diff options
author | Günther Deschner <gd@samba.org> | 2009-07-16 16:32:04 +0200 |
---|---|---|
committer | Günther Deschner <gd@samba.org> | 2009-07-17 13:50:34 +0200 |
commit | 3eea254e5bfacdac1d7bb2b72863a31e0c850968 (patch) | |
tree | f1fe81af634e707ac647acd9d0d98f6700673e7e /source3/rpc_server | |
parent | 864e8097525c2f4b05e139e78dd40dea42ab2c39 (diff) | |
download | samba-3eea254e5bfacdac1d7bb2b72863a31e0c850968.tar.gz samba-3eea254e5bfacdac1d7bb2b72863a31e0c850968.tar.xz samba-3eea254e5bfacdac1d7bb2b72863a31e0c850968.zip |
s3-lsa: add (not yet activate) level specific access checks for _lsa_QueryInfoPolicy.
Guenther
Diffstat (limited to 'source3/rpc_server')
-rw-r--r-- | source3/rpc_server/srv_lsa_nt.c | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c index c3eea6fe509..bbad9b18d20 100644 --- a/source3/rpc_server/srv_lsa_nt.c +++ b/source3/rpc_server/srv_lsa_nt.c @@ -505,6 +505,7 @@ NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p, const char *name; DOM_SID *sid = NULL; union lsa_PolicyInformation *info = NULL; + uint32_t acc_required = 0; if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) return NT_STATUS_INVALID_HANDLE; @@ -513,6 +514,47 @@ NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p, return NT_STATUS_INVALID_HANDLE; } + switch (r->in.level) { + case LSA_POLICY_INFO_AUDIT_LOG: + case LSA_POLICY_INFO_AUDIT_EVENTS: + acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION; + break; + case LSA_POLICY_INFO_DOMAIN: + acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION; + break; + case LSA_POLICY_INFO_PD: + acc_required = LSA_POLICY_GET_PRIVATE_INFORMATION; + break; + case LSA_POLICY_INFO_ACCOUNT_DOMAIN: + acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION; + break; + case LSA_POLICY_INFO_ROLE: + case LSA_POLICY_INFO_REPLICA: + acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION; + break; + case LSA_POLICY_INFO_QUOTA: + acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION; + break; + case LSA_POLICY_INFO_MOD: + case LSA_POLICY_INFO_AUDIT_FULL_SET: + /* according to MS-LSAD 3.1.4.4.3 */ + return NT_STATUS_INVALID_PARAMETER; + case LSA_POLICY_INFO_AUDIT_FULL_QUERY: + acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION; + break; + case LSA_POLICY_INFO_DNS: + case LSA_POLICY_INFO_DNS_INT: + case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN: + acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION; + break; + default: + break; + } + + if (!(handle->access & acc_required)) { + /* return NT_STATUS_ACCESS_DENIED; */ + } + info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation); if (!info) { return NT_STATUS_NO_MEMORY; |