From b5bec1a6d73f5939b306e157937d027a7286163c Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 15 Apr 2009 01:12:13 +0200 Subject: s3-secdesc: use SEC_FLAG_MAXIMUM_ALLOWED instead of SEC_RIGHTS_MAXIMUM_ALLOWED. Guenther --- source3/libnet/libnet_join.c | 10 ++++----- source3/libsmb/libsmb_server.c | 2 +- source3/rpcclient/cmd_lsarpc.c | 48 ++++++++++++++++++++-------------------- source3/rpcclient/cmd_samr.c | 4 ++-- source3/rpcclient/rpcclient.c | 2 +- source3/utils/net_rpc.c | 8 +++---- source3/utils/net_rpc_audit.c | 8 +++---- source3/utils/net_rpc_join.c | 4 ++-- source3/utils/net_rpc_registry.c | 10 ++++----- source3/utils/net_rpc_rights.c | 10 ++++----- source3/utils/net_util.c | 2 +- source3/utils/netlookup.c | 2 +- source3/utils/smbcquotas.c | 2 +- source3/winbindd/winbindd_cm.c | 18 +++++++-------- source3/winbindd/winbindd_rpc.c | 6 ++--- 15 files changed, 68 insertions(+), 68 deletions(-) diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 894f5cba32..81990dfd81 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -703,7 +703,7 @@ static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx, } status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, &lsa_pol); + SEC_FLAG_MAXIMUM_ALLOWED, &lsa_pol); if (!NT_STATUS_IS_OK(status)) { goto done; } @@ -888,7 +888,7 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx, &domain_pol, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, user_rid, &user_pol); if (!NT_STATUS_IS_OK(status)) { @@ -1167,7 +1167,7 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, status = rpccli_samr_Connect2(pipe_hnd, mem_ctx, pipe_hnd->desthost, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &sam_pol); if (!NT_STATUS_IS_OK(status)) { goto done; @@ -1175,7 +1175,7 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx, &sam_pol, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, r->in.domain_sid, &domain_pol); if (!NT_STATUS_IS_OK(status)) { @@ -1213,7 +1213,7 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx, &domain_pol, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, user_rid, &user_pol); if (!NT_STATUS_IS_OK(status)) { diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c index eda37f2187..60849c812f 100644 --- a/source3/libsmb/libsmb_server.c +++ b/source3/libsmb/libsmb_server.c @@ -740,7 +740,7 @@ SMBC_attr_server(TALLOC_CTX *ctx, /* * Some systems don't support - * SEC_RIGHTS_MAXIMUM_ALLOWED, but NT sends 0x2000000 + * SEC_FLAG_MAXIMUM_ALLOWED, but NT sends 0x2000000 * so we might as well do it too. */ diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c index cf2b1ae563..ef3187579a 100644 --- a/source3/rpcclient/cmd_lsarpc.c +++ b/source3/rpcclient/cmd_lsarpc.c @@ -42,7 +42,7 @@ static NTSTATUS name_to_sid(struct rpc_pipe_client *cli, } result = rpccli_lsa_open_policy(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) goto done; @@ -167,7 +167,7 @@ static NTSTATUS cmd_lsa_query_info_policy(struct rpc_pipe_client *cli, switch (info_class) { case 12: result = rpccli_lsa_open_policy2(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) @@ -180,7 +180,7 @@ static NTSTATUS cmd_lsa_query_info_policy(struct rpc_pipe_client *cli, break; default: result = rpccli_lsa_open_policy(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) @@ -220,7 +220,7 @@ static NTSTATUS cmd_lsa_lookup_names(struct rpc_pipe_client *cli, } result = rpccli_lsa_open_policy(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) @@ -268,7 +268,7 @@ static NTSTATUS cmd_lsa_lookup_names_level(struct rpc_pipe_client *cli, } result = rpccli_lsa_open_policy(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) @@ -320,7 +320,7 @@ static NTSTATUS cmd_lsa_lookup_sids(struct rpc_pipe_client *cli, TALLOC_CTX *mem } result = rpccli_lsa_open_policy(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) @@ -460,7 +460,7 @@ static NTSTATUS cmd_lsa_enum_privilege(struct rpc_pipe_client *cli, pref_max_length=atoi(argv[2]); result = rpccli_lsa_open_policy(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) @@ -512,7 +512,7 @@ static NTSTATUS cmd_lsa_get_dispname(struct rpc_pipe_client *cli, } result = rpccli_lsa_open_policy(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) @@ -565,7 +565,7 @@ static NTSTATUS cmd_lsa_enum_sids(struct rpc_pipe_client *cli, pref_max_length=atoi(argv[2]); result = rpccli_lsa_open_policy(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) @@ -618,7 +618,7 @@ static NTSTATUS cmd_lsa_create_account(struct rpc_pipe_client *cli, goto done; result = rpccli_lsa_open_policy2(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &dom_pol); if (!NT_STATUS_IS_OK(result)) @@ -666,7 +666,7 @@ static NTSTATUS cmd_lsa_enum_privsaccounts(struct rpc_pipe_client *cli, goto done; result = rpccli_lsa_open_policy2(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &dom_pol); if (!NT_STATUS_IS_OK(result)) @@ -728,7 +728,7 @@ static NTSTATUS cmd_lsa_enum_acct_rights(struct rpc_pipe_client *cli, goto done; result = rpccli_lsa_open_policy2(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &dom_pol); if (!NT_STATUS_IS_OK(result)) @@ -777,7 +777,7 @@ static NTSTATUS cmd_lsa_add_acct_rights(struct rpc_pipe_client *cli, goto done; result = rpccli_lsa_open_policy2(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &dom_pol); if (!NT_STATUS_IS_OK(result)) @@ -830,7 +830,7 @@ static NTSTATUS cmd_lsa_remove_acct_rights(struct rpc_pipe_client *cli, goto done; result = rpccli_lsa_open_policy2(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &dom_pol); if (!NT_STATUS_IS_OK(result)) @@ -880,7 +880,7 @@ static NTSTATUS cmd_lsa_lookup_priv_value(struct rpc_pipe_client *cli, } result = rpccli_lsa_open_policy2(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) @@ -922,7 +922,7 @@ static NTSTATUS cmd_lsa_query_secobj(struct rpc_pipe_client *cli, } result = rpccli_lsa_open_policy2(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (argc == 2) @@ -995,7 +995,7 @@ static NTSTATUS cmd_lsa_query_trustdominfobysid(struct rpc_pipe_client *cli, struct policy_handle pol; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; DOM_SID dom_sid; - uint32 access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED; + uint32 access_mask = SEC_FLAG_MAXIMUM_ALLOWED; union lsa_TrustedDomainInfo *info = NULL; enum lsa_TrustDomInfoEnum info_class = 1; uint8_t nt_hash[16]; @@ -1043,7 +1043,7 @@ static NTSTATUS cmd_lsa_query_trustdominfobyname(struct rpc_pipe_client *cli, { struct policy_handle pol; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - uint32 access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED; + uint32 access_mask = SEC_FLAG_MAXIMUM_ALLOWED; union lsa_TrustedDomainInfo *info = NULL; enum lsa_TrustDomInfoEnum info_class = 1; struct lsa_String trusted_domain; @@ -1091,7 +1091,7 @@ static NTSTATUS cmd_lsa_query_trustdominfo(struct rpc_pipe_client *cli, { struct policy_handle pol, trustdom_pol; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - uint32 access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED; + uint32 access_mask = SEC_FLAG_MAXIMUM_ALLOWED; union lsa_TrustedDomainInfo *info = NULL; DOM_SID dom_sid; enum lsa_TrustDomInfoEnum info_class = 1; @@ -1160,7 +1160,7 @@ static NTSTATUS cmd_lsa_get_username(struct rpc_pipe_client *cli, } result = rpccli_lsa_open_policy(cli, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) { @@ -1210,7 +1210,7 @@ static NTSTATUS cmd_lsa_add_priv(struct rpc_pipe_client *cli, } result = rpccli_lsa_open_policy2(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &dom_pol); if (!NT_STATUS_IS_OK(result)) { @@ -1220,7 +1220,7 @@ static NTSTATUS cmd_lsa_add_priv(struct rpc_pipe_client *cli, result = rpccli_lsa_OpenAccount(cli, mem_ctx, &dom_pol, &sid, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &user_pol); if (!NT_STATUS_IS_OK(result)) { @@ -1294,7 +1294,7 @@ static NTSTATUS cmd_lsa_del_priv(struct rpc_pipe_client *cli, } result = rpccli_lsa_open_policy2(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &dom_pol); if (!NT_STATUS_IS_OK(result)) { @@ -1304,7 +1304,7 @@ static NTSTATUS cmd_lsa_del_priv(struct rpc_pipe_client *cli, result = rpccli_lsa_OpenAccount(cli, mem_ctx, &dom_pol, &sid, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &user_pol); if (!NT_STATUS_IS_OK(result)) { diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c index 83cec72318..96484f0982 100644 --- a/source3/rpcclient/cmd_samr.c +++ b/source3/rpcclient/cmd_samr.c @@ -2860,7 +2860,7 @@ static NTSTATUS cmd_samr_get_dispinfo_idx(struct rpc_pipe_client *cli, } status = rpccli_try_samr_connects(cli, mem_ctx, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &connect_handle); if (!NT_STATUS_IS_OK(status)) { @@ -2869,7 +2869,7 @@ static NTSTATUS cmd_samr_get_dispinfo_idx(struct rpc_pipe_client *cli, status = rpccli_samr_OpenDomain(cli, mem_ctx, &connect_handle, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &domain_sid, &domain_handle); diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c index 6fd6b4f6d9..ceeeae7ea6 100644 --- a/source3/rpcclient/rpcclient.c +++ b/source3/rpcclient/rpcclient.c @@ -156,7 +156,7 @@ static void fetch_machine_sid(struct cli_state *cli) } result = rpccli_lsa_open_policy(lsapipe, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) { goto error; diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c index 5dd3df9a69..845ceca573 100644 --- a/source3/utils/net_rpc.c +++ b/source3/utils/net_rpc.c @@ -68,7 +68,7 @@ NTSTATUS net_get_remote_domain_sid(struct cli_state *cli, TALLOC_CTX *mem_ctx, } result = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, false, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) { d_fprintf(stderr, "open_policy failed: %s\n", @@ -1668,7 +1668,7 @@ static NTSTATUS get_sid_from_name(struct cli_state *cli, } result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, false, - SEC_RIGHTS_MAXIMUM_ALLOWED, &lsa_pol); + SEC_FLAG_MAXIMUM_ALLOWED, &lsa_pol); if (!NT_STATUS_IS_OK(result)) { goto done; @@ -2485,7 +2485,7 @@ static NTSTATUS rpc_list_alias_members(struct net_context *c, } result = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, &lsa_pol); + SEC_FLAG_MAXIMUM_ALLOWED, &lsa_pol); if (!NT_STATUS_IS_OK(result)) { d_fprintf(stderr, "Couldn't open LSA policy handle\n"); @@ -3850,7 +3850,7 @@ static NTSTATUS rpc_aliaslist_dump(struct net_context *c, struct policy_handle lsa_pol; result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &lsa_pol); if (!NT_STATUS_IS_OK(result)) return result; diff --git a/source3/utils/net_rpc_audit.c b/source3/utils/net_rpc_audit.c index aa7fc7c394..823fe06f1a 100644 --- a/source3/utils/net_rpc_audit.c +++ b/source3/utils/net_rpc_audit.c @@ -88,7 +88,7 @@ static NTSTATUS rpc_audit_get_internal(struct net_context *c, } result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) { @@ -170,7 +170,7 @@ static NTSTATUS rpc_audit_set_internal(struct net_context *c, } result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) { @@ -229,7 +229,7 @@ static NTSTATUS rpc_audit_enable_internal_ext(struct rpc_pipe_client *pipe_hnd, union lsa_PolicyInformation *info = NULL; result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) { @@ -314,7 +314,7 @@ static NTSTATUS rpc_audit_list_internal(struct net_context *c, int i; result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) { diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index c2e3630641..ed0311317d 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -211,7 +211,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv) CHECK_RPC_ERR(rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &lsa_pol), "error opening lsa policy handle"); @@ -326,7 +326,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv) CHECK_RPC_ERR_DEBUG( rpccli_samr_OpenUser(pipe_hnd, mem_ctx, &domain_pol, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, user_rid, &user_pol), ("could not re-open existing user %s: %s\n", diff --git a/source3/utils/net_rpc_registry.c b/source3/utils/net_rpc_registry.c index 60274728f3..203a0cc9e3 100644 --- a/source3/utils/net_rpc_registry.c +++ b/source3/utils/net_rpc_registry.c @@ -383,7 +383,7 @@ static NTSTATUS rpc_registry_setvalue_internal(struct net_context *c, struct registry_value value; status = registry_openkey(mem_ctx, pipe_hnd, argv[0], - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &hive_hnd, &key_hnd); if (!NT_STATUS_IS_OK(status)) { d_fprintf(stderr, "registry_openkey failed: %s\n", @@ -455,7 +455,7 @@ static NTSTATUS rpc_registry_deletevalue_internal(struct net_context *c, ZERO_STRUCT(valuename); status = registry_openkey(mem_ctx, pipe_hnd, argv[0], - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &hive_hnd, &key_hnd); if (!NT_STATUS_IS_OK(status)) { d_fprintf(stderr, "registry_openkey failed: %s\n", @@ -516,7 +516,7 @@ static NTSTATUS rpc_registry_getvalue_internal(struct net_context *c, ZERO_STRUCT(valuename); status = registry_openkey(tmp_ctx, pipe_hnd, argv[0], - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &hive_hnd, &key_hnd); if (!NT_STATUS_IS_OK(status)) { d_fprintf(stderr, "registry_openkey failed: %s\n", @@ -657,7 +657,7 @@ static NTSTATUS rpc_registry_createkey_internal(struct net_context *c, } status = rpccli_winreg_Connect(pipe_hnd, mem_ctx, hive, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &hive_hnd); if (!(NT_STATUS_IS_OK(status))) { return status; @@ -727,7 +727,7 @@ static NTSTATUS rpc_registry_deletekey_internal(struct net_context *c, } status = rpccli_winreg_Connect(pipe_hnd, mem_ctx, hive, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &hive_hnd); if (!(NT_STATUS_IS_OK(status))) { return status; diff --git a/source3/utils/net_rpc_rights.c b/source3/utils/net_rpc_rights.c index 10166b6d2b..abf70e7ea2 100644 --- a/source3/utils/net_rpc_rights.c +++ b/source3/utils/net_rpc_rights.c @@ -34,7 +34,7 @@ static NTSTATUS sid_to_name(struct rpc_pipe_client *pipe_hnd, char **domains = NULL, **names = NULL; result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, &pol); + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if ( !NT_STATUS_IS_OK(result) ) return result; @@ -70,7 +70,7 @@ static NTSTATUS name_to_sid(struct rpc_pipe_client *pipe_hnd, } result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, &pol); + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if ( !NT_STATUS_IS_OK(result) ) return result; @@ -328,7 +328,7 @@ static NTSTATUS rpc_rights_list_internal(struct net_context *c, uint16 lang_id_desc; result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, &pol); + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if ( !NT_STATUS_IS_OK(result) ) return result; @@ -456,7 +456,7 @@ static NTSTATUS rpc_rights_grant_internal(struct net_context *c, goto done; result = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &dom_pol); if (!NT_STATUS_IS_OK(result)) @@ -522,7 +522,7 @@ static NTSTATUS rpc_rights_revoke_internal(struct net_context *c, return result; result = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &dom_pol); if (!NT_STATUS_IS_OK(result)) diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c index 2915ffb809..8bf9aac6f2 100644 --- a/source3/utils/net_util.c +++ b/source3/utils/net_util.c @@ -45,7 +45,7 @@ NTSTATUS net_rpc_lookup_name(struct net_context *c, } result = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, false, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) { d_fprintf(stderr, "open_policy failed: %s\n", diff --git a/source3/utils/netlookup.c b/source3/utils/netlookup.c index dd0efa4142..af219eb93c 100644 --- a/source3/utils/netlookup.c +++ b/source3/utils/netlookup.c @@ -131,7 +131,7 @@ static struct con_struct *create_cs(struct net_context *c, } nt_status = rpccli_lsa_open_policy(cs->lsapipe, ctx, true, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &cs->pol); if (!NT_STATUS_IS_OK(nt_status)) { diff --git a/source3/utils/smbcquotas.c b/source3/utils/smbcquotas.c index 78260acf76..1425d428ec 100644 --- a/source3/utils/smbcquotas.c +++ b/source3/utils/smbcquotas.c @@ -62,7 +62,7 @@ static bool cli_open_policy_hnd(void) if (!got_policy_hnd) { - /* Some systems don't support SEC_RIGHTS_MAXIMUM_ALLOWED, + /* Some systems don't support SEC_FLAG_MAXIMUM_ALLOWED, but NT sends 0x2000000 so we might as well do it too. */ if (!NT_STATUS_IS_OK(rpccli_lsa_open_policy(global_pipe_hnd, talloc_tos(), True, diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 9cf4597595..b59a391029 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -1852,7 +1852,7 @@ no_dssetup: } result = rpccli_lsa_open_policy2(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, &pol); + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (NT_STATUS_IS_OK(result)) { /* This particular query is exactly what Win2k clients use @@ -1894,7 +1894,7 @@ no_dssetup: domain->active_directory = False; result = rpccli_lsa_open_policy(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &pol); if (!NT_STATUS_IS_OK(result)) { @@ -2068,7 +2068,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx, conn->samr_pipe->desthost, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &conn->sam_connect_handle); if (NT_STATUS_IS_OK(result)) { goto open_domain; @@ -2103,7 +2103,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx, conn->samr_pipe->desthost, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &conn->sam_connect_handle); if (NT_STATUS_IS_OK(result)) { goto open_domain; @@ -2125,7 +2125,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx, conn->samr_pipe->desthost, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &conn->sam_connect_handle); if (!NT_STATUS_IS_OK(result)) { DEBUG(10,("cm_connect_sam: rpccli_samr_Connect2 failed " @@ -2138,7 +2138,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, result = rpccli_samr_OpenDomain(conn->samr_pipe, mem_ctx, &conn->sam_connect_handle, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &domain->sid, &conn->sam_domain_handle); @@ -2203,7 +2203,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, domain->name, conn->cli->domain, conn->cli->user_name )); result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &conn->lsa_policy); if (NT_STATUS_IS_OK(result)) { goto done; @@ -2239,7 +2239,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, "schannel.\n", domain->name )); result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &conn->lsa_policy); if (NT_STATUS_IS_OK(result)) { goto done; @@ -2261,7 +2261,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, } result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, &conn->lsa_policy); done: if (!NT_STATUS_IS_OK(result)) { diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c index 5edb0d98b0..50ccbae6b2 100644 --- a/source3/winbindd/winbindd_rpc.c +++ b/source3/winbindd/winbindd_rpc.c @@ -525,7 +525,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain, /* Get user handle */ result = rpccli_samr_OpenUser(cli, mem_ctx, &dom_pol, - SEC_RIGHTS_MAXIMUM_ALLOWED, + SEC_FLAG_MAXIMUM_ALLOWED, user_rid, &user_pol); @@ -565,7 +565,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, { NTSTATUS result = NT_STATUS_UNSUCCESSFUL; struct policy_handle dom_pol, user_pol; - uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED; + uint32 des_access = SEC_FLAG_MAXIMUM_ALLOWED; struct samr_RidWithAttributeArray *rid_array = NULL; unsigned int i; uint32 user_rid; @@ -746,7 +746,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, NTSTATUS result = NT_STATUS_UNSUCCESSFUL; uint32 i, total_names = 0; struct policy_handle dom_pol, group_pol; - uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED; + uint32 des_access = SEC_FLAG_MAXIMUM_ALLOWED; uint32 *rid_mem = NULL; uint32 group_rid; unsigned int j, r; -- cgit From 1bb093aea9a4c5996514b10adc39a130cc6859ba Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 15 Apr 2009 01:16:41 +0200 Subject: s3-secdesc: use SEC_FLAG_MAXIMUM_ALLOWED instead of SEC_RIGHT_MAXIMUM_ALLOWED. Guenther --- source3/utils/net_registry.c | 2 +- source3/utils/net_rpc_registry.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/source3/utils/net_registry.c b/source3/utils/net_registry.c index e2f410b9ac..a504bcfd0b 100644 --- a/source3/utils/net_registry.c +++ b/source3/utils/net_registry.c @@ -411,7 +411,7 @@ static int net_registry_getsd(struct net_context *c, int argc, struct security_descriptor *secdesc = NULL; TALLOC_CTX *ctx = talloc_stackframe(); uint32_t access_mask = REG_KEY_READ | - SEC_RIGHT_MAXIMUM_ALLOWED | + SEC_FLAG_MAXIMUM_ALLOWED | SEC_RIGHT_SYSTEM_SECURITY; /* diff --git a/source3/utils/net_rpc_registry.c b/source3/utils/net_rpc_registry.c index 203a0cc9e3..3076866a3a 100644 --- a/source3/utils/net_rpc_registry.c +++ b/source3/utils/net_rpc_registry.c @@ -1147,7 +1147,7 @@ static NTSTATUS rpc_registry_getsd_internal(struct net_context *c, DATA_BLOB blob; struct security_descriptor sec_desc; uint32_t access_mask = REG_KEY_READ | - SEC_RIGHT_MAXIMUM_ALLOWED | + SEC_FLAG_MAXIMUM_ALLOWED | SEC_RIGHT_SYSTEM_SECURITY; if (argc <1 || argc > 2 || c->display_usage) { -- cgit From da92e54236293460e307edd52ca7f1e20c6f23ef Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 15 Apr 2009 01:19:30 +0200 Subject: s3-secdesc: use SEC_FLAG_SYSTEM_SECURITY instead of SEC_RIGHT_SYSTEM_SECURITY. Guenther --- source3/smbd/open.c | 8 ++++---- source3/utils/net_registry.c | 4 ++-- source3/utils/net_rpc_registry.c | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/source3/smbd/open.c b/source3/smbd/open.c index 451461744b..a0ae82a73c 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -2400,9 +2400,9 @@ static NTSTATUS open_directory(connection_struct *conn, } /* We need to support SeSecurityPrivilege for this. */ - if (access_mask & SEC_RIGHT_SYSTEM_SECURITY) { + if (access_mask & SEC_FLAG_SYSTEM_SECURITY) { DEBUG(10, ("open_directory: open on %s " - "failed - SEC_RIGHT_SYSTEM_SECURITY denied.\n", + "failed - SEC_FLAG_SYSTEM_SECURITY denied.\n", fname)); return NT_STATUS_PRIVILEGE_NOT_HELD; } @@ -2946,7 +2946,7 @@ static NTSTATUS create_file_unixpath(connection_struct *conn, #if 0 /* We need to support SeSecurityPrivilege for this. */ - if ((access_mask & SEC_RIGHT_SYSTEM_SECURITY) && + if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) && !user_has_privileges(current_user.nt_user_token, &se_security)) { status = NT_STATUS_PRIVILEGE_NOT_HELD; @@ -2954,7 +2954,7 @@ static NTSTATUS create_file_unixpath(connection_struct *conn, } #else /* We need to support SeSecurityPrivilege for this. */ - if (access_mask & SEC_RIGHT_SYSTEM_SECURITY) { + if (access_mask & SEC_FLAG_SYSTEM_SECURITY) { status = NT_STATUS_PRIVILEGE_NOT_HELD; goto fail; } diff --git a/source3/utils/net_registry.c b/source3/utils/net_registry.c index a504bcfd0b..d6cdd982c3 100644 --- a/source3/utils/net_registry.c +++ b/source3/utils/net_registry.c @@ -412,10 +412,10 @@ static int net_registry_getsd(struct net_context *c, int argc, TALLOC_CTX *ctx = talloc_stackframe(); uint32_t access_mask = REG_KEY_READ | SEC_FLAG_MAXIMUM_ALLOWED | - SEC_RIGHT_SYSTEM_SECURITY; + SEC_FLAG_SYSTEM_SECURITY; /* - * net_rpc_regsitry uses SEC_RIGHT_SYSTEM_SECURITY, but access + * net_rpc_regsitry uses SEC_FLAG_SYSTEM_SECURITY, but access * is denied with these perms right now... */ access_mask = REG_KEY_READ; diff --git a/source3/utils/net_rpc_registry.c b/source3/utils/net_rpc_registry.c index 3076866a3a..cad605fdde 100644 --- a/source3/utils/net_rpc_registry.c +++ b/source3/utils/net_rpc_registry.c @@ -1148,7 +1148,7 @@ static NTSTATUS rpc_registry_getsd_internal(struct net_context *c, struct security_descriptor sec_desc; uint32_t access_mask = REG_KEY_READ | SEC_FLAG_MAXIMUM_ALLOWED | - SEC_RIGHT_SYSTEM_SECURITY; + SEC_FLAG_SYSTEM_SECURITY; if (argc <1 || argc > 2 || c->display_usage) { d_printf("Usage: net rpc registry getsd \n"); -- cgit From 38264bb3b86a3c9da941070f29ec08227c471d2b Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 15 Apr 2009 01:30:12 +0200 Subject: s3-secdesc: move all winreg access bits to IDL. Guenther --- librpc/gen_ndr/winreg.h | 4 ++++ librpc/idl/winreg.idl | 20 ++++++++++++++++++++ source3/include/rpc_secdes.h | 35 ----------------------------------- source3/lib/smbconf/smbconf_reg.c | 2 +- source3/registry/reg_api.c | 28 ++++++++++++++-------------- source3/rpcclient/cmd_test.c | 2 +- source3/utils/net_rpc.c | 6 +++--- 7 files changed, 43 insertions(+), 54 deletions(-) diff --git a/librpc/gen_ndr/winreg.h b/librpc/gen_ndr/winreg.h index e0300fd0e7..103817c466 100644 --- a/librpc/gen_ndr/winreg.h +++ b/librpc/gen_ndr/winreg.h @@ -9,6 +9,10 @@ #ifndef _HEADER_winreg #define _HEADER_winreg +#define REG_KEY_READ ( (STANDARD_RIGHTS_READ_ACCESS|KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY) ) +#define REG_KEY_EXECUTE ( REG_KEY_READ ) +#define REG_KEY_WRITE ( (STANDARD_RIGHTS_WRITE_ACCESS|KEY_SET_VALUE|KEY_CREATE_SUB_KEY) ) +#define REG_KEY_ALL ( (STANDARD_RIGHTS_REQUIRED_ACCESS|REG_KEY_READ|REG_KEY_WRITE|KEY_CREATE_LINK) ) /* bitmap winreg_AccessMask */ #define KEY_QUERY_VALUE ( 0x00001 ) #define KEY_SET_VALUE ( 0x00002 ) diff --git a/librpc/idl/winreg.idl b/librpc/idl/winreg.idl index b905bdea7b..18b5edcb5d 100644 --- a/librpc/idl/winreg.idl +++ b/librpc/idl/winreg.idl @@ -14,6 +14,10 @@ import "lsa.idl", "security.idl"; { typedef bitmap security_secinfo security_secinfo; + /* + * Access Bits for registry ACLS + */ + typedef [bitmap32bit] bitmap { KEY_QUERY_VALUE = 0x00001, KEY_SET_VALUE = 0x00002, @@ -25,6 +29,22 @@ import "lsa.idl", "security.idl"; KEY_WOW64_32KEY = 0x00200 } winreg_AccessMask; + const int REG_KEY_READ = ( STANDARD_RIGHTS_READ_ACCESS | + KEY_QUERY_VALUE | + KEY_ENUMERATE_SUB_KEYS | + KEY_NOTIFY); + + const int REG_KEY_EXECUTE = REG_KEY_READ; + + const int REG_KEY_WRITE = ( STANDARD_RIGHTS_WRITE_ACCESS | + KEY_SET_VALUE | + KEY_CREATE_SUB_KEY); + + const int REG_KEY_ALL = ( STANDARD_RIGHTS_REQUIRED_ACCESS | + REG_KEY_READ | + REG_KEY_WRITE | + KEY_CREATE_LINK); + typedef [public,v1_enum] enum { REG_NONE = 0, REG_SZ = 1, diff --git a/source3/include/rpc_secdes.h b/source3/include/rpc_secdes.h index c74d621f35..1ce3f84600 100644 --- a/source3/include/rpc_secdes.h +++ b/source3/include/rpc_secdes.h @@ -194,39 +194,4 @@ struct standard_mapping { SA_RIGHT_FILE_WRITE_DATA | \ SA_RIGHT_FILE_READ_DATA) -/* - * Access Bits for registry ACLS - */ - -/* used by registry ACLs */ - -#define SEC_RIGHTS_QUERY_VALUE 0x00000001 -#define SEC_RIGHTS_SET_VALUE 0x00000002 -#define SEC_RIGHTS_CREATE_SUBKEY 0x00000004 -#define SEC_RIGHTS_ENUM_SUBKEYS 0x00000008 -#define SEC_RIGHTS_NOTIFY 0x00000010 -#define SEC_RIGHTS_CREATE_LINK 0x00000020 -#define SEC_RIGHTS_MAXIMUM_ALLOWED 0x02000000 - - -#define REG_KEY_READ \ - ( STANDARD_RIGHTS_READ_ACCESS |\ - SEC_RIGHTS_QUERY_VALUE |\ - SEC_RIGHTS_ENUM_SUBKEYS |\ - SEC_RIGHTS_NOTIFY ) - -#define REG_KEY_EXECUTE REG_KEY_READ - -#define REG_KEY_WRITE \ - ( STANDARD_RIGHTS_WRITE_ACCESS |\ - SEC_RIGHTS_SET_VALUE |\ - SEC_RIGHTS_CREATE_SUBKEY ) - -#define REG_KEY_ALL \ - ( STANDARD_RIGHTS_REQUIRED_ACCESS |\ - REG_KEY_READ |\ - REG_KEY_WRITE |\ - SEC_RIGHTS_CREATE_LINK ) - - #endif /* _RPC_SECDES_H */ diff --git a/source3/lib/smbconf/smbconf_reg.c b/source3/lib/smbconf/smbconf_reg.c index 0ecac97575..54ce5348a7 100644 --- a/source3/lib/smbconf/smbconf_reg.c +++ b/source3/lib/smbconf/smbconf_reg.c @@ -567,7 +567,7 @@ static WERROR smbconf_reg_init(struct smbconf_ctx *ctx, const char *path) } werr = reg_open_path(ctx, ctx->path, - SEC_RIGHTS_ENUM_SUBKEYS | REG_KEY_WRITE, + KEY_ENUMERATE_SUB_KEYS | REG_KEY_WRITE, token, &rpd(ctx)->base_key); if (!W_ERROR_IS_OK(werr)) { goto done; diff --git a/source3/registry/reg_api.c b/source3/registry/reg_api.c index c1a78c14dc..817d43be6b 100644 --- a/source3/registry/reg_api.c +++ b/source3/registry/reg_api.c @@ -272,7 +272,7 @@ WERROR reg_openkey(TALLOC_CTX *mem_ctx, struct registry_key *parent, err = regkey_open_onelevel(mem_ctx, direct_parent, name_component, parent->token, - SEC_RIGHTS_ENUM_SUBKEYS, &tmp); + KEY_ENUMERATE_SUB_KEYS, &tmp); SAFE_FREE(name_component); if (!W_ERROR_IS_OK(err)) { @@ -301,7 +301,7 @@ WERROR reg_enumkey(TALLOC_CTX *mem_ctx, struct registry_key *key, { WERROR err; - if (!(key->key->access_granted & SEC_RIGHTS_ENUM_SUBKEYS)) { + if (!(key->key->access_granted & KEY_ENUMERATE_SUB_KEYS)) { return WERR_ACCESS_DENIED; } @@ -332,7 +332,7 @@ WERROR reg_enumvalue(TALLOC_CTX *mem_ctx, struct registry_key *key, struct registry_value *val; WERROR err; - if (!(key->key->access_granted & SEC_RIGHTS_QUERY_VALUE)) { + if (!(key->key->access_granted & KEY_QUERY_VALUE)) { return WERR_ACCESS_DENIED; } @@ -370,7 +370,7 @@ WERROR reg_queryvalue(TALLOC_CTX *mem_ctx, struct registry_key *key, WERROR err; uint32 i; - if (!(key->key->access_granted & SEC_RIGHTS_QUERY_VALUE)) { + if (!(key->key->access_granted & KEY_QUERY_VALUE)) { return WERR_ACCESS_DENIED; } @@ -399,7 +399,7 @@ WERROR reg_queryinfokey(struct registry_key *key, uint32_t *num_subkeys, WERROR err; struct security_descriptor *secdesc; - if (!(key->key->access_granted & SEC_RIGHTS_QUERY_VALUE)) { + if (!(key->key->access_granted & KEY_QUERY_VALUE)) { return WERR_ACCESS_DENIED; } @@ -483,7 +483,7 @@ WERROR reg_createkey(TALLOC_CTX *ctx, struct registry_key *parent, *end = '\0'; err = reg_createkey(mem_ctx, key, path, - SEC_RIGHTS_ENUM_SUBKEYS, &tmp, &action); + KEY_ENUMERATE_SUB_KEYS, &tmp, &action); if (!W_ERROR_IS_OK(err)) { goto done; } @@ -521,7 +521,7 @@ WERROR reg_createkey(TALLOC_CTX *ctx, struct registry_key *parent, * with ENUM_SUBKEY access. */ - err = reg_openkey(mem_ctx, key, "", SEC_RIGHTS_CREATE_SUBKEY, + err = reg_openkey(mem_ctx, key, "", KEY_CREATE_SUB_KEY, &create_parent); if (!W_ERROR_IS_OK(err)) { goto done; @@ -582,7 +582,7 @@ WERROR reg_deletekey(struct registry_key *parent, const char *path) *end = '\0'; err = reg_openkey(mem_ctx, parent, name, - SEC_RIGHTS_CREATE_SUBKEY, &tmp_key); + KEY_CREATE_SUB_KEY, &tmp_key); W_ERROR_NOT_OK_GOTO_DONE(err); parent = tmp_key; @@ -608,7 +608,7 @@ WERROR reg_setvalue(struct registry_key *key, const char *name, DATA_BLOB value_data; int res; - if (!(key->key->access_granted & SEC_RIGHTS_SET_VALUE)) { + if (!(key->key->access_granted & KEY_SET_VALUE)) { return WERR_ACCESS_DENIED; } @@ -655,7 +655,7 @@ WERROR reg_deletevalue(struct registry_key *key, const char *name) { WERROR err; - if (!(key->key->access_granted & SEC_RIGHTS_SET_VALUE)) { + if (!(key->key->access_granted & KEY_SET_VALUE)) { return WERR_ACCESS_DENIED; } @@ -982,7 +982,7 @@ WERROR reg_deleteallvalues(struct registry_key *key) WERROR err; int i; - if (!(key->key->access_granted & SEC_RIGHTS_SET_VALUE)) { + if (!(key->key->access_granted & KEY_SET_VALUE)) { return WERR_ACCESS_DENIED; } @@ -1038,7 +1038,7 @@ WERROR reg_open_path(TALLOC_CTX *mem_ctx, const char *orig_path, *p = '\0'; - err = reg_openhive(mem_ctx, path, SEC_RIGHTS_ENUM_SUBKEYS, token, + err = reg_openhive(mem_ctx, path, KEY_ENUMERATE_SUB_KEYS, token, &hive); if (!W_ERROR_IS_OK(err)) { SAFE_FREE(path); @@ -1209,7 +1209,7 @@ WERROR reg_create_path(TALLOC_CTX *mem_ctx, const char *orig_path, err = reg_openhive(mem_ctx, path, (strchr(p+1, '\\') != NULL) ? - SEC_RIGHTS_ENUM_SUBKEYS : SEC_RIGHTS_CREATE_SUBKEY, + KEY_ENUMERATE_SUB_KEYS : KEY_CREATE_SUB_KEY, token, &hive); if (!W_ERROR_IS_OK(err)) { SAFE_FREE(path); @@ -1249,7 +1249,7 @@ WERROR reg_delete_path(const struct nt_user_token *token, err = reg_openhive(NULL, path, (strchr(p+1, '\\') != NULL) ? - SEC_RIGHTS_ENUM_SUBKEYS : SEC_RIGHTS_CREATE_SUBKEY, + KEY_ENUMERATE_SUB_KEYS : KEY_CREATE_SUB_KEY, token, &hive); if (!W_ERROR_IS_OK(err)) { SAFE_FREE(path); diff --git a/source3/rpcclient/cmd_test.c b/source3/rpcclient/cmd_test.c index b7be038539..85e90a19b5 100644 --- a/source3/rpcclient/cmd_test.c +++ b/source3/rpcclient/cmd_test.c @@ -45,7 +45,7 @@ static NTSTATUS cmd_testme(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, } status = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, False, - SEC_RIGHTS_QUERY_VALUE, &pol); + KEY_QUERY_VALUE, &pol); if (!NT_STATUS_IS_OK(status)) goto done; diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c index 845ceca573..29e2f4f05d 100644 --- a/source3/utils/net_rpc.c +++ b/source3/utils/net_rpc.c @@ -5596,7 +5596,7 @@ static int rpc_trustdom_establish(struct net_context *c, int argc, return -1; } - nt_status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, true, SEC_RIGHTS_QUERY_VALUE, + nt_status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, true, KEY_QUERY_VALUE, &connect_hnd); if (NT_STATUS_IS_ERR(nt_status)) { DEBUG(0, ("Couldn't open policy handle. Error was %s\n", @@ -5854,7 +5854,7 @@ static int rpc_trustdom_vampire(struct net_context *c, int argc, return -1; }; - nt_status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, false, SEC_RIGHTS_QUERY_VALUE, + nt_status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, false, KEY_QUERY_VALUE, &connect_hnd); if (NT_STATUS_IS_ERR(nt_status)) { DEBUG(0, ("Couldn't open policy handle. Error was %s\n", @@ -6011,7 +6011,7 @@ static int rpc_trustdom_list(struct net_context *c, int argc, const char **argv) return -1; }; - nt_status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, false, SEC_RIGHTS_QUERY_VALUE, + nt_status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, false, KEY_QUERY_VALUE, &connect_hnd); if (NT_STATUS_IS_ERR(nt_status)) { DEBUG(0, ("Couldn't open policy handle. Error was %s\n", -- cgit From d94bbb3167f3a18d6b8a311557f228e2977249ea Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 21 Apr 2009 13:01:29 +0200 Subject: s3-secdesc: remove SEC_RIGHT_MAXIMUM_ALLOWED and SEC_RIGHT_SYSTEM_SECURITY. We had up to three incarnations of these flags in Samba3. Guenther --- source3/include/rpc_secdes.h | 3 --- 1 file changed, 3 deletions(-) diff --git a/source3/include/rpc_secdes.h b/source3/include/rpc_secdes.h index 1ce3f84600..6db3f2d7c7 100644 --- a/source3/include/rpc_secdes.h +++ b/source3/include/rpc_secdes.h @@ -121,9 +121,6 @@ struct standard_mapping { #define STANDARD_RIGHTS_MASK 0x00FF0000 #define GENERIC_RIGHTS_MASK 0xF0000000 -#define SEC_RIGHT_SYSTEM_SECURITY 0x01000000 -#define SEC_RIGHT_MAXIMUM_ALLOWED 0x02000000 - /* Generic access rights */ #define GENERIC_RIGHT_ALL_ACCESS 0x10000000 -- cgit From 512cf3ea249cef1920e897ad06a867581683c6ee Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 21 Apr 2009 12:16:58 +0200 Subject: Fix samr_SetSecurity --- source3/rpc_server/srv_samr_nt.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 90131e1624..0900a9bab4 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -755,15 +755,19 @@ static bool get_lsa_policy_samr_sid( pipes_struct *p, struct policy_handle *pol, NTSTATUS _samr_SetSecurity(pipes_struct *p, struct samr_SetSecurity *r) { - DOM_SID pol_sid; - uint32 acc_granted, i; + struct samr_user_info *uinfo; + uint32 i; SEC_ACL *dacl; bool ret; struct samu *sampass=NULL; NTSTATUS status; - if (!get_lsa_policy_samr_sid(p, r->in.handle, &pol_sid, &acc_granted, NULL)) - return NT_STATUS_INVALID_HANDLE; + uinfo = policy_handle_find(p, r->in.handle, + SAMR_USER_ACCESS_SET_ATTRIBUTES, NULL, + struct samr_user_info, &status); + if (!NT_STATUS_IS_OK(status)) { + return status; + } if (!(sampass = samu_new( p->mem_ctx))) { DEBUG(0,("No memory!\n")); @@ -772,18 +776,19 @@ NTSTATUS _samr_SetSecurity(pipes_struct *p, /* get the user record */ become_root(); - ret = pdb_getsampwsid(sampass, &pol_sid); + ret = pdb_getsampwsid(sampass, &uinfo->sid); unbecome_root(); if (!ret) { - DEBUG(4, ("User %s not found\n", sid_string_dbg(&pol_sid))); + DEBUG(4, ("User %s not found\n", + sid_string_dbg(&uinfo->sid))); TALLOC_FREE(sampass); return NT_STATUS_INVALID_HANDLE; } dacl = r->in.sdbuf->sd->dacl; for (i=0; i < dacl->num_aces; i++) { - if (sid_equal(&pol_sid, &dacl->aces[i].trustee)) { + if (sid_equal(&uinfo->sid, &dacl->aces[i].trustee)) { ret = pdb_set_pass_can_change(sampass, (dacl->aces[i].access_mask & SAMR_USER_ACCESS_CHANGE_PASSWORD) ? @@ -797,14 +802,9 @@ NTSTATUS _samr_SetSecurity(pipes_struct *p, return NT_STATUS_ACCESS_DENIED; } - status = access_check_samr_function(acc_granted, - SAMR_USER_ACCESS_SET_ATTRIBUTES, - "_samr_SetSecurity"); - if (NT_STATUS_IS_OK(status)) { - become_root(); - status = pdb_update_sam_account(sampass); - unbecome_root(); - } + become_root(); + status = pdb_update_sam_account(sampass); + unbecome_root(); TALLOC_FREE(sampass); -- cgit From 3f39df75d86358b59c95e51c19fddfcfd073bd94 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 21 Apr 2009 12:35:53 +0200 Subject: Fix _samr_QuerySecurity --- source3/rpc_server/srv_samr_nt.c | 125 +++++++++++++++++++++++++-------------- 1 file changed, 82 insertions(+), 43 deletions(-) diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 0900a9bab4..b9eaaee2b7 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -852,60 +852,99 @@ static bool check_change_pw_access(TALLOC_CTX *mem_ctx, DOM_SID *user_sid) NTSTATUS _samr_QuerySecurity(pipes_struct *p, struct samr_QuerySecurity *r) { + struct samr_connect_info *cinfo; + struct samr_domain_info *dinfo; + struct samr_user_info *uinfo; + struct samr_group_info *ginfo; + struct samr_alias_info *ainfo; NTSTATUS status; - DOM_SID pol_sid; SEC_DESC * psd = NULL; - uint32 acc_granted; size_t sd_size; - /* Get the SID. */ - if (!get_lsa_policy_samr_sid(p, r->in.handle, &pol_sid, &acc_granted, NULL)) - return NT_STATUS_INVALID_HANDLE; - - DEBUG(10,("_samr_QuerySecurity: querying security on SID: %s\n", - sid_string_dbg(&pol_sid))); - - status = access_check_samr_function(acc_granted, - STD_RIGHT_READ_CONTROL_ACCESS, - "_samr_QuerySecurity"); - if (!NT_STATUS_IS_OK(status)) { - return status; + cinfo = policy_handle_find(p, r->in.handle, + STD_RIGHT_READ_CONTROL_ACCESS, NULL, + struct samr_connect_info, &status); + if (NT_STATUS_IS_OK(status)) { + DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n")); + status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, + &sam_generic_mapping, NULL, 0); + goto done; } - /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */ - - /* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */ - if (pol_sid.sid_rev_num == 0) { - DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n")); - status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); - } else if (sid_equal(&pol_sid,get_global_sam_sid())) { - /* check if it is our domain SID */ + dinfo = policy_handle_find(p, r->in.handle, + STD_RIGHT_READ_CONTROL_ACCESS, NULL, + struct samr_domain_info, &status); + if (NT_STATUS_IS_OK(status)) { DEBUG(5,("_samr_QuerySecurity: querying security on Domain " - "with SID: %s\n", sid_string_dbg(&pol_sid))); - status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0); - } else if (sid_equal(&pol_sid,&global_sid_Builtin)) { - /* check if it is the Builtin Domain */ - /* TODO: Builtin probably needs a different SD with restricted write access*/ - DEBUG(5,("_samr_QuerySecurity: querying security on Builtin " - "Domain with SID: %s\n", sid_string_dbg(&pol_sid))); - status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0); - } else if (sid_check_is_in_our_domain(&pol_sid) || - sid_check_is_in_builtin(&pol_sid)) { - /* TODO: different SDs have to be generated for aliases groups and users. - Currently all three get a default user SD */ - DEBUG(10,("_samr_QuerySecurity: querying security on Object " - "with SID: %s\n", sid_string_dbg(&pol_sid))); - if (check_change_pw_access(p->mem_ctx, &pol_sid)) { - status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, - &pol_sid, SAMR_USR_RIGHTS_WRITE_PW); + "with SID: %s\n", sid_string_dbg(&dinfo->sid))); + /* + * TODO: Builtin probably needs a different SD with restricted + * write access + */ + status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, + &dom_generic_mapping, NULL, 0); + goto done; + } + + uinfo = policy_handle_find(p, r->in.handle, + STD_RIGHT_READ_CONTROL_ACCESS, NULL, + struct samr_user_info, &status); + if (NT_STATUS_IS_OK(status)) { + DEBUG(10,("_samr_QuerySecurity: querying security on user " + "Object with SID: %s\n", + sid_string_dbg(&uinfo->sid))); + if (check_change_pw_access(p->mem_ctx, &uinfo->sid)) { + status = make_samr_object_sd( + p->mem_ctx, &psd, &sd_size, + &usr_generic_mapping, + &uinfo->sid, SAMR_USR_RIGHTS_WRITE_PW); } else { - status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_nopwchange_generic_mapping, - &pol_sid, SAMR_USR_RIGHTS_CANT_WRITE_PW); + status = make_samr_object_sd( + p->mem_ctx, &psd, &sd_size, + &usr_nopwchange_generic_mapping, + &uinfo->sid, SAMR_USR_RIGHTS_CANT_WRITE_PW); } - } else { - return NT_STATUS_OBJECT_TYPE_MISMATCH; + goto done; } + ginfo = policy_handle_find(p, r->in.handle, + STD_RIGHT_READ_CONTROL_ACCESS, NULL, + struct samr_group_info, &status); + if (NT_STATUS_IS_OK(status)) { + /* + * TODO: different SDs have to be generated for aliases groups + * and users. Currently all three get a default user SD + */ + DEBUG(10,("_samr_QuerySecurity: querying security on group " + "Object with SID: %s\n", + sid_string_dbg(&ginfo->sid))); + status = make_samr_object_sd( + p->mem_ctx, &psd, &sd_size, + &usr_nopwchange_generic_mapping, + &ginfo->sid, SAMR_USR_RIGHTS_CANT_WRITE_PW); + goto done; + } + + ainfo = policy_handle_find(p, r->in.handle, + STD_RIGHT_READ_CONTROL_ACCESS, NULL, + struct samr_alias_info, &status); + if (NT_STATUS_IS_OK(status)) { + /* + * TODO: different SDs have to be generated for aliases groups + * and users. Currently all three get a default user SD + */ + DEBUG(10,("_samr_QuerySecurity: querying security on alias " + "Object with SID: %s\n", + sid_string_dbg(&ainfo->sid))); + status = make_samr_object_sd( + p->mem_ctx, &psd, &sd_size, + &usr_nopwchange_generic_mapping, + &ainfo->sid, SAMR_USR_RIGHTS_CANT_WRITE_PW); + goto done; + } + + return NT_STATUS_OBJECT_TYPE_MISMATCH; +done: if ((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL) return NT_STATUS_NO_MEMORY; -- cgit From 4024abb0a80e5ec10dd2f86b378bcea89b919050 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 21 Apr 2009 12:37:47 +0200 Subject: Remove "struct samr_info" --- source3/rpc_server/srv_samr_nt.c | 108 --------------------------------------- 1 file changed, 108 deletions(-) diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index b9eaaee2b7..a651cd21e2 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -84,17 +84,6 @@ typedef struct disp_info { * handler. */ } DISP_INFO; -/* We keep a static list of these by SID as modern clients close down - all resources between each request in a complete enumeration. */ - -struct samr_info { - /* for use by the \PIPE\samr policy */ - DOM_SID sid; - uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */ - uint32 acc_granted; - DISP_INFO *disp_info; -}; - static const struct generic_mapping sam_generic_mapping = { GENERIC_RIGHTS_SAM_READ, GENERIC_RIGHTS_SAM_WRITE, @@ -240,36 +229,6 @@ done: return status; } -/******************************************************************* - Checks if access to a function can be granted -********************************************************************/ - -static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug) -{ - DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n", - debug, acc_granted, acc_required)); - - /* check the security descriptor first */ - - if ( (acc_granted&acc_required) == acc_required ) - return NT_STATUS_OK; - - /* give root a free pass */ - - if (geteuid() == sec_initial_uid()) { - - DEBUG(4,("%s: ACCESS should be DENIED (granted: %#010x; required: %#010x)\n", - debug, acc_granted, acc_required)); - DEBUGADD(4,("but overwritten by euid == 0\n")); - - return NT_STATUS_OK; - } - - DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: %#010x)\n", - debug, acc_granted, acc_required)); - - return NT_STATUS_ACCESS_DENIED; -} /******************************************************************* Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set. @@ -386,37 +345,6 @@ static DISP_INFO *get_samr_dispinfo_by_sid(const struct dom_sid *psid) return NULL; } -/******************************************************************* - Create a samr_info struct. -********************************************************************/ - -static int samr_info_destructor(struct samr_info *info); - -static struct samr_info *get_samr_info_by_sid(TALLOC_CTX *mem_ctx, - DOM_SID *psid) -{ - struct samr_info *info; - - info = talloc_zero(mem_ctx, struct samr_info); - if (info == NULL) { - return NULL; - } - talloc_set_destructor(info, samr_info_destructor); - - DEBUG(10, ("get_samr_info_by_sid: created new info for sid %s\n", - sid_string_dbg(psid))); - - if (psid) { - sid_copy( &info->sid, psid); - } else { - DEBUG(10,("get_samr_info_by_sid: created new info for NULL sid.\n")); - } - - info->disp_info = get_samr_dispinfo_by_sid(psid); - - return info; -} - /******************************************************************* Function to free the per SID data. ********************************************************************/ @@ -440,17 +368,6 @@ static void free_samr_cache(DISP_INFO *disp_info) unbecome_root(); } -static int samr_info_destructor(struct samr_info *info) -{ - /* Only free the dispinfo cache if no one bothered to set up - a timeout. */ - - if (info->disp_info && info->disp_info->cache_timeout_event == NULL) { - free_samr_cache(info->disp_info); - } - return 0; -} - /******************************************************************* Idle event handler. Throw away the disp info cache. ********************************************************************/ @@ -723,31 +640,6 @@ NTSTATUS _samr_GetUserPwInfo(pipes_struct *p, return NT_STATUS_OK; } -/******************************************************************* -********************************************************************/ - -static bool get_lsa_policy_samr_sid( pipes_struct *p, struct policy_handle *pol, - DOM_SID *sid, uint32 *acc_granted, - DISP_INFO **ppdisp_info) -{ - struct samr_info *info = NULL; - - /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, pol, (void **)(void *)&info)) - return False; - - if (!info) - return False; - - *sid = info->sid; - *acc_granted = info->acc_granted; - if (ppdisp_info) { - *ppdisp_info = info->disp_info; - } - - return True; -} - /******************************************************************* _samr_SetSecurity ********************************************************************/ -- cgit From dfc79de607e94179114a8e1d0b0e56117f34595b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 21 Apr 2009 05:52:34 -0700 Subject: Make cli_mkdir async. Change it to return NTSTATUS. Jeremy. --- source3/client/client.c | 2 +- source3/client/clitar.c | 2 +- source3/include/proto.h | 2 +- source3/libsmb/clifile.c | 110 ++++++++++++++++++++++++++++++++++++++++ source3/libsmb/libsmb_dir.c | 3 +- source3/torture/mangle_test.c | 2 +- source3/torture/torture.c | 10 ++-- source3/torture/utable.c | 2 +- source3/utils/net_rpc_printer.c | 4 +- 9 files changed, 123 insertions(+), 14 deletions(-) diff --git a/source3/client/client.c b/source3/client/client.c index fcb9b27f1f..d74de35bc5 100644 --- a/source3/client/client.c +++ b/source3/client/client.c @@ -1389,7 +1389,7 @@ static bool do_mkdir(const char *name) return false; } - if (!cli_mkdir(targetcli, targetname)) { + if (!NT_STATUS_IS_OK(cli_mkdir(targetcli, targetname))) { d_printf("%s making remote directory %s\n", cli_errstr(targetcli),name); return false; diff --git a/source3/client/clitar.c b/source3/client/clitar.c index c9f3e87c4d..7512583e19 100644 --- a/source3/client/clitar.c +++ b/source3/client/clitar.c @@ -555,7 +555,7 @@ static bool ensurepath(const char *fname) safe_strcat(partpath, p, strlen(fname) + 1); if (!cli_chkpath(cli, partpath)) { - if (!cli_mkdir(cli, partpath)) { + if (!NT_STATUS_IS_OK(cli_mkdir(cli, partpath))) { SAFE_FREE(partpath); SAFE_FREE(ffname); DEBUG(0, ("Error mkdir %s\n", cli_errstr(cli))); diff --git a/source3/include/proto.h b/source3/include/proto.h index fa6dafa1b0..3ddbf6f3b9 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -2338,7 +2338,7 @@ bool cli_ntrename(struct cli_state *cli, const char *fname_src, const char *fnam bool cli_nt_hardlink(struct cli_state *cli, const char *fname_src, const char *fname_dst); bool cli_unlink_full(struct cli_state *cli, const char *fname, uint16 attrs); bool cli_unlink(struct cli_state *cli, const char *fname); -bool cli_mkdir(struct cli_state *cli, const char *dname); +NTSTATUS cli_mkdir(struct cli_state *cli, const char *dname); bool cli_rmdir(struct cli_state *cli, const char *dname); int cli_nt_delete_on_close(struct cli_state *cli, int fnum, bool flag); int cli_nt_create_full(struct cli_state *cli, const char *fname, diff --git a/source3/libsmb/clifile.c b/source3/libsmb/clifile.c index 0a1168fd0f..5be18366b9 100644 --- a/source3/libsmb/clifile.c +++ b/source3/libsmb/clifile.c @@ -596,6 +596,7 @@ bool cli_unlink(struct cli_state *cli, const char *fname) return cli_unlink_full(cli, fname, aSYSTEM | aHIDDEN); } +#if 0 /**************************************************************************** Create a directory. ****************************************************************************/ @@ -631,6 +632,115 @@ bool cli_mkdir(struct cli_state *cli, const char *dname) return True; } +#endif + +/**************************************************************************** + Create a directory. +****************************************************************************/ + +static void cli_mkdir_done(struct tevent_req *subreq); + +struct cli_mkdir_state { + int dummy; +}; + +struct tevent_req *cli_mkdir_send(TALLOC_CTX *mem_ctx, + struct event_context *ev, + struct cli_state *cli, + const char *dname) +{ + struct tevent_req *req = NULL, *subreq = NULL; + struct cli_mkdir_state *state = NULL; + uint8_t additional_flags = 0; + uint8_t *bytes = NULL; + + req = tevent_req_create(mem_ctx, &state, struct cli_mkdir_state); + if (req == NULL) { + return NULL; + } + + bytes = talloc_array(state, uint8_t, 1); + if (!bytes) { + return NULL; + } + bytes[0] = 4; + bytes = smb_bytes_push_str(bytes, cli_ucs2(cli), dname, + strlen(dname)+1, NULL); + + if (tevent_req_nomem(bytes, req)) { + return tevent_req_post(req, ev); + } + + subreq = cli_smb_send(state, ev, cli, SMBmkdir, additional_flags, + 0, NULL, talloc_get_size(bytes), bytes); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + tevent_req_set_callback(subreq, cli_mkdir_done, req); + return req; +} + +static void cli_mkdir_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + NTSTATUS status; + + status = cli_smb_recv(subreq, 0, NULL, NULL, NULL, NULL); + TALLOC_FREE(subreq); + if (!NT_STATUS_IS_OK(status)) { + tevent_req_nterror(req, status); + return; + } + tevent_req_done(req); +} + +NTSTATUS cli_mkdir_recv(struct tevent_req *req) +{ + return tevent_req_simple_recv_ntstatus(req); +} + +NTSTATUS cli_mkdir(struct cli_state *cli, const char *dname) +{ + TALLOC_CTX *frame = talloc_stackframe(); + struct event_context *ev; + struct tevent_req *req; + NTSTATUS status = NT_STATUS_OK; + + if (cli_has_async_calls(cli)) { + /* + * Can't use sync call while an async call is in flight + */ + status = NT_STATUS_INVALID_PARAMETER; + goto fail; + } + + ev = event_context_init(frame); + if (ev == NULL) { + status = NT_STATUS_NO_MEMORY; + goto fail; + } + + req = cli_mkdir_send(frame, ev, cli, dname); + if (req == NULL) { + status = NT_STATUS_NO_MEMORY; + goto fail; + } + + if (!tevent_req_poll(req, ev)) { + status = map_nt_error_from_unix(errno); + goto fail; + } + + status = cli_mkdir_recv(req); + + fail: + TALLOC_FREE(frame); + if (!NT_STATUS_IS_OK(status)) { + cli_set_error(cli, status); + } + return status; +} /**************************************************************************** Remove a directory. diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c index 219bbe64e1..5afc8e48b6 100644 --- a/source3/libsmb/libsmb_dir.c +++ b/source3/libsmb/libsmb_dir.c @@ -1177,8 +1177,7 @@ SMBC_mkdir_ctx(SMBCCTX *context, } /*d_printf(">>>mkdir: resolved path as %s\n", targetpath);*/ - if (!cli_mkdir(targetcli, targetpath)) { - + if (!NT_STATUS_IS_OK(cli_mkdir(targetcli, targetpath))) { errno = SMBC_errno(context, targetcli); TALLOC_FREE(frame); return -1; diff --git a/source3/torture/mangle_test.c b/source3/torture/mangle_test.c index 00457719a8..525a1eb3c3 100644 --- a/source3/torture/mangle_test.c +++ b/source3/torture/mangle_test.c @@ -180,7 +180,7 @@ bool torture_mangle(int dummy) cli_unlink(cli, "\\mangle_test\\*"); cli_rmdir(cli, "\\mangle_test"); - if (!cli_mkdir(cli, "\\mangle_test")) { + if (!NT_STATUS_IS_OK(cli_mkdir(cli, "\\mangle_test"))) { printf("ERROR: Failed to make directory\n"); return False; } diff --git a/source3/torture/torture.c b/source3/torture/torture.c index 07945fccf1..0328cfe545 100644 --- a/source3/torture/torture.c +++ b/source3/torture/torture.c @@ -2625,7 +2625,7 @@ static bool run_trans2test(int dummy) /* check if the server updates the directory modification time when creating a new file */ - if (!cli_mkdir(cli, dname)) { + if (!NT_STATUS_IS_OK(cli_mkdir(cli, dname))) { printf("ERROR: mkdir failed (%s)\n", cli_errstr(cli)); correct = False; } @@ -4584,12 +4584,12 @@ bool torture_chkpath_test(int dummy) cli_unlink(cli, "\\chkpath.dir\\*"); cli_rmdir(cli, "\\chkpath.dir"); - if (!cli_mkdir(cli, "\\chkpath.dir")) { + if (!NT_STATUS_IS_OK(cli_mkdir(cli, "\\chkpath.dir"))) { printf("mkdir1 failed : %s\n", cli_errstr(cli)); return False; } - if (!cli_mkdir(cli, "\\chkpath.dir\\dir2")) { + if (!NT_STATUS_IS_OK(cli_mkdir(cli, "\\chkpath.dir\\dir2"))) { printf("mkdir2 failed : %s\n", cli_errstr(cli)); return False; } @@ -4801,7 +4801,7 @@ static bool run_dirtest1(int dummy) for (i=0;i<1000;i++) { fstring fname; slprintf(fname, sizeof(fname), "\\LISTDIR\\d%d", i); - if (!cli_mkdir(cli, fname)) { + if (!NT_STATUS_IS_OK(cli_mkdir(cli, fname))) { fprintf(stderr,"Failed to open %s\n", fname); return False; } @@ -5279,7 +5279,7 @@ static bool run_uid_regression_test(int dummy) cli->vuid = old_vuid; /* Try an operation. */ - if (!cli_mkdir(cli, "\\uid_reg_test")) { + if (!NT_STATUS_IS_OK(cli_mkdir(cli, "\\uid_reg_test"))) { /* We expect bad uid. */ if (!check_error(__LINE__, cli, ERRSRV, ERRbaduid, NT_STATUS_NO_SUCH_USER)) { diff --git a/source3/torture/utable.c b/source3/torture/utable.c index e36b0388c4..aaa763a2a3 100644 --- a/source3/torture/utable.c +++ b/source3/torture/utable.c @@ -132,7 +132,7 @@ bool torture_casetable(int dummy) cli_unlink(cli, "\\utable\\*"); cli_rmdir(cli, "\\utable"); - if (!cli_mkdir(cli, "\\utable")) { + if (!NT_STATUS_IS_OK(cli_mkdir(cli, "\\utable"))) { printf("Failed to create utable directory!\n"); return False; } diff --git a/source3/utils/net_rpc_printer.c b/source3/utils/net_rpc_printer.c index 9721628f02..477ddf7f26 100644 --- a/source3/utils/net_rpc_printer.c +++ b/source3/utils/net_rpc_printer.c @@ -406,7 +406,7 @@ NTSTATUS net_copy_file(struct net_context *c, DEBUGADD(3,("creating dir %s on the destination server\n", dst_name)); - if (!cli_mkdir(cli_share_dst, dst_name)) { + if (!NT_STATUS_IS_OK(cli_mkdir(cli_share_dst, dst_name))) { DEBUG(0,("cannot create directory %s: %s\n", dst_name, cli_errstr(cli_share_dst))); nt_status = NT_STATUS_NO_SUCH_FILE; @@ -555,7 +555,7 @@ static NTSTATUS check_arch_dir(struct cli_state *cli_share, const char *short_ar DEBUG(10,("creating print-driver dir for architecture: %s\n", short_archi)); - if (!cli_mkdir(cli_share, dir)) { + if (!NT_STATUS_IS_OK(cli_mkdir(cli_share, dir))) { DEBUG(1,("cannot create directory %s: %s\n", dir, cli_errstr(cli_share))); nt_status = NT_STATUS_NO_SUCH_FILE; -- cgit From 3e75c9bd33f838cb3d47d58441123a22f7b8d317 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 21 Apr 2009 12:44:01 +0200 Subject: Use a static copy of the samsync header file as Samba3 doesn't generate prototype headers. --- libcli/samsync/config.mk | 4 ---- libcli/samsync/samsync.h | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 4 deletions(-) create mode 100644 libcli/samsync/samsync.h diff --git a/libcli/samsync/config.mk b/libcli/samsync/config.mk index 69f798342e..bea909e398 100644 --- a/libcli/samsync/config.mk +++ b/libcli/samsync/config.mk @@ -4,7 +4,3 @@ PUBLIC_DEPENDENCIES = \ LIBCLI_SAMSYNC_OBJ_FILES = $(addprefix $(libclicommonsrcdir)/samsync/, \ decrypt.o) - -PUBLIC_HEADERS += ../libcli/samsync/samsync.h - -$(eval $(call proto_header_template,$(libclicommonsrcdir)/samsync/samsync.h,$(LIBCLI_SAMSYNC_OBJ_FILES:.o=.c))) diff --git a/libcli/samsync/samsync.h b/libcli/samsync/samsync.h new file mode 100644 index 0000000000..df76f1b17b --- /dev/null +++ b/libcli/samsync/samsync.h @@ -0,0 +1,34 @@ +/* + Unix SMB/CIFS implementation. + + Extract the user/system database from a remote SamSync server + + Copyright (C) Guenther Deschner 2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __SAMSYNC_SAMSYNC_H__ +#define __SAMSYNC_SAMSYNC_H__ + +/** + * Fix up the delta, dealing with encryption issues so that the final + * callback need only do the printing or application logic + */ +NTSTATUS samsync_fix_delta(TALLOC_CTX *mem_ctx, + struct netlogon_creds_CredentialState *creds, + enum netr_SamDatabaseID database_id, + struct netr_DELTA_ENUM *delta); + +#endif /* __SAMSYNC_SAMSYNC_H__ */ -- cgit From 2eff2de2f81374483df99757046f1d5ee4050155 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 21 Apr 2009 14:27:25 +0200 Subject: Move the security_descriptor utility code to the top-level. --- libcli/security/config.mk | 2 +- libcli/security/security_descriptor.c | 533 ++++++++++++++++++++++++++ libcli/security/security_descriptor.h | 64 ++++ source3/Makefile.in | 2 +- source3/include/includes.h | 1 + source4/libcli/security/config.mk | 3 +- source4/libcli/security/security.h | 1 + source4/libcli/security/security_descriptor.c | 533 -------------------------- 8 files changed, 602 insertions(+), 537 deletions(-) create mode 100644 libcli/security/security_descriptor.c create mode 100644 libcli/security/security_descriptor.h delete mode 100644 source4/libcli/security/security_descriptor.c diff --git a/libcli/security/config.mk b/libcli/security/config.mk index 7ade01510c..060429bd67 100644 --- a/libcli/security/config.mk +++ b/libcli/security/config.mk @@ -2,4 +2,4 @@ PRIVATE_DEPENDENCIES = TALLOC LIBSECURITY_COMMON_OBJ_FILES = $(addprefix $(libclicommonsrcdir)/security/, \ - dom_sid.o display_sec.o secace.o secacl.o) + dom_sid.o display_sec.o secace.o secacl.o security_descriptor.o) diff --git a/libcli/security/security_descriptor.c b/libcli/security/security_descriptor.c new file mode 100644 index 0000000000..8e9c7eb4a9 --- /dev/null +++ b/libcli/security/security_descriptor.c @@ -0,0 +1,533 @@ +/* + Unix SMB/CIFS implementation. + + security descriptror utility functions + + Copyright (C) Andrew Tridgell 2004 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "includes.h" +#include "libcli/security/security.h" + +/* + return a blank security descriptor (no owners, dacl or sacl) +*/ +struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx) +{ + struct security_descriptor *sd; + + sd = talloc(mem_ctx, struct security_descriptor); + if (!sd) { + return NULL; + } + + sd->revision = SD_REVISION; + /* we mark as self relative, even though it isn't while it remains + a pointer in memory because this simplifies the ndr code later. + All SDs that we store/emit are in fact SELF_RELATIVE + */ + sd->type = SEC_DESC_SELF_RELATIVE; + + sd->owner_sid = NULL; + sd->group_sid = NULL; + sd->sacl = NULL; + sd->dacl = NULL; + + return sd; +} + +static struct security_acl *security_acl_dup(TALLOC_CTX *mem_ctx, + const struct security_acl *oacl) +{ + struct security_acl *nacl; + + nacl = talloc (mem_ctx, struct security_acl); + if (nacl == NULL) { + return NULL; + } + + nacl->aces = (struct security_ace *)talloc_memdup (nacl, oacl->aces, sizeof(struct security_ace) * oacl->num_aces); + if ((nacl->aces == NULL) && (oacl->num_aces > 0)) { + goto failed; + } + + nacl->revision = oacl->revision; + nacl->size = oacl->size; + nacl->num_aces = oacl->num_aces; + + return nacl; + + failed: + talloc_free (nacl); + return NULL; + +} + +/* + talloc and copy a security descriptor + */ +struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx, + const struct security_descriptor *osd) +{ + struct security_descriptor *nsd; + + nsd = talloc_zero(mem_ctx, struct security_descriptor); + if (!nsd) { + return NULL; + } + + if (osd->owner_sid) { + nsd->owner_sid = dom_sid_dup(nsd, osd->owner_sid); + if (nsd->owner_sid == NULL) { + goto failed; + } + } + + if (osd->group_sid) { + nsd->group_sid = dom_sid_dup(nsd, osd->group_sid); + if (nsd->group_sid == NULL) { + goto failed; + } + } + + if (osd->sacl) { + nsd->sacl = security_acl_dup(nsd, osd->sacl); + if (nsd->sacl == NULL) { + goto failed; + } + } + + if (osd->dacl) { + nsd->dacl = security_acl_dup(nsd, osd->dacl); + if (nsd->dacl == NULL) { + goto failed; + } + } + + nsd->revision = osd->revision; + nsd->type = osd->type; + + return nsd; + + failed: + talloc_free(nsd); + + return NULL; +} + +/* + add an ACE to an ACL of a security_descriptor +*/ + +static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd, + bool add_to_sacl, + const struct security_ace *ace) +{ + struct security_acl *acl = NULL; + + if (add_to_sacl) { + acl = sd->sacl; + } else { + acl = sd->dacl; + } + + if (acl == NULL) { + acl = talloc(sd, struct security_acl); + if (acl == NULL) { + return NT_STATUS_NO_MEMORY; + } + acl->revision = SECURITY_ACL_REVISION_NT4; + acl->size = 0; + acl->num_aces = 0; + acl->aces = NULL; + } + + acl->aces = talloc_realloc(acl, acl->aces, + struct security_ace, acl->num_aces+1); + if (acl->aces == NULL) { + return NT_STATUS_NO_MEMORY; + } + + acl->aces[acl->num_aces] = *ace; + + switch (acl->aces[acl->num_aces].type) { + case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: + case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: + case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT: + case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT: + acl->revision = SECURITY_ACL_REVISION_ADS; + break; + default: + break; + } + + acl->num_aces++; + + if (add_to_sacl) { + sd->sacl = acl; + sd->type |= SEC_DESC_SACL_PRESENT; + } else { + sd->dacl = acl; + sd->type |= SEC_DESC_DACL_PRESENT; + } + + return NT_STATUS_OK; +} + +/* + add an ACE to the SACL of a security_descriptor +*/ + +NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd, + const struct security_ace *ace) +{ + return security_descriptor_acl_add(sd, true, ace); +} + +/* + add an ACE to the DACL of a security_descriptor +*/ + +NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd, + const struct security_ace *ace) +{ + return security_descriptor_acl_add(sd, false, ace); +} + +/* + delete the ACE corresponding to the given trustee in an ACL of a + security_descriptor +*/ + +static NTSTATUS security_descriptor_acl_del(struct security_descriptor *sd, + bool sacl_del, + const struct dom_sid *trustee) +{ + int i; + bool found = false; + struct security_acl *acl = NULL; + + if (sacl_del) { + acl = sd->sacl; + } else { + acl = sd->dacl; + } + + if (acl == NULL) { + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + } + + /* there can be multiple ace's for one trustee */ + for (i=0;inum_aces;i++) { + if (dom_sid_equal(trustee, &acl->aces[i].trustee)) { + memmove(&acl->aces[i], &acl->aces[i+1], + sizeof(acl->aces[i]) * (acl->num_aces - (i+1))); + acl->num_aces--; + if (acl->num_aces == 0) { + acl->aces = NULL; + } + found = true; + } + } + + if (!found) { + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + } + + acl->revision = SECURITY_ACL_REVISION_NT4; + + for (i=0;inum_aces;i++) { + switch (acl->aces[i].type) { + case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: + case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: + case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT: + case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT: + acl->revision = SECURITY_ACL_REVISION_ADS; + return NT_STATUS_OK; + default: + break; /* only for the switch statement */ + } + } + + return NT_STATUS_OK; +} + +/* + delete the ACE corresponding to the given trustee in the DACL of a + security_descriptor +*/ + +NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd, + const struct dom_sid *trustee) +{ + return security_descriptor_acl_del(sd, false, trustee); +} + +/* + delete the ACE corresponding to the given trustee in the SACL of a + security_descriptor +*/ + +NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd, + const struct dom_sid *trustee) +{ + return security_descriptor_acl_del(sd, true, trustee); +} + +/* + compare two security ace structures +*/ +bool security_ace_equal(const struct security_ace *ace1, + const struct security_ace *ace2) +{ + if (ace1 == ace2) return true; + if (!ace1 || !ace2) return false; + if (ace1->type != ace2->type) return false; + if (ace1->flags != ace2->flags) return false; + if (ace1->access_mask != ace2->access_mask) return false; + if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) return false; + + return true; +} + + +/* + compare two security acl structures +*/ +bool security_acl_equal(const struct security_acl *acl1, + const struct security_acl *acl2) +{ + int i; + + if (acl1 == acl2) return true; + if (!acl1 || !acl2) return false; + if (acl1->revision != acl2->revision) return false; + if (acl1->num_aces != acl2->num_aces) return false; + + for (i=0;inum_aces;i++) { + if (!security_ace_equal(&acl1->aces[i], &acl2->aces[i])) return false; + } + return true; +} + +/* + compare two security descriptors. +*/ +bool security_descriptor_equal(const struct security_descriptor *sd1, + const struct security_descriptor *sd2) +{ + if (sd1 == sd2) return true; + if (!sd1 || !sd2) return false; + if (sd1->revision != sd2->revision) return false; + if (sd1->type != sd2->type) return false; + + if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false; + if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false; + if (!security_acl_equal(sd1->sacl, sd2->sacl)) return false; + if (!security_acl_equal(sd1->dacl, sd2->dacl)) return false; + + return true; +} + +/* + compare two security descriptors, but allow certain (missing) parts + to be masked out of the comparison +*/ +bool security_descriptor_mask_equal(const struct security_descriptor *sd1, + const struct security_descriptor *sd2, + uint32_t mask) +{ + if (sd1 == sd2) return true; + if (!sd1 || !sd2) return false; + if (sd1->revision != sd2->revision) return false; + if ((sd1->type & mask) != (sd2->type & mask)) return false; + + if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false; + if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false; + if ((mask & SEC_DESC_DACL_PRESENT) && !security_acl_equal(sd1->dacl, sd2->dacl)) return false; + if ((mask & SEC_DESC_SACL_PRESENT) && !security_acl_equal(sd1->sacl, sd2->sacl)) return false; + + return true; +} + + +static struct security_descriptor *security_descriptor_appendv(struct security_descriptor *sd, + bool add_ace_to_sacl, + va_list ap) +{ + const char *sidstr; + + while ((sidstr = va_arg(ap, const char *))) { + struct dom_sid *sid; + struct security_ace *ace = talloc(sd, struct security_ace); + NTSTATUS status; + + if (ace == NULL) { + talloc_free(sd); + return NULL; + } + ace->type = va_arg(ap, unsigned int); + ace->access_mask = va_arg(ap, unsigned int); + ace->flags = va_arg(ap, unsigned int); + sid = dom_sid_parse_talloc(ace, sidstr); + if (sid == NULL) { + talloc_free(sd); + return NULL; + } + ace->trustee = *sid; + if (add_ace_to_sacl) { + status = security_descriptor_sacl_add(sd, ace); + } else { + status = security_descriptor_dacl_add(sd, ace); + } + /* TODO: check: would talloc_free(ace) here be correct? */ + if (!NT_STATUS_IS_OK(status)) { + talloc_free(sd); + return NULL; + } + } + + return sd; +} + +struct security_descriptor *security_descriptor_append(struct security_descriptor *sd, + ...) +{ + va_list ap; + + va_start(ap, sd); + sd = security_descriptor_appendv(sd, false, ap); + va_end(ap); + + return sd; +} + +static struct security_descriptor *security_descriptor_createv(TALLOC_CTX *mem_ctx, + uint16_t sd_type, + const char *owner_sid, + const char *group_sid, + bool add_ace_to_sacl, + va_list ap) +{ + struct security_descriptor *sd; + + sd = security_descriptor_initialise(mem_ctx); + if (sd == NULL) { + return NULL; + } + + sd->type |= sd_type; + + if (owner_sid) { + sd->owner_sid = dom_sid_parse_talloc(sd, owner_sid); + if (sd->owner_sid == NULL) { + talloc_free(sd); + return NULL; + } + } + if (group_sid) { + sd->group_sid = dom_sid_parse_talloc(sd, group_sid); + if (sd->group_sid == NULL) { + talloc_free(sd); + return NULL; + } + } + + return security_descriptor_appendv(sd, add_ace_to_sacl, ap); +} + +/* + create a security descriptor using string SIDs. This is used by the + torture code to allow the easy creation of complex ACLs + This is a varargs function. The list of DACL ACEs ends with a NULL sid. + + Each ACE contains a set of 4 parameters: + SID, ACCESS_TYPE, MASK, FLAGS + + a typical call would be: + + sd = security_descriptor_dacl_create(mem_ctx, + sd_type_flags, + mysid, + mygroup, + SID_NT_AUTHENTICATED_USERS, + SEC_ACE_TYPE_ACCESS_ALLOWED, + SEC_FILE_ALL, + SEC_ACE_FLAG_OBJECT_INHERIT, + NULL); + that would create a sd with one DACL ACE +*/ + +struct security_descriptor *security_descriptor_dacl_create(TALLOC_CTX *mem_ctx, + uint16_t sd_type, + const char *owner_sid, + const char *group_sid, + ...) +{ + struct security_descriptor *sd = NULL; + va_list ap; + va_start(ap, group_sid); + sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid, + group_sid, false, ap); + va_end(ap); + + return sd; +} + +struct security_descriptor *security_descriptor_sacl_create(TALLOC_CTX *mem_ctx, + uint16_t sd_type, + const char *owner_sid, + const char *group_sid, + ...) +{ + struct security_descriptor *sd = NULL; + va_list ap; + va_start(ap, group_sid); + sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid, + group_sid, true, ap); + va_end(ap); + + return sd; +} + +struct security_ace *security_ace_create(TALLOC_CTX *mem_ctx, + const char *sid_str, + enum security_ace_type type, + uint32_t access_mask, + uint8_t flags) + +{ + struct dom_sid *sid; + struct security_ace *ace; + + ace = talloc_zero(mem_ctx, struct security_ace); + if (ace == NULL) { + return NULL; + } + + sid = dom_sid_parse_talloc(ace, sid_str); + if (sid == NULL) { + talloc_free(ace); + return NULL; + } + + ace->trustee = *sid; + ace->type = type; + ace->access_mask = access_mask; + ace->flags = flags; + + return ace; +} diff --git a/libcli/security/security_descriptor.h b/libcli/security/security_descriptor.h new file mode 100644 index 0000000000..c535f5d253 --- /dev/null +++ b/libcli/security/security_descriptor.h @@ -0,0 +1,64 @@ +/* + Unix SMB/CIFS implementation. + Samba utility functions + + Copyright (C) 2009 Jelmer Vernooij + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __SECURITY_DESCRIPTOR_H__ +#define __SECURITY_DESCRIPTOR_H__ + +#include "librpc/gen_ndr/security.h" + +struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx); +struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx, + const struct security_descriptor *osd); +NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd, + const struct security_ace *ace); +NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd, + const struct security_ace *ace); +NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd, + const struct dom_sid *trustee); +NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd, + const struct dom_sid *trustee); +bool security_ace_equal(const struct security_ace *ace1, + const struct security_ace *ace2); +bool security_acl_equal(const struct security_acl *acl1, + const struct security_acl *acl2); +bool security_descriptor_equal(const struct security_descriptor *sd1, + const struct security_descriptor *sd2); +bool security_descriptor_mask_equal(const struct security_descriptor *sd1, + const struct security_descriptor *sd2, + uint32_t mask); +struct security_descriptor *security_descriptor_append(struct security_descriptor *sd, + ...); +struct security_descriptor *security_descriptor_dacl_create(TALLOC_CTX *mem_ctx, + uint16_t sd_type, + const char *owner_sid, + const char *group_sid, + ...); +struct security_descriptor *security_descriptor_sacl_create(TALLOC_CTX *mem_ctx, + uint16_t sd_type, + const char *owner_sid, + const char *group_sid, + ...); +struct security_ace *security_ace_create(TALLOC_CTX *mem_ctx, + const char *sid_str, + enum security_ace_type type, + uint32_t access_mask, + uint8_t flags); + +#endif /* __SECURITY_DESCRIPTOR_H__ */ diff --git a/source3/Makefile.in b/source3/Makefile.in index 51a469b2b9..ca42d5b95d 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -388,7 +388,7 @@ LIB_OBJ = $(LIBSAMBAUTIL_OBJ) $(UTIL_OBJ) $(CRYPTO_OBJ) \ ../libcli/security/secacl.o \ libads/krb5_errs.o lib/system_smbd.o lib/audit.o $(LIBNDR_OBJ) \ lib/file_id.o lib/idmap_cache.o \ - ../libcli/security/dom_sid.o + ../libcli/security/dom_sid.o ../libcli/security/security_descriptor.o LIB_DUMMY_OBJ = lib/dummysmbd.o lib/dummyroot.o LIB_NONSMBD_OBJ = $(LIB_OBJ) $(LIB_DUMMY_OBJ) diff --git a/source3/include/includes.h b/source3/include/includes.h index 943de8db7b..596c772d9e 100644 --- a/source3/include/includes.h +++ b/source3/include/includes.h @@ -702,6 +702,7 @@ enum flush_reason_enum { #endif #include "libcli/security/secace.h" #include "libcli/security/secacl.h" +#include "libcli/security/security_descriptor.h" #if defined(HAVE_POSIX_ACLS) #include "modules/vfs_posixacl.h" diff --git a/source4/libcli/security/config.mk b/source4/libcli/security/config.mk index 9d23fe9588..d08c25d66f 100644 --- a/source4/libcli/security/config.mk +++ b/source4/libcli/security/config.mk @@ -2,7 +2,6 @@ PUBLIC_DEPENDENCIES = LIBNDR LIBSECURITY_COMMON LIBSECURITY_OBJ_FILES = $(addprefix $(libclisrcdir)/security/, \ - security_token.o security_descriptor.o \ - access_check.o privilege.o sddl.o) \ + security_token.o access_check.o privilege.o sddl.o) \ $(eval $(call proto_header_template,$(libclisrcdir)/security/proto.h,$(LIBSECURITY_OBJ_FILES:.o=.c))) diff --git a/source4/libcli/security/security.h b/source4/libcli/security/security.h index 2608c9f7ed..6dbbe014e7 100644 --- a/source4/libcli/security/security.h +++ b/source4/libcli/security/security.h @@ -33,3 +33,4 @@ struct auth_session_info; #include "libcli/security/secace.h" #include "libcli/security/secacl.h" #include "libcli/security/proto.h" +#include "libcli/security/security_descriptor.h" diff --git a/source4/libcli/security/security_descriptor.c b/source4/libcli/security/security_descriptor.c deleted file mode 100644 index 8e9c7eb4a9..0000000000 --- a/source4/libcli/security/security_descriptor.c +++ /dev/null @@ -1,533 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - security descriptror utility functions - - Copyright (C) Andrew Tridgell 2004 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ - -#include "includes.h" -#include "libcli/security/security.h" - -/* - return a blank security descriptor (no owners, dacl or sacl) -*/ -struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx) -{ - struct security_descriptor *sd; - - sd = talloc(mem_ctx, struct security_descriptor); - if (!sd) { - return NULL; - } - - sd->revision = SD_REVISION; - /* we mark as self relative, even though it isn't while it remains - a pointer in memory because this simplifies the ndr code later. - All SDs that we store/emit are in fact SELF_RELATIVE - */ - sd->type = SEC_DESC_SELF_RELATIVE; - - sd->owner_sid = NULL; - sd->group_sid = NULL; - sd->sacl = NULL; - sd->dacl = NULL; - - return sd; -} - -static struct security_acl *security_acl_dup(TALLOC_CTX *mem_ctx, - const struct security_acl *oacl) -{ - struct security_acl *nacl; - - nacl = talloc (mem_ctx, struct security_acl); - if (nacl == NULL) { - return NULL; - } - - nacl->aces = (struct security_ace *)talloc_memdup (nacl, oacl->aces, sizeof(struct security_ace) * oacl->num_aces); - if ((nacl->aces == NULL) && (oacl->num_aces > 0)) { - goto failed; - } - - nacl->revision = oacl->revision; - nacl->size = oacl->size; - nacl->num_aces = oacl->num_aces; - - return nacl; - - failed: - talloc_free (nacl); - return NULL; - -} - -/* - talloc and copy a security descriptor - */ -struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx, - const struct security_descriptor *osd) -{ - struct security_descriptor *nsd; - - nsd = talloc_zero(mem_ctx, struct security_descriptor); - if (!nsd) { - return NULL; - } - - if (osd->owner_sid) { - nsd->owner_sid = dom_sid_dup(nsd, osd->owner_sid); - if (nsd->owner_sid == NULL) { - goto failed; - } - } - - if (osd->group_sid) { - nsd->group_sid = dom_sid_dup(nsd, osd->group_sid); - if (nsd->group_sid == NULL) { - goto failed; - } - } - - if (osd->sacl) { - nsd->sacl = security_acl_dup(nsd, osd->sacl); - if (nsd->sacl == NULL) { - goto failed; - } - } - - if (osd->dacl) { - nsd->dacl = security_acl_dup(nsd, osd->dacl); - if (nsd->dacl == NULL) { - goto failed; - } - } - - nsd->revision = osd->revision; - nsd->type = osd->type; - - return nsd; - - failed: - talloc_free(nsd); - - return NULL; -} - -/* - add an ACE to an ACL of a security_descriptor -*/ - -static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd, - bool add_to_sacl, - const struct security_ace *ace) -{ - struct security_acl *acl = NULL; - - if (add_to_sacl) { - acl = sd->sacl; - } else { - acl = sd->dacl; - } - - if (acl == NULL) { - acl = talloc(sd, struct security_acl); - if (acl == NULL) { - return NT_STATUS_NO_MEMORY; - } - acl->revision = SECURITY_ACL_REVISION_NT4; - acl->size = 0; - acl->num_aces = 0; - acl->aces = NULL; - } - - acl->aces = talloc_realloc(acl, acl->aces, - struct security_ace, acl->num_aces+1); - if (acl->aces == NULL) { - return NT_STATUS_NO_MEMORY; - } - - acl->aces[acl->num_aces] = *ace; - - switch (acl->aces[acl->num_aces].type) { - case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: - case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: - case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT: - case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT: - acl->revision = SECURITY_ACL_REVISION_ADS; - break; - default: - break; - } - - acl->num_aces++; - - if (add_to_sacl) { - sd->sacl = acl; - sd->type |= SEC_DESC_SACL_PRESENT; - } else { - sd->dacl = acl; - sd->type |= SEC_DESC_DACL_PRESENT; - } - - return NT_STATUS_OK; -} - -/* - add an ACE to the SACL of a security_descriptor -*/ - -NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd, - const struct security_ace *ace) -{ - return security_descriptor_acl_add(sd, true, ace); -} - -/* - add an ACE to the DACL of a security_descriptor -*/ - -NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd, - const struct security_ace *ace) -{ - return security_descriptor_acl_add(sd, false, ace); -} - -/* - delete the ACE corresponding to the given trustee in an ACL of a - security_descriptor -*/ - -static NTSTATUS security_descriptor_acl_del(struct security_descriptor *sd, - bool sacl_del, - const struct dom_sid *trustee) -{ - int i; - bool found = false; - struct security_acl *acl = NULL; - - if (sacl_del) { - acl = sd->sacl; - } else { - acl = sd->dacl; - } - - if (acl == NULL) { - return NT_STATUS_OBJECT_NAME_NOT_FOUND; - } - - /* there can be multiple ace's for one trustee */ - for (i=0;inum_aces;i++) { - if (dom_sid_equal(trustee, &acl->aces[i].trustee)) { - memmove(&acl->aces[i], &acl->aces[i+1], - sizeof(acl->aces[i]) * (acl->num_aces - (i+1))); - acl->num_aces--; - if (acl->num_aces == 0) { - acl->aces = NULL; - } - found = true; - } - } - - if (!found) { - return NT_STATUS_OBJECT_NAME_NOT_FOUND; - } - - acl->revision = SECURITY_ACL_REVISION_NT4; - - for (i=0;inum_aces;i++) { - switch (acl->aces[i].type) { - case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: - case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: - case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT: - case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT: - acl->revision = SECURITY_ACL_REVISION_ADS; - return NT_STATUS_OK; - default: - break; /* only for the switch statement */ - } - } - - return NT_STATUS_OK; -} - -/* - delete the ACE corresponding to the given trustee in the DACL of a - security_descriptor -*/ - -NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd, - const struct dom_sid *trustee) -{ - return security_descriptor_acl_del(sd, false, trustee); -} - -/* - delete the ACE corresponding to the given trustee in the SACL of a - security_descriptor -*/ - -NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd, - const struct dom_sid *trustee) -{ - return security_descriptor_acl_del(sd, true, trustee); -} - -/* - compare two security ace structures -*/ -bool security_ace_equal(const struct security_ace *ace1, - const struct security_ace *ace2) -{ - if (ace1 == ace2) return true; - if (!ace1 || !ace2) return false; - if (ace1->type != ace2->type) return false; - if (ace1->flags != ace2->flags) return false; - if (ace1->access_mask != ace2->access_mask) return false; - if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) return false; - - return true; -} - - -/* - compare two security acl structures -*/ -bool security_acl_equal(const struct security_acl *acl1, - const struct security_acl *acl2) -{ - int i; - - if (acl1 == acl2) return true; - if (!acl1 || !acl2) return false; - if (acl1->revision != acl2->revision) return false; - if (acl1->num_aces != acl2->num_aces) return false; - - for (i=0;inum_aces;i++) { - if (!security_ace_equal(&acl1->aces[i], &acl2->aces[i])) return false; - } - return true; -} - -/* - compare two security descriptors. -*/ -bool security_descriptor_equal(const struct security_descriptor *sd1, - const struct security_descriptor *sd2) -{ - if (sd1 == sd2) return true; - if (!sd1 || !sd2) return false; - if (sd1->revision != sd2->revision) return false; - if (sd1->type != sd2->type) return false; - - if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false; - if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false; - if (!security_acl_equal(sd1->sacl, sd2->sacl)) return false; - if (!security_acl_equal(sd1->dacl, sd2->dacl)) return false; - - return true; -} - -/* - compare two security descriptors, but allow certain (missing) parts - to be masked out of the comparison -*/ -bool security_descriptor_mask_equal(const struct security_descriptor *sd1, - const struct security_descriptor *sd2, - uint32_t mask) -{ - if (sd1 == sd2) return true; - if (!sd1 || !sd2) return false; - if (sd1->revision != sd2->revision) return false; - if ((sd1->type & mask) != (sd2->type & mask)) return false; - - if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false; - if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false; - if ((mask & SEC_DESC_DACL_PRESENT) && !security_acl_equal(sd1->dacl, sd2->dacl)) return false; - if ((mask & SEC_DESC_SACL_PRESENT) && !security_acl_equal(sd1->sacl, sd2->sacl)) return false; - - return true; -} - - -static struct security_descriptor *security_descriptor_appendv(struct security_descriptor *sd, - bool add_ace_to_sacl, - va_list ap) -{ - const char *sidstr; - - while ((sidstr = va_arg(ap, const char *))) { - struct dom_sid *sid; - struct security_ace *ace = talloc(sd, struct security_ace); - NTSTATUS status; - - if (ace == NULL) { - talloc_free(sd); - return NULL; - } - ace->type = va_arg(ap, unsigned int); - ace->access_mask = va_arg(ap, unsigned int); - ace->flags = va_arg(ap, unsigned int); - sid = dom_sid_parse_talloc(ace, sidstr); - if (sid == NULL) { - talloc_free(sd); - return NULL; - } - ace->trustee = *sid; - if (add_ace_to_sacl) { - status = security_descriptor_sacl_add(sd, ace); - } else { - status = security_descriptor_dacl_add(sd, ace); - } - /* TODO: check: would talloc_free(ace) here be correct? */ - if (!NT_STATUS_IS_OK(status)) { - talloc_free(sd); - return NULL; - } - } - - return sd; -} - -struct security_descriptor *security_descriptor_append(struct security_descriptor *sd, - ...) -{ - va_list ap; - - va_start(ap, sd); - sd = security_descriptor_appendv(sd, false, ap); - va_end(ap); - - return sd; -} - -static struct security_descriptor *security_descriptor_createv(TALLOC_CTX *mem_ctx, - uint16_t sd_type, - const char *owner_sid, - const char *group_sid, - bool add_ace_to_sacl, - va_list ap) -{ - struct security_descriptor *sd; - - sd = security_descriptor_initialise(mem_ctx); - if (sd == NULL) { - return NULL; - } - - sd->type |= sd_type; - - if (owner_sid) { - sd->owner_sid = dom_sid_parse_talloc(sd, owner_sid); - if (sd->owner_sid == NULL) { - talloc_free(sd); - return NULL; - } - } - if (group_sid) { - sd->group_sid = dom_sid_parse_talloc(sd, group_sid); - if (sd->group_sid == NULL) { - talloc_free(sd); - return NULL; - } - } - - return security_descriptor_appendv(sd, add_ace_to_sacl, ap); -} - -/* - create a security descriptor using string SIDs. This is used by the - torture code to allow the easy creation of complex ACLs - This is a varargs function. The list of DACL ACEs ends with a NULL sid. - - Each ACE contains a set of 4 parameters: - SID, ACCESS_TYPE, MASK, FLAGS - - a typical call would be: - - sd = security_descriptor_dacl_create(mem_ctx, - sd_type_flags, - mysid, - mygroup, - SID_NT_AUTHENTICATED_USERS, - SEC_ACE_TYPE_ACCESS_ALLOWED, - SEC_FILE_ALL, - SEC_ACE_FLAG_OBJECT_INHERIT, - NULL); - that would create a sd with one DACL ACE -*/ - -struct security_descriptor *security_descriptor_dacl_create(TALLOC_CTX *mem_ctx, - uint16_t sd_type, - const char *owner_sid, - const char *group_sid, - ...) -{ - struct security_descriptor *sd = NULL; - va_list ap; - va_start(ap, group_sid); - sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid, - group_sid, false, ap); - va_end(ap); - - return sd; -} - -struct security_descriptor *security_descriptor_sacl_create(TALLOC_CTX *mem_ctx, - uint16_t sd_type, - const char *owner_sid, - const char *group_sid, - ...) -{ - struct security_descriptor *sd = NULL; - va_list ap; - va_start(ap, group_sid); - sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid, - group_sid, true, ap); - va_end(ap); - - return sd; -} - -struct security_ace *security_ace_create(TALLOC_CTX *mem_ctx, - const char *sid_str, - enum security_ace_type type, - uint32_t access_mask, - uint8_t flags) - -{ - struct dom_sid *sid; - struct security_ace *ace; - - ace = talloc_zero(mem_ctx, struct security_ace); - if (ace == NULL) { - return NULL; - } - - sid = dom_sid_parse_talloc(ace, sid_str); - if (sid == NULL) { - talloc_free(ace); - return NULL; - } - - ace->trustee = *sid; - ace->type = type; - ace->access_mask = access_mask; - ace->flags = flags; - - return ace; -} -- cgit