diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2010-09-18 10:58:10 +1000 |
|---|---|---|
| committer | Andrew Tridgell <tridge@samba.org> | 2010-10-14 02:35:05 +0000 |
| commit | 353d9bc3e42bc051119c205ac981fc819c6877b4 (patch) | |
| tree | 6bcaf5daf50383e1b5f97c2575ee4ad917afbcdf /source4/libcli | |
| parent | 058daa1cf5742fc95fc15141bbd5fad96d02dee6 (diff) | |
| download | samba-353d9bc3e42bc051119c205ac981fc819c6877b4.tar.gz samba-353d9bc3e42bc051119c205ac981fc819c6877b4.tar.bz2 samba-353d9bc3e42bc051119c205ac981fc819c6877b4.zip | |
s4-acl Merge sec_access_check() with se_access_check() from source3/
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Diffstat (limited to 'source4/libcli')
| -rw-r--r-- | source4/libcli/security/access_check.c | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c index e8b8ee8771..5ae318be43 100644 --- a/source4/libcli/security/access_check.c +++ b/source4/libcli/security/access_check.c @@ -84,9 +84,11 @@ static const struct GUID *get_ace_object_type(struct security_ace *ace) } /* - the main entry point for access checking. + The main entry point for access checking. If returning ACCESS_DENIED + this function returns the denied bits in the uint32_t pointed + to by the access_granted pointer. */ -NTSTATUS sec_access_check(const struct security_descriptor *sd, +NTSTATUS se_access_check(const struct security_descriptor *sd, const struct security_token *token, uint32_t access_desired, uint32_t *access_granted) @@ -99,10 +101,17 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd, /* handle the maximum allowed flag */ if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) { + uint32_t orig_access_desired = access_desired; + access_desired |= access_check_max_allowed(sd, token); access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED; *access_granted = access_desired; bits_remaining = access_desired & ~SEC_STD_DELETE; + + DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n", + orig_access_desired, + *access_granted, + bits_remaining)); } if (access_desired & SEC_FLAG_SYSTEM_SECURITY) { @@ -124,6 +133,10 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd, security_token_has_sid(token, sd->owner_sid)) { bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE); } + if ((bits_remaining & SEC_STD_DELETE) && + (security_token_has_privilege(token, SEC_PRIV_RESTORE))) { + bits_remaining &= ~SEC_STD_DELETE; + } if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) && security_token_has_privilege(token, SEC_PRIV_RESTORE)) { bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE); @@ -166,6 +179,7 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd, done: if (bits_remaining != 0) { + *access_granted = bits_remaining; return NT_STATUS_ACCESS_DENIED; } |