[SCM] Samba Shared Repository - branch master updated

Andrew Tridgell tridge at samba.org
Wed Oct 13 21:17:01 MDT 2010


The branch, master has been updated
       via  40a6e01 security: ensure the merge of libcli/security doesn't change s3 behaviour
       via  f7ffc12 libcli/security Use static SIDs rather than parsing from strings
       via  a879a46 libcli/auth Merge source4/libcli/security and util_sid.c into the common code
       via  8b22eef libcli/security Define traditional constants in terms of IDL macros
       via  949541c libcli/security Move source3/lib/util_seaccess.c into the common code
       via  353d9bc s4-acl Merge sec_access_check() with se_access_check() from source3/
       via  058daa1 s3-acl Use uint32_t for counting the ACEs
       via  a040466 s3-acl Merge source4-supported privileges into se_access_check
       via  7c6105e s3-util_nttoken.c Also copy the rights_mask when copying a security_token
       via  170b345 s3-auth Use security_token_debug() from common code
       via  58cf837 s3-auth use security_token_has_sid() from the common code
       via  deb7c02 s3 Replace is_sid_in_token() with security_token_has_sid() from common code
      from  c41bb6e s4: show samba version in bin/samba -b

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 40a6e019fdb9ed3d736883b7ba349a976f215208
Author: Andrew Tridgell <tridge at samba.org>
Date:   Thu Oct 14 13:32:17 2010 +1100

    security: ensure the merge of libcli/security doesn't change s3 behaviour
    
    Jeremy, you put a #if 0 around this logic in this commit:
    
      8344e945 (Jeremy Allison    2008-10-31 10:51:45 -0700 181)
    
    is this still needed?
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User: Andrew Tridgell <tridge at samba.org>
    Autobuild-Date: Thu Oct 14 03:16:41 UTC 2010 on sn-devel-104

commit f7ffc12e2d43bd2dddb0a29eb778ff69a6b2802d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Sep 21 07:14:38 2010 +1000

    libcli/security Use static SIDs rather than parsing from strings
    
    This should make the security_token_is_*() calls a little faster.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Tridgell <tridge at samba.org>

commit a879a4610dac03b814ad40800f408416d250c6be
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Sep 18 12:55:31 2010 +1000

    libcli/auth Merge source4/libcli/security and util_sid.c into the common code
    
    This should ensure we only have one copy of these core functions
    in the tree.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Tridgell <tridge at samba.org>

commit 8b22eefd252e5d8d787ce3368d54b23d75b00310
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Sep 20 14:48:00 2010 +1000

    libcli/security Define traditional constants in terms of IDL macros
    
    The source3/ code uses these constants in a lot of places, and it will
    take time and care to rename them, if that is desired.  Linking the
    macros here will at least allow common code to use the IDL based macros,
    and preserve a documentary link between the constants (other than just their value)
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Tridgell <tridge at samba.org>

commit 949541cc6f42651344c14dc6f673e72a3e7db947
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Sep 18 11:06:02 2010 +1000

    libcli/security Move source3/lib/util_seaccess.c into the common code
    
    Signed-off-by: Andrew Tridgell <tridge at samba.org>

commit 353d9bc3e42bc051119c205ac981fc819c6877b4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Sep 18 10:58:10 2010 +1000

    s4-acl Merge sec_access_check() with se_access_check() from source3/
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Tridgell <tridge at samba.org>

commit 058daa1cf5742fc95fc15141bbd5fad96d02dee6
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Sep 18 10:54:37 2010 +1000

    s3-acl Use uint32_t for counting the ACEs
    
    Signed-off-by: Andrew Tridgell <tridge at samba.org>

commit a040466d0d6866f2ede22261fbd90018773b03de
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Sep 18 10:29:02 2010 +1000

    s3-acl Merge source4-supported privileges into se_access_check
    
    This will shortly be the common se_access_check function.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Tridgell <tridge at samba.org>

commit 7c6105ec27612adc712d3afcd3a794b6b7d32d8d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Sep 17 16:23:53 2010 +1000

    s3-util_nttoken.c Also copy the rights_mask when copying a security_token
    
    These are unused in source3/ code at the moment, but it would be
    unfortunate if that were to change, and this function not be updated.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Tridgell <tridge at samba.org>

commit 170b345e0c688b178eb37a73a8110dec68a8ae31
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Sep 17 15:31:28 2010 +1000

    s3-auth Use security_token_debug() from common code
    
    This prints the security token including the privileges as strings
    instead of just a bitmap.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Tridgell <tridge at samba.org>

commit 58cf83732a3af2cf2098b1b2108e4b5f36e8fa9e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Sep 17 14:55:56 2010 +1000

    s3-auth use security_token_has_sid() from the common code
    
    The wrapper call is left here to avoid changing semantics for
    the NULL parameter case.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Tridgell <tridge at samba.org>

commit deb7c0243663d3fa435531bad77d2897b1d15285
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Sep 17 13:08:59 2010 +1000

    s3 Replace is_sid_in_token() with security_token_has_sid() from common code
    
    The two routines are identical, so there is no need to keep both.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Tridgell <tridge at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 {source4/libcli => libcli}/security/access_check.c |  149 ++++++++--
 libcli/security/access_check.h                     |   78 +++++
 .../libcli => libcli}/security/create_descriptor.c |    0
 libcli/security/dom_sid.c                          |    4 +-
 libcli/security/dom_sid.h                          |   51 +++
 {source4/libcli => libcli}/security/object_tree.c  |    0
 libcli/security/security.h                         |   69 ++++-
 libcli/security/security_descriptor.h              |   13 +
 libcli/security/security_token.c                   |   10 +-
 {source3/lib => libcli/security}/util_sid.c        |  268 +++-------------
 libcli/security/wscript_build                      |    4 +-
 libgpo/gpo_ldap.c                                  |    2 +-
 nsswitch/wscript_build                             |    2 +-
 source3/Makefile.in                                |    6 +-
 source3/auth/auth_util.c                           |    2 +-
 source3/auth/token_util.c                          |   37 +--
 source3/include/proto.h                            |   28 --
 source3/include/smb.h                              |   91 ------
 source3/lib/util_nttoken.c                         |    4 +
 source3/lib/util_seaccess.c                        |  247 ---------------
 source3/lib/util_sid.c                             |  325 +-------------------
 source3/rpc_server/srv_samr_nt.c                   |    6 +-
 source3/rpc_server/srv_wkssvc_nt.c                 |    6 +-
 source3/smbd/sec_ctx.c                             |    3 +-
 source3/utils/net_proto.h                          |    1 -
 source3/utils/net_rpc.c                            |    2 +-
 source3/winbindd/winbindd_pam.c                    |    2 +-
 source3/winbindd/winbindd_proto.h                  |    1 -
 source3/winbindd/winbindd_util.c                   |    2 +-
 source4/lib/policy/gp_ldap.c                       |    2 +-
 source4/libcli/raw/smb.h                           |   13 -
 source4/libcli/security/wscript_build              |    8 +-
 source4/ntvfs/posix/pvfs_acl.c                     |    2 +-
 source4/rpc_server/srvsvc/dcesrv_srvsvc.c          |    2 +-
 source4/torture/rpc/lsa.c                          |   17 -
 source4/torture/rpc/lsa_lookup.c                   |   17 -
 36 files changed, 419 insertions(+), 1055 deletions(-)
 rename {source4/libcli => libcli}/security/access_check.c (74%)
 create mode 100644 libcli/security/access_check.h
 rename {source4/libcli => libcli}/security/create_descriptor.c (100%)
 rename {source4/libcli => libcli}/security/object_tree.c (100%)
 copy {source3/lib => libcli/security}/util_sid.c (62%)
 delete mode 100644 source3/lib/util_seaccess.c


Changeset truncated at 500 lines:

diff --git a/source4/libcli/security/access_check.c b/libcli/security/access_check.c
similarity index 74%
rename from source4/libcli/security/access_check.c
rename to libcli/security/access_check.c
index e8b8ee8..35ee057 100644
--- a/source4/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -1,9 +1,11 @@
 /*
    Unix SMB/CIFS implementation.
 
-   security access checking routines
-
    Copyright (C) Andrew Tridgell 2004
+   Copyright (C) Gerald Carter 2005
+   Copyright (C) Volker Lendecke 2007
+   Copyright (C) Jeremy Allison 2008
+   Copyright (C) Andrew Bartlett 2010
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
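Review bot: The header at the top of access_check.c loses its only description line ("security access checking routines") while gaining four copyright lines, so the file no longer says what it is for. Keep a one-line purpose statement, updated if needed to mention that the file now also holds the generic and standard mapping helpers.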
@@ -22,15 +24,93 @@
 #include "includes.h"
 #include "libcli/security/security.h"
 
+/* Map generic access rights to object specific rights.  This technique is
+   used to give meaning to assigning read, write, execute and all access to
+   objects.  Each type of object has its own mapping of generic to object
+   specific access rights. */
+
+void se_map_generic(uint32_t *access_mask, const struct generic_mapping *mapping)
+{
+	uint32_t old_mask = *access_mask;
+
+	if (*access_mask & GENERIC_READ_ACCESS) {
+		*access_mask &= ~GENERIC_READ_ACCESS;
+		*access_mask |= mapping->generic_read;
+	}
+
+	if (*access_mask & GENERIC_WRITE_ACCESS) {
+		*access_mask &= ~GENERIC_WRITE_ACCESS;
+		*access_mask |= mapping->generic_write;
+	}
+
+	if (*access_mask & GENERIC_EXECUTE_ACCESS) {
+		*access_mask &= ~GENERIC_EXECUTE_ACCESS;
+		*access_mask |= mapping->generic_execute;
+	}
+
+	if (*access_mask & GENERIC_ALL_ACCESS) {
+		*access_mask &= ~GENERIC_ALL_ACCESS;
+		*access_mask |= mapping->generic_all;
+	}
+
+	if (old_mask != *access_mask) {
+		DEBUG(10, ("se_map_generic(): mapped mask 0x%08x to 0x%08x\n",
+			   old_mask, *access_mask));
+	}
+}
+
+/* Map generic access rights to object specific rights for all the ACE's
+ * in a security_acl.
+ */
+
+void security_acl_map_generic(struct security_acl *sa,
+				const struct generic_mapping *mapping)
+{
+	unsigned int i;
+
+	if (!sa) {
+		return;
+	}
+
+	for (i = 0; i < sa->num_aces; i++) {
+		se_map_generic(&sa->aces[i].access_mask, mapping);
+	}
+}
+
+/* Map standard access rights to object specific rights.  This technique is
+   used to give meaning to assigning read, write, execute and all access to
+   objects.  Each type of object has its own mapping of standard to object
+   specific access rights. */
+
+void se_map_standard(uint32_t *access_mask, const struct standard_mapping *mapping)
+{
+	uint32_t old_mask = *access_mask;
+
+	if (*access_mask & SEC_STD_READ_CONTROL) {
+		*access_mask &= ~SEC_STD_READ_CONTROL;
+		*access_mask |= mapping->std_read;
+	}
+
+	if (*access_mask & (SEC_STD_DELETE|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE)) {
+		*access_mask &= ~(SEC_STD_DELETE|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE);
+		*access_mask |= mapping->std_all;
+	}
+
+	if (old_mask != *access_mask) {
+		DEBUG(10, ("se_map_standard(): mapped mask 0x%08x to 0x%08x\n",
+			   old_mask, *access_mask));
+	}
+}
+
 /*
   perform a SEC_FLAG_MAXIMUM_ALLOWED access check
 */
-static uint32_t access_check_max_allowed(const struct security_descriptor *sd, 
-					 const struct security_token *token)
+static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
+					const struct security_token *token)
 {
 	uint32_t denied = 0, granted = 0;
-	uint32_t i;
-	
+	unsigned i;
+
 	if (security_token_has_sid(token, sd->owner_sid)) {
 		granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_STD_DELETE;
 	} else if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
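Review bot: The ACE loop counter in access_check_max_allowed() goes from `uint32_t i` to `unsigned i`, and security_acl_map_generic() uses `unsigned int i`, which runs against commit 058daa1 in this same push ("Use uint32_t for counting the ACEs"). Use uint32_t in both places so the counter type is consistent across the merged file. Two smaller points: the comment above se_map_standard() is a copy of the se_map_generic() one and still talks about "read, write, execute and all", while the function only maps to std_read and std_all; and se_map_generic() dereferences `mapping` and `access_mask` unconditionally while security_acl_map_generic() guards against a NULL `sa`, so say in the comment that both arguments must be non-NULL.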
@@ -40,7 +120,7 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
 	if (sd->dacl == NULL) {
 		return granted & ~denied;
 	}
-	
+
 	for (i = 0;i<sd->dacl->num_aces; i++) {
 		struct security_ace *ace = &sd->dacl->aces[i];
 
@@ -68,25 +148,12 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
 	return granted & ~denied;
 }
 
-static const struct GUID *get_ace_object_type(struct security_ace *ace)
-{
-        struct GUID *type;
-
-        if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT)
-                type = &ace->object.object.type.type;
-        else if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)
-                type = &ace->object.object.inherited_type.inherited_type; /* This doesn't look right. Is something wrong with the IDL? */
-        else
-                type = NULL;
-
-        return type;
-
-}
-
 /*
-  the main entry point for access checking. 
+  The main entry point for access checking. If returning ACCESS_DENIED
+  this function returns the denied bits in the uint32_t pointed
+  to by the access_granted pointer.
 */
-NTSTATUS sec_access_check(const struct security_descriptor *sd, 
+NTSTATUS se_access_check(const struct security_descriptor *sd,
 			  const struct security_token *token,
 			  uint32_t access_desired,
 			  uint32_t *access_granted)
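Review bot: The new comment above se_access_check() gives `access_granted` a second meaning (denied bits) without saying what it holds on NT_STATUS_OK or on other error returns. Spell out both cases in the comment, since the parameter name suggests the opposite of what a caller gets on failure. The continuation lines of the prototype are also still indented for the old, longer function name; access_check.h already uses the corrected alignment.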
@@ -99,12 +166,23 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
 
 	/* handle the maximum allowed flag */
 	if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
+		uint32_t orig_access_desired = access_desired;
+
 		access_desired |= access_check_max_allowed(sd, token);
 		access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
 		*access_granted = access_desired;
 		bits_remaining = access_desired & ~SEC_STD_DELETE;
+
+		DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n",
+			orig_access_desired,
+			*access_granted,
+			bits_remaining));
 	}
 
+#if (_SAMBA_BUILD_ >= 4)
+	/* s3 had this with #if 0 previously. To be sure the merge
+	   doesn't change any behaviour, we have the above #if check
+	   on _SAMBA_BUILD_. */
 	if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
 		if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
 			bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
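Review bot: The `#if (_SAMBA_BUILD_ >= 4)` added around the SEC_FLAG_SYSTEM_SECURITY block means the common se_access_check() only applies the SEC_PRIV_SECURITY test in the s4 build; in the s3 build the bit is left in bits_remaining and handled by whatever follows. That is a deliberate behaviour-preserving choice per the commit message, but the in-code comment should name the original commit (8344e945) and mark the conditional as temporary, so the open question to Jeremy does not get lost once this mail thread is forgotten. Minor: the new DEBUG line prints with 0x%x while se_map_generic() and se_map_standard() use 0x%08x; pick one.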
@@ -112,6 +190,7 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
 			return NT_STATUS_PRIVILEGE_NOT_HELD;
 		}
 	}
+#endif
 
 	/* a NULL dacl allows access */
 	if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
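Review bot: The `return NT_STATUS_PRIVILEGE_NOT_HELD;` just above the new `#endif` leaves `*access_granted` untouched, whereas the `done:` path now writes the denied bits into it. The header comment only promises that for ACCESS_DENIED, so this is consistent, but a caller logging the denied mask on any failure would read a stale value here; either set it before this return as well or note the exception in the function comment. Please also label the directive, e.g. `#endif /* _SAMBA_BUILD_ >= 4 */`, since the matching `#if` is some lines away.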
@@ -124,6 +203,10 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
 	    security_token_has_sid(token, sd->owner_sid)) {
 		bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE);
 	}
+	if ((bits_remaining & SEC_STD_DELETE) &&
+	    (security_token_has_privilege(token, SEC_PRIV_RESTORE))) {
+		bits_remaining &= ~SEC_STD_DELETE;
+	}
 	if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
 	    security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
 		bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
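Review bot: The new SEC_STD_DELETE test sits directly above an existing test of the same privilege (SEC_PRIV_RESTORE) against SEC_RIGHTS_PRIV_RESTORE, with no comment on why delete needs its own clause. If SEC_RIGHTS_PRIV_RESTORE does not already cover SEC_STD_DELETE, add a line saying this comes from the s3 se_access_check() behaviour; if it does, the new block is redundant and can be dropped. The extra parentheses around the security_token_has_privilege() call also differ from the neighbouring conditions.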
@@ -166,12 +249,29 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
 
 done:
 	if (bits_remaining != 0) {
+		*access_granted = bits_remaining;
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
 	return NT_STATUS_OK;
 }
 
+
+static const struct GUID *get_ace_object_type(struct security_ace *ace)
+{
+        struct GUID *type;
+
+        if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT)
+                type = &ace->object.object.type.type;
+        else if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)
+                type = &ace->object.object.inherited_type.inherited_type; /* This doesn't look right. Is something wrong with the IDL? */
+        else
+                type = NULL;
+
+        return type;
+
+}
+
 /* modified access check for the purposes of DS security
  * Lots of code duplication, it will ve united in just one
  * function eventually */
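Review bot: At `done:`, the new `*access_granted = bits_remaining;` replaces the mask that the SEC_FLAG_MAXIMUM_ALLOWED branch stored earlier with the denied bits, and nothing at the assignment says so. Add a short comment there (for example "on denial, report the bits that could not be granted") so a reader does not take it for a bug. Separately, get_ace_object_type() is moved verbatim: it keeps its space indentation in a tab-indented file and the unresolved "This doesn't look right. Is something wrong with the IDL?" remark; since the lines are being touched anyway, reindent them and either resolve or ticket the question. The context comment below also still has the typo "ve united".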
@@ -299,4 +399,3 @@ done:
 
         return NT_STATUS_OK;
 }
-
diff --git a/libcli/security/access_check.h b/libcli/security/access_check.h
new file mode 100644
index 0000000..700f981
--- /dev/null
+++ b/libcli/security/access_check.h
@@ -0,0 +1,78 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   Copyright (C) Andrew Tridgell 2004
+   Copyright (C) Gerald Carter 2005
+   Copyright (C) Volker Lendecke 2007
+   Copyright (C) Jeremy Allison 2008
+   Copyright (C) Andrew Bartlett 2010
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "librpc/gen_ndr/security.h"
+
+/* Map generic access rights to object specific rights.  This technique is
+   used to give meaning to assigning read, write, execute and all access to
+   objects.  Each type of object has its own mapping of generic to object
+   specific access rights. */
+
+void se_map_generic(uint32_t *access_mask, const struct generic_mapping *mapping);
+
+/* Map generic access rights to object specific rights for all the ACE's
+ * in a security_acl.
+ */
+void security_acl_map_generic(struct security_acl *sa,
+			      const struct generic_mapping *mapping);
+
+/* Map standard access rights to object specific rights.  This technique is
+   used to give meaning to assigning read, write, execute and all access to
+   objects.  Each type of object has its own mapping of standard to object
+   specific access rights. */
+void se_map_standard(uint32_t *access_mask, const struct standard_mapping *mapping);
+
+/*
+  The main entry point for access checking. If returning ACCESS_DENIED
+  this function returns the denied bits in the uint32_t pointed
+  to by the access_granted pointer.
+*/
+NTSTATUS se_access_check(const struct security_descriptor *sd,
+			 const struct security_token *token,
+			 uint32_t access_desired,
+			 uint32_t *access_granted);
+
+/* modified access check for the purposes of DS security
+ * Lots of code duplication, it will ve united in just one
+ * function eventually */
+
+NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
+			     const struct security_token *token,
+			     uint32_t access_desired,
+			     uint32_t *access_granted,
+			     struct object_tree *tree,
+			     struct dom_sid *replace_sid);
+
+bool insert_in_object_tree(TALLOC_CTX *mem_ctx,
+			  const struct GUID *guid,
+			  uint32_t init_access,
+			  struct object_tree **root,
+			   struct object_tree **new_node);
+
+/* search by GUID */
+struct object_tree *get_object_tree_by_GUID(struct object_tree *root,
+					    const struct GUID *guid);
+
+/* Change the granted access per each ACE */
+void object_tree_modify_access(struct object_tree *root,
+			       uint32_t access);
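Review bot: The new access_check.h has no include guard, unlike dom_sid.h in the same directory, which ends with `#endif /*_DOM_SID_H_*/`. Add a guard, because security.h now includes this header unconditionally and other files may include it directly. The prototypes also use struct object_tree and TALLOC_CTX without a declaration or include of their own, so the header only compiles when pulled in after security.h has defined them; a forward declaration would make it self-contained. Small things: "it will ve united" is copied from the .c file with its typo, and the continuation lines of insert_in_object_tree() are not aligned with each other.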
diff --git a/source4/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c
similarity index 100%
rename from source4/libcli/security/create_descriptor.c
rename to libcli/security/create_descriptor.c
diff --git a/libcli/security/dom_sid.c b/libcli/security/dom_sid.c
index f94d952..217d7bb 100644
--- a/libcli/security/dom_sid.c
+++ b/libcli/security/dom_sid.c
@@ -28,8 +28,8 @@
  Compare the auth portion of two sids.
 *****************************************************************/
 
-static int dom_sid_compare_auth(const struct dom_sid *sid1,
-				const struct dom_sid *sid2)
+int dom_sid_compare_auth(const struct dom_sid *sid1,
+			 const struct dom_sid *sid2)
 {
 	int i;
 
diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h
index ac8669d..3d1161f 100644
--- a/libcli/security/dom_sid.h
+++ b/libcli/security/dom_sid.h
@@ -25,10 +25,41 @@
 
 #include "librpc/gen_ndr/security.h"
 
+/* Some well-known SIDs */
+extern const struct dom_sid global_sid_World_Domain;
+extern const struct dom_sid global_sid_World;
+extern const struct dom_sid global_sid_Creator_Owner_Domain;
+extern const struct dom_sid global_sid_NT_Authority;
+extern const struct dom_sid global_sid_Enterprise_DCs;
+extern const struct dom_sid global_sid_System;
+extern const struct dom_sid global_sid_NULL;
+extern const struct dom_sid global_sid_Authenticated_Users;
+extern const struct dom_sid global_sid_Network;
+extern const struct dom_sid global_sid_Creator_Owner;
+extern const struct dom_sid global_sid_Creator_Group;
+extern const struct dom_sid global_sid_Anonymous;
+extern const struct dom_sid global_sid_Builtin;
+extern const struct dom_sid global_sid_Builtin_Administrators;
+extern const struct dom_sid global_sid_Builtin_Users;
+extern const struct dom_sid global_sid_Builtin_Guests;
+extern const struct dom_sid global_sid_Builtin_Power_Users;
+extern const struct dom_sid global_sid_Builtin_Account_Operators;
+extern const struct dom_sid global_sid_Builtin_Server_Operators;
+extern const struct dom_sid global_sid_Builtin_Print_Operators;
+extern const struct dom_sid global_sid_Builtin_Backup_Operators;
+extern const struct dom_sid global_sid_Builtin_Replicator;
+extern const struct dom_sid global_sid_Builtin_PreWin2kAccess;
+extern const struct dom_sid global_sid_Unix_Users;
+extern const struct dom_sid global_sid_Unix_Groups;
+
+int dom_sid_compare_auth(const struct dom_sid *sid1,
+			 const struct dom_sid *sid2);
 int dom_sid_compare(const struct dom_sid *sid1, const struct dom_sid *sid2);
 int dom_sid_compare_domain(const struct dom_sid *sid1,
 			   const struct dom_sid *sid2);
 bool dom_sid_equal(const struct dom_sid *sid1, const struct dom_sid *sid2);
+bool sid_append_rid(struct dom_sid *sid, uint32_t rid);
+bool string_to_sid(struct dom_sid *sidout, const char *sidstr);
 bool dom_sid_parse(const char *sidstr, struct dom_sid *ret);
 struct dom_sid *dom_sid_parse_talloc(TALLOC_CTX *mem_ctx, const char *sidstr);
 struct dom_sid *dom_sid_parse_length(TALLOC_CTX *mem_ctx, const DATA_BLOB *sid);
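Review bot: The added `string_to_sid(struct dom_sid *sidout, const char *sidstr)` lands right next to the existing `dom_sid_parse(const char *sidstr, struct dom_sid *ret)`, with the same argument types in the opposite order and no comment on how the two differ. If one is a compatibility wrapper for source3 callers, say so in the header; if they are equivalent, the merge is a good moment to keep only one. The block of 25 extern SIDs would also benefit from a note on where they are defined.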
@@ -42,5 +73,25 @@ bool dom_sid_in_domain(const struct dom_sid *domain_sid,
 		       const struct dom_sid *sid);
 char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid);
 
+
+const char *sid_type_lookup(uint32_t sid_type);
+const struct security_token *get_system_token(void);
+bool sid_compose(struct dom_sid *dst, const struct dom_sid *domain_sid, uint32_t rid);
+bool sid_split_rid(struct dom_sid *sid, uint32_t *rid);
+bool sid_peek_rid(const struct dom_sid *sid, uint32_t *rid);
+bool sid_peek_check_rid(const struct dom_sid *exp_dom_sid, const struct dom_sid *sid, uint32_t *rid);
+void sid_copy(struct dom_sid *dst, const struct dom_sid *src);
+bool sid_parse(const char *inbuf, size_t len, struct dom_sid *sid);
+int sid_compare_domain(const struct dom_sid *sid1, const struct dom_sid *sid2);
+bool sid_equal(const struct dom_sid *sid1, const struct dom_sid *sid2);
+NTSTATUS add_sid_to_array(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
+			  struct dom_sid **sids, uint32_t *num);
+NTSTATUS add_sid_to_array_unique(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
+				 struct dom_sid **sids, uint32_t *num_sids);
+void del_sid_from_array(const struct dom_sid *sid, struct dom_sid **sids, size_t *num);
+bool add_rid_to_array_unique(TALLOC_CTX *mem_ctx,
+			     uint32_t rid, uint32_t **pp_rids, size_t *p_num);
+bool is_null_sid(const struct dom_sid *sid);
+
 #endif /*_DOM_SID_H_*/
 
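Review bot: The array helpers added here disagree on the counter type: add_sid_to_array() and add_sid_to_array_unique() take `uint32_t *num`, while del_sid_from_array() and add_rid_to_array_unique() take `size_t *`. A caller cannot pass the same counter variable to both add and delete without a cast or a temporary, so settle on one type (uint32_t matches the other commits in this push). Also, sid_equal() and sid_compare_domain() now sit beside dom_sid_equal() and dom_sid_compare_domain() with identical signatures; mark the old names as compatibility aliases or remove them. get_system_token() returns a security_token and looks out of place in dom_sid.h.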
diff --git a/source4/libcli/security/object_tree.c b/libcli/security/object_tree.c
similarity index 100%
rename from source4/libcli/security/object_tree.c
rename to libcli/security/object_tree.c
diff --git a/libcli/security/security.h b/libcli/security/security.h
index 8018bee..39ae3ec 100644
--- a/libcli/security/security.h
+++ b/libcli/security/security.h
@@ -25,6 +25,70 @@
 #define PRIMARY_USER_SID_INDEX 0
 #define PRIMARY_GROUP_SID_INDEX 1
 
+/* File Specific access rights */
+#define FILE_READ_DATA        SEC_FILE_READ_DATA
+#define FILE_WRITE_DATA       SEC_FILE_WRITE_DATA
+#define FILE_APPEND_DATA      SEC_FILE_APPEND_DATA
+#define FILE_READ_EA          SEC_FILE_READ_EA /* File and directory */
+#define FILE_WRITE_EA         SEC_FILE_WRITE_EA /* File and directory */
+#define FILE_EXECUTE          SEC_FILE_EXECUTE
+#define FILE_READ_ATTRIBUTES  SEC_FILE_READ_ATTRIBUTE
+#define FILE_WRITE_ATTRIBUTES SEC_FILE_WRITE_ATTRIBUTE
+
+#define FILE_ALL_ACCESS       SEC_FILE_ALL
+
+/* Directory specific access rights */
+#define FILE_LIST_DIRECTORY   SEC_DIR_LIST
+#define FILE_ADD_FILE         SEC_DIR_ADD_FILE
+#define FILE_ADD_SUBDIRECTORY SEC_DIR_ADD_SUBDIR
+#define FILE_TRAVERSE         SEC_DIR_TRAVERSE
+#define FILE_DELETE_CHILD     SEC_DIR_DELETE_CHILD
+
+/* Generic access masks & rights. */
+#define DELETE_ACCESS        SEC_STD_DELETE       /* (1L<<16) */
+#define READ_CONTROL_ACCESS  SEC_STD_READ_CONTROL /* (1L<<17) */
+#define WRITE_DAC_ACCESS     SEC_STD_WRITE_DAC    /* (1L<<18) */
+#define WRITE_OWNER_ACCESS   SEC_STD_WRITE_OWNER  /* (1L<<19) */
+#define SYNCHRONIZE_ACCESS   SEC_STD_SYNCHRONIZE /* (1L<<20) */
+
+#define SYSTEM_SECURITY_ACCESS SEC_FLAG_SYSTEM_SECURITY /* (1L<<24) */
+#define MAXIMUM_ALLOWED_ACCESS SEC_FLAG_MAXIMUM_ALLOWED /* (1L<<25) */
+#define GENERIC_ALL_ACCESS     SEC_GENERIC_ALL          /* (1<<28) */
+#define GENERIC_EXECUTE_ACCESS SEC_GENERIC_EXECUTE      /* (1<<29) */
+#define GENERIC_WRITE_ACCESS   SEC_GENERIC_WRITE        /* (1<<30) */
+#define GENERIC_READ_ACCESS    ((unsigned)SEC_GENERIC_READ) /* (((unsigned)1)<<31) */
+
+/* Mapping of generic access rights for files to specific rights. */
+
+/* This maps to 0x1F01FF */
+#define FILE_GENERIC_ALL (STANDARD_RIGHTS_REQUIRED_ACCESS|\
+			  SEC_STD_SYNCHRONIZE|\
+			  FILE_ALL_ACCESS)
+
+/* This maps to 0x120089 */
+#define FILE_GENERIC_READ (STANDARD_RIGHTS_READ_ACCESS|\
+			   FILE_READ_DATA|\
+			   FILE_READ_ATTRIBUTES|\
+			   FILE_READ_EA|\
+			   SYNCHRONIZE_ACCESS)
+
+/* This maps to 0x120116 */
+#define FILE_GENERIC_WRITE (SEC_STD_READ_CONTROL|\
+			    FILE_WRITE_DATA|\
+			    FILE_WRITE_ATTRIBUTES|\
+			    FILE_WRITE_EA|\
+			    FILE_APPEND_DATA|\
+			    SYNCHRONIZE_ACCESS)
+
+#define FILE_GENERIC_EXECUTE (STANDARD_RIGHTS_EXECUTE_ACCESS|\
+			      FILE_READ_ATTRIBUTES|\
+			      FILE_EXECUTE|\
+			      SYNCHRONIZE_ACCESS)
+
+/* Share specific rights. */
+#define SHARE_ALL_ACCESS      FILE_GENERIC_ALL
+#define SHARE_READ_ONLY       (FILE_GENERIC_READ|FILE_EXECUTE)
+
 struct object_tree {
 	uint32_t remaining_access;
 	struct GUID guid;
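Review bot: FILE_GENERIC_ALL, FILE_GENERIC_READ and FILE_GENERIC_EXECUTE expand to STANDARD_RIGHTS_REQUIRED_ACCESS, STANDARD_RIGHTS_READ_ACCESS and STANDARD_RIGHTS_EXECUTE_ACCESS, none of which are defined in this hunk. Please confirm they are defined in a header that every user of libcli/security/security.h sees, otherwise the first common or source4 file to use one of these macros will fail to build. Documentation nits: FILE_GENERIC_EXECUTE is the only one of the four without a "This maps to" value comment, and the "Generic access masks & rights" heading sits above what are standard rights (SEC_STD_*).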
@@ -40,9 +104,6 @@ struct object_tree {
 #include "libcli/security/security_token.h"
 #include "libcli/security/sddl.h"
 #include "libcli/security/privileges.h"
-
-#if _SAMBA_BUILD_ >= 4
-#include "libcli/security/proto.h"
-#endif
+#include "libcli/security/access_check.h"
 

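Review bot: Dropping the `#if _SAMBA_BUILD_ >= 4` include of libcli/security/proto.h in favour of access_check.h is only safe if every prototype that proto.h supplied to source4 is now declared in access_check.h or another hand-written header. The changeset is truncated here, so that cannot be checked from this mail; a sentence in the commit message listing where the former proto.h declarations went would settle it.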

-- 
Samba Shared Repository

