-rw-r--r--source3/lib/util_seaccess.c13
-rw-r--r--source3/printing/nt_printing.c5
-rw-r--r--source3/rpc_server/srv_srvsvc_nt.c27
3 files changed, 17 insertions, 28 deletions
diff --git a/source3/lib/util_seaccess.c b/source3/lib/util_seaccess.c
index f10c84c276..ec1b56ae86 100644
--- a/source3/lib/util_seaccess.c
+++ b/source3/lib/util_seaccess.c
@@ -30,7 +30,7 @@ extern int DEBUGLEVEL;
Check if this ACE has a SID in common with the token.
**********************************************************************************/
-static BOOL token_sid_in_ace( NT_USER_TOKEN *token, SEC_ACE *ace)
+static BOOL token_sid_in_ace(const NT_USER_TOKEN *token, const SEC_ACE *ace)
{
size_t i;
@@ -204,7 +204,7 @@ void se_map_generic(uint32 *access_mask, struct generic_mapping *mapping)
"Access-Checking" document in MSDN.
*****************************************************************************/
-BOOL se_access_check(SEC_DESC *sd, struct current_user *user,
+BOOL se_access_check(SEC_DESC *sd, NT_USER_TOKEN *token,
uint32 acc_desired, uint32 *acc_granted,
NTSTATUS *status)
{
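Review bot: The new `token` parameter could be declared `const NT_USER_TOKEN *token`, matching the const-qualified `token_sid_in_ace` signature introduced in the first hunk. In the visible lines the function only reads the token and repoints it at `&anonymous_token`, which a pointer-to-const still allows. The rest of the body lies outside the hunk, so confirm that nothing there writes through the pointer, and update the prototype in the header at the same time.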
@@ -212,17 +212,20 @@ BOOL se_access_check(SEC_DESC *sd, struct current_user *user,
size_t i;
SEC_ACL *the_acl;
fstring sid_str;
- NT_USER_TOKEN *token = user->nt_user_token ? user->nt_user_token : &anonymous_token;
uint32 tmp_acc_desired = acc_desired;
if (!status || !acc_granted)
return False;
+ if (!token)
+ token = &anonymous_token;
+
*status = NT_STATUS_OK;
*acc_granted = 0;
- DEBUG(10,("se_access_check: requested access %x, for uid %u\n",
- (unsigned int)acc_desired, (unsigned int)user->uid ));
+ DEBUG(10,("se_access_check: requested access %x, for NT token with %u entries and first sid %s.\n",
+ (unsigned int)acc_desired, (unsigned int)token->num_sids,
+ sid_to_string(sid_str, &token->user_sids[0])));
/*
* No security descriptor or security descriptor with no DACL
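Review bot: The new DEBUG call reads `token->user_sids[0]` without checking that the token holds any SIDs, so a token with `num_sids == 0` or a NULL `user_sids` would hand `sid_to_string` an invalid address, presumably only when debug level 10 is active. Whether `anonymous_token` or a caller-supplied token can be empty is not visible here, so guard the argument, e.g. `token->num_sids ? sid_to_string(sid_str, &token->user_sids[0]) : "(none)"`. A short comment at `if (!token)` such as `/* A NULL token is checked as the anonymous token. */` would also help, since callers now pass `nt_user_token` fields directly. The body of se_access_check continues outside the hunk.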
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
index 1a1c71fe39..58fc7e25ae 100644
--- a/source3/printing/nt_printing.c
+++ b/source3/printing/nt_printing.c
@@ -3691,7 +3691,8 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type)
/* If user is NULL then use the current_user structure */
- if (!user) user = &current_user;
+ if (!user)
+ user = &current_user;
/* Always allow root or printer admins to do anything */
@@ -3740,7 +3741,7 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type)
map_printer_permissions(secdesc->sec);
- result = se_access_check(secdesc->sec, user, access_type,
+ result = se_access_check(secdesc->sec, user->nt_user_token, access_type,
&access_granted, &status);
DEBUG(4, ("access check was %s\n", result ? "SUCCESS" : "FAILURE"));
diff --git a/source3/rpc_server/srv_srvsvc_nt.c b/source3/rpc_server/srv_srvsvc_nt.c
index 7bc94c5575..2877b7af05 100644
--- a/source3/rpc_server/srv_srvsvc_nt.c
+++ b/source3/rpc_server/srv_srvsvc_nt.c
@@ -308,8 +308,7 @@ BOOL share_access_check(connection_struct *conn, int snum, uint16 vuid, uint32 d
TALLOC_CTX *mem_ctx = NULL;
SEC_DESC *psd = NULL;
size_t sd_size;
- struct current_user tmp_user;
- struct current_user *puser = NULL;
+ NT_USER_TOKEN *token = NULL;
user_struct *vuser = get_valid_user_struct(vuid);
BOOL ret = True;
@@ -322,26 +321,12 @@ BOOL share_access_check(connection_struct *conn, int snum, uint16 vuid, uint32 d
if (!psd)
goto out;
- ZERO_STRUCT(tmp_user);
- if (vuser) {
- tmp_user.vuid = vuid;
- tmp_user.uid = vuser->uid;
- tmp_user.gid = vuser->gid;
- tmp_user.ngroups = vuser->n_groups;
- tmp_user.groups = vuser->groups;
- tmp_user.nt_user_token = vuser->nt_user_token;
- } else {
- tmp_user.vuid = vuid;
- tmp_user.uid = conn->uid;
- tmp_user.gid = conn->gid;
- tmp_user.ngroups = conn->ngroups;
- tmp_user.groups = conn->groups;
- tmp_user.nt_user_token = conn->nt_user_token;
- }
-
- puser = &tmp_user;
+ if (vuser)
+ token = vuser->nt_user_token;
+ else
+ token = conn->nt_user_token;
- ret = se_access_check(psd, puser, desired_access, &granted, &status);
+ ret = se_access_check(psd, token, desired_access, &granted, &status);
out:
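Review bot: When `vuser` is non-NULL but `vuser->nt_user_token` is NULL, `token` stays NULL and se_access_check evaluates the share check against `anonymous_token` rather than `conn->nt_user_token`. This matches what the removed `tmp_user` code did, but the fallback is no longer visible at this call site. A comment above the call such as `/* A NULL token is treated as anonymous by se_access_check(). */` would make the authorization decision explicit. share_access_check begins and ends outside the hunk.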