Author: tridge Date: 2004-12-11 12:01:20 +0000 (Sat, 11 Dec 2004) New Revision: 4150
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=4150 Log: - add fns for manipulating the privilege_mask in a security_token - add the hooks in access_check that check the privilege bitmasks for SEC_STD_DELETE and SEC_FLAG_SYSTEM_SECURITY Modified: branches/SAMBA_4_0/source/libcli/security/access_check.c branches/SAMBA_4_0/source/libcli/security/privilege.c Changeset: Modified: branches/SAMBA_4_0/source/libcli/security/access_check.c =================================================================== --- branches/SAMBA_4_0/source/libcli/security/access_check.c 2004-12-11 11:11:57 UTC (rev 4149) +++ branches/SAMBA_4_0/source/libcli/security/access_check.c 2004-12-11 12:01:20 UTC (rev 4150) @@ -50,8 +50,11 @@ unsigned i; if (sid_active_in_token(sd->owner_sid, token)) { - granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_STD_DELETE; + granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL; } + if (sec_privilege_check(token, SEC_PRIV_RESTORE)) { + granted |= SEC_STD_DELETE; + } for (i = 0;i<sd->dacl->num_aces; i++) { struct security_ace *ace = &sd->dacl->aces[i]; @@ -96,17 +99,13 @@ bits_remaining = access_desired & ~SEC_STD_DELETE; } -#if 0 - /* this is where we should check for the "system security" privilege, once we - move to the full security_token and not just the nt_user_token */ if (access_desired & SEC_FLAG_SYSTEM_SECURITY) { - if (privilege_in_token(SE_PRIVILEGE_SYSTEM_SECURITY, token)) { + if (sec_privilege_check(token, SEC_PRIV_SECURITY)) { bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY; } else { return NT_STATUS_ACCESS_DENIED; } } -#endif /* dacl not present allows access */ if (!(sd->type & SEC_DESC_DACL_PRESENT)) { @@ -124,6 +123,10 @@ sid_active_in_token(sd->owner_sid, token)) { bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL); } + if ((bits_remaining & SEC_STD_DELETE) && + sec_privilege_check(token, SEC_PRIV_RESTORE)) { + bits_remaining &= ~SEC_STD_DELETE; + } /* check each ace in turn. */ for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) { Modified: branches/SAMBA_4_0/source/libcli/security/privilege.c =================================================================== --- branches/SAMBA_4_0/source/libcli/security/privilege.c 2004-12-11 11:11:57 UTC (rev 4149) +++ branches/SAMBA_4_0/source/libcli/security/privilege.c 2004-12-11 12:01:20 UTC (rev 4150) @@ -82,3 +82,27 @@ } return -1; } + + +/* + return True if a security_token has a particular privilege bit set +*/ +BOOL sec_privilege_check(const struct security_token *token, unsigned int privilege) +{ + uint64_t mask = 1; + mask <<= (privilege-1); + if (token->privilege_mask & mask) { + return True; + } + return False; +} + +/* + set a bit in the privilege mask +*/ +void sec_privilege_set(struct security_token *token, unsigned int privilege) +{ + uint64_t mask = 1; + mask <<= (privilege-1); + token->privilege_mask |= mask; +}