[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Thu Sep 7 05:51:01 UTC 2023


The branch, master has been updated
       via  f893cf85cc3 security.idl: extend security token for claims
       via  7f57b5ed5b6 librpc:security.idl: add Resource Attribute claim types
       via  0d6c7bea422 librpc:security.idl: add enums for resource attribute aces
       via  895893478eb libcli:sec:display: use macro for more ace types
       via  601d60e3915 libcli:sec:display: print callback ace types
       via  416f6ef7262 librpc:security.idl: add more ACE enum types, with annotations
       via  a84e89aa712 libcli/security: create_descriptor handles unknown ACE types
       via  676a7152d14 librpc/idl: add conditional ACE structures and constants
       via  2bf404eb5a9 libcli/security: make sddl_encode_sid an external function
       via  6d012757a07 libcli/security: make sddl_decode_sid an external function
       via  1de2af9f30a pytests:security: don't use invalid domain SID S-2-0-0
       via  a420aa919cc s4:samdb: Avoid memory leaks in partition_metadata_get_uint64()
      from  3fc35827569 smb2_server: move struct msghdr to smbd_smb2_send_queue

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f893cf85cc387b66c496661e11073b1215270022
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Aug 23 12:04:29 2023 +1200

    security.idl: extend security token for claims
    
    A security token contains the context needed to make access decisions
    for a particular client, which has until now been a number of SIDs and
    flags. Claims are arbitrary attributes that can be tacked onto the
    security token. Typically they will arrive via a Kerberos PAC, but we
    don't need to worry about that now -- only that they are stored on the
    token.
    
    The security token in [MS-DTYP] 2.5.2 is described in abstract terms
    (it is not transmitted on the wire) as behaving *as if* it held claims
    in three arrays of CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 structures. We
    take that suggestion literally. This is *almost* the same as storing
    the [MS-ADTS] 2.2.18 claims wire structures that the claims are
    presumably derived from, and doing that might seem like a small
    optimisation. But we don't do that because of subtle differences and
    we already need CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 in security.idl
    for resource attribute ACEs.
    
    The three stored claim types are user claims, device claims, and local
    claims. Local claims relate to local Windows accounts and are unlikely
    to occur in Samba. Nevertheless we have the array there just in case.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Thu Sep  7 05:50:24 UTC 2023 on atb-devel-224

commit 7f57b5ed5b6300ed631033cff4f49a4e0cae5573
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Aug 23 12:03:53 2023 +1200

    librpc:security.idl: add Resource Attribute claim types
    
    This will be used in Resource Attribute ACEs, and in security tokens
    when security tokens become claim-aware.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0d6c7bea4227b88328c407f630bc638909c3f036
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Thu Jul 13 21:31:50 2023 +1200

    librpc:security.idl: add enums for resource attribute aces
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 895893478ebd71708477b49ca1102515fc512d8f
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Sep 6 09:36:45 2023 +1200

    libcli:sec:display: use macro for more ace types
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 601d60e391598f9115abce947e06820a1e72cb34
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Dec 14 10:56:42 2022 +1300

    libcli:sec:display: print callback ace types
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 416f6ef72626bfc5619f2a17b8eb551e5e30602e
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Dec 2 12:44:54 2022 +1300

    librpc:security.idl: add more ACE enum types, with annotations
    
    The callback types are used for conditional ACEs. The others are just
    there and we might as well know them.
    
    Several ACE types are "reserved for future use" by Microsoft.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a84e89aa712bfb0ed2b0ba64d98dc919193d8055
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Jul 21 14:36:20 2023 +1200

    libcli/security: create_descriptor handles unknown ACE types
    
    Because we're going to add more ACE types.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 676a7152d141ca576fe2f0a75bc9c3e3ad197481
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Thu Feb 9 10:44:46 2023 +1300

    librpc/idl: add conditional ACE structures and constants
    
    This will be used to decode the expressions on conditional ACEs.
    At the moment it changes nothing.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2bf404eb5a999a174c1821402eb553da8576489d
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Jul 21 16:40:38 2023 +1200

    libcli/security: make sddl_encode_sid an external function
    
    Mirroring the last commit for sddl_decode_sid, we want to be able to
    encode SIDs from sibling source files.
    
    The dom_sid functions are insufficient for this because they don't know
    the SDDL short aliases, like "WD".
    
    sddl_transition_encode_sid() is used internally.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6d012757a076063bcd123966f697fc8b0d1b2736
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Dec 2 12:43:21 2022 +1300

    libcli/security: make sddl_decode_sid an external function
    
    We are going to need it for parsing SDDL for conditional ACEs and
    resource ACEs, which will go in a separate file because it's huge.
    
    This means changing the interface for `sddl_decode_sid` to that from
    before 7d466a913f2c0038b30424403a7355db849fee7a, which introduced
    sddl_transition_state to ease the shift to disambiguated machine/
    domain/forest SIDs. Internal callers use `sddl_transition_decode_sid()`,
    which is the old function; external callers use the same shim pattern as
    the other externally available functions.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1de2af9f30a830883b9bd63a7322c9653fb0c8c6
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Jun 2 13:07:48 2023 +1200

    pytests:security: don't use invalid domain SID S-2-0-0
    
    The '2' is a version number, but there is not yet a version 2, so we
    can't even say what the rest of the string should look like.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a420aa919cc41cd9a3be5e5a074116e3313469cb
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Sep 6 09:14:49 2023 +0200

    s4:samdb: Avoid memory leaks in partition_metadata_get_uint64()
    
    ==395==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 96 byte(s) in 1 object(s) allocated from:
        #0 0x7f4c5dedc03f in malloc (/lib64/libasan.so.8+0xdc03f) (BuildId: b10bafa0ba3304197db35cc24e0024cb0492168a)
        #1 0x7f4c5d252b3e in __talloc_with_prefix ../../lib/talloc/talloc.c:783
        #2 0x7f4c5d2543cc in __talloc ../../lib/talloc/talloc.c:825
        #3 0x7f4c5d2543cc in _talloc_named_const ../../lib/talloc/talloc.c:982
        #4 0x7f4c5d2543cc in talloc_named_const ../../lib/talloc/talloc.c:1751
        #5 0x7f4c504acc53 in partition_metadata_get_uint64 ../../source4/dsdb/samdb/ldb_modules/partition_metadata.c:50
        #6 0x7f4c504add29 in partition_metadata_sequence_number_increment ../../source4/dsdb/samdb/ldb_modules/partition_metadata.c:398
        #7 0x7f4c504a66aa in partition_sequence_number ../../source4/dsdb/samdb/ldb_modules/partition.c:1401
        #8 0x7f4c504a66aa in partition_extended ../../source4/dsdb/samdb/ldb_modules/partition.c:1680
        #9 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
        #10 0x7f4c503980c8 in replmd_extended ../../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:8455
        #11 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
        #12 0x7f4c502fae5c in samldb_extended ../../source4/dsdb/samdb/ldb_modules/samldb.c:5718
        #13 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
        #14 0x7f4c52f0b94c in acl_extended ../../source4/dsdb/samdb/ldb_modules/acl.c:2854
        #15 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
        #16 0x7f4c52eb019c in descriptor_extended ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1450
        #17 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
        #18 0x7f4c52ed8687 in log_extended ../../source4/dsdb/samdb/ldb_modules/audit_log.c:1824
        #19 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
        #20 0x7f4c505aa337 in unlazy_op ../../source4/dsdb/samdb/ldb_modules/lazy_commit.c:40
        #21 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
        #22 0x7f4c502d0f82 in schema_load_extended ../../source4/dsdb/samdb/ldb_modules/schema_load.c:593
        #23 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
        #24 0x7f4c5035a010 in rootdse_extended ../../source4/dsdb/samdb/ldb_modules/rootdse.c:1780
        #25 0x7f4c5c4914ef in ldb_request ../../lib/ldb/common/ldb.c:1244
        #26 0x7f4c5c492a2d in ldb_extended ../../lib/ldb/common/ldb.c:1714
        #27 0x7f4c5c492bdf in ldb_sequence_number ../../lib/ldb/common/ldb.c:1943
        #28 0x7f4c503a9abd in replmd_add ../../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:1316
        #29 0x7f4c5c4989f4 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:543
        #30 0x7f4c50458783 in rdn_name_add ../../lib/ldb/modules/rdn_name.c:206
        #31 0x7f4c5c4989f4 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:543
        #32 0x7f4c504f4852 in attr_handler ../../source4/dsdb/samdb/ldb_modules/objectclass_attrs.c:334
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 libcli/security/create_descriptor.c                |   8 +
 libcli/security/display_sec.c                      |  30 +-
 libcli/security/sddl.c                             |  55 ++-
 libcli/security/sddl.h                             |   6 +
 librpc/idl/conditional_ace.idl                     | 442 +++++++++++++++++++++
 librpc/idl/security.idl                            |  88 +++-
 librpc/idl/wscript_build                           |   1 +
 python/samba/tests/security.py                     |  30 +-
 .../dsdb/samdb/ldb_modules/partition_metadata.c    |  15 +-
 9 files changed, 622 insertions(+), 53 deletions(-)
 create mode 100644 librpc/idl/conditional_ace.idl


Changeset truncated at 500 lines:

diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c
index aeb3ea3d3bb..ab304a59a1c 100644
--- a/libcli/security/create_descriptor.c
+++ b/libcli/security/create_descriptor.c
@@ -215,6 +215,11 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
 			}
 
 			break;
+
+		default:
+			DBG_WARNING("ACE type %d is not handled\n", ace->type);
+			TALLOC_FREE(tmp_acl);
+			return NULL;
 		}
 
 		if (ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
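Review bot: the new `default:` branch makes calculate_inherited_from_parent() return NULL for any ACE type it does not recognise, so every caller must already treat NULL as a hard failure rather than as "nothing to inherit"; if any caller reads NULL as an empty inherited ACL, one unknown ACE in the parent would silently change the resulting descriptor instead of failing the operation. Worth confirming each caller in create_descriptor.c distinguishes the two cases, and wording the DBG_WARNING so it says the inheritance calculation was aborted, not only that the type "is not handled".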
@@ -327,6 +332,9 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
 				case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
 					tmp_ace->type = SEC_ACE_TYPE_SYSTEM_AUDIT;
 					break;
+                                default:
+                                        /* all the _CALLBACK types */
+                                        break;
 				}
 			}
 
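Review bot: the three added lines are indented with spaces while the surrounding `case` labels use tabs; match the tab indentation of the `case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:` line above. Also, the comment `/* all the _CALLBACK types */` describes only the types known today, but `default:` will also swallow any ACE type added later; listing the callback types as explicit `case` labels (with the type left unchanged) and keeping `default:` only for genuinely unknown values would let the compiler warn when a new enum member is not handled here.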
diff --git a/libcli/security/display_sec.c b/libcli/security/display_sec.c
index 3fc338fb233..be89a33f176 100644
--- a/libcli/security/display_sec.c
+++ b/libcli/security/display_sec.c
@@ -148,21 +148,21 @@ void display_sec_ace(struct security_ace *ace)
 		case SEC_ACE_TYPE_SYSTEM_ALARM:
 			printf("SYSTEM ALARM");
 			break;
-		case SEC_ACE_TYPE_ALLOWED_COMPOUND:
-			printf("SEC_ACE_TYPE_ALLOWED_COMPOUND");
-			break;
-		case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
-			printf("SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT");
-			break;
-		case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
-			printf("SEC_ACE_TYPE_ACCESS_DENIED_OBJECT");
-			break;
-		case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
-			printf("SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT");
-			break;
-		case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
-			printf("SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT");
-			break;
+#define ACE_CASE(x) case x: printf(#x); break
+		ACE_CASE(SEC_ACE_TYPE_ALLOWED_COMPOUND);
+		ACE_CASE(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT);
+		ACE_CASE(SEC_ACE_TYPE_ACCESS_DENIED_OBJECT);
+		ACE_CASE(SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT);
+		ACE_CASE(SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT);
+		ACE_CASE(SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK);
+		ACE_CASE(SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK);
+		ACE_CASE(SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT);
+		ACE_CASE(SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT);
+		ACE_CASE(SEC_ACE_TYPE_SYSTEM_AUDIT_CALLBACK);
+		ACE_CASE(SEC_ACE_TYPE_SYSTEM_ALARM_CALLBACK);
+		ACE_CASE(SEC_ACE_TYPE_SYSTEM_AUDIT_CALLBACK_OBJECT);
+		ACE_CASE(SEC_ACE_TYPE_SYSTEM_ALARM_CALLBACK_OBJECT);
+#undef ACE_CASE
 		default:
 			printf("????");
 			break;
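Review bot: the `default:` branch still prints "????", which hides which numeric ACE type was not recognised; since new ACE types are exactly what this series introduces, consider printing the value, for example `printf("unknown ACE type 0x%02x", ace->type);`, so a dump of a descriptor containing a type newer than this table is still diagnosable. The ACE_CASE macro itself is fine, and defining and undefining it inside the switch keeps its scope tight.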
diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c
index 5e85836ad57..31c730c03f6 100644
--- a/libcli/security/sddl.c
+++ b/libcli/security/sddl.c
@@ -24,6 +24,7 @@
 #include "libcli/security/security.h"
 #include "librpc/gen_ndr/ndr_misc.h"
 #include "lib/util/smb_strtox.h"
+#include "libcli/security/sddl.h"
 #include "system/locale.h"
 #include "lib/util/util_str_hex.h"
 
@@ -199,8 +200,8 @@ static const struct {
   decode a SID
   It can either be a special 2 letter code, or in S-* format
 */
-static struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
-				       struct sddl_transition_state *state)
+static struct dom_sid *sddl_transition_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
+						  struct sddl_transition_state *state)
 {
 	const char *sddl = (*sddlp);
 	size_t i;
@@ -281,6 +282,23 @@ static struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
 	return dom_sid_parse_talloc(mem_ctx, sid_codes[i].sid);
 }
 
+struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
+				const struct dom_sid *domain_sid)
+{
+	struct sddl_transition_state state = {
+		/*
+		 * TODO: verify .machine_rid values really belong to
+		 * to the machine_sid on a member, once
+		 * we pass machine_sid from the caller...
+		 */
+		.machine_sid = domain_sid,
+		.domain_sid = domain_sid,
+		.forest_sid = domain_sid,
+	};
+	return sddl_transition_decode_sid(mem_ctx, sddlp, &state);
+}
+
+
 static const struct flag_map ace_types[] = {
 	{ "AU", SEC_ACE_TYPE_SYSTEM_AUDIT },
 	{ "AL", SEC_ACE_TYPE_SYSTEM_ALARM },
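Review bot: the wrapper initialises machine_sid, domain_sid and forest_sid all from the caller's domain_sid, so on a domain member any SID alias the transition code resolves relative to machine_sid or forest_sid will be resolved against the domain SID instead; the TODO comment acknowledges the machine_rid case but says nothing about forest_sid. Either document (here and in sddl.h) that this entry point is only exact where the three SIDs coincide, or take the three SIDs as parameters. Minor: the comment reads "belong to / to the machine_sid" with a duplicated "to", and two blank lines are left before `static const struct flag_map ace_types[]`.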
@@ -561,7 +579,7 @@ static bool sddl_decode_ace(TALLOC_CTX *mem_ctx,
 
 	/* trustee */
 	s = tok[5];
-	sid = sddl_decode_sid(mem_ctx, &s, state);
+	sid = sddl_transition_decode_sid(mem_ctx, &s, state);
 	if (sid == NULL) {
 		return false;
 	}
@@ -704,12 +722,12 @@ struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl,
 			break;
 		case 'O':
 			if (sd->owner_sid != NULL) goto failed;
-			sd->owner_sid = sddl_decode_sid(sd, &sddl, &state);
+			sd->owner_sid = sddl_transition_decode_sid(sd, &sddl, &state);
 			if (sd->owner_sid == NULL) goto failed;
 			break;
 		case 'G':
 			if (sd->group_sid != NULL) goto failed;
-			sd->group_sid = sddl_decode_sid(sd, &sddl, &state);
+			sd->group_sid = sddl_transition_decode_sid(sd, &sddl, &state);
 			if (sd->group_sid == NULL) goto failed;
 			break;
 		default:
@@ -766,8 +784,8 @@ failed:
 /*
   encode a sid in SDDL format
 */
-static char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
-			     struct sddl_transition_state *state)
+static char *sddl_transition_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
+					struct sddl_transition_state *state)
 {
 	bool in_machine = dom_sid_in_domain(state->machine_sid, sid);
 	bool in_domain = dom_sid_in_domain(state->domain_sid, sid);
@@ -812,6 +830,23 @@ static char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
 	return talloc_strdup(mem_ctx, sidstr);
 }
 
+char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
+		      const struct dom_sid *domain_sid)
+{
+	struct sddl_transition_state state = {
+		/*
+		 * TODO: verify .machine_rid values really belong to
+		 * to the machine_sid on a member, once
+		 * we pass machine_sid from the caller...
+		 */
+		.machine_sid = domain_sid,
+		.domain_sid = domain_sid,
+		.forest_sid = domain_sid,
+	};
+	return sddl_transition_encode_sid(mem_ctx, sid, &state);
+}
+
+
 
 /*
   encode an ACE in SDDL format
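Review bot: this state initialiser (including the TODO comment and its duplicated "to to") is a verbatim copy of the one added to sddl_decode_sid() in an earlier hunk; a small static helper, say `sddl_transition_state_from_domain_sid(domain_sid)`, shared by both wrappers would keep the two from drifting when the machine and forest SIDs are eventually passed in from callers, and gives one place to fix the comment. Also, three blank lines are left before the "encode an ACE in SDDL format" comment where the rest of the file uses one.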
@@ -872,7 +907,7 @@ static char *sddl_transition_encode_ace(TALLOC_CTX *mem_ctx, const struct securi
 		}
 	}
 
-	sddl_trustee = sddl_encode_sid(tmp_ctx, &ace->trustee, state);
+	sddl_trustee = sddl_transition_encode_sid(tmp_ctx, &ace->trustee, state);
 	if (sddl_trustee == NULL) {
 		goto failed;
 	}
@@ -958,14 +993,14 @@ char *sddl_encode(TALLOC_CTX *mem_ctx, const struct security_descriptor *sd,
 	tmp_ctx = talloc_new(mem_ctx);
 
 	if (sd->owner_sid != NULL) {
-		char *sid = sddl_encode_sid(tmp_ctx, sd->owner_sid, &state);
+		char *sid = sddl_transition_encode_sid(tmp_ctx, sd->owner_sid, &state);
 		if (sid == NULL) goto failed;
 		sddl = talloc_asprintf_append_buffer(sddl, "O:%s", sid);
 		if (sddl == NULL) goto failed;
 	}
 
 	if (sd->group_sid != NULL) {
-		char *sid = sddl_encode_sid(tmp_ctx, sd->group_sid, &state);
+		char *sid = sddl_transition_encode_sid(tmp_ctx, sd->group_sid, &state);
 		if (sid == NULL) goto failed;
 		sddl = talloc_asprintf_append_buffer(sddl, "G:%s", sid);
 		if (sddl == NULL) goto failed;
diff --git a/libcli/security/sddl.h b/libcli/security/sddl.h
index 6720ec6453e..824b7032546 100644
--- a/libcli/security/sddl.h
+++ b/libcli/security/sddl.h
@@ -30,4 +30,10 @@ char *sddl_encode(TALLOC_CTX *mem_ctx, const struct security_descriptor *sd,
 char *sddl_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace,
 		      const struct dom_sid *domain_sid);
 
+struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
+				const struct dom_sid *domain_sid);
+
+char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
+		      const struct dom_sid *domain_sid);
+
 #endif /* __SDDL_H__ */
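Review bot: the two new prototypes carry no comment on what `domain_sid` is used for; since sddl.c reuses it as the machine, domain and forest SID, a one-line comment here saying that machine-local SIDs are treated as domain SIDs by these entry points would spare the external callers this export is intended for (the conditional ACE parser mentioned in the commit message) from discovering that by reading sddl.c.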
diff --git a/librpc/idl/conditional_ace.idl b/librpc/idl/conditional_ace.idl
new file mode 100644
index 00000000000..84d51a0c4c4
--- /dev/null
+++ b/librpc/idl/conditional_ace.idl
@@ -0,0 +1,442 @@
+#include "idl_types.h"
+
+/*
+  IDL structures and constants for conditional aces.
+*/
+
+import "security.idl";
+
+interface conditional_ace
+{
+	/*
+	 * Conditional ACEs have an expression at the end of the ACE.
+	 * We know it is there because the ACE type has CALLBACK in
+	 * its name, and we know how long it is because the size field
+	 * in the ACE points somewhere beyond the otherwise accounted
+	 * for objects:
+	 *
+	 *  | type | flags | size | access_mask | trustee |       |
+	 *                    `---------------------------------->|
+	 *
+	 * If the first 4 bytes of the extra bit (called "coda" in our
+	 * structs) are {'a', 'r', 't', 'x'}, the callback ACE is a
+	 * conditional ACE. On Windows it is possible to register
+	 * other kinds of callback ACEs with different magic strings
+	 * that get handled by callback functions. There is little
+	 * evidence of this ever happening, but that explains the
+	 * name.
+	 *
+	 * After the "artx", a conditional ACE consists of a series of
+	 * tokens that describe an expression tree in reverse Polish
+	 * order. The expression can work with claim and SID values
+	 * from the security token, comparing them to each other and
+	 * to literal values. [MS-DTYP] is reasonably clear about how
+	 * they work.
+	 */
+
+	/*
+	 * Token types from [MS-DTYP] 2.4.4.17 "Conditional ACEs".
+	 */
+	typedef [enum8bit] enum {
+		/*
+		 * Microsoft counts padding zeroes as a kind of token.
+		 * There should be up to three of these at the end, to
+		 * round out the size to a multiple of four.
+		 */
+		CONDITIONAL_ACE_TOKEN_INVALID_OR_PADDING = 0x00,
+
+		/* Literal tokens
+		 * ==============
+		 *
+		 * Literal integers. These are *all* stored using 10
+		 * bytes:
+		 *
+		 * - 8 bytes for the value, limited to the correct range
+		 *   (e.g. -128 to 127 for INT8)
+		 * - 1 byte for sign, probably just used for display
+		 * - 1 byte for base, just used for display
+		 *
+		 * SDDL integers are all stored using 64 bits, but
+		 * different token types can be used to pretend they
+		 * have smaller width. In comparisons (which is all
+		 * they can be used for) the type does not matter. The
+		 * only special thing a non-64 bit literal can do is
+		 * to cause a parsing error by being out of range (it
+		 * is an open question as to how you would end up with
+		 * short integers, let alone invalid ones, as the SDDL
+		 * syntax does not have a way of specifying them).
+		 */
+		CONDITIONAL_ACE_TOKEN_INT8          = 0x01,
+		CONDITIONAL_ACE_TOKEN_INT16         = 0x02,
+		CONDITIONAL_ACE_TOKEN_INT32         = 0x03,
+		CONDITIONAL_ACE_TOKEN_INT64         = 0x04,
+
+		/*
+		 * Literal strings and structured types.
+		 *
+		 * These have an unsigned 32 bit byte length, followed
+		 * by data.
+		 *
+		 * for unicode the data is UTF-16.
+		 * octet strings are bytes.
+		 * the composite type is a list type.
+		 * the sid type has an ordinary binary sid after the length.
+		 */
+		CONDITIONAL_ACE_TOKEN_UNICODE       = 0x10,
+		CONDITIONAL_ACE_TOKEN_OCTET_STRING  = 0x18,
+		CONDITIONAL_ACE_TOKEN_COMPOSITE     = 0x50,
+		CONDITIONAL_ACE_TOKEN_SID           = 0x51,
+
+		CONDITIONAL_ACE_LOCAL_ATTRIBUTE     = 0xf8,
+		CONDITIONAL_ACE_USER_ATTRIBUTE      = 0xf9,
+		CONDITIONAL_ACE_RESOURCE_ATTRIBUTE  = 0xfa,
+		CONDITIONAL_ACE_DEVICE_ATTRIBUTE    = 0xfb,
+
+		/*
+		 * Unary relational operator tokens
+		 * ================================
+		 *
+		 * For the membership ops, the operand can be a single
+		 * SID or a composite list of SIDs.
+		 *
+		 * Member_Of: true if the security token user SIDs
+		 * array contains all of the SIDs in the operand.
+		 */
+		CONDITIONAL_ACE_TOKEN_MEMBER_OF                 = 0x89,
+		/*
+		 * Device_Member_Of: true if the security token device
+		 * SIDs array contains all of the SIDs in the operand.
+		 */
+		CONDITIONAL_ACE_TOKEN_DEVICE_MEMBER_OF          = 0x8a,
+		/*
+		 * Member_Of_Any: true if the user SIDs array contains any of
+		 * the SIDs in the operand.
+		 */
+		CONDITIONAL_ACE_TOKEN_MEMBER_OF_ANY             = 0x8b,
+		/*
+		 * Device_Member_Of_Any: true if the device SIDs array
+		 * contains any of the SIDs in the operand.
+		 */
+		CONDITIONAL_ACE_TOKEN_DEVICE_MEMBER_OF_ANY      = 0x8c,
+
+		/*
+		 * Logical inverses of the member-of crew.
+		 */
+		CONDITIONAL_ACE_TOKEN_NOT_MEMBER_OF             = 0x90,
+		CONDITIONAL_ACE_TOKEN_NOT_DEVICE_MEMBER_OF      = 0x91,
+		CONDITIONAL_ACE_TOKEN_NOT_MEMBER_OF_ANY         = 0x92,
+		CONDITIONAL_ACE_TOKEN_NOT_DEVICE_MEMBER_OF_ANY  = 0x93,
+
+		/*
+		 * Binary relational operators
+		 * ===========================
+		 *
+		 * The left hand side argument (LHS) is an attribute.
+		 * The RHS is an attribute or a value or composite
+		 * list of values (depending on the operation).
+		 *
+		 * If the types mismatch, the result is UNKNOWN.
+		 */
+		CONDITIONAL_ACE_TOKEN_EQUAL             = 0x80, /* == */
+		CONDITIONAL_ACE_TOKEN_NOT_EQUAL         = 0x81, /* != */
+		CONDITIONAL_ACE_TOKEN_LESS_THAN         = 0x82, /* <  */
+		CONDITIONAL_ACE_TOKEN_LESS_OR_EQUAL     = 0x83, /* <= */
+		CONDITIONAL_ACE_TOKEN_GREATER_THAN      = 0x84, /* >  */
+		CONDITIONAL_ACE_TOKEN_GREATER_OR_EQUAL  = 0x85, /* >= */
+
+		/*
+		 * "contains" implies "all of", in contrast to the "any of"
+		 * operators.
+		 */
+		CONDITIONAL_ACE_TOKEN_CONTAINS          = 0x86,
+		CONDITIONAL_ACE_TOKEN_ANY_OF            = 0x88,
+		CONDITIONAL_ACE_TOKEN_NOT_CONTAINS      = 0x8e,
+		CONDITIONAL_ACE_TOKEN_NOT_ANY_OF        = 0x8f,
+
+		/*
+		 * Unary logical operators
+		 * =======================
+		 *
+		 * The operand for the existence operators must be a
+		 * local attribute or a resource attribute.
+		 */
+		CONDITIONAL_ACE_TOKEN_EXISTS           = 0x87, /* Exists */
+		CONDITIONAL_ACE_TOKEN_NOT_EXISTS       = 0x8d, /* Not_Exists */
+		/* NOT operator */
+		CONDITIONAL_ACE_TOKEN_NOT              = 0xa2, /* ! */
+
+		/*
+		 * Binary logical operators
+		 * ========================
+		 */
+		CONDITIONAL_ACE_TOKEN_AND              = 0xa0, /* && */
+		CONDITIONAL_ACE_TOKEN_OR               = 0xa1, /* || */
+
+		/*
+		 * Samba specific pseudo-tokens
+		 * ============================
+		 *
+		 * In running the conditional ace we maintain a stack
+		 * that is used as operands to the operators. Some of
+		 * the values on the stack are literals found inline
+		 * in the data, some are primitives resulting from
+		 * attribute look-up operations, and some are logical
+		 * results from comparison operations, which are in
+		 * the ternary form just mentioned. [MS-DTYP]
+		 * describes no token form for these ternary values,
+		 * as they are not used on the wire (that is, you
+		 * can't have a literal 'true' in a conditional ace).
+		 * So we add a token representation for Boolean result
+		 * types to use on the stack, using an available
+		 * opcode. The result of a lookup can also be 'NULL',
+		 * or an error, and we have opcodes for those too.
+		 *
+		 * These token types raise an error if they show up in
+		 * a conditional ACE, just like any other unknown
+		 * token type. They are for internal use only.
+		 *
+		 * In [MS-DTYP] these are called "Result Value".
+		 */
+
+		CONDITIONAL_ACE_SAMBA_RESULT_BOOL      = 0x0f,
+		CONDITIONAL_ACE_SAMBA_RESULT_NULL      = 0x0e,
+		CONDITIONAL_ACE_SAMBA_RESULT_ERROR     = 0x0d,
+
+		/*
+		 * Samba specific parentheses pseudo-tokens
+		 * ========================================
+		 *
+		 * These are useful for compiling SDDL, but will never show
+		 * up in the compiled ACE or during evaluation.
+		 */
+		CONDITIONAL_ACE_SAMBA_SDDL_PAREN       = 0x09,
+		CONDITIONAL_ACE_SAMBA_SDDL_PAREN_END   = 0x08
+	} token_type;
+
+	/*
+	 * Integer attributes.
+	 * ==================
+	 *
+	 * Integers are stored with a base indicator and a sign
+	 * indicator.
+	 *
+	 * Integer base is stored for display purposes. For example,
+	 * the number 17 will be shown as "021" with option 1, "17"
+	 * with 2, and "0x11" with 3. Comparisons are not affected.
+	 */
+	typedef [enum8bit] enum {
+		CONDITIONAL_ACE_INT_BASE_8     = 0x01,
+		CONDITIONAL_ACE_INT_BASE_10    = 0x02,
+		CONDITIONAL_ACE_INT_BASE_16    = 0x03
+	} int_base;
+
+	/*
+	 * Integer sign, mostly for display purposes[1]. It seems
+	 * negative numbers should be flagged here as negative (i.e.
+	 * with 2), while positive numbers should be flagged with
+	 * "none" (3), unless you want them to show up with a plus
+	 * sign in SDDL.
+	 *
+	 * [1] it is possible this has some real significance, perhaps
+	 * acting as an unsigned flag. TO BE DETERMINED.
+	 */
+	typedef [enum8bit] enum {
+		CONDITIONAL_ACE_INT_SIGN_POSITIVE     = 0x01,
+		CONDITIONAL_ACE_INT_SIGN_NEGATIVE     = 0x02,
+		CONDITIONAL_ACE_INT_SIGN_NONE         = 0x03
+	} int_sign;
+
+	/*
+	 * Ternary logical values
+	 *
+	 * Conditional ACEs use a ternary logic where values can be
+	 * unknown as well as true or false.
+	 *
+	 * The "Bool" result token can take any of these three values.
+	 * There is no literal Boolean value, but an integer of value
+	 * 0 or 1 can be compared with a Boolean result.
+	 */
+	typedef enum {
+		 ACE_CONDITION_FALSE                    =  0,
+		 ACE_CONDITION_TRUE                     =  1,
+		 ACE_CONDITION_UNKNOWN                  = -1
+	} ternary_logic_value;
+	/*
+	 * Sub-structures for struct ace_condition_token -> data,
+	 * which vary according to the token->type.
+	 *
+	 * These are not used on the wire.
+	 */
+	typedef [flag(NDR_NOALIGN)] struct {
+		int64 value;
+	} ace_condition_result;
+
+	typedef struct {
+		int64 value;
+		uint8 base;
+		uint8 sign;
+	} ace_condition_int;
+
+	typedef struct {

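Review bot: the Samba-specific pseudo-tokens (CONDITIONAL_ACE_SAMBA_RESULT_BOOL, _NULL, _ERROR at 0x0f..0x0d and the two SDDL_PAREN values at 0x09 and 0x08) share the same 8-bit token space as the [MS-DTYP] wire tokens, and the comment says they are rejected if they appear in an ACE; please make sure that rejection is part of the decoder rather than the evaluator, because a stored conditional ACE carrying one of these bytes would otherwise push a ready-made result value onto the evaluation stack. Two smaller points in the comments: the "Samba specific pseudo-tokens" block refers to "the ternary form just mentioned", but ternary logic is only introduced further down with ternary_logic_value, so either move that definition up or reword; and `ace_condition_result` is marked `[flag(NDR_NOALIGN)]` while `ace_condition_int` is not, although the comment says neither is used on the wire, so the flag should be applied to both or neither. Cosmetic: the "Integer attributes." underline is one character short, and the members of ternary_logic_value are indented one space deeper than the other enums.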

-- 
Samba Shared Repository


