diff options
author | Jeremy Allison <jra@samba.org> | 2001-09-26 00:05:03 +0000 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2001-09-26 00:05:03 +0000 |
commit | 0f4281b9b4a4056e9e087deb15e60ea482af7a74 (patch) | |
tree | 209555a82bbba203434a9818785f780bdca15890 | |
parent | 6ddcd8a3bcef32694d9d753ff91cced71f5ca3a8 (diff) | |
download | samba-0f4281b9b4a4056e9e087deb15e60ea482af7a74.tar.gz samba-0f4281b9b4a4056e9e087deb15e60ea482af7a74.tar.bz2 samba-0f4281b9b4a4056e9e087deb15e60ea482af7a74.zip |
Added Elrond patch to make se_access_check use NT datastructures, not Samba.
Jeremy.
(This used to be commit bca6419447e926e51aeecf3e484228f640cecb84)
-rw-r--r-- | source3/lib/util_seaccess.c | 13 | ||||
-rw-r--r-- | source3/printing/nt_printing.c | 5 | ||||
-rw-r--r-- | source3/rpc_server/srv_srvsvc_nt.c | 27 |
3 files changed, 17 insertions, 28 deletions
diff --git a/source3/lib/util_seaccess.c b/source3/lib/util_seaccess.c index f10c84c276..ec1b56ae86 100644 --- a/source3/lib/util_seaccess.c +++ b/source3/lib/util_seaccess.c @@ -30,7 +30,7 @@ extern int DEBUGLEVEL; Check if this ACE has a SID in common with the token. **********************************************************************************/ -static BOOL token_sid_in_ace( NT_USER_TOKEN *token, SEC_ACE *ace) +static BOOL token_sid_in_ace(const NT_USER_TOKEN *token, const SEC_ACE *ace) { size_t i; @@ -204,7 +204,7 @@ void se_map_generic(uint32 *access_mask, struct generic_mapping *mapping) "Access-Checking" document in MSDN. *****************************************************************************/ -BOOL se_access_check(SEC_DESC *sd, struct current_user *user, +BOOL se_access_check(SEC_DESC *sd, NT_USER_TOKEN *token, uint32 acc_desired, uint32 *acc_granted, NTSTATUS *status) { @@ -212,17 +212,20 @@ BOOL se_access_check(SEC_DESC *sd, struct current_user *user, size_t i; SEC_ACL *the_acl; fstring sid_str; - NT_USER_TOKEN *token = user->nt_user_token ? user->nt_user_token : &anonymous_token; uint32 tmp_acc_desired = acc_desired; if (!status || !acc_granted) return False; + if (!token) + token = &anonymous_token; + *status = NT_STATUS_OK; *acc_granted = 0; - DEBUG(10,("se_access_check: requested access %x, for uid %u\n", - (unsigned int)acc_desired, (unsigned int)user->uid )); + DEBUG(10,("se_access_check: requested access %x, for NT token with %u entries and first sid %s.\n", + (unsigned int)acc_desired, (unsigned int)token->num_sids, + sid_to_string(sid_str, &token->user_sids[0]))); /* * No security descriptor or security descriptor with no DACL diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c index 1a1c71fe39..58fc7e25ae 100644 --- a/source3/printing/nt_printing.c +++ b/source3/printing/nt_printing.c @@ -3691,7 +3691,8 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type) /* If user is NULL then use the current_user structure */ - if (!user) user = ¤t_user; + if (!user) + user = ¤t_user; /* Always allow root or printer admins to do anything */ @@ -3740,7 +3741,7 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type) map_printer_permissions(secdesc->sec); - result = se_access_check(secdesc->sec, user, access_type, + result = se_access_check(secdesc->sec, user->nt_user_token, access_type, &access_granted, &status); DEBUG(4, ("access check was %s\n", result ? "SUCCESS" : "FAILURE")); diff --git a/source3/rpc_server/srv_srvsvc_nt.c b/source3/rpc_server/srv_srvsvc_nt.c index 7bc94c5575..2877b7af05 100644 --- a/source3/rpc_server/srv_srvsvc_nt.c +++ b/source3/rpc_server/srv_srvsvc_nt.c @@ -308,8 +308,7 @@ BOOL share_access_check(connection_struct *conn, int snum, uint16 vuid, uint32 d TALLOC_CTX *mem_ctx = NULL; SEC_DESC *psd = NULL; size_t sd_size; - struct current_user tmp_user; - struct current_user *puser = NULL; + NT_USER_TOKEN *token = NULL; user_struct *vuser = get_valid_user_struct(vuid); BOOL ret = True; @@ -322,26 +321,12 @@ BOOL share_access_check(connection_struct *conn, int snum, uint16 vuid, uint32 d if (!psd) goto out; - ZERO_STRUCT(tmp_user); - if (vuser) { - tmp_user.vuid = vuid; - tmp_user.uid = vuser->uid; - tmp_user.gid = vuser->gid; - tmp_user.ngroups = vuser->n_groups; - tmp_user.groups = vuser->groups; - tmp_user.nt_user_token = vuser->nt_user_token; - } else { - tmp_user.vuid = vuid; - tmp_user.uid = conn->uid; - tmp_user.gid = conn->gid; - tmp_user.ngroups = conn->ngroups; - tmp_user.groups = conn->groups; - tmp_user.nt_user_token = conn->nt_user_token; - } - - puser = &tmp_user; + if (vuser) + token = vuser->nt_user_token; + else + token = conn->nt_user_token; - ret = se_access_check(psd, puser, desired_access, &granted, &status); + ret = se_access_check(psd, token, desired_access, &granted, &status); out: |