libcli/security: make sddl_encode_sid an external function
authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>
Fri, 21 Jul 2023 04:40:38 +0000 (16:40 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 7 Sep 2023 04:53:41 +0000 (04:53 +0000)
Mirroring the last commit for sddl_decode_sid, we want to be able to
encode SIDs from sibling source files.

The dom_sid functions are insufficient for this because they don't know
the SDDL short aliases, like "WD".

sddl_transition_encode_sid() is used internally.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/security/sddl.c
libcli/security/sddl.h

index 84d34b94c90c95e1d7541bb120eb2eb1713fb9a8..31c730c03f67b39569d734973b161cca92684018 100644 (file)
@@ -784,8 +784,8 @@ failed:
 /*
   encode a sid in SDDL format
 */
-static char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
-                            struct sddl_transition_state *state)
+static char *sddl_transition_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
+                                       struct sddl_transition_state *state)
 {
        bool in_machine = dom_sid_in_domain(state->machine_sid, sid);
        bool in_domain = dom_sid_in_domain(state->domain_sid, sid);
@@ -830,6 +830,23 @@ static char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
        return talloc_strdup(mem_ctx, sidstr);
 }
 
+char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
+                     const struct dom_sid *domain_sid)
+{
+       struct sddl_transition_state state = {
+               /*
+                * TODO: verify .machine_rid values really belong to
+                * to the machine_sid on a member, once
+                * we pass machine_sid from the caller...
+                */
+               .machine_sid = domain_sid,
+               .domain_sid = domain_sid,
+               .forest_sid = domain_sid,
+       };
+       return sddl_transition_encode_sid(mem_ctx, sid, &state);
+}
+
+
 
 /*
   encode an ACE in SDDL format
@@ -890,7 +907,7 @@ static char *sddl_transition_encode_ace(TALLOC_CTX *mem_ctx, const struct securi
                }
        }
 
-       sddl_trustee = sddl_encode_sid(tmp_ctx, &ace->trustee, state);
+       sddl_trustee = sddl_transition_encode_sid(tmp_ctx, &ace->trustee, state);
        if (sddl_trustee == NULL) {
                goto failed;
        }
@@ -976,14 +993,14 @@ char *sddl_encode(TALLOC_CTX *mem_ctx, const struct security_descriptor *sd,
        tmp_ctx = talloc_new(mem_ctx);
 
        if (sd->owner_sid != NULL) {
-               char *sid = sddl_encode_sid(tmp_ctx, sd->owner_sid, &state);
+               char *sid = sddl_transition_encode_sid(tmp_ctx, sd->owner_sid, &state);
                if (sid == NULL) goto failed;
                sddl = talloc_asprintf_append_buffer(sddl, "O:%s", sid);
                if (sddl == NULL) goto failed;
        }
 
        if (sd->group_sid != NULL) {
-               char *sid = sddl_encode_sid(tmp_ctx, sd->group_sid, &state);
+               char *sid = sddl_transition_encode_sid(tmp_ctx, sd->group_sid, &state);
                if (sid == NULL) goto failed;
                sddl = talloc_asprintf_append_buffer(sddl, "G:%s", sid);
                if (sddl == NULL) goto failed;
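Review bot: The TODO comment added inside the new `sddl_encode_sid` wrapper (second hunk of this file) has a duplicated word across its line break, "really belong to / to the machine_sid"; dropping the second `to` so the line reads `* the machine_sid on a member, once` fixes it. The same hunk also adds two blank lines after the wrapper's closing brace ahead of the existing blank line, leaving three consecutive blank lines before the "encode an ACE in SDDL format" comment, where one would match the rest of the file. Because the wrapper sets `.machine_sid`, `.domain_sid` and `.forest_sid` all to the caller's `domain_sid`, `sddl_transition_encode_sid` will see every SID in that domain as in-machine as well as in-domain (the `in_machine`/`in_domain` checks in the first hunk), and presumably as in-forest too; whether that changes the alias chosen for a non-root domain depends on the encoder body outside the hunk, but the conflation is worth stating in a comment on the wrapper rather than only in the TODO so callers know the three are not distinguished. Whether `dom_sid_in_domain` tolerates a NULL `domain_sid` is not visible here; the existing `sddl_decode_sid` takes the same parameter, so the same convention likely applies, but a one-line note on the wrapper would settle it.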
index 810b072fec3a6894d4524990136a3fde69ba5010..824b7032546147837f492015e5c76d3083ba873f 100644 (file)
@@ -33,4 +33,7 @@ char *sddl_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace,
 struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
                                const struct dom_sid *domain_sid);
 
+char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
+                     const struct dom_sid *domain_sid);
+
 #endif /* __SDDL_H__ */
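Review bot: The new `sddl_encode_sid` prototype added at the end of this hunk has no comment, and since the "encode a sid in SDDL format" comment in sddl.c now sits on the static `sddl_transition_encode_sid`, the public entry point is undocumented on both sides. A block above the prototype would give callers the contract: `/* Encode a SID in SDDL form, using a short alias such as "WD" where one exists. domain_sid is used as the machine, domain and forest SID when matching aliases. Returns a string allocated on mem_ctx, or NULL on failure. */`. The alias behaviour is the reason the commit gives for not using the dom_sid functions, and the NULL-on-failure return is what the callers in sddl.c already check for.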