[SCM] Samba Shared Repository - branch master updated -
release-4-0-0alpha7-1683-g459dc8f
Jeremy Allison
jra at samba.org
Mon May 18 22:46:12 GMT 2009
The branch, master has been updated
via 459dc8f39c085d16bb8b4a04db33e5844f104395 (commit)
from d06051cc51ded9649d4c201afdf338c2426e6f5f (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 459dc8f39c085d16bb8b4a04db33e5844f104395
Author: Jeremy Allison <jra at samba.org>
Date: Mon May 18 15:44:03 2009 -0700
Change access_check_samr_object -> access_check_object.
Make map_max_allowed_access global. Change lsa_get_generic_sd
to add Everyone:LSA_POLICY_READ|LSA_POLICY_EXECUTE, not just
LSA_POLICY_EXECUTE.
Jeremy.
-----------------------------------------------------------------------
Summary of changes:
source3/include/proto.h | 7 +++++++
source3/rpc_server/srv_lsa_nt.c | 24 +++++++++---------------
source3/rpc_server/srv_samr_nt.c | 18 +++++++++---------
3 files changed, 25 insertions(+), 24 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 5b5f909..68c3125 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -7174,4 +7174,11 @@ struct tevent_req *fncall_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
void *private_data);
int fncall_recv(struct tevent_req *req, int *perr);
+/* The following definitions come from rpc_server/srv_samr_nt.c */
+NTSTATUS access_check_object( SEC_DESC *psd, NT_USER_TOKEN *token,
+ SE_PRIV *rights, uint32 rights_mask,
+ uint32 des_access, uint32 *acc_granted,
+ const char *debug);
+void map_max_allowed_access(const NT_USER_TOKEN *token,
+ uint32_t *pacc_requested);
#endif /* _PROTO_H_ */
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index 27519a5..007467a 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -286,7 +286,8 @@ static NTSTATUS lsa_get_generic_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *s
SEC_ACL *psa = NULL;
- init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, LSA_POLICY_EXECUTE, 0);
+ init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
+ LSA_POLICY_READ|LSA_POLICY_EXECUTE, 0);
sid_copy(&adm_sid, get_global_sam_sid());
sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
@@ -365,6 +366,8 @@ NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
uint32 acc_granted;
NTSTATUS status;
+ /* Work out max allowed. */
+ map_max_allowed_access(p->server_info->ptok, &des_access);
/* map the generic bits to the lsa policy ones */
se_map_generic(&des_access, &lsa_generic_mapping);
@@ -372,22 +375,14 @@ NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
/* get the generic lsa policy SD until we store it */
lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
- status = se_access_check(psd, p->server_info->ptok, des_access,
- &acc_granted);
+ status = access_check_object(psd, p->server_info->ptok,
+ NULL, 0, des_access,
+ &acc_granted, "_lsa_OpenPolicy2" );
+
if (!NT_STATUS_IS_OK(status)) {
- if (p->server_info->utok.uid != sec_initial_uid()) {
- return status;
- }
- DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
- acc_granted, des_access));
- DEBUGADD(4,("but overwritten by euid == 0\n"));
+ return status;
}
- /* This is needed for lsa_open_account and rpcclient .... :-) */
-
- if (p->server_info->utok.uid == sec_initial_uid())
- acc_granted = LSA_POLICY_ALL_ACCESS;
-
/* associate the domain SID with the (unique) handle. */
info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
if (info == NULL) {
@@ -1565,7 +1560,6 @@ NTSTATUS _lsa_CreateAccount(pipes_struct *p,
return privilege_create_account( &info->sid );
}
-
/***************************************************************************
_lsa_OpenAccount
***************************************************************************/
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 09b97b2..d528c80 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -173,7 +173,7 @@ static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd
level of access for further checks.
********************************************************************/
-static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
+NTSTATUS access_check_object( SEC_DESC *psd, NT_USER_TOKEN *token,
SE_PRIV *rights, uint32 rights_mask,
uint32 des_access, uint32 *acc_granted,
const char *debug )
@@ -191,7 +191,7 @@ static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
saved_mask = (des_access & rights_mask);
des_access &= ~saved_mask;
- DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n",
+ DEBUG(4,("access_check_object: user rights access mask [0x%x]\n",
rights_mask));
}
@@ -235,7 +235,7 @@ done:
Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
********************************************************************/
-static void map_max_allowed_access(const NT_USER_TOKEN *token,
+void map_max_allowed_access(const NT_USER_TOKEN *token,
uint32_t *pacc_requested)
{
if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
@@ -573,7 +573,7 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p,
SAMR_DOMAIN_ACCESS_CREATE_ALIAS);
}
- status = access_check_samr_object( psd, p->server_info->ptok,
+ status = access_check_object( psd, p->server_info->ptok,
&se_rights, extra_access, des_access,
&acc_granted, "_samr_OpenDomain" );
@@ -2320,7 +2320,7 @@ NTSTATUS _samr_OpenUser(pipes_struct *p,
TALLOC_FREE(sampass);
- nt_status = access_check_samr_object(psd, p->server_info->ptok,
+ nt_status = access_check_object(psd, p->server_info->ptok,
&se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
&acc_granted, "_samr_OpenUser");
@@ -3727,7 +3727,7 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p,
* just assume we have all the rights we need ?
*/
- nt_status = access_check_samr_object(psd, p->server_info->ptok,
+ nt_status = access_check_object(psd, p->server_info->ptok,
&se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
&acc_granted, "_samr_CreateUser2");
@@ -3859,7 +3859,7 @@ NTSTATUS _samr_Connect2(pipes_struct *p,
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
se_map_generic(&des_access, &sam_generic_mapping);
- nt_status = access_check_samr_object(psd, p->server_info->ptok,
+ nt_status = access_check_object(psd, p->server_info->ptok,
NULL, 0, des_access, &acc_granted, fn);
if ( !NT_STATUS_IS_OK(nt_status) )
@@ -4074,7 +4074,7 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p,
se_priv_copy( &se_rights, &se_add_users );
- status = access_check_samr_object(psd, p->server_info->ptok,
+ status = access_check_object(psd, p->server_info->ptok,
&se_rights, GENERIC_RIGHTS_ALIAS_ALL_ACCESS,
des_access, &acc_granted, "_samr_OpenAlias");
@@ -6124,7 +6124,7 @@ NTSTATUS _samr_OpenGroup(pipes_struct *p,
se_priv_copy( &se_rights, &se_add_users );
- status = access_check_samr_object(psd, p->server_info->ptok,
+ status = access_check_object(psd, p->server_info->ptok,
&se_rights, GENERIC_RIGHTS_GROUP_ALL_ACCESS,
des_access, &acc_granted, "_samr_OpenGroup");
--
Samba Shared Repository
More information about the samba-cvs
mailing list