diff options
| author | Gerald Carter <jerry@samba.org> | 2005-09-02 13:42:56 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:03:29 -0500 |
| commit | d4f2df5d5cfe50de71eadbb14cf920c6af29bc39 (patch) | |
| tree | f4415bc15d583236641f15a64c93f9a9df779191 | |
| parent | a451584b2a83f0e63a072d6ccea8cbce5a2a465e (diff) | |
| download | samba-d4f2df5d5cfe50de71eadbb14cf920c6af29bc39.tar.gz samba-d4f2df5d5cfe50de71eadbb14cf920c6af29bc39.tar.bz2 samba-d4f2df5d5cfe50de71eadbb14cf920c6af29bc39.zip | |
r9956: Ensure accounts with the SeAddUsersPrivilege can modify domain and local group attributes (posted to samba ml and confirmed fix)
(This used to be commit 005d4cb3c636383ccf70c4891cd7cc4bd3b48ad2)
| -rw-r--r-- | source3/rpc_server/srv_samr_nt.c | 40 |
1 files changed, 32 insertions, 8 deletions
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 1f79ce5c14..656241a73f 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3924,6 +3924,8 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ GROUP_MAP map; GROUP_INFO_CTR *ctr; uint32 acc_granted; + BOOL ret; + BOOL can_mod_accounts; if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; @@ -3948,11 +3950,21 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ return NT_STATUS_INVALID_INFO_CLASS; } - if(!pdb_update_group_mapping_entry(&map)) { - return NT_STATUS_NO_SUCH_GROUP; - } + can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users ); - return NT_STATUS_OK; + /******** BEGIN SeAddUsers BLOCK *********/ + + if ( can_mod_accounts ) + become_root(); + + ret = pdb_update_group_mapping_entry(&map); + + if ( can_mod_accounts ) + unbecome_root(); + + /******** End SeAddUsers BLOCK *********/ + + return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED; } /********************************************************************* @@ -3967,6 +3979,8 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ struct acct_info info; ALIAS_INFO_CTR *ctr; uint32 acc_granted; + BOOL ret; + BOOL can_mod_accounts; if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; @@ -3989,11 +4003,21 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ return NT_STATUS_INVALID_INFO_CLASS; } - if(!pdb_set_aliasinfo(&group_sid, &info)) { - return NT_STATUS_ACCESS_DENIED; - } + can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users ); - return NT_STATUS_OK; + /******** BEGIN SeAddUsers BLOCK *********/ + + if ( can_mod_accounts ) + become_root(); + + ret = pdb_set_aliasinfo( &group_sid, &info ); + + if ( can_mod_accounts ) + unbecome_root(); + + /******** End SeAddUsers BLOCK *********/ + + return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED; } /********************************************************************* |