Wrap security_token_has_privilege() with a check for lp_enable_privileges()

Andrew Bartlett abartlet at samba.org
Fri Oct 22 14:24:20 MDT 2010


On Fri, 2010-10-22 at 20:16 +0200, Jeremy Allison wrote:
> The branch, master has been updated
>        via  a8b9568 Wrap security_token_has_privilege() with a check for lp_enable_privileges(). Needed to maintain compatibility with smb.conf manpage.
>        via  3e79cd6 Fix const warning. Allocate off NULL as we always talloc_free().
>       from  2a00138 s4-dsdb/schema_syntax: Separate validation for numericoid OID values
> 
> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
> 
> 
> - Log -----------------------------------------------------------------
> commit a8b95686a7bde3f96f141b6938e24e101567ef54
> Author: Jeremy Allison <jra at samba.org>
> Date:   Fri Oct 22 10:31:06 2010 -0700
> 
>     Wrap security_token_has_privilege() with a check for lp_enable_privileges(). Needed
>     to maintain compatibility with smb.conf manpage.
>     
>     Jeremy.
>     
>     Autobuild-User: Jeremy Allison <jra at samba.org>
>     Autobuild-Date: Fri Oct 22 18:15:48 UTC 2010 on sn-devel-104

Jeremy,

Why is this required?

It seems to me that if this smb.conf option is not set, then due to the
check in source3/lib/privilages.c:get_privileges() we cannot have any
privileges associated with user tokens. (We may for some of the static
tokens such as system or domain administrator that are not generated
here, but that's not really an issue).

Did you have this come up in a real use case, or is this simply that
you would feel safer 'knowing' that this cannot be invoked without
the smb.conf option set?

I really think that going back to having s3_ prefix functions is not the
right approach.  To do so consistently we would have to break apart
se_access_check() again into s3 and s4 codepaths, and as this check was
never here in the old user_have_privileges() codepath.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
