| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Jeremy.
|
| |
|
|
|
| |
security descriptors and pointers. Syncup with 2.2 tree.
Jeremy.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
source/lib/util_seaccess.c
- added se_create_child_secdesc() function which takes a parent
(container) security descriptor and creates a security descriptor
which has the inheritance flags for each ACE applied. In NT a
print job is a child object of a printer so deleting and
pausing/resuming jobs requires a check against the child security
descriptor, not the parent. The values seen in NT printer
security descriptors now all fit together in a natural and
elegant way which is always nice.
- Removed #ifdef'ed out portion of check_ace() when the
INHERIT_ONLY flag is set as the se_create_child_secdesc()
function now creates a security descriptor which can be used
without this hack.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
source/Makefile.in
- changes to ctags and etags rules that somehow got lost along the way.
source/include/proto.h
- make proto
source/smbd/sec_ctx.c
source/smbd/password.c
- merge debugs for debugging user groups and NT token stuff.
source/lib/util_str.c
- capitalise domain name returned from parse_domain_user()
source/nsswitch/wb_client.c
- fix broken conditional in debug statement.
source/include/rpc_secdes.h
source/include/rpc_spoolss.h
source/printing/nt_printing.c
source/lib/util_seaccess.c
- fix printer permission bugs related to ACE masks for printers.
This adds mapping of generic access rights to object specific
rights for NT printers. Still need to work out whether or not to
ignore ACEs with certain flags set, though. See comments in
util_seaccess.c:check_ace() for details.
source/printing/nt_printing.c
source/printing/printing.c
- use PRINTER_ACCESS_ADMINISTER instead of JOB_ACCESS_ADMINISTER
until we sort out printer/printjob permission stuff.
|
| |
|
|
|
|
|
| |
(correctly)
when the NT_USER_TOKEN is *created*.
Jeremy.
|
| |
|
|
| |
Jeremy.
|
| |
|
|
| |
Jeremy.
|
| |
|
|
|
| |
Thanks to Elrond for pointing this out.
Jeremy.
|
| |
|
|
|
|
| |
Added debug messages to se_access_check().
Added FULL_ACCESS acl to default acl on printers.
Jeremy.
|
| |
|
|
| |
Jeremy.
|
| |
|
|
| |
Jeremy.
|
| |
|
|
|
| |
as the SID list. Now to go through and tidy up the algorithm.
Jeremy.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
get ready and fix se_access_check().
Added cannonical lookup_name(), lookup_sid(), uid_to_sid(), gid_to_sid()
functions that look via winbind first the fall back on local lookup.
All Samba should use these rather than trying to call winbindd code
directly.
Added NT_USER_TOKEN struct in user_struct, contains list of NT sids
associated with this user.
se_access_check() should use this (cached) value rather than attempting
to do the same thing itself when given a uid/gid pair.
More work needs to be done to preserve these things accross security
context changes (especially with the tricky pipe problem) but I'm
beginning to see how this will be done..... probably by registering
a new vuid for an authenticated RPC pipe and not treating the
pipe calls specially.
More thoughts needed - but we're almost there...
Jeremy.
|
| |
|
|
|
| |
Changed interface to se_access_check to take a user struct instead of each
bit as a separate parameter.
|
| | |
|
| |
|
|
|
|
| |
nsswitch/wb_client.c
Merge of nsswitch/common.c rename to nsswitch/wb_common.c from TNG.
|
| |
|
|
| |
Fixes for se_access_check() when you are the owner of the object.
|
| |
|
|
|
| |
bugs. I think there is a problem though with the permissions granted when
SEC_RIGHTS_MAXIMUM_ALLOWED is passed as the permissions requested.
|
| |
|
