if (ace_grant(mask, acc_desired,
acc_granted)) {
*status = NT_STATUS_NO_PROBLEMO;
- DEBUG(3, ("access granted\n"));
+ DEBUG(3, ("access granted by ace\n"));
return True;
}
}
if (ace_deny(mask, acc_desired,
acc_granted)) {
*status = NT_STATUS_ACCESS_DENIED;
- DEBUG(3, ("access denied\n"));
+ DEBUG(3, ("access denied by ace\n"));
return True;
}
}
or more ACEs explicitly grant all requested access rights. See
"Access-Checking" document in MSDN. */
-BOOL se_access_check(SEC_DESC *sd, uid_t uid, gid_t gid, int ngroups,
- gid_t *groups, uint32 acc_desired,
- uint32 *acc_granted, uint32 *status)
+BOOL se_access_check(SEC_DESC *sd, struct current_user *user,
+ uint32 acc_desired, uint32 *acc_granted, uint32 *status)
{
DOM_SID user_sid, group_sid;
DOM_SID **group_sids = NULL;
uint ngroup_sids = 0;
SEC_ACL *acl;
uint8 check_ace_type;
+ fstring sid_str;
if (!status || !acc_granted) return False;
*status = NT_STATUS_NOPROBLEMO;
*acc_granted = acc_desired;
acc_desired = 0;
+ DEBUG(3, ("no sd, access allowed\n"));
goto done;
}
/* Create user sid */
- if (!winbind_uid_to_sid(uid, &user_sid)) {
- DEBUG(3, ("could not lookup sid for uid %d\n", uid));
+ if (!winbind_uid_to_sid(user->uid, &user_sid)) {
+ DEBUG(3, ("could not lookup sid for uid %d\n", user->uid));
}
+ sid_to_string(sid_str, &user_sid);
+ DEBUG(3, ("user sid is %s\n", sid_str));
+
/* If we're the owner, then we can do anything */
if (sid_equal(&user_sid, sd->owner_sid)) {
*status = NT_STATUS_NOPROBLEMO;
*acc_granted = acc_desired;
acc_desired = 0;
+ DEBUG(3, ("is owner, access allowed\n"));
goto done;
}
/* Create group sid */
- if (!winbind_gid_to_sid(gid, &group_sid)) {
- DEBUG(3, ("could not lookup sid for gid %d\n", gid));
+ if (!winbind_gid_to_sid(user->gid, &group_sid)) {
+ DEBUG(3, ("could not lookup sid for gid %d\n", user->gid));
}
+ sid_to_string(sid_str, &group_sid);
+ DEBUG(3, ("group sid is %s\n", sid_str));
+
/* Create array of group sids */
add_sid_to_array(&ngroup_sids, &group_sids, &group_sid);
- for (i = 0; i < ngroups; i++) {
- if (groups[i] != gid) {
- if (winbind_gid_to_sid(groups[i], &group_sid)) {
+ for (i = 0; i < user->ngroups; i++) {
+ if (user->groups[i] != user->gid) {
+ if (winbind_gid_to_sid(user->groups[i], &group_sid)) {
/* If we're a group member then we can also
do anything */
*status = NT_STATUS_NOPROBLEMO;
*acc_granted = acc_desired;
acc_desired = 0;
+ DEBUG(3, ("is group member "
+ "access allowed\n"));
goto done;
}
&group_sid);
} else {
DEBUG(3, ("could not lookup sid for gid %d\n",
- gid));
+ user->gid));
}
+
+ sid_to_string(sid_str, &group_sid);
+ DEBUG(3, ("supplementary group %s\n", sid_str));
}
}
*status = NT_STATUS_NOPROBLEMO;
*acc_granted = acc_desired;
acc_desired = 0;
+ DEBUG(3, ("null ace, access allowed\n"));
goto done;
}
git.samba.org / samba.git / commitdiff