[SCM] Samba Shared Repository - branch v3-2-test updated - release-3-2-0pre2-3098-gef15ff6

Jeremy Allison Fri, 17 Oct 2008 15:27:21 -0700

The branch, v3-2-test has been updated
       via  ef15ff6abec34377ab7fa75201e2799c0bb72aeb (commit)
      from  5b1d8588d01d11251541829c5a3dff211fe925fd (commit)


http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test


- Log -----------------------------------------------------------------
commit ef15ff6abec34377ab7fa75201e2799c0bb72aeb
Author: Jeremy Allison <[EMAIL PROTECTED]>
Date:   Fri Oct 17 15:25:58 2008 -0700

    Unify access checks for lsa server functions.
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 source/include/rpc_lsa.h       |    1 +
 source/rpc_server/srv_lsa_nt.c |   21 +++++++++++++++++----
 2 files changed, 18 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/include/rpc_lsa.h b/source/include/rpc_lsa.h
index b4021af..1dc5ba4 100644
--- a/source/include/rpc_lsa.h
+++ b/source/include/rpc_lsa.h
@@ -39,6 +39,7 @@
 
 
 #define LSA_POLICY_READ       ( STANDARD_RIGHTS_READ_ACCESS      |\
+                            LSA_POLICY_VIEW_LOCAL_INFORMATION    |\
                             LSA_POLICY_VIEW_AUDIT_INFORMATION    |\
                             LSA_POLICY_GET_PRIVATE_INFORMATION)
 
diff --git a/source/rpc_server/srv_lsa_nt.c b/source/rpc_server/srv_lsa_nt.c
index 79b6d46..9ce992c 100644
--- a/source/rpc_server/srv_lsa_nt.c
+++ b/source/rpc_server/srv_lsa_nt.c
@@ -434,7 +434,7 @@ NTSTATUS _lsa_OpenPolicy(pipes_struct *p,
        lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
 
        if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, 
&acc_granted, &status)) {
-               if (geteuid() != 0) {
+               if (p->pipe_user.ut.uid != sec_initial_uid()) {
                        return status;
                }
                DEBUG(4,("ACCESS should be DENIED (granted: %#010x;  required: 
%#010x)\n",
@@ -1530,7 +1530,8 @@ NTSTATUS _lsa_CreateAccount(pipes_struct *p,
        /* check to see if the pipe_user is a Domain Admin since
           account_pol.tdb was already opened as root, this is all we have */
 
-       if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, 
DOMAIN_GROUP_RID_ADMINS ) )
+       if ( p->pipe_user.ut.uid != sec_initial_uid()
+               && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, 
DOMAIN_GROUP_RID_ADMINS ) )
                return NT_STATUS_ACCESS_DENIED;
 
        if ( is_privileged_sid( r->in.sid ) )
@@ -1616,6 +1617,9 @@ NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p,
        if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
                return NT_STATUS_INVALID_HANDLE;
 
+       if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
+               return NT_STATUS_ACCESS_DENIED;
+
        if ( !get_privileges_for_sids( &mask, &info->sid, 1 ) )
                return NT_STATUS_OBJECT_NAME_NOT_FOUND;
 
@@ -1676,6 +1680,9 @@ NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
        if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
                return NT_STATUS_INVALID_HANDLE;
 
+       if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
+               return NT_STATUS_ACCESS_DENIED;
+
        if (!lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, NULL))
                return NT_STATUS_ACCESS_DENIED;
 
@@ -1710,7 +1717,8 @@ NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p,
        /* check to see if the pipe_user is a Domain Admin since
           account_pol.tdb was already opened as root, this is all we have */
 
-       if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, 
DOMAIN_GROUP_RID_ADMINS ) )
+       if ( p->pipe_user.ut.uid != sec_initial_uid()
+               && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, 
DOMAIN_GROUP_RID_ADMINS ) )
                return NT_STATUS_ACCESS_DENIED;
 
        if (!pdb_getgrsid(&map, info->sid))
@@ -1820,7 +1828,6 @@ NTSTATUS _lsa_QuerySecurity(pipes_struct *p,
        if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
                return NT_STATUS_ACCESS_DENIED;
 
-
        switch (r->in.sec_info) {
        case 1:
                /* SD contains only the owner */
@@ -2078,6 +2085,9 @@ NTSTATUS _lsa_EnumAccountRights(pipes_struct *p,
        if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
                return NT_STATUS_INVALID_HANDLE;
 
+       if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
+               return NT_STATUS_ACCESS_DENIED;
+
        /* according to an NT4 PDC, you can add privileges to SIDs even without
           call_lsa_create_account() first.  And you can use any arbitrary SID. 
*/
 
@@ -2120,6 +2130,9 @@ NTSTATUS _lsa_LookupPrivValue(pipes_struct *p,
        if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
                return NT_STATUS_INVALID_HANDLE;
 
+       if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
+               return NT_STATUS_ACCESS_DENIED;
+
        name = r->in.name->string;
 
        DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch v3-2-test updated - release-3-2-0pre2-3098-gef15ff6

Reply via email to