path: root/libcli/security
Commit log for libcli/security, newest first. Each entry gives the commit title followed by author, date, number of files changed and lines removed/added, then the commit message body.
* libcli: remove unused se_create_child_secdesc_buf() (Ralph Boehme, 2018-05-09; 2 files, -32/+0)

    Commit e2c9ad93cb914186b89e2055f1bed3cceee1f768 removed the last caller of this.

    Signed-off-by: Ralph Boehme <slow@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
    Autobuild-User(master): Ralph Böhme <slow@samba.org>
    Autobuild-Date(master): Wed May 9 19:18:44 CEST 2018 on sn-devel-144
* libcli/security: add dom_sid_is_valid_account_domain() (Stefan Metzmacher, 2018-03-19; 2 files, -0/+64)

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* libcli/security: fix some SID values in comments (Stefan Metzmacher, 2018-03-16; 1 file, -3/+3)

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Ralph Boehme <slow@samba.org>
    Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
    Autobuild-Date(master): Fri Mar 16 19:47:15 CET 2018 on sn-devel-144
* libcli/security: only announce a session as GUEST if 'Builtin\Guests' is there without 'Authenticated User' (Ralph Boehme, 2018-03-15; 1 file, -7/+11)

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Ralph Boehme <slow@samba.org>
* libcli/security: add dom_sid_lookup_predefined_{sid,name}() (Stefan Metzmacher, 2018-02-21; 2 files, -0/+512)

    This basically implements [MS-LSAT] 3.1.1.1.1 Predefined Translation Database and Corresponding View.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Ralph Boehme <slow@samba.org>
* lib: Save a few bytes of .text (Volker Lendecke, 2017-11-13; 1 file, -1/+1)

    Looks surprising, but this does save bytes if you look at the object with "size".

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli: Fix a signed/unsigned hiccup (Volker Lendecke, 2017-11-13; 1 file, -1/+1)

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli/security: Move debug message to DBG_DEBUG() (Andrew Bartlett, 2017-09-07; 1 file, -1/+1)

    This message shows up a lot at level 6 for no particularly good reason.

    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* python: Port samba.security to Python 3 compatible form. (Lumir Balhar, 2017-09-06; 2 files, -12/+22)

    Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* libcli/security: fix dom_sid_in_domain() (Ralph Boehme, 2017-04-12; 1 file, -1/+5)

    Ensure the SID has exactly one component more than the domain SID, e.g.

        Domain SID: S-1-5-21-1-2-3
        SID:        S-1-5-21-1-2-3-4

    This will return true. If the SID has more components, e.g.

        SID: S-1-5-21-1-2-3-4-5, or
        SID: S-1-5-21-1-2-3-4-5-6-7-8

    dom_sid_in_domain() must return false.

    This was verified against Windows:

        lsa_LookupSids: struct lsa_LookupSids
            out: struct lsa_LookupSids
                domains                : *
                    domains                : *
                        domains: struct lsa_RefDomainList
                            count                  : 0x00000002 (2)
                            domains                : *
                                domains: ARRAY(2)
                                    domains: struct lsa_DomainInfo
                                        name: struct lsa_StringLarge
                                            length                 : 0x000e (14)
                                            size                   : 0x0010 (16)
                                            string                 : *
                                                string                 : 'BUILTIN'
                                        sid                    : *
                                            sid                    : S-1-5-32
                                    domains: struct lsa_DomainInfo
                                        name: struct lsa_StringLarge
                                            length                 : 0x0012 (18)
                                            size                   : 0x0014 (20)
                                            string                 : *
                                                string                 : 'W4EDOM-L4'
                                        sid                    : *
                                            sid                    : S-1-5-21-278041429-3399921908-1452754838
                            max_size               : 0x00000020 (32)
                names                  : *
                    names: struct lsa_TransNameArray
                        count                  : 0x00000004 (4)
                        names                  : *
                            names: ARRAY(4)
                                names: struct lsa_TranslatedName
                                    sid_type               : SID_NAME_USER (1)
                                    name: struct lsa_String
                                        length                 : 0x001a (26)
                                        size                   : 0x001a (26)
                                        string                 : *
                                            string                 : 'Administrator'
                                    sid_index              : 0x00000001 (1)
                                names: struct lsa_TranslatedName
                                    sid_type               : SID_NAME_UNKNOWN (8)
                                    name: struct lsa_String
                                        length                 : 0x005c (92)
                                        size                   : 0x005e (94)
                                        string                 : *
                                            string                 : 'S-1-5-21-278041429-3399921908-1452754838-500-1'
                                    sid_index              : 0xffffffff (4294967295)
                                names: struct lsa_TranslatedName
                                    sid_type               : SID_NAME_ALIAS (4)
                                    name: struct lsa_String
                                        length                 : 0x001c (28)
                                        size                   : 0x001c (28)
                                        string                 : *
                                            string                 : 'Administrators'
                                    sid_index              : 0x00000000 (0)
                                names: struct lsa_TranslatedName
                                    sid_type               : SID_NAME_UNKNOWN (8)
                                    name: struct lsa_String
                                        length                 : 0x001c (28)
                                        size                   : 0x001e (30)
                                        string                 : *
                                            string                 : 'S-1-5-32-544-9'
                                    sid_index              : 0xffffffff (4294967295)
                count                  : *
                    count                  : 0x00000002 (2)
                result                 : STATUS_SOME_UNMAPPED

    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

    Signed-off-by: Ralph Boehme <slow@samba.org>
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
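As an added example (not Samba's code, and not the diff of the commit above), the "exactly one sub-authority more than the domain SID" rule that the commit message describes, implemented in C with a small SID string parser so it can be run on the SIDs from the message. The struct layout, the function names (sid_parse, sid_in_domain, sid_string_in_domain) and the sample SIDs are my own; the only facts taken from elsewhere are the SID string grammar and its limits (revision 1, 48-bit identifier authority, at most 15 sub-authorities), which come from [MS-DTYP].

```c
/* Added example, not Samba's code: a minimal SID parser plus a
 * dom_sid_in_domain()-style check that requires the candidate SID to
 * have exactly one more sub-authority than the domain SID. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SUB_AUTHS 15   /* SubAuthorityCount limit in the SID format */

struct sid {
    uint8_t  revision;              /* always 1 on the wire */
    uint64_t identifier_authority;  /* 48 bits on the wire */
    int      num_auths;
    uint32_t sub_auths[MAX_SUB_AUTHS];
};

/* Parse one unsigned decimal field at *p and advance past it. The
 * leading-digit check rejects "", "-", " 5" and "+5", all of which
 * strtoull() alone would happily accept. */
static bool parse_field(const char **p, unsigned long long max,
                        unsigned long long *out)
{
    if (**p < '0' || **p > '9')
        return false;
    char *end;
    errno = 0;
    unsigned long long v = strtoull(*p, &end, 10);
    if (errno != 0 || v > max)
        return false;
    *p = end;
    *out = v;
    return true;
}

/* Parse "S-1-5-21-1-2-3-4" into a struct sid; false on any defect. */
static bool sid_parse(const char *s, struct sid *out)
{
    unsigned long long v;
    memset(out, 0, sizeof(*out));
    if ((s[0] != 'S' && s[0] != 's') || s[1] != '-')
        return false;
    const char *p = s + 2;
    if (!parse_field(&p, 255, &v) || v != 1)          /* revision must be 1 */
        return false;
    out->revision = (uint8_t)v;
    if (*p != '-')
        return false;
    p++;
    if (!parse_field(&p, 0xFFFFFFFFFFFFULL, &v))      /* 48-bit authority */
        return false;
    out->identifier_authority = v;
    while (*p == '-') {
        p++;
        if (out->num_auths >= MAX_SUB_AUTHS)
            return false;
        if (!parse_field(&p, 0xFFFFFFFFULL, &v))      /* 32-bit sub-authority */
            return false;
        out->sub_auths[out->num_auths++] = (uint32_t)v;
    }
    return *p == '\0';   /* trailing junk such as "S-1-5-32-" is rejected */
}

/* True only when sid is domain plus exactly one additional sub-authority
 * (the RID). A SID with the same prefix but two or more extra components
 * is not "in" the domain, matching the commit message above. */
static bool sid_in_domain(const struct sid *domain, const struct sid *sid)
{
    if (sid->num_auths != domain->num_auths + 1)
        return false;
    if (sid->revision != domain->revision ||
        sid->identifier_authority != domain->identifier_authority)
        return false;
    return memcmp(sid->sub_auths, domain->sub_auths,
                  (size_t)domain->num_auths * sizeof(uint32_t)) == 0;
}

/* String-level wrapper; a malformed SID on either side is "not in domain". */
static bool sid_string_in_domain(const char *domain_str, const char *sid_str)
{
    struct sid d, s;
    if (!sid_parse(domain_str, &d) || !sid_parse(sid_str, &s))
        return false;
    return sid_in_domain(&d, &s);
}

int main(void)
{
    /* Constructed sample SIDs, taken from the shapes in the commit message. */
    const char *dom = "S-1-5-21-1-2-3";
    const char *tests[] = { "S-1-5-21-1-2-3-4", "S-1-5-21-1-2-3-4-5",
                            "S-1-5-21-1-2-3-4-5-6-7-8", "S-1-5-21-1-2-3",
                            "S-1-5-21-1-2-9-4", "S-1-5-32-544" };
    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++)
        printf("%-26s in %s: %s\n", tests[i], dom,
               sid_string_in_domain(dom, tests[i]) ? "yes" : "no");
    return 0;
}
```

The last two SIDs in the Windows lsa_LookupSids output above (S-1-5-21-...-500-1 and S-1-5-32-544-9) come back as SID_NAME_UNKNOWN for exactly the reason this check encodes: they carry one component too many to be a member of the BUILTIN or W4EDOM-L4 domain. Callers that use "is this SID in my domain" as an authorization boundary need the strict equality on the component count; a prefix-only comparison would accept an attacker-chosen SID such as S-1-5-21-1-2-3-500-1 as if it belonged to RID 500's domain.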
* libcli/security: add SID_NAME_LABEL to sid_type_lookup() (Stefan Metzmacher, 2017-03-23; 1 file, -1/+2)

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli: Add an overflow check (Volker Lendecke, 2017-01-23; 1 file, -0/+4)

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli: Do not overwrite pointer on realloc failure (Volker Lendecke, 2017-01-23; 1 file, -3/+5)

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* lib: Add required prerequisites for librpc/gen_ndr/security.h (Volker Lendecke, 2016-12-28; 1 file, -0/+3)

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Uri Simchoni <uri@samba.org>
* lib: security: se_access_check() incorrectly processes owner rights (S-1-3-4) DENY ace entries (Jeremy Allison, 2016-12-10; 1 file, -1/+1)

    Reported and proposed fix by Shilpa K <shilpa.krishnareddy@gmail.com>.

    When processing DENY ACE entries for owner rights SIDs (S-1-3-4) the code
    OR's in the deny access mask bits without taking into account if they were
    being requested in the requested access mask.

    E.g. The current logic has:

    An ACL containing:

        [0] SID: S-1-3-4 TYPE: DENY MASK: WRITE_DATA
        [1] SID: S-1-3-4 TYPE: ALLOW MASK: ALLOW_ALL

    prohibits an open request by the owner for READ_DATA - even though this is
    explicitly allowed.

    Furthermore a non-canonical ACL containing:

        [0] SID: User SID 1-5-21-something TYPE: ALLOW MASK: READ_DATA
        [1] SID: S-1-3-4 TYPE: DENY MASK: READ_DATA
        [2] SID: User SID 1-5-21-something TYPE: ALLOW MASK: WRITE_DATA

    prohibits an open request by the owner for READ_DATA|WRITE_DATA - even
    though READ_DATA is explicitly allowed in ACE no 0 and is thus already
    filtered out of the "access-still-needed" mask when the deny ACE no 1 is
    evaluated.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12466

    Signed-off-by: Jeremy Allison <jra@samba.org>
    Signed-off-by: Ralph Boehme <slow@samba.org>
    Reviewed-by: Ralph Boehme <slow@samba.org>
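As an added example (not Samba's code, and not the one-line diff of the commit above), a toy C model of the DACL walk that se_access_check() performs, with the pre-fix and post-fix handling of OWNER RIGHTS (S-1-3-4) DENY ACEs side by side, run over the two ACLs from the commit message. The access-mask bit values, the user SID, the function names and the ACL arrays are constructed for this example; the assumption that the fix consists of masking the DENY bits with the still-requested bits is my reading of the message, not something copied from the Samba source.

```c
/* Added example, not Samba's code: a reduced model of the DACL walk with
 * "bits still needed" tracking, showing why an OWNER RIGHTS DENY ACE must
 * only count the bits that are still being requested. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed access-mask bits for this toy model (not Samba's values). */
#define READ_DATA   0x0001u
#define WRITE_DATA  0x0002u
#define ALLOW_ALL   0x000Fu

enum ace_type { ACE_ALLOW, ACE_DENY };

struct ace {
    const char   *trustee;   /* SID string; "S-1-3-4" is OWNER RIGHTS */
    enum ace_type type;
    uint32_t      mask;
};

#define OWNER_RIGHTS_SID "S-1-3-4"
#define USER_SID         "S-1-5-21-1-2-3-1001"   /* constructed user SID */

/* Walk the DACL in order; ALLOW ACEs clear bits from what is still needed.
 * `buggy` selects the pre-fix handling the commit describes: an OWNER
 * RIGHTS DENY ACE contributes its whole mask instead of only the bits that
 * are still being requested. Assumption: the fix masks with bits_remaining;
 * that is my reading of the commit message, not the Samba diff. */
static bool access_check(const struct ace *acl, size_t n,
                         const char *requester_sid, bool requester_is_owner,
                         uint32_t requested, bool buggy)
{
    uint32_t bits_remaining = requested;
    uint32_t explicitly_denied = 0;

    for (size_t i = 0; i < n && bits_remaining != 0; i++) {
        const struct ace *a = &acl[i];
        bool owner_rights_ace = strcmp(a->trustee, OWNER_RIGHTS_SID) == 0;

        if (owner_rights_ace) {
            if (!requester_is_owner)
                continue;            /* S-1-3-4 only applies to the owner */
        } else if (strcmp(a->trustee, requester_sid) != 0) {
            continue;                /* ACE is for someone else */
        }

        if (a->type == ACE_ALLOW) {
            bits_remaining &= ~a->mask;
        } else if (owner_rights_ace && buggy) {
            explicitly_denied |= a->mask;                   /* pre-fix */
        } else {
            explicitly_denied |= a->mask & bits_remaining;  /* post-fix */
        }
    }
    return bits_remaining == 0 && explicitly_denied == 0;
}

/* ACL [0]/[1] from the commit message: deny WRITE, then allow all, to the owner. */
static const struct ace acl_owner_deny_write[] = {
    { OWNER_RIGHTS_SID, ACE_DENY,  WRITE_DATA },
    { OWNER_RIGHTS_SID, ACE_ALLOW, ALLOW_ALL  },
};

/* Non-canonical ACL [0]/[1]/[2]: READ granted to the user before the DENY. */
static const struct ace acl_noncanonical[] = {
    { USER_SID,         ACE_ALLOW, READ_DATA  },
    { OWNER_RIGHTS_SID, ACE_DENY,  READ_DATA  },
    { USER_SID,         ACE_ALLOW, WRITE_DATA },
};

#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Owner opens for READ_DATA against the first ACL. */
static bool owner_read_acl1(bool buggy)
{
    return access_check(acl_owner_deny_write, N(acl_owner_deny_write),
                        USER_SID, true, READ_DATA, buggy);
}

/* Owner opens for READ_DATA|WRITE_DATA against the non-canonical ACL. */
static bool owner_readwrite_acl2(bool buggy)
{
    return access_check(acl_noncanonical, N(acl_noncanonical),
                        USER_SID, true, READ_DATA | WRITE_DATA, buggy);
}

int main(void)
{
    printf("ACL1, owner opens for READ_DATA:       pre-fix %s, post-fix %s\n",
           owner_read_acl1(true) ? "granted" : "denied",
           owner_read_acl1(false) ? "granted" : "denied");
    printf("ACL2, owner opens for READ|WRITE_DATA: pre-fix %s, post-fix %s\n",
           owner_readwrite_acl2(true) ? "granted" : "denied",
           owner_readwrite_acl2(false) ? "granted" : "denied");
    return 0;
}
```

Both ACLs are granted only on the post-fix path, while an owner asking for WRITE_DATA against the first ACL is denied on both paths, which is the behaviour the DENY ACE is actually meant to produce. The interesting property of the "bits still needed" walk is that an ACE can only deny what has not already been granted by an earlier ACE; the pre-fix code broke that property for S-1-3-4 alone, so a security descriptor that looked correct in any ACL editor behaved differently for the owner than for everyone else.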
* lib: Make dom_sid_parse_endp init "endp" on all "ok" paths (Volker Lendecke, 2016-12-06; 1 file, -1/+2)

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli: Remove code clone (Moritz Beller, 2016-10-13; 1 file, -1/+1)

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12373

    Signed-off-by: Moritz Beller <moritzbeller@gmx.de>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    Reviewed-by: Simo <simo@samba.org>
    Autobuild-User(master): Volker Lendecke <vl@samba.org>
    Autobuild-Date(master): Thu Oct 13 18:13:45 CEST 2016 on sn-devel-144
* lib: Annotate well known SID names (Steve French, 2016-09-29; 1 file, -1/+35)

    Add Samba specific well known SIDs for Unix UID and GID owner.

    Signed-off-by: Steve French <smfrench@gmail.com>
    Reviewed-by: Guenther Deschner <gd@samba.org>
* libcli/security: implement SECURITY_GUEST (Stefan Metzmacher, 2016-04-28; 4 files, -0/+12)

    SECURITY_GUEST is not exactly the same as SECURITY_ANONYMOUS.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Günther Deschner <gd@samba.org>
* libcli: Fix debug message, print sid string for new_ace trustee. (Noel Power, 2016-02-16; 1 file, -1/+1)

    Signed-off-by: Noel Power <noel.power@suse.com>
    Reviewed-by: Uri Simchoni <uri@samba.org>
    Reviewed-by: Amitay Isaacs <amitay@gmail.com>
* security: Add Asserted Identity sids (S-1-18) (Günther Deschner, 2016-01-15; 2 files, -0/+11)

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11677

    Definitions taken from [MS-DTYP]: Windows Data Types, 2.4.2.4 Well-Known SID Structures.

    Guenther

    Signed-off-by: Günther Deschner <gd@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* lib: Remove unused sid_blob_parse (Volker Lendecke, 2015-08-26; 2 files, -15/+6)

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* lib: Make sid_parse take a uint8_t (Volker Lendecke, 2015-08-26; 2 files, -2/+2)

    sid_parse takes a binary blob, uint8_t reflects this a bit better than char * does.

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* lib: Use dom_sid_equal where appropriate (Volker Lendecke, 2015-08-20; 1 file, -1/+2)

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Ira Cooper <ira@samba.org>
* lib: Remove some unused code (Volker Lendecke, 2015-08-14; 2 files, -20/+0)

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Martin Schwenke <martin@meltin.net>
* lib: Remove some unused code (Volker Lendecke, 2015-08-14; 2 files, -24/+0)

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Martin Schwenke <martin@meltin.net>
* s4: Fix bad review I did in dom_sid_parse_length() code. (Jeremy Allison, 2015-04-29; 1 file, -1/+2)

    Volker, apologies for the mistake.

    Spotted by Andrew Bartlett <abartlet@samba.org>

    Signed-off-by: Jeremy Allison <jra@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date(master): Wed Apr 29 08:20:23 CEST 2015 on sn-devel-104
* lib: Simplify dom_sid_parse_length (Volker Lendecke, 2015-04-28; 1 file, -8/+3)

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli/security: add security_descriptor_for_client() helper function (Stefan Metzmacher, 2015-03-30; 2 files, -0/+75)

    This prepares a possibly stripped security descriptor for a client.

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Guenther Deschner <gd@samba.org>
* libcli/security: support "IS" in SDDL for SID_NT_IUSR (Stefan Metzmacher, 2015-03-30; 1 file, -0/+1)

    TODO: we should import the whole lists from [MS-DTYP].

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Guenther Deschner <gd@samba.org>
* Fix whitespace (Volker Lendecke, 2015-02-26; 1 file, -7/+7)

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli/security: add a function that checks for MS NFS ACEs (Ralph Boehme, 2014-12-04; 2 files, -0/+24)

    Signed-off-by: Ralph Boehme <slow@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli/security: add NFS SID mappings (Ralph Boehme, 2014-12-04; 2 files, -0/+22)

    Signed-off-by: Ralph Boehme <slow@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli/security: add better detection of SECINFO_[UN]PROTECTED_[D|S]ACL in get_sec_info() (Stefan Metzmacher, 2014-08-22; 1 file, -16/+20)

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10773

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
    Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
    Autobuild-Date(master): Fri Aug 22 02:52:50 CEST 2014 on sn-devel-104
* libcli: Add a NULL check in dom_sid_string (Volker Lendecke, 2014-06-10; 1 file, -0/+3)

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    Autobuild-User(master): Jeremy Allison <jra@samba.org>
    Autobuild-Date(master): Tue Jun 10 21:46:15 CEST 2014 on sn-devel-104
* libcli/security: remove sec_ace_equal (David Disseldorp, 2014-05-29; 2 files, -33/+0)

    This function is a duplicate of security_ace_equal(), and is no longer used.

    Signed-off-by: David Disseldorp <ddiss@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date(master): Thu May 29 03:34:38 CEST 2014 on sn-devel-104
* secdesc: use security_ace_equal instead of sec_ace_equal (David Disseldorp, 2014-05-29; 1 file, -1/+1)

    Both offer the same functionality, sec_ace_equal() will be removed.

    Signed-off-by: David Disseldorp <ddiss@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/security: cleanup security_ace_equal() (David Disseldorp, 2014-05-29; 1 file, -8/+20)

    This change cleans up the white-space damage, and converts the single line if-then statements to match Samba's coding conventions.

    Signed-off-by: David Disseldorp <ddiss@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/security: remove unused sec_ace_del_sid() (David Disseldorp, 2014-05-29; 2 files, -33/+0)

    With sec_desc_del_sid() now gone, this can also be removed.

    Signed-off-by: David Disseldorp <ddiss@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/security: remove unused sec_desc_del_sid() (David Disseldorp, 2014-05-29; 2 files, -37/+0)

    The function is unused, and shares mostly the same behaviour as security_descriptor_acl_del().

    Signed-off-by: David Disseldorp <ddiss@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/security: remove dup_sec_acl() (David Disseldorp, 2014-05-29; 2 files, -13/+0)

    With make_sec_desc() converted to use security_acl_dup(), which offers the same behaviour, this function is no longer needed.

    Signed-off-by: David Disseldorp <ddiss@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/security: clean up and fix make_sec_desc (David Disseldorp, 2014-05-29; 1 file, -48/+29)

    It currently leaks memory onto the provided talloc context on error, fix this.

    Use X_acl_dup() functions provided by security_descriptor.c, rather than the redundant secdesc.c calls.

    Also, use the IDL generated functions to calculate the security descriptor structure size.

    Signed-off-by: David Disseldorp <ddiss@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/secdesc: remove dup_sec_desc() (David Disseldorp, 2014-05-28; 2 files, -21/+0)

    With all callers converted to use security_descriptor_copy(), this function can be removed.

    Signed-off-by: David Disseldorp <ddiss@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    Reviewed-by: Volker Lendecke <vl@samba.org>
* libcli/secdesc: replace dup_sec_desc() usage (David Disseldorp, 2014-05-28; 1 file, -2/+5)

    Use security_descriptor_copy() instead, which is also provided by libcli.

    Signed-off-by: David Disseldorp <ddiss@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    Reviewed-by: Volker Lendecke <vl@samba.org>
* libcli/sd: remove redundant sec_ace_add_sid() (David Disseldorp, 2014-05-28; 2 files, -27/+0)

    This function adds a new allow-type ACE to an existing ACE list. With the removal of sec_desc_add_sid(), this is no longer used internally. The same behaviour can be achieved via the much cleaner security_ace_create() function.

    Signed-off-by: David Disseldorp <ddiss@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    Reviewed-by: Volker Lendecke <vl@samba.org>
* libcli/sd: remove redundant sec_desc_add_sid() (David Disseldorp, 2014-05-28; 2 files, -38/+0)

    This function adds an ACE to a security descriptor DACL. The same can be achieved via the more flexible and much cleaner security_ace_create() and security_descriptor_dacl_add() functions.

    Signed-off-by: David Disseldorp <ddiss@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    Reviewed-by: Volker Lendecke <vl@samba.org>
* libcli: Simplify desc_ace_has_generic() (Volker Lendecke, 2014-05-27; 1 file, -9/+6)

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: David Disseldorp <ddiss@samba.org>
* libcli: Simplify desc_expand_generic() (Volker Lendecke, 2014-05-27; 1 file, -13/+6)

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: David Disseldorp <ddiss@samba.org>
* libcli: Avoid an explicit memset call (Volker Lendecke, 2014-05-27; 1 file, -4/+4)

    On x86 with -O3, this saves a surprising 160 bytes of .text.

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: David Disseldorp <ddiss@samba.org>
* libcli: Avoid a talloc/free (Volker Lendecke, 2014-05-27; 1 file, -4/+6)

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: David Disseldorp <ddiss@samba.org>