svn commit: samba r9960 - in branches/tmp/RPCREWRITE/source: .
include lib python rpc_server smbd
jra at samba.org
jra at samba.org
Fri Sep 2 15:45:16 GMT 2005
Author: jra
Date: 2005-09-02 15:45:13 +0000 (Fri, 02 Sep 2005)
New Revision: 9960
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9960
Log:
Merge up to current HEAD.
Jeremy
Modified:
branches/tmp/RPCREWRITE/source/Makefile.in
branches/tmp/RPCREWRITE/source/include/privileges.h
branches/tmp/RPCREWRITE/source/include/smb_macros.h
branches/tmp/RPCREWRITE/source/lib/privileges.c
branches/tmp/RPCREWRITE/source/python/setup.py
branches/tmp/RPCREWRITE/source/rpc_server/srv_samr_nt.c
branches/tmp/RPCREWRITE/source/rpc_server/srv_spoolss_nt.c
branches/tmp/RPCREWRITE/source/smbd/posix_acls.c
Changeset:
Modified: branches/tmp/RPCREWRITE/source/Makefile.in
===================================================================
--- branches/tmp/RPCREWRITE/source/Makefile.in 2005-09-02 14:45:40 UTC (rev 9959)
+++ branches/tmp/RPCREWRITE/source/Makefile.in 2005-09-02 15:45:13 UTC (rev 9960)
@@ -693,9 +693,9 @@
TDBBACKUP_OBJ = tdb/tdbbackup.o tdb/tdbback.o $(SNPRINTF_OBJ) $(TDBBASE_OBJ)
-TDBTOOL_OBJ = tdb/tdbtool.o $(TDBBASE_OBJ)
+TDBTOOL_OBJ = tdb/tdbtool.o $(TDBBASE_OBJ) $(SNPRINTF_OBJ)
-TDBDUMP_OBJ = tdb/tdbdump.o $(TDBBASE_OBJ)
+TDBDUMP_OBJ = tdb/tdbdump.o $(TDBBASE_OBJ) $(SNPRINTF_OBJ)
NTLM_AUTH_OBJ1 = utils/ntlm_auth.o utils/ntlm_auth_diagnostics.o
@@ -1298,15 +1298,15 @@
bin/tdbbackup at EXEEXT@: $(TDBBACKUP_OBJ) bin/.dummy
@echo Linking $@
- @$(CC) $(FLAGS) @PIE_LDFLAGS@ -o $@ $(DYNEXP) $(LIBS) $(TDBBACKUP_OBJ) $(SNPRINTF_OBJ) @SOCKWRAP@
+ @$(CC) $(FLAGS) @PIE_LDFLAGS@ -o $@ $(DYNEXP) $(LIBS) $(TDBBACKUP_OBJ) @SOCKWRAP@
bin/tdbtool at EXEEXT@: $(TDBTOOL_OBJ) bin/.dummy
@echo Linking $@
- @$(CC) $(FLAGS) @PIE_LDFLAGS@ -o $@ $(DYNEXP) $(LIBS) $(TDBTOOL_OBJ) $(SNPRINTF_OBJ) @SOCKWRAP@
+ @$(CC) $(FLAGS) @PIE_LDFLAGS@ -o $@ $(DYNEXP) $(LIBS) $(TDBTOOL_OBJ) @SOCKWRAP@
bin/tdbdump at EXEEXT@: $(TDBDUMP_OBJ) bin/.dummy
@echo Linking $@
- @$(CC) $(FLAGS) @PIE_LDFLAGS@ -o $@ $(DYNEXP) $(LIBS) $(TDBDUMP_OBJ) $(SNPRINTF_OBJ) @SOCKWRAP@
+ @$(CC) $(FLAGS) @PIE_LDFLAGS@ -o $@ $(DYNEXP) $(LIBS) $(TDBDUMP_OBJ) @SOCKWRAP@
bin/t_strcmp at EXEEXT@: bin/libbigballofmud. at SHLIBEXT@ torture/t_strcmp.o
$(CC) $(FLAGS) @PIE_LDFLAGS@ -o $@ $(DYNEXP) $(LIBS) torture/t_strcmp.o -L ./bin -lbigballofmud
Modified: branches/tmp/RPCREWRITE/source/include/privileges.h
===================================================================
--- branches/tmp/RPCREWRITE/source/include/privileges.h 2005-09-02 14:45:40 UTC (rev 9959)
+++ branches/tmp/RPCREWRITE/source/include/privileges.h 2005-09-02 15:45:13 UTC (rev 9960)
@@ -70,6 +70,7 @@
extern const SE_PRIV se_disk_operators;
extern const SE_PRIV se_remote_shutdown;
extern const SE_PRIV se_restore;
+extern const SE_PRIV se_take_ownership;
/*
Modified: branches/tmp/RPCREWRITE/source/include/smb_macros.h
===================================================================
--- branches/tmp/RPCREWRITE/source/include/smb_macros.h 2005-09-02 14:45:40 UTC (rev 9959)
+++ branches/tmp/RPCREWRITE/source/include/smb_macros.h 2005-09-02 15:45:13 UTC (rev 9960)
@@ -261,7 +261,7 @@
#define dos_format(fname) string_replace(fname,'/','\\')
/*****************************************************************************
- Check to see if we are a DO for this domain
+ Check to see if we are a DC for this domain
*****************************************************************************/
#define IS_DC (lp_server_role()==ROLE_DOMAIN_PDC || lp_server_role()==ROLE_DOMAIN_BDC)
Modified: branches/tmp/RPCREWRITE/source/lib/privileges.c
===================================================================
--- branches/tmp/RPCREWRITE/source/lib/privileges.c 2005-09-02 14:45:40 UTC (rev 9959)
+++ branches/tmp/RPCREWRITE/source/lib/privileges.c 2005-09-02 15:45:13 UTC (rev 9960)
@@ -38,6 +38,7 @@
const SE_PRIV se_disk_operators = SE_DISK_OPERATOR;
const SE_PRIV se_remote_shutdown = SE_REMOTE_SHUTDOWN;
const SE_PRIV se_restore = SE_RESTORE;
+const SE_PRIV se_take_ownership = SE_TAKE_OWNERSHIP;
/********************************************************************
This is a list of privileges reported by a WIndows 2000 SP4 AD DC
Modified: branches/tmp/RPCREWRITE/source/python/setup.py
===================================================================
--- branches/tmp/RPCREWRITE/source/python/setup.py 2005-09-02 14:45:40 UTC (rev 9959)
+++ branches/tmp/RPCREWRITE/source/python/setup.py 2005-09-02 15:45:13 UTC (rev 9960)
@@ -56,6 +56,9 @@
if lib[0:2] == "-l":
libraries.append(lib[2:])
continue
+ if lib[0:8] == "-pthread":
+ libraries.append(lib[2:])
+ continue
if lib[0:2] == "-L":
library_dirs.append(lib[2:])
continue
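Review bot: In the added `-pthread` branch, `lib[2:]` drops the first two characters of the flag, so `-pthread` is recorded in `libraries` as `thread` rather than `pthread`; the slice appears to be copied from the `-l` case above, where the prefix really is two characters long. If the intent is to link against the pthread library, the line should read `libraries.append(lib[1:])`; if `-pthread` is meant to stay a compiler/linker flag, it does not belong in `libraries` at all. The prefix test `lib[0:8] == "-pthread"` also accepts longer tokens, so an exact comparison `lib == "-pthread"` would be tighter. The loop this branch sits in starts and ends outside the hunk.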
Modified: branches/tmp/RPCREWRITE/source/rpc_server/srv_samr_nt.c
===================================================================
--- branches/tmp/RPCREWRITE/source/rpc_server/srv_samr_nt.c 2005-09-02 14:45:40 UTC (rev 9959)
+++ branches/tmp/RPCREWRITE/source/rpc_server/srv_samr_nt.c 2005-09-02 15:45:13 UTC (rev 9960)
@@ -3932,6 +3932,8 @@
GROUP_MAP map;
GROUP_INFO_CTR *ctr;
uint32 acc_granted;
+ BOOL ret;
+ BOOL can_mod_accounts;
if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted))
return NT_STATUS_INVALID_HANDLE;
@@ -3956,11 +3958,21 @@
return NT_STATUS_INVALID_INFO_CLASS;
}
- if(!pdb_update_group_mapping_entry(&map)) {
- return NT_STATUS_NO_SUCH_GROUP;
- }
+ can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
- return NT_STATUS_OK;
+ /******** BEGIN SeAddUsers BLOCK *********/
+
+ if ( can_mod_accounts )
+ become_root();
+
+ ret = pdb_update_group_mapping_entry(&map);
+
+ if ( can_mod_accounts )
+ unbecome_root();
+
+ /******** End SeAddUsers BLOCK *********/
+
+ return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
}
/*********************************************************************
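Review bot: After this change a failed `pdb_update_group_mapping_entry(&map)` returns `NT_STATUS_ACCESS_DENIED` instead of the previous `NT_STATUS_NO_SUCH_GROUP`, so a caller or log reader can no longer tell a refused write from a mapping that does not exist, and nothing records that the call ran as root. I would add a log line after `unbecome_root()`, e.g. `DEBUG(5, ("group mapping update %s (as root: %s)\n", ret ? "ok" : "failed", can_mod_accounts ? "yes" : "no"));`, and a comment stating that the switch to root relies solely on `se_add_users` being present in the pipe user's token. Whether `acc_granted` on the policy handle is checked before this point cannot be seen from the hunk, since the function begins above it; that check should precede `become_root()`. The same pattern and the same remarks apply to the `pdb_set_aliasinfo` hunk that follows.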
@@ -3975,6 +3987,8 @@
struct acct_info info;
ALIAS_INFO_CTR *ctr;
uint32 acc_granted;
+ BOOL ret;
+ BOOL can_mod_accounts;
if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted))
return NT_STATUS_INVALID_HANDLE;
@@ -3997,11 +4011,21 @@
return NT_STATUS_INVALID_INFO_CLASS;
}
- if(!pdb_set_aliasinfo(&group_sid, &info)) {
- return NT_STATUS_ACCESS_DENIED;
- }
+ can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
- return NT_STATUS_OK;
+ /******** BEGIN SeAddUsers BLOCK *********/
+
+ if ( can_mod_accounts )
+ become_root();
+
+ ret = pdb_set_aliasinfo( &group_sid, &info );
+
+ if ( can_mod_accounts )
+ unbecome_root();
+
+ /******** End SeAddUsers BLOCK *********/
+
+ return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
}
/*********************************************************************
Modified: branches/tmp/RPCREWRITE/source/rpc_server/srv_spoolss_nt.c
===================================================================
--- branches/tmp/RPCREWRITE/source/rpc_server/srv_spoolss_nt.c 2005-09-02 14:45:40 UTC (rev 9959)
+++ branches/tmp/RPCREWRITE/source/rpc_server/srv_spoolss_nt.c 2005-09-02 15:45:13 UTC (rev 9960)
@@ -1594,7 +1594,7 @@
if (printer_default->access_required &
~(SERVER_ACCESS_ADMINISTER | SERVER_ACCESS_ENUMERATE)) {
- DEBUG(3, ("access DENIED for non-printserver bits"));
+ DEBUG(3, ("access DENIED for non-printserver bits\n"));
close_printer_handle(p, handle);
return WERR_ACCESS_DENIED;
}
Modified: branches/tmp/RPCREWRITE/source/smbd/posix_acls.c
===================================================================
--- branches/tmp/RPCREWRITE/source/smbd/posix_acls.c 2005-09-02 14:45:40 UTC (rev 9959)
+++ branches/tmp/RPCREWRITE/source/smbd/posix_acls.c 2005-09-02 15:45:13 UTC (rev 9960)
@@ -2998,7 +2998,8 @@
1) If we have root privileges, then it will just work.
2) If we have SeTakeOwnershipPrivilege we can change the user to the current user.
- 3) If we have write permission to the file and dos_filemodes is set
+ 3) If we have SeRestorePrivilege we can change the user to any other user.
+ 4) If we have write permission to the file and dos_filemodes is set
then allow chown to the currently authenticated user.
****************************************************************************/
@@ -3007,7 +3008,6 @@
int ret;
files_struct *fsp;
SMB_STRUCT_STAT st;
- SE_PRIV se_take_ownership = SE_TAKE_OWNERSHIP;
if(!CAN_WRITE(conn)) {
return -1;
@@ -3019,18 +3019,28 @@
if (ret == 0)
return 0;
- /* Case (2). */
- if (lp_enable_privileges() &&
- (uid == current_user.uid) &&
- (user_has_privileges(current_user.nt_user_token,&se_take_ownership))) {
- become_root();
- /* Keep the current file gid the same - take ownership doesn't imply group change. */
- ret = SMB_VFS_CHOWN(conn, fname, uid, (gid_t)-1);
- unbecome_root();
- return ret;
+ /* Case (2) / (3) */
+ if (lp_enable_privileges()) {
+
+ BOOL has_take_ownership_priv = user_has_privileges(current_user.nt_user_token,
+ &se_take_ownership);
+ BOOL has_restore_priv = user_has_privileges(current_user.nt_user_token,
+ &se_restore);
+
+ /* Case (2) */
+ if ( ( has_take_ownership_priv && ( uid == current_user.uid ) ) ||
+ /* Case (3) */
+ ( has_restore_priv ) ) {
+
+ become_root();
+ /* Keep the current file gid the same - take ownership doesn't imply group change. */
+ ret = SMB_VFS_CHOWN(conn, fname, uid, (gid_t)-1);
+ unbecome_root();
+ return ret;
+ }
}
- /* Case (3). */
+ /* Case (4). */
if (!lp_dos_filemode(SNUM(conn))) {
return -1;
}
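Review bot: In the combined Case (2)/(3) condition, the `has_restore_priv` arm places no constraint on `uid`, so any holder of SeRestorePrivilege on a writable connection gets a root-level `SMB_VFS_CHOWN` of `fname` to an arbitrary owner, and the event leaves no trace in the log. That matches the updated header comment, but it deserves a log line before `become_root()`, e.g. `DEBUG(5, ("privileged chown of %s to uid %u\n", fname, (unsigned int)uid));`, so that ownership changes made under these privileges can be audited. The retained comment `take ownership doesn't imply group change` now also covers the restore case and should say so. The function starts above the hunk and continues below it.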