author | Andrew Bartlett <abartlet@samba.org> | 2002-09-26 13:31:49 +0000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2002-09-26 13:31:49 +0000 |
commit | a5c8985215758d37bcd89f63b97f2ad86393f9c2 (patch) | |
tree | 233fb2438230f04a9a72bedd786ebad2219a84da /source3 | |
parent | fc4100eabe702c99dd157044fff2587098b3075b (diff) | |
download | samba-a5c8985215758d37bcd89f63b97f2ad86393f9c2.tar.gz samba-a5c8985215758d37bcd89f63b97f2ad86393f9c2.tar.bz2 samba-a5c8985215758d37bcd89f63b97f2ad86393f9c2.zip |
Patch from "Kai Krueger" <kai@kruegernetz.de> to get some more of our access
control bits right on the SAMR pipe.
Andrew Bartlett
(This used to be commit e87948c777b59592b130da081ef5d25600455d29)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/include/rpc_samr.h | 86 | ||||
-rw-r--r-- | source3/rpc_server/srv_samr_nt.c | 19 |
2 files changed, 58 insertions, 47 deletions
diff --git a/source3/include/rpc_samr.h b/source3/include/rpc_samr.h
index 72c65ebfb7..95e79b39ad 100644
--- a/source3/include/rpc_samr.h
+++ b/source3/include/rpc_samr.h
@@ -177,49 +177,49 @@ SamrTestPrivateFunctionsUser
 SAMR_ACCESS_UNKNOWN_1 )
 /* Access bits to Domain-objects */
-
-#define DOMAIN_ACCESS_LOOKUP_INFO_1 0x00000001
-#define DOMAIN_ACCESS_SET_INFO_1 0x00000002
-#define DOMAIN_ACCESS_LOOKUP_INFO_2 0x00000004
-#define DOMAIN_ACCESS_SET_INFO_2 0x00000008
-#define DOMAIN_ACCESS_CREATE_USER 0x00000010
-#define DOMAIN_ACCESS_CREATE_GROUP 0x00000020
-#define DOMAIN_ACCESS_CREATE_ALIAS 0x00000040
-#define DOMAIN_ACCESS_UNKNOWN_80 0x00000080
-#define DOMAIN_ACCESS_ENUM_ACCOUNTS 0x00000100
-#define DOMAIN_ACCESS_OPEN_ACCOUNT 0x00000200
-#define DOMAIN_ACCESS_SET_INFO_3 0x00000400
-
-#define DOMAIN_ALL_ACCESS ( STANDARD_RIGHTS_REQUIRED_ACCESS | \
- DOMAIN_ACCESS_SET_INFO_3 | \
- DOMAIN_ACCESS_OPEN_ACCOUNT | \
- DOMAIN_ACCESS_ENUM_ACCOUNTS | \
- DOMAIN_ACCESS_UNKNOWN_80 | \
- DOMAIN_ACCESS_CREATE_ALIAS | \
- DOMAIN_ACCESS_CREATE_GROUP | \
- DOMAIN_ACCESS_CREATE_USER | \
- DOMAIN_ACCESS_SET_INFO_2 | \
- DOMAIN_ACCESS_LOOKUP_INFO_2 | \
- DOMAIN_ACCESS_SET_INFO_1 | \
- DOMAIN_ACCESS_LOOKUP_INFO_1 )
-
-#define DOMAIN_READ ( STANDARD_RIGHTS_READ_ACCESS | \
- DOMAIN_ACCESS_UNKNOWN_80 | \
- DOMAIN_ACCESS_LOOKUP_INFO_2 )
-
-#define DOMAIN_WRITE ( STANDARD_RIGHTS_WRITE_ACCESS | \
- DOMAIN_ACCESS_SET_INFO_3 | \
- DOMAIN_ACCESS_CREATE_ALIAS | \
- DOMAIN_ACCESS_CREATE_GROUP | \
- DOMAIN_ACCESS_CREATE_USER | \
- DOMAIN_ACCESS_SET_INFO_2 | \
- DOMAIN_ACCESS_SET_INFO_1 )
-
-#define DOMAIN_EXECUTE ( STANDARD_RIGHTS_EXECUTE_ACCESS | \
- DOMAIN_ACCESS_OPEN_ACCOUNT | \
- DOMAIN_ACCESS_ENUM_ACCOUNTS | \
- DOMAIN_ACCESS_LOOKUP_INFO_1 )
-
+
+#define DOMAIN_ACCESS_LOOKUP_INFO_1 0x000000001
+#define DOMAIN_ACCESS_SET_INFO_1 0x000000002
+#define DOMAIN_ACCESS_LOOKUP_INFO_2 0x000000004
+#define DOMAIN_ACCESS_SET_INFO_2 0x000000008
+#define DOMAIN_ACCESS_CREATE_USER 0x000000010
+#define DOMAIN_ACCESS_CREATE_GROUP 0x000000020
+#define DOMAIN_ACCESS_CREATE_ALIAS 0x000000040
+#define DOMAIN_ACCESS_LOOKUP_ALIAS_BY_MEM 0x000000080
+#define DOMAIN_ACCESS_ENUM_ACCOUNTS 0x000000100
+#define DOMAIN_ACCESS_OPEN_ACCOUNT 0x000000200
+#define DOMAIN_ACCESS_SET_INFO_3 0x000000400
+
+#define DOMAIN_ALL_ACCESS ( STANDARD_RIGHTS_REQUIRED_ACCESS | \
+ DOMAIN_ACCESS_SET_INFO_3 | \
+ DOMAIN_ACCESS_OPEN_ACCOUNT | \
+ DOMAIN_ACCESS_ENUM_ACCOUNTS | \
+ DOMAIN_ACCESS_LOOKUP_ALIAS_BY_MEM | \
+ DOMAIN_ACCESS_CREATE_ALIAS | \
+ DOMAIN_ACCESS_CREATE_GROUP | \
+ DOMAIN_ACCESS_CREATE_USER | \
+ DOMAIN_ACCESS_SET_INFO_2 | \
+ DOMAIN_ACCESS_LOOKUP_INFO_2 | \
+ DOMAIN_ACCESS_SET_INFO_1 | \
+ DOMAIN_ACCESS_LOOKUP_INFO_1 )
+
+#define DOMAIN_READ ( STANDARD_RIGHTS_READ_ACCESS | \
+ DOMAIN_ACCESS_LOOKUP_ALIAS_BY_MEM | \
+ DOMAIN_ACCESS_LOOKUP_INFO_2 )
+
+#define DOMAIN_WRITE ( STANDARD_RIGHTS_WRITE_ACCESS | \
+ DOMAIN_ACCESS_SET_INFO_3 | \
+ DOMAIN_ACCESS_CREATE_ALIAS | \
+ DOMAIN_ACCESS_CREATE_GROUP | \
+ DOMAIN_ACCESS_CREATE_USER | \
+ DOMAIN_ACCESS_SET_INFO_2 | \
+ DOMAIN_ACCESS_SET_INFO_1 )
+
+#define DOMAIN_EXECUTE ( STANDARD_RIGHTS_EXECUTE_ACCESS | \
+ DOMAIN_ACCESS_OPEN_ACCOUNT | \
+ DOMAIN_ACCESS_ENUM_ACCOUNTS | \
+ DOMAIN_ACCESS_LOOKUP_INFO_1 )
+
 /* Access bits to User-objects */
 #define USER_ACCESS_GET_NAME_ETC 0x00000001
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 6e9ba2f026..c5a2c54511 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -3059,6 +3059,10 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u,
 uint32 *rids=NULL, *new_rids=NULL, *tmp_rids=NULL;
 struct samr_info *info = NULL;
 int i,j;
+
+ NTSTATUS ntstatus1;
+ NTSTATUS ntstatus2;
+
 /* until i see a real useraliases query, we fack one up */
 /* I have seen one, JFM 2/12/2001 */
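Review bot: Every DOMAIN_ACCESS_* literal on the new side is written with nine hex digits (`0x000000001` … `0x000000400`) while the removed lines and the `USER_ACCESS_GET_NAME_ETC 0x00000001` context line use eight; the values are unchanged, but the extra zero reads as a wider-than-32-bit mask and turns a one-name rename into a 43-line rewrite of the block. The only substantive change here is `DOMAIN_ACCESS_UNKNOWN_80` becoming `DOMAIN_ACCESS_LOOKUP_ALIAS_BY_MEM`, which matches the MS-SAMR name for bit 0x80; keeping `#define DOMAIN_ACCESS_LOOKUP_ALIAS_BY_MEM 0x00000080` in the existing eight-digit form would make that the whole diff. A one-line comment on that define saying it is the right checked by the user-aliases lookup (the check added in srv_samr_nt.c) would help the next reader, since the header otherwise gives no hint which RPC consumes it.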
@@ -3084,9 +3088,15 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u,
 if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
 return NT_STATUS_INVALID_HANDLE;
- if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, USER_ACCESS_GET_GROUPS, "_samr_query_useraliases"))) {
- return r_u->status;
- }
+ ntstatus1 = access_check_samr_function(info->acc_granted, DOMAIN_ACCESS_LOOKUP_ALIAS_BY_MEM, "_samr_query_useraliases");
+ ntstatus2 = access_check_samr_function(info->acc_granted, DOMAIN_ACCESS_OPEN_ACCOUNT, "_samr_query_useraliases");
+
+ if (!NT_STATUS_IS_OK(ntstatus1) || !NT_STATUS_IS_OK(ntstatus2)) {
+ if (!(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus2)) &&
+ !(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus1))) {
+ return (NT_STATUS_IS_OK(ntstatus1)) ? ntstatus2 : ntstatus1;
+ }
+ }
 if (!sid_check_is_domain(&info->sid) &&
 !sid_check_is_builtin(&info->sid))
@@ -3157,7 +3167,8 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_
 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted))
 return NT_STATUS_INVALID_HANDLE;
- if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, ALIAS_ACCESS_GET_MEMBERS, "_samr_query_aliasmem"))) {
+ if (!NT_STATUS_IS_OK(r_u->status =
+ access_check_samr_function(acc_granted, ALIAS_ACCESS_GET_MEMBERS, "_samr_query_aliasmem"))) {
 return r_u->status;
 }
|
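Review bot: The second clause of the inner `if` tests `ntstatus1` against NT_STATUS_ACCESS_DENIED and NT_STATUS_IS_OK at the same time, which can never both hold, so that clause is always true and the whole condition collapses to the first clause: a handle that carries DOMAIN_ACCESS_LOOKUP_ALIAS_BY_MEM but not DOMAIN_ACCESS_OPEN_ACCOUNT is still refused with ntstatus2, even though LOOKUP_ALIAS_BY_MEM is the very right this call is meant to accept. It looks like a copy-paste slip and the clause should mirror the first one, `!(NT_STATUS_EQUAL(ntstatus2,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus1))) {`; the mistake fails closed, so it is a regression for legitimately authorized callers rather than a bypass, but it means the new header bit is never actually the one that grants access. Separately, the removed lines stored the result in `r_u->status` before returning, whereas the new path returns `ntstatus1`/`ntstatus2` without touching `r_u->status`; if the dispatcher reads the reply structure rather than the return value, a denial would be reported as success there, which is worth confirming outside this hunk. Running both checks unconditionally also means the first call may report a denial for every caller that holds only the second right, if access_check_samr_function logs on failure, so checking ntstatus2 only when ntstatus1 is denied would keep the audit trail accurate. `_samr_query_useraliases` begins and ends outside this hunk.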