mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

21 Commits

Author SHA1 Message Date
Andrew Bartlett
821b9e61aa privs Move privilege bitmasks to security.idl
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11 18:46:04 +10:00
Andrew Bartlett
42a98a570b s3:privileges Change SE_PRIV to be just a uint64_t
We don't need 128 possible privileges here, as we only use 12.

This reverts some of 46e5effea9
by Jerry back in 2005, where he introduced the SE_PRIV structure
to replace the uint32_t used at the time.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11 18:46:03 +10:00
Günther Deschner
4591fdbc18 s3-privileges: use LUID defines from lsa IDL.
Guenther
2010-06-07 10:33:36 +02:00
Günther Deschner
af5a71d528 s3-lsa: use LSA_POLICY_MODE flags in _lsa_GetSystemAccessAccount().
Guenther
2009-04-30 14:28:38 +02:00
Jeremy Allison
30191d1a57 RIP BOOL. Convert BOOL -> bool. I found a few interesting
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.
(This used to be commit f35a266b3c)
2007-10-18 17:40:25 -07:00
Andrew Tridgell
5e54558c6d r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text
(This used to be commit b0132e94fc)
2007-10-10 12:28:22 -05:00
Jeremy Allison
d824b98f80 r23779: Change from v2 or later to v3 or later.
Jeremy.
(This used to be commit 407e6e695b)
2007-10-10 12:28:20 -05:00
Michael Adam
6090601c8b r23485: This checkin consists mostly of refactorings in preparation of the
activation of global registry options in loadparm.c, mainly to
extract functionality from net_conf.c to be made available elsewhere
and to minimize linker dependencies.

In detail:

* move functions registry_push/pull_value from lib/util_reg.c to new file
  lib/util_reg_api.c

* create a fake user token consisting of builtin administrators sid and
  se_disk_operators privilege by hand instead of using get_root_nt_token()
  to minimize linker deps for bin/net.

  + new function registry_create_admin_token() in new lib/util_reg_smbconf.c
  + move dup_nt_token from auth/token_util.c to new file lib/util_nttoken.c
  + adapt net_conf.c and Makefile.in accordingly.

* split lib/profiles.c into two parts: new file lib/profiles_basic.c
  takes all the low level mask manipulation and format conversion functions
  (se_priv, privset, luid). the privs array is completely hidden from
  profiles.c by adding some access-functions. some mask-functions are not
  static anymore.

  Generally, SID- and LUID-related stuff that has more dependencies
  is kept in lib/profiles.c

* Move initialization of regdb from net_conf.c into a function
  registry_init_regdb() in lib/util_reg_smbconf.c.

Michael
(This used to be commit efd3e2bfb7)
2007-10-10 12:23:21 -05:00
Stefan Metzmacher
beecb90440 r18784: hopefully fix the BOOL bug on AIX
metze
(This used to be commit 454d9590de)
2007-10-10 12:00:57 -05:00
Günther Deschner
e722cb25d8 r9952: Adapt better to the Windows way of taking and assigning ownership:
* Users with SeRestorePrivilege may chown files to anyone (be it as a
backup software or directly using the ownership-tab in the security
acl editor on xp), while

* Users with SeTakeOwnershipPrivilege only can chown to themselves.

Simo, Jeremy. I think this is correct now.

Guenther
(This used to be commit 1ef7a192ee)
2007-10-10 11:03:29 -05:00
Gerald Carter
270b90e25f r7995: * privileges are local except when they're *not*
printmig.exe assumes that the LUID of the SeBackupPrivilege
  on the target server matches the LUID of the privilege
  on the local client.  Even though an LUID is never guaranteed
  to be the same across reboots.  How *awful*!  My cat could
  write better code! (more on my cat later....)

* Set the privilege LUID in the global PRIVS[] array

* Rename RegCreateKey() to RegCreateKeyEx() to better match MSDN

* Rename the unknown field in RegCreateKeyEx() to disposition
  (guess according to MSDN)

* Add the capability to define REG_TDB_ONLY for using the reg_db.c
  functions and stress the RegXXX() rpc functions.
(This used to be commit 0d6352da48)
2007-10-10 10:58:07 -05:00
Gerald Carter
129b461673 r7440: * merge registry server changes from trunk (so far) for more
printmig.exe work
* merge the sys_select_signal(char c) change from trunk
  in order to keep the winbind code in sync
(This used to be commit a112c5570a)
2007-10-10 10:57:09 -05:00
Gerald Carter
66df8431ec r5726: merge LsaLookupPrivValue() code from trunk
(This used to be commit 277203b535)
2007-10-10 10:55:57 -05:00
Gerald Carter
a84bb6d1ec r5203: additional changes for BUG 2291 to restrict who can join a BDC and add domain trusts
(This used to be commit 5ec1faa2ad)
2007-10-10 10:55:32 -05:00
Gerald Carter
b3757eadf0 r4849: * finish SeAddUsers support in srv_samr_nt.c
* define some const SE_PRIV structure for use when
  you need a SE_PRIV* to a privilege
* fix an annoying compiler warning in smbfilter.c
* translate SIDs to names in 'net rpc rights list accounts'
* fix a seg fault in cli_lsa_enum_account_rights caused by
  me forgetting the precedence of * vs. []
(This used to be commit d25fc84bc2)
2007-10-10 10:53:59 -05:00
Gerald Carter
ade3ef6f04 r4809: * include SeDiskOperatorPrivilege and SeRemoteShutdownPrivilege
(not enforced yet though)
* add 'enable privileges' (off by default) to control whether or
  not any privileges can be assigned to SIDs
(This used to be commit cf63519169)
2007-10-10 10:53:55 -05:00
Gerald Carter
46e5effea9 r4805: Last planned change to the privileges infrastructure:
* rewrote the tdb layout of privilege records in account_pol.tdb
  (allow for 128 bits instead of 32 bit flags)
* migrated to using SE_PRIV structure instead of the PRIVILEGE_SET
  structure.  The latter is now used for parsing routines mainly.

Still need to incorporate some client support into 'net' so
for setting privileges.  And make use of the SeAddUserPrivilege
right.
(This used to be commit 41dc7f7573)
2007-10-10 10:53:55 -05:00
Gerald Carter
d94d87472c r4724: Add support for Windows privileges in Samba 3.0
(based on Simo's code in trunk).  Rewritten with the
following changes:

* privilege set is based on a 32-bit mask instead of strings
  (plans are to extend this to a 64 or 128-bit mask before
   the next 3.0.11preX release).
* Remove the privilege code from the passdb API
  (replication to come later)
* Only support the minimum amount of privileges that make
  sense.
* Rewrite the domain join checks to use the SeMachineAccountPrivilege
  instead of the 'is a member of "Domain Admins"?' check that started
  all this.

Still todo:

* Utilize the SePrintOperatorPrivilege in addition to the 'printer admin'
  parameter
* Utilize the SeAddUserPrivilege for adding users and groups
* Fix some of the hard coded _lsa_*() calls
* Start work on enough of SAM replication to get privileges from one
  Samba DC to another.
* Come up with some management tool for manipulating privileges
  instead of user manager since it is buggy when run on a 2k client
  (haven't tried xp).  Works ok on NT4.
(This used to be commit 77c10ff9aa)
2007-10-10 10:53:51 -05:00
Simo Sorce
b1f610ebb1 split some security related functions in their own files.
(no need to include all of smbd files to use some basic sec functions)

also minor compile fixes
couldn't compile to test these due to some kerberos problems with 3.0,
but on HEAD they're working well, so I suppose it's ok to commit
(This used to be commit c78f2d0bd1)
2003-10-06 01:38:46 +00:00
Simo Sorce
75a5c0b307 Ok, this patch removes the privilege stuff we had in, unused, for some time.
The code was nice, but put in the wrong place (group mapping) and not
supported by most of the code, thus useless.

We will put back most of the code when our infrastructure will be changed
so that privileges actually really make sense to be set.

This is a first patch of a set to enhance all our mapping code cleanness and
stability towards a sane next beta for 3.0 code base

Simo.
(This used to be commit e341e7c49f)
2003-06-18 15:24:10 +00:00
Simo Sorce
9cd45eeaf9 sort out some include dependencies
split out privileges from rpc_lsa.h
(This used to be commit 37d7cc8162)
2003-05-06 13:10:10 +00:00