriding it by looking at the
containing directory ACL.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Wed Jan 11 19:24:53 CET 2012 on sn-devel-104
The s3-waf build system is a key component of the top level build, but
with this commit is is no longer available directly. This reduces the
number of build system combinations in master as we prepare for the
Samba 4.0 release.
Andrew Bartlett
This changes auth_session_info_transport to just be a wrapper, rather
than a copy that has to be kept in sync.
As auth_session_info was already wrapped in python, this required
changes to the existing pyauth wrapper and it's users.
Andrew Bartlett
In the file server SEC_STD_DELETE is granted on the file/directory
or by FILE_DELETE_CHILD on the parent directory.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Mar 21 23:25:05 CET 2011 on sn-devel-104
Some tests showed that these ACEs are not removed if the DACL_PROTECTED flag is provided at the same time.
This is not documented but tests prove it and it has been observerd in deployment.
Logical consequence of the previous commit
Signed-off-by: Michael Adam <obnox@samba.org>
Autobuild-User: Michael Adam <obnox@samba.org>
Autobuild-Date: Mon Feb 7 19:24:19 CET 2011 on sn-devel-104
