diff options
-rw-r--r-- | source3/lib/util_str.c | 16 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_cm.c | 15 | ||||
-rw-r--r-- | source3/rpc_parse/parse_lsa.c | 27 | ||||
-rw-r--r-- | source3/rpc_server/srv_lsa.c | 32 | ||||
-rw-r--r-- | source3/rpc_server/srv_lsa_nt.c | 34 |
5 files changed, 105 insertions, 19 deletions
diff --git a/source3/lib/util_str.c b/source3/lib/util_str.c index 6ebada94d7..6b6581b4a7 100644 --- a/source3/lib/util_str.c +++ b/source3/lib/util_str.c @@ -2092,3 +2092,19 @@ void string_append(char **left, const char *right) safe_strcat(*left, right, new_len-1); } + +BOOL add_string_to_array(TALLOC_CTX *mem_ctx, + const char *str, const char ***strings, + int *num) +{ + char *dup_str = talloc_strdup(mem_ctx, str); + + *strings = TALLOC_REALLOC_ARRAY(mem_ctx, *strings, const char *, (*num)+1); + + if ((*strings == NULL) || (dup_str == NULL)) + return False; + + (*strings)[*num] = dup_str; + *num += 1; + return True; +} diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c index 3b7459ab1d..9822d8d10e 100644 --- a/source3/nsswitch/winbindd_cm.c +++ b/source3/nsswitch/winbindd_cm.c @@ -446,21 +446,6 @@ static BOOL add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name, return True; } -static BOOL add_string_to_array(TALLOC_CTX *mem_ctx, - const char *str, char ***array, int *num) -{ - char *dup_str = talloc_strdup(mem_ctx, str); - - *array = TALLOC_REALLOC_ARRAY(mem_ctx, *array, char *, (*num)+1); - - if ((*array == NULL) || (dup_str == NULL)) - return False; - - (*array)[*num] = dup_str; - *num += 1; - return True; -} - static BOOL add_sockaddr_to_array(TALLOC_CTX *mem_ctx, struct in_addr ip, uint16 port, struct sockaddr_in **addrs, int *num) diff --git a/source3/rpc_parse/parse_lsa.c b/source3/rpc_parse/parse_lsa.c index a4a3917d2e..c4ff240cef 100644 --- a/source3/rpc_parse/parse_lsa.c +++ b/source3/rpc_parse/parse_lsa.c @@ -2300,6 +2300,33 @@ void init_q_enum_acct_rights(LSA_Q_ENUM_ACCT_RIGHTS *q_q, } /******************************************************************* +********************************************************************/ +NTSTATUS init_r_enum_acct_rights( LSA_R_ENUM_ACCT_RIGHTS *r_u, PRIVILEGE_SET *privileges ) +{ + uint32 i; + char *privname; + const char **privname_array = NULL; + int num_priv = 0; + + for ( i=0; i<privileges->count; i++ ) { + privname = luid_to_privilege_name( &privileges->set[i].luid ); + if ( privname ) { + if ( !add_string_to_array( get_talloc_ctx(), privname, &privname_array, &num_priv ) ) + return NT_STATUS_NO_MEMORY; + } + } + + if ( num_priv ) { + if ( !init_unistr2_array( &r_u->rights, num_priv, privname_array ) ) + return NT_STATUS_NO_MEMORY; + + r_u->count = num_priv; + } + + return NT_STATUS_OK; +} + +/******************************************************************* reads or writes a LSA_Q_ENUM_ACCT_RIGHTS structure. ********************************************************************/ BOOL lsa_io_q_enum_acct_rights(const char *desc, LSA_Q_ENUM_ACCT_RIGHTS *q_q, prs_struct *ps, int depth) diff --git a/source3/rpc_server/srv_lsa.c b/source3/rpc_server/srv_lsa.c index e250677534..e3c7832aac 100644 --- a/source3/rpc_server/srv_lsa.c +++ b/source3/rpc_server/srv_lsa.c @@ -704,6 +704,37 @@ static BOOL api_lsa_remove_acct_rights(pipes_struct *p) } /*************************************************************************** + api_lsa_enum_acct_rights + ***************************************************************************/ + +static BOOL api_lsa_enum_acct_rights(pipes_struct *p) +{ + LSA_Q_ENUM_ACCT_RIGHTS q_u; + LSA_R_ENUM_ACCT_RIGHTS r_u; + + prs_struct *data = &p->in_data.data; + prs_struct *rdata = &p->out_data.rdata; + + ZERO_STRUCT(q_u); + ZERO_STRUCT(r_u); + + if(!lsa_io_q_enum_acct_rights("", &q_u, data, 0)) { + DEBUG(0,("api_lsa_enum_acct_rights: failed to unmarshall LSA_Q_ENUM_ACCT_RIGHTS.\n")); + return False; + } + + r_u.status = _lsa_enum_acct_rights(p, &q_u, &r_u); + + /* store the response in the SMB stream */ + if(!lsa_io_r_enum_acct_rights("", &r_u, rdata, 0)) { + DEBUG(0,("api_lsa_enum_acct_rights: Failed to marshall LSA_R_ENUM_ACCT_RIGHTS.\n")); + return False; + } + + return True; +} + +/*************************************************************************** api_lsa_query_info2 ***************************************************************************/ @@ -761,6 +792,7 @@ static struct api_struct api_lsa_cmds[] = { "LSA_REMOVEPRIVS" , LSA_REMOVEPRIVS , api_lsa_removeprivs }, { "LSA_ADDACCTRIGHTS" , LSA_ADDACCTRIGHTS , api_lsa_add_acct_rights }, { "LSA_REMOVEACCTRIGHTS", LSA_REMOVEACCTRIGHTS, api_lsa_remove_acct_rights }, + { "LSA_ENUMACCTRIGHTS" , LSA_ENUMACCTRIGHTS , api_lsa_enum_acct_rights }, { "LSA_QUERYSECOBJ" , LSA_QUERYSECOBJ , api_lsa_query_secobj }, /* be careful of the adding of new RPC's. See commentrs below about ADS DC capabilities */ diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c index d5bddef739..304e1d363c 100644 --- a/source3/rpc_server/srv_lsa_nt.c +++ b/source3/rpc_server/srv_lsa_nt.c @@ -1370,9 +1370,6 @@ NTSTATUS _lsa_remove_acct_rights(pipes_struct *p, LSA_Q_REMOVE_ACCT_RIGHTS *q_u, if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) return NT_STATUS_ACCESS_DENIED; - /* according to an NT4 PDC, you can add privileges to SIDs even without - call_lsa_create_account() first. And you can use any arbitrary SID. */ - sid_copy( &sid, &q_u->sid.sid ); if ( q_u->removeall ) { @@ -1395,7 +1392,7 @@ NTSTATUS _lsa_remove_acct_rights(pipes_struct *p, LSA_Q_REMOVE_ACCT_RIGHTS *q_u, /* only try to add non-null strings */ if ( *privname && !revoke_privilege_by_name( &sid, privname ) ) { - DEBUG(2,("_lsa_remove_acct_rights: Failed to add privilege [%s]\n", privname )); + DEBUG(2,("_lsa_remove_acct_rights: Failed to revoke privilege [%s]\n", privname )); return NT_STATUS_NO_SUCH_PRIVILEGE; } } @@ -1404,3 +1401,32 @@ NTSTATUS _lsa_remove_acct_rights(pipes_struct *p, LSA_Q_REMOVE_ACCT_RIGHTS *q_u, } +NTSTATUS _lsa_enum_acct_rights(pipes_struct *p, LSA_Q_ENUM_ACCT_RIGHTS *q_u, LSA_R_ENUM_ACCT_RIGHTS *r_u) +{ + struct lsa_info *info = NULL; + DOM_SID sid; + PRIVILEGE_SET privileges; + + + /* find the connection policy handle. */ + + if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) + return NT_STATUS_INVALID_HANDLE; + + /* according to an NT4 PDC, you can add privileges to SIDs even without + call_lsa_create_account() first. And you can use any arbitrary SID. */ + + sid_copy( &sid, &q_u->sid.sid ); + + privilege_set_init( &privileges ); + + get_privileges_for_sids( &privileges, &sid, 1 ); + + r_u->status = init_r_enum_acct_rights( r_u, &privileges ); + + privilege_set_free( &privileges ); + + return r_u->status; +} + + |