sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-08-02 00:22:11 +03:00
Code Activity

Added some debugs.

Browse Source 
Changed interface to se_access_check to take a user struct instead of each
bit as a separate parameter.
This commit is contained in:
Tim Potter
-
parent 34f69f09f8
commit ff7938310d
1 changed files with 27 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
source/lib/util_seaccess.c
View File

@ -146,7 +146,7 @@ static BOOL check_ace(SEC_ACE *ace, BOOL is_owner, DOM_SID *sid,
if (ace_grant(mask, acc_desired,
acc_granted)) {
*status = NT_STATUS_NO_PROBLEMO;
DEBUG(3, ("access granted\n"));
DEBUG(3, ("access granted by ace\n"));
return True;
}
}
@ -168,7 +168,7 @@ static BOOL check_ace(SEC_ACE *ace, BOOL is_owner, DOM_SID *sid,
if (ace_deny(mask, acc_desired,
acc_granted)) {
*status = NT_STATUS_ACCESS_DENIED;
DEBUG(3, ("access denied\n"));
DEBUG(3, ("access denied by ace\n"));
return True;
}
}
@ -204,9 +204,8 @@ static BOOL check_ace(SEC_ACE *ace, BOOL is_owner, DOM_SID *sid,
or more ACEs explicitly grant all requested access rights. See
"Access-Checking" document in MSDN. */
BOOL se_access_check(SEC_DESC *sd, uid_t uid, gid_t gid, int ngroups,
gid_t *groups, uint32 acc_desired,
uint32 *acc_granted, uint32 *status)
BOOL se_access_check(SEC_DESC *sd, struct current_user *user,
uint32 acc_desired, uint32 *acc_granted, uint32 *status)
{
DOM_SID user_sid, group_sid;
DOM_SID **group_sids = NULL;
@ -214,6 +213,7 @@ BOOL se_access_check(SEC_DESC *sd, uid_t uid, gid_t gid, int ngroups,
uint ngroup_sids = 0;
SEC_ACL *acl;
uint8 check_ace_type;
fstring sid_str;
if (!status || !acc_granted) return False;
@ -226,6 +226,7 @@ BOOL se_access_check(SEC_DESC *sd, uid_t uid, gid_t gid, int ngroups,
*status = NT_STATUS_NOPROBLEMO;
*acc_granted = acc_desired;
acc_desired = 0;
DEBUG(3, ("no sd, access allowed\n"));
goto done;
}
@ -245,33 +246,40 @@ BOOL se_access_check(SEC_DESC *sd, uid_t uid, gid_t gid, int ngroups,
/* Create user sid */
if (!winbind_uid_to_sid(uid, &user_sid)) {
DEBUG(3, ("could not lookup sid for uid %d\n", uid));
if (!winbind_uid_to_sid(user->uid, &user_sid)) {
DEBUG(3, ("could not lookup sid for uid %d\n", user->uid));
}
sid_to_string(sid_str, &user_sid);
DEBUG(3, ("user sid is %s\n", sid_str));
/* If we're the owner, then we can do anything */
if (sid_equal(&user_sid, sd->owner_sid)) {
*status = NT_STATUS_NOPROBLEMO;
*acc_granted = acc_desired;
acc_desired = 0;
DEBUG(3, ("is owner, access allowed\n"));
goto done;
}
/* Create group sid */
if (!winbind_gid_to_sid(gid, &group_sid)) {
DEBUG(3, ("could not lookup sid for gid %d\n", gid));
if (!winbind_gid_to_sid(user->gid, &group_sid)) {
DEBUG(3, ("could not lookup sid for gid %d\n", user->gid));
}
sid_to_string(sid_str, &group_sid);
DEBUG(3, ("group sid is %s\n", sid_str));
/* Create array of group sids */
add_sid_to_array(&ngroup_sids, &group_sids, &group_sid);
for (i = 0; i < ngroups; i++) {
if (groups[i] != gid) {
if (winbind_gid_to_sid(groups[i], &group_sid)) {
for (i = 0; i < user->ngroups; i++) {
if (user->groups[i] != user->gid) {
if (winbind_gid_to_sid(user->groups[i], &group_sid)) {
/* If we're a group member then we can also
do anything */
@ -280,6 +288,8 @@ BOOL se_access_check(SEC_DESC *sd, uid_t uid, gid_t gid, int ngroups,
*status = NT_STATUS_NOPROBLEMO;
*acc_granted = acc_desired;
acc_desired = 0;
DEBUG(3, ("is group member "
"access allowed\n"));
goto done;
}
@ -288,8 +298,11 @@ BOOL se_access_check(SEC_DESC *sd, uid_t uid, gid_t gid, int ngroups,
&group_sid);
} else {
DEBUG(3, ("could not lookup sid for gid %d\n",
gid));
user->gid));
}
sid_to_string(sid_str, &group_sid);
DEBUG(3, ("supplementary group %s\n", sid_str));
}
}
@ -305,6 +318,7 @@ BOOL se_access_check(SEC_DESC *sd, uid_t uid, gid_t gid, int ngroups,
*status = NT_STATUS_NOPROBLEMO;
*acc_granted = acc_desired;
acc_desired = 0;
DEBUG(3, ("null ace, access allowed\n"));
goto done;
}