From 35e6a0e618db99287d12092cd8048276ffdb2356 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 18 Apr 2009 16:46:53 +0200 Subject: Add "uint32_t access_granted" to policy handles All policy handles have a mask of allowed operations attached that were calculated at creation time, so they should carry this mask. This is the basis for consolidating all our policy handle access checks. If you want to do your own more complicated access checks further down, just pass "0" to policy_handle_find. --- source3/rpc_server/srv_samr_nt.c | 63 +++++++++++++++++----------------------- 1 file changed, 27 insertions(+), 36 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 159760c4c8..b18011c1f9 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -49,7 +49,7 @@ #define MAX_SAM_ENTRIES_W95 50 struct samr_connect_info { - uint32_t acc_granted; + uint8_t dummy; }; typedef struct disp_info { @@ -613,10 +613,10 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p, /* find the connection policy handle. */ - cinfo = policy_handle_find(p, r->in.connect_handle, - struct samr_connect_info); - if (cinfo == NULL) { - return NT_STATUS_INVALID_HANDLE; + cinfo = policy_handle_find(p, r->in.connect_handle, 0, NULL, + struct samr_connect_info, &status); + if (!NT_STATUS_IS_OK(status)) { + return status; } /*check if access can be granted as requested by client. */ @@ -3198,6 +3198,7 @@ NTSTATUS _samr_Connect(pipes_struct *p, struct samr_Connect *r) { struct samr_connect_info *info; + uint32_t acc_granted; struct policy_handle hnd; uint32 des_access = r->in.access_mask; NTSTATUS status; @@ -3209,14 +3210,6 @@ NTSTATUS _samr_Connect(pipes_struct *p, return NT_STATUS_ACCESS_DENIED; } - /* set up the SAMR connect_anon response */ - - status = policy_handle_create(p, &hnd, &info, - struct samr_connect_info); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - /* don't give away the farm but this is probably ok. The SAMR_ACCESS_ENUM_DOMAINS was observed from a win98 client trying to enumerate users (when configured user level access control on shares) --jerry */ @@ -3224,7 +3217,18 @@ NTSTATUS _samr_Connect(pipes_struct *p, map_max_allowed_access(p->server_info->ptok, &des_access); se_map_generic( &des_access, &sam_generic_mapping ); - info->acc_granted = des_access & (SAMR_ACCESS_ENUM_DOMAINS|SAMR_ACCESS_LOOKUP_DOMAIN); + + acc_granted = des_access & (SAMR_ACCESS_ENUM_DOMAINS + |SAMR_ACCESS_LOOKUP_DOMAIN); + + /* set up the SAMR connect_anon response */ + + info = policy_handle_create(p, &hnd, acc_granted, + struct samr_connect_info, + &status); + if (!NT_STATUS_IS_OK(status)) { + return status; + } *r->out.connect_handle = hnd; return NT_STATUS_OK; @@ -3281,14 +3285,12 @@ NTSTATUS _samr_Connect2(pipes_struct *p, if ( !NT_STATUS_IS_OK(nt_status) ) return nt_status; - nt_status = policy_handle_create(p, &hnd, &info, - struct samr_connect_info); + info = policy_handle_create(p, &hnd, acc_granted, + struct samr_connect_info, &nt_status); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } - info->acc_granted = acc_granted; - DEBUG(5,("%s: %d\n", fn, __LINE__)); *r->out.connect_handle = hnd; @@ -3363,23 +3365,18 @@ NTSTATUS _samr_Connect5(pipes_struct *p, NTSTATUS _samr_LookupDomain(pipes_struct *p, struct samr_LookupDomain *r) { - NTSTATUS status = NT_STATUS_OK; + NTSTATUS status; struct samr_connect_info *info; const char *domain_name; DOM_SID *sid = NULL; - info = policy_handle_find(p, r->in.connect_handle, - struct samr_connect_info); - if (info == NULL) { - return NT_STATUS_INVALID_HANDLE; - } - /* win9x user manager likes to use SAMR_ACCESS_ENUM_DOMAINS here. Reverted that change so we will work with RAS servers again */ - status = access_check_samr_function(info->acc_granted, - SAMR_ACCESS_LOOKUP_DOMAIN, - "_samr_LookupDomain"); + info = policy_handle_find(p, r->in.connect_handle, + SAMR_ACCESS_LOOKUP_DOMAIN, NULL, + struct samr_connect_info, + &status); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -3424,14 +3421,8 @@ NTSTATUS _samr_EnumDomains(pipes_struct *p, struct samr_SamArray *sam; info = policy_handle_find(p, r->in.connect_handle, - struct samr_connect_info); - if (info == NULL) { - return NT_STATUS_INVALID_HANDLE; - } - - status = access_check_samr_function(info->acc_granted, - SAMR_ACCESS_ENUM_DOMAINS, - "_samr_EnumDomains"); + SAMR_ACCESS_ENUM_DOMAINS, NULL, + struct samr_connect_info, &status); if (!NT_STATUS_IS_OK(status)) { return status; } -- cgit