s3:winbindd: add winbindd_domain_verify_sid() helper
authorStefan Metzmacher <metze@samba.org>
Fri, 22 Jul 2022 13:15:56 +0000 (15:15 +0200)
committerStefan Metzmacher <metze@samba.org>
Wed, 15 Jan 2025 13:03:34 +0000 (13:03 +0000)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
source3/winbindd/winbindd_ads.c

index d2dcc7b295a374018c2080027400e0d5f81bcf5f..42b8df2623d5e4586c17b88f4745451ddaa4a762 100644 (file)
@@ -568,6 +568,20 @@ static NTSTATUS rids_to_names(struct winbindd_domain *domain,
                                           domain_name, names, types);
 }
 
+static NTSTATUS winbindd_domain_verify_sid(struct winbindd_domain *domain,
+                                          const struct dom_sid *extra_sid)
+{
+       bool ret;
+
+       ret = sid_check_is_in_builtin(extra_sid);
+       if (ret) {
+               /* don't allow Builtin groups from ADS */
+               return NT_STATUS_INVALID_SUB_AUTHORITY;
+       }
+
+       return NT_STATUS_OK;
+}
+
 /* Lookup groups a user is a member of - alternate method, for when
    tokenGroups are not available. */
 static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
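Review bot: The `domain` parameter of winbindd_domain_verify_sid is never read; the helper's only check is sid_check_is_in_builtin(), so the call sites gain nothing yet beyond the test they already had, and a reader cannot tell whether a per-domain check against the returned SID is still intended. If `domain` is reserved for a follow-up, a short header comment should say so, e.g. `/* Reject SIDs an ADS group lookup must never return for this domain. Only BUILTIN is filtered so far; domain is passed for further per-domain checks. */`. Since every caller silently `continue`s on a non-OK status, it would also help to log the rejected SID before returning, e.g. `struct dom_sid_buf buf;` and `DBG_DEBUG("rejecting SID %s for domain %s\n", dom_sid_str_buf(extra_sid, &buf), domain->name);`, assuming the usual Samba SID/debug helpers are in scope in this file.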
@@ -655,8 +669,9 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
                                continue;
                        }
 
-                       /* ignore Builtin groups from ADS - Guenther */
-                       if (sid_check_is_in_builtin(&group_sid)) {
+                       /* filter unexpected sids */
+                       status = winbindd_domain_verify_sid(domain, &group_sid);
+                       if (!NT_STATUS_IS_OK(status)) {
                                continue;
                        }
 
@@ -770,8 +785,9 @@ static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain,
 
        for (i=0; i<num_sids; i++) {
 
-               /* ignore Builtin groups from ADS - Guenther */
-               if (sid_check_is_in_builtin(&group_sids[i])) {
+               /* filter unexpected sids */
+               status = winbindd_domain_verify_sid(domain, &group_sids[i]);
+               if (!NT_STATUS_IS_OK(status)) {
                        continue;
                }
 
@@ -933,8 +949,9 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
 
        for (i=0;i<count;i++) {
 
-               /* ignore Builtin groups from ADS - Guenther */
-               if (sid_check_is_in_builtin(&sids[i])) {
+               /* filter unexpected sids */
+               status = winbindd_domain_verify_sid(domain, &sids[i]);
+               if (!NT_STATUS_IS_OK(status)) {
                        continue;
                }