[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Wed Oct 20 18:16:01 MDT 2010


The branch, master has been updated
       via  e00c2b3 Add code to implement SeSecurityPrivilege in net rpc rights, and in the open and get/set NT security descriptor code.
      from  c0b9526 pytalloc: use talloc_unlink() to free py_talloc objects

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e00c2b3cdf6faa03b6ffcf87dc677fdbdd381fe3
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Oct 20 16:31:18 2010 -0700

    Add code to implement SeSecurityPrivilege in net rpc rights, and in the
    open and get/set NT security descriptor code.
    
    Jeremy.
    
    Autobuild-User: Jeremy Allison <jra at samba.org>
    Autobuild-Date: Thu Oct 21 00:15:57 UTC 2010 on sn-devel-104

-----------------------------------------------------------------------

Summary of changes:
 libcli/security/privileges.c |    9 +++------
 source3/smbd/nttrans.c       |   10 ++++++++++
 source3/smbd/open.c          |   29 ++++++++---------------------
 3 files changed, 21 insertions(+), 27 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/security/privileges.c b/libcli/security/privileges.c
index 5d4cf77..57c485d 100644
--- a/libcli/security/privileges.c
+++ b/libcli/security/privileges.c
@@ -40,7 +40,7 @@
 /* The use of strcasecmp here is safe, all the comparison strings are ASCII */
 #undef strcasecmp
 
-#define NUM_SHORT_LIST_PRIVS 8
+#define NUM_SHORT_LIST_PRIVS 9
 
 static const struct {
 	enum sec_privilege luid;
@@ -58,16 +58,13 @@ static const struct {
 	{SEC_PRIV_PRINT_OPERATOR,  SEC_PRIV_PRINT_OPERATOR_BIT,	 "SePrintOperatorPrivilege",	"Manage printers"},
 	{SEC_PRIV_ADD_USERS,       SEC_PRIV_ADD_USERS_BIT,	 "SeAddUsersPrivilege",		"Add users and groups to the domain"},
 	{SEC_PRIV_DISK_OPERATOR,   SEC_PRIV_DISK_OPERATOR_BIT,	 "SeDiskOperatorPrivilege",	"Manage disk shares"},
+	{SEC_PRIV_SECURITY,	   SEC_PRIV_SECURITY_BIT,	 "SeSecurityPrivilege",	"System security"},
+
 
 	/* The list from here on is not displayed in the code from
 	 * source3, and is after index NUM_SHORT_LIST_PRIVS for that
 	 * reason */ 
 
-	{SEC_PRIV_SECURITY,
-	 SEC_PRIV_SECURITY_BIT,
-	 "SeSecurityPrivilege",
-	"System security"},
-
 	{SEC_PRIV_SYSTEMTIME,
 	 SEC_PRIV_SYSTEMTIME_BIT,
 	 "SeSystemtimePrivilege",
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 3a9f681..caba211 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -1837,6 +1837,16 @@ NTSTATUS smbd_do_query_security_desc(connection_struct *conn,
 	 * Get the permissions to return.
 	 */
 
+	if ((security_info_wanted & SECINFO_SACL) &&
+			!(fsp->access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
+	if ((security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|SECINFO_GROUP)) &&
+			!(fsp->access_mask & SEC_STD_READ_CONTROL)) {
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
 	if (!lp_nt_acl_support(SNUM(conn))) {
 		status = get_null_nt_acl(mem_ctx, &psd);
 	} else {
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 01f0cd6..f5de607 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -2506,8 +2506,9 @@ static NTSTATUS open_directory(connection_struct *conn,
 		return status;
 	}
 
-	/* We need to support SeSecurityPrivilege for this. */
-	if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {
+	if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) &
+			!security_token_has_privilege(get_current_nttok(conn),
+					SEC_PRIV_SECURITY)) {
 		DEBUG(10, ("open_directory: open on %s "
 			"failed - SEC_FLAG_SYSTEM_SECURITY denied.\n",
 			smb_fname_str_dbg(smb_dname)));
@@ -3029,29 +3030,15 @@ static NTSTATUS create_file_unixpath(connection_struct *conn,
 		goto fail;
 	}
 
-#if 0
-	/* We need to support SeSecurityPrivilege for this. */
 	if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) &&
-	    !user_has_privileges(current_user.nt_user_token,
-				 &se_security)) {
-		status = NT_STATUS_PRIVILEGE_NOT_HELD;
-		goto fail;
-	}
-#else
-	/* We need to support SeSecurityPrivilege for this. */
-	if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {
-		status = NT_STATUS_PRIVILEGE_NOT_HELD;
-		goto fail;
-	}
-	/* Don't allow a SACL set from an NTtrans create until we
-	 * support SeSecurityPrivilege. */
-	if (!VALID_STAT(smb_fname->st) &&
-			lp_nt_acl_support(SNUM(conn)) &&
-			sd && (sd->sacl != NULL)) {
+			!security_token_has_privilege(get_current_nttok(conn),
+					SEC_PRIV_SECURITY)) {
+		DEBUG(10, ("create_file_unixpath: open on %s "
+			"failed - SEC_FLAG_SYSTEM_SECURITY denied.\n",
+			smb_fname_str_dbg(smb_fname)));
 		status = NT_STATUS_PRIVILEGE_NOT_HELD;
 		goto fail;
 	}
-#endif
 
 	if ((conn->fs_capabilities & FILE_NAMED_STREAMS)
 	    && is_ntfs_stream_smb_fname(smb_fname)


-- 
Samba Shared Repository


More information about the samba-cvs mailing list