svn commit: samba r12158 - in branches/SAMBA_4_0/source: lib/ldb/samba libcli/security torture/local

tridge at samba.org tridge at samba.org
Fri Dec 9 23:43:03 GMT 2005


Author: tridge
Date: 2005-12-09 23:43:02 +0000 (Fri, 09 Dec 2005)
New Revision: 12158

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=12158

Log:

added ldif handlers for the ntSecurityDescriptor attribute, so when
displaying security descriptors in ldbsearch or ldbedit you can see
the SDDL version.

This also allows us to specify security descriptors in our
setup/*.ldif files in SDDL format, which is much more convenient than
the NDR binary format!

Modified:
   branches/SAMBA_4_0/source/lib/ldb/samba/ldif_handlers.c
   branches/SAMBA_4_0/source/libcli/security/sddl.c
   branches/SAMBA_4_0/source/torture/local/sddl.c


Changeset:
Modified: branches/SAMBA_4_0/source/lib/ldb/samba/ldif_handlers.c
===================================================================
--- branches/SAMBA_4_0/source/lib/ldb/samba/ldif_handlers.c	2005-12-09 23:40:14 UTC (rev 12157)
+++ branches/SAMBA_4_0/source/lib/ldb/samba/ldif_handlers.c	2005-12-09 23:43:02 UTC (rev 12158)
@@ -214,6 +214,65 @@
 	return ldb_handler_copy(ldb, mem_ctx, in, out);
 }
 
+
+/*
+  convert a ldif (SDDL) formatted ntSecurityDescriptor to a NDR formatted blob
+*/
+static int ldif_read_ntSecurityDescriptor(struct ldb_context *ldb, void *mem_ctx,
+					  const struct ldb_val *in, struct ldb_val *out)
+{
+	struct security_descriptor *sd;
+	NTSTATUS status;
+	const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
+	if (domain_sid == NULL) {
+		return ldb_handler_copy(ldb, mem_ctx, in, out);
+	}
+	sd = sddl_decode(mem_ctx, (const char *)in->data, domain_sid);
+	if (sd == NULL) {
+		return -1;
+	}
+	status = ndr_push_struct_blob(out, mem_ctx, sd, 
+				      (ndr_push_flags_fn_t)ndr_push_security_descriptor);
+	talloc_free(sd);
+	if (!NT_STATUS_IS_OK(status)) {
+		return -1;
+	}
+	return 0;
+}
+
+/*
+  convert a NDR formatted blob to a ldif formatted ntSecurityDescriptor (SDDL format)
+*/
+static int ldif_write_ntSecurityDescriptor(struct ldb_context *ldb, void *mem_ctx,
+					   const struct ldb_val *in, struct ldb_val *out)
+{
+	struct security_descriptor *sd;
+	NTSTATUS status;
+	const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
+
+	if (domain_sid == NULL) {
+		return ldb_handler_copy(ldb, mem_ctx, in, out);
+	}
+
+	sd = talloc(mem_ctx, struct security_descriptor);
+	if (sd == NULL) {
+		return -1;
+	}
+	status = ndr_pull_struct_blob(in, sd, sd, 
+				      (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
+	if (!NT_STATUS_IS_OK(status)) {
+		talloc_free(sd);
+		return -1;
+	}
+	out->data = (uint8_t *)sddl_encode(mem_ctx, sd, domain_sid);
+	talloc_free(sd);
+	if (out->data == NULL) {
+		return -1;
+	}
+	out->length = strlen((const char *)out->data);
+	return 0;
+}
+
 static const struct ldb_attrib_handler samba_handlers[] = {
 	{ 
 		.attr            = "objectSid",
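Review bot: sddl_decode at line 51 is handed `in->data` as a NUL-terminated C string, but an ldb_val is length-delimited (`in->length`) and nothing in this handler guarantees a terminator, so a value read from an LDIF file or ldbedit buffer without one lets the SDDL parser (outside this hunk) read past the buffer. Copy the value into a bounded string first: `char *sddl = talloc_strndup(mem_ctx, (const char *)in->data, in->length); if (sddl == NULL) return -1;` and pass `sddl` to sddl_decode in place of the cast. A value that is already an NDR blob will presumably fail in sddl_decode and be rejected with -1 at line 53; if that is intended, a comment such as `/* the ldif side accepts SDDL text only, not NDR blobs */` above the call would make the contract visible.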
@@ -232,6 +291,14 @@
 		.comparison_fn   = ldb_comparison_objectSid
 	},
 	{ 
+		.attr            = "ntSecurityDescriptor",
+		.flags           = 0,
+		.ldif_read_fn    = ldif_read_ntSecurityDescriptor,
+		.ldif_write_fn   = ldif_write_ntSecurityDescriptor,
+		.canonicalise_fn = ldb_handler_copy,
+		.comparison_fn   = ldb_comparison_binary
+	},
+	{ 
 		.attr            = "objectGUID",
 		.flags           = 0,
 		.ldif_read_fn    = ldif_read_objectGUID,

Modified: branches/SAMBA_4_0/source/libcli/security/sddl.c
===================================================================
--- branches/SAMBA_4_0/source/libcli/security/sddl.c	2005-12-09 23:40:14 UTC (rev 12157)
+++ branches/SAMBA_4_0/source/libcli/security/sddl.c	2005-12-09 23:43:02 UTC (rev 12158)
@@ -92,7 +92,7 @@
   It can either be a special 2 letter code, or in S-* format
 */
 static struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
-				       struct dom_sid *domain_sid)
+				       const struct dom_sid *domain_sid)
 {
 	const char *sddl = (*sddlp);
 	int i;
@@ -172,7 +172,7 @@
   note that this routine modifies the string
 */
 static BOOL sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char *str,
-			    struct dom_sid *domain_sid)
+			    const struct dom_sid *domain_sid)
 {
 	const char *tok[6];
 	const char *s;
@@ -259,7 +259,7 @@
 */
 static struct security_acl *sddl_decode_acl(struct security_descriptor *sd, 
 					    const char **sddlp, uint32_t *flags,
-					    struct dom_sid *domain_sid)
+					    const struct dom_sid *domain_sid)
 {
 	const char *sddl = *sddlp;
 	struct security_acl *acl;
@@ -316,7 +316,7 @@
   decode a security descriptor in SDDL format
 */
 struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl,
-					struct dom_sid *domain_sid)
+					const struct dom_sid *domain_sid)
 {
 	struct security_descriptor *sd;
 	sd = talloc_zero(mem_ctx, struct security_descriptor);
@@ -408,7 +408,7 @@
   encode a sid in SDDL format
 */
 static char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
-			     struct dom_sid *domain_sid)
+			     const struct dom_sid *domain_sid)
 {
 	int i;
 	char *sidstr;
@@ -446,7 +446,7 @@
   encode an ACE in SDDL format
 */
 static char *sddl_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace,
-			     struct dom_sid *domain_sid)
+			     const struct dom_sid *domain_sid)
 {
 	char *sddl;
 	TALLOC_CTX *tmp_ctx;
@@ -497,7 +497,7 @@
   encode an ACL in SDDL format
 */
 static char *sddl_encode_acl(TALLOC_CTX *mem_ctx, const struct security_acl *acl,
-			     uint32_t flags, struct dom_sid *domain_sid)
+			     uint32_t flags, const struct dom_sid *domain_sid)
 {
 	char *sddl;
 	int i;
@@ -527,7 +527,7 @@
   encode a security descriptor to SDDL format
 */
 char *sddl_encode(TALLOC_CTX *mem_ctx, const struct security_descriptor *sd,
-		  struct dom_sid *domain_sid)
+		  const struct dom_sid *domain_sid)
 {
 	char *sddl;
 	TALLOC_CTX *tmp_ctx;

Modified: branches/SAMBA_4_0/source/torture/local/sddl.c
===================================================================
--- branches/SAMBA_4_0/source/torture/local/sddl.c	2005-12-09 23:40:14 UTC (rev 12157)
+++ branches/SAMBA_4_0/source/torture/local/sddl.c	2005-12-09 23:43:02 UTC (rev 12158)
@@ -57,6 +57,13 @@
 		return False;
 	}
 
+#if 0
+	/* flags don't have a canonical order ... */
+	if (strcmp(sddl, sddl2) != 0) {
+		printf("Failed sddl equality test\norig: %s\n new: %s\n", sddl, sddl2);
+	}
+#endif
+
 	if (DEBUGLVL(2)) {
 		NDR_PRINT_DEBUG(security_descriptor, sd);
 	}
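Review bot: The `#if 0` block at lines 201-206 commits disabled code, and its own comment explains why a string comparison can never be enabled (ACE flags have no canonical order), so it will only rot. If a round-trip check is wanted, decode `sddl2` again and compare the resulting descriptor structurally with `sd` (revision, type, owner and group SIDs, ACE lists), which is tolerant of flag ordering; otherwise drop the block. The enclosing test function starts and ends outside this hunk, so `sddl`, `sddl2` and `sd` are assumed to be its locals.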


