Move restrict anonymous checks into a general function called

pipe_access_check().  Eventually this can take a security descriptor
as an argument as well.
(This used to be commit 8bbdc674afef32621bf473ba1af76bae7270b818)

2 files changed, 49 insertions, 18 deletions

diff --git a/source3/rpc_server/srv_lsa_hnd.c b/source3/rpc_server/srv_lsa_hnd.c
index 62af0ecac8..5af1e8c265 100644
--- a/source3/rpc_server/srv_lsa_hnd.c
+++ b/source3/rpc_server/srv_lsa_hnd.c
@@ -249,3 +249,31 @@ void close_policy_by_pipe(pipes_struct *p)
 		DEBUG(10,("close_policy_by_pipe: deleted handle list for pipe %s\n", p->name ));
 	}
 }
+
+/*******************************************************************
+Shall we allow access to this rpc?  Currently this function
+implements the 'restrict anonymous' setting by denying access to
+anonymous users if the restrict anonymous level is > 0.  Further work
+will be checking a security descriptor to determine whether a user
+token has enough access to access the pipe.
+********************************************************************/
+
+BOOL pipe_access_check(pipes_struct *p)
+{
+	/* Don't let anonymous users access this RPC if restrict
+	   anonymous > 0 */
+
+	if (lp_restrict_anonymous() > 0) {
+		user_struct *user = get_valid_user_struct(p->vuid);
+
+		if (!user) {
+			DEBUG(3, ("invalid vuid %d\n", p->vuid));
+			return False;
+		}
+
+		if (user->guest)
+			return False;
+	}
+
+	return True;
+}
diff --git a/source3/rpc_server/srv_srvsvc_nt.c b/source3/rpc_server/srv_srvsvc_nt.c
index 967c7a8747..8965b11fe5 100644
--- a/source3/rpc_server/srv_srvsvc_nt.c
+++ b/source3/rpc_server/srv_srvsvc_nt.c
@@ -564,25 +564,8 @@ static BOOL init_srv_share_info_ctr(pipes_struct *p, SRV_SHARE_INFO_CTR *ctr,
 static void init_srv_r_net_share_enum(pipes_struct *p, SRV_R_NET_SHARE_ENUM *r_n,
 				      uint32 info_level, uint32 resume_hnd, BOOL all)  
 {
-	user_struct *user;
-
 	DEBUG(5,("init_srv_r_net_share_enum: %d\n", __LINE__));
 
-	/* Don't let anonymous users access this RPC */
-
-	if (!(user = get_valid_user_struct(p->vuid))) {
-		DEBUG(3, ("invalid vuid %d in init_srv_r_net_share_enum()\n",
-			  p->vuid));
-		r_n->status = WERR_ACCESS_DENIED;
-		return;
-	}
-
-	if (lp_restrict_anonymous() > 0 && user->guest) {
-		DEBUG(5, ("access denied to anonymous connection"));
-		r_n->status = WERR_ACCESS_DENIED;
-		return;
-	}
-
 	if (init_srv_share_info_ctr(p, &r_n->ctr, info_level,
 				    &resume_hnd, &r_n->total_entries, all)) {
 		r_n->status = WERR_OK;
@@ -1042,11 +1025,21 @@ WERROR _srv_net_srv_get_info(pipes_struct *p, SRV_Q_NET_SRV_GET_INFO *q_u, SRV_R
 
 	DEBUG(5,("srv_net_srv_get_info: %d\n", __LINE__));
 
+	if (!pipe_access_check(p)) {
+		DEBUG(3, ("access denied to srv_net_srv_get_info\n"));
+		return WERR_ACCESS_DENIED;
+	}
+
 	switch (q_u->switch_value) {
+
+		/* Technically level 102 should only be available to
+		   Administrators but there isn't anything super-secret
+		   here, as most of it is made up. */
+
 	case 102:
 		init_srv_info_102(&ctr->srv.sv102,
 		                  500, global_myname, 
-						string_truncate(lp_serverstring(), MAX_SERVER_STRING_LENGTH),
+				  string_truncate(lp_serverstring(), MAX_SERVER_STRING_LENGTH),
 		                  lp_major_announce_version(), lp_minor_announce_version(),
 		                  lp_default_server_announce(),
 		                  0xffffffff, /* users */
@@ -1176,6 +1169,11 @@ WERROR _srv_net_share_enum_all(pipes_struct *p, SRV_Q_NET_SHARE_ENUM *q_u, SRV_R
 {
 	DEBUG(5,("_srv_net_share_enum: %d\n", __LINE__));
 
+	if (!pipe_access_check(p)) {
+		DEBUG(3, ("access denied to srv_net_share_enum_all\n"));
+		return WERR_ACCESS_DENIED;
+	}
+
 	/* Create the list of shares for the response. */
 	init_srv_r_net_share_enum(p, r_u,
 				q_u->ctr.info_level,
@@ -1194,6 +1192,11 @@ WERROR _srv_net_share_enum(pipes_struct *p, SRV_Q_NET_SHARE_ENUM *q_u, SRV_R_NET
 {
 	DEBUG(5,("_srv_net_share_enum: %d\n", __LINE__));
 
+	if (!pipe_access_check(p)) {
+		DEBUG(3, ("access denied to srv_net_share_enum\n"));
+		return WERR_ACCESS_DENIED;
+	}
+
 	/* Create the list of shares for the response. */
 	init_srv_r_net_share_enum(p, r_u,
 				q_u->ctr.info_level,