summaryrefslogtreecommitdiff
path: root/source3/rpc_server/samr
diff options
context:
space:
mode:
Diffstat (limited to 'source3/rpc_server/samr')
-rw-r--r--source3/rpc_server/samr/srv_samr_nt.c114
1 files changed, 1 insertions, 113 deletions
diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
index 2d8564d786..2e4f883a58 100644
--- a/source3/rpc_server/samr/srv_samr_nt.c
+++ b/source3/rpc_server/samr/srv_samr_nt.c
@@ -44,6 +44,7 @@
#include "passdb.h"
#include "auth.h"
#include "ntdomain.h"
+#include "rpc_server/srv_access_check.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_SRV
@@ -180,119 +181,6 @@ static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, struct security_descriptor
}
/*******************************************************************
- Checks if access to an object should be granted, and returns that
- level of access for further checks.
-
- If the user has either of needed_priv_1 or needed_priv_2 then they
- get the rights in rights_mask in addition to any calulated rights.
-
- This handles the unusual case where we need to allow two different
- privileges to obtain exactly the same rights, which occours only in
- SAMR.
-********************************************************************/
-
-NTSTATUS access_check_object( struct security_descriptor *psd, struct security_token *token,
- enum sec_privilege needed_priv_1, enum sec_privilege needed_priv_2,
- uint32 rights_mask,
- uint32 des_access, uint32 *acc_granted,
- const char *debug )
-{
- NTSTATUS status = NT_STATUS_ACCESS_DENIED;
- uint32 saved_mask = 0;
-
- /* check privileges; certain SAM access bits should be overridden
- by privileges (mostly having to do with creating/modifying/deleting
- users and groups) */
-
- if ((needed_priv_1 != SEC_PRIV_INVALID && security_token_has_privilege(token, needed_priv_1)) ||
- (needed_priv_2 != SEC_PRIV_INVALID && security_token_has_privilege(token, needed_priv_2))) {
- saved_mask = (des_access & rights_mask);
- des_access &= ~saved_mask;
-
- DEBUG(4,("access_check_object: user rights access mask [0x%x]\n",
- rights_mask));
- }
-
-
- /* check the security descriptor first */
-
- status = se_access_check(psd, token, des_access, acc_granted);
- if (NT_STATUS_IS_OK(status)) {
- goto done;
- }
-
- /* give root a free pass */
-
- if ( geteuid() == sec_initial_uid() ) {
-
- DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access));
- DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n"));
-
- *acc_granted = des_access;
-
- status = NT_STATUS_OK;
- goto done;
- }
-
-
-done:
- /* add in any bits saved during the privilege check (only
- matters is status is ok) */
-
- *acc_granted |= rights_mask;
-
- DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n",
- debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED",
- des_access, *acc_granted));
-
- return status;
-}
-
-
-/*******************************************************************
- Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
-********************************************************************/
-
-void map_max_allowed_access(const struct security_token *nt_token,
- const struct security_unix_token *unix_token,
- uint32_t *pacc_requested)
-{
- if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
- return;
- }
- *pacc_requested &= ~MAXIMUM_ALLOWED_ACCESS;
-
- /* At least try for generic read|execute - Everyone gets that. */
- *pacc_requested = GENERIC_READ_ACCESS|GENERIC_EXECUTE_ACCESS;
-
- /* root gets anything. */
- if (unix_token->uid == sec_initial_uid()) {
- *pacc_requested |= GENERIC_ALL_ACCESS;
- return;
- }
-
- /* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
-
- if (security_token_has_sid(nt_token, &global_sid_Builtin_Administrators) ||
- security_token_has_sid(nt_token, &global_sid_Builtin_Account_Operators)) {
- *pacc_requested |= GENERIC_ALL_ACCESS;
- return;
- }
-
- /* Full access for DOMAIN\Domain Admins. */
- if ( IS_DC ) {
- struct dom_sid domadmin_sid;
- sid_compose(&domadmin_sid, get_global_sam_sid(),
- DOMAIN_RID_ADMINS);
- if (security_token_has_sid(nt_token, &domadmin_sid)) {
- *pacc_requested |= GENERIC_ALL_ACCESS;
- return;
- }
- }
- /* TODO ! Check privileges. */
-}
-
-/*******************************************************************
Fetch or create a dispinfo struct.
********************************************************************/