From cade42c05b4d050f0b222594e1d1ccc13097c339 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 12 Dec 2000 20:41:02 +0000 Subject: Fixed bug noticed by JF. se_access_check needs user SID as first in token. Jeremy. (This used to be commit f0d7867801e3f78bfc55fdb36ca965e35457f51b) --- source3/smbd/password.c | 33 +++++++++++++++++++++++---------- 1 file changed, 23 insertions(+), 10 deletions(-) diff --git a/source3/smbd/password.c b/source3/smbd/password.c index 193653a867..1924bf3217 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -192,28 +192,41 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, psids = token->user_sids; - sid_copy( &psids[psid_ndx++], &global_sid_World); - sid_copy( &psids[psid_ndx++], &global_sid_Network); - /* - * The only difference between guest and "anonymous" (which we - * don't really support) is the addition of Authenticated_Users. + * Note - user SID *MUST* be first in token ! + * se_access_check depends on this. */ - if (is_guest) - sid_copy( &psids[psid_ndx++], &global_sid_Builtin_Guests); - else - sid_copy( &psids[psid_ndx++], &global_sid_Authenticated_Users); - uid_to_sid( &psids[psid_ndx++], uid); + + /* + * Primary group SID is second in token. Convention. + */ + gid_to_sid( &psids[psid_ndx++], gid); + /* Now add the group SIDs. */ + for (i = 0; i < ngroups; i++) { if (groups[i] != gid) { gid_to_sid( &psids[psid_ndx++], groups[i]); } } + /* + * Finally add the "standard" SIDs. + * The only difference between guest and "anonymous" (which we + * don't really support) is the addition of Authenticated_Users. + */ + + sid_copy( &psids[psid_ndx++], &global_sid_World); + sid_copy( &psids[psid_ndx++], &global_sid_Network); + + if (is_guest) + sid_copy( &psids[psid_ndx++], &global_sid_Builtin_Guests); + else + sid_copy( &psids[psid_ndx++], &global_sid_Authenticated_Users); + token->num_sids = psid_ndx; return token; -- cgit