r14894: - add some 'const'
authorStefan Metzmacher <metze@samba.org>
Mon, 3 Apr 2006 15:18:12 +0000 (15:18 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 19:00:12 +0000 (14:00 -0500)
- remove sid_active_in_token(), which was the same as security_token_has_sid()
- rename some functions

metze
(This used to be commit 81390dcda50f53d61e70059fb33014de0d283dc5)

source4/dsdb/samdb/samdb_privilege.c
source4/libcli/security/access_check.c
source4/libcli/security/privilege.c
source4/libcli/security/security_token.c

index f2fc43967faee36236c64c227615d706226b13df..28cea8d208e3b51987267a621c1a362e635904a3 100644 (file)
@@ -63,7 +63,7 @@ static NTSTATUS samdb_privilege_setup_sid(void *samctx, TALLOC_CTX *mem_ctx,
                                 priv_str));
                        continue;
                }
-               sec_privilege_set(token, privilege);
+               security_token_set_privilege(token, privilege);
        }
 
        return NT_STATUS_OK;
index cd877db9c5971d8f7ad025f0e08784014ae54c56..f0a46cc23dab60edba3c7e31f3cc79cde8eaea19 100644 (file)
 #include "libcli/security/security.h"
 
 
-/*
-  check if a sid is in the supplied token
-*/
-static BOOL sid_active_in_token(const struct dom_sid *sid, 
-                               const struct security_token *token)
-{
-       int i;
-       for (i=0;i<token->num_sids;i++) {
-               if (dom_sid_equal(sid, token->sids[i])) {
-                       return True;
-               }
-       }
-       return False;
-}
-
-
 /*
   perform a SEC_FLAG_MAXIMUM_ALLOWED access check
 */
@@ -49,9 +33,9 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
        uint32_t denied = 0, granted = 0;
        unsigned i;
        
-       if (sid_active_in_token(sd->owner_sid, token)) {
+       if (security_token_has_sid(token, sd->owner_sid)) {
                granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_STD_DELETE;
-       } else if (sec_privilege_check(token, SEC_PRIV_RESTORE)) {
+       } else if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
                granted |= SEC_STD_DELETE;
        }
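Review bot: The owner test passes `sd->owner_sid` to security_token_has_sid() with no visible NULL check, and the same pattern recurs in the owner clause of sec_access_check further down. Whether a descriptor with no owner is handled safely depends on dom_sid_equal() tolerating a NULL argument, which this page does not show. If that is the intended contract, a comment above the test such as `/* owner_sid may be NULL; relies on dom_sid_equal() rejecting NULL */` would record it; otherwise guard the call with `sd->owner_sid != NULL &&`. access_check_max_allowed starts above this hunk and continues past it.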
 
@@ -62,7 +46,7 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
                        continue;
                }
 
-               if (!sid_active_in_token(&ace->trustee, token)) {
+               if (!security_token_has_sid(token, &ace->trustee)) {
                        continue;
                }
 
@@ -105,7 +89,7 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
        }
 
        if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
-               if (sec_privilege_check(token, SEC_PRIV_SECURITY)) {
+               if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
                        bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
                } else {
                        return NT_STATUS_ACCESS_DENIED;
@@ -125,11 +109,11 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
 
        /* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */
        if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) &&
-           sid_active_in_token(sd->owner_sid, token)) {
+           security_token_has_sid(token, sd->owner_sid)) {
                bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE);
        }
        if ((bits_remaining & SEC_STD_DELETE) &&
-           sec_privilege_check(token, SEC_PRIV_RESTORE)) {
+           security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
                bits_remaining &= ~SEC_STD_DELETE;
        }
 
@@ -141,7 +125,7 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
                        continue;
                }
 
-               if (!sid_active_in_token(&ace->trustee, token)) {
+               if (!security_token_has_sid(token, &ace->trustee)) {
                        continue;
                }
 
index f81ff6dccc2ebdca3b53f4ce3d7f0c686aabcda3..b4855b59e2e11f9d2e7c45fc0adb21672180b0bb 100644 (file)
@@ -194,7 +194,7 @@ static uint64_t sec_privilege_mask(enum sec_privilege privilege)
 /*
   return True if a security_token has a particular privilege bit set
 */
-BOOL sec_privilege_check(const struct security_token *token, enum sec_privilege privilege)
+BOOL security_token_has_privilege(const struct security_token *token, enum sec_privilege privilege)
 {
        uint64_t mask;
 
@@ -212,7 +212,7 @@ BOOL sec_privilege_check(const struct security_token *token, enum sec_privilege
 /*
   set a bit in the privilege mask
 */
-void sec_privilege_set(struct security_token *token, enum sec_privilege privilege)
+void security_token_set_privilege(struct security_token *token, enum sec_privilege privilege)
 {
        if (privilege < 1 || privilege > 64) {
                return;
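Review bot: The header comment on security_token_set_privilege() does not say that a privilege outside 1..64 is dropped silently, yet the early `return;` does exactly that and the function is `void`, so the caller in samdb_privilege_setup_sid cannot tell a privilege was not applied. Dropping the value fails closed, which is the safe direction, but it should be documented, e.g. `/* set a bit in the privilege mask; values outside 1..64 are ignored */`. A DEBUG line on the rejected value would also make a misconfigured privilege visible during an audit. The function body ends in the next hunk.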
@@ -220,7 +220,7 @@ void sec_privilege_set(struct security_token *token, enum sec_privilege privileg
        token->privilege_mask |= sec_privilege_mask(privilege);
 }
 
-void sec_privilege_debug(int dbg_lev, const struct security_token *token)
+void security_token_debug_privileges(int dbg_lev, const struct security_token *token)
 {
        DEBUGADD(dbg_lev, (" Privileges (0x%16llX):\n",
                            (unsigned long long) token->privilege_mask));
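Review bot: The format `0x%16llX` in security_token_debug_privileges() pads the mask with spaces rather than zeros, so the log shows `0x` followed by blanks and then the hex digits. That is harder to read and to grep when comparing privilege masks across log lines. The conversion was probably meant to be `" Privileges (0x%016llX):\n"`. The rest of the function lies outside the hunk.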
index 80644e1f2dd884d1df4a9b087a19b70344fac301..d872376bffd44d1149eda8e264583ee34a19606b 100644 (file)
@@ -148,14 +148,14 @@ void security_token_debug(int dbg_lev, const struct security_token *token)
                           dom_sid_string(mem_ctx, token->sids[i])));
        }
 
-       sec_privilege_debug(dbg_lev, token);
+       security_token_debug_privileges(dbg_lev, token);
 
        talloc_free(mem_ctx);
 }
 
 /* These really should be cheaper... */
 
-BOOL security_token_is_sid(struct security_token *token, const struct dom_sid *sid)
+BOOL security_token_is_sid(const struct security_token *token, const struct dom_sid *sid)
 {
        if (dom_sid_equal(token->user_sid, sid)) {
                return True;
@@ -163,10 +163,10 @@ BOOL security_token_is_sid(struct security_token *token, const struct dom_sid *s
        return False;
 }
 
-BOOL security_token_is_sid_string(struct security_token *token, const char *sid_string)
+BOOL security_token_is_sid_string(const struct security_token *token, const char *sid_string)
 {
        BOOL ret;
-       struct dom_sid *sid = dom_sid_parse_talloc(token, sid_string);
+       struct dom_sid *sid = dom_sid_parse_talloc(NULL, sid_string);
        if (!sid) return False;
 
        ret = security_token_is_sid(token, sid);
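Review bot: `if (!sid) return False;` makes an allocation failure in dom_sid_parse_talloc() indistinguishable from "SID does not match". That answer flows into security_token_is_system() and security_token_is_anonymous() in the next hunk, and security_token_has_sid_string() below uses the same pattern. If a caller treats "not anonymous" as a reason to proceed, a False caused by memory pressure would be a fail-open result; the callers are not visible here, so this needs confirming. With the parent changed to NULL the parsed SID is also no longer reclaimed with the token, so the talloc_free(sid) that presumably sits in the gap before the next hunk is the only thing releasing it. A function comment along the lines of `/* returns False on allocation failure; sid is unparented and must be freed on every path */` would capture both points.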
@@ -175,17 +175,17 @@ BOOL security_token_is_sid_string(struct security_token *token, const char *sid_
        return ret;
 }
 
-BOOL security_token_is_system(struct security_token *token) 
+BOOL security_token_is_system(const struct security_token *token) 
 {
        return security_token_is_sid_string(token, SID_NT_SYSTEM);
 }
 
-BOOL security_token_is_anonymous(struct security_token *token) 
+BOOL security_token_is_anonymous(const struct security_token *token) 
 {
        return security_token_is_sid_string(token, SID_NT_ANONYMOUS);
 }
 
-BOOL security_token_has_sid(struct security_token *token, struct dom_sid *sid)
+BOOL security_token_has_sid(const struct security_token *token, const struct dom_sid *sid)
 {
        int i;
        for (i = 0; i < token->num_sids; i++) {
@@ -196,10 +196,10 @@ BOOL security_token_has_sid(struct security_token *token, struct dom_sid *sid)
        return False;
 }
 
-BOOL security_token_has_sid_string(struct security_token *token, const char *sid_string)
+BOOL security_token_has_sid_string(const struct security_token *token, const char *sid_string)
 {
        BOOL ret;
-       struct dom_sid *sid = dom_sid_parse_talloc(token, sid_string);
+       struct dom_sid *sid = dom_sid_parse_talloc(NULL, sid_string);
        if (!sid) return False;
 
        ret = security_token_has_sid(token, sid);
@@ -208,12 +208,12 @@ BOOL security_token_has_sid_string(struct security_token *token, const char *sid
        return ret;
 }
 
-BOOL security_token_has_builtin_administrators(struct security_token *token)
+BOOL security_token_has_builtin_administrators(const struct security_token *token)
 {
        return security_token_has_sid_string(token, SID_BUILTIN_ADMINISTRATORS);
 }
 
-BOOL security_token_has_nt_authenticated_users(struct security_token *token)
+BOOL security_token_has_nt_authenticated_users(const struct security_token *token)
 {
        return security_token_has_sid_string(token, SID_NT_AUTHENTICATED_USERS);
 }