authorJeremy Allison <jra@samba.org>2011-10-07 11:09:44 -0700
committerJeremy Allison <jra@samba.org>2011-10-07 21:51:27 +0200
commitc80ba57169cee2ec66e8afe3616956c17958a3ae (patch)
tree2c0aa5b13bd5e9e32db156e33e53fe140b27e69b
parentbcb02129c3eaa3e22b74f65a44c7059a298831a3 (diff)
Fix bug #8509 - Read-only handles on SAMR allow SAMR_DOMAIN_ACCESS_CREATE_USER.
Not a security issue as we also check inside _samr_CreateUser2. Thanks to Andreas Schneider <asn@samba.org> for finding and testing this. Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Fri Oct 7 21:51:27 CEST 2011 on sn-devel-104
-rw-r--r--source3/rpc_server/srv_access_check.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/source3/rpc_server/srv_access_check.c b/source3/rpc_server/srv_access_check.c
index 12d90240b1..4e74b0443a 100644
--- a/source3/rpc_server/srv_access_check.c
+++ b/source3/rpc_server/srv_access_check.c
@@ -52,6 +52,7 @@ NTSTATUS access_check_object( struct security_descriptor *psd, struct security_t
{
NTSTATUS status = NT_STATUS_ACCESS_DENIED;
uint32 saved_mask = 0;
+ bool priv_granted = false;
/* check privileges; certain SAM access bits should be overridden
by privileges (mostly having to do with creating/modifying/deleting
@@ -59,6 +60,7 @@ NTSTATUS access_check_object( struct security_descriptor *psd, struct security_t
if ((needed_priv_1 != SEC_PRIV_INVALID && security_token_has_privilege(token, needed_priv_1)) ||
(needed_priv_2 != SEC_PRIV_INVALID && security_token_has_privilege(token, needed_priv_2))) {
+ priv_granted = true;
saved_mask = (des_access & rights_mask);
des_access &= ~saved_mask;
@@ -81,6 +83,7 @@ NTSTATUS access_check_object( struct security_descriptor *psd, struct security_t
DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access));
DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n"));
+ priv_granted = true;
*acc_granted = des_access;
status = NT_STATUS_OK;
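Review bot: `priv_granted = true` in the `euid == sec_initial_uid()` override branch sets a flag whose name says a privilege was held, on a path where the visible lines check no privilege. Its effect is that the `done:` block ORs the whole `rights_mask` into `*acc_granted` on top of `des_access`, so this path receives the privileged bits whether or not they were requested. If that is intended, a comment here would make it explicit, e.g. `/* initial uid is treated as holding the needed privileges: rights_mask is added at done: */`. The function body starts and ends outside this hunk.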
@@ -89,10 +92,12 @@ NTSTATUS access_check_object( struct security_descriptor *psd, struct security_t
done:
- /* add in any bits saved during the privilege check (only
- matters is status is ok) */
+ if (priv_granted) {
+ /* add in any bits saved during the privilege check (only
+ matters if status is ok) */
- *acc_granted |= rights_mask;
+ *acc_granted |= rights_mask;
+ }
DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n",
debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED",
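Review bot: The guarded statement still ORs the full `rights_mask` into `*acc_granted`, while the comment above it speaks of "bits saved during the privilege check", which in the earlier hunk is `saved_mask = (des_access & rights_mask)`. A caller holding one of the privileges therefore receives every bit in `rights_mask`, not only the ones it asked for, and the write happens even when `status` is not OK. If only the requested bits should be granted, the line would be `*acc_granted |= saved_mask;`. If the wider grant is deliberate (for example for maximum-allowed requests, which cannot be judged from this hunk), the comment should say so, and `if (priv_granted && NT_STATUS_IS_OK(status))` would keep a denied result from carrying privileged bits. The function body starts before this hunk and the `DEBUG` call continues past its end.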