関数 | |
static uint32 | check_ace (SEC_ACE *ace, const NT_USER_TOKEN *token, uint32 acc_desired, NTSTATUS *status) |
static BOOL | get_max_access (SEC_ACL *the_acl, const NT_USER_TOKEN *token, uint32 *granted, uint32 desired, NTSTATUS *status) |
void | se_map_generic (uint32 *access_mask, struct generic_mapping *mapping) |
void | se_map_standard (uint32 *access_mask, struct standard_mapping *mapping) |
BOOL | se_access_check (const SEC_DESC *sd, const NT_USER_TOKEN *token, uint32 acc_desired, uint32 *acc_granted, NTSTATUS *status) |
NTSTATUS | samr_make_sam_obj_sd (TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size) |
変数 | |
NT_USER_TOKEN | anonymous_token |
static uint32 check_ace | ( | SEC_ACE * | ace, | |
const NT_USER_TOKEN * | token, | |||
uint32 | acc_desired, | |||
NTSTATUS * | status | |||
) | [static] |
util_seaccess.c の 31 行で定義されています。
参照先 security_ace_info::access_mask・security_ace_info::flags・SEC_ACE_TYPE_ACCESS_ALLOWED・SEC_ACE_TYPE_ACCESS_DENIED・SEC_ACE_TYPE_SYSTEM_ALARM・SEC_ACE_TYPE_SYSTEM_AUDIT・status・token_sid_in_ace()・security_ace_info::type.
00033 { 00034 uint32 mask = ace->access_mask; 00035 00036 /* 00037 * Inherit only is ignored. 00038 */ 00039 00040 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) { 00041 return acc_desired; 00042 } 00043 00044 /* 00045 * If this ACE has no SID in common with the token, 00046 * ignore it as it cannot be used to make an access 00047 * determination. 00048 */ 00049 00050 if (!token_sid_in_ace( token, ace)) 00051 return acc_desired; 00052 00053 switch (ace->type) { 00054 case SEC_ACE_TYPE_ACCESS_ALLOWED: 00055 /* 00056 * This is explicitly allowed. 00057 * Remove the bits from the remaining 00058 * access required. Return the remaining 00059 * bits needed. 00060 */ 00061 acc_desired &= ~mask; 00062 break; 00063 case SEC_ACE_TYPE_ACCESS_DENIED: 00064 /* 00065 * This is explicitly denied. 00066 * If any bits match terminate here, 00067 * we are denied. 00068 */ 00069 if (acc_desired & mask) { 00070 *status = NT_STATUS_ACCESS_DENIED; 00071 return 0xFFFFFFFF; 00072 } 00073 break; 00074 case SEC_ACE_TYPE_SYSTEM_ALARM: 00075 case SEC_ACE_TYPE_SYSTEM_AUDIT: 00076 *status = NT_STATUS_NOT_IMPLEMENTED; 00077 return 0xFFFFFFFF; 00078 default: 00079 *status = NT_STATUS_INVALID_PARAMETER; 00080 return 0xFFFFFFFF; 00081 } 00082 00083 return acc_desired; 00084 }
static BOOL get_max_access | ( | SEC_ACL * | the_acl, | |
const NT_USER_TOKEN * | token, | |||
uint32 * | granted, | |||
uint32 | desired, | |||
NTSTATUS * | status | |||
) | [static] |
util_seaccess.c の 91 行で定義されています。
参照先 security_ace_info::access_mask・security_acl_info::aces・security_acl_info::num_aces・SEC_ACE_TYPE_ACCESS_ALLOWED・SEC_ACE_TYPE_ACCESS_DENIED・SEC_ACE_TYPE_SYSTEM_ALARM・SEC_ACE_TYPE_SYSTEM_AUDIT・status・token_sid_in_ace().
00094 { 00095 uint32 acc_denied = 0; 00096 uint32 acc_granted = 0; 00097 size_t i; 00098 00099 for ( i = 0 ; i < the_acl->num_aces; i++) { 00100 SEC_ACE *ace = &the_acl->aces[i]; 00101 uint32 mask = ace->access_mask; 00102 00103 if (!token_sid_in_ace( token, ace)) 00104 continue; 00105 00106 switch (ace->type) { 00107 case SEC_ACE_TYPE_ACCESS_ALLOWED: 00108 acc_granted |= (mask & ~acc_denied); 00109 break; 00110 case SEC_ACE_TYPE_ACCESS_DENIED: 00111 acc_denied |= (mask & ~acc_granted); 00112 break; 00113 case SEC_ACE_TYPE_SYSTEM_ALARM: 00114 case SEC_ACE_TYPE_SYSTEM_AUDIT: 00115 *status = NT_STATUS_NOT_IMPLEMENTED; 00116 *granted = 0; 00117 return False; 00118 default: 00119 *status = NT_STATUS_INVALID_PARAMETER; 00120 *granted = 0; 00121 return False; 00122 } 00123 } 00124 00125 /* 00126 * If we were granted no access, or we desired bits that we 00127 * didn't get, then deny. 00128 */ 00129 00130 if ((acc_granted == 0) || ((acc_granted & desired) != desired)) { 00131 *status = NT_STATUS_ACCESS_DENIED; 00132 *granted = 0; 00133 return False; 00134 } 00135 00136 /* 00137 * Return the access we did get. 00138 */ 00139 00140 *granted = acc_granted; 00141 *status = NT_STATUS_OK; 00142 return True; 00143 }
void se_map_generic | ( | uint32 * | access_mask, | |
struct generic_mapping * | mapping | |||
) |
util_seaccess.c の 150 行で定義されています。
参照先 generic_mapping::generic_all・generic_mapping::generic_execute・generic_mapping::generic_read・generic_mapping::generic_write.
参照元 _lsa_open_policy()・_lsa_open_policy2()・_samr_connect()・_samr_connect4()・_samr_connect5()・_samr_connect_anon()・_samr_create_user()・_samr_open_alias()・_samr_open_domain()・_samr_open_group()・_samr_open_user()・_svcctl_open_scmanager()・_svcctl_open_service()・create_canon_ace_lists()・get_share_security_default()・map_generic_share_sd_bits()・map_job_permissions()・map_printer_permissions()・open_file_ntcreate()・parse_usershare_acl()・registry_access_check().
00151 { 00152 uint32 old_mask = *access_mask; 00153 00154 if (*access_mask & GENERIC_READ_ACCESS) { 00155 *access_mask &= ~GENERIC_READ_ACCESS; 00156 *access_mask |= mapping->generic_read; 00157 } 00158 00159 if (*access_mask & GENERIC_WRITE_ACCESS) { 00160 *access_mask &= ~GENERIC_WRITE_ACCESS; 00161 *access_mask |= mapping->generic_write; 00162 } 00163 00164 if (*access_mask & GENERIC_EXECUTE_ACCESS) { 00165 *access_mask &= ~GENERIC_EXECUTE_ACCESS; 00166 *access_mask |= mapping->generic_execute; 00167 } 00168 00169 if (*access_mask & GENERIC_ALL_ACCESS) { 00170 *access_mask &= ~GENERIC_ALL_ACCESS; 00171 *access_mask |= mapping->generic_all; 00172 } 00173 00174 if (old_mask != *access_mask) { 00175 DEBUG(10, ("se_map_generic(): mapped mask 0x%08x to 0x%08x\n", 00176 old_mask, *access_mask)); 00177 } 00178 }
void se_map_standard | ( | uint32 * | access_mask, | |
struct standard_mapping * | mapping | |||
) |
util_seaccess.c の 185 行で定義されています。
参照先 standard_mapping::std_all・standard_mapping::std_read.
参照元 _spoolss_open_printer_ex().
00186 { 00187 uint32 old_mask = *access_mask; 00188 00189 if (*access_mask & READ_CONTROL_ACCESS) { 00190 *access_mask &= ~READ_CONTROL_ACCESS; 00191 *access_mask |= mapping->std_read; 00192 } 00193 00194 if (*access_mask & (DELETE_ACCESS|WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS|SYNCHRONIZE_ACCESS)) { 00195 *access_mask &= ~(DELETE_ACCESS|WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS|SYNCHRONIZE_ACCESS); 00196 *access_mask |= mapping->std_all; 00197 } 00198 00199 if (old_mask != *access_mask) { 00200 DEBUG(10, ("se_map_standard(): mapped mask 0x%08x to 0x%08x\n", 00201 old_mask, *access_mask)); 00202 } 00203 }
BOOL se_access_check | ( | const SEC_DESC * | sd, | |
const NT_USER_TOKEN * | token, | |||
uint32 | acc_desired, | |||
uint32 * | acc_granted, | |||
NTSTATUS * | status | |||
) |
util_seaccess.c の 213 行で定義されています。
参照先 anonymous_token・security_descriptor_info::dacl・nt_user_token::num_sids・security_descriptor_info::owner_sid・sid_equal()・sid_to_string()・status・security_descriptor_info::type・nt_user_token::user_sids.
参照元 _lsa_open_policy()・_lsa_open_policy2()・access_check_samr_object()・can_access_file_acl()・elog_check_access()・print_access_check()・registry_access_check()・share_access_check()・show_userlist()・svcctl_access_check()・user_can_read_file()・user_can_write_file().
00216 { 00217 size_t i; 00218 SEC_ACL *the_acl; 00219 fstring sid_str; 00220 uint32 tmp_acc_desired = acc_desired; 00221 00222 if (!status || !acc_granted) 00223 return False; 00224 00225 if (!token) 00226 token = &anonymous_token; 00227 00228 *status = NT_STATUS_OK; 00229 *acc_granted = 0; 00230 00231 DEBUG(10,("se_access_check: requested access 0x%08x, for NT token with %u entries and first sid %s.\n", 00232 (unsigned int)acc_desired, (unsigned int)token->num_sids, 00233 sid_to_string(sid_str, &token->user_sids[0]))); 00234 00235 /* 00236 * No security descriptor or security descriptor with no DACL 00237 * present allows all access. 00238 */ 00239 00240 /* ACL must have something in it */ 00241 00242 if (!sd || (sd && (!(sd->type & SEC_DESC_DACL_PRESENT) || sd->dacl == NULL))) { 00243 *status = NT_STATUS_OK; 00244 *acc_granted = acc_desired; 00245 DEBUG(5, ("se_access_check: no sd or blank DACL, access allowed\n")); 00246 return True; 00247 } 00248 00249 /* The user sid is the first in the token */ 00250 if (DEBUGLVL(3)) { 00251 DEBUG(3, ("se_access_check: user sid is %s\n", sid_to_string(sid_str, &token->user_sids[PRIMARY_USER_SID_INDEX]) )); 00252 00253 for (i = 1; i < token->num_sids; i++) { 00254 DEBUGADD(3, ("se_access_check: also %s\n", 00255 sid_to_string(sid_str, &token->user_sids[i]))); 00256 } 00257 } 00258 00259 /* Is the token the owner of the SID ? */ 00260 00261 if (sd->owner_sid) { 00262 for (i = 0; i < token->num_sids; i++) { 00263 if (sid_equal(&token->user_sids[i], sd->owner_sid)) { 00264 /* 00265 * The owner always has SEC_RIGHTS_WRITE_DAC & READ_CONTROL. 00266 */ 00267 if (tmp_acc_desired & WRITE_DAC_ACCESS) 00268 tmp_acc_desired &= ~WRITE_DAC_ACCESS; 00269 if (tmp_acc_desired & READ_CONTROL_ACCESS) 00270 tmp_acc_desired &= ~READ_CONTROL_ACCESS; 00271 } 00272 } 00273 } 00274 00275 the_acl = sd->dacl; 00276 00277 if (tmp_acc_desired & MAXIMUM_ALLOWED_ACCESS) { 00278 tmp_acc_desired &= ~MAXIMUM_ALLOWED_ACCESS; 00279 return get_max_access( the_acl, token, acc_granted, tmp_acc_desired, 00280 status); 00281 } 00282 00283 for ( i = 0 ; i < the_acl->num_aces && tmp_acc_desired != 0; i++) { 00284 SEC_ACE *ace = &the_acl->aces[i]; 00285 00286 DEBUGADD(10,("se_access_check: ACE %u: type %d, flags = 0x%02x, SID = %s mask = %x, current desired = %x\n", 00287 (unsigned int)i, ace->type, ace->flags, 00288 sid_to_string(sid_str, &ace->trustee), 00289 (unsigned int) ace->access_mask, 00290 (unsigned int)tmp_acc_desired )); 00291 00292 tmp_acc_desired = check_ace( ace, token, tmp_acc_desired, status); 00293 if (NT_STATUS_V(*status)) { 00294 *acc_granted = 0; 00295 DEBUG(5,("se_access_check: ACE %u denied with status %s.\n", (unsigned int)i, nt_errstr(*status))); 00296 return False; 00297 } 00298 } 00299 00300 /* 00301 * If there are no more desired permissions left then 00302 * access was allowed. 00303 */ 00304 00305 if (tmp_acc_desired == 0) { 00306 *acc_granted = acc_desired; 00307 *status = NT_STATUS_OK; 00308 DEBUG(5,("se_access_check: access (%x) granted.\n", (unsigned int)acc_desired )); 00309 return True; 00310 } 00311 00312 *acc_granted = 0; 00313 *status = NT_STATUS_ACCESS_DENIED; 00314 DEBUG(5,("se_access_check: access (%x) denied.\n", (unsigned int)acc_desired )); 00315 return False; 00316 }
NTSTATUS samr_make_sam_obj_sd | ( | TALLOC_CTX * | ctx, | |
SEC_DESC ** | psd, | |||
size_t * | sd_size | |||
) |
util_seaccess.c の 323 行で定義されています。
参照先 global_sid_Builtin・global_sid_World・init_sec_access()・init_sec_ace()・make_sec_acl()・make_sec_desc()・SEC_ACE_TYPE_ACCESS_ALLOWED・sid_append_rid()・sid_copy().
00324 { 00325 DOM_SID adm_sid; 00326 DOM_SID act_sid; 00327 00328 SEC_ACE ace[3]; 00329 SEC_ACCESS mask; 00330 00331 SEC_ACL *psa = NULL; 00332 00333 sid_copy(&adm_sid, &global_sid_Builtin); 00334 sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS); 00335 00336 sid_copy(&act_sid, &global_sid_Builtin); 00337 sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); 00338 00339 /*basic access for every one*/ 00340 init_sec_access(&mask, GENERIC_RIGHTS_SAM_EXECUTE | GENERIC_RIGHTS_SAM_READ); 00341 init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); 00342 00343 /*full access for builtin aliases Administrators and Account Operators*/ 00344 init_sec_access(&mask, GENERIC_RIGHTS_SAM_ALL_ACCESS); 00345 init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); 00346 init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); 00347 00348 if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL) 00349 return NT_STATUS_NO_MEMORY; 00350 00351 if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL) 00352 return NT_STATUS_NO_MEMORY; 00353 00354 return NT_STATUS_OK; 00355 }