From 2d01ec2c390f8dd753600f22cefb17e7b8916ffd Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 27 Feb 2008 15:49:31 +0100 Subject: Use new LSA_POLICY defines in lsa rpc server code and other places. Guenther (This used to be commit 58cca9faf9db506bd2f6eab4a99ef85153797ab2) --- source3/include/rpc_lsa.h | 69 +++++++++++++++++------------------------ source3/libsmb/trusts_util.c | 2 +- source3/rpc_server/srv_lsa_nt.c | 48 ++++++++++++++-------------- source3/rpcclient/cmd_lsarpc.c | 2 +- 4 files changed, 54 insertions(+), 67 deletions(-) diff --git a/source3/include/rpc_lsa.h b/source3/include/rpc_lsa.h index 3f55e18e0f..a5316c49e5 100644 --- a/source3/include/rpc_lsa.h +++ b/source3/include/rpc_lsa.h @@ -27,51 +27,38 @@ #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4 -#define POLICY_VIEW_LOCAL_INFORMATION 0x00000001 -#define POLICY_VIEW_AUDIT_INFORMATION 0x00000002 -#define POLICY_GET_PRIVATE_INFORMATION 0x00000004 -#define POLICY_TRUST_ADMIN 0x00000008 -#define POLICY_CREATE_ACCOUNT 0x00000010 -#define POLICY_CREATE_SECRET 0x00000020 -#define POLICY_CREATE_PRIVILEGE 0x00000040 -#define POLICY_SET_DEFAULT_QUOTA_LIMITS 0x00000080 -#define POLICY_SET_AUDIT_REQUIREMENTS 0x00000100 -#define POLICY_AUDIT_LOG_ADMIN 0x00000200 -#define POLICY_SERVER_ADMIN 0x00000400 -#define POLICY_LOOKUP_NAMES 0x00000800 +#define LSA_POLICY_ALL_ACCESS ( STANDARD_RIGHTS_REQUIRED_ACCESS |\ + LSA_POLICY_VIEW_LOCAL_INFORMATION |\ + LSA_POLICY_VIEW_AUDIT_INFORMATION |\ + LSA_POLICY_GET_PRIVATE_INFORMATION |\ + LSA_POLICY_TRUST_ADMIN |\ + LSA_POLICY_CREATE_ACCOUNT |\ + LSA_POLICY_CREATE_SECRET |\ + LSA_POLICY_CREATE_PRIVILEGE |\ + LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS |\ + LSA_POLICY_SET_AUDIT_REQUIREMENTS |\ + LSA_POLICY_AUDIT_LOG_ADMIN |\ + LSA_POLICY_SERVER_ADMIN |\ + LSA_POLICY_LOOKUP_NAMES ) -#define POLICY_ALL_ACCESS ( STANDARD_RIGHTS_REQUIRED_ACCESS |\ - POLICY_VIEW_LOCAL_INFORMATION |\ - POLICY_VIEW_AUDIT_INFORMATION |\ - POLICY_GET_PRIVATE_INFORMATION |\ - POLICY_TRUST_ADMIN |\ - POLICY_CREATE_ACCOUNT |\ - POLICY_CREATE_SECRET |\ - POLICY_CREATE_PRIVILEGE |\ - POLICY_SET_DEFAULT_QUOTA_LIMITS |\ - POLICY_SET_AUDIT_REQUIREMENTS |\ - POLICY_AUDIT_LOG_ADMIN |\ - POLICY_SERVER_ADMIN |\ - POLICY_LOOKUP_NAMES ) +#define LSA_POLICY_READ ( STANDARD_RIGHTS_READ_ACCESS |\ + LSA_POLICY_VIEW_AUDIT_INFORMATION |\ + LSA_POLICY_GET_PRIVATE_INFORMATION) -#define POLICY_READ ( STANDARD_RIGHTS_READ_ACCESS |\ - POLICY_VIEW_AUDIT_INFORMATION |\ - POLICY_GET_PRIVATE_INFORMATION) +#define LSA_POLICY_WRITE ( STD_RIGHT_READ_CONTROL_ACCESS |\ + LSA_POLICY_TRUST_ADMIN |\ + LSA_POLICY_CREATE_ACCOUNT |\ + LSA_POLICY_CREATE_SECRET |\ + LSA_POLICY_CREATE_PRIVILEGE |\ + LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS |\ + LSA_POLICY_SET_AUDIT_REQUIREMENTS |\ + LSA_POLICY_AUDIT_LOG_ADMIN |\ + LSA_POLICY_SERVER_ADMIN) -#define POLICY_WRITE ( STD_RIGHT_READ_CONTROL_ACCESS |\ - POLICY_TRUST_ADMIN |\ - POLICY_CREATE_ACCOUNT |\ - POLICY_CREATE_SECRET |\ - POLICY_CREATE_PRIVILEGE |\ - POLICY_SET_DEFAULT_QUOTA_LIMITS |\ - POLICY_SET_AUDIT_REQUIREMENTS |\ - POLICY_AUDIT_LOG_ADMIN |\ - POLICY_SERVER_ADMIN) - -#define POLICY_EXECUTE ( STANDARD_RIGHTS_EXECUTE_ACCESS |\ - POLICY_VIEW_LOCAL_INFORMATION |\ - POLICY_LOOKUP_NAMES ) +#define LSA_POLICY_EXECUTE ( STANDARD_RIGHTS_EXECUTE_ACCESS |\ + LSA_POLICY_VIEW_LOCAL_INFORMATION |\ + LSA_POLICY_LOOKUP_NAMES ) /*******************************************************/ #define MAX_REF_DOMAINS 32 diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 1e92bf21de..c079fb149a 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -209,7 +209,7 @@ bool enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain, /* get a handle */ result = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, True, - POLICY_VIEW_LOCAL_INFORMATION, &pol); + LSA_POLICY_VIEW_LOCAL_INFORMATION, &pol); if ( !NT_STATUS_IS_OK(result) ) goto done; diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c index f43258d5e5..ec9da32874 100644 --- a/source3/rpc_server/srv_lsa_nt.c +++ b/source3/rpc_server/srv_lsa_nt.c @@ -40,10 +40,10 @@ struct lsa_info { }; const struct generic_mapping lsa_generic_mapping = { - POLICY_READ, - POLICY_WRITE, - POLICY_EXECUTE, - POLICY_ALL_ACCESS + LSA_POLICY_READ, + LSA_POLICY_WRITE, + LSA_POLICY_EXECUTE, + LSA_POLICY_ALL_ACCESS }; /*************************************************************************** @@ -289,17 +289,17 @@ static NTSTATUS lsa_get_generic_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *s SEC_ACL *psa = NULL; - init_sec_access(&mask, POLICY_EXECUTE); + init_sec_access(&mask, LSA_POLICY_EXECUTE); init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); sid_copy(&adm_sid, get_global_sam_sid()); sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS); - init_sec_access(&mask, POLICY_ALL_ACCESS); + init_sec_access(&mask, LSA_POLICY_ALL_ACCESS); init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); sid_copy(&local_adm_sid, &global_sid_Builtin); sid_append_rid(&local_adm_sid, BUILTIN_ALIAS_RID_ADMINS); - init_sec_access(&mask, POLICY_ALL_ACCESS); + init_sec_access(&mask, LSA_POLICY_ALL_ACCESS); init_sec_ace(&ace[2], &local_adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, 3, ace)) == NULL) @@ -390,7 +390,7 @@ NTSTATUS _lsa_OpenPolicy2(pipes_struct *p, /* This is needed for lsa_open_account and rpcclient .... :-) */ if (p->pipe_user.ut.uid == sec_initial_uid()) - acc_granted = POLICY_ALL_ACCESS; + acc_granted = LSA_POLICY_ALL_ACCESS; /* associate the domain SID with the (unique) handle. */ if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL) @@ -483,7 +483,7 @@ NTSTATUS _lsa_EnumTrustDom(pipes_struct *p, return NT_STATUS_INVALID_HANDLE; /* check if the user have enough rights */ - if (!(info->access & POLICY_VIEW_LOCAL_INFORMATION)) + if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) return NT_STATUS_ACCESS_DENIED; nt_status = pdb_enum_trusteddoms(p->mem_ctx, &num_domains, &domains); @@ -558,7 +558,7 @@ NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p, uint32 policy_def = LSA_AUDIT_POLICY_ALL; /* check if the user have enough rights */ - if (!(handle->access & POLICY_VIEW_AUDIT_INFORMATION)) { + if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) { DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n")); return NT_STATUS_ACCESS_DENIED; } @@ -586,7 +586,7 @@ NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p, } case 0x03: /* check if the user have enough rights */ - if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION)) + if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) return NT_STATUS_ACCESS_DENIED; /* Request PolicyPrimaryDomainInformation. */ @@ -615,7 +615,7 @@ NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p, break; case 0x05: /* check if the user have enough rights */ - if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION)) + if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) return NT_STATUS_ACCESS_DENIED; /* Request PolicyAccountDomainInformation. */ @@ -626,7 +626,7 @@ NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p, break; case 0x06: /* check if the user have enough rights */ - if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION)) + if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) return NT_STATUS_ACCESS_DENIED; switch (lp_server_role()) { @@ -793,7 +793,7 @@ NTSTATUS _lsa_LookupSids(pipes_struct *p, } /* check if the user has enough rights */ - if (!(handle->access & POLICY_LOOKUP_NAMES)) { + if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) { return NT_STATUS_ACCESS_DENIED; } @@ -867,7 +867,7 @@ NTSTATUS _lsa_LookupSids2(pipes_struct *p, } /* check if the user have enough rights */ - if (!(handle->access & POLICY_LOOKUP_NAMES)) { + if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) { return NT_STATUS_ACCESS_DENIED; } } @@ -999,7 +999,7 @@ NTSTATUS _lsa_LookupNames(pipes_struct *p, } /* check if the user have enough rights */ - if (!(handle->access & POLICY_LOOKUP_NAMES)) { + if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) { status = NT_STATUS_ACCESS_DENIED; goto done; } @@ -1138,7 +1138,7 @@ NTSTATUS _lsa_LookupNames3(pipes_struct *p, } /* check if the user have enough rights */ - if (!(handle->access & POLICY_LOOKUP_NAMES)) { + if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) { status = NT_STATUS_ACCESS_DENIED; goto done; } @@ -1292,7 +1292,7 @@ NTSTATUS _lsa_EnumPrivs(pipes_struct *p, /* check if the user have enough rights I don't know if it's the right one. not documented. */ - if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION)) + if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) return NT_STATUS_ACCESS_DENIED; if (num_privs) { @@ -1350,7 +1350,7 @@ NTSTATUS _lsa_LookupPrivDisplayName(pipes_struct *p, /* * I don't know if it's the right one. not documented. */ - if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION)) + if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) return NT_STATUS_ACCESS_DENIED; DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string)); @@ -1392,7 +1392,7 @@ NTSTATUS _lsa_EnumAccounts(pipes_struct *p, if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) return NT_STATUS_INVALID_HANDLE; - if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION)) + if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) return NT_STATUS_ACCESS_DENIED; sid_list = NULL; @@ -1505,7 +1505,7 @@ NTSTATUS _lsa_CreateAccount(pipes_struct *p, * I don't know if it's the right one. not documented. * but guessed with rpcclient. */ - if (!(handle->access & POLICY_GET_PRIVATE_INFORMATION)) + if (!(handle->access & LSA_POLICY_GET_PRIVATE_INFORMATION)) return NT_STATUS_ACCESS_DENIED; /* check to see if the pipe_user is a Domain Admin since @@ -1554,7 +1554,7 @@ NTSTATUS _lsa_OpenAccount(pipes_struct *p, * I don't know if it's the right one. not documented. * but guessed with rpcclient. */ - if (!(handle->access & POLICY_GET_PRIVATE_INFORMATION)) + if (!(handle->access & LSA_POLICY_GET_PRIVATE_INFORMATION)) return NT_STATUS_ACCESS_DENIED; /* TODO: Fis the parsing routine before reenabling this check! */ @@ -1798,7 +1798,7 @@ NTSTATUS _lsa_QuerySecurity(pipes_struct *p, return NT_STATUS_INVALID_HANDLE; /* check if the user have enough rights */ - if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION)) + if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) return NT_STATUS_ACCESS_DENIED; @@ -1855,7 +1855,7 @@ NTSTATUS _lsa_QuerySecurity(pipes_struct *p, switch (q_u->info_class) { case 0x0c: /* check if the user have enough rights */ - if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION)) + if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) return NT_STATUS_ACCESS_DENIED; /* Request PolicyPrimaryDomainInformation. */ diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c index 3fe8bc8e52..512d80ae15 100644 --- a/source3/rpcclient/cmd_lsarpc.c +++ b/source3/rpcclient/cmd_lsarpc.c @@ -394,7 +394,7 @@ static NTSTATUS cmd_lsa_enum_trust_dom(struct rpc_pipe_client *cli, } result = rpccli_lsa_open_policy(cli, mem_ctx, True, - POLICY_VIEW_LOCAL_INFORMATION, + LSA_POLICY_VIEW_LOCAL_INFORMATION, &pol); if (!NT_STATUS_IS_OK(result)) -- cgit