diff options
author | Stefan Metzmacher <metze@samba.org> | 2015-03-26 14:39:35 +0100 |
---|---|---|
committer | Günther Deschner <gd@samba.org> | 2015-03-30 13:41:25 +0200 |
commit | 2dcef48f242ffdcd980a4f6385ed07996ea915f4 (patch) | |
tree | c1a1de5e17446f015ee32aa4804070e38e7fb87a /libcli | |
parent | 77f0763c842a0653610a6fbc7f40bd8e54e38376 (diff) | |
download | samba-2dcef48f242ffdcd980a4f6385ed07996ea915f4.tar.gz |
libcli/security: add security_descriptor_for_client() helper function
This prepares a possibly stripped security descriptor for a client.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Diffstat (limited to 'libcli')
-rw-r--r-- | libcli/security/security_descriptor.c | 70 | ||||
-rw-r--r-- | libcli/security/security_descriptor.h | 5 |
2 files changed, 75 insertions, 0 deletions
diff --git a/libcli/security/security_descriptor.c b/libcli/security/security_descriptor.c index a75942c0770..0a2bb952b0e 100644 --- a/libcli/security/security_descriptor.c +++ b/libcli/security/security_descriptor.c @@ -182,6 +182,76 @@ struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx, return NULL; } +NTSTATUS security_descriptor_for_client(TALLOC_CTX *mem_ctx, + const struct security_descriptor *ssd, + uint32_t sec_info, + uint32_t access_granted, + struct security_descriptor **_csd) +{ + struct security_descriptor *csd = NULL; + uint32_t access_required = 0; + + *_csd = NULL; + + if (sec_info & (SECINFO_OWNER|SECINFO_GROUP)) { + access_required |= SEC_STD_READ_CONTROL; + } + if (sec_info & SECINFO_DACL) { + access_required |= SEC_STD_READ_CONTROL; + } + if (sec_info & SECINFO_SACL) { + access_required |= SEC_FLAG_SYSTEM_SECURITY; + } + + if (access_required & (~access_granted)) { + return NT_STATUS_ACCESS_DENIED; + } + + /* + * make a copy... + */ + csd = security_descriptor_copy(mem_ctx, ssd); + if (csd == NULL) { + return NT_STATUS_NO_MEMORY; + } + + /* + * ... and remove everthing not wanted + */ + + if (!(sec_info & SECINFO_OWNER)) { + TALLOC_FREE(csd->owner_sid); + csd->type &= ~SEC_DESC_OWNER_DEFAULTED; + } + if (!(sec_info & SECINFO_GROUP)) { + TALLOC_FREE(csd->group_sid); + csd->type &= ~SEC_DESC_GROUP_DEFAULTED; + } + if (!(sec_info & SECINFO_DACL)) { + TALLOC_FREE(csd->dacl); + csd->type &= ~( + SEC_DESC_DACL_PRESENT | + SEC_DESC_DACL_DEFAULTED| + SEC_DESC_DACL_AUTO_INHERIT_REQ | + SEC_DESC_DACL_AUTO_INHERITED | + SEC_DESC_DACL_PROTECTED | + SEC_DESC_DACL_TRUSTED); + } + if (!(sec_info & SECINFO_SACL)) { + TALLOC_FREE(csd->sacl); + csd->type &= ~( + SEC_DESC_SACL_PRESENT | + SEC_DESC_SACL_DEFAULTED | + SEC_DESC_SACL_AUTO_INHERIT_REQ | + SEC_DESC_SACL_AUTO_INHERITED | + SEC_DESC_SACL_PROTECTED | + SEC_DESC_SERVER_SECURITY); + } + + *_csd = csd; + return NT_STATUS_OK; +} + /* add an ACE to an ACL of a security_descriptor */ diff --git a/libcli/security/security_descriptor.h b/libcli/security/security_descriptor.h index 87643bc945a..dd5d5f38049 100644 --- a/libcli/security/security_descriptor.h +++ b/libcli/security/security_descriptor.h @@ -26,6 +26,11 @@ struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx); struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx, const struct security_descriptor *osd); +NTSTATUS security_descriptor_for_client(TALLOC_CTX *mem_ctx, + const struct security_descriptor *ssd, + uint32_t sec_info, + uint32_t access_granted, + struct security_descriptor **_csd); NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd, const struct security_ace *ace); NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd, |