diff options
author | Andreas Schneider <asn@samba.org> | 2013-07-31 16:49:36 +0200 |
---|---|---|
committer | Günther Deschner <gd@samba.org> | 2013-08-06 14:42:14 +0200 |
commit | 4520787080b84cd25034bb340513b15de6df1eb0 (patch) | |
tree | adbbf7c7e9ee664178a85c7bbc184ac2f46c916f /source3 | |
parent | 0ede70c51af54212c700fb1791e2a192e412d851 (diff) | |
download | samba-4520787080b84cd25034bb340513b15de6df1eb0.tar.gz samba-4520787080b84cd25034bb340513b15de6df1eb0.tar.bz2 samba-4520787080b84cd25034bb340513b15de6df1eb0.zip |
s3-rpc_server: Grant the system token full access.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Diffstat (limited to 'source3')
-rw-r--r-- | source3/rpc_server/srv_access_check.c | 24 |
1 files changed, 18 insertions, 6 deletions
diff --git a/source3/rpc_server/srv_access_check.c b/source3/rpc_server/srv_access_check.c index f667d7b23d..3efc75b3cb 100644 --- a/source3/rpc_server/srv_access_check.c +++ b/source3/rpc_server/srv_access_check.c @@ -54,6 +54,21 @@ NTSTATUS access_check_object( struct security_descriptor *psd, struct security_t NTSTATUS status = NT_STATUS_ACCESS_DENIED; uint32 saved_mask = 0; bool priv_granted = false; + bool is_system = false; + bool is_root = false; + + /* Check if we are are the system token */ + if (security_token_is_system(token) && + security_token_system_privilege(token)) { + is_system = true; + } + + /* Check if we are root */ + if (geteuid() == sec_initial_uid()) { + is_root = true; + } + + /* Check if we are root */ /* check privileges; certain SAM access bits should be overridden by privileges (mostly having to do with creating/modifying/deleting @@ -71,18 +86,15 @@ NTSTATUS access_check_object( struct security_descriptor *psd, struct security_t /* check the security descriptor first */ - status = se_access_check(psd, token, des_access, acc_granted); if (NT_STATUS_IS_OK(status)) { goto done; } - /* give root a free pass */ - - if ( geteuid() == sec_initial_uid() ) { - + if (is_system || is_root) { DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access)); - DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n")); + DEBUGADD(4,("but overritten by %s\n", + is_root ? "euid == initial uid" : "system token")); priv_granted = true; *acc_granted = des_access; |