author | Christian Merten <christian@merten.dev> | 2022-09-19 22:47:10 +0200 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2022-09-27 16:46:35 +0000 |
commit | 7efe673fbdcd27ddd23f36281c5f5338681a68fe (patch) | |
tree | 88ba52f125451d39a7ad538911eae8d926e45363 /libcli | |
parent | b600b0c8d9690cb5eeded1e5925c8e667c11af04 (diff) | |
download | samba-7efe673fbdcd27ddd23f36281c5f5338681a68fe.tar.gz |
libcli security_descriptor: Add function to delete a given ace from a security descriptor
Two functions have been added to delete a given ace from the SACL or the DACL of a security descriptor.
Signed-off-by: Christian Merten <christian@merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'libcli')
-rw-r--r-- | libcli/security/security_descriptor.c | 66 | ||||
-rw-r--r-- | libcli/security/security_descriptor.h | 4 |
2 files changed, 70 insertions, 0 deletions
diff --git a/libcli/security/security_descriptor.c b/libcli/security/security_descriptor.c
index ba142016389..64c2d027876 100644
--- a/libcli/security/security_descriptor.c
+++ b/libcli/security/security_descriptor.c
@@ -420,6 +420,72 @@ NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd,
 }
 
 /*
+  delete the given ACE in the SACL or DACL of a security_descriptor
+*/
+static NTSTATUS security_descriptor_acl_del_ace(struct security_descriptor *sd,
+						bool sacl_del,
+						const struct security_ace *ace)
+{
+	uint32_t i;
+	bool found = false;
+	struct security_acl *acl = NULL;
+
+	if (sacl_del) {
+		acl = sd->sacl;
+	} else {
+		acl = sd->dacl;
+	}
+
+	if (acl == NULL) {
+		return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+	}
+
+	for (i=0;i<acl->num_aces;i++) {
+		if (security_ace_equal(ace, &acl->aces[i])) {
+			ARRAY_DEL_ELEMENT(acl->aces, i, acl->num_aces);
+			acl->num_aces--;
+			if (acl->num_aces == 0) {
+				acl->aces = NULL;
+			}
+			found = true;
+			i--;
+		}
+	}
+
+	if (!found) {
+		return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+	}
+
+	acl->revision = SECURITY_ACL_REVISION_NT4;
+
+	for (i=0;i<acl->num_aces;i++) {
+		switch (acl->aces[i].type) {
+		case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
+		case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
+		case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
+		case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
+			acl->revision = SECURITY_ACL_REVISION_ADS;
+			return NT_STATUS_OK;
+		default:
+			break; /* only for the switch statement */
+		}
+	}
+
+	return NT_STATUS_OK;
+}
+
+NTSTATUS security_descriptor_dacl_del_ace(struct security_descriptor *sd,
+					  const struct security_ace *ace)
+{
+	return security_descriptor_acl_del_ace(sd, false, ace);
+}
+
+NTSTATUS security_descriptor_sacl_del_ace(struct security_descriptor *sd,
+					  const struct security_ace *ace)
+{
+	return security_descriptor_acl_del_ace(sd, true, ace);
+}
+/*
   compare two security ace structures
 */
 bool security_ace_equal(const struct security_ace *ace1,
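Review bot: The delete loop in security_descriptor_acl_del_ace is unsafe when `ace` points into the very array it edits, which is the natural way a caller iterating `sd->dacl->aces` would obtain it: ARRAY_DEL_ELEMENT shifts the following entries down, so after the first match `ace` aliases `&acl->aces[i]` on the re-visited index, security_ace_equal compares an element with itself, and every remaining ACE is deleted in a cascade (assuming security_ace_equal compares by value, as its name suggests). Take a by-value snapshot before the loop and compare against that, `const struct security_ace needle = *ace;` and `if (security_ace_equal(&needle, &acl->aces[i])) {`, which keeps the "delete all equal ACEs" semantics while making the result independent of where `ace` lives; this holds as long as struct security_ace has no pointer members the comparison follows, which is worth confirming. The `i--` after the deletion relies on unsigned wrap of a uint32_t when i is 0 (defined, but easy to misread); a `while (i < acl->num_aces)` loop that only increments on a non-match would be clearer. The whole body, including the revision recomputation, duplicates security_descriptor_acl_del apart from the match predicate; a shared helper taking the compare callback, or at least a shared "recompute revision" helper, would keep the two from drifting.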
diff --git a/libcli/security/security_descriptor.h b/libcli/security/security_descriptor.h
index 7e6df87fefa..46545321d15 100644
--- a/libcli/security/security_descriptor.h
+++ b/libcli/security/security_descriptor.h
@@ -39,6 +39,10 @@ NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd,
 				      const struct dom_sid *trustee);
 NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd,
 				      const struct dom_sid *trustee);
+NTSTATUS security_descriptor_dacl_del_ace(struct security_descriptor *sd,
+					  const struct security_ace *ace);
+NTSTATUS security_descriptor_sacl_del_ace(struct security_descriptor *sd,
+					  const struct security_ace *ace);
 bool security_ace_equal(const struct security_ace *ace1,
 			const struct security_ace *ace2);
 bool security_acl_equal(const struct security_acl *acl1,