2025-01-13 13:18:06 +03:00 · 2008-10-17 15:24:15 -07:00 · 2008-10-17 15:24:15 -07:00 · 7c94c874c4
commit 7c94c874c4
parent ef8f3c0e56
2 changed files with 18 additions and 4 deletions
--- a/source3/include/rpc_lsa.h
+++ b/source3/include/rpc_lsa.h
@ -39,6 +39,7 @@


 #define LSA_POLICY_READ       ( STANDARD_RIGHTS_READ_ACCESS      |\
+                            LSA_POLICY_VIEW_LOCAL_INFORMATION    |\
                            LSA_POLICY_VIEW_AUDIT_INFORMATION    |\
                            LSA_POLICY_GET_PRIVATE_INFORMATION)

--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@ -430,7 +430,7 @@ NTSTATUS _lsa_OpenPolicy(pipes_struct *p,
 	lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);

 	if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status)) {
-		if (geteuid() != 0) {
+		if (p->pipe_user.ut.uid != sec_initial_uid()) {
 			return status;
 		}
 		DEBUG(4,("ACCESS should be DENIED (granted: %#010x;  required: %#010x)\n",
@ -1522,7 +1522,8 @@ NTSTATUS _lsa_CreateAccount(pipes_struct *p,
 	/* check to see if the pipe_user is a Domain Admin since
 	   account_pol.tdb was already opened as root, this is all we have */

-	if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+	if ( p->pipe_user.ut.uid != sec_initial_uid()
+		&& !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
 		return NT_STATUS_ACCESS_DENIED;

 	if ( is_privileged_sid( r->in.sid ) )
@ -1608,6 +1609,9 @@ NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p,
 	if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
 		return NT_STATUS_INVALID_HANDLE;

+	if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
+		return NT_STATUS_ACCESS_DENIED;
+
 	if ( !get_privileges_for_sids( &mask, &info->sid, 1 ) )
 		return NT_STATUS_OBJECT_NAME_NOT_FOUND;

@ -1668,6 +1672,9 @@ NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
 	if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
 		return NT_STATUS_INVALID_HANDLE;

+	if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
+		return NT_STATUS_ACCESS_DENIED;
+
 	if (!lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, NULL))
 		return NT_STATUS_ACCESS_DENIED;

@ -1702,7 +1709,8 @@ NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p,
 	/* check to see if the pipe_user is a Domain Admin since
 	   account_pol.tdb was already opened as root, this is all we have */

-	if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+	if ( p->pipe_user.ut.uid != sec_initial_uid()
+		&& !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
 		return NT_STATUS_ACCESS_DENIED;

 	if (!pdb_getgrsid(&map, info->sid))
@ -1812,7 +1820,6 @@ NTSTATUS _lsa_QuerySecurity(pipes_struct *p,
 	if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
 		return NT_STATUS_ACCESS_DENIED;

-
 	switch (r->in.sec_info) {
 	case 1:
 		/* SD contains only the owner */
@ -2070,6 +2077,9 @@ NTSTATUS _lsa_EnumAccountRights(pipes_struct *p,
 	if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
 		return NT_STATUS_INVALID_HANDLE;

+	if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
+		return NT_STATUS_ACCESS_DENIED;
+
 	/* according to an NT4 PDC, you can add privileges to SIDs even without
 	   call_lsa_create_account() first.  And you can use any arbitrary SID. */

@ -2112,6 +2122,9 @@ NTSTATUS _lsa_LookupPrivValue(pipes_struct *p,
 	if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
 		return NT_STATUS_INVALID_HANDLE;

+	if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
+		return NT_STATUS_ACCESS_DENIED;
+
 	name = r->in.name->string;

 	DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));