diff options
author | Andrew Tridgell <tridge@samba.org> | 2009-10-16 18:22:48 +1100 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2009-10-17 13:01:02 +1100 |
commit | 9526487010fff240d2f55f29352e7f74d3cec65a (patch) | |
tree | ba8d440aa57b15411488c98704f44c93008c8e28 /source4/rpc_server | |
parent | f794e8d43de1c2fb577b883f0e0b49f392fa14a1 (diff) | |
download | samba-9526487010fff240d2f55f29352e7f74d3cec65a.tar.gz samba-9526487010fff240d2f55f29352e7f74d3cec65a.tar.bz2 samba-9526487010fff240d2f55f29352e7f74d3cec65a.zip |
s4-lsasrv: make sure only admins can alter privileges
Diffstat (limited to 'source4/rpc_server')
-rw-r--r-- | source4/rpc_server/lsa/dcesrv_lsa.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c index 0a5fc54d68..0e6a55ec2f 100644 --- a/source4/rpc_server/lsa/dcesrv_lsa.c +++ b/source4/rpc_server/lsa/dcesrv_lsa.c @@ -1939,6 +1939,12 @@ static NTSTATUS dcesrv_lsa_AddRemoveAccountRights(struct dcesrv_call_state *dce_ struct lsa_EnumAccountRights r2; char *dnstr; + if (security_session_user_level(dce_call->conn->auth_state.session_info) < + SECURITY_ADMINISTRATOR) { + DEBUG(0,("lsa_AddRemoveAccount refused for supplied security token\n")); + return NT_STATUS_ACCESS_DENIED; + } + msg = ldb_msg_new(mem_ctx); if (msg == NULL) { return NT_STATUS_NO_MEMORY; |