author | Douglas Bagnall <douglas.bagnall@catalyst.net.nz> | 2023-03-16 21:17:56 +1300 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2023-04-28 02:15:36 +0000 |
commit | 5abd687fceb09451986359253361bca0d649372b (patch) | |
tree | 20a2b18d7356b8043c6801aa754ad9ba3f1e16c2 /libcli | |
parent | 7c97df1786329eeaacb3bf7f4741ecec9b7d1304 (diff) | |
lib/sec/sddl: allow empty non-trailing ACL with flags
The string "S:D:P" is parsed by us and Windows into a valid struct,
which has an empty DACL with the PROTECTED flag, and an empty SACL.
This is reconstructed in canonical order as "D:PS:", which Windows
will correctly parse, but Samba has assumed the "S" is a bad DACL
flag. Now we don't make that assumption.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'libcli')
-rw-r--r-- | libcli/security/sddl.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c
index 6a9e6bdb22c..2df5680e549 100644
--- a/libcli/security/sddl.c
+++ b/libcli/security/sddl.c
@@ -60,7 +60,8 @@ static bool sddl_map_flag(
 map a series of letter codes into a uint32_t
 */
 static bool sddl_map_flags(const struct flag_map *map, const char *str,
- uint32_t *pflags, size_t *plen)
+ uint32_t *pflags, size_t *plen,
+ bool unknown_flag_is_part_of_next_thing)
 {
 const char *str0 = str;
 if (plen != NULL) {
@@ -74,6 +75,9 @@ static bool sddl_map_flags(const struct flag_map *map, const char *str,
 found = sddl_map_flag(map, str, &len, &flags);
 if (!found) {
+ if (unknown_flag_is_part_of_next_thing) {
+ return true;
+ }
 DEBUG(1, ("Unknown flag - %s in %s\n", str, str0));
 return false;
 }
@@ -87,6 +91,7 @@ static bool sddl_map_flags(const struct flag_map *map, const char *str,
 return true;
 }
+
 /*
 a mapping between the 2 letter SID codes and sid strings
 */
@@ -378,13 +383,13 @@ static bool sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char
 }
 /* parse ace type */
- if (!sddl_map_flags(ace_types, tok[0], &v, NULL)) {
+ if (!sddl_map_flags(ace_types, tok[0], &v, NULL, false)) {
 return false;
 }
 ace->type = v;
 /* ace flags */
- if (!sddl_map_flags(ace_flags, tok[1], &v, NULL)) {
+ if (!sddl_map_flags(ace_flags, tok[1], &v, NULL, false)) {
 return false;
 }
 ace->flags = v;
@@ -457,7 +462,7 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd,
 }
 /* work out the ACL flags */
- if (!sddl_map_flags(acl_flags, sddl, flags, &len)) {
+ if (!sddl_map_flags(acl_flags, sddl, flags, &len, true)) {
 talloc_free(acl);
 return NULL;
 }
 |
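Review bot: The early `return true` added inside `if (!found)` in sddl_map_flags() skips the `DEBUG(1, ("Unknown flag ...` message and reports success for any unrecognised upper-case code, so when the new argument is set a misspelt flag is no longer rejected here and has to be caught by whatever parses the rest of the string. As this is the parser for security descriptors, the header comment (still only "map a series of letter codes into a uint32_t") should state that contract, for example `/* If unknown_flag_is_part_of_next_thing is true, stop at the first unrecognised code and return true; the caller must validate the remainder. */`. It should also say what `*pflags` and `*plen` hold on that path; the accumulation code is outside the hunk, so presumably they cover only the flags recognised up to that point. The loop header and the end of the function are not visible in this hunk.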
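Review bot: The bare `true` passed to sddl_map_flags() in sddl_decode_acl() (like the bare `false` at the two sddl_decode_ace() call sites in the previous hunk) does not tell the reader what is being relaxed; a comment at this call would help, e.g. `/* an unknown letter may start the next component, as in "D:PS:" */`. Because this call now succeeds when the flag run ends in an unrecognised code, it is worth confirming that the code after it, which lies outside the hunk, still rejects an ACL whose flag is merely misspelt rather than returning a descriptor that carries fewer flags than the author wrote. A test covering both "D:PS:" and a genuinely unknown ACL flag would pin that behaviour.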