From b6a2cea74d90499bd3e239ab696502ae8afed30e Mon Sep 17 00:00:00 2001
From: Günther Deschner
Date: Thu, 3 Jun 2010 10:36:05 +0200
Subject: s3-security: use shared "Standard access rights.".

Guenther
---
 source3/include/rpc_secdes.h | 10 ----------
 source3/include/smb.h | 2 +-
 source3/lib/netapi/localgroup.c | 2 +-
 source3/lib/netapi/user.c | 4 ++--
 source3/modules/nfs4_acls.c | 2 +-
 source3/rpc_server/srv_lsa_nt.c | 4 ++--
 source3/rpc_server/srv_samr_nt.c | 16 ++++++++--------
 source3/rpc_server/srv_svcctl_nt.c | 6 +++---
 source3/rpc_server/srv_winreg_nt.c | 4 ++--
 source3/smbd/reply.c | 2 +-
 10 files changed, 21 insertions(+), 31 deletions(-)
(limited to 'source3')

diff --git a/source3/include/rpc_secdes.h b/source3/include/rpc_secdes.h
index 216f8830eb..d14a95b17b 100644
--- a/source3/include/rpc_secdes.h
+++ b/source3/include/rpc_secdes.h
@@ -24,14 +24,4 @@ /* for ADS */ #define SEC_RIGHTS_FULL_CTRL 0xf01ff
-/* Standard access rights. */
-
-#define STD_RIGHT_DELETE_ACCESS 0x00010000
-#define STD_RIGHT_READ_CONTROL_ACCESS 0x00020000
-#define STD_RIGHT_WRITE_DAC_ACCESS 0x00040000
-#define STD_RIGHT_WRITE_OWNER_ACCESS 0x00080000
-#define STD_RIGHT_SYNCHRONIZE_ACCESS 0x00100000
-
-#define STD_RIGHT_ALL_ACCESS 0x001F0000
-
 #endif /* _RPC_SECDES_H */
diff --git a/source3/include/smb.h b/source3/include/smb.h
index 89b3572d67..ce8022ab21 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -1234,7 +1234,7 @@ struct bitmap { SYNCHRONIZE_ACCESS) /* This maps to 0x120116 */
-#define FILE_GENERIC_WRITE (STD_RIGHT_READ_CONTROL_ACCESS|\
+#define FILE_GENERIC_WRITE (SEC_STD_READ_CONTROL|\
 FILE_WRITE_DATA|\
 FILE_WRITE_ATTRIBUTES|\
 FILE_WRITE_EA|\
diff --git a/source3/lib/netapi/localgroup.c b/source3/lib/netapi/localgroup.c
index dd0f8d2097..f8832328fe 100644
--- a/source3/lib/netapi/localgroup.c
+++ b/source3/lib/netapi/localgroup.c
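Review bot: The `/* This maps to 0x120116 */` comment above `FILE_GENERIC_WRITE` in source3/include/smb.h now holds only if `SEC_STD_READ_CONTROL` has the value 0x00020000 that the removed `STD_RIGHT_READ_CONTROL_ACCESS` had, and the `SEC_STD_*` definitions are not part of this diff. The access checks changed later in the patch (srv_lsa_nt.c, srv_samr_nt.c, srv_svcctl_nt.c, srv_winreg_nt.c) and the value written into the reply in reply.c rely on the same bit-for-bit equivalence, so the commit message should say that the shared constants carry the values deleted from rpc_secdes.h (0x00010000 through 0x001F0000). A one-line comment next to the macro, for example `/* SEC_STD_* are the shared standard access rights; values are NT access-mask bits */`, would record where the constant now comes from. The macro definition continues past the end of the hunk.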
@@ -934,7 +934,7 @@ static NTSTATUS libnetapi_lsa_lookup_names3(TALLOC_CTX *mem_ctx, status = rpccli_lsa_open_policy2(lsa_pipe, mem_ctx, false,
- STD_RIGHT_READ_CONTROL_ACCESS |
+ SEC_STD_READ_CONTROL |
 LSA_POLICY_VIEW_LOCAL_INFORMATION | LSA_POLICY_LOOKUP_NAMES, &lsa_handle);
diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c
index e291193fa2..c586d11ceb 100644
--- a/source3/lib/netapi/user.c
+++ b/source3/lib/netapi/user.c
@@ -1770,8 +1770,8 @@ WERROR NetUserSetInfo_r(struct libnetapi_ctx *ctx, SAMR_USER_ACCESS_GET_GROUPS; break; case 3:
- user_mask = STD_RIGHT_READ_CONTROL_ACCESS |
- STD_RIGHT_WRITE_DAC_ACCESS |
+ user_mask = SEC_STD_READ_CONTROL |
+ SEC_STD_WRITE_DAC |
 SAMR_USER_ACCESS_GET_GROUPS | SAMR_USER_ACCESS_SET_PASSWORD | SAMR_USER_ACCESS_SET_ATTRIBUTES |
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
index 3d4ab29510..83e8f38ae8 100644
--- a/source3/modules/nfs4_acls.c
+++ b/source3/modules/nfs4_acls.c
@@ -553,7 +553,7 @@ static bool smbacl4_fill_ace4( ace_v4->aceType = ace_nt->type; /* only ACCESS|DENY supported right now */ ace_v4->aceFlags = ace_nt->flags & SEC_ACE_FLAG_VALID_INHERIT; ace_v4->aceMask = ace_nt->access_mask &
- (STD_RIGHT_ALL_ACCESS | SEC_FILE_ALL);
+ (SEC_STD_ALL | SEC_FILE_ALL);
 se_map_generic(&ace_v4->aceMask, &file_generic_mapping);
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index 7e00e7aa33..fffb912782 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -1414,7 +1414,7 @@ NTSTATUS _lsa_DeleteObject(pipes_struct *p, return NT_STATUS_INVALID_HANDLE; }
- if (!(info->access & STD_RIGHT_DELETE_ACCESS)) {
+ if (!(info->access & SEC_STD_DELETE)) {
 return NT_STATUS_ACCESS_DENIED; }
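Review bot: In smbacl4_fill_ace4 (source3/modules/nfs4_acls.c) the mask `ace_nt->access_mask & (SEC_STD_ALL | SEC_FILE_ALL)` is applied before `se_map_generic()` runs, so any generic bits in the NT ACE appear to be cleared before they can be mapped to file-specific rights, leaving the mapping call nothing to act on. If that reading is right, an ACE that grants or denies only generic rights would reach the NFSv4 ACL with an empty mask, which matters most for deny entries. Mapping first and masking afterwards would keep them: `uint32_t mask = ace_nt->access_mask;`, `se_map_generic(&mask, &file_generic_mapping);`, `ace_v4->aceMask = mask & (SEC_STD_ALL | SEC_FILE_ALL);`. The ordering predates this rename and the function body extends beyond the hunk, so confirm that the caller does not already expand generic bits.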
@@ -2261,7 +2261,7 @@ NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p, status = access_check_object(psd, p->server_info->ptok, NULL, 0, LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
- LSA_ACCOUNT_VIEW|STD_RIGHT_DELETE_ACCESS,
+ LSA_ACCOUNT_VIEW|SEC_STD_DELETE,
 &acc_granted, "_lsa_RemoveAccountRights"); if (!NT_STATUS_IS_OK(status)) { return status;
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 30c5c5e839..fda8515e12 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -779,7 +779,7 @@ NTSTATUS _samr_QuerySecurity(pipes_struct *p, size_t sd_size = 0; cinfo = policy_handle_find(p, r->in.handle,
- STD_RIGHT_READ_CONTROL_ACCESS, NULL,
+ SEC_STD_READ_CONTROL, NULL,
 struct samr_connect_info, &status); if (NT_STATUS_IS_OK(status)) { DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n"));
@@ -789,7 +789,7 @@ NTSTATUS _samr_QuerySecurity(pipes_struct *p, } dinfo = policy_handle_find(p, r->in.handle,
- STD_RIGHT_READ_CONTROL_ACCESS, NULL,
+ SEC_STD_READ_CONTROL, NULL,
 struct samr_domain_info, &status); if (NT_STATUS_IS_OK(status)) { DEBUG(5,("_samr_QuerySecurity: querying security on Domain "
@@ -804,7 +804,7 @@ NTSTATUS _samr_QuerySecurity(pipes_struct *p, } uinfo = policy_handle_find(p, r->in.handle,
- STD_RIGHT_READ_CONTROL_ACCESS, NULL,
+ SEC_STD_READ_CONTROL, NULL,
 struct samr_user_info, &status); if (NT_STATUS_IS_OK(status)) { DEBUG(10,("_samr_QuerySecurity: querying security on user "
@@ -825,7 +825,7 @@ NTSTATUS _samr_QuerySecurity(pipes_struct *p, } ginfo = policy_handle_find(p, r->in.handle,
- STD_RIGHT_READ_CONTROL_ACCESS, NULL,
+ SEC_STD_READ_CONTROL, NULL,
 struct samr_group_info, &status); if (NT_STATUS_IS_OK(status)) { /*
@@ -843,7 +843,7 @@ NTSTATUS _samr_QuerySecurity(pipes_struct *p, } ainfo = policy_handle_find(p, r->in.handle,
- STD_RIGHT_READ_CONTROL_ACCESS, NULL,
+ SEC_STD_READ_CONTROL, NULL,
 struct samr_alias_info, &status); if (NT_STATUS_IS_OK(status)) { /*
@@ -5699,7 +5699,7 @@ NTSTATUS _samr_DeleteUser(pipes_struct *p, DEBUG(5, ("_samr_DeleteUser: %d\n", __LINE__)); uinfo = policy_handle_find(p, r->in.user_handle,
- STD_RIGHT_DELETE_ACCESS, NULL,
+ SEC_STD_DELETE, NULL,
 struct samr_user_info, &status); if (!NT_STATUS_IS_OK(status)) { return status;
@@ -5767,7 +5767,7 @@ NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p, DEBUG(5, ("samr_DeleteDomainGroup: %d\n", __LINE__)); ginfo = policy_handle_find(p, r->in.group_handle,
- STD_RIGHT_DELETE_ACCESS, NULL,
+ SEC_STD_DELETE, NULL,
 struct samr_group_info, &status); if (!NT_STATUS_IS_OK(status)) { return status;
@@ -5817,7 +5817,7 @@ NTSTATUS _samr_DeleteDomAlias(pipes_struct *p, DEBUG(5, ("_samr_DeleteDomAlias: %d\n", __LINE__)); ainfo = policy_handle_find(p, r->in.alias_handle,
- STD_RIGHT_DELETE_ACCESS, NULL,
+ SEC_STD_DELETE, NULL,
 struct samr_alias_info, &status); if (!NT_STATUS_IS_OK(status)) { return status;
diff --git a/source3/rpc_server/srv_svcctl_nt.c b/source3/rpc_server/srv_svcctl_nt.c
index 02b3c8d833..5dc62ef29b 100644
--- a/source3/rpc_server/srv_svcctl_nt.c
+++ b/source3/rpc_server/srv_svcctl_nt.c
@@ -869,7 +869,7 @@ WERROR _svcctl_QueryServiceObjectSecurity(pipes_struct *p, /* check access reights (according to MSDN) */
- if ( !(info->access_granted & STD_RIGHT_READ_CONTROL_ACCESS) )
+ if ( !(info->access_granted & SEC_STD_READ_CONTROL) )
 return WERR_ACCESS_DENIED; /* TODO: handle something besides SECINFO_DACL */
@@ -923,12 +923,12 @@ WERROR _svcctl_SetServiceObjectSecurity(pipes_struct *p, switch ( r->in.security_flags ) { case SECINFO_DACL:
- required_access = STD_RIGHT_WRITE_DAC_ACCESS;
+ required_access = SEC_STD_WRITE_DAC;
 break; case SECINFO_OWNER: case SECINFO_GROUP:
- required_access = STD_RIGHT_WRITE_OWNER_ACCESS;
+ required_access = SEC_STD_WRITE_OWNER;
 break; case SECINFO_SACL:
diff --git a/source3/rpc_server/srv_winreg_nt.c b/source3/rpc_server/srv_winreg_nt.c
index 10ea8fef22..28d5ac9237 100644
--- a/source3/rpc_server/srv_winreg_nt.c
+++ b/source3/rpc_server/srv_winreg_nt.c
@@ -851,7 +851,7 @@ WERROR _winreg_GetKeySecurity(pipes_struct *p, struct winreg_GetKeySecurity *r) /* access checks first */
- if ( !(key->key->access_granted & STD_RIGHT_READ_CONTROL_ACCESS) )
+ if ( !(key->key->access_granted & SEC_STD_READ_CONTROL) )
 return WERR_ACCESS_DENIED; err = reg_getkeysecurity(p->mem_ctx, key, &secdesc);
@@ -892,7 +892,7 @@ WERROR _winreg_SetKeySecurity(pipes_struct *p, struct winreg_SetKeySecurity *r) /* access checks first */
- if ( !(key->key->access_granted & STD_RIGHT_WRITE_DAC_ACCESS) )
+ if ( !(key->key->access_granted & SEC_STD_WRITE_DAC) )
 return WERR_ACCESS_DENIED; err = ntstatus_to_werror(unmarshall_sec_desc(p->mem_ctx, r->in.sd->data,
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 5107b1a9e2..330e89df18 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -2024,7 +2024,7 @@ void reply_open_and_X(struct smb_request *req) SSVAL(req->outbuf,smb_vwv11,smb_action); if (open_flags & EXTENDED_RESPONSE_REQUIRED) {
- SIVAL(req->outbuf, smb_vwv15, STD_RIGHT_ALL_ACCESS);
+ SIVAL(req->outbuf, smb_vwv15, SEC_STD_ALL);
 } chain_reply(req);
-- cgit
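Review bot: The `switch ( r->in.security_flags )` in _svcctl_SetServiceObjectSecurity (source3/rpc_server/srv_svcctl_nt.c) matches only exact single values, but the case labels are SECINFO_* flags, so a request that combines SECINFO_DACL with SECINFO_OWNER, for instance, selects none of the visible cases. What happens then depends on the SECINFO_SACL and default branches, which lie outside the hunk; unless they reject the request, `required_access` may not cover every part of the descriptor being written. Accumulating the requirement per bit avoids that: `if (r->in.security_flags & SECINFO_DACL) required_access |= SEC_STD_WRITE_DAC;` and `if (r->in.security_flags & (SECINFO_OWNER|SECINFO_GROUP)) required_access |= SEC_STD_WRITE_OWNER;`, with `required_access` starting at zero. This behaviour predates the rename.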
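Review bot: The guard in _winreg_SetKeySecurity (source3/rpc_server/srv_winreg_nt.c) requires only `SEC_STD_WRITE_DAC` before the descriptor is unmarshalled, and nothing visible in the hunk ties the check to which parts of the descriptor the caller asked to set. Changing the owner or group normally calls for `SEC_STD_WRITE_OWNER`, which is what the svcctl handler in this same patch demands for SECINFO_OWNER and SECINFO_GROUP, so a handle opened with WRITE_DAC alone might be able to rewrite ownership. The rest of the function is outside the hunk; if the request's security-information flags are not checked further down, derive the required access from them before this test. The unbraced `if` here and in _winreg_GetKeySecurity would also be safer with braces around `return WERR_ACCESS_DENIED;`.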