The branch, master has been updated
via caf0df2 s3-build Specify more of the smbconf dependencies
via 3aa9eea s3-build Make smbregistry depend on more of the subsystems
it needs
via 3557032 s3-build Add util_sec subsystem
via 83e62de s3-build Move dbwrap_rbt into dbwrap_util subsystem
via 0199100 s3-build Create dbwrap_util subsystem
via e65f4dd s3-build: Rearrange build system to seperate out simple
libraries
via c7131e6 s3-build Add dependency on 'ldap' and 'ber'
via 702d8d5 s3-lib Move free_namearray() into it's own file
via 3b7e1ac s3-lib Move realloc based string substitution functions out
of util_str.c
via a5a2373 s3-lib Move sstring_sub() to it's only user and make static
via 8d639fe s3-param Move init_iconv() to loadparm.c
via 381423b libcli/security: move secdesc.c to the top level
libcli/security
via e5dd03d s3-globals Remove smbd_event_context() (use
server_event_context())
via 8190558 heimdal: Remove getprogname and setprogname from the
heimdal import
via b19fe19 heimdal_build: Don't use heimdal's getprogname() and
setprogname()
via 33e8126 s3-param split service.c into param and smbd components
via ade01f0 s3-smbd Split conn.c into 3 files
via 4e374d1 s3-build: Move user_util.c into it's own subsystem
via 5314072 s3-lib Move string_init functions into their own file
via 8524924 s3-smbd provide struct smbd_server_connection * to
conn_snum_used
from c981d4f s3: Safely mark our sconn as smb2 if we have that protocol
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit caf0df2dde2f39c3b271a79fab9358475de6a6e4
Author: Andrew Bartlett <[email protected]>
Date: Mon May 30 18:39:27 2011 +1000
s3-build Specify more of the smbconf dependencies
This brings more functions into util_names.c, and util_names.c into
PARAM_WITHOUT_REG_SRC.
This is not yet a full list, that would formalise the implicit
dependency loop.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <[email protected]>
Autobuild-Date: Tue May 31 01:43:37 CEST 2011 on sn-devel-104
commit 3aa9eead2702880b1f645793b48f4e7d9e0fc17c
Author: Andrew Bartlett <[email protected]>
Date: Mon May 30 18:37:00 2011 +1000
s3-build Make smbregistry depend on more of the subsystems it needs
This is not the full list (that can be seen by setting
allow_undefined_symbols=True).
Andrew Bartlett
commit 355703249401aefe24caceb4e5622a9d249a745f
Author: Andrew Bartlett <[email protected]>
Date: Mon May 30 17:42:06 2011 +1000
s3-build Add util_sec subsystem
commit 83e62de9a79b4542f85611126a5589ed8ad2eb34
Author: Andrew Bartlett <[email protected]>
Date: Mon May 30 17:39:35 2011 +1000
s3-build Move dbwrap_rbt into dbwrap_util subsystem
commit 019910034854dc1ed70ba09a14d419ed45903715
Author: Andrew Bartlett <[email protected]>
Date: Mon May 30 17:27:23 2011 +1000
s3-build Create dbwrap_util subsystem
This contains the functions from dbwrap that don't require lp_
functions, and can therefore be put into a library (without dependency
loops).
Andrew Bartlett
commit e65f4dd9d4ca7019e537da8f4ab3061c76fd8204
Author: Andrew Bartlett <[email protected]>
Date: Mon May 30 16:55:30 2011 +1000
s3-build: Rearrange build system to seperate out simple libraries
This will slowly allow us to develop a proper dependency tree without
interlibrary loops and unresolved symbols.
Andrew Bartlett
commit c7131e6b736cf21a94b045c2ad854016c51c316b
Author: Andrew Bartlett <[email protected]>
Date: Mon May 30 16:28:17 2011 +1000
s3-build Add dependency on 'ldap' and 'ber'
These external libraries are required for the hooks in
lib/ldap_debug_handler.c
commit 702d8d5f87f36a6b62a8ad35af62fd0e7cb20384
Author: Andrew Bartlett <[email protected]>
Date: Mon May 30 16:18:51 2011 +1000
s3-lib Move free_namearray() into it's own file
This makes it easier to have conn_smbd strictly depend on all it's
dependencies.
Andrew Bartlett
commit 3b7e1ac31c764fc2023925288783c868eb6ec31e
Author: Andrew Bartlett <[email protected]>
Date: Mon May 30 16:16:08 2011 +1000
s3-lib Move realloc based string substitution functions out of util_str.c
This makes the dependency set for source3/lib/util_str.c simpiler,
which in turn makes it easier to build a dependency tree.
Andrew Bartlett
commit a5a2373979a9484bb68271e9c1c518f05a8ec564
Author: Andrew Bartlett <[email protected]>
Date: Mon May 30 16:15:01 2011 +1000
s3-lib Move sstring_sub() to it's only user and make static
This should not be used more generally, as it is specifically not for
multibyte strings, and uses malloc rather than talloc.
Andrew Bartlett
commit 8d639feed9493a099c57d494254f1ea262b28277
Author: Andrew Bartlett <[email protected]>
Date: Mon May 30 13:40:33 2011 +1000
s3-param Move init_iconv() to loadparm.c
This assists with some dependency loops
Andrew Bartlett
commit 381423b1bdba4c7d1931b162d872134c42e432cf
Author: Andrew Bartlett <[email protected]>
Date: Mon May 30 13:23:56 2011 +1000
libcli/security: move secdesc.c to the top level libcli/security
This code does not rely on lp_ or other source3 only functions, so can
be part of the common library.
Andrew Bartlett
commit e5dd03d1991f125fa3cfddac9a41d2f9e6391c42
Author: Andrew Bartlett <[email protected]>
Date: Wed May 25 18:51:56 2011 +1000
s3-globals Remove smbd_event_context() (use server_event_context())
This has been a wrapper around server_event_context() for some time
now, and removing this from dummmysmbd.c assists with library
dependencies.
Andrew Bartlett
commit 81905585c093b6d641a10f6c338949bcbaa724c0
Author: Andrew Bartlett <[email protected]>
Date: Wed May 25 16:45:53 2011 +1000
heimdal: Remove getprogname and setprogname from the heimdal import
commit b19fe1995ac5359b61eb9ff87bf6d800bb904cb8
Author: Andrew Bartlett <[email protected]>
Date: Wed May 25 16:44:50 2011 +1000
heimdal_build: Don't use heimdal's getprogname() and setprogname()
Writing into an __progname variable spooks me, and if we use the local
variable, then we duplciate the system one, which fails SYMBOLCHECK
Andrew Bartlett
commit 33e8126c3c810388d079008d6de8291a294b9bd8
Author: Andrew Bartlett <[email protected]>
Date: Wed May 25 15:01:04 2011 +1000
s3-param split service.c into param and smbd components
The dependency chain of find_service can't be satisfied sensibly
outside smbd, so don't include this in the main 'param' subsystem.
Also remove the duplicate find_service() and conn_snum_used() from
dummysmbd.c: The WAF build does not need these dummies any more, but
file.
Andrew Bartlett
commit ade01f083c502ecf7cba19303eb16d3c9a4be52a
Author: Andrew Bartlett <[email protected]>
Date: Wed May 25 14:58:24 2011 +1000
s3-smbd Split conn.c into 3 files
The idea with this split is to make it easier to handle dependencies,
avoiding having the loadparm code depend on the global server
variables, without resorting to dummy functions and linker tricks.
conn_clear_vuid_cache() is brought in from uid.c to make it static
Andrew Bartlett
commit 4e374d167992195b7a0e0f8c82aab755fd3d8379
Author: Andrew Bartlett <[email protected]>
Date: Wed May 25 14:55:08 2011 +1000
s3-build: Move user_util.c into it's own subsystem
commit 53140724f149058a8404727533ae792cbb8b1340
Author: Andrew Bartlett <[email protected]>
Date: Wed May 25 14:53:32 2011 +1000
s3-lib Move string_init functions into their own file
These have not been moved in common, as they are not talloc-based, but
it helps with dependencies if these are seperated from the rest of
util_str.c
Andrew Bartlett
commit 8524924a460349a9aa56db475d771b8884fbe517
Author: Andrew Bartlett <[email protected]>
Date: Wed May 25 13:00:22 2011 +1000
s3-smbd provide struct smbd_server_connection * to conn_snum_used
This provides the 'sconn' parameter to this key functions, that
is currently duplicated in dummysmbd.c, which causes duplicate symbol
issues in the waf build.
This has natrually caused a number of consequential changes across the
codebase, includning not passing a messaging context into initial
reload_services():
This causes problems because the global smbd_server_connection isn't
yet set up, as there isn't a connection here, just the initial
process.
Andrew Bartlett
-----------------------------------------------------------------------
Summary of changes:
libcli/security/secdesc.c | 719 +++++++++++++++++++++++++++
libcli/security/secdesc.h | 102 ++++
libcli/security/security.h | 1 +
libcli/security/wscript_build | 2 +-
source3/Makefile.in | 14 +-
source3/auth/wscript_build | 10 +-
source3/include/proto.h | 51 +--
source3/lib/charcnv.c | 14 -
source3/lib/dbwrap.c | 60 ---
source3/lib/dbwrap_util.c | 65 +++-
source3/lib/dummyparam.c | 35 ++
source3/lib/dummysmbd.c | 15 -
source3/lib/namearray.c | 39 ++
source3/lib/secdesc.c | 712 --------------------------
source3/lib/string_init.c | 77 +++
source3/lib/substitute.c | 29 ++
source3/lib/substitute_generic.c | 116 +++++
source3/lib/util.c | 178 -------
source3/lib/util_names.c | 163 ++++++-
source3/lib/util_str.c | 205 +--------
source3/libnet/libnet_samsync_ldif.c | 27 +
source3/libsmb/clisecdesc.c | 1 +
source3/modules/onefs_cbrl.c | 2 +-
source3/modules/vfs_aio_fork.c | 6 +-
source3/modules/vfs_preopen.c | 2 +-
source3/param/loadparm.c | 46 +-
source3/param/service.c | 276 ++++++++++
source3/registry/reg_backend_db.c | 1 +
source3/registry/regfio.c | 1 +
source3/rpc_server/dfs/srv_dfs_nt.c | 4 +-
source3/rpc_server/spoolss/srv_spoolss_nt.c | 1 +
source3/rpc_server/srvsvc/srv_srvsvc_nt.c | 3 +-
source3/rpc_server/winreg/srv_winreg_nt.c | 1 +
source3/smbd/aio.c | 4 +-
source3/smbd/blocking.c | 2 +-
source3/smbd/close.c | 2 +-
source3/smbd/conn.c | 227 ++-------
source3/smbd/conn_idle.c | 207 ++++++++
source3/smbd/conn_msg.c | 49 ++
source3/smbd/fileio.c | 2 +-
source3/smbd/globals.c | 2 +-
source3/smbd/ipc.c | 4 +-
source3/smbd/lanman.c | 2 +-
source3/smbd/msdfs.c | 5 +-
source3/smbd/oplock.c | 2 +-
source3/smbd/oplock_irix.c | 2 +-
source3/smbd/oplock_linux.c | 2 +-
source3/smbd/oplock_onefs.c | 2 +-
source3/smbd/pipes.c | 6 +-
source3/smbd/process.c | 26 +-
source3/smbd/proto.h | 7 +-
source3/smbd/server.c | 49 +-
source3/smbd/server_reload.c | 6 +-
source3/smbd/service.c | 228 +---------
source3/smbd/signing.c | 4 +-
source3/smbd/smb2_lock.c | 2 +-
source3/smbd/smb2_read.c | 2 +-
source3/smbd/smb2_server.c | 2 +-
source3/smbd/smb2_write.c | 2 +-
source3/smbd/uid.c | 44 --
source3/torture/vfstest.c | 10 -
source3/wscript_build | 118 ++++--
source4/heimdal/lib/roken/getprogname.c | 48 --
source4/heimdal/lib/roken/setprogname.c | 91 ----
source4/heimdal_build/replace.c | 17 +
source4/heimdal_build/wscript_build | 6 -
66 files changed, 2168 insertions(+), 1992 deletions(-)
create mode 100644 libcli/security/secdesc.c
create mode 100644 libcli/security/secdesc.h
create mode 100644 source3/lib/dummyparam.c
create mode 100644 source3/lib/namearray.c
delete mode 100644 source3/lib/secdesc.c
create mode 100644 source3/lib/string_init.c
create mode 100644 source3/lib/substitute_generic.c
create mode 100644 source3/param/service.c
create mode 100644 source3/smbd/conn_idle.c
create mode 100644 source3/smbd/conn_msg.c
delete mode 100644 source4/heimdal/lib/roken/getprogname.c
delete mode 100644 source4/heimdal/lib/roken/setprogname.c
Changeset truncated at 500 lines:
diff --git a/libcli/security/secdesc.c b/libcli/security/secdesc.c
new file mode 100644
index 0000000..5d75f07
--- /dev/null
+++ b/libcli/security/secdesc.c
@@ -0,0 +1,719 @@
+/*
+ * Unix SMB/Netbios implementation.
+ * SEC_DESC handling functions
+ * Copyright (C) Andrew Tridgell 1992-1998,
+ * Copyright (C) Jeremy R. Allison 1995-2003.
+ * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
+ * Copyright (C) Paul Ashton 1997-1998.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "librpc/gen_ndr/ndr_security.h"
+#include "libcli/security/security.h"
+
+#define ALL_SECURITY_INFORMATION (SECINFO_OWNER|SECINFO_GROUP|\
+ SECINFO_DACL|SECINFO_SACL|\
+ SECINFO_UNPROTECTED_SACL|\
+ SECINFO_UNPROTECTED_DACL|\
+ SECINFO_PROTECTED_SACL|\
+ SECINFO_PROTECTED_DACL)
+
+/* Map generic permissions to file object specific permissions */
+
+const struct generic_mapping file_generic_mapping = {
+ FILE_GENERIC_READ,
+ FILE_GENERIC_WRITE,
+ FILE_GENERIC_EXECUTE,
+ FILE_GENERIC_ALL
+};
+
+/*******************************************************************
+ Given a security_descriptor return the sec_info.
+********************************************************************/
+
+uint32_t get_sec_info(const struct security_descriptor *sd)
+{
+ uint32_t sec_info = ALL_SECURITY_INFORMATION;
+
+ SMB_ASSERT(sd);
+
+ if (sd->owner_sid == NULL) {
+ sec_info &= ~SECINFO_OWNER;
+ }
+ if (sd->group_sid == NULL) {
+ sec_info &= ~SECINFO_GROUP;
+ }
+ if (sd->sacl == NULL) {
+ sec_info &= ~SECINFO_SACL;
+ }
+ if (sd->dacl == NULL) {
+ sec_info &= ~SECINFO_DACL;
+ }
+
+ return sec_info;
+}
+
+
+/*******************************************************************
+ Merge part of security descriptor old_sec in to the empty sections of
+ security descriptor new_sec.
+********************************************************************/
+
+struct sec_desc_buf *sec_desc_merge_buf(TALLOC_CTX *ctx, struct sec_desc_buf
*new_sdb, struct sec_desc_buf *old_sdb)
+{
+ struct dom_sid *owner_sid, *group_sid;
+ struct sec_desc_buf *return_sdb;
+ struct security_acl *dacl, *sacl;
+ struct security_descriptor *psd = NULL;
+ uint16_t secdesc_type;
+ size_t secdesc_size;
+
+ /* Copy over owner and group sids. There seems to be no flag for
+ this so just check the pointer values. */
+
+ owner_sid = new_sdb->sd->owner_sid ? new_sdb->sd->owner_sid :
+ old_sdb->sd->owner_sid;
+
+ group_sid = new_sdb->sd->group_sid ? new_sdb->sd->group_sid :
+ old_sdb->sd->group_sid;
+
+ secdesc_type = new_sdb->sd->type;
+
+ /* Ignore changes to the system ACL. This has the effect of making
+ changes through the security tab audit button not sticking.
+ Perhaps in future Samba could implement these settings somehow. */
+
+ sacl = NULL;
+ secdesc_type &= ~SEC_DESC_SACL_PRESENT;
+
+ /* Copy across discretionary ACL */
+
+ if (secdesc_type & SEC_DESC_DACL_PRESENT) {
+ dacl = new_sdb->sd->dacl;
+ } else {
+ dacl = old_sdb->sd->dacl;
+ }
+
+ /* Create new security descriptor from bits */
+
+ psd = make_sec_desc(ctx, new_sdb->sd->revision, secdesc_type,
+ owner_sid, group_sid, sacl, dacl, &secdesc_size);
+
+ return_sdb = make_sec_desc_buf(ctx, secdesc_size, psd);
+
+ return(return_sdb);
+}
+
+struct security_descriptor *sec_desc_merge(TALLOC_CTX *ctx, struct
security_descriptor *new_sdb, struct security_descriptor *old_sdb)
+{
+ struct dom_sid *owner_sid, *group_sid;
+ struct security_acl *dacl, *sacl;
+ struct security_descriptor *psd = NULL;
+ uint16_t secdesc_type;
+ size_t secdesc_size;
+
+ /* Copy over owner and group sids. There seems to be no flag for
+ this so just check the pointer values. */
+
+ owner_sid = new_sdb->owner_sid ? new_sdb->owner_sid :
+ old_sdb->owner_sid;
+
+ group_sid = new_sdb->group_sid ? new_sdb->group_sid :
+ old_sdb->group_sid;
+
+ secdesc_type = new_sdb->type;
+
+ /* Ignore changes to the system ACL. This has the effect of making
+ changes through the security tab audit button not sticking.
+ Perhaps in future Samba could implement these settings somehow. */
+
+ sacl = NULL;
+ secdesc_type &= ~SEC_DESC_SACL_PRESENT;
+
+ /* Copy across discretionary ACL */
+
+ if (secdesc_type & SEC_DESC_DACL_PRESENT) {
+ dacl = new_sdb->dacl;
+ } else {
+ dacl = old_sdb->dacl;
+ }
+
+ /* Create new security descriptor from bits */
+ psd = make_sec_desc(ctx, new_sdb->revision, secdesc_type,
+ owner_sid, group_sid, sacl, dacl, &secdesc_size);
+
+ return psd;
+}
+
+/*******************************************************************
+ Creates a struct security_descriptor structure
+********************************************************************/
+
+#define SEC_DESC_HEADER_SIZE (2 * sizeof(uint16_t) + 4 * sizeof(uint32_t))
+
+struct security_descriptor *make_sec_desc(TALLOC_CTX *ctx,
+ enum security_descriptor_revision revision,
+ uint16_t type,
+ const struct dom_sid *owner_sid, const struct dom_sid
*grp_sid,
+ struct security_acl *sacl, struct security_acl *dacl,
size_t *sd_size)
+{
+ struct security_descriptor *dst;
+ uint32_t offset = 0;
+
+ *sd_size = 0;
+
+ if(( dst = talloc_zero(ctx, struct security_descriptor)) == NULL)
+ return NULL;
+
+ dst->revision = revision;
+ dst->type = type;
+
+ if (sacl)
+ dst->type |= SEC_DESC_SACL_PRESENT;
+ if (dacl)
+ dst->type |= SEC_DESC_DACL_PRESENT;
+
+ dst->owner_sid = NULL;
+ dst->group_sid = NULL;
+ dst->sacl = NULL;
+ dst->dacl = NULL;
+
+ if(owner_sid && ((dst->owner_sid = dom_sid_dup(dst,owner_sid)) == NULL))
+ goto error_exit;
+
+ if(grp_sid && ((dst->group_sid = dom_sid_dup(dst,grp_sid)) == NULL))
+ goto error_exit;
+
+ if(sacl && ((dst->sacl = dup_sec_acl(dst, sacl)) == NULL))
+ goto error_exit;
+
+ if(dacl && ((dst->dacl = dup_sec_acl(dst, dacl)) == NULL))
+ goto error_exit;
+
+ offset = SEC_DESC_HEADER_SIZE;
+
+ /*
+ * Work out the linearization sizes.
+ */
+
+ if (dst->sacl != NULL) {
+ offset += dst->sacl->size;
+ }
+ if (dst->dacl != NULL) {
+ offset += dst->dacl->size;
+ }
+
+ if (dst->owner_sid != NULL) {
+ offset += ndr_size_dom_sid(dst->owner_sid, 0);
+ }
+
+ if (dst->group_sid != NULL) {
+ offset += ndr_size_dom_sid(dst->group_sid, 0);
+ }
+
+ *sd_size = (size_t)offset;
+ return dst;
+
+error_exit:
+
+ *sd_size = 0;
+ return NULL;
+}
+
+/*******************************************************************
+ Duplicate a struct security_descriptor structure.
+********************************************************************/
+
+struct security_descriptor *dup_sec_desc(TALLOC_CTX *ctx, const struct
security_descriptor *src)
+{
+ size_t dummy;
+
+ if(src == NULL)
+ return NULL;
+
+ return make_sec_desc( ctx, src->revision, src->type,
+ src->owner_sid, src->group_sid, src->sacl,
+ src->dacl, &dummy);
+}
+
+/*******************************************************************
+ Convert a secdesc into a byte stream
+********************************************************************/
+NTSTATUS marshall_sec_desc(TALLOC_CTX *mem_ctx,
+ struct security_descriptor *secdesc,
+ uint8_t **data, size_t *len)
+{
+ DATA_BLOB blob;
+ enum ndr_err_code ndr_err;
+
+ ndr_err = ndr_push_struct_blob(
+ &blob, mem_ctx, secdesc,
+ (ndr_push_flags_fn_t)ndr_push_security_descriptor);
+
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ DEBUG(0, ("ndr_push_security_descriptor failed: %s\n",
+ ndr_errstr(ndr_err)));
+ return ndr_map_error2ntstatus(ndr_err);
+ }
+
+ *data = blob.data;
+ *len = blob.length;
+ return NT_STATUS_OK;
+}
+
+/*******************************************************************
+ Convert a secdesc_buf into a byte stream
+********************************************************************/
+
+NTSTATUS marshall_sec_desc_buf(TALLOC_CTX *mem_ctx,
+ struct sec_desc_buf *secdesc_buf,
+ uint8_t **data, size_t *len)
+{
+ DATA_BLOB blob;
+ enum ndr_err_code ndr_err;
+
+ ndr_err = ndr_push_struct_blob(
+ &blob, mem_ctx, secdesc_buf,
+ (ndr_push_flags_fn_t)ndr_push_sec_desc_buf);
+
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ DEBUG(0, ("ndr_push_sec_desc_buf failed: %s\n",
+ ndr_errstr(ndr_err)));
+ return ndr_map_error2ntstatus(ndr_err);
+ }
+
+ *data = blob.data;
+ *len = blob.length;
+ return NT_STATUS_OK;
+}
+
+/*******************************************************************
+ Parse a byte stream into a secdesc
+********************************************************************/
+NTSTATUS unmarshall_sec_desc(TALLOC_CTX *mem_ctx, uint8_t *data, size_t len,
+ struct security_descriptor **psecdesc)
+{
+ DATA_BLOB blob;
+ enum ndr_err_code ndr_err;
+ struct security_descriptor *result;
+
+ if ((data == NULL) || (len == 0)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ result = talloc_zero(mem_ctx, struct security_descriptor);
+ if (result == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ blob = data_blob_const(data, len);
+
+ ndr_err = ndr_pull_struct_blob(&blob, result, result,
+ (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
+
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ DEBUG(0, ("ndr_pull_security_descriptor failed: %s\n",
+ ndr_errstr(ndr_err)));
+ TALLOC_FREE(result);
+ return ndr_map_error2ntstatus(ndr_err);
+ }
+
+ *psecdesc = result;
+ return NT_STATUS_OK;
+}
+
+/*******************************************************************
+ Parse a byte stream into a sec_desc_buf
+********************************************************************/
+
+NTSTATUS unmarshall_sec_desc_buf(TALLOC_CTX *mem_ctx, uint8_t *data, size_t
len,
+ struct sec_desc_buf **psecdesc_buf)
+{
+ DATA_BLOB blob;
+ enum ndr_err_code ndr_err;
+ struct sec_desc_buf *result;
+
+ if ((data == NULL) || (len == 0)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ result = talloc_zero(mem_ctx, struct sec_desc_buf);
+ if (result == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ blob = data_blob_const(data, len);
+
+ ndr_err = ndr_pull_struct_blob(&blob, result, result,
+ (ndr_pull_flags_fn_t)ndr_pull_sec_desc_buf);
+
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ DEBUG(0, ("ndr_pull_sec_desc_buf failed: %s\n",
+ ndr_errstr(ndr_err)));
+ TALLOC_FREE(result);
+ return ndr_map_error2ntstatus(ndr_err);
+ }
+
+ *psecdesc_buf = result;
+ return NT_STATUS_OK;
+}
+
+/*******************************************************************
+ Creates a struct security_descriptor structure with typical defaults.
+********************************************************************/
+
+struct security_descriptor *make_standard_sec_desc(TALLOC_CTX *ctx, const
struct dom_sid *owner_sid, const struct dom_sid *grp_sid,
+ struct security_acl *dacl, size_t *sd_size)
+{
+ return make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1,
+ SEC_DESC_SELF_RELATIVE, owner_sid, grp_sid, NULL,
+ dacl, sd_size);
+}
+
+/*******************************************************************
+ Creates a struct sec_desc_buf structure.
+********************************************************************/
+
+struct sec_desc_buf *make_sec_desc_buf(TALLOC_CTX *ctx, size_t len, struct
security_descriptor *sec_desc)
+{
+ struct sec_desc_buf *dst;
+
+ if((dst = talloc_zero(ctx, struct sec_desc_buf)) == NULL)
+ return NULL;
+
+ /* max buffer size (allocated size) */
+ dst->sd_size = (uint32_t)len;
+
+ if(sec_desc && ((dst->sd = dup_sec_desc(ctx, sec_desc)) == NULL)) {
+ return NULL;
+ }
+
+ return dst;
+}
+
+/*******************************************************************
+ Duplicates a struct sec_desc_buf structure.
+********************************************************************/
+
+struct sec_desc_buf *dup_sec_desc_buf(TALLOC_CTX *ctx, struct sec_desc_buf
*src)
+{
+ if(src == NULL)
+ return NULL;
+
+ return make_sec_desc_buf( ctx, src->sd_size, src->sd);
+}
+
+/*******************************************************************
+ Add a new SID with its permissions to struct security_descriptor.
+********************************************************************/
+
+NTSTATUS sec_desc_add_sid(TALLOC_CTX *ctx, struct security_descriptor **psd,
const struct dom_sid *sid, uint32_t mask, size_t *sd_size)
+{
+ struct security_descriptor *sd = 0;
+ struct security_acl *dacl = 0;
+ struct security_ace *ace = 0;
+ NTSTATUS status;
+
+ if (!ctx || !psd || !sid || !sd_size)
+ return NT_STATUS_INVALID_PARAMETER;
+
+ *sd_size = 0;
+
+ status = sec_ace_add_sid(ctx, &ace, psd[0]->dacl->aces,
&psd[0]->dacl->num_aces, sid, mask);
+
+ if (!NT_STATUS_IS_OK(status))
+ return status;
+
+ if (!(dacl = make_sec_acl(ctx, psd[0]->dacl->revision,
psd[0]->dacl->num_aces, ace)))
+ return NT_STATUS_UNSUCCESSFUL;
+
+ if (!(sd = make_sec_desc(ctx, psd[0]->revision, psd[0]->type,
psd[0]->owner_sid,
+ psd[0]->group_sid, psd[0]->sacl, dacl, sd_size)))
+ return NT_STATUS_UNSUCCESSFUL;
+
+ *psd = sd;
+ sd = 0;
+ return NT_STATUS_OK;
+}
+
+/*******************************************************************
+ Modify a SID's permissions in a struct security_descriptor.
+********************************************************************/
+
+NTSTATUS sec_desc_mod_sid(struct security_descriptor *sd, struct dom_sid *sid,
uint32_t mask)
+{
+ NTSTATUS status;
+
+ if (!sd || !sid)
+ return NT_STATUS_INVALID_PARAMETER;
+
+ status = sec_ace_mod_sid(sd->dacl->aces, sd->dacl->num_aces, sid, mask);
+
+ if (!NT_STATUS_IS_OK(status))
+ return status;
+
+ return NT_STATUS_OK;
+}
+
+/*******************************************************************
+ Delete a SID from a struct security_descriptor.
+********************************************************************/
+
+NTSTATUS sec_desc_del_sid(TALLOC_CTX *ctx, struct security_descriptor **psd,
struct dom_sid *sid, size_t *sd_size)
+{
+ struct security_descriptor *sd = 0;
+ struct security_acl *dacl = 0;
+ struct security_ace *ace = 0;
+ NTSTATUS status;
+
+ if (!ctx || !psd[0] || !sid || !sd_size)
+ return NT_STATUS_INVALID_PARAMETER;
+
+ *sd_size = 0;
+
+ status = sec_ace_del_sid(ctx, &ace, psd[0]->dacl->aces,
&psd[0]->dacl->num_aces, sid);
+
+ if (!NT_STATUS_IS_OK(status))
+ return status;
+
+ if (!(dacl = make_sec_acl(ctx, psd[0]->dacl->revision,
psd[0]->dacl->num_aces, ace)))
+ return NT_STATUS_UNSUCCESSFUL;
+
--
Samba Shared Repository
