summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2009-10-16 18:22:48 +1100
committerAndrew Tridgell <tridge@samba.org>2009-10-17 13:01:02 +1100
commit9526487010fff240d2f55f29352e7f74d3cec65a (patch)
treeba8d440aa57b15411488c98704f44c93008c8e28
parentf794e8d43de1c2fb577b883f0e0b49f392fa14a1 (diff)
downloadsamba-9526487010fff240d2f55f29352e7f74d3cec65a.tar.gz
samba-9526487010fff240d2f55f29352e7f74d3cec65a.tar.bz2
samba-9526487010fff240d2f55f29352e7f74d3cec65a.zip
s4-lsasrv: make sure only admins can alter privileges
-rw-r--r--source4/rpc_server/lsa/dcesrv_lsa.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 0a5fc54d68..0e6a55ec2f 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -1939,6 +1939,12 @@ static NTSTATUS dcesrv_lsa_AddRemoveAccountRights(struct dcesrv_call_state *dce_
struct lsa_EnumAccountRights r2;
char *dnstr;
+ if (security_session_user_level(dce_call->conn->auth_state.session_info) <
+ SECURITY_ADMINISTRATOR) {
+ DEBUG(0,("lsa_AddRemoveAccount refused for supplied security token\n"));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
msg = ldb_msg_new(mem_ctx);
if (msg == NULL) {
return NT_STATUS_NO_MEMORY;