svn commit: samba r4151 - in branches/SAMBA_4_0/source: auth dsdb dsdb/samdb libcli/auth libcli/security

tridge at samba.org tridge at samba.org
Sat Dec 11 13:19:42 GMT 2004 

Author: tridge
Date: 2004-12-11 13:19:41 +0000 (Sat, 11 Dec 2004)
New Revision: 4151

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=4151

Log:
added privilege attribute handling on samdb.

pvfs will now honor some privileges on ACLs, and it will be quite easy
to add the checks for more privileges in the necessary places, by
making calls to sec_privilege_check().


Added:
   branches/SAMBA_4_0/source/dsdb/samdb/samdb_privilege.c
Modified:
   branches/SAMBA_4_0/source/auth/auth_util.c
   branches/SAMBA_4_0/source/dsdb/config.mk
   branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c
   branches/SAMBA_4_0/source/libcli/security/privilege.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/auth_util.c
===================================================================
--- branches/SAMBA_4_0/source/auth/auth_util.c	2004-12-11 12:01:20 UTC (rev 4150)
+++ branches/SAMBA_4_0/source/auth/auth_util.c	2004-12-11 13:19:41 UTC (rev 4151)
@@ -353,6 +353,7 @@
 {
 	struct security_token *ptoken;
 	int i;
+	NTSTATUS status;
 
 	ptoken = security_token_initialise(mem_ctx);
 	if (ptoken == NULL) {
@@ -397,6 +398,13 @@
 			ptoken->sids[ptoken->num_sids++] = groupSIDs[i];
 		}
 	}
+
+	/* setup the privilege mask for this token */
+	status = samdb_privilege_setup(ptoken);
+	if (!NT_STATUS_IS_OK(status)) {
+		talloc_free(ptoken);
+		return status;
+	}
 	
 	debug_security_token(DBGC_AUTH, 10, ptoken);
 	

Modified: branches/SAMBA_4_0/source/dsdb/config.mk
===================================================================
--- branches/SAMBA_4_0/source/dsdb/config.mk	2004-12-11 12:01:20 UTC (rev 4150)
+++ branches/SAMBA_4_0/source/dsdb/config.mk	2004-12-11 13:19:41 UTC (rev 4151)
@@ -6,6 +6,7 @@
 INIT_OBJ_FILES = \
 		dsdb/samdb/samdb.o
 ADD_OBJ_FILES = \
+		dsdb/samdb/samdb_privilege.o \
 		dsdb/common/flag_mapping.o
 REQUIRED_SUBSYSTEMS = \
 		DCERPC_COMMON \

Added: branches/SAMBA_4_0/source/dsdb/samdb/samdb_privilege.c
===================================================================
--- branches/SAMBA_4_0/source/dsdb/samdb/samdb_privilege.c	2004-12-11 12:01:20 UTC (rev 4150)
+++ branches/SAMBA_4_0/source/dsdb/samdb/samdb_privilege.c	2004-12-11 13:19:41 UTC (rev 4151)
@@ -0,0 +1,107 @@
+/* 
+   Unix SMB/CIFS implementation.
+
+   manipulate privilege records in samdb
+
+   Copyright (C) Andrew Tridgell 2004
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include "librpc/gen_ndr/ndr_security.h"
+#include "lib/ldb/include/ldb.h"
+
+/*
+  add privilege bits for one sid to a security_token
+*/
+static NTSTATUS samdb_privilege_setup_sid(void *samctx, TALLOC_CTX *mem_ctx,
+					  const struct dom_sid *sid, 
+					  uint64_t *mask)
+{
+	char *sidstr;
+	const char * const attrs[] = { "privilege", NULL };
+	struct ldb_message **res = NULL;
+	struct ldb_message_element *el;
+	int ret, i;
+	
+	*mask = 0;
+
+	sidstr = dom_sid_string(mem_ctx, sid);
+	if (sidstr == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	ret = samdb_search(samctx, mem_ctx, NULL, &res, attrs, "objectSid=%s", sidstr);
+	if (ret != 1) {
+		talloc_free(sidstr);
+		/* not an error to not match */
+		return NT_STATUS_OK;
+	}
+
+	el = ldb_msg_find_element(res[0], "privilege");
+	if (el == NULL) {
+		talloc_free(sidstr);
+		return NT_STATUS_OK;
+	}
+
+	for (i=0;i<el->num_values;i++) {
+		const char *priv_str = el->values[i].data;
+		int privilege = sec_privilege_id(priv_str);
+		if (privilege == -1) {
+			DEBUG(1,("Unknown privilege '%s' in samdb\n",
+				 priv_str));
+			continue;
+		}
+		*mask |= sec_privilege_mask(privilege);
+	}
+
+	return NT_STATUS_OK;
+}
+
+/*
+  setup the privilege mask for this security token based on our
+  local SAM
+*/
+NTSTATUS samdb_privilege_setup(struct security_token *token)
+{
+	void *samctx;
+	TALLOC_CTX *mem_ctx = talloc(token, 0);
+	int i;
+	NTSTATUS status;
+
+	samctx = samdb_connect(mem_ctx);
+	if (samctx == NULL) {
+		talloc_free(mem_ctx);
+		return NT_STATUS_INTERNAL_DB_CORRUPTION;
+	}
+
+	token->privilege_mask = 0;
+	
+	for (i=0;i<token->num_sids;i++) {
+		uint64_t mask;
+		status = samdb_privilege_setup_sid(samctx, mem_ctx, 
+						   token->sids[i], &mask);
+		if (!NT_STATUS_IS_OK(status)) {
+			talloc_free(mem_ctx);
+			return status;
+		}
+		token->privilege_mask |= mask;
+	}
+
+	talloc_free(mem_ctx);
+
+	return NT_STATUS_OK;	
+}

Modified: branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c
===================================================================
--- branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c	2004-12-11 12:01:20 UTC (rev 4150)
+++ branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c	2004-12-11 13:19:41 UTC (rev 4151)
@@ -716,6 +716,13 @@
 				= dom_sid_add_rid(session_info, sid, 
 						  logon_info->groups[ptoken->num_sids - 2].rid);
 		}
+
+		/* setup any privileges for this token */
+		nt_status = samdb_privilege_setup(ptoken);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			talloc_free(ptoken);
+			return nt_status;
+		}
 		
 		debug_security_token(DBGC_AUTH, 0, ptoken);
 		

Modified: branches/SAMBA_4_0/source/libcli/security/privilege.c
===================================================================
--- branches/SAMBA_4_0/source/libcli/security/privilege.c	2004-12-11 12:01:20 UTC (rev 4150)
+++ branches/SAMBA_4_0/source/libcli/security/privilege.c	2004-12-11 13:19:41 UTC (rev 4151)
@@ -85,12 +85,22 @@
 
 
 /*
+  return a privilege mask given a privilege id
+*/
+uint64_t sec_privilege_mask(unsigned int privilege)
+{
+	uint64_t mask = 1;
+	mask <<= (privilege-1);
+	return mask;
+}
+
+
+/*
   return True if a security_token has a particular privilege bit set
 */
 BOOL sec_privilege_check(const struct security_token *token, unsigned int privilege)
 {
-	uint64_t mask = 1;
-	mask <<= (privilege-1);
+	uint64_t mask = sec_privilege_mask(privilege);
 	if (token->privilege_mask & mask) {
 		return True;
 	}
@@ -102,7 +112,5 @@
 */
 void sec_privilege_set(struct security_token *token, unsigned int privilege)
 {
-	uint64_t mask = 1;
-	mask <<= (privilege-1);
-	token->privilege_mask |= mask;
+	token->privilege_mask |= sec_privilege_mask(privilege);
 }

More information about the samba-cvs mailing list