diff options
author | Günther Deschner <gd@samba.org> | 2009-06-29 20:34:03 +0200 |
---|---|---|
committer | Günther Deschner <gd@samba.org> | 2009-07-13 15:38:20 +0200 |
commit | f7ff6bd1425cc4f0aa13ce8e7498cdac3967acf3 (patch) | |
tree | 2d00247662e99b2453c4dbfa8b8aa1503c8cb8b2 | |
parent | 05fbe0c7f763fbe8c1c48eb82ebdfe04bfa034ea (diff) | |
download | samba-f7ff6bd1425cc4f0aa13ce8e7498cdac3967acf3.tar.gz samba-f7ff6bd1425cc4f0aa13ce8e7498cdac3967acf3.tar.bz2 samba-f7ff6bd1425cc4f0aa13ce8e7498cdac3967acf3.zip |
s3-rpc_server: pass down full unix token to map_max_allowed_access().
Also use unix_token->uid instead of geteuid() when checking for mapping of the
SEC_FLAG_MAXIMUM_ALLOWED flag.
Guenther
-rw-r--r-- | source3/include/proto.h | 5 | ||||
-rw-r--r-- | source3/rpc_server/srv_lsa_nt.c | 8 | ||||
-rw-r--r-- | source3/rpc_server/srv_samr_nt.c | 42 |
3 files changed, 37 insertions, 18 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h index 44132b6519..c0ce35a865 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -7253,8 +7253,9 @@ NTSTATUS access_check_object( SEC_DESC *psd, NT_USER_TOKEN *token, SE_PRIV *rights, uint32 rights_mask, uint32 des_access, uint32 *acc_granted, const char *debug); -void map_max_allowed_access(const NT_USER_TOKEN *token, - uint32_t *pacc_requested); +void map_max_allowed_access(const NT_USER_TOKEN *nt_token, + const struct unix_user_token *unix_token, + uint32_t *pacc_requested); /* The following definitions come from ../libds/common/flag_mapping.c */ diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c index 324483b3ee..c62991ee01 100644 --- a/source3/rpc_server/srv_lsa_nt.c +++ b/source3/rpc_server/srv_lsa_nt.c @@ -349,7 +349,9 @@ NTSTATUS _lsa_OpenPolicy2(pipes_struct *p, NTSTATUS status; /* Work out max allowed. */ - map_max_allowed_access(p->server_info->ptok, &des_access); + map_max_allowed_access(p->server_info->ptok, + &p->server_info->utok, + &des_access); /* map the generic bits to the lsa policy ones */ se_map_generic(&des_access, &lsa_policy_mapping); @@ -1628,7 +1630,9 @@ NTSTATUS _lsa_OpenAccount(pipes_struct *p, * handle - so don't check against policy handle. */ /* Work out max allowed. */ - map_max_allowed_access(p->server_info->ptok, &des_access); + map_max_allowed_access(p->server_info->ptok, + &p->server_info->utok, + &des_access); /* map the generic bits to the lsa account ones */ se_map_generic(&des_access, &lsa_account_mapping); diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 8560ee97c6..1085251421 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -236,8 +236,9 @@ done: Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set. ********************************************************************/ -void map_max_allowed_access(const NT_USER_TOKEN *token, - uint32_t *pacc_requested) +void map_max_allowed_access(const NT_USER_TOKEN *nt_token, + const struct unix_user_token *unix_token, + uint32_t *pacc_requested) { if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) { return; @@ -248,15 +249,15 @@ void map_max_allowed_access(const NT_USER_TOKEN *token, *pacc_requested = GENERIC_READ_ACCESS|GENERIC_EXECUTE_ACCESS; /* root gets anything. */ - if (geteuid() == sec_initial_uid()) { + if (unix_token->uid == sec_initial_uid()) { *pacc_requested |= GENERIC_ALL_ACCESS; return; } /* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */ - if (is_sid_in_token(token, &global_sid_Builtin_Administrators) || - is_sid_in_token(token, &global_sid_Builtin_Account_Operators)) { + if (is_sid_in_token(nt_token, &global_sid_Builtin_Administrators) || + is_sid_in_token(nt_token, &global_sid_Builtin_Account_Operators)) { *pacc_requested |= GENERIC_ALL_ACCESS; return; } @@ -266,7 +267,7 @@ void map_max_allowed_access(const NT_USER_TOKEN *token, DOM_SID domadmin_sid; sid_copy( &domadmin_sid, get_global_sam_sid() ); sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS ); - if (is_sid_in_token(token, &domadmin_sid)) { + if (is_sid_in_token(nt_token, &domadmin_sid)) { *pacc_requested |= GENERIC_ALL_ACCESS; return; } @@ -550,7 +551,9 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p, } /*check if access can be granted as requested by client. */ - map_max_allowed_access(p->server_info->ptok, &des_access); + map_max_allowed_access(p->server_info->ptok, + &p->server_info->utok, + &des_access); make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 ); se_map_generic( &des_access, &dom_generic_mapping ); @@ -2260,8 +2263,9 @@ NTSTATUS _samr_OpenUser(pipes_struct *p, return NT_STATUS_NO_SUCH_USER; /* check if access can be granted as requested by client. */ - - map_max_allowed_access(p->server_info->ptok, &des_access); + map_max_allowed_access(p->server_info->ptok, + &p->server_info->utok, + &des_access); make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW); se_map_generic(&des_access, &usr_generic_mapping); @@ -3834,7 +3838,9 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p, sid_compose(&sid, get_global_sam_sid(), *r->out.rid); - map_max_allowed_access(p->server_info->ptok, &des_access); + map_max_allowed_access(p->server_info->ptok, + &p->server_info->utok, + &des_access); make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW); @@ -3914,7 +3920,9 @@ NTSTATUS _samr_Connect(pipes_struct *p, was observed from a win98 client trying to enumerate users (when configured user level access control on shares) --jerry */ - map_max_allowed_access(p->server_info->ptok, &des_access); + map_max_allowed_access(p->server_info->ptok, + &p->server_info->utok, + &des_access); se_map_generic( &des_access, &sam_generic_mapping ); @@ -3974,7 +3982,9 @@ NTSTATUS _samr_Connect2(pipes_struct *p, return NT_STATUS_ACCESS_DENIED; } - map_max_allowed_access(p->server_info->ptok, &des_access); + map_max_allowed_access(p->server_info->ptok, + &p->server_info->utok, + &des_access); make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); se_map_generic(&des_access, &sam_generic_mapping); @@ -4187,7 +4197,9 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p, /*check if access can be granted as requested by client. */ - map_max_allowed_access(p->server_info->ptok, &des_access); + map_max_allowed_access(p->server_info->ptok, + &p->server_info->utok, + &des_access); make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0); se_map_generic(&des_access,&ali_generic_mapping); @@ -6237,7 +6249,9 @@ NTSTATUS _samr_OpenGroup(pipes_struct *p, } /*check if access can be granted as requested by client. */ - map_max_allowed_access(p->server_info->ptok, &des_access); + map_max_allowed_access(p->server_info->ptok, + &p->server_info->utok, + &des_access); make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0); se_map_generic(&des_access,&grp_generic_mapping); |