mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
s3-rpc_server: pass down full unix token to map_max_allowed_access().
Also use unix_token->uid instead of geteuid() when checking for mapping of the SEC_FLAG_MAXIMUM_ALLOWED flag. Guenther
This commit is contained in:
parent
05fbe0c7f7
commit
f7ff6bd142
@ -7253,8 +7253,9 @@ NTSTATUS access_check_object( SEC_DESC *psd, NT_USER_TOKEN *token,
|
||||
SE_PRIV *rights, uint32 rights_mask,
|
||||
uint32 des_access, uint32 *acc_granted,
|
||||
const char *debug);
|
||||
void map_max_allowed_access(const NT_USER_TOKEN *token,
|
||||
uint32_t *pacc_requested);
|
||||
void map_max_allowed_access(const NT_USER_TOKEN *nt_token,
|
||||
const struct unix_user_token *unix_token,
|
||||
uint32_t *pacc_requested);
|
||||
|
||||
/* The following definitions come from ../libds/common/flag_mapping.c */
|
||||
|
||||
|
@ -349,7 +349,9 @@ NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
|
||||
NTSTATUS status;
|
||||
|
||||
/* Work out max allowed. */
|
||||
map_max_allowed_access(p->server_info->ptok, &des_access);
|
||||
map_max_allowed_access(p->server_info->ptok,
|
||||
&p->server_info->utok,
|
||||
&des_access);
|
||||
|
||||
/* map the generic bits to the lsa policy ones */
|
||||
se_map_generic(&des_access, &lsa_policy_mapping);
|
||||
@ -1628,7 +1630,9 @@ NTSTATUS _lsa_OpenAccount(pipes_struct *p,
|
||||
* handle - so don't check against policy handle. */
|
||||
|
||||
/* Work out max allowed. */
|
||||
map_max_allowed_access(p->server_info->ptok, &des_access);
|
||||
map_max_allowed_access(p->server_info->ptok,
|
||||
&p->server_info->utok,
|
||||
&des_access);
|
||||
|
||||
/* map the generic bits to the lsa account ones */
|
||||
se_map_generic(&des_access, &lsa_account_mapping);
|
||||
|
@ -236,8 +236,9 @@ done:
|
||||
Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
|
||||
********************************************************************/
|
||||
|
||||
void map_max_allowed_access(const NT_USER_TOKEN *token,
|
||||
uint32_t *pacc_requested)
|
||||
void map_max_allowed_access(const NT_USER_TOKEN *nt_token,
|
||||
const struct unix_user_token *unix_token,
|
||||
uint32_t *pacc_requested)
|
||||
{
|
||||
if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
|
||||
return;
|
||||
@ -248,15 +249,15 @@ void map_max_allowed_access(const NT_USER_TOKEN *token,
|
||||
*pacc_requested = GENERIC_READ_ACCESS|GENERIC_EXECUTE_ACCESS;
|
||||
|
||||
/* root gets anything. */
|
||||
if (geteuid() == sec_initial_uid()) {
|
||||
if (unix_token->uid == sec_initial_uid()) {
|
||||
*pacc_requested |= GENERIC_ALL_ACCESS;
|
||||
return;
|
||||
}
|
||||
|
||||
/* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
|
||||
|
||||
if (is_sid_in_token(token, &global_sid_Builtin_Administrators) ||
|
||||
is_sid_in_token(token, &global_sid_Builtin_Account_Operators)) {
|
||||
if (is_sid_in_token(nt_token, &global_sid_Builtin_Administrators) ||
|
||||
is_sid_in_token(nt_token, &global_sid_Builtin_Account_Operators)) {
|
||||
*pacc_requested |= GENERIC_ALL_ACCESS;
|
||||
return;
|
||||
}
|
||||
@ -266,7 +267,7 @@ void map_max_allowed_access(const NT_USER_TOKEN *token,
|
||||
DOM_SID domadmin_sid;
|
||||
sid_copy( &domadmin_sid, get_global_sam_sid() );
|
||||
sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
|
||||
if (is_sid_in_token(token, &domadmin_sid)) {
|
||||
if (is_sid_in_token(nt_token, &domadmin_sid)) {
|
||||
*pacc_requested |= GENERIC_ALL_ACCESS;
|
||||
return;
|
||||
}
|
||||
@ -550,7 +551,9 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p,
|
||||
}
|
||||
|
||||
/*check if access can be granted as requested by client. */
|
||||
map_max_allowed_access(p->server_info->ptok, &des_access);
|
||||
map_max_allowed_access(p->server_info->ptok,
|
||||
&p->server_info->utok,
|
||||
&des_access);
|
||||
|
||||
make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
|
||||
se_map_generic( &des_access, &dom_generic_mapping );
|
||||
@ -2260,8 +2263,9 @@ NTSTATUS _samr_OpenUser(pipes_struct *p,
|
||||
return NT_STATUS_NO_SUCH_USER;
|
||||
|
||||
/* check if access can be granted as requested by client. */
|
||||
|
||||
map_max_allowed_access(p->server_info->ptok, &des_access);
|
||||
map_max_allowed_access(p->server_info->ptok,
|
||||
&p->server_info->utok,
|
||||
&des_access);
|
||||
|
||||
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
|
||||
se_map_generic(&des_access, &usr_generic_mapping);
|
||||
@ -3834,7 +3838,9 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p,
|
||||
|
||||
sid_compose(&sid, get_global_sam_sid(), *r->out.rid);
|
||||
|
||||
map_max_allowed_access(p->server_info->ptok, &des_access);
|
||||
map_max_allowed_access(p->server_info->ptok,
|
||||
&p->server_info->utok,
|
||||
&des_access);
|
||||
|
||||
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
|
||||
&sid, SAMR_USR_RIGHTS_WRITE_PW);
|
||||
@ -3914,7 +3920,9 @@ NTSTATUS _samr_Connect(pipes_struct *p,
|
||||
was observed from a win98 client trying to enumerate users (when configured
|
||||
user level access control on shares) --jerry */
|
||||
|
||||
map_max_allowed_access(p->server_info->ptok, &des_access);
|
||||
map_max_allowed_access(p->server_info->ptok,
|
||||
&p->server_info->utok,
|
||||
&des_access);
|
||||
|
||||
se_map_generic( &des_access, &sam_generic_mapping );
|
||||
|
||||
@ -3974,7 +3982,9 @@ NTSTATUS _samr_Connect2(pipes_struct *p,
|
||||
return NT_STATUS_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
map_max_allowed_access(p->server_info->ptok, &des_access);
|
||||
map_max_allowed_access(p->server_info->ptok,
|
||||
&p->server_info->utok,
|
||||
&des_access);
|
||||
|
||||
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
|
||||
se_map_generic(&des_access, &sam_generic_mapping);
|
||||
@ -4187,7 +4197,9 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p,
|
||||
|
||||
/*check if access can be granted as requested by client. */
|
||||
|
||||
map_max_allowed_access(p->server_info->ptok, &des_access);
|
||||
map_max_allowed_access(p->server_info->ptok,
|
||||
&p->server_info->utok,
|
||||
&des_access);
|
||||
|
||||
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
|
||||
se_map_generic(&des_access,&ali_generic_mapping);
|
||||
@ -6237,7 +6249,9 @@ NTSTATUS _samr_OpenGroup(pipes_struct *p,
|
||||
}
|
||||
|
||||
/*check if access can be granted as requested by client. */
|
||||
map_max_allowed_access(p->server_info->ptok, &des_access);
|
||||
map_max_allowed_access(p->server_info->ptok,
|
||||
&p->server_info->utok,
|
||||
&des_access);
|
||||
|
||||
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0);
|
||||
se_map_generic(&des_access,&grp_generic_mapping);
|
||||
|
Loading…
Reference in New Issue
Block a user