samba.git/libcli/security/access_check.c, branch master Unnamed repository; edit this file 'description' to name the repository. libcli: Modernize a DEBUG 2024-12-17T12:30:30+00:00 Volker Lendecke vl@samba.org 2024-11-29T14:35:50+00:00 f41dc1440beedcd85a0b4526336cdb26bfead721 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
libcli: Make handling implicit_owner_rights bit easier to read 2024-12-17T12:30:30+00:00 Volker Lendecke vl@samba.org 2024-11-29T12:06:03+00:00 ddc88fa8b6e8c7facfc4b972d8316989b11eeade The first time I came across this I missed the "FALL_THROUGH" and had to look closely at what happens. I had expected IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS to grant two rights, which to me is now more obvious. It was correct before, but to me this is now more obvious. YMMV. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> 
The first time I came across this I missed the "FALL_THROUGH" and had
to look closely at what happens. I had expected
IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS to grant two rights,
which to me is now more obvious. It was correct before, but to me this
is now more obvious. YMMV.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
libcli/security: Make ‘replace_sid’ parameter const 2024-02-08T02:48:44+00:00 Jo Sutton josutton@catalyst.net.nz 2024-01-09T02:33:38+00:00 437e3dd1e6aa985f3d731a1be15baae34d9ded62 Signed-off-by: Jo Sutton <josutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli:security: Use SELF SID constant 2023-09-27T02:43:28+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-09-11T02:13:47+00:00 2782df62ad5259a173ace46c3dcf9cc1dbc3e8c2 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/security: access_check handles CALLBACK_OBJECT types 2023-09-26T23:45:36+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2023-09-25T01:36:59+00:00 1e45a4d10a5c7b79ae73f6cf4173f9112cbade12 These are like an object type if the callback (i.e. condtional ACE conditions) succeeds, otherwise they are ignored. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
These are like an object type if the callback (i.e. condtional ACE
conditions) succeeds, otherwise they are ignored.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/security: se_access_check uses new callback checks 2023-09-26T23:45:36+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2023-09-20T05:35:18+00:00 c5345f18d710edff0a67144e2b539e18f1808ede With the last caller of check_callback_ace_access() gone, so is that function. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
With the last caller of check_callback_ace_access() gone, so is that
function.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/security: sec_access_check_ds uses new callback ACE checks 2023-09-26T23:45:36+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2023-09-13T05:24:57+00:00 5d6f0927f5416c0bae057a2b5d0032bf4607e323 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/security: access_check with MAXIMUM_ALLOWED checks callbacks 2023-09-26T23:45:36+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2023-09-13T05:25:52+00:00 117d4c55006da88c6117f9d4dfec8347bc589ea6 To help clarify the logic, we make new functions that separate the deny and allow cases, which helps keep track of what 'yes' and 'no' mean and which incorporate the logic of token->evaluate_claims handling, which determines when we want to run a conditional ACE, when we want to ignore it, and when we want to take offence. In the case when we decide to run it, we then need to decide whether to apply it or ignore it based on the result. This last bit differs between allow and deny aces, hence the two functions. These functions will replace check_callback_ace_access() over the next few commits. In the case where token->evaluate_claims is CLAIMS_EVALUATION_INVALID_STATE and the DACL contains a conditional ACE, the maximum allowed is 0, as if it was a "deny everything" ACE. This is an unexpected case. Most likely the evaluate_claims state will be NEVER or ALWAYS. In the NEVER case the conditional ACE is skipped, as would have happened in all cases before 4.20, while in the ALWAYS case the conditional ACE is run and applied if successful. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
To help clarify the logic, we make new functions that separate the
deny and allow cases, which helps keep track of what 'yes' and 'no'
mean and which incorporate the logic of token->evaluate_claims
handling, which determines when we want to run a conditional ACE, when
we want to ignore it, and when we want to take offence. In the case
when we decide to run it, we then need to decide whether to apply it
or ignore it based on the result. This last bit differs between allow
and deny aces, hence the two functions.

These functions will replace check_callback_ace_access() over the next
few commits.

In the case where token->evaluate_claims is
CLAIMS_EVALUATION_INVALID_STATE and the DACL contains a conditional
ACE, the maximum allowed is 0, as if it was a "deny everything" ACE.

This is an unexpected case. Most likely the evaluate_claims state
will be NEVER or ALWAYS. In the NEVER case the conditional ACE is
skipped, as would have happened in all cases before 4.20, while in the
ALWAYS case the conditional ACE is run and applied if successful.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/security: Hook in ability to disable conditional ACE evaluation 2023-09-26T23:45:36+00:00 Andrew Bartlett abartlet@samba.org 2023-09-15T00:36:56+00:00 e3f28c2ecf6a8cd335d21e1dbf8d247520de2177 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
libcli/security: conditional ace access checks for file server 2023-09-26T23:45:35+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2023-09-13T05:25:34+00:00 b7bd1f438bef450dec891d6cab672d689e8c555f Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>