Access control to SAM / _samr_query_sec_obj

Kai Krueger kai at kruegernetz.de
Mon Jun 10 16:07:01 GMT 2002


Hi

Here comes the next part of the access control patch.
It fixes the nt_user_token in the pipes_struct and should therefore make the
whole patch function correctly so that it probably could then be applied.

Till now the current_user struct in pipes_struct was only initialised in the
code for the verification of sign&seal connections. Therefore normal connections
stayed un-initialised and left all users with a null token. The patch now
initialises it when the pipe is created, so that all connections have it set
correctly.

Kai

P.S. Hopefully my mail client doesn't mess up the patches too much.


--- ./samba-orig/source/rpc_server/srv_pipe_hnd.c Tue Apr 23 20:34:52 2002
+++ ./samba/source/rpc_server/srv_pipe_hnd.c Mon Jun 10 23:45:50 2002
@@ -317,9 +317,16 @@
  p->pipe_user.uid = (uid_t)-1;
  p->pipe_user.gid = (gid_t)-1;

- /* Store the session key */
+ /* Store the session key and pipe user */
  if (vuser) {
   memcpy(p->session_key, vuser->session_key, sizeof(p->session_key));
+  fstrcpy(p->user_name, vuser->user.smb_name);
+  fstrcpy(p->domain,vuser->user.domain);
+  fstrcpy(p->pipe_user_name, vuser->user.unix_name);
+  p->pipe_user.uid = vuser->uid;
+  p->pipe_user.gid = vuser->gid;
+  p->pipe_user.nt_user_token = create_nt_token(vuser->uid, vuser->gid,
vuser->n_groups,
+   vuser->groups, vuser->guest, NULL);
  }

  /*
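
Review bot: the result of create_nt_token() is stored in p->pipe_user.nt_user_token without a check, so if the call can fail and return NULL the pipe is left with the same null token this change is meant to eliminate, and nothing reports it. Test the return value here and fail pipe creation (or at least log at a visible debug level) instead of continuing. The same applies to the path where vuser is NULL: uid and gid stay at -1 and no token is built, so any later access check has to treat a missing token as deny rather than as "no restrictions". Since the token is now allocated for every pipe, please also confirm that the pipe close path releases it; that code is not part of this hunk. Minor style point: fstrcpy(p->domain,vuser->user.domain) is missing the space after the comma that the neighbouring calls use.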

--- ./samba-orig/source/groupdb/mapping.c Fri Jun  7 17:06:14 2002
+++ ./samba/source/groupdb/mapping.c Tue Jun 11 00:32:25 2002
@@ -170,7 +170,7 @@

  /* Add the Wellknown groups */

- add_initial_entry(-1, "S-1-5-32-544", SID_NAME_ALIAS, "Administrators",
"", privilege_all, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
+ add_initial_entry( 0, "S-1-5-32-544", SID_NAME_ALIAS, "Administrators",
"", privilege_all, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
  add_initial_entry(-1, "S-1-5-32-545", SID_NAME_ALIAS, "Users", "",
privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
  add_initial_entry(-1, "S-1-5-32-546", SID_NAME_ALIAS, "Guests", "",
privilege_none, PR_ACCESS_FROM_NETWORK);
  add_initial_entry(-1, "S-1-5-32-547", SID_NAME_ALIAS, "Power Users", "",
privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
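
Review bot: the first argument for the S-1-5-32-544 "Administrators" entry changes from -1 to a bare 0 with no comment, and the cover mail does not mention this change at all. If that argument is the Unix gid, this ties the alias that carries privilege_all to gid 0 on every installation, which is a security-relevant default and deserves a comment at this line and a sentence in the description explaining why gid 0 is the right choice and whether sites can override it. The other well-known groups stay at -1, so a note on what -1 means would make the difference readable. Also worth stating: these are add_initial_entry() calls, so it should be made clear whether an existing group mapping database picks up the new value or only newly created ones do.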






