author | Jeremy Allison <jra@samba.org> | 2008-10-21 17:06:53 -0700 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2008-10-23 10:53:13 +0200 |
commit | 042e50f8709cfbe45d5b184cb3c4fe1b16bdc3b0 (patch) | |
tree | f40280a0d645f9b1b435d208e557955bfbbbfcfa | |
parent | ddba89d7713923bfbf1c8492c5dc6c6d5b220f1e (diff) | |
Cope with MAXIMUM_ALLOWED_ACCESS requests when opening handles.
Jeremy.
(cherry picked from commit 82ec832f7edffe2fcfd1bb067e092c159bed2973)
-rw-r--r-- | source/lib/util_sid.c | 11 | ||||
-rw-r--r-- | source/rpc_server/srv_samr_nt.c | 64 | ||||
-rw-r--r-- | source/utils/net_rpc.c | 11 |
3 files changed, 70 insertions, 16 deletions
diff --git a/source/lib/util_sid.c b/source/lib/util_sid.c
index 53614ed1ac2..f656bb13dc8 100644
--- a/source/lib/util_sid.c
+++ b/source/lib/util_sid.c
@@ -664,6 +664,17 @@ bool is_null_sid(const DOM_SID *sid)
 return sid_equal(sid, &null_sid);
 }
+bool is_sid_in_token(const NT_USER_TOKEN *token, const DOM_SID *sid)
+{
+ int i;
+
+ for (i=0; i<token->num_sids; i++) {
+ if (sid_compare(sid, &token->user_sids[i]) == 0)
+ return true;
+ }
+ return false;
+}
+
 NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
 const struct netr_SamInfo3 *info3,
 DOM_SID **user_sids,
diff --git a/source/rpc_server/srv_samr_nt.c b/source/rpc_server/srv_samr_nt.c
index c59a46c1da8..22b18c01702 100644
--- a/source/rpc_server/srv_samr_nt.c
+++ b/source/rpc_server/srv_samr_nt.c
@@ -5,7 +5,7 @@
 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
 * Copyright (C) Paul Ashton 1997,
 * Copyright (C) Marc Jacobsen 1999,
- * Copyright (C) Jeremy Allison 2001-2005,
+ * Copyright (C) Jeremy Allison 2001-2008,
 * Copyright (C) Jean François Micouleau 1998-2001,
 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
 * Copyright (C) Gerald (Jerry) Carter 2003-2004,
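Review bot: `is_sid_in_token()` in source/lib/util_sid.c is now a library function but still dereferences `token` unconditionally, and every SAMR call site added by this commit passes it `p->pipe_user.nt_user_token` without a check. Whether that pointer can be NULL for some pipe sessions is not visible in this diff, so a guard such as `if (token == NULL) return false;` at the top would make the helper safe to use in access decisions. The loop index is a signed `int` compared against `token->num_sids`; declaring it with the same type as `num_sids` (declared outside this diff) avoids a signed/unsigned comparison. Now that the function is exported, a short header comment saying it returns true when `sid` equals any entry of `token->user_sids` would also help.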
@@ -249,6 +249,48 @@ static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_requir
 }
 /*******************************************************************
+ Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
+********************************************************************/
+
+static void map_max_allowed_access(const NT_USER_TOKEN *token,
+ uint32_t *pacc_requested)
+{
+ if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
+ return;
+ }
+ *pacc_requested &= ~MAXIMUM_ALLOWED_ACCESS;
+
+ /* At least try for generic read. */
+ *pacc_requested = GENERIC_READ_ACCESS;
+
+ /* root gets anything. */
+ if (geteuid() == sec_initial_uid()) {
+ *pacc_requested |= GENERIC_ALL_ACCESS;
+ return;
+ }
+
+ /* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
+
+ if (is_sid_in_token(token, &global_sid_Builtin_Administrators) ||
+ is_sid_in_token(token, &global_sid_Builtin_Account_Operators)) {
+ *pacc_requested |= GENERIC_ALL_ACCESS;
+ return;
+ }
+
+ /* Full access for DOMAIN\Domain Admins. */
+ if ( IS_DC ) {
+ DOM_SID domadmin_sid;
+ sid_copy( &domadmin_sid, get_global_sam_sid() );
+ sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
+ if (is_sid_in_token(token, &domadmin_sid)) {
+ *pacc_requested |= GENERIC_ALL_ACCESS;
+ return;
+ }
+ }
+ /* TODO ! Check privileges. */
+}
+
+/*******************************************************************
 Fetch or create a dispinfo struct.
 ********************************************************************/
@@ -586,6 +628,7 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p,
 return status;
 /*check if access can be granted as requested by client. */
+ map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
 make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
 se_map_generic( &des_access, &dom_generic_mapping );
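Review bot: In `map_max_allowed_access()`, `*pacc_requested = GENERIC_READ_ACCESS;` replaces the whole mask, so the `&= ~MAXIMUM_ALLOWED_ACCESS` on the line before it is a dead store and any specific rights the client sent together with MAXIMUM_ALLOWED_ACCESS are silently discarded. If those bits are meant to survive, use `*pacc_requested |= GENERIC_READ_ACCESS;`; if discarding them is intended, drop the `&=` line and say so in the comment. The root branch tests the process `geteuid()` rather than the `token` argument, so the result depends on the privilege state the caller is in when it invokes the helper; a comment stating that assumption would make the access decision easier to audit. The function only widens the requested mask, so it relies on each caller's later check to filter it, and the `TODO ! Check privileges` case is still unhandled.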
@@ -2158,6 +2201,8 @@ NTSTATUS _samr_OpenUser(pipes_struct *p,
 /* check if access can be granted as requested by client. */
+ map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
+
 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
 se_map_generic(&des_access, &usr_generic_mapping);
@@ -3221,6 +3266,8 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p,
 sid_compose(&sid, get_global_sam_sid(), *r->out.rid);
+ map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
+
 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
 se_map_generic(&des_access, &usr_generic_mapping);
@@ -3282,10 +3329,7 @@ NTSTATUS _samr_Connect(pipes_struct *p,
 was observed from a win98 client trying to enumerate users (when configured user level access control on shares) --jerry */
- if (des_access == MAXIMUM_ALLOWED_ACCESS) {
- /* Map to max possible knowing we're filtered below. */
- des_access = GENERIC_ALL_ACCESS;
- }
+ map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
 se_map_generic( &des_access, &sam_generic_mapping );
 info->acc_granted = des_access & (SA_RIGHT_SAM_ENUM_DOMAINS|SA_RIGHT_SAM_OPEN_DOMAIN);
@@ -3321,6 +3365,8 @@ NTSTATUS _samr_Connect2(pipes_struct *p,
 return NT_STATUS_ACCESS_DENIED;
 }
+ map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
+
 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
 se_map_generic(&des_access, &sam_generic_mapping);
@@ -3370,6 +3416,8 @@ NTSTATUS _samr_Connect4(pipes_struct *p,
 return NT_STATUS_ACCESS_DENIED;
 }
+ map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
+
 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
 se_map_generic(&des_access, &sam_generic_mapping);
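Review bot: In the `_samr_Connect` hunk no security-descriptor check follows the mapping in the visible lines; `info->acc_granted` is taken straight from `des_access` after `se_map_generic()`, so here the helper's output decides what is granted. Before this change every MAXIMUM_ALLOWED_ACCESS caller was mapped to GENERIC_ALL_ACCESS, whereas now a caller that is neither root nor in one of the admin groups gets only GENERIC_READ_ACCESS, and whether that maps to `SA_RIGHT_SAM_OPEN_DOMAIN` in `sam_generic_mapping` cannot be seen from this diff. It is worth confirming that the win98 case described in the comment above still works, and replacing the removed explanation with something like `/* Map MAXIMUM_ALLOWED per caller; the result is only masked below, not checked against an SD. */`. The condition also changed from equality (`des_access == MAXIMUM_ALLOWED_ACCESS`) to a bit test inside the helper, which alters the outcome for requests that combine the flag with other bits. The function body starts and ends outside the hunk.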
@@ -3419,6 +3467,8 @@ NTSTATUS _samr_Connect5(pipes_struct *p,
 return NT_STATUS_ACCESS_DENIED;
 }
+ map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
+
 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
 se_map_generic(&des_access, &sam_generic_mapping);
@@ -3586,6 +3636,8 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p,
 /*check if access can be granted as requested by client. */
+ map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
+
 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
 se_map_generic(&des_access,&ali_generic_mapping);
@@ -5478,6 +5530,8 @@ NTSTATUS _samr_OpenGroup(pipes_struct *p,
 return status;
 /*check if access can be granted as requested by client. */
+ map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
+
 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0);
 se_map_generic(&des_access,&grp_generic_mapping);
diff --git a/source/utils/net_rpc.c b/source/utils/net_rpc.c
index a5c2de0df32..ef1ebd3491f 100644
--- a/source/utils/net_rpc.c
+++ b/source/utils/net_rpc.c
@@ -4187,17 +4187,6 @@ static void free_user_token(NT_USER_TOKEN *token)
 SAFE_FREE(token->user_sids);
 }
-static bool is_sid_in_token(NT_USER_TOKEN *token, DOM_SID *sid)
-{
- int i;
-
- for (i=0; i<token->num_sids; i++) {
- if (sid_compare(sid, &token->user_sids[i]) == 0)
- return True;
- }
- return False;
-}
-
 static void add_sid_to_token(NT_USER_TOKEN *token, DOM_SID *sid)
 {
 if (is_sid_in_token(token, sid)) |