s3-rpc_server: allow to set minimal auth level for a DCE/RPC service
authorGünther Deschner <gd@samba.org>
Mon, 26 Sep 2016 17:20:24 +0000 (19:20 +0200)
committerAndreas Schneider <asn@cryptomilk.org>
Fri, 6 Jan 2017 11:28:18 +0000 (12:28 +0100)
Guenther

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
source3/rpc_server/rpc_pipes.h
source3/rpc_server/srv_pipe.c

index d44ee92bd5c0b137151530b98220a877eea4af4b..8a8f8e58169182006f492fef9c3f26ae45111dd5 100644 (file)
@@ -98,6 +98,11 @@ struct pipe_rpc_fns {
         * shall we allow "connect" auth level for this interface ?
         */
        bool allow_connect;
+
+       /*
+        * minimal required auth level
+        */
+       enum dcerpc_AuthLevel min_auth_level;
 };
 
 /*
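Review bot: The comment on `min_auth_level` does not say what an unset value means, and nothing in the two files of this commit assigns the field. With the check added in api_pipe_request (`p->auth.auth_level < pipe_fns->min_auth_level`), a zero value never rejects a request, so an interface whose entry is zero-initialised gets no minimum at all; whether entries are in fact zero-initialised is not visible here. I would spell that out, for example `/* minimal required auth level; 0 (unset) means no minimum, enforced per request in api_pipe_request() */`. The struct definition starts outside this hunk.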
index 0633b5fa78cecb9b4f4b7a73144fc9463790fb76..3af0daf410ec8a13722ec799186955122bc712d5 100644 (file)
@@ -1357,6 +1357,18 @@ static bool api_pipe_request(struct pipes_struct *p,
                                            pipe_fns->syntax.if_version);
        SMB_ASSERT(interface_name != NULL);
 
+       if (p->auth.auth_level < pipe_fns->min_auth_level) {
+
+               DEBUG(1, ("%s: auth level required for %s: 0x%x, got: 0x%0x\n",
+                         __func__, interface_name,
+                         pipe_fns->min_auth_level,
+                         p->auth.auth_level));
+
+               setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_ACCESS_DENIED));
+               TALLOC_FREE(frame);
+               return true;
+       }
+
        switch (p->auth.auth_level) {
        case DCERPC_AUTH_LEVEL_NONE:
        case DCERPC_AUTH_LEVEL_PACKET:
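Review bot: The new guard in api_pipe_request compares `p->auth.auth_level < pipe_fns->min_auth_level` by numeric value, so it is only correct while enum dcerpc_AuthLevel stays ordered from weakest to strongest; a one-line comment above the `if` should state that assumption. In the DEBUG call the second value is printed with `0x%0x`, where the `0` flag has no width and does nothing; `0x%x` for both, with the enum arguments cast to `(unsigned)`, would be consistent and keep format checking clean. This message is the only trace of a client calling the interface below the required level, so if a client identifier is reachable from `p` at this point it would be worth adding to the log line for detection purposes. The function body starts and ends outside the hunk.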