-rw-r--r-- | docs/manpages/smb.conf.5 | 9 | ||||
-rw-r--r-- | source3/groupdb/mapping.c | 30 | ||||
-rw-r--r-- | source3/rpc_server/srv_samr_nt.c | 12 | ||||
-rw-r--r-- | source3/utils/net_rpc_samsync.c | 5 |
4 files changed, 46 insertions, 10 deletions
diff --git a/docs/manpages/smb.conf.5 b/docs/manpages/smb.conf.5
index 990ba027ab..8967134481 100644
--- a/docs/manpages/smb.conf.5
+++ b/docs/manpages/smb.conf.5
@@ -1616,8 +1616,13 @@ Example: \fBadd user script = /usr/local/samba/bin/add_user %u\fR
 .TP
 \fBadd group script (G)\fR
-This is the full pathname to a script that will
-be run \fBAS ROOT\fR by smbd(8) when a new group is requested. It will expand any \fI%g\fR to the group name passed. This script is only useful for installations using the Windows NT domain administration tools.
+This is the full pathname to a script that will be run \fBAS ROOT\fR
+by smbd(8) when a new group is requested. It will expand any \fI%g\fR
+to the group name passed. This script is only useful for
+installations using the Windows NT domain administration tools. The
+script is free to create a group with an arbitrary name to circumvent
+unix group name restrictions. In that case the script must print the
+numeric gid of the created group on stdout.
 .TP
 \fBadmin users (S)\fR
 This is a list of users who will be granted
diff --git a/source3/groupdb/mapping.c b/source3/groupdb/mapping.c
index 2c9c7f47ea..5641431246 100644
--- a/source3/groupdb/mapping.c
+++ b/source3/groupdb/mapping.c
@@ -1156,16 +1156,42 @@ BOOL get_uid_list_of_group(gid_t gid, uid_t **uid, int *num_uids)
 Create a UNIX group on demand.
 ****************************************************************************/
-int smb_create_group(char *unix_group)
+int smb_create_group(char *unix_group, gid_t *new_gid)
 {
 pstring add_script;
 int ret;
+ int fd = 0;
 pstrcpy(add_script, lp_addgroup_script());
 if (! *add_script) return -1;
 pstring_sub(add_script, "%g", unix_group);
- ret = smbrun(add_script,NULL);
+ ret = smbrun(add_script, (new_gid!=NULL) ? &fd : NULL);
 DEBUG(3,("smb_create_group: Running the command `%s' gave %d\n",add_script,ret));
+ if (ret != 0)
+ return ret;
+
+ if (fd != 0) {
+ fstring output;
+
+ *new_gid = 0;
+ if (read(fd, output, sizeof(output)) > 0) {
+ *new_gid = (gid_t)strtoul(output, NULL, 10);
+ }
+ close(fd);
+
+ if (*new_gid == 0) {
+ /* The output was garbage. We assume nobody
+ will create group 0 via smbd. Now we try to
+ get the group via getgrnam. */
+
+ struct group *grp = getgrnam(unix_group);
+ if (grp != NULL)
+ *new_gid = grp->gr_gid;
+ else
+ return 1;
+ }
+ }
+
 return ret;
 }
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index fd1111d5dc..ea631838da 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -3857,6 +3857,7 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S
 struct samr_info *info;
 PRIVILEGE_SET priv_set;
 uint32 acc_granted;
+ gid_t gid;
 init_privilege(&priv_set);
@@ -3880,10 +3881,11 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S
 return NT_STATUS_GROUP_EXISTS;
 /* we can create the UNIX group */
- smb_create_group(name);
+ if (smb_create_group(name, &gid) != 0)
+ return NT_STATUS_ACCESS_DENIED;
 /* check if the group has been successfully created */
- if ((grp=getgrnam(name)) == NULL)
+ if ((grp=getgrgid(gid)) == NULL)
 return NT_STATUS_ACCESS_DENIED;
 r_u->rid=pdb_gid_to_group_rid(grp->gr_gid);
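Review bot: In the new `if (fd != 0)` branch of smb_create_group, `output` is an uninitialised `fstring` that `read()` may fill only partly or completely, and it is passed to `strtoul()` without a terminating NUL, so the parse can run over stale stack bytes or past the buffer. With a NULL end pointer the call also cannot tell "no digits" from a real value. Because this gid decides which Unix group the new domain group is bound to, read at most `sizeof(output)-1` bytes, terminate the buffer, and treat input with no digits as garbage so the existing getgrnam fallback runs. Separately, `int fd = 0` uses a valid descriptor number as the "not set" marker and the early `return ret` never closes `fd`; whether smbrun leaves it open on a non-zero exit is not visible in this hunk and should be confirmed.

```c
	if (fd != 0) {
		fstring output;
		char *end = NULL;
		ssize_t n;

		*new_gid = 0;
		n = read(fd, output, sizeof(output)-1);
		if (n > 0) {
			output[n] = '\0';
			*new_gid = (gid_t)strtoul(output, &end, 10);
			if (end == output)
				*new_gid = 0;	/* no digits: use the getgrnam fallback */
		}
		/* … unchanged: close(fd) and the getgrnam fallback for *new_gid == 0 … */
	}
```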
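Review bot: In _samr_create_dom_group the only remaining check is `getgrgid(gid)`, which shows that some group has that gid, not that the add group script just created it; the matching hunk in _samr_create_dom_alias has the same gap. A script that prints a wrong or stale number would bind the new RID (`pdb_gid_to_group_rid(grp->gr_gid)`) to a Unix group that already exists, possibly a privileged one, where the old `getgrnam(name)` check at least tied the result to the requested name. Consider refusing a gid that already backs another mapped group, and record the trust assumption next to the call, for example `/* gid is taken from the add group script's stdout; the script is trusted to report the group it created */`. Both functions start and end outside these hunks.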
@@ -3920,6 +3922,7 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S
 struct samr_info *info;
 PRIVILEGE_SET priv_set;
 uint32 acc_granted;
+ gid_t gid;
 init_privilege(&priv_set);
@@ -3943,10 +3946,11 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S
 return NT_STATUS_GROUP_EXISTS;
 /* we can create the UNIX group */
- smb_create_group(name);
+ if (smb_create_group(name, &gid) != 0)
+ return NT_STATUS_ACCESS_DENIED;
 /* check if the group has been successfully created */
- if ((grp=getgrnam(name)) == NULL)
+ if ((grp=getgrgid(gid)) == NULL)
 return NT_STATUS_ACCESS_DENIED;
 r_u->rid=pdb_gid_to_group_rid(grp->gr_gid);
diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c
index 9d54a771fc..95a813dcfd 100644
--- a/source3/utils/net_rpc_samsync.c
+++ b/source3/utils/net_rpc_samsync.c
@@ -323,14 +323,15 @@ fetch_group_info(uint32 rid, SAM_GROUP_INFO *delta)
 fstring sid_string;
 GROUP_MAP map;
 int flag = TDB_INSERT;
+ gid_t gid;
 unistr2_to_ascii(name, &delta->uni_grp_name, sizeof(name)-1);
 unistr2_to_ascii(comment, &delta->uni_grp_desc, sizeof(comment)-1);
 if ((grp = getgrnam(name)) == NULL)
- smb_create_group(name, &gid);
+ smb_create_group(name, &gid);
- if ((grp = getgrnam(name)) == NULL)
+ if ((grp = getgrgid(gid)) == NULL)
 return NT_STATUS_ACCESS_DENIED;
 /* add the group to the mapping table */ |
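Review bot: `gid` is read uninitialised in fetch_group_info whenever `getgrnam(name)` already finds the group, because smb_create_group() is then skipped and the following `getgrgid(gid)` replaces the valid `grp` with a lookup of an indeterminate value. The same happens when the script fails, since the return value of smb_create_group() is ignored here, unlike in the srv_samr_nt.c callers. The group mapping written further down could then point at an arbitrary Unix group. Restrict the gid lookup to the creation path, e.g. `if ((grp = getgrnam(name)) == NULL && (smb_create_group(name, &gid) != 0 || (grp = getgrgid(gid)) == NULL))` followed by `return NT_STATUS_ACCESS_DENIED;`. The function body starts before and continues after this hunk.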