Rev 5351: create a fake user token consisting of builtin administrators sid and in http://samba.sernet.de/ma/bzr/SAMBA_3_0-registry.bzr/

Michael Adam ma at sernet.de
Thu Apr 12 12:27:46 GMT 2007 

At http://samba.sernet.de/ma/bzr/SAMBA_3_0-registry.bzr/

------------------------------------------------------------
revno: 5351
revision-id: ma at sernet.de-20070412122743-d447faac65352b25
parent: ma at sernet.de-20070411150619-9f3271e9d353c422
committer: Michael Adam <ma at sernet.de>
branch nick: SAMBA_3_0-registry.bzr
timestamp: Thu 2007-04-12 14:27:43 +0200
message:
  create a fake user token consisting of builtin administrators sid and
  se_disk_operators privilege by hand instead of using get_root_nt_token()
  to minimize linker deps for bin/net.
  
  * new function registry_create_admin_token() in lib/util_reg.c
  * move dup_nt_token from auth/token_util.c to new file lib/util_nttoken.c
  * adapt net_conf.c and Makefile.in accordingly
added:
  source/lib/util_nttoken.c      util_nttoken.c-20070412121956-apjs5s3igy1ydc2e-1
modified:
  source/Makefile.in             Makefile.in-20060530022626-b16dac2328ebe703
  source/auth/token_util.c       token_util.c-20070409110214-hxmlg8kreyeuci30-1
  source/lib/util_reg.c          util_reg.c-20060711181331-c2d45d0e1f4a8648
  source/utils/net_conf.c        net_conf.c-20070409110216-64p0zt0mes4j6yoe-1
=== added file 'source/lib/util_nttoken.c'
--- a/source/lib/util_nttoken.c	1970-01-01 00:00:00 +0000
+++ b/source/lib/util_nttoken.c	2007-04-12 12:27:43 +0000
@@ -0,0 +1,70 @@
+/* 
+ *  Unix SMB/CIFS implementation.
+ *  Authentication utility functions
+ *  Copyright (C) Andrew Tridgell 1992-1998
+ *  Copyright (C) Andrew Bartlett 2001
+ *  Copyright (C) Jeremy Allison 2000-2001
+ *  Copyright (C) Rafal Szczesniak 2002
+ *  Copyright (C) Volker Lendecke 2006
+ *  Copyright (C) Michael Adam 2007
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *  
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *  
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+/* function(s) moved from auth/auth_util.c to minimize linker deps */
+
+#include "includes.h"
+
+/****************************************************************************
+ Duplicate a SID token.
+****************************************************************************/
+
+NT_USER_TOKEN *dup_nt_token(TALLOC_CTX *mem_ctx, const NT_USER_TOKEN *ptoken)
+{
+	NT_USER_TOKEN *token;
+
+	if (!ptoken)
+		return NULL;
+
+	token = TALLOC_P(mem_ctx, NT_USER_TOKEN);
+	if (token == NULL) {
+		DEBUG(0, ("talloc failed\n"));
+		return NULL;
+	}
+
+	ZERO_STRUCTP(token);
+
+	if (ptoken->user_sids && ptoken->num_sids) {
+		token->user_sids = (DOM_SID *)talloc_memdup(
+			token, ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids );
+
+		if (token->user_sids == NULL) {
+			DEBUG(0, ("talloc_memdup failed\n"));
+			TALLOC_FREE(token);
+			return NULL;
+		}
+		token->num_sids = ptoken->num_sids;
+	}
+	
+	/* copy the privileges; don't consider failure to be critical here */
+	
+	if ( !se_priv_copy( &token->privileges, &ptoken->privileges ) ) {
+		DEBUG(0,("dup_nt_token: Failure to copy SE_PRIV!.  "
+			 "Continuing with 0 privileges assigned.\n"));
+	}
+
+	return token;
+}
+

=== modified file 'source/Makefile.in'
--- a/source/Makefile.in	2007-04-10 10:34:43 +0000
+++ b/source/Makefile.in	2007-04-12 12:27:43 +0000
@@ -464,6 +464,7 @@
 AUTH_SCRIPT_OBJ = auth/auth_script.o
 
 AUTH_OBJ = auth/auth.o @AUTH_STATIC@ auth/auth_util.o auth/token_util.o \
+	   lib/util_nttoken.o \
 	   auth/auth_compat.o auth/auth_ntlmssp.o \
 	   $(PLAINTEXT_AUTH_OBJ) $(SLCACHE_OBJ) $(DCUTIL_OBJ)
 
@@ -654,7 +655,7 @@
 	      registry/reg_perfcount.o \
 	      registry/reg_dynamic.o \
 	      \
-	      auth/token_util.o
+	      lib/util_nttoken.o
   
 NET_OBJ = $(NET_OBJ1) $(PARAM_OBJ) $(SECRETS_OBJ) $(LIBSMB_OBJ) \
 	  $(RPC_PARSE_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ) \

=== modified file 'source/auth/token_util.c'
--- a/source/auth/token_util.c	2007-04-09 11:02:19 +0000
+++ b/source/auth/token_util.c	2007-04-12 12:27:43 +0000
@@ -28,47 +28,6 @@
 #include "includes.h"
 
 /****************************************************************************
- Duplicate a SID token.
-****************************************************************************/
-
-NT_USER_TOKEN *dup_nt_token(TALLOC_CTX *mem_ctx, const NT_USER_TOKEN *ptoken)
-{
-	NT_USER_TOKEN *token;
-
-	if (!ptoken)
-		return NULL;
-
-	token = TALLOC_P(mem_ctx, NT_USER_TOKEN);
-	if (token == NULL) {
-		DEBUG(0, ("talloc failed\n"));
-		return NULL;
-	}
-
-	ZERO_STRUCTP(token);
-
-	if (ptoken->user_sids && ptoken->num_sids) {
-		token->user_sids = (DOM_SID *)talloc_memdup(
-			token, ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids );
-
-		if (token->user_sids == NULL) {
-			DEBUG(0, ("talloc_memdup failed\n"));
-			TALLOC_FREE(token);
-			return NULL;
-		}
-		token->num_sids = ptoken->num_sids;
-	}
-	
-	/* copy the privileges; don't consider failure to be critical here */
-	
-	if ( !se_priv_copy( &token->privileges, &ptoken->privileges ) ) {
-		DEBUG(0,("dup_nt_token: Failure to copy SE_PRIV!.  "
-			 "Continuing with 0 privileges assigned.\n"));
-	}
-
-	return token;
-}
-
-/****************************************************************************
  Check for a SID in an NT_USER_TOKEN
 ****************************************************************************/
 

=== modified file 'source/lib/util_reg.c'
--- a/source/lib/util_reg.c	2006-12-03 12:52:21 +0000
+++ b/source/lib/util_reg.c	2007-04-12 12:27:43 +0000
@@ -223,3 +223,26 @@
 
 	return WERR_OK;
 }
+
+NT_USER_TOKEN *registry_create_admin_token(TALLOC_CTX *mem_ctx)
+{
+	NT_USER_TOKEN *token = NULL;
+
+	/* fake a user token: builtin administrators sid and the
+	 * disk operators privilege is all we need to access the 
+	 * registry... */
+	if (!(token = TALLOC_ZERO_P(mem_ctx, NT_USER_TOKEN))) {
+		DEBUG(1, ("talloc failed\n"));
+		goto done;
+	}
+	token->privileges = se_disk_operators;
+	if (!add_sid_to_array(token, &global_sid_Builtin_Administrators,
+			 &token->user_sids, &token->num_sids)) {
+		DEBUG(1, ("Error adding builtin administrators sid "
+			  "to fake token.\n"));
+		goto done;
+	}
+done:
+	return token;
+}
+

=== modified file 'source/utils/net_conf.c'
--- a/source/utils/net_conf.c	2007-04-09 11:02:19 +0000
+++ b/source/utils/net_conf.c	2007-04-12 12:27:43 +0000
@@ -198,6 +198,12 @@
 {
 	WERROR werr = WERR_OK;
 	char *path = NULL;
+	NT_USER_TOKEN *token;
+
+	if (!(token = registry_create_admin_token(ctx))) {
+		DEBUG(1, ("Error creating admin token\n"));
+		goto done;
+	}
 
 	if (subkeyname == NULL) {
 		path = talloc_strdup(ctx, KEY_SMBCONF);
@@ -207,8 +213,9 @@
 	}
 
 	werr = reg_open_path(ctx, path, desired_access,
-			     get_root_nt_token(), key);
+			     token, key);
 
+done:
 	TALLOC_FREE(path);
 	return werr;
 }

More information about the samba-cvs mailing list