void lp_set_passdb_backend(const char *backend);
void widelinks_warning(int snum);
char *lp_ncalrpc_dir(void);
-bool s3_security_token_has_privilege(const struct security_token *token, enum sec_privilege privilege);
/* The following definitions come from param/loadparm_server_role.c */
}
return _lp_readraw();
}
-
-bool s3_security_token_has_privilege(const struct security_token *token, enum sec_privilege privilege)
-{
- if (!lp_enable_privileges()) {
- return false;
- }
- return security_token_has_privilege(token, privilege);
-}
/* Always allow root or SE_PRINT_OPERATROR to do anything */
if (server_info->utok.uid == sec_initial_uid()
- || s3_security_token_has_privilege(server_info->ptok, SEC_PRIV_PRINT_OPERATOR)) {
+ || security_token_has_privilege(server_info->ptok, SEC_PRIV_PRINT_OPERATOR)) {
return True;
}
uint32 *granted,
const struct security_token *token)
{
- if (!s3_security_token_has_privilege(token, SEC_PRIV_DISK_OPERATOR)) {
+ if (!security_token_has_privilege(token, SEC_PRIV_DISK_OPERATOR)) {
return False;
}
by privileges (mostly having to do with creating/modifying/deleting
users and groups) */
- if ((needed_priv_1 != SEC_PRIV_INVALID && s3_security_token_has_privilege(token, needed_priv_1)) ||
- (needed_priv_2 != SEC_PRIV_INVALID && s3_security_token_has_privilege(token, needed_priv_2))) {
+ if ((needed_priv_1 != SEC_PRIV_INVALID && security_token_has_privilege(token, needed_priv_1)) ||
+ (needed_priv_2 != SEC_PRIV_INVALID && security_token_has_privilege(token, needed_priv_2))) {
saved_mask = (des_access & rights_mask);
des_access &= ~saved_mask;
* Users with SeAddUser get the ability to manipulate groups
* and aliases.
*/
- if (s3_security_token_has_privilege(p->server_info->ptok, SEC_PRIV_ADD_USERS)) {
+ if (security_token_has_privilege(p->server_info->ptok, SEC_PRIV_ADD_USERS)) {
extra_access |= (SAMR_DOMAIN_ACCESS_CREATE_GROUP |
SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS |
SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT |
can_add_account = true;
} else if (acb_info & ACB_WSTRUST) {
needed_priv = SEC_PRIV_MACHINE_ACCOUNT;
- can_add_account = s3_security_token_has_privilege(p->server_info->ptok, SEC_PRIV_MACHINE_ACCOUNT);
+ can_add_account = security_token_has_privilege(p->server_info->ptok, SEC_PRIV_MACHINE_ACCOUNT);
} else if (acb_info & ACB_NORMAL &&
(account[strlen(account)-1] != '$')) {
/* usrmgr.exe (and net rpc trustdom grant) creates a normal user
account for domain trusts and changes the ACB flags later */
needed_priv = SEC_PRIV_ADD_USERS;
- can_add_account = s3_security_token_has_privilege(p->server_info->ptok, SEC_PRIV_ADD_USERS);
+ can_add_account = security_token_has_privilege(p->server_info->ptok, SEC_PRIV_ADD_USERS);
} else if (lp_enable_privileges()) {
/* implicit assumption of a BDC or domain trust account here
* (we already check the flags earlier) */
return WERR_NOMEM;
}
if ( token )
- is_print_op = s3_security_token_has_privilege(token, SEC_PRIV_PRINT_OPERATOR);
+ is_print_op = security_token_has_privilege(token, SEC_PRIV_PRINT_OPERATOR);
DEBUG(10,("Running [%s]\n", command));
and not a printer admin, then fail */
if ((p->server_info->utok.uid != sec_initial_uid()) &&
- !s3_security_token_has_privilege(p->server_info->ptok, SEC_PRIV_PRINT_OPERATOR) &&
+ !security_token_has_privilege(p->server_info->ptok, SEC_PRIV_PRINT_OPERATOR) &&
!token_contains_name_in_list(
uidtoname(p->server_info->utok.uid),
p->server_info->info3->base.domain.string,
and not a printer admin, then fail */
if ( (p->server_info->utok.uid != sec_initial_uid())
- && !s3_security_token_has_privilege(p->server_info->ptok, SEC_PRIV_PRINT_OPERATOR)
+ && !security_token_has_privilege(p->server_info->ptok, SEC_PRIV_PRINT_OPERATOR)
&& !token_contains_name_in_list(
uidtoname(p->server_info->utok.uid),
p->server_info->info3->base.domain.string,
and not a printer admin, then fail */
if ( (p->server_info->utok.uid != sec_initial_uid())
- && !s3_security_token_has_privilege(p->server_info->ptok, SEC_PRIV_PRINT_OPERATOR)
+ && !security_token_has_privilege(p->server_info->ptok, SEC_PRIV_PRINT_OPERATOR)
&& !token_contains_name_in_list(
uidtoname(p->server_info->utok.uid),
p->server_info->info3->base.domain.string,
}
if ( token )
- is_print_op = s3_security_token_has_privilege(token, SEC_PRIV_PRINT_OPERATOR);
+ is_print_op = security_token_has_privilege(token, SEC_PRIV_PRINT_OPERATOR);
DEBUG(10,("Running [%s]\n", command));
}
if ( token )
- is_print_op = s3_security_token_has_privilege(token, SEC_PRIV_PRINT_OPERATOR);
+ is_print_op = security_token_has_privilege(token, SEC_PRIV_PRINT_OPERATOR);
DEBUG(10,("Running [%s]\n", command));
and not a printer admin, then fail */
if ((p->server_info->utok.uid != sec_initial_uid()) &&
- !s3_security_token_has_privilege(p->server_info->ptok, SEC_PRIV_PRINT_OPERATOR) &&
+ !security_token_has_privilege(p->server_info->ptok, SEC_PRIV_PRINT_OPERATOR) &&
!token_contains_name_in_list(uidtoname(p->server_info->utok.uid),
p->server_info->info3->base.domain.string,
NULL,
}
if ((p->server_info->utok.uid != sec_initial_uid()) &&
- !s3_security_token_has_privilege(p->server_info->ptok, SEC_PRIV_PRINT_OPERATOR) &&
+ !security_token_has_privilege(p->server_info->ptok, SEC_PRIV_PRINT_OPERATOR) &&
!token_contains_name_in_list(uidtoname(p->server_info->utok.uid),
p->server_info->info3->base.domain.string,
NULL,
and not a printer admin, then fail */
if ((p->server_info->utok.uid != sec_initial_uid()) &&
- !s3_security_token_has_privilege(p->server_info->ptok, SEC_PRIV_PRINT_OPERATOR) &&
+ !security_token_has_privilege(p->server_info->ptok, SEC_PRIV_PRINT_OPERATOR) &&
!token_contains_name_in_list(uidtoname(p->server_info->utok.uid),
p->server_info->info3->base.domain.string,
NULL,
if (lp_print_ok(snum))
return WERR_ACCESS_DENIED;
- is_disk_op = s3_security_token_has_privilege(p->server_info->ptok, SEC_PRIV_DISK_OPERATOR);
+ is_disk_op = security_token_has_privilege(p->server_info->ptok, SEC_PRIV_DISK_OPERATOR);
/* fail out now if you are not root and not a disk op */
*r->out.parm_error = 0;
}
- is_disk_op = s3_security_token_has_privilege(p->server_info->ptok, SEC_PRIV_DISK_OPERATOR);
+ is_disk_op = security_token_has_privilege(p->server_info->ptok, SEC_PRIV_DISK_OPERATOR);
if (p->server_info->utok.uid != sec_initial_uid() && !is_disk_op )
return WERR_ACCESS_DENIED;
if (lp_print_ok(snum))
return WERR_ACCESS_DENIED;
- is_disk_op = s3_security_token_has_privilege(p->server_info->ptok, SEC_PRIV_DISK_OPERATOR);
+ is_disk_op = security_token_has_privilege(p->server_info->ptok, SEC_PRIV_DISK_OPERATOR);
if (p->server_info->utok.uid != sec_initial_uid() && !is_disk_op )
return WERR_ACCESS_DENIED;
DEBUG(5,("_srvsvc_NetFileClose: %d\n", __LINE__));
- is_disk_op = s3_security_token_has_privilege(p->server_info->ptok, SEC_PRIV_DISK_OPERATOR);
+ is_disk_op = security_token_has_privilege(p->server_info->ptok, SEC_PRIV_DISK_OPERATOR);
if (p->server_info->utok.uid != sec_initial_uid() && !is_disk_op) {
return WERR_ACCESS_DENIED;
return WERR_NOMEM;
}
- can_shutdown = s3_security_token_has_privilege(p->server_info->ptok, SEC_PRIV_REMOTE_SHUTDOWN);
+ can_shutdown = security_token_has_privilege(p->server_info->ptok, SEC_PRIV_REMOTE_SHUTDOWN);
/* IF someone has privs, run the shutdown script as root. OTHERWISE run it as not root
Take the error return from the script and provide it as the Windows return code. */
if (!*abort_shutdown_script)
return WERR_ACCESS_DENIED;
- can_shutdown = s3_security_token_has_privilege(p->server_info->ptok, SEC_PRIV_REMOTE_SHUTDOWN);
+ can_shutdown = security_token_has_privilege(p->server_info->ptok, SEC_PRIV_REMOTE_SHUTDOWN);
/********** BEGIN SeRemoteShutdownPrivilege BLOCK **********/
/* user must posses SeRestorePrivilege for this this proceed */
- if ( !s3_security_token_has_privilege(p->server_info->ptok, SEC_PRIV_RESTORE)) {
+ if ( !security_token_has_privilege(p->server_info->ptok, SEC_PRIV_RESTORE)) {
return WERR_ACCESS_DENIED;
}
return WERR_INVALID_PARAM;
}
- if (!s3_security_token_has_privilege(token, SEC_PRIV_MACHINE_ACCOUNT) &&
+ if (!security_token_has_privilege(token, SEC_PRIV_MACHINE_ACCOUNT) &&
!nt_token_check_domain_rid(token, DOMAIN_RID_ADMINS) &&
!nt_token_check_sid(&global_sid_Builtin_Administrators, token)) {
DEBUG(5,("_wkssvc_NetrJoinDomain2: account doesn't have "
return WERR_INVALID_PARAM;
}
- if (!s3_security_token_has_privilege(token, SEC_PRIV_MACHINE_ACCOUNT) &&
+ if (!security_token_has_privilege(token, SEC_PRIV_MACHINE_ACCOUNT) &&
!nt_token_check_domain_rid(token, DOMAIN_RID_ADMINS) &&
!nt_token_check_sid(&global_sid_Builtin_Administrators, token)) {
DEBUG(5,("_wkssvc_NetrUnjoinDomain2: account doesn't have "
}
if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) &
- !s3_security_token_has_privilege(get_current_nttok(conn),
+ !security_token_has_privilege(get_current_nttok(conn),
SEC_PRIV_SECURITY)) {
DEBUG(10, ("open_directory: open on %s "
"failed - SEC_FLAG_SYSTEM_SECURITY denied.\n",
}
if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) &&
- !s3_security_token_has_privilege(get_current_nttok(conn),
+ !security_token_has_privilege(get_current_nttok(conn),
SEC_PRIV_SECURITY)) {
DEBUG(10, ("create_file_unixpath: open on %s "
"failed - SEC_FLAG_SYSTEM_SECURITY denied.\n",
/* Case (2) / (3) */
if (lp_enable_privileges()) {
- bool has_take_ownership_priv = s3_security_token_has_privilege(get_current_nttok(conn), SEC_PRIV_TAKE_OWNERSHIP);
- bool has_restore_priv = s3_security_token_has_privilege(get_current_nttok(conn), SEC_PRIV_RESTORE);
+ bool has_take_ownership_priv = security_token_has_privilege(get_current_nttok(conn), SEC_PRIV_TAKE_OWNERSHIP);
+ bool has_restore_priv = security_token_has_privilege(get_current_nttok(conn), SEC_PRIV_RESTORE);
/* Case (2) */
if ( ( has_take_ownership_priv && ( uid == get_current_uid(conn) ) ) ||
git.samba.org / kai / samba.git / commitdiff