[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Thu Nov 9 09:02:02 UTC 2023


The branch, master has been updated
       via  fb867873d87 netcmd: Disallow device‐specific attributes and operators for allowed‐to‐authenticate‐from fields
       via  c5932c4794b netcmd: Add ‘allow_device_in_sddl’ parameter to SDDLField()
       via  7f0f930a427 s4:librpc: Add ‘allow_device_in_sddl’ parameter to security.descriptor.from_sddl()
       via  935f4edd81f libcli/security: Optionally disallow device‐specific attributes and operators where they are not applicable
       via  a08a724a28e netcmd:tests: Test authentication policies containing device‐specific attributes and operators
       via  db36a930e62 libcli/security: Mark arrays ‘const’
       via  e388e9a8560 libcli/security: Fix duplicated words
       via  e822a4efb73 libcli/security: Include missing headers
       via  9c35b3747e4 libcli/security: Reassign flags
       via  5f9f9242ce7 s4:librpc: Fix leak
       via  a11e0c02a45 s4:librpc: Remove trailing whitespace
       via  d0ca1bcd983 third_party/heimdal: Import lorikeet-heimdal-202311082119 (commit 844610f06bac2b7b2a208cbabc7414bde23abac7)
       via  5ebd1b8daef tests/krb5: Test Kerberos principal names containing non–BMP Unicode characters
       via  0b059dafd91 tests/krb5: Add ‘expected_sname’ parameter to _fast_as_req()
       via  e802cce43e9 tests/krb5: Encode KerberosString objects as UTF‐8
       via  ff83d4b08f4 tests/krb5: Move ‘rfc4120_pyasn1’ to ‘rfc4120_pyasn1_generated’
       via  05ffdaeec77 librpc: add missing service control defines
       via  fd319adcc1d s4-torture: add test for svcctl_ControlServiceExW()
       via  51c21f72afd librpc: add svcctl_ServiceStopReason enums
       via  80b4893aa12 s4-torture: add test for svcctl_QueryServiceConfigEx
       via  cfedb32258b librpc: use SERVICE_CONTROL enum in ControlService calls
       via  7292e378781 librpc: add various new commands and types to SVCCTL IDL.
       via  cb348e5be11 svcctl: rename SERVICE_FAILURE_ACTIONS to SERVICE_FAILURE_ACTIONSW
       via  6d8867925f1 svcctl: unify operation names and always prefix with svcctl_
      from  963fc353e70 vfs_gpfs: Implement CAP_DAC_OVERRIDE for fstatat

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit fb867873d872f78c652099637d3ee74d09426821
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Nov 7 15:44:21 2023 +1300

    netcmd: Disallow device‐specific attributes and operators for allowed‐to‐authenticate‐from fields
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Thu Nov  9 09:01:25 UTC 2023 on atb-devel-224

commit c5932c4794b13a7975ec3c951e576a71152f4835
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Nov 7 15:43:29 2023 +1300

    netcmd: Add ‘allow_device_in_sddl’ parameter to SDDLField()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7f0f930a427be94c82922c4947554a94534d9be9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Nov 7 15:42:38 2023 +1300

    s4:librpc: Add ‘allow_device_in_sddl’ parameter to security.descriptor.from_sddl()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 935f4edd81f8115c390daa8f35c35dda64e99cfb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Nov 3 14:57:02 2023 +1300

    libcli/security: Optionally disallow device‐specific attributes and operators where they are not applicable
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a08a724a28e4796eb0c739a560b0192a8ac2e00d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Nov 7 16:50:49 2023 +1300

    netcmd:tests: Test authentication policies containing device‐specific attributes and operators
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit db36a930e62a00fb97c5b111c7d008522e32b110
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Nov 7 15:35:28 2023 +1300

    libcli/security: Mark arrays ‘const’
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e388e9a8560171b08181482025b1234aa17d4fb3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Nov 7 13:39:04 2023 +1300

    libcli/security: Fix duplicated words
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e822a4efb73c4f8576732b7eaef778db979fc26a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Nov 7 11:57:21 2023 +1300

    libcli/security: Include missing headers
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9c35b3747e487b351fa631b92197f90a353ec513
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Nov 7 11:48:58 2023 +1300

    libcli/security: Reassign flags
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5f9f9242ce709c17422d07bd58e8fccd9f6737ad
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Nov 7 12:16:12 2023 +1300

    s4:librpc: Fix leak
    
    We should not leak error messages returned by sddl_decode_err_msg().
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a11e0c02a452aac5624f50880725544b38f66caa
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Nov 7 12:15:37 2023 +1300

    s4:librpc: Remove trailing whitespace
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d0ca1bcd9833dcf96fde4af5ca9fb76888f293cb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Nov 2 16:34:52 2023 +1300

    third_party/heimdal: Import lorikeet-heimdal-202311082119 (commit 844610f06bac2b7b2a208cbabc7414bde23abac7)
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5ebd1b8daefd2235a8aa68613fe234bddb2e65b6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Oct 26 17:11:43 2023 +1300

    tests/krb5: Test Kerberos principal names containing non–BMP Unicode characters
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0b059dafd91d23a2cfb188395bd024cec937dfde
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Nov 8 12:41:16 2023 +1300

    tests/krb5: Add ‘expected_sname’ parameter to _fast_as_req()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e802cce43e9834137fcef9ccf1efd42de01f590b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Oct 26 16:43:09 2023 +1300

    tests/krb5: Encode KerberosString objects as UTF‐8
    
    Windows treats Kerberos strings as UTF‐8, but by default, pyasn1 encodes
    strings as ISO-8859-1. (There is a UTF8String type that gets encoded as
    UTF‐8, but it has a different ASN.1 encoding from GeneralString, and so
    can’t be used). asn1ate provides no way to override the encoding.
    Except…
    
    It turns out we can force UTF‐8 encoding by cunningly overriding
    KerberosString.__getattribute__().
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ff83d4b08f455897118b65884a97ca0d3a12fa92
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Oct 26 13:08:09 2023 +1300

    tests/krb5: Move ‘rfc4120_pyasn1’ to ‘rfc4120_pyasn1_generated’
    
    ‘rfc4120_pyasn1_generated’ is not to be used directly. Its contents are
    now reexported from ‘rfc4120_pyasn1’, which becomes a simple wrapper.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 05ffdaeec77443cf878884651240656c4b9d8420
Author: Günther Deschner <gd at samba.org>
Date:   Tue Apr 21 09:40:12 2020 +0200

    librpc: add missing service control defines
    
    Guenther
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit fd319adcc1d33a11aaf71cfaefece944f773b812
Author: Günther Deschner <gd at samba.org>
Date:   Mon Apr 20 18:16:32 2020 +0200

    s4-torture: add test for svcctl_ControlServiceExW()
    
    Guenther
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 51c21f72afdca42a1c93185eff36fb3ff1d1bd0e
Author: Günther Deschner <gd at samba.org>
Date:   Mon Apr 20 18:51:14 2020 +0200

    librpc: add svcctl_ServiceStopReason enums
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 80b4893aa12458f294ccadae9ec26792842f69f0
Author: Günther Deschner <gd at samba.org>
Date:   Mon Apr 20 15:09:01 2020 +0200

    s4-torture: add test for svcctl_QueryServiceConfigEx
    
    Guenther
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit cfedb32258bcc71248821b9af5ca18b363ebfb02
Author: Günther Deschner <gd at samba.org>
Date:   Mon Apr 20 18:51:37 2020 +0200

    librpc: use SERVICE_CONTROL enum in ControlService calls
    
    Guenther
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7292e37878179fb0b654c18ed7bd2e77adf14323
Author: Günther Deschner <gd at samba.org>
Date:   Wed Mar 4 15:23:50 2020 +0100

    librpc: add various new commands and types to SVCCTL IDL.
    
    Guenther
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit cb348e5be1158bfd45a5b0ec5b652fcf13062101
Author: Günther Deschner <gd at samba.org>
Date:   Thu Mar 12 13:37:28 2020 +0100

    svcctl: rename SERVICE_FAILURE_ACTIONS to SERVICE_FAILURE_ACTIONSW
    
    (there will be a SERVICE_FAILURE_ACTIONSA variant also)
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6d8867925f1f76935675266e39714b22794cd59e
Author: Günther Deschner <gd at samba.org>
Date:   Wed Mar 4 13:47:13 2020 +0100

    svcctl: unify operation names and always prefix with svcctl_
    
    Guenther
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/fuzzing/fuzz_conditional_ace_blob.c            |    1 +
 lib/fuzzing/fuzz_sddl_conditional_ace.c            |    2 +
 libcli/security/conditional_ace.h                  |    6 +
 libcli/security/sddl.c                             |   35 +-
 libcli/security/sddl.h                             |    5 +
 libcli/security/sddl_conditional_ace.c             |   70 +-
 libcli/security/tests/test_sddl_conditional_ace.c  |   21 +-
 librpc/idl/conditional_ace.idl                     |    4 +
 librpc/idl/svcctl.idl                              |  375 ++-
 python/samba/netcmd/domain/models/auth_policy.py   |    4 +-
 python/samba/netcmd/domain/models/fields.py        |   22 +-
 python/samba/tests/krb5/as_req_tests.py            |    6 +
 python/samba/tests/krb5/kdc_tgs_tests.py           |   74 +-
 python/samba/tests/krb5/rfc4120_pyasn1.py          | 2800 +-------------------
 ...c4120_pyasn1.py => rfc4120_pyasn1_generated.py} |    0
 .../samba/tests/samba_tool/domain_auth_policy.py   |  103 +-
 python/samba/tests/source.py                       |    4 +-
 selftest/knownfail                                 |    4 +
 selftest/knownfail_mit_kdc                         |    7 +
 source3/rpc_server/svcctl/srv_svcctl_nt.c          |  219 +-
 source4/librpc/ndr/py_security.c                   |   58 +-
 source4/torture/rpc/svcctl.c                       |   92 +
 third_party/heimdal/admin/add.c                    |    2 +-
 third_party/heimdal/lib/hx509/ca.c                 |    3 +-
 third_party/heimdal/lib/hx509/hxtool-commands.in   |   16 +
 third_party/heimdal/lib/hx509/hxtool.c             |   19 +
 third_party/heimdal/lib/hx509/libhx509-exports.def |    5 +
 third_party/heimdal/lib/hx509/req.c                |  175 +-
 third_party/heimdal/lib/hx509/test_req.in          |   48 +
 third_party/heimdal/lib/hx509/version-script.map   |    5 +
 third_party/heimdal/lib/wind/test-utf8.c           |   22 +-
 third_party/heimdal/lib/wind/utf8.c                |  108 +-
 third_party/heimdal/tests/kdc/check-bx509.in       |   52 +-
 33 files changed, 1547 insertions(+), 2820 deletions(-)
 copy python/samba/tests/krb5/{rfc4120_pyasn1.py => rfc4120_pyasn1_generated.py} (100%)


Changeset truncated at 500 lines:

diff --git a/lib/fuzzing/fuzz_conditional_ace_blob.c b/lib/fuzzing/fuzz_conditional_ace_blob.c
index aed1cd37c73..70bb5723c51 100644
--- a/lib/fuzzing/fuzz_conditional_ace_blob.c
+++ b/lib/fuzzing/fuzz_conditional_ace_blob.c
@@ -95,6 +95,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *input, size_t len)
 	}
 
 	s2 = ace_conditions_compile_sddl(mem_ctx,
+					 ACE_CONDITION_FLAG_ALLOW_DEVICE,
 					 sddl,
 					 &message,
 					 &message_offset,
diff --git a/lib/fuzzing/fuzz_sddl_conditional_ace.c b/lib/fuzzing/fuzz_sddl_conditional_ace.c
index e21c2ec9b12..636ebf1da9e 100644
--- a/lib/fuzzing/fuzz_sddl_conditional_ace.c
+++ b/lib/fuzzing/fuzz_sddl_conditional_ace.c
@@ -57,6 +57,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *input, size_t len)
 	mem_ctx = talloc_new(NULL);
 
 	s1 = ace_conditions_compile_sddl(mem_ctx,
+					 ACE_CONDITION_FLAG_ALLOW_DEVICE,
 					 sddl_string,
 					 &message,
 					 &message_offset,
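Review bot: s1 always compiles with ACE_CONDITION_FLAG_ALLOW_DEVICE, so this fuzzer never drives the new path that rejects device operators and @DEVICE. attributes. Since sddl_string is free-form input here, consider deriving the flag from the input (for instance the low bit of the first byte, consumed before the string is built) so both compiler modes get coverage; the recompile of resddl in the next hunk can keep whatever flag s1 used, because a string re-encoded from a restricted parse cannot contain device tokens.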
@@ -98,6 +99,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *input, size_t len)
 	}
 
 	s2 = ace_conditions_compile_sddl(mem_ctx,
+					 ACE_CONDITION_FLAG_ALLOW_DEVICE,
 					 resddl,
 					 &message,
 					 &message_offset,
diff --git a/libcli/security/conditional_ace.h b/libcli/security/conditional_ace.h
index ea6c3592f53..e5920567934 100644
--- a/libcli/security/conditional_ace.h
+++ b/libcli/security/conditional_ace.h
@@ -21,6 +21,11 @@
 #ifndef _CONDITIONAL_ACE_H_
 #define _CONDITIONAL_ACE_H_
 
+#include <talloc.h>
+#include "lib/util/data_blob.h"
+
+#include "librpc/gen_ndr/conditional_ace.h"
+
 
 struct ace_condition_script *parse_conditional_ace(TALLOC_CTX *mem_ctx,
 						   DATA_BLOB data);
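Review bot: the added includes leave two consecutive blank lines (the new `+` blank line followed by the existing one); drop one. Pulling in <talloc.h>, lib/util/data_blob.h and librpc/gen_ndr/conditional_ace.h is otherwise the right fix, since this header uses TALLOC_CTX, DATA_BLOB and, after this series, `enum ace_condition_flags`, and previously depended on include order in its callers.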
@@ -41,6 +46,7 @@ bool conditional_ace_encode_binary(TALLOC_CTX *mem_ctx,
 				   DATA_BLOB *dest);
 
 struct ace_condition_script * ace_conditions_compile_sddl(TALLOC_CTX *mem_ctx,
+							  const enum ace_condition_flags ace_condition_flags,
 							  const char *sddl,
 							  const char **message,
 							  size_t *message_offset,
diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c
index 15943e6aa24..97e579cfe32 100644
--- a/libcli/security/sddl.c
+++ b/libcli/security/sddl.c
@@ -295,7 +295,7 @@ struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
 {
 	struct sddl_transition_state state = {
 		/*
-		 * TODO: verify .machine_rid values really belong to
+		 * TODO: verify .machine_rid values really belong
 		 * to the machine_sid on a member, once
 		 * we pass machine_sid from the caller...
 		 */
@@ -487,6 +487,7 @@ static bool sddl_decode_guid(const char *str, struct GUID *guid)
 
 
 static DATA_BLOB sddl_decode_conditions(TALLOC_CTX *mem_ctx,
+					const enum ace_condition_flags ace_condition_flags,
 					const char *conditions,
 					size_t *length,
 					const char **msg,
@@ -495,6 +496,7 @@ static DATA_BLOB sddl_decode_conditions(TALLOC_CTX *mem_ctx,
 	DATA_BLOB blob = {0};
 	struct ace_condition_script *script = NULL;
 	script = ace_conditions_compile_sddl(mem_ctx,
+					     ace_condition_flags,
 					     conditions,
 					     msg,
 					     msg_offset,
@@ -518,6 +520,7 @@ static DATA_BLOB sddl_decode_conditions(TALLOC_CTX *mem_ctx,
 */
 static bool sddl_decode_ace(TALLOC_CTX *mem_ctx,
 			    struct security_ace *ace,
+			    const enum ace_condition_flags ace_condition_flags,
 			    char **sddl_copy,
 			    struct sddl_transition_state *state,
 			    const char **msg, size_t *msg_offset)
@@ -671,7 +674,12 @@ static bool sddl_decode_ace(TALLOC_CTX *mem_ctx,
 		DATA_BLOB conditions = {0};
 		s = tok[6];
 
-		conditions = sddl_decode_conditions(mem_ctx, s, &length, msg, msg_offset);
+		conditions = sddl_decode_conditions(mem_ctx,
+						    ace_condition_flags,
+						    s,
+						    &length,
+						    msg,
+						    msg_offset);
 		if (conditions.data == NULL) {
 			DBG_WARNING("Conditional ACE compilation failure at %zu: %s\n",
 				    *msg_offset, *msg);
@@ -733,6 +741,7 @@ static const struct flag_map acl_flags[] = {
   decode an ACL
 */
 static struct security_acl *sddl_decode_acl(struct security_descriptor *sd,
+					    const enum ace_condition_flags ace_condition_flags,
 					    const char **sddlp, uint32_t *flags,
 					    struct sddl_transition_state *state,
 					    const char **msg, size_t *msg_offset)
@@ -795,6 +804,7 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd,
 			return NULL;
 		}
 		ok = sddl_decode_ace(acl->aces, &acl->aces[acl->num_aces],
+				     ace_condition_flags,
 				     &sddl_copy, state, msg, msg_offset);
 		if (!ok) {
 			*msg_offset += sddl_copy - aces_start;
@@ -818,11 +828,12 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd,
  */
 struct security_descriptor *sddl_decode_err_msg(TALLOC_CTX *mem_ctx, const char *sddl,
 						const struct dom_sid *domain_sid,
+						const enum ace_condition_flags ace_condition_flags,
 						const char **msg, size_t *msg_offset)
 {
 	struct sddl_transition_state state = {
 		/*
-		 * TODO: verify .machine_rid values really belong to
+		 * TODO: verify .machine_rid values really belong
 		 * to the machine_sid on a member, once
 		 * we pass machine_sid from the caller...
 		 */
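Review bot: sddl_decode_err_msg() is declared in the public sddl.h, so inserting ace_condition_flags between domain_sid and msg changes the signature for every caller; in-tree ones (py_security.c appears in the summary) are caught by the compiler, but the commit message for this change should state that the exported signature changed. Placing the flags after domain_sid here while ace_conditions_compile_sddl() takes them before sddl is a small inconsistency worth settling on one order.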
@@ -857,13 +868,13 @@ struct security_descriptor *sddl_decode_err_msg(TALLOC_CTX *mem_ctx, const char
 		switch (c) {
 		case 'D':
 			if (sd->dacl != NULL) goto failed;
-			sd->dacl = sddl_decode_acl(sd, &sddl, &flags, &state, msg, msg_offset);
+			sd->dacl = sddl_decode_acl(sd, ace_condition_flags, &sddl, &flags, &state, msg, msg_offset);
 			if (sd->dacl == NULL) goto failed;
 			sd->type |= flags | SEC_DESC_DACL_PRESENT;
 			break;
 		case 'S':
 			if (sd->sacl != NULL) goto failed;
-			sd->sacl = sddl_decode_acl(sd, &sddl, &flags, &state, msg, msg_offset);
+			sd->sacl = sddl_decode_acl(sd, ace_condition_flags, &sddl, &flags, &state, msg, msg_offset);
 			if (sd->sacl == NULL) goto failed;
 			/* this relies on the SEC_DESC_SACL_* flags being
 			   1 bit shifted from the SEC_DESC_DACL_* flags */
@@ -909,8 +920,12 @@ struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl,
 {
 	const char *msg = NULL;
 	size_t msg_offset = 0;
-	struct security_descriptor *sd = sddl_decode_err_msg(mem_ctx, sddl, domain_sid,
-							     &msg, &msg_offset);
+	struct security_descriptor *sd = sddl_decode_err_msg(mem_ctx,
+							     sddl,
+							     domain_sid,
+							     ACE_CONDITION_FLAG_ALLOW_DEVICE,
+							     &msg,
+							     &msg_offset);
 	DBG_NOTICE("could not decode '%s'\n", sddl);
 	if (msg != NULL) {
 		DBG_NOTICE("                  %*c\n", (int)msg_offset, '^');
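Review bot: sddl_decode() hard-codes ACE_CONDITION_FLAG_ALLOW_DEVICE, so every existing caller keeps the permissive behaviour and the new rejection is strictly opt-in through sddl_decode_err_msg(); a one-line comment at this call saying so would help. Separately, in the visible context `DBG_NOTICE("could not decode '%s'\n", sddl);` directly follows the call with no `if (sd == NULL)` guard between them; if there is none immediately above this hunk, a successful decode logs a misleading failure at NOTICE level. Please confirm.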
@@ -1012,7 +1027,7 @@ char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
 {
 	struct sddl_transition_state state = {
 		/*
-		 * TODO: verify .machine_rid values really belong to
+		 * TODO: verify .machine_rid values really belong
 		 * to the machine_sid on a member, once
 		 * we pass machine_sid from the caller...
 		 */
@@ -1136,7 +1151,7 @@ char *sddl_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace,
 {
 	struct sddl_transition_state state = {
 		/*
-		 * TODO: verify .machine_rid values really belong to
+		 * TODO: verify .machine_rid values really belong
 		 * to the machine_sid on a member, once
 		 * we pass machine_sid from the caller...
 		 */
@@ -1185,7 +1200,7 @@ char *sddl_encode(TALLOC_CTX *mem_ctx, const struct security_descriptor *sd,
 {
 	struct sddl_transition_state state = {
 		/*
-		 * TODO: verify .machine_rid values really belong to
+		 * TODO: verify .machine_rid values really belong
 		 * to the machine_sid on a member, once
 		 * we pass machine_sid from the caller...
 		 */
diff --git a/libcli/security/sddl.h b/libcli/security/sddl.h
index c4dc72d834d..03c8a27924d 100644
--- a/libcli/security/sddl.h
+++ b/libcli/security/sddl.h
@@ -21,12 +21,17 @@
 #ifndef __SDDL_H__
 #define __SDDL_H__
 
+#include <talloc.h>
+#include "lib/util/data_blob.h"
+
+#include "librpc/gen_ndr/conditional_ace.h"
 #include "librpc/gen_ndr/security.h"
 
 struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl,
 					const struct dom_sid *domain_sid);
 struct security_descriptor *sddl_decode_err_msg(TALLOC_CTX *mem_ctx, const char *sddl,
 						const struct dom_sid *domain_sid,
+						const enum ace_condition_flags ace_condition_flags,
 						const char **msg, size_t *msg_offset);
 char *sddl_encode(TALLOC_CTX *mem_ctx, const struct security_descriptor *sd,
 		  const struct dom_sid *domain_sid);
diff --git a/libcli/security/sddl_conditional_ace.c b/libcli/security/sddl_conditional_ace.c
index 3d9db329aea..b5787f4a3ca 100644
--- a/libcli/security/sddl_conditional_ace.c
+++ b/libcli/security/sddl_conditional_ace.c
@@ -37,8 +37,10 @@
 #define SDDL_FLAG_EXPECTING_NON_LOCAL_ATTR   16
 #define SDDL_FLAG_EXPECTING_LITERAL          32
 #define SDDL_FLAG_EXPECTING_PAREN            64
-#define SDDL_FLAG_EXPECTING_PAREN_LITERAL   256
-#define SDDL_FLAG_NOT_EXPECTING_END_PAREN   512
+#define SDDL_FLAG_EXPECTING_PAREN_LITERAL   128
+#define SDDL_FLAG_NOT_EXPECTING_END_PAREN   256
+
+#define SDDL_FLAG_DEVICE                    512
 
 #define SDDL_FLAG_IS_UNARY_OP               (1 << 20)
 #define SDDL_FLAG_IS_BINARY_OP              (1 << 21)
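Review bot: SDDL_FLAG_EXPECTING_PAREN_LITERAL and SDDL_FLAG_NOT_EXPECTING_END_PAREN change value (256 to 128, 512 to 256) to fill the previously unused 128 bit and free 512 for SDDL_FLAG_DEVICE. That is safe only because these flags stay inside this file (`comp->state` and the `sddl_strings[].flags` table); a short comment saying they are internal and may be renumbered would stop anyone from relying on the numeric values.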
@@ -114,6 +116,7 @@ struct ace_condition_sddl_compiler_context {
 	struct dom_sid *domain_sid;
 	uint32_t state;
 	uint8_t last_token_type;
+	bool allow_device;
 };
 
 struct sddl_data {
@@ -123,7 +126,7 @@ struct sddl_data {
 	uint8_t nargs;
 };
 
-static struct sddl_data sddl_strings[256] = {
+static const struct sddl_data sddl_strings[256] = {
 	/* operators */
 	[CONDITIONAL_ACE_TOKEN_MEMBER_OF] = {
 		"Member_of",
@@ -133,7 +136,7 @@ static struct sddl_data sddl_strings[256] = {
 	},
 	[CONDITIONAL_ACE_TOKEN_DEVICE_MEMBER_OF] = {
 		"Device_Member_of",
-		SDDL_FLAGS_MEMBER_OP,
+		SDDL_FLAGS_MEMBER_OP|SDDL_FLAG_DEVICE,
 		SDDL_PRECEDENCE_COMMON,
 		1
 	},
@@ -146,7 +149,7 @@ static struct sddl_data sddl_strings[256] = {
 	},
 	[CONDITIONAL_ACE_TOKEN_DEVICE_MEMBER_OF_ANY] = {
 		"Device_Member_of_Any",
-		SDDL_FLAGS_MEMBER_OP,
+		SDDL_FLAGS_MEMBER_OP|SDDL_FLAG_DEVICE,
 		SDDL_PRECEDENCE_COMMON,
 		1
 	},
@@ -158,7 +161,7 @@ static struct sddl_data sddl_strings[256] = {
 	},
 	[CONDITIONAL_ACE_TOKEN_NOT_DEVICE_MEMBER_OF] = {
 		"Not_Device_Member_of",
-		SDDL_FLAGS_MEMBER_OP,
+		SDDL_FLAGS_MEMBER_OP|SDDL_FLAG_DEVICE,
 		SDDL_PRECEDENCE_COMMON,
 		1
 	},
@@ -170,7 +173,7 @@ static struct sddl_data sddl_strings[256] = {
 	},
 	[CONDITIONAL_ACE_TOKEN_NOT_DEVICE_MEMBER_OF_ANY] = {
 		"Not_Device_Member_of_Any",
-		SDDL_FLAGS_MEMBER_OP,
+		SDDL_FLAGS_MEMBER_OP|SDDL_FLAG_DEVICE,
 		SDDL_PRECEDENCE_COMMON,
 		1
 	},
@@ -356,7 +359,7 @@ static struct sddl_data sddl_strings[256] = {
 	},
 	[CONDITIONAL_ACE_DEVICE_ATTRIBUTE] = {
 		"device attribute",
-		SDDL_FLAGS_ATTRIBUTE,
+		SDDL_FLAGS_ATTRIBUTE|SDDL_FLAG_DEVICE,
 		SDDL_NOT_AN_OP,
 		0
 	},
@@ -390,7 +393,7 @@ struct sddl_attr_type{
  * styles them in title case ("@User."), but Windows itself seems to
  * prefer all-caps, so that is how we render them.
  */
-static struct sddl_attr_type sddl_attr_types[] = {
+static const struct sddl_attr_type sddl_attr_types[] = {
 	{"USER.", CONDITIONAL_ACE_USER_ATTRIBUTE},
 	{"RESOURCE.", CONDITIONAL_ACE_RESOURCE_ATTRIBUTE},
 	{"DEVICE.", CONDITIONAL_ACE_DEVICE_ATTRIBUTE},
@@ -2187,7 +2190,7 @@ static bool parse_word(struct ace_condition_sddl_compiler_context *comp)
 		 */
 		int uc = toupper(c);
 		for (i = 0; i < 256; i++) {
-			struct sddl_data *d = &sddl_strings[i];
+			const struct sddl_data *d = &sddl_strings[i];
 			if (sddl_strings[i].op_precedence != SDDL_NOT_AN_OP &&
 			    uc == toupper((unsigned char)d->name[0])) {
 				if (d->flags & SDDL_FLAG_IS_UNARY_OP) {
@@ -2256,6 +2259,20 @@ static bool parse_word(struct ace_condition_sddl_compiler_context *comp)
 			size_t o = candidates[j];
 			if (sddl_strings[o].name[i] == '\0') {
 				/* it is this one */
+
+				if (!comp->allow_device &&
+				    (sddl_strings[o].flags & SDDL_FLAG_DEVICE))
+				{
+					comp_error(
+						comp,
+						"a device‐relative expression "
+						"will never evaluate to true "
+						"in this context (did you "
+						"intend a user‐relative "
+						"expression?)");
+					return false;
+				}
+
 				token.type = o;
 				token.data.sddl_op.start = comp->offset;
 				comp->offset += i;
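Review bot: the message "a device‐relative expression will never evaluate to true in this context" is not accurate for Not_Device_Member_of and Not_Device_Member_of_Any, which are also tagged SDDL_FLAG_DEVICE above; with no device identity to evaluate against, the negated forms do not yield a clean false either. Suggest wording aligned with the attribute check in parse_attr2() below, e.g. "a device‐relative operator is not applicable in this context (did you intend a user‐relative operator?)". The check itself is well placed: it runs before `comp->offset += i`, so the reported offset points at the start of the operator.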
@@ -2327,7 +2344,19 @@ static bool parse_attr2(struct ace_condition_sddl_compiler_context *comp)
 				  (const char *) (comp->sddl + comp->offset),
 				  attr_len);
 		if (ret == 0) {
-			token.type = sddl_attr_types[i].code;
+			const uint8_t code = sddl_attr_types[i].code;
+
+			if (!comp->allow_device &&
+			    (sddl_strings[code].flags & SDDL_FLAG_DEVICE))
+			{
+				comp_error(comp,
+					   "a device attribute is not "
+					   "applicable in this context (did "
+					   "you intend a user attribute?)");
+				return false;
+			}
+
+			token.type = code;
 			comp->offset += attr_len;
 			break;
 		}
@@ -2676,6 +2705,7 @@ static bool parse_expression(struct ace_condition_sddl_compiler_context *comp)
 static bool init_compiler_context(
 	TALLOC_CTX *mem_ctx,
 	struct ace_condition_sddl_compiler_context *comp,
+	const enum ace_condition_flags ace_condition_flags,
 	const char *sddl,
 	size_t max_length,
 	size_t max_stack)
@@ -2713,6 +2743,7 @@ static bool init_compiler_context(
 	comp->target_len = &program->length;
 	comp->length = strlen(sddl);
 	comp->state =  SDDL_FLAG_EXPECTING_PAREN;
+	comp->allow_device = ace_condition_flags & ACE_CONDITION_FLAG_ALLOW_DEVICE;
 	return true;
 }
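Review bot: `comp->allow_device = ace_condition_flags & ACE_CONDITION_FLAG_ALLOW_DEVICE;` relies on the implicit conversion of the masked enum to bool; that is well defined for a C99 `bool`, but `(ace_condition_flags & ACE_CONDITION_FLAG_ALLOW_DEVICE) != 0` states the intent and survives the field ever becoming a narrower integer type. The line is also over 80 columns; wrapping it would match the rest of the function.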
 
@@ -2721,6 +2752,7 @@ static bool init_compiler_context(
  *
  * @param mem_ctx
  * @param sddl - the string to be parsed
+ * @param ace_condition_flags - flags controlling compiler behaviour
  * @param message - on error, a pointer to a compiler message
  * @param message_offset - where the error occurred
  * @param consumed_length - how much of the SDDL was used
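Review bot: the new `@param ace_condition_flags` line is listed after `@param sddl`, but in the prototype below the flags parameter comes before sddl; move the doc line up so the parameter order matches the signature.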
@@ -2728,6 +2760,7 @@ static bool init_compiler_context(
  */
 struct ace_condition_script * ace_conditions_compile_sddl(
 	TALLOC_CTX *mem_ctx,
+	const enum ace_condition_flags ace_condition_flags,
 	const char *sddl,
 	const char **message,
 	size_t *message_offset,
@@ -2741,6 +2774,7 @@ struct ace_condition_script * ace_conditions_compile_sddl(
 
 	ok = init_compiler_context(mem_ctx,
 				   &comp,
+				   ace_condition_flags,
 				   sddl,
 				   CONDITIONAL_ACE_MAX_LENGTH,
 				   CONDITIONAL_ACE_MAX_TOKENS);
@@ -3026,7 +3060,12 @@ struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *sddl_decode_resource_attr (
 	size_t len;
 	struct ace_condition_unicode attr_name = {};
 
-	ok = init_compiler_context(mem_ctx, &comp, str, 3, 3);
+	ok = init_compiler_context(mem_ctx,
+				   &comp,
+				   ACE_CONDITION_FLAG_ALLOW_DEVICE,
+				   str,
+				   3,
+				   3);
 	if (!ok) {
 		return NULL;
 	}
@@ -3302,7 +3341,12 @@ struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *parse_sddl_literal_as_claim(
 	struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *claim = NULL;
 	struct ace_condition_sddl_compiler_context comp = {};
 
-	ok = init_compiler_context(mem_ctx, &comp, str, 2, 2);
+	ok = init_compiler_context(mem_ctx,
+				   &comp,
+				   ACE_CONDITION_FLAG_ALLOW_DEVICE,
+				   str,
+				   2,
+				   2);
 	if (!ok) {
 		return NULL;
 	}
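Review bot: both sddl_decode_resource_attr() and parse_sddl_literal_as_claim() now pass ACE_CONDITION_FLAG_ALLOW_DEVICE unconditionally. That preserves existing behaviour, and device operators cannot appear in a resource-attribute or literal-claim parse anyway, but a short comment at each call site explaining why the permissive flag is correct here would save the next reader from wondering whether a flags parameter should be threaded through.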
diff --git a/libcli/security/tests/test_sddl_conditional_ace.c b/libcli/security/tests/test_sddl_conditional_ace.c
index 0fddf198105..3c976108ea2 100644
--- a/libcli/security/tests/test_sddl_conditional_ace.c
+++ b/libcli/security/tests/test_sddl_conditional_ace.c
@@ -94,8 +94,12 @@ static void test_sddl_compile(void **state)
 	DATA_BLOB compiled;
 	size_t length;
 
-	s = ace_conditions_compile_sddl(mem_ctx, sddl, &message,
-					&message_offset, &length);
+	s = ace_conditions_compile_sddl(mem_ctx,
+					ACE_CONDITION_FLAG_ALLOW_DEVICE,
+					sddl,
+					&message,
+					&message_offset,
+					&length);
 	if (message != NULL) {
 		print_error_message(sddl, message, message_offset);
 	}
@@ -130,8 +134,12 @@ static void test_sddl_compile2(void **state)
 	DATA_BLOB compiled;
 	size_t length;
 
-	s = ace_conditions_compile_sddl(mem_ctx, sddl, &message,
-					&message_offset, &length);
+	s = ace_conditions_compile_sddl(mem_ctx,
+					ACE_CONDITION_FLAG_ALLOW_DEVICE,
+					sddl,
+					&message,
+					&message_offset,
+					&length);
 	if (message != NULL) {
 		print_error_message(sddl, message, message_offset);
 	}
@@ -624,6 +632,7 @@ static void test_round_trips(void **state)
 		DATA_BLOB e1, e2, e3;
 		fputs("=======================\n", stderr);
 		s1 = ace_conditions_compile_sddl(mem_ctx,
+						 ACE_CONDITION_FLAG_ALLOW_DEVICE,
 						 sddl[i],
 						 &message,
 						 &message_offset,
@@ -679,6 +688,7 @@ static void test_round_trips(void **state)
 		}
 		print_message("SDDL: %s\n", resddl1);
 		s3 = ace_conditions_compile_sddl(mem_ctx,
+						 ACE_CONDITION_FLAG_ALLOW_DEVICE,
 						 resddl1,
 						 &message,
 						 &message_offset,
@@ -728,6 +738,7 @@ static void test_a_number_of_valid_strings(void **state)
 		size_t message_offset;
 
 		s = ace_conditions_compile_sddl(mem_ctx,
+						ACE_CONDITION_FLAG_ALLOW_DEVICE,
 						sddl[i],
 						&message,
 						&message_offset,
@@ -803,6 +814,7 @@ static void test_a_number_of_invalid_strings(void **state)
 		const char *message = NULL;
 		size_t message_offset;
 		s = ace_conditions_compile_sddl(mem_ctx,
+						ACE_CONDITION_FLAG_ALLOW_DEVICE,
 						sddl[i],
 						&message,
 						&message_offset,
@@ -847,6 +859,7 @@ static void test_valid_strings_with_trailing_crap(void **state)
 		const char *message = NULL;
 		size_t message_offset;
 		s = ace_conditions_compile_sddl(mem_ctx,
+						ACE_CONDITION_FLAG_ALLOW_DEVICE,
 						pairs[i].sddl,
 						&message,
 						&message_offset,
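Review bot: every call in test_sddl_conditional_ace.c now passes ACE_CONDITION_FLAG_ALLOW_DEVICE, so this C unit test has no case for the new rejection path; the only coverage is the Python samba-tool test listed in the summary. Add a cmocka case that compiles strings such as `(Device_Member_of {SID(BA)})` and `(@DEVICE.attr == 1)` with flags 0, asserts a NULL script and a non-NULL message, checks `message_offset` points at the operator or attribute, and confirms the same strings still compile with ACE_CONDITION_FLAG_ALLOW_DEVICE.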
diff --git a/librpc/idl/conditional_ace.idl b/librpc/idl/conditional_ace.idl
index 28c1b91545d..e36fe9b43a1 100644


-- 
Samba Shared Repository


