bool is_privilege_assigned(const SE_PRIV *privileges,
const SE_PRIV *check)
{
SE_PRIV p1, p2;
if ( !privileges || !check )
return False;
/* everyone has privileges if you aren't checking for any */
if ( se_priv_empty( check ) ) {
DEBUG(1,("is_privilege_assigned: no privileges in check_mask!\n"));
return True;
}
se_priv_copy( &p1, check );
/* invert the SE_PRIV we want to check for and remove that from the
original set. If we are left with the SE_PRIV we are checking
for then return True */
se_priv_invert( &p1, check );
se_priv_copy( &p2, privileges );
se_priv_remove( &p2, &p1 );
return se_priv_equal( &p2, check );
}
LUID_ATTR get_privilege_luid( SE_PRIV *mask )
{
LUID_ATTR priv_luid;
int i;
ZERO_STRUCT( priv_luid );
for ( i=0; !se_priv_equal(&privs[i].se_priv, &se_priv_end); i++ ) {
if ( se_priv_equal( &privs[i].se_priv, mask ) ) {
priv_luid.luid = privs[i].luid;
break;
}
}
return priv_luid;
}
static int priv_traverse_fn(struct db_record *rec, void *state)
{
PRIV_SID_LIST *priv = (PRIV_SID_LIST *)state;
int prefixlen = strlen(PRIVPREFIX);
DOM_SID sid;
fstring sid_string;
/* easy check first */
if (rec->value.dsize != sizeof(SE_PRIV) )
return 0;
/* check we have a PRIV_+SID entry */
if ( strncmp((char *)rec->key.dptr, PRIVPREFIX, prefixlen) != 0)
return 0;
/* check to see if we are looking for a particular privilege */
if ( !se_priv_equal(&priv->privilege, &se_priv_none) ) {
SE_PRIV mask;
se_priv_copy( &mask, (SE_PRIV*)rec->value.dptr );
/* if the SID does not have the specified privilege
then just return */
if ( !is_privilege_assigned( &mask, &priv->privilege) )
return 0;
}
fstrcpy( sid_string, (char *)&(rec->key.dptr[strlen(PRIVPREFIX)]) );
/* this is a last ditch safety check to preventing returning
and invalid SID (i've somehow run into this on development branches) */
if ( strcmp( "S-0-0", sid_string ) == 0 )
return 0;
if ( !string_to_sid(&sid, sid_string) ) {
DEBUG(0,("travsersal_fn_enum__acct: Could not convert SID [%s]\n",
sid_string));
return 0;
}
if (!NT_STATUS_IS_OK(add_sid_to_array(priv->mem_ctx, &sid,
&priv->sids.list,
&priv->sids.count)))
{
return 0;
}
return 0;
}
int count_all_privileges( void )
{
static int count;
if ( count )
return count;
/* loop over the array and count it */
for ( count=0; !se_priv_equal(&privs[count].se_priv, &se_priv_end); count++ ) ;
return count;
}
bool se_priv_from_name( const char *name, SE_PRIV *mask )
{
int i;
for ( i=0; !se_priv_equal(&privs[i].se_priv, &se_priv_end); i++ ) {
if ( strequal( privs[i].name, name ) ) {
se_priv_copy( mask, &privs[i].se_priv );
return True;
}
}
return False;
}
static bool se_priv_empty( const SE_PRIV *mask )
{
SE_PRIV p1;
int i;
se_priv_copy( &p1, mask );
for ( i=0; i<SE_PRIV_MASKSIZE; i++ ) {
p1.mask[i] &= se_priv_all.mask[i];
}
return se_priv_equal( &p1, &se_priv_none );
}
const char* get_privilege_dispname( const char *name )
{
int i;
for ( i=0; !se_priv_equal(&privs[i].se_priv, &se_priv_end); i++ ) {
if ( strequal( privs[i].name, name ) ) {
return privs[i].description;
}
}
return NULL;
}
BOOL revoke_privilege_by_name(DOM_SID *sid, const char *name)
{
int i;
for ( i=0; !se_priv_equal(&privs[i].se_priv, &se_priv_end); i++ ) {
if ( strequal(privs[i].name, name) ) {
return revoke_privilege( sid, &privs[i].se_priv );
}
}
DEBUG(3, ("revoke_privilege_by_name: No Such Privilege Found (%s)\n", name));
return False;
}
static int priv_traverse_fn(TDB_CONTEXT *t, TDB_DATA key, TDB_DATA data, void *state)
{
PRIV_SID_LIST *priv = state;
int prefixlen = strlen(PRIVPREFIX);
DOM_SID sid;
fstring sid_string;
/* easy check first */
if ( data.dsize != sizeof(SE_PRIV) )
return 0;
/* check we have a PRIV_+SID entry */
if ( strncmp(key.dptr, PRIVPREFIX, prefixlen) != 0)
return 0;
/* check to see if we are looking for a particular privilege */
if ( !se_priv_equal(&priv->privilege, &se_priv_none) ) {
SE_PRIV mask;
se_priv_copy( &mask, (SE_PRIV*)data.dptr );
/* if the SID does not have the specified privilege
then just return */
if ( !is_privilege_assigned( &mask, &priv->privilege) )
return 0;
}
fstrcpy( sid_string, &key.dptr[strlen(PRIVPREFIX)] );
/* this is a last ditch safety check to preventing returning
and invalid SID (i've somehow run into this on development branches) */
if ( strcmp( "S-0-0", sid_string ) == 0 )
return 0;
if ( !string_to_sid(&sid, sid_string) ) {
DEBUG(0,("travsersal_fn_enum__acct: Could not convert SID [%s]\n",
sid_string));
return 0;
}
add_sid_to_array( NULL, &sid, &priv->sids.list, &priv->sids.count );
return 0;
}
const char *luid_to_privilege_name(const LUID *set)
{
int i;
if (set->high != 0)
return NULL;
for ( i=0; !se_priv_equal(&privs[i].se_priv, &se_priv_end); i++ ) {
if ( set->low == privs[i].luid.low ) {
return privs[i].name;
}
}
return NULL;
}
char* luid_to_privilege_name(const LUID *set)
{
static fstring name;
int i;
if (set->high != 0)
return NULL;
for ( i=0; !se_priv_equal(&privs[i].se_priv, &se_priv_end); i++ ) {
if ( set->low == privs[i].luid.low ) {
fstrcpy( name, privs[i].name );
return name;
}
}
return NULL;
}
