From fdc9f417d89fdf9dd6afbc22843d70585e195c9d Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 30 Nov 2004 04:33:27 +0000 Subject: r4011: get rid of rpc_secdes.h and replace it with a single sane set of definitions for security access masks, in security.idl The previous definitions were inconsistently named, and contained many duplicate and misleading entries. I kept finding myself tripping up while using them. (This used to be commit 01c0fa722f80ceeb3f81f01987de95f365a2ed3d) --- source4/ntvfs/posix/pvfs_acl.c | 80 +++++++++++++++++----------------- source4/ntvfs/posix/pvfs_open.c | 24 +++++----- source4/ntvfs/posix/pvfs_read.c | 5 ++- source4/ntvfs/posix/pvfs_setfileinfo.c | 5 ++- source4/ntvfs/posix/pvfs_write.c | 3 +- 5 files changed, 60 insertions(+), 57 deletions(-) (limited to 'source4/ntvfs/posix') diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c index 2ff873fd78..2fff6db628 100644 --- a/source4/ntvfs/posix/pvfs_acl.c +++ b/source4/ntvfs/posix/pvfs_acl.c @@ -71,7 +71,7 @@ static NTSTATUS pvfs_default_acl(struct pvfs_state *pvfs, - Group - Everyone */ - access_masks[0] = SEC_RIGHTS_FULL_CTRL | STD_RIGHT_ALL_ACCESS; + access_masks[0] = SEC_RIGHTS_FULL_CONTROL; access_masks[1] = 0; access_masks[2] = 0; access_masks[3] = 0; @@ -80,54 +80,54 @@ static NTSTATUS pvfs_default_acl(struct pvfs_state *pvfs, if (mode & S_IRUSR) { access_masks[1] |= - SA_RIGHT_FILE_READ_DATA | - SA_RIGHT_FILE_READ_EA | - SA_RIGHT_FILE_READ_ATTRIBUTES | - SA_RIGHT_FILE_EXECUTE | - STD_RIGHT_SYNCHRONIZE_ACCESS | - STD_RIGHT_READ_CONTROL_ACCESS; + SEC_FILE_READ_DATA | + SEC_FILE_READ_EA | + SEC_FILE_READ_ATTRIBUTE | + SEC_FILE_EXECUTE | + SEC_STD_SYNCHRONIZE | + SEC_STD_READ_CONTROL; } if (mode & S_IWUSR) { access_masks[1] |= - SA_RIGHT_FILE_WRITE_DATA | - SA_RIGHT_FILE_APPEND_DATA | - SA_RIGHT_FILE_WRITE_EA | - SA_RIGHT_FILE_WRITE_ATTRIBUTES | - STD_RIGHT_DELETE_ACCESS; + SEC_FILE_WRITE_DATA | + SEC_FILE_APPEND_DATA | + SEC_FILE_WRITE_EA | + SEC_FILE_WRITE_ATTRIBUTE | + SEC_STD_DELETE; } if (mode & S_IRGRP) { access_masks[2] |= - SA_RIGHT_FILE_READ_DATA | - SA_RIGHT_FILE_READ_EA | - SA_RIGHT_FILE_READ_ATTRIBUTES | - SA_RIGHT_FILE_EXECUTE | - STD_RIGHT_SYNCHRONIZE_ACCESS | - STD_RIGHT_READ_CONTROL_ACCESS; + SEC_FILE_READ_DATA | + SEC_FILE_READ_EA | + SEC_FILE_READ_ATTRIBUTE | + SEC_FILE_EXECUTE | + SEC_STD_SYNCHRONIZE | + SEC_STD_READ_CONTROL; } if (mode & S_IWGRP) { access_masks[2] |= - SA_RIGHT_FILE_WRITE_DATA | - SA_RIGHT_FILE_APPEND_DATA | - SA_RIGHT_FILE_WRITE_EA | - SA_RIGHT_FILE_WRITE_ATTRIBUTES; + SEC_FILE_WRITE_DATA | + SEC_FILE_APPEND_DATA | + SEC_FILE_WRITE_EA | + SEC_FILE_WRITE_ATTRIBUTE; } if (mode & S_IROTH) { access_masks[3] |= - SA_RIGHT_FILE_READ_DATA | - SA_RIGHT_FILE_READ_EA | - SA_RIGHT_FILE_READ_ATTRIBUTES | - SA_RIGHT_FILE_EXECUTE | - STD_RIGHT_SYNCHRONIZE_ACCESS | - STD_RIGHT_READ_CONTROL_ACCESS; + SEC_FILE_READ_DATA | + SEC_FILE_READ_EA | + SEC_FILE_READ_ATTRIBUTE | + SEC_FILE_EXECUTE | + SEC_STD_SYNCHRONIZE | + SEC_STD_READ_CONTROL; } if (mode & S_IWOTH) { access_masks[3] |= - SA_RIGHT_FILE_WRITE_DATA | - SA_RIGHT_FILE_APPEND_DATA | - SA_RIGHT_FILE_WRITE_EA | - SA_RIGHT_FILE_WRITE_ATTRIBUTES; + SEC_FILE_WRITE_DATA | + SEC_FILE_APPEND_DATA | + SEC_FILE_WRITE_EA | + SEC_FILE_WRITE_ATTRIBUTE; } ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED; @@ -163,16 +163,16 @@ static NTSTATUS pvfs_default_acl(struct pvfs_state *pvfs, */ static void normalise_sd_flags(struct security_descriptor *sd, uint32_t secinfo_flags) { - if (!(secinfo_flags & OWNER_SECURITY_INFORMATION)) { + if (!(secinfo_flags & SECINFO_OWNER)) { sd->owner_sid = NULL; } - if (!(secinfo_flags & GROUP_SECURITY_INFORMATION)) { + if (!(secinfo_flags & SECINFO_GROUP)) { sd->group_sid = NULL; } - if (!(secinfo_flags & DACL_SECURITY_INFORMATION)) { + if (!(secinfo_flags & SECINFO_DACL)) { sd->dacl = NULL; } - if (!(secinfo_flags & SACL_SECURITY_INFORMATION)) { + if (!(secinfo_flags & SECINFO_SACL)) { sd->sacl = NULL; } } @@ -214,16 +214,16 @@ NTSTATUS pvfs_acl_set(struct pvfs_state *pvfs, new_sd = info->set_secdesc.in.sd; /* only set the elements that have been specified */ - if (secinfo_flags & OWNER_SECURITY_INFORMATION) { + if (secinfo_flags & SECINFO_OWNER) { sd->owner_sid = new_sd->owner_sid; } - if (secinfo_flags & GROUP_SECURITY_INFORMATION) { + if (secinfo_flags & SECINFO_GROUP) { sd->group_sid = new_sd->group_sid; } - if (secinfo_flags & DACL_SECURITY_INFORMATION) { + if (secinfo_flags & SECINFO_DACL) { sd->dacl = new_sd->dacl; } - if (secinfo_flags & SACL_SECURITY_INFORMATION) { + if (secinfo_flags & SECINFO_SACL) { sd->sacl = new_sd->sacl; } diff --git a/source4/ntvfs/posix/pvfs_open.c b/source4/ntvfs/posix/pvfs_open.c index 3d0e444d29..4b8de28488 100644 --- a/source4/ntvfs/posix/pvfs_open.c +++ b/source4/ntvfs/posix/pvfs_open.c @@ -380,11 +380,11 @@ static NTSTATUS pvfs_create_file(struct pvfs_state *pvfs, return NT_STATUS_CANNOT_DELETE; } - if (access_mask & SEC_RIGHT_MAXIMUM_ALLOWED) { - access_mask = GENERIC_RIGHTS_FILE_READ | GENERIC_RIGHTS_FILE_WRITE; + if (access_mask & SEC_FLAG_MAXIMUM_ALLOWED) { + access_mask = SEC_RIGHTS_FILE_READ | SEC_RIGHTS_FILE_WRITE; } - if (access_mask & SA_RIGHT_FILE_WRITE_APPEND) { + if (access_mask & (SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA)) { flags = O_RDWR; } else { flags = O_RDONLY; @@ -460,7 +460,7 @@ static NTSTATUS pvfs_create_file(struct pvfs_state *pvfs, union smb_setfileinfo set; set.set_secdesc.file.fnum = fnum; - set.set_secdesc.in.secinfo_flags = DACL_SECURITY_INFORMATION; + set.set_secdesc.in.secinfo_flags = SECINFO_DACL; set.set_secdesc.in.sd = io->ntcreatex.in.sec_desc; status = pvfs_acl_set(pvfs, req, name, fd, &set); @@ -676,7 +676,7 @@ static NTSTATUS pvfs_open_deny_dos(struct ntvfs_module_context *ntvfs, (f2->handle->create_options & (NTCREATEX_OPTIONS_PRIVATE_DENY_DOS | NTCREATEX_OPTIONS_PRIVATE_DENY_FCB)) && - (f2->access_mask & SA_RIGHT_FILE_WRITE_DATA) && + (f2->access_mask & SEC_FILE_WRITE_DATA) && StrCaseCmp(f2->handle->name->original_name, io->generic.in.fname)==0) { break; @@ -862,17 +862,17 @@ NTSTATUS pvfs_open(struct ntvfs_module_context *ntvfs, share_access = io->generic.in.share_access; access_mask = io->generic.in.access_mask; - if (access_mask & SEC_RIGHT_MAXIMUM_ALLOWED) { + if (access_mask & SEC_FLAG_MAXIMUM_ALLOWED) { if (name->exists && (name->dos.attrib & FILE_ATTRIBUTE_READONLY)) { - access_mask = GENERIC_RIGHTS_FILE_READ; + access_mask = SEC_RIGHTS_FILE_READ; } else { - access_mask = GENERIC_RIGHTS_FILE_READ | GENERIC_RIGHTS_FILE_WRITE; + access_mask = SEC_RIGHTS_FILE_READ | SEC_RIGHTS_FILE_WRITE; } } /* certain create options are not allowed */ if ((create_options & NTCREATEX_OPTIONS_DELETE_ON_CLOSE) && - !(access_mask & STD_RIGHT_DELETE_ACCESS)) { + !(access_mask & SEC_STD_DELETE)) { return NT_STATUS_INVALID_PARAMETER; } @@ -914,7 +914,7 @@ NTSTATUS pvfs_open(struct ntvfs_module_context *ntvfs, return NT_STATUS_INVALID_PARAMETER; } - if (access_mask & SA_RIGHT_FILE_WRITE_APPEND) { + if (access_mask & (SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA)) { flags |= O_RDWR; } else { flags |= O_RDONLY; @@ -1240,7 +1240,7 @@ NTSTATUS pvfs_can_delete(struct pvfs_state *pvfs, struct pvfs_filename *name) NTCREATEX_SHARE_ACCESS_WRITE | NTCREATEX_SHARE_ACCESS_DELETE, NTCREATEX_OPTIONS_DELETE_ON_CLOSE, - STD_RIGHT_DELETE_ACCESS); + SEC_STD_DELETE); return status; } @@ -1263,7 +1263,7 @@ NTSTATUS pvfs_can_rename(struct pvfs_state *pvfs, struct pvfs_filename *name) NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE, 0, - STD_RIGHT_DELETE_ACCESS); + SEC_STD_DELETE); return status; } diff --git a/source4/ntvfs/posix/pvfs_read.c b/source4/ntvfs/posix/pvfs_read.c index 793a97ba62..db597d7097 100644 --- a/source4/ntvfs/posix/pvfs_read.c +++ b/source4/ntvfs/posix/pvfs_read.c @@ -23,6 +23,7 @@ #include "includes.h" #include "vfs_posix.h" #include "system/filesys.h" +#include "librpc/gen_ndr/ndr_security.h" /* read from a file @@ -50,9 +51,9 @@ NTSTATUS pvfs_read(struct ntvfs_module_context *ntvfs, return NT_STATUS_FILE_IS_A_DIRECTORY; } - mask = SA_RIGHT_FILE_READ_DATA; + mask = SEC_FILE_READ_DATA; if (req->flags2 & FLAGS2_READ_PERMIT_EXECUTE) { - mask |= SA_RIGHT_FILE_EXECUTE; + mask |= SEC_FILE_EXECUTE; } if (!(f->access_mask & mask)) { return NT_STATUS_ACCESS_DENIED; diff --git a/source4/ntvfs/posix/pvfs_setfileinfo.c b/source4/ntvfs/posix/pvfs_setfileinfo.c index 5a758a6b70..c43ef5c40a 100644 --- a/source4/ntvfs/posix/pvfs_setfileinfo.c +++ b/source4/ntvfs/posix/pvfs_setfileinfo.c @@ -258,7 +258,7 @@ NTSTATUS pvfs_setfileinfo(struct ntvfs_module_context *ntvfs, case RAW_SFILEINFO_DISPOSITION_INFO: case RAW_SFILEINFO_DISPOSITION_INFORMATION: - if (!(f->access_mask & STD_RIGHT_DELETE_ACCESS)) { + if (!(f->access_mask & SEC_STD_DELETE)) { return NT_STATUS_ACCESS_DENIED; } create_options = h->create_options; @@ -322,7 +322,8 @@ NTSTATUS pvfs_setfileinfo(struct ntvfs_module_context *ntvfs, } } else { int ret; - if (f->access_mask & SA_RIGHT_FILE_WRITE_APPEND) { + if (f->access_mask & + (SEC_FILE_WRITE_DATA|SEC_FILE_APPEND_DATA)) { ret = ftruncate(h->fd, newstats.st.st_size); } else { ret = truncate(h->name->full_name, newstats.st.st_size); diff --git a/source4/ntvfs/posix/pvfs_write.c b/source4/ntvfs/posix/pvfs_write.c index 3f6e8d908a..025ea3f3eb 100644 --- a/source4/ntvfs/posix/pvfs_write.c +++ b/source4/ntvfs/posix/pvfs_write.c @@ -22,6 +22,7 @@ #include "includes.h" #include "vfs_posix.h" +#include "librpc/gen_ndr/ndr_security.h" /* @@ -48,7 +49,7 @@ NTSTATUS pvfs_write(struct ntvfs_module_context *ntvfs, return NT_STATUS_FILE_IS_A_DIRECTORY; } - if (!(f->access_mask & SA_RIGHT_FILE_WRITE_APPEND)) { + if (!(f->access_mask & (SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA))) { return NT_STATUS_ACCESS_VIOLATION; } -- cgit