git.samba.org - samba.git/commit

author	Volker Lendecke <vl@samba.org>
	Sat, 27 Nov 2021 15:38:38 +0000 (16:38 +0100)
committer	Volker Lendecke <vl@samba.org>
	Fri, 10 Dec 2021 14:02:30 +0000 (14:02 +0000)
commit	1bab76223cd1b87a96909a66143d02b8b6b5d5f6
tree	44835151a7e198704897eb364fd63a9a8eadb3ac	tree
parent	530fb4fdfb32d38cc55ed57cc6157bf63df069a7	commit \| diff

librpc: Add named_pipe_auth_req_info5->transport

This will serve as a check to make sure that in particular a SAMR
client is really root. This is for example used in get_user_info_18()
handing out a machine password.

The unix domain sockets for NCACN_NP can only be contacted by root,
the "np\" subdirectory for those sockets is root/root 0700.

Connecting to such a socket is done in two situations: First, local
real root processes connecting and smbd on behalf of SMB clients
connecting to \\pipe\name, smbd does become_root() there. Via the
named_pipe_auth_req_info4 smbd hands over the SMB session information
that the RPC server blindly trusts. The session information (i.e. the
NT token) is heavily influenced by external sources like the KDC. It
is highly unlikely that we get a system token via SMB, but who knows,
this is information not fully controlled by smbd.

This is where this additional field in named_pipe_auth_req_info5 makes
a difference: This field is set to NCACN_NP by smbd's code, not
directly controlled by the clients. Other clients directly connecting
to a socket in "np\" is root anyway (only smbd can do become_root())
and can set this field to NCALRPC.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

libcli/named_pipe_auth/npa_tstream.c		diff \| blob \| history
libcli/named_pipe_auth/npa_tstream.h		diff \| blob \| history
librpc/idl/named_pipe_auth.idl		diff \| blob \| history
source3/rpc_server/rpc_ncacn_np.c		diff \| blob \| history
source4/ntvfs/ipc/vfs_ipc.c		diff \| blob \| history