libcli/security: make sure that we don't grant SEC_STD_DELETE to the owner by default

In the file server SEC_STD_DELETE is granted on the file/directory
or by FILE_DELETE_CHILD on the parent directory.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Mar 21 23:25:05 CET 2011 on sn-devel-104

diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index c5f89af32a6ecd7dd8a4ccc7b06d47ea950aef54..6bb64aeabe5311ab8e10b4d31cc48a08d5f4b65c 100644 (file)
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -112,9 +112,7 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
        unsigned i;
 
        if (security_token_has_sid(token, sd->owner_sid)) {
-               granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_STD_DELETE;
-       } else if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
-               granted |= SEC_STD_DELETE;
+               granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;
        }
 
        if (sd->dacl == NULL) {
@@ -171,7 +169,7 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
                access_desired |= access_check_max_allowed(sd, token);
                access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
                *access_granted = access_desired;
-               bits_remaining = access_desired & ~SEC_STD_DELETE;
+               bits_remaining = access_desired;
 
                DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n",
                        orig_access_desired,
@@ -190,21 +188,13 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
                }
        }
 
-       /* a NULL dacl allows access */
-       if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
-               *access_granted = access_desired;
-               return NT_STATUS_OK;
-       }
-
-       /* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */
-       if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) &&
+       /* the owner always gets SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL */
+       if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL)) &&
            security_token_has_sid(token, sd->owner_sid)) {
-               bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE);
-       }
-       if ((bits_remaining & SEC_STD_DELETE) &&
-           (security_token_has_privilege(token, SEC_PRIV_RESTORE))) {
-               bits_remaining &= ~SEC_STD_DELETE;
+               bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL);
        }
+
+       /* TODO: remove this, as it is file server specific */
        if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
            security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
                bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
@@ -214,6 +204,12 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
                bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
        }
 
+       /* a NULL dacl allows access */
+       if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
+               *access_granted = access_desired;
+               return NT_STATUS_OK;
+       }
+
        if (sd->dacl == NULL) {
                goto done;
        }
@@ -295,7 +291,7 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
                 access_desired |= access_check_max_allowed(sd, token);
                 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
                 *access_granted = access_desired;
-                bits_remaining = access_desired & ~SEC_STD_DELETE;
+               bits_remaining = access_desired;
         }
 
         if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
@@ -307,6 +303,22 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
                 }
         }
 
+       /* the owner always gets SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL */
+       if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL)) &&
+           security_token_has_sid(token, sd->owner_sid)) {
+               bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL);
+       }
+
+       /* TODO: remove this, as it is file server specific */
+       if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
+           security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
+               bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
+       }
+       if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
+           security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
+               bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
+       }
+
         /* a NULL dacl allows access */
         if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
                 *access_granted = access_desired;
@@ -314,16 +326,6 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
                 return NT_STATUS_OK;
         }
 
-        /* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */
-        if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) &&
-            security_token_has_sid(token, sd->owner_sid)) {
-                bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE);
-        }
-        if ((bits_remaining & SEC_STD_DELETE) &&
-            security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
-                bits_remaining &= ~SEC_STD_DELETE;
-        }
-
         if (sd->dacl == NULL) {
                 goto done;
         }