libcli/security Don't export privs[] as a global variable
Instead, provide access functions for the LSA and net sam callers for the information they need. They still only enumerate the first 8 privileges that have traditionally been exposed. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
parent
33ce8633d6
commit
cbd72ab93b
@ -55,7 +55,12 @@ const uint64_t se_take_ownership = SE_TAKE_OWNERSHIP;
|
||||
|
||||
#define NUM_SHORT_LIST_PRIVS 8
|
||||
|
||||
PRIVS privs[] = {
|
||||
static const struct {
|
||||
enum sec_privilege luid;
|
||||
uint64_t privilege_mask;
|
||||
const char *name;
|
||||
const char *description;
|
||||
} privs[] = {
|
||||
|
||||
{SEC_PRIV_MACHINE_ACCOUNT, SE_MACHINE_ACCOUNT, "SeMachineAccountPrivilege", "Add machines to domain"},
|
||||
{SEC_PRIV_TAKE_OWNERSHIP, SE_TAKE_OWNERSHIP, "SeTakeOwnershipPrivilege", "Take ownership of files or other objects"},
|
||||
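Review bot: `#define NUM_SHORT_LIST_PRIVS 8` and the table it indexes are now both private to this file, but nothing records that the constant must not exceed `ARRAY_SIZE(privs)` or that the eight traditionally exposed entries must stay at the head of the table; the new by-index accessors return NULL / -1 past the end, so an edit that reorders or shortens the table would silently change what the LSA and `net sam` callers enumerate. I would document the invariant next to the define: `/* The first NUM_SHORT_LIST_PRIVS entries are the ones exposed via num_privileges_in_short_list(); keep them at the head of privs[] and keep this <= ARRAY_SIZE(privs). */`. Making the table `static const` is a good change in itself, as the compiler can now place it in read-only data and no other translation unit can modify it. The initializer of `privs[]` continues past the end of this hunk.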
@ -404,7 +409,7 @@ bool user_has_any_privilege(struct security_token *token, const uint64_t *privil
|
||||
}
|
||||
|
||||
/*******************************************************************
|
||||
return the number of elements in the privlege array
|
||||
return the number of elements in the 'short' privlege array (traditional source3 behaviour)
|
||||
*******************************************************************/
|
||||
|
||||
int num_privileges_in_short_list( void )
|
||||
@ -412,27 +417,6 @@ int num_privileges_in_short_list( void )
|
||||
return NUM_SHORT_LIST_PRIVS;
|
||||
}
|
||||
|
||||
/*********************************************************************
|
||||
Generate the struct lsa_LUIDAttribute structure based on a bitmask
|
||||
The assumption here is that the privilege has already been validated
|
||||
so we are guaranteed to find it in the list.
|
||||
*********************************************************************/
|
||||
|
||||
enum sec_privilege get_privilege_luid( uint64_t *privilege_mask )
|
||||
{
|
||||
int i;
|
||||
|
||||
uint32_t num_privs = ARRAY_SIZE(privs);
|
||||
|
||||
for ( i=0; i<num_privs; i++ ) {
|
||||
if ( se_priv_equal( &privs[i].privilege_mask, privilege_mask ) ) {
|
||||
return privs[i].luid;
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/****************************************************************************
|
||||
Convert a LUID to a named string
|
||||
****************************************************************************/
|
||||
@ -613,7 +597,7 @@ enum sec_privilege sec_privilege_from_mask(uint64_t mask)
|
||||
}
|
||||
|
||||
/*
|
||||
map a privilege name to a privilege id. Return -1 if not found
|
||||
assist in walking the table of privileges - return the LUID (low 32 bits) by index
|
||||
*/
|
||||
enum sec_privilege sec_privilege_from_index(int idx)
|
||||
{
|
||||
@ -623,6 +607,17 @@ enum sec_privilege sec_privilege_from_index(int idx)
|
||||
return -1;
|
||||
}
|
||||
|
||||
/*
|
||||
assist in walking the table of privileges - return the string constant by index
|
||||
*/
|
||||
const char *sec_privilege_name_from_index(int idx)
|
||||
{
|
||||
if (idx >= 0 && idx<ARRAY_SIZE(privs)) {
|
||||
return privs[idx].name;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
return a privilege mask given a privilege id
|
||||
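Review bot: The comment above `sec_privilege_name_from_index()` does not say what happens for an out-of-range index, yet the function returns NULL there, and both new callers pass the result straight to a `%s`-style consumer. I would extend the comment to `assist in walking the table of privileges - return the string constant by index, or NULL if idx is out of range`. On the bounds check `if (idx >= 0 && idx<ARRAY_SIZE(privs))`, the `idx >= 0` guard makes the signed/size_t comparison safe, but it still draws a `-Wsign-compare` warning; `if (idx >= 0 && (size_t)idx < ARRAY_SIZE(privs))` is equivalent and warning-free. The same applies to `sec_privilege_from_index()`, whose body lies outside this hunk.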
|
@ -63,13 +63,6 @@ typedef struct {
|
||||
struct lsa_LUIDAttribute *set;
|
||||
} PRIVILEGE_SET;
|
||||
|
||||
typedef struct {
|
||||
enum sec_privilege luid;
|
||||
uint64_t privilege_mask;
|
||||
const char *name;
|
||||
const char *description;
|
||||
} PRIVS;
|
||||
|
||||
/***************************************************************************
|
||||
copy an uint64_t structure
|
||||
****************************************************************************/
|
||||
@ -137,18 +130,11 @@ bool user_has_privileges(const struct security_token *token, const uint64_t *pri
|
||||
bool user_has_any_privilege(struct security_token *token, const uint64_t *privilege_mask);
|
||||
|
||||
/*******************************************************************
|
||||
return the number of elements in the privlege array
|
||||
return the number of elements in the 'short' privlege array (traditional source3 behaviour)
|
||||
*******************************************************************/
|
||||
|
||||
int count_all_privileges( void );
|
||||
int num_privileges_in_short_list( void );
|
||||
|
||||
/*********************************************************************
|
||||
Generate the struct lsa_LUIDAttribute structure based on a bitmask
|
||||
The assumption here is that the privilege has already been validated
|
||||
so we are guaranteed to find it in the list.
|
||||
*********************************************************************/
|
||||
|
||||
enum sec_privilege get_privilege_luid( uint64_t *privilege_mask );
|
||||
/****************************************************************************
|
||||
Convert a LUID to a named string
|
||||
****************************************************************************/
|
||||
@ -181,10 +167,15 @@ enum sec_privilege sec_privilege_id(const char *name);
|
||||
enum sec_privilege sec_privilege_from_mask(uint64_t mask);
|
||||
|
||||
/*
|
||||
map a privilege name to a privilege id. Return -1 if not found
|
||||
assist in walking the table of privileges - return the LUID (low 32 bits) by index
|
||||
*/
|
||||
enum sec_privilege sec_privilege_from_index(int idx);
|
||||
|
||||
/*
|
||||
assist in walking the table of privileges - return the string constant by index
|
||||
*/
|
||||
const char *sec_privilege_name_from_index(int idx);
|
||||
|
||||
/*
|
||||
return true if a security_token has a particular privilege bit set
|
||||
*/
|
||||
|
@ -39,8 +39,6 @@
|
||||
|
||||
#define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
|
||||
|
||||
extern PRIVS privs[];
|
||||
|
||||
enum lsa_handle_type { LSA_HANDLE_POLICY_TYPE = 1, LSA_HANDLE_ACCOUNT_TYPE };
|
||||
|
||||
struct lsa_info {
|
||||
@ -1454,7 +1452,6 @@ NTSTATUS _lsa_EnumPrivs(struct pipes_struct *p,
|
||||
uint32 enum_context = *r->in.resume_handle;
|
||||
int num_privs = num_privileges_in_short_list();
|
||||
struct lsa_PrivEntry *entries = NULL;
|
||||
struct lsa_LUIDAttribute luid;
|
||||
|
||||
/* remember that the enum_context starts at 0 and not 1 */
|
||||
|
||||
@ -1495,9 +1492,9 @@ NTSTATUS _lsa_EnumPrivs(struct pipes_struct *p,
|
||||
entries[i].luid.high = 0;
|
||||
} else {
|
||||
|
||||
init_lsa_StringLarge(&entries[i].name, privs[i].name);
|
||||
init_lsa_StringLarge(&entries[i].name, sec_privilege_name_from_index(i));
|
||||
|
||||
entries[i].luid.low = get_privilege_luid( &privs[i].privilege_mask );
|
||||
entries[i].luid.low = sec_privilege_from_index(i);
|
||||
entries[i].luid.high = 0;
|
||||
}
|
||||
}
|
||||
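Review bot: The replacement of the direct `privs[i]` access with `sec_privilege_name_from_index(i)` and `sec_privilege_from_index(i)` introduces out-of-range return values (NULL and -1) that the old code could not produce, and the else branch does not check for them; `init_lsa_StringLarge()` would receive a NULL name and the -1 enum would be stored into the 32-bit `luid.low` as 0xFFFFFFFF. The loop bound is set outside this hunk and presumably comes from `num_privileges_in_short_list()`, which keeps `i` inside the table today, but that is an invariant between two files rather than a local check. A cheap guard in the else branch makes the dependency explicit: `const char *name = sec_privilege_name_from_index(i); if (name == NULL) { return NT_STATUS_INTERNAL_ERROR; }` before `init_lsa_StringLarge(&entries[i].name, name);`, assuming the function's usual cleanup (talloc on the request context) makes an early return safe here. `_lsa_EnumPrivs` starts before and ends after this hunk.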
|
@ -631,8 +631,6 @@ static int net_sam_policy(struct net_context *c, int argc, const char **argv)
|
||||
return net_run_function(c, argc, argv, "net sam policy", func);
|
||||
}
|
||||
|
||||
extern PRIVS privs[];
|
||||
|
||||
static int net_sam_rights_list(struct net_context *c, int argc,
|
||||
const char **argv)
|
||||
{
|
||||
@ -647,10 +645,10 @@ static int net_sam_rights_list(struct net_context *c, int argc,
|
||||
|
||||
if (argc == 0) {
|
||||
int i;
|
||||
int num = count_all_privileges();
|
||||
int num = num_privileges_in_short_list();
|
||||
|
||||
for (i=0; i<num; i++) {
|
||||
d_printf("%s\n", privs[i].name);
|
||||
d_printf("%s\n", sec_privilege_name_from_index(i));
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
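Review bot: `d_printf("%s\n", sec_privilege_name_from_index(i));` passes the accessor's result to `%s` without a NULL check, which is undefined behaviour if the index ever falls outside `privs[]`; the bound `num_privileges_in_short_list()` keeps `i` in range today, but that is a constant in another file rather than anything this loop verifies. I would fetch the name first and skip or stop on NULL: `const char *name = sec_privilege_name_from_index(i); if (name == NULL) { break; } d_printf("%s\n", name);`. Note also that the switch from `count_all_privileges()` to `num_privileges_in_short_list()` deliberately shortens the listing from the full table to the first eight entries, which matches the commit message but is a visible change for `net sam rights list` users; a one-line comment above the loop saying so would spare the next reader the archaeology. `net_sam_rights_list` starts before this hunk.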
|