small se_access_check patch
Elrond
elrond at samba-tng.org
Mon Sep 24 10:39:01 GMT 2001
Hi,
These are some small changes to se_access_check.
Most notably, I changed the second parameter from
struct current_user to NT_USER_TOKEN.
This requires every call to se_access_check to be changed from:
se_access_check(..., user, ...)
to:
se_access_check(..., user->nt_user_token, ...)
In the event of user possibly being NULL (which would have
coredumped se_access_check anyway), it should be changed
to:
se_access_check(..., (user ? user->nt_user_token : NULL), ...)
The const are needed by TNG specific things, and they
should not hurt normal samba, because the only function
outside util_seaccess.c, which is affected is sid_equal,
which already has const in it.
Elrond
Index: lib/util_seaccess.c
===================================================================
RCS file: /cvsroot/samba/source/lib/util_seaccess.c,v
retrieving revision 1.22
diff -u -p -r1.22 util_seaccess.c
--- lib/util_seaccess.c 27 Aug 2001 19:46:16 -0000 1.22
+++ lib/util_seaccess.c 24 Sep 2001 17:25:31 -0000
@@ -4,6 +4,7 @@
Copyright (C) Luke Kenneth Casson Leighton 1996-2000.
Copyright (C) Tim Potter 2000.
Copyright (C) Re-written by Jeremy Allison 2000.
+ Copyright (C) Elrond <elrond at samba-tng.org> 2001.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -30,7 +31,7 @@ extern int DEBUGLEVEL;
Check if this ACE has a SID in common with the token.
**********************************************************************************/
-static BOOL token_sid_in_ace( NT_USER_TOKEN *token, SEC_ACE *ace)
+static BOOL token_sid_in_ace(const NT_USER_TOKEN *token, const SEC_ACE *ace)
{
size_t i;
@@ -47,7 +48,7 @@ static BOOL token_sid_in_ace( NT_USER_TO
bits not yet granted. Zero means permission allowed (no more needed bits).
**********************************************************************************/
-static uint32 check_ace(SEC_ACE *ace, NT_USER_TOKEN *token, uint32 acc_desired,
+static uint32 check_ace(const SEC_ACE *ace, const NT_USER_TOKEN *token, uint32 acc_desired,
NTSTATUS *status)
{
uint32 mask = ace->info.mask;
@@ -107,7 +108,7 @@ static uint32 check_ace(SEC_ACE *ace, NT
include other bits requested.
**********************************************************************************/
-static BOOL get_max_access( SEC_ACL *the_acl, NT_USER_TOKEN *token, uint32 *granted,
+static BOOL get_max_access( SEC_ACL *the_acl, const NT_USER_TOKEN *token, uint32 *granted,
uint32 desired,
NTSTATUS *status)
{
@@ -204,7 +205,7 @@ void se_map_generic(uint32 *access_mask,
"Access-Checking" document in MSDN.
*****************************************************************************/
-BOOL se_access_check(SEC_DESC *sd, struct current_user *user,
+BOOL se_access_check(SEC_DESC *sd, NT_USER_TOKEN *token,
uint32 acc_desired, uint32 *acc_granted,
NTSTATUS *status)
{
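Review bot: The header comment above se_access_check is not updated for the new `token` parameter, so the rule that a NULL token is checked as the anonymous token (set in the next hunk) is visible only in the body. Callers are told to pass `(user ? user->nt_user_token : NULL)`, so state the contract where they will read it, e.g. `token: NT token to check; NULL is evaluated as the anonymous token.` The parameter could also be declared `const NT_USER_TOKEN *token` to match check_ace and get_max_access, which now take the token as const. The function body continues outside this hunk.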
@@ -212,17 +213,20 @@ BOOL se_access_check(SEC_DESC *sd, struc
size_t i;
SEC_ACL *the_acl;
fstring sid_str;
- NT_USER_TOKEN *token = user->nt_user_token ? user->nt_user_token : &anonymous_token;
uint32 tmp_acc_desired = acc_desired;
+ if (!token)
+ token = &anonymous_token;
+
if (!status || !acc_granted)
return False;
*status = NT_STATUS_OK;
*acc_granted = 0;
- DEBUG(10,("se_access_check: requested access %x, for uid %u\n",
- (unsigned int)acc_desired, (unsigned int)user->uid ));
+ DEBUG(7, ("se_access_check: requested access 0x%x, for NT token with %u entries and first sid %s.\n",
+ (unsigned int)acc_desired, token->num_sids,
+ sid_to_string(sid_str, &token->user_sids[0])));
/*
* No security descriptor or security descriptor with no DACL
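Review bot: The new DEBUG call reads `token->user_sids[0]` without checking `token->num_sids`, so a caller-supplied token with no SIDs (or a NULL `user_sids`) would be read out of bounds inside the access check once the debug level reaches 7. Guard the argument, e.g. `token->num_sids ? sid_to_string(sid_str, &token->user_sids[0]) : "(none)"`. `token->num_sids` is also passed to `%u` uncast while `acc_desired` is cast; if it is a `size_t` (the helpers in this file index with `size_t i`), write `(unsigned int)token->num_sids`. The body of se_access_check continues past the end of this hunk.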