summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2004-12-11 05:41:19 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:06:31 -0500
commit6ca874f71ad77c82d6e161a3e4772100de2ad6c5 (patch)
tree6379d5d502d779df1da563911d40249030268ac6
parent280bb1cf0fc84c61e20f6f557cecbeba726e2749 (diff)
downloadsamba-6ca874f71ad77c82d6e161a3e4772100de2ad6c5.tar.gz
samba-6ca874f71ad77c82d6e161a3e4772100de2ad6c5.tar.bz2
samba-6ca874f71ad77c82d6e161a3e4772100de2ad6c5.zip
r4147: converted from NT_USER_TOKEN to struct security_token
this is mostly just a tidyup, but also adds the privilege_mask, which I will be using shortly in ACL checking. note that I had to move the definition of struct security_token out of security.idl as pidl doesn't yet handle arrays of pointers, and the usual workaround (to use a intermediate structure) would make things too cumbersome for this structure, especially given we never encode it to NDR. (This used to be commit 7b446af09b8050746bfc2c50e9d56aa94397cc1a)
-rw-r--r--source4/auth/auth.h9
-rw-r--r--source4/auth/auth_util.c128
-rw-r--r--source4/include/smb.h23
-rw-r--r--source4/libcli/auth/gensec_krb5.c29
-rw-r--r--source4/libcli/security/access_check.c16
-rw-r--r--source4/libcli/security/config.mk1
-rw-r--r--source4/libcli/security/privilege.c84
-rw-r--r--source4/libcli/security/security_token.c15
-rw-r--r--source4/librpc/idl/security.idl73
-rw-r--r--source4/ntvfs/posix/pvfs_acl.c2
-rw-r--r--source4/ntvfs/unixuid/vfs_unixuid.c18
-rw-r--r--source4/torture/raw/acls.c8
-rw-r--r--source4/utils/ntlm_auth.c9
13 files changed, 225 insertions, 190 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 741cd55542..3f1d11cb45 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -97,15 +97,10 @@ struct auth_serversupplied_info
uint32 acct_flags;
};
-struct auth_session_info
-{
+struct auth_session_info {
int refcount;
- /* NT group information taken from the info3 structure */
-
- NT_USER_TOKEN *nt_user_token;
-
+ struct security_token *security_token;
struct auth_serversupplied_info *server_info;
-
DATA_BLOB session_key;
/* needed to key the schannel credentials */
diff --git a/source4/auth/auth_util.c b/source4/auth/auth_util.c
index 503e1dee82..4a60c3f847 100644
--- a/source4/auth/auth_util.c
+++ b/source4/auth/auth_util.c
@@ -298,127 +298,111 @@ BOOL make_user_info_guest(TALLOC_CTX *mem_ctx,
}
/****************************************************************************
- prints a NT_USER_TOKEN to debug output.
+ prints a struct security_token to debug output.
****************************************************************************/
-
-void debug_nt_user_token(int dbg_class, int dbg_lev, const NT_USER_TOKEN *token)
+void debug_security_token(int dbg_class, int dbg_lev, const struct security_token *token)
{
TALLOC_CTX *mem_ctx;
size_t i;
if (!token) {
- DEBUGC(dbg_class, dbg_lev, ("NT user token: (NULL)\n"));
+ DEBUGC(dbg_class, dbg_lev, ("Security token: (NULL)\n"));
return;
}
- mem_ctx = talloc_init("debug_nt_user_token()");
+ mem_ctx = talloc_init("debug_security_token()");
if (!mem_ctx) {
return;
}
- DEBUGC(dbg_class, dbg_lev, ("NT user token of user %s\n",
- dom_sid_string(mem_ctx, token->user_sids[0]) ));
- DEBUGADDC(dbg_class, dbg_lev, ("contains %lu SIDs\n", (unsigned long)token->num_sids));
- for (i = 0; i < token->num_sids; i++)
- DEBUGADDC(dbg_class, dbg_lev, ("SID[%3lu]: %s\n", (unsigned long)i,
- dom_sid_string(mem_ctx, token->user_sids[i])));
+ DEBUGC(dbg_class, dbg_lev, ("Security token of user %s\n",
+ dom_sid_string(mem_ctx, token->user_sid) ));
+ DEBUGADDC(dbg_class, dbg_lev, ("contains %lu SIDs\n",
+ (unsigned long)token->num_sids));
+ for (i = 0; i < token->num_sids; i++) {
+ DEBUGADDC(dbg_class, dbg_lev,
+ ("SID[%3lu]: %s\n", (unsigned long)i,
+ dom_sid_string(mem_ctx, token->sids[i])));
+ }
talloc_destroy(mem_ctx);
}
/****************************************************************************
- prints a NT_USER_TOKEN to debug output.
+ prints a struct auth_session_info security token to debug output.
****************************************************************************/
-
-void debug_session_info(int dbg_class, int dbg_lev, const struct auth_session_info *session_info)
+void debug_session_info(int dbg_class, int dbg_lev,
+ const struct auth_session_info *session_info)
{
if (!session_info) {
DEBUGC(dbg_class, dbg_lev, ("Session Info: (NULL)\n"));
return;
}
- debug_nt_user_token(dbg_class, dbg_lev, session_info->nt_user_token);
+ debug_security_token(dbg_class, dbg_lev, session_info->security_token);
}
/****************************************************************************
Create the SID list for this user.
****************************************************************************/
-
-NTSTATUS create_nt_user_token(TALLOC_CTX *mem_ctx,
- struct dom_sid *user_sid, struct dom_sid *group_sid,
- int n_groupSIDs, struct dom_sid **groupSIDs,
- BOOL is_guest, struct nt_user_token **token)
+NTSTATUS create_security_token(TALLOC_CTX *mem_ctx,
+ struct dom_sid *user_sid, struct dom_sid *group_sid,
+ int n_groupSIDs, struct dom_sid **groupSIDs,
+ BOOL is_guest, struct security_token **token)
{
- NTSTATUS nt_status = NT_STATUS_OK;
- struct nt_user_token *ptoken;
+ struct security_token *ptoken;
int i;
- int sid_ndx;
-
- if (!(ptoken = talloc_p(mem_ctx, struct nt_user_token))) {
- DEBUG(0, ("create_nt_token: Out of memory allocating token\n"));
- nt_status = NT_STATUS_NO_MEMORY;
- return nt_status;
- }
- ptoken->num_sids = 0;
+ ptoken = security_token_initialise(mem_ctx);
+ if (ptoken == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
- if (!(ptoken->user_sids = talloc_array_p(mem_ctx, struct dom_sid*, n_groupSIDs + 5))) {
- DEBUG(0, ("create_nt_token: Out of memory allocating SIDs\n"));
- nt_status = NT_STATUS_NO_MEMORY;
- return nt_status;
+ ptoken->sids = talloc_array_p(ptoken, struct dom_sid *, n_groupSIDs + 5);
+ if (!ptoken->sids) {
+ return NT_STATUS_NO_MEMORY;
}
-
- /*
- * Note - user SID *MUST* be first in token !
- * se_access_check depends on this.
- *
- * Primary group SID is second in token. Convention.
- */
- ptoken->user_sids[PRIMARY_USER_SID_INDEX] = user_sid;
- ptoken->num_sids++;
- ptoken->user_sids[PRIMARY_GROUP_SID_INDEX] = group_sid;
- ptoken->num_sids++;
+ ptoken->user_sid = user_sid;
+ ptoken->group_sid = group_sid;
+ ptoken->privilege_mask = 0;
+
+ ptoken->sids[0] = user_sid;
+ ptoken->sids[1] = group_sid;
/*
* Finally add the "standard" SIDs.
* The only difference between guest and "anonymous" (which we
* don't really support) is the addition of Authenticated_Users.
*/
- ptoken->user_sids[2] = dom_sid_parse_talloc(mem_ctx, SID_WORLD);
- ptoken->user_sids[3] = dom_sid_parse_talloc(mem_ctx, SID_NT_NETWORK);
-
- if (is_guest) {
- ptoken->user_sids[4] = dom_sid_parse_talloc(mem_ctx, SID_BUILTIN_GUESTS);
- ptoken->num_sids++;
- } else {
- ptoken->user_sids[4] = dom_sid_parse_talloc(mem_ctx, SID_NT_AUTHENTICATED_USERS);
- ptoken->num_sids++;
- }
-
- sid_ndx = 5; /* next available spot */
+ ptoken->sids[2] = dom_sid_parse_talloc(mem_ctx, SID_WORLD);
+ ptoken->sids[3] = dom_sid_parse_talloc(mem_ctx, SID_NT_NETWORK);
+ ptoken->sids[4] = dom_sid_parse_talloc(mem_ctx,
+ is_guest?SID_BUILTIN_GUESTS:
+ SID_NT_AUTHENTICATED_USERS);
+ ptoken->num_sids = 5;
for (i = 0; i < n_groupSIDs; i++) {
size_t check_sid_idx;
- for (check_sid_idx = 1; check_sid_idx < ptoken->num_sids; check_sid_idx++) {
- if (dom_sid_equal(ptoken->user_sids[check_sid_idx],
- groupSIDs[i])) {
+ for (check_sid_idx = 1;
+ check_sid_idx < ptoken->num_sids;
+ check_sid_idx++) {
+ if (dom_sid_equal(ptoken->sids[check_sid_idx], groupSIDs[i])) {
break;
}
}
- if (check_sid_idx >= ptoken->num_sids) /* Not found already */ {
- ptoken->user_sids[sid_ndx++] = groupSIDs[i];
- ptoken->num_sids++;
+ if (check_sid_idx == ptoken->num_sids) {
+ ptoken->sids[ptoken->num_sids++] = groupSIDs[i];
}
}
- debug_nt_user_token(DBGC_AUTH, 10, ptoken);
+ debug_security_token(DBGC_AUTH, 10, ptoken);
*token = ptoken;
- return nt_status;
+ return NT_STATUS_OK;
}
/***************************************************************************
@@ -699,13 +683,13 @@ NTSTATUS make_session_info(TALLOC_CTX *mem_ctx,
/* we should search for local groups here */
- nt_status = create_nt_user_token((*session_info),
- server_info->user_sid,
- server_info->primary_group_sid,
- server_info->n_domain_groups,
- server_info->domain_groups,
- False,
- &(*session_info)->nt_user_token);
+ nt_status = create_security_token((*session_info),
+ server_info->user_sid,
+ server_info->primary_group_sid,
+ server_info->n_domain_groups,
+ server_info->domain_groups,
+ False,
+ &(*session_info)->security_token);
return nt_status;
}
diff --git a/source4/include/smb.h b/source4/include/smb.h
index 5017384eef..5dc553c3fa 100644
--- a/source4/include/smb.h
+++ b/source4/include/smb.h
@@ -189,23 +189,14 @@ enum smb_signing_state {SMB_SIGNING_OFF, SMB_SIGNING_SUPPORTED,
incorrect parameters - what does it mean? maybe created temporary file? */
#define NTCREATEX_ACTION_UNKNOWN 5
-/*
- * The complete list of SIDS belonging to this user.
- * Created when a vuid is registered.
- * The definition of the user_sids array is as follows :
- *
- * token->user_sids[0] = primary user SID.
- * token->user_sids[1] = primary group SID.
- * token->user_sids[2..num_sids] = supplementary group SIDS.
- */
-
-#define PRIMARY_USER_SID_INDEX 0
-#define PRIMARY_GROUP_SID_INDEX 1
-typedef struct nt_user_token {
- size_t num_sids;
- struct dom_sid **user_sids;
-} NT_USER_TOKEN;
+struct security_token {
+ struct dom_sid *user_sid;
+ struct dom_sid *group_sid;
+ uint32_t num_sids;
+ struct dom_sid **sids;
+ uint64_t privilege_mask;
+};
/* used to hold an arbitrary blob of data */
typedef struct data_blob {
diff --git a/source4/libcli/auth/gensec_krb5.c b/source4/libcli/auth/gensec_krb5.c
index c47d4f26b6..602e42a5ff 100644
--- a/source4/libcli/auth/gensec_krb5.c
+++ b/source4/libcli/auth/gensec_krb5.c
@@ -609,7 +609,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
struct auth_serversupplied_info *server_info = NULL;
struct auth_session_info *session_info = NULL;
struct PAC_LOGON_INFO *logon_info;
- struct nt_user_token *ptoken;
+ struct security_token *ptoken;
struct dom_sid *sid;
char *p;
char *principal;
@@ -684,15 +684,15 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
talloc_free(server_info);
- ptoken = talloc_p(session_info, struct nt_user_token);
- if (!ptoken) {
+ ptoken = security_token_initialise(session_info);
+ if (ptoken == NULL) {
return NT_STATUS_NO_MEMORY;
}
- ptoken->num_sids = 0;
-
- ptoken->user_sids = talloc_array_p(ptoken, struct dom_sid*, logon_info->groups_count + 2);
- if (!ptoken->user_sids) {
+ ptoken->num_sids = 0;
+ ptoken->sids = talloc_array_p(ptoken, struct dom_sid *,
+ logon_info->groups_count + 2);
+ if (!ptoken->sids) {
return NT_STATUS_NO_MEMORY;
}
@@ -702,21 +702,24 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
sid = dom_sid_dup(server_info, logon_info->dom_sid);
server_info->primary_group_sid = dom_sid_add_rid(server_info, sid, logon_info->group_rid);
- ptoken->user_sids[0] = talloc_reference(session_info, server_info->user_sid);
+ ptoken->user_sid = server_info->user_sid;
+ ptoken->group_sid = server_info->primary_group_sid;
+ ptoken->sids[0] = talloc_reference(ptoken, ptoken->user_sid);
ptoken->num_sids++;
- ptoken->user_sids[1] = talloc_reference(session_info, server_info->primary_group_sid);
+ ptoken->sids[1] = talloc_reference(ptoken, ptoken->group_sid);
ptoken->num_sids++;
- for (;ptoken->num_sids < (logon_info->groups_count + 2); ptoken->num_sids++) {
+ for (;ptoken->num_sids < (logon_info->groups_count + 2);
+ ptoken->num_sids++) {
sid = dom_sid_dup(session_info, logon_info->dom_sid);
- ptoken->user_sids[ptoken->num_sids]
+ ptoken->sids[ptoken->num_sids]
= dom_sid_add_rid(session_info, sid,
logon_info->groups[ptoken->num_sids - 2].rid);
}
- debug_nt_user_token(DBGC_AUTH, 0, ptoken);
+ debug_security_token(DBGC_AUTH, 0, ptoken);
- session_info->nt_user_token = ptoken;
+ session_info->security_token = ptoken;
} else {
TALLOC_CTX *mem_ctx = talloc_named(gensec_krb5_state, 0, "PAC-less session info discovery for %s@%s", username, realm);
if (!mem_ctx) {
diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c
index 425a5c2b6d..c646ee693b 100644
--- a/source4/libcli/security/access_check.c
+++ b/source4/libcli/security/access_check.c
@@ -27,11 +27,12 @@
/*
check if a sid is in the supplied token
*/
-static BOOL sid_active_in_token(struct dom_sid *sid, struct nt_user_token *token)
+static BOOL sid_active_in_token(const struct dom_sid *sid,
+ const struct security_token *token)
{
int i;
for (i=0;i<token->num_sids;i++) {
- if (dom_sid_equal(sid, token->user_sids[i])) {
+ if (dom_sid_equal(sid, token->sids[i])) {
return True;
}
}
@@ -42,16 +43,15 @@ static BOOL sid_active_in_token(struct dom_sid *sid, struct nt_user_token *token
/*
perform a SEC_FLAG_MAXIMUM_ALLOWED access check
*/
-static uint32_t access_check_max_allowed(struct security_descriptor *sd,
- struct nt_user_token *token)
+static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
+ const struct security_token *token)
{
uint32_t denied = 0, granted = 0;
unsigned i;
if (sid_active_in_token(sd->owner_sid, token)) {
- granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;
+ granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_STD_DELETE;
}
- granted |= SEC_STD_DELETE;
for (i = 0;i<sd->dacl->num_aces; i++) {
struct security_ace *ace = &sd->dacl->aces[i];
@@ -77,8 +77,8 @@ static uint32_t access_check_max_allowed(struct security_descriptor *sd,
/*
the main entry point for access checking.
*/
-NTSTATUS sec_access_check(struct security_descriptor *sd,
- struct nt_user_token *token,
+NTSTATUS sec_access_check(const struct security_descriptor *sd,
+ const struct security_token *token,
uint32_t access_desired,
uint32_t *access_granted)
{
diff --git a/source4/libcli/security/config.mk b/source4/libcli/security/config.mk
index 900dbe780a..d6896535d6 100644
--- a/source4/libcli/security/config.mk
+++ b/source4/libcli/security/config.mk
@@ -13,6 +13,7 @@ ADD_OBJ_FILES = libcli/security/security_token.o \
libcli/security/security_descriptor.o \
libcli/security/dom_sid.o \
libcli/security/access_check.o \
+ libcli/security/privilege.o \
librpc/ndr/ndr_sec.o
REQUIRED_SUBSYSTEMS = LIB_SECURITY_NDR
# End SUBSYSTEM LIB_SECURITY
diff --git a/source4/libcli/security/privilege.c b/source4/libcli/security/privilege.c
new file mode 100644
index 0000000000..1962aaa374
--- /dev/null
+++ b/source4/libcli/security/privilege.c
@@ -0,0 +1,84 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ manipulate privileges
+
+ Copyright (C) Andrew Tridgell 2004
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include "librpc/gen_ndr/ndr_security.h"
+
+
+static const struct {
+ enum sec_privilege privilege;
+ const char *name;
+} privilege_names[] = {
+ {SEC_PRIV_SECURITY, "SeSecurityPrivilege"},
+ {SEC_PRIV_BACKUP, "SeBackupPrivilege"},
+ {SEC_PRIV_RESTORE, "SeRestorePrivilege"},
+ {SEC_PRIV_SYSTEMTIME, "SeSystemtimePrivilege"},
+ {SEC_PRIV_SHUTDOWN, "SeShutdownPrivilege"},
+ {SEC_PRIV_REMOTE_SHUTDOWN, "SeRemoteShutdownPrivilege"},
+ {SEC_PRIV_TAKE_OWNERSHIP, "SeTakeOwnershipPrivilege"},
+ {SEC_PRIV_DEBUG, "SeDebugPrivilege"},
+ {SEC_PRIV_SYSTEM_ENVIRONMENT, "SeSystemEnvironmentPrivilege"},
+ {SEC_PRIV_SYSTEM_PROFILE, "SeSystemProfilePrivilege"},
+ {SEC_PRIV_PROFILE_SINGLE_PROCESS, "SeProfileSingleProcessPrivilege"},
+ {SEC_PRIV_INCREASE_BASE_PRIORITY, "SeIncreaseBasePriorityPrivilege"},
+ {SEC_PRIV_LOAD_DRIVER, "SeLoadDriverPrivilege"},
+ {SEC_PRIV_CREATE_PAGEFILE, "SeCreatePagefilePrivilege"},
+ {SEC_PRIV_INCREASE_QUOTA, "SeIncreaseQuotaPrivilege"},
+ {SEC_PRIV_CHANGE_NOTIFY, "SeChangeNotifyPrivilege"},
+ {SEC_PRIV_UNDOCK, "SeUndockPrivilege"},
+ {SEC_PRIV_MANAGE_VOLUME, "SeManageVolumePrivilege"},
+ {SEC_PRIV_IMPERSONATE, "SeImpersonatePrivilege"},
+ {SEC_PRIV_CREATE_GLOBAL, "SeCreateGlobalPrivilege"},
+ {SEC_PRIV_ENABLE_DELEGATION, "SeEnableDelegationPrivilege"},
+ {SEC_PRIV_INTERACTIVE_LOGON, "SeInteractiveLogonRight"},
+ {SEC_PRIV_NETWORK_LOGON, "SeNetworkLogonRight"},
+ {SEC_PRIV_REMOTE_INTERACTIVE_LOGON, "SeRemoteInteractiveLogonRight"}
+};
+
+
+/*
+ map a privilege id to the wire string constant
+*/
+const char *sec_privilege_name(unsigned int privilege)
+{
+ int i;
+ for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
+ if (privilege_names[i].privilege == privilege) {
+ return privilege_names[i].name;
+ }
+ }
+ return NULL;
+}
+
+/*
+ map a privilege name to a privilege id. Return -1 if not found
+*/
+int sec_privilege_id(const char *name)
+{
+ int i;
+ for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
+ if (strcasecmp(privilege_names[i].name, name) == 0) {
+ return (int)privilege_names[i].privilege;
+ }
+ }
+ return -1;
+}
diff --git a/source4/libcli/security/security_token.c b/source4/libcli/security/security_token.c
index 9e26f5a385..a8ce989de7 100644
--- a/source4/libcli/security/security_token.c
+++ b/source4/libcli/security/security_token.c
@@ -24,7 +24,7 @@
#include "librpc/gen_ndr/ndr_security.h"
/*
- return a blank security descriptor (no owners, dacl or sacl)
+ return a blank security token
*/
struct security_token *security_token_initialise(TALLOC_CTX *mem_ctx)
{
@@ -35,22 +35,11 @@ struct security_token *security_token_initialise(TALLOC_CTX *mem_ctx)
return NULL;
}
- st->flags = 0;
-
st->user_sid = NULL;
st->group_sid = NULL;
- st->logon_sid = NULL;
-
st->num_sids = 0;
st->sids = NULL;
-
- st->num_restricted_sids = 0;
- st->restricted_sids = NULL;
-
- st->num_privileges = 0;
- st->privileges = NULL;
-
- st->dacl = NULL;
+ st->privilege_mask = 0;
return st;
}
diff --git a/source4/librpc/idl/security.idl b/source4/librpc/idl/security.idl
index 419c199f8f..662d874c86 100644
--- a/source4/librpc/idl/security.idl
+++ b/source4/librpc/idl/security.idl
@@ -148,32 +148,35 @@ interface security
/*
- privilege names
+ privilege IDs. Please keep the IDs below 64. If we get more
+ than 64 then we need to change security_token
*/
- const string SEC_PRIV_SECURITY = "SeSecurityPrivilege";
- const string SEC_PRIV_BACKUP = "SeBackupPrivilege";
- const string SEC_PRIV_RESTORE = "SeRestorePrivilege";
- const string SEC_PRIV_SYSTEMTIME = "SeSystemtimePrivilege";
- const string SEC_PRIV_SHUTDOWN = "SeShutdownPrivilege";
- const string SEC_PRIV_REMOTE_SHUTDOWN = "SeRemoteShutdownPrivilege";
- const string SEC_PRIV_TAKE_OWNERSHIP = "SeTakeOwnershipPrivilege";
- const string SEC_PRIV_DEBUG = "SeDebugPrivilege";
- const string SEC_PRIV_SYSTEM_ENVIRONMENT = "SeSystemEnvironmentPrivilege";
- const string SEC_PRIV_SYSTEM_PROFILE = "SeSystemProfilePrivilege";
- const string SEC_PRIV_PROFILE_SINGLE_PROCESS = "SeProfileSingleProcessPrivilege";
- const string SEC_PRIV_INCREASE_BASE_PRIORITY = "SeIncreaseBasePriorityPrivilege";
- const string SEC_PRIV_LOAD_DRIVER = "SeLoadDriverPrivilege";
- const string SEC_PRIV_CREATE_PAGEFILE = "SeCreatePagefilePrivilege";
- const string SEC_PRIV_INCREASE_QUOTA = "SeIncreaseQuotaPrivilege";
- const string SEC_PRIV_CHANGE_NOTIFY = "SeChangeNotifyPrivilege";
- const string SEC_PRIV_UNDOCK = "SeUndockPrivilege";
- const string SEC_PRIV_MANAGE_VOLUME = "SeManageVolumePrivilege";
- const string SEC_PRIV_IMPERSONATE = "SeImpersonatePrivilege";
- const string SEC_PRIV_CREATE_GLOBAL = "SeCreateGlobalPrivilege";
- const string SEC_PRIV_ENABLE_DELEGATION = "SeEnableDelegationPrivilege";
- const string SEC_PRIV_INTERACTIVE_LOGON = "SeInteractiveLogonRight";
- const string SEC_PRIV_NETWORK_LOGON = "SeNetworkLogonRight";
- const string SEC_PRIV_REMOTE_INTERACTIVE_LOGON = "SeRemoteInteractiveLogonRight";
+ typedef enum {
+ SEC_PRIV_SECURITY = 1,
+ SEC_PRIV_BACKUP = 2,
+ SEC_PRIV_RESTORE = 3,
+ SEC_PRIV_SYSTEMTIME = 4,
+ SEC_PRIV_SHUTDOWN = 5,
+ SEC_PRIV_REMOTE_SHUTDOWN = 6,
+ SEC_PRIV_TAKE_OWNERSHIP = 7,
+ SEC_PRIV_DEBUG = 8,
+ SEC_PRIV_SYSTEM_ENVIRONMENT = 9,
+ SEC_PRIV_SYSTEM_PROFILE = 10,
+ SEC_PRIV_PROFILE_SINGLE_PROCESS = 11,
+ SEC_PRIV_INCREASE_BASE_PRIORITY = 12,
+ SEC_PRIV_LOAD_DRIVER = 13,
+ SEC_PRIV_CREATE_PAGEFILE = 14,
+ SEC_PRIV_INCREASE_QUOTA = 15,
+ SEC_PRIV_CHANGE_NOTIFY = 16,
+ SEC_PRIV_UNDOCK = 17,
+ SEC_PRIV_MANAGE_VOLUME = 18,
+ SEC_PRIV_IMPERSONATE = 19,
+ SEC_PRIV_CREATE_GLOBAL = 20,
+ SEC_PRIV_ENABLE_DELEGATION = 21,
+ SEC_PRIV_INTERACTIVE_LOGON = 22,
+ SEC_PRIV_NETWORK_LOGON = 23,
+ SEC_PRIV_REMOTE_INTERACTIVE_LOGON = 24
+ } sec_privilege;
/* a domain SID. Note that unlike Samba3 this contains a pointer,
@@ -273,24 +276,4 @@ interface security
[range(0,0x40000),value(ndr_size_security_descriptor(r->sd))] uint32 sd_size;
[subcontext(4)] security_descriptor *sd;
} sec_desc_buf;
-
- typedef [public,printonly] struct {
- /* TODO */
- uint32 flags;
- } security_privilege;
-
- typedef [public,printonly] struct {
- uint32 flags;
- dom_sid *user_sid;
- dom_sid *group_sid;
- dom_sid *logon_sid;
- uint32 num_sids;
- dom_sid sids[num_sids];
- uint32 num_restricted_sids;
- dom_sid restricted_sids[num_restricted_sids];
- uint32 num_privileges;
- security_privilege privileges[num_privileges];
- security_acl *dacl;
- } security_token;
-
}
diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c
index 6eb4c13804..e2d779f91c 100644
--- a/source4/ntvfs/posix/pvfs_acl.c
+++ b/source4/ntvfs/posix/pvfs_acl.c
@@ -350,7 +350,7 @@ NTSTATUS pvfs_access_check(struct pvfs_state *pvfs,
struct pvfs_filename *name,
uint32_t *access_mask)
{
- struct nt_user_token *token = req->session->session_info->nt_user_token;
+ struct security_token *token = req->session->session_info->security_token;
struct xattr_NTACL *acl;
NTSTATUS status;
struct security_descriptor *sd;
diff --git a/source4/ntvfs/unixuid/vfs_unixuid.c b/source4/ntvfs/unixuid/vfs_unixuid.c
index 0535475dd3..1c4572969f 100644
--- a/source4/ntvfs/unixuid/vfs_unixuid.c
+++ b/source4/ntvfs/unixuid/vfs_unixuid.c
@@ -28,7 +28,7 @@
struct unixuid_private {
struct sidmap_context *sidmap;
struct unix_sec_ctx *last_sec_ctx;
- struct nt_user_token *last_token;
+ struct security_token *last_token;
};
@@ -90,11 +90,11 @@ static NTSTATUS set_unix_security(struct unix_sec_ctx *sec)
}
/*
- form a unix_sec_ctx from the current nt_user_token
+ form a unix_sec_ctx from the current security_token
*/
static NTSTATUS nt_token_to_unix_security(struct ntvfs_module_context *ntvfs,
struct smbsrv_request *req,
- struct nt_user_token *token,
+ struct security_token *token,
struct unix_sec_ctx **sec)
{
struct unixuid_private *private = ntvfs->private_data;
@@ -108,13 +108,13 @@ static NTSTATUS nt_token_to_unix_security(struct ntvfs_module_context *ntvfs,
}
status = sidmap_sid_to_unixuid(private->sidmap,
- token->user_sids[0], &(*sec)->uid);
+ token->user_sid, &(*sec)->uid);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
status = sidmap_sid_to_unixgid(private->sidmap,
- token->user_sids[1], &(*sec)->gid);
+ token->group_sid, &(*sec)->gid);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
@@ -127,7 +127,7 @@ static NTSTATUS nt_token_to_unix_security(struct ntvfs_module_context *ntvfs,
for (i=0;i<(*sec)->ngroups;i++) {
status = sidmap_sid_to_unixgid(private->sidmap,
- token->user_sids[i+2], &(*sec)->groups[i]);
+ token->sids[i+2], &(*sec)->groups[i]);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
@@ -143,7 +143,7 @@ static NTSTATUS unixuid_setup_security(struct ntvfs_module_context *ntvfs,
struct smbsrv_request *req, struct unix_sec_ctx **sec)
{
struct unixuid_private *private = ntvfs->private_data;
- struct nt_user_token *token = req->session->session_info->nt_user_token;
+ struct security_token *token = req->session->session_info->security_token;
void *ctx = talloc(req, 0);
struct unix_sec_ctx *newsec;
NTSTATUS status;
@@ -157,7 +157,7 @@ static NTSTATUS unixuid_setup_security(struct ntvfs_module_context *ntvfs,
return NT_STATUS_NO_MEMORY;
}
- if (req->session->session_info->nt_user_token == private->last_token) {
+ if (req->session->session_info->security_token == private->last_token) {
newsec = private->last_sec_ctx;
} else {
status = nt_token_to_unix_security(ntvfs, req, token, &newsec);
@@ -169,7 +169,7 @@ static NTSTATUS unixuid_setup_security(struct ntvfs_module_context *ntvfs,
talloc_free(private->last_sec_ctx);
}
private->last_sec_ctx = newsec;
- private->last_token = req->session->session_info->nt_user_token;
+ private->last_token = req->session->session_info->security_token;
talloc_steal(private, newsec);
}
diff --git a/source4/torture/raw/acls.c b/source4/torture/raw/acls.c
index 9e518f8fc9..9ef611c01f 100644
--- a/source4/torture/raw/acls.c
+++ b/source4/torture/raw/acls.c
@@ -517,14 +517,18 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
owner_sid = dom_sid_string(mem_ctx, sd_orig->owner_sid);
- status = smblsa_sid_check_privilege(cli, owner_sid, SEC_PRIV_RESTORE);
+ status = smblsa_sid_check_privilege(cli,
+ owner_sid,
+ sec_privilege_name(SEC_PRIV_RESTORE));
has_restore_privilege = NT_STATUS_IS_OK(status);
if (!NT_STATUS_IS_OK(status)) {
printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
}
printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No");
- status = smblsa_sid_check_privilege(cli, owner_sid, SEC_PRIV_TAKE_OWNERSHIP);
+ status = smblsa_sid_check_privilege(cli,
+ owner_sid,
+ sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP));
has_take_ownership_privilege = NT_STATUS_IS_OK(status);
if (!NT_STATUS_IS_OK(status)) {
printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
index 448559e350..c99dcb1b7a 100644
--- a/source4/utils/ntlm_auth.c
+++ b/source4/utils/ntlm_auth.c
@@ -431,10 +431,11 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
/* get the string onto the context */
grouplist = talloc_strdup(session_info, "");
- for (i=0; i< session_info->nt_user_token->num_sids; i++) {
- grouplist = talloc_asprintf_append(grouplist, "%s,",
- dom_sid_string(session_info,
- session_info->nt_user_token->user_sids[i]));
+ for (i=0; i<session_info->security_token->num_sids; i++) {
+ struct security_token *token = session_info->security_token;
+ const char *sidstr = dom_sid_string(session_info,
+ token->sids[i]);
+ grouplist = talloc_asprintf_append(grouplist, "%s,", sidstr);
}
mux_printf(mux_id, "GL %s\n", grouplist);