diff options
Diffstat (limited to 'source3/rpc_server')
| -rw-r--r-- | source3/rpc_server/srv_lsa_nt.c | 10 | ||||
| -rw-r--r-- | source3/rpc_server/srv_samr_nt.c | 19 | ||||
| -rw-r--r-- | source3/rpc_server/srv_srvsvc_nt.c | 30 | ||||
| -rw-r--r-- | source3/rpc_server/srv_svcctl_nt.c | 9 |
4 files changed, 43 insertions, 25 deletions
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c index 94517f3478..0e9d121242 100644 --- a/source3/rpc_server/srv_lsa_nt.c +++ b/source3/rpc_server/srv_lsa_nt.c @@ -290,22 +290,18 @@ static NTSTATUS lsa_get_generic_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *s DOM_SID adm_sid; SEC_ACE ace[3]; - SEC_ACCESS mask; SEC_ACL *psa = NULL; - init_sec_access(&mask, LSA_POLICY_EXECUTE); - init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, LSA_POLICY_EXECUTE, 0); sid_copy(&adm_sid, get_global_sam_sid()); sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS); - init_sec_access(&mask, LSA_POLICY_ALL_ACCESS); - init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, LSA_POLICY_ALL_ACCESS, 0); sid_copy(&local_adm_sid, &global_sid_Builtin); sid_append_rid(&local_adm_sid, BUILTIN_ALIAS_RID_ADMINS); - init_sec_access(&mask, LSA_POLICY_ALL_ACCESS); - init_sec_ace(&ace[2], &local_adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_ace(&ace[2], &local_adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, LSA_POLICY_ALL_ACCESS, 0); if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, 3, ace)) == NULL) return NT_STATUS_NO_MEMORY; diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 1b1e98c049..6455f02374 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -113,36 +113,35 @@ static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd { DOM_SID domadmin_sid; SEC_ACE ace[5]; /* at most 5 entries */ - SEC_ACCESS mask; size_t i = 0; SEC_ACL *psa = NULL; /* basic access for Everyone */ - init_sec_access(&mask, map->generic_execute | map->generic_read ); - init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, + map->generic_execute | map->generic_read, 0); /* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */ - init_sec_access(&mask, map->generic_all); - - init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators, + SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0); + init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators, + SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0); /* Add Full Access for Domain Admins if we are a DC */ if ( IS_DC ) { sid_copy( &domadmin_sid, get_global_sam_sid() ); sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS ); - init_sec_ace(&ace[i++], &domadmin_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_ace(&ace[i++], &domadmin_sid, + SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0); } /* if we have a sid, give it some special access */ if ( sid ) { - init_sec_access( &mask, sid_access ); - init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED, sid_access, 0); } /* create the security descriptor */ diff --git a/source3/rpc_server/srv_srvsvc_nt.c b/source3/rpc_server/srv_srvsvc_nt.c index bb9c3687fb..47688b114c 100644 --- a/source3/rpc_server/srv_srvsvc_nt.c +++ b/source3/rpc_server/srv_srvsvc_nt.c @@ -1700,7 +1700,9 @@ WERROR _srvsvc_NetShareAdd(pipes_struct *p, DEBUG(5,("_srvsvc_NetShareAdd: %d\n", __LINE__)); - *r->out.parm_error = 0; + if (r->out.parm_error) { + *r->out.parm_error = 0; + } get_current_user(&user,p); @@ -2148,6 +2150,8 @@ WERROR _srvsvc_NetSetFileSecurity(pipes_struct *p, connection_struct *conn = NULL; int snum; char *oldcwd = NULL; + struct security_descriptor *psd = NULL; + uint32_t security_info_sent = 0; ZERO_STRUCT(st); @@ -2196,9 +2200,29 @@ WERROR _srvsvc_NetSetFileSecurity(pipes_struct *p, goto error_exit; } + psd = r->in.sd_buf->sd; + security_info_sent = r->in.securityinformation; + + if (psd->owner_sid==0) { + security_info_sent &= ~OWNER_SECURITY_INFORMATION; + } + if (psd->group_sid==0) { + security_info_sent &= ~GROUP_SECURITY_INFORMATION; + } + if (psd->sacl==0) { + security_info_sent &= ~SACL_SECURITY_INFORMATION; + } + if (psd->dacl==0) { + security_info_sent &= ~DACL_SECURITY_INFORMATION; + } + + /* Convert all the generic bits. */ + security_acl_map_generic(psd->dacl, &file_generic_mapping); + security_acl_map_generic(psd->sacl, &file_generic_mapping); + nt_status = SMB_VFS_FSET_NT_ACL(fsp, - r->in.securityinformation, - r->in.sd_buf->sd); + security_info_sent, + psd); if (!NT_STATUS_IS_OK(nt_status) ) { DEBUG(3,("_srvsvc_NetSetFileSecurity: Unable to set NT ACL " diff --git a/source3/rpc_server/srv_svcctl_nt.c b/source3/rpc_server/srv_svcctl_nt.c index 6bb538a311..a57d0ff4a4 100644 --- a/source3/rpc_server/srv_svcctl_nt.c +++ b/source3/rpc_server/srv_svcctl_nt.c @@ -140,7 +140,6 @@ static NTSTATUS svcctl_access_check( SEC_DESC *sec_desc, NT_USER_TOKEN *token, static SEC_DESC* construct_scm_sd( TALLOC_CTX *ctx ) { SEC_ACE ace[2]; - SEC_ACCESS mask; size_t i = 0; SEC_DESC *sd; SEC_ACL *acl; @@ -148,13 +147,13 @@ static SEC_DESC* construct_scm_sd( TALLOC_CTX *ctx ) /* basic access for Everyone */ - init_sec_access(&mask, SC_MANAGER_READ_ACCESS ); - init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_ace(&ace[i++], &global_sid_World, + SEC_ACE_TYPE_ACCESS_ALLOWED, SC_MANAGER_READ_ACCESS, 0); /* Full Access 'BUILTIN\Administrators' */ - init_sec_access(&mask,SC_MANAGER_ALL_ACCESS ); - init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators, + SEC_ACE_TYPE_ACCESS_ALLOWED, SC_MANAGER_ALL_ACCESS, 0); /* create the security descriptor */ |