diff options
author | Gerald Carter <jerry@samba.org> | 2006-01-13 20:24:50 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:06:07 -0500 |
commit | e7a1a0ead2013464dc8204e5b997ddc3ae46e973 (patch) | |
tree | 62ed9768e9473a8541cf48a9d846971e68413154 /source3/rpc_server/srv_svcctl_nt.c | |
parent | c5e7ddc63b1bf7d4b4e06baeff222c5859ae4061 (diff) | |
download | samba-e7a1a0ead2013464dc8204e5b997ddc3ae46e973.tar.gz samba-e7a1a0ead2013464dc8204e5b997ddc3ae46e973.tar.bz2 samba-e7a1a0ead2013464dc8204e5b997ddc3ae46e973.zip |
r12914: adding query/set ops for security descriptors on services.
(This used to be commit cefd2d7cb6140b068d66e2383e9acfa4c3c4b4c7)
Diffstat (limited to 'source3/rpc_server/srv_svcctl_nt.c')
-rw-r--r-- | source3/rpc_server/srv_svcctl_nt.c | 92 |
1 files changed, 92 insertions, 0 deletions
diff --git a/source3/rpc_server/srv_svcctl_nt.c b/source3/rpc_server/srv_svcctl_nt.c index 97c38753c3..4db8f7ed3f 100644 --- a/source3/rpc_server/srv_svcctl_nt.c +++ b/source3/rpc_server/srv_svcctl_nt.c @@ -771,3 +771,95 @@ WERROR _svcctl_unlock_service_db( pipes_struct *p, SVCCTL_Q_UNLOCK_SERVICE_DB *q return close_policy_hnd( p, &q_u->h_lock) ? WERR_OK : WERR_BADFID; } + +/******************************************************************** +********************************************************************/ + +WERROR _svcctl_query_service_sec( pipes_struct *p, SVCCTL_Q_QUERY_SERVICE_SEC *q_u, SVCCTL_R_QUERY_SERVICE_SEC *r_u ) +{ + SERVICE_INFO *info = find_service_info_by_hnd( p, &q_u->handle ); + SEC_DESC *sec_desc; + + + /* only support the SCM and individual services */ + + if ( !info || !(info->type & (SVC_HANDLE_IS_SERVICE|SVC_HANDLE_IS_SCM)) ) + return WERR_BADFID; + + /* check access reights (according to MSDN) */ + + if ( !(info->access_granted & STD_RIGHT_READ_CONTROL_ACCESS) ) + return WERR_ACCESS_DENIED; + + /* TODO: handle something besides DACL_SECURITY_INFORMATION */ + + if ( (q_u->security_flags & DACL_SECURITY_INFORMATION) != DACL_SECURITY_INFORMATION ) + return WERR_INVALID_PARAM; + + /* lookup the security descriptor and marshall it up for a reply */ + + if ( !(sec_desc = svcctl_get_secdesc( p->mem_ctx, info->name, get_root_nt_token() )) ) + return WERR_NOMEM; + + r_u->needed = sec_desc_size( sec_desc ); + + if ( r_u->needed > q_u->buffer_size ) { + ZERO_STRUCTP( &r_u->buffer ); + return WERR_INSUFFICIENT_BUFFER; + } + + rpcbuf_init( &r_u->buffer, q_u->buffer_size, p->mem_ctx ); + + if ( !sec_io_desc("", &sec_desc, &r_u->buffer.prs, 0 ) ) + return WERR_NOMEM; + + return WERR_OK; +} + +/******************************************************************** +********************************************************************/ + +WERROR _svcctl_set_service_sec( pipes_struct *p, SVCCTL_Q_SET_SERVICE_SEC *q_u, SVCCTL_R_SET_SERVICE_SEC *r_u ) +{ + SERVICE_INFO *info = find_service_info_by_hnd( p, &q_u->handle ); + SEC_DESC *sec_desc = NULL; + uint32 required_access; + + if ( !info || !(info->type & (SVC_HANDLE_IS_SERVICE|SVC_HANDLE_IS_SCM)) ) + return WERR_BADFID; + + /* check the access on the open handle */ + + switch ( q_u->security_flags ) { + case DACL_SECURITY_INFORMATION: + required_access = STD_RIGHT_WRITE_DAC_ACCESS; + break; + + case OWNER_SECURITY_INFORMATION: + case GROUP_SECURITY_INFORMATION: + required_access = STD_RIGHT_WRITE_OWNER_ACCESS; + break; + + case SACL_SECURITY_INFORMATION: + return WERR_INVALID_PARAM; + default: + return WERR_INVALID_PARAM; + } + + if ( !(info->access_granted & required_access) ) + return WERR_ACCESS_DENIED; + + /* read the security descfriptor */ + + if ( !sec_io_desc("", &sec_desc, &q_u->buffer.prs, 0 ) ) + return WERR_NOMEM; + + /* store the new SD */ + + if ( !svcctl_set_secdesc( p->mem_ctx, info->name, sec_desc, p->pipe_user.nt_user_token ) ) + return WERR_ACCESS_DENIED; + + return WERR_OK; +} + + |