From fdc9f417d89fdf9dd6afbc22843d70585e195c9d Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 30 Nov 2004 04:33:27 +0000 Subject: r4011: get rid of rpc_secdes.h and replace it with a single sane set of definitions for security access masks, in security.idl The previous definitions were inconsistently named, and contained many duplicate and misleading entries. I kept finding myself tripping up while using them. (This used to be commit 01c0fa722f80ceeb3f81f01987de95f365a2ed3d) --- source4/ntvfs/common/opendb.c | 29 +++++++----- source4/ntvfs/ntvfs_generic.c | 31 +++++++------ source4/ntvfs/posix/pvfs_acl.c | 80 +++++++++++++++++----------------- source4/ntvfs/posix/pvfs_open.c | 24 +++++----- source4/ntvfs/posix/pvfs_read.c | 5 ++- source4/ntvfs/posix/pvfs_setfileinfo.c | 5 ++- source4/ntvfs/posix/pvfs_write.c | 3 +- 7 files changed, 94 insertions(+), 83 deletions(-) (limited to 'source4/ntvfs') diff --git a/source4/ntvfs/common/opendb.c b/source4/ntvfs/common/opendb.c index 99c013fc84..8947a5d255 100644 --- a/source4/ntvfs/common/opendb.c +++ b/source4/ntvfs/common/opendb.c @@ -40,6 +40,7 @@ #include "includes.h" #include "messages.h" +#include "librpc/gen_ndr/ndr_security.h" struct odb_context { struct tdb_wrap *w; @@ -157,14 +158,18 @@ static BOOL share_conflict(struct odb_entry *e1, struct odb_entry *e2) /* if either open involves no read.write or delete access then it can't conflict */ - if (!(e1->access_mask & (SA_RIGHT_FILE_WRITE_APPEND | - SA_RIGHT_FILE_READ_EXEC | - STD_RIGHT_DELETE_ACCESS))) { + if (!(e1->access_mask & (SEC_FILE_WRITE_DATA | + SEC_FILE_APPEND_DATA | + SEC_FILE_READ_DATA | + SEC_FILE_EXECUTE | + SEC_STD_DELETE))) { return False; } - if (!(e2->access_mask & (SA_RIGHT_FILE_WRITE_APPEND | - SA_RIGHT_FILE_READ_EXEC | - STD_RIGHT_DELETE_ACCESS))) { + if (!(e2->access_mask & (SEC_FILE_WRITE_DATA | + SEC_FILE_APPEND_DATA | + SEC_FILE_READ_DATA | + SEC_FILE_EXECUTE | + SEC_STD_DELETE))) { return False; } @@ -176,24 +181,24 @@ static BOOL share_conflict(struct odb_entry *e1, struct odb_entry *e2) } CHECK_MASK(e1->access_mask, e2->share_access, - SA_RIGHT_FILE_WRITE_APPEND, + SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA, NTCREATEX_SHARE_ACCESS_WRITE); CHECK_MASK(e2->access_mask, e1->share_access, - SA_RIGHT_FILE_WRITE_APPEND, + SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA, NTCREATEX_SHARE_ACCESS_WRITE); CHECK_MASK(e1->access_mask, e2->share_access, - SA_RIGHT_FILE_READ_EXEC, + SEC_FILE_READ_DATA | SEC_FILE_EXECUTE, NTCREATEX_SHARE_ACCESS_READ); CHECK_MASK(e2->access_mask, e1->share_access, - SA_RIGHT_FILE_READ_EXEC, + SEC_FILE_READ_DATA | SEC_FILE_EXECUTE, NTCREATEX_SHARE_ACCESS_READ); CHECK_MASK(e1->access_mask, e2->share_access, - STD_RIGHT_DELETE_ACCESS, + SEC_STD_DELETE, NTCREATEX_SHARE_ACCESS_DELETE); CHECK_MASK(e2->access_mask, e1->share_access, - STD_RIGHT_DELETE_ACCESS, + SEC_STD_DELETE, NTCREATEX_SHARE_ACCESS_DELETE); /* if a delete is pending then a second open is not allowed */ diff --git a/source4/ntvfs/ntvfs_generic.c b/source4/ntvfs/ntvfs_generic.c index a9bc8120c8..49de8944ff 100644 --- a/source4/ntvfs/ntvfs_generic.c +++ b/source4/ntvfs/ntvfs_generic.c @@ -33,6 +33,7 @@ #include "includes.h" #include "smb_server/smb_server.h" +#include "librpc/gen_ndr/ndr_security.h" /* a second stage function converts from the out parameters of the generic call onto the out parameters of the specific call made */ @@ -178,7 +179,7 @@ static NTSTATUS ntvfs_map_open_finish(struct smbsrv_request *req, io->openx.out.devstate = 0; io->openx.out.action = io2->generic.out.create_action; io->openx.out.unique_fid = 0; - io->openx.out.access_mask = STANDARD_RIGHTS_ALL_ACCESS; + io->openx.out.access_mask = SEC_STD_ALL; io->openx.out.unknown = 0; /* we need to extend the file to the requested size if @@ -280,17 +281,19 @@ NTSTATUS ntvfs_map_open(struct smbsrv_request *req, union smb_open *io, switch (io->openx.in.open_mode & OPENX_MODE_ACCESS_MASK) { case OPENX_MODE_ACCESS_READ: - io2->generic.in.access_mask = GENERIC_RIGHTS_FILE_READ; + io2->generic.in.access_mask = SEC_RIGHTS_FILE_READ; io->openx.out.access = OPENX_MODE_ACCESS_READ; break; case OPENX_MODE_ACCESS_WRITE: - io2->generic.in.access_mask = GENERIC_RIGHTS_FILE_WRITE; + io2->generic.in.access_mask = SEC_RIGHTS_FILE_WRITE; io->openx.out.access = OPENX_MODE_ACCESS_WRITE; break; case OPENX_MODE_ACCESS_RDWR: case OPENX_MODE_ACCESS_FCB: case OPENX_MODE_ACCESS_EXEC: - io2->generic.in.access_mask = GENERIC_RIGHTS_FILE_WRITE | GENERIC_RIGHTS_FILE_READ; + io2->generic.in.access_mask = + SEC_RIGHTS_FILE_READ | + SEC_RIGHTS_FILE_WRITE; io->openx.out.access = OPENX_MODE_ACCESS_RDWR; break; default: @@ -381,17 +384,17 @@ NTSTATUS ntvfs_map_open(struct smbsrv_request *req, union smb_open *io, io2->generic.in.open_disposition = NTCREATEX_DISP_OPEN; switch (io->openold.in.flags & OPEN_FLAGS_MODE_MASK) { case OPEN_FLAGS_OPEN_READ: - io2->generic.in.access_mask = GENERIC_RIGHTS_FILE_READ; + io2->generic.in.access_mask = SEC_RIGHTS_FILE_READ; io->openold.out.rmode = DOS_OPEN_RDONLY; break; case OPEN_FLAGS_OPEN_WRITE: - io2->generic.in.access_mask = GENERIC_RIGHTS_FILE_WRITE; + io2->generic.in.access_mask = SEC_RIGHTS_FILE_WRITE; io->openold.out.rmode = DOS_OPEN_WRONLY; break; case OPEN_FLAGS_OPEN_RDWR: case 0xf: /* FCB mode */ - io2->generic.in.access_mask = GENERIC_RIGHTS_FILE_READ | - GENERIC_RIGHTS_FILE_WRITE; + io2->generic.in.access_mask = SEC_RIGHTS_FILE_READ | + SEC_RIGHTS_FILE_WRITE; io->openold.out.rmode = DOS_OPEN_RDWR; /* assume we got r/w */ break; default: @@ -463,8 +466,8 @@ NTSTATUS ntvfs_map_open(struct smbsrv_request *req, union smb_open *io, io2->generic.in.fname = io->mknew.in.fname; io2->generic.in.open_disposition = NTCREATEX_DISP_CREATE; io2->generic.in.access_mask = - GENERIC_RIGHTS_FILE_READ | - GENERIC_RIGHTS_FILE_WRITE; + SEC_RIGHTS_FILE_READ | + SEC_RIGHTS_FILE_WRITE; io2->generic.in.share_access = NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE; @@ -476,8 +479,8 @@ NTSTATUS ntvfs_map_open(struct smbsrv_request *req, union smb_open *io, io2->generic.in.fname = io->mknew.in.fname; io2->generic.in.open_disposition = NTCREATEX_DISP_OPEN_IF; io2->generic.in.access_mask = - GENERIC_RIGHTS_FILE_READ | - GENERIC_RIGHTS_FILE_WRITE; + SEC_RIGHTS_FILE_READ | + SEC_RIGHTS_FILE_WRITE; io2->generic.in.share_access = NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE; @@ -493,8 +496,8 @@ NTSTATUS ntvfs_map_open(struct smbsrv_request *req, union smb_open *io, generate_random_str_list(io2, 5, "0123456789")); io2->generic.in.open_disposition = NTCREATEX_DISP_CREATE; io2->generic.in.access_mask = - GENERIC_RIGHTS_FILE_READ | - GENERIC_RIGHTS_FILE_WRITE; + SEC_RIGHTS_FILE_READ | + SEC_RIGHTS_FILE_WRITE; io2->generic.in.share_access = NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE; diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c index 2ff873fd78..2fff6db628 100644 --- a/source4/ntvfs/posix/pvfs_acl.c +++ b/source4/ntvfs/posix/pvfs_acl.c @@ -71,7 +71,7 @@ static NTSTATUS pvfs_default_acl(struct pvfs_state *pvfs, - Group - Everyone */ - access_masks[0] = SEC_RIGHTS_FULL_CTRL | STD_RIGHT_ALL_ACCESS; + access_masks[0] = SEC_RIGHTS_FULL_CONTROL; access_masks[1] = 0; access_masks[2] = 0; access_masks[3] = 0; @@ -80,54 +80,54 @@ static NTSTATUS pvfs_default_acl(struct pvfs_state *pvfs, if (mode & S_IRUSR) { access_masks[1] |= - SA_RIGHT_FILE_READ_DATA | - SA_RIGHT_FILE_READ_EA | - SA_RIGHT_FILE_READ_ATTRIBUTES | - SA_RIGHT_FILE_EXECUTE | - STD_RIGHT_SYNCHRONIZE_ACCESS | - STD_RIGHT_READ_CONTROL_ACCESS; + SEC_FILE_READ_DATA | + SEC_FILE_READ_EA | + SEC_FILE_READ_ATTRIBUTE | + SEC_FILE_EXECUTE | + SEC_STD_SYNCHRONIZE | + SEC_STD_READ_CONTROL; } if (mode & S_IWUSR) { access_masks[1] |= - SA_RIGHT_FILE_WRITE_DATA | - SA_RIGHT_FILE_APPEND_DATA | - SA_RIGHT_FILE_WRITE_EA | - SA_RIGHT_FILE_WRITE_ATTRIBUTES | - STD_RIGHT_DELETE_ACCESS; + SEC_FILE_WRITE_DATA | + SEC_FILE_APPEND_DATA | + SEC_FILE_WRITE_EA | + SEC_FILE_WRITE_ATTRIBUTE | + SEC_STD_DELETE; } if (mode & S_IRGRP) { access_masks[2] |= - SA_RIGHT_FILE_READ_DATA | - SA_RIGHT_FILE_READ_EA | - SA_RIGHT_FILE_READ_ATTRIBUTES | - SA_RIGHT_FILE_EXECUTE | - STD_RIGHT_SYNCHRONIZE_ACCESS | - STD_RIGHT_READ_CONTROL_ACCESS; + SEC_FILE_READ_DATA | + SEC_FILE_READ_EA | + SEC_FILE_READ_ATTRIBUTE | + SEC_FILE_EXECUTE | + SEC_STD_SYNCHRONIZE | + SEC_STD_READ_CONTROL; } if (mode & S_IWGRP) { access_masks[2] |= - SA_RIGHT_FILE_WRITE_DATA | - SA_RIGHT_FILE_APPEND_DATA | - SA_RIGHT_FILE_WRITE_EA | - SA_RIGHT_FILE_WRITE_ATTRIBUTES; + SEC_FILE_WRITE_DATA | + SEC_FILE_APPEND_DATA | + SEC_FILE_WRITE_EA | + SEC_FILE_WRITE_ATTRIBUTE; } if (mode & S_IROTH) { access_masks[3] |= - SA_RIGHT_FILE_READ_DATA | - SA_RIGHT_FILE_READ_EA | - SA_RIGHT_FILE_READ_ATTRIBUTES | - SA_RIGHT_FILE_EXECUTE | - STD_RIGHT_SYNCHRONIZE_ACCESS | - STD_RIGHT_READ_CONTROL_ACCESS; + SEC_FILE_READ_DATA | + SEC_FILE_READ_EA | + SEC_FILE_READ_ATTRIBUTE | + SEC_FILE_EXECUTE | + SEC_STD_SYNCHRONIZE | + SEC_STD_READ_CONTROL; } if (mode & S_IWOTH) { access_masks[3] |= - SA_RIGHT_FILE_WRITE_DATA | - SA_RIGHT_FILE_APPEND_DATA | - SA_RIGHT_FILE_WRITE_EA | - SA_RIGHT_FILE_WRITE_ATTRIBUTES; + SEC_FILE_WRITE_DATA | + SEC_FILE_APPEND_DATA | + SEC_FILE_WRITE_EA | + SEC_FILE_WRITE_ATTRIBUTE; } ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED; @@ -163,16 +163,16 @@ static NTSTATUS pvfs_default_acl(struct pvfs_state *pvfs, */ static void normalise_sd_flags(struct security_descriptor *sd, uint32_t secinfo_flags) { - if (!(secinfo_flags & OWNER_SECURITY_INFORMATION)) { + if (!(secinfo_flags & SECINFO_OWNER)) { sd->owner_sid = NULL; } - if (!(secinfo_flags & GROUP_SECURITY_INFORMATION)) { + if (!(secinfo_flags & SECINFO_GROUP)) { sd->group_sid = NULL; } - if (!(secinfo_flags & DACL_SECURITY_INFORMATION)) { + if (!(secinfo_flags & SECINFO_DACL)) { sd->dacl = NULL; } - if (!(secinfo_flags & SACL_SECURITY_INFORMATION)) { + if (!(secinfo_flags & SECINFO_SACL)) { sd->sacl = NULL; } } @@ -214,16 +214,16 @@ NTSTATUS pvfs_acl_set(struct pvfs_state *pvfs, new_sd = info->set_secdesc.in.sd; /* only set the elements that have been specified */ - if (secinfo_flags & OWNER_SECURITY_INFORMATION) { + if (secinfo_flags & SECINFO_OWNER) { sd->owner_sid = new_sd->owner_sid; } - if (secinfo_flags & GROUP_SECURITY_INFORMATION) { + if (secinfo_flags & SECINFO_GROUP) { sd->group_sid = new_sd->group_sid; } - if (secinfo_flags & DACL_SECURITY_INFORMATION) { + if (secinfo_flags & SECINFO_DACL) { sd->dacl = new_sd->dacl; } - if (secinfo_flags & SACL_SECURITY_INFORMATION) { + if (secinfo_flags & SECINFO_SACL) { sd->sacl = new_sd->sacl; } diff --git a/source4/ntvfs/posix/pvfs_open.c b/source4/ntvfs/posix/pvfs_open.c index 3d0e444d29..4b8de28488 100644 --- a/source4/ntvfs/posix/pvfs_open.c +++ b/source4/ntvfs/posix/pvfs_open.c @@ -380,11 +380,11 @@ static NTSTATUS pvfs_create_file(struct pvfs_state *pvfs, return NT_STATUS_CANNOT_DELETE; } - if (access_mask & SEC_RIGHT_MAXIMUM_ALLOWED) { - access_mask = GENERIC_RIGHTS_FILE_READ | GENERIC_RIGHTS_FILE_WRITE; + if (access_mask & SEC_FLAG_MAXIMUM_ALLOWED) { + access_mask = SEC_RIGHTS_FILE_READ | SEC_RIGHTS_FILE_WRITE; } - if (access_mask & SA_RIGHT_FILE_WRITE_APPEND) { + if (access_mask & (SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA)) { flags = O_RDWR; } else { flags = O_RDONLY; @@ -460,7 +460,7 @@ static NTSTATUS pvfs_create_file(struct pvfs_state *pvfs, union smb_setfileinfo set; set.set_secdesc.file.fnum = fnum; - set.set_secdesc.in.secinfo_flags = DACL_SECURITY_INFORMATION; + set.set_secdesc.in.secinfo_flags = SECINFO_DACL; set.set_secdesc.in.sd = io->ntcreatex.in.sec_desc; status = pvfs_acl_set(pvfs, req, name, fd, &set); @@ -676,7 +676,7 @@ static NTSTATUS pvfs_open_deny_dos(struct ntvfs_module_context *ntvfs, (f2->handle->create_options & (NTCREATEX_OPTIONS_PRIVATE_DENY_DOS | NTCREATEX_OPTIONS_PRIVATE_DENY_FCB)) && - (f2->access_mask & SA_RIGHT_FILE_WRITE_DATA) && + (f2->access_mask & SEC_FILE_WRITE_DATA) && StrCaseCmp(f2->handle->name->original_name, io->generic.in.fname)==0) { break; @@ -862,17 +862,17 @@ NTSTATUS pvfs_open(struct ntvfs_module_context *ntvfs, share_access = io->generic.in.share_access; access_mask = io->generic.in.access_mask; - if (access_mask & SEC_RIGHT_MAXIMUM_ALLOWED) { + if (access_mask & SEC_FLAG_MAXIMUM_ALLOWED) { if (name->exists && (name->dos.attrib & FILE_ATTRIBUTE_READONLY)) { - access_mask = GENERIC_RIGHTS_FILE_READ; + access_mask = SEC_RIGHTS_FILE_READ; } else { - access_mask = GENERIC_RIGHTS_FILE_READ | GENERIC_RIGHTS_FILE_WRITE; + access_mask = SEC_RIGHTS_FILE_READ | SEC_RIGHTS_FILE_WRITE; } } /* certain create options are not allowed */ if ((create_options & NTCREATEX_OPTIONS_DELETE_ON_CLOSE) && - !(access_mask & STD_RIGHT_DELETE_ACCESS)) { + !(access_mask & SEC_STD_DELETE)) { return NT_STATUS_INVALID_PARAMETER; } @@ -914,7 +914,7 @@ NTSTATUS pvfs_open(struct ntvfs_module_context *ntvfs, return NT_STATUS_INVALID_PARAMETER; } - if (access_mask & SA_RIGHT_FILE_WRITE_APPEND) { + if (access_mask & (SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA)) { flags |= O_RDWR; } else { flags |= O_RDONLY; @@ -1240,7 +1240,7 @@ NTSTATUS pvfs_can_delete(struct pvfs_state *pvfs, struct pvfs_filename *name) NTCREATEX_SHARE_ACCESS_WRITE | NTCREATEX_SHARE_ACCESS_DELETE, NTCREATEX_OPTIONS_DELETE_ON_CLOSE, - STD_RIGHT_DELETE_ACCESS); + SEC_STD_DELETE); return status; } @@ -1263,7 +1263,7 @@ NTSTATUS pvfs_can_rename(struct pvfs_state *pvfs, struct pvfs_filename *name) NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE, 0, - STD_RIGHT_DELETE_ACCESS); + SEC_STD_DELETE); return status; } diff --git a/source4/ntvfs/posix/pvfs_read.c b/source4/ntvfs/posix/pvfs_read.c index 793a97ba62..db597d7097 100644 --- a/source4/ntvfs/posix/pvfs_read.c +++ b/source4/ntvfs/posix/pvfs_read.c @@ -23,6 +23,7 @@ #include "includes.h" #include "vfs_posix.h" #include "system/filesys.h" +#include "librpc/gen_ndr/ndr_security.h" /* read from a file @@ -50,9 +51,9 @@ NTSTATUS pvfs_read(struct ntvfs_module_context *ntvfs, return NT_STATUS_FILE_IS_A_DIRECTORY; } - mask = SA_RIGHT_FILE_READ_DATA; + mask = SEC_FILE_READ_DATA; if (req->flags2 & FLAGS2_READ_PERMIT_EXECUTE) { - mask |= SA_RIGHT_FILE_EXECUTE; + mask |= SEC_FILE_EXECUTE; } if (!(f->access_mask & mask)) { return NT_STATUS_ACCESS_DENIED; diff --git a/source4/ntvfs/posix/pvfs_setfileinfo.c b/source4/ntvfs/posix/pvfs_setfileinfo.c index 5a758a6b70..c43ef5c40a 100644 --- a/source4/ntvfs/posix/pvfs_setfileinfo.c +++ b/source4/ntvfs/posix/pvfs_setfileinfo.c @@ -258,7 +258,7 @@ NTSTATUS pvfs_setfileinfo(struct ntvfs_module_context *ntvfs, case RAW_SFILEINFO_DISPOSITION_INFO: case RAW_SFILEINFO_DISPOSITION_INFORMATION: - if (!(f->access_mask & STD_RIGHT_DELETE_ACCESS)) { + if (!(f->access_mask & SEC_STD_DELETE)) { return NT_STATUS_ACCESS_DENIED; } create_options = h->create_options; @@ -322,7 +322,8 @@ NTSTATUS pvfs_setfileinfo(struct ntvfs_module_context *ntvfs, } } else { int ret; - if (f->access_mask & SA_RIGHT_FILE_WRITE_APPEND) { + if (f->access_mask & + (SEC_FILE_WRITE_DATA|SEC_FILE_APPEND_DATA)) { ret = ftruncate(h->fd, newstats.st.st_size); } else { ret = truncate(h->name->full_name, newstats.st.st_size); diff --git a/source4/ntvfs/posix/pvfs_write.c b/source4/ntvfs/posix/pvfs_write.c index 3f6e8d908a..025ea3f3eb 100644 --- a/source4/ntvfs/posix/pvfs_write.c +++ b/source4/ntvfs/posix/pvfs_write.c @@ -22,6 +22,7 @@ #include "includes.h" #include "vfs_posix.h" +#include "librpc/gen_ndr/ndr_security.h" /* @@ -48,7 +49,7 @@ NTSTATUS pvfs_write(struct ntvfs_module_context *ntvfs, return NT_STATUS_FILE_IS_A_DIRECTORY; } - if (!(f->access_mask & SA_RIGHT_FILE_WRITE_APPEND)) { + if (!(f->access_mask & (SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA))) { return NT_STATUS_ACCESS_VIOLATION; } -- cgit