From: Douglas Bagnall Date: Thu, 26 Oct 2023 03:55:33 +0000 (+1300) Subject: libcli/security: add sddl_decode_err_msg() X-Git-Tag: talloc-2.4.2~905 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=93347aa5af151c4441b768580d174a0d26fb5b91;p=thirdparty%2Fsamba.git libcli/security: add sddl_decode_err_msg() This will return an error message, if it can, along with an indicative position. For conditional ACEs the message might be accurate, and the position fine-grained. For example, you might be able to construct the message like this: D:(XA;;CC;;;S-1-2-3;(@User.Title == !(@User.Title))) ^ 16: unexpected operator For non-conditional ACEs, the position typically points to the beginning of the ACE, like this: D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A; OICI; GRGWGX;;;AU) ^ unknown error Here the error is in the spaces either side of " OICI; ", but the pointer points to the beginning of the ACE. The old sddl_decode() function becomes a wrapper around the new function, which inherits the guts of the old function. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett
---
diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c
index 04cc577d2c8..9bd8d805c33 100644
--- a/libcli/security/sddl.c
+++ b/libcli/security/sddl.c
@@ -810,10 +810,14 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd,
 }
 
 /*
- decode a security descriptor in SDDL format
-*/
-struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl,
- const struct dom_sid *domain_sid)
+ * Decode a security descriptor in SDDL format, catching compilation
+ * error messages, if any.
+ *
+ * The message will be a direct talloc child of mem_ctx or NULL.
+ */
+struct security_descriptor *sddl_decode_err_msg(TALLOC_CTX *mem_ctx, const char *sddl,
+ const struct dom_sid *domain_sid,
+ const char **msg, size_t *msg_offset)
 {
 struct sddl_transition_state state = {
 /*
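Review bot: The new header comment on sddl_decode_err_msg() documents the ownership of *msg but says nothing about msg_offset, nor whether either out-parameter is written on success or may be passed as NULL; the wrapper added in the same commit pre-initialises both locals, which suggests the callee does not always set them, but the function body lies outside this hunk so that cannot be confirmed here. Because the message is a talloc child of mem_ctx that the caller is expected to free (the wrapper does so through discard_const), the contract is worth stating next to the prototype, e.g. ` * @param msg         out: error text, a talloc child of mem_ctx the caller frees, or NULL` and ` * @param msg_offset  out: byte offset into sddl the message refers to; only meaningful when *msg != NULL`. The same wording belongs on the declaration added to sddl.h. sddl_decode_err_msg's body continues beyond the end of this hunk.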
@@ -877,6 +881,26 @@ failed:
 return NULL;
 }
 
+
+/*
+ decode a security descriptor in SDDL format
+*/
+struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl,
+ const struct dom_sid *domain_sid)
+{
+ const char *msg = NULL;
+ size_t msg_offset = 0;
+ struct security_descriptor *sd = sddl_decode_err_msg(mem_ctx, sddl, domain_sid,
+ &msg, &msg_offset);
+ DBG_NOTICE("could not decode '%s'\n", sddl);
+ if (msg != NULL) {
+ DBG_NOTICE(" %*c\n", (int)msg_offset, '^');
+ DBG_NOTICE("error '%s'\n", msg);
+ talloc_free(discard_const(msg));
+ }
+ return sd;
+}
+
 /*
 turn a set of flags into a string
 */
diff --git a/libcli/security/sddl.h b/libcli/security/sddl.h
index 824b7032546..c4dc72d834d 100644
--- a/libcli/security/sddl.h
+++ b/libcli/security/sddl.h
@@ -25,6 +25,9 @@ struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl, const struct dom_sid *domain_sid); +struct security_descriptor *sddl_decode_err_msg(TALLOC_CTX *mem_ctx, const char *sddl, + const struct dom_sid *domain_sid, + const char **msg, size_t *msg_offset); char *sddl_encode(TALLOC_CTX *mem_ctx, const struct security_descriptor *sd, const struct dom_sid *domain_sid); char *sddl_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace,
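Review bot: The `DBG_NOTICE("could not decode '%s'\n", sddl);` call in the new sddl_decode() wrapper is unconditional, so every successful decode also logs a "could not decode" line with the full SDDL string; the notice and the message block that follows it should be wrapped in `if (sd == NULL) {` … `}` so that only failures are reported. It also looks as if the caret line will not line up with the descriptor as printed: `%*c` with width `(int)msg_offset` pads from the start of the log line, whereas the sddl text on the previous line follows the "could not decode '" prefix, so the pointer lands that many columns short of the reported offset unless the prefix length is added to the width or sddl is printed on a line of its own. Since msg is a const char * owned by mem_ctx, the `talloc_free(discard_const(msg))` is correct but a one-line comment saying the message is freed here because callers of sddl_decode() never see it would save the next reader the detour into sddl_decode_err_msg().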