Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 :
4 : security descriptor description language functions
5 :
6 : Copyright (C) Andrew Tridgell 2005
7 :
8 : This program is free software; you can redistribute it and/or modify
9 : it under the terms of the GNU General Public License as published by
10 : the Free Software Foundation; either version 3 of the License, or
11 : (at your option) any later version.
12 :
13 : This program is distributed in the hope that it will be useful,
14 : but WITHOUT ANY WARRANTY; without even the implied warranty of
15 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 : GNU General Public License for more details.
17 :
18 : You should have received a copy of the GNU General Public License
19 : along with this program. If not, see <http://www.gnu.org/licenses/>.
20 : */
21 :
22 : #include "replace.h"
23 : #include "lib/util/debug.h"
24 : #include "libcli/security/security.h"
25 : #include "libcli/security/conditional_ace.h"
26 : #include "librpc/gen_ndr/ndr_misc.h"
27 : #include "lib/util/smb_strtox.h"
28 : #include "libcli/security/sddl.h"
29 : #include "system/locale.h"
30 : #include "lib/util/util_str_hex.h"
31 :
32 :
33 : struct sddl_transition_state {
34 : const struct dom_sid *machine_sid;
35 : const struct dom_sid *domain_sid;
36 : const struct dom_sid *forest_sid;
37 : };
38 :
39 : struct flag_map {
40 : const char *name;
41 : uint32_t flag;
42 : };
43 :
44 87763299 : static bool sddl_map_flag(
45 : const struct flag_map *map,
46 : const char *str,
47 : size_t *plen,
48 : uint32_t *pflag)
49 : {
50 514002772 : while (map->name != NULL) {
51 473356865 : size_t len = strlen(map->name);
52 473356865 : int cmp = strncmp(map->name, str, len);
53 :
54 473356865 : if (cmp == 0) {
55 47117392 : *plen = len;
56 47117392 : *pflag = map->flag;
57 47117392 : return true;
58 : }
59 426239473 : map += 1;
60 : }
61 36340707 : return false;
62 : }
63 :
64 : /*
65 : map a series of letter codes into a uint32_t
66 : */
67 8391393 : static bool sddl_map_flags(const struct flag_map *map, const char *str,
68 : uint32_t *pflags, size_t *plen,
69 : bool unknown_flag_is_part_of_next_thing)
70 : {
71 8391393 : const char *str0 = str;
72 8391393 : if (plen != NULL) {
73 2224985 : *plen = 0;
74 : }
75 8391393 : *pflags = 0;
76 8696512 : while (str[0] != '\0' && isupper((unsigned char)str[0])) {
77 90191 : size_t len;
78 90191 : uint32_t flags;
79 90191 : bool found;
80 :
81 305130 : found = sddl_map_flag(map, str, &len, &flags);
82 305130 : if (!found) {
83 0 : break;
84 : }
85 :
86 305119 : *pflags |= flags;
87 305119 : if (plen != NULL) {
88 54107 : *plen += len;
89 : }
90 305119 : str += len;
91 : }
92 : /*
93 : * For ACL flags, unknown_flag_is_part_of_next_thing is set,
94 : * and we expect some more stuff that isn't flags.
95 : *
96 : * For ACE flags, unknown_flag_is_part_of_next_thing is unset,
97 : * and the flags have been tokenised into their own little
98 : * string. We don't expect anything here, even whitespace.
99 : */
100 8391393 : if (*str == '\0' || unknown_flag_is_part_of_next_thing) {
101 7663187 : return true;
102 : }
103 3 : DBG_WARNING("Unknown flag - '%s' in '%s'\n", str, str0);
104 0 : return false;
105 : }
106 :
107 :
108 : /*
109 : a mapping between the 2 letter SID codes and sid strings
110 : */
111 : static const struct {
112 : const char *code;
113 : const char *sid;
114 : uint32_t machine_rid;
115 : uint32_t domain_rid;
116 : uint32_t forest_rid;
117 : } sid_codes[] = {
118 : { .code = "WD", .sid = SID_WORLD },
119 :
120 : { .code = "CO", .sid = SID_CREATOR_OWNER },
121 : { .code = "CG", .sid = SID_CREATOR_GROUP },
122 : { .code = "OW", .sid = SID_OWNER_RIGHTS },
123 :
124 : { .code = "NU", .sid = SID_NT_NETWORK },
125 : { .code = "IU", .sid = SID_NT_INTERACTIVE },
126 : { .code = "SU", .sid = SID_NT_SERVICE },
127 : { .code = "AN", .sid = SID_NT_ANONYMOUS },
128 : { .code = "ED", .sid = SID_NT_ENTERPRISE_DCS },
129 : { .code = "PS", .sid = SID_NT_SELF },
130 : { .code = "AU", .sid = SID_NT_AUTHENTICATED_USERS },
131 : { .code = "RC", .sid = SID_NT_RESTRICTED },
132 : { .code = "SY", .sid = SID_NT_SYSTEM },
133 : { .code = "LS", .sid = SID_NT_LOCAL_SERVICE },
134 : { .code = "NS", .sid = SID_NT_NETWORK_SERVICE },
135 : { .code = "WR", .sid = SID_SECURITY_RESTRICTED_CODE },
136 :
137 : { .code = "BA", .sid = SID_BUILTIN_ADMINISTRATORS },
138 : { .code = "BU", .sid = SID_BUILTIN_USERS },
139 : { .code = "BG", .sid = SID_BUILTIN_GUESTS },
140 : { .code = "PU", .sid = SID_BUILTIN_POWER_USERS },
141 : { .code = "AO", .sid = SID_BUILTIN_ACCOUNT_OPERATORS },
142 : { .code = "SO", .sid = SID_BUILTIN_SERVER_OPERATORS },
143 : { .code = "PO", .sid = SID_BUILTIN_PRINT_OPERATORS },
144 : { .code = "BO", .sid = SID_BUILTIN_BACKUP_OPERATORS },
145 : { .code = "RE", .sid = SID_BUILTIN_REPLICATOR },
146 : { .code = "RU", .sid = SID_BUILTIN_PREW2K },
147 : { .code = "RD", .sid = SID_BUILTIN_REMOTE_DESKTOP_USERS },
148 : { .code = "NO", .sid = SID_BUILTIN_NETWORK_CONF_OPERATORS },
149 :
150 : { .code = "MU", .sid = SID_BUILTIN_PERFMON_USERS },
151 : { .code = "LU", .sid = SID_BUILTIN_PERFLOG_USERS },
152 : { .code = "IS", .sid = SID_BUILTIN_IUSERS },
153 : { .code = "CY", .sid = SID_BUILTIN_CRYPTO_OPERATORS },
154 : { .code = "ER", .sid = SID_BUILTIN_EVENT_LOG_READERS },
155 : { .code = "CD", .sid = SID_BUILTIN_CERT_SERV_DCOM_ACCESS },
156 : { .code = "RA", .sid = SID_BUILTIN_RDS_REMOTE_ACCESS_SERVERS },
157 : { .code = "ES", .sid = SID_BUILTIN_RDS_ENDPOINT_SERVERS },
158 : { .code = "MS", .sid = SID_BUILTIN_RDS_MANAGEMENT_SERVERS },
159 : { .code = "HA", .sid = SID_BUILTIN_HYPER_V_ADMINS },
160 : { .code = "AA", .sid = SID_BUILTIN_ACCESS_CONTROL_ASSISTANCE_OPS },
161 : { .code = "RM", .sid = SID_BUILTIN_REMOTE_MANAGEMENT_USERS },
162 :
163 : { .code = "UD", .sid = SID_USER_MODE_DRIVERS },
164 :
165 : { .code = "AC", .sid = SID_SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE },
166 :
167 : { .code = "LW", .sid = SID_SECURITY_MANDATORY_LOW },
168 : { .code = "ME", .sid = SID_SECURITY_MANDATORY_MEDIUM },
169 : { .code = "MP", .sid = SID_SECURITY_MANDATORY_MEDIUM_PLUS },
170 : { .code = "HI", .sid = SID_SECURITY_MANDATORY_HIGH },
171 : { .code = "SI", .sid = SID_SECURITY_MANDATORY_SYSTEM },
172 :
173 : { .code = "AS", .sid = SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY },
174 : { .code = "SS", .sid = SID_SERVICE_ASSERTED_IDENTITY },
175 :
176 : { .code = "RO", .forest_rid = DOMAIN_RID_ENTERPRISE_READONLY_DCS },
177 :
178 : { .code = "LA", .machine_rid = DOMAIN_RID_ADMINISTRATOR },
179 : { .code = "LG", .machine_rid = DOMAIN_RID_GUEST },
180 :
181 : { .code = "DA", .domain_rid = DOMAIN_RID_ADMINS },
182 : { .code = "DU", .domain_rid = DOMAIN_RID_USERS },
183 : { .code = "DG", .domain_rid = DOMAIN_RID_GUESTS },
184 : { .code = "DC", .domain_rid = DOMAIN_RID_DOMAIN_MEMBERS },
185 : { .code = "DD", .domain_rid = DOMAIN_RID_DCS },
186 : { .code = "CA", .domain_rid = DOMAIN_RID_CERT_ADMINS },
187 : { .code = "SA", .forest_rid = DOMAIN_RID_SCHEMA_ADMINS },
188 : { .code = "EA", .forest_rid = DOMAIN_RID_ENTERPRISE_ADMINS },
189 : { .code = "PA", .domain_rid = DOMAIN_RID_POLICY_ADMINS },
190 :
191 : { .code = "CN", .domain_rid = DOMAIN_RID_CLONEABLE_CONTROLLERS },
192 :
193 : { .code = "AP", .domain_rid = DOMAIN_RID_PROTECTED_USERS },
194 : { .code = "KA", .domain_rid = DOMAIN_RID_KEY_ADMINS },
195 : { .code = "EK", .forest_rid = DOMAIN_RID_ENTERPRISE_KEY_ADMINS },
196 :
197 : { .code = "RS", .domain_rid = DOMAIN_RID_RAS_SERVERS }
198 : };
199 :
200 : /*
201 : decode a SID
202 : It can either be a special 2 letter code, or in S-* format
203 : */
204 6206404 : static struct dom_sid *sddl_transition_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
205 : struct sddl_transition_state *state)
206 : {
207 6206404 : const char *sddl = (*sddlp);
208 520443 : size_t i;
209 :
210 : /* see if its in the numeric format */
211 6206404 : if (strncasecmp(sddl, "S-", 2) == 0) {
212 303778 : struct dom_sid *sid = NULL;
213 303778 : char *sid_str = NULL;
214 303778 : const char *end = NULL;
215 35658 : bool ok;
216 303778 : size_t len = strspn(sddl + 2, "-0123456789ABCDEFabcdefxX") + 2;
217 303778 : if (len < 5) { /* S-1-x */
218 0 : return NULL;
219 : }
220 303771 : if (sddl[len - 1] == 'D' && sddl[len] == ':') {
221 : /*
222 : * we have run into the "D:" dacl marker, mistaking it
223 : * for a hex digit. There is no other way for this
224 : * pair to occur at the end of a SID in SDDL.
225 : */
226 7385 : len--;
227 : }
228 :
229 303771 : sid_str = talloc_strndup(mem_ctx, sddl, len);
230 303771 : if (sid_str == NULL) {
231 0 : return NULL;
232 : }
233 303771 : if (sid_str[0] == 's') {
234 : /*
235 : * In SDDL, but not in the dom_sid parsers, a
236 : * lowercase "s-1-1-0" is accepted.
237 : */
238 10 : sid_str[0] = 'S';
239 : }
240 303771 : sid = talloc(mem_ctx, struct dom_sid);
241 303771 : if (sid == NULL) {
242 0 : TALLOC_FREE(sid_str);
243 0 : return NULL;
244 35651 : };
245 303771 : ok = dom_sid_parse_endp(sid_str, sid, &end);
246 303771 : if (!ok) {
247 116 : DBG_WARNING("could not parse SID '%s'\n", sid_str);
248 116 : TALLOC_FREE(sid_str);
249 116 : TALLOC_FREE(sid);
250 116 : return NULL;
251 : }
252 303655 : if (end - sid_str != len) {
253 0 : DBG_WARNING("trailing junk after SID '%s'\n", sid_str);
254 0 : TALLOC_FREE(sid_str);
255 0 : TALLOC_FREE(sid);
256 0 : return NULL;
257 : }
258 303655 : TALLOC_FREE(sid_str);
259 303655 : (*sddlp) += len;
260 303655 : return sid;
261 : }
262 :
263 : /* now check for one of the special codes */
264 137927881 : for (i=0;i<ARRAY_SIZE(sid_codes);i++) {
265 137927834 : if (strncmp(sid_codes[i].code, sddl, 2) == 0) break;
266 : }
267 5902626 : if (i == ARRAY_SIZE(sid_codes)) {
268 47 : DEBUG(1,("Unknown sddl sid code '%2.2s'\n", sddl));
269 47 : return NULL;
270 : }
271 :
272 5902579 : (*sddlp) += 2;
273 :
274 :
275 5902579 : if (sid_codes[i].machine_rid != 0) {
276 2292 : return dom_sid_add_rid(mem_ctx, state->machine_sid,
277 1970 : sid_codes[i].machine_rid);
278 : }
279 :
280 5900287 : if (sid_codes[i].domain_rid != 0) {
281 1464954 : return dom_sid_add_rid(mem_ctx, state->domain_sid,
282 1335357 : sid_codes[i].domain_rid);
283 : }
284 :
285 4435333 : if (sid_codes[i].forest_rid != 0) {
286 27307 : return dom_sid_add_rid(mem_ctx, state->forest_sid,
287 23198 : sid_codes[i].forest_rid);
288 : }
289 :
290 4408026 : return dom_sid_parse_talloc(mem_ctx, sid_codes[i].sid);
291 : }
292 :
293 851 : struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
294 : const struct dom_sid *domain_sid)
295 : {
296 851 : struct sddl_transition_state state = {
297 : /*
298 : * TODO: verify .machine_rid values really belong
299 : * to the machine_sid on a member, once
300 : * we pass machine_sid from the caller...
301 : */
302 : .machine_sid = domain_sid,
303 : .domain_sid = domain_sid,
304 : .forest_sid = domain_sid,
305 : };
306 851 : return sddl_transition_decode_sid(mem_ctx, sddlp, &state);
307 : }
308 :
309 :
310 : static const struct flag_map ace_types[] = {
311 : { "AU", SEC_ACE_TYPE_SYSTEM_AUDIT },
312 : { "AL", SEC_ACE_TYPE_SYSTEM_ALARM },
313 : { "OA", SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT },
314 : { "OD", SEC_ACE_TYPE_ACCESS_DENIED_OBJECT },
315 : { "OU", SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT },
316 : { "OL", SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT },
317 : { "A", SEC_ACE_TYPE_ACCESS_ALLOWED },
318 : { "D", SEC_ACE_TYPE_ACCESS_DENIED },
319 :
320 : { "XA", SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK },
321 : { "XD", SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK },
322 : { "ZA", SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT },
323 : /*
324 : * SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT exists but has
325 : * no SDDL flag.
326 : *
327 : * ZA and XU are switched in [MS-DTYP] as of version 36.0,
328 : * but this should be corrected in later versions.
329 : */
330 : { "XU", SEC_ACE_TYPE_SYSTEM_AUDIT_CALLBACK },
331 :
332 : { "RA", SEC_ACE_TYPE_SYSTEM_RESOURCE_ATTRIBUTE },
333 : { NULL, 0 }
334 : };
335 :
336 : static const struct flag_map ace_flags[] = {
337 : { "OI", SEC_ACE_FLAG_OBJECT_INHERIT },
338 : { "CI", SEC_ACE_FLAG_CONTAINER_INHERIT },
339 : { "NP", SEC_ACE_FLAG_NO_PROPAGATE_INHERIT },
340 : { "IO", SEC_ACE_FLAG_INHERIT_ONLY },
341 : { "ID", SEC_ACE_FLAG_INHERITED_ACE },
342 : { "SA", SEC_ACE_FLAG_SUCCESSFUL_ACCESS },
343 : { "FA", SEC_ACE_FLAG_FAILED_ACCESS },
344 : { NULL, 0 },
345 : };
346 :
347 : static const struct flag_map ace_access_mask[] = {
348 : { "CC", SEC_ADS_CREATE_CHILD },
349 : { "DC", SEC_ADS_DELETE_CHILD },
350 : { "LC", SEC_ADS_LIST },
351 : { "SW", SEC_ADS_SELF_WRITE },
352 : { "RP", SEC_ADS_READ_PROP },
353 : { "WP", SEC_ADS_WRITE_PROP },
354 : { "DT", SEC_ADS_DELETE_TREE },
355 : { "LO", SEC_ADS_LIST_OBJECT },
356 : { "CR", SEC_ADS_CONTROL_ACCESS },
357 : { "SD", SEC_STD_DELETE },
358 : { "RC", SEC_STD_READ_CONTROL },
359 : { "WD", SEC_STD_WRITE_DAC },
360 : { "WO", SEC_STD_WRITE_OWNER },
361 : { "GA", SEC_GENERIC_ALL },
362 : { "GX", SEC_GENERIC_EXECUTE },
363 : { "GW", SEC_GENERIC_WRITE },
364 : { "GR", SEC_GENERIC_READ },
365 : { NULL, 0 }
366 : };
367 :
368 : static const struct flag_map decode_ace_access_mask[] = {
369 : { "FA", FILE_GENERIC_ALL },
370 : { "FR", FILE_GENERIC_READ },
371 : { "FW", FILE_GENERIC_WRITE },
372 : { "FX", FILE_GENERIC_EXECUTE },
373 : { NULL, 0 },
374 : };
375 :
376 :
377 13043 : static char *sddl_match_file_rights(TALLOC_CTX *mem_ctx,
378 : uint32_t flags)
379 : {
380 1032 : int i;
381 :
382 : /* try to find an exact match */
383 30736 : for (i=0;decode_ace_access_mask[i].name;i++) {
384 26348 : if (decode_ace_access_mask[i].flag == flags) {
385 8655 : return talloc_strdup(mem_ctx,
386 8213 : decode_ace_access_mask[i].name);
387 : }
388 : }
389 3798 : return NULL;
390 : }
391 :
392 6166405 : static bool sddl_decode_access(const char *str, uint32_t *pmask)
393 : {
394 6166405 : const char *str0 = str;
395 6166405 : char *end = NULL;
396 6166405 : uint32_t mask = 0;
397 504378 : unsigned long long numeric_mask;
398 504378 : int err;
399 : /*
400 : * The access mask can be a number or a series of flags.
401 : *
402 : * Canonically the number is expressed in hexadecimal (with 0x), but
403 : * per MS-DTYP and Windows behaviour, octal and decimal numbers are
404 : * also accepted.
405 : *
406 : * Windows has two behaviours we choose not to replicate:
407 : *
408 : * 1. numbers exceeding 0xffffffff are truncated at that point,
409 : * turning on all access flags.
410 : *
411 : * 2. negative numbers are accepted, so e.g. -2 becomes 0xfffffffe.
412 : */
413 6166405 : numeric_mask = smb_strtoull(str, &end, 0, &err, SMB_STR_STANDARD);
414 6166405 : if (err == 0) {
415 46251 : if (numeric_mask > UINT32_MAX) {
416 1 : DBG_WARNING("Bad numeric flag value - %llu in %s\n",
417 : numeric_mask, str0);
418 1 : return false;
419 : }
420 46250 : if (end - str > sizeof("037777777777")) {
421 : /* here's the tricky thing: if a number is big
422 : * enough to overflow the uint64, it might end
423 : * up small enough to fit in the uint32, and
424 : * we'd miss that it overflowed. So we count
425 : * the digits -- any more than 12 (for
426 : * "037777777777") is too long for 32 bits,
427 : * and the shortest 64-bit wrapping string is
428 : * 19 (for "0x1" + 16 zeros).
429 : */
430 0 : DBG_WARNING("Bad numeric flag value in '%s'\n", str0);
431 0 : return false;
432 : }
433 46250 : if (*end != '\0') {
434 3 : DBG_WARNING("Bad characters in '%s'\n", str0);
435 3 : return false;
436 : }
437 46247 : *pmask = numeric_mask;
438 46247 : return true;
439 : }
440 : /* It's not a positive number, so we'll look for flags */
441 :
442 46766015 : while ((str[0] != '\0') &&
443 40645883 : (isupper((unsigned char)str[0]) || str[0] == ' ')) {
444 40645876 : uint32_t flags = 0;
445 40645876 : size_t len = 0;
446 4305169 : bool found;
447 40645884 : while (str[0] == ' ') {
448 : /*
449 : * Following Windows we accept spaces between flags
450 : * but not after flags. Not tabs, though, never tabs.
451 : */
452 10 : str++;
453 10 : if (str[0] == '\0') {
454 2 : DBG_WARNING("trailing whitespace in flags "
455 : "- '%s'\n", str0);
456 15 : return false;
457 : }
458 : }
459 40645874 : found = sddl_map_flag(
460 : ace_access_mask, str, &len, &flags);
461 40645874 : found |= sddl_map_flag(
462 : decode_ace_access_mask, str, &len, &flags);
463 40645874 : if (!found) {
464 13 : DEBUG(1, ("Unknown flag - %s in %s\n", str, str0));
465 13 : return false;
466 : }
467 40645861 : mask |= flags;
468 40645861 : str += len;
469 : }
470 6120139 : if (*str != '\0') {
471 7 : DBG_WARNING("Bad characters in '%s'\n", str0);
472 7 : return false;
473 : }
474 6120132 : *pmask = mask;
475 6120132 : return true;
476 : }
477 :
478 :
479 2319009 : static bool sddl_decode_guid(const char *str, struct GUID *guid)
480 : {
481 2319009 : if (strlen(str) != 36) {
482 0 : return false;
483 : }
484 2318996 : return parse_guid_string(str, guid);
485 : }
486 :
487 :
488 :
489 1312 : static DATA_BLOB sddl_decode_conditions(TALLOC_CTX *mem_ctx,
490 : const enum ace_condition_flags ace_condition_flags,
491 : const char *conditions,
492 : size_t *length,
493 : const char **msg,
494 : size_t *msg_offset)
495 : {
496 1312 : DATA_BLOB blob = {0};
497 1312 : struct ace_condition_script *script = NULL;
498 1312 : script = ace_conditions_compile_sddl(mem_ctx,
499 : ace_condition_flags,
500 : conditions,
501 : msg,
502 : msg_offset,
503 : length);
504 1312 : if (script != NULL) {
505 1292 : bool ok = conditional_ace_encode_binary(mem_ctx,
506 : script,
507 : &blob);
508 1292 : if (! ok) {
509 0 : DBG_ERR("could not blobify '%s'\n", conditions);
510 : }
511 : }
512 1312 : return blob;
513 : }
514 :
515 :
516 : /*
517 : decode an ACE
518 : return true on success, false on failure
519 : note that this routine modifies the string
520 : */
521 6166427 : static bool sddl_decode_ace(TALLOC_CTX *mem_ctx,
522 : struct security_ace *ace,
523 : const enum ace_condition_flags ace_condition_flags,
524 : char **sddl_copy,
525 : struct sddl_transition_state *state,
526 : const char **msg, size_t *msg_offset)
527 : {
528 504399 : const char *tok[7];
529 504399 : const char *s;
530 504399 : uint32_t v;
531 504399 : struct dom_sid *sid;
532 504399 : bool ok;
533 504399 : size_t len;
534 6166427 : size_t count = 0;
535 6166427 : char *str = *sddl_copy;
536 6166427 : bool has_extra_data = false;
537 6166427 : ZERO_STRUCTP(ace);
538 :
539 6166427 : *msg_offset = 1;
540 6166427 : if (*str != '(') {
541 0 : *msg = talloc_strdup(mem_ctx, "Not an ACE");
542 0 : return false;
543 : }
544 6166427 : str++;
545 : /*
546 : * First we split apart the 6 (or 7) tokens.
547 : *
548 : * 0. ace type
549 : * 1. ace flags
550 : * 2. access mask
551 : * 3. object guid
552 : * 4. inherit guid
553 : * 5. sid
554 : *
555 : * 6/extra_data rare optional extra data
556 : */
557 6166427 : tok[0] = str;
558 227417545 : while (*str != '\0') {
559 227417544 : if (*str == ';') {
560 30833555 : *str = '\0';
561 30833555 : str++;
562 30833555 : count++;
563 30833555 : tok[count] = str;
564 30833555 : if (count == 6) {
565 : /*
566 : * this looks like a conditional ACE
567 : * or resource ACE, but we can't say
568 : * for sure until we look at the ACE
569 : * type (tok[0]), after the loop.
570 : */
571 701 : has_extra_data = true;
572 701 : break;
573 : }
574 30832124 : continue;
575 : }
576 : /*
577 : * we are not expecting a ')' in the 6 sections of an
578 : * ordinary ACE, except ending the last one.
579 : */
580 196583989 : if (*str == ')') {
581 6164995 : count++;
582 6164995 : *str = '\0';
583 6164995 : str++;
584 6164995 : break;
585 : }
586 190418994 : str++;
587 : }
588 6166427 : if (count != 6) {
589 : /* we hit the '\0' or ')' before all of ';;;;;)' */
590 6 : *msg = talloc_asprintf(mem_ctx,
591 : "malformed ACE with only %zu ';'",
592 : MIN(count - 1, count));
593 6 : return false;
594 : }
595 :
596 : /* parse ace type */
597 6166421 : ok = sddl_map_flag(ace_types, tok[0], &len, &v);
598 6166421 : if (!ok) {
599 9 : *msg = talloc_asprintf(mem_ctx,
600 : "Unknown ACE type - %s", tok[0]);
601 9 : return false;
602 : }
603 6166412 : if (tok[0][len] != '\0') {
604 1 : *msg = talloc_asprintf(mem_ctx,
605 : "Garbage after ACE type - %s", tok[0]);
606 1 : return false;
607 : }
608 :
609 6166411 : ace->type = v;
610 :
611 : /*
612 : * Only callback and resource aces should have trailing data.
613 : */
614 6166411 : if (sec_ace_callback(ace->type)) {
615 1312 : if (! has_extra_data) {
616 0 : *msg = talloc_strdup(
617 : mem_ctx,
618 : "callback ACE has no trailing data");
619 0 : *msg_offset = str - *sddl_copy;
620 0 : return false;
621 : }
622 6165099 : } else if (sec_ace_resource(ace->type)) {
623 111 : if (! has_extra_data) {
624 0 : *msg = talloc_strdup(
625 : mem_ctx,
626 : "resource attribute ACE has no trailing data");
627 0 : *msg_offset = str - *sddl_copy;
628 0 : return false;
629 : }
630 6164988 : } else if (has_extra_data) {
631 3 : *msg = talloc_strdup(
632 : mem_ctx,
633 : "ACE has trailing section but is not a "
634 : "callback or resource ACE");
635 3 : *msg_offset = str - *sddl_copy;
636 3 : return false;
637 : }
638 :
639 : /* ace flags */
640 6166408 : if (!sddl_map_flags(ace_flags, tok[1], &v, NULL, false)) {
641 3 : *msg = talloc_strdup(mem_ctx,
642 : "could not parse flags");
643 3 : *msg_offset = tok[1] - *sddl_copy;
644 3 : return false;
645 : }
646 6166405 : ace->flags = v;
647 :
648 : /* access mask */
649 6166405 : ok = sddl_decode_access(tok[2], &ace->access_mask);
650 6166405 : if (!ok) {
651 26 : *msg = talloc_strdup(mem_ctx,
652 : "could not parse access string");
653 26 : *msg_offset = tok[2] - *sddl_copy;
654 26 : return false;
655 : }
656 :
657 : /* object */
658 6166379 : if (tok[3][0] != 0) {
659 2219347 : ok = sddl_decode_guid(tok[3], &ace->object.object.type.type);
660 2219347 : if (!ok) {
661 7 : *msg = talloc_strdup(mem_ctx,
662 : "could not parse object GUID");
663 7 : *msg_offset = tok[3] - *sddl_copy;
664 7 : return false;
665 : }
666 2219340 : ace->object.object.flags |= SEC_ACE_OBJECT_TYPE_PRESENT;
667 : }
668 :
669 : /* inherit object */
670 6166372 : if (tok[4][0] != 0) {
671 99662 : ok = sddl_decode_guid(tok[4],
672 : &ace->object.object.inherited_type.inherited_type);
673 99662 : if (!ok) {
674 6 : *msg = talloc_strdup(
675 : mem_ctx,
676 : "could not parse inherited object GUID");
677 6 : *msg_offset = tok[4] - *sddl_copy;
678 6 : return false;
679 : }
680 99656 : ace->object.object.flags |= SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT;
681 : }
682 :
683 : /* trustee */
684 6166366 : s = tok[5];
685 6166366 : sid = sddl_transition_decode_sid(mem_ctx, &s, state);
686 6166366 : if (sid == NULL) {
687 10 : *msg = talloc_strdup(
688 : mem_ctx,
689 : "could not parse trustee SID");
690 10 : *msg_offset = tok[5] - *sddl_copy;
691 10 : return false;
692 : }
693 6166356 : ace->trustee = *sid;
694 6166356 : talloc_free(sid);
695 6166356 : if (*s != '\0') {
696 2 : *msg = talloc_strdup(
697 : mem_ctx,
698 : "garbage after trustee SID");
699 2 : *msg_offset = s - *sddl_copy;
700 2 : return false;
701 : }
702 :
703 6166354 : if (sec_ace_callback(ace->type)) {
704 : /*
705 : * This is either a conditional ACE or some unknown
706 : * type of callback ACE that will be rejected by the
707 : * conditional ACE compiler.
708 : */
709 611 : size_t length;
710 1312 : DATA_BLOB conditions = {0};
711 1312 : s = tok[6];
712 :
713 1312 : conditions = sddl_decode_conditions(mem_ctx,
714 : ace_condition_flags,
715 : s,
716 : &length,
717 : msg,
718 : msg_offset);
719 1312 : if (conditions.data == NULL) {
720 20 : DBG_NOTICE("Conditional ACE compilation failure at %zu: %s\n",
721 : *msg_offset, *msg);
722 20 : *msg_offset += s - *sddl_copy;
723 20 : return false;
724 : }
725 1292 : ace->coda.conditions = conditions;
726 :
727 : /*
728 : * We have found the end of the conditions, and the
729 : * next character should be the ')' to end the ACE.
730 : */
731 1292 : if (s[length] != ')') {
732 0 : *msg = talloc_strdup(
733 : mem_ctx,
734 : "Conditional ACE has trailing bytes");
735 0 : *msg_offset = s + length - *sddl_copy;
736 0 : return false;
737 : }
738 1292 : str = discard_const_p(char, s + length + 1);
739 6165042 : } else if (sec_ace_resource(ace->type)) {
740 111 : size_t length;
741 111 : struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *claim = NULL;
742 :
743 111 : if (! dom_sid_equal(&ace->trustee, &global_sid_World)) {
744 : /* these are just the rules */
745 0 : *msg = talloc_strdup(
746 : mem_ctx,
747 : "Resource Attribute ACE trustee must be "
748 : "'S-1-1-0' or 'WD'.");
749 0 : *msg_offset = tok[5] - *sddl_copy;
750 22 : return false;
751 : }
752 :
753 111 : s = tok[6];
754 111 : claim = sddl_decode_resource_attr(mem_ctx, s, &length);
755 111 : if (claim == NULL) {
756 22 : *msg = talloc_strdup(
757 : mem_ctx,
758 : "Resource Attribute ACE parse failure");
759 22 : *msg_offset = s - *sddl_copy;
760 22 : return false;
761 : }
762 89 : ace->coda.claim = *claim;
763 :
764 : /*
765 : * We want a ')' to end the ACE.
766 : */
767 89 : if (s[length] != ')') {
768 0 : *msg = talloc_strdup(
769 : mem_ctx,
770 : "Resource Attribute ACE has trailing bytes");
771 0 : *msg_offset = s + length - *sddl_copy;
772 0 : return false;
773 : }
774 89 : str = discard_const_p(char, s + length + 1);
775 : }
776 :
777 6166312 : *sddl_copy = str;
778 6166312 : return true;
779 : }
780 :
781 : static const struct flag_map acl_flags[] = {
782 : { "P", SEC_DESC_DACL_PROTECTED },
783 : { "AR", SEC_DESC_DACL_AUTO_INHERIT_REQ },
784 : { "AI", SEC_DESC_DACL_AUTO_INHERITED },
785 : { NULL, 0 }
786 : };
787 :
788 : /*
789 : decode an ACL
790 : */
791 3266690 : static struct security_acl *sddl_decode_acl(struct security_descriptor *sd,
792 : const enum ace_condition_flags ace_condition_flags,
793 : const char **sddlp, uint32_t *flags,
794 : struct sddl_transition_state *state,
795 : const char **msg, size_t *msg_offset)
796 : {
797 3266690 : const char *sddl = *sddlp;
798 3266690 : char *sddl_copy = NULL;
799 3266690 : char *aces_start = NULL;
800 303229 : struct security_acl *acl;
801 303229 : size_t len;
802 3266690 : *flags = 0;
803 :
804 3266690 : acl = talloc_zero(sd, struct security_acl);
805 3266690 : if (acl == NULL) {
806 0 : return NULL;
807 : }
808 3266690 : acl->revision = SECURITY_ACL_REVISION_ADS;
809 :
810 3266690 : if (isupper((unsigned char)sddl[0]) && sddl[1] == ':') {
811 : /* its an empty ACL */
812 962301 : return acl;
813 : }
814 :
815 : /* work out the ACL flags */
816 2224985 : if (!sddl_map_flags(acl_flags, sddl, flags, &len, true)) {
817 0 : *msg = talloc_strdup(sd, "bad ACL flags");
818 0 : *msg_offset = 0;
819 0 : talloc_free(acl);
820 0 : return NULL;
821 : }
822 2224985 : sddl += len;
823 :
824 2224985 : if (sddl[0] != '(') {
825 : /*
826 : * it is empty apart from the flags
827 : * (or the flags are bad, and we will find out when
828 : * we try to parse the next bit as a top-level fragment)
829 : */
830 1059441 : *sddlp = sddl;
831 1059441 : return acl;
832 : }
833 :
834 : /*
835 : * now the ACEs
836 : *
837 : * For this we make a copy of the rest of the SDDL, which the ACE
838 : * tokeniser will mutilate by putting '\0' where it finds ';'.
839 : *
840 : * We need to copy the rest of the SDDL string because it is not
841 : * possible in general to find where an ACL ends if there are
842 : * conditional ACEs.
843 : */
844 :
845 1165544 : sddl_copy = talloc_strdup(acl, sddl);
846 1165544 : if (sddl_copy == NULL) {
847 0 : TALLOC_FREE(acl);
848 0 : return NULL;
849 : }
850 1669833 : aces_start = sddl_copy;
851 :
852 7331856 : while (*sddl_copy == '(') {
853 504399 : bool ok;
854 6166427 : acl->aces = talloc_realloc(acl, acl->aces, struct security_ace,
855 : acl->num_aces+1);
856 6166427 : if (acl->aces == NULL) {
857 0 : talloc_free(acl);
858 0 : return NULL;
859 : }
860 6166427 : ok = sddl_decode_ace(acl->aces, &acl->aces[acl->num_aces],
861 : ace_condition_flags,
862 : &sddl_copy, state, msg, msg_offset);
863 6166427 : if (!ok) {
864 115 : *msg_offset += sddl_copy - aces_start;
865 115 : talloc_steal(sd, *msg);
866 115 : talloc_free(acl);
867 115 : return NULL;
868 : }
869 6166312 : acl->num_aces++;
870 : }
871 1165429 : sddl += sddl_copy - aces_start;
872 1165429 : TALLOC_FREE(aces_start);
873 1165429 : (*sddlp) = sddl;
874 1165429 : return acl;
875 : }
876 :
877 : /*
878 : * Decode a security descriptor in SDDL format, catching compilation
879 : * error messages, if any.
880 : *
881 : * The message will be a direct talloc child of mem_ctx or NULL.
882 : */
883 2222676 : struct security_descriptor *sddl_decode_err_msg(TALLOC_CTX *mem_ctx, const char *sddl,
884 : const struct dom_sid *domain_sid,
885 : const enum ace_condition_flags ace_condition_flags,
886 : const char **msg, size_t *msg_offset)
887 : {
888 2222676 : struct sddl_transition_state state = {
889 : /*
890 : * TODO: verify .machine_rid values really belong
891 : * to the machine_sid on a member, once
892 : * we pass machine_sid from the caller...
893 : */
894 : .machine_sid = domain_sid,
895 : .domain_sid = domain_sid,
896 : .forest_sid = domain_sid,
897 : };
898 2222676 : const char *start = sddl;
899 2222676 : struct security_descriptor *sd = NULL;
900 :
901 2222676 : if (msg == NULL || msg_offset == NULL) {
902 0 : DBG_ERR("Programmer misbehaviour: use sddl_decode() "
903 : "or provide msg pointers.\n");
904 0 : return NULL;
905 : }
906 2222676 : *msg = NULL;
907 2222676 : *msg_offset = 0;
908 :
909 2222676 : sd = talloc_zero(mem_ctx, struct security_descriptor);
910 2222676 : if (sd == NULL) {
911 0 : return NULL;
912 : }
913 2222676 : sd->revision = SECURITY_DESCRIPTOR_REVISION_1;
914 2222676 : sd->type = SEC_DESC_SELF_RELATIVE;
915 :
916 5528280 : while (*sddl) {
917 318819 : uint32_t flags;
918 3306131 : char c = sddl[0];
919 3306131 : if (sddl[1] != ':') {
920 250 : *msg = talloc_strdup(mem_ctx,
921 : "expected '[OGDS]:' section start "
922 : "(or the previous section ended prematurely)");
923 401 : goto failed;
924 : }
925 3305881 : sddl += 2;
926 3305881 : switch (c) {
927 2214678 : case 'D':
928 2214678 : if (sd->dacl != NULL) goto failed;
929 2214678 : sd->dacl = sddl_decode_acl(sd, ace_condition_flags, &sddl, &flags, &state, msg, msg_offset);
930 2214678 : if (sd->dacl == NULL) goto failed;
931 2214588 : sd->type |= flags | SEC_DESC_DACL_PRESENT;
932 2214588 : break;
933 1052012 : case 'S':
934 1052012 : if (sd->sacl != NULL) goto failed;
935 1052012 : sd->sacl = sddl_decode_acl(sd, ace_condition_flags, &sddl, &flags, &state, msg, msg_offset);
936 1052012 : if (sd->sacl == NULL) goto failed;
937 : /* this relies on the SEC_DESC_SACL_* flags being
938 : 1 bit shifted from the SEC_DESC_DACL_* flags */
939 1051987 : sd->type |= (flags<<1) | SEC_DESC_SACL_PRESENT;
940 1051987 : break;
941 20726 : case 'O':
942 20726 : if (sd->owner_sid != NULL) goto failed;
943 20726 : sd->owner_sid = sddl_transition_decode_sid(sd, &sddl, &state);
944 20726 : if (sd->owner_sid == NULL) goto failed;
945 12728 : break;
946 18461 : case 'G':
947 18461 : if (sd->group_sid != NULL) goto failed;
948 18461 : sd->group_sid = sddl_transition_decode_sid(sd, &sddl, &state);
949 18461 : if (sd->group_sid == NULL) goto failed;
950 10784 : break;
951 4 : default:
952 4 : *msg = talloc_strdup(mem_ctx, "unexpected character (expected [OGDS])");
953 4 : goto failed;
954 : }
955 : }
956 2003313 : return sd;
957 527 : failed:
958 527 : if (*msg != NULL) {
959 369 : *msg = talloc_steal(mem_ctx, *msg);
960 : }
961 : /*
962 : * The actual message (*msg) might still be NULL, but the
963 : * offset at least provides a clue.
964 : */
965 527 : *msg_offset += sddl - start;
966 :
967 527 : if (*msg_offset > strlen(sddl)) {
968 : /*
969 : * It's not that we *don't* trust our pointer difference
970 : * arithmetic, just that we *shouldn't*. Let's render it
971 : * harmless, before Python tries printing 18 quadrillion
972 : * spaces.
973 : */
974 12 : DBG_WARNING("sddl error message offset %zu is too big\n",
975 : *msg_offset);
976 12 : *msg_offset = 0;
977 : }
978 527 : DEBUG(2,("Badly formatted SDDL '%s'\n", sddl));
979 527 : talloc_free(sd);
980 527 : return NULL;
981 : }
982 :
983 :
984 : /*
985 : decode a security descriptor in SDDL format
986 : */
987 2173159 : struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl,
988 : const struct dom_sid *domain_sid)
989 : {
990 2173159 : const char *msg = NULL;
991 2173159 : size_t msg_offset = 0;
992 2173159 : struct security_descriptor *sd = sddl_decode_err_msg(mem_ctx,
993 : sddl,
994 : domain_sid,
995 : ACE_CONDITION_FLAG_ALLOW_DEVICE,
996 : &msg,
997 : &msg_offset);
998 2173159 : if (sd == NULL) {
999 309 : DBG_NOTICE("could not decode '%s'\n", sddl);
1000 309 : if (msg != NULL) {
1001 233 : DBG_NOTICE(" %*c\n",
1002 : (int)msg_offset, '^');
1003 233 : DBG_NOTICE("error '%s'\n", msg);
1004 233 : talloc_free(discard_const(msg));
1005 : }
1006 : }
1007 2173159 : return sd;
1008 : }
1009 :
1010 : /*
1011 : turn a set of flags into a string
1012 : */
1013 1934609 : static char *sddl_flags_to_string(TALLOC_CTX *mem_ctx, const struct flag_map *map,
1014 : uint32_t flags, bool check_all)
1015 : {
1016 362105 : int i;
1017 362105 : char *s;
1018 :
1019 : /* try to find an exact match */
1020 16939720 : for (i=0;map[i].name;i++) {
1021 15811849 : if (map[i].flag == flags) {
1022 806738 : return talloc_strdup(mem_ctx, map[i].name);
1023 : }
1024 : }
1025 :
1026 1127871 : s = talloc_strdup(mem_ctx, "");
1027 :
1028 : /* now by bits */
1029 12812714 : for (i=0;map[i].name;i++) {
1030 11473123 : if ((flags & map[i].flag) != 0) {
1031 4845205 : s = talloc_asprintf_append_buffer(s, "%s", map[i].name);
1032 4845205 : if (s == NULL) goto failed;
1033 4845205 : flags &= ~map[i].flag;
1034 : }
1035 : }
1036 :
1037 1127871 : if (check_all && flags != 0) {
1038 13043 : goto failed;
1039 : }
1040 :
1041 904140 : return s;
1042 :
1043 13043 : failed:
1044 13043 : talloc_free(s);
1045 13043 : return NULL;
1046 : }
1047 :
1048 : /*
1049 : encode a sid in SDDL format
1050 : */
1051 785260 : static char *sddl_transition_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
1052 : struct sddl_transition_state *state)
1053 : {
1054 785260 : bool in_machine = dom_sid_in_domain(state->machine_sid, sid);
1055 785260 : bool in_domain = dom_sid_in_domain(state->domain_sid, sid);
1056 785260 : bool in_forest = dom_sid_in_domain(state->forest_sid, sid);
1057 144044 : struct dom_sid_buf buf;
1058 785260 : const char *sidstr = dom_sid_str_buf(sid, &buf);
1059 785260 : uint32_t rid = 0;
1060 144044 : size_t i;
1061 :
1062 785260 : if (sid->num_auths > 1) {
1063 479065 : rid = sid->sub_auths[sid->num_auths-1];
1064 : }
1065 :
1066 27013917 : for (i=0;i<ARRAY_SIZE(sid_codes);i++) {
1067 : /* seen if its a well known sid */
1068 26941745 : if (sid_codes[i].sid != NULL) {
1069 4269703 : int cmp;
1070 :
1071 23354534 : cmp = strcmp(sidstr, sid_codes[i].sid);
1072 23354534 : if (cmp != 0) {
1073 22927841 : continue;
1074 : }
1075 :
1076 426693 : return talloc_strdup(mem_ctx, sid_codes[i].code);
1077 : }
1078 :
1079 3587211 : if (rid == 0) {
1080 408 : continue;
1081 : }
1082 :
1083 3586803 : if (in_machine && sid_codes[i].machine_rid == rid) {
1084 2255 : return talloc_strdup(mem_ctx, sid_codes[i].code);
1085 : }
1086 3584548 : if (in_domain && sid_codes[i].domain_rid == rid) {
1087 111118 : return talloc_strdup(mem_ctx, sid_codes[i].code);
1088 : }
1089 3473430 : if (in_forest && sid_codes[i].forest_rid == rid) {
1090 173022 : return talloc_strdup(mem_ctx, sid_codes[i].code);
1091 : }
1092 : }
1093 :
1094 72172 : return talloc_strdup(mem_ctx, sidstr);
1095 : }
1096 :
1097 217 : char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
1098 : const struct dom_sid *domain_sid)
1099 : {
1100 217 : struct sddl_transition_state state = {
1101 : /*
1102 : * TODO: verify .machine_rid values really belong
1103 : * to the machine_sid on a member, once
1104 : * we pass machine_sid from the caller...
1105 : */
1106 : .machine_sid = domain_sid,
1107 : .domain_sid = domain_sid,
1108 : .forest_sid = domain_sid,
1109 : };
1110 217 : return sddl_transition_encode_sid(mem_ctx, sid, &state);
1111 : }
1112 :
1113 :
1114 :
1115 : /*
1116 : encode an ACE in SDDL format
1117 : */
1118 602486 : static char *sddl_transition_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace,
1119 : struct sddl_transition_state *state)
1120 : {
1121 602486 : char *sddl = NULL;
1122 112490 : TALLOC_CTX *tmp_ctx;
1123 112490 : struct GUID_txt_buf object_buf, iobject_buf;
1124 602486 : const char *sddl_type="", *sddl_flags="", *sddl_mask="",
1125 602486 : *sddl_object="", *sddl_iobject="", *sddl_trustee="";
1126 602486 : tmp_ctx = talloc_new(mem_ctx);
1127 602486 : if (tmp_ctx == NULL) {
1128 0 : DEBUG(0, ("talloc_new failed\n"));
1129 0 : return NULL;
1130 : }
1131 :
1132 602486 : sddl_type = sddl_flags_to_string(tmp_ctx, ace_types, ace->type, true);
1133 602486 : if (sddl_type == NULL) {
1134 0 : goto failed;
1135 : }
1136 :
1137 602486 : sddl_flags = sddl_flags_to_string(tmp_ctx, ace_flags, ace->flags,
1138 : true);
1139 602486 : if (sddl_flags == NULL) {
1140 0 : goto failed;
1141 : }
1142 :
1143 714976 : sddl_mask = sddl_flags_to_string(tmp_ctx, ace_access_mask,
1144 602486 : ace->access_mask, true);
1145 602486 : if (sddl_mask == NULL) {
1146 14075 : sddl_mask = sddl_match_file_rights(tmp_ctx,
1147 13043 : ace->access_mask);
1148 13043 : if (sddl_mask == NULL) {
1149 4388 : sddl_mask = talloc_asprintf(tmp_ctx, "0x%x",
1150 4388 : ace->access_mask);
1151 : }
1152 13043 : if (sddl_mask == NULL) {
1153 0 : goto failed;
1154 : }
1155 : }
1156 :
1157 602486 : if (sec_ace_object(ace->type)) {
1158 204021 : const struct security_ace_object *object = &ace->object.object;
1159 :
1160 204021 : if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
1161 182991 : sddl_object = GUID_buf_string(
1162 : &object->type.type, &object_buf);
1163 : }
1164 :
1165 204021 : if (ace->object.object.flags &
1166 : SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
1167 145879 : sddl_iobject = GUID_buf_string(
1168 : &object->inherited_type.inherited_type,
1169 : &iobject_buf);
1170 : }
1171 : }
1172 602486 : sddl_trustee = sddl_transition_encode_sid(tmp_ctx, &ace->trustee, state);
1173 602486 : if (sddl_trustee == NULL) {
1174 0 : goto failed;
1175 : }
1176 :
1177 602486 : if (sec_ace_callback(ace->type)) {
1178 : /* encode the conditional part */
1179 682 : struct ace_condition_script *s = NULL;
1180 682 : const char *sddl_conditions = NULL;
1181 :
1182 682 : s = parse_conditional_ace(tmp_ctx, ace->coda.conditions);
1183 :
1184 682 : if (s == NULL) {
1185 0 : goto failed;
1186 : }
1187 :
1188 682 : sddl_conditions = sddl_from_conditional_ace(tmp_ctx, s);
1189 682 : if (sddl_conditions == NULL) {
1190 0 : goto failed;
1191 : }
1192 :
1193 682 : sddl = talloc_asprintf(mem_ctx, "%s;%s;%s;%s;%s;%s;%s",
1194 : sddl_type, sddl_flags, sddl_mask,
1195 : sddl_object, sddl_iobject,
1196 : sddl_trustee, sddl_conditions);
1197 601804 : } else if (sec_ace_resource(ace->type)) {
1198 : /* encode the resource part */
1199 7 : const char *coda = NULL;
1200 7 : coda = sddl_resource_attr_from_claim(tmp_ctx,
1201 : &ace->coda.claim);
1202 :
1203 7 : if (coda == NULL) {
1204 0 : DBG_WARNING("resource ACE has invalid claim\n");
1205 0 : goto failed;
1206 : }
1207 7 : sddl = talloc_asprintf(mem_ctx, "%s;%s;%s;%s;%s;%s;%s",
1208 : sddl_type, sddl_flags, sddl_mask,
1209 : sddl_object, sddl_iobject,
1210 : sddl_trustee, coda);
1211 : } else {
1212 601797 : sddl = talloc_asprintf(mem_ctx, "%s;%s;%s;%s;%s;%s",
1213 : sddl_type, sddl_flags, sddl_mask,
1214 : sddl_object, sddl_iobject, sddl_trustee);
1215 : }
1216 602486 : failed:
1217 602486 : talloc_free(tmp_ctx);
1218 602486 : return sddl;
1219 : }
1220 :
1221 13 : char *sddl_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace,
1222 : const struct dom_sid *domain_sid)
1223 : {
1224 13 : struct sddl_transition_state state = {
1225 : /*
1226 : * TODO: verify .machine_rid values really belong
1227 : * to the machine_sid on a member, once
1228 : * we pass machine_sid from the caller...
1229 : */
1230 : .machine_sid = domain_sid,
1231 : .domain_sid = domain_sid,
1232 : .forest_sid = domain_sid,
1233 : };
1234 13 : return sddl_transition_encode_ace(mem_ctx, ace, &state);
1235 : }
1236 :
1237 : /*
1238 : encode an ACL in SDDL format
1239 : */
1240 127151 : static char *sddl_encode_acl(TALLOC_CTX *mem_ctx, const struct security_acl *acl,
1241 : uint32_t flags, struct sddl_transition_state *state)
1242 : {
1243 24635 : char *sddl;
1244 24635 : uint32_t i;
1245 :
1246 : /* add any ACL flags */
1247 127151 : sddl = sddl_flags_to_string(mem_ctx, acl_flags, flags, false);
1248 127151 : if (sddl == NULL) goto failed;
1249 :
1250 : /* now the ACEs, encoded in braces */
1251 729624 : for (i=0;i<acl->num_aces;i++) {
1252 602473 : char *ace = sddl_transition_encode_ace(sddl, &acl->aces[i], state);
1253 602473 : if (ace == NULL) goto failed;
1254 602473 : sddl = talloc_asprintf_append_buffer(sddl, "(%s)", ace);
1255 602473 : if (sddl == NULL) goto failed;
1256 602473 : talloc_free(ace);
1257 : }
1258 :
1259 102516 : return sddl;
1260 :
1261 0 : failed:
1262 0 : talloc_free(sddl);
1263 0 : return NULL;
1264 : }
1265 :
1266 :
1267 : /*
1268 : encode a security descriptor to SDDL format
1269 : */
1270 92799 : char *sddl_encode(TALLOC_CTX *mem_ctx, const struct security_descriptor *sd,
1271 : const struct dom_sid *domain_sid)
1272 : {
1273 92799 : struct sddl_transition_state state = {
1274 : /*
1275 : * TODO: verify .machine_rid values really belong
1276 : * to the machine_sid on a member, once
1277 : * we pass machine_sid from the caller...
1278 : */
1279 : .machine_sid = domain_sid,
1280 : .domain_sid = domain_sid,
1281 : .forest_sid = domain_sid,
1282 : };
1283 16088 : char *sddl;
1284 16088 : TALLOC_CTX *tmp_ctx;
1285 :
1286 : /* start with a blank string */
1287 92799 : sddl = talloc_strdup(mem_ctx, "");
1288 92799 : if (sddl == NULL) goto failed;
1289 :
1290 92799 : tmp_ctx = talloc_new(mem_ctx);
1291 :
1292 92799 : if (sd->owner_sid != NULL) {
1293 91757 : char *sid = sddl_transition_encode_sid(tmp_ctx, sd->owner_sid, &state);
1294 91757 : if (sid == NULL) goto failed;
1295 91757 : sddl = talloc_asprintf_append_buffer(sddl, "O:%s", sid);
1296 91757 : if (sddl == NULL) goto failed;
1297 : }
1298 :
1299 92799 : if (sd->group_sid != NULL) {
1300 90800 : char *sid = sddl_transition_encode_sid(tmp_ctx, sd->group_sid, &state);
1301 90800 : if (sid == NULL) goto failed;
1302 90800 : sddl = talloc_asprintf_append_buffer(sddl, "G:%s", sid);
1303 90800 : if (sddl == NULL) goto failed;
1304 : }
1305 :
1306 92799 : if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl != NULL) {
1307 86476 : char *acl = sddl_encode_acl(tmp_ctx, sd->dacl, sd->type, &state);
1308 86476 : if (acl == NULL) goto failed;
1309 86476 : sddl = talloc_asprintf_append_buffer(sddl, "D:%s", acl);
1310 86476 : if (sddl == NULL) goto failed;
1311 : }
1312 :
1313 92799 : if ((sd->type & SEC_DESC_SACL_PRESENT) && sd->sacl != NULL) {
1314 40675 : char *acl = sddl_encode_acl(tmp_ctx, sd->sacl, sd->type>>1, &state);
1315 40675 : if (acl == NULL) goto failed;
1316 40675 : sddl = talloc_asprintf_append_buffer(sddl, "S:%s", acl);
1317 40675 : if (sddl == NULL) goto failed;
1318 : }
1319 :
1320 92799 : talloc_free(tmp_ctx);
1321 92799 : return sddl;
1322 :
1323 0 : failed:
1324 0 : talloc_free(sddl);
1325 0 : return NULL;
1326 : }
|
