1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

164 Commits

Author SHA1 Message Date
Richard Sharpe
3e5acc155b Fix bug #9674 - Samba denies owner Read Control when there is a DENY entry while W2K08 does not.
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Feb 23 19:28:15 CET 2013 on sn-devel-104
2013-02-23 19:28:15 +01:00
Stefan Metzmacher
2413962d53 libcli/security: calculate INHERIT_ONLY correcty for AUDIT and ALARM aces (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27 20:14:20 +11:00
Matthieu Patou
b1e231384a libcli-acl: add documentation
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-22 21:14:05 +11:00
Matthieu Patou
7822952a11 security: Add documentation
Names seems to be a bit cryptic and misleading (at least for me).
So documenting them should remove at least partially this problem.

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21 22:31:20 +01:00
Matthieu Patou
c0638dae6c libcli-security: Add documentation for object_tree_modify_access
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21 22:31:20 +01:00
Andrew Bartlett
d36c03056f libcli/security: remove useless if (root->num_of_children > 0) statements
The for loop does this implicitly when comparing for (i = 0; i < root->num_of_children; i++)

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21 16:12:45 +01:00
Stefan Metzmacher
853ecd418a libcli/security: add init_mask to existing children in insert_in_object_tree
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21 16:12:45 +01:00
Andrew Bartlett
5b4e3de2bb libcli/security: handle node initialisation in one spot in insert_in_object_tree()
This removes special-case for initalising the children array in
insert_in_object_tree().  talloc_realloc() handles the intial allocate
case perfectly well, so there is no need to have this duplicated.

This also restores having just one place were the rest of the elements
are intialised, to ensure uniform behaviour.

To do this, we have to rework insert_in_object_tree to have only one
output variable, both because having both root and new_node as output
variables was too confusing, and because otherwise the two pointers
were being allowed to point at the same memory.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21 16:12:45 +01:00
Stefan Metzmacher
a359aef083 libcli/security: avoid usage of dom_sid_parse_talloc() in sec_access_check_ds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21 16:12:45 +01:00
Stefan Metzmacher
a3fffde368 libcli/security: simplify get_ace_object_type()
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21 16:12:45 +01:00
Stefan Metzmacher
b0f731fc3b libcli/security: fix formating in access_check.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21 16:12:45 +01:00
Stefan Metzmacher
10a90ce842 libcli/security: fix whitespaces in access_check.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21 16:12:45 +01:00
Stefan Metzmacher
629ce2a1ba libcli/security: don't look at the inherited type in get_ace_object_type()
The inherited_type is only used to decide if aces should be inherited
effectively or not (INHERIT_ONLY) for the specified object.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Matthieu Patou <mat@matws.net>
2013-01-17 00:22:32 -08:00
Andrew Bartlett
b26668c606 libcli/security: Ensure to fill in remaining_access for the initial case (bug #9554 - CVE-2013-0172)
It is critically important that we initialise this element as otherwise
all access is permitted.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit a75805490d)
2013-01-15 12:14:25 +01:00
Stefan Metzmacher
d20c46a520 libcli/security: calculate the correct inherited_object GUID
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-11 04:49:48 +01:00
Stefan Metzmacher
75729e6703 libcli/security: implement object_in_list()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-11 04:45:54 +01:00
Stefan Metzmacher
cf60338ada libcli/security: remove duplicate aces in se_create_child_secdesc()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-02 22:42:20 +01:00
Jeremy Allison
2b89e1a20a Factor out privilege checking code into se_file_access_check() which takes a bool priv_open_requested parameter. 2012-08-31 20:29:13 -07:00
Jeremy Allison
cf29863c69 Fix bug #9124 - Samba fails to set "inherited" bit on inherited ACE's.
Change se_create_child_secdesc() to handle inheritance correctly.
2012-08-30 10:08:50 -07:00
Björn Jacke
13f8674a15 build: rename security → samba-security
there is a libsecurity on OSF1 which clasheѕ with our security lib. see bug #9023.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Fri Aug 10 14:22:21 CEST 2012 on sn-devel-104
2012-08-10 14:22:20 +02:00
Jeremy Allison
9b212d8df5 Fix warning: variable ‘XX’ set but not used. 2012-06-19 10:27:23 -07:00
Jeremy Allison
2d35fd7259 Fix bug #8811 - sd_has_inheritable_components segfaults on an SD that se_access_check accepts.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Wed Mar 14 05:08:03 CET 2012 on sn-devel-104
2012-03-14 05:08:03 +01:00
Richard Sharpe
44590c1b70 Fix bug #8795 - Samba does not handle the Owner Rights permissions at all
Signed-off-by: Jeremy Allison <jra@samba.org>

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Wed Mar 14 02:26:34 CET 2012 on sn-devel-104
2012-03-14 02:26:34 +01:00
Richard Sharpe
1e8141f40a Fix bug #8797 - Samba does not correctly handle DENY ACEs when privileges apply.
Signed-off-by: Jeremy Allison <jra@samba.org>

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat Mar 10 01:33:45 CET 2012 on sn-devel-104
2012-03-10 01:33:44 +01:00
Richard Sharpe
1082532500 Honor SeTakeOwnershiPrivilege when client asks for SEC_STD_WRITE_OWNER but has no permission for that, but token has SeTakeOwnershipPrivilege
Autobuild-User: Richard Sharpe <sharpe@samba.org>
Autobuild-Date: Wed Feb 22 19:19:32 CET 2012 on sn-devel-104
2012-02-22 19:19:32 +01:00
Jeremy Allison
f15cf9176d Second part of fix for bug #8673 - NT ACL issue.
Ensure we process the entire ACE list instead of returning ACCESS_DENIED
and terminating the walk - ensure we only return the exact bits that cause
the access to be denied. Some of the S3 fileserver needs to know if we
are only denied DELETE access before overriding it by looking at the
containing directory ACL.

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Wed Jan 11 19:24:53 CET 2012 on sn-devel-104
2012-01-11 19:24:53 +01:00
Christian Ambach
53ad886f75 security: add local authority well-known SIDs
add the S-1-2 well-known SID family

Autobuild-User: Christian Ambach <ambi@samba.org>
Autobuild-Date: Thu Nov 24 19:01:08 CET 2011 on sn-devel-104
2011-11-24 19:01:08 +01:00
Andrew Bartlett
055f017b36 build: Reduce build systems to just top level waf and autoconf
The s3-waf build system is a key component of the top level build, but
with this commit is is no longer available directly.  This reduces the
number of build system combinations in master as we prepare for the
Samba 4.0 release.

Andrew Bartlett
2011-10-07 17:42:03 +11:00
Volker Lendecke
fe66abd6ff Adapt del_sid_from_array to Samba coding style
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Wed Aug 17 16:46:24 CEST 2011 on sn-devel-104
2011-08-17 16:46:24 +02:00
Volker Lendecke
e5a6d4cdb6 Fix a typo 2011-08-17 14:11:03 +02:00
Volker Lendecke
28b237b2cc Remove unused "sid_equal" 2011-08-17 12:30:08 +02:00
Volker Lendecke
8fd5e0ff2e Replace calls to sid_equal with calls to dom_sid_equal 2011-08-17 12:30:08 +02:00
Jelmer Vernooij
f8ec7f6cb1 pytalloc: Use consistent prefix for functions, add ABI file. 2011-08-10 15:36:21 +02:00
Stefan Metzmacher
82413e829e libcli/security: add some const to marshall_sec_desc[_buf]()
metze
2011-07-23 09:55:54 +02:00
Volker Lendecke
36e674c134 s3: Allow NULL sd_size in make_sec_desc
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Sat Jun 18 22:26:15 CEST 2011 on sn-devel-104
2011-06-18 22:26:15 +02:00
Günther Deschner
a49c1b7019 libcli/security/secdesc.h: fix licence/copyright
Guenther
2011-06-10 15:11:40 +02:00
Volker Lendecke
b9a727c5f1 Tiny simplification to dom_sid_string_buf
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Tue May 31 23:16:31 CEST 2011 on sn-devel-104
2011-05-31 23:16:31 +02:00
Andrew Bartlett
381423b1bd libcli/security: move secdesc.c to the top level libcli/security
This code does not rely on lp_ or other source3 only functions, so can
be part of the common library.

Andrew Bartlett
2011-05-31 00:32:07 +02:00
Günther Deschner
03b9a9938b libcli/security: fix build warning, cr_descr_log_acl() is not used currently.
Guenther
2011-05-06 10:48:11 +02:00
Volker Lendecke
d4c693df98 Add dom_sid_parse_endp
This returns a pointer to the first non-parsed character, along the lines of
strtoul for example.

Signed-off-by: Jeremy Allison <jra@samba.org>
2011-04-13 14:13:24 -07:00
Andrew Bartlett
663dc94e63 auth: Move auth_session_info into IDL
This changes auth_session_info_transport to just be a wrapper, rather
than a copy that has to be kept in sync.

As auth_session_info was already wrapped in python, this required
changes to the existing pyauth wrapper and it's users.

Andrew Bartlett
2011-04-05 23:46:04 +02:00
Stefan Metzmacher
4928d66fc2 libcli/security: make sure that we don't grant SEC_STD_DELETE to the owner by default
In the file server SEC_STD_DELETE is granted on the file/directory
or by FILE_DELETE_CHILD on the parent directory.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Mar 21 23:25:05 CET 2011 on sn-devel-104
2011-03-21 23:25:05 +01:00
Jelmer Vernooij
fa387825e2 libcli/: Fix prototypes for all functions. 2011-03-19 03:20:05 +01:00
Günther Deschner
e1f84330ba libcli/security: move display_sec headers to own header file and add to
security.h grouping header.

Guenther
2011-03-16 10:11:08 +01:00
Andrew Tridgell
73e7b72936 libcli: openchange doesn't need these headers any more
thanks to Simo for pointing this out

Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Wed Mar 16 00:25:10 CET 2011 on sn-devel-104
2011-03-16 00:25:10 +01:00
Andrew Tridgell
b2b41a5087 libcli: protect access_check.h against double inclusion
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Tue Mar 15 05:07:01 CET 2011 on sn-devel-104
2011-03-15 05:07:01 +01:00
Andrew Tridgell
6c6ab50a40 waf: build substituted public headers in build tree
the bin/default/include/public directory will contain headers that are
ready to install
2011-03-15 12:22:19 +11:00
Volker Lendecke
16b007c223 Quite some callers of sid_split_rid do not care about the rid 2011-03-10 18:48:34 +01:00
Volker Lendecke
70517477f8 Add dom_sid_string_buf
This prints into a fixed buffer with the same overflow semantics as snprintf
has: Return required string length, regardless of whether it fit or not.
2011-03-03 22:08:49 +01:00
Andrew Bartlett
86aa05e860 libcli/security Add unix_token and unix_info to auth_session_info too
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Mar  1 07:13:43 CET 2011 on sn-devel-104
2011-03-01 07:13:43 +01:00