[PATCH] A few cosmetic patches to libcli/security

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue May 27 01:19:04 MDT 2014


Hi!

Review & push would be appreciated!

Thanks,

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
-------------- next part --------------
From db31721286b26ca249a0e1543513c1d981dfd3a1 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 26 May 2014 20:48:05 +0000
Subject: [PATCH 1/6] libcli: Fix a memleak

struct security_ace has a struct dom_sid, not a pointer to it. So we don't have
to talloc it first and then not free it.

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 libcli/security/security_descriptor.c |    8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/libcli/security/security_descriptor.c b/libcli/security/security_descriptor.c
index 574dd4e..96de87f 100644
--- a/libcli/security/security_descriptor.c
+++ b/libcli/security/security_descriptor.c
@@ -564,21 +564,19 @@ struct security_ace *security_ace_create(TALLOC_CTX *mem_ctx,
 					 uint8_t flags)
 
 {
-	struct dom_sid *sid;
 	struct security_ace *ace;
+	bool ret;
 
 	ace = talloc_zero(mem_ctx, struct security_ace);
 	if (ace == NULL) {
 		return NULL;
 	}
 
-	sid = dom_sid_parse_talloc(ace, sid_str);
-	if (sid == NULL) {
+	ret = dom_sid_parse(sid_str, &ace->trustee);
+	if (!ret) {
 		talloc_free(ace);
 		return NULL;
 	}
-
-	ace->trustee = *sid;
 	ace->type = type;
 	ace->access_mask = access_mask;
 	ace->flags = flags;
-- 
1.7.9.5


From a0be88e52b4c4a2533b8f40e9d9cdcbb757029d7 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 26 May 2014 20:57:31 +0000
Subject: [PATCH 2/6] libcli: Avoid a talloc/free

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 libcli/security/security_token.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/libcli/security/security_token.c b/libcli/security/security_token.c
index 40f1382..95a09b3 100644
--- a/libcli/security/security_token.c
+++ b/libcli/security/security_token.c
@@ -84,12 +84,14 @@ bool security_token_is_sid(const struct security_token *token, const struct dom_
 bool security_token_is_sid_string(const struct security_token *token, const char *sid_string)
 {
 	bool ret;
-	struct dom_sid *sid = dom_sid_parse_talloc(NULL, sid_string);
-	if (!sid) return false;
+	struct dom_sid sid;
 
-	ret = security_token_is_sid(token, sid);
+	ret = dom_sid_parse(sid_string, &sid);
+	if (!ret) {
+		return false;
+	}
 
-	talloc_free(sid);
+	ret = security_token_is_sid(token, &sid);
 	return ret;
 }
 
-- 
1.7.9.5


From 764b8378bb992370684049293cffa1ac40b2314a Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 26 May 2014 20:57:31 +0000
Subject: [PATCH 3/6] libcli: Avoid a talloc/free

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 libcli/security/security_token.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/libcli/security/security_token.c b/libcli/security/security_token.c
index 95a09b3..6812d42 100644
--- a/libcli/security/security_token.c
+++ b/libcli/security/security_token.c
@@ -119,12 +119,14 @@ bool security_token_has_sid(const struct security_token *token, const struct dom
 bool security_token_has_sid_string(const struct security_token *token, const char *sid_string)
 {
 	bool ret;
-	struct dom_sid *sid = dom_sid_parse_talloc(NULL, sid_string);
-	if (!sid) return false;
+	struct dom_sid sid;
 
-	ret = security_token_has_sid(token, sid);
+	ret = dom_sid_parse(sid_string, &sid);
+	if (!ret) {
+		return false;
+	}
 
-	talloc_free(sid);
+	ret = security_token_has_sid(token, &sid);
 	return ret;
 }
 
-- 
1.7.9.5


From d6f2caeef5a2a629b8384b262abdf6b47853b396 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 26 May 2014 21:01:38 +0000
Subject: [PATCH 4/6] libcli: Avoid an explicit memset call

On x86 with -O3, this saves surprising 160 bytes .text

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 libcli/security/util_sid.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libcli/security/util_sid.c b/libcli/security/util_sid.c
index 9a24a4a..8e42826 100644
--- a/libcli/security/util_sid.c
+++ b/libcli/security/util_sid.c
@@ -225,10 +225,10 @@ void sid_copy(struct dom_sid *dst, const struct dom_sid *src)
 {
 	int i;
 
-	ZERO_STRUCTP(dst);
-
-	dst->sid_rev_num = src->sid_rev_num;
-	dst->num_auths = src->num_auths;
+	*dst = (struct dom_sid) {
+		.sid_rev_num = src->sid_rev_num,
+		.num_auths = src->num_auths,
+	};
 
 	memcpy(&dst->id_auth[0], &src->id_auth[0], sizeof(src->id_auth));
 
-- 
1.7.9.5


From bb9b57987f681594fe85bdacebf3bc1be54ff58c Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Tue, 27 May 2014 07:03:18 +0000
Subject: [PATCH 5/6] libcli: Simplify desc_expand_generic()

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 libcli/security/create_descriptor.c |   19 ++++++-------------
 1 file changed, 6 insertions(+), 13 deletions(-)

diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c
index 23e7e9b..33c9b10 100644
--- a/libcli/security/create_descriptor.c
+++ b/libcli/security/create_descriptor.c
@@ -125,19 +125,15 @@ static bool desc_ace_has_generic(TALLOC_CTX *mem_ctx,
 
 /* creates an ace in which the generic information is expanded */
 
-static void desc_expand_generic(TALLOC_CTX *mem_ctx,
-				struct security_ace *new_ace,
+static void desc_expand_generic(struct security_ace *new_ace,
 				struct dom_sid *owner,
 				struct dom_sid *group)
 {
-	struct dom_sid *co, *cg;
-	co = dom_sid_parse_talloc(mem_ctx,  SID_CREATOR_OWNER);
-	cg = dom_sid_parse_talloc(mem_ctx,  SID_CREATOR_GROUP);
 	new_ace->access_mask = map_generic_rights_ds(new_ace->access_mask);
-	if (dom_sid_equal(&new_ace->trustee, co)) {
+	if (dom_sid_equal(&new_ace->trustee, &global_sid_Creator_Owner)) {
 		new_ace->trustee = *owner;
 	}
-	if (dom_sid_equal(&new_ace->trustee, cg)) {
+	if (dom_sid_equal(&new_ace->trustee, &global_sid_Creator_Group)) {
 		new_ace->trustee = *group;
 	}
 	new_ace->flags = 0x0;
@@ -222,8 +218,7 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
 						    return NULL;
 					    }
 					    tmp_acl->aces[tmp_acl->num_aces] = *ace;
-					    desc_expand_generic(tmp_ctx,
-								&tmp_acl->aces[tmp_acl->num_aces],
+					    desc_expand_generic(&tmp_acl->aces[tmp_acl->num_aces],
 								owner,
 								group);
 					    tmp_acl->aces[tmp_acl->num_aces].flags = SEC_ACE_FLAG_INHERITED_ACE;
@@ -294,8 +289,7 @@ static struct security_acl *process_user_acl(TALLOC_CTX *mem_ctx,
 		 * and another one where these are translated */
 		if (desc_ace_has_generic(tmp_ctx, ace)) {
 			if (!(ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT)) {
-				desc_expand_generic(tmp_ctx,
-						    &tmp_acl->aces[tmp_acl->num_aces-1],
+				desc_expand_generic(&tmp_acl->aces[tmp_acl->num_aces-1],
 						    owner,
 						    group);
 			} else {
@@ -306,8 +300,7 @@ static struct security_acl *process_user_acl(TALLOC_CTX *mem_ctx,
 							       tmp_acl->num_aces+1);
 				/* add a new ACE with expanded generic info */
 				tmp_acl->aces[tmp_acl->num_aces] = *ace;
-				desc_expand_generic(tmp_ctx,
-						    &tmp_acl->aces[tmp_acl->num_aces],
+				desc_expand_generic(&tmp_acl->aces[tmp_acl->num_aces],
 						    owner,
 						    group);
 				tmp_acl->num_aces++;
-- 
1.7.9.5


From b53287f50e84426cd6e15c811527bf00b0a27a53 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Tue, 27 May 2014 07:04:38 +0000
Subject: [PATCH 6/6] libcli: Simplify desc_ace_has_generic()

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 libcli/security/create_descriptor.c |   15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c
index 33c9b10..03c0658 100644
--- a/libcli/security/create_descriptor.c
+++ b/libcli/security/create_descriptor.c
@@ -107,17 +107,14 @@ static bool object_in_list(struct GUID *object_list, struct GUID *object)
 /* returns true if the ACE gontains generic information
  * that needs to be processed additionally */
  
-static bool desc_ace_has_generic(TALLOC_CTX *mem_ctx,
-			     struct security_ace *ace)
+static bool desc_ace_has_generic(struct security_ace *ace)
 {
-	struct dom_sid *co, *cg;
-	co = dom_sid_parse_talloc(mem_ctx,  SID_CREATOR_OWNER);
-	cg = dom_sid_parse_talloc(mem_ctx,  SID_CREATOR_GROUP);
 	if (ace->access_mask & SEC_GENERIC_ALL || ace->access_mask & SEC_GENERIC_READ ||
 	    ace->access_mask & SEC_GENERIC_WRITE || ace->access_mask & SEC_GENERIC_EXECUTE) {
 		return true;
 	}
-	if (dom_sid_equal(&ace->trustee, co) || dom_sid_equal(&ace->trustee, cg)) {
+	if (dom_sid_equal(&ace->trustee, &global_sid_Creator_Owner) ||
+	    dom_sid_equal(&ace->trustee, &global_sid_Creator_Group)) {
 		return true;
 	}
 	return false;
@@ -175,7 +172,7 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
 			tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERITED_ACE;
 			/* remove IO flag from the child's ace */
 			if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY &&
-			    !desc_ace_has_generic(tmp_ctx, ace)) {
+			    !desc_ace_has_generic(ace)) {
 				tmp_acl->aces[tmp_acl->num_aces].flags &= ~SEC_ACE_FLAG_INHERIT_ONLY;
 			}
 
@@ -208,7 +205,7 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
 			tmp_acl->num_aces++;
 			if (is_container) {
 				if (!(ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) &&
-				    (desc_ace_has_generic(tmp_ctx, ace))) {
+				    (desc_ace_has_generic(ace))) {
 					    tmp_acl->aces = talloc_realloc(tmp_acl,
 									   tmp_acl->aces,
 									   struct security_ace,
@@ -287,7 +284,7 @@ static struct security_acl *process_user_acl(TALLOC_CTX *mem_ctx,
 		/* if the ACE contains CO, CG, GA, GE, GR or GW, and is inheritable
 		 * it has to be expanded to two aces, the original as IO,
 		 * and another one where these are translated */
-		if (desc_ace_has_generic(tmp_ctx, ace)) {
+		if (desc_ace_has_generic(ace)) {
 			if (!(ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT)) {
 				desc_expand_generic(&tmp_acl->aces[tmp_acl->num_aces-1],
 						    owner,
-- 
1.7.9.5



More information about the samba-technical mailing list