From: Jeremy Allison Date: Fri, 17 Oct 2008 22:25:58 +0000 (-0700) Subject: Unify access checks for lsa server functions. X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ef15ff6abec34377ab7fa75201e2799c0bb72aeb;p=thirdparty%2Fsamba.git Unify access checks for lsa server functions. Jeremy. --- diff --git a/source/include/rpc_lsa.h b/source/include/rpc_lsa.h index b4021afd0a6..1dc5ba4a7ba 100644 --- a/source/include/rpc_lsa.h +++ b/source/include/rpc_lsa.h @@ -39,6 +39,7 @@ #define LSA_POLICY_READ ( STANDARD_RIGHTS_READ_ACCESS |\ + LSA_POLICY_VIEW_LOCAL_INFORMATION |\ LSA_POLICY_VIEW_AUDIT_INFORMATION |\ LSA_POLICY_GET_PRIVATE_INFORMATION) diff --git a/source/rpc_server/srv_lsa_nt.c b/source/rpc_server/srv_lsa_nt.c index 79b6d468e0b..9ce992ce25d 100644 --- a/source/rpc_server/srv_lsa_nt.c +++ b/source/rpc_server/srv_lsa_nt.c @@ -434,7 +434,7 @@ NTSTATUS _lsa_OpenPolicy(pipes_struct *p, lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size); if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status)) { - if (geteuid() != 0) { + if (p->pipe_user.ut.uid != sec_initial_uid()) { return status; } DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n", @@ -1530,7 +1530,8 @@ NTSTATUS _lsa_CreateAccount(pipes_struct *p, /* check to see if the pipe_user is a Domain Admin since account_pol.tdb was already opened as root, this is all we have */ - if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) + if ( p->pipe_user.ut.uid != sec_initial_uid() + && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) return NT_STATUS_ACCESS_DENIED; if ( is_privileged_sid( r->in.sid ) ) @@ -1616,6 +1617,9 @@ NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p, if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; + if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) + return NT_STATUS_ACCESS_DENIED; + if ( !get_privileges_for_sids( &mask, &info->sid, 1 ) ) return NT_STATUS_OBJECT_NAME_NOT_FOUND; @@ -1676,6 +1680,9 @@ NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p, if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; + if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) + return NT_STATUS_ACCESS_DENIED; + if (!lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, NULL)) return NT_STATUS_ACCESS_DENIED; @@ -1710,7 +1717,8 @@ NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p, /* check to see if the pipe_user is a Domain Admin since account_pol.tdb was already opened as root, this is all we have */ - if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) + if ( p->pipe_user.ut.uid != sec_initial_uid() + && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) return NT_STATUS_ACCESS_DENIED; if (!pdb_getgrsid(&map, info->sid)) @@ -1820,7 +1828,6 @@ NTSTATUS _lsa_QuerySecurity(pipes_struct *p, if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) return NT_STATUS_ACCESS_DENIED; - switch (r->in.sec_info) { case 1: /* SD contains only the owner */ @@ -2078,6 +2085,9 @@ NTSTATUS _lsa_EnumAccountRights(pipes_struct *p, if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; + if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) + return NT_STATUS_ACCESS_DENIED; + /* according to an NT4 PDC, you can add privileges to SIDs even without call_lsa_create_account() first. And you can use any arbitrary SID. */ @@ -2120,6 +2130,9 @@ NTSTATUS _lsa_LookupPrivValue(pipes_struct *p, if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; + if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) + return NT_STATUS_ACCESS_DENIED; + name = r->in.name->string; DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));