-rw-r--r--source3/smbd/password.c33
1 files changed, 23 insertions, 10 deletions
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index 193653a867..1924bf3217 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -192,28 +192,41 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups,
psids = token->user_sids;
- sid_copy( &psids[psid_ndx++], &global_sid_World);
- sid_copy( &psids[psid_ndx++], &global_sid_Network);
-
/*
- * The only difference between guest and "anonymous" (which we
- * don't really support) is the addition of Authenticated_Users.
+ * Note - user SID *MUST* be first in token !
+ * se_access_check depends on this.
*/
- if (is_guest)
- sid_copy( &psids[psid_ndx++], &global_sid_Builtin_Guests);
- else
- sid_copy( &psids[psid_ndx++], &global_sid_Authenticated_Users);
-
uid_to_sid( &psids[psid_ndx++], uid);
+
+ /*
+ * Primary group SID is second in token. Convention.
+ */
+
gid_to_sid( &psids[psid_ndx++], gid);
+ /* Now add the group SIDs. */
+
for (i = 0; i < ngroups; i++) {
if (groups[i] != gid) {
gid_to_sid( &psids[psid_ndx++], groups[i]);
}
}
+ /*
+ * Finally add the "standard" SIDs.
+ * The only difference between guest and "anonymous" (which we
+ * don't really support) is the addition of Authenticated_Users.
+ */
+
+ sid_copy( &psids[psid_ndx++], &global_sid_World);
+ sid_copy( &psids[psid_ndx++], &global_sid_Network);
+
+ if (is_guest)
+ sid_copy( &psids[psid_ndx++], &global_sid_Builtin_Guests);
+ else
+ sid_copy( &psids[psid_ndx++], &global_sid_Authenticated_Users);
+
token->num_sids = psid_ndx;
return token;
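Review bot: The ordering rule in the new comment (user SID first, because se_access_check depends on it) is recorded only inside create_nt_token, so other code that builds or edits an NT_USER_TOKEN cannot learn it from the type and could presumably break access checks by reordering. I would also state it where the token type is declared, e.g. `/* user_sids[0] is the user SID, user_sids[1] the primary group SID; se_access_check relies on [0]. */`. Separately, this block writes up to ngroups + 5 entries through `psid_ndx++` with no bound visible in the hunk. The allocation of token->user_sids lies outside it, so its size should be confirmed against that count. The function body starts before and continues after the lines shown.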