summaryrefslogtreecommitdiff
path: root/source4/libcli
diff options
context:
space:
mode:
authorNadezhda Ivanova <nadezhda.ivanova@postpath.com>2009-12-17 17:25:11 +0200
committerNadezhda Ivanova <nadezhda.ivanova@postpath.com>2009-12-17 17:25:11 +0200
commitc0883fb4518570c85bf0a33ea0ce244f23c07c62 (patch)
tree0efb36221f487e0171d23e40216e385955c85a9c /source4/libcli
parent619ad0c6ecf88a861ad1a1e1d5564bd1f91855cc (diff)
downloadsamba-c0883fb4518570c85bf0a33ea0ce244f23c07c62.tar.gz
samba-c0883fb4518570c85bf0a33ea0ce244f23c07c62.tar.bz2
samba-c0883fb4518570c85bf0a33ea0ce244f23c07c62.zip
Fixed incorrect checking of PRINCIPAL_SELF permissions.
If an ace has the PRINCIPAL_SELF as trustee, this sid has to be replaced with the onjectSid of the object being checked. PRINCIPAL_SELF is the way to grant rights to an account over itself.
Diffstat (limited to 'source4/libcli')
-rw-r--r--source4/libcli/security/access_check.c15
1 files changed, 12 insertions, 3 deletions
diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c
index fb78e0aa47..19fb160d58 100644
--- a/source4/libcli/security/access_check.c
+++ b/source4/libcli/security/access_check.c
@@ -180,12 +180,14 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
const struct security_token *token,
uint32_t access_desired,
uint32_t *access_granted,
- struct object_tree *tree)
+ struct object_tree *tree,
+ struct dom_sid *replace_sid)
{
int i;
uint32_t bits_remaining;
struct object_tree *node;
const struct GUID *type;
+ struct dom_sid *ps_sid = dom_sid_parse_talloc(NULL, SID_NT_SELF);
*access_granted = access_desired;
bits_remaining = access_desired;
@@ -228,13 +230,20 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
/* check each ace in turn. */
for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
+ struct dom_sid *trustee;
struct security_ace *ace = &sd->dacl->aces[i];
if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
continue;
}
-
- if (!security_token_has_sid(token, &ace->trustee)) {
+ if (dom_sid_equal(&ace->trustee, ps_sid) && replace_sid) {
+ trustee = replace_sid;
+ }
+ else
+ {
+ trustee = &ace->trustee;
+ }
+ if (!security_token_has_sid(token, trustee)) {
continue;
}