Fixed up the user/group contexts when using authenticated pipes.

Added a become_root()/unbecome_root() (push/pop security context)
around the initgroups() call to ensure it would succeed. Hmmm - I
wonder if this call being done as non-root might explain any "group access"
bugs we've had in the past....
Jeremy.
(This used to be commit 06a65972e8)

source3/include/proto.h

@@ -3546,6 +3546,7 @@ void invalidate_vuid(uint16 vuid);
 char *validated_username(uint16 vuid);
 char *validated_domain(uint16 vuid);
 int initialize_groups(char *user, uid_t uid, gid_t gid);
+NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups);
 uint16 register_vuid(uid_t uid,gid_t gid, char *unix_name, char *requested_name, 
 		     char *domain,BOOL guest);
 void add_session_user(char *user);
@@ -3673,6 +3674,7 @@ int reply_getattrE(connection_struct *conn, char *inbuf,char *outbuf, int size,
 
 int get_current_groups(int *p_ngroups, gid_t **p_groups);
 void delete_nt_token(NT_USER_TOKEN **pptoken);
+NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken);
 BOOL push_sec_ctx(void);
 void set_sec_ctx(uid_t uid, gid_t gid, int ngroups, gid_t *groups, NT_USER_TOKEN *token);
 void set_root_sec_ctx(void);

source3/rpc_server/srv_pipe.c

@@ -282,6 +282,11 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm
 	memset(p->domain, '\0', sizeof(p->domain));
 	memset(p->wks, '\0', sizeof(p->wks));
 
+	/* Set up for non-authenticated user. */
+	delete_nt_token(&p->pipe_user.nt_user_token);
+	p->pipe_user.ngroups = 0;
+	safe_free( p->pipe_user.groups);
+
 	/* 
 	 * Setup an empty password for a guest user.
 	 */
@@ -456,7 +461,13 @@ failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name
 	p->pipe_user.uid = pass->pw_uid;
 	p->pipe_user.gid = pass->pw_gid;
 
-	/* XXX also set up pipe user group membership */
+	/* Set up pipe user group membership. */
+	initialize_groups(pipe_user_name, p->pipe_user.uid, p->pipe_user.gid);
+	get_current_groups( &p->pipe_user.ngroups, &p->pipe_user.groups);
+
+	/* Create an NT_USER_TOKEN struct for this user. */
+	p->pipe_user.nt_user_token = create_nt_token(p->pipe_user.uid,p->pipe_user.gid,
+												p->pipe_user.ngroups, p->pipe_user.groups);
 
 	p->ntlmssp_auth_validated = True;
 	return True;

source3/rpc_server/srv_pipe_hnd.c

@@ -825,6 +825,9 @@ BOOL close_rpc_pipe_hnd(pipes_struct *p, connection_struct *conn)
 
 	DLIST_REMOVE(Pipes, p);
 
+	delete_nt_token(&p->pipe_user.nt_user_token);
+	safe_free(p->pipe_user.groups);
+
 	ZERO_STRUCTP(p);
 
 	free(p);

source3/script/mkproto.awk

@@ -112,7 +112,7 @@ END {
     gotstart = 1;
   }
 
-  if( $0 ~ /^TDB_CONTEXT|^TDB_DATA|^smb_ucs2_t|^TALLOC_CTX|^hash_element|^NT_DEVICEMODE|^enum nss_status/ ) {
+  if( $0 ~ /^TDB_CONTEXT|^TDB_DATA|^smb_ucs2_t|^TALLOC_CTX|^hash_element|^NT_DEVICEMODE|^enum nss_status|^NT_USER_TOKEN/ ) {
     gotstart = 1;
   }
 

source3/smbd/password.c

@@ -163,8 +163,9 @@ char *validated_domain(uint16 vuid)
  Initialize the groups a user belongs to.
 ****************************************************************************/
 
-int initialize_groups(char *user, uid_t uid, gid_t gid)
+BOOL initialize_groups(char *user, uid_t uid, gid_t gid)
 {
+	become_root();
 	if (initgroups(user,gid) == -1) {
 		DEBUG(0,("Unable to initgroups. Error was %s\n", strerror(errno) ));
 		if (getuid() == 0) {
@@ -172,9 +173,11 @@ int initialize_groups(char *user, uid_t uid, gid_t gid)
 				DEBUG(0,("This is probably a problem with the account %s\n", user));
 			}
 		}
-		return -1;
+		unbecome_root();
+		return False;
 	}
-	return 0;
+	become_root();
+	return True;
 }
 
 /****************************************************************************

source3/smbd/uid.c

@@ -207,9 +207,8 @@ BOOL become_authenticated_pipe_user(pipes_struct *p)
 		return False;
 	}
 
-	/* JRATEST - this needs fixined w.r.t. NT user tokens... */
 	set_sec_ctx(p->pipe_user.uid, p->pipe_user.gid, 
-		    p->pipe_user.ngroups, p->pipe_user.groups, NULL);
+		    p->pipe_user.ngroups, p->pipe_user.groups, p->pipe_user.nt_user_token);
 
 	return True;
 }