mirror of
https://github.com/samba-team/samba.git
synced 2025-01-08 21:18:16 +03:00
make some auth functions return an NTSTATUS like other similar functions for better diagnostics.
Signed-off-by: Kristján Valur <kristjan@rvx.is> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue Apr 2 02:12:48 UTC 2019 on sn-devel-144
This commit is contained in:
parent
959a4837b5
commit
92c726dc7a
@ -688,9 +688,12 @@ ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads,
|
||||
}
|
||||
}
|
||||
|
||||
new_token = create_local_nt_token(mem_ctx, &object_sid, false,
|
||||
num_token_sids, token_sids);
|
||||
ADS_ERROR_HAVE_NO_MEMORY(new_token);
|
||||
status = ADS_ERROR_NT(create_local_nt_token(mem_ctx,
|
||||
&object_sid, false,
|
||||
num_token_sids, token_sids, &new_token));
|
||||
if (!ADS_ERR_OK(status)) {
|
||||
return status;
|
||||
}
|
||||
|
||||
*token = new_token;
|
||||
|
||||
|
@ -383,14 +383,15 @@ NTSTATUS pass_check(const struct passwd *pass,
|
||||
|
||||
bool nt_token_check_sid ( const struct dom_sid *sid, const struct security_token *token );
|
||||
bool nt_token_check_domain_rid( struct security_token *token, uint32_t rid );
|
||||
struct security_token *get_root_nt_token( void );
|
||||
NTSTATUS get_root_nt_token( struct security_token **token );
|
||||
NTSTATUS add_aliases(const struct dom_sid *domain_sid,
|
||||
struct security_token *token);
|
||||
struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
|
||||
NTSTATUS create_local_nt_token(TALLOC_CTX *mem_ctx,
|
||||
const struct dom_sid *user_sid,
|
||||
bool is_guest,
|
||||
int num_groupsids,
|
||||
const struct dom_sid *groupsids);
|
||||
const struct dom_sid *groupsids,
|
||||
struct security_token **token);
|
||||
NTSTATUS finalize_local_nt_token(struct security_token *result,
|
||||
uint32_t session_info_flags);
|
||||
NTSTATUS get_user_sid_info3_and_extra(const struct netr_SamInfo3 *info3,
|
||||
|
@ -78,27 +78,29 @@ bool nt_token_check_domain_rid( struct security_token *token, uint32_t rid )
|
||||
Create a copy if you need to change it.
|
||||
******************************************************************************/
|
||||
|
||||
struct security_token *get_root_nt_token( void )
|
||||
NTSTATUS get_root_nt_token( struct security_token **token )
|
||||
{
|
||||
struct security_token *token, *for_cache;
|
||||
struct security_token *for_cache;
|
||||
struct dom_sid u_sid, g_sid;
|
||||
struct passwd *pw;
|
||||
void *cache_data;
|
||||
NTSTATUS status = NT_STATUS_OK;
|
||||
|
||||
cache_data = memcache_lookup_talloc(
|
||||
NULL, SINGLETON_CACHE_TALLOC,
|
||||
data_blob_string_const_null("root_nt_token"));
|
||||
|
||||
if (cache_data != NULL) {
|
||||
return talloc_get_type_abort(
|
||||
*token = talloc_get_type_abort(
|
||||
cache_data, struct security_token);
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
if ( !(pw = getpwuid(0)) ) {
|
||||
if ( !(pw = getpwnam("root")) ) {
|
||||
DEBUG(0,("get_root_nt_token: both getpwuid(0) "
|
||||
"and getpwnam(\"root\") failed!\n"));
|
||||
return NULL;
|
||||
DBG_ERR("get_root_nt_token: both getpwuid(0) "
|
||||
"and getpwnam(\"root\") failed!\n");
|
||||
return NT_STATUS_NO_SUCH_USER;
|
||||
}
|
||||
}
|
||||
|
||||
@ -108,18 +110,21 @@ struct security_token *get_root_nt_token( void )
|
||||
uid_to_sid(&u_sid, pw->pw_uid);
|
||||
gid_to_sid(&g_sid, pw->pw_gid);
|
||||
|
||||
token = create_local_nt_token(talloc_tos(), &u_sid, False,
|
||||
1, &global_sid_Builtin_Administrators);
|
||||
status = create_local_nt_token(talloc_tos(), &u_sid, False,
|
||||
1, &global_sid_Builtin_Administrators, token);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
return status;
|
||||
}
|
||||
|
||||
security_token_set_privilege(token, SEC_PRIV_DISK_OPERATOR);
|
||||
security_token_set_privilege(*token, SEC_PRIV_DISK_OPERATOR);
|
||||
|
||||
for_cache = token;
|
||||
for_cache = *token;
|
||||
|
||||
memcache_add_talloc(
|
||||
NULL, SINGLETON_CACHE_TALLOC,
|
||||
data_blob_string_const_null("root_nt_token"), &for_cache);
|
||||
|
||||
return token;
|
||||
return status;
|
||||
}
|
||||
|
||||
|
||||
@ -420,11 +425,12 @@ NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx,
|
||||
Create a NT token for the user, expanding local aliases
|
||||
*******************************************************************/
|
||||
|
||||
struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
|
||||
NTSTATUS create_local_nt_token(TALLOC_CTX *mem_ctx,
|
||||
const struct dom_sid *user_sid,
|
||||
bool is_guest,
|
||||
int num_groupsids,
|
||||
const struct dom_sid *groupsids)
|
||||
const struct dom_sid *groupsids,
|
||||
struct security_token **token)
|
||||
{
|
||||
struct security_token *result = NULL;
|
||||
int i;
|
||||
@ -437,7 +443,8 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
|
||||
|
||||
if (!(result = talloc_zero(mem_ctx, struct security_token))) {
|
||||
DEBUG(0, ("talloc failed\n"));
|
||||
return NULL;
|
||||
status = NT_STATUS_NO_MEMORY;
|
||||
goto err;
|
||||
}
|
||||
|
||||
/* Add the user and primary group sid */
|
||||
@ -445,8 +452,7 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
|
||||
status = add_sid_to_array(result, user_sid,
|
||||
&result->sids, &result->num_sids);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
TALLOC_FREE(result);
|
||||
return NULL;
|
||||
goto err;
|
||||
}
|
||||
|
||||
/* For guest, num_groupsids may be zero. */
|
||||
@ -455,8 +461,7 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
|
||||
&result->sids,
|
||||
&result->num_sids);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
TALLOC_FREE(result);
|
||||
return NULL;
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
|
||||
@ -471,15 +476,13 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
|
||||
&result->sids,
|
||||
&result->num_sids);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
TALLOC_FREE(result);
|
||||
return NULL;
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
|
||||
status = add_local_groups(result, is_guest);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
TALLOC_FREE(result);
|
||||
return NULL;
|
||||
goto err;
|
||||
}
|
||||
|
||||
session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
|
||||
@ -489,8 +492,7 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
|
||||
|
||||
status = finalize_local_nt_token(result, session_info_flags);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
TALLOC_FREE(result);
|
||||
return NULL;
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (is_guest) {
|
||||
@ -511,12 +513,16 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
|
||||
&result->num_sids);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(3, ("Failed to add SID to nt token\n"));
|
||||
TALLOC_FREE(result);
|
||||
return NULL;
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
|
||||
return result;
|
||||
*token = result;
|
||||
return NT_STATUS_SUCCESS;
|
||||
|
||||
err:
|
||||
TALLOC_FREE(result);
|
||||
return status;
|
||||
}
|
||||
|
||||
/***************************************************
|
||||
@ -556,9 +562,11 @@ static NTSTATUS add_local_groups(struct security_token *result,
|
||||
pass = getpwuid_alloc(tmp_ctx, uid);
|
||||
if (pass == NULL) {
|
||||
struct dom_sid_buf buf;
|
||||
DEBUG(1, ("SID %s -> getpwuid(%u) failed\n",
|
||||
DBG_ERR("SID %s -> getpwuid(%u) failed, is nsswitch configured?\n",
|
||||
dom_sid_str_buf(&result->sids[0], &buf),
|
||||
(unsigned int)uid));
|
||||
(unsigned int)uid);
|
||||
TALLOC_FREE(tmp_ctx);
|
||||
return NT_STATUS_NO_SUCH_USER;
|
||||
}
|
||||
}
|
||||
|
||||
@ -1115,11 +1123,10 @@ static NTSTATUS create_token_from_sid(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
/* Ensure we're creating the nt_token on the right context. */
|
||||
*token = create_local_nt_token(mem_ctx, user_sid,
|
||||
is_guest, num_group_sids, group_sids);
|
||||
result = create_local_nt_token(mem_ctx, user_sid,
|
||||
is_guest, num_group_sids, group_sids, token);
|
||||
|
||||
if (*token == NULL) {
|
||||
result = NT_STATUS_NO_MEMORY;
|
||||
if (!NT_STATUS_IS_OK(result)) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
|
@ -137,9 +137,13 @@ static struct service_control_op* find_service_by_name( const char *name )
|
||||
static NTSTATUS svcctl_access_check( struct security_descriptor *sec_desc, struct security_token *token,
|
||||
uint32_t access_desired, uint32_t *access_granted )
|
||||
{
|
||||
NTSTATUS status;
|
||||
if ( geteuid() == sec_initial_uid() ) {
|
||||
DEBUG(5,("svcctl_access_check: using root's token\n"));
|
||||
token = get_root_nt_token();
|
||||
status = get_root_nt_token(&token);
|
||||
if(!NT_STATUS_IS_OK(status)) {
|
||||
return status;
|
||||
}
|
||||
}
|
||||
|
||||
return se_access_check( sec_desc, token, access_desired, access_granted);
|
||||
|
Loading…
Reference in New Issue
Block a user