From: Douglas Bagnall Date: Thu, 24 Aug 2023 04:10:35 +0000 (+1200) Subject: libcli/security: sdd_decode_ace handles resource attribute types X-Git-Tag: tevent-0.16.0~472 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6683d611e14b358f2cbb2c5f4576cd780e07993f;p=thirdparty%2Fsamba.git libcli/security: sdd_decode_ace handles resource attribute types The decoding will not happen until "RA" is added to the ace_types table. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett
---
diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c
index 624e01210d3..b028bc9878b 100644
--- a/libcli/security/sddl.c
+++ b/libcli/security/sddl.c
@@ -589,6 +589,11 @@ static bool sddl_decode_ace(TALLOC_CTX *mem_ctx,
 DBG_WARNING("callback ACE has no trailing data\n");
 return false;
 }
+ } else if (sec_ace_resource(ace->type)) {
+ if (! has_extra_data) {
+ DBG_WARNING("resource ACE has no trailing data\n");
+ return false;
+ }
 } else if (has_extra_data) {
 DBG_WARNING("ACE has trailing section but is not a "
 "callback or resource ACE\n");
@@ -665,6 +670,33 @@ static bool sddl_decode_ace(TALLOC_CTX *mem_ctx,
 return false;
 }
 str = discard_const_p(char, s + length + 1);
+ } else if (sec_ace_resource(ace->type)) {
+ size_t length;
+ struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *claim = NULL;
+
+ if (! dom_sid_equal(&ace->trustee, &global_sid_World)) {
+ /* these are just the rules */
+ DBG_WARNING("Resource Attribute ACE trustee must be "
+ "'S-1-1-0' or 'WD'.\n");
+ return false;
+ }
+
+ s = tok[6];
+ claim = sddl_decode_resource_attr(mem_ctx, s, &length);
+ if (claim == NULL) {
+ DBG_WARNING("Resource Attribute ACE parse failure\n");
+ return false;
+ }
+ ace->coda.claim = *claim;
+
+ /*
+ * We want a ')' to end the ACE.
+ */
+ if (s[length] != ')') {
+ DBG_WARNING("Resource ACE has trailing bytes\n");
+ return false;
+ }
+ str = discard_const_p(char, s + length + 1);
 }
 
 *sddl_copy = str;
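Review bot: In the first hunk (`@@ -589,6 +589,11 @@`), the new `sec_ace_resource` branch is the only guard before the second hunk reads `s = tok[6]`, but nothing in the code records that dependency. `has_extra_data` is set outside the hunk, so it is an assumption here that it means a seventh token was parsed. I would add a comment above the check such as `/* resource ACEs carry the claim in the 7th field; tok[6] is dereferenced below, so it must exist */`, so a later refactor of either branch does not silently drop the guard. The enclosing `sddl_decode_ace` starts and ends outside the hunk.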
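Review bot: In the second hunk (`@@ -665,6 +670,33 @@`), `s[length] != ')'` and `s + length + 1` trust the `length` written by `sddl_decode_resource_attr()`, whose body is not visible here. If that helper could ever report a length beyond the terminating NUL of `tok[6]`, the check becomes an out-of-bounds read on SDDL text that may come from an untrusted source. The contract should be stated at the call site, e.g. `/* sddl_decode_resource_attr() returns length <= strlen(s), so s[length] is at worst the NUL */`, and ideally enforced inside the helper. Separately, `ace->coda.claim = *claim;` is a shallow copy, so any pointers inside the claim presumably remain owned by the talloc chunk `claim` on `mem_ctx`. A comment that `claim` must not be freed independently of the ACE would prevent a future use-after-free. The enclosing `sddl_decode_ace` starts and ends outside the hunk.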