diff options
author | Jeremy Allison <jra@samba.org> | 2000-08-04 19:56:58 +0000 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2000-08-04 19:56:58 +0000 |
commit | b3b512264d90f58a9a9c50cef33d9b860f54c51a (patch) | |
tree | 2fabb2c76ea62950aeea630432b679b49c523a3e /source3/lib | |
parent | e2031ab34c3133128d38b06e82ea3b35d9cefeed (diff) | |
download | samba-b3b512264d90f58a9a9c50cef33d9b860f54c51a.tar.gz samba-b3b512264d90f58a9a9c50cef33d9b860f54c51a.tar.bz2 samba-b3b512264d90f58a9a9c50cef33d9b860f54c51a.zip |
Fixed up se_access_check() to use the token list from the user struct
as the SID list. Now to go through and tidy up the algorithm.
Jeremy.
(This used to be commit 1f7300df6713a6728feb1600ca7e62fc213232fc)
Diffstat (limited to 'source3/lib')
-rw-r--r-- | source3/lib/util_seaccess.c | 114 |
1 files changed, 32 insertions, 82 deletions
diff --git a/source3/lib/util_seaccess.c b/source3/lib/util_seaccess.c index 52696d2d30..28e8a43c4e 100644 --- a/source3/lib/util_seaccess.c +++ b/source3/lib/util_seaccess.c @@ -3,6 +3,7 @@ Version 2.0 Copyright (C) Luke Kenneth Casson Leighton 1996-2000. Copyright (C) Tim Potter 2000. + Copyright (C) Jeremy Allison 2000. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -25,6 +26,22 @@ extern int DEBUGLEVEL; +/* + * Guest token used when there is no NT_USER_TOKEN available. + */ + +static DOM_SID builtin_guest = { + 1, /* sid_rev_num */ + 2, /* num_auths */ + { 0, 0, 0, 0, 0, 5}, /* id_auth[6] */ + { 32, 546, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} /* sub_auth[15] */ +}; + +static NT_USER_TOKEN guest_token = { + 1, + &builtin_guest +}; + /* Process an access allowed ACE */ static BOOL ace_grant(uint32 mask, uint32 *acc_desired, uint32 *acc_granted) @@ -207,14 +224,11 @@ static BOOL check_ace(SEC_ACE *ace, BOOL is_owner, DOM_SID *sid, BOOL se_access_check(SEC_DESC *sd, struct current_user *user, uint32 acc_desired, uint32 *acc_granted, uint32 *status) { - DOM_SID user_sid, group_sid; - DOM_SID owner_sid; - DOM_SID **group_sids = NULL; int i, j; - uint ngroup_sids = 0; SEC_ACL *acl; uint8 check_ace_type; fstring sid_str; + NT_USER_TOKEN *token = user->nt_user_token ? user->nt_user_token : &guest_token; if (!status || !acc_granted) return False; @@ -250,70 +264,21 @@ BOOL se_access_check(SEC_DESC *sd, struct current_user *user, goto done; } - /* Create user sid */ + /* The user sid is the first in the token */ - if (!uid_to_sid(&user_sid, user->uid)) { - DEBUG(3, ("could not lookup sid for uid %d\n", user->uid)); - goto done; - } - - DEBUG(3, ("se_access_check: user sid is %s\n", sid_to_string(sid_str, &user_sid) )); + DEBUG(3, ("se_access_check: user sid is %s\n", sid_to_string(sid_str, &token->user_sids[0]) )); /* If we're the owner, then we can do anything */ - if (sid_equal(&user_sid, sd->owner_sid)) { + if (sid_equal(&token->user_sids[0], sd->owner_sid)) { *status = NT_STATUS_NOPROBLEMO; *acc_granted = acc_desired; acc_desired = 0; DEBUG(3, ("is owner, access allowed\n")); - - goto done; - } - - /* Create group sid */ - - if (!gid_to_sid(&group_sid, user->gid)) { - DEBUG(3, ("could not lookup sid for gid %d\n", user->gid)); goto done; } - sid_to_string(sid_str, &group_sid); - DEBUG(3, ("group sid is %s\n", sid_str)); - - /* Create array of group sids */ - - add_sid_to_array(&ngroup_sids, &group_sids, &group_sid); - - for (i = 0; i < user->ngroups; i++) { - if (user->groups[i] != user->gid) { - if (gid_to_sid(&group_sid, user->groups[i])) { - - /* If we're a group member then we can also - do anything */ - - if (sid_equal(&group_sid, sd->grp_sid)) { - *status = NT_STATUS_NOPROBLEMO; - *acc_granted = acc_desired; - acc_desired = 0; - DEBUG(3, ("is group member " - "access allowed\n")); - - goto done; - } - - add_sid_to_array(&ngroup_sids, &group_sids, - &group_sid); - } else { - DEBUG(3, ("could not lookup sid for gid %d\n", - user->gid)); - } - - sid_to_string(sid_str, &group_sid); - DEBUG(3, ("supplementary group %s\n", sid_str)); - } - } - - /* ACL must have something in it */ + /* ACL must have something in it */ acl = sd->dacl; @@ -340,34 +305,21 @@ BOOL se_access_check(SEC_DESC *sd, struct current_user *user, check_ace_type = SEC_ACE_TYPE_ACCESS_DENIED; - check_aces: - - for (i = 0; i < acl->num_aces; i++) { - SEC_ACE *ace = &acl->ace[i]; - BOOL is_group_owner; - - /* Check user sid */ - - if (ace->type == check_ace_type && - check_ace(ace, False, &user_sid, &acc_desired, - acc_granted, status)) { - goto done; - } + check_aces: - /* Check group sids */ + for (i = 0; i < acl->num_aces; i++) { + SEC_ACE *ace = &acl->ace[i]; - for (j = 0; j < ngroup_sids; j++) { + /* Check sids */ - is_group_owner = sd->grp_sid ? - sid_equal(group_sids[j], sd->grp_sid) : False; + for (j = 0; j < token->num_sids; j++) { + BOOL is_owner = sid_equal(&token->user_sids[j], sd->owner_sid); - if (ace->type == check_ace_type && - check_ace(ace, is_group_owner, group_sids[j], - &acc_desired, acc_granted, status)) { + if (ace->type == check_ace_type && check_ace(ace, is_owner, &token->user_sids[j], &acc_desired, acc_granted, status)) { goto done; - } - } - } + } + } + } /* Check access allowed ACEs */ @@ -378,8 +330,6 @@ BOOL se_access_check(SEC_DESC *sd, struct current_user *user, done: - free_sid_array(ngroup_sids, group_sids); - /* If any access desired bits are still on, return access denied and turn off any bits already granted. */ |