summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/include/proto.h1
-rw-r--r--source3/lib/privileges.c67
-rw-r--r--source3/rpc_server/srv_lsa_nt.c74
3 files changed, 36 insertions, 106 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 65a27dc404..e15dc7b5a1 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -634,6 +634,7 @@ void pidfile_unlink(void);
/* The following definitions come from lib/privileges.c */
bool get_privileges_for_sids(uint64_t *privileges, struct dom_sid *slist, int scount);
+NTSTATUS get_privileges_for_sid_as_set(TALLOC_CTX *mem_ctx, PRIVILEGE_SET **privileges, struct dom_sid *sid);
NTSTATUS privilege_enumerate_accounts(struct dom_sid **sids, int *num_sids);
NTSTATUS privilege_enum_sids(enum sec_privilege privilege, TALLOC_CTX *mem_ctx,
struct dom_sid **sids, int *num_sids);
diff --git a/source3/lib/privileges.c b/source3/lib/privileges.c
index 181ea5c986..31b0e7dc55 100644
--- a/source3/lib/privileges.c
+++ b/source3/lib/privileges.c
@@ -149,6 +149,23 @@ bool get_privileges_for_sids(uint64_t *privileges, struct dom_sid *slist, int sc
return found;
}
+NTSTATUS get_privileges_for_sid_as_set(TALLOC_CTX *mem_ctx, PRIVILEGE_SET **privileges, struct dom_sid *sid)
+{
+ uint64_t mask;
+ if (!get_privileges(sid, &mask)) {
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ *privileges = talloc_zero(mem_ctx, PRIVILEGE_SET);
+ if (!*privileges) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!se_priv_to_privilege_set(*privileges, mask)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ return NT_STATUS_OK;
+}
/*********************************************************************
traversal functions for privilege_enumerate_accounts
@@ -435,56 +452,6 @@ NTSTATUS privilege_delete_account(const struct dom_sid *sid)
}
/****************************************************************************
- initialise a privilege list and set the talloc context
- ****************************************************************************/
-
-NTSTATUS privilege_set_init(PRIVILEGE_SET *priv_set)
-{
- TALLOC_CTX *mem_ctx;
-
- ZERO_STRUCTP( priv_set );
-
- mem_ctx = talloc_init("privilege set");
- if ( !mem_ctx ) {
- DEBUG(0,("privilege_set_init: failed to initialize talloc ctx!\n"));
- return NT_STATUS_NO_MEMORY;
- }
-
- priv_set->mem_ctx = mem_ctx;
-
- return NT_STATUS_OK;
-}
-
-/****************************************************************************
- initialise a privilege list and with someone else's talloc context
-****************************************************************************/
-
-NTSTATUS privilege_set_init_by_ctx(TALLOC_CTX *mem_ctx, PRIVILEGE_SET *priv_set)
-{
- ZERO_STRUCTP( priv_set );
-
- priv_set->mem_ctx = mem_ctx;
- priv_set->ext_ctx = True;
-
- return NT_STATUS_OK;
-}
-
-/****************************************************************************
- Free all memory used by a PRIVILEGE_SET
-****************************************************************************/
-
-void privilege_set_free(PRIVILEGE_SET *priv_set)
-{
- if ( !priv_set )
- return;
-
- if ( !( priv_set->ext_ctx ) )
- talloc_destroy( priv_set->mem_ctx );
-
- ZERO_STRUCTP( priv_set );
-}
-
-/****************************************************************************
duplicate alloc luid_attr
****************************************************************************/
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index d0cf4e4716..49bdca7b7f 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -11,6 +11,7 @@
* Copyright (C) Gerald (Jerry) Carter 2005.
* Copyright (C) Volker Lendecke 2005.
* Copyright (C) Guenther Deschner 2008.
+ * Copyright (C) Andrew Bartlett 2010.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -1831,11 +1832,8 @@ NTSTATUS _lsa_EnumPrivsAccount(struct pipes_struct *p,
{
NTSTATUS status = NT_STATUS_OK;
struct lsa_info *info=NULL;
- uint64_t mask;
- PRIVILEGE_SET privileges;
+ PRIVILEGE_SET *privileges;
struct lsa_PrivilegeSet *priv_set = NULL;
- struct lsa_LUIDAttribute *luid_attrs = NULL;
- int i;
/* find the connection policy handle. */
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
@@ -1848,48 +1846,23 @@ NTSTATUS _lsa_EnumPrivsAccount(struct pipes_struct *p,
if (!(info->access & LSA_ACCOUNT_VIEW))
return NT_STATUS_ACCESS_DENIED;
- get_privileges_for_sids(&mask, &info->sid, 1);
-
- privilege_set_init( &privileges );
-
- priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
- if (!priv_set) {
- status = NT_STATUS_NO_MEMORY;
- goto done;
+ status = get_privileges_for_sid_as_set(p->mem_ctx, &privileges, &info->sid);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
- if ( se_priv_to_privilege_set( &privileges, mask ) ) {
-
- DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
- sid_string_dbg(&info->sid),
- privileges.count));
-
- luid_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx,
- struct lsa_LUIDAttribute,
- privileges.count);
- if (!luid_attrs) {
- status = NT_STATUS_NO_MEMORY;
- goto done;
- }
-
- for (i=0; i<privileges.count; i++) {
- luid_attrs[i] = privileges.set[i];
- }
-
- priv_set->count = privileges.count;
- priv_set->unknown = 0;
- priv_set->set = luid_attrs;
-
- } else {
- priv_set->count = 0;
- priv_set->unknown = 0;
- priv_set->set = NULL;
+ *r->out.privs = priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
+ if (!priv_set) {
+ return NT_STATUS_NO_MEMORY;
}
- *r->out.privs = priv_set;
+ DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
+ sid_string_dbg(&info->sid),
+ privileges->count));
- done:
- privilege_set_free( &privileges );
+ priv_set->count = privileges->count;
+ priv_set->unknown = 0;
+ priv_set->set = talloc_move(priv_set, &privileges->set);
return status;
}
@@ -2339,8 +2312,7 @@ NTSTATUS _lsa_EnumAccountRights(struct pipes_struct *p,
NTSTATUS status;
struct lsa_info *info = NULL;
struct dom_sid sid;
- PRIVILEGE_SET privileges;
- uint64_t mask;
+ PRIVILEGE_SET *privileges;
/* find the connection policy handle. */
@@ -2358,29 +2330,19 @@ NTSTATUS _lsa_EnumAccountRights(struct pipes_struct *p,
/* according to an NT4 PDC, you can add privileges to SIDs even without
call_lsa_create_account() first. And you can use any arbitrary SID. */
- sid_copy( &sid, r->in.sid );
-
/* according to MS-LSAD 3.1.4.5.10 it is required to return
* NT_STATUS_OBJECT_NAME_NOT_FOUND if the account sid was not found in
* the lsa database */
- if (!get_privileges_for_sids(&mask, &sid, 1)) {
- return NT_STATUS_OBJECT_NAME_NOT_FOUND;
- }
-
- status = privilege_set_init(&privileges);
+ status = get_privileges_for_sid_as_set(p->mem_ctx, &privileges, r->in.sid);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- se_priv_to_privilege_set(&privileges, mask);
-
DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
- sid_string_dbg(&sid), privileges.count));
-
- status = init_lsa_right_set(p->mem_ctx, r->out.rights, &privileges);
+ sid_string_dbg(&sid), privileges->count));
- privilege_set_free( &privileges );
+ status = init_lsa_right_set(p->mem_ctx, r->out.rights, privileges);
return status;
}