1 | /* |
---|
2 | * This file contains refactored Samba code used to interpret Windows |
---|
3 | * Security Descriptors. See: |
---|
4 | * http://websvn.samba.org/cgi-bin/viewcvs.cgi/trunk/source/ |
---|
5 | * |
---|
6 | * Revisions have been made based on information provided by Microsoft |
---|
7 | * at: |
---|
8 | * http://msdn.microsoft.com/en-us/library/cc230366(PROT.10).aspx |
---|
9 | * |
---|
10 | * Copyright (C) 2005,2009 Timothy D. Morgan |
---|
11 | * Copyright (C) 1992-2005 Samba development team |
---|
12 | * |
---|
13 | * This program is free software; you can redistribute it and/or modify |
---|
14 | * it under the terms of the GNU General Public License as published by |
---|
15 | * the Free Software Foundation; version 3 of the License. |
---|
16 | * |
---|
17 | * This program is distributed in the hope that it will be useful, |
---|
18 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
19 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
20 | * GNU General Public License for more details. |
---|
21 | * |
---|
22 | * You should have received a copy of the GNU General Public License |
---|
23 | * along with this program; if not, write to the Free Software |
---|
24 | * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. |
---|
25 | * |
---|
26 | * $Id: winsec.h 134 2009-01-16 18:36:04Z tim $ |
---|
27 | */ |
---|
28 | |
---|
29 | #ifndef _WINSEC_H |
---|
30 | #define _WINSEC_H |
---|
31 | |
---|
32 | #include <stdlib.h> |
---|
33 | #include <stdbool.h> |
---|
34 | #include <stdint.h> |
---|
35 | #include <stdio.h> |
---|
36 | #include <string.h> |
---|
37 | #include <errno.h> |
---|
38 | #include <fcntl.h> |
---|
39 | #include <sys/stat.h> |
---|
40 | #include <sys/types.h> |
---|
41 | #include <unistd.h> |
---|
42 | |
---|
43 | #include "smb_deps.h" |
---|
44 | |
---|
45 | |
---|
46 | /* This is the maximum number of subauths in a SID, as defined here: |
---|
47 | * http://msdn.microsoft.com/en-us/library/cc230371(PROT.10).aspx |
---|
48 | */ |
---|
49 | #define WINSEC_MAX_SUBAUTHS 15 |
---|
50 | |
---|
51 | #define WINSEC_DESC_HEADER_SIZE (5 * sizeof(uint32_t)) |
---|
52 | #define WINSEC_ACL_HEADER_SIZE (2 * sizeof(uint32_t)) |
---|
53 | #define WINSEC_ACE_MIN_SIZE 16 |
---|
54 | |
---|
55 | /* TODO: Fill in definitions of other flags */ |
---|
56 | /* This means offsets contained in the descriptor are relative to the |
---|
57 | * descriptor's offset. This had better be true in the registry. |
---|
58 | */ |
---|
59 | #define WINSEC_DESC_SELF_RELATIVE 0x8000 |
---|
60 | #define WINSEC_DESC_SACL_PRESENT 0x0010 |
---|
61 | #define WINSEC_DESC_DACL_PRESENT 0x0004 |
---|
62 | |
---|
63 | #define WINSEC_ACE_OBJECT_PRESENT 0x00000001 |
---|
64 | #define WINSEC_ACE_OBJECT_INHERITED_PRESENT 0x00000002 |
---|
65 | #define WINSEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT 0x5 |
---|
66 | #define WINSEC_ACE_TYPE_ACCESS_DENIED_OBJECT 0x6 |
---|
67 | #define WINSEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT 0x7 |
---|
68 | #define WINSEC_ACE_TYPE_SYSTEM_ALARM_OBJECT 0x8 |
---|
69 | |
---|
70 | |
---|
71 | typedef struct _winsec_uuid |
---|
72 | { |
---|
73 | uint32 time_low; |
---|
74 | uint16 time_mid; |
---|
75 | uint16 time_hi_and_version; |
---|
76 | uint8 clock_seq[2]; |
---|
77 | uint8 node[6]; |
---|
78 | } WINSEC_UUID; |
---|
79 | |
---|
80 | |
---|
81 | typedef struct _winsec_sid |
---|
82 | { |
---|
83 | uint8_t sid_rev_num; /* SID revision number */ |
---|
84 | uint8_t num_auths; /* Number of sub-authorities */ |
---|
85 | uint8_t id_auth[6]; /* Identifier Authority */ |
---|
86 | /* |
---|
87 | * Pointer to sub-authorities. |
---|
88 | * |
---|
89 | * @note The values in these uint32_t's are in *native* byteorder, not |
---|
90 | * neccessarily little-endian...... JRA. |
---|
91 | */ |
---|
92 | /* XXX: Make this dynamically allocated? */ |
---|
93 | uint32_t sub_auths[WINSEC_MAX_SUBAUTHS]; |
---|
94 | } WINSEC_DOM_SID; |
---|
95 | |
---|
96 | |
---|
97 | typedef struct _winsec_ace |
---|
98 | { |
---|
99 | uint8_t type; /* xxxx_xxxx_ACE_TYPE - e.g allowed / denied etc */ |
---|
100 | uint8_t flags; /* xxxx_INHERIT_xxxx - e.g OBJECT_INHERIT_ACE */ |
---|
101 | uint16_t size; |
---|
102 | uint32_t access_mask; |
---|
103 | |
---|
104 | /* this stuff may be present when type is XXXX_TYPE_XXXX_OBJECT */ |
---|
105 | uint32_t obj_flags; /* xxxx_ACE_OBJECT_xxxx e.g present/inherited present etc */ |
---|
106 | WINSEC_UUID* obj_guid; /* object GUID */ |
---|
107 | WINSEC_UUID* inh_guid; /* inherited object GUID */ |
---|
108 | /* eof object stuff */ |
---|
109 | |
---|
110 | WINSEC_DOM_SID* trustee; |
---|
111 | |
---|
112 | } WINSEC_ACE; |
---|
113 | |
---|
114 | typedef struct _winsec_acl |
---|
115 | { |
---|
116 | uint16_t revision; /* 0x0003 */ |
---|
117 | uint16_t size; /* size in bytes of the entire ACL structure */ |
---|
118 | uint32_t num_aces; /* number of Access Control Entries */ |
---|
119 | |
---|
120 | WINSEC_ACE** aces; |
---|
121 | |
---|
122 | } WINSEC_ACL; |
---|
123 | |
---|
124 | typedef struct _winsec_desc |
---|
125 | { |
---|
126 | uint8_t revision; /* 0x01 */ |
---|
127 | uint8_t sbz1; /* "If the Control field has the RM flag set, |
---|
128 | * then this field contains the resource |
---|
129 | * manager (RM) control value. ... Otherwise, |
---|
130 | * this field is reserved and MUST be set to |
---|
131 | * zero." -- Microsoft. See reference above. |
---|
132 | */ |
---|
133 | uint16_t control; /* WINSEC_DESC_* flags */ |
---|
134 | |
---|
135 | uint32_t off_owner_sid; /* offset to owner sid */ |
---|
136 | uint32_t off_grp_sid ; /* offset to group sid */ |
---|
137 | uint32_t off_sacl ; /* offset to system list of permissions */ |
---|
138 | uint32_t off_dacl ; /* offset to list of permissions */ |
---|
139 | |
---|
140 | WINSEC_DOM_SID* owner_sid; |
---|
141 | WINSEC_DOM_SID* grp_sid; |
---|
142 | WINSEC_ACL* sacl; /* system ACL */ |
---|
143 | WINSEC_ACL* dacl; /* user ACL */ |
---|
144 | |
---|
145 | } WINSEC_DESC; |
---|
146 | |
---|
147 | |
---|
148 | /* XXX: Need API functions to deallocate these structures */ |
---|
149 | WINSEC_DESC* winsec_parse_desc(const uint8_t* buf, uint32_t buf_len); |
---|
150 | WINSEC_ACL* winsec_parse_acl(const uint8_t* buf, uint32_t buf_len); |
---|
151 | WINSEC_ACE* winsec_parse_ace(const uint8_t* buf, uint32_t buf_len); |
---|
152 | WINSEC_DOM_SID* winsec_parse_dom_sid(const uint8_t* buf, uint32_t buf_len); |
---|
153 | WINSEC_UUID* winsec_parse_uuid(const uint8_t* buf, uint32_t buf_len); |
---|
154 | |
---|
155 | size_t winsec_sid_size(const WINSEC_DOM_SID* sid); |
---|
156 | int winsec_sid_compare_auth(const WINSEC_DOM_SID* sid1, const WINSEC_DOM_SID* sid2); |
---|
157 | int winsec_sid_compare(const WINSEC_DOM_SID* sid1, const WINSEC_DOM_SID* sid2); |
---|
158 | bool winsec_sid_equal(const WINSEC_DOM_SID* sid1, const WINSEC_DOM_SID* sid2); |
---|
159 | bool winsec_desc_equal(WINSEC_DESC* s1, WINSEC_DESC* s2); |
---|
160 | bool winsec_acl_equal(WINSEC_ACL* s1, WINSEC_ACL* s2); |
---|
161 | bool winsec_ace_equal(WINSEC_ACE* s1, WINSEC_ACE* s2); |
---|
162 | bool winsec_ace_object(uint8_t type); |
---|
163 | |
---|
164 | #endif /* _WINSEC_H */ |
---|