diff options
Diffstat (limited to 'source3/rpc_server/srv_lsa_nt.c')
| -rw-r--r-- | source3/rpc_server/srv_lsa_nt.c | 107 |
1 files changed, 107 insertions, 0 deletions
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c index 328f409cf3..d5bddef739 100644 --- a/source3/rpc_server/srv_lsa_nt.c +++ b/source3/rpc_server/srv_lsa_nt.c @@ -1237,6 +1237,8 @@ NTSTATUS _lsa_query_secobj(pipes_struct *p, LSA_Q_QUERY_SEC_OBJ *q_u, LSA_R_QUER return r_u->status; } +/*************************************************************************** + ***************************************************************************/ NTSTATUS _lsa_query_info2(pipes_struct *p, LSA_Q_QUERY_INFO2 *q_u, LSA_R_QUERY_INFO2 *r_u) { @@ -1297,3 +1299,108 @@ NTSTATUS _lsa_query_info2(pipes_struct *p, LSA_Q_QUERY_INFO2 *q_u, LSA_R_QUERY_I return r_u->status; } + +/*************************************************************************** + ***************************************************************************/ + +NTSTATUS _lsa_add_acct_rights(pipes_struct *p, LSA_Q_ADD_ACCT_RIGHTS *q_u, LSA_R_ADD_ACCT_RIGHTS *r_u) +{ + struct lsa_info *info = NULL; + int i = 0; + DOM_SID sid; + fstring privname; + UNISTR2_ARRAY *uni_privnames = &q_u->rights; + + + /* find the connection policy handle. */ + if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) + return NT_STATUS_INVALID_HANDLE; + + /* check to see if the pipe_user is a Domain Admin since + account_pol.tdb was already opened as root, this is all we have */ + + if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) + return NT_STATUS_ACCESS_DENIED; + + /* according to an NT4 PDC, you can add privileges to SIDs even without + call_lsa_create_account() first. And you can use any arbitrary SID. */ + + sid_copy( &sid, &q_u->sid.sid ); + + /* just a little sanity check */ + + if ( q_u->count != uni_privnames->count ) { + DEBUG(0,("_lsa_add_acct_rights: count != number of UNISTR2 elements!\n")); + return NT_STATUS_INVALID_HANDLE; + } + + for ( i=0; i<q_u->count; i++ ) { + unistr2_to_ascii( privname, &uni_privnames->strings[i].string, sizeof(fstring)-1 ); + + /* only try to add non-null strings */ + + if ( *privname && !grant_privilege_by_name( &sid, privname ) ) { + DEBUG(2,("_lsa_add_acct_rights: Failed to add privilege [%s]\n", privname )); + return NT_STATUS_NO_SUCH_PRIVILEGE; + } + } + + return NT_STATUS_OK; +} + +/*************************************************************************** + ***************************************************************************/ + +NTSTATUS _lsa_remove_acct_rights(pipes_struct *p, LSA_Q_REMOVE_ACCT_RIGHTS *q_u, LSA_R_REMOVE_ACCT_RIGHTS *r_u) +{ + struct lsa_info *info = NULL; + int i = 0; + DOM_SID sid; + fstring privname; + UNISTR2_ARRAY *uni_privnames = &q_u->rights; + + + /* find the connection policy handle. */ + if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) + return NT_STATUS_INVALID_HANDLE; + + /* check to see if the pipe_user is a Domain Admin since + account_pol.tdb was already opened as root, this is all we have */ + + if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) + return NT_STATUS_ACCESS_DENIED; + + /* according to an NT4 PDC, you can add privileges to SIDs even without + call_lsa_create_account() first. And you can use any arbitrary SID. */ + + sid_copy( &sid, &q_u->sid.sid ); + + if ( q_u->removeall ) { + if ( !revoke_privilege( &sid, SE_ALL_PRIVS ) ) + return NT_STATUS_ACCESS_DENIED; + + return NT_STATUS_OK; + } + + /* just a little sanity check */ + + if ( q_u->count != uni_privnames->count ) { + DEBUG(0,("_lsa_add_acct_rights: count != number of UNISTR2 elements!\n")); + return NT_STATUS_INVALID_HANDLE; + } + + for ( i=0; i<q_u->count; i++ ) { + unistr2_to_ascii( privname, &uni_privnames->strings[i].string, sizeof(fstring)-1 ); + + /* only try to add non-null strings */ + + if ( *privname && !revoke_privilege_by_name( &sid, privname ) ) { + DEBUG(2,("_lsa_remove_acct_rights: Failed to add privilege [%s]\n", privname )); + return NT_STATUS_NO_SUCH_PRIVILEGE; + } + } + + return NT_STATUS_OK; +} + + |