From 353d9bc3e42bc051119c205ac981fc819c6877b4 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 18 Sep 2010 10:58:10 +1000 Subject: s4-acl Merge sec_access_check() with se_access_check() from source3/ Andrew Bartlett Signed-off-by: Andrew Tridgell --- source4/libcli/security/access_check.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) (limited to 'source4/libcli/security/access_check.c') diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c index e8b8ee8771..5ae318be43 100644 --- a/source4/libcli/security/access_check.c +++ b/source4/libcli/security/access_check.c @@ -84,9 +84,11 @@ static const struct GUID *get_ace_object_type(struct security_ace *ace) } /* - the main entry point for access checking. + The main entry point for access checking. If returning ACCESS_DENIED + this function returns the denied bits in the uint32_t pointed + to by the access_granted pointer. */ -NTSTATUS sec_access_check(const struct security_descriptor *sd, +NTSTATUS se_access_check(const struct security_descriptor *sd, const struct security_token *token, uint32_t access_desired, uint32_t *access_granted) @@ -99,10 +101,17 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd, /* handle the maximum allowed flag */ if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) { + uint32_t orig_access_desired = access_desired; + access_desired |= access_check_max_allowed(sd, token); access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED; *access_granted = access_desired; bits_remaining = access_desired & ~SEC_STD_DELETE; + + DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n", + orig_access_desired, + *access_granted, + bits_remaining)); } if (access_desired & SEC_FLAG_SYSTEM_SECURITY) { @@ -124,6 +133,10 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd, security_token_has_sid(token, sd->owner_sid)) { bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE); } + if ((bits_remaining & SEC_STD_DELETE) && + (security_token_has_privilege(token, SEC_PRIV_RESTORE))) { + bits_remaining &= ~SEC_STD_DELETE; + } if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) && security_token_has_privilege(token, SEC_PRIV_RESTORE)) { bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE); @@ -166,6 +179,7 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd, done: if (bits_remaining != 0) { + *access_granted = bits_remaining; return NT_STATUS_ACCESS_DENIED; } -- cgit