From 2dcef48f242ffdcd980a4f6385ed07996ea915f4 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 26 Mar 2015 14:39:35 +0100 Subject: libcli/security: add security_descriptor_for_client() helper function This prepares a possibly stripped security descriptor for a client. Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner --- libcli/security/security_descriptor.c | 70 +++++++++++++++++++++++++++++++++++ libcli/security/security_descriptor.h | 5 +++ 2 files changed, 75 insertions(+) (limited to 'libcli') diff --git a/libcli/security/security_descriptor.c b/libcli/security/security_descriptor.c index a75942c0770..0a2bb952b0e 100644 --- a/libcli/security/security_descriptor.c +++ b/libcli/security/security_descriptor.c @@ -182,6 +182,76 @@ struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx, return NULL; } +NTSTATUS security_descriptor_for_client(TALLOC_CTX *mem_ctx, + const struct security_descriptor *ssd, + uint32_t sec_info, + uint32_t access_granted, + struct security_descriptor **_csd) +{ + struct security_descriptor *csd = NULL; + uint32_t access_required = 0; + + *_csd = NULL; + + if (sec_info & (SECINFO_OWNER|SECINFO_GROUP)) { + access_required |= SEC_STD_READ_CONTROL; + } + if (sec_info & SECINFO_DACL) { + access_required |= SEC_STD_READ_CONTROL; + } + if (sec_info & SECINFO_SACL) { + access_required |= SEC_FLAG_SYSTEM_SECURITY; + } + + if (access_required & (~access_granted)) { + return NT_STATUS_ACCESS_DENIED; + } + + /* + * make a copy... + */ + csd = security_descriptor_copy(mem_ctx, ssd); + if (csd == NULL) { + return NT_STATUS_NO_MEMORY; + } + + /* + * ... and remove everthing not wanted + */ + + if (!(sec_info & SECINFO_OWNER)) { + TALLOC_FREE(csd->owner_sid); + csd->type &= ~SEC_DESC_OWNER_DEFAULTED; + } + if (!(sec_info & SECINFO_GROUP)) { + TALLOC_FREE(csd->group_sid); + csd->type &= ~SEC_DESC_GROUP_DEFAULTED; + } + if (!(sec_info & SECINFO_DACL)) { + TALLOC_FREE(csd->dacl); + csd->type &= ~( + SEC_DESC_DACL_PRESENT | + SEC_DESC_DACL_DEFAULTED| + SEC_DESC_DACL_AUTO_INHERIT_REQ | + SEC_DESC_DACL_AUTO_INHERITED | + SEC_DESC_DACL_PROTECTED | + SEC_DESC_DACL_TRUSTED); + } + if (!(sec_info & SECINFO_SACL)) { + TALLOC_FREE(csd->sacl); + csd->type &= ~( + SEC_DESC_SACL_PRESENT | + SEC_DESC_SACL_DEFAULTED | + SEC_DESC_SACL_AUTO_INHERIT_REQ | + SEC_DESC_SACL_AUTO_INHERITED | + SEC_DESC_SACL_PROTECTED | + SEC_DESC_SERVER_SECURITY); + } + + *_csd = csd; + return NT_STATUS_OK; +} + /* add an ACE to an ACL of a security_descriptor */ diff --git a/libcli/security/security_descriptor.h b/libcli/security/security_descriptor.h index 87643bc945a..dd5d5f38049 100644 --- a/libcli/security/security_descriptor.h +++ b/libcli/security/security_descriptor.h @@ -26,6 +26,11 @@ struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx); struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx, const struct security_descriptor *osd); +NTSTATUS security_descriptor_for_client(TALLOC_CTX *mem_ctx, + const struct security_descriptor *ssd, + uint32_t sec_info, + uint32_t access_granted, + struct security_descriptor **_csd); NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd, const struct security_ace *ace); NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd, -- cgit v1.2.1