From a6c4b9d1793c7ea1965a23e1d23b73012acd151b Mon Sep 17 00:00:00 2001
From: Günther Deschner
Date: Wed, 10 Oct 2007 13:12:53 +0200
Subject: r25607: Allow to set security descriptor type flags at creation time with security_descriptor_create().
Guenther
(This used to be commit 7dd0d28d254f78891b0807492baafa188b42df16)
---
 source4/lib/registry/tests/registry.c | 1 +
 source4/libcli/security/security_descriptor.c | 4 +++
 source4/libnet/libnet_become_dc.c | 1 +
 source4/torture/raw/acls.c | 40 +++++++++++++--------------
 source4/torture/rpc/samba3rpc.c | 2 +-
 source4/torture/rpc/winreg.c | 1 +
 6 files changed, 28 insertions(+), 21 deletions(-)
diff --git a/source4/lib/registry/tests/registry.c b/source4/lib/registry/tests/registry.c
index 9b1c6ff249..d2838e363f 100644
--- a/source4/lib/registry/tests/registry.c
+++ b/source4/lib/registry/tests/registry.c
@@ -400,6 +400,7 @@ static bool test_security(struct torture_context *tctx, const void *_data)
 return false;
 osd = security_descriptor_create(tctx,
+ 0,
 NULL, NULL, SID_NT_AUTHENTICATED_USERS, SEC_ACE_TYPE_ACCESS_ALLOWED,
diff --git a/source4/libcli/security/security_descriptor.c b/source4/libcli/security/security_descriptor.c
index 1d8549a605..9723e8ccca 100644
--- a/source4/libcli/security/security_descriptor.c
+++ b/source4/libcli/security/security_descriptor.c
@@ -327,6 +327,7 @@ bool security_descriptor_mask_equal(const struct security_descriptor *sd1,
 a typical call would be:
 sd = security_descriptor_create(mem_ctx,
+ sd_type_flags,
 mysid, mygroup, SID_NT_AUTHENTICATED_USERS,
@@ -379,6 +380,7 @@ struct security_descriptor *security_descriptor_append(struct security_descripto
 }
 struct security_descriptor *security_descriptor_create(TALLOC_CTX *mem_ctx,
+ uint16_t sd_type,
 const char *owner_sid, const char *group_sid, ...)
@@ -390,6 +392,8 @@ struct security_descriptor *security_descriptor_create(TALLOC_CTX *mem_ctx,
 sd = security_descriptor_initialise(mem_ctx);
 if (sd == NULL) return NULL;
+ sd->type |= sd_type;
+ if (owner_sid) {
 sd->owner_sid = dom_sid_parse_talloc(sd, owner_sid);
 if (sd->owner_sid == NULL) {
diff --git a/source4/libnet/libnet_become_dc.c b/source4/libnet/libnet_become_dc.c
index cd782066db..a6ca3551ce 100644
--- a/source4/libnet/libnet_become_dc.c
+++ b/source4/libnet/libnet_become_dc.c
@@ -1737,6 +1737,7 @@ static void becomeDC_drsuapi1_add_entry_send(struct libnet_BecomeDC_state *s)
 if (composite_nomem(domain_admins_sid_str, c)) return;
 v = security_descriptor_create(vd,
+ 0,
 /* owner: domain admins */ domain_admins_sid_str, /* owner group: domain admins */
diff --git a/source4/torture/raw/acls.c b/source4/torture/raw/acls.c
index 2c3f4a52c6..0136056bdf 100644
--- a/source4/torture/raw/acls.c
+++ b/source4/torture/raw/acls.c
@@ -298,7 +298,7 @@ static bool test_creator_sid(struct torture_context *tctx,
 printf("set a sec desc allowing no write by CREATOR_OWNER\n");
 sd = security_descriptor_create(tctx,
- NULL, NULL,
+ 0, NULL, NULL,
 SID_CREATOR_OWNER, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
@@ -335,7 +335,7 @@ static bool test_creator_sid(struct torture_context *tctx,
 printf("set a sec desc allowing no write by owner\n");
 sd = security_descriptor_create(tctx,
- owner_sid, NULL,
+ 0, owner_sid, NULL,
 owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
@@ -390,7 +390,7 @@ static bool test_creator_sid(struct torture_context *tctx,
 printf("set a sec desc allowing generic read by owner\n");
 sd = security_descriptor_create(tctx,
- NULL, NULL,
+ 0, NULL, NULL,
 owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_GENERIC_READ | SEC_STD_ALL,
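Review bot: `sd->type |= sd_type;` merges whatever 16-bit value the caller passes into the descriptor type without checking it against what this constructor actually builds, so a caller can assert a bit such as SEC_DESC_SACL_PRESENT for an ACL the function never populates, and nothing in the hunk states which SEC_DESC_* bits are meant to be passed here. The usage comment updated at @@ -327 names the argument `sd_type_flags` but not that it is OR'd onto the defaults from security_descriptor_initialise(); a comment above the new line, `/* caller-supplied SEC_DESC_* control bits, OR'd onto the defaults from security_descriptor_initialise(); not validated against the ACLs appended below */`, would make that contract explicit. Which bits security_descriptor_initialise() sets, and whether the variadic ACE loop later sets the DACL-present flag itself, are outside the hunk, so a rejecting mask check such as `if (sd_type & ~ALLOWED_SD_TYPE_BITS) return NULL;` (with that mask being a placeholder for the bits this constructor should honour) is only a suggestion. Separately, because the new parameter is an integer placed ahead of two `const char *` parameters, any caller not converted in this commit would still compile with only a pointer-to-integer warning, passing a truncated pointer as the type flags and shifting its SID arguments by one, so a check for remaining callers outside the six files touched is worthwhile.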
@@ -403,7 +403,7 @@ static bool test_creator_sid(struct torture_context *tctx,
 printf("check that generic read has been mapped correctly\n");
 sd2 = security_descriptor_create(tctx,
- owner_sid, NULL,
+ 0, owner_sid, NULL,
 owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
@@ -568,7 +568,7 @@ static bool test_generic_bits(struct torture_context *tctx,
 printf("testing generic bits 0x%08x\n", file_mappings[i].gen_bits);
 sd = security_descriptor_create(tctx,
- owner_sid, NULL,
+ 0, owner_sid, NULL,
 owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, file_mappings[i].gen_bits,
@@ -584,7 +584,7 @@ static bool test_generic_bits(struct torture_context *tctx,
 CHECK_STATUS(status, NT_STATUS_OK);
 sd2 = security_descriptor_create(tctx,
- owner_sid, NULL,
+ 0, owner_sid, NULL,
 owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, file_mappings[i].specific_bits,
@@ -616,7 +616,7 @@ static bool test_generic_bits(struct torture_context *tctx,
 printf("testing generic bits 0x%08x (anonymous)\n", file_mappings[i].gen_bits);
 sd = security_descriptor_create(tctx,
- SID_NT_ANONYMOUS, NULL,
+ 0, SID_NT_ANONYMOUS, NULL,
 owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, file_mappings[i].gen_bits,
@@ -632,7 +632,7 @@ static bool test_generic_bits(struct torture_context *tctx,
 CHECK_STATUS(status, NT_STATUS_OK);
 sd2 = security_descriptor_create(tctx,
- SID_NT_ANONYMOUS, NULL,
+ 0, SID_NT_ANONYMOUS, NULL,
 owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, file_mappings[i].specific_bits,
@@ -733,7 +733,7 @@ static bool test_generic_bits(struct torture_context *tctx,
 printf("testing generic bits 0x%08x\n", file_mappings[i].gen_bits);
 sd = security_descriptor_create(tctx,
- owner_sid, NULL,
+ 0, owner_sid, NULL,
 owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, dir_mappings[i].gen_bits,
@@ -749,7 +749,7 @@ static bool test_generic_bits(struct torture_context *tctx,
 CHECK_STATUS(status, NT_STATUS_OK);
 sd2 = security_descriptor_create(tctx,
- owner_sid, NULL,
+ 0, owner_sid, NULL,
 owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, dir_mappings[i].specific_bits,
@@ -781,7 +781,7 @@ static bool test_generic_bits(struct torture_context *tctx,
 printf("testing generic bits 0x%08x (anonymous)\n", file_mappings[i].gen_bits);
 sd = security_descriptor_create(tctx,
- SID_NT_ANONYMOUS, NULL,
+ 0, SID_NT_ANONYMOUS, NULL,
 owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, file_mappings[i].gen_bits,
@@ -797,7 +797,7 @@ static bool test_generic_bits(struct torture_context *tctx,
 CHECK_STATUS(status, NT_STATUS_OK);
 sd2 = security_descriptor_create(tctx,
- SID_NT_ANONYMOUS, NULL,
+ 0, SID_NT_ANONYMOUS, NULL,
 owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, file_mappings[i].specific_bits,
@@ -908,7 +908,7 @@ static bool test_owner_bits(struct torture_context *tctx,
 printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No");
 sd = security_descriptor_create(tctx,
- NULL, NULL,
+ 0, NULL, NULL,
 owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA,
@@ -1115,7 +1115,7 @@ static bool test_inheritance(struct torture_context *tctx,
 printf("owner_sid is %s\n", owner_sid);
 sd_def = security_descriptor_create(tctx,
- owner_sid, NULL,
+ 0, owner_sid, NULL,
 owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_ALL,
@@ -1130,7 +1130,7 @@ static bool test_inheritance(struct torture_context *tctx,
 for (i=0;itree, fnum2);
 sd2 = security_descriptor_create(tctx,
- owner_sid, NULL,
+ 0, owner_sid, NULL,
 owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA | SEC_STD_WRITE_DAC,
@@ -1432,7 +1432,7 @@ static bool test_inheritance_dynamic(struct torture_context *tctx,
 printf("owner_sid is %s\n", owner_sid);
 sd = security_descriptor_create(tctx,
- NULL, NULL,
+ 0, NULL, NULL,
 owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA | SEC_STD_DELETE | SEC_FILE_READ_ATTRIBUTE,
@@ -1472,7 +1472,7 @@ static bool test_inheritance_dynamic(struct torture_context *tctx,
 printf("update parent sd\n");
 sd = security_descriptor_create(tctx,
- NULL, NULL,
+ 0, NULL, NULL,
 owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA | SEC_STD_DELETE | SEC_FILE_READ_ATTRIBUTE | SEC_FILE_EXECUTE,
@@ -1587,7 +1587,7 @@ static bool test_sd_get_set(struct torture_context *tctx,
 /* first create a file with full access for everyone */
 sd = security_descriptor_create(tctx,
- SID_NT_ANONYMOUS, SID_BUILTIN_USERS,
+ 0, SID_NT_ANONYMOUS, SID_BUILTIN_USERS,
 SID_WORLD, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_GENERIC_ALL,
diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c
index 8c52199e66..fe75fabad6 100644
--- a/source4/torture/rpc/samba3rpc.c
+++ b/source4/torture/rpc/samba3rpc.c
@@ -2004,7 +2004,7 @@ bool try_tcon(TALLOC_CTX *mem_ctx,
 }
 sd = security_descriptor_create(
- tmp_ctx, "S-1-5-32-544",
+ tmp_ctx, 0, "S-1-5-32-544",
 dom_sid_string(mem_ctx, dom_sid_add_rid(mem_ctx, domain_sid, DOMAIN_RID_USERS)), dom_sid_string(mem_ctx, user_sid),
diff --git a/source4/torture/rpc/winreg.c b/source4/torture/rpc/winreg.c
index 44df6dab74..8086986917 100644
--- a/source4/torture/rpc/winreg.c
+++ b/source4/torture/rpc/winreg.c
@@ -138,6 +138,7 @@ static bool test_CreateKey_sd(struct dcerpc_pipe *p,
 struct winreg_SecBuf secbuf;
 sd = security_descriptor_create(tctx,
+ 0,
 NULL, NULL, SID_NT_AUTHENTICATED_USERS, SEC_ACE_TYPE_ACCESS_ALLOWED,
-- cgit