by privileges (mostly having to do with creating/modifying/deleting
users and groups) */
- if ( rights && user_has_any_privilege( token, rights ) ) {
+ if (rights && !se_priv_equal(rights, &se_priv_none) &&
+ user_has_any_privilege(token, rights)) {
saved_mask = (des_access & rights_mask);
des_access &= ~saved_mask;
make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
se_map_generic( &des_access, &dom_generic_mapping );
+ /*
+ * Users with SeMachineAccount or SeAddUser get additional
+ * SAMR_DOMAIN_ACCESS_CREATE_USER access, but no more.
+ */
se_priv_copy( &se_rights, &se_machine_account );
se_priv_add( &se_rights, &se_add_users );
status = access_check_samr_object( psd, p->server_info->ptok,
- &se_rights, GENERIC_RIGHTS_DOMAIN_WRITE, des_access,
+ &se_rights, SAMR_DOMAIN_ACCESS_CREATE_USER, des_access,
&acc_granted, "_samr_OpenDomain" );
if ( !NT_STATUS_IS_OK(status) )
SEC_DESC *psd = NULL;
uint32 acc_granted;
uint32 des_access = r->in.access_mask;
+ uint32_t extra_access = 0;
size_t sd_size;
bool ret;
NTSTATUS nt_status;
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
se_map_generic(&des_access, &usr_generic_mapping);
- se_priv_copy( &se_rights, &se_machine_account );
- se_priv_add( &se_rights, &se_add_users );
+ /*
+ * Get the sampass first as we need to check privilages
+ * based on what kind of user object this is.
+ * But don't reveal info too early if it didn't exist.
+ */
+
+ become_root();
+ ret=pdb_getsampwsid(sampass, &sid);
+ unbecome_root();
+
+ se_priv_copy(&se_rights, &se_priv_none);
+
+ /*
+ * We do the override access checks on *open*, not at
+ * SetUserInfo time.
+ */
+ if (ret) {
+ uint32_t acb_info = pdb_get_acct_ctrl(sampass);
+
+ if ((acb_info & ACB_WSTRUST) &&
+ user_has_any_privilege(p->server_info->ptok,
+ &se_machine_account)) {
+ /*
+ * SeMachineAccount is needed to add
+ * GENERIC_RIGHTS_USER_WRITE to a machine
+ * account.
+ */
+ se_priv_add(&se_rights, &se_machine_account);
+ DEBUG(10,("_samr_OpenUser: adding machine account "
+ "rights to handle for user %s\n",
+ pdb_get_username(sampass) ));
+ }
+ if ((acb_info & ACB_NORMAL) &&
+ user_has_any_privilege(p->server_info->ptok,
+ &se_add_users)) {
+ /*
+ * SeAddUsers is needed to add
+ * GENERIC_RIGHTS_USER_WRITE to a normal
+ * account.
+ */
+ se_priv_add(&se_rights, &se_add_users);
+ DEBUG(10,("_samr_OpenUser: adding add user "
+ "rights to handle for user %s\n",
+ pdb_get_username(sampass) ));
+ }
+ /*
+ * Cheat - allow GENERIC_RIGHTS_USER_WRITE if pipe user is
+ * in DOMAIN_GROUP_RID_ADMINS. This is almost certainly not
+ * what Windows does but is a hack for people who haven't
+ * set up privilages on groups in Samba.
+ */
+ if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) {
+ if (lp_enable_privileges() && nt_token_check_domain_rid(p->server_info->ptok,
+ DOMAIN_GROUP_RID_ADMINS)) {
+ des_access &= ~GENERIC_RIGHTS_USER_WRITE;
+ extra_access = GENERIC_RIGHTS_USER_WRITE;
+ DEBUG(4,("_samr_OpenUser: Allowing "
+ "GENERIC_RIGHTS_USER_WRITE for "
+ "rid admins\n"));
+ }
+ }
+ }
+
+ TALLOC_FREE(sampass);
nt_status = access_check_samr_object(psd, p->server_info->ptok,
&se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
if ( !NT_STATUS_IS_OK(nt_status) )
return nt_status;
- become_root();
- ret=pdb_getsampwsid(sampass, &sid);
- unbecome_root();
-
/* check that the SID exists in our domain. */
if (ret == False) {
return NT_STATUS_NO_SUCH_USER;
}
- TALLOC_FREE(sampass);
+ /* If we did the rid admins hack above, allow access. */
+ acc_granted |= extra_access;
uinfo = policy_handle_create(p, r->out.user_handle, acc_granted,
struct samr_user_info, &nt_status);
if (ret == False) {
DEBUG(4, ("User %s not found\n", sid_string_dbg(user_sid)));
TALLOC_FREE(smbpass);
- return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED;
+ return (geteuid() == sec_initial_uid()) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED;
}
DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) ));
/* determine which user right we need to check based on the acb_info */
- if ( acb_info & ACB_WSTRUST )
- {
- se_priv_copy( &se_rights, &se_machine_account );
+ if (geteuid() == sec_initial_uid()) {
+ se_priv_copy(&se_rights, &se_priv_none);
+ can_add_account = true;
+ } else if (acb_info & ACB_WSTRUST) {
+ se_priv_copy(&se_rights, &se_machine_account);
can_add_account = user_has_privileges(
p->server_info->ptok, &se_rights );
- }
- /* usrmgr.exe (and net rpc trustdom grant) creates a normal user
- account for domain trusts and changes the ACB flags later */
- else if ( acb_info & ACB_NORMAL &&
- (account[strlen(account)-1] != '$') )
- {
- se_priv_copy( &se_rights, &se_add_users );
+ } else if (acb_info & ACB_NORMAL &&
+ (account[strlen(account)-1] != '$')) {
+ /* usrmgr.exe (and net rpc trustdom grant) creates a normal user
+ account for domain trusts and changes the ACB flags later */
+ se_priv_copy(&se_rights, &se_add_users);
can_add_account = user_has_privileges(
p->server_info->ptok, &se_rights );
- }
- else /* implicit assumption of a BDC or domain trust account here
+ } else if (lp_enable_privileges()) {
+ /* implicit assumption of a BDC or domain trust account here
* (we already check the flags earlier) */
- {
- if ( lp_enable_privileges() ) {
- /* only Domain Admins can add a BDC or domain trust */
- se_priv_copy( &se_rights, &se_priv_none );
- can_add_account = nt_token_check_domain_rid(
- p->server_info->ptok,
- DOMAIN_GROUP_RID_ADMINS );
- }
+ /* only Domain Admins can add a BDC or domain trust */
+ se_priv_copy(&se_rights, &se_priv_none);
+ can_add_account = nt_token_check_domain_rid(
+ p->server_info->ptok,
+ DOMAIN_GROUP_RID_ADMINS );
}
DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n",
uidtoname(p->server_info->utok.uid),
can_add_account ? "True":"False" ));
- /********** BEGIN Admin BLOCK **********/
+ if (!can_add_account) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
- if ( can_add_account )
- become_root();
+ /********** BEGIN Admin BLOCK **********/
+ become_root();
nt_status = pdb_create_user(p->mem_ctx, account, acb_info,
r->out.rid);
-
- if ( can_add_account )
- unbecome_root();
+ unbecome_root();
/********** END Admin BLOCK **********/
&sid, SAMR_USR_RIGHTS_WRITE_PW);
se_map_generic(&des_access, &usr_generic_mapping);
+ /*
+ * JRA - TESTME. We just created this user so we
+ * had rights to create them. Do we need to check
+ * any further access on this object ? Can't we
+ * just assume we have all the rights we need ?
+ */
+
nt_status = access_check_samr_object(psd, p->server_info->ptok,
&se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
&acc_granted, "_samr_CreateUser2");
se_priv_copy( &se_rights, &se_add_users );
-
status = access_check_samr_object(psd, p->server_info->ptok,
- &se_rights, GENERIC_RIGHTS_ALIAS_WRITE, des_access,
- &acc_granted, "_samr_OpenAlias");
+ &se_rights, SAMR_ALIAS_ACCESS_ADD_MEMBER,
+ des_access, &acc_granted, "_samr_OpenAlias");
if ( !NT_STATUS_IS_OK(status) )
return status;
uint16_t switch_value = r->in.level;
uint32_t acc_required;
bool ret;
- bool has_enough_rights = False;
- uint32_t acb_info;
DEBUG(5,("_samr_SetUserInfo: %d\n", __LINE__));
return NT_STATUS_NO_SUCH_USER;
}
- /* deal with machine password changes differently from userinfo changes */
- /* check to see if we have the sufficient rights */
-
- acb_info = pdb_get_acct_ctrl(pwd);
- if (acb_info & ACB_WSTRUST)
- has_enough_rights = user_has_privileges(p->server_info->ptok,
- &se_machine_account);
- else if (acb_info & ACB_NORMAL)
- has_enough_rights = user_has_privileges(p->server_info->ptok,
- &se_add_users);
- else if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) {
- if (lp_enable_privileges()) {
- has_enough_rights = nt_token_check_domain_rid(p->server_info->ptok,
- DOMAIN_GROUP_RID_ADMINS);
- }
- }
+ /* ================ BEGIN Privilege BLOCK ================ */
- DEBUG(5, ("_samr_SetUserInfo: %s does%s possess sufficient rights\n",
- uidtoname(p->server_info->utok.uid),
- has_enough_rights ? "" : " not"));
-
- /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
-
- if (has_enough_rights) {
- become_root();
- }
+ become_root();
/* ok! user info levels (lots: see MSDEV help), off we go... */
TALLOC_FREE(pwd);
- if (has_enough_rights) {
- unbecome_root();
- }
+ unbecome_root();
- /* ================ END SeMachineAccountPrivilege BLOCK ================ */
+ /* ================ END Privilege BLOCK ================ */
if (NT_STATUS_IS_OK(status)) {
force_flush_samr_cache(&uinfo->sid);
struct samr_AddAliasMember *r)
{
struct samr_alias_info *ainfo;
- SE_PRIV se_rights;
- bool can_add_accounts;
NTSTATUS status;
ainfo = policy_handle_find(p, r->in.alias_handle,
DEBUG(10, ("sid is %s\n", sid_string_dbg(&ainfo->sid)));
- se_priv_copy( &se_rights, &se_add_users );
- can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
-
/******** BEGIN SeAddUsers BLOCK *********/
- if ( can_add_accounts )
- become_root();
-
+ become_root();
status = pdb_add_aliasmem(&ainfo->sid, r->in.sid);
-
- if ( can_add_accounts )
- unbecome_root();
+ unbecome_root();
/******** END SeAddUsers BLOCK *********/
struct samr_DeleteAliasMember *r)
{
struct samr_alias_info *ainfo;
- SE_PRIV se_rights;
- bool can_add_accounts;
NTSTATUS status;
ainfo = policy_handle_find(p, r->in.alias_handle,
DEBUG(10, ("_samr_del_aliasmem:sid is %s\n",
sid_string_dbg(&ainfo->sid)));
- se_priv_copy( &se_rights, &se_add_users );
- can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
-
/******** BEGIN SeAddUsers BLOCK *********/
- if ( can_add_accounts )
- become_root();
-
+ become_root();
status = pdb_del_aliasmem(&ainfo->sid, r->in.sid);
-
- if ( can_add_accounts )
- unbecome_root();
+ unbecome_root();
/******** END SeAddUsers BLOCK *********/
struct samr_group_info *ginfo;
NTSTATUS status;
uint32 group_rid;
- SE_PRIV se_rights;
- bool can_add_accounts;
ginfo = policy_handle_find(p, r->in.group_handle,
SAMR_GROUP_ACCESS_ADD_MEMBER, NULL,
return NT_STATUS_INVALID_HANDLE;
}
- se_priv_copy( &se_rights, &se_add_users );
- can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
-
/******** BEGIN SeAddUsers BLOCK *********/
- if ( can_add_accounts )
- become_root();
-
+ become_root();
status = pdb_add_groupmem(p->mem_ctx, group_rid, r->in.rid);
-
- if ( can_add_accounts )
- unbecome_root();
+ unbecome_root();
/******** END SeAddUsers BLOCK *********/
struct samr_group_info *ginfo;
NTSTATUS status;
uint32 group_rid;
- SE_PRIV se_rights;
- bool can_add_accounts;
/*
* delete the group member named r->in.rid
return NT_STATUS_INVALID_HANDLE;
}
- se_priv_copy( &se_rights, &se_add_users );
- can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
-
/******** BEGIN SeAddUsers BLOCK *********/
- if ( can_add_accounts )
- become_root();
-
+ become_root();
status = pdb_del_groupmem(p->mem_ctx, group_rid, r->in.rid);
-
- if ( can_add_accounts )
- unbecome_root();
+ unbecome_root();
/******** END SeAddUsers BLOCK *********/
struct samr_user_info *uinfo;
NTSTATUS status;
struct samu *sam_pass=NULL;
- bool can_add_accounts;
- uint32 acb_info;
+ bool can_del_accounts = false;
+ uint32 acb_info = 0;
bool ret;
DEBUG(5, ("_samr_DeleteUser: %d\n", __LINE__));
ret = pdb_getsampwsid(sam_pass, &uinfo->sid);
unbecome_root();
- if( !ret ) {
- DEBUG(5,("_samr_DeleteUser: User %s doesn't exist.\n",
- sid_string_dbg(&uinfo->sid)));
- TALLOC_FREE(sam_pass);
- return NT_STATUS_NO_SUCH_USER;
+ if (ret) {
+ acb_info = pdb_get_acct_ctrl(sam_pass);
}
- acb_info = pdb_get_acct_ctrl(sam_pass);
-
/* For machine accounts it's the SeMachineAccountPrivilege that counts. */
- if ( acb_info & ACB_WSTRUST ) {
- can_add_accounts = user_has_privileges( p->server_info->ptok, &se_machine_account );
+ if (geteuid() == sec_initial_uid()) {
+ can_del_accounts = true;
+ } else if (acb_info & ACB_WSTRUST) {
+ can_del_accounts = user_has_privileges( p->server_info->ptok, &se_machine_account );
} else {
- can_add_accounts = user_has_privileges( p->server_info->ptok, &se_add_users );
+ can_del_accounts = user_has_privileges( p->server_info->ptok, &se_add_users );
}
- /******** BEGIN SeAddUsers BLOCK *********/
+ if (!can_del_accounts) {
+ TALLOC_FREE(sam_pass);
+ return NT_STATUS_ACCESS_DENIED;
+ }
- if ( can_add_accounts )
- become_root();
+ if(!ret) {
+ DEBUG(5,("_samr_DeleteUser: User %s doesn't exist.\n",
+ sid_string_dbg(&uinfo->sid)));
+ TALLOC_FREE(sam_pass);
+ return NT_STATUS_NO_SUCH_USER;
+ }
- status = pdb_delete_user(p->mem_ctx, sam_pass);
+ /******** BEGIN SeAddUsers BLOCK *********/
- if ( can_add_accounts )
- unbecome_root();
+ become_root();
+ status = pdb_delete_user(p->mem_ctx, sam_pass);
+ unbecome_root();
/******** END SeAddUsers BLOCK *********/
struct samr_group_info *ginfo;
NTSTATUS status;
uint32 group_rid;
- SE_PRIV se_rights;
- bool can_add_accounts;
DEBUG(5, ("samr_DeleteDomainGroup: %d\n", __LINE__));
return NT_STATUS_NO_SUCH_GROUP;
}
- se_priv_copy( &se_rights, &se_add_users );
- can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
-
/******** BEGIN SeAddUsers BLOCK *********/
- if ( can_add_accounts )
- become_root();
-
+ become_root();
status = pdb_delete_dom_group(p->mem_ctx, group_rid);
-
- if ( can_add_accounts )
- unbecome_root();
+ unbecome_root();
/******** END SeAddUsers BLOCK *********/
struct samr_DeleteDomAlias *r)
{
struct samr_alias_info *ainfo;
- SE_PRIV se_rights;
- bool can_add_accounts;
NTSTATUS status;
DEBUG(5, ("_samr_DeleteDomAlias: %d\n", __LINE__));
DEBUG(10, ("lookup on Local SID\n"));
- se_priv_copy( &se_rights, &se_add_users );
- can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
-
/******** BEGIN SeAddUsers BLOCK *********/
- if ( can_add_accounts )
- become_root();
-
+ become_root();
/* Have passdb delete the alias */
status = pdb_delete_alias(&ainfo->sid);
-
- if ( can_add_accounts )
- unbecome_root();
+ unbecome_root();
/******** END SeAddUsers BLOCK *********/
const char *name;
struct samr_domain_info *dinfo;
struct samr_group_info *ginfo;
- SE_PRIV se_rights;
- bool can_add_accounts;
dinfo = policy_handle_find(p, r->in.domain_handle,
SAMR_DOMAIN_ACCESS_CREATE_GROUP, NULL,
return status;
}
- se_priv_copy( &se_rights, &se_add_users );
- can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
-
/******** BEGIN SeAddUsers BLOCK *********/
- if ( can_add_accounts )
- become_root();
-
+ become_root();
/* check that we successfully create the UNIX group */
-
status = pdb_create_dom_group(p->mem_ctx, name, r->out.rid);
-
- if ( can_add_accounts )
- unbecome_root();
+ unbecome_root();
/******** END SeAddUsers BLOCK *********/
struct samr_alias_info *ainfo;
gid_t gid;
NTSTATUS result;
- SE_PRIV se_rights;
- bool can_add_accounts;
dinfo = policy_handle_find(p, r->in.domain_handle,
SAMR_DOMAIN_ACCESS_CREATE_ALIAS, NULL,
name = r->in.alias_name->string;
- se_priv_copy( &se_rights, &se_add_users );
- can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
-
result = can_create(p->mem_ctx, name);
if (!NT_STATUS_IS_OK(result)) {
return result;
/******** BEGIN SeAddUsers BLOCK *********/
- if ( can_add_accounts )
- become_root();
-
+ become_root();
/* Have passdb create the alias */
result = pdb_create_alias(name, r->out.rid);
-
- if ( can_add_accounts )
- unbecome_root();
+ unbecome_root();
/******** END SeAddUsers BLOCK *********/
GROUP_MAP map;
NTSTATUS status;
bool ret;
- bool can_mod_accounts;
ginfo = policy_handle_find(p, r->in.group_handle,
SAMR_GROUP_ACCESS_SET_INFO, NULL,
return NT_STATUS_INVALID_INFO_CLASS;
}
- can_mod_accounts = user_has_privileges( p->server_info->ptok, &se_add_users );
-
/******** BEGIN SeAddUsers BLOCK *********/
- if ( can_mod_accounts )
- become_root();
-
+ become_root();
status = pdb_update_group_mapping_entry(&map);
-
- if ( can_mod_accounts )
- unbecome_root();
+ unbecome_root();
/******** End SeAddUsers BLOCK *********/
{
struct samr_alias_info *ainfo;
struct acct_info info;
- bool can_mod_accounts;
NTSTATUS status;
ainfo = policy_handle_find(p, r->in.alias_handle,
return NT_STATUS_INVALID_INFO_CLASS;
}
- can_mod_accounts = user_has_privileges( p->server_info->ptok, &se_add_users );
-
/******** BEGIN SeAddUsers BLOCK *********/
- if ( can_mod_accounts )
- become_root();
-
+ become_root();
status = pdb_set_aliasinfo( &ainfo->sid, &info );
-
- if ( can_mod_accounts )
- unbecome_root();
+ unbecome_root();
/******** End SeAddUsers BLOCK *********/
se_priv_copy( &se_rights, &se_add_users );
status = access_check_samr_object(psd, p->server_info->ptok,
- &se_rights, GENERIC_RIGHTS_GROUP_WRITE, des_access,
- &acc_granted, "_samr_OpenGroup");
+ &se_rights, SAMR_GROUP_ACCESS_ADD_MEMBER,
+ des_access, &acc_granted, "_samr_OpenGroup");
if ( !NT_STATUS_IS_OK(status) )
return status;
git.samba.org / ira / wip.git / blobdiff