s3-rpc_server: pass down full unix token to map_max_allowed_access().

Also use unix_token->uid instead of geteuid() when checking for mapping of the
SEC_FLAG_MAXIMUM_ALLOWED flag.

Guenther

diff --git a/source3/include/proto.h b/source3/include/proto.h
index 44132b6519c2f9d2f1607e2c0380ef54c02111d7..c0ce35a86501742310507e30bd273a273b8b2a5c 100644 (file)
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -7253,8 +7253,9 @@ NTSTATUS access_check_object( SEC_DESC *psd, NT_USER_TOKEN *token,
                                SE_PRIV *rights, uint32 rights_mask,
                                uint32 des_access, uint32 *acc_granted,
                                const char *debug);
-void map_max_allowed_access(const NT_USER_TOKEN *token,
-                               uint32_t *pacc_requested);
+void map_max_allowed_access(const NT_USER_TOKEN *nt_token,
+                           const struct unix_user_token *unix_token,
+                           uint32_t *pacc_requested);
 
 /* The following definitions come from ../libds/common/flag_mapping.c  */
 

diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index 324483b3ee174c03091cfed48c6341812a0a1a53..c62991ee01a767a118e724437f9e1c12c5a1dcdb 100644 (file)
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -349,7 +349,9 @@ NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
        NTSTATUS status;
 
        /* Work out max allowed. */
-       map_max_allowed_access(p->server_info->ptok, &des_access);
+       map_max_allowed_access(p->server_info->ptok,
+                              &p->server_info->utok,
+                              &des_access);
 
        /* map the generic bits to the lsa policy ones */
        se_map_generic(&des_access, &lsa_policy_mapping);
@@ -1628,7 +1630,9 @@ NTSTATUS _lsa_OpenAccount(pipes_struct *p,
         * handle - so don't check against policy handle. */
 
        /* Work out max allowed. */
-       map_max_allowed_access(p->server_info->ptok, &des_access);
+       map_max_allowed_access(p->server_info->ptok,
+                              &p->server_info->utok,
+                              &des_access);
 
        /* map the generic bits to the lsa account ones */
        se_map_generic(&des_access, &lsa_account_mapping);

diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 8560ee97c61d5cc6254e40228f48ad19c04fcd60..108525142124deae832c2e99870553b730b657b2 100644 (file)
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -236,8 +236,9 @@ done:
  Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
 ********************************************************************/
 
-void map_max_allowed_access(const NT_USER_TOKEN *token,
-                                       uint32_t *pacc_requested)
+void map_max_allowed_access(const NT_USER_TOKEN *nt_token,
+                           const struct unix_user_token *unix_token,
+                           uint32_t *pacc_requested)
 {
        if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
                return;
@@ -248,15 +249,15 @@ void map_max_allowed_access(const NT_USER_TOKEN *token,
        *pacc_requested = GENERIC_READ_ACCESS|GENERIC_EXECUTE_ACCESS;
 
        /* root gets anything. */
-       if (geteuid() == sec_initial_uid()) {
+       if (unix_token->uid == sec_initial_uid()) {
                *pacc_requested |= GENERIC_ALL_ACCESS;
                return;
        }
 
        /* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
 
-       if (is_sid_in_token(token, &global_sid_Builtin_Administrators) ||
-                       is_sid_in_token(token, &global_sid_Builtin_Account_Operators)) {
+       if (is_sid_in_token(nt_token, &global_sid_Builtin_Administrators) ||
+                       is_sid_in_token(nt_token, &global_sid_Builtin_Account_Operators)) {
                *pacc_requested |= GENERIC_ALL_ACCESS;
                return;
        }
@@ -266,7 +267,7 @@ void map_max_allowed_access(const NT_USER_TOKEN *token,
                DOM_SID domadmin_sid;
                sid_copy( &domadmin_sid, get_global_sam_sid() );
                sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
-               if (is_sid_in_token(token, &domadmin_sid)) {
+               if (is_sid_in_token(nt_token, &domadmin_sid)) {
                        *pacc_requested |= GENERIC_ALL_ACCESS;
                        return;
                }
@@ -550,7 +551,9 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p,
        }
 
        /*check if access can be granted as requested by client. */
-       map_max_allowed_access(p->server_info->ptok, &des_access);
+       map_max_allowed_access(p->server_info->ptok,
+                              &p->server_info->utok,
+                              &des_access);
 
        make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
        se_map_generic( &des_access, &dom_generic_mapping );
@@ -2260,8 +2263,9 @@ NTSTATUS _samr_OpenUser(pipes_struct *p,
                return NT_STATUS_NO_SUCH_USER;
 
        /* check if access can be granted as requested by client. */
-
-       map_max_allowed_access(p->server_info->ptok, &des_access);
+       map_max_allowed_access(p->server_info->ptok,
+                              &p->server_info->utok,
+                              &des_access);
 
        make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
        se_map_generic(&des_access, &usr_generic_mapping);
@@ -3834,7 +3838,9 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p,
 
        sid_compose(&sid, get_global_sam_sid(), *r->out.rid);
 
-       map_max_allowed_access(p->server_info->ptok, &des_access);
+       map_max_allowed_access(p->server_info->ptok,
+                              &p->server_info->utok,
+                              &des_access);
 
        make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
                            &sid, SAMR_USR_RIGHTS_WRITE_PW);
@@ -3914,7 +3920,9 @@ NTSTATUS _samr_Connect(pipes_struct *p,
           was observed from a win98 client trying to enumerate users (when configured
           user level access control on shares)   --jerry */
 
-       map_max_allowed_access(p->server_info->ptok, &des_access);
+       map_max_allowed_access(p->server_info->ptok,
+                              &p->server_info->utok,
+                              &des_access);
 
        se_map_generic( &des_access, &sam_generic_mapping );
 
@@ -3974,7 +3982,9 @@ NTSTATUS _samr_Connect2(pipes_struct *p,
                return NT_STATUS_ACCESS_DENIED;
        }
 
-       map_max_allowed_access(p->server_info->ptok, &des_access);
+       map_max_allowed_access(p->server_info->ptok,
+                              &p->server_info->utok,
+                              &des_access);
 
        make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
        se_map_generic(&des_access, &sam_generic_mapping);
@@ -4187,7 +4197,9 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p,
 
        /*check if access can be granted as requested by client. */
 
-       map_max_allowed_access(p->server_info->ptok, &des_access);
+       map_max_allowed_access(p->server_info->ptok,
+                              &p->server_info->utok,
+                              &des_access);
 
        make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
        se_map_generic(&des_access,&ali_generic_mapping);
@@ -6237,7 +6249,9 @@ NTSTATUS _samr_OpenGroup(pipes_struct *p,
        }
 
        /*check if access can be granted as requested by client. */
-       map_max_allowed_access(p->server_info->ptok, &des_access);
+       map_max_allowed_access(p->server_info->ptok,
+                              &p->server_info->utok,
+                              &des_access);
 
        make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0);
        se_map_generic(&des_access,&grp_generic_mapping);