struct dcinfo *dc; /* Keeps the creds data from netlogon. */
- /*
- * Unix user name and credentials used when a pipe is authenticated.
- */
-
- struct current_user pipe_user;
-
/*
* Set to true when an RPC bind has been done on this pipe.
*/
bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
uint32 *p_ss_padding_len, NTSTATUS *pstatus);
bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len);
-struct current_user *get_current_user(struct current_user *user, pipes_struct *p);
void free_pipe_rpc_context( PIPE_RPC_FNS *list );
bool api_pipe_request(pipes_struct *p);
NTSTATUS status;
TALLOC_CTX *ctx = talloc_tos();
- if (p->pipe_user.ut.uid != sec_initial_uid()) {
+ if (p->server_info->utok.uid != sec_initial_uid()) {
DEBUG(10,("_dfs_add: uid != 0. Access denied.\n"));
return WERR_ACCESS_DENIED;
}
TALLOC_CTX *ctx = talloc_tos();
char *altpath = NULL;
- if (p->pipe_user.ut.uid != sec_initial_uid()) {
+ if (p->server_info->utok.uid != sec_initial_uid()) {
DEBUG(10,("_dfs_remove: uid != 0. Access denied.\n"));
return WERR_ACCESS_DENIED;
}
elog->logname = talloc_strdup( elog, ELOG_APPL );
/* do the access check */
- if ( !elog_check_access( elog, p->pipe_user.nt_user_token ) ) {
+ if ( !elog_check_access( elog, p->server_info->ptok ) ) {
TALLOC_FREE( elog );
return NT_STATUS_ACCESS_DENIED;
}
/* now do the access check. Close the tdb if we fail here */
- if ( !elog_check_access( elog, p->pipe_user.nt_user_token ) ) {
+ if ( !elog_check_access( elog, p->server_info->ptok ) ) {
elog_close_tdb( elog->etdb, False );
TALLOC_FREE( elog );
return NT_STATUS_ACCESS_DENIED;
/* get the generic lsa policy SD until we store it */
lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
- status = se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted);
+ status = se_access_check(psd, p->server_info->ptok, des_access,
+ &acc_granted);
if (!NT_STATUS_IS_OK(status)) {
- if (p->pipe_user.ut.uid != sec_initial_uid()) {
+ if (p->server_info->utok.uid != sec_initial_uid()) {
return status;
}
DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
/* This is needed for lsa_open_account and rpcclient .... :-) */
- if (p->pipe_user.ut.uid == sec_initial_uid())
+ if (p->server_info->utok.uid == sec_initial_uid())
acc_granted = LSA_POLICY_ALL_ACCESS;
/* associate the domain SID with the (unique) handle. */
/* get the generic lsa policy SD until we store it */
lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
- status = se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted);
+ status = se_access_check(psd, p->server_info->ptok, des_access,
+ &acc_granted);
if (!NT_STATUS_IS_OK(status)) {
- if (p->pipe_user.ut.uid != sec_initial_uid()) {
+ if (p->server_info->utok.uid != sec_initial_uid()) {
return status;
}
DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
/* check to see if the pipe_user is a Domain Admin since
account_pol.tdb was already opened as root, this is all we have */
- if ( p->pipe_user.ut.uid != sec_initial_uid()
- && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ if ( p->server_info->utok.uid != sec_initial_uid()
+ && !nt_token_check_domain_rid( p->server_info->ptok,
+ DOMAIN_GROUP_RID_ADMINS ) )
return NT_STATUS_ACCESS_DENIED;
if ( is_privileged_sid( r->in.sid ) )
/* check to see if the pipe_user is a Domain Admin since
account_pol.tdb was already opened as root, this is all we have */
- if ( p->pipe_user.ut.uid != sec_initial_uid()
- && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ if ( p->server_info->utok.uid != sec_initial_uid()
+ && !nt_token_check_domain_rid( p->server_info->ptok,
+ DOMAIN_GROUP_RID_ADMINS ) )
return NT_STATUS_ACCESS_DENIED;
if (!pdb_getgrsid(&map, info->sid))
/* check to see if the pipe_user is root or a Domain Admin since
account_pol.tdb was already opened as root, this is all we have */
- if ( p->pipe_user.ut.uid != sec_initial_uid()
- && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ if ( p->server_info->utok.uid != sec_initial_uid()
+ && !nt_token_check_domain_rid( p->server_info->ptok,
+ DOMAIN_GROUP_RID_ADMINS ) )
{
return NT_STATUS_ACCESS_DENIED;
}
/* check to see if the pipe_user is root or a Domain Admin since
account_pol.tdb was already opened as root, this is all we have */
- if ( p->pipe_user.ut.uid != sec_initial_uid()
- && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ if ( p->server_info->utok.uid != sec_initial_uid()
+ && !nt_token_check_domain_rid( p->server_info->ptok,
+ DOMAIN_GROUP_RID_ADMINS ) )
{
return NT_STATUS_ACCESS_DENIED;
}
/* check to see if the pipe_user is a Domain Admin since
account_pol.tdb was already opened as root, this is all we have */
- if ( p->pipe_user.ut.uid != sec_initial_uid()
- && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ if ( p->server_info->utok.uid != sec_initial_uid()
+ && !nt_token_check_domain_rid( p->server_info->ptok,
+ DOMAIN_GROUP_RID_ADMINS ) )
{
return NT_STATUS_ACCESS_DENIED;
}
/* check to see if the pipe_user is a Domain Admin since
account_pol.tdb was already opened as root, this is all we have */
- if ( p->pipe_user.ut.uid != sec_initial_uid()
- && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ if ( p->server_info->utok.uid != sec_initial_uid()
+ && !nt_token_check_domain_rid( p->server_info->ptok,
+ DOMAIN_GROUP_RID_ADMINS ) )
{
return NT_STATUS_ACCESS_DENIED;
}
return WERR_GENERAL_FAILURE;
ptr++;
- if ( !(values = svcctl_fetch_regvalues( ptr, p->pipe_user.nt_user_token )) )
+ if ( !(values = svcctl_fetch_regvalues(
+ ptr, p->server_info->ptok)))
return WERR_GENERAL_FAILURE;
if ( !(val = regval_ctr_getvalue( values, "DisplayName" )) ) {
ZERO_STRUCT(reply);
- /* Set up for non-authenticated user. */
- TALLOC_FREE(p->pipe_user.nt_user_token);
- p->pipe_user.ut.ngroups = 0;
- SAFE_FREE( p->pipe_user.ut.groups);
-
/* this has to be done as root in order to verify the password */
become_root();
status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
"workstation: %s\n", a->ntlmssp_state->user,
a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
- /*
- * Store the UNIX credential data (uid/gid pair) in the pipe structure.
- */
-
- p->pipe_user.ut.uid = a->server_info->utok.uid;
- p->pipe_user.ut.gid = a->server_info->utok.gid;
-
- p->pipe_user.ut.ngroups = a->server_info->utok.ngroups;
- if (p->pipe_user.ut.ngroups) {
- if (!(p->pipe_user.ut.groups = (gid_t *)memdup(
- a->server_info->utok.groups,
- sizeof(gid_t) * p->pipe_user.ut.ngroups))) {
- DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
- return False;
- }
- }
-
- if (a->server_info->ptok) {
- p->pipe_user.nt_user_token =
- dup_nt_token(NULL, a->server_info->ptok);
- } else {
+ if (a->server_info->ptok == NULL) {
DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
- p->pipe_user.nt_user_token = NULL;
return False;
}
case RPC_ANONYMOUS_AUTH_TYPE:
/* Unauthenticated bind request. */
- /* Get the authenticated pipe user from current_user */
- if (!copy_current_user(&p->pipe_user, ¤t_user)) {
- DEBUG(10, ("Could not copy current user\n"));
- goto err_exit;
- }
/* We're finished - no more packets. */
p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
/* We must set the pipe auth_level here also. */
return True;
}
-/****************************************************************************
- Return a user struct for a pipe user.
-****************************************************************************/
-
-struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
-{
- if (p->pipe_bound &&
- (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP ||
- (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
- memcpy(user, &p->pipe_user, sizeof(struct current_user));
- } else {
- memcpy(user, ¤t_user, sizeof(struct current_user));
- }
-
- return user;
-}
-
/****************************************************************************
Find the set of RPC functions associated with this context_id
****************************************************************************/
p->endian = RPC_LITTLE_ENDIAN;
- ZERO_STRUCT(p->pipe_user);
-
- p->pipe_user.vuid = vuid;
- p->pipe_user.ut.uid = (uid_t)-1;
- p->pipe_user.ut.gid = (gid_t)-1;
- p->pipe_user.nt_user_token = dup_nt_token(NULL, server_info->ptok);
-
/*
* Initialize the outgoing RPC data buffer with no memory.
*/
/* Free the handles database. */
close_policy_by_pipe(p);
- TALLOC_FREE(p->pipe_user.nt_user_token);
- SAFE_FREE(p->pipe_user.ut.groups);
-
DLIST_REMOVE(InternalPipes, p);
ZERO_STRUCTP(p);
return status;
/*check if access can be granted as requested by client. */
- map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
+ map_max_allowed_access(p->server_info->ptok, &des_access);
make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
se_map_generic( &des_access, &dom_generic_mapping );
se_priv_copy( &se_rights, &se_machine_account );
se_priv_add( &se_rights, &se_add_users );
- status = access_check_samr_object( psd, p->pipe_user.nt_user_token,
+ status = access_check_samr_object( psd, p->server_info->ptok,
&se_rights, GENERIC_RIGHTS_DOMAIN_WRITE, des_access,
&acc_granted, "_samr_OpenDomain" );
/* check if access can be granted as requested by client. */
- map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
+ map_max_allowed_access(p->server_info->ptok, &des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
se_map_generic(&des_access, &usr_generic_mapping);
se_priv_copy( &se_rights, &se_machine_account );
se_priv_add( &se_rights, &se_add_users );
- nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
+ nt_status = access_check_samr_object(psd, p->server_info->ptok,
&se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
&acc_granted, "_samr_OpenUser");
{
se_priv_copy( &se_rights, &se_machine_account );
can_add_account = user_has_privileges(
- p->pipe_user.nt_user_token, &se_rights );
+ p->server_info->ptok, &se_rights );
}
/* usrmgr.exe (and net rpc trustdom grant) creates a normal user
account for domain trusts and changes the ACB flags later */
{
se_priv_copy( &se_rights, &se_add_users );
can_add_account = user_has_privileges(
- p->pipe_user.nt_user_token, &se_rights );
+ p->server_info->ptok, &se_rights );
}
else /* implicit assumption of a BDC or domain trust account here
* (we already check the flags earlier) */
/* only Domain Admins can add a BDC or domain trust */
se_priv_copy( &se_rights, &se_priv_none );
can_add_account = nt_token_check_domain_rid(
- p->pipe_user.nt_user_token,
+ p->server_info->ptok,
DOMAIN_GROUP_RID_ADMINS );
}
}
DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n",
- uidtoname(p->pipe_user.ut.uid),
+ uidtoname(p->server_info->utok.uid),
can_add_account ? "True":"False" ));
/********** BEGIN Admin BLOCK **********/
sid_compose(&sid, get_global_sam_sid(), *r->out.rid);
- map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
+ map_max_allowed_access(p->server_info->ptok, &des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
&sid, SAMR_USR_RIGHTS_WRITE_PW);
se_map_generic(&des_access, &usr_generic_mapping);
- nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
+ nt_status = access_check_samr_object(psd, p->server_info->ptok,
&se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
&acc_granted, "_samr_CreateUser2");
was observed from a win98 client trying to enumerate users (when configured
user level access control on shares) --jerry */
- map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
+ map_max_allowed_access(p->server_info->ptok, &des_access);
se_map_generic( &des_access, &sam_generic_mapping );
info->acc_granted = des_access & (SAMR_ACCESS_ENUM_DOMAINS|SAMR_ACCESS_OPEN_DOMAIN);
return NT_STATUS_ACCESS_DENIED;
}
- map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
+ map_max_allowed_access(p->server_info->ptok, &des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
se_map_generic(&des_access, &sam_generic_mapping);
- nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
+ nt_status = access_check_samr_object(psd, p->server_info->ptok,
NULL, 0, des_access, &acc_granted, "_samr_Connect2");
if ( !NT_STATUS_IS_OK(nt_status) )
return NT_STATUS_ACCESS_DENIED;
}
- map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
+ map_max_allowed_access(p->server_info->ptok, &des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
se_map_generic(&des_access, &sam_generic_mapping);
- nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
+ nt_status = access_check_samr_object(psd, p->server_info->ptok,
NULL, 0, des_access, &acc_granted, "_samr_Connect4");
if ( !NT_STATUS_IS_OK(nt_status) )
return NT_STATUS_ACCESS_DENIED;
}
- map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
+ map_max_allowed_access(p->server_info->ptok, &des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
se_map_generic(&des_access, &sam_generic_mapping);
- nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
+ nt_status = access_check_samr_object(psd, p->server_info->ptok,
NULL, 0, des_access, &acc_granted, "_samr_Connect5");
if ( !NT_STATUS_IS_OK(nt_status) )
/*check if access can be granted as requested by client. */
- map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
+ map_max_allowed_access(p->server_info->ptok, &des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
se_map_generic(&des_access,&ali_generic_mapping);
se_priv_copy( &se_rights, &se_add_users );
- status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
+ status = access_check_samr_object(psd, p->server_info->ptok,
&se_rights, GENERIC_RIGHTS_ALIAS_WRITE, des_access,
&acc_granted, "_samr_OpenAlias");
acb_info = pdb_get_acct_ctrl(pwd);
if (acb_info & ACB_WSTRUST)
- has_enough_rights = user_has_privileges(p->pipe_user.nt_user_token,
+ has_enough_rights = user_has_privileges(p->server_info->ptok,
&se_machine_account);
else if (acb_info & ACB_NORMAL)
- has_enough_rights = user_has_privileges(p->pipe_user.nt_user_token,
+ has_enough_rights = user_has_privileges(p->server_info->ptok,
&se_add_users);
else if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) {
if (lp_enable_privileges()) {
- has_enough_rights = nt_token_check_domain_rid(p->pipe_user.nt_user_token,
+ has_enough_rights = nt_token_check_domain_rid(p->server_info->ptok,
DOMAIN_GROUP_RID_ADMINS);
}
}
DEBUG(5, ("_samr_SetUserInfo: %s does%s possess sufficient rights\n",
- uidtoname(p->pipe_user.ut.uid),
+ uidtoname(p->server_info->utok.uid),
has_enough_rights ? "" : " not"));
/* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
se_priv_copy( &se_rights, &se_add_users );
- can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
+ can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
/******** BEGIN SeAddUsers BLOCK *********/
sid_string_dbg(&alias_sid)));
se_priv_copy( &se_rights, &se_add_users );
- can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
+ can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
/******** BEGIN SeAddUsers BLOCK *********/
}
se_priv_copy( &se_rights, &se_add_users );
- can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
+ can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
/******** BEGIN SeAddUsers BLOCK *********/
}
se_priv_copy( &se_rights, &se_add_users );
- can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
+ can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
/******** BEGIN SeAddUsers BLOCK *********/
/* For machine accounts it's the SeMachineAccountPrivilege that counts. */
if ( acb_info & ACB_WSTRUST ) {
- can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account );
+ can_add_accounts = user_has_privileges( p->server_info->ptok, &se_machine_account );
} else {
- can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
+ can_add_accounts = user_has_privileges( p->server_info->ptok, &se_add_users );
}
/******** BEGIN SeAddUsers BLOCK *********/
}
se_priv_copy( &se_rights, &se_add_users );
- can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
+ can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
/******** BEGIN SeAddUsers BLOCK *********/
DEBUG(10, ("lookup on Local SID\n"));
se_priv_copy( &se_rights, &se_add_users );
- can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
+ can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
/******** BEGIN SeAddUsers BLOCK *********/
}
se_priv_copy( &se_rights, &se_add_users );
- can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
+ can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
/******** BEGIN SeAddUsers BLOCK *********/
name = r->in.alias_name->string;
se_priv_copy( &se_rights, &se_add_users );
- can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
+ can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
result = can_create(p->mem_ctx, name);
if (!NT_STATUS_IS_OK(result)) {
return NT_STATUS_INVALID_INFO_CLASS;
}
- can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
+ can_mod_accounts = user_has_privileges( p->server_info->ptok, &se_add_users );
/******** BEGIN SeAddUsers BLOCK *********/
return NT_STATUS_INVALID_INFO_CLASS;
}
- can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
+ can_mod_accounts = user_has_privileges( p->server_info->ptok, &se_add_users );
/******** BEGIN SeAddUsers BLOCK *********/
return status;
/*check if access can be granted as requested by client. */
- map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
+ map_max_allowed_access(p->server_info->ptok, &des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0);
se_map_generic(&des_access,&grp_generic_mapping);
se_priv_copy( &se_rights, &se_add_users );
- status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
+ status = access_check_samr_object(psd, p->server_info->ptok,
&se_rights, GENERIC_RIGHTS_GROUP_WRITE, des_access,
&acc_granted, "_samr_OpenGroup");
return WERR_BADFID;
}
- return delete_printer_hook(p->mem_ctx, p->pipe_user.nt_user_token, Printer->sharename );
+ return delete_printer_hook(p->mem_ctx, p->server_info->ptok,
+ Printer->sharename );
}
/****************************************************************************
/* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege,
and not a printer admin, then fail */
- if ((p->pipe_user.ut.uid != 0) &&
- !user_has_privileges(p->pipe_user.nt_user_token,
+ if ((p->server_info->utok.uid != 0) &&
+ !user_has_privileges(p->server_info->ptok,
&se_printop ) &&
!token_contains_name_in_list(
- uidtoname(p->pipe_user.ut.uid),
+ uidtoname(p->server_info->utok.uid),
NULL, NULL,
- p->pipe_user.nt_user_token,
+ p->server_info->ptok,
lp_printer_admin(snum))) {
close_printer_handle(p, handle);
return WERR_ACCESS_DENIED;
return WERR_ACCESS_DENIED;
}
- if (!user_ok_token(uidtoname(p->pipe_user.ut.uid), NULL,
- p->pipe_user.nt_user_token, snum) ||
+ if (!user_ok_token(uidtoname(p->server_info->utok.uid), NULL,
+ p->server_info->ptok, snum) ||
!print_access_check(p->server_info, snum,
printer_default->access_required)) {
DEBUG(3, ("access DENIED for printer open\n"));
/* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege,
and not a printer admin, then fail */
- if ( (p->pipe_user.ut.uid != 0)
- && !user_has_privileges(p->pipe_user.nt_user_token, &se_printop )
+ if ( (p->server_info->utok.uid != 0)
+ && !user_has_privileges(p->server_info->ptok, &se_printop )
&& !token_contains_name_in_list(
- uidtoname(p->pipe_user.ut.uid), NULL,
- NULL, p->pipe_user.nt_user_token,
+ uidtoname(p->server_info->utok.uid), NULL,
+ NULL, p->server_info->ptok,
lp_printer_admin(-1)) )
{
return WERR_ACCESS_DENIED;
/* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege,
and not a printer admin, then fail */
- if ( (p->pipe_user.ut.uid != 0)
- && !user_has_privileges(p->pipe_user.nt_user_token, &se_printop )
+ if ( (p->server_info->utok.uid != 0)
+ && !user_has_privileges(p->server_info->ptok, &se_printop )
&& !token_contains_name_in_list(
- uidtoname(p->pipe_user.ut.uid), NULL, NULL,
- p->pipe_user.nt_user_token, lp_printer_admin(-1)) )
+ uidtoname(p->server_info->utok.uid), NULL, NULL,
+ p->server_info->ptok, lp_printer_admin(-1)) )
{
return WERR_ACCESS_DENIED;
}
{
/* add_printer_hook() will call reload_services() */
- if ( !add_printer_hook(p->mem_ctx, p->pipe_user.nt_user_token, printer) ) {
+ if ( !add_printer_hook(p->mem_ctx, p->server_info->ptok,
+ printer) ) {
result = WERR_ACCESS_DENIED;
goto done;
}
trying to add a printer like this --jerry */
if (*lp_addprinter_cmd() ) {
- if ( !add_printer_hook(p->mem_ctx, p->pipe_user.nt_user_token, printer) ) {
+ if ( !add_printer_hook(p->mem_ctx, p->server_info->ptok,
+ printer) ) {
free_a_printer(&printer,2);
return WERR_ACCESS_DENIED;
}
switch ( Printer->printer_type ) {
case SPLHND_PORTMON_TCP:
- return process_xcvtcp_command( p->pipe_user.nt_user_token, command,
+ return process_xcvtcp_command( p->server_info->ptok, command,
&q_u->indata, &r_u->outdata, &r_u->needed );
case SPLHND_PORTMON_LOCAL:
- return process_xcvlocal_command( p->pipe_user.nt_user_token, command,
+ return process_xcvlocal_command( p->server_info->ptok, command,
&q_u->indata, &r_u->outdata, &r_u->needed );
}
remark = talloc_sub_advanced(
p->mem_ctx, lp_servicename(snum),
get_current_username(), lp_pathname(snum),
- p->pipe_user.ut.uid, get_current_username(),
+ p->server_info->utok.uid, get_current_username(),
"", remark);
}
remark = talloc_sub_advanced(
p->mem_ctx, lp_servicename(snum),
get_current_username(), lp_pathname(snum),
- p->pipe_user.ut.uid, get_current_username(),
+ p->server_info->utok.uid, get_current_username(),
"", remark);
}
path = talloc_asprintf(p->mem_ctx,
remark = talloc_sub_advanced(
p->mem_ctx, lp_servicename(snum),
get_current_username(), lp_pathname(snum),
- p->pipe_user.ut.uid, get_current_username(),
+ p->server_info->utok.uid, get_current_username(),
"", remark);
}
remark = talloc_sub_advanced(
p->mem_ctx, lp_servicename(snum),
get_current_username(), lp_pathname(snum),
- p->pipe_user.ut.uid, get_current_username(),
+ p->server_info->utok.uid, get_current_username(),
"", remark);
}
path = talloc_asprintf(ctx, "C:%s", lp_pathname(snum));
remark = talloc_sub_advanced(
p->mem_ctx, lp_servicename(snum),
get_current_username(), lp_pathname(snum),
- p->pipe_user.ut.uid, get_current_username(),
+ p->server_info->utok.uid, get_current_username(),
"", remark);
}
struct srvsvc_NetSessDel *r)
{
struct sessionid *session_list;
- struct current_user user;
int num_sessions, snum;
const char *username;
const char *machine;
werr = WERR_ACCESS_DENIED;
- get_current_user(&user, p);
-
/* fail out now if you are not root or not a domain admin */
- if ((user.ut.uid != sec_initial_uid()) &&
- ( ! nt_token_check_domain_rid(p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS))) {
+ if ((p->server_info->utok.uid != sec_initial_uid()) &&
+ ( ! nt_token_check_domain_rid(p->server_info->ptok,
+ DOMAIN_GROUP_RID_ADMINS))) {
goto done;
}
NTSTATUS ntstat;
- if (user.ut.uid != sec_initial_uid()) {
+ if (p->server_info->utok.uid != sec_initial_uid()) {
not_root = True;
become_root();
}
WERROR _srvsvc_NetShareSetInfo(pipes_struct *p,
struct srvsvc_NetShareSetInfo *r)
{
- struct current_user user;
char *command = NULL;
char *share_name = NULL;
char *comment = NULL;
if (lp_print_ok(snum))
return WERR_ACCESS_DENIED;
- get_current_user(&user,p);
-
- is_disk_op = user_has_privileges( p->pipe_user.nt_user_token, &se_diskop );
+ is_disk_op = user_has_privileges( p->server_info->ptok, &se_diskop );
/* fail out now if you are not root and not a disk op */
- if ( user.ut.uid != sec_initial_uid() && !is_disk_op )
+ if ( p->server_info->utok.uid != sec_initial_uid() && !is_disk_op )
return WERR_ACCESS_DENIED;
switch (r->in.level) {
WERROR _srvsvc_NetShareAdd(pipes_struct *p,
struct srvsvc_NetShareAdd *r)
{
- struct current_user user;
char *command = NULL;
char *share_name = NULL;
char *comment = NULL;
*r->out.parm_error = 0;
}
- get_current_user(&user,p);
-
- is_disk_op = user_has_privileges( p->pipe_user.nt_user_token, &se_diskop );
+ is_disk_op = user_has_privileges( p->server_info->ptok, &se_diskop );
- if (user.ut.uid != sec_initial_uid() && !is_disk_op )
+ if (p->server_info->utok.uid != sec_initial_uid() && !is_disk_op )
return WERR_ACCESS_DENIED;
if (!lp_add_share_cmd() || !*lp_add_share_cmd()) {
WERROR _srvsvc_NetShareDel(pipes_struct *p,
struct srvsvc_NetShareDel *r)
{
- struct current_user user;
char *command = NULL;
char *share_name = NULL;
int ret;
if (lp_print_ok(snum))
return WERR_ACCESS_DENIED;
- get_current_user(&user,p);
+ is_disk_op = user_has_privileges( p->server_info->ptok, &se_diskop );
- is_disk_op = user_has_privileges( p->pipe_user.nt_user_token, &se_diskop );
-
- if (user.ut.uid != sec_initial_uid() && !is_disk_op )
+ if (p->server_info->utok.uid != sec_initial_uid() && !is_disk_op )
return WERR_ACCESS_DENIED;
if (!lp_delete_share_cmd() || !*lp_delete_share_cmd()) {
WERROR _srvsvc_NetFileClose(pipes_struct *p, struct srvsvc_NetFileClose *r)
{
- struct current_user user;
SE_PRIV se_diskop = SE_DISK_OPERATOR;
bool is_disk_op;
DEBUG(5,("_srvsvc_NetFileClose: %d\n", __LINE__));
- get_current_user(&user,p);
-
- is_disk_op = user_has_privileges( p->pipe_user.nt_user_token, &se_diskop );
+ is_disk_op = user_has_privileges( p->server_info->ptok, &se_diskop );
- if (user.ut.uid != sec_initial_uid() && !is_disk_op) {
+ if (p->server_info->utok.uid != sec_initial_uid() && !is_disk_op) {
return WERR_ACCESS_DENIED;
}
return WERR_NOMEM;
se_map_generic( &r->in.access_mask, &scm_generic_map );
- status = svcctl_access_check( sec_desc, p->pipe_user.nt_user_token, r->in.access_mask, &access_granted );
+ status = svcctl_access_check( sec_desc, p->server_info->ptok,
+ r->in.access_mask, &access_granted );
if ( !NT_STATUS_IS_OK(status) )
return ntstatus_to_werror( status );
return WERR_NOMEM;
se_map_generic( &r->in.access_mask, &svc_generic_map );
- status = svcctl_access_check( sec_desc, p->pipe_user.nt_user_token, r->in.access_mask, &access_granted );
+ status = svcctl_access_check( sec_desc, p->server_info->ptok,
+ r->in.access_mask, &access_granted );
if ( !NT_STATUS_IS_OK(status) )
return ntstatus_to_werror( status );
service = r->in.service_name;
- display_name = svcctl_lookup_dispname(p->mem_ctx, service, p->pipe_user.nt_user_token );
+ display_name = svcctl_lookup_dispname(p->mem_ctx, service,
+ p->server_info->ptok);
if (!display_name) {
display_name = "";
}
size_t buffer_size = 0;
WERROR result = WERR_OK;
SERVICE_INFO *info = find_service_info_by_hnd( p, &q_u->handle );
- NT_USER_TOKEN *token = p->pipe_user.nt_user_token;
+ NT_USER_TOKEN *token = p->server_info->ptok;
/* perform access checks */
*r->out.bytes_needed = r->in.buf_size;
- wresult = fill_svc_config( p->mem_ctx, info->name, r->out.query, p->pipe_user.nt_user_token );
+ wresult = fill_svc_config( p->mem_ctx, info->name, r->out.query,
+ p->server_info->ptok);
if ( !W_ERROR_IS_OK(wresult) )
return wresult;
SERVICE_DESCRIPTION desc_buf;
const char *description;
- description = svcctl_lookup_description(p->mem_ctx, info->name, p->pipe_user.nt_user_token );
+ description = svcctl_lookup_description(
+ p->mem_ctx, info->name, p->server_info->ptok);
ZERO_STRUCTP( &desc_buf );
/* store the new SD */
- if ( !svcctl_set_secdesc( p->mem_ctx, info->name, sec_desc, p->pipe_user.nt_user_token ) )
+ if ( !svcctl_set_secdesc( p->mem_ctx, info->name, sec_desc,
+ p->server_info->ptok) )
return WERR_ACCESS_DENIED;
return WERR_OK;
if (parent == NULL) {
result = reg_openhive(NULL, subkeyname, access_desired,
- p->pipe_user.nt_user_token, &key);
+ p->server_info->ptok, &key);
}
else {
result = reg_openkey(NULL, parent, subkeyname, access_desired,
return WERR_NOMEM;
}
- can_shutdown = user_has_privileges( p->pipe_user.nt_user_token, &se_remote_shutdown );
+ can_shutdown = user_has_privileges( p->server_info->ptok,
+ &se_remote_shutdown );
/* IF someone has privs, run the shutdown script as root. OTHERWISE run it as not root
Take the error return from the script and provide it as the Windows return code. */
if (!*abort_shutdown_script)
return WERR_ACCESS_DENIED;
- can_shutdown = user_has_privileges( p->pipe_user.nt_user_token, &se_remote_shutdown );
+ can_shutdown = user_has_privileges( p->server_info->ptok,
+ &se_remote_shutdown );
/********** BEGIN SeRemoteShutdownPrivilege BLOCK **********/
/* user must posses SeRestorePrivilege for this this proceed */
- if ( !user_has_privileges( p->pipe_user.nt_user_token, &se_restore ) )
+ if ( !user_has_privileges( p->server_info->ptok, &se_restore ) )
return WERR_ACCESS_DENIED;
DEBUG(2,("_winreg_RestoreKey: Restoring [%s] from %s in share %s\n",
char *admin_domain = NULL;
char *admin_account = NULL;
WERROR werr;
- struct nt_user_token *token = p->pipe_user.nt_user_token;
+ struct nt_user_token *token = p->server_info->ptok;
if (!r->in.domain_name) {
return WERR_INVALID_PARAM;
char *admin_domain = NULL;
char *admin_account = NULL;
WERROR werr;
- struct nt_user_token *token = p->pipe_user.nt_user_token;
+ struct nt_user_token *token = p->server_info->ptok;
if (!r->in.account || !r->in.encrypted_password) {
return WERR_INVALID_PARAM;
if (!push_sec_ctx())
return False;
- set_sec_ctx(p->pipe_user.ut.uid, p->pipe_user.ut.gid,
- p->pipe_user.ut.ngroups, p->pipe_user.ut.groups,
- p->pipe_user.nt_user_token);
+ set_sec_ctx(p->server_info->utok.uid, p->server_info->utok.gid,
+ p->server_info->utok.ngroups, p->server_info->utok.groups,
+ p->server_info->ptok);
return True;
}