authorAndreas Schneider <asn@samba.org>2010-05-11 11:02:59 +0200
committerSimo Sorce <idra@samba.org>2010-07-27 10:27:12 -0400
commitae405eed4fa1857e90f240671c539088be51d562 (patch)
tree0aa3f1c913a7bbc44742887275e66b376761d067
parente2d3c0efa9a972d76279c3f834784525de1439b0 (diff)
s3-printing: Removed unused security descriptor functions.
Signed-off-by: Jim McDonough <jmcd@samba.org>
-rw-r--r--source3/include/proto.h2
-rw-r--r--source3/printing/nt_printing.c306
2 files changed, 0 insertions, 308 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 00ec31abc3..67f9976397 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -4738,8 +4738,6 @@ WERROR add_printer_data( NT_PRINTER_INFO_LEVEL_2 *p2, const char *key, const cha
struct regval_blob* get_printer_data( NT_PRINTER_INFO_LEVEL_2 *p2, const char *key, const char *value );
bool driver_info_ctr_to_info8(struct spoolss_AddDriverInfoCtr *r,
struct spoolss_DriverInfo8 *_info8);
-WERROR nt_printing_setsec(const char *sharename, struct sec_desc_buf *secdesc_ctr);
-bool nt_printing_getsec(TALLOC_CTX *ctx, const char *sharename, struct sec_desc_buf **secdesc_ctr);
void map_printer_permissions(struct security_descriptor *sd);
void map_job_permissions(struct security_descriptor *sd);
bool print_time_access_check(struct auth_serversupplied_info *server_info,
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
index 51ae10649d..63cdefc077 100644
--- a/source3/printing/nt_printing.c
+++ b/source3/printing/nt_printing.c
@@ -3389,312 +3389,6 @@ bool delete_driver_files(struct auth_serversupplied_info *server_info,
return ret;
}
-/****************************************************************************
- Store a security desc for a printer.
-****************************************************************************/
-
-WERROR nt_printing_setsec(const char *sharename, struct sec_desc_buf *secdesc_ctr)
-{
- struct sec_desc_buf *new_secdesc_ctr = NULL;
- struct sec_desc_buf *old_secdesc_ctr = NULL;
- TALLOC_CTX *mem_ctx = NULL;
- TDB_DATA kbuf;
- TDB_DATA dbuf;
- DATA_BLOB blob;
- WERROR status;
- NTSTATUS nt_status;
-
- mem_ctx = talloc_init("nt_printing_setsec");
- if (mem_ctx == NULL)
- return WERR_NOMEM;
-
- /* The old owner and group sids of the security descriptor are not
- present when new ACEs are added or removed by changing printer
- permissions through NT. If they are NULL in the new security
- descriptor then copy them over from the old one. */
-
- if (!secdesc_ctr->sd->owner_sid || !secdesc_ctr->sd->group_sid) {
- struct dom_sid *owner_sid, *group_sid;
- struct security_acl *dacl, *sacl;
- struct security_descriptor *psd = NULL;
- size_t size;
-
- if (!nt_printing_getsec(mem_ctx, sharename, &old_secdesc_ctr)) {
- status = WERR_NOMEM;
- goto out;
- }
-
- /* Pick out correct owner and group sids */
-
- owner_sid = secdesc_ctr->sd->owner_sid ?
- secdesc_ctr->sd->owner_sid :
- old_secdesc_ctr->sd->owner_sid;
-
- group_sid = secdesc_ctr->sd->group_sid ?
- secdesc_ctr->sd->group_sid :
- old_secdesc_ctr->sd->group_sid;
-
- dacl = secdesc_ctr->sd->dacl ?
- secdesc_ctr->sd->dacl :
- old_secdesc_ctr->sd->dacl;
-
- sacl = secdesc_ctr->sd->sacl ?
- secdesc_ctr->sd->sacl :
- old_secdesc_ctr->sd->sacl;
-
- /* Make a deep copy of the security descriptor */
-
- psd = make_sec_desc(mem_ctx, secdesc_ctr->sd->revision, secdesc_ctr->sd->type,
- owner_sid, group_sid,
- sacl,
- dacl,
- &size);
-
- if (!psd) {
- status = WERR_NOMEM;
- goto out;
- }
-
- new_secdesc_ctr = make_sec_desc_buf(mem_ctx, size, psd);
- }
-
- if (!new_secdesc_ctr) {
- new_secdesc_ctr = secdesc_ctr;
- }
-
- /* Store the security descriptor in a tdb */
-
- nt_status = marshall_sec_desc_buf(mem_ctx, new_secdesc_ctr,
- &blob.data, &blob.length);
- if (!NT_STATUS_IS_OK(nt_status)) {
- status = ntstatus_to_werror(nt_status);
- goto out;
- }
-
- kbuf = make_printers_secdesc_tdbkey(mem_ctx, sharename );
-
- dbuf.dptr = (unsigned char *)blob.data;
- dbuf.dsize = blob.length;
-
- if (tdb_trans_store(tdb_printers, kbuf, dbuf, TDB_REPLACE)==0) {
- status = WERR_OK;
- } else {
- DEBUG(1,("Failed to store secdesc for %s\n", sharename));
- status = WERR_BADFUNC;
- }
-
- /* Free malloc'ed memory */
- talloc_free(blob.data);
-
- out:
-
- if (mem_ctx)
- talloc_destroy(mem_ctx);
- return status;
-}
-
-/****************************************************************************
- Construct a default security descriptor buffer for a printer.
-****************************************************************************/
-
-static struct sec_desc_buf *construct_default_printer_sdb(TALLOC_CTX *ctx)
-{
- struct security_ace ace[7]; /* max number of ace entries */
- int i = 0;
- uint32_t sa;
- struct security_acl *psa = NULL;
- struct sec_desc_buf *sdb = NULL;
- struct security_descriptor *psd = NULL;
- struct dom_sid adm_sid;
- size_t sd_size;
-
- /* Create an ACE where Everyone is allowed to print */
-
- sa = PRINTER_ACE_PRINT;
- init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
- sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
-
- /* Add the domain admins group if we are a DC */
-
- if ( IS_DC ) {
- struct dom_sid domadmins_sid;
-
- sid_compose(&domadmins_sid, get_global_sam_sid(),
- DOMAIN_RID_ADMINS);
-
- sa = PRINTER_ACE_FULL_CONTROL;
- init_sec_ace(&ace[i++], &domadmins_sid,
- SEC_ACE_TYPE_ACCESS_ALLOWED, sa,
- SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY);
- init_sec_ace(&ace[i++], &domadmins_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
- sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
- }
- else if (secrets_fetch_domain_sid(lp_workgroup(), &adm_sid)) {
- sid_append_rid(&adm_sid, DOMAIN_RID_ADMINISTRATOR);
-
- sa = PRINTER_ACE_FULL_CONTROL;
- init_sec_ace(&ace[i++], &adm_sid,
- SEC_ACE_TYPE_ACCESS_ALLOWED, sa,
- SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY);
- init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
- sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
- }
-
- /* add BUILTIN\Administrators as FULL CONTROL */
-
- sa = PRINTER_ACE_FULL_CONTROL;
- init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
- SEC_ACE_TYPE_ACCESS_ALLOWED, sa,
- SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY);
- init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
- SEC_ACE_TYPE_ACCESS_ALLOWED,
- sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
-
- /* add BUILTIN\Print Operators as FULL CONTROL */
-
- sa = PRINTER_ACE_FULL_CONTROL;
- init_sec_ace(&ace[i++], &global_sid_Builtin_Print_Operators,
- SEC_ACE_TYPE_ACCESS_ALLOWED, sa,
- SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY);
- init_sec_ace(&ace[i++], &global_sid_Builtin_Print_Operators,
- SEC_ACE_TYPE_ACCESS_ALLOWED,
- sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
-
- /* Make the security descriptor owned by the BUILTIN\Administrators */
-
- /* The ACL revision number in rpc_secdesc.h differs from the one
- created by NT when setting ACE entries in printer
- descriptors. NT4 complains about the property being edited by a
- NT5 machine. */
-
- if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) != NULL) {
- psd = make_sec_desc(ctx, SD_REVISION, SEC_DESC_SELF_RELATIVE,
- &global_sid_Builtin_Administrators,
- &global_sid_Builtin_Administrators,
- NULL, psa, &sd_size);
- }
-
- if (!psd) {
- DEBUG(0,("construct_default_printer_sd: Failed to make SEC_DESC.\n"));
- return NULL;
- }
-
- sdb = make_sec_desc_buf(ctx, sd_size, psd);
-
- DEBUG(4,("construct_default_printer_sdb: size = %u.\n",
- (unsigned int)sd_size));
-
- return sdb;
-}
-
-/****************************************************************************
- Get a security desc for a printer.
-****************************************************************************/
-
-bool nt_printing_getsec(TALLOC_CTX *ctx, const char *sharename, struct sec_desc_buf **secdesc_ctr)
-{
- TDB_DATA kbuf;
- TDB_DATA dbuf;
- DATA_BLOB blob;
- char *temp;
- NTSTATUS status;
-
- if (strlen(sharename) > 2 && (temp = strchr(sharename + 2, '\\'))) {
- sharename = temp + 1;
- }
-
- /* Fetch security descriptor from tdb */
-
- kbuf = make_printers_secdesc_tdbkey(ctx, sharename);
-
- dbuf = tdb_fetch(tdb_printers, kbuf);
- if (dbuf.dptr) {
-
- status = unmarshall_sec_desc_buf(ctx, dbuf.dptr, dbuf.dsize,
- secdesc_ctr);
- SAFE_FREE(dbuf.dptr);
-
- if (NT_STATUS_IS_OK(status)) {
- return true;
- }
- }
-
- *secdesc_ctr = construct_default_printer_sdb(ctx);
- if (!*secdesc_ctr) {
- return false;
- }
-
- status = marshall_sec_desc_buf(ctx, *secdesc_ctr,
- &blob.data, &blob.length);
- if (NT_STATUS_IS_OK(status)) {
- dbuf.dptr = (unsigned char *)blob.data;
- dbuf.dsize = blob.length;
- tdb_trans_store(tdb_printers, kbuf, dbuf, TDB_REPLACE);
- talloc_free(blob.data);
- }
-
- /* If security descriptor is owned by S-1-1-0 and winbindd is up,
- this security descriptor has been created when winbindd was
- down. Take ownership of security descriptor. */
-
- if (sid_equal((*secdesc_ctr)->sd->owner_sid, &global_sid_World)) {
- struct dom_sid owner_sid;
-
- /* Change sd owner to workgroup administrator */
-
- if (secrets_fetch_domain_sid(lp_workgroup(), &owner_sid)) {
- struct sec_desc_buf *new_secdesc_ctr = NULL;
- struct security_descriptor *psd = NULL;
- size_t size;
-
- /* Create new sd */
-
- sid_append_rid(&owner_sid, DOMAIN_RID_ADMINISTRATOR);
-
- psd = make_sec_desc(ctx, (*secdesc_ctr)->sd->revision, (*secdesc_ctr)->sd->type,
- &owner_sid,
- (*secdesc_ctr)->sd->group_sid,
- (*secdesc_ctr)->sd->sacl,
- (*secdesc_ctr)->sd->dacl,
- &size);
-
- if (!psd) {
- return False;
- }
-
- new_secdesc_ctr = make_sec_desc_buf(ctx, size, psd);
- if (!new_secdesc_ctr) {
- return False;
- }
-
- /* Swap with other one */
-
- *secdesc_ctr = new_secdesc_ctr;
-
- /* Set it */
-
- nt_printing_setsec(sharename, *secdesc_ctr);
- }
- }
-
- if (DEBUGLEVEL >= 10) {
- struct security_acl *the_acl = (*secdesc_ctr)->sd->dacl;
- int i;
-
- DEBUG(10, ("secdesc_ctr for %s has %d aces:\n",
- sharename, the_acl->num_aces));
-
- for (i = 0; i < the_acl->num_aces; i++) {
- DEBUG(10, ("%s %d %d 0x%08x\n",
- sid_string_dbg(&the_acl->aces[i].trustee),
- the_acl->aces[i].type, the_acl->aces[i].flags,
- the_acl->aces[i].access_mask));
- }
- }
-
- return True;
-}
-
/* error code:
0: everything OK
1: level not implemented