| 1 | /* |
|---|
| 2 | * This file contains refactored Samba code used to interpret Windows |
|---|
| 3 | * Security Descriptors. See: |
|---|
| 4 | * http://websvn.samba.org/cgi-bin/viewcvs.cgi/trunk/source/ |
|---|
| 5 | * |
|---|
| 6 | * Copyright (C) 2005,2009 Timothy D. Morgan |
|---|
| 7 | * Copyright (C) 1992-2005 Samba development team |
|---|
| 8 | * |
|---|
| 9 | * This program is free software; you can redistribute it and/or modify |
|---|
| 10 | * it under the terms of the GNU General Public License as published by |
|---|
| 11 | * the Free Software Foundation; version 3 of the License. |
|---|
| 12 | * |
|---|
| 13 | * This program is distributed in the hope that it will be useful, |
|---|
| 14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
|---|
| 15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|---|
| 16 | * GNU General Public License for more details. |
|---|
| 17 | * |
|---|
| 18 | * You should have received a copy of the GNU General Public License |
|---|
| 19 | * along with this program; if not, write to the Free Software |
|---|
| 20 | * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. |
|---|
| 21 | * |
|---|
| 22 | * $Id: winsec.h 133 2009-01-12 17:07:58Z tim $ |
|---|
| 23 | */ |
|---|
| 24 | |
|---|
| 25 | #include <stdlib.h> |
|---|
| 26 | #include <stdbool.h> |
|---|
| 27 | #include <stdio.h> |
|---|
| 28 | #include <string.h> |
|---|
| 29 | #include <errno.h> |
|---|
| 30 | #include <fcntl.h> |
|---|
| 31 | #include <sys/stat.h> |
|---|
| 32 | #include <sys/types.h> |
|---|
| 33 | #include <unistd.h> |
|---|
| 34 | |
|---|
| 35 | #include "smb_deps.h" |
|---|
| 36 | |
|---|
| 37 | |
|---|
| 38 | #define MAXSUBAUTHS 15 |
|---|
| 39 | |
|---|
| 40 | #define SEC_DESC_HEADER_SIZE (2 * sizeof(uint16) + 4 * sizeof(uint32)) |
|---|
| 41 | /*thanks for Jim McDonough <jmcd@us.ibm.com>*/ |
|---|
| 42 | #define SEC_DESC_DACL_PRESENT 0x0004 |
|---|
| 43 | #define SEC_DESC_SACL_PRESENT 0x0010 |
|---|
| 44 | |
|---|
| 45 | #define SEC_ACE_OBJECT_PRESENT 0x00000001 |
|---|
| 46 | #define SEC_ACE_OBJECT_INHERITED_PRESENT 0x00000002 |
|---|
| 47 | #define SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT 0x5 |
|---|
| 48 | #define SEC_ACE_TYPE_ACCESS_DENIED_OBJECT 0x6 |
|---|
| 49 | #define SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT 0x7 |
|---|
| 50 | #define SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT 0x8 |
|---|
| 51 | |
|---|
| 52 | |
|---|
| 53 | typedef struct sid_info |
|---|
| 54 | { |
|---|
| 55 | uint8 sid_rev_num; /**< SID revision number */ |
|---|
| 56 | uint8 num_auths; /**< Number of sub-authorities */ |
|---|
| 57 | uint8 id_auth[6]; /**< Identifier Authority */ |
|---|
| 58 | /* |
|---|
| 59 | * Pointer to sub-authorities. |
|---|
| 60 | * |
|---|
| 61 | * @note The values in these uint32's are in *native* byteorder, not |
|---|
| 62 | * neccessarily little-endian...... JRA. |
|---|
| 63 | */ |
|---|
| 64 | uint32 sub_auths[MAXSUBAUTHS]; |
|---|
| 65 | } DOM_SID; |
|---|
| 66 | |
|---|
| 67 | |
|---|
| 68 | typedef struct security_info_info |
|---|
| 69 | { |
|---|
| 70 | uint32 mask; |
|---|
| 71 | |
|---|
| 72 | } SEC_ACCESS; |
|---|
| 73 | |
|---|
| 74 | typedef struct security_ace_info |
|---|
| 75 | { |
|---|
| 76 | uint8 type; /* xxxx_xxxx_ACE_TYPE - e.g allowed / denied etc */ |
|---|
| 77 | uint8 flags; /* xxxx_INHERIT_xxxx - e.g OBJECT_INHERIT_ACE */ |
|---|
| 78 | uint16 size; |
|---|
| 79 | |
|---|
| 80 | SEC_ACCESS info; |
|---|
| 81 | |
|---|
| 82 | /* this stuff may be present when type is XXXX_TYPE_XXXX_OBJECT */ |
|---|
| 83 | uint32 obj_flags; /* xxxx_ACE_OBJECT_xxxx e.g present/inherited present etc */ |
|---|
| 84 | struct uuid obj_guid; /* object GUID */ |
|---|
| 85 | struct uuid inh_guid; /* inherited object GUID */ |
|---|
| 86 | /* eof object stuff */ |
|---|
| 87 | |
|---|
| 88 | DOM_SID trustee; |
|---|
| 89 | |
|---|
| 90 | } SEC_ACE; |
|---|
| 91 | |
|---|
| 92 | typedef struct security_acl_info |
|---|
| 93 | { |
|---|
| 94 | uint16 revision; /* 0x0003 */ |
|---|
| 95 | uint16 size; /* size in bytes of the entire ACL structure */ |
|---|
| 96 | uint32 num_aces; /* number of Access Control Entries */ |
|---|
| 97 | |
|---|
| 98 | SEC_ACE *ace; |
|---|
| 99 | |
|---|
| 100 | } SEC_ACL; |
|---|
| 101 | |
|---|
| 102 | typedef struct security_descriptor_info |
|---|
| 103 | { |
|---|
| 104 | uint16 revision; /* 0x0001 */ |
|---|
| 105 | uint16 type; /* SEC_DESC_xxxx flags */ |
|---|
| 106 | |
|---|
| 107 | uint32 off_owner_sid; /* offset to owner sid */ |
|---|
| 108 | uint32 off_grp_sid ; /* offset to group sid */ |
|---|
| 109 | uint32 off_sacl ; /* offset to system list of permissions */ |
|---|
| 110 | uint32 off_dacl ; /* offset to list of permissions */ |
|---|
| 111 | |
|---|
| 112 | SEC_ACL *dacl; /* user ACL */ |
|---|
| 113 | SEC_ACL *sacl; /* system ACL */ |
|---|
| 114 | DOM_SID *owner_sid; |
|---|
| 115 | DOM_SID *grp_sid; |
|---|
| 116 | |
|---|
| 117 | } SEC_DESC; |
|---|
| 118 | |
|---|
| 119 | |
|---|
| 120 | |
|---|
| 121 | bool smb_io_dom_sid(const char *desc, DOM_SID *sid, prs_struct *ps, int depth); |
|---|
| 122 | bool sec_io_access(const char *desc, SEC_ACCESS *t, prs_struct *ps, int depth); |
|---|
| 123 | bool sec_io_ace(const char *desc, SEC_ACE *psa, prs_struct *ps, int depth); |
|---|
| 124 | bool sec_io_acl(const char *desc, SEC_ACL **ppsa, prs_struct *ps, int depth); |
|---|
| 125 | bool sec_io_desc(const char *desc, SEC_DESC **ppsd, prs_struct *ps, int depth); |
|---|
| 126 | |
|---|
| 127 | size_t sid_size(const DOM_SID *sid); |
|---|
| 128 | int sid_compare_auth(const DOM_SID *sid1, const DOM_SID *sid2); |
|---|
| 129 | int sid_compare(const DOM_SID *sid1, const DOM_SID *sid2); |
|---|
| 130 | bool sec_ace_equal(SEC_ACE *s1, SEC_ACE *s2); |
|---|
| 131 | bool sec_acl_equal(SEC_ACL *s1, SEC_ACL *s2); |
|---|
| 132 | bool sec_desc_equal(SEC_DESC *s1, SEC_DESC *s2); |
|---|
| 133 | bool sid_equal(const DOM_SID *sid1, const DOM_SID *sid2); |
|---|
| 134 | bool sec_ace_object(uint8 type); |
|---|
