From ab9a29eb638143a93f70bb7880ca24f73bbb2118 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 25 Mar 2011 14:12:59 +0100 Subject: s3-rpc_server: move access check functions out of samr server. Guenther --- source3/rpc_server/samr/srv_samr_nt.c | 114 +--------------------------------- 1 file changed, 1 insertion(+), 113 deletions(-) (limited to 'source3/rpc_server/samr') diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c index 2d8564d786..2e4f883a58 100644 --- a/source3/rpc_server/samr/srv_samr_nt.c +++ b/source3/rpc_server/samr/srv_samr_nt.c @@ -44,6 +44,7 @@ #include "passdb.h" #include "auth.h" #include "ntdomain.h" +#include "rpc_server/srv_access_check.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_RPC_SRV @@ -179,119 +180,6 @@ static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, struct security_descriptor return NT_STATUS_OK; } -/******************************************************************* - Checks if access to an object should be granted, and returns that - level of access for further checks. - - If the user has either of needed_priv_1 or needed_priv_2 then they - get the rights in rights_mask in addition to any calulated rights. - - This handles the unusual case where we need to allow two different - privileges to obtain exactly the same rights, which occours only in - SAMR. -********************************************************************/ - -NTSTATUS access_check_object( struct security_descriptor *psd, struct security_token *token, - enum sec_privilege needed_priv_1, enum sec_privilege needed_priv_2, - uint32 rights_mask, - uint32 des_access, uint32 *acc_granted, - const char *debug ) -{ - NTSTATUS status = NT_STATUS_ACCESS_DENIED; - uint32 saved_mask = 0; - - /* check privileges; certain SAM access bits should be overridden - by privileges (mostly having to do with creating/modifying/deleting - users and groups) */ - - if ((needed_priv_1 != SEC_PRIV_INVALID && security_token_has_privilege(token, needed_priv_1)) || - (needed_priv_2 != SEC_PRIV_INVALID && security_token_has_privilege(token, needed_priv_2))) { - saved_mask = (des_access & rights_mask); - des_access &= ~saved_mask; - - DEBUG(4,("access_check_object: user rights access mask [0x%x]\n", - rights_mask)); - } - - - /* check the security descriptor first */ - - status = se_access_check(psd, token, des_access, acc_granted); - if (NT_STATUS_IS_OK(status)) { - goto done; - } - - /* give root a free pass */ - - if ( geteuid() == sec_initial_uid() ) { - - DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access)); - DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n")); - - *acc_granted = des_access; - - status = NT_STATUS_OK; - goto done; - } - - -done: - /* add in any bits saved during the privilege check (only - matters is status is ok) */ - - *acc_granted |= rights_mask; - - DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n", - debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED", - des_access, *acc_granted)); - - return status; -} - - -/******************************************************************* - Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set. -********************************************************************/ - -void map_max_allowed_access(const struct security_token *nt_token, - const struct security_unix_token *unix_token, - uint32_t *pacc_requested) -{ - if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) { - return; - } - *pacc_requested &= ~MAXIMUM_ALLOWED_ACCESS; - - /* At least try for generic read|execute - Everyone gets that. */ - *pacc_requested = GENERIC_READ_ACCESS|GENERIC_EXECUTE_ACCESS; - - /* root gets anything. */ - if (unix_token->uid == sec_initial_uid()) { - *pacc_requested |= GENERIC_ALL_ACCESS; - return; - } - - /* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */ - - if (security_token_has_sid(nt_token, &global_sid_Builtin_Administrators) || - security_token_has_sid(nt_token, &global_sid_Builtin_Account_Operators)) { - *pacc_requested |= GENERIC_ALL_ACCESS; - return; - } - - /* Full access for DOMAIN\Domain Admins. */ - if ( IS_DC ) { - struct dom_sid domadmin_sid; - sid_compose(&domadmin_sid, get_global_sam_sid(), - DOMAIN_RID_ADMINS); - if (security_token_has_sid(nt_token, &domadmin_sid)) { - *pacc_requested |= GENERIC_ALL_ACCESS; - return; - } - } - /* TODO ! Check privileges. */ -} - /******************************************************************* Fetch or create a dispinfo struct. ********************************************************************/ -- cgit