From a75436e3ee11fa1491bfa574523269be716fc892 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
Date: Wed, 2 Jun 2010 23:35:44 +0200
Subject: [PATCH] s3-security: use shared SECINFO_DACL define.

Guenther
---
 libgpo/gpo_ldap.c | 2 +-
 source3/include/rpc_secdes.h | 4 +---
 source3/lib/secdesc.c | 2 +-
 source3/libsmb/clisecdesc.c | 2 +-
 source3/modules/nfs4_acls.c | 4 ++--
 source3/modules/onefs_acl.c | 6 +++---
 source3/modules/vfs_acl_common.c | 20 ++++++++++----------
 source3/modules/vfs_afsacl.c | 2 +-
 source3/rpc_server/srv_srvsvc_nt.c | 4 ++--
 source3/rpc_server/srv_svcctl_nt.c | 6 +++---
 source3/rpcclient/cmd_lsarpc.c | 2 +-
 source3/rpcclient/cmd_samr.c | 2 +-
 source3/smbd/file_access.c | 4 ++--
 source3/smbd/nttrans.c | 2 +-
 source3/smbd/open.c | 6 +++---
 source3/smbd/posix_acls.c | 12 ++++++------
 source3/utils/net_ads_gpo.c | 2 +-
 17 files changed, 40 insertions(+), 42 deletions(-)

diff --git a/libgpo/gpo_ldap.c b/libgpo/gpo_ldap.c
index 66e90fb0c9a..367756d7a2f 100644
--- a/libgpo/gpo_ldap.c
+++ b/libgpo/gpo_ldap.c
@@ -485,7 +485,7 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads, "ntSecurityDescriptor", "versionNumber", NULL};
- uint32_t sd_flags = DACL_SECURITY_INFORMATION;
+ uint32_t sd_flags = SECINFO_DACL;
 ZERO_STRUCTP(gpo);
diff --git a/source3/include/rpc_secdes.h b/source3/include/rpc_secdes.h
index f4eb22cfef0..1eefbc92da2 100644
--- a/source3/include/rpc_secdes.h
+++ b/source3/include/rpc_secdes.h
@@ -24,8 +24,6 @@ /* for ADS */ #define SEC_RIGHTS_FULL_CTRL 0xf01ff
-/* security information */
-#define DACL_SECURITY_INFORMATION 0x00000004
 /* Extra W2K flags. */ #define UNPROTECTED_SACL_SECURITY_INFORMATION 0x10000000 #define UNPROTECTED_DACL_SECURITY_INFORMATION 0x20000000
@@ -33,7 +31,7 @@ #define PROTECTED_DACL_SECURITY_INFORMATION 0x80000000 #define ALL_SECURITY_INFORMATION (SECINFO_OWNER|SECINFO_GROUP|\
- DACL_SECURITY_INFORMATION|SECINFO_SACL|\
+ SECINFO_DACL|SECINFO_SACL|\
 UNPROTECTED_SACL_SECURITY_INFORMATION|\ UNPROTECTED_DACL_SECURITY_INFORMATION|\ PROTECTED_SACL_SECURITY_INFORMATION|\
diff --git a/source3/lib/secdesc.c b/source3/lib/secdesc.c
index b1e12c3f2bf..8cabe0b5f54 100644
--- a/source3/lib/secdesc.c
+++ b/source3/lib/secdesc.c
@@ -52,7 +52,7 @@ uint32_t get_sec_info(const struct security_descriptor *sd) sec_info &= ~SECINFO_SACL; } if (sd->dacl == NULL) {
- sec_info &= ~DACL_SECURITY_INFORMATION;
+ sec_info &= ~SECINFO_DACL;
 } return sec_info;
diff --git a/source3/libsmb/clisecdesc.c b/source3/libsmb/clisecdesc.c
index bddf3895a03..1fc3da0c868 100644
--- a/source3/libsmb/clisecdesc.c
+++ b/source3/libsmb/clisecdesc.c
@@ -91,7 +91,7 @@ bool cli_set_secdesc(struct cli_state *cli, uint16_t fnum, struct security_descr SIVAL(param, 0, fnum); if (sd->dacl)
- sec_info |= DACL_SECURITY_INFORMATION;
+ sec_info |= SECINFO_DACL;
 if (sd->owner_sid) sec_info |= SECINFO_OWNER; if (sd->group_sid)
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
index 9f383cfc165..a6b9c6ed01c 100644
--- a/source3/modules/nfs4_acls.c
+++ b/source3/modules/nfs4_acls.c
@@ -734,7 +734,7 @@ NTSTATUS smb_set_nt_acl_nfs4(files_struct *fsp, DEBUG(10, ("smb_set_nt_acl_nfs4 invoked for %s\n", fsp_str_dbg(fsp)));
- if ((security_info_sent & (DACL_SECURITY_INFORMATION |
+ if ((security_info_sent & (SECINFO_DACL |
 SECINFO_GROUP | SECINFO_OWNER)) == 0) { DEBUG(9, ("security_info_sent (0x%x) ignored\n",
@@ -784,7 +784,7 @@ NTSTATUS smb_set_nt_acl_nfs4(files_struct *fsp, } }
- if (!(security_info_sent & DACL_SECURITY_INFORMATION) || psd->dacl ==NULL) {
+ if (!(security_info_sent & SECINFO_DACL) || psd->dacl ==NULL) {
 DEBUG(10, ("no dacl found; security_info_sent = 0x%x\n", security_info_sent)); return NT_STATUS_OK; }
diff --git a/source3/modules/onefs_acl.c b/source3/modules/onefs_acl.c
index 4fa2e79c7bd..7080f6c660b 100644
--- a/source3/modules/onefs_acl.c
+++ b/source3/modules/onefs_acl.c
@@ -725,7 +725,7 @@ onefs_fget_nt_acl(vfs_handle_struct *handle, files_struct *fsp, } /* Copy DACL into ppdesc */
- if (security_info & DACL_SECURITY_INFORMATION) {
+ if (security_info & SECINFO_DACL) {
 if (!onefs_acl_to_samba_acl(sd->dacl, &dacl)) { status = NT_STATUS_INVALID_PARAMETER; goto out;
@@ -860,13 +860,13 @@ NTSTATUS onefs_samba_sd_to_sd(uint32_t security_info_sent, } /* Setup DACL */
- if ((security_info_sent & DACL_SECURITY_INFORMATION) && (psd->dacl)) {
+ if ((security_info_sent & SECINFO_DACL) && (psd->dacl)) {
 if (!onefs_samba_acl_to_acl(psd->dacl, &daclp, &ignore_aces, snum)) return NT_STATUS_ACCESS_DENIED; if (ignore_aces == true)
- *security_info_effective &= ~DACL_SECURITY_INFORMATION;
+ *security_info_effective &= ~SECINFO_DACL;
 } /* Setup SACL */
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index 59aa70310f2..79eb533af74 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -38,7 +38,7 @@ static NTSTATUS store_acl_blob_fsp(vfs_handle_struct *handle, #define HASH_SECURITY_INFO (SECINFO_OWNER | \ SECINFO_GROUP | \
- DACL_SECURITY_INFORMATION | \
+ SECINFO_DACL | \
 SECINFO_SACL) /*******************************************************************
@@ -377,7 +377,7 @@ static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle, if (!(security_info & SECINFO_GROUP)) { psd->group_sid = NULL; }
- if (!(security_info & DACL_SECURITY_INFORMATION)) {
+ if (!(security_info & SECINFO_DACL)) {
 psd->dacl = NULL; } if (!(security_info & SECINFO_SACL)) {
@@ -438,7 +438,7 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle, return SMB_VFS_FSET_NT_ACL(fsp, (SECINFO_OWNER | SECINFO_GROUP |
- DACL_SECURITY_INFORMATION),
+ SECINFO_DACL),
 psd); }
@@ -461,7 +461,7 @@ static NTSTATUS check_parent_acl_common(vfs_handle_struct *handle, parent_name, (SECINFO_OWNER | SECINFO_GROUP |
- DACL_SECURITY_INFORMATION),
+ SECINFO_DACL),
 &parent_desc); if (!NT_STATUS_IS_OK(status)) {
@@ -534,7 +534,7 @@ static int open_acl_common(vfs_handle_struct *handle, fname, (SECINFO_OWNER | SECINFO_GROUP |
- DACL_SECURITY_INFORMATION),
+ SECINFO_DACL),
 &pdesc); if (NT_STATUS_IS_OK(status)) { /* See if we can access it. */
@@ -680,10 +680,10 @@ static NTSTATUS fset_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp, if ((security_info_sent & (SECINFO_OWNER| SECINFO_GROUP|
- DACL_SECURITY_INFORMATION)) !=
+ SECINFO_DACL)) !=
 (SECINFO_OWNER| SECINFO_GROUP|
- DACL_SECURITY_INFORMATION)) {
+ SECINFO_DACL)) {
 /* No we don't - read from the existing SD. */ struct security_descriptor *nc_psd = NULL;
@@ -691,7 +691,7 @@ static NTSTATUS fset_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp, NULL, (SECINFO_OWNER| SECINFO_GROUP|
- DACL_SECURITY_INFORMATION),
+ SECINFO_DACL),
 &nc_psd); if (!NT_STATUS_IS_OK(status)) {
@@ -709,13 +709,13 @@ static NTSTATUS fset_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp, } security_info_sent |= SECINFO_GROUP;
- if (security_info_sent & DACL_SECURITY_INFORMATION) {
+ if (security_info_sent & SECINFO_DACL) {
 nc_psd->dacl = dup_sec_acl(talloc_tos(), psd->dacl); if (nc_psd->dacl == NULL) { return NT_STATUS_NO_MEMORY; } }
- security_info_sent |= DACL_SECURITY_INFORMATION;
+ security_info_sent |= SECINFO_DACL;
 psd = nc_psd; }
diff --git a/source3/modules/vfs_afsacl.c b/source3/modules/vfs_afsacl.c
index f2ff474f069..dacd58f7aee 100644
--- a/source3/modules/vfs_afsacl.c
+++ b/source3/modules/vfs_afsacl.c
@@ -731,7 +731,7 @@ static bool nt_to_afs_acl(const char *filename, /* Currently we *only* look at the dacl */
- if (((security_info_sent & DACL_SECURITY_INFORMATION) == 0) ||
+ if (((security_info_sent & SECINFO_DACL) == 0) ||
 (psd->dacl == NULL)) return True;
diff --git a/source3/rpc_server/srv_srvsvc_nt.c b/source3/rpc_server/srv_srvsvc_nt.c
index bdf7018147e..14461df3553 100644
--- a/source3/rpc_server/srv_srvsvc_nt.c
+++ b/source3/rpc_server/srv_srvsvc_nt.c
@@ -2148,7 +2148,7 @@ WERROR _srvsvc_NetGetFileSecurity(pipes_struct *p, nt_status = SMB_VFS_FGET_NT_ACL(fsp, (SECINFO_OWNER |SECINFO_GROUP
- |DACL_SECURITY_INFORMATION), &psd);
+ |SECINFO_DACL), &psd);
 if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(3,("_srvsvc_NetGetFileSecurity: Unable to get NT ACL "
@@ -2289,7 +2289,7 @@ WERROR _srvsvc_NetSetFileSecurity(pipes_struct *p, security_info_sent &= ~SECINFO_SACL; } if (psd->dacl==0) {
- security_info_sent &= ~DACL_SECURITY_INFORMATION;
+ security_info_sent &= ~SECINFO_DACL;
 } /* Convert all the generic bits. */
diff --git a/source3/rpc_server/srv_svcctl_nt.c b/source3/rpc_server/srv_svcctl_nt.c
index b8dcfbe1c6a..02b3c8d8334 100644
--- a/source3/rpc_server/srv_svcctl_nt.c
+++ b/source3/rpc_server/srv_svcctl_nt.c
@@ -872,9 +872,9 @@ WERROR _svcctl_QueryServiceObjectSecurity(pipes_struct *p, if ( !(info->access_granted & STD_RIGHT_READ_CONTROL_ACCESS) ) return WERR_ACCESS_DENIED;
- /* TODO: handle something besides DACL_SECURITY_INFORMATION */
+ /* TODO: handle something besides SECINFO_DACL */
- if ( (r->in.security_flags & DACL_SECURITY_INFORMATION) != DACL_SECURITY_INFORMATION )
+ if ( (r->in.security_flags & SECINFO_DACL) != SECINFO_DACL )
 return WERR_INVALID_PARAM; /* lookup the security descriptor and marshall it up for a reply */
@@ -922,7 +922,7 @@ WERROR _svcctl_SetServiceObjectSecurity(pipes_struct *p, /* check the access on the open handle */ switch ( r->in.security_flags ) {
- case DACL_SECURITY_INFORMATION:
+ case SECINFO_DACL:
 required_access = STD_RIGHT_WRITE_DAC_ACCESS; break;
diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c
index da01e6ec947..1cc16fb7f45 100644
--- a/source3/rpcclient/cmd_lsarpc.c
+++ b/source3/rpcclient/cmd_lsarpc.c
@@ -1040,7 +1040,7 @@ static NTSTATUS cmd_lsa_query_secobj(struct rpc_pipe_client *cli, struct policy_handle pol; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; struct sec_desc_buf *sdb;
- uint32 sec_info = DACL_SECURITY_INFORMATION;
+ uint32 sec_info = SECINFO_DACL;
 if (argc < 1 || argc > 2) { printf("Usage: %s [sec_info]\n", argv[0]);
diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c
index 199c8b1dccd..367c3b864b5 100644
--- a/source3/rpcclient/cmd_samr.c
+++ b/source3/rpcclient/cmd_samr.c
@@ -2160,7 +2160,7 @@ static NTSTATUS cmd_samr_query_sec_obj(struct rpc_pipe_client *cli, { struct policy_handle connect_pol, domain_pol, user_pol, *pol; NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
- uint32 sec_info = DACL_SECURITY_INFORMATION;
+ uint32 sec_info = SECINFO_DACL;
 uint32 user_rid = 0; TALLOC_CTX *ctx = NULL; struct sec_desc_buf *sec_desc_buf=NULL;
diff --git a/source3/smbd/file_access.c b/source3/smbd/file_access.c
index bd0a725e9d3..1d1776218eb 100644
--- a/source3/smbd/file_access.c
+++ b/source3/smbd/file_access.c
@@ -44,7 +44,7 @@ bool can_access_file_acl(struct connection_struct *conn, status = SMB_VFS_GET_NT_ACL(conn, smb_fname->base_name, (SECINFO_OWNER | SECINFO_GROUP |
- DACL_SECURITY_INFORMATION),
+ SECINFO_DACL),
 &secdesc); if (!NT_STATUS_IS_OK(status)) { DEBUG(5, ("Could not get acl: %s\n", nt_errstr(status)));
@@ -252,7 +252,7 @@ bool directory_has_default_acl(connection_struct *conn, const char *fname) struct security_descriptor *secdesc = NULL; unsigned int i; NTSTATUS status = SMB_VFS_GET_NT_ACL(conn, fname,
- DACL_SECURITY_INFORMATION, &secdesc);
+ SECINFO_DACL, &secdesc);
 if (!NT_STATUS_IS_OK(status) || secdesc == NULL) { return false;
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 1b34b6ce803..04c32260a98 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -1809,7 +1809,7 @@ NTSTATUS smbd_do_query_security_desc(connection_struct *conn, security_info_wanted & SECINFO_SACL) psd->type |= SEC_DESC_SACL_PRESENT; if (psd->dacl == NULL &&
- security_info_wanted & DACL_SECURITY_INFORMATION)
+ security_info_wanted & SECINFO_DACL)
 psd->type |= SEC_DESC_DACL_PRESENT; *psd_size = ndr_size_security_descriptor(psd, 0);
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index f6905eaaa10..4fc464d8abd 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -91,7 +91,7 @@ NTSTATUS smbd_check_open_rights(struct connection_struct *conn, status = SMB_VFS_GET_NT_ACL(conn, smb_fname->base_name, (SECINFO_OWNER | SECINFO_GROUP |
- DACL_SECURITY_INFORMATION),&sd);
+ SECINFO_DACL),&sd);
 if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("smbd_check_open_rights: Could not get acl "
@@ -1415,7 +1415,7 @@ static NTSTATUS calculate_access_mask(connection_struct *conn, status = SMB_VFS_GET_NT_ACL(conn, smb_fname->base_name, (SECINFO_OWNER | SECINFO_GROUP |
- DACL_SECURITY_INFORMATION),&sd);
+ SECINFO_DACL),&sd);
 if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("calculate_access_mask: Could not get acl "
@@ -3211,7 +3211,7 @@ static NTSTATUS create_file_unixpath(connection_struct *conn, if (sec_info_sent & (SECINFO_OWNER| SECINFO_GROUP|
- DACL_SECURITY_INFORMATION|
+ SECINFO_DACL|
 SECINFO_SACL)) { status = SMB_VFS_FSET_NT_ACL(fsp, sec_info_sent, sd); }
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index c6b0cfdeeb8..a809b909b3b 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -2337,7 +2337,7 @@ static bool unpack_canon_ace(files_struct *fsp, * If no DACL then this is a chown only security descriptor. */
- if(!(security_info_sent & DACL_SECURITY_INFORMATION) || !psd->dacl)
+ if(!(security_info_sent & SECINFO_DACL) || !psd->dacl)
 return True; /*
@@ -3206,7 +3206,7 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn, num_profile_acls = 3; }
- if ((security_info & DACL_SECURITY_INFORMATION) && !(security_info & PROTECTED_DACL_SECURITY_INFORMATION)) {
+ if ((security_info & SECINFO_DACL) && !(security_info & PROTECTED_DACL_SECURITY_INFORMATION)) {
 /* * In the optimum case Creator Owner and Creator Group would be used for
@@ -3385,7 +3385,7 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn, goto done; } }
- } /* security_info & DACL_SECURITY_INFORMATION */
+ } /* security_info & SECINFO_DACL */
 psd = make_standard_sec_desc( talloc_tos(), (security_info & SECINFO_OWNER) ? &owner_sid : NULL,
@@ -3682,7 +3682,7 @@ NTSTATUS append_parent_acl(files_struct *fsp, } status = SMB_VFS_GET_NT_ACL(parent_fsp->conn, smb_dname->base_name,
- DACL_SECURITY_INFORMATION, &parent_sd );
+ SECINFO_DACL, &parent_sd );
 close_file(NULL, parent_fsp, NORMAL_CLOSE); TALLOC_FREE(smb_dname);
@@ -3937,7 +3937,7 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const struct s * Only change security if we got a DACL. */
- if(!(security_info_sent & DACL_SECURITY_INFORMATION) || (psd->dacl == NULL)) {
+ if(!(security_info_sent & SECINFO_DACL) || (psd->dacl == NULL)) {
 free_canon_ace_list(file_ace_list); free_canon_ace_list(dir_ace_list); return NT_STATUS_OK;
@@ -4747,7 +4747,7 @@ struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fna return NULL; }
- if (!NT_STATUS_IS_OK(SMB_VFS_FGET_NT_ACL( &finfo, DACL_SECURITY_INFORMATION, &psd))) {
+ if (!NT_STATUS_IS_OK(SMB_VFS_FGET_NT_ACL( &finfo, SECINFO_DACL, &psd))) {
 DEBUG(0,("get_nt_acl_no_snum: get_nt_acl returned zero.\n")); TALLOC_FREE(finfo.fsp_name); conn_free(conn);
diff --git a/source3/utils/net_ads_gpo.c b/source3/utils/net_ads_gpo.c
index e47efe768ed..b120ca597b6 100644
--- a/source3/utils/net_ads_gpo.c
+++ b/source3/utils/net_ads_gpo.c
@@ -248,7 +248,7 @@ static int net_ads_gpo_list_all(struct net_context *c, int argc, const char **ar LDAP_SCOPE_SUBTREE, "(objectclass=groupPolicyContainer)", attrs,
- DACL_SECURITY_INFORMATION,
+ SECINFO_DACL,
 &res); if (!ADS_ERR_OK(status)) {