author | Jeremy Allison <jra@samba.org> | 2009-05-15 13:36:43 -0700 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2009-05-15 13:36:43 -0700 |
commit | 5adb3b884130d6d292a4e25e3b32c50bc884dbf9 (patch) | |
tree | 6166bb03b9ae39d7f5f544c0da1d846a9328bb9c /source3 | |
parent | 2b784738d7ce444fb63e2cac91ad2e220cc6e551 (diff) | |
Add extra abilities for a user with SeAddUsers, so they
can manipulate groups and aliases.
Jeremy.
Diffstat (limited to 'source3')
-rw-r--r-- | source3/rpc_server/srv_samr_nt.c | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 8b1a90af02..f1725e2454 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -537,6 +537,7 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p,
 uint32 des_access = r->in.access_mask;
 NTSTATUS status;
 size_t sd_size;
+ uint32_t extra_access = SAMR_DOMAIN_ACCESS_CREATE_USER;
 SE_PRIV se_rights;
 /* find the connection policy handle. */
@@ -555,13 +556,25 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p,
 /*
 * Users with SeMachineAccount or SeAddUser get additional
- * SAMR_DOMAIN_ACCESS_CREATE_USER access, but no more.
+ * SAMR_DOMAIN_ACCESS_CREATE_USER access.
 */
 se_priv_copy( &se_rights, &se_machine_account );
 se_priv_add( &se_rights, &se_add_users );
+ /*
+ * Users with SeAddUser get the ability to manipulate groups
+ * and aliases.
+ */
+ if (user_has_any_privilege(p->server_info->ptok, &se_add_users)) {
+ extra_access |= (SAMR_DOMAIN_ACCESS_CREATE_GROUP |
+ SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS |
+ SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT |
+ SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS |
+ SAMR_DOMAIN_ACCESS_CREATE_ALIAS);
+ }
+
 status = access_check_samr_object( psd, p->server_info->ptok,
- &se_rights, SAMR_DOMAIN_ACCESS_CREATE_USER, des_access,
+ &se_rights, extra_access, des_access,
 &acc_granted, "_samr_OpenDomain" );
 if ( !NT_STATUS_IS_OK(status) ) |
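Review bot: The new comment in the second hunk understates the grant: it says SeAddUsers holders can "manipulate groups and aliases", but the mask OR-ed into `extra_access` also carries `SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS` and `SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT`, which by name are not limited to groups and aliases. With the old "but no more" wording removed, the comment should spell out the whole privilege-derived grant and where it is bounded, for example `/* SeAddUsers additionally grants enumerate/open-account, lookup-alias and create group/alias on the domain handle; the per-object open calls must still enforce their own access checks. */`. Whether those per-object checks actually limit an SeAddUsers holder is not visible here and is worth confirming before relying on this widening. The `if` guard suggests a token holding only SeMachineAccount still gets just `SAMR_DOMAIN_ACCESS_CREATE_USER`, but that depends on how `access_check_samr_object` combines `&se_rights` with `extra_access`, which is also outside the hunk; `_samr_OpenDomain` itself starts and ends outside the lines shown.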