authorAndrew Bartlett <abartlet@samba.org>2011-05-30 13:23:56 +1000
committerAndrew Bartlett <abartlet@samba.org>2011-05-31 00:32:07 +0200
commit381423b1bdba4c7d1931b162d872134c42e432cf (patch)
tree4105e5635e42347c8065fd6f13d98f06d6e1e043
parente5dd03d1991f125fa3cfddac9a41d2f9e6391c42 (diff)
downloadsamba-381423b1bdba4c7d1931b162d872134c42e432cf.tar.gz
libcli/security: move secdesc.c to the top level libcli/security
This code does not rely on lp_ or other source3-only functions, so it can be part of the common library. Andrew Bartlett
-rw-r--r--libcli/security/secdesc.c (renamed from source3/lib/secdesc.c)93
-rw-r--r--libcli/security/secdesc.h102
-rw-r--r--libcli/security/security.h1
-rw-r--r--libcli/security/wscript_build2
-rw-r--r--source3/Makefile.in2
-rw-r--r--source3/include/proto.h41
-rw-r--r--source3/libsmb/clisecdesc.c1
-rw-r--r--source3/registry/reg_backend_db.c1
-rw-r--r--source3/registry/regfio.c1
-rw-r--r--source3/rpc_server/winreg/srv_winreg_nt.c1
-rwxr-xr-xsource3/wscript_build1
11 files changed, 159 insertions, 87 deletions
diff --git a/source3/lib/secdesc.c b/libcli/security/secdesc.c
index 001eccb5763..5d75f073f44 100644
--- a/source3/lib/secdesc.c
+++ b/libcli/security/secdesc.c
@@ -1,28 +1,28 @@
-/*
+/*
* Unix SMB/Netbios implementation.
* SEC_DESC handling functions
* Copyright (C) Andrew Tridgell 1992-1998,
* Copyright (C) Jeremy R. Allison 1995-2003.
* Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
* Copyright (C) Paul Ashton 1997-1998.
- *
+ *
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
- *
+ *
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
- *
+ *
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
-#include "../librpc/gen_ndr/ndr_security.h"
-#include "../libcli/security/security.h"
+#include "librpc/gen_ndr/ndr_security.h"
+#include "libcli/security/security.h"
#define ALL_SECURITY_INFORMATION (SECINFO_OWNER|SECINFO_GROUP|\
SECINFO_DACL|SECINFO_SACL|\
@@ -68,7 +68,7 @@ uint32_t get_sec_info(const struct security_descriptor *sd)
/*******************************************************************
- Merge part of security descriptor old_sec in to the empty sections of
+ Merge part of security descriptor old_sec in to the empty sections of
security descriptor new_sec.
********************************************************************/
@@ -78,7 +78,7 @@ struct sec_desc_buf *sec_desc_merge_buf(TALLOC_CTX *ctx, struct sec_desc_buf *ne
struct sec_desc_buf *return_sdb;
struct security_acl *dacl, *sacl;
struct security_descriptor *psd = NULL;
- uint16 secdesc_type;
+ uint16_t secdesc_type;
size_t secdesc_size;
/* Copy over owner and group sids. There seems to be no flag for
@@ -89,11 +89,11 @@ struct sec_desc_buf *sec_desc_merge_buf(TALLOC_CTX *ctx, struct sec_desc_buf *ne
group_sid = new_sdb->sd->group_sid ? new_sdb->sd->group_sid :
old_sdb->sd->group_sid;
-
+
secdesc_type = new_sdb->sd->type;
/* Ignore changes to the system ACL. This has the effect of making
- changes through the security tab audit button not sticking.
+ changes through the security tab audit button not sticking.
Perhaps in future Samba could implement these settings somehow. */
sacl = NULL;
@@ -122,7 +122,7 @@ struct security_descriptor *sec_desc_merge(TALLOC_CTX *ctx, struct security_desc
struct dom_sid *owner_sid, *group_sid;
struct security_acl *dacl, *sacl;
struct security_descriptor *psd = NULL;
- uint16 secdesc_type;
+ uint16_t secdesc_type;
size_t secdesc_size;
/* Copy over owner and group sids. There seems to be no flag for
@@ -162,20 +162,20 @@ struct security_descriptor *sec_desc_merge(TALLOC_CTX *ctx, struct security_desc
Creates a struct security_descriptor structure
********************************************************************/
-#define SEC_DESC_HEADER_SIZE (2 * sizeof(uint16) + 4 * sizeof(uint32))
+#define SEC_DESC_HEADER_SIZE (2 * sizeof(uint16_t) + 4 * sizeof(uint32_t))
struct security_descriptor *make_sec_desc(TALLOC_CTX *ctx,
enum security_descriptor_revision revision,
- uint16 type,
+ uint16_t type,
const struct dom_sid *owner_sid, const struct dom_sid *grp_sid,
struct security_acl *sacl, struct security_acl *dacl, size_t *sd_size)
{
struct security_descriptor *dst;
- uint32 offset = 0;
+ uint32_t offset = 0;
*sd_size = 0;
- if(( dst = TALLOC_ZERO_P(ctx, struct security_descriptor)) == NULL)
+ if(( dst = talloc_zero(ctx, struct security_descriptor)) == NULL)
return NULL;
dst->revision = revision;
@@ -254,7 +254,7 @@ struct security_descriptor *dup_sec_desc(TALLOC_CTX *ctx, const struct security_
********************************************************************/
NTSTATUS marshall_sec_desc(TALLOC_CTX *mem_ctx,
struct security_descriptor *secdesc,
- uint8 **data, size_t *len)
+ uint8_t **data, size_t *len)
{
DATA_BLOB blob;
enum ndr_err_code ndr_err;
@@ -303,7 +303,7 @@ NTSTATUS marshall_sec_desc_buf(TALLOC_CTX *mem_ctx,
/*******************************************************************
Parse a byte stream into a secdesc
********************************************************************/
-NTSTATUS unmarshall_sec_desc(TALLOC_CTX *mem_ctx, uint8 *data, size_t len,
+NTSTATUS unmarshall_sec_desc(TALLOC_CTX *mem_ctx, uint8_t *data, size_t len,
struct security_descriptor **psecdesc)
{
DATA_BLOB blob;
@@ -314,7 +314,7 @@ NTSTATUS unmarshall_sec_desc(TALLOC_CTX *mem_ctx, uint8 *data, size_t len,
return NT_STATUS_INVALID_PARAMETER;
}
- result = TALLOC_ZERO_P(mem_ctx, struct security_descriptor);
+ result = talloc_zero(mem_ctx, struct security_descriptor);
if (result == NULL) {
return NT_STATUS_NO_MEMORY;
}
@@ -350,7 +350,7 @@ NTSTATUS unmarshall_sec_desc_buf(TALLOC_CTX *mem_ctx, uint8_t *data, size_t len,
return NT_STATUS_INVALID_PARAMETER;
}
- result = TALLOC_ZERO_P(mem_ctx, struct sec_desc_buf);
+ result = talloc_zero(mem_ctx, struct sec_desc_buf);
if (result == NULL) {
return NT_STATUS_NO_MEMORY;
}
@@ -391,12 +391,12 @@ struct sec_desc_buf *make_sec_desc_buf(TALLOC_CTX *ctx, size_t len, struct secur
{
struct sec_desc_buf *dst;
- if((dst = TALLOC_ZERO_P(ctx, struct sec_desc_buf)) == NULL)
+ if((dst = talloc_zero(ctx, struct sec_desc_buf)) == NULL)
return NULL;
/* max buffer size (allocated size) */
- dst->sd_size = (uint32)len;
-
+ dst->sd_size = (uint32_t)len;
+
if(sec_desc && ((dst->sd = dup_sec_desc(ctx, sec_desc)) == NULL)) {
return NULL;
}
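Review bot: The cast in `dst->sd_size = (uint32_t)len;` silently truncates any `len` above UINT32_MAX, so the recorded size can disagree with the descriptor it describes. Rejecting that case before the assignment, e.g. `if (len > UINT32_MAX) { talloc_free(dst); return NULL; }`, keeps the two consistent. The failure branch after `dup_sec_desc()` also returns NULL without `talloc_free(dst)`, which leaves the half-built buffer attached to `ctx` until the caller frees that context. make_sec_desc_buf continues past the end of this hunk.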
@@ -420,7 +420,7 @@ struct sec_desc_buf *dup_sec_desc_buf(TALLOC_CTX *ctx, struct sec_desc_buf *src)
Add a new SID with its permissions to struct security_descriptor.
********************************************************************/
-NTSTATUS sec_desc_add_sid(TALLOC_CTX *ctx, struct security_descriptor **psd, const struct dom_sid *sid, uint32 mask, size_t *sd_size)
+NTSTATUS sec_desc_add_sid(TALLOC_CTX *ctx, struct security_descriptor **psd, const struct dom_sid *sid, uint32_t mask, size_t *sd_size)
{
struct security_descriptor *sd = 0;
struct security_acl *dacl = 0;
@@ -433,14 +433,14 @@ NTSTATUS sec_desc_add_sid(TALLOC_CTX *ctx, struct security_descriptor **psd, con
*sd_size = 0;
status = sec_ace_add_sid(ctx, &ace, psd[0]->dacl->aces, &psd[0]->dacl->num_aces, sid, mask);
-
+
if (!NT_STATUS_IS_OK(status))
return status;
if (!(dacl = make_sec_acl(ctx, psd[0]->dacl->revision, psd[0]->dacl->num_aces, ace)))
return NT_STATUS_UNSUCCESSFUL;
-
- if (!(sd = make_sec_desc(ctx, psd[0]->revision, psd[0]->type, psd[0]->owner_sid,
+
+ if (!(sd = make_sec_desc(ctx, psd[0]->revision, psd[0]->type, psd[0]->owner_sid,
psd[0]->group_sid, psd[0]->sacl, dacl, sd_size)))
return NT_STATUS_UNSUCCESSFUL;
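Review bot: `psd[0]->dacl->aces` and `psd[0]->dacl->num_aces` are dereferenced here with no visible check that the descriptor actually carries a DACL. The parameter guard sits above this hunk, so confirm that it covers `psd[0]` and `psd[0]->dacl`; if it does not, add `if (psd[0] == NULL || psd[0]->dacl == NULL) return NT_STATUS_INVALID_PARAMETER;` before the `sec_ace_add_sid()` call. The sec_desc_del_sid hunks further down use the same pattern before `sec_ace_del_sid()` and would need the same check.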
@@ -453,7 +453,7 @@ NTSTATUS sec_desc_add_sid(TALLOC_CTX *ctx, struct security_descriptor **psd, con
Modify a SID's permissions in a struct security_descriptor.
********************************************************************/
-NTSTATUS sec_desc_mod_sid(struct security_descriptor *sd, struct dom_sid *sid, uint32 mask)
+NTSTATUS sec_desc_mod_sid(struct security_descriptor *sd, struct dom_sid *sid, uint32_t mask)
{
NTSTATUS status;
@@ -464,7 +464,7 @@ NTSTATUS sec_desc_mod_sid(struct security_descriptor *sd, struct dom_sid *sid, u
if (!NT_STATUS_IS_OK(status))
return status;
-
+
return NT_STATUS_OK;
}
@@ -483,7 +483,7 @@ NTSTATUS sec_desc_del_sid(TALLOC_CTX *ctx, struct security_descriptor **psd, str
return NT_STATUS_INVALID_PARAMETER;
*sd_size = 0;
-
+
status = sec_ace_del_sid(ctx, &ace, psd[0]->dacl->aces, &psd[0]->dacl->num_aces, sid);
if (!NT_STATUS_IS_OK(status))
@@ -491,8 +491,8 @@ NTSTATUS sec_desc_del_sid(TALLOC_CTX *ctx, struct security_descriptor **psd, str
if (!(dacl = make_sec_acl(ctx, psd[0]->dacl->revision, psd[0]->dacl->num_aces, ace)))
return NT_STATUS_UNSUCCESSFUL;
-
- if (!(sd = make_sec_desc(ctx, psd[0]->revision, psd[0]->type, psd[0]->owner_sid,
+
+ if (!(sd = make_sec_desc(ctx, psd[0]->revision, psd[0]->type, psd[0]->owner_sid,
psd[0]->group_sid, psd[0]->sacl, dacl, sd_size)))
return NT_STATUS_UNSUCCESSFUL;
@@ -560,6 +560,8 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
struct security_ace *new_ace_list = NULL;
unsigned int new_ace_list_ndx = 0, i;
+ TALLOC_CTX *frame;
+
*ppsd = NULL;
*psize = 0;
@@ -574,20 +576,22 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
return NT_STATUS_NO_MEMORY;
}
- if (!(new_ace_list = TALLOC_ARRAY(ctx, struct security_ace,
- 2*the_acl->num_aces))) {
+ if (!(new_ace_list = talloc_array(ctx, struct security_ace,
+ 2*the_acl->num_aces))) {
return NT_STATUS_NO_MEMORY;
}
} else {
new_ace_list = NULL;
}
+ frame = talloc_stackframe();
+
for (i = 0; i < the_acl->num_aces; i++) {
const struct security_ace *ace = &the_acl->aces[i];
struct security_ace *new_ace = &new_ace_list[new_ace_list_ndx];
const struct dom_sid *ptrustee = &ace->trustee;
const struct dom_sid *creator = NULL;
- uint8 new_flags = ace->flags;
+ uint8_t new_flags = ace->flags;
if (!is_inheritable_ace(ace, container)) {
continue;
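Review bot: `2*the_acl->num_aces` is multiplied out before `talloc_array()` can apply any size check of its own, so if `num_aces` is a 32-bit unsigned count (its declaration is not visible here) a value above UINT32_MAX/2 wraps and the array comes out smaller than the loop assumes. Judging by the two `new_ace_list_ndx++` sites in the later hunks, the loop can append up to two entries per inheritable ACE. A guard before the allocation, such as `if (the_acl->num_aces > UINT32_MAX / 2) return NT_STATUS_INVALID_PARAMETER;`, would make the bound explicit rather than relying on whatever limit the parser or caller enforces. The function starts and ends outside this hunk, so any return path added inside the loop later would also need `talloc_free(frame)`.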
@@ -621,15 +625,15 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
/* First add the regular ACE entry. */
init_sec_ace(new_ace, ptrustee, ace->type,
- ace->access_mask, 0);
+ ace->access_mask, 0);
DEBUG(5,("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x"
- " inherited as %s:%d/0x%02x/0x%08x\n",
- sid_string_dbg(&ace->trustee),
- ace->type, ace->flags, ace->access_mask,
- sid_string_dbg(&new_ace->trustee),
- new_ace->type, new_ace->flags,
- new_ace->access_mask));
+ " inherited as %s:%d/0x%02x/0x%08x\n",
+ dom_sid_string(frame, &ace->trustee),
+ ace->type, ace->flags, ace->access_mask,
+ dom_sid_string(frame, &new_ace->trustee),
+ new_ace->type, new_ace->flags,
+ new_ace->access_mask));
new_ace_list_ndx++;
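Review bot: `dom_sid_string(frame, ...)` returns a talloc'd string and can therefore be NULL when the allocation fails, yet this DEBUG call passes the result straight to `%s`, which is undefined behaviour for a NULL pointer. The second DEBUG call in the later hunk has the same issue. A short comment such as `/* dom_sid_string() may return NULL on OOM; DEBUG output is best-effort */` would record the assumption. Alternatively, the SIDs could be formatted into fixed-size stack buffers, which would avoid both the NULL case and the extra stack frame.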
@@ -638,6 +642,7 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
ptrustee = creator;
new_flags |= SEC_ACE_FLAG_INHERIT_ONLY;
+
} else if (container &&
!(ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT)) {
ptrustee = &ace->trustee;
@@ -648,15 +653,17 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
DEBUG(5, ("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x "
" inherited as %s:%d/0x%02x/0x%08x\n",
- sid_string_dbg(&ace->trustee),
+ dom_sid_string(frame, &ace->trustee),
ace->type, ace->flags, ace->access_mask,
- sid_string_dbg(&ace->trustee),
+ dom_sid_string(frame, &ace->trustee),
new_ace->type, new_ace->flags,
new_ace->access_mask));
new_ace_list_ndx++;
}
+ talloc_free(frame);
+
/* Create child security descriptor to return */
if (new_ace_list_ndx) {
new_dacl = make_sec_acl(ctx,
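Review bot: The "inherited as" side of this DEBUG message prints `&ace->trustee` again, so the log shows the parent trustee even when `ptrustee` was switched to the creator SID earlier in the loop. The first DEBUG call in this function logs `&new_ace->trustee` for that position. Assuming the `init_sec_ace()` call for this entry (outside the hunk) has already filled `new_ace`, the fifth argument should read `dom_sid_string(frame, &new_ace->trustee),` so that debug output of ACL inheritance reflects what was actually written.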
diff --git a/libcli/security/secdesc.h b/libcli/security/secdesc.h
new file mode 100644
index 00000000000..eae8100fc64
--- /dev/null
+++ b/libcli/security/secdesc.h
@@ -0,0 +1,102 @@
+#ifndef _SECDESC_H_
+#define _SECDESC_H_
+
+/* The following definitions come from libcli/security/secdesc.c */
+#include "librpc/gen_ndr/security.h"
+
+/*******************************************************************
+ Given a security_descriptor return the sec_info.
+********************************************************************/
+uint32_t get_sec_info(const struct security_descriptor *sd);
+
+/*******************************************************************
+ Merge part of security descriptor old_sec in to the empty sections of
+ security descriptor new_sec.
+********************************************************************/
+struct sec_desc_buf *sec_desc_merge_buf(TALLOC_CTX *ctx, struct sec_desc_buf *new_sdb, struct sec_desc_buf *old_sdb);
+struct security_descriptor *sec_desc_merge(TALLOC_CTX *ctx, struct security_descriptor *new_sdb, struct security_descriptor *old_sdb);
+
+/*******************************************************************
+ Creates a struct security_descriptor structure
+********************************************************************/
+struct security_descriptor *make_sec_desc(TALLOC_CTX *ctx,
+ enum security_descriptor_revision revision,
+ uint16_t type,
+ const struct dom_sid *owner_sid, const struct dom_sid *grp_sid,
+ struct security_acl *sacl, struct security_acl *dacl, size_t *sd_size);
+
+/*******************************************************************
+ Duplicate a struct security_descriptor structure.
+********************************************************************/
+struct security_descriptor *dup_sec_desc(TALLOC_CTX *ctx, const struct security_descriptor *src);
+
+/*******************************************************************
+ Convert a secdesc into a byte stream
+********************************************************************/
+NTSTATUS marshall_sec_desc(TALLOC_CTX *mem_ctx,
+ struct security_descriptor *secdesc,
+ uint8_t **data, size_t *len);
+
+/*******************************************************************
+ Convert a secdesc_buf into a byte stream
+********************************************************************/
+NTSTATUS marshall_sec_desc_buf(TALLOC_CTX *mem_ctx,
+ struct sec_desc_buf *secdesc_buf,
+ uint8_t **data, size_t *len);
+
+/*******************************************************************
+ Parse a byte stream into a secdesc
+********************************************************************/
+NTSTATUS unmarshall_sec_desc(TALLOC_CTX *mem_ctx, uint8_t *data, size_t len,
+ struct security_descriptor **psecdesc);
+
+/*******************************************************************
+ Parse a byte stream into a sec_desc_buf
+********************************************************************/
+NTSTATUS unmarshall_sec_desc_buf(TALLOC_CTX *mem_ctx, uint8_t *data, size_t len,
+ struct sec_desc_buf **psecdesc_buf);
+
+/*******************************************************************
+ Creates a struct security_descriptor structure with typical defaults.
+********************************************************************/
+struct security_descriptor *make_standard_sec_desc(TALLOC_CTX *ctx, const struct dom_sid *owner_sid, const struct dom_sid *grp_sid,
+ struct security_acl *dacl, size_t *sd_size);
+
+/*******************************************************************
+ Creates a struct sec_desc_buf structure.
+********************************************************************/
+struct sec_desc_buf *make_sec_desc_buf(TALLOC_CTX *ctx, size_t len, struct security_descriptor *sec_desc);
+
+/*******************************************************************
+ Duplicates a struct sec_desc_buf structure.
+********************************************************************/
+struct sec_desc_buf *dup_sec_desc_buf(TALLOC_CTX *ctx, struct sec_desc_buf *src);
+
+/*******************************************************************
+ Add a new SID with its permissions to struct security_descriptor.
+********************************************************************/
+NTSTATUS sec_desc_add_sid(TALLOC_CTX *ctx, struct security_descriptor **psd, const struct dom_sid *sid, uint32_t mask, size_t *sd_size);
+
+/*******************************************************************
+ Modify a SID's permissions in a struct security_descriptor.
+********************************************************************/
+NTSTATUS sec_desc_mod_sid(struct security_descriptor *sd, struct dom_sid *sid, uint32_t mask);
+
+/*******************************************************************
+ Delete a SID from a struct security_descriptor.
+********************************************************************/
+NTSTATUS sec_desc_del_sid(TALLOC_CTX *ctx, struct security_descriptor **psd, struct dom_sid *sid, size_t *sd_size);
+bool sd_has_inheritable_components(const struct security_descriptor *parent_ctr, bool container);
+NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
+ struct security_descriptor **ppsd,
+ size_t *psize,
+ const struct security_descriptor *parent_ctr,
+ const struct dom_sid *owner_sid,
+ const struct dom_sid *group_sid,
+ bool container);
+NTSTATUS se_create_child_secdesc_buf(TALLOC_CTX *ctx,
+ struct sec_desc_buf **ppsdb,
+ const struct security_descriptor *parent_ctr,
+ bool container);
+
+#endif /* _SECDESC_H_ */
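Review bot: The last three prototypes (`sd_has_inheritable_components`, `se_create_child_secdesc`, `se_create_child_secdesc_buf`) have no banner comment of their own and so read as if they belonged under "Delete a SID from a struct security_descriptor". Each should get a banner in the file's existing style, for example `Create a child security descriptor from the inheritable ACEs of parent_ctr.` for `se_create_child_secdesc`. That banner should state which talloc context owns `*ppsd` and what `*psize` holds on failure, once confirmed against the implementation. The header also uses `TALLOC_CTX`, `NTSTATUS`, `bool` and `size_t` while including only `librpc/gen_ndr/security.h`; if that include does not provide them transitively, the header is not self-contained for the new common-library users. The merge banner names `old_sec`/`new_sec` while the parameters are `old_sdb`/`new_sdb`.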
diff --git a/libcli/security/security.h b/libcli/security/security.h
index 1a9f4fa3866..659d34157b0 100644
--- a/libcli/security/security.h
+++ b/libcli/security/security.h
@@ -100,6 +100,7 @@ struct object_tree {
#include "libcli/security/dom_sid.h"
#include "libcli/security/secace.h"
#include "libcli/security/secacl.h"
+#include "libcli/security/secdesc.h"
#include "libcli/security/security_descriptor.h"
#include "libcli/security/security_token.h"
#include "libcli/security/sddl.h"
diff --git a/libcli/security/wscript_build b/libcli/security/wscript_build
index 3f2e06a908b..940ee700f26 100644
--- a/libcli/security/wscript_build
+++ b/libcli/security/wscript_build
@@ -2,7 +2,7 @@
bld.SAMBA_LIBRARY('security',
- source='dom_sid.c display_sec.c secace.c secacl.c security_descriptor.c sddl.c privileges.c security_token.c access_check.c object_tree.c create_descriptor.c util_sid.c session.c',
+ source='dom_sid.c display_sec.c secace.c secacl.c security_descriptor.c sddl.c privileges.c security_token.c access_check.c object_tree.c create_descriptor.c util_sid.c session.c secdesc.c',
private_library=True,
deps='talloc ndr NDR_SECURITY'
)
diff --git a/source3/Makefile.in b/source3/Makefile.in
index ab59ad01042..822ffc509f7 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -474,7 +474,7 @@ LIB_OBJ = $(LIBSAMBAUTIL_OBJ) $(UTIL_OBJ) $(CRYPTO_OBJ) \
lib/module.o lib/events.o @LIBTEVENT_OBJ0@ \
lib/server_contexts.o \
lib/ldap_escape.o @CHARSET_STATIC@ \
- lib/secdesc.o ../libcli/security/access_check.o \
+ ../libcli/security/secdesc.o ../libcli/security/access_check.o \
../libcli/security/secace.o ../libcli/security/object_tree.o \
../libcli/security/sddl.o \
../libcli/security/secacl.o @PTHREADPOOL_OBJ@ \
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 8cd3ec2ea81..ba9497e6ca9 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -236,47 +236,6 @@ ssize_t sys_recvfile(int fromfd,
size_t count);
ssize_t drain_socket(int sockfd, size_t count);
-/* The following definitions come from lib/secdesc.c */
-
-uint32_t get_sec_info(const struct security_descriptor *sd);
-struct security_descriptor *sec_desc_merge(TALLOC_CTX *ctx, struct security_descriptor *new_sdb, struct security_descriptor *old_sdb);
-struct sec_desc_buf *sec_desc_merge_buf(TALLOC_CTX *ctx, struct sec_desc_buf *new_sdb, struct sec_desc_buf *old_sdb);
-struct security_descriptor *make_sec_desc(TALLOC_CTX *ctx,
- enum security_descriptor_revision revision,
- uint16 type,
- const struct dom_sid *owner_sid, const struct dom_sid *grp_sid,
- struct security_acl *sacl, struct security_acl *dacl, size_t *sd_size);
-struct security_descriptor *dup_sec_desc(TALLOC_CTX *ctx, const struct security_descriptor *src);
-NTSTATUS marshall_sec_desc(TALLOC_CTX *mem_ctx,
- struct security_descriptor *secdesc,
- uint8 **data, size_t *len);
-NTSTATUS marshall_sec_desc_buf(TALLOC_CTX *mem_ctx,
- struct sec_desc_buf *secdesc_buf,
- uint8_t **data, size_t *len);
-NTSTATUS unmarshall_sec_desc(TALLOC_CTX *mem_ctx, uint8 *data, size_t len,
- struct security_descriptor **psecdesc);
-NTSTATUS unmarshall_sec_desc_buf(TALLOC_CTX *mem_ctx, uint8_t *data, size_t len,
- struct sec_desc_buf **psecdesc_buf);
-struct security_descriptor *make_standard_sec_desc(TALLOC_CTX *ctx, const struct dom_sid *owner_sid, const struct dom_sid *grp_sid,
- struct security_acl *dacl, size_t *sd_size);
-struct sec_desc_buf *make_sec_desc_buf(TALLOC_CTX *ctx, size_t len, struct security_descriptor *sec_desc);
-struct sec_desc_buf *dup_sec_desc_buf(TALLOC_CTX *ctx, struct sec_desc_buf *src);
-NTSTATUS sec_desc_add_sid(TALLOC_CTX *ctx, struct security_descriptor **psd, const struct dom_sid *sid, uint32 mask, size_t *sd_size);
-NTSTATUS sec_desc_mod_sid(struct security_descriptor *sd, struct dom_sid *sid, uint32 mask);
-NTSTATUS sec_desc_del_sid(TALLOC_CTX *ctx, struct security_descriptor **psd, struct dom_sid *sid, size_t *sd_size);
-bool sd_has_inheritable_components(const struct security_descriptor *parent_ctr, bool container);
-NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
- struct security_descriptor **ppsd,
- size_t *psize,
- const struct security_descriptor *parent_ctr,
- const struct dom_sid *owner_sid,
- const struct dom_sid *group_sid,
- bool container);
-NTSTATUS se_create_child_secdesc_buf(TALLOC_CTX *ctx,
- struct sec_desc_buf **ppsdb,
- const struct security_descriptor *parent_ctr,
- bool container);
-
/* The following definitions come from lib/sendfile.c */
ssize_t sys_sendfile(int tofd, int fromfd, const DATA_BLOB *header, SMB_OFF_T offset, size_t count);
diff --git a/source3/libsmb/clisecdesc.c b/source3/libsmb/clisecdesc.c
index c998c70826d..d703b1f7744 100644
--- a/source3/libsmb/clisecdesc.c
+++ b/source3/libsmb/clisecdesc.c
@@ -19,6 +19,7 @@
#include "includes.h"
#include "libsmb/libsmb.h"
+#include "../libcli/security/secdesc.h"
/****************************************************************************
query the security descriptor for a open file
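Review bot: This include is spelled `"../libcli/security/secdesc.h"`, while the same commit switches secdesc.c itself to top-level-relative paths and adds `"libcli/security/secdesc.h"` in srv_winreg_nt.c. The reg_backend_db.c and regfio.c hunks use the `../` form as well. Picking one spelling, e.g. `#include "libcli/security/secdesc.h"`, in all four files would avoid depending on which directory happens to be on the include path. Since this commit also makes `libcli/security/security.h` include secdesc.h, it is worth checking whether any of these files already pull it in that way.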
diff --git a/source3/registry/reg_backend_db.c b/source3/registry/reg_backend_db.c
index 1db745d962a..566ab0bc6b8 100644
--- a/source3/registry/reg_backend_db.c
+++ b/source3/registry/reg_backend_db.c
@@ -30,6 +30,7 @@
#include "nt_printing.h"
#include "util_tdb.h"
#include "dbwrap.h"
+#include "../libcli/security/secdesc.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_REGISTRY
diff --git a/source3/registry/regfio.c b/source3/registry/regfio.c
index c4d2a6d4d34..8715ab56730 100644
--- a/source3/registry/regfio.c
+++ b/source3/registry/regfio.c
@@ -22,6 +22,7 @@
#include "regfio.h"
#include "../librpc/gen_ndr/ndr_security.h"
#include "../libcli/security/security_descriptor.h"
+#include "../libcli/security/secdesc.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_REGISTRY
diff --git a/source3/rpc_server/winreg/srv_winreg_nt.c b/source3/rpc_server/winreg/srv_winreg_nt.c
index 1b3cab88447..6f319e99054 100644
--- a/source3/rpc_server/winreg/srv_winreg_nt.c
+++ b/source3/rpc_server/winreg/srv_winreg_nt.c
@@ -30,6 +30,7 @@
#include "rpc_misc.h"
#include "auth.h"
#include "lib/privileges.h"
+#include "libcli/security/secdesc.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_SRV
diff --git a/source3/wscript_build b/source3/wscript_build
index cbb94797f0f..543aef71584 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -87,7 +87,6 @@ LIB_SRC = '''
lib/module.c lib/events.c
lib/server_contexts.c
lib/ldap_escape.c
- lib/secdesc.c
lib/fncall.c
libads/krb5_errs.c lib/system_smbd.c lib/audit.c
lib/file_id.c lib/idmap_cache.c'''