From: Jeremy Allison Date: Fri, 12 Jun 2009 08:27:07 +0000 (+0200) Subject: Revert the extra SAMR and LSA checks. X-Git-Tag: samba-3.2.12~10 X-Git-Url: http://git.samba.org/?p=samba.git;a=commitdiff_plain;h=efc993a2aa6d0745c5868080640ebea3409b6818 Revert the extra SAMR and LSA checks. These were added between 3.2.4 and 3.2.5 that have caused users problems. This fixes among others bug #6089 and #6112. (cherry picked from commit f2a29585123e6072a75eb9abdd202f99f5a01e1e) --- diff --git a/source/rpc_server/srv_lsa_nt.c b/source/rpc_server/srv_lsa_nt.c index fd6cdfab030..697cc5208db 100644 --- a/source/rpc_server/srv_lsa_nt.c +++ b/source/rpc_server/srv_lsa_nt.c @@ -1629,9 +1629,6 @@ NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p, if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) - return NT_STATUS_ACCESS_DENIED; - if ( !get_privileges_for_sids( &mask, &info->sid, 1 ) ) return NT_STATUS_OBJECT_NAME_NOT_FOUND; @@ -1692,9 +1689,6 @@ NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p, if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) - return NT_STATUS_ACCESS_DENIED; - if (!lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, NULL)) return NT_STATUS_ACCESS_DENIED; @@ -2097,9 +2091,6 @@ NTSTATUS _lsa_EnumAccountRights(pipes_struct *p, if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) - return NT_STATUS_ACCESS_DENIED; - /* according to an NT4 PDC, you can add privileges to SIDs even without call_lsa_create_account() first. And you can use any arbitrary SID. */ @@ -2142,9 +2133,6 @@ NTSTATUS _lsa_LookupPrivValue(pipes_struct *p, if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) - return NT_STATUS_ACCESS_DENIED; - name = r->in.name->string; DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name)); diff --git a/source/rpc_server/srv_samr_nt.c b/source/rpc_server/srv_samr_nt.c index a394eb3b90c..47aa1e9a9b0 100644 --- a/source/rpc_server/srv_samr_nt.c +++ b/source/rpc_server/srv_samr_nt.c @@ -862,13 +862,6 @@ NTSTATUS _samr_QuerySecurity(pipes_struct *p, DEBUG(10,("_samr_QuerySecurity: querying security on SID: %s\n", sid_string_dbg(&pol_sid))); - status = access_check_samr_function(acc_granted, - STD_RIGHT_READ_CONTROL_ACCESS, - "_samr_QuerySecurity"); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */ /* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */ @@ -1483,13 +1476,6 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p, if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - status = access_check_samr_function(info->acc_granted, - SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, - "_samr_QueryDisplayInfo"); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - /* * calculate how many entries we will return. * based on @@ -2132,13 +2118,6 @@ NTSTATUS _samr_LookupRids(pipes_struct *p, if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &pol_sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; - status = access_check_samr_function(acc_granted, - 0, /* Don't know the acc_bits yet */ - "_samr__LookupRids"); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - if (num_rids > 1000) { DEBUG(0, ("Got asked for %d rids (more than 1000) -- according " "to samba4 idl this is not possible\n", num_rids)); @@ -2711,13 +2690,6 @@ NTSTATUS _samr_QueryUserInfo(pipes_struct *p, if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - status = access_check_samr_function(info->acc_granted, - SAMR_USER_ACCESS_GET_ATTRIBUTES, - "_samr_QueryUserInfo"); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - domain_sid = info->sid; sid_split_rid(&domain_sid, &rid); @@ -2961,13 +2933,6 @@ NTSTATUS _samr_QueryDomainInfo(pipes_struct *p, return NT_STATUS_INVALID_HANDLE; } - status = access_check_samr_function(info->acc_granted, - SA_RIGHT_SAM_LOOKUP_DOMAIN, - "_samr_QueryDomainInfo" ); - - if ( !NT_STATUS_IS_OK(status) ) - return status; - switch (r->in.level) { case 0x01: @@ -5682,7 +5647,6 @@ NTSTATUS _samr_SetDomainInfo(pipes_struct *p, time_t u_expire, u_min_age; time_t u_logout; time_t u_lock_duration, u_reset_time; - NTSTATUS result; DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__)); @@ -5690,20 +5654,6 @@ NTSTATUS _samr_SetDomainInfo(pipes_struct *p, if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - /* We do have different access bits for info - * levels here, but we're really just looking for - * GENERIC_RIGHTS_DOMAIN_WRITE access. Unfortunately - * this maps to different specific bits. So - * assume if we have SA_RIGHT_DOMAIN_SET_INFO_1 - * set we are ok. */ - - result = access_check_samr_function(info->acc_granted, - SA_RIGHT_DOMAIN_SET_INFO_1, - "_samr_SetDomainInfo"); - - if (!NT_STATUS_IS_OK(result)) - return result; - DEBUG(5,("_samr_SetDomainInfo: level: %d\n", r->in.level)); switch (r->in.level) { @@ -5761,7 +5711,6 @@ NTSTATUS _samr_GetDisplayEnumerationIndex(pipes_struct *p, int i; uint32_t num_account = 0; struct samr_displayentry *entries = NULL; - NTSTATUS status; DEBUG(5,("_samr_GetDisplayEnumerationIndex: %d\n", __LINE__)); @@ -5770,13 +5719,6 @@ NTSTATUS _samr_GetDisplayEnumerationIndex(pipes_struct *p, return NT_STATUS_INVALID_HANDLE; } - status = access_check_samr_function(info->acc_granted, - SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, - "_samr_GetDisplayEnumerationIndex"); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - if ((r->in.level < 1) || (r->in.level > 3)) { DEBUG(0,("_samr_GetDisplayEnumerationIndex: " "Unknown info level (%u)\n",