s4-lsasrv: make sure only admins can alter privileges
authorAndrew Tridgell <tridge@samba.org>
Fri, 16 Oct 2009 07:22:48 +0000 (18:22 +1100)
committerAndrew Tridgell <tridge@samba.org>
Sat, 17 Oct 2009 02:01:02 +0000 (13:01 +1100)
source4/rpc_server/lsa/dcesrv_lsa.c

index 0a5fc54d684e151514d68fa50dbcdc9c8d5576a9..0e6a55ec2f5df42d6c948179e58c1161a0ad0d5b 100644 (file)
@@ -1939,6 +1939,12 @@ static NTSTATUS dcesrv_lsa_AddRemoveAccountRights(struct dcesrv_call_state *dce_
        struct lsa_EnumAccountRights r2;
        char *dnstr;
 
        struct lsa_EnumAccountRights r2;
        char *dnstr;
 
+       if (security_session_user_level(dce_call->conn->auth_state.session_info) < 
+           SECURITY_ADMINISTRATOR) {
+               DEBUG(0,("lsa_AddRemoveAccount refused for supplied security token\n"));
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
        msg = ldb_msg_new(mem_ctx);
        if (msg == NULL) {
                return NT_STATUS_NO_MEMORY;
        msg = ldb_msg_new(mem_ctx);
        if (msg == NULL) {
                return NT_STATUS_NO_MEMORY;