Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 :
4 : security descriptor description language functions
5 :
6 : Copyright (C) Andrew Tridgell 2005
7 :
8 : This program is free software; you can redistribute it and/or modify
9 : it under the terms of the GNU General Public License as published by
10 : the Free Software Foundation; either version 3 of the License, or
11 : (at your option) any later version.
12 :
13 : This program is distributed in the hope that it will be useful,
14 : but WITHOUT ANY WARRANTY; without even the implied warranty of
15 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 : GNU General Public License for more details.
17 :
18 : You should have received a copy of the GNU General Public License
19 : along with this program. If not, see <http://www.gnu.org/licenses/>.
20 : */
21 :
22 : #include "replace.h"
23 : #include "lib/util/debug.h"
24 : #include "libcli/security/security.h"
25 : #include "libcli/security/conditional_ace.h"
26 : #include "librpc/gen_ndr/ndr_misc.h"
27 : #include "lib/util/smb_strtox.h"
28 : #include "libcli/security/sddl.h"
29 : #include "system/locale.h"
30 : #include "lib/util/util_str_hex.h"
31 :
32 :
33 : struct sddl_transition_state {
34 : const struct dom_sid *machine_sid;
35 : const struct dom_sid *domain_sid;
36 : const struct dom_sid *forest_sid;
37 : };
38 :
39 : struct flag_map {
40 : const char *name;
41 : uint32_t flag;
42 : };
43 :
44 87841463 : static bool sddl_map_flag(
45 : const struct flag_map *map,
46 : const char *str,
47 : size_t *plen,
48 : uint32_t *pflag)
49 : {
50 514406438 : while (map->name != NULL) {
51 473724581 : size_t len = strlen(map->name);
52 473724581 : int cmp = strncmp(map->name, str, len);
53 :
54 473724581 : if (cmp == 0) {
55 47159606 : *plen = len;
56 47159606 : *pflag = map->flag;
57 47159606 : return true;
58 : }
59 426564975 : map += 1;
60 : }
61 36376658 : return false;
62 : }
63 :
64 : /*
65 : map a series of letter codes into a uint32_t
66 : */
67 8396840 : static bool sddl_map_flags(const struct flag_map *map, const char *str,
68 : uint32_t *pflags, size_t *plen,
69 : bool unknown_flag_is_part_of_next_thing)
70 : {
71 8396840 : const char *str0 = str;
72 8396840 : if (plen != NULL) {
73 2223971 : *plen = 0;
74 : }
75 8396840 : *pflags = 0;
76 8701761 : while (str[0] != '\0' && isupper((unsigned char)str[0])) {
77 90190 : size_t len;
78 90190 : uint32_t flags;
79 90190 : bool found;
80 :
81 304931 : found = sddl_map_flag(map, str, &len, &flags);
82 304931 : if (!found) {
83 0 : break;
84 : }
85 :
86 304921 : *pflags |= flags;
87 304921 : if (plen != NULL) {
88 54107 : *plen += len;
89 : }
90 304921 : str += len;
91 : }
92 : /*
93 : * For ACL flags, unknown_flag_is_part_of_next_thing is set,
94 : * and we expect some more stuff that isn't flags.
95 : *
96 : * For ACE flags, unknown_flag_is_part_of_next_thing is unset,
97 : * and the flags have been tokenised into their own little
98 : * string. We don't expect anything here, even whitespace.
99 : */
100 8396840 : if (*str == '\0' || unknown_flag_is_part_of_next_thing) {
101 7668636 : return true;
102 : }
103 3 : DBG_WARNING("Unknown flag - '%s' in '%s'\n", str, str0);
104 0 : return false;
105 : }
106 :
107 :
108 : /*
109 : a mapping between the 2 letter SID codes and sid strings
110 : */
111 : static const struct {
112 : const char *code;
113 : const char *sid;
114 : uint32_t machine_rid;
115 : uint32_t domain_rid;
116 : uint32_t forest_rid;
117 : } sid_codes[] = {
118 : { .code = "WD", .sid = SID_WORLD },
119 :
120 : { .code = "CO", .sid = SID_CREATOR_OWNER },
121 : { .code = "CG", .sid = SID_CREATOR_GROUP },
122 : { .code = "OW", .sid = SID_OWNER_RIGHTS },
123 :
124 : { .code = "NU", .sid = SID_NT_NETWORK },
125 : { .code = "IU", .sid = SID_NT_INTERACTIVE },
126 : { .code = "SU", .sid = SID_NT_SERVICE },
127 : { .code = "AN", .sid = SID_NT_ANONYMOUS },
128 : { .code = "ED", .sid = SID_NT_ENTERPRISE_DCS },
129 : { .code = "PS", .sid = SID_NT_SELF },
130 : { .code = "AU", .sid = SID_NT_AUTHENTICATED_USERS },
131 : { .code = "RC", .sid = SID_NT_RESTRICTED },
132 : { .code = "SY", .sid = SID_NT_SYSTEM },
133 : { .code = "LS", .sid = SID_NT_LOCAL_SERVICE },
134 : { .code = "NS", .sid = SID_NT_NETWORK_SERVICE },
135 : { .code = "WR", .sid = SID_SECURITY_RESTRICTED_CODE },
136 :
137 : { .code = "BA", .sid = SID_BUILTIN_ADMINISTRATORS },
138 : { .code = "BU", .sid = SID_BUILTIN_USERS },
139 : { .code = "BG", .sid = SID_BUILTIN_GUESTS },
140 : { .code = "PU", .sid = SID_BUILTIN_POWER_USERS },
141 : { .code = "AO", .sid = SID_BUILTIN_ACCOUNT_OPERATORS },
142 : { .code = "SO", .sid = SID_BUILTIN_SERVER_OPERATORS },
143 : { .code = "PO", .sid = SID_BUILTIN_PRINT_OPERATORS },
144 : { .code = "BO", .sid = SID_BUILTIN_BACKUP_OPERATORS },
145 : { .code = "RE", .sid = SID_BUILTIN_REPLICATOR },
146 : { .code = "RU", .sid = SID_BUILTIN_PREW2K },
147 : { .code = "RD", .sid = SID_BUILTIN_REMOTE_DESKTOP_USERS },
148 : { .code = "NO", .sid = SID_BUILTIN_NETWORK_CONF_OPERATORS },
149 :
150 : { .code = "MU", .sid = SID_BUILTIN_PERFMON_USERS },
151 : { .code = "LU", .sid = SID_BUILTIN_PERFLOG_USERS },
152 : { .code = "IS", .sid = SID_BUILTIN_IUSERS },
153 : { .code = "CY", .sid = SID_BUILTIN_CRYPTO_OPERATORS },
154 : { .code = "ER", .sid = SID_BUILTIN_EVENT_LOG_READERS },
155 : { .code = "CD", .sid = SID_BUILTIN_CERT_SERV_DCOM_ACCESS },
156 : { .code = "RA", .sid = SID_BUILTIN_RDS_REMOTE_ACCESS_SERVERS },
157 : { .code = "ES", .sid = SID_BUILTIN_RDS_ENDPOINT_SERVERS },
158 : { .code = "MS", .sid = SID_BUILTIN_RDS_MANAGEMENT_SERVERS },
159 : { .code = "HA", .sid = SID_BUILTIN_HYPER_V_ADMINS },
160 : { .code = "AA", .sid = SID_BUILTIN_ACCESS_CONTROL_ASSISTANCE_OPS },
161 : { .code = "RM", .sid = SID_BUILTIN_REMOTE_MANAGEMENT_USERS },
162 :
163 : { .code = "UD", .sid = SID_USER_MODE_DRIVERS },
164 :
165 : { .code = "AC", .sid = SID_SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE },
166 :
167 : { .code = "LW", .sid = SID_SECURITY_MANDATORY_LOW },
168 : { .code = "ME", .sid = SID_SECURITY_MANDATORY_MEDIUM },
169 : { .code = "MP", .sid = SID_SECURITY_MANDATORY_MEDIUM_PLUS },
170 : { .code = "HI", .sid = SID_SECURITY_MANDATORY_HIGH },
171 : { .code = "SI", .sid = SID_SECURITY_MANDATORY_SYSTEM },
172 :
173 : { .code = "AS", .sid = SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY },
174 : { .code = "SS", .sid = SID_SERVICE_ASSERTED_IDENTITY },
175 :
176 : { .code = "RO", .forest_rid = DOMAIN_RID_ENTERPRISE_READONLY_DCS },
177 :
178 : { .code = "LA", .machine_rid = DOMAIN_RID_ADMINISTRATOR },
179 : { .code = "LG", .machine_rid = DOMAIN_RID_GUEST },
180 :
181 : { .code = "DA", .domain_rid = DOMAIN_RID_ADMINS },
182 : { .code = "DU", .domain_rid = DOMAIN_RID_USERS },
183 : { .code = "DG", .domain_rid = DOMAIN_RID_GUESTS },
184 : { .code = "DC", .domain_rid = DOMAIN_RID_DOMAIN_MEMBERS },
185 : { .code = "DD", .domain_rid = DOMAIN_RID_DCS },
186 : { .code = "CA", .domain_rid = DOMAIN_RID_CERT_ADMINS },
187 : { .code = "SA", .forest_rid = DOMAIN_RID_SCHEMA_ADMINS },
188 : { .code = "EA", .forest_rid = DOMAIN_RID_ENTERPRISE_ADMINS },
189 : { .code = "PA", .domain_rid = DOMAIN_RID_POLICY_ADMINS },
190 :
191 : { .code = "CN", .domain_rid = DOMAIN_RID_CLONEABLE_CONTROLLERS },
192 :
193 : { .code = "AP", .domain_rid = DOMAIN_RID_PROTECTED_USERS },
194 : { .code = "KA", .domain_rid = DOMAIN_RID_KEY_ADMINS },
195 : { .code = "EK", .forest_rid = DOMAIN_RID_ENTERPRISE_KEY_ADMINS },
196 :
197 : { .code = "RS", .domain_rid = DOMAIN_RID_RAS_SERVERS }
198 : };
199 :
200 : /*
201 : decode a SID
202 : It can either be a special 2 letter code, or in S-* format
203 : */
204 6212824 : static struct dom_sid *sddl_transition_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
205 : struct sddl_transition_state *state)
206 : {
207 6212824 : const char *sddl = (*sddlp);
208 520439 : size_t i;
209 :
210 : /* see if its in the numeric format */
211 6212824 : if (strncasecmp(sddl, "S-", 2) == 0) {
212 303388 : struct dom_sid *sid = NULL;
213 303388 : char *sid_str = NULL;
214 303388 : const char *end = NULL;
215 35658 : bool ok;
216 303388 : size_t len = strspn(sddl + 2, "-0123456789ABCDEFabcdefxX") + 2;
217 303388 : if (len < 5) { /* S-1-x */
218 0 : return NULL;
219 : }
220 303381 : if (sddl[len - 1] == 'D' && sddl[len] == ':') {
221 : /*
222 : * we have run into the "D:" dacl marker, mistaking it
223 : * for a hex digit. There is no other way for this
224 : * pair to occur at the end of a SID in SDDL.
225 : */
226 7385 : len--;
227 : }
228 :
229 303381 : sid_str = talloc_strndup(mem_ctx, sddl, len);
230 303381 : if (sid_str == NULL) {
231 0 : return NULL;
232 : }
233 303381 : if (sid_str[0] == 's') {
234 : /*
235 : * In SDDL, but not in the dom_sid parsers, a
236 : * lowercase "s-1-1-0" is accepted.
237 : */
238 10 : sid_str[0] = 'S';
239 : }
240 303381 : sid = talloc(mem_ctx, struct dom_sid);
241 303381 : if (sid == NULL) {
242 0 : TALLOC_FREE(sid_str);
243 0 : return NULL;
244 35651 : };
245 303381 : ok = dom_sid_parse_endp(sid_str, sid, &end);
246 303381 : if (!ok) {
247 116 : DBG_WARNING("could not parse SID '%s'\n", sid_str);
248 116 : TALLOC_FREE(sid_str);
249 116 : TALLOC_FREE(sid);
250 116 : return NULL;
251 : }
252 303265 : if (end - sid_str != len) {
253 0 : DBG_WARNING("trailing junk after SID '%s'\n", sid_str);
254 0 : TALLOC_FREE(sid_str);
255 0 : TALLOC_FREE(sid);
256 0 : return NULL;
257 : }
258 303265 : TALLOC_FREE(sid_str);
259 303265 : (*sddlp) += len;
260 303265 : return sid;
261 : }
262 :
263 : /* now check for one of the special codes */
264 138073578 : for (i=0;i<ARRAY_SIZE(sid_codes);i++) {
265 138073531 : if (strncmp(sid_codes[i].code, sddl, 2) == 0) break;
266 : }
267 5909436 : if (i == ARRAY_SIZE(sid_codes)) {
268 47 : DEBUG(1,("Unknown sddl sid code '%2.2s'\n", sddl));
269 47 : return NULL;
270 : }
271 :
272 5909389 : (*sddlp) += 2;
273 :
274 :
275 5909389 : if (sid_codes[i].machine_rid != 0) {
276 2292 : return dom_sid_add_rid(mem_ctx, state->machine_sid,
277 1970 : sid_codes[i].machine_rid);
278 : }
279 :
280 5907097 : if (sid_codes[i].domain_rid != 0) {
281 1465419 : return dom_sid_add_rid(mem_ctx, state->domain_sid,
282 1335822 : sid_codes[i].domain_rid);
283 : }
284 :
285 4441678 : if (sid_codes[i].forest_rid != 0) {
286 27217 : return dom_sid_add_rid(mem_ctx, state->forest_sid,
287 23108 : sid_codes[i].forest_rid);
288 : }
289 :
290 4414461 : return dom_sid_parse_talloc(mem_ctx, sid_codes[i].sid);
291 : }
292 :
293 838 : struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
294 : const struct dom_sid *domain_sid)
295 : {
296 838 : struct sddl_transition_state state = {
297 : /*
298 : * TODO: verify .machine_rid values really belong to
299 : * to the machine_sid on a member, once
300 : * we pass machine_sid from the caller...
301 : */
302 : .machine_sid = domain_sid,
303 : .domain_sid = domain_sid,
304 : .forest_sid = domain_sid,
305 : };
306 838 : return sddl_transition_decode_sid(mem_ctx, sddlp, &state);
307 : }
308 :
309 :
310 : static const struct flag_map ace_types[] = {
311 : { "AU", SEC_ACE_TYPE_SYSTEM_AUDIT },
312 : { "AL", SEC_ACE_TYPE_SYSTEM_ALARM },
313 : { "OA", SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT },
314 : { "OD", SEC_ACE_TYPE_ACCESS_DENIED_OBJECT },
315 : { "OU", SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT },
316 : { "OL", SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT },
317 : { "A", SEC_ACE_TYPE_ACCESS_ALLOWED },
318 : { "D", SEC_ACE_TYPE_ACCESS_DENIED },
319 :
320 : { "XA", SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK },
321 : { "XD", SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK },
322 : { "ZA", SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT },
323 : /*
324 : * SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT exists but has
325 : * no SDDL flag.
326 : *
327 : * ZA and XU are switched in [MS-DTYP] as of version 36.0,
328 : * but this should be corrected in later versions.
329 : */
330 : { "XU", SEC_ACE_TYPE_SYSTEM_AUDIT_CALLBACK },
331 :
332 : { "RA", SEC_ACE_TYPE_SYSTEM_RESOURCE_ATTRIBUTE },
333 : { NULL, 0 }
334 : };
335 :
336 : static const struct flag_map ace_flags[] = {
337 : { "OI", SEC_ACE_FLAG_OBJECT_INHERIT },
338 : { "CI", SEC_ACE_FLAG_CONTAINER_INHERIT },
339 : { "NP", SEC_ACE_FLAG_NO_PROPAGATE_INHERIT },
340 : { "IO", SEC_ACE_FLAG_INHERIT_ONLY },
341 : { "ID", SEC_ACE_FLAG_INHERITED_ACE },
342 : { "SA", SEC_ACE_FLAG_SUCCESSFUL_ACCESS },
343 : { "FA", SEC_ACE_FLAG_FAILED_ACCESS },
344 : { NULL, 0 },
345 : };
346 :
347 : static const struct flag_map ace_access_mask[] = {
348 : { "CC", SEC_ADS_CREATE_CHILD },
349 : { "DC", SEC_ADS_DELETE_CHILD },
350 : { "LC", SEC_ADS_LIST },
351 : { "SW", SEC_ADS_SELF_WRITE },
352 : { "RP", SEC_ADS_READ_PROP },
353 : { "WP", SEC_ADS_WRITE_PROP },
354 : { "DT", SEC_ADS_DELETE_TREE },
355 : { "LO", SEC_ADS_LIST_OBJECT },
356 : { "CR", SEC_ADS_CONTROL_ACCESS },
357 : { "SD", SEC_STD_DELETE },
358 : { "RC", SEC_STD_READ_CONTROL },
359 : { "WD", SEC_STD_WRITE_DAC },
360 : { "WO", SEC_STD_WRITE_OWNER },
361 : { "GA", SEC_GENERIC_ALL },
362 : { "GX", SEC_GENERIC_EXECUTE },
363 : { "GW", SEC_GENERIC_WRITE },
364 : { "GR", SEC_GENERIC_READ },
365 : { NULL, 0 }
366 : };
367 :
368 : static const struct flag_map decode_ace_access_mask[] = {
369 : { "FA", FILE_GENERIC_ALL },
370 : { "FR", FILE_GENERIC_READ },
371 : { "FW", FILE_GENERIC_WRITE },
372 : { "FX", FILE_GENERIC_EXECUTE },
373 : { NULL, 0 },
374 : };
375 :
376 :
377 12443 : static char *sddl_match_file_rights(TALLOC_CTX *mem_ctx,
378 : uint32_t flags)
379 : {
380 1032 : int i;
381 :
382 : /* try to find an exact match */
383 28584 : for (i=0;decode_ace_access_mask[i].name;i++) {
384 24584 : if (decode_ace_access_mask[i].flag == flags) {
385 8443 : return talloc_strdup(mem_ctx,
386 8001 : decode_ace_access_mask[i].name);
387 : }
388 : }
389 3410 : return NULL;
390 : }
391 :
392 6172866 : static bool sddl_decode_access(const char *str, uint32_t *pmask)
393 : {
394 6172866 : const char *str0 = str;
395 6172866 : char *end = NULL;
396 6172866 : uint32_t mask = 0;
397 504378 : unsigned long long numeric_mask;
398 504378 : int err;
399 : /*
400 : * The access mask can be a number or a series of flags.
401 : *
402 : * Canonically the number is expressed in hexadecimal (with 0x), but
403 : * per MS-DTYP and Windows behaviour, octal and decimal numbers are
404 : * also accepted.
405 : *
406 : * Windows has two behaviours we choose not to replicate:
407 : *
408 : * 1. numbers exceeding 0xffffffff are truncated at that point,
409 : * turning on all access flags.
410 : *
411 : * 2. negative numbers are accepted, so e.g. -2 becomes 0xfffffffe.
412 : */
413 6172866 : numeric_mask = smb_strtoull(str, &end, 0, &err, SMB_STR_STANDARD);
414 6172866 : if (err == 0) {
415 46170 : if (numeric_mask > UINT32_MAX) {
416 1 : DBG_WARNING("Bad numeric flag value - %llu in %s\n",
417 : numeric_mask, str0);
418 1 : return false;
419 : }
420 46169 : if (end - str > sizeof("037777777777")) {
421 : /* here's the tricky thing: if a number is big
422 : * enough to overflow the uint64, it might end
423 : * up small enough to fit in the uint32, and
424 : * we'd miss that it overflowed. So we count
425 : * the digits -- any more than 12 (for
426 : * "037777777777") is too long for 32 bits,
427 : * and the shortest 64-bit wrapping string is
428 : * 19 (for "0x1" + 16 zeros).
429 : */
430 0 : DBG_WARNING("Bad numeric flag value in '%s'\n", str0);
431 0 : return false;
432 : }
433 46169 : if (*end != '\0') {
434 3 : DBG_WARNING("Bad characters in '%s'\n", str0);
435 3 : return false;
436 : }
437 46166 : *pmask = numeric_mask;
438 46166 : return true;
439 : }
440 : /* It's not a positive number, so we'll look for flags */
441 :
442 46808508 : while ((str[0] != '\0') &&
443 40681834 : (isupper((unsigned char)str[0]) || str[0] == ' ')) {
444 40681827 : uint32_t flags = 0;
445 40681827 : size_t len = 0;
446 4305169 : bool found;
447 40681835 : while (str[0] == ' ') {
448 : /*
449 : * Following Windows we accept spaces between flags
450 : * but not after flags. Not tabs, though, never tabs.
451 : */
452 10 : str++;
453 10 : if (str[0] == '\0') {
454 2 : DBG_WARNING("trailing whitespace in flags "
455 : "- '%s'\n", str0);
456 15 : return false;
457 : }
458 : }
459 40681825 : found = sddl_map_flag(
460 : ace_access_mask, str, &len, &flags);
461 40681825 : found |= sddl_map_flag(
462 : decode_ace_access_mask, str, &len, &flags);
463 40681825 : if (!found) {
464 13 : DEBUG(1, ("Unknown flag - %s in %s\n", str, str0));
465 13 : return false;
466 : }
467 40681812 : mask |= flags;
468 40681812 : str += len;
469 : }
470 6126681 : if (*str != '\0') {
471 7 : DBG_WARNING("Bad characters in '%s'\n", str0);
472 7 : return false;
473 : }
474 6126674 : *pmask = mask;
475 6126674 : return true;
476 : }
477 :
478 :
479 2322083 : static bool sddl_decode_guid(const char *str, struct GUID *guid)
480 : {
481 2322083 : if (strlen(str) != 36) {
482 0 : return false;
483 : }
484 2322070 : return parse_guid_string(str, guid);
485 : }
486 :
487 :
488 :
489 1297 : static DATA_BLOB sddl_decode_conditions(TALLOC_CTX *mem_ctx,
490 : const char *conditions,
491 : size_t *length,
492 : const char **msg,
493 : size_t *msg_offset)
494 : {
495 1297 : DATA_BLOB blob = {0};
496 1297 : struct ace_condition_script *script = NULL;
497 1297 : script = ace_conditions_compile_sddl(mem_ctx,
498 : conditions,
499 : msg,
500 : msg_offset,
501 : length);
502 1297 : if (script != NULL) {
503 1279 : bool ok = conditional_ace_encode_binary(mem_ctx,
504 : script,
505 : &blob);
506 1279 : if (! ok) {
507 0 : DBG_ERR("could not blobify '%s'\n", conditions);
508 : }
509 : }
510 1297 : return blob;
511 : }
512 :
513 :
514 : /*
515 : decode an ACE
516 : return true on success, false on failure
517 : note that this routine modifies the string
518 : */
519 6172887 : static bool sddl_decode_ace(TALLOC_CTX *mem_ctx,
520 : struct security_ace *ace,
521 : char **sddl_copy,
522 : struct sddl_transition_state *state,
523 : const char **msg, size_t *msg_offset)
524 : {
525 504398 : const char *tok[7];
526 504398 : const char *s;
527 504398 : uint32_t v;
528 504398 : struct dom_sid *sid;
529 504398 : bool ok;
530 504398 : size_t len;
531 6172887 : size_t count = 0;
532 6172887 : char *str = *sddl_copy;
533 6172887 : bool has_extra_data = false;
534 6172887 : ZERO_STRUCTP(ace);
535 :
536 6172887 : if (*str != '(') {
537 0 : return false;
538 : }
539 6172887 : str++;
540 : /*
541 : * First we split apart the 6 (or 7) tokens.
542 : *
543 : * 0. ace type
544 : * 1. ace flags
545 : * 2. access mask
546 : * 3. object guid
547 : * 4. inherit guid
548 : * 5. sid
549 : *
550 : * 6/extra_data rare optional extra data
551 : */
552 6172887 : tok[0] = str;
553 227654733 : while (*str != '\0') {
554 227654732 : if (*str == ';') {
555 30865841 : *str = '\0';
556 30865841 : str++;
557 30865841 : count++;
558 30865841 : tok[count] = str;
559 30865841 : if (count == 6) {
560 : /*
561 : * this looks like a conditional ACE
562 : * or resource ACE, but we can't say
563 : * for sure until we look at the ACE
564 : * type (tok[0]), after the loop.
565 : */
566 686 : has_extra_data = true;
567 686 : break;
568 : }
569 30864425 : continue;
570 : }
571 : /*
572 : * we are not expecting a ')' in the 6 sections of an
573 : * ordinary ACE, except ending the last one.
574 : */
575 196788891 : if (*str == ')') {
576 6171470 : count++;
577 6171470 : *str = '\0';
578 6171470 : str++;
579 6171470 : break;
580 : }
581 190617421 : str++;
582 : }
583 6172887 : if (count != 6) {
584 : /* we hit the '\0' or ')' before all of ';;;;;)' */
585 5 : DBG_WARNING("malformed ACE with only %zu ';'\n", count);
586 5 : return false;
587 : }
588 :
589 : /* parse ace type */
590 6172882 : ok = sddl_map_flag(ace_types, tok[0], &len, &v);
591 6172882 : if (!ok) {
592 9 : DBG_WARNING("Unknown ACE type - %s\n", tok[0]);
593 9 : return false;
594 : }
595 6172873 : if (tok[0][len] != '\0') {
596 1 : DBG_WARNING("Garbage after ACE type - %s\n", tok[0]);
597 1 : return false;
598 : }
599 :
600 6172872 : ace->type = v;
601 :
602 : /*
603 : * Only callback and resource aces should have trailing data.
604 : */
605 6172872 : if (sec_ace_callback(ace->type)) {
606 1297 : if (! has_extra_data) {
607 0 : DBG_WARNING("callback ACE has no trailing data\n");
608 0 : return false;
609 : }
610 6171575 : } else if (sec_ace_resource(ace->type)) {
611 111 : if (! has_extra_data) {
612 0 : DBG_WARNING("resource ACE has no trailing data\n");
613 0 : return false;
614 : }
615 6171464 : } else if (has_extra_data) {
616 3 : DBG_WARNING("ACE has trailing section but is not a "
617 : "callback or resource ACE\n");
618 3 : return false;
619 : }
620 :
621 : /* ace flags */
622 6172869 : if (!sddl_map_flags(ace_flags, tok[1], &v, NULL, false)) {
623 0 : return false;
624 : }
625 6172866 : ace->flags = v;
626 :
627 : /* access mask */
628 6172866 : ok = sddl_decode_access(tok[2], &ace->access_mask);
629 6172866 : if (!ok) {
630 0 : return false;
631 : }
632 :
633 : /* object */
634 6172840 : if (tok[3][0] != 0) {
635 2222581 : ok = sddl_decode_guid(tok[3], &ace->object.object.type.type);
636 2222581 : if (!ok) {
637 0 : return false;
638 : }
639 2222574 : ace->object.object.flags |= SEC_ACE_OBJECT_TYPE_PRESENT;
640 : }
641 :
642 : /* inherit object */
643 6172833 : if (tok[4][0] != 0) {
644 99502 : ok = sddl_decode_guid(tok[4],
645 : &ace->object.object.inherited_type.inherited_type);
646 99502 : if (!ok) {
647 0 : return false;
648 : }
649 99496 : ace->object.object.flags |= SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT;
650 : }
651 :
652 : /* trustee */
653 6172827 : s = tok[5];
654 6172827 : sid = sddl_transition_decode_sid(mem_ctx, &s, state);
655 6172827 : if (sid == NULL) {
656 0 : return false;
657 : }
658 6172817 : ace->trustee = *sid;
659 6172817 : talloc_free(sid);
660 6172817 : if (*s != '\0') {
661 0 : return false;
662 : }
663 :
664 6172815 : if (sec_ace_callback(ace->type)) {
665 : /*
666 : * This is either a conditional ACE or some unknown
667 : * type of callback ACE that will be rejected by the
668 : * conditional ACE compiler.
669 : */
670 611 : size_t length;
671 1297 : DATA_BLOB conditions = {0};
672 1297 : s = tok[6];
673 :
674 1297 : conditions = sddl_decode_conditions(mem_ctx, s, &length, msg, msg_offset);
675 1297 : if (conditions.data == NULL) {
676 18 : DBG_WARNING("Conditional ACE compilation failure at %zu: %s\n",
677 : *msg_offset, *msg);
678 18 : *msg_offset += s - *sddl_copy;
679 18 : return false;
680 : }
681 1279 : ace->coda.conditions = conditions;
682 :
683 : /*
684 : * We have found the end of the conditions, and the
685 : * next character should be the ')' to end the ACE.
686 : */
687 1279 : if (s[length] != ')') {
688 0 : DBG_WARNING("Conditional ACE has trailing bytes\n");
689 0 : return false;
690 : }
691 1279 : str = discard_const_p(char, s + length + 1);
692 6171518 : } else if (sec_ace_resource(ace->type)) {
693 111 : size_t length;
694 111 : struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *claim = NULL;
695 :
696 111 : if (! dom_sid_equal(&ace->trustee, &global_sid_World)) {
697 : /* these are just the rules */
698 0 : DBG_WARNING("Resource Attribute ACE trustee must be "
699 : "'S-1-1-0' or 'WD'.\n");
700 22 : return false;
701 : }
702 :
703 111 : s = tok[6];
704 111 : claim = sddl_decode_resource_attr(mem_ctx, s, &length);
705 111 : if (claim == NULL) {
706 22 : DBG_WARNING("Resource Attribute ACE parse failure\n");
707 22 : return false;
708 : }
709 89 : ace->coda.claim = *claim;
710 :
711 : /*
712 : * We want a ')' to end the ACE.
713 : */
714 89 : if (s[length] != ')') {
715 0 : DBG_WARNING("Resource ACE has trailing bytes\n");
716 0 : return false;
717 : }
718 89 : str = discard_const_p(char, s + length + 1);
719 : }
720 :
721 6172775 : *sddl_copy = str;
722 6172775 : return true;
723 : }
724 :
725 : static const struct flag_map acl_flags[] = {
726 : { "P", SEC_DESC_DACL_PROTECTED },
727 : { "AR", SEC_DESC_DACL_AUTO_INHERIT_REQ },
728 : { "AI", SEC_DESC_DACL_AUTO_INHERITED },
729 : { NULL, 0 }
730 : };
731 :
732 : /*
733 : decode an ACL
734 : */
735 3263863 : static struct security_acl *sddl_decode_acl(struct security_descriptor *sd,
736 : const char **sddlp, uint32_t *flags,
737 : struct sddl_transition_state *state,
738 : const char **msg, size_t *msg_offset)
739 : {
740 3263863 : const char *sddl = *sddlp;
741 3263863 : char *sddl_copy = NULL;
742 3263863 : char *aces_start = NULL;
743 303227 : struct security_acl *acl;
744 303227 : size_t len;
745 3263863 : *flags = 0;
746 :
747 3263863 : acl = talloc_zero(sd, struct security_acl);
748 3263863 : if (acl == NULL) {
749 0 : return NULL;
750 : }
751 3263863 : acl->revision = SECURITY_ACL_REVISION_ADS;
752 :
753 3263863 : if (isupper((unsigned char)sddl[0]) && sddl[1] == ':') {
754 : /* its an empty ACL */
755 960488 : return acl;
756 : }
757 :
758 : /* work out the ACL flags */
759 2223971 : if (!sddl_map_flags(acl_flags, sddl, flags, &len, true)) {
760 0 : talloc_free(acl);
761 0 : return NULL;
762 : }
763 2223971 : sddl += len;
764 :
765 2223971 : if (sddl[0] != '(') {
766 : /* it is empty apart from the flags. */
767 1057627 : *sddlp = sddl;
768 1057627 : return acl;
769 : }
770 :
771 : /*
772 : * now the ACEs
773 : *
774 : * For this we make a copy of the rest of the SDDL, which the ACE
775 : * tokeniser will mutilate by putting '\0' where it finds ';'.
776 : *
777 : * We need to copy the rest of the SDDL string because it is not
778 : * possible in general to find where an ACL ends if there are
779 : * conditional ACEs.
780 : */
781 :
782 1166344 : sddl_copy = talloc_strdup(acl, sddl);
783 1166344 : if (sddl_copy == NULL) {
784 0 : TALLOC_FREE(acl);
785 0 : return NULL;
786 : }
787 1670633 : aces_start = sddl_copy;
788 :
789 7339119 : while (*sddl_copy == '(') {
790 504398 : bool ok;
791 6172887 : acl->aces = talloc_realloc(acl, acl->aces, struct security_ace,
792 : acl->num_aces+1);
793 6172887 : if (acl->aces == NULL) {
794 0 : talloc_free(acl);
795 0 : return NULL;
796 : }
797 6172887 : ok = sddl_decode_ace(acl->aces, &acl->aces[acl->num_aces],
798 : &sddl_copy, state, msg, msg_offset);
799 6172887 : if (!ok) {
800 112 : *msg_offset += sddl_copy - aces_start;
801 112 : talloc_steal(sd, *msg);
802 112 : talloc_free(acl);
803 112 : return NULL;
804 : }
805 6172775 : acl->num_aces++;
806 : }
807 1166232 : sddl += sddl_copy - aces_start;
808 1166232 : TALLOC_FREE(aces_start);
809 1166232 : (*sddlp) = sddl;
810 1166232 : return acl;
811 : }
812 :
813 : /*
814 : * Decode a security descriptor in SDDL format, catching compilation
815 : * error messages, if any.
816 : *
817 : * The message will be a direct talloc child of mem_ctx or NULL.
818 : */
819 2221662 : struct security_descriptor *sddl_decode_err_msg(TALLOC_CTX *mem_ctx, const char *sddl,
820 : const struct dom_sid *domain_sid,
821 : const char **msg, size_t *msg_offset)
822 : {
823 2221662 : struct sddl_transition_state state = {
824 : /*
825 : * TODO: verify .machine_rid values really belong to
826 : * to the machine_sid on a member, once
827 : * we pass machine_sid from the caller...
828 : */
829 : .machine_sid = domain_sid,
830 : .domain_sid = domain_sid,
831 : .forest_sid = domain_sid,
832 : };
833 2221662 : const char *start = sddl;
834 219017 : struct security_descriptor *sd;
835 2221662 : sd = talloc_zero(mem_ctx, struct security_descriptor);
836 2221662 : if (sd == NULL) {
837 0 : goto failed;
838 : }
839 2221662 : sd->revision = SECURITY_DESCRIPTOR_REVISION_1;
840 2221662 : sd->type = SEC_DESC_SELF_RELATIVE;
841 :
842 2221662 : if (msg != NULL) {
843 2221662 : if (msg_offset == NULL) {
844 0 : DBG_ERR("Programmer misbehaviour\n");
845 0 : goto failed;
846 : }
847 2221662 : *msg = NULL;
848 2221662 : *msg_offset = 0;
849 : }
850 :
851 5524414 : while (*sddl) {
852 318812 : uint32_t flags;
853 3303275 : char c = sddl[0];
854 3303549 : if (sddl[1] != ':') goto failed;
855 :
856 3303026 : sddl += 2;
857 3303026 : switch (c) {
858 2213664 : case 'D':
859 2213664 : if (sd->dacl != NULL) goto failed;
860 2213664 : sd->dacl = sddl_decode_acl(sd, &sddl, &flags, &state, msg, msg_offset);
861 2213664 : if (sd->dacl == NULL) goto failed;
862 2213577 : sd->type |= flags | SEC_DESC_DACL_PRESENT;
863 2213577 : break;
864 1050199 : case 'S':
865 1050199 : if (sd->sacl != NULL) goto failed;
866 1050199 : sd->sacl = sddl_decode_acl(sd, &sddl, &flags, &state, msg, msg_offset);
867 1050199 : if (sd->sacl == NULL) goto failed;
868 : /* this relies on the SEC_DESC_SACL_* flags being
869 : 1 bit shifted from the SEC_DESC_DACL_* flags */
870 1050174 : sd->type |= (flags<<1) | SEC_DESC_SACL_PRESENT;
871 1050174 : break;
872 20706 : case 'O':
873 20706 : if (sd->owner_sid != NULL) goto failed;
874 20706 : sd->owner_sid = sddl_transition_decode_sid(sd, &sddl, &state);
875 20706 : if (sd->owner_sid == NULL) goto failed;
876 12710 : break;
877 18453 : case 'G':
878 18453 : if (sd->group_sid != NULL) goto failed;
879 18453 : sd->group_sid = sddl_transition_decode_sid(sd, &sddl, &state);
880 18453 : if (sd->group_sid == NULL) goto failed;
881 10778 : break;
882 4 : default:
883 4 : goto failed;
884 : }
885 : }
886 2002303 : return sd;
887 523 : failed:
888 523 : if (msg != NULL) {
889 523 : if (*msg != NULL) {
890 18 : *msg = talloc_steal(mem_ctx, *msg);
891 : }
892 : /*
893 : * The actual message (*msg) might still be NULL, but the
894 : * offset at least provides a clue.
895 : */
896 523 : *msg_offset += sddl - start;
897 : }
898 523 : DEBUG(2,("Badly formatted SDDL '%s'\n", sddl));
899 523 : talloc_free(sd);
900 523 : return NULL;
901 : }
902 :
903 :
904 : /*
905 : decode a security descriptor in SDDL format
906 : */
907 2172214 : struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl,
908 : const struct dom_sid *domain_sid)
909 : {
910 2172214 : const char *msg = NULL;
911 2172214 : size_t msg_offset = 0;
912 2172214 : struct security_descriptor *sd = sddl_decode_err_msg(mem_ctx, sddl, domain_sid,
913 : &msg, &msg_offset);
914 2172214 : DBG_NOTICE("could not decode '%s'\n", sddl);
915 2172214 : if (msg != NULL) {
916 1 : DBG_NOTICE(" %*c\n", (int)msg_offset, '^');
917 1 : DBG_NOTICE("error '%s'\n", msg);
918 1 : talloc_free(discard_const(msg));
919 : }
920 2172214 : return sd;
921 : }
922 :
923 : /*
924 : turn a set of flags into a string
925 : */
926 1932611 : static char *sddl_flags_to_string(TALLOC_CTX *mem_ctx, const struct flag_map *map,
927 : uint32_t flags, bool check_all)
928 : {
929 362105 : int i;
930 362105 : char *s;
931 :
932 : /* try to find an exact match */
933 16919222 : for (i=0;map[i].name;i++) {
934 15792573 : if (map[i].flag == flags) {
935 805962 : return talloc_strdup(mem_ctx, map[i].name);
936 : }
937 : }
938 :
939 1126649 : s = talloc_strdup(mem_ctx, "");
940 :
941 : /* now by bits */
942 12797466 : for (i=0;map[i].name;i++) {
943 11459097 : if ((flags & map[i].flag) != 0) {
944 4839617 : s = talloc_asprintf_append_buffer(s, "%s", map[i].name);
945 4839617 : if (s == NULL) goto failed;
946 4839617 : flags &= ~map[i].flag;
947 : }
948 : }
949 :
950 1126649 : if (check_all && flags != 0) {
951 12443 : goto failed;
952 : }
953 :
954 903518 : return s;
955 :
956 12443 : failed:
957 12443 : talloc_free(s);
958 12443 : return NULL;
959 : }
960 :
961 : /*
962 : encode a sid in SDDL format
963 : */
964 784596 : static char *sddl_transition_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
965 : struct sddl_transition_state *state)
966 : {
967 784596 : bool in_machine = dom_sid_in_domain(state->machine_sid, sid);
968 784596 : bool in_domain = dom_sid_in_domain(state->domain_sid, sid);
969 784596 : bool in_forest = dom_sid_in_domain(state->forest_sid, sid);
970 144044 : struct dom_sid_buf buf;
971 784596 : const char *sidstr = dom_sid_str_buf(sid, &buf);
972 784596 : uint32_t rid = 0;
973 144044 : size_t i;
974 :
975 784596 : if (sid->num_auths > 1) {
976 478799 : rid = sid->sub_auths[sid->num_auths-1];
977 : }
978 :
979 26995061 : for (i=0;i<ARRAY_SIZE(sid_codes);i++) {
980 : /* seen if its a well known sid */
981 26923155 : if (sid_codes[i].sid != NULL) {
982 4269703 : int cmp;
983 :
984 23340466 : cmp = strcmp(sidstr, sid_codes[i].sid);
985 23340466 : if (cmp != 0) {
986 22914171 : continue;
987 : }
988 :
989 426295 : return talloc_strdup(mem_ctx, sid_codes[i].code);
990 : }
991 :
992 3582689 : if (rid == 0) {
993 408 : continue;
994 : }
995 :
996 3582281 : if (in_machine && sid_codes[i].machine_rid == rid) {
997 2255 : return talloc_strdup(mem_ctx, sid_codes[i].code);
998 : }
999 3580026 : if (in_domain && sid_codes[i].domain_rid == rid) {
1000 111118 : return talloc_strdup(mem_ctx, sid_codes[i].code);
1001 : }
1002 3468908 : if (in_forest && sid_codes[i].forest_rid == rid) {
1003 173022 : return talloc_strdup(mem_ctx, sid_codes[i].code);
1004 : }
1005 : }
1006 :
1007 71906 : return talloc_strdup(mem_ctx, sidstr);
1008 : }
1009 :
1010 203 : char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
1011 : const struct dom_sid *domain_sid)
1012 : {
1013 203 : struct sddl_transition_state state = {
1014 : /*
1015 : * TODO: verify .machine_rid values really belong to
1016 : * to the machine_sid on a member, once
1017 : * we pass machine_sid from the caller...
1018 : */
1019 : .machine_sid = domain_sid,
1020 : .domain_sid = domain_sid,
1021 : .forest_sid = domain_sid,
1022 : };
1023 203 : return sddl_transition_encode_sid(mem_ctx, sid, &state);
1024 : }
1025 :
1026 :
1027 :
1028 : /*
1029 : encode an ACE in SDDL format
1030 : */
1031 601864 : static char *sddl_transition_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace,
1032 : struct sddl_transition_state *state)
1033 : {
1034 601864 : char *sddl = NULL;
1035 112490 : TALLOC_CTX *tmp_ctx;
1036 112490 : struct GUID_txt_buf object_buf, iobject_buf;
1037 601864 : const char *sddl_type="", *sddl_flags="", *sddl_mask="",
1038 601864 : *sddl_object="", *sddl_iobject="", *sddl_trustee="";
1039 601864 : tmp_ctx = talloc_new(mem_ctx);
1040 601864 : if (tmp_ctx == NULL) {
1041 0 : DEBUG(0, ("talloc_new failed\n"));
1042 0 : return NULL;
1043 : }
1044 :
1045 601864 : sddl_type = sddl_flags_to_string(tmp_ctx, ace_types, ace->type, true);
1046 601864 : if (sddl_type == NULL) {
1047 0 : goto failed;
1048 : }
1049 :
1050 601864 : sddl_flags = sddl_flags_to_string(tmp_ctx, ace_flags, ace->flags,
1051 : true);
1052 601864 : if (sddl_flags == NULL) {
1053 0 : goto failed;
1054 : }
1055 :
1056 714354 : sddl_mask = sddl_flags_to_string(tmp_ctx, ace_access_mask,
1057 601864 : ace->access_mask, true);
1058 601864 : if (sddl_mask == NULL) {
1059 13475 : sddl_mask = sddl_match_file_rights(tmp_ctx,
1060 12443 : ace->access_mask);
1061 12443 : if (sddl_mask == NULL) {
1062 4000 : sddl_mask = talloc_asprintf(tmp_ctx, "0x%x",
1063 4000 : ace->access_mask);
1064 : }
1065 12443 : if (sddl_mask == NULL) {
1066 0 : goto failed;
1067 : }
1068 : }
1069 :
1070 601864 : if (sec_ace_object(ace->type)) {
1071 204021 : const struct security_ace_object *object = &ace->object.object;
1072 :
1073 204021 : if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
1074 182991 : sddl_object = GUID_buf_string(
1075 : &object->type.type, &object_buf);
1076 : }
1077 :
1078 204021 : if (ace->object.object.flags &
1079 : SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
1080 145879 : sddl_iobject = GUID_buf_string(
1081 : &object->inherited_type.inherited_type,
1082 : &iobject_buf);
1083 : }
1084 : }
1085 601864 : sddl_trustee = sddl_transition_encode_sid(tmp_ctx, &ace->trustee, state);
1086 601864 : if (sddl_trustee == NULL) {
1087 0 : goto failed;
1088 : }
1089 :
1090 601864 : if (sec_ace_callback(ace->type)) {
1091 : /* encode the conditional part */
1092 664 : struct ace_condition_script *s = NULL;
1093 664 : const char *sddl_conditions = NULL;
1094 :
1095 664 : s = parse_conditional_ace(tmp_ctx, ace->coda.conditions);
1096 :
1097 664 : if (s == NULL) {
1098 0 : goto failed;
1099 : }
1100 :
1101 664 : sddl_conditions = sddl_from_conditional_ace(tmp_ctx, s);
1102 664 : if (sddl_conditions == NULL) {
1103 0 : goto failed;
1104 : }
1105 :
1106 664 : sddl = talloc_asprintf(mem_ctx, "%s;%s;%s;%s;%s;%s;%s",
1107 : sddl_type, sddl_flags, sddl_mask,
1108 : sddl_object, sddl_iobject,
1109 : sddl_trustee, sddl_conditions);
1110 601200 : } else if (sec_ace_resource(ace->type)) {
1111 : /* encode the resource part */
1112 7 : const char *coda = NULL;
1113 7 : coda = sddl_resource_attr_from_claim(tmp_ctx,
1114 : &ace->coda.claim);
1115 :
1116 7 : if (coda == NULL) {
1117 0 : DBG_WARNING("resource ACE has invalid claim\n");
1118 0 : goto failed;
1119 : }
1120 7 : sddl = talloc_asprintf(mem_ctx, "%s;%s;%s;%s;%s;%s;%s",
1121 : sddl_type, sddl_flags, sddl_mask,
1122 : sddl_object, sddl_iobject,
1123 : sddl_trustee, coda);
1124 : } else {
1125 601193 : sddl = talloc_asprintf(mem_ctx, "%s;%s;%s;%s;%s;%s",
1126 : sddl_type, sddl_flags, sddl_mask,
1127 : sddl_object, sddl_iobject, sddl_trustee);
1128 : }
1129 601864 : failed:
1130 601864 : talloc_free(tmp_ctx);
1131 601864 : return sddl;
1132 : }
1133 :
1134 13 : char *sddl_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace,
1135 : const struct dom_sid *domain_sid)
1136 : {
1137 13 : struct sddl_transition_state state = {
1138 : /*
1139 : * TODO: verify .machine_rid values really belong to
1140 : * to the machine_sid on a member, once
1141 : * we pass machine_sid from the caller...
1142 : */
1143 : .machine_sid = domain_sid,
1144 : .domain_sid = domain_sid,
1145 : .forest_sid = domain_sid,
1146 : };
1147 13 : return sddl_transition_encode_ace(mem_ctx, ace, &state);
1148 : }
1149 :
1150 : /*
1151 : encode an ACL in SDDL format
1152 : */
1153 127019 : static char *sddl_encode_acl(TALLOC_CTX *mem_ctx, const struct security_acl *acl,
1154 : uint32_t flags, struct sddl_transition_state *state)
1155 : {
1156 24635 : char *sddl;
1157 24635 : uint32_t i;
1158 :
1159 : /* add any ACL flags */
1160 127019 : sddl = sddl_flags_to_string(mem_ctx, acl_flags, flags, false);
1161 127019 : if (sddl == NULL) goto failed;
1162 :
1163 : /* now the ACEs, encoded in braces */
1164 728870 : for (i=0;i<acl->num_aces;i++) {
1165 601851 : char *ace = sddl_transition_encode_ace(sddl, &acl->aces[i], state);
1166 601851 : if (ace == NULL) goto failed;
1167 601851 : sddl = talloc_asprintf_append_buffer(sddl, "(%s)", ace);
1168 601851 : if (sddl == NULL) goto failed;
1169 601851 : talloc_free(ace);
1170 : }
1171 :
1172 102384 : return sddl;
1173 :
1174 0 : failed:
1175 0 : talloc_free(sddl);
1176 0 : return NULL;
1177 : }
1178 :
1179 :
1180 : /*
1181 : encode a security descriptor to SDDL format
1182 : */
1183 92667 : char *sddl_encode(TALLOC_CTX *mem_ctx, const struct security_descriptor *sd,
1184 : const struct dom_sid *domain_sid)
1185 : {
1186 92667 : struct sddl_transition_state state = {
1187 : /*
1188 : * TODO: verify .machine_rid values really belong to
1189 : * to the machine_sid on a member, once
1190 : * we pass machine_sid from the caller...
1191 : */
1192 : .machine_sid = domain_sid,
1193 : .domain_sid = domain_sid,
1194 : .forest_sid = domain_sid,
1195 : };
1196 16088 : char *sddl;
1197 16088 : TALLOC_CTX *tmp_ctx;
1198 :
1199 : /* start with a blank string */
1200 92667 : sddl = talloc_strdup(mem_ctx, "");
1201 92667 : if (sddl == NULL) goto failed;
1202 :
1203 92667 : tmp_ctx = talloc_new(mem_ctx);
1204 :
1205 92667 : if (sd->owner_sid != NULL) {
1206 91737 : char *sid = sddl_transition_encode_sid(tmp_ctx, sd->owner_sid, &state);
1207 91737 : if (sid == NULL) goto failed;
1208 91737 : sddl = talloc_asprintf_append_buffer(sddl, "O:%s", sid);
1209 91737 : if (sddl == NULL) goto failed;
1210 : }
1211 :
1212 92667 : if (sd->group_sid != NULL) {
1213 90792 : char *sid = sddl_transition_encode_sid(tmp_ctx, sd->group_sid, &state);
1214 90792 : if (sid == NULL) goto failed;
1215 90792 : sddl = talloc_asprintf_append_buffer(sddl, "G:%s", sid);
1216 90792 : if (sddl == NULL) goto failed;
1217 : }
1218 :
1219 92667 : if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl != NULL) {
1220 86344 : char *acl = sddl_encode_acl(tmp_ctx, sd->dacl, sd->type, &state);
1221 86344 : if (acl == NULL) goto failed;
1222 86344 : sddl = talloc_asprintf_append_buffer(sddl, "D:%s", acl);
1223 86344 : if (sddl == NULL) goto failed;
1224 : }
1225 :
1226 92667 : if ((sd->type & SEC_DESC_SACL_PRESENT) && sd->sacl != NULL) {
1227 40675 : char *acl = sddl_encode_acl(tmp_ctx, sd->sacl, sd->type>>1, &state);
1228 40675 : if (acl == NULL) goto failed;
1229 40675 : sddl = talloc_asprintf_append_buffer(sddl, "S:%s", acl);
1230 40675 : if (sddl == NULL) goto failed;
1231 : }
1232 :
1233 92667 : talloc_free(tmp_ctx);
1234 92667 : return sddl;
1235 :
1236 0 : failed:
1237 0 : talloc_free(sddl);
1238 0 : return NULL;
1239 : }
|
