diff options
author | Andrew Bartlett <abartlet@samba.org> | 2010-09-11 16:58:45 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2010-09-11 18:46:13 +1000 |
commit | 0eea8ecfe262e515011e7637c5a574f23923f169 (patch) | |
tree | 1138c3247f29585df7af3579bb2cb1d018783ac6 /source4 | |
parent | 3b4db34011f06fb785153fa9070fb1da9d8f5c78 (diff) | |
download | samba-0eea8ecfe262e515011e7637c5a574f23923f169.tar.gz samba-0eea8ecfe262e515011e7637c5a574f23923f169.tar.bz2 samba-0eea8ecfe262e515011e7637c5a574f23923f169.zip |
s4-privs Seperate rights and privileges
These are related, but slightly different concepts. The biggest difference
is that rights are not enumerated as a system-wide list.
This moves the rights to security.idl due to dependencies.
Andrew Bartlett
Diffstat (limited to 'source4')
-rw-r--r-- | source4/dsdb/samdb/samdb_privilege.c | 8 | ||||
-rw-r--r-- | source4/rpc_server/lsa/dcesrv_lsa.c | 86 |
2 files changed, 55 insertions, 39 deletions
diff --git a/source4/dsdb/samdb/samdb_privilege.c b/source4/dsdb/samdb/samdb_privilege.c index 6186097d78..69c4ebea61 100644 --- a/source4/dsdb/samdb/samdb_privilege.c +++ b/source4/dsdb/samdb/samdb_privilege.c @@ -70,8 +70,12 @@ static NTSTATUS samdb_privilege_setup_sid(struct ldb_context *pdb, TALLOC_CTX *m const char *priv_str = (const char *)el->values[i].data; enum sec_privilege privilege = sec_privilege_id(priv_str); if (privilege == SEC_PRIV_INVALID) { - DEBUG(1,("Unknown privilege '%s' in samdb\n", - priv_str)); + uint32_t right_bit = sec_right_bit(priv_str); + security_token_set_right_bit(token, right_bit); + if (right_bit == 0) { + DEBUG(1,("Unknown privilege '%s' in samdb\n", + priv_str)); + } continue; } security_token_set_privilege(token, privilege); diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c index 675aa178a7..81ad6f7a92 100644 --- a/source4/rpc_server/lsa/dcesrv_lsa.c +++ b/source4/rpc_server/lsa/dcesrv_lsa.c @@ -2410,7 +2410,7 @@ static NTSTATUS dcesrv_lsa_EnumPrivsAccount(struct dcesrv_call_state *dce_call, struct dcesrv_handle *h; struct lsa_account_state *astate; int ret; - unsigned int i; + unsigned int i, j; struct ldb_message **res; const char * const attrs[] = { "privilege", NULL}; struct ldb_message_element *el; @@ -2456,17 +2456,20 @@ static NTSTATUS dcesrv_lsa_EnumPrivsAccount(struct dcesrv_call_state *dce_call, return NT_STATUS_NO_MEMORY; } + j = 0; for (i=0;i<el->num_values;i++) { int id = sec_privilege_id((const char *)el->values[i].data); if (id == SEC_PRIV_INVALID) { - return NT_STATUS_INTERNAL_DB_CORRUPTION; + /* Perhaps an account right, not a privilege */ + continue; } - privs->set[i].attribute = 0; - privs->set[i].luid.low = id; - privs->set[i].luid.high = 0; + privs->set[j].attribute = 0; + privs->set[j].luid.low = id; + privs->set[j].luid.high = 0; + j++; } - privs->count = el->num_values; + privs->count = j; return NT_STATUS_OK; } @@ -2585,6 +2588,11 @@ static NTSTATUS dcesrv_lsa_AddRemoveAccountRights(struct dcesrv_call_state *dce_ for (i=0;i<rights->count;i++) { if (sec_privilege_id(rights->names[i].string) == SEC_PRIV_INVALID) { + if (sec_right_bit(rights->names[i].string) == 0) { + talloc_free(msg); + return NT_STATUS_NO_SUCH_PRIVILEGE; + } + talloc_free(msg); return NT_STATUS_NO_SUCH_PRIVILEGE; } @@ -2765,43 +2773,47 @@ static NTSTATUS dcesrv_lsa_SetQuotasForAccount(struct dcesrv_call_state *dce_cal static NTSTATUS dcesrv_lsa_GetSystemAccessAccount(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct lsa_GetSystemAccessAccount *r) { - uint32_t i; - NTSTATUS status; - struct lsa_EnumPrivsAccount enumPrivs; - struct lsa_PrivilegeSet *privs; + struct dcesrv_handle *h; + struct lsa_account_state *astate; + int ret; + unsigned int i; + struct ldb_message **res; + const char * const attrs[] = { "privilege", NULL}; + struct ldb_message_element *el; + const char *sidstr; - privs = talloc(mem_ctx, struct lsa_PrivilegeSet); - if (!privs) { - return NT_STATUS_NO_MEMORY; - } - privs->count = 0; - privs->unknown = 0; - privs->set = NULL; + *(r->out.access_mask) = 0x00000000; - enumPrivs.in.handle = r->in.handle; - enumPrivs.out.privs = &privs; + DCESRV_PULL_HANDLE(h, r->in.handle, LSA_HANDLE_ACCOUNT); - status = dcesrv_lsa_EnumPrivsAccount(dce_call, mem_ctx, &enumPrivs); - if (!NT_STATUS_IS_OK(status)) { - return status; - } + astate = h->data; - *(r->out.access_mask) = 0x00000000; + sidstr = ldap_encode_ndr_dom_sid(mem_ctx, astate->account_sid); + if (sidstr == NULL) { + return NT_STATUS_NO_MEMORY; + } - for (i = 0; i < privs->count; i++) { - int priv = privs->set[i].luid.low; + ret = gendb_search(astate->policy->pdb, mem_ctx, NULL, &res, attrs, + "objectSid=%s", sidstr); + if (ret < 0) { + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + if (ret != 1) { + return NT_STATUS_OK; + } - switch (priv) { - case SEC_PRIV_INTERACTIVE_LOGON: - *(r->out.access_mask) |= LSA_POLICY_MODE_INTERACTIVE; - break; - case SEC_PRIV_NETWORK_LOGON: - *(r->out.access_mask) |= LSA_POLICY_MODE_NETWORK; - break; - case SEC_PRIV_REMOTE_INTERACTIVE_LOGON: - *(r->out.access_mask) |= LSA_POLICY_MODE_REMOTE_INTERACTIVE; - break; + el = ldb_msg_find_element(res[0], "privilege"); + if (el == NULL || el->num_values == 0) { + return NT_STATUS_OK; + } + + for (i=0;i<el->num_values;i++) { + uint32_t right_bit = sec_right_bit((const char *)el->values[i].data); + if (right_bit == 0) { + /* Perhaps an privilege, not a right */ + continue; } + *(r->out.access_mask) |= right_bit; } return NT_STATUS_OK; @@ -3495,7 +3507,7 @@ static NTSTATUS dcesrv_lsa_EnumAccountsWithUserRight(struct dcesrv_call_state *d } privname = r->in.name->string; - if (sec_privilege_id(privname) == SEC_PRIV_INVALID) { + if (sec_privilege_id(privname) == SEC_PRIV_INVALID && sec_right_bit(privname) == 0) { return NT_STATUS_NO_SUCH_PRIVILEGE; } |