[169] | 1 | /* |
---|
[261] | 2 | * Copyright (C) 2005-2006,2009-2011 Timothy D. Morgan |
---|
[132] | 3 | * Copyright (C) 1992-2005 Samba development team |
---|
| 4 | * (see individual files under Subversion for details.) |
---|
| 5 | * |
---|
| 6 | * This program is free software; you can redistribute it and/or modify |
---|
| 7 | * it under the terms of the GNU General Public License as published by |
---|
| 8 | * the Free Software Foundation; version 3 of the License. |
---|
| 9 | * |
---|
| 10 | * This program is distributed in the hope that it will be useful, |
---|
| 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
| 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
| 13 | * GNU General Public License for more details. |
---|
| 14 | * |
---|
| 15 | * You should have received a copy of the GNU General Public License |
---|
| 16 | * along with this program; if not, write to the Free Software |
---|
| 17 | * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. |
---|
| 18 | * |
---|
[133] | 19 | * $Id: winsec.c 261 2011-06-17 00:55:49Z tim $ |
---|
[132] | 20 | */ |
---|
| 21 | |
---|
[169] | 22 | /** @file */ |
---|
| 23 | |
---|
[147] | 24 | #include "winsec.h" |
---|
[132] | 25 | |
---|
| 26 | |
---|
[147] | 27 | /****************************************************************************** |
---|
| 28 | * Non-talloc() interface for parsing a descriptor. |
---|
| 29 | ******************************************************************************/ |
---|
| 30 | WINSEC_DESC* winsec_parse_descriptor(const uint8_t* buf, uint32_t buf_len) |
---|
| 31 | { |
---|
| 32 | return winsec_parse_desc(NULL, buf, buf_len); |
---|
| 33 | } |
---|
[132] | 34 | |
---|
[147] | 35 | |
---|
[134] | 36 | /****************************************************************************** |
---|
[147] | 37 | * Free a descriptor. Not needed if using talloc and a parent context is freed. |
---|
| 38 | ******************************************************************************/ |
---|
| 39 | void winsec_free_descriptor(WINSEC_DESC* desc) |
---|
| 40 | { |
---|
| 41 | talloc_free(desc); |
---|
| 42 | } |
---|
| 43 | |
---|
| 44 | |
---|
| 45 | /****************************************************************************** |
---|
[134] | 46 | * Parses a WINSEC_DESC structure and substructures. |
---|
| 47 | ******************************************************************************/ |
---|
[147] | 48 | WINSEC_DESC* winsec_parse_desc(void* talloc_ctx, |
---|
| 49 | const uint8_t* buf, uint32_t buf_len) |
---|
[132] | 50 | { |
---|
[134] | 51 | WINSEC_DESC* ret_val; |
---|
[132] | 52 | |
---|
[134] | 53 | if (buf == NULL || buf_len < WINSEC_DESC_HEADER_SIZE) |
---|
| 54 | return NULL; |
---|
[148] | 55 | |
---|
[147] | 56 | if((ret_val = talloc(talloc_ctx, WINSEC_DESC)) == NULL) |
---|
| 57 | return NULL; |
---|
[133] | 58 | |
---|
[134] | 59 | ret_val->revision = buf[0]; |
---|
| 60 | ret_val->sbz1 = buf[1]; |
---|
| 61 | ret_val->control = SVAL(buf, 0x2); |
---|
[133] | 62 | |
---|
[257] | 63 | /* XXX: should probably reject any non-self relative */ |
---|
[134] | 64 | if(!(ret_val->control & WINSEC_DESC_SELF_RELATIVE)) |
---|
| 65 | fprintf(stderr, "DEBUG: NOT self-relative!\n"); |
---|
[132] | 66 | |
---|
[134] | 67 | ret_val->off_owner_sid = IVAL(buf, 0x4); |
---|
| 68 | ret_val->off_grp_sid = IVAL(buf, 0x8); |
---|
| 69 | ret_val->off_sacl = IVAL(buf, 0xC); |
---|
| 70 | ret_val->off_dacl = IVAL(buf, 0x10); |
---|
[133] | 71 | |
---|
[134] | 72 | /* A basic sanity check to ensure our offsets are within our buffer. |
---|
| 73 | * Additional length checking is done in secondary parsing functions. |
---|
| 74 | */ |
---|
| 75 | if((ret_val->off_owner_sid >= buf_len) |
---|
| 76 | || (ret_val->off_grp_sid >= buf_len) |
---|
| 77 | || (ret_val->off_sacl >= buf_len) |
---|
| 78 | || (ret_val->off_dacl >= buf_len)) |
---|
[133] | 79 | { |
---|
[147] | 80 | talloc_free(ret_val); |
---|
[134] | 81 | return NULL; |
---|
[133] | 82 | } |
---|
[132] | 83 | |
---|
[148] | 84 | if(ret_val->off_owner_sid == 0) |
---|
| 85 | ret_val->owner_sid = NULL; |
---|
| 86 | else |
---|
[133] | 87 | { |
---|
[147] | 88 | ret_val->owner_sid = winsec_parse_dom_sid(ret_val, |
---|
| 89 | buf + ret_val->off_owner_sid, |
---|
[134] | 90 | buf_len - ret_val->off_owner_sid); |
---|
| 91 | if(ret_val->owner_sid == NULL) |
---|
[133] | 92 | { |
---|
[147] | 93 | talloc_free(ret_val); |
---|
[134] | 94 | return NULL; |
---|
[133] | 95 | } |
---|
| 96 | } |
---|
[132] | 97 | |
---|
[148] | 98 | if(ret_val->off_grp_sid == 0) |
---|
| 99 | ret_val->grp_sid = NULL; |
---|
| 100 | else |
---|
[133] | 101 | { |
---|
[147] | 102 | ret_val->grp_sid = winsec_parse_dom_sid(ret_val, buf + ret_val->off_grp_sid, |
---|
[134] | 103 | buf_len - ret_val->off_grp_sid); |
---|
| 104 | if(ret_val->grp_sid == NULL) |
---|
[133] | 105 | { |
---|
[147] | 106 | talloc_free(ret_val); |
---|
[134] | 107 | return NULL; |
---|
[133] | 108 | } |
---|
| 109 | } |
---|
[132] | 110 | |
---|
[148] | 111 | if((ret_val->control & WINSEC_DESC_SACL_PRESENT) && ret_val->off_sacl) |
---|
[133] | 112 | { |
---|
[147] | 113 | ret_val->sacl = winsec_parse_acl(ret_val, buf + ret_val->off_sacl, |
---|
[134] | 114 | buf_len - ret_val->off_sacl); |
---|
| 115 | if(ret_val->sacl == NULL) |
---|
[133] | 116 | { |
---|
[147] | 117 | talloc_free(ret_val); |
---|
[134] | 118 | return NULL; |
---|
[133] | 119 | } |
---|
| 120 | } |
---|
[148] | 121 | else |
---|
| 122 | ret_val->sacl = NULL; |
---|
[132] | 123 | |
---|
[148] | 124 | if((ret_val->control & WINSEC_DESC_DACL_PRESENT) && ret_val->off_dacl != 0) |
---|
[133] | 125 | { |
---|
[147] | 126 | ret_val->dacl = winsec_parse_acl(ret_val, buf + ret_val->off_dacl, |
---|
[134] | 127 | buf_len - ret_val->off_dacl); |
---|
| 128 | if(ret_val->dacl == NULL) |
---|
[133] | 129 | { |
---|
[147] | 130 | talloc_free(ret_val); |
---|
[134] | 131 | return NULL; |
---|
[133] | 132 | } |
---|
| 133 | } |
---|
[148] | 134 | else |
---|
| 135 | ret_val->dacl = NULL; |
---|
[132] | 136 | |
---|
[134] | 137 | return ret_val; |
---|
[132] | 138 | } |
---|
| 139 | |
---|
| 140 | |
---|
[134] | 141 | /****************************************************************************** |
---|
| 142 | * Parses a WINSEC_ACL structure and all substructures. |
---|
| 143 | ******************************************************************************/ |
---|
[147] | 144 | WINSEC_ACL* winsec_parse_acl(void* talloc_ctx, |
---|
| 145 | const uint8_t* buf, uint32_t buf_len) |
---|
[132] | 146 | { |
---|
[134] | 147 | uint32_t i, offset; |
---|
| 148 | WINSEC_ACL* ret_val; |
---|
[132] | 149 | |
---|
[134] | 150 | /* |
---|
| 151 | * Note that the size is always a multiple of 4 bytes due to the |
---|
| 152 | * nature of the data structure. |
---|
| 153 | */ |
---|
| 154 | if (buf == NULL || buf_len < 8) |
---|
| 155 | return NULL; |
---|
[148] | 156 | |
---|
[147] | 157 | if((ret_val = talloc(talloc_ctx, WINSEC_ACL)) == NULL) |
---|
| 158 | return NULL; |
---|
[134] | 159 | |
---|
| 160 | ret_val->revision = SVAL(buf, 0x0); |
---|
| 161 | ret_val->size = SVAL(buf, 0x2); |
---|
| 162 | ret_val->num_aces = IVAL(buf, 0x4); |
---|
[132] | 163 | |
---|
[134] | 164 | /* The num_aces can be at most around 4k because anything greater |
---|
| 165 | * wouldn't fit in the 16 bit size even if every ace was as small as |
---|
| 166 | * possible. |
---|
| 167 | */ |
---|
| 168 | if((ret_val->size > buf_len) || (ret_val->num_aces > 4095)) |
---|
| 169 | { |
---|
[147] | 170 | talloc_free(ret_val); |
---|
[134] | 171 | return NULL; |
---|
| 172 | } |
---|
[132] | 173 | |
---|
[134] | 174 | /* Even if the num_aces is zero, allocate memory as there's a difference |
---|
| 175 | * between a non-present DACL (allow all access) and a DACL with no ACE's |
---|
| 176 | * (allow no access). |
---|
| 177 | */ |
---|
[147] | 178 | if((ret_val->aces = talloc_array(ret_val, WINSEC_ACE*, |
---|
| 179 | ret_val->num_aces+1)) == NULL) |
---|
[133] | 180 | { |
---|
[147] | 181 | talloc_free(ret_val); |
---|
[134] | 182 | return NULL; |
---|
[133] | 183 | } |
---|
[132] | 184 | |
---|
[134] | 185 | offset = 8; |
---|
| 186 | for(i=0; i < ret_val->num_aces; i++) |
---|
| 187 | { |
---|
[147] | 188 | ret_val->aces[i] = winsec_parse_ace(ret_val->aces, |
---|
| 189 | buf+offset, buf_len-offset); |
---|
[134] | 190 | if(ret_val->aces[i] == NULL) |
---|
| 191 | { |
---|
[147] | 192 | talloc_free(ret_val); |
---|
[134] | 193 | return NULL; |
---|
| 194 | } |
---|
[132] | 195 | |
---|
[134] | 196 | offset += ret_val->aces[i]->size; |
---|
| 197 | if(offset > buf_len) |
---|
| 198 | { |
---|
[147] | 199 | talloc_free(ret_val); |
---|
[134] | 200 | return NULL; |
---|
| 201 | } |
---|
| 202 | } |
---|
[148] | 203 | ret_val->aces[ret_val->num_aces] = NULL; |
---|
[132] | 204 | |
---|
[134] | 205 | return ret_val; |
---|
[132] | 206 | } |
---|
| 207 | |
---|
| 208 | |
---|
[134] | 209 | /****************************************************************************** |
---|
| 210 | * Parses a WINSEC_ACE structure and all substructures. |
---|
| 211 | ******************************************************************************/ |
---|
[147] | 212 | WINSEC_ACE* winsec_parse_ace(void* talloc_ctx, |
---|
| 213 | const uint8_t* buf, uint32_t buf_len) |
---|
[132] | 214 | { |
---|
[134] | 215 | uint32_t offset; |
---|
| 216 | WINSEC_ACE* ret_val; |
---|
[132] | 217 | |
---|
[134] | 218 | if(buf == NULL || buf_len < WINSEC_ACE_MIN_SIZE) |
---|
| 219 | return NULL; |
---|
[132] | 220 | |
---|
[147] | 221 | if((ret_val = talloc(talloc_ctx, WINSEC_ACE)) == NULL) |
---|
[134] | 222 | return NULL; |
---|
[132] | 223 | |
---|
[134] | 224 | ret_val->type = buf[0]; |
---|
| 225 | ret_val->flags = buf[1]; |
---|
| 226 | ret_val->size = SVAL(buf, 0x2); |
---|
| 227 | ret_val->access_mask = IVAL(buf, 0x4); |
---|
[253] | 228 | ret_val->obj_guid = NULL; |
---|
| 229 | ret_val->inh_guid = NULL; |
---|
| 230 | |
---|
[134] | 231 | offset = 0x8; |
---|
[132] | 232 | |
---|
| 233 | /* check whether object access is present */ |
---|
[134] | 234 | if (winsec_ace_object(ret_val->type)) |
---|
[132] | 235 | { |
---|
[134] | 236 | ret_val->obj_flags = IVAL(buf, offset); |
---|
| 237 | offset += 4; |
---|
[132] | 238 | |
---|
[134] | 239 | if(ret_val->obj_flags & WINSEC_ACE_OBJECT_PRESENT) |
---|
| 240 | { |
---|
[147] | 241 | ret_val->obj_guid = winsec_parse_uuid(ret_val, |
---|
| 242 | buf+offset, buf_len-offset); |
---|
[134] | 243 | if(ret_val->obj_guid == NULL) |
---|
| 244 | { |
---|
[147] | 245 | talloc_free(ret_val); |
---|
[134] | 246 | return NULL; |
---|
| 247 | } |
---|
| 248 | offset += sizeof(WINSEC_UUID); |
---|
| 249 | } |
---|
[132] | 250 | |
---|
[134] | 251 | if(ret_val->obj_flags & WINSEC_ACE_OBJECT_INHERITED_PRESENT) |
---|
| 252 | { |
---|
[147] | 253 | ret_val->inh_guid = winsec_parse_uuid(ret_val, |
---|
| 254 | buf+offset, buf_len-offset); |
---|
[134] | 255 | if(ret_val->inh_guid == NULL) |
---|
| 256 | { |
---|
[147] | 257 | talloc_free(ret_val); |
---|
[134] | 258 | return NULL; |
---|
| 259 | } |
---|
| 260 | offset += sizeof(WINSEC_UUID); |
---|
| 261 | } |
---|
| 262 | } |
---|
[132] | 263 | |
---|
[147] | 264 | ret_val->trustee = winsec_parse_dom_sid(ret_val, buf+offset, buf_len-offset); |
---|
[134] | 265 | if(ret_val->trustee == NULL) |
---|
| 266 | { |
---|
[147] | 267 | talloc_free(ret_val); |
---|
| 268 | return NULL; |
---|
[132] | 269 | } |
---|
[134] | 270 | |
---|
| 271 | return ret_val; |
---|
[132] | 272 | } |
---|
| 273 | |
---|
| 274 | |
---|
[134] | 275 | /****************************************************************************** |
---|
| 276 | * Parses a WINSEC_DOM_SID structure. |
---|
| 277 | ******************************************************************************/ |
---|
[147] | 278 | WINSEC_DOM_SID* winsec_parse_dom_sid(void* talloc_ctx, |
---|
| 279 | const uint8_t* buf, uint32_t buf_len) |
---|
[132] | 280 | { |
---|
[134] | 281 | uint32_t i; |
---|
| 282 | WINSEC_DOM_SID* ret_val; |
---|
[132] | 283 | |
---|
[134] | 284 | if(buf == NULL || buf_len < 8) |
---|
| 285 | return NULL; |
---|
[132] | 286 | |
---|
[147] | 287 | /* if((ret_val = (WINSEC_DOM_SID*)zalloc(sizeof(WINSEC_DOM_SID))) == NULL)*/ |
---|
| 288 | if((ret_val = talloc(talloc_ctx, WINSEC_DOM_SID)) == NULL) |
---|
[134] | 289 | return NULL; |
---|
[132] | 290 | |
---|
[134] | 291 | ret_val->sid_rev_num = buf[0]; |
---|
| 292 | ret_val->num_auths = buf[1]; |
---|
| 293 | memcpy(ret_val->id_auth, buf+2, 6); |
---|
[132] | 294 | |
---|
[134] | 295 | /* XXX: should really issue a warning here... */ |
---|
| 296 | if (ret_val->num_auths > WINSEC_MAX_SUBAUTHS) |
---|
| 297 | ret_val->num_auths = WINSEC_MAX_SUBAUTHS; |
---|
| 298 | |
---|
| 299 | if(buf_len < ret_val->num_auths*sizeof(uint32_t)+8) |
---|
[132] | 300 | { |
---|
[147] | 301 | talloc_free(ret_val); |
---|
[134] | 302 | return NULL; |
---|
[132] | 303 | } |
---|
[134] | 304 | |
---|
| 305 | for(i=0; i < ret_val->num_auths; i++) |
---|
| 306 | ret_val->sub_auths[i] = IVAL(buf, 8+i*sizeof(uint32_t)); |
---|
[132] | 307 | |
---|
[134] | 308 | return ret_val; |
---|
| 309 | } |
---|
[132] | 310 | |
---|
| 311 | |
---|
[134] | 312 | /****************************************************************************** |
---|
| 313 | * Parses a WINSEC_UUID struct. |
---|
| 314 | ******************************************************************************/ |
---|
[147] | 315 | WINSEC_UUID* winsec_parse_uuid(void* talloc_ctx, |
---|
| 316 | const uint8_t* buf, uint32_t buf_len) |
---|
[134] | 317 | { |
---|
| 318 | WINSEC_UUID* ret_val; |
---|
| 319 | |
---|
| 320 | if(buf == NULL || buf_len < sizeof(WINSEC_UUID)) |
---|
[133] | 321 | return false; |
---|
[132] | 322 | |
---|
[147] | 323 | if((ret_val = talloc(talloc_ctx, WINSEC_UUID)) == NULL) |
---|
[134] | 324 | return NULL; |
---|
| 325 | |
---|
| 326 | ret_val->time_low = IVAL(buf, 0x0); |
---|
| 327 | ret_val->time_mid = SVAL(buf, 0x4); |
---|
| 328 | ret_val->time_hi_and_version = SVAL(buf, 0x6); |
---|
| 329 | |
---|
| 330 | memcpy(ret_val->clock_seq, buf+0x8, 2); |
---|
| 331 | memcpy(ret_val->node, buf+0xB, 6); |
---|
[132] | 332 | |
---|
[134] | 333 | return ret_val; |
---|
[132] | 334 | } |
---|
| 335 | |
---|
| 336 | |
---|
[134] | 337 | /****************************************************************************** |
---|
| 338 | * Calculates the size of a SID. |
---|
| 339 | ******************************************************************************/ |
---|
| 340 | size_t winsec_sid_size(const WINSEC_DOM_SID* sid) |
---|
[132] | 341 | { |
---|
[133] | 342 | if (sid == NULL) |
---|
| 343 | return 0; |
---|
[132] | 344 | |
---|
[134] | 345 | return sid->num_auths * sizeof(uint32_t) + 8; |
---|
[133] | 346 | } |
---|
[132] | 347 | |
---|
| 348 | |
---|
[134] | 349 | /****************************************************************************** |
---|
| 350 | * Compare the auth portion of two SIDs. |
---|
| 351 | ******************************************************************************/ |
---|
| 352 | int winsec_sid_compare_auth(const WINSEC_DOM_SID* sid1, const WINSEC_DOM_SID* sid2) |
---|
[133] | 353 | { |
---|
| 354 | int i; |
---|
[132] | 355 | |
---|
[133] | 356 | if (sid1 == sid2) |
---|
| 357 | return 0; |
---|
| 358 | if (!sid1) |
---|
| 359 | return -1; |
---|
| 360 | if (!sid2) |
---|
| 361 | return 1; |
---|
[132] | 362 | |
---|
[133] | 363 | if (sid1->sid_rev_num != sid2->sid_rev_num) |
---|
| 364 | return sid1->sid_rev_num - sid2->sid_rev_num; |
---|
[132] | 365 | |
---|
[133] | 366 | for (i = 0; i < 6; i++) |
---|
| 367 | if (sid1->id_auth[i] != sid2->id_auth[i]) |
---|
| 368 | return sid1->id_auth[i] - sid2->id_auth[i]; |
---|
[132] | 369 | |
---|
[133] | 370 | return 0; |
---|
| 371 | } |
---|
[132] | 372 | |
---|
| 373 | |
---|
[134] | 374 | /****************************************************************************** |
---|
| 375 | * Compare two SIDs. |
---|
| 376 | ******************************************************************************/ |
---|
| 377 | int winsec_sid_compare(const WINSEC_DOM_SID* sid1, const WINSEC_DOM_SID* sid2) |
---|
[133] | 378 | { |
---|
| 379 | int i; |
---|
[132] | 380 | |
---|
[133] | 381 | if (sid1 == sid2) |
---|
| 382 | return 0; |
---|
| 383 | if (!sid1) |
---|
| 384 | return -1; |
---|
| 385 | if (!sid2) |
---|
| 386 | return 1; |
---|
[132] | 387 | |
---|
[133] | 388 | /* Compare most likely different rids, first: i.e start at end */ |
---|
| 389 | if (sid1->num_auths != sid2->num_auths) |
---|
| 390 | return sid1->num_auths - sid2->num_auths; |
---|
[132] | 391 | |
---|
[133] | 392 | for (i = sid1->num_auths-1; i >= 0; --i) |
---|
| 393 | if (sid1->sub_auths[i] != sid2->sub_auths[i]) |
---|
| 394 | return sid1->sub_auths[i] - sid2->sub_auths[i]; |
---|
[132] | 395 | |
---|
[134] | 396 | return winsec_sid_compare_auth(sid1, sid2); |
---|
[133] | 397 | } |
---|
[132] | 398 | |
---|
| 399 | |
---|
[134] | 400 | /****************************************************************************** |
---|
| 401 | * Compare two SIDs. |
---|
| 402 | ******************************************************************************/ |
---|
| 403 | bool winsec_sid_equal(const WINSEC_DOM_SID* sid1, const WINSEC_DOM_SID* sid2) |
---|
[133] | 404 | { |
---|
[134] | 405 | return winsec_sid_compare(sid1, sid2) == 0; |
---|
[133] | 406 | } |
---|
[132] | 407 | |
---|
| 408 | |
---|
[134] | 409 | /****************************************************************************** |
---|
[253] | 410 | ******************************************************************************/ |
---|
| 411 | char* winsec_sid2str(const WINSEC_DOM_SID* sid) |
---|
| 412 | { |
---|
| 413 | uint32_t i, size = WINSEC_MAX_SUBAUTHS*11 + 24; |
---|
| 414 | uint32_t left = size; |
---|
| 415 | uint8_t comps = sid->num_auths; |
---|
| 416 | char* ret_val = malloc(size); |
---|
| 417 | |
---|
| 418 | if(ret_val == NULL) |
---|
| 419 | return NULL; |
---|
| 420 | |
---|
| 421 | if(comps > WINSEC_MAX_SUBAUTHS) |
---|
| 422 | comps = WINSEC_MAX_SUBAUTHS; |
---|
| 423 | |
---|
| 424 | left -= sprintf(ret_val, "S-%u-%u", sid->sid_rev_num, sid->id_auth[5]); |
---|
| 425 | |
---|
| 426 | for (i = 0; i < comps; i++) |
---|
| 427 | left -= snprintf(ret_val+(size-left), left, "-%u", sid->sub_auths[i]); |
---|
| 428 | |
---|
| 429 | return ret_val; |
---|
| 430 | } |
---|
| 431 | |
---|
| 432 | |
---|
| 433 | /****************************************************************************** |
---|
[134] | 434 | * Compares two WINSEC_DESC structures. |
---|
| 435 | ******************************************************************************/ |
---|
| 436 | bool winsec_desc_equal(WINSEC_DESC* s1, WINSEC_DESC* s2) |
---|
[133] | 437 | { |
---|
[134] | 438 | /* Trivial cases */ |
---|
| 439 | if (!s1 && !s2) |
---|
[133] | 440 | return true; |
---|
[134] | 441 | if (!s1 || !s2) |
---|
| 442 | return false; |
---|
[132] | 443 | |
---|
[134] | 444 | /* Check top level stuff */ |
---|
| 445 | if (s1->revision != s2->revision) |
---|
| 446 | return false; |
---|
[132] | 447 | |
---|
[134] | 448 | if (s1->control != s2->control) |
---|
[132] | 449 | return false; |
---|
| 450 | |
---|
[134] | 451 | /* Check owner and group */ |
---|
| 452 | if (!winsec_sid_equal(s1->owner_sid, s2->owner_sid)) |
---|
| 453 | return false; |
---|
| 454 | |
---|
| 455 | if (!winsec_sid_equal(s1->grp_sid, s2->grp_sid)) |
---|
| 456 | return false; |
---|
| 457 | |
---|
| 458 | /* Check ACLs present in one but not the other */ |
---|
| 459 | if ((s1->dacl && !s2->dacl) || (!s1->dacl && s2->dacl) || |
---|
| 460 | (s1->sacl && !s2->sacl) || (!s1->sacl && s2->sacl)) |
---|
[132] | 461 | { return false; } |
---|
| 462 | |
---|
[134] | 463 | /* Sigh - we have to do it the hard way by iterating over all |
---|
| 464 | the ACEs in the ACLs */ |
---|
| 465 | if(!winsec_acl_equal(s1->dacl, s2->dacl) || !winsec_acl_equal(s1->sacl, s2->sacl)) |
---|
[132] | 466 | return false; |
---|
| 467 | |
---|
| 468 | return true; |
---|
| 469 | } |
---|
| 470 | |
---|
| 471 | |
---|
[134] | 472 | |
---|
| 473 | /****************************************************************************** |
---|
| 474 | * Compares two WINSEC_ACL structures. |
---|
| 475 | ******************************************************************************/ |
---|
| 476 | bool winsec_acl_equal(WINSEC_ACL* s1, WINSEC_ACL* s2) |
---|
[132] | 477 | { |
---|
| 478 | unsigned int i, j; |
---|
| 479 | |
---|
| 480 | /* Trivial cases */ |
---|
| 481 | if (!s1 && !s2) |
---|
| 482 | return true; |
---|
| 483 | if (!s1 || !s2) |
---|
| 484 | return false; |
---|
| 485 | |
---|
| 486 | /* Check top level stuff */ |
---|
| 487 | if (s1->revision != s2->revision) |
---|
| 488 | return false; |
---|
| 489 | |
---|
| 490 | if (s1->num_aces != s2->num_aces) |
---|
| 491 | return false; |
---|
| 492 | |
---|
| 493 | /* The ACEs could be in any order so check each ACE in s1 against |
---|
| 494 | each ACE in s2. */ |
---|
| 495 | |
---|
[134] | 496 | for (i = 0; i < s1->num_aces; i++) |
---|
[132] | 497 | { |
---|
| 498 | bool found = false; |
---|
| 499 | |
---|
| 500 | for (j = 0; j < s2->num_aces; j++) |
---|
| 501 | { |
---|
[134] | 502 | if (winsec_ace_equal(s1->aces[i], s2->aces[j])) |
---|
[132] | 503 | { |
---|
| 504 | found = true; |
---|
| 505 | break; |
---|
| 506 | } |
---|
| 507 | } |
---|
| 508 | |
---|
| 509 | if (!found) |
---|
| 510 | return false; |
---|
| 511 | } |
---|
| 512 | |
---|
| 513 | return true; |
---|
| 514 | } |
---|
| 515 | |
---|
| 516 | |
---|
[134] | 517 | /****************************************************************************** |
---|
| 518 | * Compares two WINSEC_ACE structures. |
---|
| 519 | ******************************************************************************/ |
---|
| 520 | bool winsec_ace_equal(WINSEC_ACE* s1, WINSEC_ACE* s2) |
---|
[132] | 521 | { |
---|
| 522 | /* Trivial cases */ |
---|
[134] | 523 | if (!s1 && !s2) |
---|
[132] | 524 | return true; |
---|
[134] | 525 | if (!s1 || !s2) |
---|
[132] | 526 | return false; |
---|
| 527 | |
---|
| 528 | /* Check top level stuff */ |
---|
[134] | 529 | if (s1->type != s2->type || s1->flags != s2->flags || |
---|
| 530 | s1->access_mask != s2->access_mask) |
---|
| 531 | { return false; } |
---|
[132] | 532 | |
---|
[134] | 533 | /* Check SID */ |
---|
| 534 | if (!winsec_sid_equal(s1->trustee, s2->trustee)) |
---|
[132] | 535 | return false; |
---|
| 536 | |
---|
[134] | 537 | return true; |
---|
| 538 | } |
---|
[132] | 539 | |
---|
| 540 | |
---|
[134] | 541 | /****************************************************************************** |
---|
| 542 | * Check if ACE has OBJECT type. |
---|
| 543 | ******************************************************************************/ |
---|
| 544 | bool winsec_ace_object(uint8_t type) |
---|
| 545 | { |
---|
| 546 | if (type == WINSEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT || |
---|
| 547 | type == WINSEC_ACE_TYPE_ACCESS_DENIED_OBJECT || |
---|
| 548 | type == WINSEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT || |
---|
| 549 | type == WINSEC_ACE_TYPE_SYSTEM_ALARM_OBJECT) |
---|
| 550 | { return true; } |
---|
[132] | 551 | |
---|
[134] | 552 | return false; |
---|
[132] | 553 | } |
---|