path: root/libcli/security
Age | Commit message | Author | Files | Lines
2013-10-25 | s4-dsacl: Fixed incorrect handling of privileges in sec_access_check_ds | Nadezhda Ivanova | 1 | -8/+4
Restore and backup privileges are not relevant to ldap access checks, and the TakeOwnership privilege should grant write_owner right
Signed-off-by: Nadezhda Ivanova <nivanova@symas.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-06 | libcli: Add security_token_system_privilege(). | Andreas Schneider | 2 | -0/+23
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
2013-07-31 | libcli: fix conversion logic in dom_sid_string_buf | Jeff Layton | 1 | -10/+18
Signed-off-by: Jeff Layton <jlayton@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2013-07-31 | libcli: fix conversion logic in dom_sid_parse_endp | Jeff Layton | 1 | -14/+15
Signed-off-by: Jeff Layton <jlayton@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2013-04-02 | Add a comment about why we are removing the INHERITED bit so people understand. | Richard Sharpe | 1 | -0/+9
Signed-off-by: Richard Sharpe <realrichardsharpe@gmail.com> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Tue Apr 2 20:05:13 CEST 2013 on sn-devel-104
2013-03-28 | Make sure that we only propagate the INHERITED flag when we are allowed to. | Richard Sharpe | 1 | -1/+2
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Thu Mar 28 19:43:41 CET 2013 on sn-devel-104
2013-02-23 | Fix bug #9674 - Samba denies owner Read Control when there is a DENY entry while W2K08 does not. | Richard Sharpe | 1 | -3/+3
Signed-off-by: Richard Sharpe <rsharpe@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Sat Feb 23 19:28:15 CET 2013 on sn-devel-104
2013-01-27 | libcli/security: calculate INHERIT_ONLY correctly for AUDIT and ALARM aces (bug #9481) | Stefan Metzmacher | 1 | -4/+16
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-22 | libcli-acl: add documentation | Matthieu Patou | 1 | -1/+19
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21 | security: Add documentation | Matthieu Patou | 1 | -0/+9
Names seem to be a bit cryptic and misleading (at least for me). So documenting them should remove at least partially this problem.
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21 | libcli-security: Add documentation for object_tree_modify_access | Matthieu Patou | 1 | -2/+12
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21 | libcli/security: remove useless if (root->num_of_children > 0) statements | Andrew Bartlett | 1 | -8/+4
The for loop does this implicitly when comparing for (i = 0; i < root->num_of_children; i++)
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21 | libcli/security: add init_mask to existing children in insert_in_object_tree | Stefan Metzmacher | 1 | -0/+1
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21 | libcli/security: handle node initialisation in one spot in insert_in_object_tree() | Andrew Bartlett | 2 | -38/+37
This removes special-case for initialising the children array in insert_in_object_tree(). talloc_realloc() handles the initial allocate case perfectly well, so there is no need to have this duplicated. This also restores having just one place where the rest of the elements are initialised, to ensure uniform behaviour. To do this, we have to rework insert_in_object_tree to have only one output variable, both because having both root and new_node as output variables was too confusing, and because otherwise the two pointers were being allowed to point at the same memory.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21 | libcli/security: avoid usage of dom_sid_parse_talloc() in sec_access_check_ds() | Stefan Metzmacher | 1 | -8/+4
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21 | libcli/security: simplify get_ace_object_type() | Stefan Metzmacher | 1 | -8/+4
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21 | libcli/security: fix formatting in access_check.c | Stefan Metzmacher | 1 | -8/+12
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21 | libcli/security: fix whitespaces in access_check.c | Stefan Metzmacher | 1 | -98/+100
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-17 | libcli/security: don't look at the inherited type in get_ace_object_type() | Stefan Metzmacher | 1 | -2/+0
The inherited_type is only used to decide if aces should be inherited effectively or not (INHERIT_ONLY) for the specified object.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Matthieu Patou <mat@matws.net>
2013-01-15 | libcli/security: Ensure to fill in remaining_access for the initial case (bug #9554 - CVE-2013-0172) | Andrew Bartlett | 1 | -0/+1
It is critically important that we initialise this element as otherwise all access is permitted.
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit a75805490d96a85786287f5d0522dd7671d6816e)
2012-12-11 | libcli/security: calculate the correct inherited_object GUID | Stefan Metzmacher | 1 | -1/+7
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-11 | libcli/security: implement object_in_list() | Stefan Metzmacher | 1 | -2/+23
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-02 | libcli/security: remove duplicate aces in se_create_child_secdesc() | Stefan Metzmacher | 1 | -0/+34
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-08-31 | Factor out privilege checking code into se_file_access_check() which takes a bool priv_open_requested parameter. | Jeremy Allison | 2 | -10/+87
2012-08-30 | Fix bug #9124 - Samba fails to set "inherited" bit on inherited ACE's. | Jeremy Allison | 1 | -3/+7
Change se_create_child_secdesc() to handle inheritance correctly.
2012-08-10 | build: rename security → samba-security | Björn Jacke | 1 | -2/+2
there is a libsecurity on OSF1 which clashes with our security lib. see bug #9023.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Björn Jacke <bj@sernet.de> Autobuild-Date(master): Fri Aug 10 14:22:21 CEST 2012 on sn-devel-104
2012-06-19 | Fix warning: variable ‘XX’ set but not used. | Jeremy Allison | 1 | -7/+0
2012-03-14 | Fix bug #8811 - sd_has_inheritable_components segfaults on an SD that se_access_check accepts. | Jeremy Allison | 1 | -0/+4
Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Wed Mar 14 05:08:03 CET 2012 on sn-devel-104
2012-03-14 | Fix bug #8795 - Samba does not handle the Owner Rights permissions at all | Richard Sharpe | 3 | -6/+49
Signed-off-by: Jeremy Allison <jra@samba.org> Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Wed Mar 14 02:26:34 CET 2012 on sn-devel-104
2012-03-10 | Fix bug #8797 - Samba does not correctly handle DENY ACEs when privileges apply. | Richard Sharpe | 1 | -26/+28
Signed-off-by: Jeremy Allison <jra@samba.org> Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Sat Mar 10 01:33:45 CET 2012 on sn-devel-104
2012-02-22 | Honor SeTakeOwnershipPrivilege when client asks for SEC_STD_WRITE_OWNER but has no permission for that, but token has SeTakeOwnershipPrivilege | Richard Sharpe | 1 | -0/+5
Autobuild-User: Richard Sharpe <sharpe@samba.org> Autobuild-Date: Wed Feb 22 19:19:32 CET 2012 on sn-devel-104
2012-01-11 | Second part of fix for bug #8673 - NT ACL issue. | Jeremy Allison | 1 | -3/+4
Ensure we process the entire ACE list instead of returning ACCESS_DENIED and terminating the walk - ensure we only return the exact bits that cause the access to be denied. Some of the S3 fileserver needs to know if we are only denied DELETE access before overriding it by looking at the containing directory ACL.
Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Wed Jan 11 19:24:53 CET 2012 on sn-devel-104
2011-11-24 | security: add local authority well-known SIDs | Christian Ambach | 2 | -0/+3
add the S-1-2 well-known SID family
Autobuild-User: Christian Ambach <ambi@samba.org> Autobuild-Date: Thu Nov 24 19:01:08 CET 2011 on sn-devel-104
2011-10-07 | build: Reduce build systems to just top level waf and autoconf | Andrew Bartlett | 1 | -6/+5
The s3-waf build system is a key component of the top level build, but with this commit it is no longer available directly. This reduces the number of build system combinations in master as we prepare for the Samba 4.0 release.
Andrew Bartlett
2011-08-17 | Adapt del_sid_from_array to Samba coding style | Volker Lendecke | 1 | -1/+2
Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Wed Aug 17 16:46:24 CEST 2011 on sn-devel-104
2011-08-17 | Fix a typo | Volker Lendecke | 1 | -1/+1
2011-08-17 | Remove unused "sid_equal" | Volker Lendecke | 2 | -10/+0
2011-08-17 | Replace calls to sid_equal with calls to dom_sid_equal | Volker Lendecke | 1 | -2/+2
2011-08-10 | pytalloc: Use consistent prefix for functions, add ABI file. | Jelmer Vernooij | 1 | -4/+4
2011-07-23 | libcli/security: add some const to marshall_sec_desc[_buf]() | Stefan Metzmacher | 2 | -4/+4
metze
2011-06-18 | s3: Allow NULL sd_size in make_sec_desc | Volker Lendecke | 1 | -2/+10
Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Sat Jun 18 22:26:15 CEST 2011 on sn-devel-104
2011-06-10 | libcli/security/secdesc.h: fix licence/copyright | Günther Deschner | 1 | -0/+22
Guenther
2011-05-31 | Tiny simplification to dom_sid_string_buf | Volker Lendecke | 1 | -2/+1
Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Tue May 31 23:16:31 CEST 2011 on sn-devel-104
2011-05-31 | libcli/security: move secdesc.c to the top level libcli/security | Andrew Bartlett | 4 | -1/+823
This code does not rely on lp_ or other source3 only functions, so can be part of the common library.
Andrew Bartlett
2011-05-06 | libcli/security: fix build warning, cr_descr_log_acl() is not used currently. | Günther Deschner | 1 | -0/+2
Guenther
2011-04-13 | Add dom_sid_parse_endp | Volker Lendecke | 2 | -2/+14
This returns a pointer to the first non-parsed character, along the lines of strtoul for example.
Signed-off-by: Jeremy Allison <jra@samba.org>
2011-04-05 | auth: Move auth_session_info into IDL | Andrew Bartlett | 1 | -10/+1
This changes auth_session_info_transport to just be a wrapper, rather than a copy that has to be kept in sync. As auth_session_info was already wrapped in python, this required changes to the existing pyauth wrapper and its users.
Andrew Bartlett
2011-03-21 | libcli/security: make sure that we don't grant SEC_STD_DELETE to the owner by default | Stefan Metzmacher | 1 | -28/+30
In the file server SEC_STD_DELETE is granted on the file/directory or by FILE_DELETE_CHILD on the parent directory.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Mon Mar 21 23:25:05 CET 2011 on sn-devel-104
2011-03-19 | libcli/: Fix prototypes for all functions. | Jelmer Vernooij | 2 | -0/+3
2011-03-16 | libcli/security: move display_sec headers to own header file and add to | Günther Deschner | 3 | -0/+36
security.h grouping header.
Guenther