mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00
samba-mirror/source4/rpc_server
Volker Lendecke 277eac1a8e lsa4_srv: Factor out dcesrc_lsa_valid_AccountRight()
The previous code in dcesrv_lsa_AddRemoveAccountRights had the following snippet:

if (sec_privilege_id(rights->names[i].string) == SEC_PRIV_INVALID) {
        if (sec_right_bit(rights->names[i].string) == 0) {
                talloc_free(msg);
                return NT_STATUS_NO_SUCH_PRIVILEGE;
        }
        talloc_free(msg);
        return NT_STATUS_NO_SUCH_PRIVILEGE;
}

If I'm not mistaken, the inner if-statement is essentially dead code,
as regardless of the outcome of the if-condition we execute the same
code. The effect of this is that you can't "net rpc rights grant" a right,
for example SeInteractiveLogonRight. A quick test against a W2k12 server
shows that W2k12 allows this call.

This patch changes the semantics of dcesrv_lsa_AddRemoveAccountRights
to also allow "rights" to be granted and revoked. At the same
time, it centralizes the check for validity of user input from
dcesrv_lsa_EnumAccountsWithUserRight into dcesrc_lsa_valid_AccountRight
too.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 29 09:20:02 CEST 2017 on sn-devel-144
2017-04-29 09:20:02 +02:00
backupkey werror: replace WERR_INVALID_PARAM with WERR_INVALID_PARAMETER in source4/rpc_server/ 2016-09-28 00:04:23 +02:00
browser werror: replace WERR_UNKNOWN_LEVEL with WERR_INVALID_LEVEL in source4/rpc_server/ 2016-09-28 00:04:35 +02:00
common s4:rpc_server: return the context_id of a RESPONSE in the same way as windows 2016-10-26 11:20:17 +02:00
dnsserver dnsserver: add dns name checking 2016-12-12 05:00:18 +01:00
drsuapi updaterefs: Do not open transaction even when unnecessary 2017-04-13 11:25:06 +02:00
echo CVE-2016-2118: s4:rpc_server/rpcecho: allow DCERPC_AUTH_LEVEL_CONNECT by default 2016-04-12 19:25:27 +02:00
epmapper CVE-2016-2118: s4:rpc_server/epmapper: allow DCERPC_AUTH_LEVEL_CONNECT by default 2016-04-12 19:25:27 +02:00
eventlog s4-eventlog: fixed dcerpc handle return 2010-11-16 07:16:04 +00:00
lsa lsa4_srv: Factor out dcesrc_lsa_valid_AccountRight() 2017-04-29 09:20:02 +02:00
netlogon auth: Add "auth_description" to allow logs to distinguish simple bind (etc) 2017-03-29 02:37:26 +02:00
remote s4-rpc_server: Allow each interface to declare if it uses handles 2016-12-20 01:11:23 +01:00
samr samr: Add logging of password change success and failure 2017-03-29 02:37:29 +02:00
srvsvc werror: replace WERR_UNKNOWN_LEVEL with WERR_INVALID_LEVEL in source4/rpc_server/ 2016-09-28 00:04:35 +02:00
unixinfo wbclient: "ev" is no longer used in wbc_xids_to_sids 2016-09-28 00:04:36 +02:00
winreg werror: replace WERR_INVALID_PARAM with WERR_INVALID_PARAMETER in source4/rpc_server/ 2016-09-28 00:04:23 +02:00
wkssvc werror: replace WERR_UNKNOWN_LEVEL with WERR_INVALID_LEVEL in source4/rpc_server/ 2016-09-28 00:04:35 +02:00
dcerpc_server.c lib: modules: Change XXX_init interface from XXX_init(void) to XXX_init(TALLOC_CTX *) 2017-04-22 01:17:00 +02:00
dcerpc_server.h s4-rpc_server: Allow listener for RPC servers to use multiple processes 2016-12-20 01:11:23 +01:00
dcerpc_server.pc.in dcerpc_server: Add 'modulesdir' variable to pkg-config file. 2012-02-23 16:26:25 +01:00
dcesrv_auth.c auth: Add hooks for notification of authentication events over the message bus 2017-03-29 02:37:28 +02:00
dcesrv_mgmt.c s4-rpc_server: Allow each interface to declare if it uses handles 2016-12-20 01:11:23 +01:00
handles.c s4-rpc_server: Allow each interface to declare if it uses handles 2016-12-20 01:11:23 +01:00
service_rpc.c lib: modules: Change XXX_init interface from XXX_init(void) to XXX_init(TALLOC_CTX *) 2017-04-22 01:17:00 +02:00
wscript_build wscript: remove executable bits for all wscript* files 2017-01-11 20:21:01 +01:00