[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Wed Apr 21 00:05:01 UTC 2021


The branch, master has been updated
       via  58c6c031f5d libcli: Fix parsing access flags from multiple tables
       via  b113a3bbcd0 torture: Show sddl_decode() failure for "GWFX" access mask
       via  e0303556436 libcli: Factor out sddl_map_flag()
      from  416c9bbc4f8 util: Ensure debugger is not started until it is allowed to attach

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 58c6c031f5d81b2c0aff5b282fe758cd668aeff3
Author: Volker Lendecke <vl at samba.org>
Date:   Mon Apr 19 16:00:27 2021 +0200

    libcli: Fix parsing access flags from multiple tables
    
    We have to look at all available mappings for parsing sddl for each
    special flag set. "GW" and "FX" come from two different tables, but
    the previous code settled on one table and then expected both "GW" and
    "FX" to come from that same table. Change the code to look at all
    tables per special flag set.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Wed Apr 21 00:04:36 UTC 2021 on sn-devel-184

commit b113a3bbcd03ab6a62883fbca85ee8749e038887
Author: Volker Lendecke <vl at samba.org>
Date:   Mon Apr 19 16:04:00 2021 +0200

    torture: Show sddl_decode() failure for "GWFX" access mask
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit e030355643624440a7107e14fe57bb37a86903de
Author: Volker Lendecke <vl at samba.org>
Date:   Mon Apr 19 14:46:21 2021 +0200

    libcli: Factor out sddl_map_flag()
    
    We have to look at more than one map, "FRSD" is not correctly handled
    right now for example. This factors out walking a map to make walking
    multiple maps easier.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 libcli/security/sddl.c      | 97 ++++++++++++++++++++++++++++++++++-----------
 python/samba/tests/sddl.py  |  7 ++++
 selftest/selftesthelpers.py |  2 +-
 3 files changed, 82 insertions(+), 24 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c
index 618b2a91be5..26049ec458a 100644
--- a/libcli/security/sddl.c
+++ b/libcli/security/sddl.c
@@ -29,30 +29,53 @@ struct flag_map {
 	uint32_t flag;
 };
 
+static bool sddl_map_flag(
+	const struct flag_map *map,
+	const char *str,
+	size_t *plen,
+	uint32_t *pflag)
+{
+	while (map->name != NULL) {
+		size_t len = strlen(map->name);
+		int cmp = strncmp(map->name, str, len);
+
+		if (cmp == 0) {
+			*plen = len;
+			*pflag = map->flag;
+			return true;
+		}
+		map += 1;
+	}
+	return false;
+}
+
 /*
   map a series of letter codes into a uint32_t
 */
 static bool sddl_map_flags(const struct flag_map *map, const char *str, 
-			   uint32_t *flags, size_t *len)
+			   uint32_t *pflags, size_t *plen)
 {
 	const char *str0 = str;
-	if (len) *len = 0;
-	*flags = 0;
+	if (plen != NULL) {
+		*plen = 0;
+	}
+	*pflags = 0;
 	while (str[0] && isupper(str[0])) {
-		int i;
-		for (i=0;map[i].name;i++) {
-			size_t l = strlen(map[i].name);
-			if (strncmp(map[i].name, str, l) == 0) {
-				*flags |= map[i].flag;
-				str += l;
-				if (len) *len += l;
-				break;
-			}
-		}
-		if (map[i].name == NULL) {
+		size_t len;
+		uint32_t flags;
+		bool found;
+
+		found = sddl_map_flag(map, str, &len, &flags);
+		if (!found) {
 			DEBUG(1, ("Unknown flag - %s in %s\n", str, str0));
 			return false;
 		}
+
+		*pflags |= flags;
+		if (plen != NULL) {
+			*plen += len;
+		}
+		str += len;
 	}
 	return true;
 }
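Review bot: sddl_map_flag() is added without a comment, and its contract is not obvious from the signature: it returns the first table entry whose name is a prefix of `str`, in table order rather than by longest match, and it writes `*plen` and `*pflag` only when it finds one. Callers rely on both properties, so I would put `/* Find the first entry in map whose name is a prefix of str. On a match store the name length and flag and return true; otherwise leave *plen and *pflag untouched. */` above it. Separately, `isupper(str[0])` in sddl_map_flags(), and again in the new loop in sddl_decode_access(), is handed a plain `char`. Where `char` is signed, a byte above 0x7f is negative, which is undefined for the ctype functions. If the SDDL string can carry arbitrary bytes, `isupper((unsigned char)str[0])` is the safer form.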
@@ -211,6 +234,39 @@ static const struct flag_map decode_ace_access_mask[] = {
 	{ NULL, 0 },
 };
 
+static bool sddl_decode_access(const char *str, uint32_t *pmask)
+{
+	const char *str0 = str;
+	uint32_t mask = 0;
+	int cmp;
+
+	cmp = strncmp(str, "0x", 2);
+	if (cmp == 0) {
+		*pmask = strtol(str, NULL, 16);
+		return true;
+	}
+
+	while ((str[0] != '\0') && isupper(str[0])) {
+		uint32_t flags = 0;
+		size_t len = 0;
+		bool found;
+
+		found = sddl_map_flag(
+			ace_access_mask, str, &len, &flags);
+		found |= sddl_map_flag(
+			decode_ace_access_mask, str, &len, &flags);
+		if (!found) {
+			DEBUG(1, ("Unknown flag - %s in %s\n", str, str0));
+			return false;
+		}
+		mask |= flags;
+		str += len;
+	}
+
+	*pmask = mask;
+	return true;
+}
+
 /*
   decode an ACE
   return true on success, false on failure
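Review bot: The `0x` branch of sddl_decode_access() stores `strtol(str, NULL, 16)` straight into a `uint32_t` with no end-pointer, errno or range check. Trailing garbage after the digits is accepted, a value wider than 32 bits is silently truncated where `long` is 64 bits, and where `long` is 32 bits anything from 0x80000000 up saturates to LONG_MAX, which turns one high bit into a mask with almost every right set. The branch is carried over from sddl_decode_ace(), but now that it has its own function I would parse with an unsigned conversion and reject anything that is not a complete 32-bit hex number, as below (this assumes the field is NUL-terminated, which the hunk does not show). In the letter-code loop, when both tables match the second call overwrites `len` and `flags`, so decode_ace_access_mask wins; a one-line comment saying that is intended would help.

```c
	cmp = strncmp(str, "0x", 2);
	if (cmp == 0) {
		char *end = NULL;
		unsigned long long val;

		errno = 0;
		val = strtoull(str, &end, 16);
		if ((errno != 0) || (*end != '\0') ||
		    (val > UINT32_MAX)) {
			DEBUG(1, ("Bad access mask - %s\n", str0));
			return false;
		}
		*pmask = (uint32_t)val;
		return true;
	}
	/* … unchanged: letter-code loop over both flag tables … */
```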
@@ -224,6 +280,7 @@ static bool sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char
 	int i;
 	uint32_t v;
 	struct dom_sid *sid;
+	bool ok;
 
 	ZERO_STRUCTP(ace);
 
@@ -250,15 +307,9 @@ static bool sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char
 	ace->flags = v;
 	
 	/* access mask */
-	if (strncmp(tok[2], "0x", 2) == 0) {
-		ace->access_mask = strtol(tok[2], NULL, 16);
-	} else {
-		if (!sddl_map_flags(ace_access_mask, tok[2], &v, NULL) &&
-		    !sddl_map_flags(
-			    decode_ace_access_mask, tok[2], &v, NULL)) {
-			return false;
-		}
-		ace->access_mask = v;
+	ok = sddl_decode_access(tok[2], &ace->access_mask);
+	if (!ok) {
+		return false;
 	}
 
 	/* object */
diff --git a/python/samba/tests/sddl.py b/python/samba/tests/sddl.py
index 006a49dbee3..83df59719c8 100644
--- a/python/samba/tests/sddl.py
+++ b/python/samba/tests/sddl.py
@@ -178,3 +178,10 @@ class SddlDecodeEncode(TestCase):
             sddl = sd.as_sddl(sid)
             sd2 = security.descriptor.from_sddl(sddl, sid)
             self.assertEqual(sd, sd2)
+
+    def test_multiflag(self):
+        sid = security.dom_sid("S-1-2-3-4")
+        raised = False
+        sd = security.descriptor.from_sddl("D:(A;;GWFX;;;DA)", sid)
+        sddl = sd.as_sddl(sid)
+        self.assertEqual(sd, security.descriptor.from_sddl(sddl, sid))
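Review bot: test_multiflag only checks that the descriptor survives an as_sddl()/from_sddl() round trip, so it does not prove that both the "GW" and the "FX" bits reached the access mask. A decoder that consistently dropped one of the two codes would produce the same reduced mask on both sides and still pass. Since this is the regression test for a security-descriptor parser, I would also assert the decoded access mask of the single ACE against the expected combined value. `raised = False` is never read and can be removed.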
diff --git a/selftest/selftesthelpers.py b/selftest/selftesthelpers.py
index 7b4c084b6de..23f1b9ccd68 100644
--- a/selftest/selftesthelpers.py
+++ b/selftest/selftesthelpers.py
@@ -109,7 +109,7 @@ def plantestsuite_loadlist(name, env, cmdline):
         raise AssertionError("loadlist test %s does not support not --list" % name)
     if "$LOADLIST" not in cmdline:
         raise AssertionError("loadlist test %s does not support --load-list" % name)
-    print(("%s | %s" % (cmdline.replace("$LOADLIST", ""), add_prefix(name, env, support_list))).replace("$LISTOPT", "--list"))
+    print(("%s | %s" % (cmdline.replace("$LOADLIST", ""), add_prefix(name, env, support_list))).replace("$LISTOPT", "--list "))
     print(cmdline.replace("$LISTOPT", "") + " 2>&1 " + " | " + add_prefix(name, env, False))
 
 


-- 
Samba Shared Repository


