sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-10-23 11:33:16 +03:00
Code Activity

r23966: It isn't great, but at least now we have some access control in SWAT

Browse Source 
This patch prevents non-root and non-administrator users from running
the provision, upgrade and vampire pages.  *I think* the rest of SWAT
is LDB operations, or otherwise authenticated, so we should now be
secure.

I wish I had a better way to 'prove' we got this right, but this is better than nothing, and moves us closer to an alpha.

Andrew Bartlett
This commit is contained in:
Andrew Bartlett
2007-07-19 07:48:26 +00:00
committed by Gerald (Jerry) Carter
parent 4fab53432a
commit d61061052d
4 changed files with 120 additions and 58 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
source/scripting/ejs/smbcalls_auth.c
View File

@@ -27,6 +27,7 @@
#include "scripting/ejs/smbcalls.h"
#include "lib/events/events.h"
#include "lib/messaging/irpc.h"
#include "libcli/security/security.h"
static int ejs_doauth(MprVarHandle eid,
TALLOC_CTX *tmp_ctx, struct MprVar *auth, const char *username,
@@ -39,6 +40,7 @@ static int ejs_doauth(MprVarHandle eid,
struct auth_context *auth_context;
struct MprVar *session_info_obj;
NTSTATUS nt_status;
bool set;
struct smbcalls_context *c;
struct event_context *ev;
@@ -111,6 +113,32 @@ static int ejs_doauth(MprVarHandle eid,
goto done;
}
if (security_token_has_nt_authenticated_users(session_info->security_token)) {
mprSetPropertyValue(auth, "user_class", mprString("USER"));
set = true;
}
if (security_token_has_builtin_administrators(session_info->security_token)) {
mprSetPropertyValue(auth, "user_class", mprString("ADMINISTRATOR"));
set = true;
}
if (security_token_is_system(session_info->security_token)) {
mprSetPropertyValue(auth, "user_class", mprString("SYSTEM"));
set = true;
}
if (security_token_is_anonymous(session_info->security_token)) {
mprSetPropertyValue(auth, "report", mprString("Anonymous login not permitted"));
mprSetPropertyValue(auth, "result", mprCreateBoolVar(False));
goto done;
}
if (!set) {
mprSetPropertyValue(auth, "report", mprString("Session Info generation failed"));
mprSetPropertyValue(auth, "result", mprCreateBoolVar(False));
}
session_info_obj = mprInitObject(eid, "session_info", 0, NULL);
mprSetPtrChild(session_info_obj, "session_info", session_info);
@@ -121,6 +149,23 @@ static int ejs_doauth(MprVarHandle eid,
mprSetPropertyValue(auth, "username", mprString(server_info->account_name));
mprSetPropertyValue(auth, "domain", mprString(server_info->domain_name));
if (security_token_is_system(session_info->security_token)) {
mprSetPropertyValue(auth, "report", mprString("SYSTEM"));
}
if (security_token_is_anonymous(session_info->security_token)) {
mprSetPropertyValue(auth, "report", mprString("ANONYMOUS"));
}
if (security_token_has_builtin_administrators(session_info->security_token)) {
mprSetPropertyValue(auth, "report", mprString("ADMINISTRATOR"));
}
if (security_token_has_nt_authenticated_users(session_info->security_token)) {
mprSetPropertyValue(auth, "report", mprString("USER"));
}
done:
return 0;
}