From 0a3396b53683f5efe439bfb8395e275f53108255 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 29 Nov 2012 10:00:03 +0100 Subject: s3:smbd/open: use Builtin_Administrators as owner of files (if possible) We do this if the idmap layer resolves Builtin_Administrators as ID_TYPE_BOTH and if the current token has the Builtin_Administrators SID or it's SYSTEM. Signed-off-by: Stefan Metzmacher Reviewed-by: Michael Adam --- source3/smbd/open.c | 45 +++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 41 insertions(+), 4 deletions(-) diff --git a/source3/smbd/open.c b/source3/smbd/open.c index d736f4f795..955660c148 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -28,6 +28,8 @@ #include "../libcli/security/security.h" #include "../librpc/gen_ndr/ndr_security.h" #include "../librpc/gen_ndr/open_files.h" +#include "../librpc/gen_ndr/idmap.h" +#include "passdb/lookup_sid.h" #include "auth.h" #include "serverid.h" #include "messages.h" @@ -3452,11 +3454,14 @@ static NTSTATUS inherit_new_acl(files_struct *fsp) struct security_descriptor *parent_desc = NULL; NTSTATUS status = NT_STATUS_OK; struct security_descriptor *psd = NULL; - struct dom_sid *owner_sid = NULL; - struct dom_sid *group_sid = NULL; + const struct dom_sid *owner_sid = NULL; + const struct dom_sid *group_sid = NULL; uint32_t security_info_sent = (SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL); + struct security_token *token = fsp->conn->session_info->security_token; bool inherit_owner = lp_inherit_owner(SNUM(fsp->conn)); bool inheritable_components = false; + bool try_builtin_administrators = false; + const struct dom_sid *BA_U_sid = NULL; size_t size = 0; if (!parent_dirname(frame, fsp->fsp_name->base_name, &parent_name, NULL)) { @@ -3498,10 +3503,42 @@ static NTSTATUS inherit_new_acl(files_struct *fsp) } if (owner_sid == NULL) { - owner_sid = &fsp->conn->session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; + if (security_token_has_builtin_administrators(token)) { + try_builtin_administrators = true; + } else if (security_token_is_system(token)) { + try_builtin_administrators = true; + } + } + + if (try_builtin_administrators) { + struct unixid ids; + bool ok; + + ZERO_STRUCT(ids); + ok = sids_to_unixids(&global_sid_Builtin_Administrators, 1, &ids); + if (ok) { + switch (ids.type) { + case ID_TYPE_BOTH: + BA_U_sid = &global_sid_Builtin_Administrators; + break; + case ID_TYPE_UID: + BA_U_sid = &global_sid_Builtin_Administrators; + break; + default: + break; + } + } + } + + if (owner_sid == NULL) { + owner_sid = BA_U_sid; + } + + if (owner_sid == NULL) { + owner_sid = &token->sids[PRIMARY_USER_SID_INDEX]; } if (group_sid == NULL) { - group_sid = &fsp->conn->session_info->security_token->sids[PRIMARY_GROUP_SID_INDEX]; + group_sid = &token->sids[PRIMARY_GROUP_SID_INDEX]; } status = se_create_child_secdesc(frame, -- cgit