From 023ac1031b0057ee752cf2d3a8de3d6e0d4b1802 Mon Sep 17 00:00:00 2001
From: Gerald Carter
Date: Tue, 14 Jun 2005 18:08:39 +0000
Subject: r7576: implement access checks for open_scm and open_service according to default security descriptor described in MSDN. no one can get in to due to the permissions, but i'll fix that next. (This used to be commit 11902e503ed4f6d6991a9fe7521fe44168274ec8)
---
 source3/include/rpc_secdes.h | 34 ++++++++++++++++++++++++----------
 1 file changed, 24 insertions(+), 10 deletions(-)
(limited to 'source3/include')
diff --git a/source3/include/rpc_secdes.h b/source3/include/rpc_secdes.h
index 9eb4c9a41e..fe95706d03 100644
--- a/source3/include/rpc_secdes.h
+++ b/source3/include/rpc_secdes.h
@@ -475,15 +475,20 @@ typedef struct standard_mapping {
 #define SC_RIGHT_MGR_QUERY_LOCK_STATUS 0x0010
 #define SC_RIGHT_MGR_MODIFY_BOOT_CONFIG 0x0020
+#define SC_MANAGER_READ_ACCESS \
+ ( STANDARD_RIGHTS_READ_ACCESS | \
+ SC_RIGHT_MGR_CONNECT | \
+ SC_RIGHT_MGR_ENUMERATE_SERVICE | \
+ SC_RIGHT_MGR_QUERY_LOCK_STATUS )
+
 #define SC_MANAGER_ALL_ACCESS \
 ( STANDARD_RIGHTS_REQUIRED_ACCESS | \
- SC_RIGHT_MGR_CONNECT | \
+ SC_MANAGER_READ_ACCESS | \
 SC_RIGHT_MGR_CREATE_SERVICE | \
- SC_RIGHT_MGR_ENUMERATE_SERVICE | \
 SC_RIGHT_MGR_LOCK | \
- SC_RIGHT_MGR_QUERY_LOCK_STATUS | \
 SC_RIGHT_MGR_MODIFY_BOOT_CONFIG )
+
 /* Service Object Bits */
 #define SC_RIGHT_SVC_QUERY_CONFIG 0x0001
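Review bot: SC_MANAGER_READ_ACCESS is introduced without a comment saying which rights set it models, and it includes SC_RIGHT_MGR_CONNECT, which a reader would not expect under a name that reads like a generic-read mapping. The commit message suggests it mirrors the ACE that the default SCM security descriptor grants to ordinary users, so say so above the macro, e.g. `/* rights granted to non-admin users by the default SCM security descriptor (MSDN); not the GENERIC_READ mapping */`. Because SC_MANAGER_ALL_ACCESS now ORs in this macro, it also picks up STANDARD_RIGHTS_READ_ACCESS. That definition is outside the hunk, so confirm it adds no bits beyond STANDARD_RIGHTS_REQUIRED_ACCESS.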
@@ -496,17 +501,26 @@ typedef struct standard_mapping {
 #define SC_RIGHT_SVC_INTERROGATE 0x0080
 #define SC_RIGHT_SVC_USER_DEFINED_CONTROL 0x0100
-#define SERVICE_ALL_ACCESS \
- ( STANDARD_RIGHTS_REQUIRED_ACCESS | \
+#define SERVICE_READ_ACCESS \
+ ( STANDARD_RIGHTS_READ_ACCESS | \
+ SC_RIGHT_SVC_ENUMERATE_DEPENDENTS | \
+ SC_RIGHT_SVC_INTERROGATE | \
 SC_RIGHT_SVC_QUERY_CONFIG | \
- SC_RIGHT_SVC_CHANGE_CONFIG | \
 SC_RIGHT_SVC_QUERY_STATUS | \
- SC_RIGHT_SVC_ENUMERATE_DEPENDENTS | \
+ SC_RIGHT_SVC_USER_DEFINED_CONTROL )
+
+#define SERVICE_EXECUTE_ACCESS \
+ ( SERVICE_READ_ACCESS | \
 SC_RIGHT_SVC_START | \
 SC_RIGHT_SVC_STOP | \
- SC_RIGHT_SVC_PAUSE_CONTINUE | \
- SC_RIGHT_SVC_INTERROGATE | \
- SC_RIGHT_SVC_USER_DEFINED_CONTROL )
+ SC_RIGHT_SVC_PAUSE_CONTINUE )
+
+#define SERVICE_ALL_ACCESS \
+ ( STANDARD_RIGHTS_REQUIRED_ACCESS | \
+ SERVICE_READ_ACCESS | \
+ SERVICE_EXECUTE_ACCESS )
+
+
 /* * Access Bits for registry ACLS
-- cgit
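Review bot: The rewritten SERVICE_ALL_ACCESS no longer contains SC_RIGHT_SVC_CHANGE_CONFIG. The old definition listed it explicitly, and neither SERVICE_READ_ACCESS nor SERVICE_EXECUTE_ACCESS includes it, so the "all access" mask silently loses one right. If the new open_service check builds or compares ACEs from this macro (the checking code is not in this diff), a change-config request would presumably be refused even for a principal granted SERVICE_ALL_ACCESS. Restore the bit with `SC_RIGHT_SVC_CHANGE_CONFIG | \` inside SERVICE_ALL_ACCESS. Separately, SERVICE_READ_ACCESS grants SC_RIGHT_SVC_USER_DEFINED_CONTROL, which is a control operation rather than a query, so a short comment stating that this follows the default service security descriptor would help the next reader of the access check.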