From 01b1eff630bb07553a2eadb82df5246b3f70b3b7 Mon Sep 17 00:00:00 2001
From: =?utf8?q?G=C3=BCnther=20Deschner?=
Date: Wed, 15 Apr 2009 01:30:12 +0200
Subject: [PATCH] s3-secdesc: move all winreg access bits to IDL.
Guenther
(cherry picked from commit 38264bb3b86a3c9da941070f29ec08227c471d2b)
(cherry picked from commit 904bc5011fc7df40111f493ff28972640b95c0d1)
---
 librpc/gen_ndr/winreg.h | 4 ++++
 librpc/idl/winreg.idl | 20 ++++++++++++++++++++
 source3/include/rpc_secdes.h | 35 -----------------------------------
 source3/lib/smbconf/smbconf_reg.c | 2 +-
 source3/registry/reg_api.c | 28 ++++++++++++++--------------
 source3/rpcclient/cmd_test.c | 2 +-
 source3/utils/net_rpc.c | 6 +++---
 7 files changed, 43 insertions(+), 54 deletions(-)
diff --git a/librpc/gen_ndr/winreg.h b/librpc/gen_ndr/winreg.h
index e0300fd0e7a..103817c4666 100644
--- a/librpc/gen_ndr/winreg.h
+++ b/librpc/gen_ndr/winreg.h
@@ -9,6 +9,10 @@
 #ifndef _HEADER_winreg
 #define _HEADER_winreg
+#define REG_KEY_READ ( (STANDARD_RIGHTS_READ_ACCESS|KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY) )
+#define REG_KEY_EXECUTE ( REG_KEY_READ )
+#define REG_KEY_WRITE ( (STANDARD_RIGHTS_WRITE_ACCESS|KEY_SET_VALUE|KEY_CREATE_SUB_KEY) )
+#define REG_KEY_ALL ( (STANDARD_RIGHTS_REQUIRED_ACCESS|REG_KEY_READ|REG_KEY_WRITE|KEY_CREATE_LINK) )
 /* bitmap winreg_AccessMask */
 #define KEY_QUERY_VALUE ( 0x00001 )
 #define KEY_SET_VALUE ( 0x00002 )
diff --git a/librpc/idl/winreg.idl b/librpc/idl/winreg.idl
index b905bdea7bd..18b5edcb5d9 100644
--- a/librpc/idl/winreg.idl
+++ b/librpc/idl/winreg.idl
@@ -14,6 +14,10 @@ import "lsa.idl", "security.idl";
 {
 typedef bitmap security_secinfo security_secinfo;
+ /*
+ * Access Bits for registry ACLS
+ */
+
 typedef [bitmap32bit] bitmap {
 KEY_QUERY_VALUE = 0x00001,
 KEY_SET_VALUE = 0x00002,
@@ -25,6 +29,22 @@ import "lsa.idl", "security.idl";
 KEY_WOW64_32KEY = 0x00200
 } winreg_AccessMask;
+ const int REG_KEY_READ = ( STANDARD_RIGHTS_READ_ACCESS |
+ KEY_QUERY_VALUE |
+ KEY_ENUMERATE_SUB_KEYS |
+ KEY_NOTIFY);
+
+ const int REG_KEY_EXECUTE = REG_KEY_READ;
+
+ const int REG_KEY_WRITE = ( STANDARD_RIGHTS_WRITE_ACCESS |
+ KEY_SET_VALUE |
+ KEY_CREATE_SUB_KEY);
+
+ const int REG_KEY_ALL = ( STANDARD_RIGHTS_REQUIRED_ACCESS |
+ REG_KEY_READ |
+ REG_KEY_WRITE |
+ KEY_CREATE_LINK);
+
 typedef [public,v1_enum] enum {
 REG_NONE = 0,
 REG_SZ = 1,
diff --git a/source3/include/rpc_secdes.h b/source3/include/rpc_secdes.h
index c74d621f35d..1ce3f846003 100644
--- a/source3/include/rpc_secdes.h
+++ b/source3/include/rpc_secdes.h
@@ -194,39 +194,4 @@ struct standard_mapping {
 SA_RIGHT_FILE_WRITE_DATA | \
 SA_RIGHT_FILE_READ_DATA)
-/*
- * Access Bits for registry ACLS
- */
-
-/* used by registry ACLs */
-
-#define SEC_RIGHTS_QUERY_VALUE 0x00000001
-#define SEC_RIGHTS_SET_VALUE 0x00000002
-#define SEC_RIGHTS_CREATE_SUBKEY 0x00000004
-#define SEC_RIGHTS_ENUM_SUBKEYS 0x00000008
-#define SEC_RIGHTS_NOTIFY 0x00000010
-#define SEC_RIGHTS_CREATE_LINK 0x00000020
-#define SEC_RIGHTS_MAXIMUM_ALLOWED 0x02000000
-
-
-#define REG_KEY_READ \
- ( STANDARD_RIGHTS_READ_ACCESS |\
- SEC_RIGHTS_QUERY_VALUE |\
- SEC_RIGHTS_ENUM_SUBKEYS |\
- SEC_RIGHTS_NOTIFY )
-
-#define REG_KEY_EXECUTE REG_KEY_READ
-
-#define REG_KEY_WRITE \
- ( STANDARD_RIGHTS_WRITE_ACCESS |\
- SEC_RIGHTS_SET_VALUE |\
- SEC_RIGHTS_CREATE_SUBKEY )
-
-#define REG_KEY_ALL \
- ( STANDARD_RIGHTS_REQUIRED_ACCESS |\
- REG_KEY_READ |\
- REG_KEY_WRITE |\
- SEC_RIGHTS_CREATE_LINK )
-
-
 #endif /* _RPC_SECDES_H */
diff --git a/source3/lib/smbconf/smbconf_reg.c b/source3/lib/smbconf/smbconf_reg.c
index 0ecac97575e..54ce5348a74 100644
--- a/source3/lib/smbconf/smbconf_reg.c
+++ b/source3/lib/smbconf/smbconf_reg.c
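Review bot: The four `REG_KEY_*` constants added to librpc/idl/winreg.idl are built from `STANDARD_RIGHTS_READ_ACCESS`, `STANDARD_RIGHTS_WRITE_ACCESS` and `STANDARD_RIGHTS_REQUIRED_ACCESS`, none of which this hunk or the visible part of the IDL defines. The block removed from source3/include/rpc_secdes.h used the same names, so they presumably still come from that header, which would mean the generated macros in librpc/gen_ndr/winreg.h expand only where it has been included first. Since these masks feed the registry access checks, I would state the dependency next to the constants, e.g. `/* STANDARD_RIGHTS_* are not defined here; the including code must provide them */`, or move the standard-rights bits into IDL as well. Separately, `SEC_RIGHTS_MAXIMUM_ALLOWED` is deleted from rpc_secdes.h with no counterpart added in this patch, so any remaining user would need a replacement name.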
@@ -567,7 +567,7 @@ static WERROR smbconf_reg_init(struct smbconf_ctx *ctx, const char *path)
 }
 werr = reg_open_path(ctx, ctx->path,
- SEC_RIGHTS_ENUM_SUBKEYS | REG_KEY_WRITE,
+ KEY_ENUMERATE_SUB_KEYS | REG_KEY_WRITE,
 token, &rpd(ctx)->base_key);
 if (!W_ERROR_IS_OK(werr)) {
 goto done;
diff --git a/source3/registry/reg_api.c b/source3/registry/reg_api.c
index c1a78c14dc7..817d43be6b9 100644
--- a/source3/registry/reg_api.c
+++ b/source3/registry/reg_api.c
@@ -272,7 +272,7 @@ WERROR reg_openkey(TALLOC_CTX *mem_ctx, struct registry_key *parent,
 err = regkey_open_onelevel(mem_ctx, direct_parent, name_component, parent->token,
- SEC_RIGHTS_ENUM_SUBKEYS, &tmp);
+ KEY_ENUMERATE_SUB_KEYS, &tmp);
 SAFE_FREE(name_component);
 if (!W_ERROR_IS_OK(err)) {
@@ -301,7 +301,7 @@ WERROR reg_enumkey(TALLOC_CTX *mem_ctx, struct registry_key *key,
 {
 WERROR err;
- if (!(key->key->access_granted & SEC_RIGHTS_ENUM_SUBKEYS)) {
+ if (!(key->key->access_granted & KEY_ENUMERATE_SUB_KEYS)) {
 return WERR_ACCESS_DENIED;
 }
@@ -332,7 +332,7 @@ WERROR reg_enumvalue(TALLOC_CTX *mem_ctx, struct registry_key *key,
 struct registry_value *val;
 WERROR err;
- if (!(key->key->access_granted & SEC_RIGHTS_QUERY_VALUE)) {
+ if (!(key->key->access_granted & KEY_QUERY_VALUE)) {
 return WERR_ACCESS_DENIED;
 }
@@ -370,7 +370,7 @@ WERROR reg_queryvalue(TALLOC_CTX *mem_ctx, struct registry_key *key,
 WERROR err;
 uint32 i;
- if (!(key->key->access_granted & SEC_RIGHTS_QUERY_VALUE)) {
+ if (!(key->key->access_granted & KEY_QUERY_VALUE)) {
 return WERR_ACCESS_DENIED;
 }
@@ -399,7 +399,7 @@ WERROR reg_queryinfokey(struct registry_key *key, uint32_t *num_subkeys,
 WERROR err;
 struct security_descriptor *secdesc;
- if (!(key->key->access_granted & SEC_RIGHTS_QUERY_VALUE)) {
+ if (!(key->key->access_granted & KEY_QUERY_VALUE)) {
 return WERR_ACCESS_DENIED;
 }
@@ -483,7 +483,7 @@ WERROR reg_createkey(TALLOC_CTX *ctx, struct registry_key *parent,
 *end = '\0';
 err = reg_createkey(mem_ctx, key, path,
- SEC_RIGHTS_ENUM_SUBKEYS, &tmp, &action);
+ KEY_ENUMERATE_SUB_KEYS, &tmp, &action);
 if (!W_ERROR_IS_OK(err)) {
 goto done;
 }
@@ -521,7 +521,7 @@ WERROR reg_createkey(TALLOC_CTX *ctx, struct registry_key *parent,
 * with ENUM_SUBKEY access. */
- err = reg_openkey(mem_ctx, key, "", SEC_RIGHTS_CREATE_SUBKEY,
+ err = reg_openkey(mem_ctx, key, "", KEY_CREATE_SUB_KEY,
 &create_parent);
 if (!W_ERROR_IS_OK(err)) {
 goto done;
@@ -582,7 +582,7 @@ WERROR reg_deletekey(struct registry_key *parent, const char *path)
 *end = '\0';
 err = reg_openkey(mem_ctx, parent, name,
- SEC_RIGHTS_CREATE_SUBKEY, &tmp_key);
+ KEY_CREATE_SUB_KEY, &tmp_key);
 W_ERROR_NOT_OK_GOTO_DONE(err);
 parent = tmp_key;
@@ -608,7 +608,7 @@ WERROR reg_setvalue(struct registry_key *key, const char *name,
 DATA_BLOB value_data;
 int res;
- if (!(key->key->access_granted & SEC_RIGHTS_SET_VALUE)) {
+ if (!(key->key->access_granted & KEY_SET_VALUE)) {
 return WERR_ACCESS_DENIED;
 }
@@ -655,7 +655,7 @@ WERROR reg_deletevalue(struct registry_key *key, const char *name)
 {
 WERROR err;
- if (!(key->key->access_granted & SEC_RIGHTS_SET_VALUE)) {
+ if (!(key->key->access_granted & KEY_SET_VALUE)) {
 return WERR_ACCESS_DENIED;
 }
@@ -982,7 +982,7 @@ WERROR reg_deleteallvalues(struct registry_key *key)
 WERROR err;
 int i;
- if (!(key->key->access_granted & SEC_RIGHTS_SET_VALUE)) {
+ if (!(key->key->access_granted & KEY_SET_VALUE)) {
 return WERR_ACCESS_DENIED;
 }
@@ -1038,7 +1038,7 @@ WERROR reg_open_path(TALLOC_CTX *mem_ctx, const char *orig_path,
 *p = '\0';
- err = reg_openhive(mem_ctx, path, SEC_RIGHTS_ENUM_SUBKEYS, token,
+ err = reg_openhive(mem_ctx, path, KEY_ENUMERATE_SUB_KEYS, token,
 &hive);
 if (!W_ERROR_IS_OK(err)) {
 SAFE_FREE(path);
@@ -1209,7 +1209,7 @@ WERROR reg_create_path(TALLOC_CTX *mem_ctx, const char *orig_path,
 err = reg_openhive(mem_ctx, path, (strchr(p+1, '\\') != NULL) ?
- SEC_RIGHTS_ENUM_SUBKEYS : SEC_RIGHTS_CREATE_SUBKEY,
+ KEY_ENUMERATE_SUB_KEYS : KEY_CREATE_SUB_KEY,
 token, &hive);
 if (!W_ERROR_IS_OK(err)) {
 SAFE_FREE(path);
@@ -1249,7 +1249,7 @@ WERROR reg_delete_path(const struct nt_user_token *token,
 err = reg_openhive(NULL, path, (strchr(p+1, '\\') != NULL) ?
- SEC_RIGHTS_ENUM_SUBKEYS : SEC_RIGHTS_CREATE_SUBKEY,
+ KEY_ENUMERATE_SUB_KEYS : KEY_CREATE_SUB_KEY,
 token, &hive);
 if (!W_ERROR_IS_OK(err)) {
 SAFE_FREE(path);
diff --git a/source3/rpcclient/cmd_test.c b/source3/rpcclient/cmd_test.c
index b7be038539d..85e90a19b51 100644
--- a/source3/rpcclient/cmd_test.c
+++ b/source3/rpcclient/cmd_test.c
@@ -45,7 +45,7 @@ static NTSTATUS cmd_testme(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
 }
 status = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, False,
- SEC_RIGHTS_QUERY_VALUE, &pol);
+ KEY_QUERY_VALUE, &pol);
 if (!NT_STATUS_IS_OK(status)) goto done;
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index 25ecf4a4d6f..d100189bfcc 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -5595,7 +5595,7 @@ static int rpc_trustdom_establish(struct net_context *c, int argc,
 return -1;
 }
- nt_status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, true, SEC_RIGHTS_QUERY_VALUE,
+ nt_status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, true, KEY_QUERY_VALUE,
 &connect_hnd);
 if (NT_STATUS_IS_ERR(nt_status)) {
 DEBUG(0, ("Couldn't open policy handle. Error was %s\n",
@@ -5851,7 +5851,7 @@ static int rpc_trustdom_vampire(struct net_context *c, int argc,
 return -1;
 };
- nt_status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, false, SEC_RIGHTS_QUERY_VALUE,
+ nt_status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, false, KEY_QUERY_VALUE,
 &connect_hnd);
 if (NT_STATUS_IS_ERR(nt_status)) {
 DEBUG(0, ("Couldn't open policy handle. Error was %s\n",
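Review bot: In cmd_testme (source3/rpcclient/cmd_test.c) the desired access passed to `rpccli_lsa_open_policy()` is now `KEY_QUERY_VALUE`, a winreg key access bit, although the handle being opened is an LSA policy handle. The value is unchanged (0x1), so behaviour is the same, but the new name makes the call read as a registry right and misleads anyone auditing what access the client actually requests. The three `rpccli_lsa_open_policy2()` calls in source3/utils/net_rpc.c (rpc_trustdom_establish, rpc_trustdom_vampire, rpc_trustdom_list) have the same problem. I would use the LSA policy mask name instead, e.g. `LSA_POLICY_VIEW_LOCAL_INFORMATION, &pol);` if this tree's lsa.idl already defines it, or at least add `/* 0x1 as an LSA policy access bit, not a registry right */` at each call. The enclosing functions start and end outside these hunks.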
@@ -6008,7 +6008,7 @@ static int rpc_trustdom_list(struct net_context *c, int argc, const char **argv)
 return -1;
 };
- nt_status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, false, SEC_RIGHTS_QUERY_VALUE,
+ nt_status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, false, KEY_QUERY_VALUE,
 &connect_hnd);
 if (NT_STATUS_IS_ERR(nt_status)) {
 DEBUG(0, ("Couldn't open policy handle. Error was %s\n",
-- 
2.11.4.GIT