From 2739336e8321a490e7b9dc85bc5f6ea9cc8df8cd Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 2 May 2013 16:29:21 +1200
Subject: [PATCH] s3-rpc_server: Ensure we are root when starting and usiing
 gensec

This fixes bug 9465.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 10f6926aaa6a8c49b29e183d12f6f767072ecff7)
---
 source3/rpc_server/dcesrv_auth_generic.c | 38 +++++++++++++++++++++++++++-----
 1 file changed, 32 insertions(+), 6 deletions(-)

diff --git a/source3/rpc_server/dcesrv_auth_generic.c b/source3/rpc_server/dcesrv_auth_generic.c
index c4c08b2..77d76fc 100644
--- a/source3/rpc_server/dcesrv_auth_generic.c
+++ b/source3/rpc_server/dcesrv_auth_generic.c
@@ -24,12 +24,12 @@
 #include "auth.h"
 #include "auth/gensec/gensec.h"
 
-NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx,
-					    uint8_t auth_type, uint8_t auth_level,
-					    DATA_BLOB *token_in,
-					    DATA_BLOB *token_out,
-					    const struct tsocket_address *remote_address,
-					    struct gensec_security **ctx)
+static NTSTATUS auth_generic_server_authtype_start_as_root(TALLOC_CTX *mem_ctx,
+							   uint8_t auth_type, uint8_t auth_level,
+							   DATA_BLOB *token_in,
+							   DATA_BLOB *token_out,
+							   const struct tsocket_address *remote_address,
+							   struct gensec_security **ctx)
 {
 	struct gensec_security *gensec_security = NULL;
 	NTSTATUS status;
@@ -62,6 +62,27 @@ NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx,
 	return NT_STATUS_OK;
 }
 
+NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx,
+					    uint8_t auth_type, uint8_t auth_level,
+					    DATA_BLOB *token_in,
+					    DATA_BLOB *token_out,
+					    const struct tsocket_address *remote_address,
+					    struct gensec_security **ctx)
+{
+	NTSTATUS status;
+	become_root();
+
+	/* this has to be done as root in order to create the messaging socket */
+	status = auth_generic_server_authtype_start_as_root(mem_ctx,
+							    auth_type, auth_level,
+							    token_in,
+							    token_out,
+							    remote_address,
+							    ctx);
+	unbecome_root();
+	return status;
+}
+
 NTSTATUS auth_generic_server_step(struct gensec_security *gensec_security,
 			     TALLOC_CTX *mem_ctx,
 			     DATA_BLOB *token_in,
@@ -101,7 +122,12 @@ NTSTATUS auth_generic_server_get_user_info(struct gensec_security *gensec_securi
 {
 	NTSTATUS status;
 
+	/* this has to be done as root in order to get to the
+	 * messaging sockets for IDMAP and privilege.ldb in the AD
+	 * DC */
+	become_root();
 	status = gensec_session_info(gensec_security, mem_ctx, session_info);
+	unbecome_root();
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(1, (__location__ ": Failed to get authenticated user "
 			  "info: %s\n", nt_errstr(status)));
-- 
1.7.11.7