s3-util_sid Tidy up global struct security_token
[abartlet/samba.git/.git] / source3 / lib / util_seaccess.c
index 0da7442d1953748c3e594999748c5c2ce4aea198..6c16fea5857b1da37717c52df4f195974f7ba12a 100644 (file)
@@ -22,8 +22,6 @@
 
 #include "includes.h"
 
-extern NT_USER_TOKEN anonymous_token;
-
 /* Map generic access rights to object specific rights.  This technique is
    used to give meaning to assigning read, write, execute and all access to
    objects.  Each type of object has its own mapping of generic to object
@@ -82,7 +80,7 @@ void security_acl_map_generic(struct security_acl *sa,
    objects.  Each type of object has its own mapping of standard to object
    specific access rights. */
 
-void se_map_standard(uint32 *access_mask, struct standard_mapping *mapping)
+void se_map_standard(uint32 *access_mask, const struct standard_mapping *mapping)
 {
        uint32 old_mask = *access_mask;
 
@@ -106,14 +104,14 @@ void se_map_standard(uint32 *access_mask, struct standard_mapping *mapping)
   perform a SEC_FLAG_MAXIMUM_ALLOWED access check
 */
 static uint32_t access_check_max_allowed(const struct security_descriptor *sd, 
-                                       const NT_USER_TOKEN *token)
+                                       const struct security_token *token)
 {
        uint32_t denied = 0, granted = 0;
        unsigned i;
 
        if (is_sid_in_token(token, sd->owner_sid)) {
                granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_STD_DELETE;
-       } else if (user_has_privileges(token, &se_restore)) {
+       } else if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
                granted |= SEC_STD_DELETE;
        }
 
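Review bot: The `else if` branch in access_check_max_allowed that grants SEC_STD_DELETE to a non-owner holding SEC_PRIV_RESTORE carries no comment, and the same rule is repeated in se_access_check (the hunk at -203), so the two copies can drift apart unnoticed. I would add `/* A non-owner holding SEC_PRIV_RESTORE is granted DELETE only; keep in step with se_access_check() */` above the branch. Because this swap changes which helper decides an access grant, it is also worth confirming that security_token_has_privilege() treats a NULL token or one with no privileges the same way user_has_privileges() did. Neither helper is visible here. The function body continues past the end of this hunk.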
@@ -154,7 +152,7 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
   to by the access_granted pointer.
 */
 NTSTATUS se_access_check(const struct security_descriptor *sd, 
-                         const NT_USER_TOKEN *token,
+                         const struct security_token *token,
                          uint32_t access_desired,
                          uint32_t *access_granted)
 {
@@ -203,7 +201,7 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
                bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE);
        }
        if ((bits_remaining & SEC_STD_DELETE) &&
-           user_has_privileges(token, &se_restore)) {
+           (security_token_has_privilege(token, SEC_PRIV_RESTORE))) {
                bits_remaining &= ~SEC_STD_DELETE;
        }
 
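Review bot: The new call in the se_access_check condition is wrapped in a redundant pair of parentheses, unlike the identical check in access_check_max_allowed. Writing the line as `security_token_has_privilege(token, SEC_PRIV_RESTORE)) {` keeps the two privilege checks textually alike, which makes them easier to find and audit together. se_access_check starts and ends outside this hunk.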
@@ -246,43 +244,3 @@ done:
 
        return NT_STATUS_OK;
 }
-
-/*******************************************************************
- samr_make_sam_obj_sd
- ********************************************************************/
-
-NTSTATUS samr_make_sam_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size)
-{
-       DOM_SID adm_sid;
-       DOM_SID act_sid;
-
-       SEC_ACE ace[3];
-
-       SEC_ACL *psa = NULL;
-
-       sid_copy(&adm_sid, &global_sid_Builtin);
-       sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS);
-
-       sid_copy(&act_sid, &global_sid_Builtin);
-       sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS);
-
-       /*basic access for every one*/
-       init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
-               GENERIC_RIGHTS_SAM_EXECUTE | GENERIC_RIGHTS_SAM_READ, 0);
-
-       /*full access for builtin aliases Administrators and Account Operators*/
-       init_sec_ace(&ace[1], &adm_sid,
-               SEC_ACE_TYPE_ACCESS_ALLOWED, GENERIC_RIGHTS_SAM_ALL_ACCESS, 0);
-       init_sec_ace(&ace[2], &act_sid,
-               SEC_ACE_TYPE_ACCESS_ALLOWED, GENERIC_RIGHTS_SAM_ALL_ACCESS, 0);
-
-       if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL)
-               return NT_STATUS_NO_MEMORY;
-
-       if ((*psd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1,
-                                 SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL,
-                                 psa, sd_size)) == NULL)
-               return NT_STATUS_NO_MEMORY;
-
-       return NT_STATUS_OK;
-}