-rw-r--r--source4/dsdb/samdb/ldb_modules/kludge_acl.c15
-rw-r--r--source4/dsdb/samdb/samdb_privilege.c4
-rw-r--r--source4/libcli/security/security_token.c72
3 files changed, 52 insertions, 39 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/kludge_acl.c b/source4/dsdb/samdb/ldb_modules/kludge_acl.c
index 53acb77899..f7efdb65e4 100644
--- a/source4/dsdb/samdb/ldb_modules/kludge_acl.c
+++ b/source4/dsdb/samdb/ldb_modules/kludge_acl.c
@@ -65,19 +65,22 @@ static enum user_is what_is_user(struct ldb_module *module)
return ANONYMOUS;
}
- if (is_system_token(session_info->security_token)) {
+ if (security_token_is_system(session_info->security_token)) {
return SYSTEM;
}
- if (is_administrator_token(session_info->security_token)) {
+ if (security_token_is_anonymous(session_info->security_token)) {
+ return ANONYMOUS;
+ }
+
+ if (security_token_has_builtin_administrators(session_info->security_token)) {
return ADMINISTRATOR;
}
- if (is_authenticated_token(session_info->security_token)) {
+
+ if (security_token_has_nt_authenticated_users(session_info->security_token)) {
return USER;
}
- if (is_anonymous_token(session_info->security_token)) {
- return ANONYMOUS;
- }
+
return ANONYMOUS;
}
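Review bot: The order of the tests in what_is_user is now security-relevant and carries no comment: the user-SID checks (security_token_is_system, security_token_is_anonymous) run before the group-membership checks, so a token whose user SID is anonymous cannot be classified as ADMINISTRATOR or USER through a group SID, and anything unrecognised falls through to the final `return ANONYMOUS;`. Suggest a comment above the security_token_is_system call such as `/* Identity (user SID) checks come first so an anonymous user is never promoted by group SIDs; unrecognised tokens fail closed to ANONYMOUS. */`. what_is_user begins before this hunk, so the `return ANONYMOUS;` at the top is presumably the missing-session_info path; confirm against the lines above.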
diff --git a/source4/dsdb/samdb/samdb_privilege.c b/source4/dsdb/samdb/samdb_privilege.c
index c1a6f2005b..d4c1471e1c 100644
--- a/source4/dsdb/samdb/samdb_privilege.c
+++ b/source4/dsdb/samdb/samdb_privilege.c
@@ -83,12 +83,12 @@ _PUBLIC_ NTSTATUS samdb_privilege_setup(struct security_token *token)
NTSTATUS status;
/* Shortcuts to prevent recursion and avoid lookups */
- if (is_system_token(token)) {
+ if (security_token_is_system(token)) {
token->privilege_mask = ~0;
return NT_STATUS_OK;
}
- if (is_anonymous_token(token)) {
+ if (security_token_is_anonymous(token)) {
token->privilege_mask = 0;
return NT_STATUS_OK;
}
diff --git a/source4/libcli/security/security_token.c b/source4/libcli/security/security_token.c
index 7ee3a68916..5fcde246ef 100644
--- a/source4/libcli/security/security_token.c
+++ b/source4/libcli/security/security_token.c
@@ -170,55 +170,65 @@ void security_token_debug(int dbg_lev, const struct security_token *token)
/* These really should be cheaper... */
-BOOL is_system_token(struct security_token *token)
+BOOL security_token_is_sid(struct security_token *token, const struct dom_sid *sid)
{
- TALLOC_CTX *mem_ctx = talloc_new(token);
- if (dom_sid_equal(token->user_sid, dom_sid_parse_talloc(mem_ctx, SID_NT_SYSTEM))) {
- talloc_free(mem_ctx);
+ if (dom_sid_equal(token->user_sid, sid)) {
return True;
}
- talloc_free(mem_ctx);
return False;
}
-BOOL is_anonymous_token(struct security_token *token)
+BOOL security_token_is_sid_string(struct security_token *token, const char *sid_string)
{
- TALLOC_CTX *mem_ctx = talloc_new(token);
- if (dom_sid_equal(token->user_sid, dom_sid_parse_talloc(mem_ctx, SID_NT_ANONYMOUS))) {
- talloc_free(mem_ctx);
- return True;
- }
- talloc_free(mem_ctx);
- return False;
+ BOOL ret;
+ struct dom_sid *sid = dom_sid_parse_talloc(token, sid_string);
+ if (!sid) return False;
+
+ ret = security_token_is_sid(token, sid);
+
+ talloc_free(sid);
+ return ret;
}
-BOOL is_authenticated_token(struct security_token *token)
+BOOL security_token_is_system(struct security_token *token)
{
- TALLOC_CTX *mem_ctx = talloc_new(token);
- int i;
- struct dom_sid *authenticated = dom_sid_parse_talloc(mem_ctx, SID_NT_AUTHENTICATED_USERS);
- for (i = 0; i < token->num_sids; i++) {
- if (dom_sid_equal(token->sids[i], authenticated)) {
- talloc_free(mem_ctx);
- return True;
- }
- }
- talloc_free(mem_ctx);
- return False;
+ return security_token_is_sid_string(token, SID_NT_SYSTEM);
}
-BOOL is_administrator_token(struct security_token *token)
+BOOL security_token_is_anonymous(struct security_token *token)
+{
+ return security_token_is_sid_string(token, SID_NT_ANONYMOUS);
+}
+
+BOOL security_token_has_sid(struct security_token *token, struct dom_sid *sid)
{
- TALLOC_CTX *mem_ctx = talloc_new(token);
int i;
- struct dom_sid *administrators = dom_sid_parse_talloc(mem_ctx, SID_BUILTIN_ADMINISTRATORS);
for (i = 0; i < token->num_sids; i++) {
- if (dom_sid_equal(token->sids[i], administrators)) {
- talloc_free(mem_ctx);
+ if (dom_sid_equal(token->sids[i], sid)) {
return True;
}
}
- talloc_free(mem_ctx);
return False;
}
+BOOL security_token_has_sid_string(struct security_token *token, const char *sid_string)
+{
+ BOOL ret;
+ struct dom_sid *sid = dom_sid_parse_talloc(token, sid_string);
+ if (!sid) return False;
+
+ ret = security_token_has_sid(token, sid);
+
+ talloc_free(sid);
+ return ret;
+}
+
+BOOL security_token_has_builtin_administrators(struct security_token *token)
+{
+ return security_token_has_sid_string(token, SID_BUILTIN_ADMINISTRATORS);
+}
+
+BOOL security_token_has_nt_authenticated_users(struct security_token *token)
+{
+ return security_token_has_sid_string(token, SID_NT_AUTHENTICATED_USERS);
+}
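Review bot: security_token_has_sid takes a non-const `struct dom_sid *sid` while the parallel security_token_is_sid takes `const struct dom_sid *sid`; both only pass the pointer to dom_sid_equal, so the has_ variant should be `BOOL security_token_has_sid(struct security_token *token, const struct dom_sid *sid)` as well, assuming dom_sid_equal accepts const arguments. The new public functions also lack documentation, and the is_/has_ split is easy to misread: a header comment on each pair stating that `security_token_is_*` compares only `token->user_sid` whereas `security_token_has_*` scans `token->sids[]` would prevent callers from using an is_ check where group membership is meant. The surviving `/* These really should be cheaper... */` comment still applies, since every security_token_*_string call re-parses the SID string and allocates on the token; parsing the well-known SIDs once would remove the per-call allocation, but that can be a follow-up.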