From 4928d66fc2f469b75090c34f8d233026485e4a1e Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 21 Mar 2011 11:21:57 +0100 Subject: libcli/security: make sure that we don't grant SEC_STD_DELETE to the owner by default In the file server SEC_STD_DELETE is granted on the file/directory or by FILE_DELETE_CHILD on the parent directory. metze Autobuild-User: Stefan Metzmacher Autobuild-Date: Mon Mar 21 23:25:05 CET 2011 on sn-devel-104 --- libcli/security/access_check.c | 58 ++++++++++++++++++++++-------------------- 1 file changed, 30 insertions(+), 28 deletions(-) (limited to 'libcli') diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c index c5f89af32a..6bb64aeabe 100644 --- a/libcli/security/access_check.c +++ b/libcli/security/access_check.c @@ -112,9 +112,7 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd, unsigned i; if (security_token_has_sid(token, sd->owner_sid)) { - granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_STD_DELETE; - } else if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) { - granted |= SEC_STD_DELETE; + granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL; } if (sd->dacl == NULL) { @@ -171,7 +169,7 @@ NTSTATUS se_access_check(const struct security_descriptor *sd, access_desired |= access_check_max_allowed(sd, token); access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED; *access_granted = access_desired; - bits_remaining = access_desired & ~SEC_STD_DELETE; + bits_remaining = access_desired; DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n", orig_access_desired, 
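Review bot: In the visible part of access_check_max_allowed the only privilege-based grant (SEC_PRIV_RESTORE -> SEC_STD_DELETE) is removed and nothing replaces it, while se_access_check later in this patch still strips SEC_RIGHTS_PRIV_RESTORE and SEC_RIGHTS_PRIV_BACKUP from bits_remaining for tokens holding those privileges; a SEC_FLAG_MAXIMUM_ALLOWED request from a backup/restore operator can therefore report fewer rights than the same caller is granted by naming them explicitly. The rest of the function after `if (sd->dacl == NULL) {` is outside this hunk, so those bits may be folded in there. If the omission is deliberate it should be stated where the owner bits are built, e.g. `/* privilege-derived rights (SEC_RIGHTS_PRIV_RESTORE/BACKUP) are intentionally not part of the maximum-allowed set */`; otherwise mirror the two privilege checks here so both request styles agree.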
@@ -190,21 +188,13 @@ NTSTATUS se_access_check(const struct security_descriptor *sd, } } - /* a NULL dacl allows access */ - if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) { - *access_granted = access_desired; - return NT_STATUS_OK; - } - - /* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */ - if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) && + /* the owner always gets SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL */ + if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL)) && security_token_has_sid(token, sd->owner_sid)) { - bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE); - } - if ((bits_remaining & SEC_STD_DELETE) && - (security_token_has_privilege(token, SEC_PRIV_RESTORE))) { - bits_remaining &= ~SEC_STD_DELETE; + bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL); } + + /* TODO: remove this, as it is file server specific */ if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) && security_token_has_privilege(token, SEC_PRIV_RESTORE)) { bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE); @@ -214,6 +204,12 @@ NTSTATUS se_access_check(const struct security_descriptor *sd, bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP); } + /* a NULL dacl allows access */ + if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) { + *access_granted = access_desired; + return NT_STATUS_OK; + } + if (sd->dacl == NULL) { goto done; } @@ -295,7 +291,7 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd, access_desired |= access_check_max_allowed(sd, token); access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED; *access_granted = access_desired; - bits_remaining = access_desired & ~SEC_STD_DELETE; + bits_remaining = access_desired; } if (access_desired & SEC_FLAG_SYSTEM_SECURITY) { 
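Review bot: Dropping the explicit SEC_PRIV_RESTORE -> SEC_STD_DELETE grant in se_access_check leaves delete-by-privilege dependent on whether the SEC_RIGHTS_PRIV_RESTORE mask (not shown in this patch) contains SEC_STD_DELETE; if it does not, restore-privileged callers silently lose delete here, which the commit message does not mention. The relocated NULL-DACL return still reports `access_desired` and never reads `bits_remaining`, so placing it after the owner and privilege masking does not change what that branch grants. Worth recording the intent at the TODO, e.g. `/* TODO: remove this, as it is file server specific; SEC_STD_DELETE by privilege is expected to come via SEC_RIGHTS_PRIV_RESTORE */`. se_access_check continues outside this hunk.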
@@ -307,6 +303,22 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd, } } + /* the owner always gets SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL */ + if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL)) && + security_token_has_sid(token, sd->owner_sid)) { + bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL); + } + + /* TODO: remove this, as it is file server specific */ + if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) && + security_token_has_privilege(token, SEC_PRIV_RESTORE)) { + bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE); + } + if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) && + security_token_has_privilege(token, SEC_PRIV_BACKUP)) { + bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP); + } + /* a NULL dacl allows access */ if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) { *access_granted = access_desired; @@ -314,16 +326,6 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd, return NT_STATUS_OK; } - /* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */ - if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) && - security_token_has_sid(token, sd->owner_sid)) { - bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE); - } - if ((bits_remaining & SEC_STD_DELETE) && - security_token_has_privilege(token, SEC_PRIV_RESTORE)) { - bits_remaining &= ~SEC_STD_DELETE; - } - if (sd->dacl == NULL) { goto done; } -- cgit
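Review bot: The backup/restore privilege block added to sec_access_check_ds is the very block the same hunk's comment marks as file-server specific and slated for removal, and it widens what privileged tokens get on directory objects: before this patch the DS path only granted SEC_STD_DELETE to SEC_PRIV_RESTORE holders (see the lines removed in the following hunk), whereas now the full SEC_RIGHTS_PRIV_RESTORE and SEC_RIGHTS_PRIV_BACKUP masks are satisfied without any DACL grant. If the DS path does not need file-server semantics, drop the added privilege block rather than duplicating a TODO; if it does, the comment should say why, e.g. `/* kept in step with se_access_check; TODO: remove once the file server handles SEC_PRIV_BACKUP/RESTORE itself */`. The owner check added above it is consistent with the file-server variant and looks fine.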