Fixed up the user/group contexts when using authenticated pipes.

Added a become_root()/unbecome_root() (push/pop security context)
around the initgroups() call to ensure it would succeed. Hmmm - I
wonder if this call being done as non-root might explain any "group access"
bugs we've had in the past....
Jeremy.
(This used to be commit 06a65972e872f37d88b84f22ea714feebd38f6c0)

2 files changed, 7 insertions, 5 deletions

diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index 9af7d3b1e9..4aa753c022 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -163,8 +163,9 @@ char *validated_domain(uint16 vuid)
  Initialize the groups a user belongs to.
 ****************************************************************************/
 
-int initialize_groups(char *user, uid_t uid, gid_t gid)
+BOOL initialize_groups(char *user, uid_t uid, gid_t gid)
 {
+	become_root();
 	if (initgroups(user,gid) == -1) {
 		DEBUG(0,("Unable to initgroups. Error was %s\n", strerror(errno) ));
 		if (getuid() == 0) {
@@ -172,9 +173,11 @@ int initialize_groups(char *user, uid_t uid, gid_t gid)
 				DEBUG(0,("This is probably a problem with the account %s\n", user));
 			}
 		}
-		return -1;
+		unbecome_root();
+		return False;
 	}
-	return 0;
+	become_root();
+	return True;
 }
 
 /****************************************************************************
diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
index f6687e9a5a..fafcd71b1a 100644
--- a/source3/smbd/uid.c
+++ b/source3/smbd/uid.c
@@ -207,9 +207,8 @@ BOOL become_authenticated_pipe_user(pipes_struct *p)
 		return False;
 	}
 
-	/* JRATEST - this needs fixined w.r.t. NT user tokens... */
 	set_sec_ctx(p->pipe_user.uid, p->pipe_user.gid, 
-		    p->pipe_user.ngroups, p->pipe_user.groups, NULL);
+		    p->pipe_user.ngroups, p->pipe_user.groups, p->pipe_user.nt_user_token);
 
 	return True;
 }