[SCM] Samba Shared Repository - branch master updated
Günther Deschner
gd at samba.org
Tue Aug 6 10:23:02 MDT 2013
The branch, master has been updated
via 8b1a214 s3-netlogon: Connecting with the system token should be sufficient.
via 4520787 s3-rpc_server: Grant the system token full access.
via 0ede70c libcli: Add security_token_system_privilege().
from eb50fb8 FSCTL_GET_SHADOW_COPY_DATA: Don't return 4 extra bytes at end
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 8b1a2144feddc12e818938f025d3ab62f3e3426b
Author: Andreas Schneider <asn at samba.org>
Date: Tue Aug 6 11:10:04 2013 +0200
s3-netlogon: Connecting with the system token should be sufficient.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Tue Aug 6 18:22:06 CEST 2013 on sn-devel-104
commit 4520787080b84cd25034bb340513b15de6df1eb0
Author: Andreas Schneider <asn at samba.org>
Date: Wed Jul 31 16:49:36 2013 +0200
s3-rpc_server: Grant the system token full access.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 0ede70c51af54212c700fb1791e2a192e412d851
Author: Andreas Schneider <asn at samba.org>
Date: Tue Aug 6 13:26:53 2013 +0200
libcli: Add security_token_system_privilege().
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
-----------------------------------------------------------------------
Summary of changes:
libcli/security/privileges.c | 13 +++++++++++++
libcli/security/privileges.h | 10 ++++++++++
source3/rpc_server/netlogon/srv_netlog_nt.c | 2 --
source3/rpc_server/srv_access_check.c | 24 ++++++++++++++++++------
4 files changed, 41 insertions(+), 8 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/security/privileges.c b/libcli/security/privileges.c
index adb67c1..d2731c3 100644
--- a/libcli/security/privileges.c
+++ b/libcli/security/privileges.c
@@ -422,6 +422,19 @@ bool security_token_has_privilege(const struct security_token *token, enum sec_p
return false;
}
+bool security_token_system_privilege(const struct security_token *token)
+{
+ if (token == NULL) {
+ return false;
+ }
+
+ if (token->privilege_mask == (uint64_t)~0) {
+ return true;
+ }
+
+ return false;
+}
+
/*
set a bit in the privilege mask
*/
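Review bot: the comparison `token->privilege_mask == (uint64_t)~0` treats an all-ones mask as the definition of "system privilege", but nothing in the hunk names that convention; a reader of privileges.c has to know that the system token is the only one built with every bit set. Suggest a short comment above the comparison (or a named constant for the all-ones mask) saying that only the token created for the system user carries a fully set mask, so the function is not mistaken for "has every enumerated privilege". The function also says nothing about the token's SIDs, so it should be paired with `security_token_is_system()` as srv_access_check.c does, not used alone for an access decision.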
diff --git a/libcli/security/privileges.h b/libcli/security/privileges.h
index a65dbdf..eb3ab5e 100644
--- a/libcli/security/privileges.h
+++ b/libcli/security/privileges.h
@@ -89,6 +89,16 @@ const char *sec_privilege_name_from_index(int idx);
*/
bool security_token_has_privilege(const struct security_token *token, enum sec_privilege privilege);
+
+/**
+ * @brief Check if the security token has system privileges.
+ *
+ * @param[in] token The token to check.
+ *
+ * @return True if the token has system privileges, false if not.
+ */
+bool security_token_system_privilege(const struct security_token *token);
+
/*
set a bit in the privilege mask
*/
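Review bot: the `@brief` says "has system privileges", which a caller can read as "is the system token", while the implementation only inspects the privilege mask. Suggest wording the doc to say what is actually tested and where the SID check lives, e.g. `@brief Check if the token carries the full (system) privilege mask; use security_token_is_system() for the SID check.` Making that distinction explicit in the header avoids callers relying on this function alone.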
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 4f66dfe..53eff5f 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -698,12 +698,10 @@ static NTSTATUS get_md4pw(struct samr_Password *md4pw, const char *mach_acct,
goto out;
}
- become_root();
status = samr_find_machine_account(mem_ctx, h, mach_acct,
SEC_FLAG_MAXIMUM_ALLOWED,
&domain_sid, &user_rid,
&user_handle);
- unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
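Review bot: removing `become_root()`/`unbecome_root()` around `samr_find_machine_account()` changes what grants this lookup access: before, the euid check in access_check_object() gave the free pass regardless of the token; now the call depends on the token behind handle `h` being recognised as the system token (system SID plus full privilege mask). The hunk does not show how `h` is obtained, so please confirm it is opened with the system session; otherwise a machine account lookup that used to succeed will return NT_STATUS_ACCESS_DENIED and `get_md4pw()` fails at the `goto out`. A sentence in the commit message explaining why the token is sufficient here would help future readers.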
diff --git a/source3/rpc_server/srv_access_check.c b/source3/rpc_server/srv_access_check.c
index f667d7b..3efc75b 100644
--- a/source3/rpc_server/srv_access_check.c
+++ b/source3/rpc_server/srv_access_check.c
@@ -54,6 +54,21 @@ NTSTATUS access_check_object( struct security_descriptor *psd, struct security_t
NTSTATUS status = NT_STATUS_ACCESS_DENIED;
uint32 saved_mask = 0;
bool priv_granted = false;
+ bool is_system = false;
+ bool is_root = false;
+
+ /* Check if we are are the system token */
+ if (security_token_is_system(token) &&
+ security_token_system_privilege(token)) {
+ is_system = true;
+ }
+
+ /* Check if we are root */
+ if (geteuid() == sec_initial_uid()) {
+ is_root = true;
+ }
+
+ /* Check if we are root */
/* check privileges; certain SAM access bits should be overridden
by privileges (mostly having to do with creating/modifying/deleting
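Review bot: the trailing `+ /* Check if we are root */` duplicates the comment above the `geteuid()` check and now sits directly above the unrelated "check privileges" comment; drop it. There is also a typo in `/* Check if we are are the system token */` ("are are"). On substance, requiring both `security_token_is_system(token)` and `security_token_system_privilege(token)` before setting `is_system` is the right pairing, since a token carrying the system SID with a reduced privilege mask should not receive the override; consider stating that intent in the comment so the two-part condition is not later "simplified".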
@@ -71,18 +86,15 @@ NTSTATUS access_check_object( struct security_descriptor *psd, struct security_t
/* check the security descriptor first */
-
status = se_access_check(psd, token, des_access, acc_granted);
if (NT_STATUS_IS_OK(status)) {
goto done;
}
- /* give root a free pass */
-
- if ( geteuid() == sec_initial_uid() ) {
-
+ if (is_system || is_root) {
DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access));
- DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n"));
+ DEBUGADD(4,("but overritten by %s\n",
+ is_root ? "euid == initial uid" : "system token"));
priv_granted = true;
*acc_granted = des_access;
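Review bot: the new `+ DEBUGADD(4,("but overritten by %s\n",` line carries over the existing typo "overritten" (should be "overridden"); since the line is being rewritten anyway, fix it now. Note that when both `is_system` and `is_root` hold, the ternary reports "euid == initial uid" and the system-token condition is not logged. With the override now also granted for the system token, this level-4 message is the only record that `se_access_check()` was bypassed, so keeping the reason accurate (e.g. logging both flags) lets a later audit of access_check_object() bypasses distinguish root from the system token.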
--