authorStefan Metzmacher <metze@samba.org>2012-11-29 10:00:03 +0100
committerMichael Adam <obnox@samba.org>2012-12-02 18:31:00 +0100
commit0a3396b53683f5efe439bfb8395e275f53108255 (patch)
tree5021484a0d45b0062f876135290fe430adc7d777
parent8ababf4367eb4faaeeda6cf66191aaf66a3a69da (diff)
s3:smbd/open: use Builtin_Administrators as owner of files (if possible)
We do this only if the idmap layer resolves Builtin_Administrators as ID_TYPE_BOTH, and only if the current token either holds the Builtin_Administrators SID or is the SYSTEM token. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
-rw-r--r--source3/smbd/open.c45
1 files changed, 41 insertions, 4 deletions
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index d736f4f795..955660c148 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -28,6 +28,8 @@
#include "../libcli/security/security.h"
#include "../librpc/gen_ndr/ndr_security.h"
#include "../librpc/gen_ndr/open_files.h"
+#include "../librpc/gen_ndr/idmap.h"
+#include "passdb/lookup_sid.h"
#include "auth.h"
#include "serverid.h"
#include "messages.h"
@@ -3452,11 +3454,14 @@ static NTSTATUS inherit_new_acl(files_struct *fsp)
struct security_descriptor *parent_desc = NULL;
NTSTATUS status = NT_STATUS_OK;
struct security_descriptor *psd = NULL;
- struct dom_sid *owner_sid = NULL;
- struct dom_sid *group_sid = NULL;
+ const struct dom_sid *owner_sid = NULL;
+ const struct dom_sid *group_sid = NULL;
uint32_t security_info_sent = (SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL);
+ struct security_token *token = fsp->conn->session_info->security_token;
bool inherit_owner = lp_inherit_owner(SNUM(fsp->conn));
bool inheritable_components = false;
+ bool try_builtin_administrators = false;
+ const struct dom_sid *BA_U_sid = NULL;
size_t size = 0;
if (!parent_dirname(frame, fsp->fsp_name->base_name, &parent_name, NULL)) {
@@ -3498,10 +3503,42 @@ static NTSTATUS inherit_new_acl(files_struct *fsp)
}
if (owner_sid == NULL) {
- owner_sid = &fsp->conn->session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
+ if (security_token_has_builtin_administrators(token)) {
+ try_builtin_administrators = true;
+ } else if (security_token_is_system(token)) {
+ try_builtin_administrators = true;
+ }
+ }
+
+ if (try_builtin_administrators) {
+ struct unixid ids;
+ bool ok;
+
+ ZERO_STRUCT(ids);
+ ok = sids_to_unixids(&global_sid_Builtin_Administrators, 1, &ids);
+ if (ok) {
+ switch (ids.type) {
+ case ID_TYPE_BOTH:
+ BA_U_sid = &global_sid_Builtin_Administrators;
+ break;
+ case ID_TYPE_UID:
+ BA_U_sid = &global_sid_Builtin_Administrators;
+ break;
+ default:
+ break;
+ }
+ }
+ }
+
+ if (owner_sid == NULL) {
+ owner_sid = BA_U_sid;
+ }
+
+ if (owner_sid == NULL) {
+ owner_sid = &token->sids[PRIMARY_USER_SID_INDEX];
}
if (group_sid == NULL) {
- group_sid = &fsp->conn->session_info->security_token->sids[PRIMARY_GROUP_SID_INDEX];
+ group_sid = &token->sids[PRIMARY_GROUP_SID_INDEX];
}
status = se_create_child_secdesc(frame,
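Review bot: The switch on `ids.type` accepts ID_TYPE_UID in addition to ID_TYPE_BOTH, while the commit message says BUILTIN\Administrators becomes the owner only when idmap resolves it as ID_TYPE_BOTH; either the message or the code should be brought into line, and since both arms are identical they can be collapsed to `case ID_TYPE_BOTH: /* fallthrough */ case ID_TYPE_UID: BA_U_sid = &global_sid_Builtin_Administrators; break;`. When sids_to_unixids() fails or returns ID_TYPE_GID/ID_TYPE_NOT_SPECIFIED the code silently falls back to the token's primary user SID, which matches the pre-patch behaviour but leaves no trace of why an administrator's file ended up user-owned; a DEBUG(10,...) line on that fallback path would make that diagnosable. Note also that `ids.id` is never consulted, so the check is purely on the mapping type, which is worth a one-line comment above the switch (`/* only the id type matters here: we need BA to be chown()-able as a uid */`). inherit_new_acl() continues past the end of this hunk.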