Change access_check_samr_object -> access_check_object.
authorJeremy Allison <jra@samba.org>
Mon, 18 May 2009 22:44:03 +0000 (15:44 -0700)
committerJeremy Allison <jra@samba.org>
Mon, 18 May 2009 22:44:03 +0000 (15:44 -0700)
Make map_max_allowed_access global. Change lsa_get_generic_sd
to add Everyone:LSA_POLICY_READ|LSA_POLICY_EXECUTE, not just
LSA_POLICY_EXECUTE.
Jeremy.

source3/include/proto.h
source3/rpc_server/srv_lsa_nt.c
source3/rpc_server/srv_samr_nt.c

index 5b5f9098e025e93b85e271408a5f5cbdbff26bc6..68c312568ba7ac547a9de2af3256015277bbdaad 100644 (file)
@@ -7174,4 +7174,11 @@ struct tevent_req *fncall_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
                               void *private_data);
 int fncall_recv(struct tevent_req *req, int *perr);
 
+/* The following definitions come from rpc_server/srv_samr_nt.c */
+NTSTATUS access_check_object( SEC_DESC *psd, NT_USER_TOKEN *token,
+                               SE_PRIV *rights, uint32 rights_mask,
+                               uint32 des_access, uint32 *acc_granted,
+                               const char *debug);
+void map_max_allowed_access(const NT_USER_TOKEN *token,
+                               uint32_t *pacc_requested);
 #endif /*  _PROTO_H_  */
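Review bot: The two prototypes added before `#endif` export an authorization helper to every RPC server without stating its contract. A short comment above `access_check_object` should say that `rights`/`rights_mask` may be `NULL`/`0` (as the LSA and `_samr_Connect2` call sites pass them), that `*acc_granted` is an output, and that `debug` is apparently the caller's name for log messages. Something like `/* Check des_access against psd for token; rights/rights_mask may be NULL/0; result in *acc_granted. */` would do. The function body is outside the visible hunks, so the wording should be checked against it.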
index 27519a5c94f1172a7937f6531fc9f0e956695bdc..007467a42d91734acfb8c4daa445d81713829824 100644 (file)
@@ -286,7 +286,8 @@ static NTSTATUS lsa_get_generic_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *s
 
        SEC_ACL *psa = NULL;
 
-       init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, LSA_POLICY_EXECUTE, 0);
+       init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
+                       LSA_POLICY_READ|LSA_POLICY_EXECUTE, 0);
 
        sid_copy(&adm_sid, get_global_sam_sid());
        sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
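Review bot: The ACE for `global_sid_World` in `init_sec_ace(&ace[0], ...)` now allows `LSA_POLICY_READ` as well as `LSA_POLICY_EXECUTE`, and nothing next to the call records why every token carrying the Everyone SID should get read access to the policy object. This descriptor is what `_lsa_OpenPolicy2` checks against, so the reason for widening it belongs in the code and not only in the commit message. I would add a comment such as `/* Everyone: READ|EXECUTE on the policy object; anything more must come from the other ACEs. */` and confirm that each right folded into `LSA_POLICY_READ` is meant to be world-readable. The rest of `lsa_get_generic_sd` is outside the hunk.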
@@ -365,6 +366,8 @@ NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
        uint32 acc_granted;
        NTSTATUS status;
 
+       /* Work out max allowed. */
+       map_max_allowed_access(p->server_info->ptok, &des_access);
 
        /* map the generic bits to the lsa policy ones */
        se_map_generic(&des_access, &lsa_generic_mapping);
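Review bot: The comment `/* Work out max allowed. */` on the new call does not say that `map_max_allowed_access` rewrites `des_access` in place, or that it presumably has to run before `se_map_generic` on the following lines. The helper's header in srv_samr_nt.c describes it as mapping a `MAXIMUM_ALLOWED_ACCESS` request to a valid access set, and it tests for that bit first. Which set it chooses is outside the visible hunks, so it is worth confirming the result suits an LSA policy object once it has gone through `lsa_generic_mapping`. Suggested wording: `/* Expand MAXIMUM_ALLOWED_ACCESS in des_access (in place) before the generic bits are mapped below. */`.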
@@ -372,22 +375,14 @@ NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
        /* get the generic lsa policy SD until we store it */
        lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
 
-       status = se_access_check(psd, p->server_info->ptok, des_access,
-                                &acc_granted);
+       status = access_check_object(psd, p->server_info->ptok,
+               NULL, 0, des_access,
+               &acc_granted, "_lsa_OpenPolicy2" );
+
        if (!NT_STATUS_IS_OK(status)) {
-               if (p->server_info->utok.uid != sec_initial_uid()) {
-                       return status;
-               }
-               DEBUG(4,("ACCESS should be DENIED (granted: %#010x;  required: %#010x)\n",
-                        acc_granted, des_access));
-               DEBUGADD(4,("but overwritten by euid == 0\n"));
+               return status;
        }
 
-       /* This is needed for lsa_open_account and rpcclient .... :-) */
-
-       if (p->server_info->utok.uid == sec_initial_uid())
-               acc_granted = LSA_POLICY_ALL_ACCESS;
-
        /* associate the domain SID with the (unique) handle. */
        info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
        if (info == NULL) {
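Review bot: Removing the `p->server_info->utok.uid == sec_initial_uid()` branches means root no longer gets `acc_granted = LSA_POLICY_ALL_ACCESS` here, although the deleted comment said that was needed for lsa_open_account and rpcclient. Any remaining root handling now lives in `access_check_object`, whose body is outside these hunks. If it grants only the requested bits, or keys on a different uid than `utok.uid`, handles opened by root will carry a narrower `acc_granted` than before and later per-handle checks will see that. A comment after the call, for example `/* root is handled inside access_check_object(); no LSA-specific override. */`, would show the change is deliberate. Separately, the return value of `lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);` is still ignored before `psd` is passed on; `status = lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size); if (!NT_STATUS_IS_OK(status)) return status;` would close that.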
@@ -1565,7 +1560,6 @@ NTSTATUS _lsa_CreateAccount(pipes_struct *p,
        return privilege_create_account( &info->sid );
 }
 
-
 /***************************************************************************
  _lsa_OpenAccount
  ***************************************************************************/
index 09b97b2b39dc5516e6520fbfc21b5478877dcbe3..d528c802e56a33753e036458b8c157cca87d7859 100644 (file)
@@ -173,7 +173,7 @@ static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd
  level of access for further checks.
 ********************************************************************/
 
-static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
+NTSTATUS access_check_object( SEC_DESC *psd, NT_USER_TOKEN *token,
                                           SE_PRIV *rights, uint32 rights_mask,
                                           uint32 des_access, uint32 *acc_granted,
                                          const char *debug )
@@ -191,7 +191,7 @@ static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
                saved_mask = (des_access & rights_mask);
                des_access &= ~saved_mask;
 
-               DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n",
+               DEBUG(4,("access_check_object: user rights access mask [0x%x]\n",
                        rights_mask));
        }
 
@@ -235,7 +235,7 @@ done:
  Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
 ********************************************************************/
 
-static void map_max_allowed_access(const NT_USER_TOKEN *token,
+void map_max_allowed_access(const NT_USER_TOKEN *token,
                                        uint32_t *pacc_requested)
 {
        if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
@@ -573,7 +573,7 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p,
                                SAMR_DOMAIN_ACCESS_CREATE_ALIAS);
        }
 
-       status = access_check_samr_object( psd, p->server_info->ptok,
+       status = access_check_object( psd, p->server_info->ptok,
                &se_rights, extra_access, des_access,
                &acc_granted, "_samr_OpenDomain" );
 
@@ -2320,7 +2320,7 @@ NTSTATUS _samr_OpenUser(pipes_struct *p,
 
        TALLOC_FREE(sampass);
 
-       nt_status = access_check_samr_object(psd, p->server_info->ptok,
+       nt_status = access_check_object(psd, p->server_info->ptok,
                &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
                &acc_granted, "_samr_OpenUser");
 
@@ -3727,7 +3727,7 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p,
         * just assume we have all the rights we need ?
         */
 
-       nt_status = access_check_samr_object(psd, p->server_info->ptok,
+       nt_status = access_check_object(psd, p->server_info->ptok,
                &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
                &acc_granted, "_samr_CreateUser2");
 
@@ -3859,7 +3859,7 @@ NTSTATUS _samr_Connect2(pipes_struct *p,
        make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
        se_map_generic(&des_access, &sam_generic_mapping);
 
-       nt_status = access_check_samr_object(psd, p->server_info->ptok,
+       nt_status = access_check_object(psd, p->server_info->ptok,
                NULL, 0, des_access, &acc_granted, fn);
 
        if ( !NT_STATUS_IS_OK(nt_status) )
@@ -4074,7 +4074,7 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p,
 
        se_priv_copy( &se_rights, &se_add_users );
 
-       status = access_check_samr_object(psd, p->server_info->ptok,
+       status = access_check_object(psd, p->server_info->ptok,
                &se_rights, GENERIC_RIGHTS_ALIAS_ALL_ACCESS,
                des_access, &acc_granted, "_samr_OpenAlias");
 
@@ -6124,7 +6124,7 @@ NTSTATUS _samr_OpenGroup(pipes_struct *p,
 
        se_priv_copy( &se_rights, &se_add_users );
 
-       status = access_check_samr_object(psd, p->server_info->ptok,
+       status = access_check_object(psd, p->server_info->ptok,
                &se_rights, GENERIC_RIGHTS_GROUP_ALL_ACCESS,
                des_access, &acc_granted, "_samr_OpenGroup");