svn commit: samba r9956 - branches/SAMBA_3_0/source/rpc_server
trunk/source/rpc_server
jerry at samba.org
jerry at samba.org
Fri Sep 2 13:42:57 GMT 2005
Author: jerry
Date: 2005-09-02 13:42:56 +0000 (Fri, 02 Sep 2005)
New Revision: 9956
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9956
Log:
Ensure accounts with the SeAddUsersPrivilege can modify domain and local group attributes (posted to samba ml and confirmed fix)
Modified:
branches/SAMBA_3_0/source/rpc_server/srv_samr_nt.c
trunk/source/rpc_server/srv_samr_nt.c
Changeset:
Modified: branches/SAMBA_3_0/source/rpc_server/srv_samr_nt.c
===================================================================
--- branches/SAMBA_3_0/source/rpc_server/srv_samr_nt.c 2005-09-02 13:39:39 UTC (rev 9955)
+++ branches/SAMBA_3_0/source/rpc_server/srv_samr_nt.c 2005-09-02 13:42:56 UTC (rev 9956)
@@ -3924,6 +3924,8 @@
GROUP_MAP map;
GROUP_INFO_CTR *ctr;
uint32 acc_granted;
+ BOOL ret;
+ BOOL can_mod_accounts;
if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted))
return NT_STATUS_INVALID_HANDLE;
@@ -3948,11 +3950,21 @@
return NT_STATUS_INVALID_INFO_CLASS;
}
- if(!pdb_update_group_mapping_entry(&map)) {
- return NT_STATUS_NO_SUCH_GROUP;
- }
+ can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
- return NT_STATUS_OK;
+ /******** BEGIN SeAddUsers BLOCK *********/
+
+ if ( can_mod_accounts )
+ become_root();
+
+ ret = pdb_update_group_mapping_entry(&map);
+
+ if ( can_mod_accounts )
+ unbecome_root();
+
+ /******** End SeAddUsers BLOCK *********/
+
+ return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
}
/*********************************************************************
@@ -3967,6 +3979,8 @@
struct acct_info info;
ALIAS_INFO_CTR *ctr;
uint32 acc_granted;
+ BOOL ret;
+ BOOL can_mod_accounts;
if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted))
return NT_STATUS_INVALID_HANDLE;
@@ -3989,11 +4003,21 @@
return NT_STATUS_INVALID_INFO_CLASS;
}
- if(!pdb_set_aliasinfo(&group_sid, &info)) {
- return NT_STATUS_ACCESS_DENIED;
- }
+ can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
- return NT_STATUS_OK;
+ /******** BEGIN SeAddUsers BLOCK *********/
+
+ if ( can_mod_accounts )
+ become_root();
+
+ ret = pdb_set_aliasinfo( &group_sid, &info );
+
+ if ( can_mod_accounts )
+ unbecome_root();
+
+ /******** End SeAddUsers BLOCK *********/
+
+ return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
}
/*********************************************************************
Modified: trunk/source/rpc_server/srv_samr_nt.c
===================================================================
--- trunk/source/rpc_server/srv_samr_nt.c 2005-09-02 13:39:39 UTC (rev 9955)
+++ trunk/source/rpc_server/srv_samr_nt.c 2005-09-02 13:42:56 UTC (rev 9956)
@@ -3932,6 +3932,8 @@
GROUP_MAP map;
GROUP_INFO_CTR *ctr;
uint32 acc_granted;
+ BOOL ret;
+ BOOL can_mod_accounts;
if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted))
return NT_STATUS_INVALID_HANDLE;
@@ -3956,11 +3958,21 @@
return NT_STATUS_INVALID_INFO_CLASS;
}
- if(!pdb_update_group_mapping_entry(&map)) {
- return NT_STATUS_NO_SUCH_GROUP;
- }
+ can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
- return NT_STATUS_OK;
+ /******** BEGIN SeAddUsers BLOCK *********/
+
+ if ( can_mod_accounts )
+ become_root();
+
+ ret = pdb_update_group_mapping_entry(&map);
+
+ if ( can_mod_accounts )
+ unbecome_root();
+
+ /******** End SeAddUsers BLOCK *********/
+
+ return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
}
/*********************************************************************
@@ -3975,6 +3987,8 @@
struct acct_info info;
ALIAS_INFO_CTR *ctr;
uint32 acc_granted;
+ BOOL ret;
+ BOOL can_mod_accounts;
if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted))
return NT_STATUS_INVALID_HANDLE;
@@ -3997,11 +4011,21 @@
return NT_STATUS_INVALID_INFO_CLASS;
}
- if(!pdb_set_aliasinfo(&group_sid, &info)) {
- return NT_STATUS_ACCESS_DENIED;
- }
+ can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
- return NT_STATUS_OK;
+ /******** BEGIN SeAddUsers BLOCK *********/
+
+ if ( can_mod_accounts )
+ become_root();
+
+ ret = pdb_set_aliasinfo( &group_sid, &info );
+
+ if ( can_mod_accounts )
+ unbecome_root();
+
+ /******** End SeAddUsers BLOCK *********/
+
+ return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
}
/*********************************************************************
More information about the samba-cvs
mailing list