s3-samr: remove duplicate copies of SAM user specific access rights.
authorGünther Deschner <gd@samba.org>
Thu, 23 Oct 2008 17:24:41 +0000 (19:24 +0200)
committerGünther Deschner <gd@samba.org>
Fri, 31 Oct 2008 20:14:26 +0000 (21:14 +0100)
Guenther

source3/include/rpc_secdes.h
source3/librpc/gen_ndr/samr.h
source3/rpc_server/srv_samr_nt.c

index cb0854eb71d634b849e206646b5e0b5f7e47db00..6b30c6d40a8b9a50fc2f70dc32687bb3ac344ece 100644 (file)
@@ -254,49 +254,6 @@ struct standard_mapping {
                SA_RIGHT_DOMAIN_ENUM_ACCOUNTS   | \
                SA_RIGHT_DOMAIN_LOOKUP_INFO_1)            
 
-
-/* User Object specific access rights */
-
-#define SA_RIGHT_USER_GET_NAME_ETC     0x00000001
-#define SA_RIGHT_USER_GET_LOCALE       0x00000002
-#define SA_RIGHT_USER_SET_LOC_COM      0x00000004
-#define SA_RIGHT_USER_GET_LOGONINFO    0x00000008
-#define SA_RIGHT_USER_ACCT_FLAGS_EXPIRY        0x00000010
-#define SA_RIGHT_USER_SET_ATTRIBUTES   0x00000020
-#define SA_RIGHT_USER_CHANGE_PASSWORD  0x00000040
-#define SA_RIGHT_USER_SET_PASSWORD     0x00000080
-#define SA_RIGHT_USER_GET_GROUPS       0x00000100
-#define SA_RIGHT_USER_READ_GROUP_MEM   0x00000200
-#define SA_RIGHT_USER_CHANGE_GROUP_MEM 0x00000400
-
-#define SA_RIGHT_USER_ALL_ACCESS       0x000007FF
-
-#define GENERIC_RIGHTS_USER_ALL_ACCESS \
-               (STANDARD_RIGHTS_REQUIRED_ACCESS| \
-               SA_RIGHT_USER_ALL_ACCESS)       /* 0x000f07ff */
-
-#define GENERIC_RIGHTS_USER_READ \
-               (STANDARD_RIGHTS_READ_ACCESS    | \
-               SA_RIGHT_USER_READ_GROUP_MEM    | \
-               SA_RIGHT_USER_GET_GROUPS        | \
-               SA_RIGHT_USER_ACCT_FLAGS_EXPIRY | \
-               SA_RIGHT_USER_GET_LOGONINFO     | \
-               SA_RIGHT_USER_GET_LOCALE)       /* 0x0002031a */
-
-#define GENERIC_RIGHTS_USER_WRITE \
-               (STANDARD_RIGHTS_WRITE_ACCESS   | \
-               SA_RIGHT_USER_CHANGE_PASSWORD   | \
-               SA_RIGHT_USER_SET_LOC_COM       | \
-               SA_RIGHT_USER_SET_ATTRIBUTES    | \
-               SA_RIGHT_USER_SET_PASSWORD      | \
-               SA_RIGHT_USER_CHANGE_GROUP_MEM) /* 0x000204e4 */
-
-#define GENERIC_RIGHTS_USER_EXECUTE \
-               (STANDARD_RIGHTS_EXECUTE_ACCESS | \
-               SA_RIGHT_USER_CHANGE_PASSWORD   | \
-               SA_RIGHT_USER_GET_NAME_ETC )    /* 0x00020041 */
-
-
 /* Group Object specific access rights */
 
 #define SA_RIGHT_GROUP_LOOKUP_INFO     0x00000001
index 62f6bf8de6ed36e24d42dfdb119c525d16e7c5a3..d2492d6d249e0be231ce3e6383335bb02780c3a9 100644 (file)
@@ -8,6 +8,16 @@
 #ifndef _HEADER_samr
 #define _HEADER_samr
 
+#define SAMR_ACCESS_ALL_ACCESS ( 0x0000003F )
+#define GENERIC_RIGHTS_SAM_ALL_ACCESS  ( (STANDARD_RIGHTS_REQUIRED_ACCESS|SAMR_ACCESS_ALL_ACCESS) )
+#define GENERIC_RIGHTS_SAM_READ        ( (STANDARD_RIGHTS_READ_ACCESS|SAMR_ACCESS_ENUM_DOMAINS) )
+#define GENERIC_RIGHTS_SAM_WRITE       ( (STANDARD_RIGHTS_WRITE_ACCESS|SAMR_ACCESS_CREATE_DOMAIN|SAMR_ACCESS_INITIALIZE_SERVER|SAMR_ACCESS_SHUTDOWN_SERVER) )
+#define GENERIC_RIGHTS_SAM_EXECUTE     ( (STANDARD_RIGHTS_EXECUTE_ACCESS|SAMR_ACCESS_OPEN_DOMAIN|SAMR_ACCESS_CONNECT_TO_SERVER) )
+#define SAMR_USER_ACCESS_ALL_ACCESS    ( 0x000007FF )
+#define GENERIC_RIGHTS_USER_ALL_ACCESS ( (STANDARD_RIGHTS_REQUIRED_ACCESS|SAMR_USER_ACCESS_ALL_ACCESS) )
+#define GENERIC_RIGHTS_USER_READ       ( (STANDARD_RIGHTS_READ_ACCESS|SAMR_USER_ACCESS_GET_GROUP_MEMBERSHIP|SAMR_USER_ACCESS_GET_GROUPS|SAMR_USER_ACCESS_GET_ATTRIBUTES|SAMR_USER_ACCESS_GET_LOGONINFO|SAMR_USER_ACCESS_GET_LOCALE) )
+#define GENERIC_RIGHTS_USER_WRITE      ( (STANDARD_RIGHTS_WRITE_ACCESS|SAMR_USER_ACCESS_CHANGE_PASSWORD|SAMR_USER_ACCESS_SET_LOC_COM|SAMR_USER_ACCESS_SET_ATTRIBUTES|SAMR_USER_ACCESS_SET_PASSWORD|SAMR_USER_ACCESS_CHANGE_GROUP_MEMBERSHIP) )
+#define GENERIC_RIGHTS_USER_EXECUTE    ( (STANDARD_RIGHTS_EXECUTE_ACCESS|SAMR_USER_ACCESS_CHANGE_PASSWORD|SAMR_USER_ACCESS_GET_NAME_ETC) )
 #define MAX_SAM_ENTRIES_W2K    ( 0x400 )
 #define MAX_SAM_ENTRIES_W95    ( 50 )
 #define SAMR_ENUM_USERS_MULTIPLIER     ( 54 )
index d5be53b09f3a11df9a51abb4d45a7bed4810e12e..532392c88b712e10ea43100b03e7149e114e56d0 100644 (file)
 
 #define SAMR_USR_RIGHTS_WRITE_PW \
                ( READ_CONTROL_ACCESS           | \
-                 SA_RIGHT_USER_CHANGE_PASSWORD | \
-                 SA_RIGHT_USER_SET_LOC_COM )
+                 SAMR_USER_ACCESS_CHANGE_PASSWORD      | \
+                 SAMR_USER_ACCESS_SET_LOC_COM)
 #define SAMR_USR_RIGHTS_CANT_WRITE_PW \
-               ( READ_CONTROL_ACCESS | SA_RIGHT_USER_SET_LOC_COM )
+               ( READ_CONTROL_ACCESS | SAMR_USER_ACCESS_SET_LOC_COM )
 
 #define DISP_INFO_CACHE_TIMEOUT 10
 
@@ -91,7 +91,7 @@ static const struct generic_mapping usr_generic_mapping = {
 static const struct generic_mapping usr_nopwchange_generic_mapping = {
        GENERIC_RIGHTS_USER_READ,
        GENERIC_RIGHTS_USER_WRITE,
-       GENERIC_RIGHTS_USER_EXECUTE & ~SA_RIGHT_USER_CHANGE_PASSWORD,
+       GENERIC_RIGHTS_USER_EXECUTE & ~SAMR_USER_ACCESS_CHANGE_PASSWORD,
        GENERIC_RIGHTS_USER_ALL_ACCESS};
 static const struct generic_mapping grp_generic_mapping = {
        GENERIC_RIGHTS_GROUP_READ,
@@ -791,7 +791,7 @@ NTSTATUS _samr_SetSecurity(pipes_struct *p,
                if (sid_equal(&pol_sid, &dacl->aces[i].trustee)) {
                        ret = pdb_set_pass_can_change(sampass,
                                (dacl->aces[i].access_mask &
-                                SA_RIGHT_USER_CHANGE_PASSWORD) ?
+                                SAMR_USER_ACCESS_CHANGE_PASSWORD) ?
                                                      True: False);
                        break;
                }
@@ -803,7 +803,7 @@ NTSTATUS _samr_SetSecurity(pipes_struct *p,
        }
 
        status = access_check_samr_function(acc_granted,
-                                           SA_RIGHT_USER_SET_ATTRIBUTES,
+                                           SAMR_USER_ACCESS_SET_ATTRIBUTES,
                                            "_samr_SetSecurity");
        if (NT_STATUS_IS_OK(status)) {
                become_root();
@@ -2764,7 +2764,7 @@ NTSTATUS _samr_GetGroupsForUser(pipes_struct *p,
                return NT_STATUS_INVALID_HANDLE;
 
        result = access_check_samr_function(acc_granted,
-                                           SA_RIGHT_USER_GET_GROUPS,
+                                           SAMR_USER_ACCESS_GET_GROUPS,
                                            "_samr_GetGroupsForUser");
        if (!NT_STATUS_IS_OK(result)) {
                return result;
@@ -4109,9 +4109,9 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
        }
 
        /* This is tricky.  A WinXP domain join sets
-         (SA_RIGHT_USER_SET_PASSWORD|SA_RIGHT_USER_SET_ATTRIBUTES|SA_RIGHT_USER_ACCT_FLAGS_EXPIRY)
+         (SAMR_USER_ACCESS_SET_PASSWORD|SAMR_USER_ACCESS_SET_ATTRIBUTES|SAMR_USER_ACCESS_GET_ATTRIBUTES)
          The MMC lusrmgr plugin includes these perms and more in the SamrOpenUser().  But the
-         standard Win32 API calls just ask for SA_RIGHT_USER_SET_PASSWORD in the SamrOpenUser().
+         standard Win32 API calls just ask for SAMR_USER_ACCESS_SET_PASSWORD in the SamrOpenUser().
          This should be enough for levels 18, 24, 25,& 26.  Info level 23 can set more so
          we'll use the set from the WinXP join as the basis. */
 
@@ -4120,12 +4120,12 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
        case 24:
        case 25:
        case 26:
-               acc_required = SA_RIGHT_USER_SET_PASSWORD;
+               acc_required = SAMR_USER_ACCESS_SET_PASSWORD;
                break;
        default:
-               acc_required = SA_RIGHT_USER_SET_PASSWORD |
-                              SA_RIGHT_USER_SET_ATTRIBUTES |
-                              SA_RIGHT_USER_ACCT_FLAGS_EXPIRY;
+               acc_required = SAMR_USER_ACCESS_SET_PASSWORD |
+                              SAMR_USER_ACCESS_SET_ATTRIBUTES |
+                              SAMR_USER_ACCESS_GET_ATTRIBUTES;
                break;
        }