mirror of
https://github.com/samba-team/samba.git
synced 2024-12-27 03:21:53 +03:00
Added some useful debugging stuff.
Fixes for se_access_check() when you are the owner of the object.
(This used to be commit 1478198b70
)
This commit is contained in:
parent
119f965f49
commit
8c0bb0c241
@ -153,6 +153,38 @@ static BOOL check_ace(SEC_ACE *ace, BOOL is_owner, DOM_SID *sid,
|
||||
return False;
|
||||
}
|
||||
|
||||
/* Some debugging stuff */
|
||||
|
||||
if (DEBUGLEVEL >= 3) {
|
||||
fstring ace_sid_str, sid_str;
|
||||
fstring ace_name, ace_name_dom, name, name_dom;
|
||||
uint8 name_type;
|
||||
|
||||
sid_to_string(sid_str, sid);
|
||||
sid_to_string(ace_sid_str, &ace->sid);
|
||||
|
||||
if (!winbind_lookup_sid(sid, name_dom, name, &name_type)) {
|
||||
fstrcpy(name_dom, "UNKNOWN");
|
||||
fstrcpy(name, "UNKNOWN");
|
||||
}
|
||||
|
||||
if (!winbind_lookup_sid(&ace->sid, ace_name_dom, ace_name,
|
||||
&name_type)) {
|
||||
fstrcpy(ace_name_dom, "UNKNOWN");
|
||||
fstrcpy(ace_name, "UNKNOWN");
|
||||
}
|
||||
|
||||
DEBUG(3, ("checking %s ACE sid %s (%s%s%s) mask 0x%08x "
|
||||
"against sid %s (%s%s%s)\n",
|
||||
(ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) ?
|
||||
"allowed" : ((ace->type ==
|
||||
SEC_ACE_TYPE_ACCESS_DENIED) ?
|
||||
"denied" : "unknown"),
|
||||
ace_sid_str, ace_name_dom, lp_winbind_separator(),
|
||||
ace_name, mask, sid_str, name_dom,
|
||||
lp_winbind_separator(), name));
|
||||
}
|
||||
|
||||
/* Only owner allowed write-owner rights */
|
||||
|
||||
if (!is_owner) {
|
||||
@ -178,6 +210,7 @@ static BOOL check_ace(SEC_ACE *ace, BOOL is_owner, DOM_SID *sid,
|
||||
if (ace_grant(mask, acc_desired,
|
||||
acc_granted)) {
|
||||
*status = NT_STATUS_NO_PROBLEMO;
|
||||
DEBUG(3, ("access granted\n"));
|
||||
return True;
|
||||
}
|
||||
}
|
||||
@ -199,6 +232,7 @@ static BOOL check_ace(SEC_ACE *ace, BOOL is_owner, DOM_SID *sid,
|
||||
if (ace_deny(mask, acc_desired,
|
||||
acc_granted)) {
|
||||
*status = NT_STATUS_ACCESS_DENIED;
|
||||
DEBUG(3, ("access denied\n"));
|
||||
return True;
|
||||
}
|
||||
}
|
||||
@ -240,7 +274,6 @@ BOOL se_access_check(SEC_DESC *sd, uid_t uid, gid_t gid, int ngroups,
|
||||
{
|
||||
DOM_SID user_sid, group_sid;
|
||||
DOM_SID **group_sids = NULL;
|
||||
BOOL is_owner;
|
||||
int i, j, ngroup_sids = 0;
|
||||
SEC_ACL *acl;
|
||||
uint8 check_ace_type;
|
||||
@ -279,24 +312,47 @@ BOOL se_access_check(SEC_DESC *sd, uid_t uid, gid_t gid, int ngroups,
|
||||
DEBUG(3, ("could not lookup sid for uid %d\n", uid));
|
||||
}
|
||||
|
||||
/* If we're the owner, then we can do anything */
|
||||
|
||||
if (sid_equal(&user_sid, sd->owner_sid)) {
|
||||
*status = NT_STATUS_NOPROBLEMO;
|
||||
*acc_granted = acc_desired;
|
||||
acc_desired = 0;
|
||||
|
||||
goto done;
|
||||
}
|
||||
|
||||
/* Create group sid */
|
||||
|
||||
if (!winbind_gid_to_sid(gid, &group_sid)) {
|
||||
DEBUG(3, ("could not lookup sid for gid %d\n", gid));
|
||||
}
|
||||
|
||||
/* Preparation: check owner sid, create array of group sids */
|
||||
/* Create array of group sids */
|
||||
|
||||
is_owner = sid_equal(&user_sid, sd->owner_sid);
|
||||
add_sid_to_array(&ngroup_sids, &group_sids, &group_sid);
|
||||
|
||||
for (i = 0; i < ngroups; i++) {
|
||||
if (groups[i] != gid &&
|
||||
winbind_gid_to_sid(groups[i], &group_sid)) {
|
||||
if (groups[i] != gid) {
|
||||
if (winbind_gid_to_sid(groups[i], &group_sid)) {
|
||||
|
||||
/* If we're a group member then we can also
|
||||
do anything */
|
||||
|
||||
if (sid_equal(&group_sid, sd->grp_sid)) {
|
||||
*status = NT_STATUS_NOPROBLEMO;
|
||||
*acc_granted = acc_desired;
|
||||
acc_desired = 0;
|
||||
|
||||
goto done;
|
||||
}
|
||||
|
||||
add_sid_to_array(&ngroup_sids, &group_sids,
|
||||
&group_sid);
|
||||
} else {
|
||||
DEBUG(3, ("could not lookup sid for gid %d\n", gid));
|
||||
DEBUG(3, ("could not lookup sid for gid %d\n",
|
||||
gid));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -335,7 +391,7 @@ BOOL se_access_check(SEC_DESC *sd, uid_t uid, gid_t gid, int ngroups,
|
||||
/* Check user sid */
|
||||
|
||||
if (ace->type == check_ace_type &&
|
||||
check_ace(ace, is_owner, &user_sid, &acc_desired,
|
||||
check_ace(ace, False, &user_sid, &acc_desired,
|
||||
acc_granted, status)) {
|
||||
goto done;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user