[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha8-321-gf7ff6bd

Günther Deschner gd at samba.org
Mon Jul 13 13:43:05 GMT 2009


The branch, master has been updated
       via  f7ff6bd1425cc4f0aa13ce8e7498cdac3967acf3 (commit)
      from  05fbe0c7f763fbe8c1c48eb82ebdfe04bfa034ea (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f7ff6bd1425cc4f0aa13ce8e7498cdac3967acf3
Author: Günther Deschner <gd at samba.org>
Date:   Mon Jun 29 20:34:03 2009 +0200

    s3-rpc_server: pass down full unix token to map_max_allowed_access().
    
    Also use unix_token->uid instead of geteuid() when checking for mapping of the
    SEC_FLAG_MAXIMUM_ALLOWED flag.
    
    Guenther

-----------------------------------------------------------------------

Summary of changes:
 source3/include/proto.h          |    5 ++-
 source3/rpc_server/srv_lsa_nt.c  |    8 +++++-
 source3/rpc_server/srv_samr_nt.c |   42 +++++++++++++++++++++++++------------
 3 files changed, 37 insertions(+), 18 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/include/proto.h b/source3/include/proto.h
index 44132b6..c0ce35a 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -7253,8 +7253,9 @@ NTSTATUS access_check_object( SEC_DESC *psd, NT_USER_TOKEN *token,
 				SE_PRIV *rights, uint32 rights_mask,
 				uint32 des_access, uint32 *acc_granted,
 				const char *debug);
-void map_max_allowed_access(const NT_USER_TOKEN *token,
-				uint32_t *pacc_requested);
+void map_max_allowed_access(const NT_USER_TOKEN *nt_token,
+			    const struct unix_user_token *unix_token,
+			    uint32_t *pacc_requested);
 
 /* The following definitions come from ../libds/common/flag_mapping.c  */
 
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index 324483b..c62991e 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -349,7 +349,9 @@ NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
 	NTSTATUS status;
 
 	/* Work out max allowed. */
-	map_max_allowed_access(p->server_info->ptok, &des_access);
+	map_max_allowed_access(p->server_info->ptok,
+			       &p->server_info->utok,
+			       &des_access);
 
 	/* map the generic bits to the lsa policy ones */
 	se_map_generic(&des_access, &lsa_policy_mapping);
@@ -1628,7 +1630,9 @@ NTSTATUS _lsa_OpenAccount(pipes_struct *p,
  	 * handle - so don't check against policy handle. */
 
 	/* Work out max allowed. */
-	map_max_allowed_access(p->server_info->ptok, &des_access);
+	map_max_allowed_access(p->server_info->ptok,
+			       &p->server_info->utok,
+			       &des_access);
 
 	/* map the generic bits to the lsa account ones */
 	se_map_generic(&des_access, &lsa_account_mapping);
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 8560ee9..1085251 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -236,8 +236,9 @@ done:
  Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
 ********************************************************************/
 
-void map_max_allowed_access(const NT_USER_TOKEN *token,
-					uint32_t *pacc_requested)
+void map_max_allowed_access(const NT_USER_TOKEN *nt_token,
+			    const struct unix_user_token *unix_token,
+			    uint32_t *pacc_requested)
 {
 	if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
 		return;
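Review bot: The banner comment above map_max_allowed_access() still reads only "Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set" and says nothing about the new `unix_token` parameter in this hunk. Because the NT token and the unix token are now passed separately, nothing in the signature ties them to the same session. Every caller in this diff passes `p->server_info->ptok` with `&p->server_info->utok`, but that pairing is a convention, not something the interface enforces. I would extend the banner with one sentence such as `nt_token and unix_token must both describe the authenticated client of the current pipe; unix_token must not be NULL.` The function body continues outside this hunk.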
@@ -248,15 +249,15 @@ void map_max_allowed_access(const NT_USER_TOKEN *token,
 	*pacc_requested = GENERIC_READ_ACCESS|GENERIC_EXECUTE_ACCESS;
 
 	/* root gets anything. */
-	if (geteuid() == sec_initial_uid()) {
+	if (unix_token->uid == sec_initial_uid()) {
 		*pacc_requested |= GENERIC_ALL_ACCESS;
 		return;
 	}
 
 	/* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
 
-	if (is_sid_in_token(token, &global_sid_Builtin_Administrators) ||
-			is_sid_in_token(token, &global_sid_Builtin_Account_Operators)) {
+	if (is_sid_in_token(nt_token, &global_sid_Builtin_Administrators) ||
+			is_sid_in_token(nt_token, &global_sid_Builtin_Account_Operators)) {
 		*pacc_requested |= GENERIC_ALL_ACCESS;
 		return;
 	}
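Review bot: The root check dereferences `unix_token->uid` without a NULL test, and the function is declared in proto.h, so a caller outside this diff that passes NULL would crash here instead of reaching the SID checks. The callers shown pass the address of a struct member, so this is a hardening point rather than a visible bug. A guard like `if (unix_token != NULL && unix_token->uid == sec_initial_uid()) {` would skip the root grant and fall through to the group checks. The `/* root gets anything. */` comment would also benefit from saying why the session token is used, for example `/* root gets anything; use the session's uid, not geteuid(), so the grant follows the client's identity */`. The reason given there is presumed, since the commit message does not state it. The function starts and ends outside this hunk.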
@@ -266,7 +267,7 @@ void map_max_allowed_access(const NT_USER_TOKEN *token,
 		DOM_SID domadmin_sid;
 		sid_copy( &domadmin_sid, get_global_sam_sid() );
 		sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
-		if (is_sid_in_token(token, &domadmin_sid)) {
+		if (is_sid_in_token(nt_token, &domadmin_sid)) {
 			*pacc_requested |= GENERIC_ALL_ACCESS;
 			return;
 		}
@@ -550,7 +551,9 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p,
 	}
 
 	/*check if access can be granted as requested by client. */
-	map_max_allowed_access(p->server_info->ptok, &des_access);
+	map_max_allowed_access(p->server_info->ptok,
+			       &p->server_info->utok,
+			       &des_access);
 
 	make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
 	se_map_generic( &des_access, &dom_generic_mapping );
@@ -2260,8 +2263,9 @@ NTSTATUS _samr_OpenUser(pipes_struct *p,
 		return NT_STATUS_NO_SUCH_USER;
 
 	/* check if access can be granted as requested by client. */
-
-	map_max_allowed_access(p->server_info->ptok, &des_access);
+	map_max_allowed_access(p->server_info->ptok,
+			       &p->server_info->utok,
+			       &des_access);
 
 	make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
 	se_map_generic(&des_access, &usr_generic_mapping);
@@ -3834,7 +3838,9 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p,
 
 	sid_compose(&sid, get_global_sam_sid(), *r->out.rid);
 
-	map_max_allowed_access(p->server_info->ptok, &des_access);
+	map_max_allowed_access(p->server_info->ptok,
+			       &p->server_info->utok,
+			       &des_access);
 
 	make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
 			    &sid, SAMR_USR_RIGHTS_WRITE_PW);
@@ -3914,7 +3920,9 @@ NTSTATUS _samr_Connect(pipes_struct *p,
 	   was observed from a win98 client trying to enumerate users (when configured
 	   user level access control on shares)   --jerry */
 
-	map_max_allowed_access(p->server_info->ptok, &des_access);
+	map_max_allowed_access(p->server_info->ptok,
+			       &p->server_info->utok,
+			       &des_access);
 
 	se_map_generic( &des_access, &sam_generic_mapping );
 
@@ -3974,7 +3982,9 @@ NTSTATUS _samr_Connect2(pipes_struct *p,
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	map_max_allowed_access(p->server_info->ptok, &des_access);
+	map_max_allowed_access(p->server_info->ptok,
+			       &p->server_info->utok,
+			       &des_access);
 
 	make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
 	se_map_generic(&des_access, &sam_generic_mapping);
@@ -4187,7 +4197,9 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p,
 
 	/*check if access can be granted as requested by client. */
 
-	map_max_allowed_access(p->server_info->ptok, &des_access);
+	map_max_allowed_access(p->server_info->ptok,
+			       &p->server_info->utok,
+			       &des_access);
 
 	make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
 	se_map_generic(&des_access,&ali_generic_mapping);
@@ -6237,7 +6249,9 @@ NTSTATUS _samr_OpenGroup(pipes_struct *p,
 	}
 
 	/*check if access can be granted as requested by client. */
-	map_max_allowed_access(p->server_info->ptok, &des_access);
+	map_max_allowed_access(p->server_info->ptok,
+			       &p->server_info->utok,
+			       &des_access);
 
 	make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0);
 	se_map_generic(&des_access,&grp_generic_mapping);


-- 
Samba Shared Repository

