summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2008-10-17 15:24:15 -0700
committerJeremy Allison <jra@samba.org>2008-10-17 15:24:15 -0700
commit7c94c874c41f367cd9660ee4610d322b837cbcd5 (patch)
treee14fc4c00943c57257c02a5c0129ebeb9d88524b
parentef8f3c0e56a398ca445ccb6e77e0a443109fb5cd (diff)
downloadsamba-7c94c874c41f367cd9660ee4610d322b837cbcd5.tar.gz
samba-7c94c874c41f367cd9660ee4610d322b837cbcd5.tar.bz2
samba-7c94c874c41f367cd9660ee4610d322b837cbcd5.zip
Unify access checks for lsa server functions.
Jeremy.
-rw-r--r--source3/include/rpc_lsa.h1
-rw-r--r--source3/rpc_server/srv_lsa_nt.c21
2 files changed, 18 insertions, 4 deletions
diff --git a/source3/include/rpc_lsa.h b/source3/include/rpc_lsa.h
index b4021afd0a..1dc5ba4a7b 100644
--- a/source3/include/rpc_lsa.h
+++ b/source3/include/rpc_lsa.h
@@ -39,6 +39,7 @@
#define LSA_POLICY_READ ( STANDARD_RIGHTS_READ_ACCESS |\
+ LSA_POLICY_VIEW_LOCAL_INFORMATION |\
LSA_POLICY_VIEW_AUDIT_INFORMATION |\
LSA_POLICY_GET_PRIVATE_INFORMATION)
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index cb0075ace8..317c1c17bb 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -430,7 +430,7 @@ NTSTATUS _lsa_OpenPolicy(pipes_struct *p,
lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status)) {
- if (geteuid() != 0) {
+ if (p->pipe_user.ut.uid != sec_initial_uid()) {
return status;
}
DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
@@ -1522,7 +1522,8 @@ NTSTATUS _lsa_CreateAccount(pipes_struct *p,
/* check to see if the pipe_user is a Domain Admin since
account_pol.tdb was already opened as root, this is all we have */
- if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ if ( p->pipe_user.ut.uid != sec_initial_uid()
+ && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
return NT_STATUS_ACCESS_DENIED;
if ( is_privileged_sid( r->in.sid ) )
@@ -1608,6 +1609,9 @@ NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p,
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
return NT_STATUS_INVALID_HANDLE;
+ if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
+ return NT_STATUS_ACCESS_DENIED;
+
if ( !get_privileges_for_sids( &mask, &info->sid, 1 ) )
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
@@ -1668,6 +1672,9 @@ NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
return NT_STATUS_INVALID_HANDLE;
+ if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
+ return NT_STATUS_ACCESS_DENIED;
+
if (!lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, NULL))
return NT_STATUS_ACCESS_DENIED;
@@ -1702,7 +1709,8 @@ NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p,
/* check to see if the pipe_user is a Domain Admin since
account_pol.tdb was already opened as root, this is all we have */
- if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ if ( p->pipe_user.ut.uid != sec_initial_uid()
+ && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
return NT_STATUS_ACCESS_DENIED;
if (!pdb_getgrsid(&map, info->sid))
@@ -1812,7 +1820,6 @@ NTSTATUS _lsa_QuerySecurity(pipes_struct *p,
if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
return NT_STATUS_ACCESS_DENIED;
-
switch (r->in.sec_info) {
case 1:
/* SD contains only the owner */
@@ -2070,6 +2077,9 @@ NTSTATUS _lsa_EnumAccountRights(pipes_struct *p,
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
return NT_STATUS_INVALID_HANDLE;
+ if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
+ return NT_STATUS_ACCESS_DENIED;
+
/* according to an NT4 PDC, you can add privileges to SIDs even without
call_lsa_create_account() first. And you can use any arbitrary SID. */
@@ -2112,6 +2122,9 @@ NTSTATUS _lsa_LookupPrivValue(pipes_struct *p,
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
return NT_STATUS_INVALID_HANDLE;
+ if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
+ return NT_STATUS_ACCESS_DENIED;
+
name = r->in.name->string;
DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));