From b6a2cea74d90499bd3e239ab696502ae8afed30e Mon Sep 17 00:00:00 2001
From: Günther Deschner <gd@samba.org>
Date: Thu, 3 Jun 2010 10:36:05 +0200
Subject: s3-security: use shared "Standard access rights.".

Guenther
---
 source3/include/rpc_secdes.h       | 10 ----------
 source3/include/smb.h              |  2 +-
 source3/lib/netapi/localgroup.c    |  2 +-
 source3/lib/netapi/user.c          |  4 ++--
 source3/modules/nfs4_acls.c        |  2 +-
 source3/rpc_server/srv_lsa_nt.c    |  4 ++--
 source3/rpc_server/srv_samr_nt.c   | 16 ++++++++--------
 source3/rpc_server/srv_svcctl_nt.c |  6 +++---
 source3/rpc_server/srv_winreg_nt.c |  4 ++--
 source3/smbd/reply.c               |  2 +-
 10 files changed, 21 insertions(+), 31 deletions(-)

(limited to 'source3')

diff --git a/source3/include/rpc_secdes.h b/source3/include/rpc_secdes.h
index 216f8830eb..d14a95b17b 100644
--- a/source3/include/rpc_secdes.h
+++ b/source3/include/rpc_secdes.h
@@ -24,14 +24,4 @@
 /* for ADS */
 #define SEC_RIGHTS_FULL_CTRL		0xf01ff
 
-/* Standard access rights. */
-
-#define STD_RIGHT_DELETE_ACCESS		0x00010000
-#define STD_RIGHT_READ_CONTROL_ACCESS	0x00020000
-#define STD_RIGHT_WRITE_DAC_ACCESS	0x00040000
-#define STD_RIGHT_WRITE_OWNER_ACCESS	0x00080000
-#define STD_RIGHT_SYNCHRONIZE_ACCESS	0x00100000
-
-#define STD_RIGHT_ALL_ACCESS		0x001F0000
-
 #endif /* _RPC_SECDES_H */
diff --git a/source3/include/smb.h b/source3/include/smb.h
index 89b3572d67..ce8022ab21 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -1234,7 +1234,7 @@ struct bitmap {
 			   SYNCHRONIZE_ACCESS)
 
 /* This maps to 0x120116 */
-#define FILE_GENERIC_WRITE (STD_RIGHT_READ_CONTROL_ACCESS|\
+#define FILE_GENERIC_WRITE (SEC_STD_READ_CONTROL|\
 			    FILE_WRITE_DATA|\
 			    FILE_WRITE_ATTRIBUTES|\
 			    FILE_WRITE_EA|\
diff --git a/source3/lib/netapi/localgroup.c b/source3/lib/netapi/localgroup.c
index dd0f8d2097..f8832328fe 100644
--- a/source3/lib/netapi/localgroup.c
+++ b/source3/lib/netapi/localgroup.c
@@ -934,7 +934,7 @@ static NTSTATUS libnetapi_lsa_lookup_names3(TALLOC_CTX *mem_ctx,
 
 	status = rpccli_lsa_open_policy2(lsa_pipe, mem_ctx,
 					 false,
-					 STD_RIGHT_READ_CONTROL_ACCESS |
+					 SEC_STD_READ_CONTROL |
 					 LSA_POLICY_VIEW_LOCAL_INFORMATION |
 					 LSA_POLICY_LOOKUP_NAMES,
 					 &lsa_handle);
diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c
index e291193fa2..c586d11ceb 100644
--- a/source3/lib/netapi/user.c
+++ b/source3/lib/netapi/user.c
@@ -1770,8 +1770,8 @@ WERROR NetUserSetInfo_r(struct libnetapi_ctx *ctx,
 				    SAMR_USER_ACCESS_GET_GROUPS;
 			break;
 		case 3:
-			user_mask = STD_RIGHT_READ_CONTROL_ACCESS |
-				    STD_RIGHT_WRITE_DAC_ACCESS |
+			user_mask = SEC_STD_READ_CONTROL |
+				    SEC_STD_WRITE_DAC |
 				    SAMR_USER_ACCESS_GET_GROUPS |
 				    SAMR_USER_ACCESS_SET_PASSWORD |
 				    SAMR_USER_ACCESS_SET_ATTRIBUTES |
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
index 3d4ab29510..83e8f38ae8 100644
--- a/source3/modules/nfs4_acls.c
+++ b/source3/modules/nfs4_acls.c
@@ -553,7 +553,7 @@ static bool smbacl4_fill_ace4(
 	ace_v4->aceType = ace_nt->type; /* only ACCESS|DENY supported right now */
 	ace_v4->aceFlags = ace_nt->flags & SEC_ACE_FLAG_VALID_INHERIT;
 	ace_v4->aceMask = ace_nt->access_mask &
-		(STD_RIGHT_ALL_ACCESS | SEC_FILE_ALL);
+		(SEC_STD_ALL | SEC_FILE_ALL);
 
 	se_map_generic(&ace_v4->aceMask, &file_generic_mapping);
 
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index 7e00e7aa33..fffb912782 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -1414,7 +1414,7 @@ NTSTATUS _lsa_DeleteObject(pipes_struct *p,
 		return NT_STATUS_INVALID_HANDLE;
 	}
 
-	if (!(info->access & STD_RIGHT_DELETE_ACCESS)) {
+	if (!(info->access & SEC_STD_DELETE)) {
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
@@ -2261,7 +2261,7 @@ NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p,
 	status = access_check_object(psd, p->server_info->ptok,
 				     NULL, 0,
 				     LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
-				     LSA_ACCOUNT_VIEW|STD_RIGHT_DELETE_ACCESS,
+				     LSA_ACCOUNT_VIEW|SEC_STD_DELETE,
 				     &acc_granted, "_lsa_RemoveAccountRights");
         if (!NT_STATUS_IS_OK(status)) {
                 return status;
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 30c5c5e839..fda8515e12 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -779,7 +779,7 @@ NTSTATUS _samr_QuerySecurity(pipes_struct *p,
 	size_t sd_size = 0;
 
 	cinfo = policy_handle_find(p, r->in.handle,
-				   STD_RIGHT_READ_CONTROL_ACCESS, NULL,
+				   SEC_STD_READ_CONTROL, NULL,
 				   struct samr_connect_info, &status);
 	if (NT_STATUS_IS_OK(status)) {
 		DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n"));
@@ -789,7 +789,7 @@ NTSTATUS _samr_QuerySecurity(pipes_struct *p,
 	}
 
 	dinfo = policy_handle_find(p, r->in.handle,
-				   STD_RIGHT_READ_CONTROL_ACCESS, NULL,
+				   SEC_STD_READ_CONTROL, NULL,
 				   struct samr_domain_info, &status);
 	if (NT_STATUS_IS_OK(status)) {
 		DEBUG(5,("_samr_QuerySecurity: querying security on Domain "
@@ -804,7 +804,7 @@ NTSTATUS _samr_QuerySecurity(pipes_struct *p,
 	}
 
 	uinfo = policy_handle_find(p, r->in.handle,
-				   STD_RIGHT_READ_CONTROL_ACCESS, NULL,
+				   SEC_STD_READ_CONTROL, NULL,
 				   struct samr_user_info, &status);
 	if (NT_STATUS_IS_OK(status)) {
 		DEBUG(10,("_samr_QuerySecurity: querying security on user "
@@ -825,7 +825,7 @@ NTSTATUS _samr_QuerySecurity(pipes_struct *p,
 	}
 
 	ginfo = policy_handle_find(p, r->in.handle,
-				   STD_RIGHT_READ_CONTROL_ACCESS, NULL,
+				   SEC_STD_READ_CONTROL, NULL,
 				   struct samr_group_info, &status);
 	if (NT_STATUS_IS_OK(status)) {
 		/*
@@ -843,7 +843,7 @@ NTSTATUS _samr_QuerySecurity(pipes_struct *p,
 	}
 
 	ainfo = policy_handle_find(p, r->in.handle,
-				   STD_RIGHT_READ_CONTROL_ACCESS, NULL,
+				   SEC_STD_READ_CONTROL, NULL,
 				   struct samr_alias_info, &status);
 	if (NT_STATUS_IS_OK(status)) {
 		/*
@@ -5699,7 +5699,7 @@ NTSTATUS _samr_DeleteUser(pipes_struct *p,
 	DEBUG(5, ("_samr_DeleteUser: %d\n", __LINE__));
 
 	uinfo = policy_handle_find(p, r->in.user_handle,
-				   STD_RIGHT_DELETE_ACCESS, NULL,
+				   SEC_STD_DELETE, NULL,
 				   struct samr_user_info, &status);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -5767,7 +5767,7 @@ NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p,
 	DEBUG(5, ("samr_DeleteDomainGroup: %d\n", __LINE__));
 
 	ginfo = policy_handle_find(p, r->in.group_handle,
-				   STD_RIGHT_DELETE_ACCESS, NULL,
+				   SEC_STD_DELETE, NULL,
 				   struct samr_group_info, &status);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -5817,7 +5817,7 @@ NTSTATUS _samr_DeleteDomAlias(pipes_struct *p,
 	DEBUG(5, ("_samr_DeleteDomAlias: %d\n", __LINE__));
 
 	ainfo = policy_handle_find(p, r->in.alias_handle,
-				   STD_RIGHT_DELETE_ACCESS, NULL,
+				   SEC_STD_DELETE, NULL,
 				   struct samr_alias_info, &status);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
diff --git a/source3/rpc_server/srv_svcctl_nt.c b/source3/rpc_server/srv_svcctl_nt.c
index 02b3c8d833..5dc62ef29b 100644
--- a/source3/rpc_server/srv_svcctl_nt.c
+++ b/source3/rpc_server/srv_svcctl_nt.c
@@ -869,7 +869,7 @@ WERROR _svcctl_QueryServiceObjectSecurity(pipes_struct *p,
 
 	/* check access reights (according to MSDN) */
 
-	if ( !(info->access_granted & STD_RIGHT_READ_CONTROL_ACCESS) )
+	if ( !(info->access_granted & SEC_STD_READ_CONTROL) )
 		return WERR_ACCESS_DENIED;
 
 	/* TODO: handle something besides SECINFO_DACL */
@@ -923,12 +923,12 @@ WERROR _svcctl_SetServiceObjectSecurity(pipes_struct *p,
 
 	switch ( r->in.security_flags ) {
 		case SECINFO_DACL:
-			required_access = STD_RIGHT_WRITE_DAC_ACCESS;
+			required_access = SEC_STD_WRITE_DAC;
 			break;
 
 		case SECINFO_OWNER:
 		case SECINFO_GROUP:
-			required_access = STD_RIGHT_WRITE_OWNER_ACCESS;
+			required_access = SEC_STD_WRITE_OWNER;
 			break;
 
 		case SECINFO_SACL:
diff --git a/source3/rpc_server/srv_winreg_nt.c b/source3/rpc_server/srv_winreg_nt.c
index 10ea8fef22..28d5ac9237 100644
--- a/source3/rpc_server/srv_winreg_nt.c
+++ b/source3/rpc_server/srv_winreg_nt.c
@@ -851,7 +851,7 @@ WERROR _winreg_GetKeySecurity(pipes_struct *p, struct winreg_GetKeySecurity *r)
 
 	/* access checks first */
 
-	if ( !(key->key->access_granted & STD_RIGHT_READ_CONTROL_ACCESS) )
+	if ( !(key->key->access_granted & SEC_STD_READ_CONTROL) )
 		return WERR_ACCESS_DENIED;
 
 	err = reg_getkeysecurity(p->mem_ctx, key, &secdesc);
@@ -892,7 +892,7 @@ WERROR _winreg_SetKeySecurity(pipes_struct *p, struct winreg_SetKeySecurity *r)
 
 	/* access checks first */
 
-	if ( !(key->key->access_granted & STD_RIGHT_WRITE_DAC_ACCESS) )
+	if ( !(key->key->access_granted & SEC_STD_WRITE_DAC) )
 		return WERR_ACCESS_DENIED;
 
 	err = ntstatus_to_werror(unmarshall_sec_desc(p->mem_ctx, r->in.sd->data,
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 5107b1a9e2..330e89df18 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -2024,7 +2024,7 @@ void reply_open_and_X(struct smb_request *req)
 	SSVAL(req->outbuf,smb_vwv11,smb_action);
 
 	if (open_flags & EXTENDED_RESPONSE_REQUIRED) {
-		SIVAL(req->outbuf, smb_vwv15, STD_RIGHT_ALL_ACCESS);
+		SIVAL(req->outbuf, smb_vwv15, SEC_STD_ALL);
 	}
 
 	chain_reply(req);
-- 
cgit