From 459dc8f39c085d16bb8b4a04db33e5844f104395 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 18 May 2009 15:44:03 -0700 Subject: [PATCH] Change access_check_samr_object -> access_check_object. Make map_max_allowed_access global. Change lsa_get_generic_sd to add Everyone:LSA_POLICY_READ|LSA_POLICY_EXECUTE, not just LSA_POLICY_EXECUTE. Jeremy. --- source3/include/proto.h | 7 +++++++ source3/rpc_server/srv_lsa_nt.c | 24 +++++++++--------------- source3/rpc_server/srv_samr_nt.c | 18 +++++++++--------- 3 files changed, 25 insertions(+), 24 deletions(-) diff --git a/source3/include/proto.h b/source3/include/proto.h index 5b5f9098e02..68c312568ba 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -7174,4 +7174,11 @@ struct tevent_req *fncall_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, void *private_data); int fncall_recv(struct tevent_req *req, int *perr); +/* The following definitions come from rpc_server/srv_samr_nt.c */ +NTSTATUS access_check_object( SEC_DESC *psd, NT_USER_TOKEN *token, + SE_PRIV *rights, uint32 rights_mask, + uint32 des_access, uint32 *acc_granted, + const char *debug); +void map_max_allowed_access(const NT_USER_TOKEN *token, + uint32_t *pacc_requested); #endif /* _PROTO_H_ */ diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c index 27519a5c94f..007467a42d9 100644 --- a/source3/rpc_server/srv_lsa_nt.c +++ b/source3/rpc_server/srv_lsa_nt.c @@ -286,7 +286,8 @@ static NTSTATUS lsa_get_generic_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *s SEC_ACL *psa = NULL; - init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, LSA_POLICY_EXECUTE, 0); + init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, + LSA_POLICY_READ|LSA_POLICY_EXECUTE, 0); sid_copy(&adm_sid, get_global_sam_sid()); sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS); 
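Review bot: The two prototypes added to proto.h export an authorization helper without stating its contract, and the same gap applies to the definitions made non-static in the `@@ -173` and `@@ -235` hunks of srv_samr_nt.c. Callers in this patch pass `NULL, 0` for `rights`/`rights_mask` (`_lsa_OpenPolicy2`, `_samr_Connect2`), so the declaration should say that is allowed, for example `/* rights may be NULL when rights_mask is 0 */`. The adjacent declarations also mix `uint32` with `uint32_t` and take `token` as non-const in one and `const` in the other; aligning them would make the shared API easier to audit. Since the LSA pipe now depends on these functions, consider moving them out of the SAMR server file rather than labelling them as coming from rpc_server/srv_samr_nt.c.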
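Review bot: The widened Everyone ACE at `ace[0]` in lsa_get_generic_sd has no comment explaining why every token carrying the World SID should now get `LSA_POLICY_READ` in addition to `LSA_POLICY_EXECUTE`. It appears to be needed so that a MAXIMUM_ALLOWED request mapped by `map_max_allowed_access` passes the stricter check in `_lsa_OpenPolicy2`, but the same bits are now also granted to callers that request them explicitly. `LSA_POLICY_READ` is a composite mask defined outside this diff, so please confirm that each bit in it is meant to be available to Everyone, and whether anonymous sessions carry the World SID on this pipe. Once confirmed, record it next to the call, e.g. `/* Everyone needs READ so MAXIMUM_ALLOWED opens succeed; see map_max_allowed_access() */`. lsa_get_generic_sd's body continues outside the hunk.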
@@ -365,6 +366,8 @@ NTSTATUS _lsa_OpenPolicy2(pipes_struct *p, uint32 acc_granted; NTSTATUS status; + /* Work out max allowed. */ + map_max_allowed_access(p->server_info->ptok, &des_access); /* map the generic bits to the lsa policy ones */ se_map_generic(&des_access, &lsa_generic_mapping); @@ -372,22 +375,14 @@ NTSTATUS _lsa_OpenPolicy2(pipes_struct *p, /* get the generic lsa policy SD until we store it */ lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size); - status = se_access_check(psd, p->server_info->ptok, des_access, - &acc_granted); + status = access_check_object(psd, p->server_info->ptok, + NULL, 0, des_access, + &acc_granted, "_lsa_OpenPolicy2" ); + if (!NT_STATUS_IS_OK(status)) { - if (p->server_info->utok.uid != sec_initial_uid()) { - return status; - } - DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n", - acc_granted, des_access)); - DEBUGADD(4,("but overwritten by euid == 0\n")); + return status; } - /* This is needed for lsa_open_account and rpcclient .... :-) */ - - if (p->server_info->utok.uid == sec_initial_uid()) - acc_granted = LSA_POLICY_ALL_ACCESS; - /* associate the domain SID with the (unique) handle. */ info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info); if (info == NULL) { @@ -1565,7 +1560,6 @@ NTSTATUS _lsa_CreateAccount(pipes_struct *p, return privilege_create_account( &info->sid ); } - /*************************************************************************** _lsa_OpenAccount ***************************************************************************/ diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 09b97b2b39d..d528c802e56 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
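Review bot: The new comment `/* Work out max allowed. */` does not say that `map_max_allowed_access` rewrites `des_access` in place, nor that it must run before `se_map_generic`. The `@@ -235` hunk shows the helper testing `MAXIMUM_ALLOWED_ACCESS` first, so a clearer comment would be `/* If MAXIMUM_ALLOWED_ACCESS was requested, replace it with a concrete mask for this token before the generic mapping below. */`. The rest of the helper is outside this diff, so the ordering requirement is an inference worth confirming and then writing down. _lsa_OpenPolicy2's body continues outside the hunk.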
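Review bot: The return value of `lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size)` is still ignored just above the new `access_check_object` call, so if building the descriptor fails, `psd` reaches the access check in whatever state it was left. With the uid-based fallback removed, that call is the only gate on the open, so I would check the status first: `status = lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);` followed by `if (!NT_STATUS_IS_OK(status)) { return status; }`. Separately, the removed block granted `LSA_POLICY_ALL_ACCESS` when `utok.uid == sec_initial_uid()`, with a comment saying lsa_open_account and rpcclient needed it. Whether root callers keep that now depends on access_check_object's body, which this diff does not show; please confirm and state the result in a comment here. If `_lsa_OpenPolicy` (not in this diff) keeps the old logic, the two open paths will grant differently.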
@@ -173,7 +173,7 @@ static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd level of access for further checks. ********************************************************************/ -static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token, +NTSTATUS access_check_object( SEC_DESC *psd, NT_USER_TOKEN *token, SE_PRIV *rights, uint32 rights_mask, uint32 des_access, uint32 *acc_granted, const char *debug ) @@ -191,7 +191,7 @@ static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token, saved_mask = (des_access & rights_mask); des_access &= ~saved_mask; - DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n", + DEBUG(4,("access_check_object: user rights access mask [0x%x]\n", rights_mask)); } @@ -235,7 +235,7 @@ done: Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set. ********************************************************************/ -static void map_max_allowed_access(const NT_USER_TOKEN *token, +void map_max_allowed_access(const NT_USER_TOKEN *token, uint32_t *pacc_requested) { if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) { @@ -573,7 +573,7 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p, SAMR_DOMAIN_ACCESS_CREATE_ALIAS); } - status = access_check_samr_object( psd, p->server_info->ptok, + status = access_check_object( psd, p->server_info->ptok, &se_rights, extra_access, des_access, &acc_granted, "_samr_OpenDomain" ); @@ -2320,7 +2320,7 @@ NTSTATUS _samr_OpenUser(pipes_struct *p, TALLOC_FREE(sampass); - nt_status = access_check_samr_object(psd, p->server_info->ptok, + nt_status = access_check_object(psd, p->server_info->ptok, &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access, &acc_granted, "_samr_OpenUser"); 
@@ -3727,7 +3727,7 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p, * just assume we have all the rights we need ? */ - nt_status = access_check_samr_object(psd, p->server_info->ptok, + nt_status = access_check_object(psd, p->server_info->ptok, &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access, &acc_granted, "_samr_CreateUser2"); @@ -3859,7 +3859,7 @@ NTSTATUS _samr_Connect2(pipes_struct *p, make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); se_map_generic(&des_access, &sam_generic_mapping); - nt_status = access_check_samr_object(psd, p->server_info->ptok, + nt_status = access_check_object(psd, p->server_info->ptok, NULL, 0, des_access, &acc_granted, fn); if ( !NT_STATUS_IS_OK(nt_status) ) @@ -4074,7 +4074,7 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p, se_priv_copy( &se_rights, &se_add_users ); - status = access_check_samr_object(psd, p->server_info->ptok, + status = access_check_object(psd, p->server_info->ptok, &se_rights, GENERIC_RIGHTS_ALIAS_ALL_ACCESS, des_access, &acc_granted, "_samr_OpenAlias"); @@ -6124,7 +6124,7 @@ NTSTATUS _samr_OpenGroup(pipes_struct *p, se_priv_copy( &se_rights, &se_add_users ); - status = access_check_samr_object(psd, p->server_info->ptok, + status = access_check_object(psd, p->server_info->ptok, &se_rights, GENERIC_RIGHTS_GROUP_ALL_ACCESS, des_access, &acc_granted, "_samr_OpenGroup"); -- 2.34.1