00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012
00013
00014
00015
00016
00017
00018
00019
00020
00021
00022
00023
00024 #include "includes.h"
00025
00026
00027
00028
00029
00030 BOOL sec_ace_object(uint8 type)
00031 {
00032 if (type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
00033 type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT ||
00034 type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT ||
00035 type == SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT) {
00036 return True;
00037 }
00038 return False;
00039 }
00040
00041
00042
00043
00044 void sec_ace_copy(SEC_ACE *ace_dest, SEC_ACE *ace_src)
00045 {
00046 ace_dest->type = ace_src->type;
00047 ace_dest->flags = ace_src->flags;
00048 ace_dest->size = ace_src->size;
00049 ace_dest->access_mask = ace_src->access_mask;
00050 ace_dest->obj_flags = ace_src->obj_flags;
00051 memcpy(&ace_dest->obj_guid, &ace_src->obj_guid, sizeof(struct GUID));
00052 memcpy(&ace_dest->inh_guid, &ace_src->inh_guid, sizeof(struct GUID));
00053 sid_copy(&ace_dest->trustee, &ace_src->trustee);
00054 }
00055
00056
00057
00058
00059
00060 void init_sec_ace(SEC_ACE *t, const DOM_SID *sid, uint8 type, SEC_ACCESS mask, uint8 flag)
00061 {
00062 t->type = type;
00063 t->flags = flag;
00064 t->size = sid_size(sid) + 8;
00065 t->access_mask = mask;
00066
00067 ZERO_STRUCTP(&t->trustee);
00068 sid_copy(&t->trustee, sid);
00069 }
00070
00071
00072
00073
00074
00075 NTSTATUS sec_ace_add_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, unsigned *num, DOM_SID *sid, uint32 mask)
00076 {
00077 unsigned int i = 0;
00078
00079 if (!ctx || !pp_new || !old || !sid || !num) return NT_STATUS_INVALID_PARAMETER;
00080
00081 *num += 1;
00082
00083 if((pp_new[0] = TALLOC_ZERO_ARRAY(ctx, SEC_ACE, *num )) == 0)
00084 return NT_STATUS_NO_MEMORY;
00085
00086 for (i = 0; i < *num - 1; i ++)
00087 sec_ace_copy(&(*pp_new)[i], &old[i]);
00088
00089 (*pp_new)[i].type = 0;
00090 (*pp_new)[i].flags = 0;
00091 (*pp_new)[i].size = SEC_ACE_HEADER_SIZE + sid_size(sid);
00092 (*pp_new)[i].access_mask = mask;
00093 sid_copy(&(*pp_new)[i].trustee, sid);
00094 return NT_STATUS_OK;
00095 }
00096
00097
00098
00099
00100
00101 NTSTATUS sec_ace_mod_sid(SEC_ACE *ace, size_t num, DOM_SID *sid, uint32 mask)
00102 {
00103 unsigned int i = 0;
00104
00105 if (!ace || !sid) return NT_STATUS_INVALID_PARAMETER;
00106
00107 for (i = 0; i < num; i ++) {
00108 if (sid_compare(&ace[i].trustee, sid) == 0) {
00109 ace[i].access_mask = mask;
00110 return NT_STATUS_OK;
00111 }
00112 }
00113 return NT_STATUS_NOT_FOUND;
00114 }
00115
00116
00117
00118
00119
00120 NTSTATUS sec_ace_del_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, uint32 *num, DOM_SID *sid)
00121 {
00122 unsigned int i = 0;
00123 unsigned int n_del = 0;
00124
00125 if (!ctx || !pp_new || !old || !sid || !num) return NT_STATUS_INVALID_PARAMETER;
00126
00127 if (*num) {
00128 if((pp_new[0] = TALLOC_ZERO_ARRAY(ctx, SEC_ACE, *num )) == 0)
00129 return NT_STATUS_NO_MEMORY;
00130 } else {
00131 pp_new[0] = NULL;
00132 }
00133
00134 for (i = 0; i < *num; i ++) {
00135 if (sid_compare(&old[i].trustee, sid) != 0)
00136 sec_ace_copy(&(*pp_new)[i], &old[i]);
00137 else
00138 n_del ++;
00139 }
00140 if (n_del == 0)
00141 return NT_STATUS_NOT_FOUND;
00142 else {
00143 *num -= n_del;
00144 return NT_STATUS_OK;
00145 }
00146 }
00147
00148
00149
00150
00151
00152 BOOL sec_ace_equal(SEC_ACE *s1, SEC_ACE *s2)
00153 {
00154
00155
00156 if (!s1 && !s2) {
00157 return True;
00158 }
00159
00160 if (!s1 || !s2) {
00161 return False;
00162 }
00163
00164
00165
00166 if (s1->type != s2->type || s1->flags != s2->flags ||
00167 s1->access_mask != s2->access_mask) {
00168 return False;
00169 }
00170
00171
00172
00173 if (!sid_equal(&s1->trustee, &s2->trustee)) {
00174 return False;
00175 }
00176
00177 return True;
00178 }
00179
00180 int nt_ace_inherit_comp( SEC_ACE *a1, SEC_ACE *a2)
00181 {
00182 int a1_inh = a1->flags & SEC_ACE_FLAG_INHERITED_ACE;
00183 int a2_inh = a2->flags & SEC_ACE_FLAG_INHERITED_ACE;
00184
00185 if (a1_inh == a2_inh)
00186 return 0;
00187
00188 if (!a1_inh && a2_inh)
00189 return -1;
00190 return 1;
00191 }
00192
00193
00194
00195
00196
00197 int nt_ace_canon_comp( SEC_ACE *a1, SEC_ACE *a2)
00198 {
00199 if ((a1->type == SEC_ACE_TYPE_ACCESS_DENIED) &&
00200 (a2->type != SEC_ACE_TYPE_ACCESS_DENIED))
00201 return -1;
00202
00203 if ((a2->type == SEC_ACE_TYPE_ACCESS_DENIED) &&
00204 (a1->type != SEC_ACE_TYPE_ACCESS_DENIED))
00205 return 1;
00206
00207
00208
00209
00210
00211 if (!(a1->flags & SEC_ACE_FLAG_INHERIT_ONLY) &&
00212 (a2->flags & SEC_ACE_FLAG_INHERIT_ONLY))
00213 return -1;
00214 else if (!(a2->flags & SEC_ACE_FLAG_INHERIT_ONLY) &&
00215 (a1->flags & SEC_ACE_FLAG_INHERIT_ONLY))
00216 return 1;
00217
00218
00219
00220
00221 if (a1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT) &&
00222 !(a2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT)))
00223 return -1;
00224 else if (a2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT) &&
00225 !(a1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT)))
00226 return 1;
00227
00228 return 0;
00229 }
00230
00231
00232
00233
00234
00235
00236
00237
00238
00239
00240
00241
00242
00243
00244
00245
00246
00247
00248
00249
00250
00251
00252 void dacl_sort_into_canonical_order(SEC_ACE *srclist, unsigned int num_aces)
00253 {
00254 unsigned int i;
00255
00256 if (!srclist || num_aces == 0)
00257 return;
00258
00259
00260 qsort( srclist, num_aces, sizeof(srclist[0]), QSORT_CAST nt_ace_inherit_comp);
00261
00262
00263 for (i = 0; i < num_aces; i++ ) {
00264 SEC_ACE *curr_ace = &srclist[i];
00265
00266 if (curr_ace->flags & SEC_ACE_FLAG_INHERITED_ACE)
00267 break;
00268 }
00269
00270
00271
00272
00273 if (i)
00274 qsort( srclist, i, sizeof(srclist[0]), QSORT_CAST nt_ace_canon_comp);
00275
00276
00277 if (num_aces - i)
00278 qsort( &srclist[i], num_aces - i, sizeof(srclist[0]), QSORT_CAST nt_ace_canon_comp);
00279 }
00280
00281
00282
00283
00284
00285 BOOL token_sid_in_ace(const NT_USER_TOKEN *token, const SEC_ACE *ace)
00286 {
00287 size_t i;
00288
00289 for (i = 0; i < token->num_sids; i++) {
00290 if (sid_equal(&ace->trustee, &token->user_sids[i]))
00291 return True;
00292 }
00293
00294 return False;
00295 }