[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Fri Apr 24 18:44:04 MDT 2015
The branch, master has been updated
via 4903064 s4: rpc: Refactor dcesrv_alter() function into setup and send steps.
via e4f2fa2 sharesec: Use common parse_ace function
via cea5045 sharesec: Print ACEs in similar format as expected in input
via 9e10ddd util_sd: Make server conncection optional
via 42c46ab smbcacls: Move sec_desc_print to common file
via 541ddde smbcacls: Move print_ace and parse_ace to common file
via a519b3e smbcacls: Move StringToSid to common file
via 7eeca44 smbcacls: Move SidToString to common file
via 9e1ebdc smbcacls: Use defines for security flags
via d0c4969 smbcacls: Make 'numeric' a local variable
from 3e5d527 docs: correctly depend on used xsl files and catalog for building manpages.t
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 49030649db3dfec5a9bc03e5dde4255a14499f16
Author: Jeremy Allison <jra at samba.org>
Date: Fri Apr 24 13:19:30 2015 -0700
s4: rpc: Refactor dcesrv_alter() function into setup and send steps.
Fixes bug:
https://bugzilla.samba.org/show_bug.cgi?id=11236
Based on code from Julien Kerihuel <j.kerihuel at openchange.org>
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Apr 25 02:43:22 CEST 2015 on sn-devel-104
commit e4f2fa2c67ead2edf23c55b4d2941e69849edac2
Author: Christof Schmitt <cs at samba.org>
Date: Fri Apr 24 10:00:19 2015 -0700
sharesec: Use common parse_ace function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11237
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit cea50454129b1a10d1350dde2f6440c249f89c85
Author: Christof Schmitt <cs at samba.org>
Date: Fri Apr 24 09:51:28 2015 -0700
sharesec: Print ACEs in similar format as expected in input
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11237
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 9e10ddd00e5d0bfe47930adb4627c7a5efc543fb
Author: Christof Schmitt <cs at samba.org>
Date: Fri Apr 24 09:49:23 2015 -0700
util_sd: Make server conncection optional
If cli is not set, only attempt numeric conversions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11237
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 42c46ab642fa989a4e7606b4abd213e2b6c808a7
Author: Christof Schmitt <cs at samba.org>
Date: Fri Apr 24 09:28:02 2015 -0700
smbcacls: Move sec_desc_print to common file
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11237
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 541ddde872b4bf37b6f63abef648bd5ffd6482c4
Author: Christof Schmitt <cs at samba.org>
Date: Fri Apr 24 09:22:14 2015 -0700
smbcacls: Move print_ace and parse_ace to common file
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11237
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit a519b3e6c6e4c57863e02975ff2cc8b36c34ea6f
Author: Christof Schmitt <cs at samba.org>
Date: Fri Apr 24 09:15:13 2015 -0700
smbcacls: Move StringToSid to common file
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11237
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 7eeca44f03e8bc52533ee7bf004261b096b5243f
Author: Christof Schmitt <cs at samba.org>
Date: Fri Apr 24 08:37:13 2015 -0700
smbcacls: Move SidToString to common file
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11237
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 9e1ebdc7ec3b0a7c49d8b7469c0d07486f797a74
Author: Christof Schmitt <cs at samba.org>
Date: Fri Apr 24 08:51:32 2015 -0700
smbcacls: Use defines for security flags
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11237
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit d0c496958192bef7446c760df689f1fecb28cb71
Author: Christof Schmitt <cs at samba.org>
Date: Fri Apr 24 08:31:41 2015 -0700
smbcacls: Make 'numeric' a local variable
This will allow moving code to a shared file without relying on a global
variable.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11237
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
-----------------------------------------------------------------------
Summary of changes:
source3/include/util_sd.h | 37 +++
source3/lib/util_sd.c | 614 +++++++++++++++++++++++++++++++++++++
source3/utils/sharesec.c | 193 +-----------
source3/utils/smbcacls.c | 603 +-----------------------------------
source3/wscript_build | 6 +-
source4/rpc_server/dcerpc_server.c | 114 +++----
6 files changed, 738 insertions(+), 829 deletions(-)
create mode 100644 source3/include/util_sd.h
create mode 100644 source3/lib/util_sd.c
Changeset truncated at 500 lines:
diff --git a/source3/include/util_sd.h b/source3/include/util_sd.h
new file mode 100644
index 0000000..7f82969
--- /dev/null
+++ b/source3/include/util_sd.h
@@ -0,0 +1,37 @@
+/*
+ Unix SMB/CIFS implementation.
+ Security Descriptor (SD) helper functions
+
+ Copyright (C) Andrew Tridgell 2000
+ Copyright (C) Tim Potter 2000
+ Copyright (C) Jeremy Allison 2000
+ Copyright (C) Jelmer Vernooij 2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef __UTIL_SD_H__
+#define __UTIL_SD_H__
+
+void SidToString(struct cli_state *cli, fstring str, const struct dom_sid *sid,
+ bool numeric);
+bool StringToSid(struct cli_state *cli, struct dom_sid *sid, const char *str);
+void print_ace(struct cli_state *cli, FILE *f, struct security_ace *ace,
+ bool numeric);
+bool parse_ace(struct cli_state *cli, struct security_ace *ace,
+ const char *orig_str);
+void sec_desc_print(struct cli_state *cli, FILE *f,
+ struct security_descriptor *sd, bool numeric);
+
+#endif
diff --git a/source3/lib/util_sd.c b/source3/lib/util_sd.c
new file mode 100644
index 0000000..8100539
--- /dev/null
+++ b/source3/lib/util_sd.c
@@ -0,0 +1,614 @@
+/*
+ Unix SMB/CIFS implementation.
+ Security Descriptor (SD) helper functions
+
+ Copyright (C) Andrew Tridgell 2000
+ Copyright (C) Tim Potter 2000
+ Copyright (C) Jeremy Allison 2000
+ Copyright (C) Jelmer Vernooij 2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "libsmb/libsmb.h"
+#include "util_sd.h"
+#include "librpc/gen_ndr/ndr_lsa.h"
+#include "../libcli/security/security.h"
+#include "rpc_client/cli_pipe.h"
+#include "rpc_client/cli_lsarpc.h"
+
+/* These values discovered by inspection */
+
+struct perm_value {
+ const char *perm;
+ uint32 mask;
+};
+
+static const struct perm_value special_values[] = {
+ { "R", SEC_RIGHTS_FILE_READ },
+ { "W", SEC_RIGHTS_FILE_WRITE },
+ { "X", SEC_RIGHTS_FILE_EXECUTE },
+ { "D", SEC_STD_DELETE },
+ { "P", SEC_STD_WRITE_DAC },
+ { "O", SEC_STD_WRITE_OWNER },
+ { NULL, 0 },
+};
+
+static const struct perm_value standard_values[] = {
+ { "READ", SEC_RIGHTS_DIR_READ|SEC_DIR_TRAVERSE },
+ { "CHANGE", SEC_RIGHTS_DIR_READ|SEC_STD_DELETE|\
+ SEC_RIGHTS_DIR_WRITE|SEC_DIR_TRAVERSE },
+ { "FULL", SEC_RIGHTS_DIR_ALL },
+ { NULL, 0 },
+};
+
+static const struct {
+ uint16_t mask;
+ const char *str;
+ const char *desc;
+} sec_desc_ctrl_bits[] = {
+ {SEC_DESC_OWNER_DEFAULTED, "OD", "Owner Defaulted"},
+ {SEC_DESC_GROUP_DEFAULTED, "GD", "Group Defaulted"},
+ {SEC_DESC_DACL_PRESENT, "DP", "DACL Present"},
+ {SEC_DESC_DACL_DEFAULTED, "DD", "DACL Defaulted"},
+ {SEC_DESC_SACL_PRESENT, "SP", "SACL Present"},
+ {SEC_DESC_SACL_DEFAULTED, "SD", "SACL Defaulted"},
+ {SEC_DESC_DACL_TRUSTED, "DT", "DACL Trusted"},
+ {SEC_DESC_SERVER_SECURITY, "SS", "Server Security"},
+ {SEC_DESC_DACL_AUTO_INHERIT_REQ, "DR", "DACL Inheritance Required"},
+ {SEC_DESC_SACL_AUTO_INHERIT_REQ, "SR", "SACL Inheritance Required"},
+ {SEC_DESC_DACL_AUTO_INHERITED, "DI", "DACL Auto Inherited"},
+ {SEC_DESC_SACL_AUTO_INHERITED, "SI", "SACL Auto Inherited"},
+ {SEC_DESC_DACL_PROTECTED, "PD", "DACL Protected"},
+ {SEC_DESC_SACL_PROTECTED, "PS", "SACL Protected"},
+ {SEC_DESC_RM_CONTROL_VALID, "RM", "RM Control Valid"},
+ {SEC_DESC_SELF_RELATIVE , "SR", "Self Relative"},
+};
+
+/* Open cli connection and policy handle */
+static NTSTATUS cli_lsa_lookup_sid(struct cli_state *cli,
+ const struct dom_sid *sid,
+ TALLOC_CTX *mem_ctx,
+ enum lsa_SidType *type,
+ char **domain, char **name)
+{
+ uint16 orig_cnum = cli_state_get_tid(cli);
+ struct rpc_pipe_client *p = NULL;
+ struct policy_handle handle;
+ NTSTATUS status;
+ TALLOC_CTX *frame = talloc_stackframe();
+ enum lsa_SidType *types;
+ char **domains;
+ char **names;
+
+ status = cli_tree_connect(cli, "IPC$", "?????", "", 0);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto tcon_fail;
+ }
+
+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
+ &p);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+
+ status = rpccli_lsa_open_policy(p, talloc_tos(), True,
+ GENERIC_EXECUTE_ACCESS, &handle);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+
+ status = rpccli_lsa_lookup_sids(p, talloc_tos(), &handle, 1, sid,
+ &domains, &names, &types);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+
+ *type = types[0];
+ *domain = talloc_move(mem_ctx, &domains[0]);
+ *name = talloc_move(mem_ctx, &names[0]);
+
+ status = NT_STATUS_OK;
+ fail:
+ TALLOC_FREE(p);
+ cli_tdis(cli);
+ tcon_fail:
+ cli_state_set_tid(cli, orig_cnum);
+ TALLOC_FREE(frame);
+ return status;
+}
+
+/* convert a SID to a string, either numeric or username/group */
+void SidToString(struct cli_state *cli, fstring str, const struct dom_sid *sid,
+ bool numeric)
+{
+ char *domain = NULL;
+ char *name = NULL;
+ enum lsa_SidType type;
+ NTSTATUS status;
+
+ sid_to_fstring(str, sid);
+
+ if (numeric || cli == NULL) {
+ return;
+ }
+
+ status = cli_lsa_lookup_sid(cli, sid, talloc_tos(), &type,
+ &domain, &name);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return;
+ }
+
+ if (*domain) {
+ slprintf(str, sizeof(fstring) - 1, "%s%s%s",
+ domain, lp_winbind_separator(), name);
+ } else {
+ fstrcpy(str, name);
+ }
+}
+
+static NTSTATUS cli_lsa_lookup_name(struct cli_state *cli,
+ const char *name,
+ enum lsa_SidType *type,
+ struct dom_sid *sid)
+{
+ uint16 orig_cnum = cli_state_get_tid(cli);
+ struct rpc_pipe_client *p;
+ struct policy_handle handle;
+ NTSTATUS status;
+ TALLOC_CTX *frame = talloc_stackframe();
+ struct dom_sid *sids;
+ enum lsa_SidType *types;
+
+ status = cli_tree_connect(cli, "IPC$", "?????", "", 0);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto tcon_fail;
+ }
+
+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
+ &p);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+
+ status = rpccli_lsa_open_policy(p, talloc_tos(), True,
+ GENERIC_EXECUTE_ACCESS, &handle);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+
+ status = rpccli_lsa_lookup_names(p, talloc_tos(), &handle, 1, &name,
+ NULL, 1, &sids, &types);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+
+ *type = types[0];
+ *sid = sids[0];
+
+ status = NT_STATUS_OK;
+ fail:
+ TALLOC_FREE(p);
+ cli_tdis(cli);
+ tcon_fail:
+ cli_state_set_tid(cli, orig_cnum);
+ TALLOC_FREE(frame);
+ return status;
+}
+
+/* convert a string to a SID, either numeric or username/group */
+bool StringToSid(struct cli_state *cli, struct dom_sid *sid, const char *str)
+{
+ enum lsa_SidType type;
+
+ if (string_to_sid(sid, str)) {
+ return true;
+ }
+
+ if (cli == NULL) {
+ return false;
+ }
+
+ return NT_STATUS_IS_OK(cli_lsa_lookup_name(cli, str, &type, sid));
+}
+
+static void print_ace_flags(FILE *f, uint8_t flags)
+{
+ char *str = talloc_strdup(NULL, "");
+
+ if (!str) {
+ goto out;
+ }
+
+ if (flags & SEC_ACE_FLAG_OBJECT_INHERIT) {
+ str = talloc_asprintf(str, "%s%s",
+ str, "OI|");
+ if (!str) {
+ goto out;
+ }
+ }
+ if (flags & SEC_ACE_FLAG_CONTAINER_INHERIT) {
+ str = talloc_asprintf(str, "%s%s",
+ str, "CI|");
+ if (!str) {
+ goto out;
+ }
+ }
+ if (flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
+ str = talloc_asprintf(str, "%s%s",
+ str, "NP|");
+ if (!str) {
+ goto out;
+ }
+ }
+ if (flags & SEC_ACE_FLAG_INHERIT_ONLY) {
+ str = talloc_asprintf(str, "%s%s",
+ str, "IO|");
+ if (!str) {
+ goto out;
+ }
+ }
+ if (flags & SEC_ACE_FLAG_INHERITED_ACE) {
+ str = talloc_asprintf(str, "%s%s",
+ str, "I|");
+ if (!str) {
+ goto out;
+ }
+ }
+ /* Ignore define SEC_ACE_FLAG_SUCCESSFUL_ACCESS ( 0x40 )
+ and SEC_ACE_FLAG_FAILED_ACCESS ( 0x80 ) as they're
+ audit ace flags. */
+
+ if (str[strlen(str)-1] == '|') {
+ str[strlen(str)-1] = '\0';
+ fprintf(f, "/%s/", str);
+ } else {
+ fprintf(f, "/0x%x/", flags);
+ }
+ TALLOC_FREE(str);
+ return;
+
+ out:
+ fprintf(f, "/0x%x/", flags);
+}
+
+/* print an ACE on a FILE, using either numeric or ascii representation */
+void print_ace(struct cli_state *cli, FILE *f, struct security_ace *ace,
+ bool numeric)
+{
+ const struct perm_value *v;
+ fstring sidstr;
+ int do_print = 0;
+ uint32 got_mask;
+
+ SidToString(cli, sidstr, &ace->trustee, numeric);
+
+ fprintf(f, "%s:", sidstr);
+
+ if (numeric) {
+ fprintf(f, "%d/0x%x/0x%08x",
+ ace->type, ace->flags, ace->access_mask);
+ return;
+ }
+
+ /* Ace type */
+
+ if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) {
+ fprintf(f, "ALLOWED");
+ } else if (ace->type == SEC_ACE_TYPE_ACCESS_DENIED) {
+ fprintf(f, "DENIED");
+ } else {
+ fprintf(f, "%d", ace->type);
+ }
+
+ print_ace_flags(f, ace->flags);
+
+ /* Standard permissions */
+
+ for (v = standard_values; v->perm; v++) {
+ if (ace->access_mask == v->mask) {
+ fprintf(f, "%s", v->perm);
+ return;
+ }
+ }
+
+ /* Special permissions. Print out a hex value if we have
+ leftover bits in the mask. */
+
+ got_mask = ace->access_mask;
+
+ again:
+ for (v = special_values; v->perm; v++) {
+ if ((ace->access_mask & v->mask) == v->mask) {
+ if (do_print) {
+ fprintf(f, "%s", v->perm);
+ }
+ got_mask &= ~v->mask;
+ }
+ }
+
+ if (!do_print) {
+ if (got_mask != 0) {
+ fprintf(f, "0x%08x", ace->access_mask);
+ } else {
+ do_print = 1;
+ goto again;
+ }
+ }
+}
+
+static bool parse_ace_flags(const char *str, unsigned int *pflags)
+{
+ const char *p = str;
+ *pflags = 0;
+
+ while (*p) {
+ if (strnequal(p, "OI", 2)) {
+ *pflags |= SEC_ACE_FLAG_OBJECT_INHERIT;
+ p += 2;
+ } else if (strnequal(p, "CI", 2)) {
+ *pflags |= SEC_ACE_FLAG_CONTAINER_INHERIT;
+ p += 2;
+ } else if (strnequal(p, "NP", 2)) {
+ *pflags |= SEC_ACE_FLAG_NO_PROPAGATE_INHERIT;
+ p += 2;
+ } else if (strnequal(p, "IO", 2)) {
+ *pflags |= SEC_ACE_FLAG_INHERIT_ONLY;
+ p += 2;
+ } else if (*p == 'I') {
+ *pflags |= SEC_ACE_FLAG_INHERITED_ACE;
+ p += 1;
+ } else if (*p) {
+ return false;
+ }
+
+ switch (*p) {
+ case '|':
+ p++;
+ case '\0':
+ continue;
+ default:
+ return false;
+ }
+ }
+ return true;
+}
+
+/* parse an ACE in the same format as print_ace() */
+bool parse_ace(struct cli_state *cli, struct security_ace *ace,
+ const char *orig_str)
+{
+ char *p;
+ const char *cp;
+ char *tok;
+ unsigned int atype = 0;
+ unsigned int aflags = 0;
+ unsigned int amask = 0;
+ struct dom_sid sid;
+ uint32_t mask;
+ const struct perm_value *v;
+ char *str = SMB_STRDUP(orig_str);
+ TALLOC_CTX *frame = talloc_stackframe();
+
+ if (!str) {
+ TALLOC_FREE(frame);
+ return False;
+ }
+
+ ZERO_STRUCTP(ace);
+ p = strchr_m(str,':');
+ if (!p) {
+ printf("ACE '%s': missing ':'.\n", orig_str);
+ SAFE_FREE(str);
+ TALLOC_FREE(frame);
+ return False;
+ }
+ *p = '\0';
+ p++;
+ /* Try to parse numeric form */
+
+ if (sscanf(p, "%u/%u/%u", &atype, &aflags, &amask) == 3 &&
+ StringToSid(cli, &sid, str)) {
+ goto done;
+ }
+
+ /* Try to parse text form */
+
+ if (!StringToSid(cli, &sid, str)) {
+ printf("ACE '%s': failed to convert '%s' to SID\n",
+ orig_str, str);
+ SAFE_FREE(str);
+ TALLOC_FREE(frame);
+ return False;
+ }
+
+ cp = p;
+ if (!next_token_talloc(frame, &cp, &tok, "/")) {
+ printf("ACE '%s': failed to find '/' character.\n",
+ orig_str);
+ SAFE_FREE(str);
+ TALLOC_FREE(frame);
+ return False;
+ }
+
+ if (strncmp(tok, "ALLOWED", strlen("ALLOWED")) == 0) {
+ atype = SEC_ACE_TYPE_ACCESS_ALLOWED;
+ } else if (strncmp(tok, "DENIED", strlen("DENIED")) == 0) {
+ atype = SEC_ACE_TYPE_ACCESS_DENIED;
+ } else {
--
Samba Shared Repository
More information about the samba-cvs
mailing list