author | Andrew Bartlett <abartlet@samba.org> | 2010-08-27 12:19:09 +1000 |
committer | Andrew Bartlett <abartlet@samba.org> | 2010-09-11 18:46:08 +1000 |
commit | cbd72ab93bc35aa71a55b190cd999dda4106be07 (patch) | |
tree | 72327385378a4efdd39c2a4f46b096f33a5b11cc | |
parent | 33ce8633d6a5e5cc54209c92397025114f0a46ea (diff) | |
libcli/security Don't export privs[] as a global variable
Instead, provide access functions for the LSA and net sam callers
for the information they need.
They still only enumerate the first 8 privileges that have traditionally
been exposed.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
-rw-r--r-- | libcli/security/privileges.c | 43 | ||||
-rw-r--r-- | libcli/security/privileges.h | 25 | ||||
-rw-r--r-- | source3/rpc_server/srv_lsa_nt.c | 7 | ||||
-rw-r--r-- | source3/utils/net_sam.c | 6 |
4 files changed, 31 insertions, 50 deletions
diff --git a/libcli/security/privileges.c b/libcli/security/privileges.c
index 24a58e49e8..a33ef57a60 100644
--- a/libcli/security/privileges.c
+++ b/libcli/security/privileges.c
@@ -55,7 +55,12 @@ const uint64_t se_take_ownership = SE_TAKE_OWNERSHIP;
 #define NUM_SHORT_LIST_PRIVS 8
-PRIVS privs[] = {
+static const struct {
+ enum sec_privilege luid;
+ uint64_t privilege_mask;
+ const char *name;
+ const char *description;
+} privs[] = {
 {SEC_PRIV_MACHINE_ACCOUNT, SE_MACHINE_ACCOUNT, "SeMachineAccountPrivilege", "Add machines to domain"},
 {SEC_PRIV_TAKE_OWNERSHIP, SE_TAKE_OWNERSHIP, "SeTakeOwnershipPrivilege", "Take ownership of files or other objects"},
@@ -404,7 +409,7 @@ bool user_has_any_privilege(struct security_token *token, const uint64_t *privil
 }
 /*******************************************************************
- return the number of elements in the privlege array
+ return the number of elements in the 'short' privlege array (traditional source3 behaviour)
 *******************************************************************/
 int num_privileges_in_short_list( void )
@@ -412,27 +417,6 @@ int num_privileges_in_short_list( void )
 return NUM_SHORT_LIST_PRIVS;
 }
-/*********************************************************************
- Generate the struct lsa_LUIDAttribute structure based on a bitmask
- The assumption here is that the privilege has already been validated
- so we are guaranteed to find it in the list.
-*********************************************************************/
-
-enum sec_privilege get_privilege_luid( uint64_t *privilege_mask )
-{
- int i;
-
- uint32_t num_privs = ARRAY_SIZE(privs);
-
- for ( i=0; i<num_privs; i++ ) {
- if ( se_priv_equal( &privs[i].privilege_mask, privilege_mask ) ) {
- return privs[i].luid;
- }
- }
-
- return 0;
-}
-
 /****************************************************************************
 Convert a LUID to a named string
 ****************************************************************************/
@@ -613,7 +597,7 @@ enum sec_privilege sec_privilege_from_mask(uint64_t mask)
 }
 /*
- map a privilege name to a privilege id. Return -1 if not found
+ assist in walking the table of privileges - return the LUID (low 32 bits) by index
 */
 enum sec_privilege sec_privilege_from_index(int idx)
 {
@@ -623,6 +607,17 @@ enum sec_privilege sec_privilege_from_index(int idx)
 return -1;
 }
+/*
+ assist in walking the table of privileges - return the string constant by index
+*/
+const char *sec_privilege_name_from_index(int idx)
+{
+ if (idx >= 0 && idx<ARRAY_SIZE(privs)) {
+ return privs[idx].name;
+ }
+ return NULL;
+}
+
 /*
 return a privilege mask given a privilege id
diff --git a/libcli/security/privileges.h b/libcli/security/privileges.h
index e1cfbbb404..e715c468c2 100644
--- a/libcli/security/privileges.h
+++ b/libcli/security/privileges.h
@@ -63,13 +63,6 @@ typedef struct {
 struct lsa_LUIDAttribute *set;
 } PRIVILEGE_SET;
-typedef struct {
- enum sec_privilege luid;
- uint64_t privilege_mask;
- const char *name;
- const char *description;
-} PRIVS;
-
 /***************************************************************************
 copy an uint64_t structure
 ****************************************************************************/
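Review bot: `sec_privilege_name_from_index` returns NULL for an out-of-range index, but both new callers introduced by this commit, `init_lsa_StringLarge(&entries[i].name, sec_privilege_name_from_index(i))` in srv_lsa_nt.c and `d_printf("%s\n", sec_privilege_name_from_index(i))` in net_sam.c, pass the result on unchecked, so correctness silently depends on `NUM_SHORT_LIST_PRIVS` never exceeding `ARRAY_SIZE(privs)`. A header comment on the new function stating that contract, `/* Returns NULL when idx is outside the table; callers that iterate num_privileges_in_short_list() rely on NUM_SHORT_LIST_PRIVS <= ARRAY_SIZE(privs) */`, or a compile-time check next to the table definition, would make the dependency explicit rather than implicit. The guard `idx >= 0 && idx<ARRAY_SIZE(privs)` compares a signed int with a size_t; because the sign test runs first the promotion is harmless, but `idx < (int)ARRAY_SIZE(privs)` avoids the -Wsign-compare warning and matches the convention of the adjacent `sec_privilege_from_index`, whose body starts outside this hunk.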
@@ -137,18 +130,11 @@ bool user_has_privileges(const struct security_token *token, const uint64_t *pri
 bool user_has_any_privilege(struct security_token *token, const uint64_t *privilege_mask);
 /*******************************************************************
- return the number of elements in the privlege array
+ return the number of elements in the 'short' privlege array (traditional source3 behaviour)
 *******************************************************************/
-int count_all_privileges( void );
-
-/*********************************************************************
- Generate the struct lsa_LUIDAttribute structure based on a bitmask
- The assumption here is that the privilege has already been validated
- so we are guaranteed to find it in the list.
-*********************************************************************/
+int num_privileges_in_short_list( void );
-enum sec_privilege get_privilege_luid( uint64_t *privilege_mask );
 /****************************************************************************
 Convert a LUID to a named string
 ****************************************************************************/
@@ -181,11 +167,16 @@ enum sec_privilege sec_privilege_id(const char *name);
 enum sec_privilege sec_privilege_from_mask(uint64_t mask);
 /*
- map a privilege name to a privilege id. Return -1 if not found
+ assist in walking the table of privileges - return the LUID (low 32 bits) by index
 */
 enum sec_privilege sec_privilege_from_index(int idx);
 /*
+ assist in walking the table of privileges - return the string constant by index
+*/
+const char *sec_privilege_name_from_index(int idx);
+
+/*
 return true if a security_token has a particular privilege bit set
 */
 bool security_token_has_privilege(const struct security_token *token, enum sec_privilege privilege);
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index 6eee899530..c787502a35 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -39,8 +39,6 @@
 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
-extern PRIVS privs[];
-
 enum lsa_handle_type { LSA_HANDLE_POLICY_TYPE = 1, LSA_HANDLE_ACCOUNT_TYPE };
 struct lsa_info {
@@ -1454,7 +1452,6 @@ NTSTATUS _lsa_EnumPrivs(struct pipes_struct *p,
 uint32 enum_context = *r->in.resume_handle;
 int num_privs = num_privileges_in_short_list();
 struct lsa_PrivEntry *entries = NULL;
- struct lsa_LUIDAttribute luid;
 /* remember that the enum_context starts at 0 and not 1 */
@@ -1495,9 +1492,9 @@ NTSTATUS _lsa_EnumPrivs(struct pipes_struct *p,
 entries[i].luid.high = 0;
 } else {
- init_lsa_StringLarge(&entries[i].name, privs[i].name);
+ init_lsa_StringLarge(&entries[i].name, sec_privilege_name_from_index(i));
- entries[i].luid.low = get_privilege_luid( &privs[i].privilege_mask );
+ entries[i].luid.low = sec_privilege_from_index(i);
 entries[i].luid.high = 0;
 }
 }
diff --git a/source3/utils/net_sam.c b/source3/utils/net_sam.c
index 99eac045e0..6a9e261ea0 100644
--- a/source3/utils/net_sam.c
+++ b/source3/utils/net_sam.c
@@ -631,8 +631,6 @@ static int net_sam_policy(struct net_context *c, int argc, const char **argv)
 return net_run_function(c, argc, argv, "net sam policy", func);
 }
-extern PRIVS privs[];
-
 static int net_sam_rights_list(struct net_context *c, int argc,
 const char **argv)
 {
@@ -647,10 +645,10 @@ static int net_sam_rights_list(struct net_context *c, int argc,
 if (argc == 0) {
 int i;
- int num = count_all_privileges();
+ int num = num_privileges_in_short_list();
 for (i=0; i<num; i++) {
- d_printf("%s\n", privs[i].name);
+ d_printf("%s\n", sec_privilege_name_from_index(i));
 }
 return 0;
 }
|
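Review bot: `entries[i].luid.low = sec_privilege_from_index(i);` changes the failure value of the lookup: the removed `get_privilege_luid` returned 0 when no match was found, whereas `sec_privilege_from_index` returns -1 for an out-of-range index (visible as `return -1;` in the privileges.c hunk), which would be stored as 0xFFFFFFFF if `luid.low` is an unsigned 32-bit field — worth confirming against the IDL. As with the name lookup on the line above, this only bites if `num_privileges_in_short_list()` ever exceeds the table size, but an LSA client would then receive an invalid LUID rather than a zero one. A short comment at the assignment, `/* i is bounded by num_privileges_in_short_list(); a -1 here means the short list and privs[] are out of sync */`, records the assumption for the next maintainer. The body of `_lsa_EnumPrivs` starts and ends outside this hunk.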