| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
If the system has O_NOFOLLOW and O_DIRECTORY then we allow for
overrides by default. If not, then we disable by default, as we will
be more vulnerable to symlink attacks
|
|
To prevent symlink attacks we need to use O_NOFOLLOW one level at a
time when processing a root security override
|
|
This allows for root override, which fixes many problems with
mismatches between NT ACL permissions and unix permissions.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
The pvfs_sys_*() calls provide wrapper functions for posix file
functions which use root privileges to override EACCES failures if
PVFS_FLAG_PERM_OVERRIDE is set
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This flag indicates that we should use root privileges to override
unix permissions when the NT ACLs indicate that access should be
granted
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Guenther
|
|
At the moment nothing is done when the enumeration variable is set to one of
those constants as before. This is only to quite nasty warnings.
|
|
"test_SamLogon_with_creds" constant
This to quiet warnings.
|
|
Otherwise always a warning is generated.
|
|
This should make is easier to track down some bug reports
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Re-using two of the create_options bits was bound to eventually
cause problems, and indeed, Windows7 now uses one of those bits
when opening text files.
Fixes bug 7189
|
|
|
|
|
|
|
|
This library is not installed on enough systems for us to rely
on it being available. We use the system copy if possible, and
fallback to this local copy
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
For python libraries like dns.resolver it is useful to be able to install
a copy of the library with Samba. This set of functions allows us to do that
while using the locally installed version if it is available
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
I'm hoping this will fix an occasional segfault I've noticed where
epoll still calls events on a closed fde
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
"authsam_expand_nested_groups"
Better use the "res_sids_ctx" as base context for the "tmp_ctx" and not the
long-living "sam_ctx"/"ldb" context to prevent memory leaks.
|
|
It tests also some other constructed attributes in a basic way.
|
|
|
|
need them for more constructed attributes
With this patch we delete the helper attributes at the end where all constructed
attributes have already been computed.
|
|
No need to have signed counters here.
|
|
It contains the transitive SID closure (expand member/memberOf attributes) of a
certain SAM object. The "tokenGroups" attribute never contains the SID of the
object itself.
References: http://msdn.microsoft.com/en-us/library/ms680275(VS.85).aspx,
http://support.microsoft.com/kb/301916,
MS-ADTS 3.1.1.4.5.19.
|
|
This is needed by the "tokenGroups" work in the operational LDB module.
|
|
|
|
Should also be unsigned - no need for a signed "i" and "num_sids" here.
|
|
"construct_primary_group_token"
Use the "msg" as temporary context and not "ldb" which lives much longer.
|
|
Made each type into a separate class to be easily run individually,
removed code duplication
|
|
host IPv4 address
Inform the user when there are more possibilities (so he can check for the
right address and otherwise he is able to do an immediate reprovision) and no
possibility at all (then we fall back to the loopback address "127.0.0.1" - this
is thought for testing purposes).
I think this should be enough for closing bug #5484.
|
|
I changed "uint32_t" to "unsigned int" since the LDB specification prescrives
"unsigned (int)" for counter variables (number of attributes,
number of values...).
|
|
Use an unsigned argument for the numbers of groups and the counter "i" since
the function is called only by "auth_generate_session_info" with an unsigned
number of groups argument.
|
|
Previous commit was incomplete. The "service" parameter in the "tcon" structure
should point to "scfg->name". I'm not sure if "share" is right but the first
was used before commit f390daef475126b4ff5a3d0ffd2babbd87d4c22b.
|
|
This should be the right fix (set the service name in the tcon union to the
share name/path). That should be the solution for bug #6784.
|
|
"QueryDomainInfo" returns only global groups, "QueryDisplayInfo" also universal
ones. Consider MS-SAMR 3.1.5.5.1.1 and 3.1.5.3.1.
|
|
universal groups
Find the "Enterprise Admins" group which does exist on s4 and Windows
directories and is always per default universal. Test this only when the target
is set to s4 (s3 deployments don't contain this group). If the number of
returned objects is "0" (count) then we are likely testing the builtin domain of
an AD deployment.Then we ignore the inexistent "Enterprise Admins" group.
I didn't enhance the test for "QueryDomainInfo" since this does itself a
comparison of all returned objects with the "EnumDomainGroups" call. Therefore
if the latter passes, and the "QueryDomainInfo" test passes also the
"QueryDomainInfo" call is okay regarding groups.
|
|
|
|
We need to look for both global and universal group types when querying them.
Found by ekacnet (http://lists.samba.org/archive/samba-technical/2010-March/069777.html).
|
|
|
|
Otherwise we can lose debug output when a timeout happens
|
|
When a user has SEC_PRIV_TAKE_OWNERSHIP or SEC_PRIV_RESTORE they have
permission to change the ownership of a file.
This should fix bug 6987
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Michael
|
|
Actually ildb_context pointer is not supposed to be
valid after calling ildb_request_done().
This is due to the fact that when calling ildb_request_done()
caller will (most probably) free any locally built
ldap_request objects - thus rendering ildb_context invalid.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
In samba3 it is not an error when no users are returned in getpwent() calls
(e.g. on a DC w/o interdomain trusts).
Kai, please check.
Guenther
|
|
"i" needs to be unsigned on both places since it counts till a "count" variable
of a "struct ldb_result" object which itself is unsigned.
I see counting variables much better as "unsigned" since in most cases we don't
use negative values at all. We've only to be careful on binary searches and
downto counts regarding them.
|
|
"i" needs to be unsigned here since it counts until "r->in.len" which itself is
unsigned and not signed.
|
|
init().
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
