From a4c22506eff954ceacfb8d2405dae358b5b4c964 Mon Sep 17 00:00:00 2001 From: David O'Neill Date: Fri, 19 Jan 2001 16:56:58 +0000 Subject: Changes from APPLIANCE_HEAD: source/lib/util_seaccess.c - added se_create_child_secdesc() function which takes a parent (container) security descriptor and creates a security descriptor which has the inheritance flags for each ACE applied. In NT a print job is a child object of a printer so deleting and pausing/resuming jobs requires a check against the child security descriptor, not the parent. The values seen in NT printer security descriptors now all fit together in a natural and elegant way which is always nice. - Removed #ifdef'ed out portion of check_ace() when the INHERIT_ONLY flag is set as the se_create_child_secdesc() function now creates a security descriptor which can be used without this hack. (This used to be commit f125b9a94413fd481ae9f05ec5096ef79f0d49e4) --- source3/lib/util_seaccess.c | 147 +++++++++++++++++++++++++++++++++++--------- 1 file changed, 119 insertions(+), 28 deletions(-) (limited to 'source3/lib/util_seaccess.c') diff --git a/source3/lib/util_seaccess.c b/source3/lib/util_seaccess.c index 68f900b34d..6cfcd065aa 100644 --- a/source3/lib/util_seaccess.c +++ b/source3/lib/util_seaccess.c @@ -51,32 +51,6 @@ static uint32 check_ace(SEC_ACE *ace, NT_USER_TOKEN *token, uint32 acc_desired, { uint32 mask = ace->info.mask; -#if 0 - - /* I think there is some aspect of inheritable ACEs that we don't - understand. A 'Manage Documents' permission has the following - ACE entries (after generic mapping has been applied): - - S-1-5-21-1067277791-1719175008-3000797951-1033 0 9 0x000f000c - S-1-5-21-1067277791-1719175008-3000797951-1033 0 2 0x00020000 - - Now a user wanting to print calls se_access_check() with desired - access PRINTER_ACCESS_USE (0x00000008). This is only allowed if - the inherit only ACE, flags & SEC_ACE_FLAG_INHERIT_ONLY (0x8) is - checked. A similar argument is used to explain how a user with - 'Full Control' permission can print. - - Having both the flags SEC_ACE_FLAG_INHERIT_ONLY and - SEC_ACE_FLAG_OBJECT_INHERIT set in an ACE doesn't seem to make - sense. According to the MSDN, an inherit only ACE "indicates an - [...] ACE which does not control access to the object to which - it is attached" and an object inherit ACE for "non-container - child objects [they] inherit the ACE as an effective ACE". - These two flags don't seem to make sense when combined. Does - the object inherit override the inherit only flag? We are also - talking about access to a printer object, not a printer job so - inheritance shouldn't even be involved. -tpot */ - /* * Inherit only is ignored. */ @@ -85,8 +59,6 @@ static uint32 check_ace(SEC_ACE *ace, NT_USER_TOKEN *token, uint32 acc_desired, return acc_desired; } -#endif - /* * If this ACE has no SID in common with the token, * ignore it as it cannot be used to make an access @@ -328,3 +300,122 @@ BOOL se_access_check(SEC_DESC *sd, struct current_user *user, DEBUG(5,("se_access_check: access (%x) denied.\n", (unsigned int)acc_desired )); return False; } + +/* Create a child security descriptor using another security descriptor as + the parent container. This child object can either be a container or + non-container object. */ + +SEC_DESC_BUF *se_create_child_secdesc(SEC_DESC *parent_ctr, + BOOL child_container) +{ + SEC_DESC_BUF *sdb; + SEC_DESC *sd; + SEC_ACL *new_dacl, *acl; + SEC_ACE *new_ace_list = NULL; + int new_ace_list_ndx = 0, i; + size_t size; + + /* Currently we only process the dacl when creating the child. The + sacl should also be processed but this is left out as sacls are + not implemented in Samba at the moment.*/ + + acl = parent_ctr->dacl; + + if (!(new_ace_list = malloc(sizeof(SEC_ACE) * acl->num_aces))) + return NULL; + + for (i = 0; acl && i < acl->num_aces; i++) { + SEC_ACE *ace = &acl->ace[i]; + SEC_ACE *new_ace = &new_ace_list[new_ace_list_ndx]; + uint8 new_flags = 0; + BOOL inherit = False; + fstring sid_str; + + /* The OBJECT_INHERIT_ACE flag causes the ACE to be + inherited by non-container children objects. Container + children objects will inherit it as an INHERIT_ONLY + ACE. */ + + if (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT) { + + if (!child_container) { + new_flags |= SEC_ACE_FLAG_OBJECT_INHERIT; + } else { + new_flags |= SEC_ACE_FLAG_INHERIT_ONLY; + } + + inherit = True; + } + + /* The CONAINER_INHERIT_ACE flag means all child container + objects will inherit and use the ACE. */ + + if (ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) { + if (!child_container) { + inherit = False; + } else { + new_flags |= SEC_ACE_FLAG_CONTAINER_INHERIT; + } + } + + /* The INHERIT_ONLY_ACE is not used by the se_access_check() + function for the parent container, but is inherited by + all child objects as a normal ACE. */ + + if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) { + /* Move along, nothing to see here */ + } + + /* The SEC_ACE_FLAG_NO_PROPAGATE_INHERIT flag means the ACE + is inherited by child objects but not grandchildren + objects. We clear the object inherit and container + inherit flags in the inherited ACE. */ + + if (ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) { + new_flags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT | + SEC_ACE_FLAG_CONTAINER_INHERIT); + } + + /* Add ACE to ACE list */ + + if (!inherit) + continue; + + init_sec_access(&new_ace->info, ace->info.mask); + init_sec_ace(new_ace, &ace->sid, ace->type, + new_ace->info, new_flags); + + sid_to_string(sid_str, &ace->sid); + + DEBUG(5, ("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x " + " inherited as %s:%d/0x%02x/0x%08x\n", sid_str, + ace->type, ace->flags, ace->info.mask, + sid_str, new_ace->type, new_ace->flags, + new_ace->info.mask)); + + new_ace_list_ndx++; + } + + /* Create child security descriptor to return */ + + new_dacl = make_sec_acl(ACL_REVISION, new_ace_list_ndx, new_ace_list); + safe_free(new_ace_list); + + /* Use the existing user and group sids. I don't think this is + correct. Perhaps the user and group should be passed in as + parameters by the caller? */ + + sd = make_sec_desc(SEC_DESC_REVISION, + parent_ctr->owner_sid, + parent_ctr->grp_sid, + parent_ctr->sacl, + new_dacl, &size); + + free_sec_acl(&new_dacl); + + sdb = make_sec_desc_buf(size, sd); + + free_sec_desc(&sd); + + return sdb; +} -- cgit