s3-rpc_server: Ensure we are root when starting and using gensec
authorAndrew Bartlett <abartlet@samba.org>
Thu, 2 May 2013 04:29:21 +0000 (16:29 +1200)
committerStefan Metzmacher <metze@samba.org>
Thu, 16 May 2013 17:02:00 +0000 (19:02 +0200)
This fixes bug 9465.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
source3/rpc_server/dcesrv_auth_generic.c

index c4c08b2dd394e0f2661b81d8880d3fee9535ca51..77d76fc6c39c442f029e3b76ffb3baa10b5a6e3c 100644 (file)
 #include "auth.h"
 #include "auth/gensec/gensec.h"
 
-NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx,
-                                           uint8_t auth_type, uint8_t auth_level,
-                                           DATA_BLOB *token_in,
-                                           DATA_BLOB *token_out,
-                                           const struct tsocket_address *remote_address,
-                                           struct gensec_security **ctx)
+static NTSTATUS auth_generic_server_authtype_start_as_root(TALLOC_CTX *mem_ctx,
+                                                          uint8_t auth_type, uint8_t auth_level,
+                                                          DATA_BLOB *token_in,
+                                                          DATA_BLOB *token_out,
+                                                          const struct tsocket_address *remote_address,
+                                                          struct gensec_security **ctx)
 {
        struct gensec_security *gensec_security = NULL;
        NTSTATUS status;
@@ -62,6 +62,27 @@ NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx,
        return NT_STATUS_OK;
 }
 
+NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx,
+                                           uint8_t auth_type, uint8_t auth_level,
+                                           DATA_BLOB *token_in,
+                                           DATA_BLOB *token_out,
+                                           const struct tsocket_address *remote_address,
+                                           struct gensec_security **ctx)
+{
+       NTSTATUS status;
+       become_root();
+
+       /* this has to be done as root in order to create the messaging socket */
+       status = auth_generic_server_authtype_start_as_root(mem_ctx,
+                                                           auth_type, auth_level,
+                                                           token_in,
+                                                           token_out,
+                                                           remote_address,
+                                                           ctx);
+       unbecome_root();
+       return status;
+}
+
 NTSTATUS auth_generic_server_step(struct gensec_security *gensec_security,
                             TALLOC_CTX *mem_ctx,
                             DATA_BLOB *token_in,
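Review bot: The privileged window opened by `become_root()` at the top of auth_generic_server_authtype_start covers the whole of auth_generic_server_authtype_start_as_root, which is wider than the reason given in the comment (creating the messaging socket): if that helper also feeds the client's first `token_in` through gensec_update(), as its `token_out` parameter suggests, then parsing of untrusted wire data now runs as root. If the socket is only created in the prepare step, the become_root()/unbecome_root() pair is better moved inside the helper around that step alone; if the whole start genuinely needs root, the comment should say so, e.g. `/* The whole mechanism start, including the first gensec_update() of the client token, runs as root: the messaging socket is created during prepare. */`. The helper's body lies in the earlier hunk, which is cut off in this view, so the extent of what runs as root is inferred from the signature rather than read from the code.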
@@ -101,7 +122,12 @@ NTSTATUS auth_generic_server_get_user_info(struct gensec_security *gensec_securi
 {
        NTSTATUS status;
 
+       /* this has to be done as root in order to get to the
+        * messaging sockets for IDMAP and privilege.ldb in the AD
+        * DC */
+       become_root();
        status = gensec_session_info(gensec_security, mem_ctx, session_info);
+       unbecome_root();
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(1, (__location__ ": Failed to get authenticated user "
                          "info: %s\n", nt_errstr(status)));
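Review bot: The hand-rolled `become_root();` / `unbecome_root();` pair around gensec_session_info leaves the privileged span implicit in a function that otherwise runs unprivileged, while the previous hunk expresses the same requirement as a static `_as_root` helper behind a public wrapper. For consistency, and so the root window is structurally bounded rather than relying on every future edit keeping the two calls adjacent, the same split could be applied here, with the existing IDMAP/privilege.ldb rationale as the wrapper's comment. Dropping root before the status check, as the hunk already does, is the right order and should be preserved in any such refactor; the rest of auth_generic_server_get_user_info lies outside the hunk.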