authorAndrew Bartlett <abartlet@samba.org>2010-08-30 15:27:40 +1000
committerAndrew Bartlett <abartlet@samba.org>2010-09-11 18:46:11 +1000
commitad5ec58a714aba1f6c0894ca4e7207f1c5072949 (patch)
treea175fa95ba3251c95650addccb06ee3ca7ee64e3
parent4080ff7af5eec946a01c52f8d9ba01f1ef81fe71 (diff)
s3-privs Hide the bitmap-based grant_privilege and revoke_privilege
The new wrappers ensure that nothing but the core privileges code deals with the bitmap values directly. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
-rw-r--r--source3/include/proto.h4
-rw-r--r--source3/lib/privileges.c40
-rw-r--r--source3/rpc_server/srv_lsa_nt.c15
-rw-r--r--source3/utils/net_sam.c13
4 files changed, 44 insertions, 28 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 4081a82686..65a27dc404 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -637,10 +637,10 @@ bool get_privileges_for_sids(uint64_t *privileges, struct dom_sid *slist, int sc
NTSTATUS privilege_enumerate_accounts(struct dom_sid **sids, int *num_sids);
NTSTATUS privilege_enum_sids(enum sec_privilege privilege, TALLOC_CTX *mem_ctx,
struct dom_sid **sids, int *num_sids);
-bool grant_privilege(const struct dom_sid *sid, const uint64_t priv_mask);
+bool grant_privilege_set(const struct dom_sid *sid, struct lsa_PrivilegeSet *set);
bool grant_privilege_by_name(struct dom_sid *sid, const char *name);
-bool revoke_privilege(const struct dom_sid *sid, const uint64_t priv_mask);
bool revoke_all_privileges( struct dom_sid *sid );
+bool revoke_privilege_set(const struct dom_sid *sid, struct lsa_PrivilegeSet *set);
bool revoke_privilege_by_name(struct dom_sid *sid, const char *name);
NTSTATUS privilege_create_account(const struct dom_sid *sid );
NTSTATUS privilege_delete_account(const struct dom_sid *sid);
diff --git a/source3/lib/privileges.c b/source3/lib/privileges.c
index 436e456932..181ea5c986 100644
--- a/source3/lib/privileges.c
+++ b/source3/lib/privileges.c
@@ -280,7 +280,7 @@ NTSTATUS privilege_enum_sids(enum sec_privilege privilege, TALLOC_CTX *mem_ctx,
Add privilege to sid
****************************************************************************/
-bool grant_privilege(const struct dom_sid *sid, const uint64_t priv_mask)
+static bool grant_privilege_bitmap(const struct dom_sid *sid, const uint64_t priv_mask)
{
uint64_t old_mask, new_mask;
@@ -317,14 +317,27 @@ bool grant_privilege_by_name(struct dom_sid *sid, const char *name)
return False;
}
- return grant_privilege( sid, mask );
+ return grant_privilege_bitmap( sid, mask );
+}
+
+/***************************************************************************
+ Grant a privilege set (list of LUID values) from a sid
+****************************************************************************/
+
+bool grant_privilege_set(const struct dom_sid *sid, struct lsa_PrivilegeSet *set)
+{
+ uint64_t privilege_mask;
+ if (!privilege_set_to_se_priv(&privilege_mask, set)) {
+ return false;
+ }
+ return grant_privilege_bitmap(sid, privilege_mask);
}
/***************************************************************************
Remove privilege from sid
****************************************************************************/
-bool revoke_privilege(const struct dom_sid *sid, const uint64_t priv_mask)
+static bool revoke_privilege_bitmap(const struct dom_sid *sid, const uint64_t priv_mask)
{
uint64_t mask;
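Review bot: The header comment on the new grant_privilege_set reads "Grant a privilege set (list of LUID values) from a sid", but the function grants to the SID; the matching comment on revoke_privilege_set in the next hunk ("Remove ... from a sid") is right, so this one should read `Grant a privilege set (list of LUID values) to a sid`. Both new wrappers also return lowercase `false` where the surrounding file uses `False` (the `return False;` lines in grant_privilege_by_name and revoke_privilege_by_name are visible in this and later hunks); the rest of the file's convention should be followed, or the caller-visible documentation should note that the wrapper returns false both when the set contains a LUID that privilege_set_to_se_priv rejects and when the underlying store write fails, since the two causes are indistinguishable to callers. The `set` parameter is only passed through to privilege_set_to_se_priv, so it could presumably be `const struct lsa_PrivilegeSet *` if that helper accepts const — worth confirming against its prototype. The body of revoke_privilege_bitmap continues past the end of this hunk.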
@@ -344,13 +357,26 @@ bool revoke_privilege(const struct dom_sid *sid, const uint64_t priv_mask)
return set_privileges( sid, &mask );
}
+/***************************************************************************
+ Remove a privilege set (list of LUID values) from a sid
+****************************************************************************/
+
+bool revoke_privilege_set(const struct dom_sid *sid, struct lsa_PrivilegeSet *set)
+{
+ uint64_t privilege_mask;
+ if (!privilege_set_to_se_priv(&privilege_mask, set)) {
+ return false;
+ }
+ return revoke_privilege_bitmap(sid, privilege_mask);
+}
+
/*********************************************************************
Revoke all privileges
*********************************************************************/
bool revoke_all_privileges( struct dom_sid *sid )
{
- return revoke_privilege( sid, SE_ALL_PRIVS);
+ return revoke_privilege_bitmap( sid, SE_ALL_PRIVS);
}
/*********************************************************************
@@ -367,7 +393,7 @@ bool revoke_privilege_by_name(struct dom_sid *sid, const char *name)
return False;
}
- return revoke_privilege(sid, mask);
+ return revoke_privilege_bitmap(sid, mask);
}
@@ -377,7 +403,7 @@ bool revoke_privilege_by_name(struct dom_sid *sid, const char *name)
NTSTATUS privilege_create_account(const struct dom_sid *sid )
{
- return ( grant_privilege(sid, 0) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL);
+ return ( grant_privilege_bitmap(sid, 0) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL);
}
/***************************************************************************
@@ -509,5 +535,5 @@ bool grant_all_privileges( const struct dom_sid *sid )
return False;
}
- return grant_privilege( sid, mask );
+ return grant_privilege_bitmap( sid, mask );
}
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index 896ca66c6d..d0cf4e4716 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -1990,7 +1990,6 @@ NTSTATUS _lsa_AddPrivilegesToAccount(struct pipes_struct *p,
struct lsa_AddPrivilegesToAccount *r)
{
struct lsa_info *info = NULL;
- uint64_t mask;
struct lsa_PrivilegeSet *set = NULL;
/* find the connection policy handle. */
@@ -2006,13 +2005,10 @@ NTSTATUS _lsa_AddPrivilegesToAccount(struct pipes_struct *p,
}
set = r->in.privs;
- if ( !privilege_set_to_se_priv( &mask, set ) )
- return NT_STATUS_NO_SUCH_PRIVILEGE;
- if ( !grant_privilege( &info->sid, mask ) ) {
- DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
+ if ( !grant_privilege_set( &info->sid, set ) ) {
+ DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege_set(%s) failed!\n",
sid_string_dbg(&info->sid) ));
- DEBUG(3,("Privilege mask: 0x%llx\n", (unsigned long long)mask));
return NT_STATUS_NO_SUCH_PRIVILEGE;
}
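Review bot: The failure path now logs only the SID, because the dropped `DEBUG(3,("Privilege mask: 0x%llx\n", ...))` line was the only record of what was being granted and the new wrapper no longer exposes a mask; a failure caused by an unrecognised LUID in the set and one caused by the store write failing both reach this single log line and the same NT_STATUS_NO_SUCH_PRIVILEGE. If that diagnostic detail is still wanted, logging the size of the incoming set alongside the SID (presumably `set->count`, which is what the wire structure carries) keeps the log useful without reintroducing the bitmap here. The same loss applies to the revoke hunk in _lsa_RemovePrivilegesFromAccount below. _lsa_AddPrivilegesToAccount continues past the end of this hunk.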
@@ -2028,7 +2024,6 @@ NTSTATUS _lsa_RemovePrivilegesFromAccount(struct pipes_struct *p,
struct lsa_RemovePrivilegesFromAccount *r)
{
struct lsa_info *info = NULL;
- uint64_t mask;
struct lsa_PrivilegeSet *set = NULL;
/* find the connection policy handle. */
@@ -2045,13 +2040,9 @@ NTSTATUS _lsa_RemovePrivilegesFromAccount(struct pipes_struct *p,
set = r->in.privs;
- if ( !privilege_set_to_se_priv( &mask, set ) )
- return NT_STATUS_NO_SUCH_PRIVILEGE;
-
- if ( !revoke_privilege( &info->sid, mask ) ) {
+ if ( !revoke_privilege_set( &info->sid, set) ) {
DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
sid_string_dbg(&info->sid) ));
- DEBUG(3,("Privilege mask: 0x%llx\n", (unsigned long long)mask));
return NT_STATUS_NO_SUCH_PRIVILEGE;
}
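Review bot: The DEBUG message on the failure path still names the old function, `revoke_privilege(%s) failed!`, although the call directly above it is now revoke_privilege_set; the grant hunk earlier in this file updated its message to `grant_privilege_set(%s) failed!`, so this one should read `DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege_set(%s) failed!\n",`. As a point of style the new call is also missing the space before the closing parenthesis, `revoke_privilege_set( &info->sid, set )`, that the neighbouring code uses. _lsa_RemovePrivilegesFromAccount continues past the end of this hunk.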
diff --git a/source3/utils/net_sam.c b/source3/utils/net_sam.c
index 53e8c96f63..a5be714631 100644
--- a/source3/utils/net_sam.c
+++ b/source3/utils/net_sam.c
@@ -692,7 +692,6 @@ static int net_sam_rights_grant(struct net_context *c, int argc,
struct dom_sid sid;
enum lsa_SidType type;
const char *dom, *name;
- uint64_t mask;
int i;
if (argc < 2 || c->display_usage) {
@@ -709,12 +708,13 @@ static int net_sam_rights_grant(struct net_context *c, int argc,
}
for (i=1; i < argc; i++) {
- if (!se_priv_from_name(argv[i], &mask)) {
+ enum sec_privilege privilege = sec_privilege_id(argv[i]);
+ if (privilege == SEC_PRIV_INVALID) {
d_fprintf(stderr, _("%s unknown\n"), argv[i]);
return -1;
}
- if (!grant_privilege(&sid, mask)) {
+ if (!grant_privilege_by_name(&sid, argv[i])) {
d_fprintf(stderr, _("Could not grant privilege\n"));
return -1;
}
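Review bot: The result of sec_privilege_id(argv[i]) is stored in `privilege` but used only for the SEC_PRIV_INVALID check, after which grant_privilege_by_name resolves the same name a second time; nothing in the hunk explains that the first lookup exists only so that an unknown name is reported as `%s unknown` rather than as the generic "Could not grant privilege" message. A comment above the check, `/* resolve first so an unknown name is reported separately from a store failure */`, would stop a later reader from "simplifying" the validation away. The revoke loop in net_sam_rights_revoke below has the identical shape and would take the same comment. net_sam_rights_grant continues past the end of this hunk.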
@@ -731,7 +731,6 @@ static int net_sam_rights_revoke(struct net_context *c, int argc,
struct dom_sid sid;
enum lsa_SidType type;
const char *dom, *name;
- uint64_t mask;
int i;
if (argc < 2 || c->display_usage) {
@@ -748,13 +747,13 @@ static int net_sam_rights_revoke(struct net_context *c, int argc,
}
for (i=1; i < argc; i++) {
-
- if (!se_priv_from_name(argv[i], &mask)) {
+ enum sec_privilege privilege = sec_privilege_id(argv[i]);
+ if (privilege == SEC_PRIV_INVALID) {
d_fprintf(stderr, _("%s unknown\n"), argv[i]);
return -1;
}
- if (!revoke_privilege(&sid, mask)) {
+ if (!revoke_privilege_by_name(&sid, argv[i])) {
d_fprintf(stderr, _("Could not revoke privilege\n"));
return -1;
}