From d706b5dc555bd61670359955770cb85ed0ce2896 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 3 Jun 2002 02:55:16 +0000 Subject: Move restrict anonymous checks into a general function called pipe_access_check(). Eventually this can take a security descriptor as an argument as well. (This used to be commit 8bbdc674afef32621bf473ba1af76bae7270b818) --- source3/rpc_server/srv_lsa_hnd.c | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) (limited to 'source3/rpc_server/srv_lsa_hnd.c') diff --git a/source3/rpc_server/srv_lsa_hnd.c b/source3/rpc_server/srv_lsa_hnd.c index 62af0ecac8..5af1e8c265 100644 --- a/source3/rpc_server/srv_lsa_hnd.c +++ b/source3/rpc_server/srv_lsa_hnd.c @@ -249,3 +249,31 @@ void close_policy_by_pipe(pipes_struct *p) DEBUG(10,("close_policy_by_pipe: deleted handle list for pipe %s\n", p->name )); } } + +/******************************************************************* +Shall we allow access to this rpc? Currently this function +implements the 'restrict anonymous' setting by denying access to +anonymous users if the restrict anonymous level is > 0. Further work +will be checking a security descriptor to determine whether a user +token has enough access to access the pipe. +********************************************************************/ + +BOOL pipe_access_check(pipes_struct *p) +{ + /* Don't let anonymous users access this RPC if restrict + anonymous > 0 */ + + if (lp_restrict_anonymous() > 0) { + user_struct *user = get_valid_user_struct(p->vuid); + + if (!user) { + DEBUG(3, ("invalid vuid %d\n", p->vuid)); + return False; + } + + if (user->guest) + return False; + } + + return True; +} -- cgit