diff options
author | Jim McDonough <jmcd@samba.org> | 2007-04-24 15:56:02 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:19:40 -0500 |
commit | 70806db06adb1dafd4de8728bb7b367b84f3740a (patch) | |
tree | a4c2b417ad8d8a306b31ab1034c0404afaec8c73 /source3 | |
parent | 2ad66881dfd0fb8a03efc409af7f5bb6d3d204b2 (diff) | |
download | samba-70806db06adb1dafd4de8728bb7b367b84f3740a.tar.gz samba-70806db06adb1dafd4de8728bb7b367b84f3740a.tar.bz2 samba-70806db06adb1dafd4de8728bb7b367b84f3740a.zip |
r22504: Fix bug Jerry found during his tutorial. Sorry :-(
Allows authorized users (e.g. BUILTIN\Administrators members) to
set attributes on an account, particularly "user cannot change
password".
add become_root() around updating attributes, after checking that
access has been granted.
(This used to be commit b1ab360519a1f67f50446ca8599e5b7aa58e7db3)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/rpc_server/srv_samr_nt.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index c743e68530..be73b33265 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -724,7 +724,12 @@ NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_ return NT_STATUS_ACCESS_DENIED; } - status = pdb_update_sam_account(sampass); + status = access_check_samr_function(acc_granted, SA_RIGHT_USER_SET_ATTRIBUTES, "_samr_set_sec_obj"); + if NT_STATUS_IS_OK(status) { + become_root(); + status = pdb_update_sam_account(sampass); + unbecome_root(); + } TALLOC_FREE(sampass); |