From e00c2b3cdf6faa03b6ffcf87dc677fdbdd381fe3 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 20 Oct 2010 16:31:18 -0700
Subject: Add code to implement SeSecurityPrivilege in net rpc rights, and in
 the open and get/set NT security descriptor code.

Jeremy.

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Thu Oct 21 00:15:57 UTC 2010 on sn-devel-104
---
 libcli/security/privileges.c |  9 +++------
 source3/smbd/nttrans.c       | 10 ++++++++++
 source3/smbd/open.c          | 29 ++++++++---------------------
 3 files changed, 21 insertions(+), 27 deletions(-)

diff --git a/libcli/security/privileges.c b/libcli/security/privileges.c
index 5d4cf77490f..57c485dbe60 100644
--- a/libcli/security/privileges.c
+++ b/libcli/security/privileges.c
@@ -40,7 +40,7 @@
 /* The use of strcasecmp here is safe, all the comparison strings are ASCII */
 #undef strcasecmp
 
-#define NUM_SHORT_LIST_PRIVS 8
+#define NUM_SHORT_LIST_PRIVS 9
 
 static const struct {
 	enum sec_privilege luid;
@@ -58,16 +58,13 @@ static const struct {
 	{SEC_PRIV_PRINT_OPERATOR,  SEC_PRIV_PRINT_OPERATOR_BIT,	 "SePrintOperatorPrivilege",	"Manage printers"},
 	{SEC_PRIV_ADD_USERS,       SEC_PRIV_ADD_USERS_BIT,	 "SeAddUsersPrivilege",		"Add users and groups to the domain"},
 	{SEC_PRIV_DISK_OPERATOR,   SEC_PRIV_DISK_OPERATOR_BIT,	 "SeDiskOperatorPrivilege",	"Manage disk shares"},
+	{SEC_PRIV_SECURITY,	   SEC_PRIV_SECURITY_BIT,	 "SeSecurityPrivilege",	"System security"},
+
 
 	/* The list from here on is not displayed in the code from
 	 * source3, and is after index NUM_SHORT_LIST_PRIVS for that
 	 * reason */ 
 
-	{SEC_PRIV_SECURITY,
-	 SEC_PRIV_SECURITY_BIT,
-	 "SeSecurityPrivilege",
-	"System security"},
-
 	{SEC_PRIV_SYSTEMTIME,
 	 SEC_PRIV_SYSTEMTIME_BIT,
 	 "SeSystemtimePrivilege",
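Review bot: The moved SEC_PRIV_SECURITY entry is followed by two blank lines before the "not displayed" comment, where the rest of the table uses one; drop the extra blank line added at the end of the new entry. Since NUM_SHORT_LIST_PRIVS is now 9 and the comment says everything after that index is hidden from the source3 display code, the count must equal the number of entries above the comment; only three of them are visible in this hunk, so that is worth confirming against the full table. The table definition starts and ends outside the hunk.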
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 3a9f6813ecd..caba21161c1 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -1837,6 +1837,16 @@ NTSTATUS smbd_do_query_security_desc(connection_struct *conn,
 	 * Get the permissions to return.
 	 */
 
+	if ((security_info_wanted & SECINFO_SACL) &&
+			!(fsp->access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
+	if ((security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|SECINFO_GROUP)) &&
+			!(fsp->access_mask & SEC_STD_READ_CONTROL)) {
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
 	if (!lp_nt_acl_support(SNUM(conn))) {
 		status = get_null_nt_acl(mem_ctx, &psd);
 	} else {
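Review bot: The two new access checks encode a non-obvious mapping from SECINFO_* bits to handle rights and deserve a comment, e.g. `/* Mirror Windows: reading the SACL needs ACCESS_SYSTEM_SECURITY on the handle, reading owner/group/DACL needs READ_CONTROL. */` above the first `if`. Note that a request with none of those four bits set passes both checks and falls through to the ACL fetch below, which is presumably intended but should be stated. Whether `fsp->access_mask` still carries SEC_FLAG_SYSTEM_SECURITY after a MAXIMUM_ALLOWED open is not visible here and should be confirmed, since the SACL check depends on it. smbd_do_query_security_desc starts before this hunk.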
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 01f0cd699a0..f5de607713c 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -2506,8 +2506,9 @@ static NTSTATUS open_directory(connection_struct *conn,
 		return status;
 	}
 
-	/* We need to support SeSecurityPrivilege for this. */
-	if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {
+	if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) &
+			!security_token_has_privilege(get_current_nttok(conn),
+					SEC_PRIV_SECURITY)) {
 		DEBUG(10, ("open_directory: open on %s "
 			"failed - SEC_FLAG_SYSTEM_SECURITY denied.\n",
 			smb_fname_str_dbg(smb_dname)));
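Review bot: The new condition uses a bitwise `&` between `(access_mask & SEC_FLAG_SYSTEM_SECURITY)` and `!security_token_has_privilege(...)`, so the left operand is either 0 or the SEC_FLAG_SYSTEM_SECURITY bit and the right operand is 0 or 1; their bitwise AND is always 0 and the privilege check never fires for directory opens. That means a client without SeSecurityPrivilege can open a directory with SEC_FLAG_SYSTEM_SECURITY, which the commit intends to deny. The fix is the logical operator the sibling hunk in create_file_unixpath already uses: `if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) &&`. open_directory starts before this hunk and the denial return follows after it.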
@@ -3029,29 +3030,15 @@ static NTSTATUS create_file_unixpath(connection_struct *conn,
 		goto fail;
 	}
 
-#if 0
-	/* We need to support SeSecurityPrivilege for this. */
 	if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) &&
-	    !user_has_privileges(current_user.nt_user_token,
-				 &se_security)) {
-		status = NT_STATUS_PRIVILEGE_NOT_HELD;
-		goto fail;
-	}
-#else
-	/* We need to support SeSecurityPrivilege for this. */
-	if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {
-		status = NT_STATUS_PRIVILEGE_NOT_HELD;
-		goto fail;
-	}
-	/* Don't allow a SACL set from an NTtrans create until we
-	 * support SeSecurityPrivilege. */
-	if (!VALID_STAT(smb_fname->st) &&
-			lp_nt_acl_support(SNUM(conn)) &&
-			sd && (sd->sacl != NULL)) {
+			!security_token_has_privilege(get_current_nttok(conn),
+					SEC_PRIV_SECURITY)) {
+		DEBUG(10, ("create_file_unixpath: open on %s "
+			"failed - SEC_FLAG_SYSTEM_SECURITY denied.\n",
+			smb_fname_str_dbg(smb_fname)));
 		status = NT_STATUS_PRIVILEGE_NOT_HELD;
 		goto fail;
 	}
-#endif
 
 	if ((conn->fs_capabilities & FILE_NAMED_STREAMS)
 	    && is_ntfs_stream_smb_fname(smb_fname)
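Review bot: Removing the `sd->sacl != NULL` guard means a create that supplies a security descriptor containing a SACL, but does not request SEC_FLAG_SYSTEM_SECURITY in access_mask, is no longer gated on SeSecurityPrivilege at all; only the access-mask path is checked now. If the supplied SACL is applied later in this function (not visible in the hunk), an unprivileged client could set a SACL at create time, which is exactly what the removed comment was guarding against. Consider keeping that case in the privilege test: `if (((access_mask & SEC_FLAG_SYSTEM_SECURITY) || (sd != NULL && sd->sacl != NULL)) &&` followed by the existing `!security_token_has_privilege(...)` check. create_file_unixpath starts and ends outside this hunk.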
-- 
cgit