From 9e52e989ab46bf131185c05651dca1799d73f0a3 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 14 Feb 2005 01:13:14 +0000 Subject: r5383: add missing checks to allow root to manage user rights (This used to be commit ead54b14f6b34f087d3affc2853e16bbbaceb7cc)
---
 source3/rpc_server/srv_lsa_nt.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server')
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index 5b92b65edd..b4c8e033ff 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -1333,6 +1333,7 @@ NTSTATUS _lsa_add_acct_rights(pipes_struct *p, LSA_Q_ADD_ACCT_RIGHTS *q_u, LSA_R
 DOM_SID sid;
 fstring privname;
 UNISTR2_ARRAY *uni_privnames = &q_u->rights;
+ struct current_user user;
 /* find the connection policy handle. */
@@ -1342,8 +1343,12 @@ NTSTATUS _lsa_add_acct_rights(pipes_struct *p, LSA_Q_ADD_ACCT_RIGHTS *q_u, LSA_R
 /* check to see if the pipe_user is a Domain Admin since account_pol.tdb was already opened as root, this is all we have */
- if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ get_current_user( &user, p );
+ if ( user.uid != sec_initial_uid()
+ && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ {
 return NT_STATUS_ACCESS_DENIED;
+ }
 /* according to an NT4 PDC, you can add privileges to SIDs even without call_lsa_create_account() first. And you can use any arbitrary SID. */
@@ -1381,6 +1386,7 @@ NTSTATUS _lsa_remove_acct_rights(pipes_struct *p, LSA_Q_REMOVE_ACCT_RIGHTS *q_u,
 DOM_SID sid;
 fstring privname;
 UNISTR2_ARRAY *uni_privnames = &q_u->rights;
+ struct current_user user;
 /* find the connection policy handle. */
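Review bot: In `_lsa_add_acct_rights` the new check takes the uid from the `user` copy filled by `get_current_user()` but still reads the group token from `p->pipe_user.nt_user_token`, so one authorization decision can rest on two identities if `get_current_user()` ever fills `user` from something other than `p->pipe_user` (its body is not on this page). Assuming `p->pipe_user` is itself a `struct current_user`, testing the same copy in both halves, `&& !nt_token_check_domain_rid( user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )`, keeps the check tied to a single identity. The identical hunk in `_lsa_remove_acct_rights` needs the same change. The comment above both checks still says Domain Admin membership "is all we have" and should now state the rule, e.g. `/* allow root (sec_initial_uid()) or a member of Domain Admins */`. Both function bodies start and end outside the hunks.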
@@ -1390,8 +1396,12 @@ NTSTATUS _lsa_remove_acct_rights(pipes_struct *p, LSA_Q_REMOVE_ACCT_RIGHTS *q_u,
 /* check to see if the pipe_user is a Domain Admin since account_pol.tdb was already opened as root, this is all we have */
- if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ get_current_user( &user, p );
+ if ( user.uid != sec_initial_uid()
+ && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ {
 return NT_STATUS_ACCESS_DENIED;
+ }
 sid_copy( &sid, &q_u->sid.sid );
-- cgit