From 84f01a1607275b65899bffc672739f4c9bd018e4 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 27 Aug 2010 12:19:09 +1000
Subject: [PATCH] libcli/security Don't export privs[] as a global variable

Instead, provide access functions for the LSA and net sam callers
for the information they need.

They still only enumerate the first 8 privileges that have traditionally
been exposed.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
---
 libcli/security/privileges.c    | 43 +++++++++++++++------------------
 libcli/security/privileges.h    | 25 ++++++-------------
 source3/rpc_server/srv_lsa_nt.c |  7 ++----
 source3/utils/net_sam.c         |  6 ++---
 4 files changed, 31 insertions(+), 50 deletions(-)

diff --git a/libcli/security/privileges.c b/libcli/security/privileges.c
index 24a58e49e88..a33ef57a60e 100644
--- a/libcli/security/privileges.c
+++ b/libcli/security/privileges.c
@@ -55,7 +55,12 @@ const uint64_t se_take_ownership  = SE_TAKE_OWNERSHIP;
 
 #define NUM_SHORT_LIST_PRIVS 8
 
-PRIVS privs[] = {
+static const struct {
+	enum sec_privilege luid;
+	uint64_t privilege_mask;
+	const char *name;
+	const char *description;
+} privs[] = {
 
 	{SEC_PRIV_MACHINE_ACCOUNT, SE_MACHINE_ACCOUNT,   "SeMachineAccountPrivilege",	"Add machines to domain"},
 	{SEC_PRIV_TAKE_OWNERSHIP,  SE_TAKE_OWNERSHIP,    "SeTakeOwnershipPrivilege",    "Take ownership of files or other objects"},
@@ -404,7 +409,7 @@ bool user_has_any_privilege(struct security_token *token, const uint64_t *privil
 }
 
 /*******************************************************************
- return the number of elements in the privlege array
+ return the number of elements in the 'short' privlege array (traditional source3 behaviour)
 *******************************************************************/
 
 int num_privileges_in_short_list( void )
@@ -412,27 +417,6 @@ int num_privileges_in_short_list( void )
 	return NUM_SHORT_LIST_PRIVS;
 }
 
-/*********************************************************************
- Generate the struct lsa_LUIDAttribute structure based on a bitmask
- The assumption here is that the privilege has already been validated
- so we are guaranteed to find it in the list.
-*********************************************************************/
-
-enum sec_privilege get_privilege_luid( uint64_t *privilege_mask )
-{
-	int i;
-
-	uint32_t num_privs = ARRAY_SIZE(privs);
-
-	for ( i=0; i<num_privs; i++ ) {
-		if ( se_priv_equal( &privs[i].privilege_mask, privilege_mask ) ) {
-			return privs[i].luid;
-		}
-	}
-
-	return 0;
-}
-
 /****************************************************************************
  Convert a LUID to a named string
 ****************************************************************************/
@@ -613,7 +597,7 @@ enum sec_privilege sec_privilege_from_mask(uint64_t mask)
 }
 
 /*
-  map a privilege name to a privilege id. Return -1 if not found
+  assist in walking the table of privileges - return the LUID (low 32 bits) by index
 */
 enum sec_privilege sec_privilege_from_index(int idx)
 {
@@ -623,6 +607,17 @@ enum sec_privilege sec_privilege_from_index(int idx)
 	return -1;
 }
 
+/*
+  assist in walking the table of privileges - return the string constant by index
+*/
+const char *sec_privilege_name_from_index(int idx)
+{
+	if (idx >= 0 && idx<ARRAY_SIZE(privs)) {
+		return privs[idx].name;
+	}
+	return NULL;
+}
+
 
 /*
   return a privilege mask given a privilege id
diff --git a/libcli/security/privileges.h b/libcli/security/privileges.h
index e1cfbbb4042..e715c468c2e 100644
--- a/libcli/security/privileges.h
+++ b/libcli/security/privileges.h
@@ -63,13 +63,6 @@ typedef struct {
 	struct lsa_LUIDAttribute *set;
 } PRIVILEGE_SET;
 
-typedef struct {
-	enum sec_privilege luid;
-	uint64_t privilege_mask;
-	const char *name;
-	const char *description;
-} PRIVS;
-
 /***************************************************************************
  copy an uint64_t structure
 ****************************************************************************/
@@ -137,18 +130,11 @@ bool user_has_privileges(const struct security_token *token, const uint64_t *pri
 bool user_has_any_privilege(struct security_token *token, const uint64_t *privilege_mask);
 
 /*******************************************************************
- return the number of elements in the privlege array
+ return the number of elements in the 'short' privlege array (traditional source3 behaviour)
 *******************************************************************/
 
-int count_all_privileges( void );
-
-/*********************************************************************
- Generate the struct lsa_LUIDAttribute structure based on a bitmask
- The assumption here is that the privilege has already been validated
- so we are guaranteed to find it in the list.
-*********************************************************************/
+int num_privileges_in_short_list( void );
 
-enum sec_privilege get_privilege_luid( uint64_t *privilege_mask );
 /****************************************************************************
  Convert a LUID to a named string
 ****************************************************************************/
@@ -181,10 +167,15 @@ enum sec_privilege sec_privilege_id(const char *name);
 enum sec_privilege sec_privilege_from_mask(uint64_t mask);
 
 /*
-  map a privilege name to a privilege id. Return -1 if not found
+  assist in walking the table of privileges - return the LUID (low 32 bits) by index
 */
 enum sec_privilege sec_privilege_from_index(int idx);
 
+/*
+  assist in walking the table of privileges - return the string constant by index
+*/
+const char *sec_privilege_name_from_index(int idx);
+
 /*
   return true if a security_token has a particular privilege bit set
 */
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index 6eee8995305..c787502a357 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -39,8 +39,6 @@
 
 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
 
-extern PRIVS privs[];
-
 enum lsa_handle_type { LSA_HANDLE_POLICY_TYPE = 1, LSA_HANDLE_ACCOUNT_TYPE };
 
 struct lsa_info {
@@ -1454,7 +1452,6 @@ NTSTATUS _lsa_EnumPrivs(struct pipes_struct *p,
 	uint32 enum_context = *r->in.resume_handle;
 	int num_privs = num_privileges_in_short_list();
 	struct lsa_PrivEntry *entries = NULL;
-	struct lsa_LUIDAttribute luid;
 
 	/* remember that the enum_context starts at 0 and not 1 */
 
@@ -1495,9 +1492,9 @@ NTSTATUS _lsa_EnumPrivs(struct pipes_struct *p,
 			entries[i].luid.high = 0;
 		} else {
 
-			init_lsa_StringLarge(&entries[i].name, privs[i].name);
+			init_lsa_StringLarge(&entries[i].name, sec_privilege_name_from_index(i));
 
-			entries[i].luid.low = get_privilege_luid( &privs[i].privilege_mask );
+			entries[i].luid.low = sec_privilege_from_index(i);
 			entries[i].luid.high = 0;
 		}
 	}
diff --git a/source3/utils/net_sam.c b/source3/utils/net_sam.c
index 99eac045e02..6a9e261ea08 100644
--- a/source3/utils/net_sam.c
+++ b/source3/utils/net_sam.c
@@ -631,8 +631,6 @@ static int net_sam_policy(struct net_context *c, int argc, const char **argv)
         return net_run_function(c, argc, argv, "net sam policy", func);
 }
 
-extern PRIVS privs[];
-
 static int net_sam_rights_list(struct net_context *c, int argc,
 			       const char **argv)
 {
@@ -647,10 +645,10 @@ static int net_sam_rights_list(struct net_context *c, int argc,
 
 	if (argc == 0) {
 		int i;
-		int num = count_all_privileges();
+		int num = num_privileges_in_short_list();
 
 		for (i=0; i<num; i++) {
-			d_printf("%s\n", privs[i].name);
+			d_printf("%s\n", sec_privilege_name_from_index(i));
 		}
 		return 0;
 	}
-- 
2.34.1