Attachment 7735 Details for Bug 9066 – Backported patch to v3-6-test

[patch] Backported patch to v3-6-test

0001-Revert-s3-auth-make-sure-the-primary-group-sid-is-us.patch (text/plain), 3.46 KB, created by Christof Schmitt on 2012-08-02 23:25:43 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Christof Schmitt

Created: 2012-08-02 23:25:43 UTC

Size: 3.46 KB

patch

obsolete

>From ab9bb53297ef224ea7764731fc2c78979534747b Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Sun, 15 Jul 2012 12:22:44 +1000
>Subject: [PATCH 1/2] Revert "s3:auth make sure the primary group sid is usable"
>
>This reverts commit 00089fd74af740f832573d904312854e494a869e.
>
>The issue with this patch, which I did sign off on, is that for the
>domain member case, we already know that the SID is reasonable and
>valid, and we indeed rely on that, because we keep it as an additonal
>group anyway.  The primary group is not so special that we need to do
>extra validation.
>
>Calling this function may put a user into the domain 'domain users'
>group, even if they are not in that group to start with.
>
>Andrew Bartlett
>---
> source3/auth/auth_util.c |   43 +++++++++++++------------------------------
> 1 files changed, 13 insertions(+), 30 deletions(-)
>
>diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
>index c7e266a..cb1d319 100644
>--- a/source3/auth/auth_util.c
>+++ b/source3/auth/auth_util.c
>@@ -1250,11 +1250,11 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
> 	char *found_username = NULL;
> 	const char *nt_domain;
> 	const char *nt_username;
>+	struct dom_sid user_sid;
>+	struct dom_sid group_sid;
> 	bool username_was_mapped;
> 	struct passwd *pwd;
> 	struct auth_serversupplied_info *result;
>-	struct dom_sid *group_sid;
>-	struct netr_SamInfo3 *i3;
> 
> 	/* 
> 	   Here is where we should check the list of
>@@ -1262,6 +1262,15 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
> 	   matches.
> 	*/
> 
>+	if (!sid_compose(&user_sid, info3->base.domain_sid, info3->base.rid)) {
>+		return NT_STATUS_INVALID_PARAMETER;
>+	}
>+
>+	if (!sid_compose(&group_sid, info3->base.domain_sid,
>+			 info3->base.primary_gid)) {
>+		return NT_STATUS_INVALID_PARAMETER;
>+	}
>+
> 	nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
> 	if (!nt_username) {
> 		/* If the server didn't give us one, just use the one we sent
>@@ -1313,43 +1322,17 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
> 	}
> 
> 	/* copy in the info3 */
>-	result->info3 = i3 = copy_netr_SamInfo3(result, info3);
>+	result->info3 = copy_netr_SamInfo3(result, info3);
> 	if (result->info3 == NULL) {
> 		TALLOC_FREE(result);
> 		return NT_STATUS_NO_MEMORY;
> 	}
> 
> 	/* Fill in the unix info we found on the way */
>+
> 	result->utok.uid = pwd->pw_uid;
> 	result->utok.gid = pwd->pw_gid;
> 
>-	/* We can't just trust that the primary group sid sent us is something
>-	 * we can really use. Obtain the useable sid, and store the original
>-	 * one as an additional group if it had to be replaced */
>-	nt_status = get_primary_group_sid(mem_ctx, found_username,
>-					  &pwd, &group_sid);
>-	if (!NT_STATUS_IS_OK(nt_status)) {
>-		TALLOC_FREE(result);
>-		return nt_status;
>-	}
>-
>-	/* store and check if it is the same we got originally */
>-	sid_peek_rid(group_sid, &i3->base.primary_gid);
>-	if (i3->base.primary_gid != info3->base.primary_gid) {
>-		uint32_t n = i3->base.groups.count;
>-		/* not the same, store the original as an additional group */
>-		i3->base.groups.rids =
>-			talloc_realloc(i3, i3->base.groups.rids,
>-					struct samr_RidWithAttribute, n + 1);
>-		if (i3->base.groups.rids == NULL) {
>-			TALLOC_FREE(result);
>-			return NT_STATUS_NO_MEMORY;
>-		}
>-		i3->base.groups.rids[n].rid = info3->base.primary_gid;
>-		i3->base.groups.rids[n].attributes = SE_GROUP_ENABLED;
>-		i3->base.groups.count = n + 1;
>-	}
>-
> 	/* ensure we are never given NULL session keys */
> 
> 	if (memcmp(info3->base.key.key, zeros, sizeof(zeros)) == 0) {
>-- 
>1.7.1
>

Flags:

abartlet: review+
jra: review+

Actions: View

Attachments on bug 9066: 7735