svn commit: samba r4739 - in branches/SAMBA_3_0/source/rpc_server: .
jerry at samba.org
jerry at samba.org
Fri Jan 14 21:05:55 GMT 2005
Author: jerry
Date: 2005-01-14 21:05:54 +0000 (Fri, 14 Jan 2005)
New Revision: 4739
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=4739
Log:
require membership in Domain Admins to be able to set privileges
Modified:
branches/SAMBA_3_0/source/rpc_server/srv_lsa_nt.c
Changeset:
Modified: branches/SAMBA_3_0/source/rpc_server/srv_lsa_nt.c
===================================================================
--- branches/SAMBA_3_0/source/rpc_server/srv_lsa_nt.c 2005-01-14 20:23:22 UTC (rev 4738)
+++ branches/SAMBA_3_0/source/rpc_server/srv_lsa_nt.c 2005-01-14 21:05:54 UTC (rev 4739)
@@ -954,7 +954,14 @@
if (!(handle->access & POLICY_GET_PRIVATE_INFORMATION))
return NT_STATUS_ACCESS_DENIED;
+ /* check to see if the pipe_user is a Domain Admin since
+ account_pol.tdb was already opened as root, this is all we have */
+
+ if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ return NT_STATUS_ACCESS_DENIED;
+
/* associate the user/group SID with the (unique) handle. */
+
if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
return NT_STATUS_NO_MEMORY;
@@ -1085,6 +1092,12 @@
if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
return NT_STATUS_INVALID_HANDLE;
+ /* check to see if the pipe_user is a Domain Admin since
+ account_pol.tdb was already opened as root, this is all we have */
+
+ if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ return NT_STATUS_ACCESS_DENIED;
+
if (!pdb_getgrsid(&map, info->sid))
return NT_STATUS_NO_SUCH_GROUP;
@@ -1108,6 +1121,12 @@
/* find the connection policy handle. */
if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
return NT_STATUS_INVALID_HANDLE;
+
+ /* check to see if the pipe_user is a Domain Admin since
+ account_pol.tdb was already opened as root, this is all we have */
+
+ if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ return NT_STATUS_ACCESS_DENIED;
set = &q_u->set;
@@ -1142,6 +1161,12 @@
if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
return NT_STATUS_INVALID_HANDLE;
+ /* check to see if the pipe_user is a Domain Admin since
+ account_pol.tdb was already opened as root, this is all we have */
+
+ if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ return NT_STATUS_ACCESS_DENIED;
+
set = &q_u->set;
for (i = 0; i < set->count; i++) {
More information about the samba-cvs
mailing list