svn commit: samba r4056 - in branches/SAMBA_4_0/source: libcli/security ntvfs/posix

tridge at samba.org tridge at samba.org
Fri Dec 3 13:04:11 GMT 2004


Author: tridge
Date: 2004-12-03 13:04:10 +0000 (Fri, 03 Dec 2004)
New Revision: 4056

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=4056

Log:
modified the access check code based on results from RAW-ACLS
test. Also added generic mapping bits for pvfs. We don't pass RAW-ACLS
yet, but it's close.


Modified:
   branches/SAMBA_4_0/source/libcli/security/access_check.c
   branches/SAMBA_4_0/source/ntvfs/posix/pvfs_acl.c


Changeset:
Modified: branches/SAMBA_4_0/source/libcli/security/access_check.c
===================================================================
--- branches/SAMBA_4_0/source/libcli/security/access_check.c	2004-12-03 07:20:30 UTC (rev 4055)
+++ branches/SAMBA_4_0/source/libcli/security/access_check.c	2004-12-03 13:04:10 UTC (rev 4056)
@@ -42,13 +42,16 @@
 /*
   perform a SEC_FLAG_MAXIMUM_ALLOWED access check
 */
-static NTSTATUS access_check_max_allowed(struct security_descriptor *sd, 
-					 struct nt_user_token *token, 
-					 uint32_t *access_granted)
+static uint32_t access_check_max_allowed(struct security_descriptor *sd, 
+					 struct nt_user_token *token)
 {
 	uint32_t denied = 0, granted = 0;
-	int i;
+	unsigned i;
 	
+	if (sid_active_in_token(sd->owner_sid, token)) {
+		granted |= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL);
+	}
+
 	for (i = 0;i<sd->dacl->num_aces; i++) {
 		struct security_ace *ace = &sd->dacl->aces[i];
 
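Review bot: The owner branch in access_check_max_allowed ORs in `~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL)`, which sets every bit except the two that the comment further down in sec_access_check says the owner always gets. That looks like an inverted mask: as written, an owner's maximum-allowed result carries all other rights, flag and generic bits included, unless a deny ACE clears them, and it never gains WRITE_DAC or READ_CONTROL from ownership. The line should probably read `granted |= SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL;`. The loop body continues outside this hunk.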
@@ -67,15 +70,7 @@
 		}
 	}
 
-	granted &= ~denied;
-
-	if (granted == 0) {
-		return NT_STATUS_ACCESS_DENIED;
-	}
-
-	*access_granted = granted;
-
-	return NT_STATUS_OK;	
+	return granted & ~denied;
 }
 
 /*
@@ -89,16 +84,15 @@
 	int i;
 	uint32_t bits_remaining;
 
-	bits_remaining = access_desired;
-
-	/* the owner always gets SEC_STD_WRITE_DAC & SEC_STD_READ_CONTROL */
-	if (bits_remaining & (SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL)) {
-		if (sid_active_in_token(sd->owner_sid, token)) {
-			bits_remaining &= 
-				~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL);
-		}
+	/* handle the maximum allowed flag */
+	if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
+		access_desired |= access_check_max_allowed(sd, token);
+		access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
 	}
 
+	*access_granted = access_desired;
+	bits_remaining = access_desired;
+
 #if 0
 	/* this is where we should check for the "system security" privilege, once we 
 	   move to the full security_token and not just the nt_user_token */
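Review bot: access_check_max_allowed() is now called at the top of sec_access_check, and it walks `sd->dacl->num_aces` without testing `sd->dacl`. If the early `NT_STATUS_ACCESS_DENIED` return visible at the start of the next hunk is the missing-DACL check (its condition is not shown), a SEC_FLAG_MAXIMUM_ALLOWED request against a descriptor with no DACL would dereference NULL before reaching it. Either move this block below that check or add `if (sd->dacl == NULL) return granted;` ahead of the loop in access_check_max_allowed. The `int i` declaration left in this function also no longer matches the `unsigned i` the commit switched to in the helper.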
@@ -122,9 +116,10 @@
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	/* handle the maximum allowed case separately */
-	if (access_desired == SEC_FLAG_MAXIMUM_ALLOWED) {
-		return access_check_max_allowed(sd, token, access_granted);
+	/* the owner always gets SEC_STD_WRITE_DAC & SEC_STD_READ_CONTROL */
+	if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL)) &&
+	    sid_active_in_token(sd->owner_sid, token)) {
+		bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL);
 	}
 
 	/* check each ace in turn. */
@@ -156,7 +151,5 @@
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	*access_granted = access_desired;
-
 	return NT_STATUS_OK;
 }

Modified: branches/SAMBA_4_0/source/ntvfs/posix/pvfs_acl.c
===================================================================
--- branches/SAMBA_4_0/source/ntvfs/posix/pvfs_acl.c	2004-12-03 07:20:30 UTC (rev 4055)
+++ branches/SAMBA_4_0/source/ntvfs/posix/pvfs_acl.c	2004-12-03 13:04:10 UTC (rev 4056)
@@ -28,6 +28,38 @@
 
 
 /*
+  map a single access_mask from generic to specific bits for files/dirs
+*/
+static uint32_t pvfs_translate_mask(uint32_t access_mask)
+{
+	if (access_mask & SEC_MASK_GENERIC) {
+		if (access_mask & SEC_GENERIC_READ)    access_mask |= SEC_RIGHTS_FILE_READ;
+		if (access_mask & SEC_GENERIC_WRITE)   access_mask |= SEC_RIGHTS_FILE_WRITE;
+		if (access_mask & SEC_GENERIC_EXECUTE) access_mask |= SEC_RIGHTS_FILE_EXECUTE;
+		if (access_mask & SEC_GENERIC_ALL)     access_mask |= SEC_RIGHTS_FILE_ALL;
+		access_mask &= ~SEC_MASK_GENERIC;
+	}
+	return access_mask;
+}
+
+
+/*
+  map any generic access bits in the given acl
+  this relies on the fact that the mappings for files and directories
+  are the same
+*/
+static void pvfs_translate_generic_bits(struct security_acl *acl)
+{
+	unsigned i;
+
+	for (i=0;i<acl->num_aces;i++) {
+		struct security_ace *ace = &acl->aces[i];
+		ace->access_mask = pvfs_translate_mask(ace->access_mask);
+	}
+}
+
+
+/*
   setup a default ACL for a file
 */
 static NTSTATUS pvfs_default_acl(struct pvfs_state *pvfs,
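Review bot: pvfs_translate_generic_bits() dereferences `acl->num_aces` with no NULL test, and the call sites added in the next hunk of this file pass `sd->dacl` and `sd->sacl` straight after copying them from `new_sd`, which appears to be the descriptor supplied with the set request. Whether `new_sd->dacl` or `new_sd->sacl` can be NULL when the matching SECINFO flag is set is not visible in the diff; if it can, a set-security request would crash the server here. A guard as the first statement, `if (acl == NULL) return;`, covers both call sites.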
@@ -222,9 +254,11 @@
 	}
 	if (secinfo_flags & SECINFO_DACL) {
 		sd->dacl = new_sd->dacl;
+		pvfs_translate_generic_bits(sd->dacl);
 	}
 	if (secinfo_flags & SECINFO_SACL) {
 		sd->sacl = new_sd->sacl;
+		pvfs_translate_generic_bits(sd->sacl);
 	}
 
 	status = pvfs_acl_save(pvfs, name, fd, acl);
@@ -343,8 +377,15 @@
 		return NT_STATUS_INVALID_ACL;
 	}
 
+	/* expand the generic access bits to file specific bits */
+	*access_mask = pvfs_translate_mask(*access_mask);
+
+	/* check the acl against the required access mask */
 	status = sec_access_check(sd, token, *access_mask, access_mask);
 
+	/* this bit is always granted, even if not asked for */
+	*access_mask |= SEC_FILE_READ_ATTRIBUTE;
+
 	talloc_free(acl);
 	
 	return status;
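Review bot: `*access_mask |= SEC_FILE_READ_ATTRIBUTE;` runs whatever `status` is, and with this commit sec_access_check stores the requested mask in its out parameter before any ACE is examined. On a denied check the caller therefore gets back the rights that were asked for plus READ_ATTRIBUTE, which is only safe if every caller tests the returned status before using the mask. Gating the line, `if (NT_STATUS_IS_OK(status)) { *access_mask |= SEC_FILE_READ_ATTRIBUTE; }`, and noting in the function comment that the mask is meaningful only on NT_STATUS_OK would make that explicit. The function starts outside this hunk.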


