Fix bug #8873 - self granting privileges in security=ads.

author Jeremy Allison <jra@samba.org>

Tue, 17 Apr 2012 19:30:15 +0000 (12:30 -0700)

committer Stefan Metzmacher <metze@samba.org>

Mon, 30 Apr 2012 23:04:46 +0000 (01:04 +0200)
author Jeremy Allison <jra@samba.org>
Tue, 17 Apr 2012 19:30:15 +0000 (12:30 -0700)
committer Stefan Metzmacher <metze@samba.org>
Mon, 30 Apr 2012 23:04:46 +0000 (01:04 +0200)
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c

index 48bdfdb8addaf69b367ea028aa3525ab015614ed..f1605afc6deac476679c554e1c6a8d628b3aeaa5 100644 (file)
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
@@ -2725,6 +2725,10 @@ NTSTATUS _lsa_CreateAccount(struct pipes_struct *p,
         uint32_t acc_granted;
         struct security_descriptor *psd;
         size_t sd_size;
+       uint32_t owner_access = (LSA_ACCOUNT_ALL_ACCESS &
+                       ~(LSA_ACCOUNT_ADJUST_PRIVILEGES|
+                       LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
+                       SEC_STD_DELETE));
  
         /* find the connection policy handle. */
         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
@@ -2750,7 +2754,7 @@ NTSTATUS _lsa_CreateAccount(struct pipes_struct *p,
  
         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
                                     &lsa_account_mapping,
-                                   r->in.sid, LSA_POLICY_ALL_ACCESS);
+                                   r->in.sid, owner_access);
         if (!NT_STATUS_IS_OK(status)) {
                 return status;
         }
@@ -2791,6 +2795,10 @@ NTSTATUS _lsa_OpenAccount(struct pipes_struct *p,
         size_t sd_size;
         uint32_t des_access = r->in.access_mask;
         uint32_t acc_granted;
+       uint32_t owner_access = (LSA_ACCOUNT_ALL_ACCESS &
+                       ~(LSA_ACCOUNT_ADJUST_PRIVILEGES|
+                       LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
+                       SEC_STD_DELETE));
         NTSTATUS status;
  
         /* find the connection policy handle. */
@@ -2815,7 +2823,7 @@ NTSTATUS _lsa_OpenAccount(struct pipes_struct *p,
         /* get the generic lsa account SD until we store it */
         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
                                 &lsa_account_mapping,
-                               r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
+                               r->in.sid, owner_access);
         if (!NT_STATUS_IS_OK(status)) {
                 return status;
         }
@@ -3174,7 +3182,7 @@ NTSTATUS _lsa_AddAccountRights(struct pipes_struct *p,
          /* get the generic lsa account SD for this SID until we store it */
          status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
                                  &lsa_account_mapping,
-                                r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
+                               NULL, 0);
          if (!NT_STATUS_IS_OK(status)) {
                  return status;
          }
@@ -3245,7 +3253,7 @@ NTSTATUS _lsa_RemoveAccountRights(struct pipes_struct *p,
          /* get the generic lsa account SD for this SID until we store it */
          status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
                                  &lsa_account_mapping,
-                                r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
+                               NULL, 0);
          if (!NT_STATUS_IS_OK(status)) {
                  return status;
          }
author	Jeremy Allison <jra@samba.org>
	Tue, 17 Apr 2012 19:30:15 +0000 (12:30 -0700)
committer	Stefan Metzmacher <metze@samba.org>
	Mon, 30 Apr 2012 23:04:46 +0000 (01:04 +0200)