From b3b512264d90f58a9a9c50cef33d9b860f54c51a Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 4 Aug 2000 19:56:58 +0000 Subject: Fixed up se_access_check() to use the token list from the user struct as the SID list. Now to go through and tidy up the algorithm. Jeremy. (This used to be commit 1f7300df6713a6728feb1600ca7e62fc213232fc) --- source3/lib/util_seaccess.c | 114 +++++++++++++------------------------------- 1 file changed, 32 insertions(+), 82 deletions(-) (limited to 'source3/lib/util_seaccess.c') diff --git a/source3/lib/util_seaccess.c b/source3/lib/util_seaccess.c index 52696d2d30..28e8a43c4e 100644 --- a/source3/lib/util_seaccess.c +++ b/source3/lib/util_seaccess.c @@ -3,6 +3,7 @@ Version 2.0 Copyright (C) Luke Kenneth Casson Leighton 1996-2000. Copyright (C) Tim Potter 2000. + Copyright (C) Jeremy Allison 2000. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -25,6 +26,22 @@ extern int DEBUGLEVEL; +/* + * Guest token used when there is no NT_USER_TOKEN available. + */ + +static DOM_SID builtin_guest = { + 1, /* sid_rev_num */ + 2, /* num_auths */ + { 0, 0, 0, 0, 0, 5}, /* id_auth[6] */ + { 32, 546, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} /* sub_auth[15] */ +}; + +static NT_USER_TOKEN guest_token = { + 1, + &builtin_guest +}; + /* Process an access allowed ACE */ static BOOL ace_grant(uint32 mask, uint32 *acc_desired, uint32 *acc_granted) @@ -207,14 +224,11 @@ static BOOL check_ace(SEC_ACE *ace, BOOL is_owner, DOM_SID *sid, BOOL se_access_check(SEC_DESC *sd, struct current_user *user, uint32 acc_desired, uint32 *acc_granted, uint32 *status) { - DOM_SID user_sid, group_sid; - DOM_SID owner_sid; - DOM_SID **group_sids = NULL; int i, j; - uint ngroup_sids = 0; SEC_ACL *acl; uint8 check_ace_type; fstring sid_str; + NT_USER_TOKEN *token = user->nt_user_token ? user->nt_user_token : &guest_token; if (!status || !acc_granted) return False; @@ -250,70 +264,21 @@ BOOL se_access_check(SEC_DESC *sd, struct current_user *user, goto done; } - /* Create user sid */ + /* The user sid is the first in the token */ - if (!uid_to_sid(&user_sid, user->uid)) { - DEBUG(3, ("could not lookup sid for uid %d\n", user->uid)); - goto done; - } - - DEBUG(3, ("se_access_check: user sid is %s\n", sid_to_string(sid_str, &user_sid) )); + DEBUG(3, ("se_access_check: user sid is %s\n", sid_to_string(sid_str, &token->user_sids[0]) )); /* If we're the owner, then we can do anything */ - if (sid_equal(&user_sid, sd->owner_sid)) { + if (sid_equal(&token->user_sids[0], sd->owner_sid)) { *status = NT_STATUS_NOPROBLEMO; *acc_granted = acc_desired; acc_desired = 0; DEBUG(3, ("is owner, access allowed\n")); - - goto done; - } - - /* Create group sid */ - - if (!gid_to_sid(&group_sid, user->gid)) { - DEBUG(3, ("could not lookup sid for gid %d\n", user->gid)); goto done; } - sid_to_string(sid_str, &group_sid); - DEBUG(3, ("group sid is %s\n", sid_str)); - - /* Create array of group sids */ - - add_sid_to_array(&ngroup_sids, &group_sids, &group_sid); - - for (i = 0; i < user->ngroups; i++) { - if (user->groups[i] != user->gid) { - if (gid_to_sid(&group_sid, user->groups[i])) { - - /* If we're a group member then we can also - do anything */ - - if (sid_equal(&group_sid, sd->grp_sid)) { - *status = NT_STATUS_NOPROBLEMO; - *acc_granted = acc_desired; - acc_desired = 0; - DEBUG(3, ("is group member " - "access allowed\n")); - - goto done; - } - - add_sid_to_array(&ngroup_sids, &group_sids, - &group_sid); - } else { - DEBUG(3, ("could not lookup sid for gid %d\n", - user->gid)); - } - - sid_to_string(sid_str, &group_sid); - DEBUG(3, ("supplementary group %s\n", sid_str)); - } - } - - /* ACL must have something in it */ + /* ACL must have something in it */ acl = sd->dacl; @@ -340,34 +305,21 @@ BOOL se_access_check(SEC_DESC *sd, struct current_user *user, check_ace_type = SEC_ACE_TYPE_ACCESS_DENIED; - check_aces: - - for (i = 0; i < acl->num_aces; i++) { - SEC_ACE *ace = &acl->ace[i]; - BOOL is_group_owner; - - /* Check user sid */ - - if (ace->type == check_ace_type && - check_ace(ace, False, &user_sid, &acc_desired, - acc_granted, status)) { - goto done; - } + check_aces: - /* Check group sids */ + for (i = 0; i < acl->num_aces; i++) { + SEC_ACE *ace = &acl->ace[i]; - for (j = 0; j < ngroup_sids; j++) { + /* Check sids */ - is_group_owner = sd->grp_sid ? - sid_equal(group_sids[j], sd->grp_sid) : False; + for (j = 0; j < token->num_sids; j++) { + BOOL is_owner = sid_equal(&token->user_sids[j], sd->owner_sid); - if (ace->type == check_ace_type && - check_ace(ace, is_group_owner, group_sids[j], - &acc_desired, acc_granted, status)) { + if (ace->type == check_ace_type && check_ace(ace, is_owner, &token->user_sids[j], &acc_desired, acc_granted, status)) { goto done; - } - } - } + } + } + } /* Check access allowed ACEs */ @@ -378,8 +330,6 @@ BOOL se_access_check(SEC_DESC *sd, struct current_user *user, done: - free_sid_array(ngroup_sids, group_sids); - /* If any access desired bits are still on, return access denied and turn off any bits already granted. */ -- cgit