mirror of https://github.com/samba-team/samba.git synced 2025-01-03 01:18:10 +03:00

libcli: Make handling implicit_owner_rights bit easier to read

The first time I came across this I missed the "FALL_THROUGH" and had
to look closely at what happens. I had expected
IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS to grant two rights,
which to me is now more obvious. It was correct before, but to me this
is now more obvious. YMMV.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Volker Lendecke 2024-11-29 13:06:03 +01:00
parent 9312bdd271
commit ddc88fa8b6


@ -245,8 +245,9 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
if (security_token_has_sid(token, sd->owner_sid)) { if (security_token_has_sid(token, sd->owner_sid)) {
switch (implicit_owner_rights) { switch (implicit_owner_rights) {
case IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS: case IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS:
granted |= SEC_STD_WRITE_DAC; granted |= (SEC_STD_READ_CONTROL |
FALL_THROUGH; SEC_STD_WRITE_DAC);
break;
case IMPLICIT_OWNER_READ_CONTROL_RIGHTS: case IMPLICIT_OWNER_READ_CONTROL_RIGHTS:
granted |= SEC_STD_READ_CONTROL; granted |= SEC_STD_READ_CONTROL;
break; break;
@ -282,8 +283,8 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
if (am_owner && !have_owner_rights_ace) { if (am_owner && !have_owner_rights_ace) {
switch (implicit_owner_rights) { switch (implicit_owner_rights) {
case IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS: case IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS:
granted |= SEC_STD_WRITE_DAC; granted |= (SEC_STD_READ_CONTROL | SEC_STD_WRITE_DAC);
FALL_THROUGH; break;
case IMPLICIT_OWNER_READ_CONTROL_RIGHTS: case IMPLICIT_OWNER_READ_CONTROL_RIGHTS:
granted |= SEC_STD_READ_CONTROL; granted |= SEC_STD_READ_CONTROL;
break; break;
@ -436,8 +437,9 @@ static NTSTATUS se_access_check_implicit_owner(const struct security_descriptor
if (am_owner && !have_owner_rights_ace) { if (am_owner && !have_owner_rights_ace) {
switch (implicit_owner_rights) { switch (implicit_owner_rights) {
case IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS: case IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS:
bits_remaining &= ~SEC_STD_WRITE_DAC; bits_remaining &= ~(SEC_STD_WRITE_DAC |
FALL_THROUGH; SEC_STD_READ_CONTROL);
break;
case IMPLICIT_OWNER_READ_CONTROL_RIGHTS: case IMPLICIT_OWNER_READ_CONTROL_RIGHTS:
bits_remaining &= ~SEC_STD_READ_CONTROL; bits_remaining &= ~SEC_STD_READ_CONTROL;
break; break;
@ -751,8 +753,9 @@ NTSTATUS sec_access_check_ds_implicit_owner(const struct security_descriptor *sd
security_token_has_sid(token, sd->owner_sid)) { security_token_has_sid(token, sd->owner_sid)) {
switch (implicit_owner_rights) { switch (implicit_owner_rights) {
case IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS: case IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS:
bits_remaining &= ~SEC_STD_WRITE_DAC; bits_remaining &= ~(SEC_STD_WRITE_DAC |
FALL_THROUGH; SEC_STD_READ_CONTROL);
break;
case IMPLICIT_OWNER_READ_CONTROL_RIGHTS: case IMPLICIT_OWNER_READ_CONTROL_RIGHTS:
bits_remaining &= ~SEC_STD_READ_CONTROL; bits_remaining &= ~SEC_STD_READ_CONTROL;
break; break;
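Review bot: The mapping from `implicit_owner_rights` to an access mask is now written out four times: twice as `granted |=` in access_check_max_allowed, and once each as `bits_remaining &= ~` in se_access_check_implicit_owner and sec_access_check_ds_implicit_owner, with the two operands in a different order between the two forms. These paths have to agree on what an owner receives implicitly, so a single static helper returning the mask would keep the max-allowed computation and the real access checks from drifting apart in a later edit. Each switch continues past the end of its hunk, so confirm there are no further cases or a default before folding them into the helper; the trailing `return 0` below assumes there are none.

```c
/* Access mask an owner is given implicitly for the selected policy. */
static uint32_t implicit_owner_rights_mask(
	enum implicit_owner_rights implicit_owner_rights)
{
	switch (implicit_owner_rights) {
	case IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS:
		return SEC_STD_READ_CONTROL | SEC_STD_WRITE_DAC;
	case IMPLICIT_OWNER_READ_CONTROL_RIGHTS:
		return SEC_STD_READ_CONTROL;
	}
	return 0;
}

/* ... unchanged: owner checks in access_check_max_allowed(), both switches become ... */
		granted |= implicit_owner_rights_mask(implicit_owner_rights);

/* ... unchanged: owner checks in se_access_check_implicit_owner() and
 * sec_access_check_ds_implicit_owner(), each switch becomes ... */
		bits_remaining &= ~implicit_owner_rights_mask(implicit_owner_rights);
```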