From: Gerald Carter <jerry@samba.org> 
Date: Mon, 24 Nov 2003 17:31:38 +0000 (+0000)
Subject: more access fixes for group enumeration in LDAP; bug 281
X-Git-Tag: initial-v3-0-unstable~6904
X-Git-Url: http://git.samba.org/samba.git/?p=jra%2Fsamba%2F.git;a=commitdiff_plain;h=68283407e0f366d8315f4be6caed67eb6fe84b85

more access fixes for group enumeration in LDAP; bug 281
---

diff --git a/source/groupdb/mapping.c b/source/groupdb/mapping.c
index 7a07b5c3448..8f534d779ef 100644
--- a/source/groupdb/mapping.c
+++ b/source/groupdb/mapping.c
@@ -629,6 +629,7 @@ Returns a GROUP_MAP struct based on the gid.
 BOOL get_group_from_gid(gid_t gid, GROUP_MAP *map)
 {
 	struct group *grp;
+	BOOL ret;
 
 	if(!init_group_mapping()) {
 		DEBUG(0,("failed to initialize group mapping"));
@@ -641,7 +642,12 @@ BOOL get_group_from_gid(gid_t gid, GROUP_MAP *map)
 	/*
 	 * make a group map from scratch if doesn't exist.
 	 */
-	if (!pdb_getgrgid(map, gid)) {
+	
+	become_root();
+	ret = pdb_getgrgid(map, gid);
+	unbecome_root();
+	
+	if ( !ret ) {
 		map->gid=gid;
 		map->sid_name_use=SID_NAME_ALIAS;
 
diff --git a/source/passdb/passdb.c b/source/passdb/passdb.c
index 6e33bc7746f..6246cdaee13 100644
--- a/source/passdb/passdb.c
+++ b/source/passdb/passdb.c
@@ -416,6 +416,7 @@ NTSTATUS pdb_set_sam_sids(SAM_ACCOUNT *account_data, const struct passwd *pwd)
 {
 	const char *guest_account = lp_guestaccount();
 	GROUP_MAP map;
+	BOOL ret;
 	
 	if (!account_data || !pwd) {
 		return NT_STATUS_INVALID_PARAMETER;
@@ -445,7 +446,11 @@ NTSTATUS pdb_set_sam_sids(SAM_ACCOUNT *account_data, const struct passwd *pwd)
 	}
 	
 	/* call the mapping code here */
-	if(pdb_getgrgid(&map, pwd->pw_gid)) {
+	become_root();
+	ret = pdb_getgrgid(&map, pwd->pw_gid);
+	unbecome_root();
+	
+	if( ret ) {
 		if (!pdb_set_group_sid(account_data, &map.sid, PDB_SET)){
 			DEBUG(0,("Can't set Group SID!\n"));
 			return NT_STATUS_INVALID_PARAMETER;
@@ -850,6 +855,8 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi
 		return False;
 	}
 	
+	/* BEGIN ROOT BLOCK */
+	
 	become_root();
 	if (pdb_getsampwnam(sam_account, user)) {
 		unbecome_root();
@@ -859,7 +866,6 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi
 		pdb_free_sam(&sam_account);
 		return True;
 	}
-	unbecome_root();
 
 	pdb_free_sam(&sam_account);
 
@@ -875,8 +881,10 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi
 	} else {
 		/* it's not a mapped group */
 		grp = getgrnam(user);
-		if(!grp)
+		if(!grp) {
+			unbecome_root();		/* ---> exit form block */	
 			return False;
+		}
 		
 		/* 
 		 *check if it's mapped, if it is reply it doesn't exist
@@ -891,12 +899,15 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi
 		 */
 		
 		if (pdb_getgrgid(&map, grp->gr_gid)){
+			unbecome_root();		/* ---> exit form block */
 			return False;
 		}
 		
 		sid_append_rid( &local_sid, pdb_gid_to_group_rid(grp->gr_gid));
 		*psid_name_use = SID_NAME_ALIAS;
 	}
+	unbecome_root();
+	/* END ROOT BLOCK */
 
 	sid_copy( psid, &local_sid);
 
diff --git a/source/rpc_server/srv_lsa_nt.c b/source/rpc_server/srv_lsa_nt.c
index 0a8ad404cb3..e545d8c2673 100644
--- a/source/rpc_server/srv_lsa_nt.c
+++ b/source/rpc_server/srv_lsa_nt.c
@@ -845,6 +845,7 @@ NTSTATUS _lsa_enum_accounts(pipes_struct *p, LSA_Q_ENUM_ACCOUNTS *q_u, LSA_R_ENU
 	int num_entries=0;
 	LSA_SID_ENUM *sids=&r_u->sids;
 	int i=0,j=0;
+	BOOL ret;
 
 	if (!find_policy_by_hnd(p, &q_u->pol, (void **)&handle))
 		return NT_STATUS_INVALID_HANDLE;
@@ -858,8 +859,14 @@ NTSTATUS _lsa_enum_accounts(pipes_struct *p, LSA_Q_ENUM_ACCOUNTS *q_u, LSA_R_ENU
 		return NT_STATUS_ACCESS_DENIED;
 
 	/* get the list of mapped groups (domain, local, builtin) */
-	if(!pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED))
+	become_root();
+	ret = pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED);
+	unbecome_root();
+	if( !ret ) {
+		DEBUG(3,("_lsa_enum_accounts: enumeration of groups failed!\n"));
 		return NT_STATUS_OK;
+	}
+	
 
 	if (q_u->enum_context >= num_entries)
 		return NT_STATUS_NO_MORE_ENTRIES;
diff --git a/source/rpc_server/srv_samr_nt.c b/source/rpc_server/srv_samr_nt.c
index 6cd5da4892f..d3da830991f 100644
--- a/source/rpc_server/srv_samr_nt.c
+++ b/source/rpc_server/srv_samr_nt.c
@@ -292,6 +292,7 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid)
 	uint32 group_entries = 0;
 	uint32 i;
 	TALLOC_CTX *mem_ctx = info->mem_ctx;
+	BOOL ret;
 
 	DEBUG(10,("load_group_domain_entries\n"));
 
@@ -303,13 +304,14 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid)
 	
 
 	become_root();
-
-	if (!pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED)) {
+	ret = pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED); 
+	unbecome_root();
+	
+	if ( !ret ) {
 		DEBUG(1, ("load_group_domain_entries: pdb_enum_group_mapping() failed!\n"));
 		return NT_STATUS_NO_MEMORY;
 	}
 	
-	unbecome_root();
 
 	info->disp_info.num_group_account=group_entries;
 
diff --git a/source/rpc_server/srv_util.c b/source/rpc_server/srv_util.c
index 632d381503e..d5b87b7c10d 100644
--- a/source/rpc_server/srv_util.c
+++ b/source/rpc_server/srv_util.c
@@ -281,6 +281,7 @@ BOOL get_domain_user_groups(TALLOC_CTX *ctx, int *numgroups, DOM_GID **pgids, SA
 	fstring user_name;
 	uint32 grid;
 	uint32 tmp_rid;
+	BOOL ret;
 
 	*numgroups= 0;
 
@@ -290,15 +291,21 @@ BOOL get_domain_user_groups(TALLOC_CTX *ctx, int *numgroups, DOM_GID **pgids, SA
 	DEBUG(10,("get_domain_user_groups: searching domain groups [%s] is a member of\n", user_name));
 
 	/* we must wrap this is become/unbecome root for ldap backends */
+	
 	become_root();
-
 	/* first get the list of the domain groups */
-	if (!pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, &num_entries, ENUM_ONLY_MAPPED))
+	ret = pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, &num_entries, ENUM_ONLY_MAPPED);
+	
+	unbecome_root();
+
+	/* end wrapper for group enumeration */
+
+	
+	if ( !ret )
 		return False;
+		
 	DEBUG(10,("get_domain_user_groups: there are %d mapped groups\n", num_entries));
 
-	unbecome_root();
-	/* end wrapper for group enumeration */
 
 	/* 
 	 * alloc memory. In the worse case, we alloc memory for nothing.
diff --git a/source/smbd/lanman.c b/source/smbd/lanman.c
index 3ea6ab483be..c53889a7a47 100644
--- a/source/smbd/lanman.c
+++ b/source/smbd/lanman.c
@@ -1635,6 +1635,7 @@ static BOOL api_RNetGroupEnum(connection_struct *conn,uint16 vuid, char *param,c
 	char *str1 = param+2;
 	char *str2 = skip_string(str1,1);
 	char *p = skip_string(str2,1);
+	BOOL ret;
 
 	GROUP_MAP *group_list;
 	int num_entries;
@@ -1653,8 +1654,12 @@ static BOOL api_RNetGroupEnum(connection_struct *conn,uint16 vuid, char *param,c
 		return False;
 
 	/* get list of domain groups SID_DOMAIN_GRP=2 */
-	if(!pdb_enum_group_mapping(SID_NAME_DOM_GRP , &group_list, &num_entries, False)) {
-		DEBUG(3,("api_RNetGroupEnum:failed to get group list"));
+	become_root();
+	ret = pdb_enum_group_mapping(SID_NAME_DOM_GRP , &group_list, &num_entries, False);
+	unbecome_root();
+	
+	if( !ret ) {
+		DEBUG(3,("api_RNetGroupEnum:failed to get group list"));	
 		return False;
 	}