librpc: Add named_pipe_auth_req_info5->transport
authorVolker Lendecke <vl@samba.org>
Sat, 27 Nov 2021 15:38:38 +0000 (16:38 +0100)
committerVolker Lendecke <vl@samba.org>
Fri, 10 Dec 2021 14:02:30 +0000 (14:02 +0000)
This will serve as a check to make sure that in particular a SAMR
client is really root. This is for example used in get_user_info_18()
handing out a machine password.

The unix domain sockets for NCACN_NP can only be contacted by root,
the "np\" subdirectory for those sockets is root/root 0700.

Connecting to such a socket is done in two situations: first, local
real root processes connecting, and second, smbd connecting on behalf
of SMB clients that open \\pipe\name; smbd does become_root() there. Via the
named_pipe_auth_req_info4 smbd hands over the SMB session information
that the RPC server blindly trusts. The session information (i.e. the
NT token) is heavily influenced by external sources like the KDC. It
is highly unlikely that we get a system token via SMB, but who knows,
this is information not fully controlled by smbd.

This is where this additional field in named_pipe_auth_req_info5 makes
a difference: This field is set to NCACN_NP by smbd's code, not
directly controlled by the clients. Other clients directly connecting
to a socket in "np\" is root anyway (only smbd can do become_root())
and can set this field to NCALRPC.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
libcli/named_pipe_auth/npa_tstream.c
libcli/named_pipe_auth/npa_tstream.h
librpc/idl/named_pipe_auth.idl
source3/rpc_server/rpc_ncacn_np.c
source4/ntvfs/ipc/vfs_ipc.c

index 7638d97f9920ec3d6f86f5848a2525b97c4a54d6..fefab2d1a07e89c4c877413a3314654b6fa087df 100644 (file)
@@ -60,6 +60,7 @@ struct tevent_req *tstream_npa_connect_send(TALLOC_CTX *mem_ctx,
                                            struct tevent_context *ev,
                                            const char *directory,
                                            const char *npipe,
+                                           enum dcerpc_transport_t transport,
                                            const struct tsocket_address *remote_client_addr,
                                            const char *remote_client_name_in,
                                            const struct tsocket_address *local_server_addr,
@@ -121,6 +122,9 @@ struct tevent_req *tstream_npa_connect_send(TALLOC_CTX *mem_ctx,
        state->auth_req.level = 5;
        info5 = &state->auth_req.info.info5;
 
+       info5->transport = transport;
+       SMB_ASSERT(info5->transport == transport); /* Assert no overflow */
+
        info5->remote_client_name = remote_client_name_in;
        info5->remote_client_addr = tsocket_address_inet_addr_string(remote_client_addr,
                                                                     state);
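Review bot: The comment `/* Assert no overflow */` on the new SMB_ASSERT does not say why an assignment between two `transport` values could overflow. The reason only shows in named_pipe_auth.idl, where the field is a `uint8` while the parameter is an `enum dcerpc_transport_t`. I would spell that out, for example `/* info5->transport is uint8 on the wire; make sure the enum value survives the narrowing */`. Because the commit message says the server will use this value for a root check, a silently truncated value would be a security-relevant bug, and the comment should make that visible. The body of tstream_npa_connect_send() starts and ends outside this hunk.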
index ce158fb12dd83611e5d609e1ee2bed9d221ffe59..3253e66a9f3f346b21d0cc8d7b6c561601f480df 100644 (file)
@@ -20,6 +20,9 @@
 #ifndef NPA_TSTREAM_H
 #define NPA_TSTREAM_H
 
+#include <replace.h>
+#include "librpc/rpc/rpc_common.h"
+
 struct tevent_req;
 struct tevent_context;
 struct auth_session_info_transport;
@@ -30,6 +33,7 @@ struct tevent_req *tstream_npa_connect_send(TALLOC_CTX *mem_ctx,
                                            struct tevent_context *ev,
                                            const char *directory,
                                            const char *npipe,
+                                           enum dcerpc_transport_t transport,
                                            const struct tsocket_address *remote_client_addr,
                                            const char *remote_client_name_in,
                                            const struct tsocket_address *local_server_addr,
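Review bot: The new `transport` parameter in this prototype has no documentation, although the commit message describes it as the value the RPC server trusts to tell smbd-proxied SMB clients from local root callers. A short comment above the declaration should say that callers connecting on behalf of a remote client must pass `NCACN_NP`, and that `NCALRPC` is reserved for processes that are really root. Without it, a new caller has only the enum type to go on and could pick the wrong constant. The prototype continues past the end of this hunk.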
index bc727d2e538f2cad9733c5c9cc600ed1743880ee..6f26cceab1728c6c865ca0cf639dca34bbe8789a 100644 (file)
@@ -13,6 +13,7 @@ interface named_pipe_auth
        const char *NAMED_PIPE_AUTH_MAGIC = "NPAM";
 
        typedef [public] struct {
+               uint8 transport;
                [charset(UTF8),string] uint8 *remote_client_name;
                [charset(DOS),string] uint8 *remote_client_addr;
                uint16 remote_client_port;
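Review bot: `transport` is declared as a bare `uint8`, so the receiving side gets a byte with no enumerated range even though the sender assigns an `enum dcerpc_transport_t`. Since the commit message says this field will back a root check, a comment on the field would help, for example `/* enum dcerpc_transport_t; consumers must compare against exact values and treat anything unrecognised as untrusted */`. The new member is also placed first in the struct, which shifts every following field on the wire, so sender and receiver have to be built from the same IDL. The struct's name and closing lines are outside this hunk, so I cannot confirm which info level this is.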
index bb95c678e7b11f853b3f82afa8befca083f57a77..0cc7b42f91b30a228e84d4eeee2a46f15717f4bd 100644 (file)
@@ -902,6 +902,7 @@ NTSTATUS make_external_rpc_pipe(TALLOC_CTX *mem_ctx,
                                          ev_ctx,
                                          socket_np_dir,
                                          pipe_name,
+                                         NCACN_NP,
                                          remote_client_address,
                                          NULL, /* client_name */
                                          local_server_address,
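Review bot: The `NCACN_NP` argument is passed without a label, while the nearby `NULL, /* client_name */` has one, and it is the value the RPC server is meant to rely on to recognise a proxied SMB client. A trailing comment such as `NCACN_NP, /* transport: proxied SMB client, never NCALRPC */` would make it harder for a later refactor to pass the wrong constant. The same applies to the call in make_external_rpc_pipe_p() in this file and to ipc_open() in source4/ntvfs/ipc/vfs_ipc.c. The call expression starts and ends outside the hunk.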
@@ -1034,6 +1035,7 @@ static struct np_proxy_state *make_external_rpc_pipe_p(TALLOC_CTX *mem_ctx,
        subreq = tstream_npa_connect_send(talloc_tos(), ev,
                                          socket_np_dir,
                                          pipe_name,
+                                         NCACN_NP,
                                          remote_address,
                                          NULL, /* client_name */
                                          local_address,
index 967c80d299591f9b4837947725c3956f5d413ac4..f6c1bf43e31bcf13579bd6236f922f6a4e203c5f 100644 (file)
@@ -330,6 +330,7 @@ static NTSTATUS ipc_open(struct ntvfs_module_context *ntvfs,
                                          ipriv->ntvfs->ctx->event_ctx,
                                          directory,
                                          fname,
+                                         NCACN_NP,
                                          remote_client_addr,
                                          NULL,
                                          local_server_addr,