summaryrefslogtreecommitdiff
path: root/source3/lib/util_seaccess.c
AgeCommit message (Collapse)AuthorFilesLines
2003-10-06split some security related functions in their own files.Simo Sorce1-129/+0
(no need to include all of smbd files to use some basic sec functions) also minor compile fixes (This used to be commit 66074d3b097d8cf2a231bf08c7f4db62da68189d)
2003-09-19Ensure that dup_sec_desc copies the 'type' field correctly. This causedJeremy Allison1-2/+2
me to expose a type arguement to make_sec_desc(). We weren't copying the SE_DESC_DACL_AUTO_INHERITED flag which could cause errors on auto inherited checks. Jeremy. (This used to be commit 546b2271c08735ac1049a453abac996d794aa364)
2003-02-22More signed/unsigned fixes (yes, I run with funny compiler options) andAndrew Bartlett1-1/+1
make x_fwrite() match fwrite() in returning a size_t. Andrew Bartlett (This used to be commit 2943c695787b742e9a96b2eefe2d75f681bacf7c)
2002-10-06try to put every security descriptors related definitions in the same file.Simo Sorce1-2/+2
also try to uniform names to a clean scheme. first part. (This used to be commit a123e05877caf90c28980be2d84b1d0b46e4fd21)
2002-09-28Add const.Andrew Bartlett1-1/+1
(This used to be commit f7dd66e88dba947a167d9a14c96810854dfc5c9d)
2002-08-31Add a bit of 'const' and move a lot of our 'repeditive' DEBUG() statements toAndrew Bartlett1-9/+10
'DEBUGADD', so we don't repeat headers. (Makes them much easier to read). (Based on patch by kai) Andrew Bartlett (This used to be commit 9deada345c5f89f338530c4de62835cc1eeb3d0e)
2002-08-29Move samr_make_sam_obj_sd to lib/util_seaccess.c. samtest now compiles andJelmer Vernooij1-0/+41
links successfully! (This used to be commit 0ea4bcb6b772a0d95d20f7c1a2a0c08a0ba9e466)
2002-08-28Make constJelmer Vernooij1-1/+1
(This used to be commit b1ab3bec8dc7c5d0873b7a4b4c6fab2d7591c9b3)
2002-06-10Remove "sids.h" as it really wasn't being used anywhere, and was exportingAndrew Bartlett1-2/+0
the (now static) global_sam_sid. The only place it was being used was to return global_sid_NULL to some uid->sid functions - and I'm not convinced this is correct in any case. Andrew Bartlett (This used to be commit e2a76a7fc94dd59c09bba3cda91446fad9f8c0e0)
2002-03-17Renamed get_nt_error_msg() to nt_errstr().Tim Potter1-1/+1
(This used to be commit 1f007d3ed41c1b71a89fa6be7d173e67e927c302)
2002-03-15syncing up printing code with SAMBA_2_2 (already done some mergesGerald Carter1-0/+25
in the reverse). * add in new printer change notify code from SAMBA_2_2 * add in se_map_standard() from 2.2 in _spoolss_open_printer_ex() * sync up the _print_queue_struct in smb.h (why did someone change the user/file names in fs_user/fs_file (or vice-versa) ? ) * sync up some cli_spoolss_XXX functions (This used to be commit 5760315c1de4033fdc22684c940f18010010924f)
2002-01-30Removed version number from file header.Tim Potter1-2/+1
Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
2001-12-17tidy up debugJean-François Micouleau1-1/+1
J.F. (This used to be commit c44f4e9e3368320b7559059dc214fa6c003d1187)
2001-11-30Renamed sid field in SEC_ACE to trustee to be more in line with MS'sTim Potter1-4/+4
definitions. (This used to be commit 9712d3f15a47155f558d0034ef71fd06afb11301)
2001-11-16I *love* removing code :-). Removed 4 files that weren't being used.Jeremy Allison1-1/+1
All this stuff was being pulled in due to *one* unneeded call to fetch a domain SID which smbpasswd already puts in the database... Jeremy. (This used to be commit 6bf2505cce7db770fd4db5b19999a78588e96b58)
2001-10-02Removed 'extern int DEBUGLEVEL' as it is now in the smb.h header.Tim Potter1-2/+0
(This used to be commit 2d0922b0eabfdc0aaf1d0797482fef47ed7fde8e)
2001-09-26Added Elrond patch to make se_access_check use NT datastructures, not Samba.Jeremy Allison1-5/+8
Jeremy. (This used to be commit bca6419447e926e51aeecf3e484228f640cecb84)
2001-08-27converted another bunch of stuff to NTSTATUSAndrew Tridgell1-4/+4
(This used to be commit 1d36250e338ae0ff9fbbf86019809205dd97d05e)
2001-08-27started converting NTSTATUS to be a structure on systems with gcc in order ↵Andrew Tridgell1-6/+11
to make it type incompatible with BOOL so we catch errors sooner. This has already found a number of bugs (This used to be commit 1b778bc7d22efff3f90dc450eb12baa1241cf68f)
2001-04-27Don't use variables called "acl" as it's the name of a function in Solaris.Jeremy Allison1-13/+13
Jeremy. (This used to be commit 277eb517e25eb3910057336b2bee18875dffe6cc)
2001-02-28Move to talloc control of SPOOL_XXX structs. Move to talloc control ofJeremy Allison1-10/+5
security descriptors and pointers. Syncup with 2.2 tree. Jeremy. (This used to be commit 14d5997dc841e78a619e865288486d50c245896d)
2001-01-19Changes from APPLIANCE_HEAD:David O'Neill1-28/+119
source/lib/util_seaccess.c - added se_create_child_secdesc() function which takes a parent (container) security descriptor and creates a security descriptor which has the inheritance flags for each ACE applied. In NT a print job is a child object of a printer so deleting and pausing/resuming jobs requires a check against the child security descriptor, not the parent. The values seen in NT printer security descriptors now all fit together in a natural and elegant way which is always nice. - Removed #ifdef'ed out portion of check_ace() when the INHERIT_ONLY flag is set as the se_create_child_secdesc() function now creates a security descriptor which can be used without this hack. (This used to be commit f125b9a94413fd481ae9f05ec5096ef79f0d49e4)
2001-01-04Changes from APPLIANCE_HEAD:David O'Neill1-5/+74
source/Makefile.in - changes to ctags and etags rules that somehow got lost along the way. source/include/proto.h - make proto source/smbd/sec_ctx.c source/smbd/password.c - merge debugs for debugging user groups and NT token stuff. source/lib/util_str.c - capitalise domain name returned from parse_domain_user() source/nsswitch/wb_client.c - fix broken conditional in debug statement. source/include/rpc_secdes.h source/include/rpc_spoolss.h source/printing/nt_printing.c source/lib/util_seaccess.c - fix printer permission bugs related to ACE masks for printers. This adds mapping of generic access rights to object specific rights for NT printers. Still need to work out whether or not to ignore ACEs with certain flags set, though. See comments in util_seaccess.c:check_ace() for details. source/printing/nt_printing.c source/printing/printing.c - use PRINTER_ACCESS_ADMINISTER instead of JOB_ACCESS_ADMINISTER until we sort out printer/printjob permission stuff. (This used to be commit 1dba9c5cd1e6389734c648f6903abcb7c8d5b2f0)
2000-12-12Removed the special casing of SIDs in se_access_check. This is now done ↵Jeremy Allison1-31/+2
(correctly) when the NT_USER_TOKEN is *created*. Jeremy. (This used to be commit 27d72ed1cf8ece2bede812341279ba5a7262ace4)
2000-12-12Owner always has READ_CONTROL and WRITE_DAC access.Jeremy Allison1-1/+3
Jeremy. (This used to be commit 05fcb124dfbb1a257828e9dc6a7793fc3dc73c4b)
2000-08-10Tidied up security rights definitions.Jeremy Allison1-4/+4
Jeremy. (This used to be commit e466c863f5540e13776f4477b6d58e3fbfe7276d)
2000-08-10Removed requirement that sid have an owner before being interpreted.Jeremy Allison1-18/+9
Thanks to Elrond for pointing this out. Jeremy. (This used to be commit 1d9a5494f8214b8d6171073f4090687a8535d78c)
2000-08-09Fixed memory leak with NT tokens.Jeremy Allison1-2/+15
Added debug messages to se_access_check(). Added FULL_ACCESS acl to default acl on printers. Jeremy. (This used to be commit 7507f6f408cf8b0f8d7e2b3da54ce5fb5ef5343b)
2000-08-08Added SID "Everyone" S-1-1-0 as always matching if present in an ACE.Jeremy Allison1-4/+17
Jeremy. (This used to be commit b3a1038ac1bfb0c32e64f6cb26e5e46fbda794a2)
2000-08-08Changed the sec desc access checks to match the spec. Needs testing.Jeremy Allison1-220/+149
Jeremy. (This used to be commit 5a4a7cd4727df5d1b5e71d343e776c7df52dc515)
2000-08-04Fixed up se_access_check() to use the token list from the user structJeremy Allison1-82/+32
as the SID list. Now to go through and tidy up the algorithm. Jeremy. (This used to be commit 1f7300df6713a6728feb1600ca7e62fc213232fc)
2000-08-02Started to canonicalize our handling of uid -> sid code in order toJeremy Allison1-19/+27
get ready and fix se_access_check(). Added cannonical lookup_name(), lookup_sid(), uid_to_sid(), gid_to_sid() functions that look via winbind first the fall back on local lookup. All Samba should use these rather than trying to call winbindd code directly. Added NT_USER_TOKEN struct in user_struct, contains list of NT sids associated with this user. se_access_check() should use this (cached) value rather than attempting to do the same thing itself when given a uid/gid pair. More work needs to be done to preserve these things accross security context changes (especially with the tricky pipe problem) but I'm beginning to see how this will be done..... probably by registering a new vuid for an authenticated RPC pipe and not treating the pipe calls specially. More thoughts needed - but we're almost there... Jeremy. (This used to be commit 5e5cc6efe2e4687be59085f562caea1e2e05d0a8)
2000-07-17Added some debugs.Tim Potter1-13/+27
Changed interface to se_access_check to take a user struct instead of each bit as a separate parameter. (This used to be commit ff7938310d0636b165b03a2b0a15e51494b2459f)
2000-07-10Fixes for various compile warnings on Solaris 8.Tim Potter1-1/+2
(This used to be commit 898a483cdab1ed7d8ff902c0dc0e0620440ae4cd)
2000-07-10Moved winbind client functions from various odd locations toTim Potter1-64/+0
nsswitch/wb_client.c Merge of nsswitch/common.c rename to nsswitch/wb_common.c from TNG. (This used to be commit f866c18f6be65db67d9d2a6c0b42e1af3b421e6c)
2000-07-10Added some useful debugging stuff.Tim Potter1-10/+66
Fixes for se_access_check() when you are the owner of the object. (This used to be commit 1478198b709b26d0007a8ff0586c34fc6f37a9d2)
2000-07-06Rewrite of se_access_check() function. Added comments and fixed a bunch ofTim Potter1-189/+287
bugs. I think there is a problem though with the permissions granted when SEC_RIGHTS_MAXIMUM_ALLOWED is passed as the permissions requested. (This used to be commit 27d821913c87dddd44a0690f4b191c9d2445817e)
2000-06-08added se_access_check.Luke Leighton1-0/+279
(This used to be commit 6de329f6bf9c26e132869cf43d4976d4881e285c)