Fix self granting privileges in security=ads.

author Jeremy Allison <jra@samba.org>

Tue, 17 Apr 2012 19:30:15 +0000 (12:30 -0700)

committer Karolin Seeger <kseeger@samba.org>

Mon, 30 Apr 2012 18:41:32 +0000 (20:41 +0200)
author Jeremy Allison <jra@samba.org>
Tue, 17 Apr 2012 19:30:15 +0000 (12:30 -0700)
committer Karolin Seeger <kseeger@samba.org>
Mon, 30 Apr 2012 18:41:32 +0000 (20:41 +0200)
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c

index f8c77bab546792fe36902afbb43f2821b4b711b4..a7b55e71eb63c81288b4be725bf909011abfe770 100644 (file)
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
@@ -2448,6 +2448,10 @@ NTSTATUS _lsa_CreateAccount(struct pipes_struct *p,
         uint32_t acc_granted;
         struct security_descriptor *psd;
         size_t sd_size;
+       uint32_t owner_access = (LSA_ACCOUNT_ALL_ACCESS &
+                       ~(LSA_ACCOUNT_ADJUST_PRIVILEGES|
+                       LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
+                       SEC_STD_DELETE));
  
         /* find the connection policy handle. */
         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
@@ -2473,7 +2477,7 @@ NTSTATUS _lsa_CreateAccount(struct pipes_struct *p,
  
         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
                                     &lsa_account_mapping,
-                                   r->in.sid, LSA_POLICY_ALL_ACCESS);
+                                   r->in.sid, owner_access);
         if (!NT_STATUS_IS_OK(status)) {
                 return status;
         }
@@ -2514,6 +2518,10 @@ NTSTATUS _lsa_OpenAccount(struct pipes_struct *p,
         size_t sd_size;
         uint32_t des_access = r->in.access_mask;
         uint32_t acc_granted;
+       uint32_t owner_access = (LSA_ACCOUNT_ALL_ACCESS &
+                       ~(LSA_ACCOUNT_ADJUST_PRIVILEGES|
+                       LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
+                       SEC_STD_DELETE));
         NTSTATUS status;
  
         /* find the connection policy handle. */
@@ -2538,7 +2546,7 @@ NTSTATUS _lsa_OpenAccount(struct pipes_struct *p,
         /* get the generic lsa account SD until we store it */
         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
                                 &lsa_account_mapping,
-                               r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
+                               r->in.sid, owner_access);
         if (!NT_STATUS_IS_OK(status)) {
                 return status;
         }
@@ -2886,7 +2894,7 @@ NTSTATUS _lsa_AddAccountRights(struct pipes_struct *p,
          /* get the generic lsa account SD for this SID until we store it */
          status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
                                  &lsa_account_mapping,
-                                r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
+                               NULL, 0);
          if (!NT_STATUS_IS_OK(status)) {
                  return status;
          }
@@ -2957,7 +2965,7 @@ NTSTATUS _lsa_RemoveAccountRights(struct pipes_struct *p,
          /* get the generic lsa account SD for this SID until we store it */
          status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
                                  &lsa_account_mapping,
-                                r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
+                               NULL, 0);
          if (!NT_STATUS_IS_OK(status)) {
                  return status;
          }
author	Jeremy Allison <jra@samba.org>
	Tue, 17 Apr 2012 19:30:15 +0000 (12:30 -0700)
committer	Karolin Seeger <kseeger@samba.org>
	Mon, 30 Apr 2012 18:41:32 +0000 (20:41 +0200)