1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

make some auth functions return an NTSTATUS like other similar functions for better diagnostics.

Signed-off-by: Kristján Valur <kristjan@rvx.is>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Apr  2 02:12:48 UTC 2019 on sn-devel-144
This commit is contained in:
Kristján Valur 2019-03-12 09:33:15 +00:00 committed by Andrew Bartlett
parent 959a4837b5
commit 92c726dc7a
4 changed files with 56 additions and 41 deletions

View File

@ -688,9 +688,12 @@ ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads,
}
}
new_token = create_local_nt_token(mem_ctx, &object_sid, false,
num_token_sids, token_sids);
ADS_ERROR_HAVE_NO_MEMORY(new_token);
status = ADS_ERROR_NT(create_local_nt_token(mem_ctx,
&object_sid, false,
num_token_sids, token_sids, &new_token));
if (!ADS_ERR_OK(status)) {
return status;
}
*token = new_token;

View File

@ -383,14 +383,15 @@ NTSTATUS pass_check(const struct passwd *pass,
bool nt_token_check_sid ( const struct dom_sid *sid, const struct security_token *token );
bool nt_token_check_domain_rid( struct security_token *token, uint32_t rid );
struct security_token *get_root_nt_token( void );
NTSTATUS get_root_nt_token( struct security_token **token );
NTSTATUS add_aliases(const struct dom_sid *domain_sid,
struct security_token *token);
struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
NTSTATUS create_local_nt_token(TALLOC_CTX *mem_ctx,
const struct dom_sid *user_sid,
bool is_guest,
int num_groupsids,
const struct dom_sid *groupsids);
const struct dom_sid *groupsids,
struct security_token **token);
NTSTATUS finalize_local_nt_token(struct security_token *result,
uint32_t session_info_flags);
NTSTATUS get_user_sid_info3_and_extra(const struct netr_SamInfo3 *info3,

View File

@ -78,27 +78,29 @@ bool nt_token_check_domain_rid( struct security_token *token, uint32_t rid )
Create a copy if you need to change it.
******************************************************************************/
struct security_token *get_root_nt_token( void )
NTSTATUS get_root_nt_token( struct security_token **token )
{
struct security_token *token, *for_cache;
struct security_token *for_cache;
struct dom_sid u_sid, g_sid;
struct passwd *pw;
void *cache_data;
NTSTATUS status = NT_STATUS_OK;
cache_data = memcache_lookup_talloc(
NULL, SINGLETON_CACHE_TALLOC,
data_blob_string_const_null("root_nt_token"));
if (cache_data != NULL) {
return talloc_get_type_abort(
*token = talloc_get_type_abort(
cache_data, struct security_token);
return NT_STATUS_OK;
}
if ( !(pw = getpwuid(0)) ) {
if ( !(pw = getpwnam("root")) ) {
DEBUG(0,("get_root_nt_token: both getpwuid(0) "
"and getpwnam(\"root\") failed!\n"));
return NULL;
DBG_ERR("get_root_nt_token: both getpwuid(0) "
"and getpwnam(\"root\") failed!\n");
return NT_STATUS_NO_SUCH_USER;
}
}
@ -108,18 +110,21 @@ struct security_token *get_root_nt_token( void )
uid_to_sid(&u_sid, pw->pw_uid);
gid_to_sid(&g_sid, pw->pw_gid);
token = create_local_nt_token(talloc_tos(), &u_sid, False,
1, &global_sid_Builtin_Administrators);
status = create_local_nt_token(talloc_tos(), &u_sid, False,
1, &global_sid_Builtin_Administrators, token);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
security_token_set_privilege(token, SEC_PRIV_DISK_OPERATOR);
security_token_set_privilege(*token, SEC_PRIV_DISK_OPERATOR);
for_cache = token;
for_cache = *token;
memcache_add_talloc(
NULL, SINGLETON_CACHE_TALLOC,
data_blob_string_const_null("root_nt_token"), &for_cache);
return token;
return status;
}
@ -420,11 +425,12 @@ NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx,
Create a NT token for the user, expanding local aliases
*******************************************************************/
struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
NTSTATUS create_local_nt_token(TALLOC_CTX *mem_ctx,
const struct dom_sid *user_sid,
bool is_guest,
int num_groupsids,
const struct dom_sid *groupsids)
const struct dom_sid *groupsids,
struct security_token **token)
{
struct security_token *result = NULL;
int i;
@ -437,7 +443,8 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
if (!(result = talloc_zero(mem_ctx, struct security_token))) {
DEBUG(0, ("talloc failed\n"));
return NULL;
status = NT_STATUS_NO_MEMORY;
goto err;
}
/* Add the user and primary group sid */
@ -445,8 +452,7 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
status = add_sid_to_array(result, user_sid,
&result->sids, &result->num_sids);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(result);
return NULL;
goto err;
}
/* For guest, num_groupsids may be zero. */
@ -455,8 +461,7 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
&result->sids,
&result->num_sids);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(result);
return NULL;
goto err;
}
}
@ -471,15 +476,13 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
&result->sids,
&result->num_sids);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(result);
return NULL;
goto err;
}
}
status = add_local_groups(result, is_guest);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(result);
return NULL;
goto err;
}
session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
@ -489,8 +492,7 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
status = finalize_local_nt_token(result, session_info_flags);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(result);
return NULL;
goto err;
}
if (is_guest) {
@ -511,12 +513,16 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
&result->num_sids);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3, ("Failed to add SID to nt token\n"));
TALLOC_FREE(result);
return NULL;
goto err;
}
}
return result;
*token = result;
return NT_STATUS_SUCCESS;
err:
TALLOC_FREE(result);
return status;
}
/***************************************************
@ -556,9 +562,11 @@ static NTSTATUS add_local_groups(struct security_token *result,
pass = getpwuid_alloc(tmp_ctx, uid);
if (pass == NULL) {
struct dom_sid_buf buf;
DEBUG(1, ("SID %s -> getpwuid(%u) failed\n",
DBG_ERR("SID %s -> getpwuid(%u) failed, is nsswitch configured?\n",
dom_sid_str_buf(&result->sids[0], &buf),
(unsigned int)uid));
(unsigned int)uid);
TALLOC_FREE(tmp_ctx);
return NT_STATUS_NO_SUCH_USER;
}
}
@ -1115,11 +1123,10 @@ static NTSTATUS create_token_from_sid(TALLOC_CTX *mem_ctx,
}
/* Ensure we're creating the nt_token on the right context. */
*token = create_local_nt_token(mem_ctx, user_sid,
is_guest, num_group_sids, group_sids);
result = create_local_nt_token(mem_ctx, user_sid,
is_guest, num_group_sids, group_sids, token);
if (*token == NULL) {
result = NT_STATUS_NO_MEMORY;
if (!NT_STATUS_IS_OK(result)) {
goto done;
}

View File

@ -137,9 +137,13 @@ static struct service_control_op* find_service_by_name( const char *name )
static NTSTATUS svcctl_access_check( struct security_descriptor *sec_desc, struct security_token *token,
uint32_t access_desired, uint32_t *access_granted )
{
NTSTATUS status;
if ( geteuid() == sec_initial_uid() ) {
DEBUG(5,("svcctl_access_check: using root's token\n"));
token = get_root_nt_token();
status = get_root_nt_token(&token);
if(!NT_STATUS_IS_OK(status)) {
return status;
}
}
return se_access_check( sec_desc, token, access_desired, access_granted);