authorTim Potter <tpot@samba.org>2002-06-20 05:42:00 +0000
committerTim Potter <tpot@samba.org>2002-06-20 05:42:00 +0000
commitb7e4b7f0e20c08da89526306a7e361757bd23e8f (patch)
tree4dd8a68714bc7fc6918da9359eed807695868d6b /source3
parent6905730c3eede966f574c35794e559ab93235245 (diff)
Got rid of unused flags field in lanman api_commands[].
Added an auth_user field which denotes whether the api call can be made anonymously. In combination with lp_restrict_anonymous() this can decrease the amount of information that can be retrieved anonymously. So far NetShareEnum, NetSessionEnum, NetGroupEnum, NetGroupGetUsers, NetUserEnum, PrintQEnum, NetFileEnum cannot be called anonymously. SamOEMChangePassword and NetServerEnum can be called anonymously. All other functions can be called anonymously until it can be proven that they can't to avoid breaking anything. (This used to be commit ead6ab9602640aca5d1d8ac336f3a129f9466159)
Diffstat (limited to 'source3')
-rw-r--r--source3/smbd/lanman.c85
1 files changed, 49 insertions, 36 deletions
diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
index b3ee9b5737..f64140daf8 100644
--- a/source3/smbd/lanman.c
+++ b/source3/smbd/lanman.c
@@ -3555,43 +3555,47 @@ struct
int id;
BOOL (*fn)(connection_struct *,uint16,char *,char *,
int,int,char **,char **,int *,int *);
- int flags;
+ BOOL auth_user; /* Deny anonymous access? */
} api_commands[] = {
- {"RNetShareEnum", RAP_WshareEnum, api_RNetShareEnum,0},
- {"RNetShareGetInfo", RAP_WshareGetInfo, api_RNetShareGetInfo,0},
- {"RNetShareAdd", RAP_WshareAdd, api_RNetShareAdd,0},
- {"RNetSessionEnum", RAP_WsessionEnum, api_RNetSessionEnum,0},
- {"RNetServerGetInfo", RAP_WserverGetInfo, api_RNetServerGetInfo,0},
- {"RNetGroupEnum", RAP_WGroupEnum, api_RNetGroupEnum,0},
- {"RNetGroupGetUsers", RAP_WGroupGetUsers, api_RNetGroupGetUsers,0},
- {"RNetUserEnum", RAP_WUserEnum, api_RNetUserEnum,0},
- {"RNetUserGetInfo", RAP_WUserGetInfo, api_RNetUserGetInfo,0},
- {"NetUserGetGroups", RAP_WUserGetGroups, api_NetUserGetGroups,0},
- {"NetWkstaGetInfo", RAP_WWkstaGetInfo, api_NetWkstaGetInfo,0},
- {"DosPrintQEnum", RAP_WPrintQEnum, api_DosPrintQEnum,0},
- {"DosPrintQGetInfo", RAP_WPrintQGetInfo, api_DosPrintQGetInfo,0},
- {"WPrintQueuePause", RAP_WPrintQPause, api_WPrintQueueCtrl,0},
- {"WPrintQueueResume", RAP_WPrintQContinue, api_WPrintQueueCtrl,0},
- {"WPrintJobEnumerate",RAP_WPrintJobEnum, api_WPrintJobEnumerate,0},
- {"WPrintJobGetInfo", RAP_WPrintJobGetInfo, api_WPrintJobGetInfo,0},
- {"RDosPrintJobDel", RAP_WPrintJobDel, api_RDosPrintJobDel,0},
- {"RDosPrintJobPause", RAP_WPrintJobPause, api_RDosPrintJobDel,0},
- {"RDosPrintJobResume",RAP_WPrintJobContinue, api_RDosPrintJobDel,0},
- {"WPrintDestEnum", RAP_WPrintDestEnum, api_WPrintDestEnum,0},
- {"WPrintDestGetInfo", RAP_WPrintDestGetInfo, api_WPrintDestGetInfo,0},
- {"NetRemoteTOD", RAP_NetRemoteTOD, api_NetRemoteTOD,0},
- {"WPrintQueuePurge", RAP_WPrintQPurge, api_WPrintQueueCtrl,0},
- {"NetServerEnum", RAP_NetServerEnum2, api_RNetServerEnum,0},
- {"WAccessGetUserPerms",RAP_WAccessGetUserPerms,api_WAccessGetUserPerms,0},
- {"SetUserPassword", RAP_WUserPasswordSet2, api_SetUserPassword,0},
- {"WWkstaUserLogon", RAP_WWkstaUserLogon, api_WWkstaUserLogon,0},
- {"PrintJobInfo", RAP_WPrintJobSetInfo, api_PrintJobInfo,0},
- {"WPrintDriverEnum", RAP_WPrintDriverEnum, api_WPrintDriverEnum,0},
- {"WPrintQProcEnum", RAP_WPrintQProcessorEnum,api_WPrintQProcEnum,0},
- {"WPrintPortEnum", RAP_WPrintPortEnum, api_WPrintPortEnum,0},
- {"SamOEMChangePassword",RAP_SamOEMChgPasswordUser2_P,api_SamOEMChangePassword,0},
- {NULL, -1, api_Unsupported,0}};
-
+ {"RNetShareEnum", RAP_WshareEnum, api_RNetShareEnum, True},
+ {"RNetShareGetInfo", RAP_WshareGetInfo, api_RNetShareGetInfo},
+ {"RNetShareAdd", RAP_WshareAdd, api_RNetShareAdd},
+ {"RNetSessionEnum", RAP_WsessionEnum, api_RNetSessionEnum, True},
+ {"RNetServerGetInfo", RAP_WserverGetInfo, api_RNetServerGetInfo},
+ {"RNetGroupEnum", RAP_WGroupEnum, api_RNetGroupEnum, True},
+ {"RNetGroupGetUsers", RAP_WGroupGetUsers, api_RNetGroupGetUsers, True},
+ {"RNetUserEnum", RAP_WUserEnum, api_RNetUserEnum, True},
+ {"RNetUserGetInfo", RAP_WUserGetInfo, api_RNetUserGetInfo},
+ {"NetUserGetGroups", RAP_WUserGetGroups, api_NetUserGetGroups},
+ {"NetWkstaGetInfo", RAP_WWkstaGetInfo, api_NetWkstaGetInfo},
+ {"DosPrintQEnum", RAP_WPrintQEnum, api_DosPrintQEnum, True},
+ {"DosPrintQGetInfo", RAP_WPrintQGetInfo, api_DosPrintQGetInfo},
+ {"WPrintQueuePause", RAP_WPrintQPause, api_WPrintQueueCtrl},
+ {"WPrintQueueResume", RAP_WPrintQContinue, api_WPrintQueueCtrl},
+ {"WPrintJobEnumerate",RAP_WPrintJobEnum, api_WPrintJobEnumerate},
+ {"WPrintJobGetInfo", RAP_WPrintJobGetInfo, api_WPrintJobGetInfo},
+ {"RDosPrintJobDel", RAP_WPrintJobDel, api_RDosPrintJobDel},
+ {"RDosPrintJobPause", RAP_WPrintJobPause, api_RDosPrintJobDel},
+ {"RDosPrintJobResume",RAP_WPrintJobContinue, api_RDosPrintJobDel},
+ {"WPrintDestEnum", RAP_WPrintDestEnum, api_WPrintDestEnum},
+ {"WPrintDestGetInfo", RAP_WPrintDestGetInfo, api_WPrintDestGetInfo},
+ {"NetRemoteTOD", RAP_NetRemoteTOD, api_NetRemoteTOD},
+ {"WPrintQueuePurge", RAP_WPrintQPurge, api_WPrintQueueCtrl},
+ {"NetServerEnum", RAP_NetServerEnum2, api_RNetServerEnum}, /* anon OK */
+ {"WAccessGetUserPerms",RAP_WAccessGetUserPerms,api_WAccessGetUserPerms},
+ {"SetUserPassword", RAP_WUserPasswordSet2, api_SetUserPassword},
+ {"WWkstaUserLogon", RAP_WWkstaUserLogon, api_WWkstaUserLogon},
+ {"PrintJobInfo", RAP_WPrintJobSetInfo, api_PrintJobInfo},
+ {"WPrintDriverEnum", RAP_WPrintDriverEnum, api_WPrintDriverEnum},
+ {"WPrintQProcEnum", RAP_WPrintQProcessorEnum,api_WPrintQProcEnum},
+ {"WPrintPortEnum", RAP_WPrintPortEnum, api_WPrintPortEnum},
+ {"SamOEMChangePassword",RAP_SamOEMChgPasswordUser2_P,api_SamOEMChangePassword}, /* anon OK */
+ {NULL, -1, api_Unsupported}};
+
+/* The following RAP calls are not implemented by Samba:
+
+ RAP_WFileEnum2 - anon not OK
+*/
/****************************************************************************
Handle remote api calls
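Review bot: Every row of `api_commands[]` that omits the fourth initializer gets `auth_user` zero-initialized, so the table fails open: a RAP call added later is anonymous-callable unless someone remembers to append `True`, and an entry nobody has reviewed looks the same as one deliberately left open. Only two rows carry `/* anon OK */`. I would spell the value out on every row, e.g. `{"RNetShareGetInfo", RAP_WshareGetInfo, api_RNetShareGetInfo, False}, /* anon: not yet reviewed */`, so the reviewed-versus-unreviewed state is visible in the table itself. State-changing entries such as `RNetShareAdd`, `SetUserPassword` and the print queue/job control calls also stay ungated at this layer; whether their handlers enforce their own checks is not visible in this hunk, so a short comment naming where that is enforced would help the next reader.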
@@ -3628,6 +3632,15 @@ int api_reply(connection_struct *conn,uint16 vuid,char *outbuf,char *data,char *
}
}
+ /* Check whether this api call can be done anonymously */
+
+ if (api_commands[i].auth_user && lp_restrict_anonymous()) {
+ user_struct *user = get_valid_user_struct(vuid);
+
+ if (!user || user->guest)
+ return ERROR_NT(NT_STATUS_ACCESS_DENIED);
+ }
+
rdata = (char *)malloc(1024);
if (rdata)
memset(rdata,'\0',1024);
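Review bot: The new denial path in `api_reply` returns `NT_STATUS_ACCESS_DENIED` without leaving any trace, so an operator cannot see refused anonymous enumeration attempts, nor diagnose a legacy client that stops working once `lp_restrict_anonymous()` is enabled. I would log before returning, e.g. `DEBUG(3,("api_reply: anonymous RAP call %d denied\n", api_commands[i].id));`, and brace the `if (!user || user->guest)` body once it holds two statements. The check indexes `api_commands[i]` after a lookup loop that is only partly visible here; for an unknown call it presumably lands on the `{NULL, -1, api_Unsupported}` sentinel, whose `auth_user` is zero, so those requests are not gated. `api_reply` begins and ends outside this hunk.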