From 0f4281b9b4a4056e9e087deb15e60ea482af7a74 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 26 Sep 2001 00:05:03 +0000
Subject: Added Elrond patch to make se_access_check use NT datastructures, not
 Samba. Jeremy. (This used to be commit
 bca6419447e926e51aeecf3e484228f640cecb84)

---
 source3/lib/util_seaccess.c        | 13 ++++++++-----
 source3/printing/nt_printing.c     |  5 +++--
 source3/rpc_server/srv_srvsvc_nt.c | 27 ++++++---------------------
 3 files changed, 17 insertions(+), 28 deletions(-)

(limited to 'source3')

diff --git a/source3/lib/util_seaccess.c b/source3/lib/util_seaccess.c
index f10c84c276..ec1b56ae86 100644
--- a/source3/lib/util_seaccess.c
+++ b/source3/lib/util_seaccess.c
@@ -30,7 +30,7 @@ extern int DEBUGLEVEL;
  Check if this ACE has a SID in common with the token.
 **********************************************************************************/
 
-static BOOL token_sid_in_ace( NT_USER_TOKEN *token, SEC_ACE *ace)
+static BOOL token_sid_in_ace(const NT_USER_TOKEN *token, const SEC_ACE *ace)
 {
 	size_t i;
 
@@ -204,7 +204,7 @@ void se_map_generic(uint32 *access_mask, struct generic_mapping *mapping)
  "Access-Checking" document in MSDN.
 *****************************************************************************/ 
 
-BOOL se_access_check(SEC_DESC *sd, struct current_user *user,
+BOOL se_access_check(SEC_DESC *sd, NT_USER_TOKEN *token,
 		     uint32 acc_desired, uint32 *acc_granted, 
 		     NTSTATUS *status)
 {
@@ -212,17 +212,20 @@ BOOL se_access_check(SEC_DESC *sd, struct current_user *user,
 	size_t i;
 	SEC_ACL *the_acl;
 	fstring sid_str;
-	NT_USER_TOKEN *token = user->nt_user_token ? user->nt_user_token : &anonymous_token;
 	uint32 tmp_acc_desired = acc_desired;
 
 	if (!status || !acc_granted)
 		return False;
 
+	if (!token)
+		token = &anonymous_token;
+
 	*status = NT_STATUS_OK;
 	*acc_granted = 0;
 
-	DEBUG(10,("se_access_check: requested access %x, for uid %u\n", 
-				(unsigned int)acc_desired, (unsigned int)user->uid ));
+	DEBUG(10,("se_access_check: requested access %x, for  NT token with %u entries and first sid %s.\n",
+		 (unsigned int)acc_desired, (unsigned int)token->num_sids,
+		sid_to_string(sid_str, &token->user_sids[0])));
 
 	/*
 	 * No security descriptor or security descriptor with no DACL
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
index 1a1c71fe39..58fc7e25ae 100644
--- a/source3/printing/nt_printing.c
+++ b/source3/printing/nt_printing.c
@@ -3691,7 +3691,8 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type)
 	
 	/* If user is NULL then use the current_user structure */
 
-	if (!user) user = &current_user;
+	if (!user)
+		user = &current_user;
 
 	/* Always allow root or printer admins to do anything */
 
@@ -3740,7 +3741,7 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type)
 	
 	map_printer_permissions(secdesc->sec);
 
-	result = se_access_check(secdesc->sec, user, access_type,
+	result = se_access_check(secdesc->sec, user->nt_user_token, access_type,
 				 &access_granted, &status);
 
 	DEBUG(4, ("access check was %s\n", result ? "SUCCESS" : "FAILURE"));
diff --git a/source3/rpc_server/srv_srvsvc_nt.c b/source3/rpc_server/srv_srvsvc_nt.c
index 7bc94c5575..2877b7af05 100644
--- a/source3/rpc_server/srv_srvsvc_nt.c
+++ b/source3/rpc_server/srv_srvsvc_nt.c
@@ -308,8 +308,7 @@ BOOL share_access_check(connection_struct *conn, int snum, uint16 vuid, uint32 d
 	TALLOC_CTX *mem_ctx = NULL;
 	SEC_DESC *psd = NULL;
 	size_t sd_size;
-	struct current_user tmp_user;
-	struct current_user *puser = NULL;
+	NT_USER_TOKEN *token = NULL;
 	user_struct *vuser = get_valid_user_struct(vuid);
 	BOOL ret = True;
 
@@ -322,26 +321,12 @@ BOOL share_access_check(connection_struct *conn, int snum, uint16 vuid, uint32 d
 	if (!psd)
 		goto out;
 
-	ZERO_STRUCT(tmp_user);
-	if (vuser) {
-		tmp_user.vuid = vuid;
-		tmp_user.uid = vuser->uid;
-		tmp_user.gid = vuser->gid;
-		tmp_user.ngroups = vuser->n_groups;
-		tmp_user.groups = vuser->groups;
-		tmp_user.nt_user_token = vuser->nt_user_token;
-	} else {
-		tmp_user.vuid = vuid;
-		tmp_user.uid = conn->uid;
-		tmp_user.gid = conn->gid;
-		tmp_user.ngroups = conn->ngroups;
-		tmp_user.groups = conn->groups;
-		tmp_user.nt_user_token = conn->nt_user_token;
-	}
-
-	puser = &tmp_user;
+	if (vuser)
+		token = vuser->nt_user_token;
+	else
+		token = conn->nt_user_token;
 
-	ret = se_access_check(psd, puser, desired_access, &granted, &status);
+	ret = se_access_check(psd, token, desired_access, &granted, &status);
 
   out:
 
-- 
cgit