Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 :
4 : security descriptor description language functions
5 :
6 : Copyright (C) Andrew Tridgell 2005
7 :
8 : This program is free software; you can redistribute it and/or modify
9 : it under the terms of the GNU General Public License as published by
10 : the Free Software Foundation; either version 3 of the License, or
11 : (at your option) any later version.
12 :
13 : This program is distributed in the hope that it will be useful,
14 : but WITHOUT ANY WARRANTY; without even the implied warranty of
15 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 : GNU General Public License for more details.
17 :
18 : You should have received a copy of the GNU General Public License
19 : along with this program. If not, see <http://www.gnu.org/licenses/>.
20 : */
21 :
22 : #include "replace.h"
23 : #include "lib/util/debug.h"
24 : #include "libcli/security/security.h"
25 : #include "libcli/security/conditional_ace.h"
26 : #include "librpc/gen_ndr/ndr_misc.h"
27 : #include "lib/util/smb_strtox.h"
28 : #include "libcli/security/sddl.h"
29 : #include "system/locale.h"
30 : #include "lib/util/util_str_hex.h"
31 :
32 :
33 : struct sddl_transition_state {
34 : const struct dom_sid *machine_sid;
35 : const struct dom_sid *domain_sid;
36 : const struct dom_sid *forest_sid;
37 : };
38 :
39 : struct flag_map {
40 : const char *name;
41 : uint32_t flag;
42 : };
43 :
44 87694896 : static bool sddl_map_flag(
45 : const struct flag_map *map,
46 : const char *str,
47 : size_t *plen,
48 : uint32_t *pflag)
49 : {
50 513724224 : while (map->name != NULL) {
51 473109991 : size_t len = strlen(map->name);
52 473109991 : int cmp = strncmp(map->name, str, len);
53 :
54 473109991 : if (cmp == 0) {
55 47080663 : *plen = len;
56 47080663 : *pflag = map->flag;
57 47080663 : return true;
58 : }
59 426029328 : map += 1;
60 : }
61 36307330 : return false;
62 : }
63 :
64 : /*
65 : map a series of letter codes into a uint32_t
66 : */
67 8380112 : static bool sddl_map_flags(const struct flag_map *map, const char *str,
68 : uint32_t *pflags, size_t *plen,
69 : bool unknown_flag_is_part_of_next_thing)
70 : {
71 8380112 : const char *str0 = str;
72 8380112 : if (plen != NULL) {
73 2218859 : *plen = 0;
74 : }
75 8380112 : *pflags = 0;
76 8685331 : while (str[0] != '\0' && isupper((unsigned char)str[0])) {
77 90191 : size_t len;
78 90191 : uint32_t flags;
79 90191 : bool found;
80 :
81 305230 : found = sddl_map_flag(map, str, &len, &flags);
82 305230 : if (!found) {
83 0 : break;
84 : }
85 :
86 305219 : *pflags |= flags;
87 305219 : if (plen != NULL) {
88 54113 : *plen += len;
89 : }
90 305219 : str += len;
91 : }
92 : /*
93 : * For ACL flags, unknown_flag_is_part_of_next_thing is set,
94 : * and we expect some more stuff that isn't flags.
95 : *
96 : * For ACE flags, unknown_flag_is_part_of_next_thing is unset,
97 : * and the flags have been tokenised into their own little
98 : * string. We don't expect anything here, even whitespace.
99 : */
100 8380112 : if (*str == '\0' || unknown_flag_is_part_of_next_thing) {
101 7651649 : return true;
102 : }
103 3 : DBG_WARNING("Unknown flag - '%s' in '%s'\n", str, str0);
104 0 : return false;
105 : }
106 :
107 :
108 : /*
109 : a mapping between the 2 letter SID codes and sid strings
110 : */
111 : static const struct {
112 : const char *code;
113 : const char *sid;
114 : uint32_t machine_rid;
115 : uint32_t domain_rid;
116 : uint32_t forest_rid;
117 : } sid_codes[] = {
118 : { .code = "WD", .sid = SID_WORLD },
119 :
120 : { .code = "CO", .sid = SID_CREATOR_OWNER },
121 : { .code = "CG", .sid = SID_CREATOR_GROUP },
122 : { .code = "OW", .sid = SID_OWNER_RIGHTS },
123 :
124 : { .code = "NU", .sid = SID_NT_NETWORK },
125 : { .code = "IU", .sid = SID_NT_INTERACTIVE },
126 : { .code = "SU", .sid = SID_NT_SERVICE },
127 : { .code = "AN", .sid = SID_NT_ANONYMOUS },
128 : { .code = "ED", .sid = SID_NT_ENTERPRISE_DCS },
129 : { .code = "PS", .sid = SID_NT_SELF },
130 : { .code = "AU", .sid = SID_NT_AUTHENTICATED_USERS },
131 : { .code = "RC", .sid = SID_NT_RESTRICTED },
132 : { .code = "SY", .sid = SID_NT_SYSTEM },
133 : { .code = "LS", .sid = SID_NT_LOCAL_SERVICE },
134 : { .code = "NS", .sid = SID_NT_NETWORK_SERVICE },
135 : { .code = "WR", .sid = SID_SECURITY_RESTRICTED_CODE },
136 :
137 : { .code = "BA", .sid = SID_BUILTIN_ADMINISTRATORS },
138 : { .code = "BU", .sid = SID_BUILTIN_USERS },
139 : { .code = "BG", .sid = SID_BUILTIN_GUESTS },
140 : { .code = "PU", .sid = SID_BUILTIN_POWER_USERS },
141 : { .code = "AO", .sid = SID_BUILTIN_ACCOUNT_OPERATORS },
142 : { .code = "SO", .sid = SID_BUILTIN_SERVER_OPERATORS },
143 : { .code = "PO", .sid = SID_BUILTIN_PRINT_OPERATORS },
144 : { .code = "BO", .sid = SID_BUILTIN_BACKUP_OPERATORS },
145 : { .code = "RE", .sid = SID_BUILTIN_REPLICATOR },
146 : { .code = "RU", .sid = SID_BUILTIN_PREW2K },
147 : { .code = "RD", .sid = SID_BUILTIN_REMOTE_DESKTOP_USERS },
148 : { .code = "NO", .sid = SID_BUILTIN_NETWORK_CONF_OPERATORS },
149 :
150 : { .code = "MU", .sid = SID_BUILTIN_PERFMON_USERS },
151 : { .code = "LU", .sid = SID_BUILTIN_PERFLOG_USERS },
152 : { .code = "IS", .sid = SID_BUILTIN_IUSERS },
153 : { .code = "CY", .sid = SID_BUILTIN_CRYPTO_OPERATORS },
154 : { .code = "ER", .sid = SID_BUILTIN_EVENT_LOG_READERS },
155 : { .code = "CD", .sid = SID_BUILTIN_CERT_SERV_DCOM_ACCESS },
156 : { .code = "RA", .sid = SID_BUILTIN_RDS_REMOTE_ACCESS_SERVERS },
157 : { .code = "ES", .sid = SID_BUILTIN_RDS_ENDPOINT_SERVERS },
158 : { .code = "MS", .sid = SID_BUILTIN_RDS_MANAGEMENT_SERVERS },
159 : { .code = "HA", .sid = SID_BUILTIN_HYPER_V_ADMINS },
160 : { .code = "AA", .sid = SID_BUILTIN_ACCESS_CONTROL_ASSISTANCE_OPS },
161 : { .code = "RM", .sid = SID_BUILTIN_REMOTE_MANAGEMENT_USERS },
162 :
163 : { .code = "UD", .sid = SID_USER_MODE_DRIVERS },
164 :
165 : { .code = "AC", .sid = SID_SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE },
166 :
167 : { .code = "LW", .sid = SID_SECURITY_MANDATORY_LOW },
168 : { .code = "ME", .sid = SID_SECURITY_MANDATORY_MEDIUM },
169 : { .code = "MP", .sid = SID_SECURITY_MANDATORY_MEDIUM_PLUS },
170 : { .code = "HI", .sid = SID_SECURITY_MANDATORY_HIGH },
171 : { .code = "SI", .sid = SID_SECURITY_MANDATORY_SYSTEM },
172 :
173 : { .code = "AS", .sid = SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY },
174 : { .code = "SS", .sid = SID_SERVICE_ASSERTED_IDENTITY },
175 :
176 : { .code = "RO", .forest_rid = DOMAIN_RID_ENTERPRISE_READONLY_DCS },
177 :
178 : { .code = "LA", .machine_rid = DOMAIN_RID_ADMINISTRATOR },
179 : { .code = "LG", .machine_rid = DOMAIN_RID_GUEST },
180 :
181 : { .code = "DA", .domain_rid = DOMAIN_RID_ADMINS },
182 : { .code = "DU", .domain_rid = DOMAIN_RID_USERS },
183 : { .code = "DG", .domain_rid = DOMAIN_RID_GUESTS },
184 : { .code = "DC", .domain_rid = DOMAIN_RID_DOMAIN_MEMBERS },
185 : { .code = "DD", .domain_rid = DOMAIN_RID_DCS },
186 : { .code = "CA", .domain_rid = DOMAIN_RID_CERT_ADMINS },
187 : { .code = "SA", .forest_rid = DOMAIN_RID_SCHEMA_ADMINS },
188 : { .code = "EA", .forest_rid = DOMAIN_RID_ENTERPRISE_ADMINS },
189 : { .code = "PA", .domain_rid = DOMAIN_RID_POLICY_ADMINS },
190 :
191 : { .code = "CN", .domain_rid = DOMAIN_RID_CLONEABLE_CONTROLLERS },
192 :
193 : { .code = "AP", .domain_rid = DOMAIN_RID_PROTECTED_USERS },
194 : { .code = "KA", .domain_rid = DOMAIN_RID_KEY_ADMINS },
195 : { .code = "EK", .forest_rid = DOMAIN_RID_ENTERPRISE_KEY_ADMINS },
196 :
197 : { .code = "RS", .domain_rid = DOMAIN_RID_RAS_SERVERS }
198 : };
199 :
200 : /*
201 : decode a SID
202 : It can either be a special 2 letter code, or in S-* format
203 : */
204 6201446 : static struct dom_sid *sddl_transition_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
205 : struct sddl_transition_state *state)
206 : {
207 6201446 : const char *sddl = (*sddlp);
208 520637 : size_t i;
209 :
210 : /* see if its in the numeric format */
211 6201446 : if (strncasecmp(sddl, "S-", 2) == 0) {
212 305344 : struct dom_sid *sid = NULL;
213 305344 : char *sid_str = NULL;
214 305344 : const char *end = NULL;
215 35658 : bool ok;
216 305344 : size_t len = strspn(sddl + 2, "-0123456789ABCDEFabcdefxX") + 2;
217 305344 : if (len < 5) { /* S-1-x */
218 0 : return NULL;
219 : }
220 305337 : if (sddl[len - 1] == 'D' && sddl[len] == ':') {
221 : /*
222 : * we have run into the "D:" dacl marker, mistaking it
223 : * for a hex digit. There is no other way for this
224 : * pair to occur at the end of a SID in SDDL.
225 : */
226 7385 : len--;
227 : }
228 :
229 305337 : sid_str = talloc_strndup(mem_ctx, sddl, len);
230 305337 : if (sid_str == NULL) {
231 0 : return NULL;
232 : }
233 305337 : if (sid_str[0] == 's') {
234 : /*
235 : * In SDDL, but not in the dom_sid parsers, a
236 : * lowercase "s-1-1-0" is accepted.
237 : */
238 10 : sid_str[0] = 'S';
239 : }
240 305337 : sid = talloc(mem_ctx, struct dom_sid);
241 305337 : if (sid == NULL) {
242 0 : TALLOC_FREE(sid_str);
243 0 : return NULL;
244 35651 : };
245 305337 : ok = dom_sid_parse_endp(sid_str, sid, &end);
246 305337 : if (!ok) {
247 116 : DBG_WARNING("could not parse SID '%s'\n", sid_str);
248 116 : TALLOC_FREE(sid_str);
249 116 : TALLOC_FREE(sid);
250 116 : return NULL;
251 : }
252 305221 : if (end - sid_str != len) {
253 0 : DBG_WARNING("trailing junk after SID '%s'\n", sid_str);
254 0 : TALLOC_FREE(sid_str);
255 0 : TALLOC_FREE(sid);
256 0 : return NULL;
257 : }
258 305221 : TALLOC_FREE(sid_str);
259 305221 : (*sddlp) += len;
260 305221 : return sid;
261 : }
262 :
263 : /* now check for one of the special codes */
264 137801398 : for (i=0;i<ARRAY_SIZE(sid_codes);i++) {
265 137801351 : if (strncmp(sid_codes[i].code, sddl, 2) == 0) break;
266 : }
267 5896102 : if (i == ARRAY_SIZE(sid_codes)) {
268 47 : DEBUG(1,("Unknown sddl sid code '%2.2s'\n", sddl));
269 47 : return NULL;
270 : }
271 :
272 5896055 : (*sddlp) += 2;
273 :
274 :
275 5896055 : if (sid_codes[i].machine_rid != 0) {
276 2305 : return dom_sid_add_rid(mem_ctx, state->machine_sid,
277 1983 : sid_codes[i].machine_rid);
278 : }
279 :
280 5893750 : if (sid_codes[i].domain_rid != 0) {
281 1466159 : return dom_sid_add_rid(mem_ctx, state->domain_sid,
282 1336518 : sid_codes[i].domain_rid);
283 : }
284 :
285 4427591 : if (sid_codes[i].forest_rid != 0) {
286 27706 : return dom_sid_add_rid(mem_ctx, state->forest_sid,
287 23553 : sid_codes[i].forest_rid);
288 : }
289 :
290 4399885 : return dom_sid_parse_talloc(mem_ctx, sid_codes[i].sid);
291 : }
292 :
293 894 : struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
294 : const struct dom_sid *domain_sid)
295 : {
296 894 : struct sddl_transition_state state = {
297 : /*
298 : * TODO: verify .machine_rid values really belong
299 : * to the machine_sid on a member, once
300 : * we pass machine_sid from the caller...
301 : */
302 : .machine_sid = domain_sid,
303 : .domain_sid = domain_sid,
304 : .forest_sid = domain_sid,
305 : };
306 894 : return sddl_transition_decode_sid(mem_ctx, sddlp, &state);
307 : }
308 :
309 :
310 : static const struct flag_map ace_types[] = {
311 : { "AU", SEC_ACE_TYPE_SYSTEM_AUDIT },
312 : { "AL", SEC_ACE_TYPE_SYSTEM_ALARM },
313 : { "OA", SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT },
314 : { "OD", SEC_ACE_TYPE_ACCESS_DENIED_OBJECT },
315 : { "OU", SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT },
316 : { "OL", SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT },
317 : { "A", SEC_ACE_TYPE_ACCESS_ALLOWED },
318 : { "D", SEC_ACE_TYPE_ACCESS_DENIED },
319 :
320 : { "XA", SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK },
321 : { "XD", SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK },
322 : { "ZA", SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT },
323 : /*
324 : * SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT exists but has
325 : * no SDDL flag.
326 : *
327 : * ZA and XU are switched in [MS-DTYP] as of version 36.0,
328 : * but this should be corrected in later versions.
329 : */
330 : { "XU", SEC_ACE_TYPE_SYSTEM_AUDIT_CALLBACK },
331 :
332 : { "RA", SEC_ACE_TYPE_SYSTEM_RESOURCE_ATTRIBUTE },
333 : { NULL, 0 }
334 : };
335 :
336 : static const struct flag_map ace_flags[] = {
337 : { "OI", SEC_ACE_FLAG_OBJECT_INHERIT },
338 : { "CI", SEC_ACE_FLAG_CONTAINER_INHERIT },
339 : { "NP", SEC_ACE_FLAG_NO_PROPAGATE_INHERIT },
340 : { "IO", SEC_ACE_FLAG_INHERIT_ONLY },
341 : { "ID", SEC_ACE_FLAG_INHERITED_ACE },
342 : { "SA", SEC_ACE_FLAG_SUCCESSFUL_ACCESS },
343 : { "FA", SEC_ACE_FLAG_FAILED_ACCESS },
344 : { NULL, 0 },
345 : };
346 :
347 : static const struct flag_map ace_access_mask[] = {
348 : { "CC", SEC_ADS_CREATE_CHILD },
349 : { "DC", SEC_ADS_DELETE_CHILD },
350 : { "LC", SEC_ADS_LIST },
351 : { "SW", SEC_ADS_SELF_WRITE },
352 : { "RP", SEC_ADS_READ_PROP },
353 : { "WP", SEC_ADS_WRITE_PROP },
354 : { "DT", SEC_ADS_DELETE_TREE },
355 : { "LO", SEC_ADS_LIST_OBJECT },
356 : { "CR", SEC_ADS_CONTROL_ACCESS },
357 : { "SD", SEC_STD_DELETE },
358 : { "RC", SEC_STD_READ_CONTROL },
359 : { "WD", SEC_STD_WRITE_DAC },
360 : { "WO", SEC_STD_WRITE_OWNER },
361 : { "GA", SEC_GENERIC_ALL },
362 : { "GX", SEC_GENERIC_EXECUTE },
363 : { "GW", SEC_GENERIC_WRITE },
364 : { "GR", SEC_GENERIC_READ },
365 : { NULL, 0 }
366 : };
367 :
368 : static const struct flag_map decode_ace_access_mask[] = {
369 : { "FA", FILE_GENERIC_ALL },
370 : { "FR", FILE_GENERIC_READ },
371 : { "FW", FILE_GENERIC_WRITE },
372 : { "FX", FILE_GENERIC_EXECUTE },
373 : { NULL, 0 },
374 : };
375 :
376 :
377 13043 : static char *sddl_match_file_rights(TALLOC_CTX *mem_ctx,
378 : uint32_t flags)
379 : {
380 1032 : int i;
381 :
382 : /* try to find an exact match */
383 30736 : for (i=0;decode_ace_access_mask[i].name;i++) {
384 26348 : if (decode_ace_access_mask[i].flag == flags) {
385 8655 : return talloc_strdup(mem_ctx,
386 8213 : decode_ace_access_mask[i].name);
387 : }
388 : }
389 3798 : return NULL;
390 : }
391 :
392 6161250 : static bool sddl_decode_access(const char *str, uint32_t *pmask)
393 : {
394 6161250 : const char *str0 = str;
395 6161250 : char *end = NULL;
396 6161250 : uint32_t mask = 0;
397 504551 : unsigned long long numeric_mask;
398 504551 : int err;
399 : /*
400 : * The access mask can be a number or a series of flags.
401 : *
402 : * Canonically the number is expressed in hexadecimal (with 0x), but
403 : * per MS-DTYP and Windows behaviour, octal and decimal numbers are
404 : * also accepted.
405 : *
406 : * Windows has two behaviours we choose not to replicate:
407 : *
408 : * 1. numbers exceeding 0xffffffff are truncated at that point,
409 : * turning on all access flags.
410 : *
411 : * 2. negative numbers are accepted, so e.g. -2 becomes 0xfffffffe.
412 : */
413 6161250 : numeric_mask = smb_strtoull(str, &end, 0, &err, SMB_STR_STANDARD);
414 6161250 : if (err == 0) {
415 46489 : if (numeric_mask > UINT32_MAX) {
416 1 : DBG_WARNING("Bad numeric flag value - %llu in %s\n",
417 : numeric_mask, str0);
418 1 : return false;
419 : }
420 46488 : if (end - str > sizeof("037777777777")) {
421 : /* here's the tricky thing: if a number is big
422 : * enough to overflow the uint64, it might end
423 : * up small enough to fit in the uint32, and
424 : * we'd miss that it overflowed. So we count
425 : * the digits -- any more than 12 (for
426 : * "037777777777") is too long for 32 bits,
427 : * and the shortest 64-bit wrapping string is
428 : * 19 (for "0x1" + 16 zeros).
429 : */
430 0 : DBG_WARNING("Bad numeric flag value in '%s'\n", str0);
431 0 : return false;
432 : }
433 46488 : if (*end != '\0') {
434 3 : DBG_WARNING("Bad characters in '%s'\n", str0);
435 3 : return false;
436 : }
437 46485 : *pmask = numeric_mask;
438 46485 : return true;
439 : }
440 : /* It's not a positive number, so we'll look for flags */
441 :
442 46728948 : while ((str[0] != '\0') &&
443 40614209 : (isupper((unsigned char)str[0]) || str[0] == ' ')) {
444 40614202 : uint32_t flags = 0;
445 40614202 : size_t len = 0;
446 4306872 : bool found;
447 40614210 : while (str[0] == ' ') {
448 : /*
449 : * Following Windows we accept spaces between flags
450 : * but not after flags. Not tabs, though, never tabs.
451 : */
452 10 : str++;
453 10 : if (str[0] == '\0') {
454 2 : DBG_WARNING("trailing whitespace in flags "
455 : "- '%s'\n", str0);
456 15 : return false;
457 : }
458 : }
459 40614200 : found = sddl_map_flag(
460 : ace_access_mask, str, &len, &flags);
461 40614200 : found |= sddl_map_flag(
462 : decode_ace_access_mask, str, &len, &flags);
463 40614200 : if (!found) {
464 13 : DEBUG(1, ("Unknown flag - %s in %s\n", str, str0));
465 13 : return false;
466 : }
467 40614187 : mask |= flags;
468 40614187 : str += len;
469 : }
470 6114746 : if (*str != '\0') {
471 7 : DBG_WARNING("Bad characters in '%s'\n", str0);
472 7 : return false;
473 : }
474 6114739 : *pmask = mask;
475 6114739 : return true;
476 : }
477 :
478 :
479 2317852 : static bool sddl_decode_guid(const char *str, struct GUID *guid)
480 : {
481 2317852 : if (strlen(str) != 36) {
482 0 : return false;
483 : }
484 2317839 : return parse_guid_string(str, guid);
485 : }
486 :
487 :
488 :
489 1382 : static DATA_BLOB sddl_decode_conditions(TALLOC_CTX *mem_ctx,
490 : const enum ace_condition_flags ace_condition_flags,
491 : const char *conditions,
492 : size_t *length,
493 : const char **msg,
494 : size_t *msg_offset)
495 : {
496 1382 : DATA_BLOB blob = {0};
497 1382 : struct ace_condition_script *script = NULL;
498 1382 : script = ace_conditions_compile_sddl(mem_ctx,
499 : ace_condition_flags,
500 : conditions,
501 : msg,
502 : msg_offset,
503 : length);
504 1382 : if (script != NULL) {
505 1362 : bool ok = conditional_ace_encode_binary(mem_ctx,
506 : script,
507 : &blob);
508 1362 : if (! ok) {
509 0 : DBG_ERR("could not blobify '%s'\n", conditions);
510 : }
511 : }
512 1382 : return blob;
513 : }
514 :
515 :
516 : /*
517 : decode an ACE
518 : return true on success, false on failure
519 : note that this routine modifies the string
520 : */
521 6161272 : static bool sddl_decode_ace(TALLOC_CTX *mem_ctx,
522 : struct security_ace *ace,
523 : const enum ace_condition_flags ace_condition_flags,
524 : char **sddl_copy,
525 : struct sddl_transition_state *state,
526 : const char **msg, size_t *msg_offset)
527 : {
528 504572 : const char *tok[7];
529 504572 : const char *s;
530 504572 : uint32_t v;
531 504572 : struct dom_sid *sid;
532 504572 : bool ok;
533 504572 : size_t len;
534 6161272 : size_t count = 0;
535 6161272 : char *str = *sddl_copy;
536 6161272 : bool has_extra_data = false;
537 6161272 : ZERO_STRUCTP(ace);
538 :
539 6161272 : *msg_offset = 1;
540 6161272 : if (*str != '(') {
541 0 : *msg = talloc_strdup(mem_ctx, "Not an ACE");
542 0 : return false;
543 : }
544 6161272 : str++;
545 : /*
546 : * First we split apart the 6 (or 7) tokens.
547 : *
548 : * 0. ace type
549 : * 1. ace flags
550 : * 2. access mask
551 : * 3. object guid
552 : * 4. inherit guid
553 : * 5. sid
554 : *
555 : * 6/extra_data rare optional extra data
556 : */
557 6161272 : tok[0] = str;
558 227282716 : while (*str != '\0') {
559 227282715 : if (*str == ';') {
560 30807844 : *str = '\0';
561 30807844 : str++;
562 30807844 : count++;
563 30807844 : tok[count] = str;
564 30807844 : if (count == 6) {
565 : /*
566 : * this looks like a conditional ACE
567 : * or resource ACE, but we can't say
568 : * for sure until we look at the ACE
569 : * type (tok[0]), after the loop.
570 : */
571 725 : has_extra_data = true;
572 725 : break;
573 : }
574 30806349 : continue;
575 : }
576 : /*
577 : * we are not expecting a ')' in the 6 sections of an
578 : * ordinary ACE, except ending the last one.
579 : */
580 196474871 : if (*str == ')') {
581 6159776 : count++;
582 6159776 : *str = '\0';
583 6159776 : str++;
584 6159776 : break;
585 : }
586 190315095 : str++;
587 : }
588 6161272 : if (count != 6) {
589 : /* we hit the '\0' or ')' before all of ';;;;;)' */
590 6 : *msg = talloc_asprintf(mem_ctx,
591 : "malformed ACE with only %zu ';'",
592 : MIN(count - 1, count));
593 6 : return false;
594 : }
595 :
596 : /* parse ace type */
597 6161266 : ok = sddl_map_flag(ace_types, tok[0], &len, &v);
598 6161266 : if (!ok) {
599 9 : *msg = talloc_asprintf(mem_ctx,
600 : "Unknown ACE type - %s", tok[0]);
601 9 : return false;
602 : }
603 6161257 : if (tok[0][len] != '\0') {
604 1 : *msg = talloc_asprintf(mem_ctx,
605 : "Garbage after ACE type - %s", tok[0]);
606 1 : return false;
607 : }
608 :
609 6161256 : ace->type = v;
610 :
611 : /*
612 : * Only callback and resource aces should have trailing data.
613 : */
614 6161256 : if (sec_ace_callback(ace->type)) {
615 1382 : if (! has_extra_data) {
616 0 : *msg = talloc_strdup(
617 : mem_ctx,
618 : "callback ACE has no trailing data");
619 0 : *msg_offset = str - *sddl_copy;
620 0 : return false;
621 : }
622 6159874 : } else if (sec_ace_resource(ace->type)) {
623 105 : if (! has_extra_data) {
624 0 : *msg = talloc_strdup(
625 : mem_ctx,
626 : "resource attribute ACE has no trailing data");
627 0 : *msg_offset = str - *sddl_copy;
628 0 : return false;
629 : }
630 6159769 : } else if (has_extra_data) {
631 3 : *msg = talloc_strdup(
632 : mem_ctx,
633 : "ACE has trailing section but is not a "
634 : "callback or resource ACE");
635 3 : *msg_offset = str - *sddl_copy;
636 3 : return false;
637 : }
638 :
639 : /* ace flags */
640 6161253 : if (!sddl_map_flags(ace_flags, tok[1], &v, NULL, false)) {
641 3 : *msg = talloc_strdup(mem_ctx,
642 : "could not parse flags");
643 3 : *msg_offset = tok[1] - *sddl_copy;
644 3 : return false;
645 : }
646 6161250 : ace->flags = v;
647 :
648 : /* access mask */
649 6161250 : ok = sddl_decode_access(tok[2], &ace->access_mask);
650 6161250 : if (!ok) {
651 26 : *msg = talloc_strdup(mem_ctx,
652 : "could not parse access string");
653 26 : *msg_offset = tok[2] - *sddl_copy;
654 26 : return false;
655 : }
656 :
657 : /* object */
658 6161224 : if (tok[3][0] != 0) {
659 2217292 : ok = sddl_decode_guid(tok[3], &ace->object.object.type.type);
660 2217292 : if (!ok) {
661 7 : *msg = talloc_strdup(mem_ctx,
662 : "could not parse object GUID");
663 7 : *msg_offset = tok[3] - *sddl_copy;
664 7 : return false;
665 : }
666 2217285 : ace->object.object.flags |= SEC_ACE_OBJECT_TYPE_PRESENT;
667 : }
668 :
669 : /* inherit object */
670 6161217 : if (tok[4][0] != 0) {
671 100560 : ok = sddl_decode_guid(tok[4],
672 : &ace->object.object.inherited_type.inherited_type);
673 100560 : if (!ok) {
674 6 : *msg = talloc_strdup(
675 : mem_ctx,
676 : "could not parse inherited object GUID");
677 6 : *msg_offset = tok[4] - *sddl_copy;
678 6 : return false;
679 : }
680 100554 : ace->object.object.flags |= SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT;
681 : }
682 :
683 : /* trustee */
684 6161211 : s = tok[5];
685 6161211 : sid = sddl_transition_decode_sid(mem_ctx, &s, state);
686 6161211 : if (sid == NULL) {
687 10 : *msg = talloc_strdup(
688 : mem_ctx,
689 : "could not parse trustee SID");
690 10 : *msg_offset = tok[5] - *sddl_copy;
691 10 : return false;
692 : }
693 6161201 : ace->trustee = *sid;
694 6161201 : talloc_free(sid);
695 6161201 : if (*s != '\0') {
696 2 : *msg = talloc_strdup(
697 : mem_ctx,
698 : "garbage after trustee SID");
699 2 : *msg_offset = s - *sddl_copy;
700 2 : return false;
701 : }
702 :
703 6161199 : if (sec_ace_callback(ace->type)) {
704 : /*
705 : * This is either a conditional ACE or some unknown
706 : * type of callback ACE that will be rejected by the
707 : * conditional ACE compiler.
708 : */
709 657 : size_t length;
710 1382 : DATA_BLOB conditions = {0};
711 1382 : s = tok[6];
712 :
713 1382 : conditions = sddl_decode_conditions(mem_ctx,
714 : ace_condition_flags,
715 : s,
716 : &length,
717 : msg,
718 : msg_offset);
719 1382 : if (conditions.data == NULL) {
720 20 : DBG_NOTICE("Conditional ACE compilation failure at %zu: %s\n",
721 : *msg_offset, *msg);
722 20 : *msg_offset += s - *sddl_copy;
723 20 : return false;
724 : }
725 1362 : ace->coda.conditions = conditions;
726 :
727 : /*
728 : * We have found the end of the conditions, and the
729 : * next character should be the ')' to end the ACE.
730 : */
731 1362 : if (s[length] != ')') {
732 0 : *msg = talloc_strdup(
733 : mem_ctx,
734 : "Conditional ACE has trailing bytes"
735 : " or lacks ')'");
736 0 : *msg_offset = s + length - *sddl_copy;
737 0 : return false;
738 : }
739 1362 : str = discard_const_p(char, s + length + 1);
740 6159817 : } else if (sec_ace_resource(ace->type)) {
741 105 : size_t length;
742 105 : struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *claim = NULL;
743 :
744 105 : if (! dom_sid_equal(&ace->trustee, &global_sid_World)) {
745 : /* these are just the rules */
746 0 : *msg = talloc_strdup(
747 : mem_ctx,
748 : "Resource Attribute ACE trustee must be "
749 : "'S-1-1-0' or 'WD'.");
750 0 : *msg_offset = tok[5] - *sddl_copy;
751 0 : return false;
752 : }
753 :
754 105 : s = tok[6];
755 105 : claim = sddl_decode_resource_attr(mem_ctx, s, &length);
756 105 : if (claim == NULL) {
757 0 : *msg = talloc_strdup(
758 : mem_ctx,
759 : "Resource Attribute ACE parse failure");
760 0 : *msg_offset = s - *sddl_copy;
761 0 : return false;
762 : }
763 105 : ace->coda.claim = *claim;
764 :
765 : /*
766 : * We want a ')' to end the ACE.
767 : */
768 105 : if (s[length] != ')') {
769 0 : *msg = talloc_strdup(
770 : mem_ctx,
771 : "Resource Attribute ACE has trailing bytes"
772 : " or lacks ')'");
773 0 : *msg_offset = s + length - *sddl_copy;
774 0 : return false;
775 : }
776 105 : str = discard_const_p(char, s + length + 1);
777 : }
778 :
779 6161179 : *sddl_copy = str;
780 6161179 : return true;
781 : }
782 :
783 : static const struct flag_map acl_flags[] = {
784 : { "P", SEC_DESC_DACL_PROTECTED },
785 : { "AR", SEC_DESC_DACL_AUTO_INHERIT_REQ },
786 : { "AI", SEC_DESC_DACL_AUTO_INHERITED },
787 : { NULL, 0 }
788 : };
789 :
790 : /*
791 : decode an ACL
792 : */
793 3255109 : static struct security_acl *sddl_decode_acl(struct security_descriptor *sd,
794 : const enum ace_condition_flags ace_condition_flags,
795 : const char **sddlp, uint32_t *flags,
796 : struct sddl_transition_state *state,
797 : const char **msg, size_t *msg_offset)
798 : {
799 3255109 : const char *sddl = *sddlp;
800 3255109 : char *sddl_copy = NULL;
801 3255109 : char *aces_start = NULL;
802 303313 : struct security_acl *acl;
803 303313 : size_t len;
804 3255109 : *flags = 0;
805 :
806 3255109 : acl = talloc_zero(sd, struct security_acl);
807 3255109 : if (acl == NULL) {
808 0 : return NULL;
809 : }
810 3255109 : acl->revision = SECURITY_ACL_REVISION_ADS;
811 :
812 3255109 : if (isupper((unsigned char)sddl[0]) && sddl[1] == ':') {
813 : /* its an empty ACL */
814 956846 : return acl;
815 : }
816 :
817 : /* work out the ACL flags */
818 2218859 : if (!sddl_map_flags(acl_flags, sddl, flags, &len, true)) {
819 0 : *msg = talloc_strdup(sd, "bad ACL flags");
820 0 : *msg_offset = 0;
821 0 : talloc_free(acl);
822 0 : return NULL;
823 : }
824 2218859 : sddl += len;
825 :
826 2218859 : if (sddl[0] != '(') {
827 : /*
828 : * it is empty apart from the flags
829 : * (or the flags are bad, and we will find out when
830 : * we try to parse the next bit as a top-level fragment)
831 : */
832 1054052 : *sddlp = sddl;
833 1054052 : return acl;
834 : }
835 :
836 : /*
837 : * now the ACEs
838 : *
839 : * For this we make a copy of the rest of the SDDL, which the ACE
840 : * tokeniser will mutilate by putting '\0' where it finds ';'.
841 : *
842 : * We need to copy the rest of the SDDL string because it is not
843 : * possible in general to find where an ACL ends if there are
844 : * conditional ACEs.
845 : */
846 :
847 1164807 : sddl_copy = talloc_strdup(acl, sddl);
848 1164807 : if (sddl_copy == NULL) {
849 0 : TALLOC_FREE(acl);
850 0 : return NULL;
851 : }
852 1669291 : aces_start = sddl_copy;
853 :
854 7325986 : while (*sddl_copy == '(') {
855 504572 : bool ok;
856 6161272 : if (acl->num_aces > UINT16_MAX / 16) {
857 : /*
858 : * We can't fit this many ACEs in a wire ACL
859 : * which has a 16 bit size field (and 16 is
860 : * the minimal size of an ACE with no subauths).
861 : */
862 0 : talloc_free(acl);
863 0 : return NULL;
864 : }
865 :
866 6161272 : acl->aces = talloc_realloc(acl, acl->aces, struct security_ace,
867 : acl->num_aces+1);
868 6161272 : if (acl->aces == NULL) {
869 0 : talloc_free(acl);
870 0 : return NULL;
871 : }
872 6161272 : ok = sddl_decode_ace(acl->aces, &acl->aces[acl->num_aces],
873 : ace_condition_flags,
874 : &sddl_copy, state, msg, msg_offset);
875 6161272 : if (!ok) {
876 93 : *msg_offset += sddl_copy - aces_start;
877 93 : talloc_steal(sd, *msg);
878 93 : talloc_free(acl);
879 93 : return NULL;
880 : }
881 6161179 : acl->num_aces++;
882 : }
883 1164714 : sddl += sddl_copy - aces_start;
884 1164714 : TALLOC_FREE(aces_start);
885 1164714 : (*sddlp) = sddl;
886 1164714 : return acl;
887 : }
888 :
889 : /*
890 : * Decode a security descriptor in SDDL format, catching compilation
891 : * error messages, if any.
892 : *
893 : * The message will be a direct talloc child of mem_ctx or NULL.
894 : */
895 2216553 : struct security_descriptor *sddl_decode_err_msg(TALLOC_CTX *mem_ctx, const char *sddl,
896 : const struct dom_sid *domain_sid,
897 : const enum ace_condition_flags ace_condition_flags,
898 : const char **msg, size_t *msg_offset)
899 : {
900 2216553 : struct sddl_transition_state state = {
901 : /*
902 : * TODO: verify .machine_rid values really belong
903 : * to the machine_sid on a member, once
904 : * we pass machine_sid from the caller...
905 : */
906 : .machine_sid = domain_sid,
907 : .domain_sid = domain_sid,
908 : .forest_sid = domain_sid,
909 : };
910 2216553 : const char *start = sddl;
911 2216553 : struct security_descriptor *sd = NULL;
912 :
913 2216553 : if (msg == NULL || msg_offset == NULL) {
914 0 : DBG_ERR("Programmer misbehaviour: use sddl_decode() "
915 : "or provide msg pointers.\n");
916 0 : return NULL;
917 : }
918 2216553 : *msg = NULL;
919 2216553 : *msg_offset = 0;
920 :
921 2216553 : sd = talloc_zero(mem_ctx, struct security_descriptor);
922 2216553 : if (sd == NULL) {
923 0 : return NULL;
924 : }
925 2216553 : sd->revision = SECURITY_DESCRIPTOR_REVISION_1;
926 2216553 : sd->type = SEC_DESC_SELF_RELATIVE;
927 :
928 5510752 : while (*sddl) {
929 318903 : uint32_t flags;
930 3294704 : char c = sddl[0];
931 3294704 : if (sddl[1] != ':') {
932 250 : *msg = talloc_strdup(mem_ctx,
933 : "expected '[OGDS]:' section start "
934 : "(or the previous section ended prematurely)");
935 401 : goto failed;
936 : }
937 3294454 : sddl += 2;
938 3294454 : switch (c) {
939 2208555 : case 'D':
940 2208555 : if (sd->dacl != NULL) goto failed;
941 2208555 : sd->dacl = sddl_decode_acl(sd, ace_condition_flags, &sddl, &flags, &state, msg, msg_offset);
942 2208555 : if (sd->dacl == NULL) goto failed;
943 2208465 : sd->type |= flags | SEC_DESC_DACL_PRESENT;
944 2208465 : break;
945 1046554 : case 'S':
946 1046554 : if (sd->sacl != NULL) goto failed;
947 1046554 : sd->sacl = sddl_decode_acl(sd, ace_condition_flags, &sddl, &flags, &state, msg, msg_offset);
948 1046554 : if (sd->sacl == NULL) goto failed;
949 : /* this relies on the SEC_DESC_SACL_* flags being
950 : 1 bit shifted from the SEC_DESC_DACL_* flags */
951 1046551 : sd->type |= (flags<<1) | SEC_DESC_SACL_PRESENT;
952 1046551 : break;
953 20830 : case 'O':
954 20830 : if (sd->owner_sid != NULL) goto failed;
955 20830 : sd->owner_sid = sddl_transition_decode_sid(sd, &sddl, &state);
956 20830 : if (sd->owner_sid == NULL) goto failed;
957 12832 : break;
958 18511 : case 'G':
959 18511 : if (sd->group_sid != NULL) goto failed;
960 18511 : sd->group_sid = sddl_transition_decode_sid(sd, &sddl, &state);
961 18511 : if (sd->group_sid == NULL) goto failed;
962 10834 : break;
963 4 : default:
964 4 : *msg = talloc_strdup(mem_ctx, "unexpected character (expected [OGDS])");
965 4 : goto failed;
966 : }
967 : }
968 1997100 : return sd;
969 505 : failed:
970 505 : if (*msg != NULL) {
971 347 : *msg = talloc_steal(mem_ctx, *msg);
972 : }
973 : /*
974 : * The actual message (*msg) might still be NULL, but the
975 : * offset at least provides a clue.
976 : */
977 505 : *msg_offset += sddl - start;
978 :
979 505 : if (*msg_offset > strlen(sddl)) {
980 : /*
981 : * It's not that we *don't* trust our pointer difference
982 : * arithmetic, just that we *shouldn't*. Let's render it
983 : * harmless, before Python tries printing 18 quadrillion
984 : * spaces.
985 : */
986 12 : DBG_WARNING("sddl error message offset %zu is too big\n",
987 : *msg_offset);
988 12 : *msg_offset = 0;
989 : }
990 505 : DEBUG(2,("Badly formatted SDDL '%s'\n", sddl));
991 505 : talloc_free(sd);
992 505 : return NULL;
993 : }
994 :
995 :
996 : /*
997 : decode a security descriptor in SDDL format
998 : */
999 2166910 : struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl,
1000 : const struct dom_sid *domain_sid)
1001 : {
1002 2166910 : const char *msg = NULL;
1003 2166910 : size_t msg_offset = 0;
1004 2166910 : struct security_descriptor *sd = sddl_decode_err_msg(mem_ctx,
1005 : sddl,
1006 : domain_sid,
1007 : ACE_CONDITION_FLAG_ALLOW_DEVICE,
1008 : &msg,
1009 : &msg_offset);
1010 2166910 : if (sd == NULL) {
1011 309 : DBG_NOTICE("could not decode '%s'\n", sddl);
1012 309 : if (msg != NULL) {
1013 233 : DBG_NOTICE(" %*c\n",
1014 : (int)msg_offset, '^');
1015 233 : DBG_NOTICE("error '%s'\n", msg);
1016 233 : talloc_free(discard_const(msg));
1017 : }
1018 : }
1019 2166910 : return sd;
1020 : }
1021 :
1022 : /*
1023 : turn a set of flags into a string
1024 : */
1025 1930098 : static char *sddl_flags_to_string(TALLOC_CTX *mem_ctx, const struct flag_map *map,
1026 : uint32_t flags, bool check_all)
1027 : {
1028 362169 : int i;
1029 362169 : char *s;
1030 :
1031 : /* try to find an exact match */
1032 16906098 : for (i=0;map[i].name;i++) {
1033 15780331 : if (map[i].flag == flags) {
1034 804331 : return talloc_strdup(mem_ctx, map[i].name);
1035 : }
1036 : }
1037 :
1038 1125767 : s = talloc_strdup(mem_ctx, "");
1039 :
1040 : /* now by bits */
1041 12800024 : for (i=0;map[i].name;i++) {
1042 11462493 : if ((flags & map[i].flag) != 0) {
1043 4845568 : s = talloc_asprintf_append_buffer(s, "%s", map[i].name);
1044 4845568 : if (s == NULL) goto failed;
1045 4845568 : flags &= ~map[i].flag;
1046 : }
1047 : }
1048 :
1049 1125767 : if (check_all && flags != 0) {
1050 13043 : goto failed;
1051 : }
1052 :
1053 901992 : return s;
1054 :
1055 13043 : failed:
1056 13043 : talloc_free(s);
1057 13043 : return NULL;
1058 : }
1059 :
1060 : /*
1061 : encode a sid in SDDL format
1062 : */
1063 782943 : static char *sddl_transition_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
1064 : struct sddl_transition_state *state)
1065 : {
1066 782943 : bool in_machine = dom_sid_in_domain(state->machine_sid, sid);
1067 782943 : bool in_domain = dom_sid_in_domain(state->domain_sid, sid);
1068 782943 : bool in_forest = dom_sid_in_domain(state->forest_sid, sid);
1069 144072 : struct dom_sid_buf buf;
1070 782943 : const char *sidstr = dom_sid_str_buf(sid, &buf);
1071 782943 : uint32_t rid = 0;
1072 144072 : size_t i;
1073 :
1074 782943 : if (sid->num_auths > 1) {
1075 478797 : rid = sid->sub_auths[sid->num_auths-1];
1076 : }
1077 :
1078 26980818 : for (i=0;i<ARRAY_SIZE(sid_codes);i++) {
1079 : /* seen if its a well known sid */
1080 26908907 : if (sid_codes[i].sid != NULL) {
1081 4270931 : int cmp;
1082 :
1083 23326133 : cmp = strcmp(sidstr, sid_codes[i].sid);
1084 23326133 : if (cmp != 0) {
1085 22901496 : continue;
1086 : }
1087 :
1088 424637 : return talloc_strdup(mem_ctx, sid_codes[i].code);
1089 : }
1090 :
1091 3582774 : if (rid == 0) {
1092 408 : continue;
1093 : }
1094 :
1095 3582366 : if (in_machine && sid_codes[i].machine_rid == rid) {
1096 2255 : return talloc_strdup(mem_ctx, sid_codes[i].code);
1097 : }
1098 3580111 : if (in_domain && sid_codes[i].domain_rid == rid) {
1099 111118 : return talloc_strdup(mem_ctx, sid_codes[i].code);
1100 : }
1101 3468993 : if (in_forest && sid_codes[i].forest_rid == rid) {
1102 173022 : return talloc_strdup(mem_ctx, sid_codes[i].code);
1103 : }
1104 : }
1105 :
1106 71911 : return talloc_strdup(mem_ctx, sidstr);
1107 : }
1108 :
1109 55 : char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
1110 : const struct dom_sid *domain_sid)
1111 : {
1112 55 : struct sddl_transition_state state = {
1113 : /*
1114 : * TODO: verify .machine_rid values really belong
1115 : * to the machine_sid on a member, once
1116 : * we pass machine_sid from the caller...
1117 : */
1118 : .machine_sid = domain_sid,
1119 : .domain_sid = domain_sid,
1120 : .forest_sid = domain_sid,
1121 : };
1122 55 : return sddl_transition_encode_sid(mem_ctx, sid, &state);
1123 : }
1124 :
1125 :
1126 :
1127 : /*
1128 : encode an ACE in SDDL format
1129 : */
1130 601298 : static char *sddl_transition_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace,
1131 : struct sddl_transition_state *state)
1132 : {
1133 601298 : char *sddl = NULL;
1134 112510 : TALLOC_CTX *tmp_ctx;
1135 112510 : struct GUID_txt_buf object_buf, iobject_buf;
1136 601298 : const char *sddl_type="", *sddl_flags="", *sddl_mask="",
1137 601298 : *sddl_object="", *sddl_iobject="", *sddl_trustee="";
1138 601298 : tmp_ctx = talloc_new(mem_ctx);
1139 601298 : if (tmp_ctx == NULL) {
1140 0 : DEBUG(0, ("talloc_new failed\n"));
1141 0 : return NULL;
1142 : }
1143 :
1144 601298 : sddl_type = sddl_flags_to_string(tmp_ctx, ace_types, ace->type, true);
1145 601298 : if (sddl_type == NULL) {
1146 0 : goto failed;
1147 : }
1148 :
1149 601298 : sddl_flags = sddl_flags_to_string(tmp_ctx, ace_flags, ace->flags,
1150 : true);
1151 601298 : if (sddl_flags == NULL) {
1152 0 : goto failed;
1153 : }
1154 :
1155 713808 : sddl_mask = sddl_flags_to_string(tmp_ctx, ace_access_mask,
1156 601298 : ace->access_mask, true);
1157 601298 : if (sddl_mask == NULL) {
1158 14075 : sddl_mask = sddl_match_file_rights(tmp_ctx,
1159 13043 : ace->access_mask);
1160 13043 : if (sddl_mask == NULL) {
1161 4388 : sddl_mask = talloc_asprintf(tmp_ctx, "0x%x",
1162 4388 : ace->access_mask);
1163 : }
1164 13043 : if (sddl_mask == NULL) {
1165 0 : goto failed;
1166 : }
1167 : }
1168 :
1169 601298 : if (sec_ace_object(ace->type)) {
1170 204021 : const struct security_ace_object *object = &ace->object.object;
1171 :
1172 204021 : if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
1173 182991 : sddl_object = GUID_buf_string(
1174 : &object->type.type, &object_buf);
1175 : }
1176 :
1177 204021 : if (ace->object.object.flags &
1178 : SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
1179 145879 : sddl_iobject = GUID_buf_string(
1180 : &object->inherited_type.inherited_type,
1181 : &iobject_buf);
1182 : }
1183 : }
1184 601298 : sddl_trustee = sddl_transition_encode_sid(tmp_ctx, &ace->trustee, state);
1185 601298 : if (sddl_trustee == NULL) {
1186 0 : goto failed;
1187 : }
1188 :
1189 601298 : if (sec_ace_callback(ace->type)) {
1190 : /* encode the conditional part */
1191 90 : struct ace_condition_script *s = NULL;
1192 90 : const char *sddl_conditions = NULL;
1193 :
1194 90 : s = parse_conditional_ace(tmp_ctx, ace->coda.conditions);
1195 :
1196 90 : if (s == NULL) {
1197 0 : goto failed;
1198 : }
1199 :
1200 90 : sddl_conditions = sddl_from_conditional_ace(tmp_ctx, s);
1201 90 : if (sddl_conditions == NULL) {
1202 0 : goto failed;
1203 : }
1204 :
1205 90 : sddl = talloc_asprintf(mem_ctx, "%s;%s;%s;%s;%s;%s;%s",
1206 : sddl_type, sddl_flags, sddl_mask,
1207 : sddl_object, sddl_iobject,
1208 : sddl_trustee, sddl_conditions);
1209 601208 : } else if (sec_ace_resource(ace->type)) {
1210 : /* encode the resource part */
1211 7 : const char *coda = NULL;
1212 7 : coda = sddl_resource_attr_from_claim(tmp_ctx,
1213 : &ace->coda.claim);
1214 :
1215 7 : if (coda == NULL) {
1216 0 : DBG_WARNING("resource ACE has invalid claim\n");
1217 0 : goto failed;
1218 : }
1219 7 : sddl = talloc_asprintf(mem_ctx, "%s;%s;%s;%s;%s;%s;%s",
1220 : sddl_type, sddl_flags, sddl_mask,
1221 : sddl_object, sddl_iobject,
1222 : sddl_trustee, coda);
1223 : } else {
1224 601201 : sddl = talloc_asprintf(mem_ctx, "%s;%s;%s;%s;%s;%s",
1225 : sddl_type, sddl_flags, sddl_mask,
1226 : sddl_object, sddl_iobject, sddl_trustee);
1227 : }
1228 601298 : failed:
1229 601298 : talloc_free(tmp_ctx);
1230 601298 : return sddl;
1231 : }
1232 :
1233 13 : char *sddl_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace,
1234 : const struct dom_sid *domain_sid)
1235 : {
1236 13 : struct sddl_transition_state state = {
1237 : /*
1238 : * TODO: verify .machine_rid values really belong
1239 : * to the machine_sid on a member, once
1240 : * we pass machine_sid from the caller...
1241 : */
1242 : .machine_sid = domain_sid,
1243 : .domain_sid = domain_sid,
1244 : .forest_sid = domain_sid,
1245 : };
1246 13 : return sddl_transition_encode_ace(mem_ctx, ace, &state);
1247 : }
1248 :
1249 : /*
1250 : encode an ACL in SDDL format
1251 : */
1252 126204 : static char *sddl_encode_acl(TALLOC_CTX *mem_ctx, const struct security_acl *acl,
1253 : uint32_t flags, struct sddl_transition_state *state)
1254 : {
1255 24639 : char *sddl;
1256 24639 : uint32_t i;
1257 :
1258 : /* add any ACL flags */
1259 126204 : sddl = sddl_flags_to_string(mem_ctx, acl_flags, flags, false);
1260 126204 : if (sddl == NULL) goto failed;
1261 :
1262 : /* now the ACEs, encoded in braces */
1263 727489 : for (i=0;i<acl->num_aces;i++) {
1264 601285 : char *ace = sddl_transition_encode_ace(sddl, &acl->aces[i], state);
1265 601285 : if (ace == NULL) goto failed;
1266 601285 : sddl = talloc_asprintf_append_buffer(sddl, "(%s)", ace);
1267 601285 : if (sddl == NULL) goto failed;
1268 601285 : talloc_free(ace);
1269 : }
1270 :
1271 101565 : return sddl;
1272 :
1273 0 : failed:
1274 0 : talloc_free(sddl);
1275 0 : return NULL;
1276 : }
1277 :
1278 :
1279 : /*
1280 : encode a security descriptor to SDDL format
1281 : */
1282 91842 : char *sddl_encode(TALLOC_CTX *mem_ctx, const struct security_descriptor *sd,
1283 : const struct dom_sid *domain_sid)
1284 : {
1285 91842 : struct sddl_transition_state state = {
1286 : /*
1287 : * TODO: verify .machine_rid values really belong
1288 : * to the machine_sid on a member, once
1289 : * we pass machine_sid from the caller...
1290 : */
1291 : .machine_sid = domain_sid,
1292 : .domain_sid = domain_sid,
1293 : .forest_sid = domain_sid,
1294 : };
1295 16092 : char *sddl;
1296 16092 : TALLOC_CTX *tmp_ctx;
1297 :
1298 : /* start with a blank string */
1299 91842 : sddl = talloc_strdup(mem_ctx, "");
1300 91842 : if (sddl == NULL) goto failed;
1301 :
1302 91842 : tmp_ctx = talloc_new(sddl);
1303 91842 : if (tmp_ctx == NULL) {
1304 0 : goto failed;
1305 : }
1306 :
1307 91842 : if (sd->owner_sid != NULL) {
1308 90812 : char *sid = sddl_transition_encode_sid(tmp_ctx, sd->owner_sid, &state);
1309 90812 : if (sid == NULL) goto failed;
1310 90812 : sddl = talloc_asprintf_append_buffer(sddl, "O:%s", sid);
1311 90812 : if (sddl == NULL) goto failed;
1312 : }
1313 :
1314 91842 : if (sd->group_sid != NULL) {
1315 90778 : char *sid = sddl_transition_encode_sid(tmp_ctx, sd->group_sid, &state);
1316 90778 : if (sid == NULL) goto failed;
1317 90778 : sddl = talloc_asprintf_append_buffer(sddl, "G:%s", sid);
1318 90778 : if (sddl == NULL) goto failed;
1319 : }
1320 :
1321 91842 : if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl != NULL) {
1322 85529 : char *acl = sddl_encode_acl(tmp_ctx, sd->dacl, sd->type, &state);
1323 85529 : if (acl == NULL) goto failed;
1324 85529 : sddl = talloc_asprintf_append_buffer(sddl, "D:%s", acl);
1325 85529 : if (sddl == NULL) goto failed;
1326 : }
1327 :
1328 91842 : if ((sd->type & SEC_DESC_SACL_PRESENT) && sd->sacl != NULL) {
1329 40675 : char *acl = sddl_encode_acl(tmp_ctx, sd->sacl, sd->type>>1, &state);
1330 40675 : if (acl == NULL) goto failed;
1331 40675 : sddl = talloc_asprintf_append_buffer(sddl, "S:%s", acl);
1332 40675 : if (sddl == NULL) goto failed;
1333 : }
1334 :
1335 91842 : talloc_free(tmp_ctx);
1336 91842 : return sddl;
1337 :
1338 0 : failed:
1339 0 : talloc_free(sddl);
1340 0 : return NULL;
1341 : }
|
