return ret;
}
-/****************************************************************************
- Store a security desc for a printer.
-****************************************************************************/
-
-WERROR nt_printing_setsec(const char *sharename, struct sec_desc_buf *secdesc_ctr)
-{
- struct sec_desc_buf *new_secdesc_ctr = NULL;
- struct sec_desc_buf *old_secdesc_ctr = NULL;
- TALLOC_CTX *mem_ctx = NULL;
- TDB_DATA kbuf;
- TDB_DATA dbuf;
- DATA_BLOB blob;
- WERROR status;
- NTSTATUS nt_status;
-
- mem_ctx = talloc_init("nt_printing_setsec");
- if (mem_ctx == NULL)
- return WERR_NOMEM;
-
- /* The old owner and group sids of the security descriptor are not
- present when new ACEs are added or removed by changing printer
- permissions through NT. If they are NULL in the new security
- descriptor then copy them over from the old one. */
-
- if (!secdesc_ctr->sd->owner_sid || !secdesc_ctr->sd->group_sid) {
- struct dom_sid *owner_sid, *group_sid;
- struct security_acl *dacl, *sacl;
- struct security_descriptor *psd = NULL;
- size_t size;
-
- if (!nt_printing_getsec(mem_ctx, sharename, &old_secdesc_ctr)) {
- status = WERR_NOMEM;
- goto out;
- }
-
- /* Pick out correct owner and group sids */
-
- owner_sid = secdesc_ctr->sd->owner_sid ?
- secdesc_ctr->sd->owner_sid :
- old_secdesc_ctr->sd->owner_sid;
-
- group_sid = secdesc_ctr->sd->group_sid ?
- secdesc_ctr->sd->group_sid :
- old_secdesc_ctr->sd->group_sid;
-
- dacl = secdesc_ctr->sd->dacl ?
- secdesc_ctr->sd->dacl :
- old_secdesc_ctr->sd->dacl;
-
- sacl = secdesc_ctr->sd->sacl ?
- secdesc_ctr->sd->sacl :
- old_secdesc_ctr->sd->sacl;
-
- /* Make a deep copy of the security descriptor */
-
- psd = make_sec_desc(mem_ctx, secdesc_ctr->sd->revision, secdesc_ctr->sd->type,
- owner_sid, group_sid,
- sacl,
- dacl,
- &size);
-
- if (!psd) {
- status = WERR_NOMEM;
- goto out;
- }
-
- new_secdesc_ctr = make_sec_desc_buf(mem_ctx, size, psd);
- }
-
- if (!new_secdesc_ctr) {
- new_secdesc_ctr = secdesc_ctr;
- }
-
- /* Store the security descriptor in a tdb */
-
- nt_status = marshall_sec_desc_buf(mem_ctx, new_secdesc_ctr,
- &blob.data, &blob.length);
- if (!NT_STATUS_IS_OK(nt_status)) {
- status = ntstatus_to_werror(nt_status);
- goto out;
- }
-
- kbuf = make_printers_secdesc_tdbkey(mem_ctx, sharename );
-
- dbuf.dptr = (unsigned char *)blob.data;
- dbuf.dsize = blob.length;
-
- if (tdb_trans_store(tdb_printers, kbuf, dbuf, TDB_REPLACE)==0) {
- status = WERR_OK;
- } else {
- DEBUG(1,("Failed to store secdesc for %s\n", sharename));
- status = WERR_BADFUNC;
- }
-
- /* Free malloc'ed memory */
- talloc_free(blob.data);
-
- out:
-
- if (mem_ctx)
- talloc_destroy(mem_ctx);
- return status;
-}
-
-/****************************************************************************
- Construct a default security descriptor buffer for a printer.
-****************************************************************************/
-
-static struct sec_desc_buf *construct_default_printer_sdb(TALLOC_CTX *ctx)
-{
- struct security_ace ace[7]; /* max number of ace entries */
- int i = 0;
- uint32_t sa;
- struct security_acl *psa = NULL;
- struct sec_desc_buf *sdb = NULL;
- struct security_descriptor *psd = NULL;
- struct dom_sid adm_sid;
- size_t sd_size;
-
- /* Create an ACE where Everyone is allowed to print */
-
- sa = PRINTER_ACE_PRINT;
- init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
- sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
-
- /* Add the domain admins group if we are a DC */
-
- if ( IS_DC ) {
- struct dom_sid domadmins_sid;
-
- sid_compose(&domadmins_sid, get_global_sam_sid(),
- DOMAIN_RID_ADMINS);
-
- sa = PRINTER_ACE_FULL_CONTROL;
- init_sec_ace(&ace[i++], &domadmins_sid,
- SEC_ACE_TYPE_ACCESS_ALLOWED, sa,
- SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY);
- init_sec_ace(&ace[i++], &domadmins_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
- sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
- }
- else if (secrets_fetch_domain_sid(lp_workgroup(), &adm_sid)) {
- sid_append_rid(&adm_sid, DOMAIN_RID_ADMINISTRATOR);
-
- sa = PRINTER_ACE_FULL_CONTROL;
- init_sec_ace(&ace[i++], &adm_sid,
- SEC_ACE_TYPE_ACCESS_ALLOWED, sa,
- SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY);
- init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
- sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
- }
-
- /* add BUILTIN\Administrators as FULL CONTROL */
-
- sa = PRINTER_ACE_FULL_CONTROL;
- init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
- SEC_ACE_TYPE_ACCESS_ALLOWED, sa,
- SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY);
- init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
- SEC_ACE_TYPE_ACCESS_ALLOWED,
- sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
-
- /* add BUILTIN\Print Operators as FULL CONTROL */
-
- sa = PRINTER_ACE_FULL_CONTROL;
- init_sec_ace(&ace[i++], &global_sid_Builtin_Print_Operators,
- SEC_ACE_TYPE_ACCESS_ALLOWED, sa,
- SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY);
- init_sec_ace(&ace[i++], &global_sid_Builtin_Print_Operators,
- SEC_ACE_TYPE_ACCESS_ALLOWED,
- sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
-
- /* Make the security descriptor owned by the BUILTIN\Administrators */
-
- /* The ACL revision number in rpc_secdesc.h differs from the one
- created by NT when setting ACE entries in printer
- descriptors. NT4 complains about the property being edited by a
- NT5 machine. */
-
- if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) != NULL) {
- psd = make_sec_desc(ctx, SD_REVISION, SEC_DESC_SELF_RELATIVE,
- &global_sid_Builtin_Administrators,
- &global_sid_Builtin_Administrators,
- NULL, psa, &sd_size);
- }
-
- if (!psd) {
- DEBUG(0,("construct_default_printer_sd: Failed to make SEC_DESC.\n"));
- return NULL;
- }
-
- sdb = make_sec_desc_buf(ctx, sd_size, psd);
-
- DEBUG(4,("construct_default_printer_sdb: size = %u.\n",
- (unsigned int)sd_size));
-
- return sdb;
-}
-
-/****************************************************************************
- Get a security desc for a printer.
-****************************************************************************/
-
-bool nt_printing_getsec(TALLOC_CTX *ctx, const char *sharename, struct sec_desc_buf **secdesc_ctr)
-{
- TDB_DATA kbuf;
- TDB_DATA dbuf;
- DATA_BLOB blob;
- char *temp;
- NTSTATUS status;
-
- if (strlen(sharename) > 2 && (temp = strchr(sharename + 2, '\\'))) {
- sharename = temp + 1;
- }
-
- /* Fetch security descriptor from tdb */
-
- kbuf = make_printers_secdesc_tdbkey(ctx, sharename);
-
- dbuf = tdb_fetch(tdb_printers, kbuf);
- if (dbuf.dptr) {
-
- status = unmarshall_sec_desc_buf(ctx, dbuf.dptr, dbuf.dsize,
- secdesc_ctr);
- SAFE_FREE(dbuf.dptr);
-
- if (NT_STATUS_IS_OK(status)) {
- return true;
- }
- }
-
- *secdesc_ctr = construct_default_printer_sdb(ctx);
- if (!*secdesc_ctr) {
- return false;
- }
-
- status = marshall_sec_desc_buf(ctx, *secdesc_ctr,
- &blob.data, &blob.length);
- if (NT_STATUS_IS_OK(status)) {
- dbuf.dptr = (unsigned char *)blob.data;
- dbuf.dsize = blob.length;
- tdb_trans_store(tdb_printers, kbuf, dbuf, TDB_REPLACE);
- talloc_free(blob.data);
- }
-
- /* If security descriptor is owned by S-1-1-0 and winbindd is up,
- this security descriptor has been created when winbindd was
- down. Take ownership of security descriptor. */
-
- if (sid_equal((*secdesc_ctr)->sd->owner_sid, &global_sid_World)) {
- struct dom_sid owner_sid;
-
- /* Change sd owner to workgroup administrator */
-
- if (secrets_fetch_domain_sid(lp_workgroup(), &owner_sid)) {
- struct sec_desc_buf *new_secdesc_ctr = NULL;
- struct security_descriptor *psd = NULL;
- size_t size;
-
- /* Create new sd */
-
- sid_append_rid(&owner_sid, DOMAIN_RID_ADMINISTRATOR);
-
- psd = make_sec_desc(ctx, (*secdesc_ctr)->sd->revision, (*secdesc_ctr)->sd->type,
- &owner_sid,
- (*secdesc_ctr)->sd->group_sid,
- (*secdesc_ctr)->sd->sacl,
- (*secdesc_ctr)->sd->dacl,
- &size);
-
- if (!psd) {
- return False;
- }
-
- new_secdesc_ctr = make_sec_desc_buf(ctx, size, psd);
- if (!new_secdesc_ctr) {
- return False;
- }
-
- /* Swap with other one */
-
- *secdesc_ctr = new_secdesc_ctr;
-
- /* Set it */
-
- nt_printing_setsec(sharename, *secdesc_ctr);
- }
- }
-
- if (DEBUGLEVEL >= 10) {
- struct security_acl *the_acl = (*secdesc_ctr)->sd->dacl;
- int i;
-
- DEBUG(10, ("secdesc_ctr for %s has %d aces:\n",
- sharename, the_acl->num_aces));
-
- for (i = 0; i < the_acl->num_aces; i++) {
- DEBUG(10, ("%s %d %d 0x%08x\n",
- sid_string_dbg(&the_acl->aces[i].trustee),
- the_acl->aces[i].type, the_acl->aces[i].flags,
- the_acl->aces[i].access_mask));
- }
- }
-
- return True;
-}
-
/* error code:
0: everything OK
1: level not implemented
git.samba.org / amitay / samba.git / commitdiff