SEC_ACL *psa = NULL;
- init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, LSA_POLICY_EXECUTE, 0);
+ init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
+ LSA_POLICY_READ|LSA_POLICY_EXECUTE, 0);
sid_copy(&adm_sid, get_global_sam_sid());
sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
uint32 acc_granted;
NTSTATUS status;
+ /* Work out max allowed. */
+ map_max_allowed_access(p->server_info->ptok, &des_access);
/* map the generic bits to the lsa policy ones */
se_map_generic(&des_access, &lsa_generic_mapping);
/* get the generic lsa policy SD until we store it */
lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
- status = se_access_check(psd, p->server_info->ptok, des_access,
- &acc_granted);
+ status = access_check_object(psd, p->server_info->ptok,
+ NULL, 0, des_access,
+ &acc_granted, "_lsa_OpenPolicy2" );
+
if (!NT_STATUS_IS_OK(status)) {
- if (p->server_info->utok.uid != sec_initial_uid()) {
- return status;
- }
- DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
- acc_granted, des_access));
- DEBUGADD(4,("but overwritten by euid == 0\n"));
+ return status;
}
- /* This is needed for lsa_open_account and rpcclient .... :-) */
-
- if (p->server_info->utok.uid == sec_initial_uid())
- acc_granted = LSA_POLICY_ALL_ACCESS;
-
/* associate the domain SID with the (unique) handle. */
info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
if (info == NULL) {
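Review bot: Now that the euid==0 override is gone, `access_check_object` is the only gate on this handle, yet the descriptor it checks against comes from `lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);` whose return value is ignored, so a failure there would run the check against an unset `psd`. If that helper returns NTSTATUS as its neighbours do, I would make it `status = lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);` followed by `if (!NT_STATUS_IS_OK(status)) { return status; }` before the access check. Passing `NULL, 0` for the rights arguments is the right call here, since `access_check_object` strips `rights_mask` bits from `des_access` before the SD check when the token carries the privilege, and no such privilege bypass should apply to opening the policy handle. The enclosing function starts before this hunk, so the initial value of `des_access` fed to `map_max_allowed_access` is not visible here.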
return privilege_create_account( &info->sid );
}
-
/***************************************************************************
_lsa_OpenAccount
***************************************************************************/
level of access for further checks.
********************************************************************/
-static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
+NTSTATUS access_check_object( SEC_DESC *psd, NT_USER_TOKEN *token,
SE_PRIV *rights, uint32 rights_mask,
uint32 des_access, uint32 *acc_granted,
const char *debug )
saved_mask = (des_access & rights_mask);
des_access &= ~saved_mask;
- DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n",
+ DEBUG(4,("access_check_object: user rights access mask [0x%x]\n",
rights_mask));
}
Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
********************************************************************/
-static void map_max_allowed_access(const NT_USER_TOKEN *token,
+void map_max_allowed_access(const NT_USER_TOKEN *token,
uint32_t *pacc_requested)
{
if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
SAMR_DOMAIN_ACCESS_CREATE_ALIAS);
}
- status = access_check_samr_object( psd, p->server_info->ptok,
+ status = access_check_object( psd, p->server_info->ptok,
&se_rights, extra_access, des_access,
&acc_granted, "_samr_OpenDomain" );
TALLOC_FREE(sampass);
- nt_status = access_check_samr_object(psd, p->server_info->ptok,
+ nt_status = access_check_object(psd, p->server_info->ptok,
&se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
&acc_granted, "_samr_OpenUser");
* just assume we have all the rights we need ?
*/
- nt_status = access_check_samr_object(psd, p->server_info->ptok,
+ nt_status = access_check_object(psd, p->server_info->ptok,
&se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
&acc_granted, "_samr_CreateUser2");
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
se_map_generic(&des_access, &sam_generic_mapping);
- nt_status = access_check_samr_object(psd, p->server_info->ptok,
+ nt_status = access_check_object(psd, p->server_info->ptok,
NULL, 0, des_access, &acc_granted, fn);
if ( !NT_STATUS_IS_OK(nt_status) )
se_priv_copy( &se_rights, &se_add_users );
- status = access_check_samr_object(psd, p->server_info->ptok,
+ status = access_check_object(psd, p->server_info->ptok,
&se_rights, GENERIC_RIGHTS_ALIAS_ALL_ACCESS,
des_access, &acc_granted, "_samr_OpenAlias");
se_priv_copy( &se_rights, &se_add_users );
- status = access_check_samr_object(psd, p->server_info->ptok,
+ status = access_check_object(psd, p->server_info->ptok,
&se_rights, GENERIC_RIGHTS_GROUP_ALL_ACCESS,
des_access, &acc_granted, "_samr_OpenGroup");