From 6e56261eb7d417b488da2d3b051fb8284abb3fbd Mon Sep 17 00:00:00 2001
From: Anatoliy Atanasov
Date: Sat, 19 Sep 2009 15:08:19 -0700
Subject: [PATCH] Add drs_security_level_check for dcesrv calls security checks
There is also an option to disable the security check by specifying in the smb.conf file: drs:disable_sec_check = true
---
 source4/rpc_server/drsuapi/addentry.c | 7 +++----
 source4/rpc_server/drsuapi/dcesrv_drsuapi.c | 18 ++++++++++--------
 source4/rpc_server/drsuapi/dcesrv_drsuapi.h | 2 ++
 source4/rpc_server/drsuapi/drsutil.c | 15 +++++++++++++++
 source4/rpc_server/drsuapi/getncchanges.c | 7 +++----
 source4/rpc_server/drsuapi/updaterefs.c | 7 +++----
 6 files changed, 36 insertions(+), 20 deletions(-)
diff --git a/source4/rpc_server/drsuapi/addentry.c b/source4/rpc_server/drsuapi/addentry.c
index 25f2aaaa295..74de772f7ac 100644
--- a/source4/rpc_server/drsuapi/addentry.c
+++ b/source4/rpc_server/drsuapi/addentry.c
@@ -151,10 +151,9 @@ WERROR dcesrv_drsuapi_DsAddEntry(struct dcesrv_call_state *dce_call, TALLOC_CTX
 DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
 b_state = h->data;
- if (security_session_user_level(dce_call->conn->auth_state.session_info) <
- SECURITY_DOMAIN_CONTROLLER) {
- DEBUG(0,("DsAddEntry refused for security token\n"));
- return WERR_DS_DRA_ACCESS_DENIED;
+ status = drs_security_level_check(dce_call, "DsAddEntry");
+ if (!W_ERROR_IS_OK(status)) {
+ return status;
 }
 switch (r->in.level) {
diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
index f96c4c03da5..9903f087463 100644
--- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
+++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
@@ -228,15 +228,17 @@ static WERROR dcesrv_drsuapi_DsUnbind(struct dcesrv_call_state *dce_call, TALLOC
 static WERROR dcesrv_drsuapi_DsReplicaSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
 struct drsuapi_DsReplicaSync *r)
 {
- if (security_session_user_level(dce_call->conn->auth_state.session_info) <
- SECURITY_DOMAIN_CONTROLLER) {
- DEBUG(0,("DsReplicaSync refused for security token\n"));
- return WERR_DS_DRA_ACCESS_DENIED;
+ WERROR status;
+
+ status = drs_security_level_check(dce_call, "DsReplicaSync");
+ if (!W_ERROR_IS_OK(status)) {
+ return status;
 }
 dcesrv_irpc_forward_rpc_call(dce_call, mem_ctx, r, NDR_DRSUAPI_DSREPLICASYNC,
 &ndr_table_drsuapi, "dreplsrv", "DsReplicaSync");
+ return WERR_OK;
 }
@@ -453,14 +455,14 @@ static WERROR dcesrv_drsuapi_DsRemoveDSServer(struct dcesrv_call_state *dce_call
 struct ldb_dn *ntds_dn;
 int ret;
 bool ok;
+ WERROR status;
 ZERO_STRUCT(r->out.res);
 *r->out.level_out = 1;
- if (security_session_user_level(dce_call->conn->auth_state.session_info) <
- SECURITY_DOMAIN_CONTROLLER) {
- DEBUG(0,("DsRemoveDSServer refused for security token\n"));
- return WERR_DS_DRA_ACCESS_DENIED;
+ status = drs_security_level_check(dce_call, "DsRemoveDSServer");
+ if (!W_ERROR_IS_OK(status)) {
+ return status;
 }
 DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.h b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
index 3f69a3fb52e..685203360b5 100644
--- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
+++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
@@ -56,3 +56,5 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
 const char * const *attrs,
 const char *format, ...) PRINTF_ATTRIBUTE(7,8);
+WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
+ const char* call);
diff --git a/source4/rpc_server/drsuapi/drsutil.c b/source4/rpc_server/drsuapi/drsutil.c
index 305e298e006..f4155192d77 100644
--- a/source4/rpc_server/drsuapi/drsutil.c
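Review bot: The new drs_security_level_check prototype in dcesrv_drsuapi.h carries no comment, yet every caller in this patch uses it as the authorisation gate for a replication RPC, so its contract should be spelled out at the declaration: what `call` is (the name to log when access is refused), that WERR_DS_DRA_ACCESS_DENIED is returned when the session level is below SECURITY_DOMAIN_CONTROLLER, and that the `drs:disable_sec_check` smb.conf parameter bypasses the check entirely. A three-line `/** ... */` block above the declaration covering those three points would do. As a style point, the neighbouring prototypes in this header bind the pointer declarator to the name (`const char *format`), so `const char* call` should read `const char *call` here and in the drsutil.c definition.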
+++ b/source4/rpc_server/drsuapi/drsutil.c
@@ -24,6 +24,7 @@
 #include "dsdb/samdb/samdb.h"
 #include "libcli/security/dom_sid.h"
 #include "rpc_server/drsuapi/dcesrv_drsuapi.h"
+#include "libcli/security/security.h"
 /* format a drsuapi_DsReplicaObjectIdentifier naming context as a string
@@ -101,3 +102,17 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
 return ret;
 }
+WERROR drs_security_level_check(struct dcesrv_call_state *dce_call, const char* call)
+{
+ if (lp_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL, "drs", "disable_sec_check", true)) {
+ return WERR_OK;
+ }
+
+ if (security_session_user_level(dce_call->conn->auth_state.session_info) <
+ SECURITY_DOMAIN_CONTROLLER) {
+ DEBUG(0,("DsReplicaGetInfo refused for security token\n"));
+ return WERR_DS_DRA_ACCESS_DENIED;
+ }
+
+ return WERR_OK;
+}
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index 52d751bcd7e..f84ffda0944 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -301,10 +301,9 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
 return WERR_DS_DRA_BAD_NC;
 }
- if (security_session_user_level(dce_call->conn->auth_state.session_info) <
- SECURITY_DOMAIN_CONTROLLER) {
- DEBUG(0,("getncchanges refused for security token\n"));
- return WERR_DS_DRA_ACCESS_DENIED;
+ werr = drs_security_level_check(dce_call, "DsGetNCChanges");
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
 }
 /*
diff --git a/source4/rpc_server/drsuapi/updaterefs.c b/source4/rpc_server/drsuapi/updaterefs.c
index 6e97024d779..e12be6f0587 100644
--- a/source4/rpc_server/drsuapi/updaterefs.c
+++ b/source4/rpc_server/drsuapi/updaterefs.c
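Review bot: The `lp_parm_bool(..., "drs", "disable_sec_check", true)` call at the top of the new drs_security_level_check passes `true` as the default, so on a stock smb.conf with no drs:disable_sec_check entry the session-level check is skipped and every RPC this patch routes through it (DsAddEntry, DsReplicaSync, DsRemoveDSServer, DsGetNCChanges, DsReplicaUpdateRefs) is reachable below SECURITY_DOMAIN_CONTROLLER; that is the opposite of the commit message, which presents `= true` as the opt-out. The gate should fail closed, with `false` as the default: `if (lp_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL, "drs", "disable_sec_check", false)) {`. Separately, the `call` parameter is never used and the refusal is logged as "DsReplicaGetInfo" for every caller, whereas the per-function messages this patch removes named the right RPC; `DEBUG(0,("%s refused for security token\n", call));` restores that. A short comment above the function noting that disable_sec_check removes authorisation from the replication RPCs and is meant for test setups only would also help the next reader.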
@@ -105,10 +105,9 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TA
 WERROR werr;
 struct ldb_dn *dn;
- if (security_session_user_level(dce_call->conn->auth_state.session_info) <
- SECURITY_DOMAIN_CONTROLLER) {
- DEBUG(0,("DsReplicaUpdateRefs refused for security token\n"));
- return WERR_DS_DRA_ACCESS_DENIED;
+ werr = drs_security_level_check(dce_call, "DsReplicaUpdateRefs");
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
 }
 if (r->in.level != 1) {
-- 
2.34.1