From d36bab52d0fd68a8d28238dbba7e7ea35b936e6c Mon Sep 17 00:00:00 2001
From: Noel Power <noel.power@suse.com>
Date: Thu, 25 Aug 2022 14:29:09 +0100
Subject: s3/utils: when encoding ace string use "FA", "FR", "FW", "FX" string
 rights

prior to this patch rights matching "FA", "FR", "FW", "FX" were
outputted as the hex string representing the bit value.

While outputting the hex string is perfectly fine, it makes it harder
to compare icacls output (which always uses the special string values)

Additionally adjust various tests to deal with use of shortcut access masks
as sddl format now uses FA, FR, FW & FX strings (like icalcs does) instead
of hex representation of the bit mask.

adjust
  samba4.blackbox.samba-tool_ntacl
  samba3.blackbox.large_acl
  samba.tests.samba_tool.ntacl
  samba.tests.ntacls
  samba.tests.posixacl

so various string comparisons of the sddl format now pass

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

[abartlet@samba.org Adapted to new stricter SDDL behaviour around leading zeros in hex
 numbers, eg 0x001]
---
 libcli/security/sddl.c | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

(limited to 'libcli')

diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c
index ee024b2b0d7..e14b2748384 100644
--- a/libcli/security/sddl.c
+++ b/libcli/security/sddl.c
@@ -333,6 +333,22 @@ static const struct flag_map decode_ace_access_mask[] = {
 	{ NULL, 0 },
 };
 
+
+static char *sddl_match_file_rights(TALLOC_CTX *mem_ctx,
+				uint32_t flags)
+{
+	int i;
+
+	/* try to find an exact match */
+	for (i=0;decode_ace_access_mask[i].name;i++) {
+		if (decode_ace_access_mask[i].flag == flags) {
+			return talloc_strdup(mem_ctx,
+					decode_ace_access_mask[i].name);
+		}
+	}
+	return NULL;
+}
+
 static bool sddl_decode_access(const char *str, uint32_t *pmask)
 {
 	const char *str0 = str;
@@ -776,8 +792,12 @@ static char *sddl_transition_encode_ace(TALLOC_CTX *mem_ctx, const struct securi
 	sddl_mask = sddl_flags_to_string(tmp_ctx, ace_access_mask,
 					 ace->access_mask, true);
 	if (sddl_mask == NULL) {
-		sddl_mask = talloc_asprintf(tmp_ctx, "0x%x",
-					     ace->access_mask);
+		sddl_mask = sddl_match_file_rights(tmp_ctx,
+				ace->access_mask);
+		if (sddl_mask == NULL) {
+			sddl_mask = talloc_asprintf(tmp_ctx, "0x%x",
+						    ace->access_mask);
+		}
 		if (sddl_mask == NULL) {
 			goto failed;
 		}
-- 
cgit v1.2.1