diff options
-rw-r--r-- | source4/dsdb/samdb/samdb_privilege.c | 2 | ||||
-rw-r--r-- | source4/libcli/security/access_check.c | 30 | ||||
-rw-r--r-- | source4/libcli/security/privilege.c | 6 | ||||
-rw-r--r-- | source4/libcli/security/security_token.c | 22 |
4 files changed, 22 insertions, 38 deletions
diff --git a/source4/dsdb/samdb/samdb_privilege.c b/source4/dsdb/samdb/samdb_privilege.c index f2fc43967f..28cea8d208 100644 --- a/source4/dsdb/samdb/samdb_privilege.c +++ b/source4/dsdb/samdb/samdb_privilege.c @@ -63,7 +63,7 @@ static NTSTATUS samdb_privilege_setup_sid(void *samctx, TALLOC_CTX *mem_ctx, priv_str)); continue; } - sec_privilege_set(token, privilege); + security_token_set_privilege(token, privilege); } return NT_STATUS_OK; diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c index cd877db9c5..f0a46cc23d 100644 --- a/source4/libcli/security/access_check.c +++ b/source4/libcli/security/access_check.c @@ -25,22 +25,6 @@ /* - check if a sid is in the supplied token -*/ -static BOOL sid_active_in_token(const struct dom_sid *sid, - const struct security_token *token) -{ - int i; - for (i=0;i<token->num_sids;i++) { - if (dom_sid_equal(sid, token->sids[i])) { - return True; - } - } - return False; -} - - -/* perform a SEC_FLAG_MAXIMUM_ALLOWED access check */ static uint32_t access_check_max_allowed(const struct security_descriptor *sd, @@ -49,9 +33,9 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd, uint32_t denied = 0, granted = 0; unsigned i; - if (sid_active_in_token(sd->owner_sid, token)) { + if (security_token_has_sid(token, sd->owner_sid)) { granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_STD_DELETE; - } else if (sec_privilege_check(token, SEC_PRIV_RESTORE)) { + } else if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) { granted |= SEC_STD_DELETE; } @@ -62,7 +46,7 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd, continue; } - if (!sid_active_in_token(&ace->trustee, token)) { + if (!security_token_has_sid(token, &ace->trustee)) { continue; } @@ -105,7 +89,7 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd, } if (access_desired & SEC_FLAG_SYSTEM_SECURITY) { - if (sec_privilege_check(token, SEC_PRIV_SECURITY)) { + if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) { bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY; } else { return NT_STATUS_ACCESS_DENIED; @@ -125,11 +109,11 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd, /* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */ if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) && - sid_active_in_token(sd->owner_sid, token)) { + security_token_has_sid(token, sd->owner_sid)) { bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE); } if ((bits_remaining & SEC_STD_DELETE) && - sec_privilege_check(token, SEC_PRIV_RESTORE)) { + security_token_has_privilege(token, SEC_PRIV_RESTORE)) { bits_remaining &= ~SEC_STD_DELETE; } @@ -141,7 +125,7 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd, continue; } - if (!sid_active_in_token(&ace->trustee, token)) { + if (!security_token_has_sid(token, &ace->trustee)) { continue; } diff --git a/source4/libcli/security/privilege.c b/source4/libcli/security/privilege.c index f81ff6dccc..b4855b59e2 100644 --- a/source4/libcli/security/privilege.c +++ b/source4/libcli/security/privilege.c @@ -194,7 +194,7 @@ static uint64_t sec_privilege_mask(enum sec_privilege privilege) /* return True if a security_token has a particular privilege bit set */ -BOOL sec_privilege_check(const struct security_token *token, enum sec_privilege privilege) +BOOL security_token_has_privilege(const struct security_token *token, enum sec_privilege privilege) { uint64_t mask; @@ -212,7 +212,7 @@ BOOL sec_privilege_check(const struct security_token *token, enum sec_privilege /* set a bit in the privilege mask */ -void sec_privilege_set(struct security_token *token, enum sec_privilege privilege) +void security_token_set_privilege(struct security_token *token, enum sec_privilege privilege) { if (privilege < 1 || privilege > 64) { return; @@ -220,7 +220,7 @@ void sec_privilege_set(struct security_token *token, enum sec_privilege privileg token->privilege_mask |= sec_privilege_mask(privilege); } -void sec_privilege_debug(int dbg_lev, const struct security_token *token) +void security_token_debug_privileges(int dbg_lev, const struct security_token *token) { DEBUGADD(dbg_lev, (" Privileges (0x%16llX):\n", (unsigned long long) token->privilege_mask)); diff --git a/source4/libcli/security/security_token.c b/source4/libcli/security/security_token.c index 80644e1f2d..d872376bff 100644 --- a/source4/libcli/security/security_token.c +++ b/source4/libcli/security/security_token.c @@ -148,14 +148,14 @@ void security_token_debug(int dbg_lev, const struct security_token *token) dom_sid_string(mem_ctx, token->sids[i]))); } - sec_privilege_debug(dbg_lev, token); + security_token_debug_privileges(dbg_lev, token); talloc_free(mem_ctx); } /* These really should be cheaper... */ -BOOL security_token_is_sid(struct security_token *token, const struct dom_sid *sid) +BOOL security_token_is_sid(const struct security_token *token, const struct dom_sid *sid) { if (dom_sid_equal(token->user_sid, sid)) { return True; @@ -163,10 +163,10 @@ BOOL security_token_is_sid(struct security_token *token, const struct dom_sid *s return False; } -BOOL security_token_is_sid_string(struct security_token *token, const char *sid_string) +BOOL security_token_is_sid_string(const struct security_token *token, const char *sid_string) { BOOL ret; - struct dom_sid *sid = dom_sid_parse_talloc(token, sid_string); + struct dom_sid *sid = dom_sid_parse_talloc(NULL, sid_string); if (!sid) return False; ret = security_token_is_sid(token, sid); @@ -175,17 +175,17 @@ BOOL security_token_is_sid_string(struct security_token *token, const char *sid_ return ret; } -BOOL security_token_is_system(struct security_token *token) +BOOL security_token_is_system(const struct security_token *token) { return security_token_is_sid_string(token, SID_NT_SYSTEM); } -BOOL security_token_is_anonymous(struct security_token *token) +BOOL security_token_is_anonymous(const struct security_token *token) { return security_token_is_sid_string(token, SID_NT_ANONYMOUS); } -BOOL security_token_has_sid(struct security_token *token, struct dom_sid *sid) +BOOL security_token_has_sid(const struct security_token *token, const struct dom_sid *sid) { int i; for (i = 0; i < token->num_sids; i++) { @@ -196,10 +196,10 @@ BOOL security_token_has_sid(struct security_token *token, struct dom_sid *sid) return False; } -BOOL security_token_has_sid_string(struct security_token *token, const char *sid_string) +BOOL security_token_has_sid_string(const struct security_token *token, const char *sid_string) { BOOL ret; - struct dom_sid *sid = dom_sid_parse_talloc(token, sid_string); + struct dom_sid *sid = dom_sid_parse_talloc(NULL, sid_string); if (!sid) return False; ret = security_token_has_sid(token, sid); @@ -208,12 +208,12 @@ BOOL security_token_has_sid_string(struct security_token *token, const char *sid return ret; } -BOOL security_token_has_builtin_administrators(struct security_token *token) +BOOL security_token_has_builtin_administrators(const struct security_token *token) { return security_token_has_sid_string(token, SID_BUILTIN_ADMINISTRATORS); } -BOOL security_token_has_nt_authenticated_users(struct security_token *token) +BOOL security_token_has_nt_authenticated_users(const struct security_token *token) { return security_token_has_sid_string(token, SID_NT_AUTHENTICATED_USERS); } |