s3-security: use shared "Standard access rights.".
authorGünther Deschner <gd@samba.org>
Thu, 3 Jun 2010 08:36:05 +0000 (10:36 +0200)
committerGünther Deschner <gd@samba.org>
Thu, 3 Jun 2010 09:00:26 +0000 (11:00 +0200)
Guenther

source3/include/rpc_secdes.h
source3/include/smb.h
source3/lib/netapi/localgroup.c
source3/lib/netapi/user.c
source3/modules/nfs4_acls.c
source3/rpc_server/srv_lsa_nt.c
source3/rpc_server/srv_samr_nt.c
source3/rpc_server/srv_svcctl_nt.c
source3/rpc_server/srv_winreg_nt.c
source3/smbd/reply.c

index 216f8830eb5d7817dfd9296ef08b4f23cb2949b1..d14a95b17b3b697ad817fae765719624c07669a8 100644 (file)
 /* for ADS */
 #define SEC_RIGHTS_FULL_CTRL           0xf01ff
 
-/* Standard access rights. */
-
-#define STD_RIGHT_DELETE_ACCESS                0x00010000
-#define STD_RIGHT_READ_CONTROL_ACCESS  0x00020000
-#define STD_RIGHT_WRITE_DAC_ACCESS     0x00040000
-#define STD_RIGHT_WRITE_OWNER_ACCESS   0x00080000
-#define STD_RIGHT_SYNCHRONIZE_ACCESS   0x00100000
-
-#define STD_RIGHT_ALL_ACCESS           0x001F0000
-
 #endif /* _RPC_SECDES_H */
index 89b3572d67e983a8336f5e9271aee2cd0612b767..ce8022ab2171c8e039cc8ea9156922eb35fc9b02 100644 (file)
@@ -1234,7 +1234,7 @@ struct bitmap {
                           SYNCHRONIZE_ACCESS)
 
 /* This maps to 0x120116 */
-#define FILE_GENERIC_WRITE (STD_RIGHT_READ_CONTROL_ACCESS|\
+#define FILE_GENERIC_WRITE (SEC_STD_READ_CONTROL|\
                            FILE_WRITE_DATA|\
                            FILE_WRITE_ATTRIBUTES|\
                            FILE_WRITE_EA|\
index dd0f8d2097690fa5c96f02f893c3306ed94914e7..f8832328fe547349f235a9c48f51e2b20c5941b0 100644 (file)
@@ -934,7 +934,7 @@ static NTSTATUS libnetapi_lsa_lookup_names3(TALLOC_CTX *mem_ctx,
 
        status = rpccli_lsa_open_policy2(lsa_pipe, mem_ctx,
                                         false,
-                                        STD_RIGHT_READ_CONTROL_ACCESS |
+                                        SEC_STD_READ_CONTROL |
                                         LSA_POLICY_VIEW_LOCAL_INFORMATION |
                                         LSA_POLICY_LOOKUP_NAMES,
                                         &lsa_handle);
index e291193fa28423d456cd5f3ed017f3ab4ae3ba27..c586d11ceb15ba073a460159d43addca304d9932 100644 (file)
@@ -1770,8 +1770,8 @@ WERROR NetUserSetInfo_r(struct libnetapi_ctx *ctx,
                                    SAMR_USER_ACCESS_GET_GROUPS;
                        break;
                case 3:
-                       user_mask = STD_RIGHT_READ_CONTROL_ACCESS |
-                                   STD_RIGHT_WRITE_DAC_ACCESS |
+                       user_mask = SEC_STD_READ_CONTROL |
+                                   SEC_STD_WRITE_DAC |
                                    SAMR_USER_ACCESS_GET_GROUPS |
                                    SAMR_USER_ACCESS_SET_PASSWORD |
                                    SAMR_USER_ACCESS_SET_ATTRIBUTES |
index 3d4ab295103f8daa3b8f66e809c74a3e69d711f4..83e8f38ae8bb686b348c243fbd7511551d71b37d 100644 (file)
@@ -553,7 +553,7 @@ static bool smbacl4_fill_ace4(
        ace_v4->aceType = ace_nt->type; /* only ACCESS|DENY supported right now */
        ace_v4->aceFlags = ace_nt->flags & SEC_ACE_FLAG_VALID_INHERIT;
        ace_v4->aceMask = ace_nt->access_mask &
-               (STD_RIGHT_ALL_ACCESS | SEC_FILE_ALL);
+               (SEC_STD_ALL | SEC_FILE_ALL);
 
        se_map_generic(&ace_v4->aceMask, &file_generic_mapping);
 
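Review bot: In smbacl4_fill_ace4 the mask is ANDed with `(SEC_STD_ALL | SEC_FILE_ALL)` before `se_map_generic()` runs, so any generic bits in `ace_nt->access_mask` appear to be cleared before they can be mapped, and an ACE expressed only in generic rights would end up with an empty mask. This assumes SEC_FILE_ALL carries no generic bits, which the hunk does not show. Mapping first and masking afterwards keeps the intent: `uint32_t mask = ace_nt->access_mask;`, `se_map_generic(&mask, &file_generic_mapping);`, `ace_v4->aceMask = mask & (SEC_STD_ALL | SEC_FILE_ALL);`. The function starts and ends outside this hunk, so an earlier mapping step cannot be ruled out from here.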
index 7e00e7aa33f5f35e8537037aaea676aec8abdad9..fffb912782c980b818e245a6b9cea94b66accc44 100644 (file)
@@ -1414,7 +1414,7 @@ NTSTATUS _lsa_DeleteObject(pipes_struct *p,
                return NT_STATUS_INVALID_HANDLE;
        }
 
-       if (!(info->access & STD_RIGHT_DELETE_ACCESS)) {
+       if (!(info->access & SEC_STD_DELETE)) {
                return NT_STATUS_ACCESS_DENIED;
        }
 
@@ -2261,7 +2261,7 @@ NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p,
        status = access_check_object(psd, p->server_info->ptok,
                                     NULL, 0,
                                     LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
-                                    LSA_ACCOUNT_VIEW|STD_RIGHT_DELETE_ACCESS,
+                                    LSA_ACCOUNT_VIEW|SEC_STD_DELETE,
                                     &acc_granted, "_lsa_RemoveAccountRights");
         if (!NT_STATUS_IS_OK(status)) {
                 return status;
index 30c5c5e839a1dae3132b7f45fdfaea557e9a4c08..fda8515e12b6e8961ad5f2f28133c6cbff3caa30 100644 (file)
@@ -779,7 +779,7 @@ NTSTATUS _samr_QuerySecurity(pipes_struct *p,
        size_t sd_size = 0;
 
        cinfo = policy_handle_find(p, r->in.handle,
-                                  STD_RIGHT_READ_CONTROL_ACCESS, NULL,
+                                  SEC_STD_READ_CONTROL, NULL,
                                   struct samr_connect_info, &status);
        if (NT_STATUS_IS_OK(status)) {
                DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n"));
@@ -789,7 +789,7 @@ NTSTATUS _samr_QuerySecurity(pipes_struct *p,
        }
 
        dinfo = policy_handle_find(p, r->in.handle,
-                                  STD_RIGHT_READ_CONTROL_ACCESS, NULL,
+                                  SEC_STD_READ_CONTROL, NULL,
                                   struct samr_domain_info, &status);
        if (NT_STATUS_IS_OK(status)) {
                DEBUG(5,("_samr_QuerySecurity: querying security on Domain "
@@ -804,7 +804,7 @@ NTSTATUS _samr_QuerySecurity(pipes_struct *p,
        }
 
        uinfo = policy_handle_find(p, r->in.handle,
-                                  STD_RIGHT_READ_CONTROL_ACCESS, NULL,
+                                  SEC_STD_READ_CONTROL, NULL,
                                   struct samr_user_info, &status);
        if (NT_STATUS_IS_OK(status)) {
                DEBUG(10,("_samr_QuerySecurity: querying security on user "
@@ -825,7 +825,7 @@ NTSTATUS _samr_QuerySecurity(pipes_struct *p,
        }
 
        ginfo = policy_handle_find(p, r->in.handle,
-                                  STD_RIGHT_READ_CONTROL_ACCESS, NULL,
+                                  SEC_STD_READ_CONTROL, NULL,
                                   struct samr_group_info, &status);
        if (NT_STATUS_IS_OK(status)) {
                /*
@@ -843,7 +843,7 @@ NTSTATUS _samr_QuerySecurity(pipes_struct *p,
        }
 
        ainfo = policy_handle_find(p, r->in.handle,
-                                  STD_RIGHT_READ_CONTROL_ACCESS, NULL,
+                                  SEC_STD_READ_CONTROL, NULL,
                                   struct samr_alias_info, &status);
        if (NT_STATUS_IS_OK(status)) {
                /*
@@ -5699,7 +5699,7 @@ NTSTATUS _samr_DeleteUser(pipes_struct *p,
        DEBUG(5, ("_samr_DeleteUser: %d\n", __LINE__));
 
        uinfo = policy_handle_find(p, r->in.user_handle,
-                                  STD_RIGHT_DELETE_ACCESS, NULL,
+                                  SEC_STD_DELETE, NULL,
                                   struct samr_user_info, &status);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
@@ -5767,7 +5767,7 @@ NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p,
        DEBUG(5, ("samr_DeleteDomainGroup: %d\n", __LINE__));
 
        ginfo = policy_handle_find(p, r->in.group_handle,
-                                  STD_RIGHT_DELETE_ACCESS, NULL,
+                                  SEC_STD_DELETE, NULL,
                                   struct samr_group_info, &status);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
@@ -5817,7 +5817,7 @@ NTSTATUS _samr_DeleteDomAlias(pipes_struct *p,
        DEBUG(5, ("_samr_DeleteDomAlias: %d\n", __LINE__));
 
        ainfo = policy_handle_find(p, r->in.alias_handle,
-                                  STD_RIGHT_DELETE_ACCESS, NULL,
+                                  SEC_STD_DELETE, NULL,
                                   struct samr_alias_info, &status);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
index 02b3c8d83341d3e6c0a3873eaa8177aba8964ffa..5dc62ef29ba4e24d91a7e008006109a33c588dc1 100644 (file)
@@ -869,7 +869,7 @@ WERROR _svcctl_QueryServiceObjectSecurity(pipes_struct *p,
 
        /* check access reights (according to MSDN) */
 
-       if ( !(info->access_granted & STD_RIGHT_READ_CONTROL_ACCESS) )
+       if ( !(info->access_granted & SEC_STD_READ_CONTROL) )
                return WERR_ACCESS_DENIED;
 
        /* TODO: handle something besides SECINFO_DACL */
@@ -923,12 +923,12 @@ WERROR _svcctl_SetServiceObjectSecurity(pipes_struct *p,
 
        switch ( r->in.security_flags ) {
                case SECINFO_DACL:
-                       required_access = STD_RIGHT_WRITE_DAC_ACCESS;
+                       required_access = SEC_STD_WRITE_DAC;
                        break;
 
                case SECINFO_OWNER:
                case SECINFO_GROUP:
-                       required_access = STD_RIGHT_WRITE_OWNER_ACCESS;
+                       required_access = SEC_STD_WRITE_OWNER;
                        break;
 
                case SECINFO_SACL:
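Review bot: The `switch` in _svcctl_SetServiceObjectSecurity compares `r->in.security_flags` for equality, but the SECINFO_* values are flag bits, so a request that combines SECINFO_DACL with SECINFO_OWNER matches none of the visible cases. The body of the `SECINFO_SACL` arm and any `default` lie outside the hunk, as does the rest of the function; they should be confirmed to return an error rather than leave `required_access` at its initial value. Building the mask bit by bit from a zero start is more robust: `if (r->in.security_flags & SECINFO_DACL) required_access |= SEC_STD_WRITE_DAC;` and `if (r->in.security_flags & (SECINFO_OWNER|SECINFO_GROUP)) required_access |= SEC_STD_WRITE_OWNER;`.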
index 10ea8fef22362493a8bb9bac0d154027031babb2..28d5ac923765af185b77b4c41d8c636b392a59c5 100644 (file)
@@ -851,7 +851,7 @@ WERROR _winreg_GetKeySecurity(pipes_struct *p, struct winreg_GetKeySecurity *r)
 
        /* access checks first */
 
-       if ( !(key->key->access_granted & STD_RIGHT_READ_CONTROL_ACCESS) )
+       if ( !(key->key->access_granted & SEC_STD_READ_CONTROL) )
                return WERR_ACCESS_DENIED;
 
        err = reg_getkeysecurity(p->mem_ctx, key, &secdesc);
@@ -892,7 +892,7 @@ WERROR _winreg_SetKeySecurity(pipes_struct *p, struct winreg_SetKeySecurity *r)
 
        /* access checks first */
 
-       if ( !(key->key->access_granted & STD_RIGHT_WRITE_DAC_ACCESS) )
+       if ( !(key->key->access_granted & SEC_STD_WRITE_DAC) )
                return WERR_ACCESS_DENIED;
 
        err = ntstatus_to_werror(unmarshall_sec_desc(p->mem_ctx, r->in.sd->data,
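Review bot: _winreg_SetKeySecurity gates the whole call on `SEC_STD_WRITE_DAC` alone, whereas _svcctl_SetServiceObjectSecurity in this same commit asks for `SEC_STD_WRITE_OWNER` when owner or group is being set. If the code after this hunk stores the owner or group from the unmarshalled descriptor, a handle holding only WRITE_DAC could change ownership; the remainder of the function is not visible here, so this needs confirming. The required access should be derived from the request's security-information flags in the same way as the svcctl handler. The unbraced `if` in front of `return WERR_ACCESS_DENIED;` would also be safer with braces, since it is the access check.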
index 5107b1a9e238c7f0e9186e23477123aff0c563ac..330e89df18f2defbfea8cce2f66065d2c63fe207 100644 (file)
@@ -2024,7 +2024,7 @@ void reply_open_and_X(struct smb_request *req)
        SSVAL(req->outbuf,smb_vwv11,smb_action);
 
        if (open_flags & EXTENDED_RESPONSE_REQUIRED) {
-               SIVAL(req->outbuf, smb_vwv15, STD_RIGHT_ALL_ACCESS);
+               SIVAL(req->outbuf, smb_vwv15, SEC_STD_ALL);
        }
 
        chain_reply(req);
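Review bot: The word at `smb_vwv15` is filled with the constant `SEC_STD_ALL` whenever EXTENDED_RESPONSE_REQUIRED is set, independent of the access the open actually obtained. A client that reads this field as the rights it holds on the handle would see more than was granted; whether that matters depends on how the protocol defines the field, which the hunk does not say. A short comment would settle it, for example `/* extended response: fixed access-rights word, not the handle's granted mask */`. reply_open_and_X begins outside this hunk.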