sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-26 21:57:41 +03:00
Code

add lsa_query_secobj server code. level 4 is the ACL, level 1 is the

Browse Source 
owner. that's basic stuff.

got the POLICY_ define from TNG but they are also in an include file in
the NT SDK.

	J.F.
(This used to be commit 84289a9bf42847981926e198ad36c050904fa9ed)
This commit is contained in:
Jean-François Micouleau 2001-12-14 17:31:48 +00:00
parent 968e2a2976
commit 689144c631
3 changed files with 148 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
source3/include/rpc_lsa.h
View File

@ -185,6 +185,53 @@ typedef struct lsa_r_open_pol2_info
} LSA_R_OPEN_POL2;
#define POLICY_VIEW_LOCAL_INFORMATION 0x00000001
#define POLICY_VIEW_AUDIT_INFORMATION 0x00000002
#define POLICY_GET_PRIVATE_INFORMATION 0x00000004
#define POLICY_TRUST_ADMIN 0x00000008
#define POLICY_CREATE_ACCOUNT 0x00000010
#define POLICY_CREATE_SECRET 0x00000020
#define POLICY_CREATE_PRIVILEGE 0x00000040
#define POLICY_SET_DEFAULT_QUOTA_LIMITS 0x00000080
#define POLICY_SET_AUDIT_REQUIREMENTS 0x00000100
#define POLICY_AUDIT_LOG_ADMIN 0x00000200
#define POLICY_SERVER_ADMIN 0x00000400
#define POLICY_LOOKUP_NAMES 0x00000800
#define POLICY_ALL_ACCESS ( STANDARD_RIGHTS_REQUIRED_ACCESS |\
POLICY_VIEW_LOCAL_INFORMATION |\
POLICY_VIEW_AUDIT_INFORMATION |\
POLICY_GET_PRIVATE_INFORMATION |\
POLICY_TRUST_ADMIN |\
POLICY_CREATE_ACCOUNT |\
POLICY_CREATE_SECRET |\
POLICY_CREATE_PRIVILEGE |\
POLICY_SET_DEFAULT_QUOTA_LIMITS |\
POLICY_SET_AUDIT_REQUIREMENTS |\
POLICY_AUDIT_LOG_ADMIN |\
POLICY_SERVER_ADMIN |\
POLICY_LOOKUP_NAMES )
#define POLICY_READ ( STANDARD_RIGHTS_READ_ACCESS |\
POLICY_VIEW_AUDIT_INFORMATION |\
POLICY_GET_PRIVATE_INFORMATION)
#define POLICY_WRITE ( STANDARD_RIGHTS_WRITE_ACCESS |\
POLICY_TRUST_ADMIN |\
POLICY_CREATE_ACCOUNT |\
POLICY_CREATE_SECRET |\
POLICY_CREATE_PRIVILEGE |\
POLICY_SET_DEFAULT_QUOTA_LIMITS |\
POLICY_SET_AUDIT_REQUIREMENTS |\
POLICY_AUDIT_LOG_ADMIN |\
POLICY_SERVER_ADMIN)
#define POLICY_EXECUTE ( STANDARD_RIGHTS_EXECUTE_ACCESS |\
POLICY_VIEW_LOCAL_INFORMATION |\
POLICY_LOOKUP_NAMES )
/* LSA_Q_QUERY_SEC_OBJ - LSA query security */
typedef struct lsa_query_sec_obj_info
{
@ -624,22 +671,6 @@ typedef struct lsa_r_removeprivs
} LSA_R_REMOVEPRIVS;
#endif /* _RPC_LSA_H */
/*
opnum 11: opensid: query: handle du domaine, sid du user
reply: handle, status
opnum 12: getlistofprivs: query: handle du user
reply: ptr, nombre, nombre, tableau de 3 uint32: flag+priv.low+priv.high
uint32 0, status
opnum 17: ?? query: handle
reply: uint32 + status
*/

31
source3/rpc_server/srv_lsa.c
View File

@ -574,6 +574,36 @@ static BOOL api_lsa_removeprivs(pipes_struct *p)
return True;
}
/***************************************************************************
api_lsa_query_secobj
***************************************************************************/
static BOOL api_lsa_query_secobj(pipes_struct *p)
{
LSA_Q_QUERY_SEC_OBJ q_u;
LSA_R_QUERY_SEC_OBJ r_u;
prs_struct *data = &p->in_data.data;
prs_struct *rdata = &p->out_data.rdata;
ZERO_STRUCT(q_u);
ZERO_STRUCT(r_u);
if(!lsa_io_q_query_sec_obj("", &q_u, data, 0)) {
DEBUG(0,("api_lsa_query_secobj: failed to unmarshall LSA_Q_QUERY_SEC_OBJ.\n"));
return False;
}
r_u.status = _lsa_query_secobj(p, &q_u, &r_u);
/* store the response in the SMB stream */
if(!lsa_io_r_query_sec_obj("", &r_u, rdata, 0)) {
DEBUG(0,("api_lsa_query_secobj: Failed to marshall LSA_R_QUERY_SEC_OBJ.\n"));
return False;
}
return True;
}
/***************************************************************************
\PIPE\ntlsa commands
@ -599,6 +629,7 @@ static struct api_struct api_lsa_cmds[] =
{ "LSA_SETSYSTEMACCOUNT", LSA_SETSYSTEMACCOUNT, api_lsa_setsystemaccount },
{ "LSA_ADDPRIVS" , LSA_ADDPRIVS , api_lsa_addprivs },
{ "LSA_REMOVEPRIVS" , LSA_REMOVEPRIVS , api_lsa_removeprivs },
{ "LSA_QUERYSECOBJ" , LSA_QUERYSECOBJ , api_lsa_query_secobj },
{ NULL , 0 , NULL }
};

70
source3/rpc_server/srv_lsa_nt.c
View File

@ -913,3 +913,73 @@ NTSTATUS _lsa_removeprivs(pipes_struct *p, LSA_Q_REMOVEPRIVS *q_u, LSA_R_REMOVEP
return r_u->status;
}
/***************************************************************************
For a given SID, remove some privileges.
***************************************************************************/
NTSTATUS _lsa_query_secobj(pipes_struct *p, LSA_Q_QUERY_SEC_OBJ *q_u, LSA_R_QUERY_SEC_OBJ *r_u)
{
struct lsa_info *info=NULL;
extern DOM_SID global_sid_World;
extern DOM_SID global_sid_Builtin;
DOM_SID adm_sid;
SEC_ACE ace[2];
SEC_ACCESS mask;
SEC_ACL *psa = NULL;
SEC_DESC *psd = NULL;
size_t sd_size;
r_u->status = NT_STATUS_OK;
/* find the connection policy handle. */
if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
return NT_STATUS_INVALID_HANDLE;
switch (q_u->sec_info) {
case 1:
/* SD contains only the owner */
sid_copy(&adm_sid, &global_sid_Builtin);
sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS);
if((psd = make_sec_desc(p->mem_ctx, SEC_DESC_REVISION, &adm_sid, NULL, NULL, NULL, &sd_size)) == NULL)
return NT_STATUS_NO_MEMORY;
if((r_u->buf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
return NT_STATUS_NO_MEMORY;
break;
case 4:
/* SD contains only the ACL */
init_sec_access(&mask, POLICY_EXECUTE);
init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
sid_copy(&adm_sid, &global_sid_Builtin);
sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS);
init_sec_access(&mask, POLICY_ALL_ACCESS);
init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
if((psa = make_sec_acl(p->mem_ctx, NT4_ACL_REVISION, 2, ace)) == NULL)
return NT_STATUS_NO_MEMORY;
if((psd = make_sec_desc(p->mem_ctx, SEC_DESC_REVISION, NULL, NULL, NULL, psa, &sd_size)) == NULL)
return NT_STATUS_NO_MEMORY;
if((r_u->buf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
return NT_STATUS_NO_MEMORY;
break;
default:
return NT_STATUS_INVALID_LEVEL;
break;
}
r_u->ptr=1;
return r_u->status;
}