diff options
author | Andrew Tridgell <tridge@samba.org> | 2004-12-11 05:41:19 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:06:31 -0500 |
commit | 6ca874f71ad77c82d6e161a3e4772100de2ad6c5 (patch) | |
tree | 6379d5d502d779df1da563911d40249030268ac6 | |
parent | 280bb1cf0fc84c61e20f6f557cecbeba726e2749 (diff) | |
download | samba-6ca874f71ad77c82d6e161a3e4772100de2ad6c5.tar.gz samba-6ca874f71ad77c82d6e161a3e4772100de2ad6c5.tar.bz2 samba-6ca874f71ad77c82d6e161a3e4772100de2ad6c5.zip |
r4147: converted from NT_USER_TOKEN to struct security_token
this is mostly just a tidyup, but also adds the privilege_mask, which
I will be using shortly in ACL checking.
note that I had to move the definition of struct security_token out of
security.idl as pidl doesn't yet handle arrays of pointers, and the
usual workaround (to use a intermediate structure) would make things
too cumbersome for this structure, especially given we never encode it
to NDR.
(This used to be commit 7b446af09b8050746bfc2c50e9d56aa94397cc1a)
-rw-r--r-- | source4/auth/auth.h | 9 | ||||
-rw-r--r-- | source4/auth/auth_util.c | 128 | ||||
-rw-r--r-- | source4/include/smb.h | 23 | ||||
-rw-r--r-- | source4/libcli/auth/gensec_krb5.c | 29 | ||||
-rw-r--r-- | source4/libcli/security/access_check.c | 16 | ||||
-rw-r--r-- | source4/libcli/security/config.mk | 1 | ||||
-rw-r--r-- | source4/libcli/security/privilege.c | 84 | ||||
-rw-r--r-- | source4/libcli/security/security_token.c | 15 | ||||
-rw-r--r-- | source4/librpc/idl/security.idl | 73 | ||||
-rw-r--r-- | source4/ntvfs/posix/pvfs_acl.c | 2 | ||||
-rw-r--r-- | source4/ntvfs/unixuid/vfs_unixuid.c | 18 | ||||
-rw-r--r-- | source4/torture/raw/acls.c | 8 | ||||
-rw-r--r-- | source4/utils/ntlm_auth.c | 9 |
13 files changed, 225 insertions, 190 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 741cd55542..3f1d11cb45 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -97,15 +97,10 @@ struct auth_serversupplied_info uint32 acct_flags; }; -struct auth_session_info -{ +struct auth_session_info { int refcount; - /* NT group information taken from the info3 structure */ - - NT_USER_TOKEN *nt_user_token; - + struct security_token *security_token; struct auth_serversupplied_info *server_info; - DATA_BLOB session_key; /* needed to key the schannel credentials */ diff --git a/source4/auth/auth_util.c b/source4/auth/auth_util.c index 503e1dee82..4a60c3f847 100644 --- a/source4/auth/auth_util.c +++ b/source4/auth/auth_util.c @@ -298,127 +298,111 @@ BOOL make_user_info_guest(TALLOC_CTX *mem_ctx, } /**************************************************************************** - prints a NT_USER_TOKEN to debug output. + prints a struct security_token to debug output. ****************************************************************************/ - -void debug_nt_user_token(int dbg_class, int dbg_lev, const NT_USER_TOKEN *token) +void debug_security_token(int dbg_class, int dbg_lev, const struct security_token *token) { TALLOC_CTX *mem_ctx; size_t i; if (!token) { - DEBUGC(dbg_class, dbg_lev, ("NT user token: (NULL)\n")); + DEBUGC(dbg_class, dbg_lev, ("Security token: (NULL)\n")); return; } - mem_ctx = talloc_init("debug_nt_user_token()"); + mem_ctx = talloc_init("debug_security_token()"); if (!mem_ctx) { return; } - DEBUGC(dbg_class, dbg_lev, ("NT user token of user %s\n", - dom_sid_string(mem_ctx, token->user_sids[0]) )); - DEBUGADDC(dbg_class, dbg_lev, ("contains %lu SIDs\n", (unsigned long)token->num_sids)); - for (i = 0; i < token->num_sids; i++) - DEBUGADDC(dbg_class, dbg_lev, ("SID[%3lu]: %s\n", (unsigned long)i, - dom_sid_string(mem_ctx, token->user_sids[i]))); + DEBUGC(dbg_class, dbg_lev, ("Security token of user %s\n", + dom_sid_string(mem_ctx, token->user_sid) )); + DEBUGADDC(dbg_class, dbg_lev, ("contains %lu SIDs\n", + (unsigned long)token->num_sids)); + for (i = 0; i < token->num_sids; i++) { + DEBUGADDC(dbg_class, dbg_lev, + ("SID[%3lu]: %s\n", (unsigned long)i, + dom_sid_string(mem_ctx, token->sids[i]))); + } talloc_destroy(mem_ctx); } /**************************************************************************** - prints a NT_USER_TOKEN to debug output. + prints a struct auth_session_info security token to debug output. ****************************************************************************/ - -void debug_session_info(int dbg_class, int dbg_lev, const struct auth_session_info *session_info) +void debug_session_info(int dbg_class, int dbg_lev, + const struct auth_session_info *session_info) { if (!session_info) { DEBUGC(dbg_class, dbg_lev, ("Session Info: (NULL)\n")); return; } - debug_nt_user_token(dbg_class, dbg_lev, session_info->nt_user_token); + debug_security_token(dbg_class, dbg_lev, session_info->security_token); } /**************************************************************************** Create the SID list for this user. ****************************************************************************/ - -NTSTATUS create_nt_user_token(TALLOC_CTX *mem_ctx, - struct dom_sid *user_sid, struct dom_sid *group_sid, - int n_groupSIDs, struct dom_sid **groupSIDs, - BOOL is_guest, struct nt_user_token **token) +NTSTATUS create_security_token(TALLOC_CTX *mem_ctx, + struct dom_sid *user_sid, struct dom_sid *group_sid, + int n_groupSIDs, struct dom_sid **groupSIDs, + BOOL is_guest, struct security_token **token) { - NTSTATUS nt_status = NT_STATUS_OK; - struct nt_user_token *ptoken; + struct security_token *ptoken; int i; - int sid_ndx; - - if (!(ptoken = talloc_p(mem_ctx, struct nt_user_token))) { - DEBUG(0, ("create_nt_token: Out of memory allocating token\n")); - nt_status = NT_STATUS_NO_MEMORY; - return nt_status; - } - ptoken->num_sids = 0; + ptoken = security_token_initialise(mem_ctx); + if (ptoken == NULL) { + return NT_STATUS_NO_MEMORY; + } - if (!(ptoken->user_sids = talloc_array_p(mem_ctx, struct dom_sid*, n_groupSIDs + 5))) { - DEBUG(0, ("create_nt_token: Out of memory allocating SIDs\n")); - nt_status = NT_STATUS_NO_MEMORY; - return nt_status; + ptoken->sids = talloc_array_p(ptoken, struct dom_sid *, n_groupSIDs + 5); + if (!ptoken->sids) { + return NT_STATUS_NO_MEMORY; } - - /* - * Note - user SID *MUST* be first in token ! - * se_access_check depends on this. - * - * Primary group SID is second in token. Convention. - */ - ptoken->user_sids[PRIMARY_USER_SID_INDEX] = user_sid; - ptoken->num_sids++; - ptoken->user_sids[PRIMARY_GROUP_SID_INDEX] = group_sid; - ptoken->num_sids++; + ptoken->user_sid = user_sid; + ptoken->group_sid = group_sid; + ptoken->privilege_mask = 0; + + ptoken->sids[0] = user_sid; + ptoken->sids[1] = group_sid; /* * Finally add the "standard" SIDs. * The only difference between guest and "anonymous" (which we * don't really support) is the addition of Authenticated_Users. */ - ptoken->user_sids[2] = dom_sid_parse_talloc(mem_ctx, SID_WORLD); - ptoken->user_sids[3] = dom_sid_parse_talloc(mem_ctx, SID_NT_NETWORK); - - if (is_guest) { - ptoken->user_sids[4] = dom_sid_parse_talloc(mem_ctx, SID_BUILTIN_GUESTS); - ptoken->num_sids++; - } else { - ptoken->user_sids[4] = dom_sid_parse_talloc(mem_ctx, SID_NT_AUTHENTICATED_USERS); - ptoken->num_sids++; - } - - sid_ndx = 5; /* next available spot */ + ptoken->sids[2] = dom_sid_parse_talloc(mem_ctx, SID_WORLD); + ptoken->sids[3] = dom_sid_parse_talloc(mem_ctx, SID_NT_NETWORK); + ptoken->sids[4] = dom_sid_parse_talloc(mem_ctx, + is_guest?SID_BUILTIN_GUESTS: + SID_NT_AUTHENTICATED_USERS); + ptoken->num_sids = 5; for (i = 0; i < n_groupSIDs; i++) { size_t check_sid_idx; - for (check_sid_idx = 1; check_sid_idx < ptoken->num_sids; check_sid_idx++) { - if (dom_sid_equal(ptoken->user_sids[check_sid_idx], - groupSIDs[i])) { + for (check_sid_idx = 1; + check_sid_idx < ptoken->num_sids; + check_sid_idx++) { + if (dom_sid_equal(ptoken->sids[check_sid_idx], groupSIDs[i])) { break; } } - if (check_sid_idx >= ptoken->num_sids) /* Not found already */ { - ptoken->user_sids[sid_ndx++] = groupSIDs[i]; - ptoken->num_sids++; + if (check_sid_idx == ptoken->num_sids) { + ptoken->sids[ptoken->num_sids++] = groupSIDs[i]; } } - debug_nt_user_token(DBGC_AUTH, 10, ptoken); + debug_security_token(DBGC_AUTH, 10, ptoken); *token = ptoken; - return nt_status; + return NT_STATUS_OK; } /*************************************************************************** @@ -699,13 +683,13 @@ NTSTATUS make_session_info(TALLOC_CTX *mem_ctx, /* we should search for local groups here */ - nt_status = create_nt_user_token((*session_info), - server_info->user_sid, - server_info->primary_group_sid, - server_info->n_domain_groups, - server_info->domain_groups, - False, - &(*session_info)->nt_user_token); + nt_status = create_security_token((*session_info), + server_info->user_sid, + server_info->primary_group_sid, + server_info->n_domain_groups, + server_info->domain_groups, + False, + &(*session_info)->security_token); return nt_status; } diff --git a/source4/include/smb.h b/source4/include/smb.h index 5017384eef..5dc553c3fa 100644 --- a/source4/include/smb.h +++ b/source4/include/smb.h @@ -189,23 +189,14 @@ enum smb_signing_state {SMB_SIGNING_OFF, SMB_SIGNING_SUPPORTED, incorrect parameters - what does it mean? maybe created temporary file? */ #define NTCREATEX_ACTION_UNKNOWN 5 -/* - * The complete list of SIDS belonging to this user. - * Created when a vuid is registered. - * The definition of the user_sids array is as follows : - * - * token->user_sids[0] = primary user SID. - * token->user_sids[1] = primary group SID. - * token->user_sids[2..num_sids] = supplementary group SIDS. - */ - -#define PRIMARY_USER_SID_INDEX 0 -#define PRIMARY_GROUP_SID_INDEX 1 -typedef struct nt_user_token { - size_t num_sids; - struct dom_sid **user_sids; -} NT_USER_TOKEN; +struct security_token { + struct dom_sid *user_sid; + struct dom_sid *group_sid; + uint32_t num_sids; + struct dom_sid **sids; + uint64_t privilege_mask; +}; /* used to hold an arbitrary blob of data */ typedef struct data_blob { diff --git a/source4/libcli/auth/gensec_krb5.c b/source4/libcli/auth/gensec_krb5.c index c47d4f26b6..602e42a5ff 100644 --- a/source4/libcli/auth/gensec_krb5.c +++ b/source4/libcli/auth/gensec_krb5.c @@ -609,7 +609,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security struct auth_serversupplied_info *server_info = NULL; struct auth_session_info *session_info = NULL; struct PAC_LOGON_INFO *logon_info; - struct nt_user_token *ptoken; + struct security_token *ptoken; struct dom_sid *sid; char *p; char *principal; @@ -684,15 +684,15 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security talloc_free(server_info); - ptoken = talloc_p(session_info, struct nt_user_token); - if (!ptoken) { + ptoken = security_token_initialise(session_info); + if (ptoken == NULL) { return NT_STATUS_NO_MEMORY; } - ptoken->num_sids = 0; - - ptoken->user_sids = talloc_array_p(ptoken, struct dom_sid*, logon_info->groups_count + 2); - if (!ptoken->user_sids) { + ptoken->num_sids = 0; + ptoken->sids = talloc_array_p(ptoken, struct dom_sid *, + logon_info->groups_count + 2); + if (!ptoken->sids) { return NT_STATUS_NO_MEMORY; } @@ -702,21 +702,24 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security sid = dom_sid_dup(server_info, logon_info->dom_sid); server_info->primary_group_sid = dom_sid_add_rid(server_info, sid, logon_info->group_rid); - ptoken->user_sids[0] = talloc_reference(session_info, server_info->user_sid); + ptoken->user_sid = server_info->user_sid; + ptoken->group_sid = server_info->primary_group_sid; + ptoken->sids[0] = talloc_reference(ptoken, ptoken->user_sid); ptoken->num_sids++; - ptoken->user_sids[1] = talloc_reference(session_info, server_info->primary_group_sid); + ptoken->sids[1] = talloc_reference(ptoken, ptoken->group_sid); ptoken->num_sids++; - for (;ptoken->num_sids < (logon_info->groups_count + 2); ptoken->num_sids++) { + for (;ptoken->num_sids < (logon_info->groups_count + 2); + ptoken->num_sids++) { sid = dom_sid_dup(session_info, logon_info->dom_sid); - ptoken->user_sids[ptoken->num_sids] + ptoken->sids[ptoken->num_sids] = dom_sid_add_rid(session_info, sid, logon_info->groups[ptoken->num_sids - 2].rid); } - debug_nt_user_token(DBGC_AUTH, 0, ptoken); + debug_security_token(DBGC_AUTH, 0, ptoken); - session_info->nt_user_token = ptoken; + session_info->security_token = ptoken; } else { TALLOC_CTX *mem_ctx = talloc_named(gensec_krb5_state, 0, "PAC-less session info discovery for %s@%s", username, realm); if (!mem_ctx) { diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c index 425a5c2b6d..c646ee693b 100644 --- a/source4/libcli/security/access_check.c +++ b/source4/libcli/security/access_check.c @@ -27,11 +27,12 @@ /* check if a sid is in the supplied token */ -static BOOL sid_active_in_token(struct dom_sid *sid, struct nt_user_token *token) +static BOOL sid_active_in_token(const struct dom_sid *sid, + const struct security_token *token) { int i; for (i=0;i<token->num_sids;i++) { - if (dom_sid_equal(sid, token->user_sids[i])) { + if (dom_sid_equal(sid, token->sids[i])) { return True; } } @@ -42,16 +43,15 @@ static BOOL sid_active_in_token(struct dom_sid *sid, struct nt_user_token *token /* perform a SEC_FLAG_MAXIMUM_ALLOWED access check */ -static uint32_t access_check_max_allowed(struct security_descriptor *sd, - struct nt_user_token *token) +static uint32_t access_check_max_allowed(const struct security_descriptor *sd, + const struct security_token *token) { uint32_t denied = 0, granted = 0; unsigned i; if (sid_active_in_token(sd->owner_sid, token)) { - granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL; + granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_STD_DELETE; } - granted |= SEC_STD_DELETE; for (i = 0;i<sd->dacl->num_aces; i++) { struct security_ace *ace = &sd->dacl->aces[i]; @@ -77,8 +77,8 @@ static uint32_t access_check_max_allowed(struct security_descriptor *sd, /* the main entry point for access checking. */ -NTSTATUS sec_access_check(struct security_descriptor *sd, - struct nt_user_token *token, +NTSTATUS sec_access_check(const struct security_descriptor *sd, + const struct security_token *token, uint32_t access_desired, uint32_t *access_granted) { diff --git a/source4/libcli/security/config.mk b/source4/libcli/security/config.mk index 900dbe780a..d6896535d6 100644 --- a/source4/libcli/security/config.mk +++ b/source4/libcli/security/config.mk @@ -13,6 +13,7 @@ ADD_OBJ_FILES = libcli/security/security_token.o \ libcli/security/security_descriptor.o \ libcli/security/dom_sid.o \ libcli/security/access_check.o \ + libcli/security/privilege.o \ librpc/ndr/ndr_sec.o REQUIRED_SUBSYSTEMS = LIB_SECURITY_NDR # End SUBSYSTEM LIB_SECURITY diff --git a/source4/libcli/security/privilege.c b/source4/libcli/security/privilege.c new file mode 100644 index 0000000000..1962aaa374 --- /dev/null +++ b/source4/libcli/security/privilege.c @@ -0,0 +1,84 @@ +/* + Unix SMB/CIFS implementation. + + manipulate privileges + + Copyright (C) Andrew Tridgell 2004 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" +#include "librpc/gen_ndr/ndr_security.h" + + +static const struct { + enum sec_privilege privilege; + const char *name; +} privilege_names[] = { + {SEC_PRIV_SECURITY, "SeSecurityPrivilege"}, + {SEC_PRIV_BACKUP, "SeBackupPrivilege"}, + {SEC_PRIV_RESTORE, "SeRestorePrivilege"}, + {SEC_PRIV_SYSTEMTIME, "SeSystemtimePrivilege"}, + {SEC_PRIV_SHUTDOWN, "SeShutdownPrivilege"}, + {SEC_PRIV_REMOTE_SHUTDOWN, "SeRemoteShutdownPrivilege"}, + {SEC_PRIV_TAKE_OWNERSHIP, "SeTakeOwnershipPrivilege"}, + {SEC_PRIV_DEBUG, "SeDebugPrivilege"}, + {SEC_PRIV_SYSTEM_ENVIRONMENT, "SeSystemEnvironmentPrivilege"}, + {SEC_PRIV_SYSTEM_PROFILE, "SeSystemProfilePrivilege"}, + {SEC_PRIV_PROFILE_SINGLE_PROCESS, "SeProfileSingleProcessPrivilege"}, + {SEC_PRIV_INCREASE_BASE_PRIORITY, "SeIncreaseBasePriorityPrivilege"}, + {SEC_PRIV_LOAD_DRIVER, "SeLoadDriverPrivilege"}, + {SEC_PRIV_CREATE_PAGEFILE, "SeCreatePagefilePrivilege"}, + {SEC_PRIV_INCREASE_QUOTA, "SeIncreaseQuotaPrivilege"}, + {SEC_PRIV_CHANGE_NOTIFY, "SeChangeNotifyPrivilege"}, + {SEC_PRIV_UNDOCK, "SeUndockPrivilege"}, + {SEC_PRIV_MANAGE_VOLUME, "SeManageVolumePrivilege"}, + {SEC_PRIV_IMPERSONATE, "SeImpersonatePrivilege"}, + {SEC_PRIV_CREATE_GLOBAL, "SeCreateGlobalPrivilege"}, + {SEC_PRIV_ENABLE_DELEGATION, "SeEnableDelegationPrivilege"}, + {SEC_PRIV_INTERACTIVE_LOGON, "SeInteractiveLogonRight"}, + {SEC_PRIV_NETWORK_LOGON, "SeNetworkLogonRight"}, + {SEC_PRIV_REMOTE_INTERACTIVE_LOGON, "SeRemoteInteractiveLogonRight"} +}; + + +/* + map a privilege id to the wire string constant +*/ +const char *sec_privilege_name(unsigned int privilege) +{ + int i; + for (i=0;i<ARRAY_SIZE(privilege_names);i++) { + if (privilege_names[i].privilege == privilege) { + return privilege_names[i].name; + } + } + return NULL; +} + +/* + map a privilege name to a privilege id. Return -1 if not found +*/ +int sec_privilege_id(const char *name) +{ + int i; + for (i=0;i<ARRAY_SIZE(privilege_names);i++) { + if (strcasecmp(privilege_names[i].name, name) == 0) { + return (int)privilege_names[i].privilege; + } + } + return -1; +} diff --git a/source4/libcli/security/security_token.c b/source4/libcli/security/security_token.c index 9e26f5a385..a8ce989de7 100644 --- a/source4/libcli/security/security_token.c +++ b/source4/libcli/security/security_token.c @@ -24,7 +24,7 @@ #include "librpc/gen_ndr/ndr_security.h" /* - return a blank security descriptor (no owners, dacl or sacl) + return a blank security token */ struct security_token *security_token_initialise(TALLOC_CTX *mem_ctx) { @@ -35,22 +35,11 @@ struct security_token *security_token_initialise(TALLOC_CTX *mem_ctx) return NULL; } - st->flags = 0; - st->user_sid = NULL; st->group_sid = NULL; - st->logon_sid = NULL; - st->num_sids = 0; st->sids = NULL; - - st->num_restricted_sids = 0; - st->restricted_sids = NULL; - - st->num_privileges = 0; - st->privileges = NULL; - - st->dacl = NULL; + st->privilege_mask = 0; return st; } diff --git a/source4/librpc/idl/security.idl b/source4/librpc/idl/security.idl index 419c199f8f..662d874c86 100644 --- a/source4/librpc/idl/security.idl +++ b/source4/librpc/idl/security.idl @@ -148,32 +148,35 @@ interface security /* - privilege names + privilege IDs. Please keep the IDs below 64. If we get more + than 64 then we need to change security_token */ - const string SEC_PRIV_SECURITY = "SeSecurityPrivilege"; - const string SEC_PRIV_BACKUP = "SeBackupPrivilege"; - const string SEC_PRIV_RESTORE = "SeRestorePrivilege"; - const string SEC_PRIV_SYSTEMTIME = "SeSystemtimePrivilege"; - const string SEC_PRIV_SHUTDOWN = "SeShutdownPrivilege"; - const string SEC_PRIV_REMOTE_SHUTDOWN = "SeRemoteShutdownPrivilege"; - const string SEC_PRIV_TAKE_OWNERSHIP = "SeTakeOwnershipPrivilege"; - const string SEC_PRIV_DEBUG = "SeDebugPrivilege"; - const string SEC_PRIV_SYSTEM_ENVIRONMENT = "SeSystemEnvironmentPrivilege"; - const string SEC_PRIV_SYSTEM_PROFILE = "SeSystemProfilePrivilege"; - const string SEC_PRIV_PROFILE_SINGLE_PROCESS = "SeProfileSingleProcessPrivilege"; - const string SEC_PRIV_INCREASE_BASE_PRIORITY = "SeIncreaseBasePriorityPrivilege"; - const string SEC_PRIV_LOAD_DRIVER = "SeLoadDriverPrivilege"; - const string SEC_PRIV_CREATE_PAGEFILE = "SeCreatePagefilePrivilege"; - const string SEC_PRIV_INCREASE_QUOTA = "SeIncreaseQuotaPrivilege"; - const string SEC_PRIV_CHANGE_NOTIFY = "SeChangeNotifyPrivilege"; - const string SEC_PRIV_UNDOCK = "SeUndockPrivilege"; - const string SEC_PRIV_MANAGE_VOLUME = "SeManageVolumePrivilege"; - const string SEC_PRIV_IMPERSONATE = "SeImpersonatePrivilege"; - const string SEC_PRIV_CREATE_GLOBAL = "SeCreateGlobalPrivilege"; - const string SEC_PRIV_ENABLE_DELEGATION = "SeEnableDelegationPrivilege"; - const string SEC_PRIV_INTERACTIVE_LOGON = "SeInteractiveLogonRight"; - const string SEC_PRIV_NETWORK_LOGON = "SeNetworkLogonRight"; - const string SEC_PRIV_REMOTE_INTERACTIVE_LOGON = "SeRemoteInteractiveLogonRight"; + typedef enum { + SEC_PRIV_SECURITY = 1, + SEC_PRIV_BACKUP = 2, + SEC_PRIV_RESTORE = 3, + SEC_PRIV_SYSTEMTIME = 4, + SEC_PRIV_SHUTDOWN = 5, + SEC_PRIV_REMOTE_SHUTDOWN = 6, + SEC_PRIV_TAKE_OWNERSHIP = 7, + SEC_PRIV_DEBUG = 8, + SEC_PRIV_SYSTEM_ENVIRONMENT = 9, + SEC_PRIV_SYSTEM_PROFILE = 10, + SEC_PRIV_PROFILE_SINGLE_PROCESS = 11, + SEC_PRIV_INCREASE_BASE_PRIORITY = 12, + SEC_PRIV_LOAD_DRIVER = 13, + SEC_PRIV_CREATE_PAGEFILE = 14, + SEC_PRIV_INCREASE_QUOTA = 15, + SEC_PRIV_CHANGE_NOTIFY = 16, + SEC_PRIV_UNDOCK = 17, + SEC_PRIV_MANAGE_VOLUME = 18, + SEC_PRIV_IMPERSONATE = 19, + SEC_PRIV_CREATE_GLOBAL = 20, + SEC_PRIV_ENABLE_DELEGATION = 21, + SEC_PRIV_INTERACTIVE_LOGON = 22, + SEC_PRIV_NETWORK_LOGON = 23, + SEC_PRIV_REMOTE_INTERACTIVE_LOGON = 24 + } sec_privilege; /* a domain SID. Note that unlike Samba3 this contains a pointer, @@ -273,24 +276,4 @@ interface security [range(0,0x40000),value(ndr_size_security_descriptor(r->sd))] uint32 sd_size; [subcontext(4)] security_descriptor *sd; } sec_desc_buf; - - typedef [public,printonly] struct { - /* TODO */ - uint32 flags; - } security_privilege; - - typedef [public,printonly] struct { - uint32 flags; - dom_sid *user_sid; - dom_sid *group_sid; - dom_sid *logon_sid; - uint32 num_sids; - dom_sid sids[num_sids]; - uint32 num_restricted_sids; - dom_sid restricted_sids[num_restricted_sids]; - uint32 num_privileges; - security_privilege privileges[num_privileges]; - security_acl *dacl; - } security_token; - } diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c index 6eb4c13804..e2d779f91c 100644 --- a/source4/ntvfs/posix/pvfs_acl.c +++ b/source4/ntvfs/posix/pvfs_acl.c @@ -350,7 +350,7 @@ NTSTATUS pvfs_access_check(struct pvfs_state *pvfs, struct pvfs_filename *name, uint32_t *access_mask) { - struct nt_user_token *token = req->session->session_info->nt_user_token; + struct security_token *token = req->session->session_info->security_token; struct xattr_NTACL *acl; NTSTATUS status; struct security_descriptor *sd; diff --git a/source4/ntvfs/unixuid/vfs_unixuid.c b/source4/ntvfs/unixuid/vfs_unixuid.c index 0535475dd3..1c4572969f 100644 --- a/source4/ntvfs/unixuid/vfs_unixuid.c +++ b/source4/ntvfs/unixuid/vfs_unixuid.c @@ -28,7 +28,7 @@ struct unixuid_private { struct sidmap_context *sidmap; struct unix_sec_ctx *last_sec_ctx; - struct nt_user_token *last_token; + struct security_token *last_token; }; @@ -90,11 +90,11 @@ static NTSTATUS set_unix_security(struct unix_sec_ctx *sec) } /* - form a unix_sec_ctx from the current nt_user_token + form a unix_sec_ctx from the current security_token */ static NTSTATUS nt_token_to_unix_security(struct ntvfs_module_context *ntvfs, struct smbsrv_request *req, - struct nt_user_token *token, + struct security_token *token, struct unix_sec_ctx **sec) { struct unixuid_private *private = ntvfs->private_data; @@ -108,13 +108,13 @@ static NTSTATUS nt_token_to_unix_security(struct ntvfs_module_context *ntvfs, } status = sidmap_sid_to_unixuid(private->sidmap, - token->user_sids[0], &(*sec)->uid); + token->user_sid, &(*sec)->uid); if (!NT_STATUS_IS_OK(status)) { return status; } status = sidmap_sid_to_unixgid(private->sidmap, - token->user_sids[1], &(*sec)->gid); + token->group_sid, &(*sec)->gid); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -127,7 +127,7 @@ static NTSTATUS nt_token_to_unix_security(struct ntvfs_module_context *ntvfs, for (i=0;i<(*sec)->ngroups;i++) { status = sidmap_sid_to_unixgid(private->sidmap, - token->user_sids[i+2], &(*sec)->groups[i]); + token->sids[i+2], &(*sec)->groups[i]); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -143,7 +143,7 @@ static NTSTATUS unixuid_setup_security(struct ntvfs_module_context *ntvfs, struct smbsrv_request *req, struct unix_sec_ctx **sec) { struct unixuid_private *private = ntvfs->private_data; - struct nt_user_token *token = req->session->session_info->nt_user_token; + struct security_token *token = req->session->session_info->security_token; void *ctx = talloc(req, 0); struct unix_sec_ctx *newsec; NTSTATUS status; @@ -157,7 +157,7 @@ static NTSTATUS unixuid_setup_security(struct ntvfs_module_context *ntvfs, return NT_STATUS_NO_MEMORY; } - if (req->session->session_info->nt_user_token == private->last_token) { + if (req->session->session_info->security_token == private->last_token) { newsec = private->last_sec_ctx; } else { status = nt_token_to_unix_security(ntvfs, req, token, &newsec); @@ -169,7 +169,7 @@ static NTSTATUS unixuid_setup_security(struct ntvfs_module_context *ntvfs, talloc_free(private->last_sec_ctx); } private->last_sec_ctx = newsec; - private->last_token = req->session->session_info->nt_user_token; + private->last_token = req->session->session_info->security_token; talloc_steal(private, newsec); } diff --git a/source4/torture/raw/acls.c b/source4/torture/raw/acls.c index 9e518f8fc9..9ef611c01f 100644 --- a/source4/torture/raw/acls.c +++ b/source4/torture/raw/acls.c @@ -517,14 +517,18 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) owner_sid = dom_sid_string(mem_ctx, sd_orig->owner_sid); - status = smblsa_sid_check_privilege(cli, owner_sid, SEC_PRIV_RESTORE); + status = smblsa_sid_check_privilege(cli, + owner_sid, + sec_privilege_name(SEC_PRIV_RESTORE)); has_restore_privilege = NT_STATUS_IS_OK(status); if (!NT_STATUS_IS_OK(status)) { printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status)); } printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No"); - status = smblsa_sid_check_privilege(cli, owner_sid, SEC_PRIV_TAKE_OWNERSHIP); + status = smblsa_sid_check_privilege(cli, + owner_sid, + sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP)); has_take_ownership_privilege = NT_STATUS_IS_OK(status); if (!NT_STATUS_IS_OK(status)) { printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status)); diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 448559e350..c99dcb1b7a 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -431,10 +431,11 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, /* get the string onto the context */ grouplist = talloc_strdup(session_info, ""); - for (i=0; i< session_info->nt_user_token->num_sids; i++) { - grouplist = talloc_asprintf_append(grouplist, "%s,", - dom_sid_string(session_info, - session_info->nt_user_token->user_sids[i])); + for (i=0; i<session_info->security_token->num_sids; i++) { + struct security_token *token = session_info->security_token; + const char *sidstr = dom_sid_string(session_info, + token->sids[i]); + grouplist = talloc_asprintf_append(grouplist, "%s,", sidstr); } mux_printf(mux_id, "GL %s\n", grouplist); |