1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00

s3-rpc_server: pass down full unix token to map_max_allowed_access().

Also use unix_token->uid instead of geteuid() when checking for mapping of the
SEC_FLAG_MAXIMUM_ALLOWED flag.

Guenther
This commit is contained in:
Günther Deschner 2009-06-29 20:34:03 +02:00
parent 05fbe0c7f7
commit f7ff6bd142
3 changed files with 37 additions and 18 deletions

View File

@ -7253,8 +7253,9 @@ NTSTATUS access_check_object( SEC_DESC *psd, NT_USER_TOKEN *token,
SE_PRIV *rights, uint32 rights_mask,
uint32 des_access, uint32 *acc_granted,
const char *debug);
void map_max_allowed_access(const NT_USER_TOKEN *token,
uint32_t *pacc_requested);
void map_max_allowed_access(const NT_USER_TOKEN *nt_token,
const struct unix_user_token *unix_token,
uint32_t *pacc_requested);
/* The following definitions come from ../libds/common/flag_mapping.c */

View File

@ -349,7 +349,9 @@ NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
NTSTATUS status;
/* Work out max allowed. */
map_max_allowed_access(p->server_info->ptok, &des_access);
map_max_allowed_access(p->server_info->ptok,
&p->server_info->utok,
&des_access);
/* map the generic bits to the lsa policy ones */
se_map_generic(&des_access, &lsa_policy_mapping);
@ -1628,7 +1630,9 @@ NTSTATUS _lsa_OpenAccount(pipes_struct *p,
* handle - so don't check against policy handle. */
/* Work out max allowed. */
map_max_allowed_access(p->server_info->ptok, &des_access);
map_max_allowed_access(p->server_info->ptok,
&p->server_info->utok,
&des_access);
/* map the generic bits to the lsa account ones */
se_map_generic(&des_access, &lsa_account_mapping);

View File

@ -236,8 +236,9 @@ done:
Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
********************************************************************/
void map_max_allowed_access(const NT_USER_TOKEN *token,
uint32_t *pacc_requested)
void map_max_allowed_access(const NT_USER_TOKEN *nt_token,
const struct unix_user_token *unix_token,
uint32_t *pacc_requested)
{
if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
return;
@ -248,15 +249,15 @@ void map_max_allowed_access(const NT_USER_TOKEN *token,
*pacc_requested = GENERIC_READ_ACCESS|GENERIC_EXECUTE_ACCESS;
/* root gets anything. */
if (geteuid() == sec_initial_uid()) {
if (unix_token->uid == sec_initial_uid()) {
*pacc_requested |= GENERIC_ALL_ACCESS;
return;
}
/* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
if (is_sid_in_token(token, &global_sid_Builtin_Administrators) ||
is_sid_in_token(token, &global_sid_Builtin_Account_Operators)) {
if (is_sid_in_token(nt_token, &global_sid_Builtin_Administrators) ||
is_sid_in_token(nt_token, &global_sid_Builtin_Account_Operators)) {
*pacc_requested |= GENERIC_ALL_ACCESS;
return;
}
@ -266,7 +267,7 @@ void map_max_allowed_access(const NT_USER_TOKEN *token,
DOM_SID domadmin_sid;
sid_copy( &domadmin_sid, get_global_sam_sid() );
sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
if (is_sid_in_token(token, &domadmin_sid)) {
if (is_sid_in_token(nt_token, &domadmin_sid)) {
*pacc_requested |= GENERIC_ALL_ACCESS;
return;
}
@ -550,7 +551,9 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p,
}
/*check if access can be granted as requested by client. */
map_max_allowed_access(p->server_info->ptok, &des_access);
map_max_allowed_access(p->server_info->ptok,
&p->server_info->utok,
&des_access);
make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
se_map_generic( &des_access, &dom_generic_mapping );
@ -2260,8 +2263,9 @@ NTSTATUS _samr_OpenUser(pipes_struct *p,
return NT_STATUS_NO_SUCH_USER;
/* check if access can be granted as requested by client. */
map_max_allowed_access(p->server_info->ptok, &des_access);
map_max_allowed_access(p->server_info->ptok,
&p->server_info->utok,
&des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
se_map_generic(&des_access, &usr_generic_mapping);
@ -3834,7 +3838,9 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p,
sid_compose(&sid, get_global_sam_sid(), *r->out.rid);
map_max_allowed_access(p->server_info->ptok, &des_access);
map_max_allowed_access(p->server_info->ptok,
&p->server_info->utok,
&des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
&sid, SAMR_USR_RIGHTS_WRITE_PW);
@ -3914,7 +3920,9 @@ NTSTATUS _samr_Connect(pipes_struct *p,
was observed from a win98 client trying to enumerate users (when configured
user level access control on shares) --jerry */
map_max_allowed_access(p->server_info->ptok, &des_access);
map_max_allowed_access(p->server_info->ptok,
&p->server_info->utok,
&des_access);
se_map_generic( &des_access, &sam_generic_mapping );
@ -3974,7 +3982,9 @@ NTSTATUS _samr_Connect2(pipes_struct *p,
return NT_STATUS_ACCESS_DENIED;
}
map_max_allowed_access(p->server_info->ptok, &des_access);
map_max_allowed_access(p->server_info->ptok,
&p->server_info->utok,
&des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
se_map_generic(&des_access, &sam_generic_mapping);
@ -4187,7 +4197,9 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p,
/*check if access can be granted as requested by client. */
map_max_allowed_access(p->server_info->ptok, &des_access);
map_max_allowed_access(p->server_info->ptok,
&p->server_info->utok,
&des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
se_map_generic(&des_access,&ali_generic_mapping);
@ -6237,7 +6249,9 @@ NTSTATUS _samr_OpenGroup(pipes_struct *p,
}
/*check if access can be granted as requested by client. */
map_max_allowed_access(p->server_info->ptok, &des_access);
map_max_allowed_access(p->server_info->ptok,
&p->server_info->utok,
&des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0);
se_map_generic(&des_access,&grp_generic_mapping);