svn commit: samba r6008 - in trunk/source/rpc_server: .
Simo Sorce
idra at samba.org
Wed Mar 23 23:03:28 GMT 2005
On Wed, 2005-03-23 at 16:52 -0600, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Simo Sorce wrote:
>
> | Agree, I'm trying to determine witch privilege is needed,
> | Power Users can manage connections as administrators, normal
> | users seem not able to get any info at all from a NT4 to W2K server,
> | so we may already be giving ou more informations than a normal
> | w2k server do.
>
> Technically we need to implement access control on all pipes like
> we do on the samr and spoolss pipes. I have it in the works
> for svcctl. We should have some rudimentary control on srvsvc as well.
Well from empirical tests it seem these functions are not controlled by
a privilege. Even giving a normal users all the privileges present on
the Power Users group will not give the user any right to do anything.
I'm going to change the code to explicitly test for root or Domain
Admins right now (should we test for BUTILIN/Administrators ? IMHO yes
but maybe in future).
Simo.
--
Simo Sorce - idra at samba.org
Samba Team - http://www.samba.org
Italian Site - http://samba.xsec.it
More information about the samba-technical
mailing list