diff options
-rw-r--r-- | source3/include/proto.h | 8 | ||||
-rw-r--r-- | source3/rpc_server/srv_srvsvc_nt.c | 14 | ||||
-rw-r--r-- | source3/smbd/service.c | 44 |
3 files changed, 40 insertions, 26 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h index 453714c044..e606724363 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -1879,6 +1879,12 @@ BOOL pm_process( char *FileName, BOOL pdb_generate_sam_sid(void); +/*The following definitions come from passdb/pampass.c */ + +BOOL PAM_session(BOOL instance, const connection_struct *conn, char *tty); +BOOL pam_passcheck(char * user, char * password); +BOOL pam_passcheck( char * user, char * password ); + /*The following definitions come from passdb/pass_check.c */ void dfs_unlogin(void); @@ -3768,7 +3774,7 @@ BOOL api_srvsvc_rpc(pipes_struct *p); BOOL share_info_db_init(void); void map_generic_share_sd_bits(SEC_DESC *psd); -BOOL share_access_check(int snum, uint16 vuid, uint32 desired_access); +BOOL share_access_check(connection_struct *conn, int snum, uint16 vuid, uint32 desired_access); uint32 _srv_net_srv_get_info(pipes_struct *p, SRV_Q_NET_SRV_GET_INFO *q_u, SRV_R_NET_SRV_GET_INFO *r_u); uint32 _srv_net_file_enum(pipes_struct *p, SRV_Q_NET_FILE_ENUM *q_u, SRV_R_NET_FILE_ENUM *r_u); uint32 _srv_net_conn_enum(pipes_struct *p, SRV_Q_NET_CONN_ENUM *q_u, SRV_R_NET_CONN_ENUM *r_u); diff --git a/source3/rpc_server/srv_srvsvc_nt.c b/source3/rpc_server/srv_srvsvc_nt.c index bce5c33225..0c165bf9fa 100644 --- a/source3/rpc_server/srv_srvsvc_nt.c +++ b/source3/rpc_server/srv_srvsvc_nt.c @@ -293,7 +293,7 @@ void map_generic_share_sd_bits(SEC_DESC *psd) Can this user access with share with the required permissions ? ********************************************************************/ -BOOL share_access_check(int snum, uint16 vuid, uint32 desired_access) +BOOL share_access_check(connection_struct *conn, int snum, uint16 vuid, uint32 desired_access) { uint32 granted, status; TALLOC_CTX *mem_ctx = NULL; @@ -313,17 +313,25 @@ BOOL share_access_check(int snum, uint16 vuid, uint32 desired_access) if (!psd) goto out; + ZERO_STRUCT(tmp_user); if (vuser) { - ZERO_STRUCT(tmp_user); tmp_user.vuid = vuid; tmp_user.uid = vuser->uid; tmp_user.gid = vuser->gid; tmp_user.ngroups = vuser->n_groups; tmp_user.groups = vuser->groups; tmp_user.nt_user_token = vuser->nt_user_token; - puser = &tmp_user; + } else { + tmp_user.vuid = vuid; + tmp_user.uid = conn->uid; + tmp_user.gid = conn->gid; + tmp_user.ngroups = conn->ngroups; + tmp_user.groups = conn->groups; + tmp_user.nt_user_token = conn->nt_user_token; } + puser = &tmp_user; + ret = se_access_check(psd, puser, desired_access, &granted, &status); out: diff --git a/source3/smbd/service.c b/source3/smbd/service.c index 11ae11054a..507d07cc42 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -343,28 +343,6 @@ connection_struct *make_connection(char *service,char *user,char *password, int conn->read_only = lp_readonly(snum); - /* - * New code to check if there's a share security descripter - * added from NT server manager. This is an additional check - * before the smb.conf checks are done. JRA. - */ - - { - BOOL can_write = share_access_check(snum, vuid, FILE_WRITE_DATA); - - if (!can_write) { - if (!share_access_check(snum, vuid, FILE_READ_DATA)) { - /* No access, read or write. */ - *ecode = ERRaccess; - DEBUG(0,( "make_connection: connection to %s denied due to security descriptor.\n", - service )); - conn_free(conn); - return NULL; - } else { - conn->read_only = True; - } - } - } { pstring list; @@ -527,6 +505,28 @@ connection_struct *make_connection(char *service,char *user,char *password, int conn->ngroups, conn->groups, guest); + /* + * New code to check if there's a share security descripter + * added from NT server manager. This is done after the + * smb.conf checks are done as we need a uid and token. JRA. + */ + + { + BOOL can_write = share_access_check(conn, snum, vuid, FILE_WRITE_DATA); + + if (!can_write) { + if (!share_access_check(conn, snum, vuid, FILE_READ_DATA)) { + /* No access, read or write. */ + *ecode = ERRaccess; + DEBUG(0,( "make_connection: connection to %s denied due to security descriptor.\n", + service )); + conn_free(conn); + return NULL; + } else { + conn->read_only = True; + } + } + } /* Initialise VFS function pointers */ if (*lp_vfsobj(SNUM(conn))) { |