diff options
author | Nadezhda Ivanova <nadezhda.ivanova@postpath.com> | 2009-12-17 17:25:11 +0200 |
---|---|---|
committer | Nadezhda Ivanova <nadezhda.ivanova@postpath.com> | 2009-12-17 17:25:11 +0200 |
commit | c0883fb4518570c85bf0a33ea0ce244f23c07c62 (patch) | |
tree | 0efb36221f487e0171d23e40216e385955c85a9c /source4/libcli | |
parent | 619ad0c6ecf88a861ad1a1e1d5564bd1f91855cc (diff) | |
download | samba-c0883fb4518570c85bf0a33ea0ce244f23c07c62.tar.gz samba-c0883fb4518570c85bf0a33ea0ce244f23c07c62.tar.bz2 samba-c0883fb4518570c85bf0a33ea0ce244f23c07c62.zip |
Fixed incorrect checking of PRINCIPAL_SELF permissions.
If an ace has the PRINCIPAL_SELF as trustee, this sid has to be replaced with
the onjectSid of the object being checked. PRINCIPAL_SELF is the way to grant rights
to an account over itself.
Diffstat (limited to 'source4/libcli')
-rw-r--r-- | source4/libcli/security/access_check.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c index fb78e0aa47..19fb160d58 100644 --- a/source4/libcli/security/access_check.c +++ b/source4/libcli/security/access_check.c @@ -180,12 +180,14 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd, const struct security_token *token, uint32_t access_desired, uint32_t *access_granted, - struct object_tree *tree) + struct object_tree *tree, + struct dom_sid *replace_sid) { int i; uint32_t bits_remaining; struct object_tree *node; const struct GUID *type; + struct dom_sid *ps_sid = dom_sid_parse_talloc(NULL, SID_NT_SELF); *access_granted = access_desired; bits_remaining = access_desired; @@ -228,13 +230,20 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd, /* check each ace in turn. */ for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) { + struct dom_sid *trustee; struct security_ace *ace = &sd->dacl->aces[i]; if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) { continue; } - - if (!security_token_has_sid(token, &ace->trustee)) { + if (dom_sid_equal(&ace->trustee, ps_sid) && replace_sid) { + trustee = replace_sid; + } + else + { + trustee = &ace->trustee; + } + if (!security_token_has_sid(token, trustee)) { continue; } |