r22504: Fix bug Jerry found during his tutorial. Sorry :-(
author Jim McDonough <jmcd@samba.org>
Tue, 24 Apr 2007 15:56:02 +0000 (15:56 +0000)
committer Gerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 17:19:40 +0000 (12:19 -0500)
Allows authorized users (e.g. BUILTIN\Administrators members) to
set attributes on an account, particularly "user cannot change
password".

add become_root() around updating attributes, after checking that
access has been granted.
(This used to be commit b1ab360519a1f67f50446ca8599e5b7aa58e7db3)

source3/rpc_server/srv_samr_nt.c

index c743e68530fb5387ca08a9caa0b23afef791bb49..be73b33265c74447fafa6980fff71d0d472db3da 100644 (file)
@@ -724,7 +724,12 @@ NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_
                return NT_STATUS_ACCESS_DENIED;
        }
 
-       status = pdb_update_sam_account(sampass);
+       status = access_check_samr_function(acc_granted, SA_RIGHT_USER_SET_ATTRIBUTES, "_samr_set_sec_obj");
+       if NT_STATUS_IS_OK(status) {
+               become_root();
+               status = pdb_update_sam_account(sampass);
+               unbecome_root();
+       }
 
        TALLOC_FREE(sampass);
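
Review bot: The added line "if NT_STATUS_IS_OK(status) {" has no parentheses of its own around the condition, so it compiles only as long as the macro expands to a parenthesised expression; write it as "if (NT_STATUS_IS_OK(status)) {". The become_root()/unbecome_root() pair is scoped to the single pdb_update_sam_account() call and runs only after access_check_samr_function() succeeds, which is the right order. A short comment above the block would help, stating that the caller has already been authorised through acc_granted for SA_RIGHT_USER_SET_ATTRIBUTES and that root is taken only for the passdb write, so that a later edit does not widen the privileged section or move the check inside it.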