static const struct GUID *get_ace_object_type(struct security_ace *ace)
{
- struct GUID *type;
-
- if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT)
- type = &ace->object.object.type.type;
- else
- type = NULL;
-
- return type;
+ if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
+ return &ace->object.object.type.type;
+ }
+ return NULL;
}
-/* modified access check for the purposes of DS security
+/**
+ * @brief Perform directoryservice (DS) related access checks for a given user
+ *
+ * Perform DS access checks for the user represented by its security_token, on
+ * the provided security descriptor. If an tree associating GUID and access
+ * required is provided then object access (OA) are checked as well. *
+ * @param[in] sd The security descritor against which the required
+ * access are requested
+ *
+ * @param[in] token The security_token associated with the user to
+ * test
+ *
+ * @param[in] access_desired A bitfield of rights that must be granted for the
+ * given user in the specified SD.
+ *
+ * If one
+ * of the entry in the tree grants all the requested rights for the given GUID
+ * FIXME
+ * tree can be null if not null it's the
* Lots of code duplication, it will ve united in just one
* function eventually */
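Review bot: The new Doxygen block is unfinished: it trails off into `If one of the entry in the tree grants ...`, a bare `FIXME` and `tree can be null if not null it's the`, then runs into the old "code duplication" remark. For an access-check routine, the header should state the contract: add `@param` entries for the tree argument, `replace_sid` and the `access_granted` output, all of which are used in the later hunks. It should also carry a `@return` line listing the statuses the body returns (`NT_STATUS_OK`, `NT_STATUS_ACCESS_DENIED`, `NT_STATUS_PRIVILEGE_NOT_HELD`) and say explicitly what a NULL tree means. While there, fix `descritor`, `If an tree` and `ve united`. The function signature is outside this hunk, so the parameter names should be checked against it.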
uint32_t bits_remaining;
struct object_tree *node;
const struct GUID *type;
- struct dom_sid *ps_sid = dom_sid_parse_talloc(NULL, SID_NT_SELF);
+ struct dom_sid self_sid;
+
+ dom_sid_parse(SID_NT_SELF, &self_sid);
*access_granted = access_desired;
bits_remaining = access_desired;
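Review bot: The result of `dom_sid_parse(SID_NT_SELF, &self_sid);` is discarded, so if parsing ever failed, `self_sid` would presumably be left as uninitialised stack data and then compared with `ace->trustee` in the `replace_sid` branch. The old heap version had the same unchecked result, and parsing a constant should not fail in practice, but the value feeds an authorisation decision, so failing closed is cheap: `if (!dom_sid_parse(SID_NT_SELF, &self_sid)) { return NT_STATUS_INTERNAL_ERROR; }`. Moving to a stack SID does remove the `talloc_free(ps_sid)` needed on every exit path, which is a real simplification. The enclosing function starts and ends outside this hunk.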
if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
} else {
- talloc_free(ps_sid);
return NT_STATUS_PRIVILEGE_NOT_HELD;
}
}
/* a NULL dacl allows access */
if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
*access_granted = access_desired;
- talloc_free(ps_sid);
return NT_STATUS_OK;
}
continue;
}
- if (dom_sid_equal(&ace->trustee, ps_sid) && replace_sid) {
+ if (dom_sid_equal(&ace->trustee, &self_sid) && replace_sid) {
trustee = replace_sid;
} else {
trustee = &ace->trustee;
break;
case SEC_ACE_TYPE_ACCESS_DENIED:
if (bits_remaining & ace->access_mask) {
- talloc_free(ps_sid);
return NT_STATUS_ACCESS_DENIED;
}
break;
if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
object_tree_modify_access(node, ace->access_mask);
if (node->remaining_access == 0) {
- talloc_free(ps_sid);
return NT_STATUS_OK;
}
} else {
if (node->remaining_access & ace->access_mask){
- talloc_free(ps_sid);
return NT_STATUS_ACCESS_DENIED;
}
}
}
done:
- talloc_free(ps_sid);
if (bits_remaining != 0) {
return NT_STATUS_ACCESS_DENIED;
}