author | Andrew Bartlett <abartlet@samba.org> | 2010-08-30 15:27:40 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2010-09-11 18:46:11 +1000 |
commit | ad5ec58a714aba1f6c0894ca4e7207f1c5072949 (patch) | |
tree | a175fa95ba3251c95650addccb06ee3ca7ee64e3 | |
parent | 4080ff7af5eec946a01c52f8d9ba01f1ef81fe71 (diff) | |
s3-privs Hide the bitmap-based grant_privilege and revoke_privilege
The new wrappers avoid anything but the core privileges code
dealing with the bitmap values directly.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
-rw-r--r-- | source3/include/proto.h | 4 | ||||
-rw-r--r-- | source3/lib/privileges.c | 40 | ||||
-rw-r--r-- | source3/rpc_server/srv_lsa_nt.c | 15 | ||||
-rw-r--r-- | source3/utils/net_sam.c | 13 |
4 files changed, 44 insertions, 28 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 4081a82686..65a27dc404 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -637,10 +637,10 @@ bool get_privileges_for_sids(uint64_t *privileges, struct dom_sid *slist, int sc
 NTSTATUS privilege_enumerate_accounts(struct dom_sid **sids, int *num_sids);
 NTSTATUS privilege_enum_sids(enum sec_privilege privilege, TALLOC_CTX *mem_ctx, struct dom_sid **sids, int *num_sids);
-bool grant_privilege(const struct dom_sid *sid, const uint64_t priv_mask);
+bool grant_privilege_set(const struct dom_sid *sid, struct lsa_PrivilegeSet *set);
 bool grant_privilege_by_name(struct dom_sid *sid, const char *name);
-bool revoke_privilege(const struct dom_sid *sid, const uint64_t priv_mask);
 bool revoke_all_privileges( struct dom_sid *sid );
+bool revoke_privilege_set(const struct dom_sid *sid, struct lsa_PrivilegeSet *set);
 bool revoke_privilege_by_name(struct dom_sid *sid, const char *name);
 NTSTATUS privilege_create_account(const struct dom_sid *sid );
 NTSTATUS privilege_delete_account(const struct dom_sid *sid);
diff --git a/source3/lib/privileges.c b/source3/lib/privileges.c
index 436e456932..181ea5c986 100644
--- a/source3/lib/privileges.c
+++ b/source3/lib/privileges.c
@@ -280,7 +280,7 @@ NTSTATUS privilege_enum_sids(enum sec_privilege privilege, TALLOC_CTX *mem_ctx,
 Add privilege to sid
 ****************************************************************************/
-bool grant_privilege(const struct dom_sid *sid, const uint64_t priv_mask)
+static bool grant_privilege_bitmap(const struct dom_sid *sid, const uint64_t priv_mask)
 {
 	uint64_t old_mask, new_mask;
@@ -317,14 +317,27 @@ bool grant_privilege_by_name(struct dom_sid *sid, const char *name)
 		return False;
 	}
-	return grant_privilege( sid, mask );
+	return grant_privilege_bitmap( sid, mask );
+}
+
+/***************************************************************************
+ Grant a privilege set (list of LUID values) from a sid
+****************************************************************************/
+
+bool grant_privilege_set(const struct dom_sid *sid, struct lsa_PrivilegeSet *set)
+{
+	uint64_t privilege_mask;
+	if (!privilege_set_to_se_priv(&privilege_mask, set)) {
+		return false;
+	}
+	return grant_privilege_bitmap(sid, privilege_mask);
 }
 /***************************************************************************
  Remove privilege from sid
 ****************************************************************************/
-bool revoke_privilege(const struct dom_sid *sid, const uint64_t priv_mask)
+static bool revoke_privilege_bitmap(const struct dom_sid *sid, const uint64_t priv_mask)
 {
 	uint64_t mask;
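Review bot: The header comment added for `grant_privilege_set` says "Grant a privilege set (list of LUID values) from a sid", but the function grants to the SID, so it should read `Grant a privilege set (list of LUID values) to a sid`. The wrapper also folds two different failures into a single `false`: `privilege_set_to_se_priv()` rejecting an unknown LUID, and `grant_privilege_bitmap()` failing to store the new mask, and since the resolved mask now never leaves this file the caller can no longer log which privileges were requested. Consider logging the mask here before the grant, e.g. `DEBUG(10,("grant_privilege_set: mask 0x%llx\n", (unsigned long long)privilege_mask));`, and a comment above `return false` stating that a false return covers both an unknown LUID and a storage failure. The body of `grant_privilege_by_name` that this hunk starts in begins outside the hunk.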
@@ -344,13 +357,26 @@ bool revoke_privilege(const struct dom_sid *sid, const uint64_t priv_mask)
 	return set_privileges( sid, &mask );
 }
+/***************************************************************************
+ Remove a privilege set (list of LUID values) from a sid
+****************************************************************************/
+
+bool revoke_privilege_set(const struct dom_sid *sid, struct lsa_PrivilegeSet *set)
+{
+	uint64_t privilege_mask;
+	if (!privilege_set_to_se_priv(&privilege_mask, set)) {
+		return false;
+	}
+	return revoke_privilege_bitmap(sid, privilege_mask);
+}
+
 /*********************************************************************
  Revoke all privileges
 *********************************************************************/
 bool revoke_all_privileges( struct dom_sid *sid )
 {
-	return revoke_privilege( sid, SE_ALL_PRIVS);
+	return revoke_privilege_bitmap( sid, SE_ALL_PRIVS);
 }
 /*********************************************************************
@@ -367,7 +393,7 @@ bool revoke_privilege_by_name(struct dom_sid *sid, const char *name)
 		return False;
 	}
-	return revoke_privilege(sid, mask);
+	return revoke_privilege_bitmap(sid, mask);
 }
@@ -377,7 +403,7 @@ bool revoke_privilege_by_name(struct dom_sid *sid, const char *name)
 NTSTATUS privilege_create_account(const struct dom_sid *sid )
 {
-	return ( grant_privilege(sid, 0) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL);
+	return ( grant_privilege_bitmap(sid, 0) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL);
 }
 /***************************************************************************
@@ -509,5 +535,5 @@ bool grant_all_privileges( const struct dom_sid *sid )
 		return False;
 	}
-	return grant_privilege( sid, mask );
+	return grant_privilege_bitmap( sid, mask );
 }
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index 896ca66c6d..d0cf4e4716 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
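Review bot: `revoke_privilege_set` takes `struct lsa_PrivilegeSet *set` without `const`, yet the only thing it does with it is pass it to `privilege_set_to_se_priv()`; if that helper does not write through the pointer, the parameter (and the matching prototype in proto.h) should be `const struct lsa_PrivilegeSet *set` so callers can pass the decoded request without a cast. The new comment block should also say what a false return means, since the wrapper returns false both when the set contains an unknown LUID and when `revoke_privilege_bitmap()` cannot update the stored mask, and the caller has no way to tell the two apart. The `revoke_privilege_bitmap` body this hunk starts in begins outside the hunk.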
@@ -1990,7 +1990,6 @@ NTSTATUS _lsa_AddPrivilegesToAccount(struct pipes_struct *p,
 					struct lsa_AddPrivilegesToAccount *r)
 {
 	struct lsa_info *info = NULL;
-	uint64_t mask;
 	struct lsa_PrivilegeSet *set = NULL;
 	/* find the connection policy handle. */
@@ -2006,13 +2005,10 @@ NTSTATUS _lsa_AddPrivilegesToAccount(struct pipes_struct *p,
 	}
 	set = r->in.privs;
-	if ( !privilege_set_to_se_priv( &mask, set ) )
-		return NT_STATUS_NO_SUCH_PRIVILEGE;
-	if ( !grant_privilege( &info->sid, mask ) ) {
-		DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
+	if ( !grant_privilege_set( &info->sid, set ) ) {
+		DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege_set(%s) failed!\n",
 			sid_string_dbg(&info->sid) ));
-		DEBUG(3,("Privilege mask: 0x%llx\n", (unsigned long long)mask));
 		return NT_STATUS_NO_SUCH_PRIVILEGE;
 	}
@@ -2028,7 +2024,6 @@ NTSTATUS _lsa_RemovePrivilegesFromAccount(struct pipes_struct *p,
 					struct lsa_RemovePrivilegesFromAccount *r)
 {
 	struct lsa_info *info = NULL;
-	uint64_t mask;
 	struct lsa_PrivilegeSet *set = NULL;
 	/* find the connection policy handle. */
@@ -2045,13 +2040,9 @@ NTSTATUS _lsa_RemovePrivilegesFromAccount(struct pipes_struct *p,
 	set = r->in.privs;
-	if ( !privilege_set_to_se_priv( &mask, set ) )
-		return NT_STATUS_NO_SUCH_PRIVILEGE;
-
-	if ( !revoke_privilege( &info->sid, mask ) ) {
+	if ( !revoke_privilege_set( &info->sid, set) ) {
 		DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
 			sid_string_dbg(&info->sid) ));
-		DEBUG(3,("Privilege mask: 0x%llx\n", (unsigned long long)mask));
 		return NT_STATUS_NO_SUCH_PRIVILEGE;
 	}
diff --git a/source3/utils/net_sam.c b/source3/utils/net_sam.c
index 53e8c96f63..a5be714631 100644
--- a/source3/utils/net_sam.c
+++ b/source3/utils/net_sam.c
@@ -692,7 +692,6 @@ static int net_sam_rights_grant(struct net_context *c, int argc,
 	struct dom_sid sid;
 	enum lsa_SidType type;
 	const char *dom, *name;
-	uint64_t mask;
 	int i;
 	if (argc < 2 || c->display_usage) {
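Review bot: Dropping the `DEBUG(3,("Privilege mask: 0x%llx\n", ...))` line in `_lsa_AddPrivilegesToAccount` leaves the failure log with only the account SID, so a rejected AddPrivilegesToAccount no longer records which privileges the client asked for, and the mask is now computed inside `grant_privilege_set` where this function cannot reach it. A storage failure inside the wrapper is also still returned to the client as `NT_STATUS_NO_SUCH_PRIVILEGE`, indistinguishable from a request naming a bad LUID, which the old code at least separated into two checks. Suggest adding the request size to the existing message, e.g. `DEBUG(3,("... grant_privilege_set(%s, %u privs) failed!\n", sid_string_dbg(&info->sid), (unsigned)set->count));` assuming `count` is the member name on this side of the IDL, and a comment on the return noting that NO_SUCH_PRIVILEGE also covers a failed privilege-database update. `_lsa_AddPrivilegesToAccount` continues past the end of the hunk.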
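Review bot: The failure message in `_lsa_RemovePrivilegesFromAccount` still names `revoke_privilege(%s)` although the call on the line above is now `revoke_privilege_set`; the grant hunk updated its message, so this one is the odd one out and should read `DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege_set(%s) failed!\n",`. The spacing `set)` versus the grant hunk's `set )` is cosmetic but worth aligning while touching the line. `_lsa_RemovePrivilegesFromAccount` continues beyond the hunk.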
@@ -709,12 +708,13 @@ static int net_sam_rights_grant(struct net_context *c, int argc,
 	}
 	for (i=1; i < argc; i++) {
-		if (!se_priv_from_name(argv[i], &mask)) {
+		enum sec_privilege privilege = sec_privilege_id(argv[i]);
+		if (privilege == SEC_PRIV_INVALID) {
 			d_fprintf(stderr, _("%s unknown\n"), argv[i]);
 			return -1;
 		}
-		if (!grant_privilege(&sid, mask)) {
+		if (!grant_privilege_by_name(&sid, argv[i])) {
 			d_fprintf(stderr, _("Could not grant privilege\n"));
 			return -1;
 		}
@@ -731,7 +731,6 @@ static int net_sam_rights_revoke(struct net_context *c, int argc,
 	struct dom_sid sid;
 	enum lsa_SidType type;
 	const char *dom, *name;
-	uint64_t mask;
 	int i;
 	if (argc < 2 || c->display_usage) {
@@ -748,13 +747,13 @@ static int net_sam_rights_revoke(struct net_context *c, int argc,
 	}
 	for (i=1; i < argc; i++) {
-
-		if (!se_priv_from_name(argv[i], &mask)) {
+		enum sec_privilege privilege = sec_privilege_id(argv[i]);
+		if (privilege == SEC_PRIV_INVALID) {
 			d_fprintf(stderr, _("%s unknown\n"), argv[i]);
 			return -1;
 		}
-		if (!revoke_privilege(&sid, mask)) {
+		if (!revoke_privilege_by_name(&sid, argv[i])) {
 			d_fprintf(stderr, _("Could not revoke privilege\n"));
 			return -1;
 		}
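Review bot: The `sec_privilege_id()` probe added to `net_sam_rights_grant` only validates `argv[i]`; `grant_privilege_by_name()` then resolves the same string a second time (its tail in the privileges.c hunk shows it returning False on its own failed lookup), so each right is looked up twice and, should the two name tables ever disagree, the user sees "Could not grant privilege" rather than "%s unknown". The `privilege` local is used for nothing but that comparison, which is fine but deserves a line of intent: `/* validate the name first so an unknown right is reported as such, not as a grant failure */`. The revoke hunk below has the identical shape and would take the same comment; both functions begin outside their hunks.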