From: Stefan Metzmacher Date: Fri, 22 Jul 2022 13:15:56 +0000 (+0200) Subject: s3:winbindd: add winbindd_domain_verify_sid() helper X-Git-Tag: tdb-1.4.13~149 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9e7025834fd58df9d986e0b52cb28c76962be124;p=thirdparty%2Fsamba.git s3:winbindd: add winbindd_domain_verify_sid() helper Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider
---
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index d2dcc7b295a..42b8df2623d 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -568,6 +568,20 @@ static NTSTATUS rids_to_names(struct winbindd_domain *domain,
 					  domain_name, names, types);
 }
 
+static NTSTATUS winbindd_domain_verify_sid(struct winbindd_domain *domain,
+					   const struct dom_sid *extra_sid)
+{
+	bool ret;
+
+	ret = sid_check_is_in_builtin(extra_sid);
+	if (ret) {
+		/* don't allow Builtin groups from ADS */
+		return NT_STATUS_INVALID_SUB_AUTHORITY;
+	}
+
+	return NT_STATUS_OK;
+}
+
 /* Lookup groups a user is a member of - alternate method, for when
    tokenGroups are not available. */
 static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
@@ -655,8 +669,9 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
 			continue;
 		}
 
-		/* ignore Builtin groups from ADS - Guenther */
-		if (sid_check_is_in_builtin(&group_sid)) {
+		/* filter unexpected sids */
+		status = winbindd_domain_verify_sid(domain, &group_sid);
+		if (!NT_STATUS_IS_OK(status)) {
 			continue;
 		}
 
@@ -770,8 +785,9 @@ static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain,
 	for (i=0; i
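Review bot: The `domain` parameter of the new `winbindd_domain_verify_sid()` in the first hunk is never read, so the helper rejects only SIDs under BUILTIN (via `sid_check_is_in_builtin()`) and passes every other SID, including one that does not belong to `domain`, unchanged. The name suggests a domain-scoped check and the callers in the later hunks use it as their only filter, so the actual contract should be stated on the function until the parameter is used, e.g. `/* Reject sids that must never be returned from ADS as group memberships. Only BUILTIN is filtered so far; 'domain' is unused and reserved for domain-scoped checks (e.g. dom_sid_in_domain()). */`. If a stricter per-domain check is intended later, note that both callers simply `continue` on failure, so tightening this helper silently drops memberships rather than failing the lookup, which is presumably the desired behaviour but worth recording in that comment.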
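Review bot: In the second hunk the filter result is written into the function-scope `status` of lookup_usergroups_member(), so after the loop `status` holds NT_STATUS_INVALID_SUB_AUTHORITY whenever the last group examined was rejected; lookup_usergroups_member() starts and ends outside the hunk, so whether that value reaches the function's return depends on code not visible here and should be confirmed (a `status = NT_STATUS_OK;` before `done:` would make it harmless). A dedicated local such as `NTSTATUS verify_status = winbindd_domain_verify_sid(domain, &group_sid);` followed by `if (!NT_STATUS_IS_OK(verify_status)) {` would keep the loop from clobbering the lookup's own status regardless. The same pattern is presumably introduced in the third hunk (lookup_usergroups_memberof), which is cut off at the end of SOURCE.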