author | Tim Potter <tpot@samba.org> | 2002-06-20 05:42:00 +0000 |
---|---|---|
committer | Tim Potter <tpot@samba.org> | 2002-06-20 05:42:00 +0000 |
commit | b7e4b7f0e20c08da89526306a7e361757bd23e8f (patch) | |
tree | 4dd8a68714bc7fc6918da9359eed807695868d6b | |
parent | 6905730c3eede966f574c35794e559ab93235245 (diff) | |
Got rid of unused flags field in lanman api_commands[].
Added an auth_user field which denotes whether the api call can be made
anonymously. In combination with lp_restrict_anonymous() this can
decrease the amount of information that can be retrieved anonymously.
So far NetShareEnum, NetSessionEnum, NetGroupEnum, NetGroupGetUsers,
NetUserEnum, PrintQEnum, NetFileEnum cannot be called anonymously.
SamOEMChangePassword and NetServerEnum can be called anonymously.
All other functions can be called anonymously until it can be proven
that they can't to avoid breaking anything.
(This used to be commit ead6ab9602640aca5d1d8ac336f3a129f9466159)
-rw-r--r-- | source3/smbd/lanman.c | 85 |
1 files changed, 49 insertions, 36 deletions
diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
index b3ee9b5737..f64140daf8 100644
--- a/source3/smbd/lanman.c
+++ b/source3/smbd/lanman.c
@@ -3555,43 +3555,47 @@ struct int id; BOOL (*fn)(connection_struct *,uint16,char *,char *, int,int,char **,char **,int *,int *); - int flags; + BOOL auth_user; /* Deny anonymous access? */ } api_commands[] = { - {"RNetShareEnum", RAP_WshareEnum, api_RNetShareEnum,0}, - {"RNetShareGetInfo", RAP_WshareGetInfo, api_RNetShareGetInfo,0}, - {"RNetShareAdd", RAP_WshareAdd, api_RNetShareAdd,0}, - {"RNetSessionEnum", RAP_WsessionEnum, api_RNetSessionEnum,0}, - {"RNetServerGetInfo", RAP_WserverGetInfo, api_RNetServerGetInfo,0}, - {"RNetGroupEnum", RAP_WGroupEnum, api_RNetGroupEnum,0}, - {"RNetGroupGetUsers", RAP_WGroupGetUsers, api_RNetGroupGetUsers,0}, - {"RNetUserEnum", RAP_WUserEnum, api_RNetUserEnum,0}, - {"RNetUserGetInfo", RAP_WUserGetInfo, api_RNetUserGetInfo,0}, - {"NetUserGetGroups", RAP_WUserGetGroups, api_NetUserGetGroups,0}, - {"NetWkstaGetInfo", RAP_WWkstaGetInfo, api_NetWkstaGetInfo,0}, - {"DosPrintQEnum", RAP_WPrintQEnum, api_DosPrintQEnum,0}, - {"DosPrintQGetInfo", RAP_WPrintQGetInfo, api_DosPrintQGetInfo,0}, - {"WPrintQueuePause", RAP_WPrintQPause, api_WPrintQueueCtrl,0}, - {"WPrintQueueResume", RAP_WPrintQContinue, api_WPrintQueueCtrl,0}, - {"WPrintJobEnumerate",RAP_WPrintJobEnum, api_WPrintJobEnumerate,0}, - {"WPrintJobGetInfo", RAP_WPrintJobGetInfo, api_WPrintJobGetInfo,0}, - {"RDosPrintJobDel", RAP_WPrintJobDel, api_RDosPrintJobDel,0}, - {"RDosPrintJobPause", RAP_WPrintJobPause, api_RDosPrintJobDel,0}, - {"RDosPrintJobResume",RAP_WPrintJobContinue, api_RDosPrintJobDel,0}, - {"WPrintDestEnum", RAP_WPrintDestEnum, api_WPrintDestEnum,0}, - {"WPrintDestGetInfo", RAP_WPrintDestGetInfo, api_WPrintDestGetInfo,0}, - {"NetRemoteTOD", RAP_NetRemoteTOD, api_NetRemoteTOD,0}, - {"WPrintQueuePurge", RAP_WPrintQPurge, api_WPrintQueueCtrl,0}, - {"NetServerEnum", RAP_NetServerEnum2, api_RNetServerEnum,0}, - {"WAccessGetUserPerms",RAP_WAccessGetUserPerms,api_WAccessGetUserPerms,0}, - {"SetUserPassword", RAP_WUserPasswordSet2, api_SetUserPassword,0}, - {"WWkstaUserLogon", 
RAP_WWkstaUserLogon, api_WWkstaUserLogon,0}, - {"PrintJobInfo", RAP_WPrintJobSetInfo, api_PrintJobInfo,0}, - {"WPrintDriverEnum", RAP_WPrintDriverEnum, api_WPrintDriverEnum,0}, - {"WPrintQProcEnum", RAP_WPrintQProcessorEnum,api_WPrintQProcEnum,0}, - {"WPrintPortEnum", RAP_WPrintPortEnum, api_WPrintPortEnum,0}, - {"SamOEMChangePassword",RAP_SamOEMChgPasswordUser2_P,api_SamOEMChangePassword,0}, - {NULL, -1, api_Unsupported,0}}; - + {"RNetShareEnum", RAP_WshareEnum, api_RNetShareEnum, True}, + {"RNetShareGetInfo", RAP_WshareGetInfo, api_RNetShareGetInfo}, + {"RNetShareAdd", RAP_WshareAdd, api_RNetShareAdd}, + {"RNetSessionEnum", RAP_WsessionEnum, api_RNetSessionEnum, True}, + {"RNetServerGetInfo", RAP_WserverGetInfo, api_RNetServerGetInfo}, + {"RNetGroupEnum", RAP_WGroupEnum, api_RNetGroupEnum, True}, + {"RNetGroupGetUsers", RAP_WGroupGetUsers, api_RNetGroupGetUsers, True}, + {"RNetUserEnum", RAP_WUserEnum, api_RNetUserEnum, True}, + {"RNetUserGetInfo", RAP_WUserGetInfo, api_RNetUserGetInfo}, + {"NetUserGetGroups", RAP_WUserGetGroups, api_NetUserGetGroups}, + {"NetWkstaGetInfo", RAP_WWkstaGetInfo, api_NetWkstaGetInfo}, + {"DosPrintQEnum", RAP_WPrintQEnum, api_DosPrintQEnum, True}, + {"DosPrintQGetInfo", RAP_WPrintQGetInfo, api_DosPrintQGetInfo}, + {"WPrintQueuePause", RAP_WPrintQPause, api_WPrintQueueCtrl}, + {"WPrintQueueResume", RAP_WPrintQContinue, api_WPrintQueueCtrl}, + {"WPrintJobEnumerate",RAP_WPrintJobEnum, api_WPrintJobEnumerate}, + {"WPrintJobGetInfo", RAP_WPrintJobGetInfo, api_WPrintJobGetInfo}, + {"RDosPrintJobDel", RAP_WPrintJobDel, api_RDosPrintJobDel}, + {"RDosPrintJobPause", RAP_WPrintJobPause, api_RDosPrintJobDel}, + {"RDosPrintJobResume",RAP_WPrintJobContinue, api_RDosPrintJobDel}, + {"WPrintDestEnum", RAP_WPrintDestEnum, api_WPrintDestEnum}, + {"WPrintDestGetInfo", RAP_WPrintDestGetInfo, api_WPrintDestGetInfo}, + {"NetRemoteTOD", RAP_NetRemoteTOD, api_NetRemoteTOD}, + {"WPrintQueuePurge", RAP_WPrintQPurge, api_WPrintQueueCtrl}, + {"NetServerEnum", 
RAP_NetServerEnum2, api_RNetServerEnum}, /* anon OK */ + {"WAccessGetUserPerms",RAP_WAccessGetUserPerms,api_WAccessGetUserPerms}, + {"SetUserPassword", RAP_WUserPasswordSet2, api_SetUserPassword}, + {"WWkstaUserLogon", RAP_WWkstaUserLogon, api_WWkstaUserLogon}, + {"PrintJobInfo", RAP_WPrintJobSetInfo, api_PrintJobInfo}, + {"WPrintDriverEnum", RAP_WPrintDriverEnum, api_WPrintDriverEnum}, + {"WPrintQProcEnum", RAP_WPrintQProcessorEnum,api_WPrintQProcEnum}, + {"WPrintPortEnum", RAP_WPrintPortEnum, api_WPrintPortEnum}, + {"SamOEMChangePassword",RAP_SamOEMChgPasswordUser2_P,api_SamOEMChangePassword}, /* anon OK */ + {NULL, -1, api_Unsupported}}; + +/* The following RAP calls are not implemented by Samba: + + RAP_WFileEnum2 - anon not OK +*/ /**************************************************************************** Handle remote api calls @@ -3628,6 +3632,15 @@ int api_reply(connection_struct *conn,uint16 vuid,char *outbuf,char *data,char * } } + /* Check whether this api call can be done anonymously */ + + if (api_commands[i].auth_user && lp_restrict_anonymous()) { + user_struct *user = get_valid_user_struct(vuid); + + if (!user || user->guest) + return ERROR_NT(NT_STATUS_ACCESS_DENIED); + } + rdata = (char *)malloc(1024); if (rdata) memset(rdata,'\0',1024); |
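Review bot: The per-item entries `RNetUserGetInfo`, `NetUserGetGroups` and `RNetShareGetInfo` in `api_commands[]` leave `auth_user` unset while their Enum counterparts are `True`, so with `lp_restrict_anonymous()` on, a guest session can still ask about a user or share by name unless those handlers check the caller themselves (not visible in this hunk). The same applies to state-changing entries such as `RNetShareAdd` and the print queue and job control calls. Because the flag relies on the implicit zero initializer, an entry nobody has reviewed looks identical to one deliberately left open. Writing the value out, e.g. `{"RNetUserGetInfo", RAP_WUserGetInfo, api_RNetUserGetInfo, False}, /* anon: not yet reviewed */`, would make the fail-open default visible and keep a future entry from inheriting it silently.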
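Review bot: The new denial path in `api_reply` returns `NT_STATUS_ACCESS_DENIED` without logging anything, so an operator cannot tell refused anonymous RAP calls apart from calls that were never made. A line before the return, such as `DEBUG(3,("api_reply: anonymous call to %s denied\n", api_commands[i].name));` (assuming the table's string field is `name`, which is declared above the first hunk), would give monitoring something to key on; the `if (!user || user->guest)` body then needs braces. Placing the check before the `rdata` allocation is right, since the early return frees nothing. `api_reply` starts and ends outside this hunk, so how `i` is set for an unmatched command is not visible here.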