The Samba-Bugzilla – Attachment 4150 Details for
Bug 6342
SeMachineAccountPrivilege works same as SeAddUsersPrivilege
[patch]
Pater patch - fixes more....
look (text/plain), 6.29 KB, created by
Jeremy Allison
on 2009-05-13 18:01:54 UTC
Description:
Pater patch - fixes more....
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2009-05-13 18:01:54 UTC
Size:
6.29 KB
patch
obsolete
>diff --git a/source3/lib/privileges_basic.c b/source3/lib/privileges_basic.c
>index 865c1f6..31a6fae 100644
>--- a/source3/lib/privileges_basic.c
>+++ b/source3/lib/privileges_basic.c
>@@ -195,7 +195,7 @@ bool se_priv_equal( const SE_PRIV *mask1, const SE_PRIV *mask2 )
> check if a SE_PRIV has any assigned privileges
> ****************************************************************************/
> 
>-static bool se_priv_empty( const SE_PRIV *mask )
>+bool se_priv_empty( const SE_PRIV *mask )
> {
> SE_PRIV p1;
> int i;
>diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
>index dea1a8f..3e27aaf 100644
>--- a/source3/rpc_server/srv_samr_nt.c
>+++ b/source3/rpc_server/srv_samr_nt.c
>@@ -185,7 +185,7 @@ static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
> by privileges (mostly having to do with creating/modifying/deleting
> users and groups) */
> 
>- if ( rights && user_has_any_privilege( token, rights ) ) {
>+ if ( rights && !se_priv_equal(rights, &se_priv_none) && user_has_any_privilege( token, rights ) ) {
> 
> saved_mask = (des_access & rights_mask);
> des_access &= ~saved_mask;
>@@ -2207,6 +2207,7 @@ NTSTATUS _samr_OpenUser(pipes_struct *p,
> SEC_DESC *psd = NULL;
> uint32 acc_granted;
> uint32 des_access = r->in.access_mask;
>+ uint32_t extra_access = 0;
> size_t sd_size;
> bool ret;
> NTSTATUS nt_status;
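Review bot: Dropping `static` from `se_priv_empty` exports a symbol that nothing else in this patch calls; the new test in `access_check_samr_object` spells the same check as `se_priv_equal(rights, &se_priv_none)`, so either that call site should read `if ( rights && !se_priv_empty(rights) && user_has_any_privilege( token, rights ) ) {` or this hunk can be dropped. If the export stays, a prototype has to be visible to srv_samr_nt.c, which the patch does not add (it may come from generated prototypes — not visible here). The body of `se_priv_empty` continues past the end of the hunk.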
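Review bot: The new condition in `access_check_samr_object` treats an all-zero `rights` mask as "no override", but nothing on the line says why that is needed on top of the existing `rights &&` NULL test, and a later reader could simplify it away and reopen the bug; a one-line comment above it would pin the intent, e.g. `/* An empty mask must never satisfy the privilege override, whatever user_has_any_privilege() returns for it. */`. The line is also well past 80 columns; breaking it after each `&&` would match the surrounding style. The rest of the function lies outside the hunk.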
>@@ -2236,26 +2237,94 @@ NTSTATUS _samr_OpenUser(pipes_struct *p,
> make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
> se_map_generic(&des_access, &usr_generic_mapping);
> 
>- se_priv_copy( &se_rights, &se_machine_account );
>- se_priv_add( &se_rights, &se_add_users );
>+ /*
>+ * Get the sampass first as we need to check privilages
>+ * based on what kind of user object this is.
>+ * But don't reveal info too early if it didn't exist.
>+ */
>+
>+ become_root();
>+ ret=pdb_getsampwsid(sampass, &sid);
>+ unbecome_root();
>+
>+ se_priv_copy(&se_rights, &se_priv_none);
>+
>+ /*
>+ * We do the override access checks on *open*, not at
>+ * SetUserInfo time.
>+ */
>+ if (ret) {
>+ uint32_t acb_info = pdb_get_acct_ctrl(sampass);
>+
>+ if ((acb_info & ACB_WSTRUST) &&
>+ user_has_any_privilege(p->server_info->ptok,
>+ &se_machine_account)) {
>+ /*
>+ * SeMachineAccount is needed to add
>+ * GENERIC_RIGHTS_USER_WRITE to a machine
>+ * account.
>+ */
>+ se_priv_add(&se_rights, &se_machine_account);
>+ DEBUG(10,("_samr_OpenUser: adding machine account "
>+ "rights to handle for user %s\n",
>+ pdb_get_username(sampass) ));
>+ }
>+ if ((acb_info & ACB_NORMAL) &&
>+ user_has_any_privilege(p->server_info->ptok,
>+ &se_add_users)) {
>+ /*
>+ * SeAddUsers is needed to add
>+ * GENERIC_RIGHTS_USER_WRITE to a normal
>+ * account.
>+ */
>+ se_priv_add(&se_rights, &se_add_users);
>+ DEBUG(10,("_samr_OpenUser: adding add user "
>+ "rights to handle for user %s\n",
>+ pdb_get_username(sampass) ));
>+ }
>+ /*
>+ * Cheat - allow GENERIC_RIGHTS_USER_WRITE if pipe user is
>+ * in DOMAIN_GROUP_RID_ADMINS. This is almost certainly not
>+ * what Windows does but is a hack for people who haven't
>+ * set up privilages on groups in Samba.
>+ */
>+ if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) {
>+ if (lp_enable_privileges() && nt_token_check_domain_rid(p->server_info->ptok,
>+ DOMAIN_GROUP_RID_ADMINS)) {
>+ des_access &= ~GENERIC_RIGHTS_USER_WRITE;
>+ extra_access = GENERIC_RIGHTS_USER_WRITE;
>+ DEBUG(4,("_samr_OpenUser: Allowing "
>+ "GENERIC_RIGHTS_USER_WRITE for "
>+ "rid admins\n"));
>+ }
>+ }
>+
>+ if (geteuid() == sec_initial_uid()) {
>+ des_access &= ~GENERIC_RIGHTS_USER_WRITE;
>+ extra_access = GENERIC_RIGHTS_USER_WRITE;
>+ DEBUG(4,("_samr_OpenUser: Allowing "
>+ "GENERIC_RIGHTS_USER_WRITE for "
>+ "root\n"));
>+ }
>+ }
>+
>+ TALLOC_FREE(sampass);
> 
> nt_status = access_check_samr_object(psd, p->server_info->ptok,
>- &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
>- &acc_granted, "_samr_OpenUser");
>+ se_priv_equal(&se_rights, &se_priv_none) ? NULL : &se_rights,
>+ GENERIC_RIGHTS_USER_WRITE, des_access,
>+ &acc_granted, "_samr_OpenUser");
> 
> if ( !NT_STATUS_IS_OK(nt_status) )
> return nt_status;
> 
>- become_root();
>- ret=pdb_getsampwsid(sampass, &sid);
>- unbecome_root();
>-
> /* check that the SID exists in our domain. */
> if (ret == False) {
> return NT_STATUS_NO_SUCH_USER;
> }
> 
>- TALLOC_FREE(sampass);
>+ /* If we did the rid admins hack above, allow access. */
>+ acc_granted |= extra_access;
> 
> uinfo = policy_handle_create(p, r->out.user_handle, acc_granted,
> struct samr_user_info, &nt_status);
>@@ -4660,8 +4729,6 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
> uint16_t switch_value = r->in.level;
> uint32_t acc_required;
> bool ret;
>- bool has_enough_rights = False;
>- uint32_t acb_info;
> 
> DEBUG(5,("_samr_SetUserInfo: %d\n", __LINE__));
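Review bot: Both override branches in `_samr_OpenUser` (the rid-admins one and the `geteuid() == sec_initial_uid()` one) set `extra_access = GENERIC_RIGHTS_USER_WRITE` unconditionally, so `acc_granted |= extra_access` later hands the handle every USER_WRITE bit even when `des_access` never asked for them, which is more than the `access_check_samr_object` path would ever grant for the same request. Limiting the override to what was requested keeps the two paths consistent: `extra_access = des_access & GENERIC_RIGHTS_USER_WRITE;` followed by `des_access &= ~extra_access;` in each branch (the second branch then ORs rather than assigns, so the rid-admins grant survives). The override is an authorization decision taken outside the security descriptor, so the two DEBUG(4)/DEBUG(10) messages are the only record of it; logging them at a level that reaches a default log would help anyone auditing who obtained write access to machine or trust accounts. Minor: the new declaration uses `uint32_t` next to the existing `uint32 acc_granted`/`des_access`, and both added comments spell "privilages". The function's head and tail are outside this hunk.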
> 
>@@ -4716,32 +4783,9 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
> return NT_STATUS_NO_SUCH_USER;
> }
> 
>- /* deal with machine password changes differently from userinfo changes */
>- /* check to see if we have the sufficient rights */
>-
>- acb_info = pdb_get_acct_ctrl(pwd);
>- if (acb_info & ACB_WSTRUST)
>- has_enough_rights = user_has_privileges(p->server_info->ptok,
>- &se_machine_account);
>- else if (acb_info & ACB_NORMAL)
>- has_enough_rights = user_has_privileges(p->server_info->ptok,
>- &se_add_users);
>- else if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) {
>- if (lp_enable_privileges()) {
>- has_enough_rights = nt_token_check_domain_rid(p->server_info->ptok,
>- DOMAIN_GROUP_RID_ADMINS);
>- }
>- }
>-
>- DEBUG(5, ("_samr_SetUserInfo: %s does%s possess sufficient rights\n",
>- uidtoname(p->server_info->utok.uid),
>- has_enough_rights ? "" : " not"));
>+ /* ================ BEGIN Privilege BLOCK ================ */
> 
>- /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
>-
>- if (has_enough_rights) {
>- become_root();
>- }
>+ become_root();
> 
> /* ok! user info levels (lots: see MSDEV help), off we go... */
> 
>@@ -4888,11 +4932,9 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
> 
> TALLOC_FREE(pwd);
> 
>- if (has_enough_rights) {
>- unbecome_root();
>- }
>+ unbecome_root();
> 
>- /* ================ END SeMachineAccountPrivilege BLOCK ================ */
>+ /* ================ END Privilege BLOCK ================ */
> 
> if (NT_STATUS_IS_OK(status)) {
> force_flush_samr_cache(&uinfo->sid);
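Review bot: `become_root()` in the -4716 hunk is now unconditional and its only matching `unbecome_root()` is in the -4888 hunk, so every path through the info-level code between them must fall out to that call; a `return` anywhere in between would leave the daemon running as root for the rest of the request. That intervening code is outside both hunks, so I cannot confirm there is no such path — it is worth checking, and worth stating at the block marker so nobody adds one later, e.g. `/* ================ BEGIN Privilege BLOCK: the privilege checks that used to gate this block now run in _samr_OpenUser; no early return until the END marker ================ */`. The removed DEBUG(5) line was the only per-call log of which caller exercised these rights; the new code logs nothing at this point, so a replacement message naming the caller and level would keep that audit trail. The -4660 hunk only drops the two locals this change makes unused.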