more group lookup access fixes on the neverending bug 281
authorGerald Carter <jerry@samba.org>
Wed, 10 Dec 2003 16:40:17 +0000 (16:40 +0000)
committerGerald Carter <jerry@samba.org>
Wed, 10 Dec 2003 16:40:17 +0000 (16:40 +0000)
(This used to be commit 9359a6ea80d1228e87ea825a100a2d289c37162d)

source3/groupdb/mapping.c
source3/passdb/passdb.c
source3/rpc_server/srv_samr_nt.c
source3/rpc_server/srv_util.c

index b1c260581ee5ef7f7b943a2199ae532be78a5385..08ac6a25a53c524e068d1cd37f371c3b07096671 100644 (file)
@@ -504,7 +504,8 @@ static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap,
 BOOL get_domain_group_from_sid(DOM_SID sid, GROUP_MAP *map)
 {
        struct group *grp;
-
+       BOOL ret;
+       
        if(!init_group_mapping()) {
                DEBUG(0,("failed to initialize group mapping"));
                return(False);
@@ -513,7 +514,12 @@ BOOL get_domain_group_from_sid(DOM_SID sid, GROUP_MAP *map)
        DEBUG(10, ("get_domain_group_from_sid\n"));
 
        /* if the group is NOT in the database, it CAN NOT be a domain group */
-       if(!pdb_getgrsid(map, sid))
+       
+       become_root();
+       ret = pdb_getgrsid(map, sid);
+       unbecome_root();
+       
+       if ( !ret ) 
                return False;
 
        DEBUG(10, ("get_domain_group_from_sid: SID found in the TDB\n"));
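Review bot: The new `become_root()` / `unbecome_root()` bracket around `pdb_getgrsid(map, sid)` has no comment saying why this lookup must run as root. The same uncommented bracket is added in get_local_group_from_sid, get_builtin_group_from_sid and _samr_query_aliasinfo. The lookup now runs with root privilege regardless of the connected user, so a reader needs to know that authorisation is expected to happen in the caller. I would add a line above the bracket such as `/* group mapping lookup needs root (bug 281); access checks are the caller's job */`. The reason is inferred from the commit title only, so the wording should be corrected if the backend restriction is different. The function body continues outside the hunk.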
@@ -547,14 +553,19 @@ BOOL get_domain_group_from_sid(DOM_SID sid, GROUP_MAP *map)
 
 BOOL get_local_group_from_sid(DOM_SID sid, GROUP_MAP *map)
 {
+       BOOL ret;
+       
        if(!init_group_mapping()) {
                DEBUG(0,("failed to initialize group mapping"));
                return(False);
        }
 
        /* The group is in the mapping table */
+       become_root();
+       ret = pdb_getgrsid(map, sid);
+       unbecome_root();
        
-       if( !pdb_getgrsid(map, sid) ) 
+       if ( !ret )
                return False;
                
        if ( (map->sid_name_use != SID_NAME_ALIAS)
@@ -564,7 +575,7 @@ BOOL get_local_group_from_sid(DOM_SID sid, GROUP_MAP *map)
                return False;
        }               
                        
-#if 0  /* JERRY */
+#if 1  /* JERRY */
        /* local groups only exist in the group mapping DB so this 
           is not necessary */
           
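Review bot: Flipping `#if 0` to `#if 1` leaves the comment directly below it, which says the block "is not necessary", contradicting the code it now enables. Either drop the `#if`/`#endif` pair or replace that comment with one that says when the fallback applies, for example `/* no usable mapping entry: build one from the unix group for this RID */`. The function already returns False a few lines earlier when `pdb_getgrsid()` fails, so from the visible lines it is unclear how the "group isn't in the mapping table" path is reached; the guarding condition is outside the hunk and worth re-checking. As far as the next hunk shows, the enabled block derives a gid from the RID of the supplied SID via `pdb_group_rid_to_gid(alias_rid)`, so the comment should also say which SIDs are allowed to take that path.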
@@ -572,6 +583,7 @@ BOOL get_local_group_from_sid(DOM_SID sid, GROUP_MAP *map)
                /* the group isn't in the mapping table.
                 * make one based on the unix information */
                uint32 alias_rid;
+               struct group *grp;
 
                sid_peek_rid(&sid, &alias_rid);
                map->gid=pdb_group_rid_to_gid(alias_rid);
@@ -599,13 +611,19 @@ BOOL get_local_group_from_sid(DOM_SID sid, GROUP_MAP *map)
 BOOL get_builtin_group_from_sid(DOM_SID sid, GROUP_MAP *map)
 {
        struct group *grp;
+       BOOL ret;
+       
 
        if(!init_group_mapping()) {
                DEBUG(0,("failed to initialize group mapping"));
                return(False);
        }
 
-       if(!pdb_getgrsid(map, sid))
+       become_root();
+       ret = pdb_getgrsid(map, sid);
+       unbecome_root();
+       
+       if ( !ret )
                return False;
 
        if (map->sid_name_use!=SID_NAME_WKN_GRP) {
index 6246cdaee138ecc67efb3267df1a407a08427b72..cfa39685e39904fdb8efa8f9203b49a9057bac77 100644 (file)
@@ -707,6 +707,7 @@ BOOL local_lookup_sid(DOM_SID *sid, char *name, enum SID_NAME_USE *psid_name_use
        uint32 rid;
        SAM_ACCOUNT *sam_account = NULL;
        GROUP_MAP map;
+       BOOL ret;
 
        if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)){
                DEBUG(0,("local_lookup_sid: sid_peek_check_rid return False! SID: %s\n",
@@ -736,9 +737,10 @@ BOOL local_lookup_sid(DOM_SID *sid, char *name, enum SID_NAME_USE *psid_name_use
        
        /* see if the passdb can help us with the name of the user */
 
+       /* BEING ROOT BLLOCK */
        become_root();
        if (pdb_getsampwsid(sam_account, sid)) {
-               unbecome_root();
+               unbecome_root();                        /* -----> EXIT BECOME_ROOT() */
                fstrcpy(name, pdb_get_username(sam_account));
                *psid_name_use = SID_NAME_USER;
 
@@ -746,10 +748,13 @@ BOOL local_lookup_sid(DOM_SID *sid, char *name, enum SID_NAME_USE *psid_name_use
                        
                return True;
        }
-       unbecome_root();
        pdb_free_sam(&sam_account);
-               
-       if (pdb_getgrsid(&map, *sid)) {
+       
+       ret = pdb_getgrsid(&map, *sid);
+       unbecome_root();
+       /* END BECOME_ROOT BLOCK */
+       
+       if ( ret ) {
                if (map.gid!=(gid_t)-1) {
                        DEBUG(5,("local_lookup_sid: mapped group %s to gid %u\n", map.nt_name, (unsigned int)map.gid));
                } else {
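Review bot: `pdb_free_sam(&sam_account)` now runs inside the root section, although only `pdb_getgrsid()` needs the privilege on this path. Ordering the lines as `ret = pdb_getgrsid(&map, *sid);`, `unbecome_root();`, `pdb_free_sam(&sam_account);` keeps the privileged window to the one call. The section now has two exits, the early `unbecome_root()` on the user-found path in the previous hunk and the one here, so any future early return between the markers has to drop root as well. The opening marker in the previous hunk is misspelt (`/* BEING ROOT BLLOCK */`) and does not match `/* END BECOME_ROOT BLOCK */`; `/* BEGIN BECOME_ROOT BLOCK */` would make the pair searchable.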
@@ -1233,6 +1238,7 @@ BOOL local_sid_to_gid(gid_t *pgid, const DOM_SID *psid, enum SID_NAME_USE *name_
 {
        uint32 rid;
        GROUP_MAP group;
+       BOOL ret;
 
        *name_type = SID_NAME_UNKNOWN;
 
@@ -1241,8 +1247,12 @@ BOOL local_sid_to_gid(gid_t *pgid, const DOM_SID *psid, enum SID_NAME_USE *name_
 
        /* we don't need to disable winbindd since the gid is stored in 
           the GROUP_MAP object */
-
-       if ( !pdb_getgrsid(&group, *psid) ) {
+          
+       become_root();
+       pdb_getgrsid(&group, *psid);
+       unbecome_root();
+       
+       if ( !ret ) {
 
                /* fallback to rid mapping if enabled */
 
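Review bot: `ret` is never assigned in local_sid_to_gid. The added call `pdb_getgrsid(&group, *psid);` discards its result, so `if ( !ret )` tests an uninitialised BOOL and the choice between the group-map result and the rid-mapping fallback is undefined. The line should read `ret = pdb_getgrsid(&group, *psid);`, as at the other call sites in this commit. If the lookup fails while `ret` happens to be non-zero, the code after the `if` (outside this hunk) presumably reads `group` without it having been filled in, and the gid handed back through `pgid` would then be stack garbage. Building with `-Wall -Wuninitialized` should flag this.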
index 7f57a9fc9d42d8c59dbe015470fe1bc49ee40d61..c84e288a4be2d32703368b1034042faa0393b772 100644 (file)
@@ -1246,6 +1246,7 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM
        DOM_SID   sid;
        GROUP_MAP map;
        uint32    acc_granted;
+       BOOL ret;
 
        r_u->status = NT_STATUS_OK;
 
@@ -1262,7 +1263,11 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM
            !sid_check_is_in_builtin(&sid))
                return NT_STATUS_OBJECT_TYPE_MISMATCH;
 
-       if (!pdb_getgrsid(&map, sid))
+       become_root();
+       ret = pdb_getgrsid(&map, sid);
+       unbecome_root();
+       
+       if ( !ret )
                return NT_STATUS_NO_SUCH_ALIAS;
 
        switch (q_u->switch_level) {
index c2395e6faecfeed4a78b171c28a9f69d90860679..504e6a83c008a566749c50c442db566bb9a883a3 100644 (file)
@@ -147,8 +147,6 @@ NTSTATUS get_alias_user_groups(TALLOC_CTX *ctx, DOM_SID *sid, int *numgroups, ui
                return NT_STATUS_UNSUCCESSFUL;
        }
 
-       become_root();
-       
        for (i=0;i<num_groups;i++) {
 
                if (!get_group_from_gid(groups[i], &map)) {
@@ -197,9 +195,8 @@ NTSTATUS get_alias_user_groups(TALLOC_CTX *ctx, DOM_SID *sid, int *numgroups, ui
                break;
        }
 
-       unbecome_root();
-       
-       if(num_groups) free(groups);
+       if(num_groups) 
+               free(groups);
 
        /* now check for the user's gid (the primary group rid) */
        for (i=0; i<cur_rid && grid!=rids[i]; i++)
@@ -213,15 +210,12 @@ NTSTATUS get_alias_user_groups(TALLOC_CTX *ctx, DOM_SID *sid, int *numgroups, ui
 
        DEBUG(10,("get_alias_user_groups: looking for gid %d of user %s\n", (int)gid, user_name));
 
-       become_root();
-
        if(!get_group_from_gid(gid, &map)) {
-               DEBUG(0,("get_alias_user_groups: gid of user %s doesn't exist. Check your /etc/passwd and /etc/group files\n", user_name));
+               DEBUG(0,("get_alias_user_groups: gid of user %s doesn't exist. Check your "
+               "/etc/passwd and /etc/group files\n", user_name));
                goto done;
        }       
 
-       unbecome_root();
-
        /* the primary group isn't an alias */
        if (map.sid_name_use!=SID_NAME_ALIAS) {
                DEBUG(10,("get_alias_user_groups: not returing %s, not an ALIAS group.\n", map.nt_name));
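Review bot: With the `become_root()` / `unbecome_root()` pairs removed from get_alias_user_groups, both `get_group_from_gid()` calls now run with the caller's privileges. None of the visible hunks adds a root bracket inside `get_group_from_gid()` itself. The by-SID lookups elsewhere in this commit were given root precisely because the unprivileged lookup was failing, so please confirm that the by-gid path either does not need root or acquires it internally. Otherwise this function will take the `goto done` branch and log the misleading "Check your /etc/passwd and /etc/group files" message. If the callee does handle it, a short comment at the first call, such as `/* get_group_from_gid() becomes root itself where needed */`, would record that.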