summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2004-12-01 05:22:24 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:06:15 -0500
commit1a7283a8fa5a7d97abc5b10f3d73ce99a4a7b905 (patch)
tree799e5ede5ea15e3fc81f18b35b219b66002c7ed3 /source4
parentb6c4b63dc59d10e7f93e726282b6f93f64dd7bb8 (diff)
downloadsamba-1a7283a8fa5a7d97abc5b10f3d73ce99a4a7b905.tar.gz
samba-1a7283a8fa5a7d97abc5b10f3d73ce99a4a7b905.tar.bz2
samba-1a7283a8fa5a7d97abc5b10f3d73ce99a4a7b905.zip
r4025: added a sec_access_check() function for checking security descriptors
against a users security token and access_mask (This used to be commit c4d21cd4b1ccffd5aaa70a551c57f6eab1ca9c6d)
Diffstat (limited to 'source4')
-rw-r--r--source4/libcli/security/access_check.c162
-rw-r--r--source4/libcli/security/config.mk1
-rw-r--r--source4/libcli/security/security_descriptor.c39
3 files changed, 163 insertions, 39 deletions
diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c
new file mode 100644
index 0000000000..d8809aebc6
--- /dev/null
+++ b/source4/libcli/security/access_check.c
@@ -0,0 +1,162 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ security access checking routines
+
+ Copyright (C) Andrew Tridgell 2004
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include "librpc/gen_ndr/ndr_security.h"
+
+
+/*
+ check if a sid is in the supplied token
+*/
+static BOOL sid_active_in_token(struct dom_sid *sid, struct nt_user_token *token)
+{
+ int i;
+ for (i=0;i<token->num_sids;i++) {
+ if (dom_sid_equal(sid, token->user_sids[i])) {
+ return True;
+ }
+ }
+ return False;
+}
+
+
+/*
+ perform a SEC_FLAG_MAXIMUM_ALLOWED access check
+*/
+static NTSTATUS access_check_max_allowed(struct security_descriptor *sd,
+ struct nt_user_token *token,
+ uint32_t *access_granted)
+{
+ uint32_t denied = 0, granted = 0;
+ int i;
+
+ for (i = 0;i<sd->dacl->num_aces; i++) {
+ struct security_ace *ace = &sd->dacl->aces[i];
+
+ if (!sid_active_in_token(&ace->trustee, token)) {
+ continue;
+ }
+
+ switch (ace->type) {
+ case SEC_ACE_TYPE_ACCESS_ALLOWED:
+ granted |= ace->access_mask;
+ break;
+ case SEC_ACE_TYPE_ACCESS_DENIED:
+ case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
+ denied |= ace->access_mask;
+ break;
+ }
+ }
+
+ granted &= ~denied;
+
+ if (granted == 0) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ *access_granted = granted;
+
+ return NT_STATUS_OK;
+}
+
+/*
+ the main entry point for access checking.
+*/
+NTSTATUS sec_access_check(struct security_descriptor *sd,
+ struct nt_user_token *token,
+ uint32_t access_desired,
+ uint32_t *access_granted)
+{
+ int i;
+ uint32_t bits_remaining;
+
+ bits_remaining = access_desired;
+
+ /* the owner always gets SEC_STD_WRITE_DAC & SEC_STD_READ_CONTROL */
+ if (bits_remaining & (SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL)) {
+ if (sid_active_in_token(sd->owner_sid, token)) {
+ bits_remaining &=
+ ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL);
+ }
+ }
+
+#if 0
+ /* this is where we should check for the "system security" privilege, once we
+ move to the full security_token and not just the nt_user_token */
+ if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
+ if (privilege_in_token(SE_PRIVILEGE_SYSTEM_SECURITY, token)) {
+ bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
+ } else {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ }
+#endif
+
+ /* dacl not present allows access */
+ if (!(sd->type & SEC_DESC_DACL_PRESENT)) {
+ *access_granted = access_desired;
+ return NT_STATUS_OK;
+ }
+
+ /* empty dacl denies access */
+ if (sd->dacl == NULL || sd->dacl->num_aces == 0) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ /* handle the maximum allowed case separately */
+ if (access_desired == SEC_FLAG_MAXIMUM_ALLOWED) {
+ return access_check_max_allowed(sd, token, access_granted);
+ }
+
+ /* check each ace in turn. */
+ for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
+ struct security_ace *ace = &sd->dacl->aces[i];
+
+ if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
+ continue;
+ }
+
+ if (!sid_active_in_token(&ace->trustee, token)) {
+ continue;
+ }
+
+ switch (ace->type) {
+ case SEC_ACE_TYPE_ACCESS_ALLOWED:
+ bits_remaining &= ~ace->access_mask;
+ break;
+ case SEC_ACE_TYPE_ACCESS_DENIED:
+ case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
+ if (bits_remaining & ace->access_mask) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ break;
+ }
+ }
+
+ if (bits_remaining != 0) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ *access_granted = access_desired;
+
+ return NT_STATUS_OK;
+}
diff --git a/source4/libcli/security/config.mk b/source4/libcli/security/config.mk
index 908a993ce6..900dbe780a 100644
--- a/source4/libcli/security/config.mk
+++ b/source4/libcli/security/config.mk
@@ -12,6 +12,7 @@ NOPROTO = YES
ADD_OBJ_FILES = libcli/security/security_token.o \
libcli/security/security_descriptor.o \
libcli/security/dom_sid.o \
+ libcli/security/access_check.o \
librpc/ndr/ndr_sec.o
REQUIRED_SUBSYSTEMS = LIB_SECURITY_NDR
# End SUBSYSTEM LIB_SECURITY
diff --git a/source4/libcli/security/security_descriptor.c b/source4/libcli/security/security_descriptor.c
index a4056e5e71..1783c62f37 100644
--- a/source4/libcli/security/security_descriptor.c
+++ b/source4/libcli/security/security_descriptor.c
@@ -65,45 +65,6 @@ struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx,
return nsd;
}
-NTSTATUS security_check_dacl(struct security_token *st,
- struct security_descriptor *sd,
- uint32 access_mask)
-{
- size_t i,y;
- NTSTATUS status = NT_STATUS_ACCESS_DENIED;
-
- DEBUG(1, ("security_check_dacl(): sorry untested yet\n"));
- return status;
-
- if (!sd->dacl) {
- return NT_STATUS_INVALID_ACL;
- }
-
- for (i=0; i < st->num_sids; i++) {
- for (y=0; y < sd->dacl->num_aces; y++) {
- if (dom_sid_equal(&st->sids[i], &sd->dacl->aces[y].trustee)) {
- switch (sd->dacl->aces[y].type) {
- case SEC_ACE_TYPE_ACCESS_ALLOWED:
- if (access_mask & sd->dacl->aces[y].access_mask) {
- status = NT_STATUS_OK;
- }
- break;
- case SEC_ACE_TYPE_ACCESS_DENIED:
- if (access_mask & sd->dacl->aces[y].access_mask) {
- return NT_STATUS_ACCESS_DENIED;
- }
- break;
- default:
- return NT_STATUS_INVALID_ACL;
- }
- }
- }
- }
-
- return status;
-}
-
-
/*
add an ACE to the DACL of a security_descriptor
*/