summaryrefslogtreecommitdiff
path: root/source4/libcli/security
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r13924: Split more prototypes out of include/proto.h + initial work on headerJelmer Vernooij5-0/+5
file dependencies (This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781)
2007-10-10r12858: This moves the libnet_LookupPdc code to use a GetDC request to findAndrew Bartlett1-0/+5
the remote server's name, or in the absence of a local nbt_server to communicate with (or without root access), a node status request. The result is that we are in a better position to use kerberos, as well as to remove the 'password server' mandatory parameter for the samsync and samdump commands. (I need this to put these into SWAT). The only problem I have is that I must create a messaging context, which requires a server ID. As a client process, I don't expect to get messages, but it is currently required for replies, so I generate a random() number. We probably need the servers to accept connections on streamed sockets too, for client-only tasks that want IRPC. Because I wanted to test this code, I have put the NET-API-* tests into our test scripts, to ensure they pass and keep passing. They are good frontends onto the libnet system, and I see no reason not to test them. In doing so the NET-API-RPCCONNECT test was simplified to take a binding string on the command line, removing duplicate code, and testing the combinations in the scripts instead. (I have done a bit of work on the list shares code in libnet_share.c to make it pass 'make test') In the future, I would like to extend the libcli/findds.c code (based off volker's winbind/wb_async_helpers.c, which is why it shows up a bit odd in the patch) to handle getting multiple name replies, sending a getdc request to each in turn. (posted to samba-technical for review, and I'll happily update with any comments) Andrew Bartlett (This used to be commit 7ccddfd3515fc2c0d6f447c768ccbf7a220c3380)
2007-10-10r12747: Add a couple more token tests, used by the kludge ACL module.Andrew Bartlett1-0/+30
Andrew Bartlett (This used to be commit 10eadf48124d61f2eb586fb277a66aa4b9e6cad3)
2007-10-10r12608: Remove some unused #include lines.Jelmer Vernooij6-6/+0
(This used to be commit 70e7449318aa0e9d2639c76730a7d1683b2f4981)
2007-10-10r12592: Remove some useless dependenciesJelmer Vernooij1-19/+2
(This used to be commit ca8db1a0cd77682ac2c6dc4718f5d753a4fcc4db)
2007-10-10r12542: Move some more prototypes out to seperate headersJelmer Vernooij1-0/+1
(This used to be commit 0aca5fd5130d980d07398f3291d294202aefe3c2)
2007-10-10r12498: Eliminate INIT_OBJ_FILES and ADD_OBJ_FILES. We were not usingJelmer Vernooij1-3/+3
the difference between these at all, and in the future the fact that INIT_OBJ_FILES include smb_build.h will be sufficient to have recompiles at the right time. (This used to be commit b24f2583edee38abafa58578d8b5c4b43e517def)
2007-10-10r12161: Fix a memleak and do the -O1 janitor :-)Volker Lendecke1-1/+5
(This used to be commit 82d87d62614a33ec9d2ed20e63d80a7af64e8678)
2007-10-10r12158: added ldif handlers for the ntSecurityDescriptor attribute, so whenAndrew Tridgell1-8/+8
displaying security descriptors in ldbsearch or ldbedit you can see the SDDL version. This also allows us to specify security descriptors in our setup/*.ldif files in SDDL format, which is much more convenient than the NDR binary format! (This used to be commit 8185731c1846412c1b3366824cdb3d05b2d50b73)
2007-10-10r12139: - fixed up the ace object flags checkingAndrew Tridgell1-3/+8
- allow for arbitrary access masks in sddl_encode_ace() (This used to be commit 5e2b1bd6afafe2eb96e98c4636e0a62235693183)
2007-10-10r12138: added use of 2 letter SID codes in sddl_encode_sid()Andrew Tridgell1-3/+42
(This used to be commit a0662ae9d3f719d2db193490361923095bd4d419)
2007-10-10r12137: added sddl_encode(), the reverse of the sddl_decode() function added aAndrew Tridgell1-0/+170
couple of days ago. Doesn't yet encode using the shorthand for well known SIDs. (This used to be commit 655a4ebe8e0ee18133103bfba0ca6d14cbf81d56)
2007-10-10r12011: fixed another 'mixed code and declarations' bugAndrew Tridgell1-1/+2
(This used to be commit 1eca19d597ea21a073361fc6fc550919abf97574)
2007-10-10r12010: - added support for domain specific SID codes in SDDL stringsAndrew Tridgell1-20/+67
- added a bunch more tests to LOCAL-SDDL (all the ones from our schema) - fixed 'mixed coded declarations' bug (This used to be commit c30e7698e8e1d9991d35bf86c0d4041a1814ad92)
2007-10-10r12005: added a SDDL (Security Descriptor Description Language) parser. NotAndrew Tridgell2-0/+316
all flags are covered yet, and object aces aren't done yet. This is needed for ACL support in ldb, as the default security descriptor for each object class is given by the defaultSecurityDescriptor attribute in the schema, which is stored in SDDL format (This used to be commit dbdeecea01a8b362a9a525a3689cb03662a86776)
2007-10-10r11244: Relative path names in .mk filesJelmer Vernooij1-8/+8
(This used to be commit 24e10300906c380919d2d631bfb3b8fd6b3f54ba)
2007-10-10r11214: Remove scons files (see ↵Jelmer Vernooij1-0/+0
http://lists.samba.org/archive/samba-technical/2005-October/043443.html) (This used to be commit 7fffc5c9178158249be632ac0ca179c13bd1f98f)
2007-10-10r11052: bring samba4 uptodate with the samba4-winsrepl branch,Stefan Metzmacher1-5/+0
before the bad merge metze (This used to be commit 471c0ca4abb17fb5f73c0efed195c67628c1c06e)
2007-10-10r11037:Stefan Metzmacher1-0/+5
(This used to be commit 6913e338405a5aca5c70cf6e022532c596ed0a36)
2007-10-10r10810: This adds the hooks required to communicate the current user from theAndrew Bartlett1-0/+25
authenticated session down into LDB. This associates a session info structure with the open LDB, allowing a future ldb_ntacl module to allow/deny operations on that basis. Along the way, I cleaned up a few things, and added new helper functions to assist. In particular the LSA pipe uses simpler queries for some of the setup. In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't been worked on (other than making it continue to compile) since January, and I think the features of this module are being put into ldb anyway. I have also changed the partitions in ldap_server to be initialised after the connection, with the private pointer used to associate the ldb with the incoming session. Andrew Bartlett (This used to be commit fd7203789a2c0929eecea8125b57b833a67fed71)
2007-10-10r10478: More work on proto headers; we now generate a couple of smaller onesJelmer Vernooij1-5/+0
that are then included by include/proto.h (This used to be commit 703ffbaaaca11f3d8781cfe9e7542fcaa626d991)
2007-10-10r10348: Add scons scripts for remaining subsystems. Most subsystems build now,Jelmer Vernooij1-0/+5
but final linking still fails (as does generating files asn1, et, idl and proto files) (This used to be commit 4f0d7f75b99c7f4388d8acb0838577d86baf68b5)
2007-10-10r10185: Fix another two sets of unhandled enumeration warnings, plus correct ↵Tim Potter1-7/+11
some awful indentation. (-: (This used to be commit 2f24fc7a7a195c04f88a25d52efc02ddf491126c)
2007-10-10r9573: fixed a commentAndrew Tridgell1-1/+1
(This used to be commit d151a9459dcbfc88b0dc2ec9dd1cafa18ad5b8f8)
2007-10-10r9511: - fix the memory treesStefan Metzmacher2-7/+8
- add a note about a possible talloc_free() metze (This used to be commit 550e3030f0e02720b527f3b4923457f05f484e6e)
2007-10-10r9510: fix the memory treeStefan Metzmacher1-1/+1
metze (This used to be commit 6d412cf0a4186ec04cee61dd5387903de051fde7)
2007-10-10r9240: - move struct security_token to the idl file, with this we canStefan Metzmacher6-41/+5
the ndr_pull/push/print functions for it in the ntacl-lsm module - fix compiler warnings in the ldap_encode_ndr_* code metze (This used to be commit 83d65d0d7ed9c240ad44aa2c881c1f07212bfda4)
2007-10-10r7679: update the documentation of security_description_create()Stefan Metzmacher1-2/+5
metze (This used to be commit 6ad7ffab043c3b510f4dff052973a054e5a75779)
2007-10-10r6352: Two new composite calls:Alexander Bokovoy1-3/+77
- qfsinfo (query file system information) - appendacl (append an ACL to existing file's security descriptor and get new full ACL) The second one also includes an improvement to security descriptor handling which allows to copy security descriptor. Written by Peter Novodvorsky <peter.novodvorsky@ru.ibm.com> Both functions have corresponding torture tests added. Tested under valgrind and work against Samba 4 and Windows XP. ToDo: document composite call creation process in prog_guide.txt (This used to be commit 441cff62ac75ed16851ce7b8daf9d03eb4c3ec79)
2007-10-10r6287: sorted out a small but surprisingly tricky dependency problem with theAndrew Tridgell2-32/+8
ndr code for handling sids and security descriptors now that we have a sid in the nbt IDL (This used to be commit f8e77fcdeac704aed5e501aa9108f3ed0ab26ca4)
2007-10-10r5137: fix typesStefan Metzmacher1-1/+1
metze (This used to be commit add1c579375d08040f722946da31ee3862f9e7ac)
2007-10-10r5037: got rid of all of the TALLOC_DEPRECATED stuff. My apologies for theAndrew Tridgell3-13/+13
large commit. I thought this was worthwhile to get done for consistency. (This used to be commit ec32b22ed5ec224f6324f5e069d15e92e38e15c0)
2007-10-10r4620: - add interface functions to the auth subsystem so that callers ↵Stefan Metzmacher1-20/+25
doesn't need to use function pointers anymore - make the module init much easier - a lot of cleanups don't try to read the diff in auth/ better read the new files it passes test_echo.sh and test_rpc.sh abartlet: please fix spelling fixes metze (This used to be commit 3c0d16b8236451f2cfd38fc3db8ae2906106d847)
2007-10-10r4549: got rid of a lot more uses of plain talloc(), instead usingAndrew Tridgell1-1/+1
talloc_size() or talloc_array_p() where appropriate. also fixed a memory leak in pvfs_copy_file() (failed to free a memory context) (This used to be commit 89b74b53546e1570b11b3702f40bee58aed8c503)
2007-10-10r4429: the owner of a file always gets SEC_STD_DELETEAndrew Tridgell1-6/+5
(This used to be commit 81630d3014c8cbd970bc917e3e9aef337fa211cd)
2007-10-10r4419: move security_token stuff to the libcli/security/Stefan Metzmacher6-5/+158
and debug privileges metze (This used to be commit c981808ed4cfa63c7ba7c4f9190b6b14f74bab40)
2007-10-10r4404: check for SEC_ACE_FLAG_INHERIT_ONLY in the "maximum allowed" logicAndrew Tridgell1-0/+4
(This used to be commit e4ee8b776ba164a89afca43de20c166ccbfddb99)
2007-10-10r4388: - allow ACE flags to be specified in security_descriptor_create()Andrew Tridgell1-1/+2
- added a test for all combinations of the inheritance ACE flags and how they are propogated to child directories and files (This used to be commit fdb38c8e4b6279137892402b21d2d52e1921e456)
2007-10-10r4196: - added server side code for lsa_LookupPrivDisplayNameAndrew Tridgell1-24/+112
- added english descriptions of privileges. We should add other languages in the future. (This used to be commit 3eee8b7c13de3ffe7c5a87d6f1ebdcc66ff391eb)
2007-10-10r4151: added privilege attribute handling on samdb.Andrew Tridgell1-5/+13
pvfs will now honor some privileges on ACLs, and it will be quite easy to add the checks for more privileges in the necessary places, by making calls to sec_privilege_check(). (This used to be commit 3549039d0fbc54f87ae679e7288b82b28713e487)
2007-10-10r4150: - add fns for manipulating the privilege_mask in a security_tokenAndrew Tridgell2-6/+33
- add the hooks in access_check that check the privilege bitmasks for SEC_STD_DELETE and SEC_FLAG_SYSTEM_SECURITY (This used to be commit 0fa3764edcabffe8f7d5e40f0097f97d0c4519c4)
2007-10-10r4147: converted from NT_USER_TOKEN to struct security_tokenAndrew Tridgell4-21/+95
this is mostly just a tidyup, but also adds the privilege_mask, which I will be using shortly in ACL checking. note that I had to move the definition of struct security_token out of security.idl as pidl doesn't yet handle arrays of pointers, and the usual workaround (to use a intermediate structure) would make things too cumbersome for this structure, especially given we never encode it to NDR. (This used to be commit 7b446af09b8050746bfc2c50e9d56aa94397cc1a)
2007-10-10r4062: the RAW-ACLS test now passes. The SEC_STD_DELETE bit is rather strangeAndrew Tridgell1-4/+7
though - I expect we'll need to tweak that some more. (This used to be commit e3500811b90b8423ee7694609340f394957d1160)
2007-10-10r4056: modified the access check code based on results from RAW-ACLSAndrew Tridgell1-26/+19
test. Also added generic mapping bits for pvfs. We don't pass RAW-ACLS yet, but its close. (This used to be commit c7cbd966d49a5345ea326732587555d209c531fc)
2007-10-10r4034: add a function security_descriptor_create() which can be used toAndrew Tridgell1-0/+79
easily create complex security descriptors for testing. This greatly simplifies the smbtorture code I am writing for testing our new access_check code. (This used to be commit 891a8bc16af3c6ce5800e793ce4ec8b0078e444f)
2007-10-10r4025: added a sec_access_check() function for checking security descriptorsAndrew Tridgell3-39/+163
against a users security token and access_mask (This used to be commit c4d21cd4b1ccffd5aaa70a551c57f6eab1ca9c6d)
2007-10-10r3988: made dom_sid_add_rid() allocate the new sid with proper parent/child ↵Andrew Tridgell1-3/+5
talloc relationship (This used to be commit 5db0eb1fe3abb5150bef27bfed4b7da723e4a287)
2007-10-10r3979: added server side code for lsa_LookupSids2() and fixed authority_nameAndrew Tridgell1-0/+26
return code to include our own domain. editing of ACLs via the w2k3 GUI works nicely (and faster) with these changes (This used to be commit a3f7f34b3965ddbd89b06334e03d2e1bb6aa364b)
2007-10-10r3885: Add security descriptor comparison to our RPC-SAMSYNC test. We nowAndrew Bartlett1-0/+21
verify that the security descriptor found in the SamSync is the same as what is available over SAMR. Unfortunately, the administrator seems unable to retrieve the SACL on the security descriptor, so I've added a new function to compare with a mask. Andrew Bartlett (This used to be commit 39ae5e1dac31a22086be50fb23261e02be877f3f)
2007-10-10r3836: - fixed the handling of NT_STATUS_BUFFER_TOO_SMALL in nttrans serverAndrew Tridgell1-1/+1
- fixed revision number on default DACL - fixed DACL_PRESENT bit in acl query with these fixes cacls.exe and the GUI ACL editor in w2k both work against pvfs. The GUI editor is slow as it times out looking up the SID -> name mappings. (This used to be commit 4468018cb63fd884920c2b0f5235bded50c6b5db)