trying to get HEAD building again. If you want the code

prior to this merge, checkout HEAD_PRE_3_0_0_BETA_3_MERGE (This used to be commit adb98e7b7cd0f025b52c570e4034eebf4047b1ad)
author: Gerald Carter <jerry@samba.org> 2003-07-16 05:34:56 +0000
committer: Gerald Carter <jerry@samba.org> 2003-07-16 05:34:56 +0000
commit: 4a090ba06a54f5da179ac02bb307cc03d08831bf (patch)
tree: ed652ef36be7f16682c358816334f969a22f1c27 /source3/rpc_server/srv_lsa_nt.c
parent: 95fe82670032a3a43571b46d7bbf2c26bc8cdcd9 (diff)
download: samba-4a090ba06a54f5da179ac02bb307cc03d08831bf.tar.gz
samba-4a090ba06a54f5da179ac02bb307cc03d08831bf.tar.bz2
samba-4a090ba06a54f5da179ac02bb307cc03d08831bf.zip
1 files changed, 44 insertions, 178 deletions
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index 3581be0181..ca3021a876 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -403,8 +403,16 @@ NTSTATUS _lsa_open_policy2(pipes_struct *p, LSA_Q_OPEN_POL2 *q_u, LSA_R_OPEN_POL
 	/* get the generic lsa policy SD until we store it */
 	lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
 
-	if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status))
-		return status;
+	if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status)) {
+		if (geteuid() != 0) {
+			return status;
+		}
+		DEBUG(4,("ACCESS should be DENIED (granted: %#010x;  required: %#010x)\n",
+			 acc_granted, des_access));
+		DEBUGADD(4,("but overwritten by euid == 0\n"));
+		acc_granted = des_access;
+	}
+
 
 	/* associate the domain SID with the (unique) handle. */
 	if ((info = (struct lsa_info *)malloc(sizeof(struct lsa_info))) == NULL)
@@ -441,8 +449,15 @@ NTSTATUS _lsa_open_policy(pipes_struct *p, LSA_Q_OPEN_POL *q_u, LSA_R_OPEN_POL *
 	/* get the generic lsa policy SD until we store it */
 	lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
 
-	if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status))
-		return status;
+	if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status)) {
+		if (geteuid() != 0) {
+			return status;
+		}
+		DEBUG(4,("ACCESS should be DENIED (granted: %#010x;  required: %#010x)\n",
+			 acc_granted, des_access));
+		DEBUGADD(4,("but overwritten by euid == 0\n"));
+		acc_granted = des_access;
+	}
 
 	/* associate the domain SID with the (unique) handle. */
 	if ((info = (struct lsa_info *)malloc(sizeof(struct lsa_info))) == NULL)
@@ -547,7 +562,7 @@ NTSTATUS _lsa_query_info(pipes_struct *p, LSA_Q_QUERY_INFO *q_u, LSA_R_QUERY_INF
 		switch (lp_server_role()) {
 			case ROLE_DOMAIN_PDC:
 			case ROLE_DOMAIN_BDC:
-				name = lp_workgroup();
+				name = get_global_sam_name();
 				sid = get_global_sam_sid();
 				break;
 			case ROLE_DOMAIN_MEMBER:
@@ -573,23 +588,8 @@ NTSTATUS _lsa_query_info(pipes_struct *p, LSA_Q_QUERY_INFO *q_u, LSA_R_QUERY_INF
 			return NT_STATUS_ACCESS_DENIED;
 
 		/* Request PolicyAccountDomainInformation. */
-		switch (lp_server_role()) {
-			case ROLE_DOMAIN_PDC:
-			case ROLE_DOMAIN_BDC:
-				name = lp_workgroup();
-				sid = get_global_sam_sid();
-				break;
-			case ROLE_DOMAIN_MEMBER:
-				name = global_myname();
-				sid = get_global_sam_sid();
-				break;
-			case ROLE_STANDALONE:
-				name = global_myname();
-				sid = get_global_sam_sid();
-				break;
-			default:
-				return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-		}
+		name = get_global_sam_name();
+		sid = get_global_sam_sid();
 		init_dom_query(&r_u->dom.id5, name, sid);
 		break;
 	case 0x06:
@@ -645,7 +645,7 @@ NTSTATUS _lsa_lookup_sids(pipes_struct *p, LSA_Q_LOOKUP_SIDS *q_u, LSA_R_LOOKUP_
 		num_entries = MAX_LOOKUP_SIDS;
 		DEBUG(5,("_lsa_lookup_sids: truncating SID lookup list to %d\n", num_entries));
 	}
-		
+
 	ref = (DOM_R_REF *)talloc_zero(p->mem_ctx, sizeof(DOM_R_REF));
 	names = (LSA_TRANS_NAME_ENUM *)talloc_zero(p->mem_ctx, sizeof(LSA_TRANS_NAME_ENUM));
 
@@ -859,7 +859,7 @@ NTSTATUS _lsa_enum_accounts(pipes_struct *p, LSA_Q_ENUM_ACCOUNTS *q_u, LSA_R_ENU
 		return NT_STATUS_ACCESS_DENIED;
 
 	/* get the list of mapped groups (domain, local, builtin) */
-	if(!pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV))
+	if(!pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED))
 		return NT_STATUS_OK;
 
 	if (q_u->enum_context >= num_entries)
@@ -964,8 +964,6 @@ NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, LSA_Q_ENUMPRIVSACCOUNT *q_u, LS
 {
 	struct lsa_info *info=NULL;
 	GROUP_MAP map;
-	int i=0;
-
 	LUID_ATTR *set=NULL;
 
 	r_u->status = NT_STATUS_OK;
@@ -974,9 +972,10 @@ NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, LSA_Q_ENUMPRIVSACCOUNT *q_u, LS
 	if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
 		return NT_STATUS_INVALID_HANDLE;
 
-	if (!pdb_getgrsid(&map, info->sid, MAPPING_WITH_PRIV))
+	if (!pdb_getgrsid(&map, info->sid))
 		return NT_STATUS_NO_SUCH_GROUP;
 
+#if 0 /* privileges currently not implemented! */
 	DEBUG(10,("_lsa_enum_privsaccount: %d privileges\n", map.priv_set.count));
 	if (map.priv_set.count!=0) {
 	
@@ -997,6 +996,9 @@ NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, LSA_Q_ENUMPRIVSACCOUNT *q_u, LS
 
 	init_lsa_r_enum_privsaccount(r_u, set, map.priv_set.count, 0);	
 	free_privilege(&map.priv_set);	
+#endif
+
+	init_lsa_r_enum_privsaccount(r_u, set, 0, 0);
 
 	return r_u->status;
 }
@@ -1015,7 +1017,7 @@ NTSTATUS _lsa_getsystemaccount(pipes_struct *p, LSA_Q_GETSYSTEMACCOUNT *q_u, LSA
 	if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
 		return NT_STATUS_INVALID_HANDLE;
 
-	if (!pdb_getgrsid(&map, info->sid, MAPPING_WITHOUT_PRIV))
+	if (!pdb_getgrsid(&map, info->sid))
 		return NT_STATUS_NO_SUCH_GROUP;
 
 	/*
@@ -1027,7 +1029,7 @@ NTSTATUS _lsa_getsystemaccount(pipes_struct *p, LSA_Q_GETSYSTEMACCOUNT *q_u, LSA
 	  they can be ORed together
 	*/
 
-	r_u->access=map.systemaccount;
+	r_u->access = PR_LOG_ON_LOCALLY | PR_ACCESS_FROM_NETWORK;
 
 	return r_u->status;
 }
@@ -1046,16 +1048,12 @@ NTSTATUS _lsa_setsystemaccount(pipes_struct *p, LSA_Q_SETSYSTEMACCOUNT *q_u, LSA
 	if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
 		return NT_STATUS_INVALID_HANDLE;
 
-	if (!pdb_getgrsid(&map, info->sid, MAPPING_WITH_PRIV))
+	if (!pdb_getgrsid(&map, info->sid))
 		return NT_STATUS_NO_SUCH_GROUP;
 
-	map.systemaccount=q_u->access;
-
 	if(!pdb_update_group_mapping_entry(&map))
 		return NT_STATUS_NO_SUCH_GROUP;
 
-	free_privilege(&map.priv_set);
-
 	return r_u->status;
 }
 
@@ -1065,20 +1063,22 @@ NTSTATUS _lsa_setsystemaccount(pipes_struct *p, LSA_Q_SETSYSTEMACCOUNT *q_u, LSA
 
 NTSTATUS _lsa_addprivs(pipes_struct *p, LSA_Q_ADDPRIVS *q_u, LSA_R_ADDPRIVS *r_u)
 {
+#if 0
 	struct lsa_info *info=NULL;
 	GROUP_MAP map;
 	int i=0;
-
 	LUID_ATTR *luid_attr=NULL;
 	PRIVILEGE_SET *set=NULL;
+#endif
 
 	r_u->status = NT_STATUS_OK;
 
+#if 0 /* privileges are not implemented */
 	/* find the connection policy handle. */
 	if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
 		return NT_STATUS_INVALID_HANDLE;
 
-	if (!pdb_getgrsid(&map, info->sid, MAPPING_WITH_PRIV))
+	if (!pdb_getgrsid(&map, info->sid))
 		return NT_STATUS_NO_SUCH_GROUP;
 
 	set=&q_u->set;
@@ -1100,6 +1100,7 @@ NTSTATUS _lsa_addprivs(pipes_struct *p, LSA_Q_ADDPRIVS *q_u, LSA_R_ADDPRIVS *r_u
 	
 	free_privilege(&map.priv_set);	
 
+#endif
 	return r_u->status;
 }
 
@@ -1109,20 +1110,22 @@ NTSTATUS _lsa_addprivs(pipes_struct *p, LSA_Q_ADDPRIVS *q_u, LSA_R_ADDPRIVS *r_u
 
 NTSTATUS _lsa_removeprivs(pipes_struct *p, LSA_Q_REMOVEPRIVS *q_u, LSA_R_REMOVEPRIVS *r_u)
 {
+#if 0
 	struct lsa_info *info=NULL;
 	GROUP_MAP map;
 	int i=0;
-
 	LUID_ATTR *luid_attr=NULL;
 	PRIVILEGE_SET *set=NULL;
+#endif
 
 	r_u->status = NT_STATUS_OK;
 
+#if 0 /* privileges are not implemented */
 	/* find the connection policy handle. */
 	if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
 		return NT_STATUS_INVALID_HANDLE;
 
-	if (!pdb_getgrsid(&map, info->sid, MAPPING_WITH_PRIV))
+	if (!pdb_getgrsid(&map, info->sid))
 		return NT_STATUS_NO_SUCH_GROUP;
 
 	if (q_u->allrights!=0) {
@@ -1156,7 +1159,7 @@ NTSTATUS _lsa_removeprivs(pipes_struct *p, LSA_Q_REMOVEPRIVS *q_u, LSA_R_REMOVEP
 		return NT_STATUS_NO_SUCH_GROUP;
 	
 	free_privilege(&map.priv_set);	
-
+#endif
 	return r_u->status;
 }
 
@@ -1240,13 +1243,13 @@ NTSTATUS _lsa_query_info2(pipes_struct *p, LSA_Q_QUERY_INFO2 *q_u, LSA_R_QUERY_I
 		switch (lp_server_role()) {
 			case ROLE_DOMAIN_PDC:
 			case ROLE_DOMAIN_BDC:
-				nb_name = lp_workgroup();
+				nb_name = get_global_sam_name();
 				/* ugly temp hack for these next two */
 
 				/* This should be a 'netbios domain -> DNS domain' mapping */
 				dnsdomname[0] = '\0';
 				get_mydomname(dnsdomname);
-				strlower(dnsdomname);
+				strlower_m(dnsdomname);
 				
 				dns_name = dnsdomname;
 				forest_name = dnsdomname;
@@ -1273,140 +1276,3 @@ NTSTATUS _lsa_query_info2(pipes_struct *p, LSA_Q_QUERY_INFO2 *q_u, LSA_R_QUERY_I
 
 	return r_u->status;
 }
-
-
-/***************************************************************************
- For a given SID, enumerate all the privilege this account has.
- ***************************************************************************/
-NTSTATUS _lsa_enum_acct_rights(pipes_struct *p, LSA_Q_ENUM_ACCT_RIGHTS *q_u, LSA_R_ENUM_ACCT_RIGHTS *r_u)
-{
-	struct lsa_info *info=NULL;
-	char **rights = NULL;
-	int num_rights = 0;
-	int i;
-
-	r_u->status = NT_STATUS_OK;
-
-	/* find the connection policy handle. */
-	if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
-		return NT_STATUS_INVALID_HANDLE;
-
-	r_u->status = privilege_enum_account_rights(&q_u->sid.sid, &num_rights, &rights);
-
-	init_r_enum_acct_rights(r_u, num_rights, (const char **)rights);
-
-	for (i=0;i<num_rights;i++) {
-		free(rights[i]);
-	}
-	safe_free(rights);
-
-	return r_u->status;
-}
-
-/***************************************************************************
-return a list of SIDs for a particular privilege
- ***************************************************************************/
-NTSTATUS _lsa_enum_acct_with_right(pipes_struct *p, 
-				   LSA_Q_ENUM_ACCT_WITH_RIGHT *q_u, 
-				   LSA_R_ENUM_ACCT_WITH_RIGHT *r_u)
-{
-	struct lsa_info *info=NULL;
-	char *right;
-	DOM_SID *sids = NULL;
-	uint32 count = 0;
-
-	r_u->status = NT_STATUS_OK;
-
-	/* find the connection policy handle. */
-	if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
-		return NT_STATUS_INVALID_HANDLE;
-
-	right = unistr2_tdup(p->mem_ctx, &q_u->right);
-
-	DEBUG(5,("lsa_enum_acct_with_right on right %s\n", right));
-
-	r_u->status = privilege_enum_account_with_right(right, &count, &sids);
-
-	init_r_enum_acct_with_right(r_u, count, sids);
-
-	safe_free(sids);
-
-	return r_u->status;
-}
-
-/***************************************************************************
- add privileges to a acct by SID
- ***************************************************************************/
-NTSTATUS _lsa_add_acct_rights(pipes_struct *p, LSA_Q_ADD_ACCT_RIGHTS *q_u, LSA_R_ADD_ACCT_RIGHTS *r_u)
-{
-	struct lsa_info *info=NULL;
-	int i;
-
-	r_u->status = NT_STATUS_OK;
-
-	/* find the connection policy handle. */
-	if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
-		return NT_STATUS_INVALID_HANDLE;
-
-	DEBUG(5,("_lsa_add_acct_rights to %s (%d rights)\n", 
-		 sid_string_static(&q_u->sid.sid), q_u->rights.count));
-
-	for (i=0;i<q_u->rights.count;i++) {
-		DEBUG(5,("\t%s\n", unistr2_static(&q_u->rights.strings[i].string)));
-	}
-
-
-	for (i=0;i<q_u->rights.count;i++) {
-		r_u->status = privilege_add_account_right(unistr2_static(&q_u->rights.strings[i].string),
-							  &q_u->sid.sid);
-		if (!NT_STATUS_IS_OK(r_u->status)) {
-			DEBUG(2,("Failed to add right '%s'\n", 
-				 unistr2_static(&q_u->rights.strings[i].string)));
-			break;
-		}
-	}
-
-	init_r_add_acct_rights(r_u);
-
-	return r_u->status;
-}
-
-
-/***************************************************************************
- remove privileges from a acct by SID
- ***************************************************************************/
-NTSTATUS _lsa_remove_acct_rights(pipes_struct *p, LSA_Q_REMOVE_ACCT_RIGHTS *q_u, LSA_R_REMOVE_ACCT_RIGHTS *r_u)
-{
-	struct lsa_info *info=NULL;
-	int i;
-
-	r_u->status = NT_STATUS_OK;
-
-	/* find the connection policy handle. */
-	if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
-		return NT_STATUS_INVALID_HANDLE;
-
-
-	DEBUG(5,("_lsa_remove_acct_rights from %s all=%d (%d rights)\n", 
-		 sid_string_static(&q_u->sid.sid),
-		 q_u->removeall,
-		 q_u->rights.count));
-
-	for (i=0;i<q_u->rights.count;i++) {
-		DEBUG(5,("\t%s\n", unistr2_static(&q_u->rights.strings[i].string)));
-	}
-
-	for (i=0;i<q_u->rights.count;i++) {
-		r_u->status = privilege_remove_account_right(unistr2_static(&q_u->rights.strings[i].string),
-							     &q_u->sid.sid);
-		if (!NT_STATUS_IS_OK(r_u->status)) {
-			DEBUG(2,("Failed to remove right '%s'\n", 
-				 unistr2_static(&q_u->rights.strings[i].string)));
-			break;
-		}
-	}
-
-	init_r_remove_acct_rights(r_u);
-
-	return r_u->status;
-}
author	Gerald Carter <jerry@samba.org>	2003-07-16 05:34:56 +0000
committer	Gerald Carter <jerry@samba.org>	2003-07-16 05:34:56 +0000
commit	4a090ba06a54f5da179ac02bb307cc03d08831bf (patch)
tree	ed652ef36be7f16682c358816334f969a22f1c27 /source3/rpc_server/srv_lsa_nt.c
parent	95fe82670032a3a43571b46d7bbf2c26bc8cdcd9 (diff)
download	samba-4a090ba06a54f5da179ac02bb307cc03d08831bf.tar.gz samba-4a090ba06a54f5da179ac02bb307cc03d08831bf.tar.bz2 samba-4a090ba06a54f5da179ac02bb307cc03d08831bf.zip