From fdc9f417d89fdf9dd6afbc22843d70585e195c9d Mon Sep 17 00:00:00 2001 
From: Andrew Tridgell Date: Tue, 30 Nov 2004 04:33:27 +0000 Subject: r4011: get rid of rpc_secdes.h and replace it with a single sane set of definitions for security access masks, in security.idl The previous definitions were inconsistently named, and contained many duplicate and misleading entries. I kept finding myself tripping up while using them. (This used to be commit 01c0fa722f80ceeb3f81f01987de95f365a2ed3d) --- source4/include/includes.h | 1 - source4/include/rpc_secdes.h | 344 --------------------------------- source4/include/structs.h | 2 + source4/librpc/idl/security.idl | 94 +++++++++ source4/librpc/rpc/dcerpc_smb.c | 11 +- source4/ntvfs/common/opendb.c | 29 +-- source4/ntvfs/ntvfs_generic.c | 31 +-- source4/ntvfs/posix/pvfs_acl.c | 80 ++++---- source4/ntvfs/posix/pvfs_open.c | 24 +-- source4/ntvfs/posix/pvfs_read.c | 5 +- source4/ntvfs/posix/pvfs_setfileinfo.c | 5 +- source4/ntvfs/posix/pvfs_write.c | 3 +- source4/smb_server/service.c | 19 -- source4/smbd/rewrite.c | 3 - source4/torture/basic/attr.c | 14 +- source4/torture/basic/charset.c | 3 +- source4/torture/basic/delete.c | 93 +++++---- source4/torture/basic/denytest.c | 51 ++--- source4/torture/basic/dir.c | 8 +- source4/torture/basic/disconnect.c | 3 +- source4/torture/basic/rename.c | 7 +- source4/torture/basic/scanner.c | 11 +- source4/torture/basic/unlink.c | 3 +- source4/torture/basic/utable.c | 11 +- source4/torture/gentest.c | 5 +- source4/torture/nbench/nbio.c | 11 +- source4/torture/raw/acls.c | 20 +- source4/torture/raw/chkpath.c | 43 +++-- source4/torture/raw/context.c | 7 +- source4/torture/raw/eas.c | 5 +- source4/torture/raw/mux.c | 3 +- source4/torture/raw/notify.c | 3 +- source4/torture/raw/open.c | 15 +- source4/torture/raw/oplock.c | 9 +- source4/torture/raw/qfileinfo.c | 16 +- source4/torture/raw/rename.c | 5 +- source4/torture/raw/streams.c | 5 +- source4/torture/rpc/samr.c | 2 +- source4/torture/rpc/svcctl.c | 1 + source4/torture/torture.c | 73 +++---- 
source4/torture/torture_util.c | 18 +- 41 files changed, 450 insertions(+), 646 deletions(-) delete mode 100644 source4/include/rpc_secdes.h diff --git a/source4/include/includes.h b/source4/include/includes.h index c5842f84da..6335780b89 100644 --- a/source4/include/includes.h +++ b/source4/include/includes.h @@ -169,7 +169,6 @@ extern int errno; #include "enums.h" #include "pstring.h" #include "smb_macros.h" -#include "rpc_secdes.h" #include "smb.h" #include "ads.h" #include "lib/socket/socket.h" diff --git a/source4/include/rpc_secdes.h b/source4/include/rpc_secdes.h deleted file mode 100644 index 1a7e56974a..0000000000 --- a/source4/include/rpc_secdes.h +++ /dev/null 
@@ -1,344 +0,0 @@ -/* - Unix SMB/CIFS implementation. - SMB parameters and setup - Copyright (C) Andrew Tridgell 1992-2000 - Copyright (C) Luke Kenneth Casson Leighton 1996-2000 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -typedef struct security_descriptor SEC_DESC; - -#ifndef _RPC_SECDES_H /* _RPC_SECDES_H */ -#define _RPC_SECDES_H - -#define SEC_RIGHTS_QUERY_VALUE 0x00000001 -#define SEC_RIGHTS_SET_VALUE 0x00000002 -#define SEC_RIGHTS_CREATE_SUBKEY 0x00000004 -#define SEC_RIGHTS_ENUM_SUBKEYS 0x00000008 -#define SEC_RIGHTS_NOTIFY 0x00000010 -#define SEC_RIGHTS_CREATE_LINK 0x00000020 -#define SEC_RIGHTS_READ 0x00020019 -#define SEC_RIGHTS_FULL_CONTROL 0x000f003f -#define SEC_RIGHTS_MAXIMUM_ALLOWED 0x02000000 - -/* for ADS */ -#define SEC_RIGHTS_LIST_CONTENTS 0x4 -#define SEC_RIGHTS_LIST_OBJECT 0x80 -#define SEC_RIGHTS_READ_ALL_PROP 0x10 -#define SEC_RIGHTS_READ_PERMS 0x20000 -#define SEC_RIGHTS_WRITE_ALL_VALID 0x8 -#define SEC_RIGHTS_WRITE_ALL_PROP 0x20 -#define SEC_RIGHTS_MODIFY_OWNER 0x80000 -#define SEC_RIGHTS_MODIFY_PERMS 0x40000 -#define SEC_RIGHTS_CREATE_CHILD 0x1 -#define SEC_RIGHTS_DELETE_CHILD 0x2 -#define SEC_RIGHTS_DELETE_SUBTREE 0x40 -#define SEC_RIGHTS_DELETE 0x10000 /* advanced/special/object/delete */ -#define SEC_RIGHTS_EXTENDED 0x100 /* change/reset password, receive/send as*/ -#define SEC_RIGHTS_CHANGE_PASSWD 
SEC_RIGHTS_EXTENDED -#define SEC_RIGHTS_RESET_PASSWD SEC_RIGHTS_EXTENDED -#define SEC_RIGHTS_FULL_CTRL 0xf01ff - -/* Don't know what this means. */ - -/* security information flags used in query_secdesc and set_secdesc */ -#define OWNER_SECURITY_INFORMATION 0x00000001 -#define GROUP_SECURITY_INFORMATION 0x00000002 -#define DACL_SECURITY_INFORMATION 0x00000004 -#define SACL_SECURITY_INFORMATION 0x00000008 - -/* Extra W2K flags. */ -#define UNPROTECTED_SACL_SECURITY_INFORMATION 0x10000000 -#define UNPROTECTED_DACL_SECURITY_INFORMATION 0x20000000 -#define PROTECTED_SACL_SECURITY_INFORMATION 0x40000000 -#define PROTECTED_DACL_SECURITY_INFORMATION 0x80000000 - -#define ALL_SECURITY_INFORMATION (OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|\ - DACL_SECURITY_INFORMATION|SACL_SECURITY_INFORMATION|\ - UNPROTECTED_SACL_SECURITY_INFORMATION|\ - UNPROTECTED_DACL_SECURITY_INFORMATION|\ - PROTECTED_SACL_SECURITY_INFORMATION|\ - PROTECTED_DACL_SECURITY_INFORMATION) - -#ifndef ACL_REVISION -#define ACL_REVISION 0x3 -#endif - -#ifndef NT4_ACL_REVISION -#define NT4_ACL_REVISION 0x2 -#endif - -#ifndef SEC_DESC_REVISION -#define SEC_DESC_REVISION 0x1 -#endif - - -/* Security Access Masks Rights */ - -#define SPECIFIC_RIGHTS_MASK 0x0000FFFF -#define STANDARD_RIGHTS_MASK 0x00FF0000 -#define GENERIC_RIGHTS_MASK 0xF0000000 - -#define SEC_RIGHT_SYSTEM_SECURITY 0x01000000 -#define SEC_RIGHT_MAXIMUM_ALLOWED 0x02000000 - -/* Generic access rights */ - -#define GENERIC_RIGHT_ALL_ACCESS 0x10000000 -#define GENERIC_RIGHT_EXECUTE_ACCESS 0x20000000 -#define GENERIC_RIGHT_WRITE_ACCESS 0x40000000 -#define GENERIC_RIGHT_READ_ACCESS 0x80000000 - -/* Standard access rights. */ - -#define STD_RIGHT_DELETE_ACCESS 0x00010000 -#define STD_RIGHT_READ_CONTROL_ACCESS 0x00020000 -#define STD_RIGHT_WRITE_DAC_ACCESS 0x00040000 -#define STD_RIGHT_WRITE_OWNER_ACCESS 0x00080000 -#define STD_RIGHT_SYNCHRONIZE_ACCESS 0x00100000 - -#define STD_RIGHT_ALL_ACCESS 0x001F0000 - -/* Combinations of standard masks. 
*/ -#define STANDARD_RIGHTS_ALL_ACCESS STD_RIGHT_ALL_ACCESS /* 0x001f0000 */ -#define STANDARD_RIGHTS_EXECUTE_ACCESS STD_RIGHT_READ_CONTROL_ACCESS /* 0x00020000 */ -#define STANDARD_RIGHTS_READ_ACCESS STD_RIGHT_READ_CONTROL_ACCESS /* 0x00020000 */ -#define STANDARD_RIGHTS_WRITE_ACCESS STD_RIGHT_READ_CONTROL_ACCESS /* 0x00020000 */ -#define STANDARD_RIGHTS_REQUIRED_ACCESS \ - (STD_RIGHT_DELETE_ACCESS | \ - STD_RIGHT_READ_CONTROL_ACCESS | \ - STD_RIGHT_WRITE_DAC_ACCESS | \ - STD_RIGHT_WRITE_OWNER_ACCESS) /* 0x000f0000 */ - -/* File Object specific access rights */ - -#define SA_RIGHT_FILE_READ_DATA 0x00000001 -#define SA_RIGHT_FILE_WRITE_DATA 0x00000002 -#define SA_RIGHT_FILE_APPEND_DATA 0x00000004 -#define SA_RIGHT_FILE_READ_EA 0x00000008 -#define SA_RIGHT_FILE_WRITE_EA 0x00000010 -#define SA_RIGHT_FILE_EXECUTE 0x00000020 -#define SA_RIGHT_FILE_DELETE_CHILD 0x00000040 -#define SA_RIGHT_FILE_READ_ATTRIBUTES 0x00000080 -#define SA_RIGHT_FILE_WRITE_ATTRIBUTES 0x00000100 -#define SA_RIGHT_FILE_READ_EXEC (SA_RIGHT_FILE_READ_DATA|SA_RIGHT_FILE_EXECUTE) -#define SA_RIGHT_FILE_WRITE_APPEND (SA_RIGHT_FILE_WRITE_DATA|SA_RIGHT_FILE_APPEND_DATA) - -#define SA_RIGHT_FILE_ALL_ACCESS 0x000001FF - -#define GENERIC_RIGHTS_FILE_ALL_ACCESS \ - (STANDARD_RIGHTS_REQUIRED_ACCESS| \ - STD_RIGHT_SYNCHRONIZE_ACCESS | \ - SA_RIGHT_FILE_ALL_ACCESS) - -#define GENERIC_RIGHTS_FILE_READ \ - (STANDARD_RIGHTS_READ_ACCESS | \ - STD_RIGHT_SYNCHRONIZE_ACCESS | \ - SA_RIGHT_FILE_READ_DATA | \ - SA_RIGHT_FILE_READ_ATTRIBUTES | \ - SA_RIGHT_FILE_READ_EA) - -#define GENERIC_RIGHTS_FILE_WRITE \ - (STANDARD_RIGHTS_WRITE_ACCESS | \ - STD_RIGHT_SYNCHRONIZE_ACCESS | \ - SA_RIGHT_FILE_WRITE_DATA | \ - SA_RIGHT_FILE_WRITE_ATTRIBUTES | \ - SA_RIGHT_FILE_WRITE_EA | \ - SA_RIGHT_FILE_APPEND_DATA) - -#define GENERIC_RIGHTS_FILE_EXECUTE \ - (STANDARD_RIGHTS_EXECUTE_ACCESS | \ - SA_RIGHT_FILE_READ_ATTRIBUTES | \ - SA_RIGHT_FILE_EXECUTE) - - -/* directory specific access rights */ -#define SA_RIGHT_DIR_LIST 0x0001 
-#define SA_RIGHT_DIR_ADD_FILE 0x0002 -#define SA_RIGHT_DIR_ADD_SUBDIRECTORY 0x0004 -#define SA_RIGHT_DIR_TRAVERSE 0x0020 -#define SA_RIGHT_DIR_DELETE_CHILD 0x0040 - - -/* SAM server specific access rights */ - -#define SA_RIGHT_SAM_CONNECT_SERVER 0x00000001 -#define SA_RIGHT_SAM_SHUTDOWN_SERVER 0x00000002 -#define SA_RIGHT_SAM_INITIALISE_SERVER 0x00000004 -#define SA_RIGHT_SAM_CREATE_DOMAIN 0x00000008 -#define SA_RIGHT_SAM_ENUM_DOMAINS 0x00000010 -#define SA_RIGHT_SAM_OPEN_DOMAIN 0x00000020 - -#define SA_RIGHT_SAM_ALL_ACCESS 0x0000003F - -#define GENERIC_RIGHTS_SAM_ALL_ACCESS \ - (STANDARD_RIGHTS_REQUIRED_ACCESS| \ - SA_RIGHT_SAM_ALL_ACCESS) - -#define GENERIC_RIGHTS_SAM_READ \ - (STANDARD_RIGHTS_READ_ACCESS | \ - SA_RIGHT_SAM_ENUM_DOMAINS) - -#define GENERIC_RIGHTS_SAM_WRITE \ - (STANDARD_RIGHTS_WRITE_ACCESS | \ - SA_RIGHT_SAM_CREATE_DOMAIN | \ - SA_RIGHT_SAM_INITIALISE_SERVER | \ - SA_RIGHT_SAM_SHUTDOWN_SERVER) - -#define GENERIC_RIGHTS_SAM_EXECUTE \ - (STANDARD_RIGHTS_EXECUTE_ACCESS | \ - SA_RIGHT_SAM_OPEN_DOMAIN | \ - SA_RIGHT_SAM_CONNECT_SERVER) - - -/* Domain Object specific access rights */ - -#define SA_RIGHT_DOMAIN_LOOKUP_INFO_1 0x00000001 -#define SA_RIGHT_DOMAIN_SET_INFO_1 0x00000002 -#define SA_RIGHT_DOMAIN_LOOKUP_INFO_2 0x00000004 -#define SA_RIGHT_DOMAIN_SET_INFO_2 0x00000008 -#define SA_RIGHT_DOMAIN_CREATE_USER 0x00000010 -#define SA_RIGHT_DOMAIN_CREATE_GROUP 0x00000020 -#define SA_RIGHT_DOMAIN_CREATE_ALIAS 0x00000040 -#define SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM 0x00000080 -#define SA_RIGHT_DOMAIN_ENUM_ACCOUNTS 0x00000100 -#define SA_RIGHT_DOMAIN_OPEN_ACCOUNT 0x00000200 -#define SA_RIGHT_DOMAIN_SET_INFO_3 0x00000400 - -#define SA_RIGHT_DOMAIN_ALL_ACCESS 0x000007FF - -#define GENERIC_RIGHTS_DOMAIN_ALL_ACCESS \ - (STANDARD_RIGHTS_REQUIRED_ACCESS| \ - SA_RIGHT_DOMAIN_ALL_ACCESS) - -#define GENERIC_RIGHTS_DOMAIN_READ \ - (STANDARD_RIGHTS_READ_ACCESS | \ - SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM | \ - SA_RIGHT_DOMAIN_LOOKUP_INFO_2) - -#define 
GENERIC_RIGHTS_DOMAIN_WRITE \ - (STANDARD_RIGHTS_WRITE_ACCESS | \ - SA_RIGHT_DOMAIN_SET_INFO_3 | \ - SA_RIGHT_DOMAIN_CREATE_ALIAS | \ - SA_RIGHT_DOMAIN_CREATE_GROUP | \ - SA_RIGHT_DOMAIN_CREATE_USER | \ - SA_RIGHT_DOMAIN_SET_INFO_2 | \ - SA_RIGHT_DOMAIN_SET_INFO_1) - -#define GENERIC_RIGHTS_DOMAIN_EXECUTE \ - (STANDARD_RIGHTS_EXECUTE_ACCESS | \ - SA_RIGHT_DOMAIN_OPEN_ACCOUNT | \ - SA_RIGHT_DOMAIN_ENUM_ACCOUNTS | \ - SA_RIGHT_DOMAIN_LOOKUP_INFO_1) - - -/* User Object specific access rights */ - -#define SA_RIGHT_USER_GET_NAME_ETC 0x00000001 -#define SA_RIGHT_USER_GET_LOCALE 0x00000002 -#define SA_RIGHT_USER_SET_LOC_COM 0x00000004 -#define SA_RIGHT_USER_GET_LOGONINFO 0x00000008 -#define SA_RIGHT_USER_ACCT_FLAGS_EXPIRY 0x00000010 -#define SA_RIGHT_USER_SET_ATTRIBUTES 0x00000020 -#define SA_RIGHT_USER_CHANGE_PASSWORD 0x00000040 -#define SA_RIGHT_USER_SET_PASSWORD 0x00000080 -#define SA_RIGHT_USER_GET_GROUPS 0x00000100 -#define SA_RIGHT_USER_READ_GROUP_MEM 0x00000200 -#define SA_RIGHT_USER_CHANGE_GROUP_MEM 0x00000400 - -#define SA_RIGHT_USER_ALL_ACCESS 0x000007FF - -#define GENERIC_RIGHTS_USER_ALL_ACCESS \ - (STANDARD_RIGHTS_REQUIRED_ACCESS| \ - SA_RIGHT_USER_ALL_ACCESS) /* 0x000f07ff */ - -#define GENERIC_RIGHTS_USER_READ \ - (STANDARD_RIGHTS_READ_ACCESS | \ - SA_RIGHT_USER_READ_GROUP_MEM | \ - SA_RIGHT_USER_GET_GROUPS | \ - SA_RIGHT_USER_ACCT_FLAGS_EXPIRY | \ - SA_RIGHT_USER_GET_LOGONINFO | \ - SA_RIGHT_USER_GET_LOCALE) /* 0x0002031a */ - -#define GENERIC_RIGHTS_USER_WRITE \ - (STANDARD_RIGHTS_WRITE_ACCESS | \ - SA_RIGHT_USER_CHANGE_PASSWORD | \ - SA_RIGHT_USER_SET_LOC_COM) /* 0x00020044 */ - -#define GENERIC_RIGHTS_USER_EXECUTE \ - (STANDARD_RIGHTS_EXECUTE_ACCESS | \ - SA_RIGHT_USER_CHANGE_PASSWORD | \ - SA_RIGHT_USER_GET_NAME_ETC ) /* 0x00020041 */ - - -/* Group Object specific access rights */ - -#define SA_RIGHT_GROUP_LOOKUP_INFO 0x00000001 -#define SA_RIGHT_GROUP_SET_INFO 0x00000002 -#define SA_RIGHT_GROUP_ADD_MEMBER 0x00000004 -#define 
SA_RIGHT_GROUP_REMOVE_MEMBER 0x00000008 -#define SA_RIGHT_GROUP_GET_MEMBERS 0x00000010 - -#define SA_RIGHT_GROUP_ALL_ACCESS 0x0000001F - -#define GENERIC_RIGHTS_GROUP_ALL_ACCESS \ - (STANDARD_RIGHTS_REQUIRED_ACCESS| \ - SA_RIGHT_GROUP_ALL_ACCESS) /* 0x000f001f */ - -#define GENERIC_RIGHTS_GROUP_READ \ - (STANDARD_RIGHTS_READ_ACCESS | \ - SA_RIGHT_GROUP_GET_MEMBERS) /* 0x00020010 */ - -#define GENERIC_RIGHTS_GROUP_WRITE \ - (STANDARD_RIGHTS_WRITE_ACCESS | \ - SA_RIGHT_GROUP_REMOVE_MEMBER | \ - SA_RIGHT_GROUP_ADD_MEMBER | \ - SA_RIGHT_GROUP_SET_INFO ) /* 0x0002000e */ - -#define GENERIC_RIGHTS_GROUP_EXECUTE \ - (STANDARD_RIGHTS_EXECUTE_ACCESS | \ - SA_RIGHT_GROUP_LOOKUP_INFO) /* 0x00020001 */ - - -/* Alias Object specific access rights */ - -#define SA_RIGHT_ALIAS_ADD_MEMBER 0x00000001 -#define SA_RIGHT_ALIAS_REMOVE_MEMBER 0x00000002 -#define SA_RIGHT_ALIAS_GET_MEMBERS 0x00000004 -#define SA_RIGHT_ALIAS_LOOKUP_INFO 0x00000008 -#define SA_RIGHT_ALIAS_SET_INFO 0x00000010 - -#define SA_RIGHT_ALIAS_ALL_ACCESS 0x0000001F - -#define GENERIC_RIGHTS_ALIAS_ALL_ACCESS \ - (STANDARD_RIGHTS_REQUIRED_ACCESS| \ - SA_RIGHT_ALIAS_ALL_ACCESS) /* 0x000f001f */ - -#define GENERIC_RIGHTS_ALIAS_READ \ - (STANDARD_RIGHTS_READ_ACCESS | \ - SA_RIGHT_ALIAS_GET_MEMBERS ) /* 0x00020004 */ - -#define GENERIC_RIGHTS_ALIAS_WRITE \ - (STANDARD_RIGHTS_WRITE_ACCESS | \ - SA_RIGHT_ALIAS_REMOVE_MEMBER | \ - SA_RIGHT_ALIAS_ADD_MEMBER | \ - SA_RIGHT_ALIAS_SET_INFO ) /* 0x00020013 */ - -#define GENERIC_RIGHTS_ALIAS_EXECUTE \ - (STANDARD_RIGHTS_EXECUTE_ACCESS | \ - SA_RIGHT_ALIAS_LOOKUP_INFO ) /* 0x00020008 */ - -#endif /* _RPC_SECDES_H */ diff --git a/source4/include/structs.h b/source4/include/structs.h index ae3713eefd..4204cdab15 100644 --- a/source4/include/structs.h +++ b/source4/include/structs.h @@ -125,3 +125,5 @@ struct ldb_message; struct security_token; struct security_acl; struct security_ace; + +typedef struct security_descriptor SEC_DESC; 
diff --git a/source4/librpc/idl/security.idl b/source4/librpc/idl/security.idl index 9625153ec1..817b57a780 100644 --- a/source4/librpc/idl/security.idl +++ b/source4/librpc/idl/security.idl 
@@ -6,6 +6,90 @@ interface security { + /* + access masks are divided up like this: + 0xabccdddd + where + a = generic rights bits SEC_GENERIC_ + b = flags SEC_FLAG_ + c = standard rights bits SEC_STD_ + d = object type specific bits SEC_{FILE,DIR,REG,xxx}_ + + common combinations of bits are prefixed with SEC_RIGHTS_ + */ + const int SEC_MASK_GENERIC = 0xF0000000; + const int SEC_MASK_FLAGS = 0x0F000000; + const int SEC_MASK_STANDARD = 0x00FF0000; + const int SEC_MASK_SPECIFIC = 0x0000FFFF; + + /* generic bits */ + const int SEC_GENERIC_ALL = 0x10000000; + const int SEC_GENERIC_EXECUTE = 0x20000000; + const int SEC_GENERIC_WRITE = 0x40000000; + const int SEC_GENERIC_READ = 0x80000000; + + /* flag bits */ + const int SEC_FLAG_SYSTEM_SECURITY = 0x01000000; + const int SEC_FLAG_MAXIMUM_ALLOWED = 0x02000000; + + /* standard bits */ + const int SEC_STD_DELETE = 0x00010000; + const int SEC_STD_READ_CONTROL = 0x00020000; + const int SEC_STD_WRITE_DAC = 0x00040000; + const int SEC_STD_WRITE_OWNER = 0x00080000; + const int SEC_STD_SYNCHRONIZE = 0x00100000; + const int SEC_STD_REQUIRED = 0x000F0000; + const int SEC_STD_ALL = 0x001F0000; + + /* file specific bits */ + const int SEC_FILE_READ_DATA = 0x00000001; + const int SEC_FILE_WRITE_DATA = 0x00000002; + const int SEC_FILE_APPEND_DATA = 0x00000004; + const int SEC_FILE_READ_EA = 0x00000008; + const int SEC_FILE_WRITE_EA = 0x00000010; + const int SEC_FILE_EXECUTE = 0x00000020; + const int SEC_FILE_READ_ATTRIBUTE = 0x00000080; + const int SEC_FILE_WRITE_ATTRIBUTE = 0x00000100; + const int SEC_FILE_ALL = 0x000001ff; + + /* directory specific bits */ + const int SEC_DIR_LIST = 0x00000001; + const int SEC_DIR_ADD_FILE = 0x00000002; + const int SEC_DIR_ADD_SUBDIR = 0x00000004; + const int SEC_DIR_READ_EA = 0x00000008; + const int SEC_DIR_WRITE_EA = 0x00000010; + const int SEC_DIR_TRAVERSE = 0x00000020; + const int SEC_DIR_DELETE_CHILD = 0x00000040; + const int SEC_DIR_READ_ATTRIBUTE = 0x00000080; + const int 
SEC_DIR_WRITE_ATTRIBUTE = 0x00000100; + + /* registry entry specific bits */ + const int SEC_REG_QUERY_VALUE = 0x00000001; + const int SEC_REG_SET_VALUE = 0x00000002; + const int SEC_REG_CREATE_SUBKEY = 0x00000004; + const int SEC_REG_ENUM_SUBKEYS = 0x00000008; + const int SEC_REG_NOTIFY = 0x00000010; + const int SEC_REG_CREATE_LINK = 0x00000020; + + /* common combinations of bits */ + const int SEC_RIGHTS_FULL_CONTROL = SEC_STD_ALL | SEC_FILE_ALL; + + const int SEC_RIGHTS_FILE_READ = SEC_STD_READ_CONTROL | + SEC_STD_SYNCHRONIZE | + SEC_FILE_READ_DATA | + SEC_FILE_READ_ATTRIBUTE | + SEC_FILE_READ_EA; + + const int SEC_RIGHTS_FILE_WRITE = SEC_STD_READ_CONTROL | + SEC_STD_SYNCHRONIZE | + SEC_FILE_WRITE_DATA | + SEC_FILE_WRITE_ATTRIBUTE | + SEC_FILE_WRITE_EA | + SEC_FILE_APPEND_DATA; + + const int SEC_RIGHTS_MAXIMUM_ALLOWED = SEC_FLAG_MAXIMUM_ALLOWED; + + /* a NULL sid */ const string SID_NULL = "S-1-0-0"; @@ -83,6 +167,8 @@ interface security dom_sid trustee; } security_ace; + const int NT4_ACL_REVISION = 0x2; + typedef [public] struct { uint16 revision; [value(ndr_size_security_acl(r))] uint16 size; @@ -111,6 +197,14 @@ interface security const int SEC_DESC_RM_CONTROL_VALID = 0x4000; const int SEC_DESC_SELF_RELATIVE = 0x8000; + /* bits that determine which parts of a security descriptor + are being queried/set */ + const int SECINFO_OWNER = 0x00000001; + const int SECINFO_GROUP = 0x00000002; + const int SECINFO_DACL = 0x00000004; + const int SECINFO_SACL = 0x00000008; + + typedef [public,flag(NDR_LITTLE_ENDIAN)] struct { uint8 revision; uint16 type; /* SEC_DESC_xxxx flags */ diff --git a/source4/librpc/rpc/dcerpc_smb.c b/source4/librpc/rpc/dcerpc_smb.c index 25f3ea277a..d04b067eeb 100644 --- a/source4/librpc/rpc/dcerpc_smb.c +++ b/source4/librpc/rpc/dcerpc_smb.c @@ -23,6 +23,7 @@ #include "includes.h" #include "libcli/raw/libcliraw.h" +#include "librpc/gen_ndr/ndr_security.h" /* transport private information used by SMB pipe transport */ struct smb_private { 
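Review bot: `SEC_RIGHTS_FULL_CONTROL` is reused in the "common combinations" block with a different value from the definition this commit deletes: the removed rpc_secdes.h had it as `0x000f003f` (apparently the registry-key set), while the new constant is `SEC_STD_ALL | SEC_FILE_ALL`, i.e. `0x001f01ff`. Any caller outside the visible hunks that still passes the name for a non-file object keeps compiling but now requests a broader, file-shaped mask. I would either give the constant a file-specific name or put a comment on it such as `/* file/directory full control; NOT the old registry value 0x000f003f */`. Separately, `SEC_FILE_ALL = 0x000001ff` covers bit `0x40`, which has no `SEC_FILE_` name in this list (only `SEC_DIR_DELETE_CHILD`), so a one-line comment saying that is deliberate would help.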
@@ -379,11 +380,11 @@ NTSTATUS dcerpc_pipe_open_smb(struct dcerpc_pipe **p, io.ntcreatex.in.flags = 0; io.ntcreatex.in.root_fid = 0; io.ntcreatex.in.access_mask = - STD_RIGHT_READ_CONTROL_ACCESS | - SA_RIGHT_FILE_WRITE_ATTRIBUTES | - SA_RIGHT_FILE_WRITE_EA | - GENERIC_RIGHTS_FILE_READ | - GENERIC_RIGHTS_FILE_WRITE; + SEC_STD_READ_CONTROL | + SEC_FILE_WRITE_ATTRIBUTE | + SEC_FILE_WRITE_EA | + SEC_FILE_READ_DATA | + SEC_FILE_WRITE_DATA; io.ntcreatex.in.file_attr = 0; io.ntcreatex.in.alloc_size = 0; io.ntcreatex.in.share_access = diff --git a/source4/ntvfs/common/opendb.c b/source4/ntvfs/common/opendb.c index 99c013fc84..8947a5d255 100644 --- a/source4/ntvfs/common/opendb.c +++ b/source4/ntvfs/common/opendb.c @@ -40,6 +40,7 @@ #include "includes.h" #include "messages.h" +#include "librpc/gen_ndr/ndr_security.h" struct odb_context { struct tdb_wrap *w; @@ -157,14 +158,18 @@ static BOOL share_conflict(struct odb_entry *e1, struct odb_entry *e2) /* if either open involves no read.write or delete access then it can't conflict */ - if (!(e1->access_mask & (SA_RIGHT_FILE_WRITE_APPEND | - SA_RIGHT_FILE_READ_EXEC | - STD_RIGHT_DELETE_ACCESS))) { + if (!(e1->access_mask & (SEC_FILE_WRITE_DATA | + SEC_FILE_APPEND_DATA | + SEC_FILE_READ_DATA | + SEC_FILE_EXECUTE | + SEC_STD_DELETE))) { return False; } - if (!(e2->access_mask & (SA_RIGHT_FILE_WRITE_APPEND | - SA_RIGHT_FILE_READ_EXEC | - STD_RIGHT_DELETE_ACCESS))) { + if (!(e2->access_mask & (SEC_FILE_WRITE_DATA | + SEC_FILE_APPEND_DATA | + SEC_FILE_READ_DATA | + SEC_FILE_EXECUTE | + SEC_STD_DELETE))) { return False; } 
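Review bot: The new `access_mask` in `dcerpc_pipe_open_smb` is not a one-for-one rename of the old one: replacing `GENERIC_RIGHTS_FILE_READ | GENERIC_RIGHTS_FILE_WRITE` with `SEC_FILE_READ_DATA | SEC_FILE_WRITE_DATA` drops the synchronize, read-attribute, read-EA and append-data bits that the old combined macros carried. The commit message describes a renaming, so a narrower pipe-open mask is easy to miss in review. If the old request is what is wanted, use `SEC_RIGHTS_FILE_READ | SEC_RIGHTS_FILE_WRITE`; if the narrowing is intended, say so above the assignment, e.g. `/* intentionally narrower than SEC_RIGHTS_FILE_READ | SEC_RIGHTS_FILE_WRITE */`. The function body continues outside the hunk.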
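Review bot: The same five-bit expression is written out twice in the two early-return tests of `share_conflict`, and the write/append and read/execute pairs are repeated again in the `CHECK_MASK` calls of the following hunk. These masks decide whether two opens conflict, so a later edit that touches one copy and not the other changes sharing semantics silently. A single local such as `const uint32_t data_access = SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA | SEC_FILE_READ_DATA | SEC_FILE_EXECUTE | SEC_STD_DELETE;` used in both tests would keep them in step. The function starts and ends outside this hunk.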
@@ -176,24 +181,24 @@ static BOOL share_conflict(struct odb_entry *e1, struct odb_entry *e2) } CHECK_MASK(e1->access_mask, e2->share_access, - SA_RIGHT_FILE_WRITE_APPEND, + SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA, NTCREATEX_SHARE_ACCESS_WRITE); CHECK_MASK(e2->access_mask, e1->share_access, - SA_RIGHT_FILE_WRITE_APPEND, + SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA, NTCREATEX_SHARE_ACCESS_WRITE); CHECK_MASK(e1->access_mask, e2->share_access, - SA_RIGHT_FILE_READ_EXEC, + SEC_FILE_READ_DATA | SEC_FILE_EXECUTE, NTCREATEX_SHARE_ACCESS_READ); CHECK_MASK(e2->access_mask, e1->share_access, - SA_RIGHT_FILE_READ_EXEC, + SEC_FILE_READ_DATA | SEC_FILE_EXECUTE, NTCREATEX_SHARE_ACCESS_READ); CHECK_MASK(e1->access_mask, e2->share_access, - STD_RIGHT_DELETE_ACCESS, + SEC_STD_DELETE, NTCREATEX_SHARE_ACCESS_DELETE); CHECK_MASK(e2->access_mask, e1->share_access, - STD_RIGHT_DELETE_ACCESS, + SEC_STD_DELETE, NTCREATEX_SHARE_ACCESS_DELETE); /* if a delete is pending then a second open is not allowed */ diff --git a/source4/ntvfs/ntvfs_generic.c b/source4/ntvfs/ntvfs_generic.c index a9bc8120c8..49de8944ff 100644 --- a/source4/ntvfs/ntvfs_generic.c +++ b/source4/ntvfs/ntvfs_generic.c @@ -33,6 +33,7 @@ #include "includes.h" #include "smb_server/smb_server.h" +#include "librpc/gen_ndr/ndr_security.h" /* a second stage function converts from the out parameters of the generic call onto the out parameters of the specific call made */ @@ -178,7 +179,7 @@ static NTSTATUS ntvfs_map_open_finish(struct smbsrv_request *req, io->openx.out.devstate = 0; io->openx.out.action = io2->generic.out.create_action; io->openx.out.unique_fid = 0; - io->openx.out.access_mask = STANDARD_RIGHTS_ALL_ACCESS; + io->openx.out.access_mask = SEC_STD_ALL; io->openx.out.unknown = 0; /* we need to extend the file to the requested size if 
@@ -280,17 +281,19 @@ NTSTATUS ntvfs_map_open(struct smbsrv_request *req, union smb_open *io, switch (io->openx.in.open_mode & OPENX_MODE_ACCESS_MASK) { case OPENX_MODE_ACCESS_READ: - io2->generic.in.access_mask = GENERIC_RIGHTS_FILE_READ; + io2->generic.in.access_mask = SEC_RIGHTS_FILE_READ; io->openx.out.access = OPENX_MODE_ACCESS_READ; break; case OPENX_MODE_ACCESS_WRITE: - io2->generic.in.access_mask = GENERIC_RIGHTS_FILE_WRITE; + io2->generic.in.access_mask = SEC_RIGHTS_FILE_WRITE; io->openx.out.access = OPENX_MODE_ACCESS_WRITE; break; case OPENX_MODE_ACCESS_RDWR: case OPENX_MODE_ACCESS_FCB: case OPENX_MODE_ACCESS_EXEC: - io2->generic.in.access_mask = GENERIC_RIGHTS_FILE_WRITE | GENERIC_RIGHTS_FILE_READ; + io2->generic.in.access_mask = + SEC_RIGHTS_FILE_READ | + SEC_RIGHTS_FILE_WRITE; io->openx.out.access = OPENX_MODE_ACCESS_RDWR; break; default: @@ -381,17 +384,17 @@ NTSTATUS ntvfs_map_open(struct smbsrv_request *req, union smb_open *io, io2->generic.in.open_disposition = NTCREATEX_DISP_OPEN; switch (io->openold.in.flags & OPEN_FLAGS_MODE_MASK) { case OPEN_FLAGS_OPEN_READ: - io2->generic.in.access_mask = GENERIC_RIGHTS_FILE_READ; + io2->generic.in.access_mask = SEC_RIGHTS_FILE_READ; io->openold.out.rmode = DOS_OPEN_RDONLY; break; case OPEN_FLAGS_OPEN_WRITE: - io2->generic.in.access_mask = GENERIC_RIGHTS_FILE_WRITE; + io2->generic.in.access_mask = SEC_RIGHTS_FILE_WRITE; io->openold.out.rmode = DOS_OPEN_WRONLY; break; case OPEN_FLAGS_OPEN_RDWR: case 0xf: /* FCB mode */ - io2->generic.in.access_mask = GENERIC_RIGHTS_FILE_READ | - GENERIC_RIGHTS_FILE_WRITE; + io2->generic.in.access_mask = SEC_RIGHTS_FILE_READ | + SEC_RIGHTS_FILE_WRITE; io->openold.out.rmode = DOS_OPEN_RDWR; /* assume we got r/w */ break; default: 
@@ -463,8 +466,8 @@ NTSTATUS ntvfs_map_open(struct smbsrv_request *req, union smb_open *io, io2->generic.in.fname = io->mknew.in.fname; io2->generic.in.open_disposition = NTCREATEX_DISP_CREATE; io2->generic.in.access_mask = - GENERIC_RIGHTS_FILE_READ | - GENERIC_RIGHTS_FILE_WRITE; + SEC_RIGHTS_FILE_READ | + SEC_RIGHTS_FILE_WRITE; io2->generic.in.share_access = NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE; @@ -476,8 +479,8 @@ NTSTATUS ntvfs_map_open(struct smbsrv_request *req, union smb_open *io, io2->generic.in.fname = io->mknew.in.fname; io2->generic.in.open_disposition = NTCREATEX_DISP_OPEN_IF; io2->generic.in.access_mask = - GENERIC_RIGHTS_FILE_READ | - GENERIC_RIGHTS_FILE_WRITE; + SEC_RIGHTS_FILE_READ | + SEC_RIGHTS_FILE_WRITE; io2->generic.in.share_access = NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE; @@ -493,8 +496,8 @@ NTSTATUS ntvfs_map_open(struct smbsrv_request *req, union smb_open *io, generate_random_str_list(io2, 5, "0123456789")); io2->generic.in.open_disposition = NTCREATEX_DISP_CREATE; io2->generic.in.access_mask = - GENERIC_RIGHTS_FILE_READ | - GENERIC_RIGHTS_FILE_WRITE; + SEC_RIGHTS_FILE_READ | + SEC_RIGHTS_FILE_WRITE; io2->generic.in.share_access = NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE; diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c index 2ff873fd78..2fff6db628 100644 --- a/source4/ntvfs/posix/pvfs_acl.c +++ b/source4/ntvfs/posix/pvfs_acl.c @@ -71,7 +71,7 @@ static NTSTATUS pvfs_default_acl(struct pvfs_state *pvfs, - Group - Everyone */ - access_masks[0] = SEC_RIGHTS_FULL_CTRL | STD_RIGHT_ALL_ACCESS; + access_masks[0] = SEC_RIGHTS_FULL_CONTROL; access_masks[1] = 0; access_masks[2] = 0; access_masks[3] = 0; 
@@ -80,54 +80,54 @@ static NTSTATUS pvfs_default_acl(struct pvfs_state *pvfs, if (mode & S_IRUSR) { access_masks[1] |= - SA_RIGHT_FILE_READ_DATA | - SA_RIGHT_FILE_READ_EA | - SA_RIGHT_FILE_READ_ATTRIBUTES | - SA_RIGHT_FILE_EXECUTE | - STD_RIGHT_SYNCHRONIZE_ACCESS | - STD_RIGHT_READ_CONTROL_ACCESS; + SEC_FILE_READ_DATA | + SEC_FILE_READ_EA | + SEC_FILE_READ_ATTRIBUTE | + SEC_FILE_EXECUTE | + SEC_STD_SYNCHRONIZE | + SEC_STD_READ_CONTROL; } if (mode & S_IWUSR) { access_masks[1] |= - SA_RIGHT_FILE_WRITE_DATA | - SA_RIGHT_FILE_APPEND_DATA | - SA_RIGHT_FILE_WRITE_EA | - SA_RIGHT_FILE_WRITE_ATTRIBUTES | - STD_RIGHT_DELETE_ACCESS; + SEC_FILE_WRITE_DATA | + SEC_FILE_APPEND_DATA | + SEC_FILE_WRITE_EA | + SEC_FILE_WRITE_ATTRIBUTE | + SEC_STD_DELETE; } if (mode & S_IRGRP) { access_masks[2] |= - SA_RIGHT_FILE_READ_DATA | - SA_RIGHT_FILE_READ_EA | - SA_RIGHT_FILE_READ_ATTRIBUTES | - SA_RIGHT_FILE_EXECUTE | - STD_RIGHT_SYNCHRONIZE_ACCESS | - STD_RIGHT_READ_CONTROL_ACCESS; + SEC_FILE_READ_DATA | + SEC_FILE_READ_EA | + SEC_FILE_READ_ATTRIBUTE | + SEC_FILE_EXECUTE | + SEC_STD_SYNCHRONIZE | + SEC_STD_READ_CONTROL; } if (mode & S_IWGRP) { access_masks[2] |= - SA_RIGHT_FILE_WRITE_DATA | - SA_RIGHT_FILE_APPEND_DATA | - SA_RIGHT_FILE_WRITE_EA | - SA_RIGHT_FILE_WRITE_ATTRIBUTES; + SEC_FILE_WRITE_DATA | + SEC_FILE_APPEND_DATA | + SEC_FILE_WRITE_EA | + SEC_FILE_WRITE_ATTRIBUTE; } if (mode & S_IROTH) { access_masks[3] |= - SA_RIGHT_FILE_READ_DATA | - SA_RIGHT_FILE_READ_EA | - SA_RIGHT_FILE_READ_ATTRIBUTES | - SA_RIGHT_FILE_EXECUTE | - STD_RIGHT_SYNCHRONIZE_ACCESS | - STD_RIGHT_READ_CONTROL_ACCESS; + SEC_FILE_READ_DATA | + SEC_FILE_READ_EA | + SEC_FILE_READ_ATTRIBUTE | + SEC_FILE_EXECUTE | + SEC_STD_SYNCHRONIZE | + SEC_STD_READ_CONTROL; } if (mode & S_IWOTH) { access_masks[3] |= - SA_RIGHT_FILE_WRITE_DATA | - SA_RIGHT_FILE_APPEND_DATA | - SA_RIGHT_FILE_WRITE_EA | - SA_RIGHT_FILE_WRITE_ATTRIBUTES; + SEC_FILE_WRITE_DATA | + SEC_FILE_APPEND_DATA | + SEC_FILE_WRITE_EA | + 
SEC_FILE_WRITE_ATTRIBUTE; } ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED; @@ -163,16 +163,16 @@ static NTSTATUS pvfs_default_acl(struct pvfs_state *pvfs, */ static void normalise_sd_flags(struct security_descriptor *sd, uint32_t secinfo_flags) { - if (!(secinfo_flags & OWNER_SECURITY_INFORMATION)) { + if (!(secinfo_flags & SECINFO_OWNER)) { sd->owner_sid = NULL; } - if (!(secinfo_flags & GROUP_SECURITY_INFORMATION)) { + if (!(secinfo_flags & SECINFO_GROUP)) { sd->group_sid = NULL; } - if (!(secinfo_flags & DACL_SECURITY_INFORMATION)) { + if (!(secinfo_flags & SECINFO_DACL)) { sd->dacl = NULL; } - if (!(secinfo_flags & SACL_SECURITY_INFORMATION)) { + if (!(secinfo_flags & SECINFO_SACL)) { sd->sacl = NULL; } } @@ -214,16 +214,16 @@ NTSTATUS pvfs_acl_set(struct pvfs_state *pvfs, new_sd = info->set_secdesc.in.sd; /* only set the elements that have been specified */ - if (secinfo_flags & OWNER_SECURITY_INFORMATION) { + if (secinfo_flags & SECINFO_OWNER) { sd->owner_sid = new_sd->owner_sid; } - if (secinfo_flags & GROUP_SECURITY_INFORMATION) { + if (secinfo_flags & SECINFO_GROUP) { sd->group_sid = new_sd->group_sid; } - if (secinfo_flags & DACL_SECURITY_INFORMATION) { + if (secinfo_flags & SECINFO_DACL) { sd->dacl = new_sd->dacl; } - if (secinfo_flags & SACL_SECURITY_INFORMATION) { + if (secinfo_flags & SECINFO_SACL) { sd->sacl = new_sd->sacl; } diff --git a/source4/ntvfs/posix/pvfs_open.c b/source4/ntvfs/posix/pvfs_open.c index 3d0e444d29..4b8de28488 100644 --- a/source4/ntvfs/posix/pvfs_open.c +++ b/source4/ntvfs/posix/pvfs_open.c 
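Review bot: In the `S_IRUSR`, `S_IRGRP` and `S_IROTH` branches the ACE gets `SEC_FILE_EXECUTE` from the POSIX read bit, and no `S_IX*` bit is tested anywhere in the hunk, so a file that is readable but not executable on disk is presented as executable in the default ACL. If that is deliberate, a comment on the first branch would stop it being "fixed" or copied by mistake, e.g. `/* execute is granted with read on purpose; S_IXUSR is not consulted */`. If it is not, the execute bit belongs under its own test, `if (mode & S_IXUSR) { access_masks[1] |= SEC_FILE_EXECUTE; }`, and likewise for group and other. `pvfs_default_acl` continues outside the hunk, so a later adjustment may exist that is not visible here.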
@@ -380,11 +380,11 @@ static NTSTATUS pvfs_create_file(struct pvfs_state *pvfs, return NT_STATUS_CANNOT_DELETE; } - if (access_mask & SEC_RIGHT_MAXIMUM_ALLOWED) { - access_mask = GENERIC_RIGHTS_FILE_READ | GENERIC_RIGHTS_FILE_WRITE; + if (access_mask & SEC_FLAG_MAXIMUM_ALLOWED) { + access_mask = SEC_RIGHTS_FILE_READ | SEC_RIGHTS_FILE_WRITE; } - if (access_mask & SA_RIGHT_FILE_WRITE_APPEND) { + if (access_mask & (SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA)) { flags = O_RDWR; } else { flags = O_RDONLY; @@ -460,7 +460,7 @@ static NTSTATUS pvfs_create_file(struct pvfs_state *pvfs, union smb_setfileinfo set; set.set_secdesc.file.fnum = fnum; - set.set_secdesc.in.secinfo_flags = DACL_SECURITY_INFORMATION; + set.set_secdesc.in.secinfo_flags = SECINFO_DACL; set.set_secdesc.in.sd = io->ntcreatex.in.sec_desc; status = pvfs_acl_set(pvfs, req, name, fd, &set); @@ -676,7 +676,7 @@ static NTSTATUS pvfs_open_deny_dos(struct ntvfs_module_context *ntvfs, (f2->handle->create_options & (NTCREATEX_OPTIONS_PRIVATE_DENY_DOS | NTCREATEX_OPTIONS_PRIVATE_DENY_FCB)) && - (f2->access_mask & SA_RIGHT_FILE_WRITE_DATA) && + (f2->access_mask & SEC_FILE_WRITE_DATA) && StrCaseCmp(f2->handle->name->original_name, io->generic.in.fname)==0) { break; 
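Review bot: When `SEC_FLAG_MAXIMUM_ALLOWED` is set, `access_mask` is overwritten rather than extended, so any bits the client asked for explicitly alongside it are discarded. The same pattern is in `pvfs_open` at `@@ -862,17`, where a request for maximum-allowed plus `SEC_STD_DELETE` would then fail the delete-on-close test that follows. The granted set is also a fixed read/write combination rather than something computed from the file's ACL, at least as far as these hunks show. Keeping the explicit bits is a one-line change: `access_mask = (access_mask & ~SEC_FLAG_MAXIMUM_ALLOWED) | SEC_RIGHTS_FILE_READ | SEC_RIGHTS_FILE_WRITE;`. Both functions continue outside their hunks.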
@@ -862,17 +862,17 @@ NTSTATUS pvfs_open(struct ntvfs_module_context *ntvfs, share_access = io->generic.in.share_access; access_mask = io->generic.in.access_mask; - if (access_mask & SEC_RIGHT_MAXIMUM_ALLOWED) { + if (access_mask & SEC_FLAG_MAXIMUM_ALLOWED) { if (name->exists && (name->dos.attrib & FILE_ATTRIBUTE_READONLY)) { - access_mask = GENERIC_RIGHTS_FILE_READ; + access_mask = SEC_RIGHTS_FILE_READ; } else { - access_mask = GENERIC_RIGHTS_FILE_READ | GENERIC_RIGHTS_FILE_WRITE; + access_mask = SEC_RIGHTS_FILE_READ | SEC_RIGHTS_FILE_WRITE; } } /* certain create options are not allowed */ if ((create_options & NTCREATEX_OPTIONS_DELETE_ON_CLOSE) && - !(access_mask & STD_RIGHT_DELETE_ACCESS)) { + !(access_mask & SEC_STD_DELETE)) { return NT_STATUS_INVALID_PARAMETER; } @@ -914,7 +914,7 @@ NTSTATUS pvfs_open(struct ntvfs_module_context *ntvfs, return NT_STATUS_INVALID_PARAMETER; } - if (access_mask & SA_RIGHT_FILE_WRITE_APPEND) { + if (access_mask & (SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA)) { flags |= O_RDWR; } else { flags |= O_RDONLY; @@ -1240,7 +1240,7 @@ NTSTATUS pvfs_can_delete(struct pvfs_state *pvfs, struct pvfs_filename *name) NTCREATEX_SHARE_ACCESS_WRITE | NTCREATEX_SHARE_ACCESS_DELETE, NTCREATEX_OPTIONS_DELETE_ON_CLOSE, - STD_RIGHT_DELETE_ACCESS); + SEC_STD_DELETE); return status; } @@ -1263,7 +1263,7 @@ NTSTATUS pvfs_can_rename(struct pvfs_state *pvfs, struct pvfs_filename *name) NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE, 0, - STD_RIGHT_DELETE_ACCESS); + SEC_STD_DELETE); return status; } diff --git a/source4/ntvfs/posix/pvfs_read.c b/source4/ntvfs/posix/pvfs_read.c index 793a97ba62..db597d7097 100644 --- a/source4/ntvfs/posix/pvfs_read.c +++ b/source4/ntvfs/posix/pvfs_read.c @@ -23,6 +23,7 @@ #include "includes.h" #include "vfs_posix.h" #include "system/filesys.h" +#include "librpc/gen_ndr/ndr_security.h" /* read from a file 
@@ -50,9 +51,9 @@ NTSTATUS pvfs_read(struct ntvfs_module_context *ntvfs, return NT_STATUS_FILE_IS_A_DIRECTORY; } - mask = SA_RIGHT_FILE_READ_DATA; + mask = SEC_FILE_READ_DATA; if (req->flags2 & FLAGS2_READ_PERMIT_EXECUTE) { - mask |= SA_RIGHT_FILE_EXECUTE; + mask |= SEC_FILE_EXECUTE; } if (!(f->access_mask & mask)) { return NT_STATUS_ACCESS_DENIED; diff --git a/source4/ntvfs/posix/pvfs_setfileinfo.c b/source4/ntvfs/posix/pvfs_setfileinfo.c index 5a758a6b70..c43ef5c40a 100644 --- a/source4/ntvfs/posix/pvfs_setfileinfo.c +++ b/source4/ntvfs/posix/pvfs_setfileinfo.c @@ -258,7 +258,7 @@ NTSTATUS pvfs_setfileinfo(struct ntvfs_module_context *ntvfs, case RAW_SFILEINFO_DISPOSITION_INFO: case RAW_SFILEINFO_DISPOSITION_INFORMATION: - if (!(f->access_mask & STD_RIGHT_DELETE_ACCESS)) { + if (!(f->access_mask & SEC_STD_DELETE)) { return NT_STATUS_ACCESS_DENIED; } create_options = h->create_options; @@ -322,7 +322,8 @@ NTSTATUS pvfs_setfileinfo(struct ntvfs_module_context *ntvfs, } } else { int ret; - if (f->access_mask & SA_RIGHT_FILE_WRITE_APPEND) { + if (f->access_mask & + (SEC_FILE_WRITE_DATA|SEC_FILE_APPEND_DATA)) { ret = ftruncate(h->fd, newstats.st.st_size); } else { ret = truncate(h->name->full_name, newstats.st.st_size); diff --git a/source4/ntvfs/posix/pvfs_write.c b/source4/ntvfs/posix/pvfs_write.c index 3f6e8d908a..025ea3f3eb 100644 --- a/source4/ntvfs/posix/pvfs_write.c +++ b/source4/ntvfs/posix/pvfs_write.c @@ -22,6 +22,7 @@ #include "includes.h" #include "vfs_posix.h" +#include "librpc/gen_ndr/ndr_security.h" /* @@ -48,7 +49,7 @@ NTSTATUS pvfs_write(struct ntvfs_module_context *ntvfs, return NT_STATUS_FILE_IS_A_DIRECTORY; } - if (!(f->access_mask & SA_RIGHT_FILE_WRITE_APPEND)) { + if (!(f->access_mask & (SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA))) { return NT_STATUS_ACCESS_VIOLATION; } diff --git a/source4/smb_server/service.c b/source4/smb_server/service.c index 815a58ce70..12a983e41b 100644 --- a/source4/smb_server/service.c +++ b/source4/smb_server/service.c 
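Review bot: In the pvfs_read hunk at -50 the accepted mask is widened to include `SEC_FILE_EXECUTE` whenever `req->flags2` carries `FLAGS2_READ_PERMIT_EXECUTE`, and that flag comes from the request itself, which deserves a comment at the test. A handle opened for execute only can then read file data simply because the client sets the bit. If that is the intended protocol behaviour, say so next to the check: `/* execute-only handles may read when the client sets FLAGS2_READ_PERMIT_EXECUTE (request-controlled) */`. The function starts and ends outside the hunk.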
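Review bot: In the pvfs_setfileinfo hunk at -322, a handle whose `access_mask` has neither `SEC_FILE_WRITE_DATA` nor `SEC_FILE_APPEND_DATA` still reaches `truncate(h->name->full_name, ...)`, so the size change appears to be applied by path instead of being refused. No access test for the size change is visible here, unlike the -258 hunk, which tests `SEC_STD_DELETE` for disposition. If none exists earlier in the function, which starts outside the hunk, add one before the `ftruncate`/`truncate` choice, e.g. `if (!(f->access_mask & SEC_FILE_WRITE_DATA)) return NT_STATUS_ACCESS_DENIED;`. The path-based call also acts on whatever the name resolves to at that moment rather than on the open file, which is worth a comment if the branch is kept.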
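Review bot: The guard in pvfs_write at -48 accepts a handle that holds only `SEC_FILE_APPEND_DATA`, and nothing in the hunk restricts such a handle to writing at end of file, so append-only access would allow overwriting existing data at any offset the request names. If the rest of the function (outside the hunk) does not enforce that, either require `SEC_FILE_WRITE_DATA` for writes below the current end of file or record the gap: `/* TODO: SEC_FILE_APPEND_DATA alone should only permit writes at EOF */`. The failure status here is `NT_STATUS_ACCESS_VIOLATION`, while the matching test in pvfs_read returns `NT_STATUS_ACCESS_DENIED`; a short comment saying whether the difference is intentional would help.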
@@ -161,25 +161,6 @@ static NTSTATUS make_connection_snum(struct smbsrv_request *req, tcon->service = snum; - /* - * New code to check if there's a share security descripter - * added from NT server manager. This is done after the - * smb.conf checks are done as we need a uid and token. JRA. - * - */ - - if (!share_access_check(req, tcon, snum, SA_RIGHT_FILE_WRITE_DATA)) { - if (!share_access_check(req, tcon, snum, SA_RIGHT_FILE_READ_DATA)) { - /* No access, read or write. */ - DEBUG(0,( "make_connection: connection to %s denied due to security descriptor.\n", - lp_servicename(snum))); - conn_free(req->smb_conn, tcon); - return NT_STATUS_ACCESS_DENIED; - } else { - tcon->read_only = True; - } - } - /* init ntvfs function pointers */ status = ntvfs_init_connection(req, type); if (!NT_STATUS_IS_OK(status)) { diff --git a/source4/smbd/rewrite.c b/source4/smbd/rewrite.c index d22e3c28c3..8e7ddc405e 100644 --- a/source4/smbd/rewrite.c +++ b/source4/smbd/rewrite.c @@ -10,9 +10,6 @@ BOOL pcap_printername_ok(const char *service, const char *foo) { return True; } -BOOL share_access_check(struct smbsrv_request *req, struct smbsrv_tcon *tcon, int snum, uint32_t desired_access) -{ return True; } - /* * initialize an smb process. Guaranteed to be called only once per * smbd instance (so it can assume it is starting from scratch, and diff --git a/source4/torture/basic/attr.c b/source4/torture/basic/attr.c index 5cd05d9647..07a36ea950 100644 --- a/source4/torture/basic/attr.c +++ b/source4/torture/basic/attr.c @@ -21,6 +21,7 @@ */ #include "includes.h" +#include "librpc/gen_ndr/ndr_security.h" extern int torture_failures; 
@@ -103,7 +104,9 @@ BOOL torture_openattrtest(void) for (k = 0, i = 0; i < sizeof(open_attrs_table)/sizeof(uint32_t); i++) { smbcli_setatr(cli1->tree, fname, 0, 0); smbcli_unlink(cli1->tree, fname); - fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, SA_RIGHT_FILE_WRITE_DATA, open_attrs_table[i], + fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, + SEC_FILE_WRITE_DATA, + open_attrs_table[i], NTCREATEX_SHARE_ACCESS_NONE, NTCREATEX_DISP_OVERWRITE_IF, 0, 0); if (fnum1 == -1) { @@ -118,10 +121,11 @@ BOOL torture_openattrtest(void) for (j = 0; j < ARRAY_SIZE(open_attrs_table); j++) { fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, - SA_RIGHT_FILE_READ_DATA|SA_RIGHT_FILE_WRITE_DATA, - open_attrs_table[j], - NTCREATEX_SHARE_ACCESS_NONE, - NTCREATEX_DISP_OVERWRITE, 0, 0); + SEC_FILE_READ_DATA| + SEC_FILE_WRITE_DATA, + open_attrs_table[j], + NTCREATEX_SHARE_ACCESS_NONE, + NTCREATEX_DISP_OVERWRITE, 0, 0); if (fnum1 == -1) { for (l = 0; l < ARRAY_SIZE(attr_results); l++) { diff --git a/source4/torture/basic/charset.c b/source4/torture/basic/charset.c index 4f57eba64a..1024c1cd26 100644 --- a/source4/torture/basic/charset.c +++ b/source4/torture/basic/charset.c @@ -21,6 +21,7 @@ */ #include "includes.h" +#include "librpc/gen_ndr/ndr_security.h" #define BASEDIR "\\chartest\\" @@ -67,7 +68,7 @@ static NTSTATUS unicode_open(struct smbcli_tree *tree, io.generic.level = RAW_OPEN_NTCREATEX; io.ntcreatex.in.flags = NTCREATEX_FLAGS_EXTENDED; io.ntcreatex.in.root_fid = 0; - io.ntcreatex.in.access_mask = GENERIC_RIGHTS_FILE_ALL_ACCESS; + io.ntcreatex.in.access_mask = SEC_RIGHTS_FULL_CONTROL; io.ntcreatex.in.alloc_size = 0; io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL; io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_NONE; diff --git a/source4/torture/basic/delete.c b/source4/torture/basic/delete.c index 742a51bcaa..99be602de9 100644 --- a/source4/torture/basic/delete.c +++ b/source4/torture/basic/delete.c 
@@ -21,6 +21,7 @@ */ #include "includes.h" +#include "librpc/gen_ndr/ndr_security.h" /* @@ -47,9 +48,11 @@ BOOL torture_test_delete(void) smbcli_setatr(cli1->tree, fname, 0, 0); smbcli_unlink(cli1->tree, fname); - fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, GENERIC_RIGHTS_FILE_ALL_ACCESS, FILE_ATTRIBUTE_NORMAL, - NTCREATEX_SHARE_ACCESS_DELETE, NTCREATEX_DISP_OVERWRITE_IF, - NTCREATEX_OPTIONS_DELETE_ON_CLOSE, 0); + fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, + SEC_RIGHTS_FULL_CONTROL, + FILE_ATTRIBUTE_NORMAL, + NTCREATEX_SHARE_ACCESS_DELETE, NTCREATEX_DISP_OVERWRITE_IF, + NTCREATEX_OPTIONS_DELETE_ON_CLOSE, 0); if (fnum1 == -1) { printf("(%s) open of %s failed (%s)\n", @@ -80,9 +83,10 @@ BOOL torture_test_delete(void) smbcli_setatr(cli1->tree, fname, 0, 0); smbcli_unlink(cli1->tree, fname); - fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, GENERIC_RIGHTS_FILE_ALL_ACCESS, - FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_NONE, - NTCREATEX_DISP_OVERWRITE_IF, 0, 0); + fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, + SEC_RIGHTS_FULL_CONTROL, + FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_NONE, + NTCREATEX_DISP_OVERWRITE_IF, 0, 0); if (fnum1 == -1) { printf("(%s) open of %s failed (%s)\n", @@ -124,7 +128,7 @@ BOOL torture_test_delete(void) smbcli_unlink(cli1->tree, fname); fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, - GENERIC_RIGHTS_FILE_ALL_ACCESS, + SEC_RIGHTS_FULL_CONTROL, FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_READ|NTCREATEX_SHARE_ACCESS_WRITE, NTCREATEX_DISP_OVERWRITE_IF, 0, 0); @@ -140,7 +144,7 @@ BOOL torture_test_delete(void) with SHARE_DELETE. */ fnum2 = smbcli_nt_create_full(cli1->tree, fname, 0, - GENERIC_RIGHTS_FILE_READ, + SEC_RIGHTS_FILE_READ, FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_READ|NTCREATEX_SHARE_ACCESS_WRITE, NTCREATEX_DISP_OPEN, 0, 0); 
@@ -154,8 +158,11 @@ BOOL torture_test_delete(void) /* This should succeed. */ - fnum2 = smbcli_nt_create_full(cli1->tree, fname, 0, GENERIC_RIGHTS_FILE_READ, FILE_ATTRIBUTE_NORMAL, - NTCREATEX_SHARE_ACCESS_READ|NTCREATEX_SHARE_ACCESS_WRITE|NTCREATEX_SHARE_ACCESS_DELETE, NTCREATEX_DISP_OPEN, 0, 0); + fnum2 = smbcli_nt_create_full(cli1->tree, fname, 0, + SEC_RIGHTS_FILE_READ, + FILE_ATTRIBUTE_NORMAL, + NTCREATEX_SHARE_ACCESS_READ|NTCREATEX_SHARE_ACCESS_WRITE|NTCREATEX_SHARE_ACCESS_DELETE, + NTCREATEX_DISP_OPEN, 0, 0); if (fnum2 == -1) { printf("(%s) open - 2 of %s failed (%s)\n", @@ -211,12 +218,12 @@ BOOL torture_test_delete(void) } fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, - SA_RIGHT_FILE_READ_DATA | - SA_RIGHT_FILE_WRITE_DATA | - STD_RIGHT_DELETE_ACCESS, - FILE_ATTRIBUTE_NORMAL, - NTCREATEX_SHARE_ACCESS_READ|NTCREATEX_SHARE_ACCESS_WRITE, - NTCREATEX_DISP_OVERWRITE_IF, 0, 0); + SEC_FILE_READ_DATA | + SEC_FILE_WRITE_DATA | + SEC_STD_DELETE, + FILE_ATTRIBUTE_NORMAL, + NTCREATEX_SHARE_ACCESS_READ|NTCREATEX_SHARE_ACCESS_WRITE, + NTCREATEX_DISP_OVERWRITE_IF, 0, 0); if (fnum1 == -1) { printf("(%s) open of %s failed (%s)\n", @@ -226,7 +233,8 @@ BOOL torture_test_delete(void) } /* This should succeed. */ - fnum2 = smbcli_nt_create_full(cli1->tree, fname, 0, GENERIC_RIGHTS_FILE_READ, + fnum2 = smbcli_nt_create_full(cli1->tree, fname, 0, + SEC_RIGHTS_FILE_READ, FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE | @@ -255,7 +263,7 @@ BOOL torture_test_delete(void) /* This should fail - no more opens once delete on close set. */ fnum2 = smbcli_nt_create_full(cli1->tree, fname, 0, - GENERIC_RIGHTS_FILE_READ, + SEC_RIGHTS_FILE_READ, FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_READ|NTCREATEX_SHARE_ACCESS_WRITE|NTCREATEX_SHARE_ACCESS_DELETE, NTCREATEX_DISP_OPEN, 0, 0); 
@@ -309,7 +317,7 @@ BOOL torture_test_delete(void) smbcli_unlink(cli1->tree, fname); fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, - SA_RIGHT_FILE_READ_DATA | SA_RIGHT_FILE_WRITE_DATA, + SEC_FILE_READ_DATA | SEC_FILE_WRITE_DATA, FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE | @@ -346,10 +354,11 @@ BOOL torture_test_delete(void) smbcli_unlink(cli1->tree, fname); fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, - SA_RIGHT_FILE_READ_DATA | - SA_RIGHT_FILE_WRITE_DATA | - STD_RIGHT_DELETE_ACCESS, - FILE_ATTRIBUTE_NORMAL, 0, NTCREATEX_DISP_OVERWRITE_IF, 0, 0); + SEC_FILE_READ_DATA | + SEC_FILE_WRITE_DATA | + SEC_STD_DELETE, + FILE_ATTRIBUTE_NORMAL, 0, + NTCREATEX_DISP_OVERWRITE_IF, 0, 0); if (fnum1 == -1) { printf("(%s) open of %s failed (%s)\n", @@ -409,9 +418,13 @@ BOOL torture_test_delete(void) goto fail; } - fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, SA_RIGHT_FILE_READ_DATA|SA_RIGHT_FILE_WRITE_DATA|STD_RIGHT_DELETE_ACCESS, - FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_READ|NTCREATEX_SHARE_ACCESS_WRITE|NTCREATEX_SHARE_ACCESS_DELETE, - NTCREATEX_DISP_OVERWRITE_IF, 0, 0); + fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, + SEC_FILE_READ_DATA| + SEC_FILE_WRITE_DATA| + SEC_STD_DELETE, + FILE_ATTRIBUTE_NORMAL, + NTCREATEX_SHARE_ACCESS_READ|NTCREATEX_SHARE_ACCESS_WRITE|NTCREATEX_SHARE_ACCESS_DELETE, + NTCREATEX_DISP_OVERWRITE_IF, 0, 0); if (fnum1 == -1) { printf("(%s) open of %s failed (%s)\n", 
@@ -420,9 +433,13 @@ BOOL torture_test_delete(void) goto fail; } - fnum2 = smbcli_nt_create_full(cli2->tree, fname, 0, SA_RIGHT_FILE_READ_DATA|SA_RIGHT_FILE_WRITE_DATA|STD_RIGHT_DELETE_ACCESS, - FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_READ|NTCREATEX_SHARE_ACCESS_WRITE|NTCREATEX_SHARE_ACCESS_DELETE, - NTCREATEX_DISP_OPEN, 0, 0); + fnum2 = smbcli_nt_create_full(cli2->tree, fname, 0, + SEC_FILE_READ_DATA| + SEC_FILE_WRITE_DATA| + SEC_STD_DELETE, + FILE_ATTRIBUTE_NORMAL, + NTCREATEX_SHARE_ACCESS_READ|NTCREATEX_SHARE_ACCESS_WRITE|NTCREATEX_SHARE_ACCESS_DELETE, + NTCREATEX_DISP_OPEN, 0, 0); if (fnum2 == -1) { printf("(%s) open of %s failed (%s)\n", @@ -464,7 +481,7 @@ BOOL torture_test_delete(void) /* This should fail - we need to set DELETE_ACCESS. */ fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, - SA_RIGHT_FILE_READ_DATA|SA_RIGHT_FILE_WRITE_DATA, + SEC_FILE_READ_DATA|SEC_FILE_WRITE_DATA, FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_NONE, NTCREATEX_DISP_OVERWRITE_IF, @@ -480,7 +497,9 @@ BOOL torture_test_delete(void) printf("ninth delete on close test succeeded.\n"); fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, - SA_RIGHT_FILE_READ_DATA|SA_RIGHT_FILE_WRITE_DATA|STD_RIGHT_DELETE_ACCESS, + SEC_FILE_READ_DATA| + SEC_FILE_WRITE_DATA| + SEC_STD_DELETE, FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_NONE, NTCREATEX_DISP_OVERWRITE_IF, @@ -514,9 +533,9 @@ BOOL torture_test_delete(void) smbcli_setatr(cli1->tree, fname, 0, 0); smbcli_unlink(cli1->tree, fname); - + fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, - GENERIC_RIGHTS_FILE_ALL_ACCESS, + SEC_RIGHTS_FULL_CONTROL, FILE_ATTRIBUTE_READONLY, NTCREATEX_SHARE_ACCESS_NONE, NTCREATEX_DISP_OVERWRITE_IF, 0, 0); 
@@ -551,9 +570,11 @@ BOOL torture_test_delete(void) /* test 12 - does having read only attribute still allow delete on close at time of open. */ - fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, GENERIC_RIGHTS_FILE_ALL_ACCESS, FILE_ATTRIBUTE_READONLY, - NTCREATEX_SHARE_ACCESS_DELETE, NTCREATEX_DISP_OVERWRITE_IF, - NTCREATEX_OPTIONS_DELETE_ON_CLOSE, 0); + fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, + SEC_RIGHTS_FULL_CONTROL, + FILE_ATTRIBUTE_READONLY, + NTCREATEX_SHARE_ACCESS_DELETE, NTCREATEX_DISP_OVERWRITE_IF, + NTCREATEX_OPTIONS_DELETE_ON_CLOSE, 0); if (fnum1 != -1) { printf("(%s) open of %s succeeded. Should fail with NT_STATUS_CANNOT_DELETE.\n", diff --git a/source4/torture/basic/denytest.c b/source4/torture/basic/denytest.c index 8373e786fe..70d7a2b2a1 100644 --- a/source4/torture/basic/denytest.c +++ b/source4/torture/basic/denytest.c @@ -20,6 +20,7 @@ #include "includes.h" #include "libcli/raw/libcliraw.h" +#include "librpc/gen_ndr/ndr_security.h" extern BOOL torture_showall; extern int torture_failures; 
@@ -1699,49 +1700,53 @@ static NTSTATUS predict_share_conflict(uint32_t sa1, uint32_t am1, uint32_t sa2, }} while (0) *res = A_0; - if (am2 & SA_RIGHT_FILE_WRITE_APPEND) { + if (am2 & (SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA)) { *res += A_W; } - if (am2 & SA_RIGHT_FILE_READ_DATA) { + if (am2 & SEC_FILE_READ_DATA) { *res += A_R; - } else if ((am2 & SA_RIGHT_FILE_EXECUTE) && + } else if ((am2 & SEC_FILE_EXECUTE) && (flags2 & FLAGS2_READ_PERMIT_EXECUTE)) { *res += A_R; } /* if either open involves no read.write or delete access then it can't conflict */ - if (!(am1 & (SA_RIGHT_FILE_WRITE_APPEND | - SA_RIGHT_FILE_READ_EXEC | - STD_RIGHT_DELETE_ACCESS))) { + if (!(am1 & (SEC_FILE_WRITE_DATA | + SEC_FILE_APPEND_DATA | + SEC_FILE_READ_DATA | + SEC_FILE_EXECUTE | + SEC_STD_DELETE))) { return NT_STATUS_OK; } - if (!(am2 & (SA_RIGHT_FILE_WRITE_APPEND | - SA_RIGHT_FILE_READ_EXEC | - STD_RIGHT_DELETE_ACCESS))) { + if (!(am2 & (SEC_FILE_WRITE_DATA | + SEC_FILE_APPEND_DATA | + SEC_FILE_READ_DATA | + SEC_FILE_EXECUTE | + SEC_STD_DELETE))) { return NT_STATUS_OK; } /* check the basic share access */ CHECK_MASK(am1, sa2, - SA_RIGHT_FILE_WRITE_APPEND, + SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA, NTCREATEX_SHARE_ACCESS_WRITE); CHECK_MASK(am2, sa1, - SA_RIGHT_FILE_WRITE_APPEND, + SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA, NTCREATEX_SHARE_ACCESS_WRITE); CHECK_MASK(am1, sa2, - SA_RIGHT_FILE_READ_EXEC, + SEC_FILE_READ_DATA | SEC_FILE_EXECUTE, NTCREATEX_SHARE_ACCESS_READ); CHECK_MASK(am2, sa1, - SA_RIGHT_FILE_READ_EXEC, + SEC_FILE_READ_DATA | SEC_FILE_EXECUTE, NTCREATEX_SHARE_ACCESS_READ); CHECK_MASK(am1, sa2, - STD_RIGHT_DELETE_ACCESS, + SEC_STD_DELETE, NTCREATEX_SHARE_ACCESS_DELETE); CHECK_MASK(am2, sa1, - STD_RIGHT_DELETE_ACCESS, + SEC_STD_DELETE, NTCREATEX_SHARE_ACCESS_DELETE); return NT_STATUS_OK; 
@@ -1758,14 +1763,14 @@ static BOOL torture_ntdenytest(struct smbcli_state *cli1, struct smbcli_state *c { NTCREATEX_SHARE_ACCESS_DELETE, "S_D" } }; const struct bit_value access_mask_bits[] = { - { SA_RIGHT_FILE_READ_DATA, "R_DATA" }, - { SA_RIGHT_FILE_WRITE_DATA, "W_DATA" }, - { SA_RIGHT_FILE_READ_ATTRIBUTES, "R_ATTR" }, - { SA_RIGHT_FILE_WRITE_ATTRIBUTES, "W_ATTR" }, - { SA_RIGHT_FILE_READ_EA, "R_EAS " }, - { SA_RIGHT_FILE_WRITE_EA, "W_EAS " }, - { SA_RIGHT_FILE_APPEND_DATA, "A_DATA" }, - { SA_RIGHT_FILE_EXECUTE, "EXEC " } + { SEC_FILE_READ_DATA, "R_DATA" }, + { SEC_FILE_WRITE_DATA, "W_DATA" }, + { SEC_FILE_READ_ATTRIBUTE, "R_ATTR" }, + { SEC_FILE_WRITE_ATTRIBUTE, "W_ATTR" }, + { SEC_FILE_READ_EA, "R_EAS " }, + { SEC_FILE_WRITE_EA, "W_EAS " }, + { SEC_FILE_APPEND_DATA, "A_DATA" }, + { SEC_FILE_EXECUTE, "EXEC " } }; int fnum1; int i; diff --git a/source4/torture/basic/dir.c b/source4/torture/basic/dir.c index 6e2e21fc08..0f962e6cf1 100644 --- a/source4/torture/basic/dir.c +++ b/source4/torture/basic/dir.c @@ -21,6 +21,7 @@ */ #include "includes.h" +#include "librpc/gen_ndr/ndr_security.h" static void list_fn(struct file_info *finfo, const char *name, void *state) { @@ -109,8 +110,11 @@ BOOL torture_dirtest2(void) for (i=0;itree, fname, 0, GENERIC_RIGHTS_FILE_ALL_ACCESS, FILE_ATTRIBUTE_ARCHIVE, - NTCREATEX_SHARE_ACCESS_READ|NTCREATEX_SHARE_ACCESS_WRITE, NTCREATEX_DISP_OVERWRITE_IF, 0, 0); + fnum = smbcli_nt_create_full(cli->tree, fname, 0, + SEC_RIGHTS_FULL_CONTROL, + FILE_ATTRIBUTE_ARCHIVE, + NTCREATEX_SHARE_ACCESS_READ|NTCREATEX_SHARE_ACCESS_WRITE, + NTCREATEX_DISP_OVERWRITE_IF, 0, 0); if (fnum == -1) { fprintf(stderr,"(%s) Failed to open %s, error=%s\n", __location__, fname, smbcli_errstr(cli->tree)); diff --git a/source4/torture/basic/disconnect.c b/source4/torture/basic/disconnect.c index a225178b96..898fc41b4e 100644 --- a/source4/torture/basic/disconnect.c +++ b/source4/torture/basic/disconnect.c 
@@ -22,6 +22,7 @@ #include "includes.h" #include "libcli/raw/libcliraw.h" +#include "librpc/gen_ndr/ndr_security.h" #define BASEDIR "\\test_disconnect" @@ -47,7 +48,7 @@ static BOOL test_disconnect_open(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) io.generic.level = RAW_OPEN_NTCREATEX; io.ntcreatex.in.root_fid = 0; io.ntcreatex.in.flags = 0; - io.ntcreatex.in.access_mask = SA_RIGHT_FILE_READ_DATA; + io.ntcreatex.in.access_mask = SEC_FILE_READ_DATA; io.ntcreatex.in.create_options = 0; io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL; io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_READ; diff --git a/source4/torture/basic/rename.c b/source4/torture/basic/rename.c index e26c85b5df..3f7be04a8e 100644 --- a/source4/torture/basic/rename.c +++ b/source4/torture/basic/rename.c @@ -21,6 +21,7 @@ */ #include "includes.h" +#include "librpc/gen_ndr/ndr_security.h" /* Test rename on files open with share delete and no share delete. @@ -42,7 +43,7 @@ BOOL torture_test_rename(void) smbcli_unlink(cli1->tree, fname); smbcli_unlink(cli1->tree, fname1); fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, - GENERIC_RIGHTS_FILE_READ, + SEC_RIGHTS_FILE_READ, FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_READ, NTCREATEX_DISP_OVERWRITE_IF, 0, 0); @@ -69,7 +70,7 @@ BOOL torture_test_rename(void) smbcli_unlink(cli1->tree, fname); smbcli_unlink(cli1->tree, fname1); fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, - GENERIC_RIGHTS_FILE_READ, + SEC_RIGHTS_FILE_READ, FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_DELETE|NTCREATEX_SHARE_ACCESS_READ, NTCREATEX_DISP_OVERWRITE_IF, 0, 0); @@ -97,7 +98,7 @@ BOOL torture_test_rename(void) smbcli_unlink(cli1->tree, fname1); fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, - STD_RIGHT_READ_CONTROL_ACCESS, + SEC_STD_READ_CONTROL, FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_NONE, NTCREATEX_DISP_OVERWRITE_IF, 0, 0); diff --git a/source4/torture/basic/scanner.c b/source4/torture/basic/scanner.c index ad4220b9ad..08a870334d 100644 
--- a/source4/torture/basic/scanner.c +++ b/source4/torture/basic/scanner.c @@ -20,6 +20,7 @@ #include "includes.h" #include "libcli/raw/libcliraw.h" +#include "librpc/gen_ndr/ndr_security.h" #define VERBOSE 0 #define OP_MIN 0 @@ -255,10 +256,12 @@ BOOL torture_trans2_scan(void) printf("file open failed - %s\n", smbcli_errstr(cli->tree)); } dnum = smbcli_nt_create_full(cli->tree, "\\", - 0, GENERIC_RIGHTS_FILE_READ, FILE_ATTRIBUTE_NORMAL, - NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE, - NTCREATEX_DISP_OPEN, - NTCREATEX_OPTIONS_DIRECTORY, 0); + 0, + SEC_RIGHTS_FILE_READ, + FILE_ATTRIBUTE_NORMAL, + NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE, + NTCREATEX_DISP_OPEN, + NTCREATEX_OPTIONS_DIRECTORY, 0); if (dnum == -1) { printf("directory open failed - %s\n", smbcli_errstr(cli->tree)); } diff --git a/source4/torture/basic/unlink.c b/source4/torture/basic/unlink.c index dd2ff5a5c5..3fe0ea8f28 100644 --- a/source4/torture/basic/unlink.c +++ b/source4/torture/basic/unlink.c @@ -22,6 +22,7 @@ #include "includes.h" #include "libcli/raw/libcliraw.h" +#include "librpc/gen_ndr/ndr_security.h" /* This test checks that @@ -81,7 +82,7 @@ BOOL torture_unlinktest(void) io.ntcreatex.in.security_flags = 0; io.ntcreatex.in.fname = fname; io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_DELETE; - io.ntcreatex.in.access_mask = GENERIC_RIGHTS_FILE_ALL_ACCESS; + io.ntcreatex.in.access_mask = SEC_RIGHTS_FULL_CONTROL; status = smb_raw_open(cli->tree, cli, &io); if (!NT_STATUS_IS_OK(status)) { diff --git a/source4/torture/basic/utable.c b/source4/torture/basic/utable.c index 30d389dd92..dcd00b9fbb 100644 --- a/source4/torture/basic/utable.c +++ b/source4/torture/basic/utable.c @@ -20,6 +20,7 @@ #include "includes.h" #include "system/iconv.h" +#include "librpc/gen_ndr/ndr_security.h" BOOL torture_utable(void) { 
@@ -148,13 +149,13 @@ BOOL torture_casetable(void) fname = form_name(c); fnum = smbcli_nt_create_full(cli->tree, fname, 0, #if 0 - SEC_RIGHT_MAXIMUM_ALLOWED, + SEC_RIGHT_MAXIMUM_ALLOWED, #else - GENERIC_RIGHTS_FILE_ALL_ACCESS, + SEC_RIGHTS_FULL_CONTROL, #endif - FILE_ATTRIBUTE_NORMAL, - NTCREATEX_SHARE_ACCESS_NONE, - NTCREATEX_DISP_OPEN_IF, 0, 0); + FILE_ATTRIBUTE_NORMAL, + NTCREATEX_SHARE_ACCESS_NONE, + NTCREATEX_DISP_OPEN_IF, 0, 0); if (fnum == -1) { printf("Failed to create file with char %04x\n", c); diff --git a/source4/torture/gentest.c b/source4/torture/gentest.c index 4d3820793f..35b835b37f 100644 --- a/source4/torture/gentest.c +++ b/source4/torture/gentest.c @@ -23,6 +23,7 @@ #include "system/time.h" #include "request.h" #include "libcli/raw/libcliraw.h" +#include "librpc/gen_ndr/ndr_security.h" #define NSERVERS 2 #define NINSTANCES 2 @@ -526,8 +527,8 @@ static uint32_t gen_ntcreatex_flags(void) */ static uint32_t gen_access_mask(void) { - if (gen_chance(50)) return SEC_RIGHT_MAXIMUM_ALLOWED; - if (gen_chance(20)) return GENERIC_RIGHTS_FILE_ALL_ACCESS; + if (gen_chance(50)) return SEC_RIGHTS_MAXIMUM_ALLOWED; + if (gen_chance(20)) return SEC_FILE_ALL; return gen_bits_mask(0xFFFFFFFF); } diff --git a/source4/torture/nbench/nbio.c b/source4/torture/nbench/nbio.c index e3c40f9ba1..34de81c5b3 100644 --- a/source4/torture/nbench/nbio.c +++ b/source4/torture/nbench/nbio.c @@ -23,6 +23,7 @@ #include "includes.h" #include "system/time.h" #include "dlinklist.h" +#include "librpc/gen_ndr/ndr_security.h" #define MAX_FILES 100 
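Review bot: The disabled `#if 0` arm in torture_casetable still names `SEC_RIGHT_MAXIMUM_ALLOWED`, the old spelling that this commit replaces in every other hunk, so the block will presumably stop compiling if someone flips the `#if` once rpc_secdes.h is gone. Either update it to the name the torture code now uses, `SEC_RIGHTS_MAXIMUM_ALLOWED,`, or drop the dead arm and keep only `SEC_RIGHTS_FULL_CONTROL,`. The hunk only re-indents that line, and the function continues outside the hunk.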
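Review bot: gen_access_mask in gentest.c maps the old `GENERIC_RIGHTS_FILE_ALL_ACCESS` to `SEC_FILE_ALL`, whereas every other hunk on this page that replaces that name uses `SEC_RIGHTS_FULL_CONTROL`. If the two constants differ in value (their definitions in security.idl are not visible here), the randomised test now generates a different mask than before and silently changes what it exercises. The function also returns `SEC_RIGHTS_MAXIMUM_ALLOWED` while the pvfs code tests `SEC_FLAG_MAXIMUM_ALLOWED`. Using one name throughout, or adding a comment such as `/* same bit as SEC_FLAG_MAXIMUM_ALLOWED */`, would remove the doubt.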
@@ -247,13 +248,13 @@ void nb_createx(const char *fname, mem_ctx = talloc_init("raw_open"); if (create_options & NTCREATEX_OPTIONS_DIRECTORY) { - desired_access = SA_RIGHT_FILE_READ_DATA; + desired_access = SEC_FILE_READ_DATA; } else { desired_access = - SA_RIGHT_FILE_READ_DATA | - SA_RIGHT_FILE_WRITE_DATA | - SA_RIGHT_FILE_READ_ATTRIBUTES | - SA_RIGHT_FILE_WRITE_ATTRIBUTES; + SEC_FILE_READ_DATA | + SEC_FILE_WRITE_DATA | + SEC_FILE_READ_ATTRIBUTE | + SEC_FILE_WRITE_ATTRIBUTE; flags = NTCREATEX_FLAGS_EXTENDED | NTCREATEX_FLAGS_REQUEST_OPLOCK | NTCREATEX_FLAGS_REQUEST_BATCH_OPLOCK; diff --git a/source4/torture/raw/acls.c b/source4/torture/raw/acls.c index d0f4132be4..785e3c72dd 100644 --- a/source4/torture/raw/acls.c +++ b/source4/torture/raw/acls.c @@ -53,7 +53,7 @@ static BOOL test_sd(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) io.generic.level = RAW_OPEN_NTCREATEX; io.ntcreatex.in.root_fid = 0; io.ntcreatex.in.flags = 0; - io.ntcreatex.in.access_mask = SEC_RIGHT_MAXIMUM_ALLOWED; + io.ntcreatex.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED; io.ntcreatex.in.create_options = 0; io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL; io.ntcreatex.in.share_access = @@ -71,9 +71,9 @@ static BOOL test_sd(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) q.query_secdesc.level = RAW_FILEINFO_SEC_DESC; q.query_secdesc.in.fnum = fnum; q.query_secdesc.in.secinfo_flags = - OWNER_SECURITY_INFORMATION | - GROUP_SECURITY_INFORMATION | - DACL_SECURITY_INFORMATION; + SECINFO_OWNER | + SECINFO_GROUP | + SECINFO_DACL; status = smb_raw_fileinfo(cli->tree, mem_ctx, &q); CHECK_STATUS(status, NT_STATUS_OK); sd = q.query_secdesc.out.sd; @@ -84,7 +84,7 @@ static BOOL test_sd(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED; ace.flags = 0; - ace.access_mask = STD_RIGHT_ALL_ACCESS; + ace.access_mask = SEC_STD_ALL; ace.trustee = *test_sid; status = security_descriptor_dacl_add(sd, &ace); 
@@ -154,7 +154,7 @@ static BOOL test_nttrans_create(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) io.generic.level = RAW_OPEN_NTTRANS_CREATE; io.ntcreatex.in.root_fid = 0; io.ntcreatex.in.flags = 0; - io.ntcreatex.in.access_mask = SEC_RIGHT_MAXIMUM_ALLOWED; + io.ntcreatex.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED; io.ntcreatex.in.create_options = 0; io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL; io.ntcreatex.in.share_access = @@ -179,9 +179,9 @@ static BOOL test_nttrans_create(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) q.query_secdesc.level = RAW_FILEINFO_SEC_DESC; q.query_secdesc.in.fnum = fnum; q.query_secdesc.in.secinfo_flags = - OWNER_SECURITY_INFORMATION | - GROUP_SECURITY_INFORMATION | - DACL_SECURITY_INFORMATION; + SECINFO_OWNER | + SECINFO_GROUP | + SECINFO_DACL; status = smb_raw_fileinfo(cli->tree, mem_ctx, &q); CHECK_STATUS(status, NT_STATUS_OK); sd = q.query_secdesc.out.sd; @@ -194,7 +194,7 @@ static BOOL test_nttrans_create(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED; ace.flags = 0; - ace.access_mask = STD_RIGHT_ALL_ACCESS; + ace.access_mask = SEC_STD_ALL; ace.trustee = *test_sid; status = security_descriptor_dacl_add(sd, &ace); diff --git a/source4/torture/raw/chkpath.c b/source4/torture/raw/chkpath.c index 4948949886..6379c3ce8d 100644 --- a/source4/torture/raw/chkpath.c +++ b/source4/torture/raw/chkpath.c @@ -19,6 +19,7 @@ */ #include "includes.h" +#include "librpc/gen_ndr/ndr_security.h" #define BASEDIR "\\rawchkpath" 
@@ -127,13 +128,13 @@ static BOOL test_chkpath(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) printf("testing Open on %s\n", "\\.\\\\\\\\\\\\."); /* findfirst seems to fail with a different error. */ fnum1 = smbcli_nt_create_full(cli->tree, "\\.\\\\\\\\\\\\.", - 0, GENERIC_RIGHTS_FILE_ALL_ACCESS, - FILE_ATTRIBUTE_NORMAL, - NTCREATEX_SHARE_ACCESS_DELETE| - NTCREATEX_SHARE_ACCESS_READ| - NTCREATEX_SHARE_ACCESS_WRITE, - NTCREATEX_DISP_OVERWRITE_IF, - 0, 0); + 0, SEC_RIGHTS_FULL_CONTROL, + FILE_ATTRIBUTE_NORMAL, + NTCREATEX_SHARE_ACCESS_DELETE| + NTCREATEX_SHARE_ACCESS_READ| + NTCREATEX_SHARE_ACCESS_WRITE, + NTCREATEX_DISP_OVERWRITE_IF, + 0, 0); status = smbcli_nt_error(cli->tree); CHECK_STATUS(status, NT_STATUS_OBJECT_PATH_NOT_FOUND); @@ -168,13 +169,13 @@ static BOOL test_chkpath(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) printf("testing Open on %s\n", BASEDIR".\\.\\.\\.\\foo\\..\\.\\"); /* findfirst seems to fail with a different error. */ fnum1 = smbcli_nt_create_full(cli->tree, BASEDIR".\\.\\.\\.\\foo\\..\\.\\", - 0, GENERIC_RIGHTS_FILE_ALL_ACCESS, - FILE_ATTRIBUTE_NORMAL, - NTCREATEX_SHARE_ACCESS_DELETE| - NTCREATEX_SHARE_ACCESS_READ| - NTCREATEX_SHARE_ACCESS_WRITE, - NTCREATEX_DISP_OVERWRITE_IF, - 0, 0); + 0, SEC_RIGHTS_FULL_CONTROL, + FILE_ATTRIBUTE_NORMAL, + NTCREATEX_SHARE_ACCESS_DELETE| + NTCREATEX_SHARE_ACCESS_READ| + NTCREATEX_SHARE_ACCESS_WRITE, + NTCREATEX_DISP_OVERWRITE_IF, + 0, 0); status = smbcli_nt_error(cli->tree); CHECK_STATUS(status, NT_STATUS_OBJECT_PATH_NOT_FOUND); 
@@ -186,13 +187,13 @@ static BOOL test_chkpath(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) /* findfirst seems to fail with a different error. */ printf("testing Open on %s\n", BASEDIR "\\nt\\V S\\VB98\\vb6.exe\\3"); fnum1 = smbcli_nt_create_full(cli->tree, BASEDIR "\\nt\\V S\\VB98\\vb6.exe\\3", - 0, GENERIC_RIGHTS_FILE_ALL_ACCESS, - FILE_ATTRIBUTE_NORMAL, - NTCREATEX_SHARE_ACCESS_DELETE| - NTCREATEX_SHARE_ACCESS_READ| - NTCREATEX_SHARE_ACCESS_WRITE, - NTCREATEX_DISP_OVERWRITE_IF, - 0, 0); + 0, SEC_RIGHTS_FULL_CONTROL, + FILE_ATTRIBUTE_NORMAL, + NTCREATEX_SHARE_ACCESS_DELETE| + NTCREATEX_SHARE_ACCESS_READ| + NTCREATEX_SHARE_ACCESS_WRITE, + NTCREATEX_DISP_OVERWRITE_IF, + 0, 0); status = smbcli_nt_error(cli->tree); CHECK_STATUS(status, NT_STATUS_OBJECT_PATH_NOT_FOUND); diff --git a/source4/torture/raw/context.c b/source4/torture/raw/context.c index 446ada80a6..581705c1e4 100644 --- a/source4/torture/raw/context.c +++ b/source4/torture/raw/context.c @@ -20,6 +20,7 @@ #include "includes.h" #include "libcli/raw/libcliraw.h" +#include "librpc/gen_ndr/ndr_security.h" #define BASEDIR "\\rawcontext" @@ -139,7 +140,7 @@ static BOOL test_session(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) io.generic.level = RAW_OPEN_NTCREATEX; io.ntcreatex.in.root_fid = 0; io.ntcreatex.in.flags = 0; - io.ntcreatex.in.access_mask = SEC_RIGHT_MAXIMUM_ALLOWED; + io.ntcreatex.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED; io.ntcreatex.in.create_options = 0; io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL; io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE; 
@@ -241,7 +242,7 @@ static BOOL test_tree(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) io.generic.level = RAW_OPEN_NTCREATEX; io.ntcreatex.in.root_fid = 0; io.ntcreatex.in.flags = 0; - io.ntcreatex.in.access_mask = SEC_RIGHT_MAXIMUM_ALLOWED; + io.ntcreatex.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED; io.ntcreatex.in.create_options = 0; io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL; io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE; @@ -326,7 +327,7 @@ static BOOL test_pid(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) io.generic.level = RAW_OPEN_NTCREATEX; io.ntcreatex.in.root_fid = 0; io.ntcreatex.in.flags = 0; - io.ntcreatex.in.access_mask = SEC_RIGHT_MAXIMUM_ALLOWED; + io.ntcreatex.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED; io.ntcreatex.in.create_options = 0; io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL; io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE; diff --git a/source4/torture/raw/eas.c b/source4/torture/raw/eas.c index 57ca8de35c..949643872d 100644 --- a/source4/torture/raw/eas.c +++ b/source4/torture/raw/eas.c @@ -22,6 +22,7 @@ #include "includes.h" #include "libcli/raw/libcliraw.h" +#include "librpc/gen_ndr/ndr_security.h" #define BASEDIR "\\testeas" @@ -105,7 +106,7 @@ static BOOL test_eas(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) io.generic.level = RAW_OPEN_NTCREATEX; io.ntcreatex.in.root_fid = 0; io.ntcreatex.in.flags = 0; - io.ntcreatex.in.access_mask = SEC_RIGHT_MAXIMUM_ALLOWED; + io.ntcreatex.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED; io.ntcreatex.in.create_options = 0; io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL; io.ntcreatex.in.share_access = 
@@ -206,7 +207,7 @@ static BOOL test_nttrans_create(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) io.generic.level = RAW_OPEN_NTTRANS_CREATE; io.ntcreatex.in.root_fid = 0; io.ntcreatex.in.flags = 0; - io.ntcreatex.in.access_mask = SEC_RIGHT_MAXIMUM_ALLOWED; + io.ntcreatex.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED; io.ntcreatex.in.create_options = 0; io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL; io.ntcreatex.in.share_access = diff --git a/source4/torture/raw/mux.c b/source4/torture/raw/mux.c index 9afbc7c506..fce036a5e6 100644 --- a/source4/torture/raw/mux.c +++ b/source4/torture/raw/mux.c @@ -20,6 +20,7 @@ #include "includes.h" #include "libcli/raw/libcliraw.h" +#include "librpc/gen_ndr/ndr_security.h" #define BASEDIR "\\test_mux" @@ -51,7 +52,7 @@ static BOOL test_mux_open(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) io.generic.level = RAW_OPEN_NTCREATEX; io.ntcreatex.in.root_fid = 0; io.ntcreatex.in.flags = 0; - io.ntcreatex.in.access_mask = SA_RIGHT_FILE_READ_DATA; + io.ntcreatex.in.access_mask = SEC_FILE_READ_DATA; io.ntcreatex.in.create_options = 0; io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL; io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_READ; diff --git a/source4/torture/raw/notify.c b/source4/torture/raw/notify.c index 0156f5b251..2a5a0ca074 100644 --- a/source4/torture/raw/notify.c +++ b/source4/torture/raw/notify.c @@ -19,6 +19,7 @@ */ #include "includes.h" +#include "librpc/gen_ndr/ndr_security.h" #define BASEDIR "\\test_notify" @@ -77,7 +78,7 @@ BOOL torture_raw_notify(void) io.generic.level = RAW_OPEN_NTCREATEX; io.ntcreatex.in.root_fid = 0; io.ntcreatex.in.flags = 0; - io.ntcreatex.in.access_mask = SA_RIGHT_FILE_ALL_ACCESS; + io.ntcreatex.in.access_mask = SEC_FILE_ALL; io.ntcreatex.in.create_options = NTCREATEX_OPTIONS_DIRECTORY; io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL; io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE; 
diff --git a/source4/torture/raw/open.c b/source4/torture/raw/open.c index f938c82cfb..9d8e360f00 100644 --- a/source4/torture/raw/open.c +++ b/source4/torture/raw/open.c @@ -21,6 +21,7 @@ #include "includes.h" #include "libcli/raw/libcliraw.h" #include "system/time.h" +#include "librpc/gen_ndr/ndr_security.h" /* enum for whether reads/writes are possible on a file */ enum rdwr_mode {RDWR_NONE, RDWR_RDONLY, RDWR_WRONLY, RDWR_RDWR}; @@ -430,7 +431,7 @@ static BOOL test_openx(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) io.openx.in.open_func = OPENX_OPEN_FUNC_OPEN; status = smb_raw_open(cli->tree, mem_ctx, &io); CHECK_STATUS(status, NT_STATUS_OK); - CHECK_VAL(io.openx.out.access_mask, STD_RIGHT_ALL_ACCESS); + CHECK_VAL(io.openx.out.access_mask, SEC_STD_ALL); smbcli_close(cli->tree, io.openx.out.fnum); done: @@ -620,7 +621,7 @@ static BOOL test_ntcreatex(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) io.generic.level = RAW_OPEN_NTCREATEX; io.ntcreatex.in.flags = NTCREATEX_FLAGS_EXTENDED; io.ntcreatex.in.root_fid = 0; - io.ntcreatex.in.access_mask = GENERIC_RIGHTS_FILE_ALL_ACCESS; + io.ntcreatex.in.access_mask = SEC_RIGHTS_FULL_CONTROL; io.ntcreatex.in.alloc_size = 1024*1024; io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL; io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_NONE; @@ -706,7 +707,7 @@ static BOOL test_ntcreatex(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) /* create a directory */ io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE; - io.ntcreatex.in.access_mask = GENERIC_RIGHTS_FILE_ALL_ACCESS; + io.ntcreatex.in.access_mask = SEC_RIGHTS_FULL_CONTROL; io.ntcreatex.in.alloc_size = 0; io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_DIRECTORY; io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_NONE; 
@@ -718,7 +719,7 @@ static BOOL test_ntcreatex(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) smbcli_rmdir(cli->tree, fname); smbcli_unlink(cli->tree, fname); - io.ntcreatex.in.access_mask = SEC_RIGHT_MAXIMUM_ALLOWED; + io.ntcreatex.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED; io.ntcreatex.in.create_options = NTCREATEX_OPTIONS_DIRECTORY; io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL; io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE; @@ -793,7 +794,7 @@ static BOOL test_nttrans_create(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) io.generic.level = RAW_OPEN_NTTRANS_CREATE; io.ntcreatex.in.flags = NTCREATEX_FLAGS_EXTENDED; io.ntcreatex.in.root_fid = 0; - io.ntcreatex.in.access_mask = GENERIC_RIGHTS_FILE_ALL_ACCESS; + io.ntcreatex.in.access_mask = SEC_RIGHTS_FULL_CONTROL; io.ntcreatex.in.alloc_size = 1024*1024; io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL; io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_NONE; @@ -881,7 +882,7 @@ static BOOL test_nttrans_create(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) /* create a directory */ io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE; - io.ntcreatex.in.access_mask = GENERIC_RIGHTS_FILE_ALL_ACCESS; + io.ntcreatex.in.access_mask = SEC_RIGHTS_FULL_CONTROL; io.ntcreatex.in.alloc_size = 0; io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_DIRECTORY; io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_NONE; @@ -893,7 +894,7 @@ static BOOL test_nttrans_create(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) smbcli_rmdir(cli->tree, fname); smbcli_unlink(cli->tree, fname); - io.ntcreatex.in.access_mask = SEC_RIGHT_MAXIMUM_ALLOWED; + io.ntcreatex.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED; io.ntcreatex.in.create_options = NTCREATEX_OPTIONS_DIRECTORY; io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL; io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE; 
diff --git a/source4/torture/raw/oplock.c b/source4/torture/raw/oplock.c index 51e6a5de6c..78236246f4 100644 --- a/source4/torture/raw/oplock.c +++ b/source4/torture/raw/oplock.c @@ -19,6 +19,7 @@ */ #include "includes.h" +#include "librpc/gen_ndr/ndr_security.h" #define CHECK_VAL(v, correct) do { \ if ((v) != (correct)) { \ @@ -107,7 +108,7 @@ static BOOL test_oplock(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) */ io.generic.level = RAW_OPEN_NTCREATEX; io.ntcreatex.in.root_fid = 0; - io.ntcreatex.in.access_mask = GENERIC_RIGHTS_FILE_ALL_ACCESS; + io.ntcreatex.in.access_mask = SEC_RIGHTS_FULL_CONTROL; io.ntcreatex.in.alloc_size = 0; io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL; io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_NONE; @@ -275,7 +276,7 @@ static BOOL test_oplock(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) io.ntcreatex.in.flags = NTCREATEX_FLAGS_EXTENDED | NTCREATEX_FLAGS_REQUEST_OPLOCK | NTCREATEX_FLAGS_REQUEST_BATCH_OPLOCK; - io.ntcreatex.in.access_mask = SA_RIGHT_FILE_READ_ATTRIBUTES|SA_RIGHT_FILE_WRITE_ATTRIBUTES|STD_RIGHT_SYNCHRONIZE_ACCESS; + io.ntcreatex.in.access_mask = SEC_FILE_READ_ATTRIBUTE|SEC_FILE_WRITE_ATTRIBUTE|SEC_STD_SYNCHRONIZE; status = smb_raw_open(cli->tree, mem_ctx, &io); CHECK_STATUS(status, NT_STATUS_OK); fnum2 = io.ntcreatex.out.fnum; @@ -292,7 +293,7 @@ static BOOL test_oplock(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) io.ntcreatex.in.flags = NTCREATEX_FLAGS_EXTENDED | NTCREATEX_FLAGS_REQUEST_OPLOCK | NTCREATEX_FLAGS_REQUEST_BATCH_OPLOCK; - io.ntcreatex.in.access_mask = SA_RIGHT_FILE_READ_ATTRIBUTES|SA_RIGHT_FILE_WRITE_ATTRIBUTES|STD_RIGHT_SYNCHRONIZE_ACCESS; + io.ntcreatex.in.access_mask = SEC_FILE_READ_ATTRIBUTE|SEC_FILE_WRITE_ATTRIBUTE|SEC_STD_SYNCHRONIZE; io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE; status = smb_raw_open(cli->tree, mem_ctx, &io); CHECK_STATUS(status, NT_STATUS_OK); 
@@ -307,7 +308,7 @@ static BOOL test_oplock(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) io.ntcreatex.in.flags = NTCREATEX_FLAGS_EXTENDED | NTCREATEX_FLAGS_REQUEST_OPLOCK | NTCREATEX_FLAGS_REQUEST_BATCH_OPLOCK; - io.ntcreatex.in.access_mask = GENERIC_RIGHTS_FILE_ALL_ACCESS; + io.ntcreatex.in.access_mask = SEC_RIGHTS_FULL_CONTROL; io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN; status = smb_raw_open(cli->tree, mem_ctx, &io); CHECK_STATUS(status, NT_STATUS_OK); diff --git a/source4/torture/raw/qfileinfo.c b/source4/torture/raw/qfileinfo.c index 45abecfa8d..23e9cad246 100644 --- a/source4/torture/raw/qfileinfo.c +++ b/source4/torture/raw/qfileinfo.c @@ -20,6 +20,7 @@ #include "includes.h" #include "libcli/raw/libcliraw.h" +#include "librpc/gen_ndr/ndr_security.h" static struct { const char *name; @@ -554,13 +555,14 @@ BOOL torture_raw_qfileinfo(void) /* and make sure we can open by alternate name */ smbcli_close(cli->tree, fnum); - fnum = smbcli_nt_create_full(cli->tree, correct_name, 0, GENERIC_RIGHTS_FILE_ALL_ACCESS, - FILE_ATTRIBUTE_NORMAL, - NTCREATEX_SHARE_ACCESS_DELETE| - NTCREATEX_SHARE_ACCESS_READ| - NTCREATEX_SHARE_ACCESS_WRITE, - NTCREATEX_DISP_OVERWRITE_IF, - 0, 0); + fnum = smbcli_nt_create_full(cli->tree, correct_name, 0, + SEC_RIGHTS_FULL_CONTROL, + FILE_ATTRIBUTE_NORMAL, + NTCREATEX_SHARE_ACCESS_DELETE| + NTCREATEX_SHARE_ACCESS_READ| + NTCREATEX_SHARE_ACCESS_WRITE, + NTCREATEX_DISP_OVERWRITE_IF, + 0, 0); if (fnum == -1) { printf("Unable to open by alt_name - %s\n", smbcli_errstr(cli->tree)); ret = False; diff --git a/source4/torture/raw/rename.c b/source4/torture/raw/rename.c index c3fc739d6a..04071c2f80 100644 --- a/source4/torture/raw/rename.c +++ b/source4/torture/raw/rename.c @@ -19,6 +19,7 @@ */ #include "includes.h" +#include "librpc/gen_ndr/ndr_security.h" #define CHECK_STATUS(status, correct) do { \ if (!NT_STATUS_EQUAL(status, correct)) { \ 
@@ -61,7 +62,7 @@ static BOOL test_mv(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) op.generic.level = RAW_OPEN_NTCREATEX; op.ntcreatex.in.root_fid = 0; op.ntcreatex.in.flags = 0; - op.ntcreatex.in.access_mask = SEC_RIGHT_MAXIMUM_ALLOWED; + op.ntcreatex.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED; op.ntcreatex.in.create_options = 0; op.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL; op.ntcreatex.in.share_access = @@ -88,7 +89,7 @@ static BOOL test_mv(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) smbcli_close(cli->tree, fnum); - op.ntcreatex.in.access_mask = GENERIC_RIGHTS_FILE_READ; + op.ntcreatex.in.access_mask = SEC_FILE_READ_DATA; op.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_DELETE | NTCREATEX_SHARE_ACCESS_READ | diff --git a/source4/torture/raw/streams.c b/source4/torture/raw/streams.c index 933a102989..3956e7d4c2 100644 --- a/source4/torture/raw/streams.c +++ b/source4/torture/raw/streams.c @@ -22,6 +22,7 @@ #include "includes.h" #include "libcli/raw/libcliraw.h" +#include "librpc/gen_ndr/ndr_security.h" #define BASEDIR "\\teststreams" @@ -108,7 +109,7 @@ static BOOL test_stream_io(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) io.generic.level = RAW_OPEN_NTCREATEX; io.ntcreatex.in.root_fid = 0; io.ntcreatex.in.flags = 0; - io.ntcreatex.in.access_mask = SA_RIGHT_FILE_WRITE_DATA; + io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA; io.ntcreatex.in.create_options = NTCREATEX_OPTIONS_DIRECTORY; io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL; io.ntcreatex.in.share_access = 0; 
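Review bot: In the second test_mv hunk (`@@ -88,7 +89,7 @@`) the access mask goes from `GENERIC_RIGHTS_FILE_READ` to `SEC_FILE_READ_DATA`, which by its name is a single right rather than a renamed composite, so this line may change what the open requests instead of only renaming a constant. The old macro was defined in the deleted rpc_secdes.h and is not visible here; if it also carried read-attribute, read-EA or standard read bits, the open that follows now asks for a narrower handle than before. If the narrowing is intended, record it next to the assignment, e.g. `/* deliberately READ_DATA only, not the old composite read mask */`; otherwise OR the remaining rights back in. test_mv's body starts and ends outside the hunk.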
@@ -187,7 +188,7 @@ static BOOL test_stream_io(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) io.ntcreatex.in.fname = sname2; io.ntcreatex.in.create_options = NTCREATEX_OPTIONS_DELETE_ON_CLOSE; io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_DELETE; - io.ntcreatex.in.access_mask = GENERIC_RIGHTS_FILE_ALL_ACCESS; + io.ntcreatex.in.access_mask = SEC_RIGHTS_FULL_CONTROL; io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN; status = smb_raw_open(cli->tree, mem_ctx, &io); CHECK_STATUS(status, NT_STATUS_OK); diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c index 370f309b6c..29ae5b9273 100644 --- a/source4/torture/rpc/samr.c +++ b/source4/torture/rpc/samr.c @@ -1469,7 +1469,7 @@ static BOOL test_CreateAlias(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, init_samr_String(&name, TEST_ALIASNAME); r.in.domain_handle = domain_handle; r.in.aliasname = &name; - r.in.access_mask = SEC_RIGHT_MAXIMUM_ALLOWED; + r.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED; r.out.alias_handle = alias_handle; r.out.rid = &rid; diff --git a/source4/torture/rpc/svcctl.c b/source4/torture/rpc/svcctl.c index fd4dcf7894..3c40f06b32 100644 --- a/source4/torture/rpc/svcctl.c +++ b/source4/torture/rpc/svcctl.c @@ -21,6 +21,7 @@ #include "includes.h" #include "librpc/gen_ndr/ndr_svcctl.h" +#include "librpc/gen_ndr/ndr_security.h" static BOOL test_EnumServicesStatus(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, struct policy_handle *h) { diff --git a/source4/torture/torture.c b/source4/torture/torture.c index 7e1cd1f138..ca8c3342b6 100644 --- a/source4/torture/torture.c +++ b/source4/torture/torture.c @@ -26,6 +26,7 @@ #include "system/time.h" #include "system/wait.h" #include "ioctl.h" +#include "librpc/gen_ndr/ndr_security.h" int torture_nprocs=4; int torture_numops=100; 
@@ -895,9 +896,11 @@ static BOOL run_deferopen(struct smbcli_state *cli, int dummy) do { struct timeval tv; tv = timeval_current(); - fnum = smbcli_nt_create_full(cli->tree, fname, 0, GENERIC_RIGHTS_FILE_ALL_ACCESS, - FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_NONE, - NTCREATEX_DISP_OPEN_IF, 0, 0); + fnum = smbcli_nt_create_full(cli->tree, fname, 0, + SEC_RIGHTS_FULL_CONTROL, + FILE_ATTRIBUTE_NORMAL, + NTCREATEX_SHARE_ACCESS_NONE, + NTCREATEX_DISP_OPEN_IF, 0, 0); if (fnum != -1) { break; } @@ -1311,22 +1314,22 @@ static BOOL run_trans2test(void) /* FIRST_DESIRED_ACCESS 0xf019f */ -#define FIRST_DESIRED_ACCESS SA_RIGHT_FILE_READ_DATA|SA_RIGHT_FILE_WRITE_DATA|SA_RIGHT_FILE_APPEND_DATA|\ - SA_RIGHT_FILE_READ_EA| /* 0xf */ \ - SA_RIGHT_FILE_WRITE_EA|SA_RIGHT_FILE_READ_ATTRIBUTES| /* 0x90 */ \ - SA_RIGHT_FILE_WRITE_ATTRIBUTES| /* 0x100 */ \ - STD_RIGHT_DELETE_ACCESS|STD_RIGHT_READ_CONTROL_ACCESS|\ - STD_RIGHT_WRITE_DAC_ACCESS|STD_RIGHT_WRITE_OWNER_ACCESS /* 0xf0000 */ +#define FIRST_DESIRED_ACCESS SEC_FILE_READ_DATA|SEC_FILE_WRITE_DATA|SEC_FILE_APPEND_DATA|\ + SEC_FILE_READ_EA| /* 0xf */ \ + SEC_FILE_WRITE_EA|SEC_FILE_READ_ATTRIBUTE| /* 0x90 */ \ + SEC_FILE_WRITE_ATTRIBUTE| /* 0x100 */ \ + SEC_STD_DELETE|SEC_STD_READ_CONTROL|\ + SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER /* 0xf0000 */ /* SECOND_DESIRED_ACCESS 0xe0080 */ -#define SECOND_DESIRED_ACCESS SA_RIGHT_FILE_READ_ATTRIBUTES| /* 0x80 */ \ - STD_RIGHT_READ_CONTROL_ACCESS|STD_RIGHT_WRITE_DAC_ACCESS|\ - STD_RIGHT_WRITE_OWNER_ACCESS /* 0xe0000 */ +#define SECOND_DESIRED_ACCESS SEC_FILE_READ_ATTRIBUTE| /* 0x80 */ \ + SEC_STD_READ_CONTROL|SEC_STD_WRITE_DAC|\ + SEC_STD_WRITE_OWNER /* 0xe0000 */ #if 0 -#define THIRD_DESIRED_ACCESS FILE_READ_ATTRIBUTES| /* 0x80 */ \ - READ_CONTROL_ACCESS|WRITE_DAC_ACCESS|\ - SA_RIGHT_FILE_READ_DATA|\ - WRITE_OWNER_ACCESS /* */ +#define THIRD_DESIRED_ACCESS FILE_READ_ATTRIBUTE| /* 0x80 */ \ + READ_CONTROL|WRITE_DAC|\ + SEC_FILE_READ_DATA|\ + WRITE_OWNER /* */ #endif /* 
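Review bot: The `#if 0` definition of THIRD_DESIRED_ACCESS in the macro hunk (`@@ -1311,22 +1314,22 @@`) now mixes names that match neither the old nor the new scheme: `FILE_READ_ATTRIBUTE`, `READ_CONTROL`, `WRITE_DAC` and `WRITE_OWNER` look like by-products of the bulk rename, sitting next to the one new-style `SEC_FILE_READ_DATA`. The block is compiled out, so nothing breaks today, but anyone re-enabling it will likely hit undefined identifiers. Either delete it or write it with the names used just above: `#define THIRD_DESIRED_ACCESS (SEC_FILE_READ_ATTRIBUTE|SEC_STD_READ_CONTROL|SEC_STD_WRITE_DAC|SEC_FILE_READ_DATA|SEC_STD_WRITE_OWNER)`. While these lines are being touched, FIRST_DESIRED_ACCESS and SECOND_DESIRED_ACCESS should also get enclosing parentheses, because an unparenthesised `a|b` expansion binds wrongly when a caller combines it with `&` or `==`.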
@@ -1346,9 +1349,11 @@ static BOOL run_xcopy(void) } fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, - FIRST_DESIRED_ACCESS, FILE_ATTRIBUTE_ARCHIVE, - NTCREATEX_SHARE_ACCESS_NONE, NTCREATEX_DISP_OVERWRITE_IF, - 0x4044, 0); + FIRST_DESIRED_ACCESS, + FILE_ATTRIBUTE_ARCHIVE, + NTCREATEX_SHARE_ACCESS_NONE, + NTCREATEX_DISP_OVERWRITE_IF, + 0x4044, 0); if (fnum1 == -1) { printf("First open failed - %s\n", smbcli_errstr(cli1->tree)); @@ -1388,7 +1393,7 @@ static BOOL run_pipe_number(void) } while(1) { - fnum = smbcli_nt_create_full(cli1->tree, pipe_name, 0, SA_RIGHT_FILE_READ_DATA, FILE_ATTRIBUTE_NORMAL, + fnum = smbcli_nt_create_full(cli1->tree, pipe_name, 0, SEC_FILE_READ_DATA, FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_READ|NTCREATEX_SHARE_ACCESS_WRITE, NTCREATEX_DISP_OPEN_IF, 0, 0); if (fnum == -1) { @@ -1705,7 +1710,7 @@ error_test4: printf("TEST #1 testing 2 non-io opens (no delete)\n"); - fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, SA_RIGHT_FILE_READ_ATTRIBUTES, FILE_ATTRIBUTE_NORMAL, + fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, SEC_FILE_READ_ATTRIBUTE, FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_NONE, NTCREATEX_DISP_OVERWRITE_IF, 0, 0); if (fnum1 == -1) { @@ -1714,7 +1719,7 @@ error_test4: return False; } - fnum2 = smbcli_nt_create_full(cli2->tree, fname, 0, SA_RIGHT_FILE_READ_ATTRIBUTES, FILE_ATTRIBUTE_NORMAL, + fnum2 = smbcli_nt_create_full(cli2->tree, fname, 0, SEC_FILE_READ_ATTRIBUTE, FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_NONE, NTCREATEX_DISP_OPEN_IF, 0, 0); if (fnum2 == -1) { printf("test 1 open 2 of %s failed (%s)\n", fname, smbcli_errstr(cli2->tree)); 
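Review bot: The re-wrapped `smbcli_nt_create_full` call in the run_xcopy hunk still passes the raw `0x4044` in what appears to be the create-options position, the only non-zero bare number left in a call whose other arguments are named constants. A reader cannot tell which options the test depends on, and the value will not follow any later change to the option definitions. Spell it with the matching `NTCREATEX_OPTIONS_*` constants, or at least annotate it in place, e.g. `0x4044, /* create options: TODO name the individual bits */ 0);`. run_xcopy's body starts and ends outside the hunk.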
@@ -1737,7 +1742,7 @@ error_test10: printf("TEST #2 testing 2 non-io opens (first with delete)\n"); - fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, STD_RIGHT_DELETE_ACCESS|SA_RIGHT_FILE_READ_ATTRIBUTES, FILE_ATTRIBUTE_NORMAL, + fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, SEC_STD_DELETE|SEC_FILE_READ_ATTRIBUTE, FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_NONE, NTCREATEX_DISP_OVERWRITE_IF, 0, 0); if (fnum1 == -1) { @@ -1746,7 +1751,7 @@ error_test10: return False; } - fnum2 = smbcli_nt_create_full(cli2->tree, fname, 0, SA_RIGHT_FILE_READ_ATTRIBUTES, FILE_ATTRIBUTE_NORMAL, + fnum2 = smbcli_nt_create_full(cli2->tree, fname, 0, SEC_FILE_READ_ATTRIBUTE, FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_NONE, NTCREATEX_DISP_OPEN_IF, 0, 0); if (fnum2 == -1) { @@ -1770,7 +1775,7 @@ error_test20: printf("TEST #3 testing 2 non-io opens (second with delete)\n"); - fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, SA_RIGHT_FILE_READ_ATTRIBUTES, FILE_ATTRIBUTE_NORMAL, + fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, SEC_FILE_READ_ATTRIBUTE, FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_NONE, NTCREATEX_DISP_OVERWRITE_IF, 0, 0); if (fnum1 == -1) { @@ -1779,7 +1784,7 @@ error_test20: return False; } - fnum2 = smbcli_nt_create_full(cli2->tree, fname, 0, STD_RIGHT_DELETE_ACCESS|SA_RIGHT_FILE_READ_ATTRIBUTES, FILE_ATTRIBUTE_NORMAL, + fnum2 = smbcli_nt_create_full(cli2->tree, fname, 0, SEC_STD_DELETE|SEC_FILE_READ_ATTRIBUTE, FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_NONE, NTCREATEX_DISP_OPEN_IF, 0, 0); if (fnum2 == -1) { @@ -1803,7 +1808,7 @@ error_test30: printf("TEST #4 testing 2 non-io opens (both with delete)\n"); - fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, STD_RIGHT_DELETE_ACCESS|SA_RIGHT_FILE_READ_ATTRIBUTES, FILE_ATTRIBUTE_NORMAL, + fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, SEC_STD_DELETE|SEC_FILE_READ_ATTRIBUTE, FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_NONE, NTCREATEX_DISP_OVERWRITE_IF, 0, 0); if (fnum1 == -1) { 
@@ -1812,7 +1817,7 @@ error_test30: return False; } - fnum2 = smbcli_nt_create_full(cli2->tree, fname, 0, STD_RIGHT_DELETE_ACCESS|SA_RIGHT_FILE_READ_ATTRIBUTES, FILE_ATTRIBUTE_NORMAL, + fnum2 = smbcli_nt_create_full(cli2->tree, fname, 0, SEC_STD_DELETE|SEC_FILE_READ_ATTRIBUTE, FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_NONE, NTCREATEX_DISP_OPEN_IF, 0, 0); if (fnum2 != -1) { @@ -1834,7 +1839,7 @@ error_test40: printf("TEST #5 testing 2 non-io opens (both with delete - both with file share delete)\n"); - fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, STD_RIGHT_DELETE_ACCESS|SA_RIGHT_FILE_READ_ATTRIBUTES, FILE_ATTRIBUTE_NORMAL, + fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, SEC_STD_DELETE|SEC_FILE_READ_ATTRIBUTE, FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_DELETE, NTCREATEX_DISP_OVERWRITE_IF, 0, 0); if (fnum1 == -1) { @@ -1843,7 +1848,7 @@ error_test40: return False; } - fnum2 = smbcli_nt_create_full(cli2->tree, fname, 0, STD_RIGHT_DELETE_ACCESS|SA_RIGHT_FILE_READ_ATTRIBUTES, FILE_ATTRIBUTE_NORMAL, + fnum2 = smbcli_nt_create_full(cli2->tree, fname, 0, SEC_STD_DELETE|SEC_FILE_READ_ATTRIBUTE, FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_DELETE, NTCREATEX_DISP_OPEN_IF, 0, 0); if (fnum2 == -1) { @@ -1868,7 +1873,7 @@ error_test50: smbcli_unlink(cli1->tree, fname); - fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, SA_RIGHT_FILE_READ_DATA, FILE_ATTRIBUTE_NORMAL, + fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, SEC_FILE_READ_DATA, FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_NONE, NTCREATEX_DISP_OVERWRITE_IF, 0, 0); if (fnum1 == -1) { @@ -1877,7 +1882,7 @@ error_test50: return False; } - fnum2 = smbcli_nt_create_full(cli2->tree, fname, 0, SA_RIGHT_FILE_READ_ATTRIBUTES, FILE_ATTRIBUTE_NORMAL, + fnum2 = smbcli_nt_create_full(cli2->tree, fname, 0, SEC_FILE_READ_ATTRIBUTE, FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_READ, NTCREATEX_DISP_OPEN_IF, 0, 0); if (fnum2 == -1) { 
@@ -1902,7 +1907,7 @@ error_test60: smbcli_unlink(cli1->tree, fname); - fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, SA_RIGHT_FILE_READ_DATA, FILE_ATTRIBUTE_NORMAL, + fnum1 = smbcli_nt_create_full(cli1->tree, fname, 0, SEC_FILE_READ_DATA, FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_NONE, NTCREATEX_DISP_OVERWRITE_IF, 0, 0); if (fnum1 == -1) { @@ -1911,7 +1916,7 @@ error_test60: return False; } - fnum2 = smbcli_nt_create_full(cli2->tree, fname, 0, STD_RIGHT_DELETE_ACCESS|SA_RIGHT_FILE_READ_ATTRIBUTES, FILE_ATTRIBUTE_NORMAL, + fnum2 = smbcli_nt_create_full(cli2->tree, fname, 0, SEC_STD_DELETE|SEC_FILE_READ_ATTRIBUTE, FILE_ATTRIBUTE_NORMAL, NTCREATEX_SHARE_ACCESS_READ|NTCREATEX_SHARE_ACCESS_DELETE, NTCREATEX_DISP_OPEN_IF, 0, 0); if (fnum2 != -1) { diff --git a/source4/torture/torture_util.c b/source4/torture/torture_util.c index af8a1ca065..edc00a571f 100644 --- a/source4/torture/torture_util.c +++ b/source4/torture/torture_util.c @@ -22,6 +22,7 @@ #include "libcli/raw/libcliraw.h" #include "system/shmem.h" #include "system/time.h" +#include "librpc/gen_ndr/ndr_security.h" /* @@ -52,7 +53,7 @@ int create_directory_handle(struct smbcli_tree *tree, const char *dname) io.generic.level = RAW_OPEN_NTCREATEX; io.ntcreatex.in.root_fid = 0; io.ntcreatex.in.flags = 0; - io.ntcreatex.in.access_mask = SA_RIGHT_FILE_ALL_ACCESS; + io.ntcreatex.in.access_mask = SEC_FILE_ALL; io.ntcreatex.in.create_options = NTCREATEX_OPTIONS_DIRECTORY; io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL; io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE; 
@@ -86,13 +87,14 @@ int create_complex_file(struct smbcli_state *cli, TALLOC_CTX *mem_ctx, const cha NTSTATUS status; smbcli_unlink(cli->tree, fname); - fnum = smbcli_nt_create_full(cli->tree, fname, 0, GENERIC_RIGHTS_FILE_ALL_ACCESS, - FILE_ATTRIBUTE_NORMAL, - NTCREATEX_SHARE_ACCESS_DELETE| - NTCREATEX_SHARE_ACCESS_READ| - NTCREATEX_SHARE_ACCESS_WRITE, - NTCREATEX_DISP_OVERWRITE_IF, - 0, 0); + fnum = smbcli_nt_create_full(cli->tree, fname, 0, + SEC_RIGHTS_FULL_CONTROL, + FILE_ATTRIBUTE_NORMAL, + NTCREATEX_SHARE_ACCESS_DELETE| + NTCREATEX_SHARE_ACCESS_READ| + NTCREATEX_SHARE_ACCESS_WRITE, + NTCREATEX_DISP_OVERWRITE_IF, + 0, 0); if (fnum == -1) return -1; smbcli_write(cli->tree, fnum, 0, buf, 0, sizeof(buf)); -- cgit