static bool elog_check_access( EVENTLOG_INFO *info, NT_USER_TOKEN *token )
{
char *tdbname = elog_tdbname(talloc_tos(), info->logname );
SEC_DESC *sec_desc;
NTSTATUS status;
if ( !tdbname )
return False;
/* get the security descriptor for the file */
sec_desc = get_nt_acl_no_snum( info, tdbname );
TALLOC_FREE( tdbname );
if ( !sec_desc ) {
DEBUG(5,("elog_check_access: Unable to get NT ACL for %s\n",
tdbname));
return False;
}
/* root free pass */
if ( geteuid() == sec_initial_uid() ) {
DEBUG(5,("elog_check_access: using root's token\n"));
token = get_root_nt_token();
}
/* run the check, try for the max allowed */
status = se_access_check( sec_desc, token, MAXIMUM_ALLOWED_ACCESS,
&info->access_granted);
if ( sec_desc )
TALLOC_FREE( sec_desc );
if (!NT_STATUS_IS_OK(status)) {
DEBUG(8,("elog_check_access: se_access_check() return %s\n",
nt_errstr(status)));
return False;
}
/* we have to have READ permission for a successful open */
return ( info->access_granted & SA_RIGHT_FILE_READ_DATA );
}
static bool elog_check_access( EVENTLOG_INFO *info, const struct security_token *token )
{
char *tdbname = elog_tdbname(talloc_tos(), info->logname );
struct security_descriptor *sec_desc;
struct security_ace *ace;
NTSTATUS status;
if ( !tdbname )
return False;
/* get the security descriptor for the file */
sec_desc = get_nt_acl_no_snum( info, tdbname );
TALLOC_FREE( tdbname );
if ( !sec_desc ) {
DEBUG(5,("elog_check_access: Unable to get NT ACL for %s\n",
tdbname));
return False;
}
ace = talloc_zero(sec_desc, struct security_ace);
if (ace == NULL) {
TALLOC_FREE(sec_desc);
return false;
}
ace->type = SEC_ACE_TYPE_ACCESS_ALLOWED;
ace->flags = 0;
ace->access_mask = REG_KEY_ALL;
ace->trustee = global_sid_System;
status = security_descriptor_dacl_add(sec_desc, ace);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(sec_desc);
return false;
}
/* root free pass */
if ( geteuid() == sec_initial_uid() ) {
DEBUG(5,("elog_check_access: running as root, using system token\n"));
token = get_system_token();
}
/* run the check, try for the max allowed */
status = se_access_check( sec_desc, token, MAXIMUM_ALLOWED_ACCESS,
&info->access_granted);
TALLOC_FREE(sec_desc);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(8,("elog_check_access: se_access_check() return %s\n",
nt_errstr(status)));
return False;
}
/* we have to have READ permission for a successful open */
return ( info->access_granted & SEC_FILE_READ_DATA );
}
