libcli/security: sdd_decode_ace handles resource attribute types
authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>
Thu, 24 Aug 2023 04:10:35 +0000 (16:10 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 26 Sep 2023 23:45:35 +0000 (23:45 +0000)
The decoding will not happen until "RA" is added to the ace_types table.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/security/sddl.c

index 624e01210d3633bfbb62e62639f8554f8dfbd594..b028bc9878b1a98d271da5df9ab8c66815129ec5 100644 (file)
@@ -589,6 +589,11 @@ static bool sddl_decode_ace(TALLOC_CTX *mem_ctx,
                        DBG_WARNING("callback ACE has no trailing data\n");
                        return false;
                }
+       } else if (sec_ace_resource(ace->type)) {
+               if (! has_extra_data) {
+                       DBG_WARNING("resource ACE has no trailing data\n");
+                       return false;
+               }
        } else if (has_extra_data) {
                DBG_WARNING("ACE has trailing section but is not a "
                            "callback or resource ACE\n");
@@ -665,6 +670,33 @@ static bool sddl_decode_ace(TALLOC_CTX *mem_ctx,
                        return false;
                }
                str = discard_const_p(char, s + length + 1);
+       } else if (sec_ace_resource(ace->type)) {
+               size_t length;
+               struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *claim = NULL;
+
+               if (! dom_sid_equal(&ace->trustee, &global_sid_World)) {
+                       /* these are just the rules */
+                       DBG_WARNING("Resource Attribute ACE trustee must be "
+                                   "'S-1-1-0' or 'WD'.\n");
+                       return false;
+               }
+
+               s = tok[6];
+               claim = sddl_decode_resource_attr(mem_ctx, s, &length);
+               if (claim == NULL) {
+                       DBG_WARNING("Resource Attribute ACE parse failure\n");
+                       return false;
+               }
+               ace->coda.claim = *claim;
+
+               /*
+                * We want a ')' to end the ACE.
+                */
+               if (s[length] != ')') {
+                       DBG_WARNING("Resource ACE has trailing bytes\n");
+                       return false;
+               }
+               str = discard_const_p(char, s + length + 1);
        }
 
        *sddl_copy = str;
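Review bot: The decoded claim is copied into `ace->coda.claim` (the `ace->coda.claim = *claim;` line) before the trailing-`')'` check that follows it, so an ACE whose attribute blob is well-formed but followed by junk returns false while leaving a partially populated ace behind; moving the `if (s[length] != ')')` block above the assignment keeps the failure path side-effect free, matching how the other branches only write state once the token is fully validated. The talloc'd `claim` wrapper is also never released after the by-value copy and lives until mem_ctx goes away, which is harmless for a short-lived parse context but worth a comment such as `/* claim is copied by value; the talloc wrapper is left to mem_ctx */` — do not add a `talloc_free(claim)` unless sddl_decode_resource_attr is confirmed to allocate the claim's name/value buffers directly under mem_ctx rather than under claim, which cannot be told from this hunk. The enclosing function sddl_decode_ace starts and ends outside the hunk.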