The Samba-Bugzilla – Attachment 1411 Details for
Bug 3047
"smbldap_open: cannot access LDAP when not root.." when trying to manage users/groups via NT Groupmanager
[patch]
add necessary priviliege checks around setting group and alias attributes
usrmgr_groups_v1.patch (text/plain), 2.09 KB, created by
Gerald (Jerry) Carter (dead mail address)
on 2005-09-01 14:38:07 UTC
Description:
add necessary privilege checks around setting group and alias attributes
Filename:
MIME Type:
Creator:
Gerald (Jerry) Carter (dead mail address)
Created:
2005-09-01 14:38:07 UTC
Size:
2.09 KB
>diff -ubBrN --exclude-from=diff.excludes samba-3.0.20-orig/source/rpc_server/srv_samr_nt.c samba-3.0.20-new/source/rpc_server/srv_samr_nt.c
>--- samba-3.0.20-orig/source/rpc_server/srv_samr_nt.c 2005-08-07 18:09:55.000000000 -0500
>+++ samba-3.0.20-new/source/rpc_server/srv_samr_nt.c 2005-09-01 16:34:06.000000000 -0500
>@@ -3927,6 +3927,8 @@
> GROUP_MAP map;
> GROUP_INFO_CTR *ctr;
> uint32 acc_granted;
>+ BOOL ret;
>+ BOOL can_mod_accounts;
>
> if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted))
> return NT_STATUS_INVALID_HANDLE;
>@@ -3951,11 +3953,21 @@
> return NT_STATUS_INVALID_INFO_CLASS;
> }
>
>- if(!pdb_update_group_mapping_entry(&map)) {
>- return NT_STATUS_NO_SUCH_GROUP;
>- }
>+ can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
>
>- return NT_STATUS_OK;
>+ /******** BEGIN SeAddUsers BLOCK *********/
>+
>+ if ( can_mod_accounts )
>+ become_root();
>+
>+ ret = pdb_update_group_mapping_entry(&map);
>+
>+ if ( can_mod_accounts )
>+ unbecome_root();
>+
>+ /******** End SeAddUsers BLOCK *********/
>+
>+ return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
> }
>
> /*********************************************************************
>@@ -3970,6 +3982,8 @@
> struct acct_info info;
> ALIAS_INFO_CTR *ctr;
> uint32 acc_granted;
>+ BOOL ret;
>+ BOOL can_mod_accounts;
>
> if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted))
> return NT_STATUS_INVALID_HANDLE;
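Review bot: The new `return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;` in the hunk at -3951 reports every failure of `pdb_update_group_mapping_entry(&map)` as a refusal, where the removed lines returned NT_STATUS_NO_SUCH_GROUP, so a backend or lookup failure for a caller who does hold SeAddUsers becomes indistinguishable from a denied request in client errors and logs. `if (!ret) return can_mod_accounts ? NT_STATUS_NO_SUCH_GROUP : NT_STATUS_ACCESS_DENIED;` would keep the two apart. A caller without the privilege still reaches the update, only without the root switch, so the decision is left to the passdb backend running under the caller's credentials; the hunk at -3992 does the same around `pdb_set_aliasinfo`, and both blocks deserve a comment such as `/* without SeAddUsers the update runs unprivileged; the backend decides */`. Whether `acc_granted` is checked against the handle's access mask before this point lies between the hunks and is not visible here; with become_root() now wrapping the write, that check is the remaining gate for privileged callers and is worth confirming. Both functions start before their hunks.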
>@@ -3992,11 +4006,21 @@
> return NT_STATUS_INVALID_INFO_CLASS;
> }
>
>- if(!pdb_set_aliasinfo(&group_sid, &info)) {
>- return NT_STATUS_ACCESS_DENIED;
>- }
>+ can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
>
>- return NT_STATUS_OK;
>+ /******** BEGIN SeAddUsers BLOCK *********/
>+
>+ if ( can_mod_accounts )
>+ become_root();
>+
>+ ret = pdb_set_aliasinfo( &group_sid, &info );
>+
>+ if ( can_mod_accounts )
>+ unbecome_root();
>+
>+ /******** End SeAddUsers BLOCK *********/
>+
>+ return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
> }
>
> /*********************************************************************