From 1ba611a56c2b12f5138172be7bc23d187893cf16 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 1 Jun 2010 23:02:13 +0200 Subject: s3-eventlog: try to pass RPC-EVENTLOG during make test as non-root. Guenther --- source3/rpc_server/srv_eventlog_nt.c | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/source3/rpc_server/srv_eventlog_nt.c b/source3/rpc_server/srv_eventlog_nt.c index 4171ef6d97..99185ef552 100644 --- a/source3/rpc_server/srv_eventlog_nt.c +++ b/source3/rpc_server/srv_eventlog_nt.c @@ -73,6 +73,7 @@ static bool elog_check_access( EVENTLOG_INFO *info, NT_USER_TOKEN *token ) { char *tdbname = elog_tdbname(talloc_tos(), info->logname ); struct security_descriptor *sec_desc; + struct security_ace *ace; NTSTATUS status; if ( !tdbname ) @@ -89,11 +90,28 @@ static bool elog_check_access( EVENTLOG_INFO *info, NT_USER_TOKEN *token ) return False; } + ace = talloc_zero(sec_desc, struct security_ace); + if (ace == NULL) { + TALLOC_FREE(sec_desc); + return false; + } + + ace->type = SEC_ACE_TYPE_ACCESS_ALLOWED; + ace->flags = 0; + ace->access_mask = REG_KEY_ALL; + ace->trustee = global_sid_System; + + status = security_descriptor_dacl_add(sec_desc, ace); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(sec_desc); + return false; + } + /* root free pass */ if ( geteuid() == sec_initial_uid() ) { - DEBUG(5,("elog_check_access: using root's token\n")); - token = get_root_nt_token(); + DEBUG(5,("elog_check_access: running as root, using system token\n")); + token = get_system_token(); } /* run the check, try for the max allowed */ @@ -101,8 +119,7 @@ static bool elog_check_access( EVENTLOG_INFO *info, NT_USER_TOKEN *token ) status = se_access_check( sec_desc, token, MAXIMUM_ALLOWED_ACCESS, &info->access_granted); - if ( sec_desc ) - TALLOC_FREE( sec_desc ); + TALLOC_FREE(sec_desc); if (!NT_STATUS_IS_OK(status)) { DEBUG(8,("elog_check_access: se_access_check() return %s\n", @@ -317,7 +334,7 @@ static bool sync_eventlog_params( EVENTLOG_INFO *info ) goto done; } - wresult = reg_open_path(ctx, path, REG_KEY_READ, get_root_nt_token(), + wresult = reg_open_path(ctx, path, REG_KEY_READ, get_system_token(), &key); if ( !W_ERROR_IS_OK( wresult ) ) { -- cgit