path: root/libcli/security
Commit message | Author | Age | Files | Lines
* libcli: Update error check for new string conversion wrapper | Swen Schillig | 2019-04-11 | 1 | -3/+3
  The new string conversion wrappers detect and flag errors which occurred during the string to integer conversion. Those modifications required an update of the callees error checks.
  Signed-off-by: Swen Schillig <swen@linux.ibm.com>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Christof Schmitt <cs@samba.org>
* build: Remove bld.gen_python_environments() | Andrew Bartlett | 2019-03-21 | 1 | -7/+6
  This was part of --extra-python support.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* lib: Remove "struct sid_parse_ret" again | Volker Lendecke | 2019-03-12 | 2 | -7/+4
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* lib: Make sid_parse return the parsed length | Volker Lendecke | 2019-03-12 | 2 | -4/+7
  Use a temporary struct as a return value to make the compiler catch all callers. If we just changed bool->ssize_t, this would just generate a warning. struct sid_parse_ret will go away in the next commit
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/security: fix handling of deny type ACEs in access_check_max_allowed() | Ralph Boehme | 2019-03-04 | 1 | -1/+1
  Deny ACEs must always be evaluated against explicitly granted rights from previous ACEs.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli/security: correct access check and maximum access calculation for Owner Rights ACEs | Ralph Boehme | 2019-03-04 | 1 | -67/+73
  We basically must process the Owner Rights ACEs as any other ACE wrt to the order of adding granted permissions and checking denied permissions. According to MS-DTYP 2.5.3.2 Owner Rights ACEs must be evaluated in the main loop over the ACEs in an ACL and the corresponding access_mask must be directly applied to bits_remaining. We currently defer this to after the loop over the ACEs in ACL, this is wrong.

  We just have to do some initial magic to determine if an ACL contains any Owner Rights ACEs, and in case it doesn't we grant SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL at the *beginning*.

  MS-DTYP:

  -- the owner of an object is always granted READ_CONTROL and WRITE_DAC.
  CALL SidInToken(Token, SecurityDescriptor.Owner, PrincipalSelfSubst)
  IF SidInToken returns True THEN
      IF DACL does not contain ACEs from object owner THEN
          Remove READ_CONTROL and WRITE_DAC from RemainingAccess
          Set GrantedAccess to GrantedAccess or READ_CONTROL or WRITE_OWNER
      END IF
  END IF

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli: Use wrapper for string to integer conversion | Swen Schillig | 2019-03-01 | 1 | -6/+8
  In order to detect a value overflow error during the string to integer conversion with strtoul/strtoull, the errno variable must be set to zero before the execution and checked after the conversion is performed. This is achieved by using the wrapper function strtoul_err and strtoull_err.
  Signed-off-by: Swen Schillig <swen@linux.ibm.com>
  Reviewed-by: Ralph Böhme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli/security: add "Owner Rights" calculation to access_check_max_allowed() | Ralph Boehme | 2019-02-28 | 1 | -5/+28
  This was missing in 44590c1b70c0a24f853c02d5fcdb3c609401e2ca.
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13812
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: David Disseldorp <ddiss@samba.org>
  Autobuild-User(master): David Disseldorp <ddiss@samba.org>
  Autobuild-Date(master): Thu Feb 28 19:18:16 UTC 2019 on sn-devel-144
* sddl: Use C99 initializer for sid_codes | Andreas Schneider | 2019-01-28 | 1 | -49/+49
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* libcli:security: Return early if there are no aces to duplicate | Andreas Schneider | 2018-12-12 | 1 | -5/+10
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Wed Dec 12 22:18:52 CET 2018 on sn-devel-144
* libcli:security: Do not duplicate invalid aces | Andreas Schneider | 2018-12-12 | 1 | -0/+4
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
* libcli/security: add dom_sid_lookup_is_predefined_domain() | Ralph Boehme | 2018-12-05 | 2 | -0/+34
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164
  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: David Mulder <dmulder@suse.com>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* libcli: Use dom_sid_str_buf | Volker Lendecke | 2018-11-27 | 1 | -2/+5
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli: Use dom_sid_str_buf | Volker Lendecke | 2018-11-27 | 1 | -4/+5
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli: Use dom_sid_str_buf | Volker Lendecke | 2018-11-09 | 1 | -11/+7
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* lib: Make dom_sid_string_buf static | Volker Lendecke | 2018-11-03 | 2 | -2/+1
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Sat Nov 3 00:23:31 CET 2018 on sn-devel-144
* lib: Add dom_sid_str_buf | Volker Lendecke | 2018-11-02 | 2 | -0/+12
  This is modeled after server_id_str_buf, which as an API to me is easier to use: I can rely on the compiler to get the buffer size right.

  It is designed to violate README.Coding's "Make use of helper variables", but as this API is simple enough and the output should never be a surprise at all, I think that's worth it.

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Fri Nov 2 20:11:11 CET 2018 on sn-devel-144
* lib: Add error checks in dom_sid_string_buf | Volker Lendecke | 2018-11-02 | 1 | -9/+23
  Also, avoid casts by using PRIxxx macros
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* lib: Avoid an "includes.h" | Volker Lendecke | 2018-10-25 | 1 | -1/+4
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2018-10919 security: Fix checking of object-specific CONTROL_ACCESS rights | Tim Beale | 2018-08-14 | 1 | -0/+10
  An 'Object Access Allowed' ACE that assigned 'Control Access' (CR) rights to a specific attribute would not actually grant access.

  What was happening was the remaining_access mask for the object_tree nodes would be Read Property (RP) + Control Access (CR). The ACE mapped to the schemaIDGUID for a given attribute, which would end up being a child node in the tree. So the CR bit was cleared for a child node, but not the rest of the tree. We would then check the user had the RP access right, which it did. However, the RP right was cleared for another node in the tree, which still had the CR bit set in its remaining_access bitmap, so Samba would not grant access.

  Generally, the remaining_access only ever has one bit set, which means this isn't a problem normally. However, in the Control Access case there are 2 separate bits being checked, i.e. RP + CR.

  One option to fix this problem would be to clear the remaining_access for the tree instead of just the node. However, the Windows spec is actually pretty clear on this: if the ACE has a CR right present, then you can stop any further access checks.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
  Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* CVE-2018-10919 security: Add more comments to the object-specific access checks | Tim Beale | 2018-08-14 | 1 | -8/+22
  Reading the spec and then reading the code makes sense, but we could comment the code more so it makes sense on its own.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
  Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* CVE-2018-10919 security: Move object-specific access checks into separate function | Tim Beale | 2018-08-14 | 1 | -27/+59
  Object-specific access checks refer to a specific section of the MS-ADTS, and the code closely matches the spec. We need to extend this logic to properly handle the Control-Access Right (CR), so it makes sense to split the logic out into its own function.

  This patch just moves the code, and should not alter the logic (apart from adding in the boolean grant_access return variable).

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
  Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* libcli: remove unused se_create_child_secdesc_buf() | Ralph Boehme | 2018-05-09 | 2 | -32/+0
  Commit e2c9ad93cb914186b89e2055f1bed3cceee1f768 removed the last caller of this.
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Ralph Böhme <slow@samba.org>
  Autobuild-Date(master): Wed May 9 19:18:44 CEST 2018 on sn-devel-144
* libcli/security: add dom_sid_is_valid_account_domain() | Stefan Metzmacher | 2018-03-19 | 2 | -0/+64
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* libcli/security: fix some SID values in comments | Stefan Metzmacher | 2018-03-16 | 1 | -3/+3
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Fri Mar 16 19:47:15 CET 2018 on sn-devel-144
* libcli/security: only announce a session as GUEST if 'Builtin\Guests' is there without 'Authenticated User' | Ralph Boehme | 2018-03-15 | 1 | -7/+11
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* libcli/security: add dom_sid_lookup_predefined_{sid,name}() | Stefan Metzmacher | 2018-02-21 | 2 | -0/+512
  This basically implements [MS-LSAT] 3.1.1.1.1 Predefined Translation Database and Corresponding View.
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* lib: Save a few bytes of .text | Volker Lendecke | 2017-11-13 | 1 | -1/+1
  Looks surprising, but this does save bytes if you look at the object with "size".
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli: Fix a signed/unsigned hickup | Volker Lendecke | 2017-11-13 | 1 | -1/+1
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli/security: Move debug message to DBG_DEBUG() | Andrew Bartlett | 2017-09-07 | 1 | -1/+1
  This message shows up a lot at level 6 for no particularly good reason
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* python: Port samba.security to Python 3 compatible form. | Lumir Balhar | 2017-09-06 | 2 | -12/+22
  Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* libcli/security: fix dom_sid_in_domain() | Ralph Boehme | 2017-04-12 | 1 | -1/+5
  Ensure the SID has exactly one component more than the domain SID, eg

  Domain SID: S-1-5-21-1-2-3
  SID: S-1-5-21-1-2-3-4

  This will return true. If the SID has more components, eg

  SID: S-1-5-21-1-2-3-4-5, or
  SID: S-1-5-21-1-2-3-4-5-6-7-8

  dom_sid_in_domain() must return false.

  This was verified against Windows:

  lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000002 (2) domains : * domains: ARRAY(2) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x000e (14) size : 0x0010 (16) string : * string : 'BUILTIN' sid : * sid : S-1-5-32 domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x0012 (18) size : 0x0014 (20) string : * string : 'W4EDOM-L4' sid : * sid : S-1-5-21-278041429-3399921908-1452754838 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000004 (4) names : * names: ARRAY(4) names: struct lsa_TranslatedName sid_type : SID_NAME_USER (1) name: struct lsa_String length : 0x001a (26) size : 0x001a (26) string : * string : 'Administrator' sid_index : 0x00000001 (1) names: struct lsa_TranslatedName sid_type : SID_NAME_UNKNOWN (8) name: struct lsa_String length : 0x005c (92) size : 0x005e (94) string : * string : 'S-1-5-21-278041429-3399921908-1452754838-500-1' sid_index : 0xffffffff (4294967295) names: struct lsa_TranslatedName sid_type : SID_NAME_ALIAS (4) name: struct lsa_String length : 0x001c (28) size : 0x001c (28) string : * string : 'Administrators' sid_index : 0x00000000 (0) names: struct lsa_TranslatedName sid_type : SID_NAME_UNKNOWN (8) name: struct lsa_String length : 0x001c (28) size : 0x001e (30) string : * string : 'S-1-5-32-544-9' sid_index : 0xffffffff (4294967295) count : * count : 0x00000002 (2) result : STATUS_SOME_UNMAPPED

  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli/security: add SID_NAME_LABEL to sid_type_lookup() | Stefan Metzmacher | 2017-03-23 | 1 | -1/+2
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli: Add an overflow check | Volker Lendecke | 2017-01-23 | 1 | -0/+4
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli: Do not overwrite pointer on realloc failure | Volker Lendecke | 2017-01-23 | 1 | -3/+5
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* lib: Add required prerequisites for librpc/gen_ndr/security.h | Volker Lendecke | 2016-12-28 | 1 | -0/+3
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Uri Simchoni <uri@samba.org>
* lib: security: se_access_check() incorrectly processes owner rights (S-1-3-4) DENY ace entries | Jeremy Allison | 2016-12-10 | 1 | -1/+1
  Reported and proposed fix by Shilpa K <shilpa.krishnareddy@gmail.com>.

  When processing DENY ACE entries for owner rights SIDs (S-1-3-4) the code OR's in the deny access mask bits without taking into account if they were being requested in the requested access mask.

  E.g. The current logic has:

  An ACL containing:

  [0] SID: S-1-3-4 TYPE: DENY MASK: WRITE_DATA
  [1] SID: S-1-3-4 TYPE: ALLOW MASK: ALLOW_ALL

  prohibits an open request by the owner for READ_DATA - even though this is explicitly allowed.

  Furthermore a non-canonical ACL containing:

  [0] SID: User SID 1-5-21-something TYPE: ALLOW MASK: READ_DATA
  [1] SID: S-1-3-4 TYPE: DENY MASK: READ_DATA
  [2] SID: User SID 1-5-21-something TYPE: ALLOW MASK: WRITE_DATA

  prohibits an open request by the owner for READ_DATA|WRITE_DATA - even though READ_DATA is explicitly allowed in ACE no 0 and is thus already filtered out of the "access-still-needed" mask when the deny ACE no 1 is evaluated.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12466
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* lib: Make dom_sid_parse_endp init "endp" on all "ok" paths | Volker Lendecke | 2016-12-06 | 1 | -1/+2
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli: Remove code clone | Moritz Beller | 2016-10-13 | 1 | -1/+1
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12373
  Signed-off-by: Moritz Beller <moritzbeller@gmx.de>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Simo <simo@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Thu Oct 13 18:13:45 CEST 2016 on sn-devel-144
* lib: Annotate well known SID names | Steve French | 2016-09-29 | 1 | -1/+35
  Add Samba specific well known SIDs for Unix UID and GID owner.
  Signed-off-by: Steve French <smfrench@gmail.com>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* libcli/security: implement SECURITY_GUEST | Stefan Metzmacher | 2016-04-28 | 4 | -0/+12
  SECURITY_GUEST is not exactly the same as SECURITY_ANONYMOUS.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Günther Deschner <gd@samba.org>
* libcli: Fix debug message, print sid string for new_ace trustee. | Noel Power | 2016-02-16 | 1 | -1/+1
  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Uri Simchoni <uri@samba.org>
  Reviewed-by: Amitay Isaacs <amitay@gmail.com>
* security: Add Asserted Identity sids (S-1-18) | Günther Deschner | 2016-01-15 | 2 | -0/+11
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=11677
  definitions taken from [MS-DTYP]: Windows Data Types, 2.4.2.4 Well-Known SID Structures.
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* lib: Remove unused sid_blob_parse | Volker Lendecke | 2015-08-26 | 2 | -15/+6
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* lib: Make sid_parse take a uint8_t | Volker Lendecke | 2015-08-26 | 2 | -2/+2
  sid_parse takes a binary blob, uint8_t reflects this a bit better than char * does
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* lib: Use dom_sid_equal where appropriate | Volker Lendecke | 2015-08-20 | 1 | -1/+2
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Ira Cooper <ira@samba.org>
* lib: Remove some unused code | Volker Lendecke | 2015-08-14 | 2 | -20/+0
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Martin Schwenke <martin@meltin.net>
* lib: Remove some unused code | Volker Lendecke | 2015-08-14 | 2 | -24/+0
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Martin Schwenke <martin@meltin.net>
* s4: Fix bad review I did in dom_sid_parse_length() code. | Jeremy Allison | 2015-04-29 | 1 | -1/+2
  Volker, apologies for the mistake.
  Spotted by Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed Apr 29 08:20:23 CEST 2015 on sn-devel-104
* lib: Simplify dom_sid_parse_length | Volker Lendecke | 2015-04-28 | 1 | -8/+3
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>