summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2009-05-18 15:44:03 -0700
committerJeremy Allison <jra@samba.org>2009-05-18 15:44:03 -0700
commit459dc8f39c085d16bb8b4a04db33e5844f104395 (patch)
tree5c8378f7b161acab73b5ff7356d588b410ca2c84 /source3
parentd06051cc51ded9649d4c201afdf338c2426e6f5f (diff)
downloadsamba-459dc8f39c085d16bb8b4a04db33e5844f104395.tar.gz
samba-459dc8f39c085d16bb8b4a04db33e5844f104395.tar.bz2
samba-459dc8f39c085d16bb8b4a04db33e5844f104395.zip
Change access_check_samr_object -> access_check_object.
Make map_max_allowed_access global. Change lsa_get_generic_sd to add Everyone:LSA_POLICY_READ|LSA_POLICY_EXECUTE, not just LSA_POLICY_EXECUTE. Jeremy.
Diffstat (limited to 'source3')
-rw-r--r--source3/include/proto.h7
-rw-r--r--source3/rpc_server/srv_lsa_nt.c24
-rw-r--r--source3/rpc_server/srv_samr_nt.c18
3 files changed, 25 insertions, 24 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 5b5f9098e0..68c312568b 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -7174,4 +7174,11 @@ struct tevent_req *fncall_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
void *private_data);
int fncall_recv(struct tevent_req *req, int *perr);
+/* The following definitions come from rpc_server/srv_samr_nt.c */
+NTSTATUS access_check_object( SEC_DESC *psd, NT_USER_TOKEN *token,
+ SE_PRIV *rights, uint32 rights_mask,
+ uint32 des_access, uint32 *acc_granted,
+ const char *debug);
+void map_max_allowed_access(const NT_USER_TOKEN *token,
+ uint32_t *pacc_requested);
#endif /* _PROTO_H_ */
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index 27519a5c94..007467a42d 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -286,7 +286,8 @@ static NTSTATUS lsa_get_generic_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *s
SEC_ACL *psa = NULL;
- init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, LSA_POLICY_EXECUTE, 0);
+ init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
+ LSA_POLICY_READ|LSA_POLICY_EXECUTE, 0);
sid_copy(&adm_sid, get_global_sam_sid());
sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
@@ -365,6 +366,8 @@ NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
uint32 acc_granted;
NTSTATUS status;
+ /* Work out max allowed. */
+ map_max_allowed_access(p->server_info->ptok, &des_access);
/* map the generic bits to the lsa policy ones */
se_map_generic(&des_access, &lsa_generic_mapping);
@@ -372,22 +375,14 @@ NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
/* get the generic lsa policy SD until we store it */
lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
- status = se_access_check(psd, p->server_info->ptok, des_access,
- &acc_granted);
+ status = access_check_object(psd, p->server_info->ptok,
+ NULL, 0, des_access,
+ &acc_granted, "_lsa_OpenPolicy2" );
+
if (!NT_STATUS_IS_OK(status)) {
- if (p->server_info->utok.uid != sec_initial_uid()) {
- return status;
- }
- DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
- acc_granted, des_access));
- DEBUGADD(4,("but overwritten by euid == 0\n"));
+ return status;
}
- /* This is needed for lsa_open_account and rpcclient .... :-) */
-
- if (p->server_info->utok.uid == sec_initial_uid())
- acc_granted = LSA_POLICY_ALL_ACCESS;
-
/* associate the domain SID with the (unique) handle. */
info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
if (info == NULL) {
@@ -1565,7 +1560,6 @@ NTSTATUS _lsa_CreateAccount(pipes_struct *p,
return privilege_create_account( &info->sid );
}
-
/***************************************************************************
_lsa_OpenAccount
***************************************************************************/
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 09b97b2b39..d528c802e5 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -173,7 +173,7 @@ static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd
level of access for further checks.
********************************************************************/
-static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
+NTSTATUS access_check_object( SEC_DESC *psd, NT_USER_TOKEN *token,
SE_PRIV *rights, uint32 rights_mask,
uint32 des_access, uint32 *acc_granted,
const char *debug )
@@ -191,7 +191,7 @@ static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
saved_mask = (des_access & rights_mask);
des_access &= ~saved_mask;
- DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n",
+ DEBUG(4,("access_check_object: user rights access mask [0x%x]\n",
rights_mask));
}
@@ -235,7 +235,7 @@ done:
Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
********************************************************************/
-static void map_max_allowed_access(const NT_USER_TOKEN *token,
+void map_max_allowed_access(const NT_USER_TOKEN *token,
uint32_t *pacc_requested)
{
if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
@@ -573,7 +573,7 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p,
SAMR_DOMAIN_ACCESS_CREATE_ALIAS);
}
- status = access_check_samr_object( psd, p->server_info->ptok,
+ status = access_check_object( psd, p->server_info->ptok,
&se_rights, extra_access, des_access,
&acc_granted, "_samr_OpenDomain" );
@@ -2320,7 +2320,7 @@ NTSTATUS _samr_OpenUser(pipes_struct *p,
TALLOC_FREE(sampass);
- nt_status = access_check_samr_object(psd, p->server_info->ptok,
+ nt_status = access_check_object(psd, p->server_info->ptok,
&se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
&acc_granted, "_samr_OpenUser");
@@ -3727,7 +3727,7 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p,
* just assume we have all the rights we need ?
*/
- nt_status = access_check_samr_object(psd, p->server_info->ptok,
+ nt_status = access_check_object(psd, p->server_info->ptok,
&se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
&acc_granted, "_samr_CreateUser2");
@@ -3859,7 +3859,7 @@ NTSTATUS _samr_Connect2(pipes_struct *p,
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
se_map_generic(&des_access, &sam_generic_mapping);
- nt_status = access_check_samr_object(psd, p->server_info->ptok,
+ nt_status = access_check_object(psd, p->server_info->ptok,
NULL, 0, des_access, &acc_granted, fn);
if ( !NT_STATUS_IS_OK(nt_status) )
@@ -4074,7 +4074,7 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p,
se_priv_copy( &se_rights, &se_add_users );
- status = access_check_samr_object(psd, p->server_info->ptok,
+ status = access_check_object(psd, p->server_info->ptok,
&se_rights, GENERIC_RIGHTS_ALIAS_ALL_ACCESS,
des_access, &acc_granted, "_samr_OpenAlias");
@@ -6124,7 +6124,7 @@ NTSTATUS _samr_OpenGroup(pipes_struct *p,
se_priv_copy( &se_rights, &se_add_users );
- status = access_check_samr_object(psd, p->server_info->ptok,
+ status = access_check_object(psd, p->server_info->ptok,
&se_rights, GENERIC_RIGHTS_GROUP_ALL_ACCESS,
des_access, &acc_granted, "_samr_OpenGroup");