diff options
author | Volker Lendecke <vl@samba.org> | 2008-11-23 23:48:17 +0100 |
---|---|---|
committer | Volker Lendecke <vl@samba.org> | 2008-11-24 11:39:03 +0100 |
commit | 907f126d3e84b7acddf70f8da12010d6b22d8e99 (patch) | |
tree | 62c046002cca3f8f99a3ff72d1f428db3a05487f | |
parent | 6f840dd678f8f19b84c042816e75e85d1077904e (diff) | |
download | samba-907f126d3e84b7acddf70f8da12010d6b22d8e99.tar.gz samba-907f126d3e84b7acddf70f8da12010d6b22d8e99.tar.bz2 samba-907f126d3e84b7acddf70f8da12010d6b22d8e99.zip |
Get rid of pipes_struct->pipe_user, we have server_info now --- YESSS!
-rw-r--r-- | source3/include/ntdomain.h | 6 | ||||
-rw-r--r-- | source3/include/proto.h | 1 | ||||
-rw-r--r-- | source3/rpc_server/srv_dfs_nt.c | 4 | ||||
-rw-r--r-- | source3/rpc_server/srv_eventlog_nt.c | 4 | ||||
-rw-r--r-- | source3/rpc_server/srv_lsa_nt.c | 42 | ||||
-rw-r--r-- | source3/rpc_server/srv_ntsvcs_nt.c | 3 | ||||
-rw-r--r-- | source3/rpc_server/srv_pipe.c | 50 | ||||
-rw-r--r-- | source3/rpc_server/srv_pipe_hnd.c | 10 | ||||
-rw-r--r-- | source3/rpc_server/srv_samr_nt.c | 74 | ||||
-rw-r--r-- | source3/rpc_server/srv_spoolss_nt.c | 41 | ||||
-rw-r--r-- | source3/rpc_server/srv_srvsvc_nt.c | 48 | ||||
-rw-r--r-- | source3/rpc_server/srv_svcctl_nt.c | 20 | ||||
-rw-r--r-- | source3/rpc_server/srv_winreg_nt.c | 10 | ||||
-rw-r--r-- | source3/rpc_server/srv_wkssvc_nt.c | 4 | ||||
-rw-r--r-- | source3/smbd/uid.c | 6 |
15 files changed, 132 insertions, 191 deletions
diff --git a/source3/include/ntdomain.h b/source3/include/ntdomain.h index e6c97c69dc..1684e2d432 100644 --- a/source3/include/ntdomain.h +++ b/source3/include/ntdomain.h @@ -231,12 +231,6 @@ typedef struct pipes_struct { struct dcinfo *dc; /* Keeps the creds data from netlogon. */ /* - * Unix user name and credentials used when a pipe is authenticated. - */ - - struct current_user pipe_user; - - /* * Set to true when an RPC bind has been done on this pipe. */ diff --git a/source3/include/proto.h b/source3/include/proto.h index 605066f763..a02672351c 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -6966,7 +6966,6 @@ bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p); bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len, NTSTATUS *pstatus); bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len); -struct current_user *get_current_user(struct current_user *user, pipes_struct *p); void free_pipe_rpc_context( PIPE_RPC_FNS *list ); bool api_pipe_request(pipes_struct *p); diff --git a/source3/rpc_server/srv_dfs_nt.c b/source3/rpc_server/srv_dfs_nt.c index 661d262dc4..bef8d83103 100644 --- a/source3/rpc_server/srv_dfs_nt.c +++ b/source3/rpc_server/srv_dfs_nt.c @@ -48,7 +48,7 @@ WERROR _dfs_Add(pipes_struct *p, struct dfs_Add *r) NTSTATUS status; TALLOC_CTX *ctx = talloc_tos(); - if (p->pipe_user.ut.uid != sec_initial_uid()) { + if (p->server_info->utok.uid != sec_initial_uid()) { DEBUG(10,("_dfs_add: uid != 0. Access denied.\n")); return WERR_ACCESS_DENIED; } @@ -113,7 +113,7 @@ WERROR _dfs_Remove(pipes_struct *p, struct dfs_Remove *r) TALLOC_CTX *ctx = talloc_tos(); char *altpath = NULL; - if (p->pipe_user.ut.uid != sec_initial_uid()) { + if (p->server_info->utok.uid != sec_initial_uid()) { DEBUG(10,("_dfs_remove: uid != 0. Access denied.\n")); return WERR_ACCESS_DENIED; } diff --git a/source3/rpc_server/srv_eventlog_nt.c b/source3/rpc_server/srv_eventlog_nt.c index 4ff10390f7..d12b490d21 100644 --- a/source3/rpc_server/srv_eventlog_nt.c +++ b/source3/rpc_server/srv_eventlog_nt.c @@ -209,7 +209,7 @@ static NTSTATUS elog_open( pipes_struct * p, const char *logname, POLICY_HND *hn elog->logname = talloc_strdup( elog, ELOG_APPL ); /* do the access check */ - if ( !elog_check_access( elog, p->pipe_user.nt_user_token ) ) { + if ( !elog_check_access( elog, p->server_info->ptok ) ) { TALLOC_FREE( elog ); return NT_STATUS_ACCESS_DENIED; } @@ -227,7 +227,7 @@ static NTSTATUS elog_open( pipes_struct * p, const char *logname, POLICY_HND *hn /* now do the access check. Close the tdb if we fail here */ - if ( !elog_check_access( elog, p->pipe_user.nt_user_token ) ) { + if ( !elog_check_access( elog, p->server_info->ptok ) ) { elog_close_tdb( elog->etdb, False ); TALLOC_FREE( elog ); return NT_STATUS_ACCESS_DENIED; diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c index f4e891ca8c..05452112ca 100644 --- a/source3/rpc_server/srv_lsa_nt.c +++ b/source3/rpc_server/srv_lsa_nt.c @@ -381,9 +381,10 @@ NTSTATUS _lsa_OpenPolicy2(pipes_struct *p, /* get the generic lsa policy SD until we store it */ lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size); - status = se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted); + status = se_access_check(psd, p->server_info->ptok, des_access, + &acc_granted); if (!NT_STATUS_IS_OK(status)) { - if (p->pipe_user.ut.uid != sec_initial_uid()) { + if (p->server_info->utok.uid != sec_initial_uid()) { return status; } DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n", @@ -393,7 +394,7 @@ NTSTATUS _lsa_OpenPolicy2(pipes_struct *p, /* This is needed for lsa_open_account and rpcclient .... :-) */ - if (p->pipe_user.ut.uid == sec_initial_uid()) + if (p->server_info->utok.uid == sec_initial_uid()) acc_granted = LSA_POLICY_ALL_ACCESS; /* associate the domain SID with the (unique) handle. */ @@ -432,9 +433,10 @@ NTSTATUS _lsa_OpenPolicy(pipes_struct *p, /* get the generic lsa policy SD until we store it */ lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size); - status = se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted); + status = se_access_check(psd, p->server_info->ptok, des_access, + &acc_granted); if (!NT_STATUS_IS_OK(status)) { - if (p->pipe_user.ut.uid != sec_initial_uid()) { + if (p->server_info->utok.uid != sec_initial_uid()) { return status; } DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n", @@ -1539,8 +1541,9 @@ NTSTATUS _lsa_CreateAccount(pipes_struct *p, /* check to see if the pipe_user is a Domain Admin since account_pol.tdb was already opened as root, this is all we have */ - if ( p->pipe_user.ut.uid != sec_initial_uid() - && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) + if ( p->server_info->utok.uid != sec_initial_uid() + && !nt_token_check_domain_rid( p->server_info->ptok, + DOMAIN_GROUP_RID_ADMINS ) ) return NT_STATUS_ACCESS_DENIED; if ( is_privileged_sid( r->in.sid ) ) @@ -1726,8 +1729,9 @@ NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p, /* check to see if the pipe_user is a Domain Admin since account_pol.tdb was already opened as root, this is all we have */ - if ( p->pipe_user.ut.uid != sec_initial_uid() - && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) + if ( p->server_info->utok.uid != sec_initial_uid() + && !nt_token_check_domain_rid( p->server_info->ptok, + DOMAIN_GROUP_RID_ADMINS ) ) return NT_STATUS_ACCESS_DENIED; if (!pdb_getgrsid(&map, info->sid)) @@ -1755,8 +1759,9 @@ NTSTATUS _lsa_AddPrivilegesToAccount(pipes_struct *p, /* check to see if the pipe_user is root or a Domain Admin since account_pol.tdb was already opened as root, this is all we have */ - if ( p->pipe_user.ut.uid != sec_initial_uid() - && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) + if ( p->server_info->utok.uid != sec_initial_uid() + && !nt_token_check_domain_rid( p->server_info->ptok, + DOMAIN_GROUP_RID_ADMINS ) ) { return NT_STATUS_ACCESS_DENIED; } @@ -1795,8 +1800,9 @@ NTSTATUS _lsa_RemovePrivilegesFromAccount(pipes_struct *p, /* check to see if the pipe_user is root or a Domain Admin since account_pol.tdb was already opened as root, this is all we have */ - if ( p->pipe_user.ut.uid != sec_initial_uid() - && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) + if ( p->server_info->utok.uid != sec_initial_uid() + && !nt_token_check_domain_rid( p->server_info->ptok, + DOMAIN_GROUP_RID_ADMINS ) ) { return NT_STATUS_ACCESS_DENIED; } @@ -1952,8 +1958,9 @@ NTSTATUS _lsa_AddAccountRights(pipes_struct *p, /* check to see if the pipe_user is a Domain Admin since account_pol.tdb was already opened as root, this is all we have */ - if ( p->pipe_user.ut.uid != sec_initial_uid() - && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) + if ( p->server_info->utok.uid != sec_initial_uid() + && !nt_token_check_domain_rid( p->server_info->ptok, + DOMAIN_GROUP_RID_ADMINS ) ) { return NT_STATUS_ACCESS_DENIED; } @@ -2001,8 +2008,9 @@ NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p, /* check to see if the pipe_user is a Domain Admin since account_pol.tdb was already opened as root, this is all we have */ - if ( p->pipe_user.ut.uid != sec_initial_uid() - && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) + if ( p->server_info->utok.uid != sec_initial_uid() + && !nt_token_check_domain_rid( p->server_info->ptok, + DOMAIN_GROUP_RID_ADMINS ) ) { return NT_STATUS_ACCESS_DENIED; } diff --git a/source3/rpc_server/srv_ntsvcs_nt.c b/source3/rpc_server/srv_ntsvcs_nt.c index abeb2ca856..f2c85bbd3e 100644 --- a/source3/rpc_server/srv_ntsvcs_nt.c +++ b/source3/rpc_server/srv_ntsvcs_nt.c @@ -116,7 +116,8 @@ WERROR _PNP_GetDeviceRegProp(pipes_struct *p, return WERR_GENERAL_FAILURE; ptr++; - if ( !(values = svcctl_fetch_regvalues( ptr, p->pipe_user.nt_user_token )) ) + if ( !(values = svcctl_fetch_regvalues( + ptr, p->server_info->ptok))) return WERR_GENERAL_FAILURE; if ( !(val = regval_ctr_getvalue( values, "DisplayName" )) ) { diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index 2c31d7b3f1..5610e0bf71 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -614,11 +614,6 @@ static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob) ZERO_STRUCT(reply); - /* Set up for non-authenticated user. */ - TALLOC_FREE(p->pipe_user.nt_user_token); - p->pipe_user.ut.ngroups = 0; - SAFE_FREE( p->pipe_user.ut.groups); - /* this has to be done as root in order to verify the password */ become_root(); status = auth_ntlmssp_update(a, *p_resp_blob, &reply); @@ -656,29 +651,8 @@ static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob) "workstation: %s\n", a->ntlmssp_state->user, a->ntlmssp_state->domain, a->ntlmssp_state->workstation)); - /* - * Store the UNIX credential data (uid/gid pair) in the pipe structure. - */ - - p->pipe_user.ut.uid = a->server_info->utok.uid; - p->pipe_user.ut.gid = a->server_info->utok.gid; - - p->pipe_user.ut.ngroups = a->server_info->utok.ngroups; - if (p->pipe_user.ut.ngroups) { - if (!(p->pipe_user.ut.groups = (gid_t *)memdup( - a->server_info->utok.groups, - sizeof(gid_t) * p->pipe_user.ut.ngroups))) { - DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n")); - return False; - } - } - - if (a->server_info->ptok) { - p->pipe_user.nt_user_token = - dup_nt_token(NULL, a->server_info->ptok); - } else { + if (a->server_info->ptok == NULL) { DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n")); - p->pipe_user.nt_user_token = NULL; return False; } @@ -1711,11 +1685,6 @@ bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p) case RPC_ANONYMOUS_AUTH_TYPE: /* Unauthenticated bind request. */ - /* Get the authenticated pipe user from current_user */ - if (!copy_current_user(&p->pipe_user, ¤t_user)) { - DEBUG(10, ("Could not copy current user\n")); - goto err_exit; - } /* We're finished - no more packets. */ p->auth.auth_type = PIPE_AUTH_TYPE_NONE; /* We must set the pipe auth_level here also. */ @@ -2226,23 +2195,6 @@ bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss } /**************************************************************************** - Return a user struct for a pipe user. -****************************************************************************/ - -struct current_user *get_current_user(struct current_user *user, pipes_struct *p) -{ - if (p->pipe_bound && - (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP || - (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) { - memcpy(user, &p->pipe_user, sizeof(struct current_user)); - } else { - memcpy(user, ¤t_user, sizeof(struct current_user)); - } - - return user; -} - -/**************************************************************************** Find the set of RPC functions associated with this context_id ****************************************************************************/ diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c index d359b9b339..03a0f72b33 100644 --- a/source3/rpc_server/srv_pipe_hnd.c +++ b/source3/rpc_server/srv_pipe_hnd.c @@ -162,13 +162,6 @@ static struct pipes_struct *make_internal_rpc_pipe_p(TALLOC_CTX *mem_ctx, p->endian = RPC_LITTLE_ENDIAN; - ZERO_STRUCT(p->pipe_user); - - p->pipe_user.vuid = vuid; - p->pipe_user.ut.uid = (uid_t)-1; - p->pipe_user.ut.gid = (gid_t)-1; - p->pipe_user.nt_user_token = dup_nt_token(NULL, server_info->ptok); - /* * Initialize the outgoing RPC data buffer with no memory. */ @@ -900,9 +893,6 @@ static int close_internal_rpc_pipe_hnd(struct pipes_struct *p) /* Free the handles database. */ close_policy_by_pipe(p); - TALLOC_FREE(p->pipe_user.nt_user_token); - SAFE_FREE(p->pipe_user.ut.groups); - DLIST_REMOVE(InternalPipes, p); ZERO_STRUCTP(p); diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 62ac1cb5c3..3cc86edd62 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -632,7 +632,7 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p, return status; /*check if access can be granted as requested by client. */ - map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); + map_max_allowed_access(p->server_info->ptok, &des_access); make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 ); se_map_generic( &des_access, &dom_generic_mapping ); @@ -640,7 +640,7 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p, se_priv_copy( &se_rights, &se_machine_account ); se_priv_add( &se_rights, &se_add_users ); - status = access_check_samr_object( psd, p->pipe_user.nt_user_token, + status = access_check_samr_object( psd, p->server_info->ptok, &se_rights, GENERIC_RIGHTS_DOMAIN_WRITE, des_access, &acc_granted, "_samr_OpenDomain" ); @@ -2166,7 +2166,7 @@ NTSTATUS _samr_OpenUser(pipes_struct *p, /* check if access can be granted as requested by client. */ - map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); + map_max_allowed_access(p->server_info->ptok, &des_access); make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW); se_map_generic(&des_access, &usr_generic_mapping); @@ -2174,7 +2174,7 @@ NTSTATUS _samr_OpenUser(pipes_struct *p, se_priv_copy( &se_rights, &se_machine_account ); se_priv_add( &se_rights, &se_add_users ); - nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + nt_status = access_check_samr_object(psd, p->server_info->ptok, &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access, &acc_granted, "_samr_OpenUser"); @@ -3179,7 +3179,7 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p, { se_priv_copy( &se_rights, &se_machine_account ); can_add_account = user_has_privileges( - p->pipe_user.nt_user_token, &se_rights ); + p->server_info->ptok, &se_rights ); } /* usrmgr.exe (and net rpc trustdom grant) creates a normal user account for domain trusts and changes the ACB flags later */ @@ -3188,7 +3188,7 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p, { se_priv_copy( &se_rights, &se_add_users ); can_add_account = user_has_privileges( - p->pipe_user.nt_user_token, &se_rights ); + p->server_info->ptok, &se_rights ); } else /* implicit assumption of a BDC or domain trust account here * (we already check the flags earlier) */ @@ -3197,13 +3197,13 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p, /* only Domain Admins can add a BDC or domain trust */ se_priv_copy( &se_rights, &se_priv_none ); can_add_account = nt_token_check_domain_rid( - p->pipe_user.nt_user_token, + p->server_info->ptok, DOMAIN_GROUP_RID_ADMINS ); } } DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n", - uidtoname(p->pipe_user.ut.uid), + uidtoname(p->server_info->utok.uid), can_add_account ? "True":"False" )); /********** BEGIN Admin BLOCK **********/ @@ -3228,13 +3228,13 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p, sid_compose(&sid, get_global_sam_sid(), *r->out.rid); - map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); + map_max_allowed_access(p->server_info->ptok, &des_access); make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW); se_map_generic(&des_access, &usr_generic_mapping); - nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + nt_status = access_check_samr_object(psd, p->server_info->ptok, &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access, &acc_granted, "_samr_CreateUser2"); @@ -3291,7 +3291,7 @@ NTSTATUS _samr_Connect(pipes_struct *p, was observed from a win98 client trying to enumerate users (when configured user level access control on shares) --jerry */ - map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); + map_max_allowed_access(p->server_info->ptok, &des_access); se_map_generic( &des_access, &sam_generic_mapping ); info->acc_granted = des_access & (SAMR_ACCESS_ENUM_DOMAINS|SAMR_ACCESS_OPEN_DOMAIN); @@ -3327,12 +3327,12 @@ NTSTATUS _samr_Connect2(pipes_struct *p, return NT_STATUS_ACCESS_DENIED; } - map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); + map_max_allowed_access(p->server_info->ptok, &des_access); make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); se_map_generic(&des_access, &sam_generic_mapping); - nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + nt_status = access_check_samr_object(psd, p->server_info->ptok, NULL, 0, des_access, &acc_granted, "_samr_Connect2"); if ( !NT_STATUS_IS_OK(nt_status) ) @@ -3378,12 +3378,12 @@ NTSTATUS _samr_Connect4(pipes_struct *p, return NT_STATUS_ACCESS_DENIED; } - map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); + map_max_allowed_access(p->server_info->ptok, &des_access); make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); se_map_generic(&des_access, &sam_generic_mapping); - nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + nt_status = access_check_samr_object(psd, p->server_info->ptok, NULL, 0, des_access, &acc_granted, "_samr_Connect4"); if ( !NT_STATUS_IS_OK(nt_status) ) @@ -3429,12 +3429,12 @@ NTSTATUS _samr_Connect5(pipes_struct *p, return NT_STATUS_ACCESS_DENIED; } - map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); + map_max_allowed_access(p->server_info->ptok, &des_access); make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); se_map_generic(&des_access, &sam_generic_mapping); - nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + nt_status = access_check_samr_object(psd, p->server_info->ptok, NULL, 0, des_access, &acc_granted, "_samr_Connect5"); if ( !NT_STATUS_IS_OK(nt_status) ) @@ -3598,7 +3598,7 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p, /*check if access can be granted as requested by client. */ - map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); + map_max_allowed_access(p->server_info->ptok, &des_access); make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0); se_map_generic(&des_access,&ali_generic_mapping); @@ -3606,7 +3606,7 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p, se_priv_copy( &se_rights, &se_add_users ); - status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + status = access_check_samr_object(psd, p->server_info->ptok, &se_rights, GENERIC_RIGHTS_ALIAS_WRITE, des_access, &acc_granted, "_samr_OpenAlias"); @@ -4165,20 +4165,20 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p, acb_info = pdb_get_acct_ctrl(pwd); if (acb_info & ACB_WSTRUST) - has_enough_rights = user_has_privileges(p->pipe_user.nt_user_token, + has_enough_rights = user_has_privileges(p->server_info->ptok, &se_machine_account); else if (acb_info & ACB_NORMAL) - has_enough_rights = user_has_privileges(p->pipe_user.nt_user_token, + has_enough_rights = user_has_privileges(p->server_info->ptok, &se_add_users); else if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) { if (lp_enable_privileges()) { - has_enough_rights = nt_token_check_domain_rid(p->pipe_user.nt_user_token, + has_enough_rights = nt_token_check_domain_rid(p->server_info->ptok, DOMAIN_GROUP_RID_ADMINS); } } DEBUG(5, ("_samr_SetUserInfo: %s does%s possess sufficient rights\n", - uidtoname(p->pipe_user.ut.uid), + uidtoname(p->server_info->utok.uid), has_enough_rights ? "" : " not")); /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */ @@ -4556,7 +4556,7 @@ NTSTATUS _samr_AddAliasMember(pipes_struct *p, DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid))); se_priv_copy( &se_rights, &se_add_users ); - can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ @@ -4606,7 +4606,7 @@ NTSTATUS _samr_DeleteAliasMember(pipes_struct *p, sid_string_dbg(&alias_sid))); se_priv_copy( &se_rights, &se_add_users ); - can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ @@ -4661,7 +4661,7 @@ NTSTATUS _samr_AddGroupMember(pipes_struct *p, } se_priv_copy( &se_rights, &se_add_users ); - can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ @@ -4719,7 +4719,7 @@ NTSTATUS _samr_DeleteGroupMember(pipes_struct *p, } se_priv_copy( &se_rights, &se_add_users ); - can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ @@ -4790,9 +4790,9 @@ NTSTATUS _samr_DeleteUser(pipes_struct *p, /* For machine accounts it's the SeMachineAccountPrivilege that counts. */ if ( acb_info & ACB_WSTRUST ) { - can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account ); + can_add_accounts = user_has_privileges( p->server_info->ptok, &se_machine_account ); } else { - can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users ); + can_add_accounts = user_has_privileges( p->server_info->ptok, &se_add_users ); } /******** BEGIN SeAddUsers BLOCK *********/ @@ -4864,7 +4864,7 @@ NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p, } se_priv_copy( &se_rights, &se_add_users ); - can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ @@ -4939,7 +4939,7 @@ NTSTATUS _samr_DeleteDomAlias(pipes_struct *p, DEBUG(10, ("lookup on Local SID\n")); se_priv_copy( &se_rights, &se_add_users ); - can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ @@ -5008,7 +5008,7 @@ NTSTATUS _samr_CreateDomainGroup(pipes_struct *p, } se_priv_copy( &se_rights, &se_add_users ); - can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ @@ -5082,7 +5082,7 @@ NTSTATUS _samr_CreateDomAlias(pipes_struct *p, name = r->in.alias_name->string; se_priv_copy( &se_rights, &se_add_users ); - can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights ); result = can_create(p->mem_ctx, name); if (!NT_STATUS_IS_OK(result)) { @@ -5294,7 +5294,7 @@ NTSTATUS _samr_SetGroupInfo(pipes_struct *p, return NT_STATUS_INVALID_INFO_CLASS; } - can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users ); + can_mod_accounts = user_has_privileges( p->server_info->ptok, &se_add_users ); /******** BEGIN SeAddUsers BLOCK *********/ @@ -5396,7 +5396,7 @@ NTSTATUS _samr_SetAliasInfo(pipes_struct *p, return NT_STATUS_INVALID_INFO_CLASS; } - can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users ); + can_mod_accounts = user_has_privileges( p->server_info->ptok, &se_add_users ); /******** BEGIN SeAddUsers BLOCK *********/ @@ -5484,14 +5484,14 @@ NTSTATUS _samr_OpenGroup(pipes_struct *p, return status; /*check if access can be granted as requested by client. */ - map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); + map_max_allowed_access(p->server_info->ptok, &des_access); make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0); se_map_generic(&des_access,&grp_generic_mapping); se_priv_copy( &se_rights, &se_add_users ); - status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + status = access_check_samr_object(psd, p->server_info->ptok, &se_rights, GENERIC_RIGHTS_GROUP_WRITE, des_access, &acc_granted, "_samr_OpenGroup"); diff --git a/source3/rpc_server/srv_spoolss_nt.c b/source3/rpc_server/srv_spoolss_nt.c index 46aed7ce65..744de67db4 100644 --- a/source3/rpc_server/srv_spoolss_nt.c +++ b/source3/rpc_server/srv_spoolss_nt.c @@ -388,7 +388,8 @@ static WERROR delete_printer_handle(pipes_struct *p, POLICY_HND *hnd) return WERR_BADFID; } - return delete_printer_hook(p->mem_ctx, p->pipe_user.nt_user_token, Printer->sharename ); + return delete_printer_hook(p->mem_ctx, p->server_info->ptok, + Printer->sharename ); } /**************************************************************************** @@ -1656,13 +1657,13 @@ WERROR _spoolss_open_printer_ex( pipes_struct *p, SPOOL_Q_OPEN_PRINTER_EX *q_u, /* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege, and not a printer admin, then fail */ - if ((p->pipe_user.ut.uid != 0) && - !user_has_privileges(p->pipe_user.nt_user_token, + if ((p->server_info->utok.uid != 0) && + !user_has_privileges(p->server_info->ptok, &se_printop ) && !token_contains_name_in_list( - uidtoname(p->pipe_user.ut.uid), + uidtoname(p->server_info->utok.uid), NULL, NULL, - p->pipe_user.nt_user_token, + p->server_info->ptok, lp_printer_admin(snum))) { close_printer_handle(p, handle); return WERR_ACCESS_DENIED; @@ -1715,8 +1716,8 @@ WERROR _spoolss_open_printer_ex( pipes_struct *p, SPOOL_Q_OPEN_PRINTER_EX *q_u, return WERR_ACCESS_DENIED; } - if (!user_ok_token(uidtoname(p->pipe_user.ut.uid), NULL, - p->pipe_user.nt_user_token, snum) || + if (!user_ok_token(uidtoname(p->server_info->utok.uid), NULL, + p->server_info->ptok, snum) || !print_access_check(p->server_info, snum, printer_default->access_required)) { DEBUG(3, ("access DENIED for printer open\n")); @@ -2018,11 +2019,11 @@ WERROR _spoolss_deleteprinterdriver(pipes_struct *p, SPOOL_Q_DELETEPRINTERDRIVER /* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege, and not a printer admin, then fail */ - if ( (p->pipe_user.ut.uid != 0) - && !user_has_privileges(p->pipe_user.nt_user_token, &se_printop ) + if ( (p->server_info->utok.uid != 0) + && !user_has_privileges(p->server_info->ptok, &se_printop ) && !token_contains_name_in_list( - uidtoname(p->pipe_user.ut.uid), NULL, - NULL, p->pipe_user.nt_user_token, + uidtoname(p->server_info->utok.uid), NULL, + NULL, p->server_info->ptok, lp_printer_admin(-1)) ) { return WERR_ACCESS_DENIED; @@ -2116,11 +2117,11 @@ WERROR _spoolss_deleteprinterdriverex(pipes_struct *p, SPOOL_Q_DELETEPRINTERDRIV /* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege, and not a printer admin, then fail */ - if ( (p->pipe_user.ut.uid != 0) - && !user_has_privileges(p->pipe_user.nt_user_token, &se_printop ) + if ( (p->server_info->utok.uid != 0) + && !user_has_privileges(p->server_info->ptok, &se_printop ) && !token_contains_name_in_list( - uidtoname(p->pipe_user.ut.uid), NULL, NULL, - p->pipe_user.nt_user_token, lp_printer_admin(-1)) ) + uidtoname(p->server_info->utok.uid), NULL, NULL, + p->server_info->ptok, lp_printer_admin(-1)) ) { return WERR_ACCESS_DENIED; } @@ -6390,7 +6391,8 @@ static WERROR update_printer(pipes_struct *p, POLICY_HND *handle, uint32 level, { /* add_printer_hook() will call reload_services() */ - if ( !add_printer_hook(p->mem_ctx, p->pipe_user.nt_user_token, printer) ) { + if ( !add_printer_hook(p->mem_ctx, p->server_info->ptok, + printer) ) { result = WERR_ACCESS_DENIED; goto done; } @@ -7730,7 +7732,8 @@ static WERROR spoolss_addprinterex_level_2( pipes_struct *p, const UNISTR2 *uni_ trying to add a printer like this --jerry */ if (*lp_addprinter_cmd() ) { - if ( !add_printer_hook(p->mem_ctx, p->pipe_user.nt_user_token, printer) ) { + if ( !add_printer_hook(p->mem_ctx, p->server_info->ptok, + printer) ) { free_a_printer(&printer,2); return WERR_ACCESS_DENIED; } @@ -9938,10 +9941,10 @@ WERROR _spoolss_xcvdataport(pipes_struct *p, SPOOL_Q_XCVDATAPORT *q_u, SPOOL_R_X switch ( Printer->printer_type ) { case SPLHND_PORTMON_TCP: - return process_xcvtcp_command( p->pipe_user.nt_user_token, command, + return process_xcvtcp_command( p->server_info->ptok, command, &q_u->indata, &r_u->outdata, &r_u->needed ); case SPLHND_PORTMON_LOCAL: - return process_xcvlocal_command( p->pipe_user.nt_user_token, command, + return process_xcvlocal_command( p->server_info->ptok, command, &q_u->indata, &r_u->outdata, &r_u->needed ); } diff --git a/source3/rpc_server/srv_srvsvc_nt.c b/source3/rpc_server/srv_srvsvc_nt.c index 274deab88b..bf3669022d 100644 --- a/source3/rpc_server/srv_srvsvc_nt.c +++ b/source3/rpc_server/srv_srvsvc_nt.c @@ -262,7 +262,7 @@ static void init_srv_share_info_1(pipes_struct *p, struct srvsvc_NetShareInfo1 * remark = talloc_sub_advanced( p->mem_ctx, lp_servicename(snum), get_current_username(), lp_pathname(snum), - p->pipe_user.ut.uid, get_current_username(), + p->server_info->utok.uid, get_current_username(), "", remark); } @@ -289,7 +289,7 @@ static void init_srv_share_info_2(pipes_struct *p, struct srvsvc_NetShareInfo2 * remark = talloc_sub_advanced( p->mem_ctx, lp_servicename(snum), get_current_username(), lp_pathname(snum), - p->pipe_user.ut.uid, get_current_username(), + p->server_info->utok.uid, get_current_username(), "", remark); } path = talloc_asprintf(p->mem_ctx, @@ -355,7 +355,7 @@ static void init_srv_share_info_501(pipes_struct *p, struct srvsvc_NetShareInfo5 remark = talloc_sub_advanced( p->mem_ctx, lp_servicename(snum), get_current_username(), lp_pathname(snum), - p->pipe_user.ut.uid, get_current_username(), + p->server_info->utok.uid, get_current_username(), "", remark); } @@ -383,7 +383,7 @@ static void init_srv_share_info_502(pipes_struct *p, struct srvsvc_NetShareInfo5 remark = talloc_sub_advanced( p->mem_ctx, lp_servicename(snum), get_current_username(), lp_pathname(snum), - p->pipe_user.ut.uid, get_current_username(), + p->server_info->utok.uid, get_current_username(), "", remark); } path = talloc_asprintf(ctx, "C:%s", lp_pathname(snum)); @@ -422,7 +422,7 @@ static void init_srv_share_info_1004(pipes_struct *p, struct srvsvc_NetShareInfo remark = talloc_sub_advanced( p->mem_ctx, lp_servicename(snum), get_current_username(), lp_pathname(snum), - p->pipe_user.ut.uid, get_current_username(), + p->server_info->utok.uid, get_current_username(), "", remark); } @@ -1225,7 +1225,6 @@ WERROR _srvsvc_NetSessDel(pipes_struct *p, struct srvsvc_NetSessDel *r) { struct sessionid *session_list; - struct current_user user; int num_sessions, snum; const char *username; const char *machine; @@ -1246,12 +1245,11 @@ WERROR _srvsvc_NetSessDel(pipes_struct *p, werr = WERR_ACCESS_DENIED; - get_current_user(&user, p); - /* fail out now if you are not root or not a domain admin */ - if ((user.ut.uid != sec_initial_uid()) && - ( ! nt_token_check_domain_rid(p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS))) { + if ((p->server_info->utok.uid != sec_initial_uid()) && + ( ! nt_token_check_domain_rid(p->server_info->ptok, + DOMAIN_GROUP_RID_ADMINS))) { goto done; } @@ -1263,7 +1261,7 @@ WERROR _srvsvc_NetSessDel(pipes_struct *p, NTSTATUS ntstat; - if (user.ut.uid != sec_initial_uid()) { + if (p->server_info->utok.uid != sec_initial_uid()) { not_root = True; become_root(); } @@ -1466,7 +1464,6 @@ char *valid_share_pathname(TALLOC_CTX *ctx, const char *dos_pathname) WERROR _srvsvc_NetShareSetInfo(pipes_struct *p, struct srvsvc_NetShareSetInfo *r) { - struct current_user user; char *command = NULL; char *share_name = NULL; char *comment = NULL; @@ -1510,13 +1507,11 @@ WERROR _srvsvc_NetShareSetInfo(pipes_struct *p, if (lp_print_ok(snum)) return WERR_ACCESS_DENIED; - get_current_user(&user,p); - - is_disk_op = user_has_privileges( p->pipe_user.nt_user_token, &se_diskop ); + is_disk_op = user_has_privileges( p->server_info->ptok, &se_diskop ); /* fail out now if you are not root and not a disk op */ - if ( user.ut.uid != sec_initial_uid() && !is_disk_op ) + if ( p->server_info->utok.uid != sec_initial_uid() && !is_disk_op ) return WERR_ACCESS_DENIED; switch (r->in.level) { @@ -1683,7 +1678,6 @@ WERROR _srvsvc_NetShareSetInfo(pipes_struct *p, WERROR _srvsvc_NetShareAdd(pipes_struct *p, struct srvsvc_NetShareAdd *r) { - struct current_user user; char *command = NULL; char *share_name = NULL; char *comment = NULL; @@ -1704,11 +1698,9 @@ WERROR _srvsvc_NetShareAdd(pipes_struct *p, *r->out.parm_error = 0; } - get_current_user(&user,p); - - is_disk_op = user_has_privileges( p->pipe_user.nt_user_token, &se_diskop ); + is_disk_op = user_has_privileges( p->server_info->ptok, &se_diskop ); - if (user.ut.uid != sec_initial_uid() && !is_disk_op ) + if (p->server_info->utok.uid != sec_initial_uid() && !is_disk_op ) return WERR_ACCESS_DENIED; if (!lp_add_share_cmd() || !*lp_add_share_cmd()) { @@ -1868,7 +1860,6 @@ WERROR _srvsvc_NetShareAdd(pipes_struct *p, WERROR _srvsvc_NetShareDel(pipes_struct *p, struct srvsvc_NetShareDel *r) { - struct current_user user; char *command = NULL; char *share_name = NULL; int ret; @@ -1901,11 +1892,9 @@ WERROR _srvsvc_NetShareDel(pipes_struct *p, if (lp_print_ok(snum)) return WERR_ACCESS_DENIED; - get_current_user(&user,p); + is_disk_op = user_has_privileges( p->server_info->ptok, &se_diskop ); - is_disk_op = user_has_privileges( p->pipe_user.nt_user_token, &se_diskop ); - - if (user.ut.uid != sec_initial_uid() && !is_disk_op ) + if (p->server_info->utok.uid != sec_initial_uid() && !is_disk_op ) return WERR_ACCESS_DENIED; if (!lp_delete_share_cmd() || !*lp_delete_share_cmd()) { @@ -2409,17 +2398,14 @@ static void enum_file_close_fn( const struct share_mode_entry *e, WERROR _srvsvc_NetFileClose(pipes_struct *p, struct srvsvc_NetFileClose *r) { - struct current_user user; SE_PRIV se_diskop = SE_DISK_OPERATOR; bool is_disk_op; DEBUG(5,("_srvsvc_NetFileClose: %d\n", __LINE__)); - get_current_user(&user,p); - - is_disk_op = user_has_privileges( p->pipe_user.nt_user_token, &se_diskop ); + is_disk_op = user_has_privileges( p->server_info->ptok, &se_diskop ); - if (user.ut.uid != sec_initial_uid() && !is_disk_op) { + if (p->server_info->utok.uid != sec_initial_uid() && !is_disk_op) { return WERR_ACCESS_DENIED; } diff --git a/source3/rpc_server/srv_svcctl_nt.c b/source3/rpc_server/srv_svcctl_nt.c index 0bed13e522..6692160ba2 100644 --- a/source3/rpc_server/srv_svcctl_nt.c +++ b/source3/rpc_server/srv_svcctl_nt.c @@ -272,7 +272,8 @@ WERROR _svcctl_OpenSCManagerW(pipes_struct *p, return WERR_NOMEM; se_map_generic( &r->in.access_mask, &scm_generic_map ); - status = svcctl_access_check( sec_desc, p->pipe_user.nt_user_token, r->in.access_mask, &access_granted ); + status = svcctl_access_check( sec_desc, p->server_info->ptok, + r->in.access_mask, &access_granted ); if ( !NT_STATUS_IS_OK(status) ) return ntstatus_to_werror( status ); @@ -309,7 +310,8 @@ WERROR _svcctl_OpenServiceW(pipes_struct *p, return WERR_NOMEM; se_map_generic( &r->in.access_mask, &svc_generic_map ); - status = svcctl_access_check( sec_desc, p->pipe_user.nt_user_token, r->in.access_mask, &access_granted ); + status = svcctl_access_check( sec_desc, p->server_info->ptok, + r->in.access_mask, &access_granted ); if ( !NT_STATUS_IS_OK(status) ) return ntstatus_to_werror( status ); @@ -347,7 +349,8 @@ WERROR _svcctl_GetServiceDisplayNameW(pipes_struct *p, service = r->in.service_name; - display_name = svcctl_lookup_dispname(p->mem_ctx, service, p->pipe_user.nt_user_token ); + display_name = svcctl_lookup_dispname(p->mem_ctx, service, + p->server_info->ptok); if (!display_name) { display_name = ""; } @@ -424,7 +427,7 @@ WERROR _svcctl_enum_services_status(pipes_struct *p, SVCCTL_Q_ENUM_SERVICES_STAT size_t buffer_size = 0; WERROR result = WERR_OK; SERVICE_INFO *info = find_service_info_by_hnd( p, &q_u->handle ); - NT_USER_TOKEN *token = p->pipe_user.nt_user_token; + NT_USER_TOKEN *token = p->server_info->ptok; /* perform access checks */ @@ -680,7 +683,8 @@ WERROR _svcctl_QueryServiceConfigW(pipes_struct *p, *r->out.bytes_needed = r->in.buf_size; - wresult = fill_svc_config( p->mem_ctx, info->name, r->out.query, p->pipe_user.nt_user_token ); + wresult = fill_svc_config( p->mem_ctx, info->name, r->out.query, + p->server_info->ptok); if ( !W_ERROR_IS_OK(wresult) ) return wresult; @@ -723,7 +727,8 @@ WERROR _svcctl_query_service_config2( pipes_struct *p, SVCCTL_Q_QUERY_SERVICE_CO SERVICE_DESCRIPTION desc_buf; const char *description; - description = svcctl_lookup_description(p->mem_ctx, info->name, p->pipe_user.nt_user_token ); + description = svcctl_lookup_description( + p->mem_ctx, info->name, p->server_info->ptok); ZERO_STRUCTP( &desc_buf ); @@ -903,7 +908,8 @@ WERROR _svcctl_SetServiceObjectSecurity(pipes_struct *p, /* store the new SD */ - if ( !svcctl_set_secdesc( p->mem_ctx, info->name, sec_desc, p->pipe_user.nt_user_token ) ) + if ( !svcctl_set_secdesc( p->mem_ctx, info->name, sec_desc, + p->server_info->ptok) ) return WERR_ACCESS_DENIED; return WERR_OK; diff --git a/source3/rpc_server/srv_winreg_nt.c b/source3/rpc_server/srv_winreg_nt.c index 7e842ed54d..1131033b04 100644 --- a/source3/rpc_server/srv_winreg_nt.c +++ b/source3/rpc_server/srv_winreg_nt.c @@ -70,7 +70,7 @@ static WERROR open_registry_key( pipes_struct *p, POLICY_HND *hnd, if (parent == NULL) { result = reg_openhive(NULL, subkeyname, access_desired, - p->pipe_user.nt_user_token, &key); + p->server_info->ptok, &key); } else { result = reg_openkey(NULL, parent, subkeyname, access_desired, @@ -556,7 +556,8 @@ WERROR _winreg_InitiateSystemShutdownEx(pipes_struct *p, struct winreg_InitiateS return WERR_NOMEM; } - can_shutdown = user_has_privileges( p->pipe_user.nt_user_token, &se_remote_shutdown ); + can_shutdown = user_has_privileges( p->server_info->ptok, + &se_remote_shutdown ); /* IF someone has privs, run the shutdown script as root. OTHERWISE run it as not root Take the error return from the script and provide it as the Windows return code. */ @@ -594,7 +595,8 @@ WERROR _winreg_AbortSystemShutdown(pipes_struct *p, struct winreg_AbortSystemShu if (!*abort_shutdown_script) return WERR_ACCESS_DENIED; - can_shutdown = user_has_privileges( p->pipe_user.nt_user_token, &se_remote_shutdown ); + can_shutdown = user_has_privileges( p->server_info->ptok, + &se_remote_shutdown ); /********** BEGIN SeRemoteShutdownPrivilege BLOCK **********/ @@ -682,7 +684,7 @@ WERROR _winreg_RestoreKey(pipes_struct *p, struct winreg_RestoreKey *r) /* user must posses SeRestorePrivilege for this this proceed */ - if ( !user_has_privileges( p->pipe_user.nt_user_token, &se_restore ) ) + if ( !user_has_privileges( p->server_info->ptok, &se_restore ) ) return WERR_ACCESS_DENIED; DEBUG(2,("_winreg_RestoreKey: Restoring [%s] from %s in share %s\n", diff --git a/source3/rpc_server/srv_wkssvc_nt.c b/source3/rpc_server/srv_wkssvc_nt.c index 0a54b0dd3f..7071b55e7c 100644 --- a/source3/rpc_server/srv_wkssvc_nt.c +++ b/source3/rpc_server/srv_wkssvc_nt.c @@ -293,7 +293,7 @@ WERROR _wkssvc_NetrJoinDomain2(pipes_struct *p, char *admin_domain = NULL; char *admin_account = NULL; WERROR werr; - struct nt_user_token *token = p->pipe_user.nt_user_token; + struct nt_user_token *token = p->server_info->ptok; if (!r->in.domain_name) { return WERR_INVALID_PARAM; @@ -368,7 +368,7 @@ WERROR _wkssvc_NetrUnjoinDomain2(pipes_struct *p, char *admin_domain = NULL; char *admin_account = NULL; WERROR werr; - struct nt_user_token *token = p->pipe_user.nt_user_token; + struct nt_user_token *token = p->server_info->ptok; if (!r->in.account || !r->in.encrypted_password) { return WERR_INVALID_PARAM; diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c index c238f40cfd..ca7df264e2 100644 --- a/source3/smbd/uid.c +++ b/source3/smbd/uid.c @@ -318,9 +318,9 @@ bool become_authenticated_pipe_user(pipes_struct *p) if (!push_sec_ctx()) return False; - set_sec_ctx(p->pipe_user.ut.uid, p->pipe_user.ut.gid, - p->pipe_user.ut.ngroups, p->pipe_user.ut.groups, - p->pipe_user.nt_user_token); + set_sec_ctx(p->server_info->utok.uid, p->server_info->utok.gid, + p->server_info->utok.ngroups, p->server_info->utok.groups, + p->server_info->ptok); return True; } |