Diffstat (limited to 'source3')
33 files changed, 318 insertions, 315 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in index 51a469b2b9..ca42d5b95d 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -388,7 +388,7 @@ LIB_OBJ = $(LIBSAMBAUTIL_OBJ) $(UTIL_OBJ) $(CRYPTO_OBJ) \ ../libcli/security/secacl.o \ libads/krb5_errs.o lib/system_smbd.o lib/audit.o $(LIBNDR_OBJ) \ lib/file_id.o lib/idmap_cache.o \ - ../libcli/security/dom_sid.o + ../libcli/security/dom_sid.o ../libcli/security/security_descriptor.o LIB_DUMMY_OBJ = lib/dummysmbd.o lib/dummyroot.o LIB_NONSMBD_OBJ = $(LIB_OBJ) $(LIB_DUMMY_OBJ) diff --git a/source3/client/client.c b/source3/client/client.c index fcb9b27f1f..d74de35bc5 100644 --- a/source3/client/client.c +++ b/source3/client/client.c @@ -1389,7 +1389,7 @@ static bool do_mkdir(const char *name) return false; } - if (!cli_mkdir(targetcli, targetname)) { + if (!NT_STATUS_IS_OK(cli_mkdir(targetcli, targetname))) { d_printf("%s making remote directory %s\n", cli_errstr(targetcli),name); return false; diff --git a/source3/client/clitar.c b/source3/client/clitar.c index c9f3e87c4d..7512583e19 100644 --- a/source3/client/clitar.c +++ b/source3/client/clitar.c @@ -555,7 +555,7 @@ static bool ensurepath(const char *fname) safe_strcat(partpath, p, strlen(fname) + 1); if (!cli_chkpath(cli, partpath)) { - if (!cli_mkdir(cli, partpath)) { + if (!NT_STATUS_IS_OK(cli_mkdir(cli, partpath))) { SAFE_FREE(partpath); SAFE_FREE(ffname); DEBUG(0, ("Error mkdir %s\n", cli_errstr(cli))); diff --git a/source3/include/includes.h b/source3/include/includes.h index 943de8db7b..596c772d9e 100644 --- a/source3/include/includes.h +++ b/source3/include/includes.h @@ -702,6 +702,7 @@ enum flush_reason_enum { #endif #include "libcli/security/secace.h" #include "libcli/security/secacl.h" +#include "libcli/security/security_descriptor.h" #if defined(HAVE_POSIX_ACLS) #include "modules/vfs_posixacl.h" diff --git a/source3/include/proto.h b/source3/include/proto.h index fa6dafa1b0..3ddbf6f3b9 100644 --- a/source3/include/proto.h 
+++ b/source3/include/proto.h @@ -2338,7 +2338,7 @@ bool cli_ntrename(struct cli_state *cli, const char *fname_src, const char *fnam bool cli_nt_hardlink(struct cli_state *cli, const char *fname_src, const char *fname_dst); bool cli_unlink_full(struct cli_state *cli, const char *fname, uint16 attrs); bool cli_unlink(struct cli_state *cli, const char *fname); -bool cli_mkdir(struct cli_state *cli, const char *dname); +NTSTATUS cli_mkdir(struct cli_state *cli, const char *dname); bool cli_rmdir(struct cli_state *cli, const char *dname); int cli_nt_delete_on_close(struct cli_state *cli, int fnum, bool flag); int cli_nt_create_full(struct cli_state *cli, const char *fname, diff --git a/source3/include/rpc_secdes.h b/source3/include/rpc_secdes.h index c74d621f35..6db3f2d7c7 100644 --- a/source3/include/rpc_secdes.h +++ b/source3/include/rpc_secdes.h @@ -121,9 +121,6 @@ struct standard_mapping { #define STANDARD_RIGHTS_MASK 0x00FF0000 #define GENERIC_RIGHTS_MASK 0xF0000000 -#define SEC_RIGHT_SYSTEM_SECURITY 0x01000000 -#define SEC_RIGHT_MAXIMUM_ALLOWED 0x02000000 - /* Generic access rights */ #define GENERIC_RIGHT_ALL_ACCESS 0x10000000 
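Review bot: Switching `cli_mkdir` from `bool` to `NTSTATUS` flips the truth value of success, since `NT_STATUS_OK` is zero. Any caller still written as `if (!cli_mkdir(...))` would take the error path on success wherever NTSTATUS compiles as a plain integer, and nothing would warn about it. The callers in client.c, clitar.c and libsmb_dir.c are converted in this diff; callers in files not shown here should be checked the same way. A comment at the definition would help, for example `/* Returns NT_STATUS_OK on success; test with NT_STATUS_IS_OK(), never with '!'. */`.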
@@ -194,39 +191,4 @@ struct standard_mapping { SA_RIGHT_FILE_WRITE_DATA | \ SA_RIGHT_FILE_READ_DATA) -/* - * Access Bits for registry ACLS - */ - -/* used by registry ACLs */ - -#define SEC_RIGHTS_QUERY_VALUE 0x00000001 -#define SEC_RIGHTS_SET_VALUE 0x00000002 -#define SEC_RIGHTS_CREATE_SUBKEY 0x00000004 -#define SEC_RIGHTS_ENUM_SUBKEYS 0x00000008 -#define SEC_RIGHTS_NOTIFY 0x00000010 -#define SEC_RIGHTS_CREATE_LINK 0x00000020 -#define SEC_RIGHTS_MAXIMUM_ALLOWED 0x02000000 - - -#define REG_KEY_READ \ - ( STANDARD_RIGHTS_READ_ACCESS |\ - SEC_RIGHTS_QUERY_VALUE |\ - SEC_RIGHTS_ENUM_SUBKEYS |\ - SEC_RIGHTS_NOTIFY ) - -#define REG_KEY_EXECUTE REG_KEY_READ - -#define REG_KEY_WRITE \ - ( STANDARD_RIGHTS_WRITE_ACCESS |\ - SEC_RIGHTS_SET_VALUE |\ - SEC_RIGHTS_CREATE_SUBKEY ) - -#define REG_KEY_ALL \ - ( STANDARD_RIGHTS_REQUIRED_ACCESS |\ - REG_KEY_READ |\ - REG_KEY_WRITE |\ - SEC_RIGHTS_CREATE_LINK ) - - #endif /* _RPC_SECDES_H */ diff --git a/source3/lib/smbconf/smbconf_reg.c b/source3/lib/smbconf/smbconf_reg.c index 0ecac97575..54ce5348a7 100644 --- a/source3/lib/smbconf/smbconf_reg.c +++ b/source3/lib/smbconf/smbconf_reg.c @@ -567,7 +567,7 @@ static WERROR smbconf_reg_init(struct smbconf_ctx *ctx, const char *path) } werr = reg_open_path(ctx, ctx->path, - SEC_RIGHTS_ENUM_SUBKEYS | REG_KEY_WRITE, + KEY_ENUMERATE_SUB_KEYS | REG_KEY_WRITE, token, &rpd(ctx)->base_key); if (!W_ERROR_IS_OK(werr)) { goto done; diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 894f5cba32..81990dfd81 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -703,7 +703,7 @@ static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx, } status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, &lsa_pol); + SEC_FLAG_MAXIMUM_ALLOWED, &lsa_pol); if (!NT_STATUS_IS_OK(status)) { goto done; } 
@@ -888,7 +888,7 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx, &domain_pol, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, user_rid, &user_pol); if (!NT_STATUS_IS_OK(status)) { @@ -1167,7 +1167,7 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, status = rpccli_samr_Connect2(pipe_hnd, mem_ctx, pipe_hnd->desthost, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &sam_pol); if (!NT_STATUS_IS_OK(status)) { goto done; @@ -1175,7 +1175,7 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx, &sam_pol, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, r->in.domain_sid, &domain_pol); if (!NT_STATUS_IS_OK(status)) { @@ -1213,7 +1213,7 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx, &domain_pol, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, user_rid, &user_pol); if (!NT_STATUS_IS_OK(status)) { diff --git a/source3/libsmb/clifile.c b/source3/libsmb/clifile.c index 0a1168fd0f..5be18366b9 100644 --- a/source3/libsmb/clifile.c +++ b/source3/libsmb/clifile.c @@ -596,6 +596,7 @@ bool cli_unlink(struct cli_state *cli, const char *fname) return cli_unlink_full(cli, fname, aSYSTEM | aHIDDEN); } +#if 0 /**************************************************************************** Create a directory. ****************************************************************************/ 
@@ -631,6 +632,115 @@ bool cli_mkdir(struct cli_state *cli, const char *dname) return True; } +#endif + +/**************************************************************************** + Create a directory. +****************************************************************************/ + +static void cli_mkdir_done(struct tevent_req *subreq); + +struct cli_mkdir_state { + int dummy; +}; + +struct tevent_req *cli_mkdir_send(TALLOC_CTX *mem_ctx, + struct event_context *ev, + struct cli_state *cli, + const char *dname) +{ + struct tevent_req *req = NULL, *subreq = NULL; + struct cli_mkdir_state *state = NULL; + uint8_t additional_flags = 0; + uint8_t *bytes = NULL; + + req = tevent_req_create(mem_ctx, &state, struct cli_mkdir_state); + if (req == NULL) { + return NULL; + } + + bytes = talloc_array(state, uint8_t, 1); + if (!bytes) { + return NULL; + } + bytes[0] = 4; + bytes = smb_bytes_push_str(bytes, cli_ucs2(cli), dname, + strlen(dname)+1, NULL); + + if (tevent_req_nomem(bytes, req)) { + return tevent_req_post(req, ev); + } + + subreq = cli_smb_send(state, ev, cli, SMBmkdir, additional_flags, + 0, NULL, talloc_get_size(bytes), bytes); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + tevent_req_set_callback(subreq, cli_mkdir_done, req); + return req; +} + +static void cli_mkdir_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + NTSTATUS status; + + status = cli_smb_recv(subreq, 0, NULL, NULL, NULL, NULL); + TALLOC_FREE(subreq); + if (!NT_STATUS_IS_OK(status)) { + tevent_req_nterror(req, status); + return; + } + tevent_req_done(req); +} + +NTSTATUS cli_mkdir_recv(struct tevent_req *req) +{ + return tevent_req_simple_recv_ntstatus(req); +} + +NTSTATUS cli_mkdir(struct cli_state *cli, const char *dname) +{ + TALLOC_CTX *frame = talloc_stackframe(); + struct event_context *ev; + struct tevent_req *req; + NTSTATUS status = NT_STATUS_OK; + + if (cli_has_async_calls(cli)) { + 
/* + * Can't use sync call while an async call is in flight + */ + status = NT_STATUS_INVALID_PARAMETER; + goto fail; + } + + ev = event_context_init(frame); + if (ev == NULL) { + status = NT_STATUS_NO_MEMORY; + goto fail; + } + + req = cli_mkdir_send(frame, ev, cli, dname); + if (req == NULL) { + status = NT_STATUS_NO_MEMORY; + goto fail; + } + + if (!tevent_req_poll(req, ev)) { + status = map_nt_error_from_unix(errno); + goto fail; + } + + status = cli_mkdir_recv(req); + + fail: + TALLOC_FREE(frame); + if (!NT_STATUS_IS_OK(status)) { + cli_set_error(cli, status); + } + return status; +} /**************************************************************************** Remove a directory. diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c index 219bbe64e1..5afc8e48b6 100644 --- a/source3/libsmb/libsmb_dir.c +++ b/source3/libsmb/libsmb_dir.c @@ -1177,8 +1177,7 @@ SMBC_mkdir_ctx(SMBCCTX *context, } /*d_printf(">>>mkdir: resolved path as %s\n", targetpath);*/ - if (!cli_mkdir(targetcli, targetpath)) { - + if (!NT_STATUS_IS_OK(cli_mkdir(targetcli, targetpath))) { errno = SMBC_errno(context, targetcli); TALLOC_FREE(frame); return -1; diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c index eda37f2187..60849c812f 100644 --- a/source3/libsmb/libsmb_server.c +++ b/source3/libsmb/libsmb_server.c @@ -740,7 +740,7 @@ SMBC_attr_server(TALLOC_CTX *ctx, /* * Some systems don't support - * SEC_RIGHTS_MAXIMUM_ALLOWED, but NT sends 0x2000000 + * SEC_FLAG_MAXIMUM_ALLOWED, but NT sends 0x2000000 * so we might as well do it too. */ diff --git a/source3/registry/reg_api.c b/source3/registry/reg_api.c index c1a78c14dc..817d43be6b 100644 --- a/source3/registry/reg_api.c +++ b/source3/registry/reg_api.c 
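Review bot: In `cli_mkdir_send`, the `if (!bytes) { return NULL; }` after `talloc_array` returns without releasing `req`, which `tevent_req_create` has already allocated on the caller's `mem_ctx`, so the request stays allocated until that context is freed. It is also inconsistent with the `tevent_req_nomem` handling used a few lines later for the same buffer. The check could read `if (tevent_req_nomem(bytes, req)) { return tevent_req_post(req, ev); }`. Separately, `strlen(dname)+1` assumes `dname` is non-NULL, which is worth stating in the function comment. The old synchronous body kept under `#if 0` would be better deleted than left in the file.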
@@ -272,7 +272,7 @@ WERROR reg_openkey(TALLOC_CTX *mem_ctx, struct registry_key *parent, err = regkey_open_onelevel(mem_ctx, direct_parent, name_component, parent->token, - SEC_RIGHTS_ENUM_SUBKEYS, &tmp); + KEY_ENUMERATE_SUB_KEYS, &tmp); SAFE_FREE(name_component); if (!W_ERROR_IS_OK(err)) { @@ -301,7 +301,7 @@ WERROR reg_enumkey(TALLOC_CTX *mem_ctx, struct registry_key *key, { WERROR err; - if (!(key->key->access_granted & SEC_RIGHTS_ENUM_SUBKEYS)) { + if (!(key->key->access_granted & KEY_ENUMERATE_SUB_KEYS)) { return WERR_ACCESS_DENIED; } @@ -332,7 +332,7 @@ WERROR reg_enumvalue(TALLOC_CTX *mem_ctx, struct registry_key *key, struct registry_value *val; WERROR err; - if (!(key->key->access_granted & SEC_RIGHTS_QUERY_VALUE)) { + if (!(key->key->access_granted & KEY_QUERY_VALUE)) { return WERR_ACCESS_DENIED; } @@ -370,7 +370,7 @@ WERROR reg_queryvalue(TALLOC_CTX *mem_ctx, struct registry_key *key, WERROR err; uint32 i; - if (!(key->key->access_granted & SEC_RIGHTS_QUERY_VALUE)) { + if (!(key->key->access_granted & KEY_QUERY_VALUE)) { return WERR_ACCESS_DENIED; } @@ -399,7 +399,7 @@ WERROR reg_queryinfokey(struct registry_key *key, uint32_t *num_subkeys, WERROR err; struct security_descriptor *secdesc; - if (!(key->key->access_granted & SEC_RIGHTS_QUERY_VALUE)) { + if (!(key->key->access_granted & KEY_QUERY_VALUE)) { return WERR_ACCESS_DENIED; } @@ -483,7 +483,7 @@ WERROR reg_createkey(TALLOC_CTX *ctx, struct registry_key *parent, *end = '\0'; err = reg_createkey(mem_ctx, key, path, - SEC_RIGHTS_ENUM_SUBKEYS, &tmp, &action); + KEY_ENUMERATE_SUB_KEYS, &tmp, &action); if (!W_ERROR_IS_OK(err)) { goto done; } @@ -521,7 +521,7 @@ WERROR reg_createkey(TALLOC_CTX *ctx, struct registry_key *parent, * with ENUM_SUBKEY access. */ - err = reg_openkey(mem_ctx, key, "", SEC_RIGHTS_CREATE_SUBKEY, + err = reg_openkey(mem_ctx, key, "", KEY_CREATE_SUB_KEY, &create_parent); if (!W_ERROR_IS_OK(err)) { goto done; 
@@ -582,7 +582,7 @@ WERROR reg_deletekey(struct registry_key *parent, const char *path) *end = '\0'; err = reg_openkey(mem_ctx, parent, name, - SEC_RIGHTS_CREATE_SUBKEY, &tmp_key); + KEY_CREATE_SUB_KEY, &tmp_key); W_ERROR_NOT_OK_GOTO_DONE(err); parent = tmp_key; @@ -608,7 +608,7 @@ WERROR reg_setvalue(struct registry_key *key, const char *name, DATA_BLOB value_data; int res; - if (!(key->key->access_granted & SEC_RIGHTS_SET_VALUE)) { + if (!(key->key->access_granted & KEY_SET_VALUE)) { return WERR_ACCESS_DENIED; } @@ -655,7 +655,7 @@ WERROR reg_deletevalue(struct registry_key *key, const char *name) { WERROR err; - if (!(key->key->access_granted & SEC_RIGHTS_SET_VALUE)) { + if (!(key->key->access_granted & KEY_SET_VALUE)) { return WERR_ACCESS_DENIED; } @@ -982,7 +982,7 @@ WERROR reg_deleteallvalues(struct registry_key *key) WERROR err; int i; - if (!(key->key->access_granted & SEC_RIGHTS_SET_VALUE)) { + if (!(key->key->access_granted & KEY_SET_VALUE)) { return WERR_ACCESS_DENIED; } @@ -1038,7 +1038,7 @@ WERROR reg_open_path(TALLOC_CTX *mem_ctx, const char *orig_path, *p = '\0'; - err = reg_openhive(mem_ctx, path, SEC_RIGHTS_ENUM_SUBKEYS, token, + err = reg_openhive(mem_ctx, path, KEY_ENUMERATE_SUB_KEYS, token, &hive); if (!W_ERROR_IS_OK(err)) { SAFE_FREE(path); @@ -1209,7 +1209,7 @@ WERROR reg_create_path(TALLOC_CTX *mem_ctx, const char *orig_path, err = reg_openhive(mem_ctx, path, (strchr(p+1, '\\') != NULL) ? - SEC_RIGHTS_ENUM_SUBKEYS : SEC_RIGHTS_CREATE_SUBKEY, + KEY_ENUMERATE_SUB_KEYS : KEY_CREATE_SUB_KEY, token, &hive); if (!W_ERROR_IS_OK(err)) { SAFE_FREE(path); @@ -1249,7 +1249,7 @@ WERROR reg_delete_path(const struct nt_user_token *token, err = reg_openhive(NULL, path, (strchr(p+1, '\\') != NULL) ? - SEC_RIGHTS_ENUM_SUBKEYS : SEC_RIGHTS_CREATE_SUBKEY, + KEY_ENUMERATE_SUB_KEYS : KEY_CREATE_SUB_KEY, token, &hive); if (!W_ERROR_IS_OK(err)) { SAFE_FREE(path); 
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 90131e1624..a651cd21e2 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -84,17 +84,6 @@ typedef struct disp_info { * handler. */ } DISP_INFO; -/* We keep a static list of these by SID as modern clients close down - all resources between each request in a complete enumeration. */ - -struct samr_info { - /* for use by the \PIPE\samr policy */ - DOM_SID sid; - uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */ - uint32 acc_granted; - DISP_INFO *disp_info; -}; - static const struct generic_mapping sam_generic_mapping = { GENERIC_RIGHTS_SAM_READ, GENERIC_RIGHTS_SAM_WRITE, @@ -240,36 +229,6 @@ done: return status; } -/******************************************************************* - Checks if access to a function can be granted -********************************************************************/ - -static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug) -{ - DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n", - debug, acc_granted, acc_required)); - - /* check the security descriptor first */ - - if ( (acc_granted&acc_required) == acc_required ) - return NT_STATUS_OK; - - /* give root a free pass */ - - if (geteuid() == sec_initial_uid()) { - - DEBUG(4,("%s: ACCESS should be DENIED (granted: %#010x; required: %#010x)\n", - debug, acc_granted, acc_required)); - DEBUGADD(4,("but overwritten by euid == 0\n")); - - return NT_STATUS_OK; - } - - DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: %#010x)\n", - debug, acc_granted, acc_required)); - - return NT_STATUS_ACCESS_DENIED; -} /******************************************************************* Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set. 
@@ -387,37 +346,6 @@ static DISP_INFO *get_samr_dispinfo_by_sid(const struct dom_sid *psid) } /******************************************************************* - Create a samr_info struct. -********************************************************************/ - -static int samr_info_destructor(struct samr_info *info); - -static struct samr_info *get_samr_info_by_sid(TALLOC_CTX *mem_ctx, - DOM_SID *psid) -{ - struct samr_info *info; - - info = talloc_zero(mem_ctx, struct samr_info); - if (info == NULL) { - return NULL; - } - talloc_set_destructor(info, samr_info_destructor); - - DEBUG(10, ("get_samr_info_by_sid: created new info for sid %s\n", - sid_string_dbg(psid))); - - if (psid) { - sid_copy( &info->sid, psid); - } else { - DEBUG(10,("get_samr_info_by_sid: created new info for NULL sid.\n")); - } - - info->disp_info = get_samr_dispinfo_by_sid(psid); - - return info; -} - -/******************************************************************* Function to free the per SID data. ********************************************************************/ @@ -440,17 +368,6 @@ static void free_samr_cache(DISP_INFO *disp_info) unbecome_root(); } -static int samr_info_destructor(struct samr_info *info) -{ - /* Only free the dispinfo cache if no one bothered to set up - a timeout. */ - - if (info->disp_info && info->disp_info->cache_timeout_event == NULL) { - free_samr_cache(info->disp_info); - } - return 0; -} - /******************************************************************* Idle event handler. Throw away the disp info cache. ********************************************************************/ 
@@ -724,46 +641,25 @@ NTSTATUS _samr_GetUserPwInfo(pipes_struct *p, } /******************************************************************* -********************************************************************/ - -static bool get_lsa_policy_samr_sid( pipes_struct *p, struct policy_handle *pol, - DOM_SID *sid, uint32 *acc_granted, - DISP_INFO **ppdisp_info) -{ - struct samr_info *info = NULL; - - /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, pol, (void **)(void *)&info)) - return False; - - if (!info) - return False; - - *sid = info->sid; - *acc_granted = info->acc_granted; - if (ppdisp_info) { - *ppdisp_info = info->disp_info; - } - - return True; -} - -/******************************************************************* _samr_SetSecurity ********************************************************************/ NTSTATUS _samr_SetSecurity(pipes_struct *p, struct samr_SetSecurity *r) { - DOM_SID pol_sid; - uint32 acc_granted, i; + struct samr_user_info *uinfo; + uint32 i; SEC_ACL *dacl; bool ret; struct samu *sampass=NULL; NTSTATUS status; - if (!get_lsa_policy_samr_sid(p, r->in.handle, &pol_sid, &acc_granted, NULL)) - return NT_STATUS_INVALID_HANDLE; + uinfo = policy_handle_find(p, r->in.handle, + SAMR_USER_ACCESS_SET_ATTRIBUTES, NULL, + struct samr_user_info, &status); + if (!NT_STATUS_IS_OK(status)) { + return status; + } if (!(sampass = samu_new( p->mem_ctx))) { DEBUG(0,("No memory!\n")); 
@@ -772,18 +668,19 @@ NTSTATUS _samr_SetSecurity(pipes_struct *p, /* get the user record */ become_root(); - ret = pdb_getsampwsid(sampass, &pol_sid); + ret = pdb_getsampwsid(sampass, &uinfo->sid); unbecome_root(); if (!ret) { - DEBUG(4, ("User %s not found\n", sid_string_dbg(&pol_sid))); + DEBUG(4, ("User %s not found\n", + sid_string_dbg(&uinfo->sid))); TALLOC_FREE(sampass); return NT_STATUS_INVALID_HANDLE; } dacl = r->in.sdbuf->sd->dacl; for (i=0; i < dacl->num_aces; i++) { - if (sid_equal(&pol_sid, &dacl->aces[i].trustee)) { + if (sid_equal(&uinfo->sid, &dacl->aces[i].trustee)) { ret = pdb_set_pass_can_change(sampass, (dacl->aces[i].access_mask & SAMR_USER_ACCESS_CHANGE_PASSWORD) ? @@ -797,14 +694,9 @@ NTSTATUS _samr_SetSecurity(pipes_struct *p, return NT_STATUS_ACCESS_DENIED; } - status = access_check_samr_function(acc_granted, - SAMR_USER_ACCESS_SET_ATTRIBUTES, - "_samr_SetSecurity"); - if (NT_STATUS_IS_OK(status)) { - become_root(); - status = pdb_update_sam_account(sampass); - unbecome_root(); - } + become_root(); + status = pdb_update_sam_account(sampass); + unbecome_root(); TALLOC_FREE(sampass); 
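Review bot: `dacl = r->in.sdbuf->sd->dacl;` followed by the loop over `dacl->num_aces` dereferences three pointers taken from the client's request, and no NULL check is visible in these hunks. Unless the unmarshalling layer guarantees all three, a SetSecurity request carrying a security descriptor without a DACL would crash the server process here. The commit rewrites the surrounding lines but leaves this as it was. A guard placed before `samu_new`, so that nothing needs freeing, would be `if (r->in.sdbuf == NULL || r->in.sdbuf->sd == NULL || r->in.sdbuf->sd->dacl == NULL) { return NT_STATUS_INVALID_PARAMETER; }`. The body of `_samr_SetSecurity` continues outside these hunks.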
@@ -852,60 +744,99 @@ static bool check_change_pw_access(TALLOC_CTX *mem_ctx, DOM_SID *user_sid) NTSTATUS _samr_QuerySecurity(pipes_struct *p, struct samr_QuerySecurity *r) { + struct samr_connect_info *cinfo; + struct samr_domain_info *dinfo; + struct samr_user_info *uinfo; + struct samr_group_info *ginfo; + struct samr_alias_info *ainfo; NTSTATUS status; - DOM_SID pol_sid; SEC_DESC * psd = NULL; - uint32 acc_granted; size_t sd_size; - /* Get the SID. */ - if (!get_lsa_policy_samr_sid(p, r->in.handle, &pol_sid, &acc_granted, NULL)) - return NT_STATUS_INVALID_HANDLE; - - DEBUG(10,("_samr_QuerySecurity: querying security on SID: %s\n", - sid_string_dbg(&pol_sid))); - - status = access_check_samr_function(acc_granted, - STD_RIGHT_READ_CONTROL_ACCESS, - "_samr_QuerySecurity"); - if (!NT_STATUS_IS_OK(status)) { - return status; + cinfo = policy_handle_find(p, r->in.handle, + STD_RIGHT_READ_CONTROL_ACCESS, NULL, + struct samr_connect_info, &status); + if (NT_STATUS_IS_OK(status)) { + DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n")); + status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, + &sam_generic_mapping, NULL, 0); + goto done; } - /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */ - - /* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */ - if (pol_sid.sid_rev_num == 0) { - DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n")); - status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); - } else if (sid_equal(&pol_sid,get_global_sam_sid())) { - /* check if it is our domain SID */ + dinfo = policy_handle_find(p, r->in.handle, + STD_RIGHT_READ_CONTROL_ACCESS, NULL, + struct samr_domain_info, &status); + if (NT_STATUS_IS_OK(status)) { DEBUG(5,("_samr_QuerySecurity: querying security on Domain " - "with SID: %s\n", sid_string_dbg(&pol_sid))); - status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0); - } 
else if (sid_equal(&pol_sid,&global_sid_Builtin)) { - /* check if it is the Builtin Domain */ - /* TODO: Builtin probably needs a different SD with restricted write access*/ - DEBUG(5,("_samr_QuerySecurity: querying security on Builtin " - "Domain with SID: %s\n", sid_string_dbg(&pol_sid))); - status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0); - } else if (sid_check_is_in_our_domain(&pol_sid) || - sid_check_is_in_builtin(&pol_sid)) { - /* TODO: different SDs have to be generated for aliases groups and users. - Currently all three get a default user SD */ - DEBUG(10,("_samr_QuerySecurity: querying security on Object " - "with SID: %s\n", sid_string_dbg(&pol_sid))); - if (check_change_pw_access(p->mem_ctx, &pol_sid)) { - status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, - &pol_sid, SAMR_USR_RIGHTS_WRITE_PW); + "with SID: %s\n", sid_string_dbg(&dinfo->sid))); + /* + * TODO: Builtin probably needs a different SD with restricted + * write access + */ + status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, + &dom_generic_mapping, NULL, 0); + goto done; + } + + uinfo = policy_handle_find(p, r->in.handle, + STD_RIGHT_READ_CONTROL_ACCESS, NULL, + struct samr_user_info, &status); + if (NT_STATUS_IS_OK(status)) { + DEBUG(10,("_samr_QuerySecurity: querying security on user " + "Object with SID: %s\n", + sid_string_dbg(&uinfo->sid))); + if (check_change_pw_access(p->mem_ctx, &uinfo->sid)) { + status = make_samr_object_sd( + p->mem_ctx, &psd, &sd_size, + &usr_generic_mapping, + &uinfo->sid, SAMR_USR_RIGHTS_WRITE_PW); } else { - status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_nopwchange_generic_mapping, - &pol_sid, SAMR_USR_RIGHTS_CANT_WRITE_PW); + status = make_samr_object_sd( + p->mem_ctx, &psd, &sd_size, + &usr_nopwchange_generic_mapping, + &uinfo->sid, SAMR_USR_RIGHTS_CANT_WRITE_PW); } - } else { - return NT_STATUS_OBJECT_TYPE_MISMATCH; + goto done; } + ginfo = policy_handle_find(p, 
r->in.handle, + STD_RIGHT_READ_CONTROL_ACCESS, NULL, + struct samr_group_info, &status); + if (NT_STATUS_IS_OK(status)) { + /* + * TODO: different SDs have to be generated for aliases groups + * and users. Currently all three get a default user SD + */ + DEBUG(10,("_samr_QuerySecurity: querying security on group " + "Object with SID: %s\n", + sid_string_dbg(&ginfo->sid))); + status = make_samr_object_sd( + p->mem_ctx, &psd, &sd_size, + &usr_nopwchange_generic_mapping, + &ginfo->sid, SAMR_USR_RIGHTS_CANT_WRITE_PW); + goto done; + } + + ainfo = policy_handle_find(p, r->in.handle, + STD_RIGHT_READ_CONTROL_ACCESS, NULL, + struct samr_alias_info, &status); + if (NT_STATUS_IS_OK(status)) { + /* + * TODO: different SDs have to be generated for aliases groups + * and users. Currently all three get a default user SD + */ + DEBUG(10,("_samr_QuerySecurity: querying security on alias " + "Object with SID: %s\n", + sid_string_dbg(&ainfo->sid))); + status = make_samr_object_sd( + p->mem_ctx, &psd, &sd_size, + &usr_nopwchange_generic_mapping, + &ainfo->sid, SAMR_USR_RIGHTS_CANT_WRITE_PW); + goto done; + } + + return NT_STATUS_OBJECT_TYPE_MISMATCH; +done: if ((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL) return NT_STATUS_NO_MEMORY; diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c index cf2b1ae563..ef3187579a 100644 --- a/source3/rpcclient/cmd_lsarpc.c +++ b/source3/rpcclient/cmd_lsarpc.c @@ -42,7 +42,7 @@ static NTSTATUS name_to_sid(struct rpc_pipe_client *cli, } result = rpccli_lsa_open_policy(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) goto done; @@ -167,7 +167,7 @@ static NTSTATUS cmd_lsa_query_info_policy(struct rpc_pipe_client *cli, switch (info_class) { case 12: result = rpccli_lsa_open_policy2(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) 
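Review bot: The `status` from each failed `policy_handle_find` in `_samr_QuerySecurity` is overwritten by the next lookup, and the fall-through returns `NT_STATUS_OBJECT_TYPE_MISMATCH` regardless. Assuming `policy_handle_find` (not shown in this diff) reports an invalid handle and a failed access check as distinct statuses, a handle of the right type that lacks `STD_RIGHT_READ_CONTROL_ACCESS` is now reported as a type mismatch. The removed code returned `NT_STATUS_INVALID_HANDLE` or the access-check status in those cases. Returning early after each lookup with `if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { return status; }` would keep the denial visible to clients and in logs. The removed `access_check_samr_function` also let `geteuid() == sec_initial_uid()` through; whether the new helper keeps that exception deserves a line in the commit message.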
@@ -180,7 +180,7 @@ static NTSTATUS cmd_lsa_query_info_policy(struct rpc_pipe_client *cli, break; default: result = rpccli_lsa_open_policy(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) @@ -220,7 +220,7 @@ static NTSTATUS cmd_lsa_lookup_names(struct rpc_pipe_client *cli, } result = rpccli_lsa_open_policy(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) @@ -268,7 +268,7 @@ static NTSTATUS cmd_lsa_lookup_names_level(struct rpc_pipe_client *cli, } result = rpccli_lsa_open_policy(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) @@ -320,7 +320,7 @@ static NTSTATUS cmd_lsa_lookup_sids(struct rpc_pipe_client *cli, TALLOC_CTX *mem } result = rpccli_lsa_open_policy(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) @@ -460,7 +460,7 @@ static NTSTATUS cmd_lsa_enum_privilege(struct rpc_pipe_client *cli, pref_max_length=atoi(argv[2]); result = rpccli_lsa_open_policy(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) @@ -512,7 +512,7 @@ static NTSTATUS cmd_lsa_get_dispname(struct rpc_pipe_client *cli, } result = rpccli_lsa_open_policy(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) @@ -565,7 +565,7 @@ static NTSTATUS cmd_lsa_enum_sids(struct rpc_pipe_client *cli, pref_max_length=atoi(argv[2]); result = rpccli_lsa_open_policy(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) @@ -618,7 +618,7 @@ static NTSTATUS cmd_lsa_create_account(struct rpc_pipe_client *cli, goto done; result = rpccli_lsa_open_policy2(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &dom_pol); if (!NT_STATUS_IS_OK(result)) 
@@ -666,7 +666,7 @@ static NTSTATUS cmd_lsa_enum_privsaccounts(struct rpc_pipe_client *cli, goto done; result = rpccli_lsa_open_policy2(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &dom_pol); if (!NT_STATUS_IS_OK(result)) @@ -728,7 +728,7 @@ static NTSTATUS cmd_lsa_enum_acct_rights(struct rpc_pipe_client *cli, goto done; result = rpccli_lsa_open_policy2(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &dom_pol); if (!NT_STATUS_IS_OK(result)) @@ -777,7 +777,7 @@ static NTSTATUS cmd_lsa_add_acct_rights(struct rpc_pipe_client *cli, goto done; result = rpccli_lsa_open_policy2(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &dom_pol); if (!NT_STATUS_IS_OK(result)) @@ -830,7 +830,7 @@ static NTSTATUS cmd_lsa_remove_acct_rights(struct rpc_pipe_client *cli, goto done; result = rpccli_lsa_open_policy2(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &dom_pol); if (!NT_STATUS_IS_OK(result)) @@ -880,7 +880,7 @@ static NTSTATUS cmd_lsa_lookup_priv_value(struct rpc_pipe_client *cli, } result = rpccli_lsa_open_policy2(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) @@ -922,7 +922,7 @@ static NTSTATUS cmd_lsa_query_secobj(struct rpc_pipe_client *cli, } result = rpccli_lsa_open_policy2(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (argc == 2) @@ -995,7 +995,7 @@ static NTSTATUS cmd_lsa_query_trustdominfobysid(struct rpc_pipe_client *cli, struct policy_handle pol; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; DOM_SID dom_sid; - uint32 access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED; + uint32 access_mask = SEC_FLAG_MAXIMUM_ALLOWED; union lsa_TrustedDomainInfo *info = NULL; enum lsa_TrustDomInfoEnum info_class = 1; uint8_t nt_hash[16]; 
@@ -1043,7 +1043,7 @@ static NTSTATUS cmd_lsa_query_trustdominfobyname(struct rpc_pipe_client *cli, { struct policy_handle pol; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - uint32 access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED; + uint32 access_mask = SEC_FLAG_MAXIMUM_ALLOWED; union lsa_TrustedDomainInfo *info = NULL; enum lsa_TrustDomInfoEnum info_class = 1; struct lsa_String trusted_domain; @@ -1091,7 +1091,7 @@ static NTSTATUS cmd_lsa_query_trustdominfo(struct rpc_pipe_client *cli, { struct policy_handle pol, trustdom_pol; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - uint32 access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED; + uint32 access_mask = SEC_FLAG_MAXIMUM_ALLOWED; union lsa_TrustedDomainInfo *info = NULL; DOM_SID dom_sid; enum lsa_TrustDomInfoEnum info_class = 1; @@ -1160,7 +1160,7 @@ static NTSTATUS cmd_lsa_get_username(struct rpc_pipe_client *cli, } result = rpccli_lsa_open_policy(cli, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) { @@ -1210,7 +1210,7 @@ static NTSTATUS cmd_lsa_add_priv(struct rpc_pipe_client *cli, } result = rpccli_lsa_open_policy2(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &dom_pol); if (!NT_STATUS_IS_OK(result)) { @@ -1220,7 +1220,7 @@ static NTSTATUS cmd_lsa_add_priv(struct rpc_pipe_client *cli, result = rpccli_lsa_OpenAccount(cli, mem_ctx, &dom_pol, &sid, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &user_pol); if (!NT_STATUS_IS_OK(result)) { @@ -1294,7 +1294,7 @@ static NTSTATUS cmd_lsa_del_priv(struct rpc_pipe_client *cli, } result = rpccli_lsa_open_policy2(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &dom_pol); if (!NT_STATUS_IS_OK(result)) { @@ -1304,7 +1304,7 @@ static NTSTATUS cmd_lsa_del_priv(struct rpc_pipe_client *cli, result = rpccli_lsa_OpenAccount(cli, mem_ctx, &dom_pol, &sid, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &user_pol); if (!NT_STATUS_IS_OK(result)) { 
diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c index 83cec72318..96484f0982 100644 --- a/source3/rpcclient/cmd_samr.c +++ b/source3/rpcclient/cmd_samr.c @@ -2860,7 +2860,7 @@ static NTSTATUS cmd_samr_get_dispinfo_idx(struct rpc_pipe_client *cli, } status = rpccli_try_samr_connects(cli, mem_ctx, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &connect_handle); if (!NT_STATUS_IS_OK(status)) { @@ -2869,7 +2869,7 @@ static NTSTATUS cmd_samr_get_dispinfo_idx(struct rpc_pipe_client *cli, status = rpccli_samr_OpenDomain(cli, mem_ctx, &connect_handle, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &domain_sid, &domain_handle); diff --git a/source3/rpcclient/cmd_test.c b/source3/rpcclient/cmd_test.c index b7be038539..85e90a19b5 100644 --- a/source3/rpcclient/cmd_test.c +++ b/source3/rpcclient/cmd_test.c @@ -45,7 +45,7 @@ static NTSTATUS cmd_testme(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, } status = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, False, - SEC_RIGHTS_QUERY_VALUE, &pol); + KEY_QUERY_VALUE, &pol); if (!NT_STATUS_IS_OK(status)) goto done; diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c index 6fd6b4f6d9..ceeeae7ea6 100644 --- a/source3/rpcclient/rpcclient.c +++ b/source3/rpcclient/rpcclient.c @@ -156,7 +156,7 @@ static void fetch_machine_sid(struct cli_state *cli) } result = rpccli_lsa_open_policy(lsapipe, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) { goto error; diff --git a/source3/smbd/open.c b/source3/smbd/open.c index 451461744b..a0ae82a73c 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c 
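Review bot: `KEY_QUERY_VALUE` is a registry key access right, and in cmd_testme (cmd_test.c) it is now passed as the desired access for an LSA policy handle in `rpccli_lsa_open_policy`. The value presumably equals the old `SEC_RIGHTS_QUERY_VALUE`, so behaviour should be unchanged, but the name now describes a different object type, which makes the requested privilege harder to audit. If the low bit of the LSA policy mask is what is meant, and the generated LSA header is in scope here, `LSA_POLICY_VIEW_LOCAL_INFORMATION, &pol);` states it directly. The same substitution is made in rpc_trustdom_establish, rpc_trustdom_vampire and rpc_trustdom_list in net_rpc.c. cmd_testme's body continues outside the hunk.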
@@ -2400,9 +2400,9 @@ static NTSTATUS open_directory(connection_struct *conn, } /* We need to support SeSecurityPrivilege for this. */ - if (access_mask & SEC_RIGHT_SYSTEM_SECURITY) { + if (access_mask & SEC_FLAG_SYSTEM_SECURITY) { DEBUG(10, ("open_directory: open on %s " - "failed - SEC_RIGHT_SYSTEM_SECURITY denied.\n", + "failed - SEC_FLAG_SYSTEM_SECURITY denied.\n", fname)); return NT_STATUS_PRIVILEGE_NOT_HELD; } @@ -2946,7 +2946,7 @@ static NTSTATUS create_file_unixpath(connection_struct *conn, #if 0 /* We need to support SeSecurityPrivilege for this. */ - if ((access_mask & SEC_RIGHT_SYSTEM_SECURITY) && + if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) && !user_has_privileges(current_user.nt_user_token, &se_security)) { status = NT_STATUS_PRIVILEGE_NOT_HELD; @@ -2954,7 +2954,7 @@ static NTSTATUS create_file_unixpath(connection_struct *conn, } #else /* We need to support SeSecurityPrivilege for this. */ - if (access_mask & SEC_RIGHT_SYSTEM_SECURITY) { + if (access_mask & SEC_FLAG_SYSTEM_SECURITY) { status = NT_STATUS_PRIVILEGE_NOT_HELD; goto fail; } diff --git a/source3/torture/mangle_test.c b/source3/torture/mangle_test.c index 00457719a8..525a1eb3c3 100644 --- a/source3/torture/mangle_test.c +++ b/source3/torture/mangle_test.c @@ -180,7 +180,7 @@ bool torture_mangle(int dummy) cli_unlink(cli, "\\mangle_test\\*"); cli_rmdir(cli, "\\mangle_test"); - if (!cli_mkdir(cli, "\\mangle_test")) { + if (!NT_STATUS_IS_OK(cli_mkdir(cli, "\\mangle_test"))) { printf("ERROR: Failed to make directory\n"); return False; } diff --git a/source3/torture/torture.c b/source3/torture/torture.c index 07945fccf1..0328cfe545 100644 --- a/source3/torture/torture.c +++ b/source3/torture/torture.c 
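Review bot: The comment above the `SEC_FLAG_SYSTEM_SECURITY` check in open_directory reads as a requirement, while the code under it refuses every request carrying that bit with NT_STATUS_PRIVILEGE_NOT_HELD, whatever privileges the caller holds. Since the line is being touched anyway, I would reword it to say what is enforced, e.g. `/* SeSecurityPrivilege is not implemented: refuse any open that asks for SEC_FLAG_SYSTEM_SECURITY. */`. The two create_file_unixpath hunks carry the same comment, and the first of them edits a branch under `#if 0` that is never compiled. A short comment there saying when the `user_has_privileges()` check is meant to be enabled would help the next reader. Both functions continue outside the hunks.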
@@ -2625,7 +2625,7 @@ static bool run_trans2test(int dummy) /* check if the server updates the directory modification time when creating a new file */ - if (!cli_mkdir(cli, dname)) { + if (!NT_STATUS_IS_OK(cli_mkdir(cli, dname))) { printf("ERROR: mkdir failed (%s)\n", cli_errstr(cli)); correct = False; } @@ -4584,12 +4584,12 @@ bool torture_chkpath_test(int dummy) cli_unlink(cli, "\\chkpath.dir\\*"); cli_rmdir(cli, "\\chkpath.dir"); - if (!cli_mkdir(cli, "\\chkpath.dir")) { + if (!NT_STATUS_IS_OK(cli_mkdir(cli, "\\chkpath.dir"))) { printf("mkdir1 failed : %s\n", cli_errstr(cli)); return False; } - if (!cli_mkdir(cli, "\\chkpath.dir\\dir2")) { + if (!NT_STATUS_IS_OK(cli_mkdir(cli, "\\chkpath.dir\\dir2"))) { printf("mkdir2 failed : %s\n", cli_errstr(cli)); return False; } @@ -4801,7 +4801,7 @@ static bool run_dirtest1(int dummy) for (i=0;i<1000;i++) { fstring fname; slprintf(fname, sizeof(fname), "\\LISTDIR\\d%d", i); - if (!cli_mkdir(cli, fname)) { + if (!NT_STATUS_IS_OK(cli_mkdir(cli, fname))) { fprintf(stderr,"Failed to open %s\n", fname); return False; } @@ -5279,7 +5279,7 @@ static bool run_uid_regression_test(int dummy) cli->vuid = old_vuid; /* Try an operation. */ - if (!cli_mkdir(cli, "\\uid_reg_test")) { + if (!NT_STATUS_IS_OK(cli_mkdir(cli, "\\uid_reg_test"))) { /* We expect bad uid. */ if (!check_error(__LINE__, cli, ERRSRV, ERRbaduid, NT_STATUS_NO_SUCH_USER)) { diff --git a/source3/torture/utable.c b/source3/torture/utable.c index e36b0388c4..aaa763a2a3 100644 --- a/source3/torture/utable.c +++ b/source3/torture/utable.c @@ -132,7 +132,7 @@ bool torture_casetable(int dummy) cli_unlink(cli, "\\utable\\*"); cli_rmdir(cli, "\\utable"); - if (!cli_mkdir(cli, "\\utable")) { + if (!NT_STATUS_IS_OK(cli_mkdir(cli, "\\utable"))) { printf("Failed to create utable directory!\n"); return False; } diff --git a/source3/utils/net_registry.c b/source3/utils/net_registry.c index e2f410b9ac..d6cdd982c3 100644 --- a/source3/utils/net_registry.c 
+++ b/source3/utils/net_registry.c @@ -411,11 +411,11 @@ static int net_registry_getsd(struct net_context *c, int argc, struct security_descriptor *secdesc = NULL; TALLOC_CTX *ctx = talloc_stackframe(); uint32_t access_mask = REG_KEY_READ | - SEC_RIGHT_MAXIMUM_ALLOWED | - SEC_RIGHT_SYSTEM_SECURITY; + SEC_FLAG_MAXIMUM_ALLOWED | + SEC_FLAG_SYSTEM_SECURITY; /* - * net_rpc_regsitry uses SEC_RIGHT_SYSTEM_SECURITY, but access + * net_rpc_regsitry uses SEC_FLAG_SYSTEM_SECURITY, but access * is denied with these perms right now... */ access_mask = REG_KEY_READ; diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c index 5dd3df9a69..29e2f4f05d 100644 --- a/source3/utils/net_rpc.c +++ b/source3/utils/net_rpc.c @@ -68,7 +68,7 @@ NTSTATUS net_get_remote_domain_sid(struct cli_state *cli, TALLOC_CTX *mem_ctx, } result = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, false, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) { d_fprintf(stderr, "open_policy failed: %s\n", @@ -1668,7 +1668,7 @@ static NTSTATUS get_sid_from_name(struct cli_state *cli, } result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, false, - SEC_RIGHTS_MAXIMUM_ALLOWED, &lsa_pol); + SEC_FLAG_MAXIMUM_ALLOWED, &lsa_pol); if (!NT_STATUS_IS_OK(result)) { goto done; @@ -2485,7 +2485,7 @@ static NTSTATUS rpc_list_alias_members(struct net_context *c, } result = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, &lsa_pol); + SEC_FLAG_MAXIMUM_ALLOWED, &lsa_pol); if (!NT_STATUS_IS_OK(result)) { d_fprintf(stderr, "Couldn't open LSA policy handle\n"); @@ -3850,7 +3850,7 @@ static NTSTATUS rpc_aliaslist_dump(struct net_context *c, struct policy_handle lsa_pol; result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &lsa_pol); if (!NT_STATUS_IS_OK(result)) return result; 
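Review bot: In net_registry_getsd the initialiser of `access_mask` is a dead store, because the `access_mask = REG_KEY_READ;` statement after the comment overwrites it. Neither `SEC_FLAG_MAXIMUM_ALLOWED` nor `SEC_FLAG_SYSTEM_SECURITY` is ever requested. Declaring it as `uint32_t access_mask = REG_KEY_READ;` and keeping the wider mask only in the comment would make the effective rights obvious at the declaration. The comment also misspells the file it refers to (`net_rpc_regsitry`, presumably `net_rpc_registry`). The function body continues outside the hunk.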
@@ -5596,7 +5596,7 @@ static int rpc_trustdom_establish(struct net_context *c, int argc, return -1; } - nt_status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, true, SEC_RIGHTS_QUERY_VALUE, + nt_status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, true, KEY_QUERY_VALUE, &connect_hnd); if (NT_STATUS_IS_ERR(nt_status)) { DEBUG(0, ("Couldn't open policy handle. Error was %s\n", @@ -5854,7 +5854,7 @@ static int rpc_trustdom_vampire(struct net_context *c, int argc, return -1; }; - nt_status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, false, SEC_RIGHTS_QUERY_VALUE, + nt_status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, false, KEY_QUERY_VALUE, &connect_hnd); if (NT_STATUS_IS_ERR(nt_status)) { DEBUG(0, ("Couldn't open policy handle. Error was %s\n", @@ -6011,7 +6011,7 @@ static int rpc_trustdom_list(struct net_context *c, int argc, const char **argv) return -1; }; - nt_status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, false, SEC_RIGHTS_QUERY_VALUE, + nt_status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, false, KEY_QUERY_VALUE, &connect_hnd); if (NT_STATUS_IS_ERR(nt_status)) { DEBUG(0, ("Couldn't open policy handle. Error was %s\n", diff --git a/source3/utils/net_rpc_audit.c b/source3/utils/net_rpc_audit.c index aa7fc7c394..823fe06f1a 100644 --- a/source3/utils/net_rpc_audit.c +++ b/source3/utils/net_rpc_audit.c @@ -88,7 +88,7 @@ static NTSTATUS rpc_audit_get_internal(struct net_context *c, } result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) { @@ -170,7 +170,7 @@ static NTSTATUS rpc_audit_set_internal(struct net_context *c, } result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) { 
@@ -229,7 +229,7 @@ static NTSTATUS rpc_audit_enable_internal_ext(struct rpc_pipe_client *pipe_hnd, union lsa_PolicyInformation *info = NULL; result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) { @@ -314,7 +314,7 @@ static NTSTATUS rpc_audit_list_internal(struct net_context *c, int i; result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) { diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index c2e3630641..ed0311317d 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -211,7 +211,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv) CHECK_RPC_ERR(rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &lsa_pol), "error opening lsa policy handle"); @@ -326,7 +326,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv) CHECK_RPC_ERR_DEBUG( rpccli_samr_OpenUser(pipe_hnd, mem_ctx, &domain_pol, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, user_rid, &user_pol), ("could not re-open existing user %s: %s\n", diff --git a/source3/utils/net_rpc_printer.c b/source3/utils/net_rpc_printer.c index 9721628f02..477ddf7f26 100644 --- a/source3/utils/net_rpc_printer.c +++ b/source3/utils/net_rpc_printer.c @@ -406,7 +406,7 @@ NTSTATUS net_copy_file(struct net_context *c, DEBUGADD(3,("creating dir %s on the destination server\n", dst_name)); - if (!cli_mkdir(cli_share_dst, dst_name)) { + if (!NT_STATUS_IS_OK(cli_mkdir(cli_share_dst, dst_name))) { DEBUG(0,("cannot create directory %s: %s\n", dst_name, cli_errstr(cli_share_dst))); nt_status = NT_STATUS_NO_SUCH_FILE; 
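Review bot: In net_copy_file (net_rpc_printer.c) the NTSTATUS returned by `cli_mkdir` is tested and then discarded, and the function reports a fixed `NT_STATUS_NO_SUCH_FILE` instead. Now that `cli_mkdir` returns a status, keeping it would give the caller and the log the real reason for the failure: `nt_status = cli_mkdir(cli_share_dst, dst_name);` followed by `if (!NT_STATUS_IS_OK(nt_status)) {`, with the hard-coded assignment dropped and the DEBUG message printing `nt_errstr(nt_status)`. check_arch_dir in the same file has the same pattern. Any caller that compares the result against NT_STATUS_NO_SUCH_FILE would need checking first. Both function bodies continue outside the hunks.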
@@ -555,7 +555,7 @@ static NTSTATUS check_arch_dir(struct cli_state *cli_share, const char *short_ar DEBUG(10,("creating print-driver dir for architecture: %s\n", short_archi)); - if (!cli_mkdir(cli_share, dir)) { + if (!NT_STATUS_IS_OK(cli_mkdir(cli_share, dir))) { DEBUG(1,("cannot create directory %s: %s\n", dir, cli_errstr(cli_share))); nt_status = NT_STATUS_NO_SUCH_FILE; diff --git a/source3/utils/net_rpc_registry.c b/source3/utils/net_rpc_registry.c index 60274728f3..cad605fdde 100644 --- a/source3/utils/net_rpc_registry.c +++ b/source3/utils/net_rpc_registry.c @@ -383,7 +383,7 @@ static NTSTATUS rpc_registry_setvalue_internal(struct net_context *c, struct registry_value value; status = registry_openkey(mem_ctx, pipe_hnd, argv[0], - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &hive_hnd, &key_hnd); if (!NT_STATUS_IS_OK(status)) { d_fprintf(stderr, "registry_openkey failed: %s\n", @@ -455,7 +455,7 @@ static NTSTATUS rpc_registry_deletevalue_internal(struct net_context *c, ZERO_STRUCT(valuename); status = registry_openkey(mem_ctx, pipe_hnd, argv[0], - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &hive_hnd, &key_hnd); if (!NT_STATUS_IS_OK(status)) { d_fprintf(stderr, "registry_openkey failed: %s\n", @@ -516,7 +516,7 @@ static NTSTATUS rpc_registry_getvalue_internal(struct net_context *c, ZERO_STRUCT(valuename); status = registry_openkey(tmp_ctx, pipe_hnd, argv[0], - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &hive_hnd, &key_hnd); if (!NT_STATUS_IS_OK(status)) { d_fprintf(stderr, "registry_openkey failed: %s\n", @@ -657,7 +657,7 @@ static NTSTATUS rpc_registry_createkey_internal(struct net_context *c, } status = rpccli_winreg_Connect(pipe_hnd, mem_ctx, hive, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &hive_hnd); if (!(NT_STATUS_IS_OK(status))) { return status; 
@@ -727,7 +727,7 @@ static NTSTATUS rpc_registry_deletekey_internal(struct net_context *c, } status = rpccli_winreg_Connect(pipe_hnd, mem_ctx, hive, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &hive_hnd); if (!(NT_STATUS_IS_OK(status))) { return status; @@ -1147,8 +1147,8 @@ static NTSTATUS rpc_registry_getsd_internal(struct net_context *c, DATA_BLOB blob; struct security_descriptor sec_desc; uint32_t access_mask = REG_KEY_READ | - SEC_RIGHT_MAXIMUM_ALLOWED | - SEC_RIGHT_SYSTEM_SECURITY; + SEC_FLAG_MAXIMUM_ALLOWED | + SEC_FLAG_SYSTEM_SECURITY; if (argc <1 || argc > 2 || c->display_usage) { d_printf("Usage: net rpc registry getsd <path> <secinfo>\n"); diff --git a/source3/utils/net_rpc_rights.c b/source3/utils/net_rpc_rights.c index 10166b6d2b..abf70e7ea2 100644 --- a/source3/utils/net_rpc_rights.c +++ b/source3/utils/net_rpc_rights.c @@ -34,7 +34,7 @@ static NTSTATUS sid_to_name(struct rpc_pipe_client *pipe_hnd, char **domains = NULL, **names = NULL; result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, &pol); + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if ( !NT_STATUS_IS_OK(result) ) return result; @@ -70,7 +70,7 @@ static NTSTATUS name_to_sid(struct rpc_pipe_client *pipe_hnd, } result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, &pol); + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if ( !NT_STATUS_IS_OK(result) ) return result; @@ -328,7 +328,7 @@ static NTSTATUS rpc_rights_list_internal(struct net_context *c, uint16 lang_id_desc; result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, &pol); + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if ( !NT_STATUS_IS_OK(result) ) return result; @@ -456,7 +456,7 @@ static NTSTATUS rpc_rights_grant_internal(struct net_context *c, goto done; result = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &dom_pol); if (!NT_STATUS_IS_OK(result)) 
@@ -522,7 +522,7 @@ static NTSTATUS rpc_rights_revoke_internal(struct net_context *c, return result; result = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &dom_pol); if (!NT_STATUS_IS_OK(result)) diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c index 2915ffb809..8bf9aac6f2 100644 --- a/source3/utils/net_util.c +++ b/source3/utils/net_util.c @@ -45,7 +45,7 @@ NTSTATUS net_rpc_lookup_name(struct net_context *c, } result = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, false, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) { d_fprintf(stderr, "open_policy failed: %s\n", diff --git a/source3/utils/netlookup.c b/source3/utils/netlookup.c index dd0efa4142..af219eb93c 100644 --- a/source3/utils/netlookup.c +++ b/source3/utils/netlookup.c @@ -131,7 +131,7 @@ static struct con_struct *create_cs(struct net_context *c, } nt_status = rpccli_lsa_open_policy(cs->lsapipe, ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &cs->pol); if (!NT_STATUS_IS_OK(nt_status)) { diff --git a/source3/utils/smbcquotas.c b/source3/utils/smbcquotas.c index 78260acf76..1425d428ec 100644 --- a/source3/utils/smbcquotas.c +++ b/source3/utils/smbcquotas.c @@ -62,7 +62,7 @@ static bool cli_open_policy_hnd(void) if (!got_policy_hnd) { - /* Some systems don't support SEC_RIGHTS_MAXIMUM_ALLOWED, + /* Some systems don't support SEC_FLAG_MAXIMUM_ALLOWED, but NT sends 0x2000000 so we might as well do it too. */ if (!NT_STATUS_IS_OK(rpccli_lsa_open_policy(global_pipe_hnd, talloc_tos(), True, diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 9cf4597595..b59a391029 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c 
@@ -1852,7 +1852,7 @@ no_dssetup: } result = rpccli_lsa_open_policy2(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, &pol); + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (NT_STATUS_IS_OK(result)) { /* This particular query is exactly what Win2k clients use @@ -1894,7 +1894,7 @@ no_dssetup: domain->active_directory = False; result = rpccli_lsa_open_policy(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) { @@ -2068,7 +2068,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx, conn->samr_pipe->desthost, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &conn->sam_connect_handle); if (NT_STATUS_IS_OK(result)) { goto open_domain; @@ -2103,7 +2103,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx, conn->samr_pipe->desthost, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &conn->sam_connect_handle); if (NT_STATUS_IS_OK(result)) { goto open_domain; @@ -2125,7 +2125,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx, conn->samr_pipe->desthost, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &conn->sam_connect_handle); if (!NT_STATUS_IS_OK(result)) { DEBUG(10,("cm_connect_sam: rpccli_samr_Connect2 failed " @@ -2138,7 +2138,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, result = rpccli_samr_OpenDomain(conn->samr_pipe, mem_ctx, &conn->sam_connect_handle, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &domain->sid, &conn->sam_domain_handle); 
@@ -2203,7 +2203,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, domain->name, conn->cli->domain, conn->cli->user_name )); result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &conn->lsa_policy); if (NT_STATUS_IS_OK(result)) { goto done; @@ -2239,7 +2239,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, "schannel.\n", domain->name )); result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &conn->lsa_policy); if (NT_STATUS_IS_OK(result)) { goto done; @@ -2261,7 +2261,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, } result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &conn->lsa_policy); done: if (!NT_STATUS_IS_OK(result)) { diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c index 5edb0d98b0..50ccbae6b2 100644 --- a/source3/winbindd/winbindd_rpc.c +++ b/source3/winbindd/winbindd_rpc.c @@ -525,7 +525,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain, /* Get user handle */ result = rpccli_samr_OpenUser(cli, mem_ctx, &dom_pol, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, user_rid, &user_pol); @@ -565,7 +565,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, { NTSTATUS result = NT_STATUS_UNSUCCESSFUL; struct policy_handle dom_pol, user_pol; - uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED; + uint32 des_access = SEC_FLAG_MAXIMUM_ALLOWED; struct samr_RidWithAttributeArray *rid_array = NULL; unsigned int i; uint32 user_rid; 
@@ -746,7 +746,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, NTSTATUS result = NT_STATUS_UNSUCCESSFUL; uint32 i, total_names = 0; struct policy_handle dom_pol, group_pol; - uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED; + uint32 des_access = SEC_FLAG_MAXIMUM_ALLOWED; uint32 *rid_mem = NULL; uint32 group_rid; unsigned int j, r; |