Fixed up the user/group contexts when using authenticated pipes.
authorJeremy Allison <jra@samba.org>
Fri, 4 Aug 2000 00:59:09 +0000 (00:59 +0000)
committerJeremy Allison <jra@samba.org>
Fri, 4 Aug 2000 00:59:09 +0000 (00:59 +0000)
Added a become_root()/unbecome_root() (push/pop security context)
around the initgroups() call to ensure it would succeed. Hmmm - I
wonder if this call being done as non-root might explain any "group access"
bugs we've had in the past....
Jeremy.
(This used to be commit 06a65972e872f37d88b84f22ea714feebd38f6c0)

source3/include/proto.h
source3/rpc_server/srv_pipe.c
source3/rpc_server/srv_pipe_hnd.c
source3/script/mkproto.awk
source3/smbd/password.c
source3/smbd/uid.c

index e630d7019f7d8a151dd6d5be1da899e214ced8e5..454c7f8c22afad8d003736d00aee66d890dbe231 100644 (file)
@@ -3546,6 +3546,7 @@ void invalidate_vuid(uint16 vuid);
 char *validated_username(uint16 vuid);
 char *validated_domain(uint16 vuid);
 int initialize_groups(char *user, uid_t uid, gid_t gid);
+NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups);
 uint16 register_vuid(uid_t uid,gid_t gid, char *unix_name, char *requested_name, 
                     char *domain,BOOL guest);
 void add_session_user(char *user);
@@ -3673,6 +3674,7 @@ int reply_getattrE(connection_struct *conn, char *inbuf,char *outbuf, int size,
 
 int get_current_groups(int *p_ngroups, gid_t **p_groups);
 void delete_nt_token(NT_USER_TOKEN **pptoken);
+NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken);
 BOOL push_sec_ctx(void);
 void set_sec_ctx(uid_t uid, gid_t gid, int ngroups, gid_t *groups, NT_USER_TOKEN *token);
 void set_root_sec_ctx(void);
index 049db69ca78f63b0ed332b5aa484f59e828ace19..ded01e4e2172804864407dcad19008a6b3d5ab05 100644 (file)
@@ -282,6 +282,11 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm
        memset(p->domain, '\0', sizeof(p->domain));
        memset(p->wks, '\0', sizeof(p->wks));
 
+       /* Set up for non-authenticated user. */
+       delete_nt_token(&p->pipe_user.nt_user_token);
+       p->pipe_user.ngroups = 0;
+       safe_free( p->pipe_user.groups);
+
        /* 
         * Setup an empty password for a guest user.
         */
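Review bot: `p->pipe_user.groups` is left pointing at freed memory after `safe_free( p->pipe_user.groups);`, because the pointer is passed by value and (unless safe_free is a macro) the call cannot clear it. If verification then returns before the later get_current_groups() call reassigns the field, the `safe_free(p->pipe_user.groups);` this commit adds to close_rpc_pipe_hnd() would free the same block a second time. Add `p->pipe_user.groups = NULL;` directly after the free. The body of api_pipe_ntlmssp_verify continues outside the hunk, so the early-return paths are inferred rather than visible here.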
@@ -456,7 +461,13 @@ failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name
        p->pipe_user.uid = pass->pw_uid;
        p->pipe_user.gid = pass->pw_gid;
 
-       /* XXX also set up pipe user group membership */
+       /* Set up pipe user group membership. */
+       initialize_groups(pipe_user_name, p->pipe_user.uid, p->pipe_user.gid);
+       get_current_groups( &p->pipe_user.ngroups, &p->pipe_user.groups);
+
+       /* Create an NT_USER_TOKEN struct for this user. */
+       p->pipe_user.nt_user_token = create_nt_token(p->pipe_user.uid,p->pipe_user.gid,
+                                                                                               p->pipe_user.ngroups, p->pipe_user.groups);
 
        p->ntlmssp_auth_validated = True;
        return True;
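Review bot: The results of `initialize_groups()`, `get_current_groups()` and `create_nt_token()` are all discarded before `p->ntlmssp_auth_validated = True;`. If initgroups() fails, the process keeps whatever supplementary groups it had before, and get_current_groups() would then record those as the authenticated pipe user's membership instead of failing cleanly. Fail the bind in that case, e.g. `if (!initialize_groups(pipe_user_name, p->pipe_user.uid, p->pipe_user.gid)) return False;`, and handle a NULL result from create_nt_token() the same way if it can return one. The enclosing function starts outside the hunk.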
index e6aeb26d6374d99bd348403c8cc80a9cd735ce34..b8ee2351850e0cfe065973a393dda4ba18205100 100644 (file)
@@ -825,6 +825,9 @@ BOOL close_rpc_pipe_hnd(pipes_struct *p, connection_struct *conn)
 
        DLIST_REMOVE(Pipes, p);
 
+       delete_nt_token(&p->pipe_user.nt_user_token);
+       safe_free(p->pipe_user.groups);
+
        ZERO_STRUCTP(p);
 
        free(p);
index 766b1f093bb882f764228185f7fbbe145d49b54f..b36eaca33bb124572f75a6e2fb1558bb810e6b26 100644 (file)
@@ -112,7 +112,7 @@ END {
     gotstart = 1;
   }
 
-  if( $0 ~ /^TDB_CONTEXT|^TDB_DATA|^smb_ucs2_t|^TALLOC_CTX|^hash_element|^NT_DEVICEMODE|^enum nss_status/ ) {
+  if( $0 ~ /^TDB_CONTEXT|^TDB_DATA|^smb_ucs2_t|^TALLOC_CTX|^hash_element|^NT_DEVICEMODE|^enum nss_status|^NT_USER_TOKEN/ ) {
     gotstart = 1;
   }
 
index 9af7d3b1e94e99c0193105c20218905e76c0e3e0..4aa753c022a1575634185d7a688c8a5ecf2f84b4 100644 (file)
@@ -163,8 +163,9 @@ char *validated_domain(uint16 vuid)
  Initialize the groups a user belongs to.
 ****************************************************************************/
 
-int initialize_groups(char *user, uid_t uid, gid_t gid)
+BOOL initialize_groups(char *user, uid_t uid, gid_t gid)
 {
+       become_root();
        if (initgroups(user,gid) == -1) {
                DEBUG(0,("Unable to initgroups. Error was %s\n", strerror(errno) ));
                if (getuid() == 0) {
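Review bot: Changing the return type from `int` (0 on success, -1 on failure) to `BOOL` (True on success) inverts the truth value callers see, and no pre-existing call site appears in the files this commit touches. Any caller outside this diff that tests `initialize_groups(...) == -1` or `!= 0` would now miss a failure or treat success as an error, so those call sites need checking. The proto.h context line in this commit also still reads `int initialize_groups(char *user, uid_t uid, gid_t gid);`, so the generated prototype should be regenerated to match.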
@@ -172,9 +173,11 @@ int initialize_groups(char *user, uid_t uid, gid_t gid)
                                DEBUG(0,("This is probably a problem with the account %s\n", user));
                        }
                }
-               return -1;
+               unbecome_root();
+               return False;
        }
-       return 0;
+       become_root();
+       return True;
 }
 
 /****************************************************************************
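Review bot: The success path calls `become_root();` a second time just before `return True;`, where the failure path correctly calls `unbecome_root();`. Going by the push/pop description in the commit message, a successful initgroups() therefore leaves the push from the top of the function unpopped and adds another one, so the caller would presumably keep running in the root security context. The line should read `unbecome_root();`.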
index f6687e9a5ad74e82aa4117d5eebd33625239a328..fafcd71b1a3429f748344d25313f9e079c60212f 100644 (file)
@@ -207,9 +207,8 @@ BOOL become_authenticated_pipe_user(pipes_struct *p)
                return False;
        }
 
-       /* JRATEST - this needs fixined w.r.t. NT user tokens... */
        set_sec_ctx(p->pipe_user.uid, p->pipe_user.gid, 
-                   p->pipe_user.ngroups, p->pipe_user.groups, NULL);
+                   p->pipe_user.ngroups, p->pipe_user.groups, p->pipe_user.nt_user_token);
 
        return True;
 }
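Review bot: Ownership of `p->pipe_user.nt_user_token` once it is passed to `set_sec_ctx()` is not documented at this call. close_rpc_pipe_hnd() in this commit deletes the same token, so if set_sec_ctx() stored the pointer rather than a copy, the security context would hold a dangling token after the pipe closes. The new `dup_nt_token()` prototype suggests it copies, but its body is not in this diff. Once confirmed, a comment above the call such as `/* set_sec_ctx() takes its own copy of the token; the pipe keeps ownership. */` would record that. The enclosing function starts outside the hunk.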