author | Christian Merten <christian@merten.dev> | 2022-09-19 22:50:58 +0200 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2022-09-27 16:46:35 +0000 |
commit | 1a9aac53e8ee081cf6d2028de759563120619554 (patch) | |
tree | 273b4c6c931bf6768b53bfd3add2cd81cb7681c4 /libcli | |
parent | 7efe673fbdcd27ddd23f36281c5f5338681a68fe (diff) | |
download | samba-1a9aac53e8ee081cf6d2028de759563120619554.tar.gz |
libcli security_descriptor: Compare object type and inherited object type when comparing ACEs
Fixed security_ace_equal returning true despite differing object types, by checking that the (inherited) object type
of both ACEs is equal.
Signed-off-by: Christian Merten <christian@merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'libcli')
-rw-r--r-- | libcli/security/security_descriptor.c | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/libcli/security/security_descriptor.c b/libcli/security/security_descriptor.c
index 64c2d027876..23d436dbaeb 100644
--- a/libcli/security/security_descriptor.c
+++ b/libcli/security/security_descriptor.c
@@ -21,6 +21,7 @@
 #include "includes.h"
 #include "libcli/security/security.h"
+#include "librpc/ndr/libndr.h"
 /*
   return a blank security descriptor (no owners, dacl or sacl)
@@ -485,6 +486,32 @@ NTSTATUS security_descriptor_sacl_del_ace(struct security_descriptor *sd,
 {
 	return security_descriptor_acl_del_ace(sd, true, ace);
 }
+
+static bool security_ace_object_equal(const struct security_ace_object *object1,
+				      const struct security_ace_object *object2)
+{
+	if (object1 == object2) {
+		return true;
+	}
+	if ((object1 == NULL) || (object2 == NULL)) {
+		return false;
+	}
+	if (object1->flags != object2->flags) {
+		return false;
+	}
+	if (object1->flags & SEC_ACE_OBJECT_TYPE_PRESENT
+	    && !GUID_equal(&object1->type.type, &object2->type.type)) {
+		return false;
+	}
+	if (object1->flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
+	    && !GUID_equal(&object1->inherited_type.inherited_type,
+			   &object2->inherited_type.inherited_type)) {
+		return false;
+	}
+
+	return true;
+}
+
 /*
   compare two security ace structures
 */
@@ -506,6 +533,14 @@ bool security_ace_equal(const struct security_ace *ace1,
 	if (ace1->access_mask != ace2->access_mask) {
 		return false;
 	}
+	if ((ace1->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
+	    || ace1->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
+	    || ace1->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT
+	    || ace1->type == SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT)
+	    && !security_ace_object_equal(&ace1->object.object,
+					  &ace2->object.object)) {
+		return false;
+	}
 	if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) {
 		return false;
 	}
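Review bot: The two GUID tests in security_ace_object_equal combine a bitwise `&` with `&&` without parentheses, so the reader has to recall that `&` binds tighter; `if ((object1->flags & SEC_ACE_OBJECT_TYPE_PRESENT) && !GUID_equal(&object1->type.type, &object2->type.type)) {` and the same form for the inherited-type test read unambiguously. The helper also has no header comment, and the contract worth stating is that the flags word must match exactly and a GUID is compared only when its *_PRESENT flag says it is populated, since an absent object type carries no meaningful GUID: `/* Compare the object part of two object ACEs: flags must match, and each GUID is compared only when its *_PRESENT flag is set. */`. The NULL guard is harmless but, from the one caller in this commit, unreachable, since it passes addresses of union members.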
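Review bot: The four-way type test in the new `if` in security_ace_equal duplicates the decision of which ACE types carry an object field; if this tree's sec_ace_object() predicate (the one the NDR union switch uses) is reachable through security.h, `if (sec_ace_object(ace1->type) && !security_ace_object_equal(&ace1->object.object, &ace2->object.object)) {` keeps that knowledge in one place, so an object-bearing ACE type added later is not silently left out of the comparison. The branch keys on ace1->type alone; security_ace_equal begins outside the hunk, so I am assuming the two types are compared before this point, otherwise ace2->object.object would be interpreted according to ace1's type. A unit test with two ACEs that are identical except for the object GUID (and one pair differing only in the inherited-object GUID) would pin the fix, since before this commit both compared equal.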