#define SE_BACKUP { { 0x00000200, 0x00000000, 0x00000000, 0x00000000 } }
#define SE_RESTORE { { 0x00000400, 0x00000000, 0x00000000, 0x00000000 } }
#define SE_TAKE_OWNERSHIP { { 0x00000800, 0x00000000, 0x00000000, 0x00000000 } }
+#define SE_SECURITY { { 0x00001000, 0x00000000, 0x00000000, 0x00000000 } }
/* defined in lib/privilegs_basic.c */
extern const SE_PRIV se_remote_shutdown;
extern const SE_PRIV se_restore;
extern const SE_PRIV se_take_ownership;
+extern const SE_PRIV se_security;
/*
const SE_PRIV se_remote_shutdown = SE_REMOTE_SHUTDOWN;
const SE_PRIV se_restore = SE_RESTORE;
const SE_PRIV se_take_ownership = SE_TAKE_OWNERSHIP;
+const SE_PRIV se_security = SE_SECURITY;
/********************************************************************
This is a list of privileges reported by a WIndows 2000 SP4 AD DC
{SE_SERVICE_LOGON, "SeServiceLogonRight", "Log on as a service", { 0x0, 0x0 }},
#endif
{SE_MACHINE_ACCOUNT, "SeMachineAccountPrivilege", "Add machines to domain", { 0x0, 0x0006 }},
+ {SE_SECURITY, "SeSecurityPrivilege", "Manage auditing and security log", { 0x0, 0x0008 }},
{SE_TAKE_OWNERSHIP, "SeTakeOwnershipPrivilege", "Take ownership of files or other objects",{ 0x0, 0x0009 }},
{SE_BACKUP, "SeBackupPrivilege", "Back up files and directories", { 0x0, 0x0011 }},
{SE_RESTORE, "SeRestorePrivilege", "Restore files and directories", { 0x0, 0x0012 }},
{SE_ADD_USERS, "SeAddUsersPrivilege", "Add users and groups to the domain", { 0x0, 0x1002 }},
{SE_DISK_OPERATOR, "SeDiskOperatorPrivilege", "Manage disk shares", { 0x0, 0x1003 }},
+
{SE_END, "", "", { 0x0, 0x0 }}
};
bits_remaining));
}
-#if 0
- /* We need to support SeSecurityPrivilege for this. */
-
if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
- if (user_has_privileges(token, &sec_security)) {
+ if (user_has_privileges(token, &se_security)) {
bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
} else {
return NT_STATUS_PRIVILEGE_NOT_HELD;
}
}
-#endif
/* a NULL dacl allows access */
if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
* Get the permissions to return.
*/
+ if ((security_info_wanted & SECINFO_SACL) &&
+ !(fsp->access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
+ reply_nterror(req, NT_STATUS_ACCESS_DENIED);
+ return;
+ }
+
+ if ((security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|SECINFO_GROUP)) &&
+ !(fsp->access_mask & SEC_STD_READ_CONTROL)) {
+ reply_nterror(req, NT_STATUS_ACCESS_DENIED);
+ return;
+ }
+
if (!lp_nt_acl_support(SNUM(conn))) {
status = get_null_nt_acl(talloc_tos(), &psd);
} else {
#include "includes.h"
#include "smbd/globals.h"
+extern struct current_user current_user;
extern const struct generic_mapping file_generic_mapping;
struct deferred_open_record {
return status;
}
- /* We need to support SeSecurityPrivilege for this. */
- if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {
+ if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) &&
+ !user_has_privileges(current_user.nt_user_token, &se_security)) {
DEBUG(10, ("open_directory: open on %s "
"failed - SEC_FLAG_SYSTEM_SECURITY denied.\n",
smb_fname_str_dbg(smb_dname)));
goto fail;
}
-#if 0
- /* We need to support SeSecurityPrivilege for this. */
if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) &&
- !user_has_privileges(current_user.nt_user_token,
- &se_security)) {
- status = NT_STATUS_PRIVILEGE_NOT_HELD;
- goto fail;
- }
-#else
- /* We need to support SeSecurityPrivilege for this. */
- if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {
- status = NT_STATUS_PRIVILEGE_NOT_HELD;
- goto fail;
- }
- /* Don't allow a SACL set from an NTtrans create until we
- * support SeSecurityPrivilege. */
- if (!VALID_STAT(smb_fname->st) &&
- lp_nt_acl_support(SNUM(conn)) &&
- sd && (sd->sacl != NULL)) {
+ !user_has_privileges(current_user.nt_user_token, &se_security)) {
+ DEBUG(10, ("create_file_unixpath:: open on %s "
+ "failed - SEC_FLAG_SYSTEM_SECURITY denied.\n",
+ smb_fname_str_dbg(smb_fname)));
status = NT_STATUS_PRIVILEGE_NOT_HELD;
goto fail;
}
-#endif
if ((conn->fs_capabilities & FILE_NAMED_STREAMS)
&& is_ntfs_stream_smb_fname(smb_fname)