From 4075e28a4f87993858e630012cffe96e49ff6717 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 3 Dec 2004 13:04:10 +0000 Subject: r4056: modified the access check code based on results from RAW-ACLS test. Also added generic mapping bits for pvfs. We don't pass RAW-ACLS yet, but its close. (This used to be commit c7cbd966d49a5345ea326732587555d209c531fc) --- source4/libcli/security/access_check.c | 45 ++++++++++++++-------------------- 1 file changed, 19 insertions(+), 26 deletions(-) (limited to 'source4/libcli/security') diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c index d8809aebc6..7e70736d09 100644 --- a/source4/libcli/security/access_check.c +++ b/source4/libcli/security/access_check.c @@ -42,13 +42,16 @@ static BOOL sid_active_in_token(struct dom_sid *sid, struct nt_user_token *token /* perform a SEC_FLAG_MAXIMUM_ALLOWED access check */ -static NTSTATUS access_check_max_allowed(struct security_descriptor *sd, - struct nt_user_token *token, - uint32_t *access_granted) +static uint32_t access_check_max_allowed(struct security_descriptor *sd, + struct nt_user_token *token) { uint32_t denied = 0, granted = 0; - int i; + unsigned i; + if (sid_active_in_token(sd->owner_sid, token)) { + granted |= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL); + } + for (i = 0;idacl->num_aces; i++) { struct security_ace *ace = &sd->dacl->aces[i]; @@ -67,15 +70,7 @@ static NTSTATUS access_check_max_allowed(struct security_descriptor *sd, } } - granted &= ~denied; - - if (granted == 0) { - return NT_STATUS_ACCESS_DENIED; - } - - *access_granted = granted; - - return NT_STATUS_OK; + return granted & ~denied; } /* @@ -89,16 +84,15 @@ NTSTATUS sec_access_check(struct security_descriptor *sd, int i; uint32_t bits_remaining; - bits_remaining = access_desired; - - /* the owner always gets SEC_STD_WRITE_DAC & SEC_STD_READ_CONTROL */ - if (bits_remaining & (SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL)) { - if (sid_active_in_token(sd->owner_sid, token)) { - bits_remaining &= - ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL); - } + /* handle the maximum allowed flag */ + if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) { + access_desired |= access_check_max_allowed(sd, token); + access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED; } + *access_granted = access_desired; + bits_remaining = access_desired; + #if 0 /* this is where we should check for the "system security" privilege, once we move to the full security_token and not just the nt_user_token */ @@ -122,9 +116,10 @@ NTSTATUS sec_access_check(struct security_descriptor *sd, return NT_STATUS_ACCESS_DENIED; } - /* handle the maximum allowed case separately */ - if (access_desired == SEC_FLAG_MAXIMUM_ALLOWED) { - return access_check_max_allowed(sd, token, access_granted); + /* the owner always gets SEC_STD_WRITE_DAC & SEC_STD_READ_CONTROL */ + if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL)) && + sid_active_in_token(sd->owner_sid, token)) { + bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL); } /* check each ace in turn. */ @@ -156,7 +151,5 @@ NTSTATUS sec_access_check(struct security_descriptor *sd, return NT_STATUS_ACCESS_DENIED; } - *access_granted = access_desired; - return NT_STATUS_OK; } -- cgit