From 1e823bc781fdb0738a58f478432c017732b69068 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 10 Aug 2000 19:51:45 +0000
Subject: Tidied up security rights definitions. Jeremy. (This used to be commit e466c863f5540e13776f4477b6d58e3fbfe7276d)
---
 source3/include/rpc_secdes.h | 4 ----
 source3/include/rpc_spoolss.h | 29 ++++++++++++-----------------
 source3/include/smb.h | 15 ++++++++-------
 source3/lib/util_seaccess.c | 8 ++++----
 source3/printing/nt_printing.c | 2 +-
 source3/rpc_server/srv_lsa.c | 3 +--
 source3/rpcclient/display_sec.c | 8 ++++----
 7 files changed, 30 insertions(+), 39 deletions(-)
(limited to 'source3')
diff --git a/source3/include/rpc_secdes.h b/source3/include/rpc_secdes.h
index 13b8494b2e..9acc4511e8 100644
--- a/source3/include/rpc_secdes.h
+++ b/source3/include/rpc_secdes.h
@@ -29,10 +29,6 @@
 #define SEC_RIGHTS_ENUM_SUBKEYS 0x00000008
 #define SEC_RIGHTS_NOTIFY 0x00000010
 #define SEC_RIGHTS_CREATE_LINK 0x00000020
-#define SEC_RIGHTS_DELETE 0x00010000
-#define SEC_RIGHTS_READ_CONTROL 0x00020000
-#define SEC_RIGHTS_WRITE_DAC 0x00040000
-#define SEC_RIGHTS_WRITE_OWNER 0x00080000
 #define SEC_RIGHTS_READ 0x00020019
 #define SEC_RIGHTS_FULL_CONTROL 0x000f003f
diff --git a/source3/include/rpc_spoolss.h b/source3/include/rpc_spoolss.h
index 6781dc6aea..1e0a53d9e0 100755
--- a/source3/include/rpc_spoolss.h
+++ b/source3/include/rpc_spoolss.h
@@ -157,28 +157,23 @@
 #define PRINTER_ACCESS_USE 0x00000008
 #define JOB_ACCESS_ADMINISTER 0x00000010
-#define STANDARD_RIGHTS_READ 0x00020000
-#define STANDARD_RIGHTS_WRITE STANDARD_RIGHTS_READ
-#define STANDARD_RIGHTS_EXECUTE STANDARD_RIGHTS_READ
-#define STANDARD_RIGHTS_REQUIRED 0x000F0000
-
 /* Access rights for print servers */
-#define SERVER_ALL_ACCESS STANDARD_RIGHTS_REQUIRED|SERVER_ACCESS_ADMINISTER|SERVER_ACCESS_ENUMERATE
-#define SERVER_READ STANDARD_RIGHTS_READ|SERVER_ACCESS_ENUMERATE
-#define SERVER_WRITE STANDARD_RIGHTS_WRITE|SERVER_ACCESS_ADMINISTER|SERVER_ACCESS_ENUMERATE
-#define SERVER_EXECUTE STANDARD_RIGHTS_EXECUTE|SERVER_ACCESS_ENUMERATE
+#define SERVER_ALL_ACCESS STANDARD_RIGHTS_REQUIRED_ACCESS|SERVER_ACCESS_ADMINISTER|SERVER_ACCESS_ENUMERATE
+#define SERVER_READ STANDARD_RIGHTS_READ_ACCESS|SERVER_ACCESS_ENUMERATE
+#define SERVER_WRITE STANDARD_RIGHTS_WRITE_ACCESS|SERVER_ACCESS_ADMINISTER|SERVER_ACCESS_ENUMERATE
+#define SERVER_EXECUTE STANDARD_RIGHTS_EXECUTE_ACCESS|SERVER_ACCESS_ENUMERATE
 /* Access rights for printers */
-#define PRINTER_ALL_ACCESS STANDARD_RIGHTS_REQUIRED|PRINTER_ACCESS_ADMINISTER|PRINTER_ACCESS_USE
-#define PRINTER_READ STANDARD_RIGHTS_READ|PRINTER_ACCESS_USE
-#define PRINTER_WRITE STANDARD_RIGHTS_WRITE|PRINTER_ACCESS_USE
-#define PRINTER_EXECUTE STANDARD_RIGHTS_EXECUTE|PRINTER_ACCESS_USE
+#define PRINTER_ALL_ACCESS STANDARD_RIGHTS_REQUIRED_ACCESS|PRINTER_ACCESS_ADMINISTER|PRINTER_ACCESS_USE
+#define PRINTER_READ STANDARD_RIGHTS_READ_ACCESS|PRINTER_ACCESS_USE
+#define PRINTER_WRITE STANDARD_RIGHTS_WRITE_ACCESS|PRINTER_ACCESS_USE
+#define PRINTER_EXECUTE STANDARD_RIGHTS_EXECUTE_ACCESS|PRINTER_ACCESS_USE
 /* Access rights for jobs */
-#define JOB_ALL_ACCESS STANDARD_RIGHTS_REQUIRED|JOB_ACCESS_ADMINISTER
-#define JOB_READ STANDARD_RIGHTS_READ|JOB_ACCESS_ADMINISTER
-#define JOB_WRITE STANDARD_RIGHTS_WRITE|JOB_ACCESS_ADMINISTER
-#define JOB_EXECUTE STANDARD_RIGHTS_EXECUTE|JOB_ACCESS_ADMINISTER
+#define JOB_ALL_ACCESS STANDARD_RIGHTS_REQUIRED_ACCESS|JOB_ACCESS_ADMINISTER
+#define JOB_READ STANDARD_RIGHTS_READ_ACCESS|JOB_ACCESS_ADMINISTER
+#define JOB_WRITE STANDARD_RIGHTS_WRITE_ACCESS|JOB_ACCESS_ADMINISTER
+#define JOB_EXECUTE STANDARD_RIGHTS_EXECUTE_ACCESS|JOB_ACCESS_ADMINISTER
 #define POLICY_HND_SIZE 20
diff --git a/source3/include/smb.h b/source3/include/smb.h
index 03d4b4c9b3..bd7f828747 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -1154,21 +1154,22 @@ struct bitmap {
 #define WRITE_OWNER_ACCESS (1L<<19)
 #define SYNCHRONIZE_ACCESS (1L<<20)
+/* Combinations of standard masks. */
+#define STANDARD_RIGHTS_ALL_ACCESS (DELETE_ACCESS|READ_CONTROL_ACCESS|WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS|SYNCHRONIZE_ACCESS)
+#define STANDARD_RIGHTS_EXECUTE_ACCESS (READ_CONTROL_ACCESS)
+#define STANDARD_RIGHTS_READ_ACCESS (READ_CONTROL_ACCESS)
+#define STANDARD_RIGHTS_REQUIRED_ACCESS (DELETE_ACCESS|READ_CONTROL_ACCESS|WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS)
+#define STANDARD_RIGHTS_WRITE_ACCESS (READ_CONTROL_ACCESS)
+
 #define SYSTEM_SECURITY_ACCESS (1L<<24)
+#define MAXIMUM_ALLOWED_ACCESS (1L<<25)
 #define GENERIC_ALL_ACCESS (1<<28)
 #define GENERIC_EXECUTE_ACCESS (1<<29)
 #define GENERIC_WRITE_ACCESS (1<<30)
 #define GENERIC_READ_ACCESS (((unsigned)1)<<31)
-#define FILE_ALL_STANDARD_ACCESS 0x1F0000
-
 /* Mapping of access rights to UNIX perms. */
-#if 0 /* Don't use all here... JRA. */
-#define UNIX_ACCESS_RWX (FILE_ALL_ATTRIBUTES|FILE_ALL_STANDARD_ACCESS)
-#else
 #define UNIX_ACCESS_RWX (UNIX_ACCESS_R|UNIX_ACCESS_W|UNIX_ACCESS_X)
-#endif
-
 #define UNIX_ACCESS_R (READ_CONTROL_ACCESS|SYNCHRONIZE_ACCESS|\
 FILE_READ_ATTRIBUTES|FILE_READ_EA|FILE_READ_DATA)
 #define UNIX_ACCESS_W (READ_CONTROL_ACCESS|SYNCHRONIZE_ACCESS|\
diff --git a/source3/lib/util_seaccess.c b/source3/lib/util_seaccess.c
index 486db7c8c8..cacdad16fd 100644
--- a/source3/lib/util_seaccess.c
+++ b/source3/lib/util_seaccess.c
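Review bot: The rewritten SERVER_*, PRINTER_* and JOB_* masks in rpc_spoolss.h still expand without enclosing parentheses, so an expression such as `mask & PRINTER_READ` parses as `(mask & STANDARD_RIGHTS_READ_ACCESS)|PRINTER_ACCESS_USE` and is always non-zero, and `~JOB_ALL_ACCESS` would negate only the first term. These constants describe access rights, so a mis-parsed test fails open rather than closed. Each of the twelve definitions should be wrapped, e.g. `#define PRINTER_READ (STANDARD_RIGHTS_READ_ACCESS|PRINTER_ACCESS_USE)`, the way the new STANDARD_RIGHTS_*_ACCESS macros in smb.h already are. Whether any caller currently combines them with `&` or `~` is not visible in this diff.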
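Review bot: STANDARD_RIGHTS_READ_ACCESS, STANDARD_RIGHTS_WRITE_ACCESS and STANDARD_RIGHTS_EXECUTE_ACCESS in the smb.h hunk are all defined as `(READ_CONTROL_ACCESS)` with nothing saying this is intended, which reads like a copy-paste slip to anyone auditing the masks. A comment above the block such as `/* READ, WRITE and EXECUTE deliberately all equal READ_CONTROL_ACCESS, as in the NT definitions. */` would settle it. As a style point, the new MAXIMUM_ALLOWED_ACCESS is written `(1L<<25)` while the GENERIC_* bits just below use `1<<` and `((unsigned)1)<<`; one unsigned form for all 32-bit mask bits would keep `~` and comparisons on them predictable.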
@@ -241,16 +241,16 @@ BOOL se_access_check(SEC_DESC *sd, struct current_user *user,
 /*
 * The owner always has SEC_RIGHTS_WRITE_DAC.
 */
- if (tmp_acc_desired & SEC_RIGHTS_WRITE_DAC)
- tmp_acc_desired &= ~SEC_RIGHTS_WRITE_DAC;
+ if (tmp_acc_desired & WRITE_DAC_ACCESS)
+ tmp_acc_desired &= ~WRITE_DAC_ACCESS;
 }
 }
 }
 acl = sd->dacl;
- if (tmp_acc_desired & SEC_RIGHTS_MAXIMUM_ALLOWED) {
- tmp_acc_desired &= ~SEC_RIGHTS_MAXIMUM_ALLOWED;
+ if (tmp_acc_desired & MAXIMUM_ALLOWED_ACCESS) {
+ tmp_acc_desired &= ~MAXIMUM_ALLOWED_ACCESS;
 return get_max_access( acl, token, acc_granted, tmp_acc_desired, status);
 }
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
index 2f32a5ac2e..eefcd2384d 100644
--- a/source3/printing/nt_printing.c
+++ b/source3/printing/nt_printing.c
@@ -1987,7 +1987,7 @@ static SEC_DESC_BUF *construct_default_printer_sdb(void)
 }
 }
- init_sec_access(&sa, PRINTER_ACE_FULL_CONTROL);
+ init_sec_access(&sa, PRINTER_ACE_MANAGE_DOCUMENTS | PRINTER_ACE_PRINT);
 init_sec_ace(&ace[1], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
diff --git a/source3/rpc_server/srv_lsa.c b/source3/rpc_server/srv_lsa.c
index dc97d6db44..f37bb249ba 100644
--- a/source3/rpc_server/srv_lsa.c
+++ b/source3/rpc_server/srv_lsa.c
@@ -305,8 +305,7 @@ static void init_lsa_trans_names(DOM_R_REF *ref, LSA_TRANS_NAME_ENUM *trn,
 memset(dom_name, '\0', sizeof(dom_name));
 memset(name, '\0', sizeof(name));
- status = winbind_lookup_sid(&find_sid, dom_name, name,
- &sid_name_use);
+ status = lookup_sid(&find_sid, dom_name, name, &sid_name_use);
 if (!status) {
 sid_name_use = SID_NAME_UNKNOWN;
diff --git a/source3/rpcclient/display_sec.c b/source3/rpcclient/display_sec.c
index 44e7e6e8aa..a428a95686 100644
--- a/source3/rpcclient/display_sec.c
+++ b/source3/rpcclient/display_sec.c
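Review bot: The comment directly above the first changed pair in se_access_check still says "The owner always has SEC_RIGHTS_WRITE_DAC", a name this commit deletes from rpc_secdes.h; it should become `* The owner always has WRITE_DAC_ACCESS.` so a search for the old macro finds nothing stale. The second pair swaps SEC_RIGHTS_MAXIMUM_ALLOWED for MAXIMUM_ALLOWED_ACCESS, newly defined as `(1L<<25)` in smb.h. The old macro's value is not shown in this diff, so it is worth confirming both name the same bit, because a different bit would change which requests take the get_max_access() path. se_access_check begins and ends outside the hunk.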
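Review bot: The owner ACE built for `ace[1]` in construct_default_printer_sdb changes from PRINTER_ACE_FULL_CONTROL to `PRINTER_ACE_MANAGE_DOCUMENTS | PRINTER_ACE_PRINT`, which alters the default printer security descriptor rather than tidying a definition, and nothing on the line records why. A comment such as `/* Owner ACE: print and manage documents only, deliberately not full control. */` would make the narrowing explicit for whoever next audits the default ACL. The values of both PRINTER_ACE_* masks and the ACE placed in `ace[0]` are outside this hunk, so the resulting effective rights need checking there. The function starts and ends outside the hunk.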
@@ -64,10 +64,10 @@ static const char *get_sec_mask_str(uint32 type)
 case SEC_RIGHTS_ENUM_SUBKEYS : fstrcat(typestr, "Enum "); break;
 case SEC_RIGHTS_NOTIFY : fstrcat(typestr, "Notify "); break;
 case SEC_RIGHTS_CREATE_LINK : fstrcat(typestr, "CreateLink "); break;
- case SEC_RIGHTS_DELETE : fstrcat(typestr, "Delete "); break;
- case SEC_RIGHTS_READ_CONTROL : fstrcat(typestr, "ReadControl "); break;
- case SEC_RIGHTS_WRITE_DAC : fstrcat(typestr, "WriteDAC "); break;
- case SEC_RIGHTS_WRITE_OWNER : fstrcat(typestr, "WriteOwner "); break;
+ case DELETE_ACCESS : fstrcat(typestr, "Delete "); break;
+ case READ_CONTROL_ACCESS : fstrcat(typestr, "ReadControl "); break;
+ case WRITE_DAC_ACCESS : fstrcat(typestr, "WriteDAC "); break;
+ case WRITE_OWNER_ACCESS : fstrcat(typestr, "WriteOwner "); break;
 }
 type &= ~(1 << i);
 }
-- cgit
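Review bot: The switch in get_sec_mask_str closes right after the WriteOwner case, so SYNCHRONIZE_ACCESS, which smb.h now includes in STANDARD_RIGHTS_ALL_ACCESS, has no label after that point and, unless an earlier case outside the hunk handles it, would be cleared by `type &= ~(1 << i);` without being printed. A mask display that silently drops a granted bit can mislead someone reviewing an ACL. Consider adding `case SYNCHRONIZE_ACCESS : fstrcat(typestr, "Synchronize "); break;` and a `default:` that prints the unknown bit in hex. The function and its loop bounds start outside the hunk. If `i` can reach 31, `1 << i` should be `1U << i`.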