summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
authorJim McDonough <jmcd@samba.org>2007-04-24 15:56:02 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:19:40 -0500
commit70806db06adb1dafd4de8728bb7b367b84f3740a (patch)
treea4c2b417ad8d8a306b31ab1034c0404afaec8c73 /source3
parent2ad66881dfd0fb8a03efc409af7f5bb6d3d204b2 (diff)
downloadsamba-70806db06adb1dafd4de8728bb7b367b84f3740a.tar.gz
samba-70806db06adb1dafd4de8728bb7b367b84f3740a.tar.bz2
samba-70806db06adb1dafd4de8728bb7b367b84f3740a.zip
r22504: Fix bug Jerry found during his tutorial. Sorry :-(
Allows authorized users (e.g. BUILTIN\Administrators members) to set attributes on an account, particularly "user cannot change password". add become_root() around updating attributes, after checking that access has been granted. (This used to be commit b1ab360519a1f67f50446ca8599e5b7aa58e7db3)
Diffstat (limited to 'source3')
-rw-r--r--source3/rpc_server/srv_samr_nt.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index c743e68530..be73b33265 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -724,7 +724,12 @@ NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_
return NT_STATUS_ACCESS_DENIED;
}
- status = pdb_update_sam_account(sampass);
+ status = access_check_samr_function(acc_granted, SA_RIGHT_USER_SET_ATTRIBUTES, "_samr_set_sec_obj");
+ if NT_STATUS_IS_OK(status) {
+ become_root();
+ status = pdb_update_sam_account(sampass);
+ unbecome_root();
+ }
TALLOC_FREE(sampass);