authorGünther Deschner <gd@samba.org>2007-10-10 13:12:53 +0200
committerStefan Metzmacher <metze@samba.org>2007-12-21 05:42:51 +0100
commita6c4b9d1793c7ea1965a23e1d23b73012acd151b (patch)
tree6cad5d745f37a8e37673fde74f1dc822dbe61061
parent50bf95197705a3e3ca6b69fc9584ed0564c305d1 (diff)
downloadsamba-a6c4b9d1793c7ea1965a23e1d23b73012acd151b.tar.gz
samba-a6c4b9d1793c7ea1965a23e1d23b73012acd151b.tar.bz2
samba-a6c4b9d1793c7ea1965a23e1d23b73012acd151b.zip
r25607: Allow setting security descriptor type flags at creation time with
security_descriptor_create(). Guenther (This used to be commit 7dd0d28d254f78891b0807492baafa188b42df16)
-rw-r--r--source4/lib/registry/tests/registry.c1
-rw-r--r--source4/libcli/security/security_descriptor.c4
-rw-r--r--source4/libnet/libnet_become_dc.c1
-rw-r--r--source4/torture/raw/acls.c40
-rw-r--r--source4/torture/rpc/samba3rpc.c2
-rw-r--r--source4/torture/rpc/winreg.c1
6 files changed, 28 insertions, 21 deletions
diff --git a/source4/lib/registry/tests/registry.c b/source4/lib/registry/tests/registry.c
index 9b1c6ff249..d2838e363f 100644
--- a/source4/lib/registry/tests/registry.c
+++ b/source4/lib/registry/tests/registry.c
@@ -400,6 +400,7 @@ static bool test_security(struct torture_context *tctx, const void *_data)
return false;
osd = security_descriptor_create(tctx,
+ 0,
NULL, NULL,
SID_NT_AUTHENTICATED_USERS,
SEC_ACE_TYPE_ACCESS_ALLOWED,
diff --git a/source4/libcli/security/security_descriptor.c b/source4/libcli/security/security_descriptor.c
index 1d8549a605..9723e8ccca 100644
--- a/source4/libcli/security/security_descriptor.c
+++ b/source4/libcli/security/security_descriptor.c
@@ -327,6 +327,7 @@ bool security_descriptor_mask_equal(const struct security_descriptor *sd1,
a typical call would be:
sd = security_descriptor_create(mem_ctx,
+ sd_type_flags,
mysid,
mygroup,
SID_NT_AUTHENTICATED_USERS,
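Review bot: The usage example now carries an `sd_type_flags` argument, but the header comment never says what the value is or how it combines with the descriptor's existing type field, so a reader cannot tell which values are meaningful or whether passing 0 is safe. The function body shows it is OR-ed into `sd->type`, so the comment should state that explicitly, for example above the example: `sd_type: security descriptor type flags OR-ed into sd->type on top of the defaults from security_descriptor_initialise(); pass 0 to keep only the defaults`. The enclosing comment block starts before this hunk.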
@@ -379,6 +380,7 @@ struct security_descriptor *security_descriptor_append(struct security_descripto
}
struct security_descriptor *security_descriptor_create(TALLOC_CTX *mem_ctx,
+ uint16_t sd_type,
const char *owner_sid,
const char *group_sid,
...)
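Review bot: Because `security_descriptor_create()` is variadic, a call site this commit missed still compiles: the old `owner_sid` pointer lands in `uint16_t sd_type` with at most an int-conversion warning, and every argument after it — group SID and each SID/ACE-type/access-mask tuple — shifts by one, so a stale caller builds a DACL from misaligned values instead of failing at compile time. That is worth a comment on the new parameter, e.g. `uint16_t sd_type, /* must precede owner_sid: a caller using the old argument order shifts every vararg ACE tuple, so never ignore the int-conversion warning here */`, and a grep over the tree for remaining three-leading-argument callers before merging. The function body continues outside this hunk.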
@@ -390,6 +392,8 @@ struct security_descriptor *security_descriptor_create(TALLOC_CTX *mem_ctx,
sd = security_descriptor_initialise(mem_ctx);
if (sd == NULL) return NULL;
+ sd->type |= sd_type;
+
if (owner_sid) {
sd->owner_sid = dom_sid_parse_talloc(sd, owner_sid);
if (sd->owner_sid == NULL) {
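Review bot: `sd->type |= sd_type;` can only add bits to whatever `security_descriptor_initialise()` already placed in `sd->type`; a caller cannot clear a default flag through this parameter, and no check rejects bits that are not defined type flags. If "additional flags on top of the defaults" is the intended contract, say so on the line: `sd->type |= sd_type; /* additive only: defaults from security_descriptor_initialise() cannot be cleared here */`. If a caller will ever need an exact type value (for example to control whether inherited or protected-DACL semantics apply), an explicit assignment with a documented default would be clearer than the silent OR. The enclosing function continues outside this hunk.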
diff --git a/source4/libnet/libnet_become_dc.c b/source4/libnet/libnet_become_dc.c
index cd782066db..a6ca3551ce 100644
--- a/source4/libnet/libnet_become_dc.c
+++ b/source4/libnet/libnet_become_dc.c
@@ -1737,6 +1737,7 @@ static void becomeDC_drsuapi1_add_entry_send(struct libnet_BecomeDC_state *s)
if (composite_nomem(domain_admins_sid_str, c)) return;
v = security_descriptor_create(vd,
+ 0,
/* owner: domain admins */
domain_admins_sid_str,
/* owner group: domain admins */
diff --git a/source4/torture/raw/acls.c b/source4/torture/raw/acls.c
index 2c3f4a52c6..0136056bdf 100644
--- a/source4/torture/raw/acls.c
+++ b/source4/torture/raw/acls.c
@@ -298,7 +298,7 @@ static bool test_creator_sid(struct torture_context *tctx,
printf("set a sec desc allowing no write by CREATOR_OWNER\n");
sd = security_descriptor_create(tctx,
- NULL, NULL,
+ 0, NULL, NULL,
SID_CREATOR_OWNER,
SEC_ACE_TYPE_ACCESS_ALLOWED,
SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
@@ -335,7 +335,7 @@ static bool test_creator_sid(struct torture_context *tctx,
printf("set a sec desc allowing no write by owner\n");
sd = security_descriptor_create(tctx,
- owner_sid, NULL,
+ 0, owner_sid, NULL,
owner_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED,
SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
@@ -390,7 +390,7 @@ static bool test_creator_sid(struct torture_context *tctx,
printf("set a sec desc allowing generic read by owner\n");
sd = security_descriptor_create(tctx,
- NULL, NULL,
+ 0, NULL, NULL,
owner_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED,
SEC_GENERIC_READ | SEC_STD_ALL,
@@ -403,7 +403,7 @@ static bool test_creator_sid(struct torture_context *tctx,
printf("check that generic read has been mapped correctly\n");
sd2 = security_descriptor_create(tctx,
- owner_sid, NULL,
+ 0, owner_sid, NULL,
owner_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED,
SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
@@ -568,7 +568,7 @@ static bool test_generic_bits(struct torture_context *tctx,
printf("testing generic bits 0x%08x\n",
file_mappings[i].gen_bits);
sd = security_descriptor_create(tctx,
- owner_sid, NULL,
+ 0, owner_sid, NULL,
owner_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED,
file_mappings[i].gen_bits,
@@ -584,7 +584,7 @@ static bool test_generic_bits(struct torture_context *tctx,
CHECK_STATUS(status, NT_STATUS_OK);
sd2 = security_descriptor_create(tctx,
- owner_sid, NULL,
+ 0, owner_sid, NULL,
owner_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED,
file_mappings[i].specific_bits,
@@ -616,7 +616,7 @@ static bool test_generic_bits(struct torture_context *tctx,
printf("testing generic bits 0x%08x (anonymous)\n",
file_mappings[i].gen_bits);
sd = security_descriptor_create(tctx,
- SID_NT_ANONYMOUS, NULL,
+ 0, SID_NT_ANONYMOUS, NULL,
owner_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED,
file_mappings[i].gen_bits,
@@ -632,7 +632,7 @@ static bool test_generic_bits(struct torture_context *tctx,
CHECK_STATUS(status, NT_STATUS_OK);
sd2 = security_descriptor_create(tctx,
- SID_NT_ANONYMOUS, NULL,
+ 0, SID_NT_ANONYMOUS, NULL,
owner_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED,
file_mappings[i].specific_bits,
@@ -733,7 +733,7 @@ static bool test_generic_bits(struct torture_context *tctx,
printf("testing generic bits 0x%08x\n",
file_mappings[i].gen_bits);
sd = security_descriptor_create(tctx,
- owner_sid, NULL,
+ 0, owner_sid, NULL,
owner_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED,
dir_mappings[i].gen_bits,
@@ -749,7 +749,7 @@ static bool test_generic_bits(struct torture_context *tctx,
CHECK_STATUS(status, NT_STATUS_OK);
sd2 = security_descriptor_create(tctx,
- owner_sid, NULL,
+ 0, owner_sid, NULL,
owner_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED,
dir_mappings[i].specific_bits,
@@ -781,7 +781,7 @@ static bool test_generic_bits(struct torture_context *tctx,
printf("testing generic bits 0x%08x (anonymous)\n",
file_mappings[i].gen_bits);
sd = security_descriptor_create(tctx,
- SID_NT_ANONYMOUS, NULL,
+ 0, SID_NT_ANONYMOUS, NULL,
owner_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED,
file_mappings[i].gen_bits,
@@ -797,7 +797,7 @@ static bool test_generic_bits(struct torture_context *tctx,
CHECK_STATUS(status, NT_STATUS_OK);
sd2 = security_descriptor_create(tctx,
- SID_NT_ANONYMOUS, NULL,
+ 0, SID_NT_ANONYMOUS, NULL,
owner_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED,
file_mappings[i].specific_bits,
@@ -908,7 +908,7 @@ static bool test_owner_bits(struct torture_context *tctx,
printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No");
sd = security_descriptor_create(tctx,
- NULL, NULL,
+ 0, NULL, NULL,
owner_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED,
SEC_FILE_WRITE_DATA,
@@ -1115,7 +1115,7 @@ static bool test_inheritance(struct torture_context *tctx,
printf("owner_sid is %s\n", owner_sid);
sd_def = security_descriptor_create(tctx,
- owner_sid, NULL,
+ 0, owner_sid, NULL,
owner_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED,
SEC_RIGHTS_FILE_ALL,
@@ -1130,7 +1130,7 @@ static bool test_inheritance(struct torture_context *tctx,
for (i=0;i<ARRAY_SIZE(test_flags);i++) {
sd = security_descriptor_create(tctx,
- NULL, NULL,
+ 0, NULL, NULL,
SID_CREATOR_OWNER,
SEC_ACE_TYPE_ACCESS_ALLOWED,
SEC_FILE_WRITE_DATA,
@@ -1263,7 +1263,7 @@ static bool test_inheritance(struct torture_context *tctx,
printf("testing access checks on inherited create with %s\n", fname1);
sd = security_descriptor_create(tctx,
- NULL, NULL,
+ 0, NULL, NULL,
owner_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED,
SEC_FILE_WRITE_DATA | SEC_STD_WRITE_DAC,
@@ -1296,7 +1296,7 @@ static bool test_inheritance(struct torture_context *tctx,
smbcli_close(cli->tree, fnum2);
sd2 = security_descriptor_create(tctx,
- owner_sid, NULL,
+ 0, owner_sid, NULL,
owner_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED,
SEC_FILE_WRITE_DATA | SEC_STD_WRITE_DAC,
@@ -1432,7 +1432,7 @@ static bool test_inheritance_dynamic(struct torture_context *tctx,
printf("owner_sid is %s\n", owner_sid);
sd = security_descriptor_create(tctx,
- NULL, NULL,
+ 0, NULL, NULL,
owner_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED,
SEC_FILE_WRITE_DATA | SEC_STD_DELETE | SEC_FILE_READ_ATTRIBUTE,
@@ -1472,7 +1472,7 @@ static bool test_inheritance_dynamic(struct torture_context *tctx,
printf("update parent sd\n");
sd = security_descriptor_create(tctx,
- NULL, NULL,
+ 0, NULL, NULL,
owner_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED,
SEC_FILE_WRITE_DATA | SEC_STD_DELETE | SEC_FILE_READ_ATTRIBUTE | SEC_FILE_EXECUTE,
@@ -1587,7 +1587,7 @@ static bool test_sd_get_set(struct torture_context *tctx,
/* first create a file with full access for everyone */
sd = security_descriptor_create(tctx,
- SID_NT_ANONYMOUS, SID_BUILTIN_USERS,
+ 0, SID_NT_ANONYMOUS, SID_BUILTIN_USERS,
SID_WORLD,
SEC_ACE_TYPE_ACCESS_ALLOWED,
SEC_GENERIC_ALL,
diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c
index 8c52199e66..fe75fabad6 100644
--- a/source4/torture/rpc/samba3rpc.c
+++ b/source4/torture/rpc/samba3rpc.c
@@ -2004,7 +2004,7 @@ bool try_tcon(TALLOC_CTX *mem_ctx,
}
sd = security_descriptor_create(
- tmp_ctx, "S-1-5-32-544",
+ tmp_ctx, 0, "S-1-5-32-544",
dom_sid_string(mem_ctx, dom_sid_add_rid(mem_ctx, domain_sid,
DOMAIN_RID_USERS)),
dom_sid_string(mem_ctx, user_sid),
diff --git a/source4/torture/rpc/winreg.c b/source4/torture/rpc/winreg.c
index 44df6dab74..8086986917 100644
--- a/source4/torture/rpc/winreg.c
+++ b/source4/torture/rpc/winreg.c
@@ -138,6 +138,7 @@ static bool test_CreateKey_sd(struct dcerpc_pipe *p,
struct winreg_SecBuf secbuf;
sd = security_descriptor_create(tctx,
+ 0,
NULL, NULL,
SID_NT_AUTHENTICATED_USERS,
SEC_ACE_TYPE_ACCESS_ALLOWED,