author | Jeremy Allison <jra@samba.org> | 2010-10-20 16:31:18 -0700 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2010-10-21 00:15:57 +0000 |
commit | e00c2b3cdf6faa03b6ffcf87dc677fdbdd381fe3 (patch) | |
tree | 4a4995eb0b7398bac357927efb5b84a9c0869c72 /source3/smbd/open.c | |
parent | c0b9526aaf29442f85f62232e22aecfb484b1576 (diff) | |
Add code to implement SeSecurityPrivilege in net rpc rights, and in the
open and get/set NT security descriptor code.
Jeremy.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Thu Oct 21 00:15:57 UTC 2010 on sn-devel-104
Diffstat (limited to 'source3/smbd/open.c')
-rw-r--r-- | source3/smbd/open.c | 29 |
1 files changed, 8 insertions, 21 deletions
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 01f0cd699a..f5de607713 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -2506,8 +2506,9 @@ static NTSTATUS open_directory(connection_struct *conn,
 return status;
 }
 
- /* We need to support SeSecurityPrivilege for this. */
- if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {
+ if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) &
+ !security_token_has_privilege(get_current_nttok(conn),
+ SEC_PRIV_SECURITY)) {
 DEBUG(10, ("open_directory: open on %s "
 "failed - SEC_FLAG_SYSTEM_SECURITY denied.\n",
 smb_fname_str_dbg(smb_dname)));
@@ -3029,29 +3030,15 @@ static NTSTATUS create_file_unixpath(connection_struct *conn,
 goto fail;
 }
 
-#if 0
- /* We need to support SeSecurityPrivilege for this. */
 if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) &&
- !user_has_privileges(current_user.nt_user_token,
- &se_security)) {
- status = NT_STATUS_PRIVILEGE_NOT_HELD;
- goto fail;
- }
-#else
- /* We need to support SeSecurityPrivilege for this. */
- if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {
- status = NT_STATUS_PRIVILEGE_NOT_HELD;
- goto fail;
- }
- /* Don't allow a SACL set from an NTtrans create until we
- * support SeSecurityPrivilege. */
- if (!VALID_STAT(smb_fname->st) &&
- lp_nt_acl_support(SNUM(conn)) &&
- sd && (sd->sacl != NULL)) {
+ !security_token_has_privilege(get_current_nttok(conn),
+ SEC_PRIV_SECURITY)) {
+ DEBUG(10, ("create_file_unixpath: open on %s "
+ "failed - SEC_FLAG_SYSTEM_SECURITY denied.\n",
+ smb_fname_str_dbg(smb_fname)));
 status = NT_STATUS_PRIVILEGE_NOT_HELD;
 goto fail;
 }
-#endif
 
 if ((conn->fs_capabilities & FILE_NAMED_STREAMS)
 && is_ntfs_stream_smb_fname(smb_fname) |
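Review bot: The new guard in open_directory joins its two halves with a bitwise `&` where a logical `&&` is needed. `(access_mask & SEC_FLAG_SYSTEM_SECURITY)` is either 0 or the flag bit and `!security_token_has_privilege(...)` is 0 or 1, so their bitwise AND is non-zero only if the flag occupies bit 0. The system-security access right is a high bit in the Windows access mask, so the condition presumably never fires, and a directory open that asks for SEC_FLAG_SYSTEM_SECURITY without SeSecurityPrivilege is no longer refused here, whereas the removed code refused it unconditionally. The first added line should read `if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) &&`, matching the check in create_file_unixpath in the second hunk. The body of the `if` and the rest of open_directory lie outside the hunk.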
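Review bot: The removed `#else` branch in create_file_unixpath refused two things and the replacement keeps only one of them. A create on a not-yet-existing file that carried a security descriptor with a SACL (`sd && (sd->sacl != NULL)`) was rejected with NT_STATUS_PRIVILEGE_NOT_HELD, and nothing in the new lines looks at `sd` any more. The diffstat shown is limited to open.c, so the set-security-descriptor path may now enforce SeSecurityPrivilege for the initial descriptor; if it does not, a request that leaves SEC_FLAG_SYSTEM_SECURITY out of access_mask could have a SACL applied at create time without the privilege. Either confirm that path covers it, or keep the old SACL test and add `!security_token_has_privilege(get_current_nttok(conn), SEC_PRIV_SECURITY)` to its condition, with the same status and `goto fail`. create_file_unixpath begins and ends outside the hunk.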