summaryrefslogtreecommitdiff
path: root/source4/libcli/security/access_check.c
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2010-09-18 10:58:10 +1000
committerAndrew Tridgell <tridge@samba.org>2010-10-14 02:35:05 +0000
commit353d9bc3e42bc051119c205ac981fc819c6877b4 (patch)
tree6bcaf5daf50383e1b5f97c2575ee4ad917afbcdf /source4/libcli/security/access_check.c
parent058daa1cf5742fc95fc15141bbd5fad96d02dee6 (diff)
downloadsamba-353d9bc3e42bc051119c205ac981fc819c6877b4.tar.gz
samba-353d9bc3e42bc051119c205ac981fc819c6877b4.tar.bz2
samba-353d9bc3e42bc051119c205ac981fc819c6877b4.zip
s4-acl Merge sec_access_check() with se_access_check() from source3/
Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
Diffstat (limited to 'source4/libcli/security/access_check.c')
-rw-r--r--source4/libcli/security/access_check.c18
1 files changed, 16 insertions, 2 deletions
diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c
index e8b8ee8771..5ae318be43 100644
--- a/source4/libcli/security/access_check.c
+++ b/source4/libcli/security/access_check.c
@@ -84,9 +84,11 @@ static const struct GUID *get_ace_object_type(struct security_ace *ace)
}
/*
- the main entry point for access checking.
+ The main entry point for access checking. If returning ACCESS_DENIED
+ this function returns the denied bits in the uint32_t pointed
+ to by the access_granted pointer.
*/
-NTSTATUS sec_access_check(const struct security_descriptor *sd,
+NTSTATUS se_access_check(const struct security_descriptor *sd,
const struct security_token *token,
uint32_t access_desired,
uint32_t *access_granted)
@@ -99,10 +101,17 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
/* handle the maximum allowed flag */
if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
+ uint32_t orig_access_desired = access_desired;
+
access_desired |= access_check_max_allowed(sd, token);
access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
*access_granted = access_desired;
bits_remaining = access_desired & ~SEC_STD_DELETE;
+
+ DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n",
+ orig_access_desired,
+ *access_granted,
+ bits_remaining));
}
if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
@@ -124,6 +133,10 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
security_token_has_sid(token, sd->owner_sid)) {
bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE);
}
+ if ((bits_remaining & SEC_STD_DELETE) &&
+ (security_token_has_privilege(token, SEC_PRIV_RESTORE))) {
+ bits_remaining &= ~SEC_STD_DELETE;
+ }
if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
@@ -166,6 +179,7 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
done:
if (bits_remaining != 0) {
+ *access_granted = bits_remaining;
return NT_STATUS_ACCESS_DENIED;
}