Volker Lendecke 277eac1a8e lsa4_srv: Factor out dcesrc_lsa_valid_AccountRight() ... The previous code in dcesrv_lsa_AddRemoveAccountRights had the following snippet: if (sec_privilege_id(rights->names[i].string) == SEC_PRIV_INVALID) { if (sec_right_bit(rights->names[i].string) == 0) { talloc_free(msg); return NT_STATUS_NO_SUCH_PRIVILEGE; } talloc_free(msg); return NT_STATUS_NO_SUCH_PRIVILEGE; } If I'm not mistaken, the inner if-statement is essentially dead code, as regardless of the outcome of the if-condition we execute the same code. The effect of this is that you can't "net rpc rights grant" a right, for example SeInteractiveLogonRight. A quick test against a W2k12 server shows that W2k12 allows this call. This patch changes the semantics of dcesrv_lsa_AddRemoveAccountRights to also allow "rights" to be granted and revoked. At the same time, it centralizes the check for validity of user input from dcesrv_lsa_EnumAccountsWithUserRight into dcesrc_lsa_valid_AccountRight too. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Sat Apr 29 09:20:02 CEST 2017 on sn-devel-144		2017-04-29 09:20:02 +02:00
..
dcesrv_lsa.c	lsa4_srv: Factor out dcesrc_lsa_valid_AccountRight()	2017-04-29 09:20:02 +02:00
lsa_init.c	s4:rpc_server/lsa: implement the policy security descriptor	2015-03-30 13:41:25 +02:00
lsa_lookup.c	CVE-2015-5370: s4:rpc_server/lsa: make use of dce_call->conn->auth_state.auth_{level,type}	2016-04-12 19:25:29 +02:00
lsa.h	s4:rpc_server/lsa: implement the policy security descriptor	2015-03-30 13:41:25 +02:00