#define ALLOC_CHECK(ptr, err, label, str) do { if ((ptr) == NULL) { DEBUG(0, ("%s: out of memory!\n", str)); err = NT_STATUS_NO_MEMORY; goto label; } } while(0)
#define NTSTATUS_CHECK(err, label, str1, str2) do { if (!NT_STATUS_IS_OK(err)) { DEBUG(0, ("%s: %s failed!\n", str1, str2)); } } while(0)
-
-PRIVS privs[] = {
- {SE_NONE, "no_privs", "No privilege"}, /* this one MUST be first */
- {SE_CREATE_TOKEN, "SeCreateTokenPrivilege", "Create Token"},
- {SE_ASSIGN_PRIMARY_TOKEN, "SeAssignPrimaryTokenPrivilege", "Assign Primary Token"},
- {SE_LOCK_MEMORY, "SeLockMemoryPrivilege", "Lock Memory"},
- {SE_INCREASE_QUOTA, "SeIncreaseQuotaPrivilege", "Increase Quota"},
- {SE_UNSOLICITED_INPUT, "eUnsolicitedInputPrivilege", "Unsolicited Input"},
- {SE_MACHINE_ACCOUNT, "SeMachineAccountPrivilege", "Can add Machine Accounts to the Domain"},
- {SE_TCB, "SeTcbPrivilege", "TCB"},
- {SE_SECURITY, "SeSecurityPrivilege", "Security Privilege"},
- {SE_TAKE_OWNERSHIP, "SeTakeOwnershipPrivilege", "Take Ownership Privilege"},
- {SE_LOAD_DRIVER, "SeLocalDriverPrivilege", "Local Driver Privilege"},
- {SE_SYSTEM_PROFILE, "SeSystemProfilePrivilege", "System Profile Privilege"},
- {SE_SYSTEM_TIME, "SeSystemtimePrivilege", "System Time"},
- {SE_PROF_SINGLE_PROCESS, "SeProfileSingleProcessPrivilege", "Profile Single Process Privilege"},
- {SE_INC_BASE_PRIORITY, "SeIncreaseBasePriorityPrivilege", "Increase Base Priority Privilege"},
- {SE_CREATE_PAGEFILE, "SeCreatePagefilePrivilege", "Create Pagefile Privilege"},
- {SE_CREATE_PERMANENT, "SeCreatePermanentPrivilege", "Create Permanent"},
- {SE_BACKUP, "SeBackupPrivilege", "Backup Privilege"},
- {SE_RESTORE, "SeRestorePrivilege", "Restore Privilege"},
- {SE_SHUTDOWN, "SeShutdownPrivilege", "Shutdown Privilege"},
- {SE_DEBUG, "SeDebugPrivilege", "Debug Privilege"},
- {SE_AUDIT, "SeAuditPrivilege", "Audit"},
- {SE_SYSTEM_ENVIRONMENT, "SeSystemEnvironmentPrivilege", "System Environment Privilege"},
- {SE_CHANGE_NOTIFY, "SeChangeNotifyPrivilege", "Change Notify"},
- {SE_REMOTE_SHUTDOWN, "SeRemoteShutdownPrivilege", "Remote Shutdown Privilege"},
- {SE_UNDOCK, "SeUndockPrivilege", "Undock"},
- {SE_SYNC_AGENT, "SeSynchronizationAgentPrivilege", "Synchronization Agent"},
- {SE_ENABLE_DELEGATION, "SeEnableDelegationPrivilege", "Enable Delegation"},
- {SE_PRINT_OPERATOR, "SePrintOperatorPrivilege", "Printer Operator"},
- {SE_ADD_USERS, "SeAddUsersPrivilege", "Add Users"},
- {SE_ALL_PRIVS, "SeAllPrivileges", "All Privileges"}
-};
-
-
-
/****************************************************************************
Check if a user is a mapped group.
if ( !old_la )
return NT_STATUS_OK;
- *new_la = (LUID_ATTR *)talloc(mem_ctx, sizeof(LUID_ATTR));
+ *new_la = TALLOC_P(mem_ctx, LUID_ATTR);
ALLOC_CHECK(new_la, ret, done, "dupalloc_luid_attr");
(*new_la)->luid.high = old_la->luid.high;
TALLOC_CTX *mem_ctx = talloc_init("privilege set");
ALLOC_CHECK(mem_ctx, ret, done, "init_privilege");
- *priv_set = talloc_zero(mem_ctx, sizeof(PRIVILEGE_SET));
+ *priv_set = TALLOC_ZERO_P(mem_ctx, PRIVILEGE_SET);
ALLOC_CHECK(*priv_set, ret, done, "init_privilege");
(*priv_set)->mem_ctx = mem_ctx;
{
NTSTATUS ret;
- *priv_set = talloc_zero(mem_ctx, sizeof(PRIVILEGE_SET));
+ *priv_set = TALLOC_ZERO_P(mem_ctx, PRIVILEGE_SET);
ALLOC_CHECK(*priv_set, ret, done, "init_privilege");
(*priv_set)->mem_ctx = mem_ctx;
void destroy_privilege(PRIVILEGE_SET **priv_set)
{
- if (priv_set == NULL || *priv_set == NULL)
- return;
-
reset_privilege(*priv_set);
if (!((*priv_set)->ext_ctx))
/* mem_ctx is local, destroy it */
/* we can allocate memory to add the new privilege */
- new_set = (LUID_ATTR *)talloc_realloc(priv_set->mem_ctx, priv_set->set, (priv_set->count + 1) * (sizeof(LUID_ATTR)));
+ new_set = TALLOC_REALLOC_ARRAY(priv_set->mem_ctx, priv_set->set, LUID_ATTR, priv_set->count + 1);
ALLOC_CHECK(new_set, ret, done, "add_privilege");
new_set[priv_set->count].luid.high = set.luid.high;
return ret;
}
-NTSTATUS add_privilege_by_name(PRIVILEGE_SET *priv_set, const char *name)
-{
- int e;
-
- for (e = 0; privs[e].se_priv != SE_ALL_PRIVS; e++) {
- if (StrCaseCmp(privs[e].priv, name) == 0) {
- LUID_ATTR la;
-
- la.attr = 0;
- la.luid.high = 0;
- la.luid.low = privs[e].se_priv;
-
- return add_privilege(priv_set, la);
- }
- }
-
- DEBUG(1, ("add_privilege_by_name: No Such Privilege Found (%s)\n", name));
-
- return NT_STATUS_UNSUCCESSFUL;
-}
-
/****************************************************************************
add all the privileges to a privilege array
****************************************************************************/
set.luid.high = 0;
/* TODO: set a proper list of privileges */
- set.luid.low = SE_ADD_USERS;
+ set.luid.low = SE_PRIV_ADD_USERS;
result = add_privilege(priv_set, set);
NTSTATUS_CHECK(result, done, "add_all_privilege", "add_privilege");
- set.luid.low = SE_MACHINE_ACCOUNT;
+ set.luid.low = SE_PRIV_ADD_MACHINES;
result = add_privilege(priv_set, set);
NTSTATUS_CHECK(result, done, "add_all_privilege", "add_privilege");
- set.luid.low = SE_PRINT_OPERATOR;
+ set.luid.low = SE_PRIV_PRINT_OPERATOR;
result = add_privilege(priv_set, set);
NTSTATUS_CHECK(result, done, "add_all_privilege", "add_privilege");
old_set = priv_set->set;
- new_set = (LUID_ATTR *)talloc(priv_set->mem_ctx, (priv_set->count - 1) * (sizeof(LUID_ATTR)));
+ new_set = TALLOC_ARRAY(priv_set->mem_ctx, LUID_ATTR, priv_set->count - 1);
ALLOC_CHECK(new_set, ret, done, "remove_privilege");
for (i=0, j=0; i < priv_set->count; i++) {
LUID_ATTR *old_set;
int i;
- if (new_priv_set == NULL || priv_set == NULL)
+ if (!new_priv_set || !priv_set)
return NT_STATUS_INVALID_PARAMETER;
/* special case if there are no privileges in the list */
old_set = priv_set->set;
- new_set = (LUID_ATTR *)talloc(new_priv_set->mem_ctx, (priv_set->count) * (sizeof(LUID_ATTR)));
+ new_set = TALLOC_ARRAY(new_priv_set->mem_ctx, LUID_ATTR, priv_set->count - 1);
ALLOC_CHECK(new_set, ret, done, "dup_priv_set");
for (i=0; i < priv_set->count; i++) {
done:
return ret;
}
-
-
-NTSTATUS user_has_privilege(struct current_user *user, uint32 privilege)
-{
- LUID_ATTR set;
-
- set.attr = 0;
- set.luid.high = 0;
- set.luid.low = privilege;
-
- return check_priv_in_privilege(user->privs, set);
-}
-