authorAndrew Bartlett <abartlet@samba.org>2013-05-02 16:29:21 +1200
committerStefan Metzmacher <metze@samba.org>2013-05-16 19:02:00 +0200
commit10f6926aaa6a8c49b29e183d12f6f767072ecff7 (patch)
treebd306f62491dad2c0c46ecc04dec395d8c4bf3ab
parent9430310dc3adaf98dbff494a1056e02f8750c41d (diff)
s3-rpc_server: Ensure we are root when starting and usiing gensec
This fixes bug 9465. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r--source3/rpc_server/dcesrv_auth_generic.c38
1 files changed, 32 insertions, 6 deletions
diff --git a/source3/rpc_server/dcesrv_auth_generic.c b/source3/rpc_server/dcesrv_auth_generic.c
index c4c08b2dd3..77d76fc6c3 100644
--- a/source3/rpc_server/dcesrv_auth_generic.c
+++ b/source3/rpc_server/dcesrv_auth_generic.c
@@ -24,12 +24,12 @@
#include "auth.h"
#include "auth/gensec/gensec.h"
-NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx,
- uint8_t auth_type, uint8_t auth_level,
- DATA_BLOB *token_in,
- DATA_BLOB *token_out,
- const struct tsocket_address *remote_address,
- struct gensec_security **ctx)
+static NTSTATUS auth_generic_server_authtype_start_as_root(TALLOC_CTX *mem_ctx,
+ uint8_t auth_type, uint8_t auth_level,
+ DATA_BLOB *token_in,
+ DATA_BLOB *token_out,
+ const struct tsocket_address *remote_address,
+ struct gensec_security **ctx)
{
struct gensec_security *gensec_security = NULL;
NTSTATUS status;
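Review bot: The new static helper auth_generic_server_authtype_start_as_root carries its precondition in the name only; a comment on the definition would make the contract explicit for any future direct caller, e.g. `/* Must be called with root privileges already held (become_root()); the public auth_generic_server_authtype_start() wrapper does this. */`. The helper's body continues outside the hunk.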
@@ -62,6 +62,27 @@ NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
+NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx,
+ uint8_t auth_type, uint8_t auth_level,
+ DATA_BLOB *token_in,
+ DATA_BLOB *token_out,
+ const struct tsocket_address *remote_address,
+ struct gensec_security **ctx)
+{
+ NTSTATUS status;
+ become_root();
+
+ /* this has to be done as root in order to create the messaging socket */
+ status = auth_generic_server_authtype_start_as_root(mem_ctx,
+ auth_type, auth_level,
+ token_in,
+ token_out,
+ remote_address,
+ ctx);
+ unbecome_root();
+ return status;
+}
+
NTSTATUS auth_generic_server_step(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
DATA_BLOB *token_in,
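Review bot: The root window in the new auth_generic_server_authtype_start wrapper covers the whole helper call, while the comment justifies root only for creating the messaging socket. If the helper also passes the client-supplied token_in through gensec (its body lies outside the hunk), that handling of untrusted data now runs with root privileges; narrowing become_root()/unbecome_root() to the socket-creating step inside the helper would keep the privileged window minimal. It would also help to note that unbecome_root() is reached on every path because the helper returns a status rather than exiting early, e.g. `/* helper never returns early past us: unbecome_root() always runs */`.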
@@ -101,7 +122,12 @@ NTSTATUS auth_generic_server_get_user_info(struct gensec_security *gensec_securi
{
NTSTATUS status;
+ /* this has to be done as root in order to get to the
+ * messaging sockets for IDMAP and privilege.ldb in the AD
+ * DC */
+ become_root();
status = gensec_session_info(gensec_security, mem_ctx, session_info);
+ unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, (__location__ ": Failed to get authenticated user "
"info: %s\n", nt_errstr(status)));