
Tidied up security rights definitions.

Jeremy.
Jeremy Allison 0001-01-01 00:00:00 +00:00
parent 1d9a5494f8
commit e466c863f5
7 changed files with 30 additions and 39 deletions


@ -29,10 +29,6 @@
#define SEC_RIGHTS_ENUM_SUBKEYS 0x00000008 #define SEC_RIGHTS_ENUM_SUBKEYS 0x00000008
#define SEC_RIGHTS_NOTIFY 0x00000010 #define SEC_RIGHTS_NOTIFY 0x00000010
#define SEC_RIGHTS_CREATE_LINK 0x00000020 #define SEC_RIGHTS_CREATE_LINK 0x00000020
#define SEC_RIGHTS_DELETE 0x00010000
#define SEC_RIGHTS_READ_CONTROL 0x00020000
#define SEC_RIGHTS_WRITE_DAC 0x00040000
#define SEC_RIGHTS_WRITE_OWNER 0x00080000
#define SEC_RIGHTS_READ 0x00020019 #define SEC_RIGHTS_READ 0x00020019
#define SEC_RIGHTS_FULL_CONTROL 0x000f003f #define SEC_RIGHTS_FULL_CONTROL 0x000f003f


@ -157,28 +157,23 @@
#define PRINTER_ACCESS_USE 0x00000008 #define PRINTER_ACCESS_USE 0x00000008
#define JOB_ACCESS_ADMINISTER 0x00000010 #define JOB_ACCESS_ADMINISTER 0x00000010
#define STANDARD_RIGHTS_READ 0x00020000
#define STANDARD_RIGHTS_WRITE STANDARD_RIGHTS_READ
#define STANDARD_RIGHTS_EXECUTE STANDARD_RIGHTS_READ
#define STANDARD_RIGHTS_REQUIRED 0x000F0000
/* Access rights for print servers */ /* Access rights for print servers */
#define SERVER_ALL_ACCESS STANDARD_RIGHTS_REQUIRED|SERVER_ACCESS_ADMINISTER|SERVER_ACCESS_ENUMERATE #define SERVER_ALL_ACCESS STANDARD_RIGHTS_REQUIRED_ACCESS|SERVER_ACCESS_ADMINISTER|SERVER_ACCESS_ENUMERATE
#define SERVER_READ STANDARD_RIGHTS_READ|SERVER_ACCESS_ENUMERATE #define SERVER_READ STANDARD_RIGHTS_READ_ACCESS|SERVER_ACCESS_ENUMERATE
#define SERVER_WRITE STANDARD_RIGHTS_WRITE|SERVER_ACCESS_ADMINISTER|SERVER_ACCESS_ENUMERATE #define SERVER_WRITE STANDARD_RIGHTS_WRITE_ACCESS|SERVER_ACCESS_ADMINISTER|SERVER_ACCESS_ENUMERATE
#define SERVER_EXECUTE STANDARD_RIGHTS_EXECUTE|SERVER_ACCESS_ENUMERATE #define SERVER_EXECUTE STANDARD_RIGHTS_EXECUTE_ACCESS|SERVER_ACCESS_ENUMERATE
/* Access rights for printers */ /* Access rights for printers */
#define PRINTER_ALL_ACCESS STANDARD_RIGHTS_REQUIRED|PRINTER_ACCESS_ADMINISTER|PRINTER_ACCESS_USE #define PRINTER_ALL_ACCESS STANDARD_RIGHTS_REQUIRED_ACCESS|PRINTER_ACCESS_ADMINISTER|PRINTER_ACCESS_USE
#define PRINTER_READ STANDARD_RIGHTS_READ|PRINTER_ACCESS_USE #define PRINTER_READ STANDARD_RIGHTS_READ_ACCESS|PRINTER_ACCESS_USE
#define PRINTER_WRITE STANDARD_RIGHTS_WRITE|PRINTER_ACCESS_USE #define PRINTER_WRITE STANDARD_RIGHTS_WRITE_ACCESS|PRINTER_ACCESS_USE
#define PRINTER_EXECUTE STANDARD_RIGHTS_EXECUTE|PRINTER_ACCESS_USE #define PRINTER_EXECUTE STANDARD_RIGHTS_EXECUTE_ACCESS|PRINTER_ACCESS_USE
/* Access rights for jobs */ /* Access rights for jobs */
#define JOB_ALL_ACCESS STANDARD_RIGHTS_REQUIRED|JOB_ACCESS_ADMINISTER #define JOB_ALL_ACCESS STANDARD_RIGHTS_REQUIRED_ACCESS|JOB_ACCESS_ADMINISTER
#define JOB_READ STANDARD_RIGHTS_READ|JOB_ACCESS_ADMINISTER #define JOB_READ STANDARD_RIGHTS_READ_ACCESS|JOB_ACCESS_ADMINISTER
#define JOB_WRITE STANDARD_RIGHTS_WRITE|JOB_ACCESS_ADMINISTER #define JOB_WRITE STANDARD_RIGHTS_WRITE_ACCESS|JOB_ACCESS_ADMINISTER
#define JOB_EXECUTE STANDARD_RIGHTS_EXECUTE|JOB_ACCESS_ADMINISTER #define JOB_EXECUTE STANDARD_RIGHTS_EXECUTE_ACCESS|JOB_ACCESS_ADMINISTER
#define POLICY_HND_SIZE 20 #define POLICY_HND_SIZE 20
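Review bot: The rewritten access-mask macros from SERVER_ALL_ACCESS down to JOB_EXECUTE are still unparenthesized, so a use such as `mask & SERVER_READ` expands to `mask & STANDARD_RIGHTS_READ_ACCESS | SERVER_ACCESS_ENUMERATE`, where `&` binds only to the first term and an access check can pass on the wrong bits. Since the commit already touches every one of these lines, wrap each expansion, e.g. `#define SERVER_READ (STANDARD_RIGHTS_READ_ACCESS|SERVER_ACCESS_ENUMERATE)`, and likewise for the other eleven. Whether any current caller combines these with `&` or `~` is not visible here, but parenthesizing removes the hazard for future ones.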


@ -1154,21 +1154,22 @@ struct bitmap {
#define WRITE_OWNER_ACCESS (1L<<19) #define WRITE_OWNER_ACCESS (1L<<19)
#define SYNCHRONIZE_ACCESS (1L<<20) #define SYNCHRONIZE_ACCESS (1L<<20)
/* Combinations of standard masks. */
#define STANDARD_RIGHTS_ALL_ACCESS (DELETE_ACCESS|READ_CONTROL_ACCESS|WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS|SYNCHRONIZE_ACCESS)
#define STANDARD_RIGHTS_EXECUTE_ACCESS (READ_CONTROL_ACCESS)
#define STANDARD_RIGHTS_READ_ACCESS (READ_CONTROL_ACCESS)
#define STANDARD_RIGHTS_REQUIRED_ACCESS (DELETE_ACCESS|READ_CONTROL_ACCESS|WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS)
#define STANDARD_RIGHTS_WRITE_ACCESS (READ_CONTROL_ACCESS)
#define SYSTEM_SECURITY_ACCESS (1L<<24) #define SYSTEM_SECURITY_ACCESS (1L<<24)
#define MAXIMUM_ALLOWED_ACCESS (1L<<25)
#define GENERIC_ALL_ACCESS (1<<28) #define GENERIC_ALL_ACCESS (1<<28)
#define GENERIC_EXECUTE_ACCESS (1<<29) #define GENERIC_EXECUTE_ACCESS (1<<29)
#define GENERIC_WRITE_ACCESS (1<<30) #define GENERIC_WRITE_ACCESS (1<<30)
#define GENERIC_READ_ACCESS (((unsigned)1)<<31) #define GENERIC_READ_ACCESS (((unsigned)1)<<31)
#define FILE_ALL_STANDARD_ACCESS 0x1F0000
/* Mapping of access rights to UNIX perms. */ /* Mapping of access rights to UNIX perms. */
#if 0 /* Don't use all here... JRA. */
#define UNIX_ACCESS_RWX (FILE_ALL_ATTRIBUTES|FILE_ALL_STANDARD_ACCESS)
#else
#define UNIX_ACCESS_RWX (UNIX_ACCESS_R|UNIX_ACCESS_W|UNIX_ACCESS_X) #define UNIX_ACCESS_RWX (UNIX_ACCESS_R|UNIX_ACCESS_W|UNIX_ACCESS_X)
#endif
#define UNIX_ACCESS_R (READ_CONTROL_ACCESS|SYNCHRONIZE_ACCESS|\ #define UNIX_ACCESS_R (READ_CONTROL_ACCESS|SYNCHRONIZE_ACCESS|\
FILE_READ_ATTRIBUTES|FILE_READ_EA|FILE_READ_DATA) FILE_READ_ATTRIBUTES|FILE_READ_EA|FILE_READ_DATA)
#define UNIX_ACCESS_W (READ_CONTROL_ACCESS|SYNCHRONIZE_ACCESS|\ #define UNIX_ACCESS_W (READ_CONTROL_ACCESS|SYNCHRONIZE_ACCESS|\
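Review bot: The new block under `/* Combinations of standard masks. */` defines STANDARD_RIGHTS_EXECUTE_ACCESS, STANDARD_RIGHTS_READ_ACCESS and STANDARD_RIGHTS_WRITE_ACCESS all as `(READ_CONTROL_ACCESS)`, which reads like a copy-paste slip to anyone who does not know that the Win32 STANDARD_RIGHTS_READ, _WRITE and _EXECUTE values are all READ_CONTROL; a comment should say so, e.g. `/* READ, WRITE and EXECUTE all reduce to READ_CONTROL, as in the Win32 SDK; the separate names are kept for readability at use sites. */`. The removed FILE_ALL_STANDARD_ACCESS (0x1F0000) is bit-for-bit the same value as the new STANDARD_RIGHTS_ALL_ACCESS, which is presumably why it goes, but neither the code nor the commit message says so. MAXIMUM_ALLOWED_ACCESS uses `1L<<25` while the GENERIC_* lines beside it use plain `1` and `((unsigned)1)`; using one form for the whole table avoids sign-conversion surprises when these are OR'd into a uint32 mask.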


@ -241,16 +241,16 @@ BOOL se_access_check(SEC_DESC *sd, struct current_user *user,
/* /*
* The owner always has SEC_RIGHTS_WRITE_DAC. * The owner always has SEC_RIGHTS_WRITE_DAC.
*/ */
if (tmp_acc_desired & SEC_RIGHTS_WRITE_DAC) if (tmp_acc_desired & WRITE_DAC_ACCESS)
tmp_acc_desired &= ~SEC_RIGHTS_WRITE_DAC; tmp_acc_desired &= ~WRITE_DAC_ACCESS;
} }
} }
} }
acl = sd->dacl; acl = sd->dacl;
if (tmp_acc_desired & SEC_RIGHTS_MAXIMUM_ALLOWED) { if (tmp_acc_desired & MAXIMUM_ALLOWED_ACCESS) {
tmp_acc_desired &= ~SEC_RIGHTS_MAXIMUM_ALLOWED; tmp_acc_desired &= ~MAXIMUM_ALLOWED_ACCESS;
return get_max_access( acl, token, acc_granted, tmp_acc_desired, status); return get_max_access( acl, token, acc_granted, tmp_acc_desired, status);
} }
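Review bot: The comment `* The owner always has SEC_RIGHTS_WRITE_DAC.` still names the macro this commit removes from the header, while the check beneath it now tests WRITE_DAC_ACCESS; update it to `* The owner always has WRITE_DAC_ACCESS.` so the comment and the code agree. se_access_check begins before this hunk and continues after it.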


@ -1987,7 +1987,7 @@ static SEC_DESC_BUF *construct_default_printer_sdb(void)
} }
} }
init_sec_access(&sa, PRINTER_ACE_FULL_CONTROL); init_sec_access(&sa, PRINTER_ACE_MANAGE_DOCUMENTS | PRINTER_ACE_PRINT);
init_sec_ace(&ace[1], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, init_sec_ace(&ace[1], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
sa, SEC_ACE_FLAG_CONTAINER_INHERIT); sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
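Review bot: The owner's ACE in the default printer security descriptor drops from PRINTER_ACE_FULL_CONTROL to `PRINTER_ACE_MANAGE_DOCUMENTS | PRINTER_ACE_PRINT`, which changes the default permissions rather than tidying definitions, and neither the commit message nor the code says why. A comment above the init_sec_access call should record the intent, e.g. `/* The owner is deliberately limited to manage-documents and print rather than full control. */`, with the actual reason stated. The rest of construct_default_printer_sdb is outside this hunk, so what the other ACEs grant is not visible here.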


@ -305,8 +305,7 @@ static void init_lsa_trans_names(DOM_R_REF *ref, LSA_TRANS_NAME_ENUM *trn,
memset(dom_name, '\0', sizeof(dom_name)); memset(dom_name, '\0', sizeof(dom_name));
memset(name, '\0', sizeof(name)); memset(name, '\0', sizeof(name));
status = winbind_lookup_sid(&find_sid, dom_name, name, status = lookup_sid(&find_sid, dom_name, name, &sid_name_use);
&sid_name_use);
if (!status) { if (!status) {
sid_name_use = SID_NAME_UNKNOWN; sid_name_use = SID_NAME_UNKNOWN;
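Review bot: The lookup now goes through lookup_sid instead of winbind_lookup_sid, a behaviour change unrelated to the rights-definition tidy-up the commit message describes; it deserves a line in the message or a comment on the call. lookup_sid's contract is not visible in this hunk; if, unlike winbind_lookup_sid, it can return false after partially writing dom_name or name, the `if (!status)` branch should clear them again rather than rely on the memsets above — worth confirming against its definition. init_lsa_trans_names starts and ends outside this hunk.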


@ -64,10 +64,10 @@ static const char *get_sec_mask_str(uint32 type)
case SEC_RIGHTS_ENUM_SUBKEYS : fstrcat(typestr, "Enum "); break; case SEC_RIGHTS_ENUM_SUBKEYS : fstrcat(typestr, "Enum "); break;
case SEC_RIGHTS_NOTIFY : fstrcat(typestr, "Notify "); break; case SEC_RIGHTS_NOTIFY : fstrcat(typestr, "Notify "); break;
case SEC_RIGHTS_CREATE_LINK : fstrcat(typestr, "CreateLink "); break; case SEC_RIGHTS_CREATE_LINK : fstrcat(typestr, "CreateLink "); break;
case SEC_RIGHTS_DELETE : fstrcat(typestr, "Delete "); break; case DELETE_ACCESS : fstrcat(typestr, "Delete "); break;
case SEC_RIGHTS_READ_CONTROL : fstrcat(typestr, "ReadControl "); break; case READ_CONTROL_ACCESS : fstrcat(typestr, "ReadControl "); break;
case SEC_RIGHTS_WRITE_DAC : fstrcat(typestr, "WriteDAC "); break; case WRITE_DAC_ACCESS : fstrcat(typestr, "WriteDAC "); break;
case SEC_RIGHTS_WRITE_OWNER : fstrcat(typestr, "WriteOwner "); break; case WRITE_OWNER_ACCESS : fstrcat(typestr, "WriteOwner "); break;
} }
type &= ~(1 << i); type &= ~(1 << i);
} }
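Review bot: The switch still has no default, so any set bit that is not one of the listed cases — SYNCHRONIZE_ACCESS, SYSTEM_SECURITY_ACCESS, MAXIMUM_ALLOWED_ACCESS and the GENERIC_* bits, all defined in the header this commit edits — is silently cleared by `type &= ~(1 << i);` and leaves no trace in the string; adding `default: fstrcat(typestr, "Unknown "); break;` keeps a rendering of an ACE mask from hiding bits. Separately, `1 << i` is undefined for i == 31 on a 32-bit int; if the enclosing loop, which starts before this hunk, runs i up to 31, use `1U << i` to match the unsigned mask. get_sec_mask_str starts before this hunk.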