diff options
author | Gerald Carter <jerry@samba.org> | 2003-11-24 17:31:38 +0000 |
---|---|---|
committer | Gerald Carter <jerry@samba.org> | 2003-11-24 17:31:38 +0000 |
commit | c39f5fea4ad7b57ee8ad4d2b115163f76753f853 (patch) | |
tree | e65a6577d044de2fdbfd354bbd1a72c47aec3199 | |
parent | 62685054962f4be7d8791b87dff85e89347269e8 (diff) | |
download | samba-c39f5fea4ad7b57ee8ad4d2b115163f76753f853.tar.gz samba-c39f5fea4ad7b57ee8ad4d2b115163f76753f853.tar.bz2 samba-c39f5fea4ad7b57ee8ad4d2b115163f76753f853.zip |
more access fixes for group enumeration in LDAP; bug 281
(This used to be commit 68283407e0f366d8315f4be6caed67eb6fe84b85)
-rw-r--r-- | source3/groupdb/mapping.c | 8 | ||||
-rw-r--r-- | source3/passdb/passdb.c | 17 | ||||
-rw-r--r-- | source3/rpc_server/srv_lsa_nt.c | 9 | ||||
-rw-r--r-- | source3/rpc_server/srv_samr_nt.c | 8 | ||||
-rw-r--r-- | source3/rpc_server/srv_util.c | 15 | ||||
-rw-r--r-- | source3/smbd/lanman.c | 9 |
6 files changed, 52 insertions, 14 deletions
diff --git a/source3/groupdb/mapping.c b/source3/groupdb/mapping.c index 7a07b5c344..8f534d779e 100644 --- a/source3/groupdb/mapping.c +++ b/source3/groupdb/mapping.c @@ -629,6 +629,7 @@ Returns a GROUP_MAP struct based on the gid. BOOL get_group_from_gid(gid_t gid, GROUP_MAP *map) { struct group *grp; + BOOL ret; if(!init_group_mapping()) { DEBUG(0,("failed to initialize group mapping")); @@ -641,7 +642,12 @@ BOOL get_group_from_gid(gid_t gid, GROUP_MAP *map) /* * make a group map from scratch if doesn't exist. */ - if (!pdb_getgrgid(map, gid)) { + + become_root(); + ret = pdb_getgrgid(map, gid); + unbecome_root(); + + if ( !ret ) { map->gid=gid; map->sid_name_use=SID_NAME_ALIAS; diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index 6e33bc7746..6246cdaee1 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -416,6 +416,7 @@ NTSTATUS pdb_set_sam_sids(SAM_ACCOUNT *account_data, const struct passwd *pwd) { const char *guest_account = lp_guestaccount(); GROUP_MAP map; + BOOL ret; if (!account_data || !pwd) { return NT_STATUS_INVALID_PARAMETER; @@ -445,7 +446,11 @@ NTSTATUS pdb_set_sam_sids(SAM_ACCOUNT *account_data, const struct passwd *pwd) } /* call the mapping code here */ - if(pdb_getgrgid(&map, pwd->pw_gid)) { + become_root(); + ret = pdb_getgrgid(&map, pwd->pw_gid); + unbecome_root(); + + if( ret ) { if (!pdb_set_group_sid(account_data, &map.sid, PDB_SET)){ DEBUG(0,("Can't set Group SID!\n")); return NT_STATUS_INVALID_PARAMETER; @@ -850,6 +855,8 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi return False; } + /* BEGIN ROOT BLOCK */ + become_root(); if (pdb_getsampwnam(sam_account, user)) { unbecome_root(); @@ -859,7 +866,6 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi pdb_free_sam(&sam_account); return True; } - unbecome_root(); pdb_free_sam(&sam_account); @@ -875,8 +881,10 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi } else { /* it's not a mapped group */ grp = getgrnam(user); - if(!grp) + if(!grp) { + unbecome_root(); /* ---> exit form block */ return False; + } /* *check if it's mapped, if it is reply it doesn't exist @@ -891,12 +899,15 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi */ if (pdb_getgrgid(&map, grp->gr_gid)){ + unbecome_root(); /* ---> exit form block */ return False; } sid_append_rid( &local_sid, pdb_gid_to_group_rid(grp->gr_gid)); *psid_name_use = SID_NAME_ALIAS; } + unbecome_root(); + /* END ROOT BLOCK */ sid_copy( psid, &local_sid); diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c index 0a8ad404cb..e545d8c267 100644 --- a/source3/rpc_server/srv_lsa_nt.c +++ b/source3/rpc_server/srv_lsa_nt.c @@ -845,6 +845,7 @@ NTSTATUS _lsa_enum_accounts(pipes_struct *p, LSA_Q_ENUM_ACCOUNTS *q_u, LSA_R_ENU int num_entries=0; LSA_SID_ENUM *sids=&r_u->sids; int i=0,j=0; + BOOL ret; if (!find_policy_by_hnd(p, &q_u->pol, (void **)&handle)) return NT_STATUS_INVALID_HANDLE; @@ -858,8 +859,14 @@ NTSTATUS _lsa_enum_accounts(pipes_struct *p, LSA_Q_ENUM_ACCOUNTS *q_u, LSA_R_ENU return NT_STATUS_ACCESS_DENIED; /* get the list of mapped groups (domain, local, builtin) */ - if(!pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED)) + become_root(); + ret = pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED); + unbecome_root(); + if( !ret ) { + DEBUG(3,("_lsa_enum_accounts: enumeration of groups failed!\n")); return NT_STATUS_OK; + } + if (q_u->enum_context >= num_entries) return NT_STATUS_NO_MORE_ENTRIES; diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 6cd5da4892..d3da830991 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -292,6 +292,7 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) uint32 group_entries = 0; uint32 i; TALLOC_CTX *mem_ctx = info->mem_ctx; + BOOL ret; DEBUG(10,("load_group_domain_entries\n")); @@ -303,13 +304,14 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) become_root(); - - if (!pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED)) { + ret = pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED); + unbecome_root(); + + if ( !ret ) { DEBUG(1, ("load_group_domain_entries: pdb_enum_group_mapping() failed!\n")); return NT_STATUS_NO_MEMORY; } - unbecome_root(); info->disp_info.num_group_account=group_entries; diff --git a/source3/rpc_server/srv_util.c b/source3/rpc_server/srv_util.c index 632d381503..d5b87b7c10 100644 --- a/source3/rpc_server/srv_util.c +++ b/source3/rpc_server/srv_util.c @@ -281,6 +281,7 @@ BOOL get_domain_user_groups(TALLOC_CTX *ctx, int *numgroups, DOM_GID **pgids, SA fstring user_name; uint32 grid; uint32 tmp_rid; + BOOL ret; *numgroups= 0; @@ -290,15 +291,21 @@ BOOL get_domain_user_groups(TALLOC_CTX *ctx, int *numgroups, DOM_GID **pgids, SA DEBUG(10,("get_domain_user_groups: searching domain groups [%s] is a member of\n", user_name)); /* we must wrap this is become/unbecome root for ldap backends */ + become_root(); - /* first get the list of the domain groups */ - if (!pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, &num_entries, ENUM_ONLY_MAPPED)) + ret = pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, &num_entries, ENUM_ONLY_MAPPED); + + unbecome_root(); + + /* end wrapper for group enumeration */ + + + if ( !ret ) return False; + DEBUG(10,("get_domain_user_groups: there are %d mapped groups\n", num_entries)); - unbecome_root(); - /* end wrapper for group enumeration */ /* * alloc memory. In the worse case, we alloc memory for nothing. diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c index 3ea6ab483b..c53889a7a4 100644 --- a/source3/smbd/lanman.c +++ b/source3/smbd/lanman.c @@ -1635,6 +1635,7 @@ static BOOL api_RNetGroupEnum(connection_struct *conn,uint16 vuid, char *param,c char *str1 = param+2; char *str2 = skip_string(str1,1); char *p = skip_string(str2,1); + BOOL ret; GROUP_MAP *group_list; int num_entries; @@ -1653,8 +1654,12 @@ static BOOL api_RNetGroupEnum(connection_struct *conn,uint16 vuid, char *param,c return False; /* get list of domain groups SID_DOMAIN_GRP=2 */ - if(!pdb_enum_group_mapping(SID_NAME_DOM_GRP , &group_list, &num_entries, False)) { - DEBUG(3,("api_RNetGroupEnum:failed to get group list")); + become_root(); + ret = pdb_enum_group_mapping(SID_NAME_DOM_GRP , &group_list, &num_entries, False); + unbecome_root(); + + if( !ret ) { + DEBUG(3,("api_RNetGroupEnum:failed to get group list")); return False; } |