diff options
-rw-r--r-- | libcli/security/privileges.c | 9 | ||||
-rw-r--r-- | source3/smbd/nttrans.c | 10 | ||||
-rw-r--r-- | source3/smbd/open.c | 29 |
3 files changed, 21 insertions, 27 deletions
diff --git a/libcli/security/privileges.c b/libcli/security/privileges.c index 5d4cf77490..57c485dbe6 100644 --- a/libcli/security/privileges.c +++ b/libcli/security/privileges.c @@ -40,7 +40,7 @@ /* The use of strcasecmp here is safe, all the comparison strings are ASCII */ #undef strcasecmp -#define NUM_SHORT_LIST_PRIVS 8 +#define NUM_SHORT_LIST_PRIVS 9 static const struct { enum sec_privilege luid; @@ -58,16 +58,13 @@ static const struct { {SEC_PRIV_PRINT_OPERATOR, SEC_PRIV_PRINT_OPERATOR_BIT, "SePrintOperatorPrivilege", "Manage printers"}, {SEC_PRIV_ADD_USERS, SEC_PRIV_ADD_USERS_BIT, "SeAddUsersPrivilege", "Add users and groups to the domain"}, {SEC_PRIV_DISK_OPERATOR, SEC_PRIV_DISK_OPERATOR_BIT, "SeDiskOperatorPrivilege", "Manage disk shares"}, + {SEC_PRIV_SECURITY, SEC_PRIV_SECURITY_BIT, "SeSecurityPrivilege", "System security"}, + /* The list from here on is not displayed in the code from * source3, and is after index NUM_SHORT_LIST_PRIVS for that * reason */ - {SEC_PRIV_SECURITY, - SEC_PRIV_SECURITY_BIT, - "SeSecurityPrivilege", - "System security"}, - {SEC_PRIV_SYSTEMTIME, SEC_PRIV_SYSTEMTIME_BIT, "SeSystemtimePrivilege", diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c index 3a9f6813ec..caba21161c 100644 --- a/source3/smbd/nttrans.c +++ b/source3/smbd/nttrans.c @@ -1837,6 +1837,16 @@ NTSTATUS smbd_do_query_security_desc(connection_struct *conn, * Get the permissions to return. */ + if ((security_info_wanted & SECINFO_SACL) && + !(fsp->access_mask & SEC_FLAG_SYSTEM_SECURITY)) { + return NT_STATUS_ACCESS_DENIED; + } + + if ((security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|SECINFO_GROUP)) && + !(fsp->access_mask & SEC_STD_READ_CONTROL)) { + return NT_STATUS_ACCESS_DENIED; + } + if (!lp_nt_acl_support(SNUM(conn))) { status = get_null_nt_acl(mem_ctx, &psd); } else { diff --git a/source3/smbd/open.c b/source3/smbd/open.c index 01f0cd699a..f5de607713 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -2506,8 +2506,9 @@ static NTSTATUS open_directory(connection_struct *conn, return status; } - /* We need to support SeSecurityPrivilege for this. */ - if (access_mask & SEC_FLAG_SYSTEM_SECURITY) { + if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) & + !security_token_has_privilege(get_current_nttok(conn), + SEC_PRIV_SECURITY)) { DEBUG(10, ("open_directory: open on %s " "failed - SEC_FLAG_SYSTEM_SECURITY denied.\n", smb_fname_str_dbg(smb_dname))); @@ -3029,29 +3030,15 @@ static NTSTATUS create_file_unixpath(connection_struct *conn, goto fail; } -#if 0 - /* We need to support SeSecurityPrivilege for this. */ if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) && - !user_has_privileges(current_user.nt_user_token, - &se_security)) { - status = NT_STATUS_PRIVILEGE_NOT_HELD; - goto fail; - } -#else - /* We need to support SeSecurityPrivilege for this. */ - if (access_mask & SEC_FLAG_SYSTEM_SECURITY) { - status = NT_STATUS_PRIVILEGE_NOT_HELD; - goto fail; - } - /* Don't allow a SACL set from an NTtrans create until we - * support SeSecurityPrivilege. */ - if (!VALID_STAT(smb_fname->st) && - lp_nt_acl_support(SNUM(conn)) && - sd && (sd->sacl != NULL)) { + !security_token_has_privilege(get_current_nttok(conn), + SEC_PRIV_SECURITY)) { + DEBUG(10, ("create_file_unixpath: open on %s " + "failed - SEC_FLAG_SYSTEM_SECURITY denied.\n", + smb_fname_str_dbg(smb_fname))); status = NT_STATUS_PRIVILEGE_NOT_HELD; goto fail; } -#endif if ((conn->fs_capabilities & FILE_NAMED_STREAMS) && is_ntfs_stream_smb_fname(smb_fname) |