s3-lsa: add (not yet activate) level specific access checks for _lsa_QueryInfoPolicy.

author Günther Deschner <gd@samba.org>

Thu, 16 Jul 2009 14:32:04 +0000 (16:32 +0200)

committer Günther Deschner <gd@samba.org>

Fri, 17 Jul 2009 11:50:34 +0000 (13:50 +0200)
author Günther Deschner <gd@samba.org>
Thu, 16 Jul 2009 14:32:04 +0000 (16:32 +0200)
committer Günther Deschner <gd@samba.org>
Fri, 17 Jul 2009 11:50:34 +0000 (13:50 +0200)
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c

index c3eea6fe509c20a435c5a697b947bcdd7f87717e..bbad9b18d20a7fd65e20fc18ecc3407ee9224f5f 100644 (file)
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -505,6 +505,7 @@ NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p,
         const char *name;
         DOM_SID *sid = NULL;
         union lsa_PolicyInformation *info = NULL;
         const char *name;
         DOM_SID *sid = NULL;
         union lsa_PolicyInformation *info = NULL;
+       uint32_t acc_required = 0;
  
         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
                 return NT_STATUS_INVALID_HANDLE;
  
         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
                 return NT_STATUS_INVALID_HANDLE;
@@ -513,6 +514,47 @@ NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p,
                 return NT_STATUS_INVALID_HANDLE;
         }
  
                 return NT_STATUS_INVALID_HANDLE;
         }
  
+       switch (r->in.level) {
+       case LSA_POLICY_INFO_AUDIT_LOG:
+       case LSA_POLICY_INFO_AUDIT_EVENTS:
+               acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
+               break;
+       case LSA_POLICY_INFO_DOMAIN:
+               acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
+               break;
+       case LSA_POLICY_INFO_PD:
+               acc_required = LSA_POLICY_GET_PRIVATE_INFORMATION;
+               break;
+       case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
+               acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
+               break;
+       case LSA_POLICY_INFO_ROLE:
+       case LSA_POLICY_INFO_REPLICA:
+               acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
+               break;
+       case LSA_POLICY_INFO_QUOTA:
+               acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
+               break;
+       case LSA_POLICY_INFO_MOD:
+       case LSA_POLICY_INFO_AUDIT_FULL_SET:
+               /* according to MS-LSAD 3.1.4.4.3 */
+               return NT_STATUS_INVALID_PARAMETER;
+       case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
+               acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
+               break;
+       case LSA_POLICY_INFO_DNS:
+       case LSA_POLICY_INFO_DNS_INT:
+       case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN:
+               acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
+               break;
+       default:
+               break;
+       }
+
+       if (!(handle->access & acc_required)) {
+               /* return NT_STATUS_ACCESS_DENIED; */
+       }
+
         info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
         if (!info) {
                 return NT_STATUS_NO_MEMORY;
         info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
         if (!info) {
                 return NT_STATUS_NO_MEMORY;
author	Günther Deschner <gd@samba.org>
	Thu, 16 Jul 2009 14:32:04 +0000 (16:32 +0200)
committer	Günther Deschner <gd@samba.org>
	Fri, 17 Jul 2009 11:50:34 +0000 (13:50 +0200)