Minor refinements
lkarlslund committed Sep 9, 2022
1 parent 614f55e commit 6964b0d
Showing 1 changed file with 8 additions and 15 deletions.
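--- a/modules/engine/securitydescriptor.go
+++ b/modules/engine/securitydescriptor.go
@@ -210,7 +210,8 @@ func (a ACL) IsObjectClassAccessAllowed(index int, testObject *Object, mask Mask
 // we've been processing direct DENY, but there are some inherited, so skip to them
 i = a.firstinheriteddeny
 } else {
-break
+// no more DENY entries so we're granted access
+return true
 }
 }
 
@@ -237,16 +238,8 @@ func (a ACL) IsObjectClassAccessAllowed(index int, testObject *Object, mask Mask
 }
 }
 
-if sidmatch {
-if a.Entries[i].matchObjectClassAndGUID(testObject, mask, guid, ao) {
-return false // Access denied
-}
-if !guid.IsNil() {
-// Is there a generic deny?
-if a.Entries[i].matchObjectClassAndGUID(testObject, mask, uuid.Nil, ao) {
-return false // Access denied
-}
-}
+if sidmatch && a.Entries[i].matchObjectClassAndGUID(testObject, mask, guid, ao) {
+return false // Access denied
 }
 }
 }
@@ -258,7 +251,7 @@ func (a ACL) IsObjectClassAccessAllowed(index int, testObject *Object, mask Mask
 var objectSecurityGUIDcache gsync.MapOf[uuid.UUID, uuid.UUID]
 
 // Is the ACE something that allows or denies this type of GUID?
-func (a ACE) matchObjectClassAndGUID(o *Object, mask Mask, g uuid.UUID, ao *Objects) bool {
+func (a ACE) matchObjectClassAndGUID(o *Object, requestedAccess Mask, g uuid.UUID, ao *Objects) bool {
 // http://www.selfadsi.org/deep-inside/ad-security-descriptors.htm
 // Don't to drugs while reading the above ^^^^^
 
@@ -267,12 +260,12 @@ func (a ACE) matchObjectClassAndGUID(o *Object, mask Mask, g uuid.UUID, ao *Obje
 return false
 }
 
-if mask != 0 && a.Mask&mask != mask {
+if a.Mask&requestedAccess != requestedAccess {
 return false
 }
 
 // This ACE only applies to some kinds of attributes / extended rights?
-if a.ObjectType != NullGUID {
+if !a.ObjectType.IsNil() {
 typematch := a.ObjectType == g
 if !typematch {
 // Lets chack if this requested guid is part of a group which is allowed
@@ -299,7 +292,7 @@ func (a ACE) matchObjectClassAndGUID(o *Object, mask Mask, g uuid.UUID, ao *Obje
 }
 }
 
-if a.InheritedObjectType != NullGUID {
+if !a.InheritedObjectType.IsNil() {
 // We weren't passed a type, so if we don't have general access return false
 if o == nil {
 return false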
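Review bot: The `return true` that replaces `break` in the first hunk turns an exit from the DENY scan into an immediate grant, so whatever followed that loop in IsObjectClassAccessAllowed (the function continues outside the hunk) no longer runs on this path; if that tail did anything beyond returning true, this widens access, and the comment should name the invariant it relies on rather than just the outcome, e.g. `// every applicable DENY ACE has been checked without matching, so the allow found earlier stands` (hedged, since the ALLOW side of the evaluation is not visible here). In the second hunk, dropping the uuid.Nil probe is only safe because matchObjectClassAndGUID skips type matching entirely when a.ObjectType is nil (the `!a.ObjectType.IsNil()` guard in the fourth hunk), so a generic DENY already matches any requested guid; a one-line comment at the simplified check, `// a DENY ACE with a nil ObjectType matches any guid, so no separate generic-deny probe is needed`, would record that dependency for the next reader. The `mask != 0 &&` removal in the fourth hunk is behavior-preserving for a zero requestedAccess (`a.Mask&0 != 0` is never true), which is worth saying in the commit description since "Minor refinements" does not.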
