Tidied up security rights definitions.
Jeremy.
This commit is contained in:
parent
1d9a5494f8
commit
e466c863f5
@ -29,10 +29,6 @@
|
|||||||
#define SEC_RIGHTS_ENUM_SUBKEYS 0x00000008
|
#define SEC_RIGHTS_ENUM_SUBKEYS 0x00000008
|
||||||
#define SEC_RIGHTS_NOTIFY 0x00000010
|
#define SEC_RIGHTS_NOTIFY 0x00000010
|
||||||
#define SEC_RIGHTS_CREATE_LINK 0x00000020
|
#define SEC_RIGHTS_CREATE_LINK 0x00000020
|
||||||
#define SEC_RIGHTS_DELETE 0x00010000
|
|
||||||
#define SEC_RIGHTS_READ_CONTROL 0x00020000
|
|
||||||
#define SEC_RIGHTS_WRITE_DAC 0x00040000
|
|
||||||
#define SEC_RIGHTS_WRITE_OWNER 0x00080000
|
|
||||||
|
|
||||||
#define SEC_RIGHTS_READ 0x00020019
|
#define SEC_RIGHTS_READ 0x00020019
|
||||||
#define SEC_RIGHTS_FULL_CONTROL 0x000f003f
|
#define SEC_RIGHTS_FULL_CONTROL 0x000f003f
|
||||||
|
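Review bot: The two composite masks this hunk keeps, `#define SEC_RIGHTS_READ 0x00020019` and `#define SEC_RIGHTS_FULL_CONTROL 0x000f003f`, are still raw hex even though the standard bits inside them are exactly the four `SEC_RIGHTS_DELETE`/`READ_CONTROL`/`WRITE_DAC`/`WRITE_OWNER` lines being deleted here, so the decomposition is now harder to check than before. Reading the values: 0x000f003f is the four standard bits 0x000f0000 plus the six key-specific bits 0x3f, and 0x00020019 is READ_CONTROL (0x00020000) plus `SEC_RIGHTS_ENUM_SUBKEYS|SEC_RIGHTS_NOTIFY` and bit 0x1, whose name is defined above this hunk. Worth recording that next to the constants, e.g. `/* 0x000f003f = DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER (0x000f0000) | all six key rights (0x3f) */`, together with the caveat that "full control" here deliberately contains neither SYNCHRONIZE (bit 20) nor ACCESS_SYSTEM_SECURITY (bit 24), which a reader of the name alone might assume.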
@ -157,28 +157,23 @@
|
|||||||
#define PRINTER_ACCESS_USE 0x00000008
|
#define PRINTER_ACCESS_USE 0x00000008
|
||||||
#define JOB_ACCESS_ADMINISTER 0x00000010
|
#define JOB_ACCESS_ADMINISTER 0x00000010
|
||||||
|
|
||||||
#define STANDARD_RIGHTS_READ 0x00020000
|
|
||||||
#define STANDARD_RIGHTS_WRITE STANDARD_RIGHTS_READ
|
|
||||||
#define STANDARD_RIGHTS_EXECUTE STANDARD_RIGHTS_READ
|
|
||||||
#define STANDARD_RIGHTS_REQUIRED 0x000F0000
|
|
||||||
|
|
||||||
/* Access rights for print servers */
|
/* Access rights for print servers */
|
||||||
#define SERVER_ALL_ACCESS STANDARD_RIGHTS_REQUIRED|SERVER_ACCESS_ADMINISTER|SERVER_ACCESS_ENUMERATE
|
#define SERVER_ALL_ACCESS STANDARD_RIGHTS_REQUIRED_ACCESS|SERVER_ACCESS_ADMINISTER|SERVER_ACCESS_ENUMERATE
|
||||||
#define SERVER_READ STANDARD_RIGHTS_READ|SERVER_ACCESS_ENUMERATE
|
#define SERVER_READ STANDARD_RIGHTS_READ_ACCESS|SERVER_ACCESS_ENUMERATE
|
||||||
#define SERVER_WRITE STANDARD_RIGHTS_WRITE|SERVER_ACCESS_ADMINISTER|SERVER_ACCESS_ENUMERATE
|
#define SERVER_WRITE STANDARD_RIGHTS_WRITE_ACCESS|SERVER_ACCESS_ADMINISTER|SERVER_ACCESS_ENUMERATE
|
||||||
#define SERVER_EXECUTE STANDARD_RIGHTS_EXECUTE|SERVER_ACCESS_ENUMERATE
|
#define SERVER_EXECUTE STANDARD_RIGHTS_EXECUTE_ACCESS|SERVER_ACCESS_ENUMERATE
|
||||||
|
|
||||||
/* Access rights for printers */
|
/* Access rights for printers */
|
||||||
#define PRINTER_ALL_ACCESS STANDARD_RIGHTS_REQUIRED|PRINTER_ACCESS_ADMINISTER|PRINTER_ACCESS_USE
|
#define PRINTER_ALL_ACCESS STANDARD_RIGHTS_REQUIRED_ACCESS|PRINTER_ACCESS_ADMINISTER|PRINTER_ACCESS_USE
|
||||||
#define PRINTER_READ STANDARD_RIGHTS_READ|PRINTER_ACCESS_USE
|
#define PRINTER_READ STANDARD_RIGHTS_READ_ACCESS|PRINTER_ACCESS_USE
|
||||||
#define PRINTER_WRITE STANDARD_RIGHTS_WRITE|PRINTER_ACCESS_USE
|
#define PRINTER_WRITE STANDARD_RIGHTS_WRITE_ACCESS|PRINTER_ACCESS_USE
|
||||||
#define PRINTER_EXECUTE STANDARD_RIGHTS_EXECUTE|PRINTER_ACCESS_USE
|
#define PRINTER_EXECUTE STANDARD_RIGHTS_EXECUTE_ACCESS|PRINTER_ACCESS_USE
|
||||||
|
|
||||||
/* Access rights for jobs */
|
/* Access rights for jobs */
|
||||||
#define JOB_ALL_ACCESS STANDARD_RIGHTS_REQUIRED|JOB_ACCESS_ADMINISTER
|
#define JOB_ALL_ACCESS STANDARD_RIGHTS_REQUIRED_ACCESS|JOB_ACCESS_ADMINISTER
|
||||||
#define JOB_READ STANDARD_RIGHTS_READ|JOB_ACCESS_ADMINISTER
|
#define JOB_READ STANDARD_RIGHTS_READ_ACCESS|JOB_ACCESS_ADMINISTER
|
||||||
#define JOB_WRITE STANDARD_RIGHTS_WRITE|JOB_ACCESS_ADMINISTER
|
#define JOB_WRITE STANDARD_RIGHTS_WRITE_ACCESS|JOB_ACCESS_ADMINISTER
|
||||||
#define JOB_EXECUTE STANDARD_RIGHTS_EXECUTE|JOB_ACCESS_ADMINISTER
|
#define JOB_EXECUTE STANDARD_RIGHTS_EXECUTE_ACCESS|JOB_ACCESS_ADMINISTER
|
||||||
|
|
||||||
#define POLICY_HND_SIZE 20
|
#define POLICY_HND_SIZE 20
|
||||||
|
|
||||||
|
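Review bot: Every composite mask rewritten in this hunk is still an unparenthesised `|` chain, e.g. `#define SERVER_ALL_ACCESS STANDARD_RIGHTS_REQUIRED_ACCESS|SERVER_ACCESS_ADMINISTER|SERVER_ACCESS_ENUMERATE`, so `desired & SERVER_ALL_ACCESS` expands to `(desired & STANDARD_RIGHTS_REQUIRED_ACCESS)|SERVER_ACCESS_ADMINISTER|SERVER_ACCESS_ENUMERATE` and `mask == PRINTER_READ` to `(mask == STANDARD_RIGHTS_READ_ACCESS)|PRINTER_ACCESS_USE`; in an access check that is a silently wrong answer, not a compile error. Since the commit already touches all twelve definitions, wrap each expansion: `#define SERVER_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED_ACCESS|SERVER_ACCESS_ADMINISTER|SERVER_ACCESS_ENUMERATE)`, and likewise for the remaining SERVER_*, PRINTER_* and JOB_* lines below it. Whether the existing callers happen to parenthesise these macros themselves cannot be seen from this hunk, so the safe fix is in the header.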
@ -1154,21 +1154,22 @@ struct bitmap {
|
|||||||
#define WRITE_OWNER_ACCESS (1L<<19)
|
#define WRITE_OWNER_ACCESS (1L<<19)
|
||||||
#define SYNCHRONIZE_ACCESS (1L<<20)
|
#define SYNCHRONIZE_ACCESS (1L<<20)
|
||||||
|
|
||||||
|
/* Combinations of standard masks. */
|
||||||
|
#define STANDARD_RIGHTS_ALL_ACCESS (DELETE_ACCESS|READ_CONTROL_ACCESS|WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS|SYNCHRONIZE_ACCESS)
|
||||||
|
#define STANDARD_RIGHTS_EXECUTE_ACCESS (READ_CONTROL_ACCESS)
|
||||||
|
#define STANDARD_RIGHTS_READ_ACCESS (READ_CONTROL_ACCESS)
|
||||||
|
#define STANDARD_RIGHTS_REQUIRED_ACCESS (DELETE_ACCESS|READ_CONTROL_ACCESS|WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS)
|
||||||
|
#define STANDARD_RIGHTS_WRITE_ACCESS (READ_CONTROL_ACCESS)
|
||||||
|
|
||||||
#define SYSTEM_SECURITY_ACCESS (1L<<24)
|
#define SYSTEM_SECURITY_ACCESS (1L<<24)
|
||||||
|
#define MAXIMUM_ALLOWED_ACCESS (1L<<25)
|
||||||
#define GENERIC_ALL_ACCESS (1<<28)
|
#define GENERIC_ALL_ACCESS (1<<28)
|
||||||
#define GENERIC_EXECUTE_ACCESS (1<<29)
|
#define GENERIC_EXECUTE_ACCESS (1<<29)
|
||||||
#define GENERIC_WRITE_ACCESS (1<<30)
|
#define GENERIC_WRITE_ACCESS (1<<30)
|
||||||
#define GENERIC_READ_ACCESS (((unsigned)1)<<31)
|
#define GENERIC_READ_ACCESS (((unsigned)1)<<31)
|
||||||
|
|
||||||
#define FILE_ALL_STANDARD_ACCESS 0x1F0000
|
|
||||||
|
|
||||||
/* Mapping of access rights to UNIX perms. */
|
/* Mapping of access rights to UNIX perms. */
|
||||||
#if 0 /* Don't use all here... JRA. */
|
|
||||||
#define UNIX_ACCESS_RWX (FILE_ALL_ATTRIBUTES|FILE_ALL_STANDARD_ACCESS)
|
|
||||||
#else
|
|
||||||
#define UNIX_ACCESS_RWX (UNIX_ACCESS_R|UNIX_ACCESS_W|UNIX_ACCESS_X)
|
#define UNIX_ACCESS_RWX (UNIX_ACCESS_R|UNIX_ACCESS_W|UNIX_ACCESS_X)
|
||||||
#endif
|
|
||||||
|
|
||||||
#define UNIX_ACCESS_R (READ_CONTROL_ACCESS|SYNCHRONIZE_ACCESS|\
|
#define UNIX_ACCESS_R (READ_CONTROL_ACCESS|SYNCHRONIZE_ACCESS|\
|
||||||
FILE_READ_ATTRIBUTES|FILE_READ_EA|FILE_READ_DATA)
|
FILE_READ_ATTRIBUTES|FILE_READ_EA|FILE_READ_DATA)
|
||||||
#define UNIX_ACCESS_W (READ_CONTROL_ACCESS|SYNCHRONIZE_ACCESS|\
|
#define UNIX_ACCESS_W (READ_CONTROL_ACCESS|SYNCHRONIZE_ACCESS|\
|
||||||
|
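Review bot: `STANDARD_RIGHTS_READ_ACCESS`, `STANDARD_RIGHTS_WRITE_ACCESS` and `STANDARD_RIGHTS_EXECUTE_ACCESS` are all added here as bare `(READ_CONTROL_ACCESS)` with nothing saying that is intentional; the obvious misreading is that WRITE should also carry WRITE_DAC_ACCESS/WRITE_OWNER_ACCESS, and a well-meaning "fix" would widen every printer and job `*_WRITE` mask built from it. A one-line comment above the group, `/* READ, WRITE and EXECUTE are deliberately identical (READ_CONTROL only), as in the Win32 STANDARD_RIGHTS_* values; the DAC/owner bits live in STANDARD_RIGHTS_REQUIRED_ACCESS */`, closes that gap. The new `#define MAXIMUM_ALLOWED_ACCESS (1L<<25)` is a request flag rather than a right and must be stripped before a desired mask is compared with a granted one (the se_access_check hunk in this commit does exactly that), so it deserves `/* request flag, not a right: "grant whatever the caller may have"; strip before comparing masks */`. Minor: the block now mixes `1L<<N`, `1<<N` and `((unsigned)1)<<31` for bits of the same 32-bit mask; `1U<<N` throughout would give every constant the same type.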
@ -241,16 +241,16 @@ BOOL se_access_check(SEC_DESC *sd, struct current_user *user,
|
|||||||
/*
|
/*
|
||||||
* The owner always has SEC_RIGHTS_WRITE_DAC.
|
* The owner always has SEC_RIGHTS_WRITE_DAC.
|
||||||
*/
|
*/
|
||||||
if (tmp_acc_desired & SEC_RIGHTS_WRITE_DAC)
|
if (tmp_acc_desired & WRITE_DAC_ACCESS)
|
||||||
tmp_acc_desired &= ~SEC_RIGHTS_WRITE_DAC;
|
tmp_acc_desired &= ~WRITE_DAC_ACCESS;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
acl = sd->dacl;
|
acl = sd->dacl;
|
||||||
|
|
||||||
if (tmp_acc_desired & SEC_RIGHTS_MAXIMUM_ALLOWED) {
|
if (tmp_acc_desired & MAXIMUM_ALLOWED_ACCESS) {
|
||||||
tmp_acc_desired &= ~SEC_RIGHTS_MAXIMUM_ALLOWED;
|
tmp_acc_desired &= ~MAXIMUM_ALLOWED_ACCESS;
|
||||||
return get_max_access( acl, token, acc_granted, tmp_acc_desired, status);
|
return get_max_access( acl, token, acc_granted, tmp_acc_desired, status);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
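Review bot: The comment at the top of this hunk still reads `* The owner always has SEC_RIGHTS_WRITE_DAC.` although the code beneath it now tests `WRITE_DAC_ACCESS` and this same commit deletes `SEC_RIGHTS_WRITE_DAC` from the header; change it to `* The owner always has WRITE_DAC_ACCESS.` The `if (tmp_acc_desired & WRITE_DAC_ACCESS)` guard is also redundant, because `tmp_acc_desired &= ~WRITE_DAC_ACCESS;` is a no-op when the bit is already clear, and dropping the `if` makes the intent — the owner's WRITE_DAC is granted implicitly and therefore not checked against the DACL — one line clearer. Whether `acc_granted` is told about that implicit grant before `get_max_access` returns, and whether a NULL `sd->dacl` is handled anywhere, happens outside this hunk; se_access_check begins and ends outside it.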
@ -1987,7 +1987,7 @@ static SEC_DESC_BUF *construct_default_printer_sdb(void)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
init_sec_access(&sa, PRINTER_ACE_FULL_CONTROL);
|
init_sec_access(&sa, PRINTER_ACE_MANAGE_DOCUMENTS | PRINTER_ACE_PRINT);
|
||||||
init_sec_ace(&ace[1], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
|
init_sec_ace(&ace[1], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
|
||||||
sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
|
sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
|
||||||
|
|
||||||
|
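Review bot: Lowering the owner ACE from `init_sec_access(&sa, PRINTER_ACE_FULL_CONTROL);` to `PRINTER_ACE_MANAGE_DOCUMENTS | PRINTER_ACE_PRINT` is a behaviour change, not a rename, and it is the one thing in this commit that the "Tidied up" message does not cover: whoever `owner_sid` resolves to (assigned above the hunk) loses whatever rights `PRINTER_ACE_FULL_CONTROL` carried beyond manage-documents and print, and the PRINTER_ACE_* values themselves are not in view to say exactly what that is. If the reduction is intended, say so on the line, e.g. `/* owner of the default printer SD gets manage-documents + print only; full control is not granted here */`; if it is not, the previous value should be restored. construct_default_printer_sdb begins and ends outside this hunk, so I cannot see what `ace[0]` grants or whether it compensates.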
@ -305,8 +305,7 @@ static void init_lsa_trans_names(DOM_R_REF *ref, LSA_TRANS_NAME_ENUM *trn,
|
|||||||
memset(dom_name, '\0', sizeof(dom_name));
|
memset(dom_name, '\0', sizeof(dom_name));
|
||||||
memset(name, '\0', sizeof(name));
|
memset(name, '\0', sizeof(name));
|
||||||
|
|
||||||
status = winbind_lookup_sid(&find_sid, dom_name, name,
|
status = lookup_sid(&find_sid, dom_name, name, &sid_name_use);
|
||||||
&sid_name_use);
|
|
||||||
|
|
||||||
if (!status) {
|
if (!status) {
|
||||||
sid_name_use = SID_NAME_UNKNOWN;
|
sid_name_use = SID_NAME_UNKNOWN;
|
||||||
|
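Review bot: `status = lookup_sid(&find_sid, dom_name, name, &sid_name_use);` hands two output buffers to the new callee with no capacity argument, so bounds now depend entirely on `lookup_sid` honouring whatever fixed size `dom_name` and `name` are declared with (the declarations are above the hunk; the `memset(..., sizeof(...))` lines show they are arrays). This is the LSA name-translation path and `find_sid` comes from the request, so it is worth confirming that `lookup_sid` writes at most that many bytes and NUL-terminates on every path, including the failure path where the old `winbind_lookup_sid` contract may have differed. A call-site comment, `/* lookup_sid() must bound its writes to sizeof(dom_name) / sizeof(name) */`, would at least record the assumption. init_lsa_trans_names begins and ends outside this hunk.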
@ -64,10 +64,10 @@ static const char *get_sec_mask_str(uint32 type)
|
|||||||
case SEC_RIGHTS_ENUM_SUBKEYS : fstrcat(typestr, "Enum "); break;
|
case SEC_RIGHTS_ENUM_SUBKEYS : fstrcat(typestr, "Enum "); break;
|
||||||
case SEC_RIGHTS_NOTIFY : fstrcat(typestr, "Notify "); break;
|
case SEC_RIGHTS_NOTIFY : fstrcat(typestr, "Notify "); break;
|
||||||
case SEC_RIGHTS_CREATE_LINK : fstrcat(typestr, "CreateLink "); break;
|
case SEC_RIGHTS_CREATE_LINK : fstrcat(typestr, "CreateLink "); break;
|
||||||
case SEC_RIGHTS_DELETE : fstrcat(typestr, "Delete "); break;
|
case DELETE_ACCESS : fstrcat(typestr, "Delete "); break;
|
||||||
case SEC_RIGHTS_READ_CONTROL : fstrcat(typestr, "ReadControl "); break;
|
case READ_CONTROL_ACCESS : fstrcat(typestr, "ReadControl "); break;
|
||||||
case SEC_RIGHTS_WRITE_DAC : fstrcat(typestr, "WriteDAC "); break;
|
case WRITE_DAC_ACCESS : fstrcat(typestr, "WriteDAC "); break;
|
||||||
case SEC_RIGHTS_WRITE_OWNER : fstrcat(typestr, "WriteOwner "); break;
|
case WRITE_OWNER_ACCESS : fstrcat(typestr, "WriteOwner "); break;
|
||||||
}
|
}
|
||||||
type &= ~(1 << i);
|
type &= ~(1 << i);
|
||||||
}
|
}
|
||||||
|
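Review bot: `type &= ~(1 << i);` at the end of this hunk shifts a signed `int`, which is undefined for `i == 31`, and the loop it sits in presumably walks all 32 bits of an access mask — the header in this same commit has to spell the bit-31 constant as `((unsigned)1)<<31` for the same reason. Use an unsigned shift: `type &= ~(1U << i);`. The loop header and the `switch` expression are above the hunk, so I cannot see how far `i` runs; if it stops short of 31 this is only a consistency nit. No `case` for `SYNCHRONIZE_ACCESS`, `SYSTEM_SECURITY_ACCESS` or the generic bits appears in this hunk, so if such bits are meant to be silently dropped from the string a `/* bits without a name are not printed */` comment near the `switch` would say so. get_sec_mask_str begins outside the hunk.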