summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGerald Carter <jerry@samba.org>2003-11-24 17:31:38 +0000
committerGerald Carter <jerry@samba.org>2003-11-24 17:31:38 +0000
commitc39f5fea4ad7b57ee8ad4d2b115163f76753f853 (patch)
treee65a6577d044de2fdbfd354bbd1a72c47aec3199
parent62685054962f4be7d8791b87dff85e89347269e8 (diff)
downloadsamba-c39f5fea4ad7b57ee8ad4d2b115163f76753f853.tar.gz
samba-c39f5fea4ad7b57ee8ad4d2b115163f76753f853.tar.bz2
samba-c39f5fea4ad7b57ee8ad4d2b115163f76753f853.zip
more access fixes for group enumeration in LDAP; bug 281
(This used to be commit 68283407e0f366d8315f4be6caed67eb6fe84b85)
-rw-r--r--source3/groupdb/mapping.c8
-rw-r--r--source3/passdb/passdb.c17
-rw-r--r--source3/rpc_server/srv_lsa_nt.c9
-rw-r--r--source3/rpc_server/srv_samr_nt.c8
-rw-r--r--source3/rpc_server/srv_util.c15
-rw-r--r--source3/smbd/lanman.c9
6 files changed, 52 insertions, 14 deletions
diff --git a/source3/groupdb/mapping.c b/source3/groupdb/mapping.c
index 7a07b5c344..8f534d779e 100644
--- a/source3/groupdb/mapping.c
+++ b/source3/groupdb/mapping.c
@@ -629,6 +629,7 @@ Returns a GROUP_MAP struct based on the gid.
BOOL get_group_from_gid(gid_t gid, GROUP_MAP *map)
{
struct group *grp;
+ BOOL ret;
if(!init_group_mapping()) {
DEBUG(0,("failed to initialize group mapping"));
@@ -641,7 +642,12 @@ BOOL get_group_from_gid(gid_t gid, GROUP_MAP *map)
/*
* make a group map from scratch if doesn't exist.
*/
- if (!pdb_getgrgid(map, gid)) {
+
+ become_root();
+ ret = pdb_getgrgid(map, gid);
+ unbecome_root();
+
+ if ( !ret ) {
map->gid=gid;
map->sid_name_use=SID_NAME_ALIAS;
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index 6e33bc7746..6246cdaee1 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -416,6 +416,7 @@ NTSTATUS pdb_set_sam_sids(SAM_ACCOUNT *account_data, const struct passwd *pwd)
{
const char *guest_account = lp_guestaccount();
GROUP_MAP map;
+ BOOL ret;
if (!account_data || !pwd) {
return NT_STATUS_INVALID_PARAMETER;
@@ -445,7 +446,11 @@ NTSTATUS pdb_set_sam_sids(SAM_ACCOUNT *account_data, const struct passwd *pwd)
}
/* call the mapping code here */
- if(pdb_getgrgid(&map, pwd->pw_gid)) {
+ become_root();
+ ret = pdb_getgrgid(&map, pwd->pw_gid);
+ unbecome_root();
+
+ if( ret ) {
if (!pdb_set_group_sid(account_data, &map.sid, PDB_SET)){
DEBUG(0,("Can't set Group SID!\n"));
return NT_STATUS_INVALID_PARAMETER;
@@ -850,6 +855,8 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi
return False;
}
+ /* BEGIN ROOT BLOCK */
+
become_root();
if (pdb_getsampwnam(sam_account, user)) {
unbecome_root();
@@ -859,7 +866,6 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi
pdb_free_sam(&sam_account);
return True;
}
- unbecome_root();
pdb_free_sam(&sam_account);
@@ -875,8 +881,10 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi
} else {
/* it's not a mapped group */
grp = getgrnam(user);
- if(!grp)
+ if(!grp) {
+ unbecome_root(); /* ---> exit form block */
return False;
+ }
/*
*check if it's mapped, if it is reply it doesn't exist
@@ -891,12 +899,15 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi
*/
if (pdb_getgrgid(&map, grp->gr_gid)){
+ unbecome_root(); /* ---> exit form block */
return False;
}
sid_append_rid( &local_sid, pdb_gid_to_group_rid(grp->gr_gid));
*psid_name_use = SID_NAME_ALIAS;
}
+ unbecome_root();
+ /* END ROOT BLOCK */
sid_copy( psid, &local_sid);
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index 0a8ad404cb..e545d8c267 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -845,6 +845,7 @@ NTSTATUS _lsa_enum_accounts(pipes_struct *p, LSA_Q_ENUM_ACCOUNTS *q_u, LSA_R_ENU
int num_entries=0;
LSA_SID_ENUM *sids=&r_u->sids;
int i=0,j=0;
+ BOOL ret;
if (!find_policy_by_hnd(p, &q_u->pol, (void **)&handle))
return NT_STATUS_INVALID_HANDLE;
@@ -858,8 +859,14 @@ NTSTATUS _lsa_enum_accounts(pipes_struct *p, LSA_Q_ENUM_ACCOUNTS *q_u, LSA_R_ENU
return NT_STATUS_ACCESS_DENIED;
/* get the list of mapped groups (domain, local, builtin) */
- if(!pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED))
+ become_root();
+ ret = pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED);
+ unbecome_root();
+ if( !ret ) {
+ DEBUG(3,("_lsa_enum_accounts: enumeration of groups failed!\n"));
return NT_STATUS_OK;
+ }
+
if (q_u->enum_context >= num_entries)
return NT_STATUS_NO_MORE_ENTRIES;
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 6cd5da4892..d3da830991 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -292,6 +292,7 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid)
uint32 group_entries = 0;
uint32 i;
TALLOC_CTX *mem_ctx = info->mem_ctx;
+ BOOL ret;
DEBUG(10,("load_group_domain_entries\n"));
@@ -303,13 +304,14 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid)
become_root();
-
- if (!pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED)) {
+ ret = pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED);
+ unbecome_root();
+
+ if ( !ret ) {
DEBUG(1, ("load_group_domain_entries: pdb_enum_group_mapping() failed!\n"));
return NT_STATUS_NO_MEMORY;
}
- unbecome_root();
info->disp_info.num_group_account=group_entries;
diff --git a/source3/rpc_server/srv_util.c b/source3/rpc_server/srv_util.c
index 632d381503..d5b87b7c10 100644
--- a/source3/rpc_server/srv_util.c
+++ b/source3/rpc_server/srv_util.c
@@ -281,6 +281,7 @@ BOOL get_domain_user_groups(TALLOC_CTX *ctx, int *numgroups, DOM_GID **pgids, SA
fstring user_name;
uint32 grid;
uint32 tmp_rid;
+ BOOL ret;
*numgroups= 0;
@@ -290,15 +291,21 @@ BOOL get_domain_user_groups(TALLOC_CTX *ctx, int *numgroups, DOM_GID **pgids, SA
DEBUG(10,("get_domain_user_groups: searching domain groups [%s] is a member of\n", user_name));
/* we must wrap this is become/unbecome root for ldap backends */
+
become_root();
-
/* first get the list of the domain groups */
- if (!pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, &num_entries, ENUM_ONLY_MAPPED))
+ ret = pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, &num_entries, ENUM_ONLY_MAPPED);
+
+ unbecome_root();
+
+ /* end wrapper for group enumeration */
+
+
+ if ( !ret )
return False;
+
DEBUG(10,("get_domain_user_groups: there are %d mapped groups\n", num_entries));
- unbecome_root();
- /* end wrapper for group enumeration */
/*
* alloc memory. In the worse case, we alloc memory for nothing.
diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
index 3ea6ab483b..c53889a7a4 100644
--- a/source3/smbd/lanman.c
+++ b/source3/smbd/lanman.c
@@ -1635,6 +1635,7 @@ static BOOL api_RNetGroupEnum(connection_struct *conn,uint16 vuid, char *param,c
char *str1 = param+2;
char *str2 = skip_string(str1,1);
char *p = skip_string(str2,1);
+ BOOL ret;
GROUP_MAP *group_list;
int num_entries;
@@ -1653,8 +1654,12 @@ static BOOL api_RNetGroupEnum(connection_struct *conn,uint16 vuid, char *param,c
return False;
/* get list of domain groups SID_DOMAIN_GRP=2 */
- if(!pdb_enum_group_mapping(SID_NAME_DOM_GRP , &group_list, &num_entries, False)) {
- DEBUG(3,("api_RNetGroupEnum:failed to get group list"));
+ become_root();
+ ret = pdb_enum_group_mapping(SID_NAME_DOM_GRP , &group_list, &num_entries, False);
+ unbecome_root();
+
+ if( !ret ) {
+ DEBUG(3,("api_RNetGroupEnum:failed to get group list"));
return False;
}