Add code to implement SeSecurityPrivilege in net rpc rights, and in the

open and get/set NT security descriptor code.

Jeremy.

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Thu Oct 21 00:15:57 UTC 2010 on sn-devel-104

diff --git a/libcli/security/privileges.c b/libcli/security/privileges.c
index 5d4cf77490f3b119f584d04260bf299b1c9271ae..57c485dbe60ec3a4e1826edd911333b0819b1fe2 100644 (file)
--- a/libcli/security/privileges.c
+++ b/libcli/security/privileges.c
@@ -40,7 +40,7 @@
 /* The use of strcasecmp here is safe, all the comparison strings are ASCII */
 #undef strcasecmp
 
-#define NUM_SHORT_LIST_PRIVS 8
+#define NUM_SHORT_LIST_PRIVS 9
 
 static const struct {
        enum sec_privilege luid;
@@ -58,16 +58,13 @@ static const struct {
        {SEC_PRIV_PRINT_OPERATOR,  SEC_PRIV_PRINT_OPERATOR_BIT,  "SePrintOperatorPrivilege",    "Manage printers"},
        {SEC_PRIV_ADD_USERS,       SEC_PRIV_ADD_USERS_BIT,       "SeAddUsersPrivilege",         "Add users and groups to the domain"},
        {SEC_PRIV_DISK_OPERATOR,   SEC_PRIV_DISK_OPERATOR_BIT,   "SeDiskOperatorPrivilege",     "Manage disk shares"},
+       {SEC_PRIV_SECURITY,        SEC_PRIV_SECURITY_BIT,        "SeSecurityPrivilege", "System security"},
+
 
        /* The list from here on is not displayed in the code from
         * source3, and is after index NUM_SHORT_LIST_PRIVS for that
         * reason */ 
 
-       {SEC_PRIV_SECURITY,
-        SEC_PRIV_SECURITY_BIT,
-        "SeSecurityPrivilege",
-       "System security"},
-
        {SEC_PRIV_SYSTEMTIME,
         SEC_PRIV_SYSTEMTIME_BIT,
         "SeSystemtimePrivilege",

diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 3a9f6813ecded55f96adcf8c45da7c2a15c819c0..caba21161c13ce299549e95689e65fe3b16bf2b6 100644 (file)
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -1837,6 +1837,16 @@ NTSTATUS smbd_do_query_security_desc(connection_struct *conn,
         * Get the permissions to return.
         */
 
+       if ((security_info_wanted & SECINFO_SACL) &&
+                       !(fsp->access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
+       if ((security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|SECINFO_GROUP)) &&
+                       !(fsp->access_mask & SEC_STD_READ_CONTROL)) {
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
        if (!lp_nt_acl_support(SNUM(conn))) {
                status = get_null_nt_acl(mem_ctx, &psd);
        } else {

diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 01f0cd699a0a7c751a01f7b323a0ccaf6e7252c2..f5de607713ced273cb5908256912bafef389a682 100644 (file)
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -2506,8 +2506,9 @@ static NTSTATUS open_directory(connection_struct *conn,
                return status;
        }
 
-       /* We need to support SeSecurityPrivilege for this. */
-       if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {
+       if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) &
+                       !security_token_has_privilege(get_current_nttok(conn),
+                                       SEC_PRIV_SECURITY)) {
                DEBUG(10, ("open_directory: open on %s "
                        "failed - SEC_FLAG_SYSTEM_SECURITY denied.\n",
                        smb_fname_str_dbg(smb_dname)));
@@ -3029,29 +3030,15 @@ static NTSTATUS create_file_unixpath(connection_struct *conn,
                goto fail;
        }
 
-#if 0
-       /* We need to support SeSecurityPrivilege for this. */
        if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) &&
-           !user_has_privileges(current_user.nt_user_token,
-                                &se_security)) {
-               status = NT_STATUS_PRIVILEGE_NOT_HELD;
-               goto fail;
-       }
-#else
-       /* We need to support SeSecurityPrivilege for this. */
-       if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {
-               status = NT_STATUS_PRIVILEGE_NOT_HELD;
-               goto fail;
-       }
-       /* Don't allow a SACL set from an NTtrans create until we
-        * support SeSecurityPrivilege. */
-       if (!VALID_STAT(smb_fname->st) &&
-                       lp_nt_acl_support(SNUM(conn)) &&
-                       sd && (sd->sacl != NULL)) {
+                       !security_token_has_privilege(get_current_nttok(conn),
+                                       SEC_PRIV_SECURITY)) {
+               DEBUG(10, ("create_file_unixpath: open on %s "
+                       "failed - SEC_FLAG_SYSTEM_SECURITY denied.\n",
+                       smb_fname_str_dbg(smb_fname)));
                status = NT_STATUS_PRIVILEGE_NOT_HELD;
                goto fail;
        }
-#endif
 
        if ((conn->fs_capabilities & FILE_NAMED_STREAMS)
            && is_ntfs_stream_smb_fname(smb_fname)