author | Andrew Bartlett <abartlet@samba.org> | 2013-05-02 16:29:21 +1200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2013-05-16 19:02:00 +0200 |
commit | 10f6926aaa6a8c49b29e183d12f6f767072ecff7 (patch) | |
tree | bd306f62491dad2c0c46ecc04dec395d8c4bf3ab | |
parent | 9430310dc3adaf98dbff494a1056e02f8750c41d (diff) | |
s3-rpc_server: Ensure we are root when starting and usiing gensec
This fixes bug 9465.
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r-- | source3/rpc_server/dcesrv_auth_generic.c | 38 |
1 files changed, 32 insertions, 6 deletions
diff --git a/source3/rpc_server/dcesrv_auth_generic.c b/source3/rpc_server/dcesrv_auth_generic.c
index c4c08b2dd3..77d76fc6c3 100644
--- a/source3/rpc_server/dcesrv_auth_generic.c
+++ b/source3/rpc_server/dcesrv_auth_generic.c
@@ -24,12 +24,12 @@
 #include "auth.h"
 #include "auth/gensec/gensec.h"
-NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx,
- uint8_t auth_type, uint8_t auth_level,
- DATA_BLOB *token_in,
- DATA_BLOB *token_out,
- const struct tsocket_address *remote_address,
- struct gensec_security **ctx)
+static NTSTATUS auth_generic_server_authtype_start_as_root(TALLOC_CTX *mem_ctx,
+ uint8_t auth_type, uint8_t auth_level,
+ DATA_BLOB *token_in,
+ DATA_BLOB *token_out,
+ const struct tsocket_address *remote_address,
+ struct gensec_security **ctx)
 {
 struct gensec_security *gensec_security = NULL;
 NTSTATUS status;
@@ -62,6 +62,27 @@ NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx,
 return NT_STATUS_OK;
 }
+NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx,
+ uint8_t auth_type, uint8_t auth_level,
+ DATA_BLOB *token_in,
+ DATA_BLOB *token_out,
+ const struct tsocket_address *remote_address,
+ struct gensec_security **ctx)
+{
+ NTSTATUS status;
+ become_root();
+
+ /* this has to be done as root in order to create the messaging socket */
+ status = auth_generic_server_authtype_start_as_root(mem_ctx,
+ auth_type, auth_level,
+ token_in,
+ token_out,
+ remote_address,
+ ctx);
+ unbecome_root();
+ return status;
+}
+
 NTSTATUS auth_generic_server_step(struct gensec_security *gensec_security,
 TALLOC_CTX *mem_ctx,
 DATA_BLOB *token_in,
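Review bot: The new `auth_generic_server_authtype_start` wrapper holds root for the whole of `auth_generic_server_authtype_start_as_root`, so anything that helper does with the client-supplied `token_in` also runs privileged. Most of the helper's body lies outside the hunks, so that is inferred from the call rather than visible here. The added comment says root is only needed to create the messaging socket; if so, moving `become_root()`/`unbecome_root()` inside the helper, around just the call that opens the socket, would keep the rest of the start path at the caller's privilege. Either way the static helper should carry its precondition, e.g. `/* Must be called as root, see auth_generic_server_authtype_start(). */`. The `gensec_session_info` hunk follows the same pattern but already wraps a single call and releases root before the status check.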
@@ -101,7 +122,12 @@ NTSTATUS auth_generic_server_get_user_info(struct gensec_security *gensec_securi
 {
 NTSTATUS status;
+ /* this has to be done as root in order to get to the
+ * messaging sockets for IDMAP and privilege.ldb in the AD
+ * DC */
+ become_root();
 status = gensec_session_info(gensec_security, mem_ctx, session_info);
+ unbecome_root();
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(1, (__location__ ": Failed to get authenticated user "
 "info: %s\n", nt_errstr(status))); |