Attachment 4148 Details for Bug 6342 – Patch for master/3.4 to test.

[patch] Patch for master/3.4 to test.

look (text/plain), 4.86 KB, created by Jeremy Allison on 2009-05-13 12:05:36 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Jeremy Allison

Created: 2009-05-13 12:05:36 UTC

Size: 4.86 KB

patch

obsolete

>diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
>index dea1a8f..7f434bd 100644
>--- a/source3/rpc_server/srv_samr_nt.c
>+++ b/source3/rpc_server/srv_samr_nt.c
>@@ -2207,6 +2207,7 @@ NTSTATUS _samr_OpenUser(pipes_struct *p,
> 	SEC_DESC *psd = NULL;
> 	uint32    acc_granted;
> 	uint32    des_access = r->in.access_mask;
>+	uint32_t extra_access = 0;
> 	size_t    sd_size;
> 	bool ret;
> 	NTSTATUS nt_status;
>@@ -2236,8 +2237,67 @@ NTSTATUS _samr_OpenUser(pipes_struct *p,
> 	make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
> 	se_map_generic(&des_access, &usr_generic_mapping);
> 
>-	se_priv_copy( &se_rights, &se_machine_account );
>-	se_priv_add( &se_rights, &se_add_users );
>+	/*
>+	 * Get the sampass first as we need to check privilages
>+	 * based on what kind of user object this is.
>+	 * But don't reveal info too early if it didn't exist.
>+	 */
>+
>+	become_root();
>+	ret=pdb_getsampwsid(sampass, &sid);
>+	unbecome_root();
>+
>+	ZERO_STRUCT(se_rights);
>+
>+	/*
>+	 * We do the override access checks on *open*, not at
>+	 * SetUserInfo time.
>+	 */
>+	if (ret) {
>+		SE_PRIV tmp_rights;
>+		uint32_t acb_info = pdb_get_acct_ctrl(sampass);
>+
>+		se_priv_copy(&tmp_rights, &se_machine_account);
>+		if ((acb_info & ACB_WSTRUST) &&
>+				user_has_any_privilege(p->server_info->ptok,
>+						&tmp_rights)) {
>+			/*
>+			 * SeMachineAccount is needed to add
>+			 * GENERIC_RIGHTS_USER_WRITE to a machine
>+			 * account.
>+			 */
>+			se_priv_add(&se_rights, &se_machine_account);
>+		}
>+		se_priv_copy(&tmp_rights, &se_add_users);
>+		if ((acb_info & ACB_NORMAL) &&
>+				user_has_any_privilege(p->server_info->ptok,
>+						&tmp_rights)) {
>+			/*
>+			 * SeAddUsers is needed to add
>+			 * GENERIC_RIGHTS_USER_WRITE to a normal
>+			 * account.
>+			 */
>+			se_priv_add(&se_rights, &se_add_users );
>+		}
>+		/*
>+		 * Cheat - allow GENERIC_RIGHTS_USER_WRITE if pipe user is
>+		 * in DOMAIN_GROUP_RID_ADMINS. This is almost certainly not
>+		 * what Windows does but is a hack for people who haven't
>+		 * set up privilages on groups in Samba.
>+		 */
>+		if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) {
>+			if (lp_enable_privileges() && nt_token_check_domain_rid(p->server_info->ptok,
>+							DOMAIN_GROUP_RID_ADMINS)) {
>+				des_access &= ~GENERIC_RIGHTS_USER_WRITE;
>+				extra_access = GENERIC_RIGHTS_USER_WRITE;
>+				DEBUG(4,("_samr_OpenUser: Allowing "
>+					"GENERIC_RIGHTS_USER_WRITE for "
>+					"rid admins\n"));
>+			}
>+		}
>+	}
>+
>+	TALLOC_FREE(sampass);
> 
> 	nt_status = access_check_samr_object(psd, p->server_info->ptok,
> 		&se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
>@@ -2246,16 +2306,13 @@ NTSTATUS _samr_OpenUser(pipes_struct *p,
> 	if ( !NT_STATUS_IS_OK(nt_status) )
> 		return nt_status;
> 
>-	become_root();
>-	ret=pdb_getsampwsid(sampass, &sid);
>-	unbecome_root();
>-
> 	/* check that the SID exists in our domain. */
> 	if (ret == False) {
>         	return NT_STATUS_NO_SUCH_USER;
> 	}
> 
>-	TALLOC_FREE(sampass);
>+	/* If we did the rid admins hack above, allow access. */
>+	acc_granted |= extra_access;
> 
> 	uinfo = policy_handle_create(p, r->out.user_handle, acc_granted,
> 				     struct samr_user_info, &nt_status);
>@@ -4660,8 +4717,6 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
> 	uint16_t switch_value = r->in.level;
> 	uint32_t acc_required;
> 	bool ret;
>-	bool has_enough_rights = False;
>-	uint32_t acb_info;
> 
> 	DEBUG(5,("_samr_SetUserInfo: %d\n", __LINE__));
> 
>@@ -4716,32 +4771,9 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
> 		return NT_STATUS_NO_SUCH_USER;
>  	}
> 
>-	/* deal with machine password changes differently from userinfo changes */
>-	/* check to see if we have the sufficient rights */
>-
>-	acb_info = pdb_get_acct_ctrl(pwd);
>-	if (acb_info & ACB_WSTRUST)
>-		has_enough_rights = user_has_privileges(p->server_info->ptok,
>-							&se_machine_account);
>-	else if (acb_info & ACB_NORMAL)
>-		has_enough_rights = user_has_privileges(p->server_info->ptok,
>-							&se_add_users);
>-	else if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) {
>-		if (lp_enable_privileges()) {
>-			has_enough_rights = nt_token_check_domain_rid(p->server_info->ptok,
>-								      DOMAIN_GROUP_RID_ADMINS);
>-		}
>-	}
>+	/* ================ BEGIN Privilege BLOCK ================ */
> 
>-	DEBUG(5, ("_samr_SetUserInfo: %s does%s possess sufficient rights\n",
>-		  uidtoname(p->server_info->utok.uid),
>-		  has_enough_rights ? "" : " not"));
>-
>-	/* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
>-
>-	if (has_enough_rights) {
>-		become_root();
>-	}
>+	become_root();
> 
> 	/* ok!  user info levels (lots: see MSDEV help), off we go... */
> 
>@@ -4888,11 +4920,9 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
> 
> 	TALLOC_FREE(pwd);
> 
>-	if (has_enough_rights) {
>-		unbecome_root();
>-	}
>+	unbecome_root();
> 
>-	/* ================ END SeMachineAccountPrivilege BLOCK ================ */
>+	/* ================ END Privilege BLOCK ================ */
> 
> 	if (NT_STATUS_IS_OK(status)) {
> 		force_flush_samr_cache(&uinfo->sid);

Actions: View

Attachments on bug 6342: 4148 | 4150 | 4151