svn commit: samba r5383 - in branches/SAMBA_3_0/source/rpc_server: .

jerry at samba.org jerry at samba.org
Mon Feb 14 01:13:14 GMT 2005


Author: jerry
Date: 2005-02-14 01:13:14 +0000 (Mon, 14 Feb 2005)
New Revision: 5383

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=5383

Log:
add missing checks to allow root to manage user rights
Modified:
   branches/SAMBA_3_0/source/rpc_server/srv_lsa_nt.c


Changeset:
Modified: branches/SAMBA_3_0/source/rpc_server/srv_lsa_nt.c
===================================================================
--- branches/SAMBA_3_0/source/rpc_server/srv_lsa_nt.c	2005-02-14 01:02:47 UTC (rev 5382)
+++ branches/SAMBA_3_0/source/rpc_server/srv_lsa_nt.c	2005-02-14 01:13:14 UTC (rev 5383)
@@ -1333,6 +1333,7 @@
 	DOM_SID sid;
 	fstring privname;
 	UNISTR2_ARRAY *uni_privnames = &q_u->rights;
+	struct current_user user;
 	
 
 	/* find the connection policy handle. */
@@ -1342,8 +1343,12 @@
 	/* check to see if the pipe_user is a Domain Admin since 
 	   account_pol.tdb was already opened as root, this is all we have */
 	   
-	if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+	get_current_user( &user, p );
+	if ( user.uid != sec_initial_uid()
+		&& !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) 
+	{
 		return NT_STATUS_ACCESS_DENIED;
+	}
 
 	/* according to an NT4 PDC, you can add privileges to SIDs even without
 	   call_lsa_create_account() first.  And you can use any arbitrary SID. */
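Review bot: The comment above the rewritten condition (`/* check to see if the pipe_user is a Domain Admin ... */`) no longer describes the check, which now also admits any caller whose unix uid equals sec_initial_uid(); the same stale comment precedes the identical check in the hunk at -1390,8 +1396,12. I would replace it with `/* allow root (sec_initial_uid) or a Domain Admin; account_pol.tdb was already opened as root, so this is the only gate */` in both places. Because both functions now carry the same two-line authorization predicate, a small static helper wrapping get_current_user() and the uid/token test would keep the two call sites from drifting apart if the rule changes again. The enclosing function starts before this hunk, so the policy-handle lookup and the rest of the function are not visible here.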
@@ -1381,6 +1386,7 @@
 	DOM_SID sid;
 	fstring privname;
 	UNISTR2_ARRAY *uni_privnames = &q_u->rights;
+	struct current_user user;
 	
 
 	/* find the connection policy handle. */
@@ -1390,8 +1396,12 @@
 	/* check to see if the pipe_user is a Domain Admin since 
 	   account_pol.tdb was already opened as root, this is all we have */
 	   
-	if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+	get_current_user( &user, p );
+	if ( user.uid != sec_initial_uid()
+		&& !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+	{
 		return NT_STATUS_ACCESS_DENIED;
+	}
 
 	sid_copy( &sid, &q_u->sid.sid );
 


