From 406e6e71b80769bebddbb720de2dd353e5fcda8e Mon Sep 17 00:00:00 2001 From: Karolin Seeger Date: Mon, 17 Nov 2008 14:02:46 +0100 Subject: [PATCH] Revert "Cope with MAXIMUM_ALLOWED_ACCESS requests when opening handles." This reverts commit 042e50f8709cfbe45d5b184cb3c4fe1b16bdc3b0. --- source/lib/util_sid.c | 11 ------- source/rpc_server/srv_samr_nt.c | 64 ++++------------------------------------- source/utils/net_rpc.c | 11 +++++++ 3 files changed, 16 insertions(+), 70 deletions(-) diff --git a/source/lib/util_sid.c b/source/lib/util_sid.c index f656bb13dc8..53614ed1ac2 100644 --- a/source/lib/util_sid.c +++ b/source/lib/util_sid.c @@ -664,17 +664,6 @@ bool is_null_sid(const DOM_SID *sid) return sid_equal(sid, &null_sid); } -bool is_sid_in_token(const NT_USER_TOKEN *token, const DOM_SID *sid) -{ - int i; - - for (i=0; inum_sids; i++) { - if (sid_compare(sid, &token->user_sids[i]) == 0) - return true; - } - return false; -} - NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx, const struct netr_SamInfo3 *info3, DOM_SID **user_sids, diff --git a/source/rpc_server/srv_samr_nt.c b/source/rpc_server/srv_samr_nt.c index 22b18c01702..c59a46c1da8 100644 --- a/source/rpc_server/srv_samr_nt.c +++ b/source/rpc_server/srv_samr_nt.c @@ -5,7 +5,7 @@ * Copyright (C) Luke Kenneth Casson Leighton 1996-1997, * Copyright (C) Paul Ashton 1997, * Copyright (C) Marc Jacobsen 1999, - * Copyright (C) Jeremy Allison 2001-2008, + * Copyright (C) Jeremy Allison 2001-2005, * Copyright (C) Jean François Micouleau 1998-2001, * Copyright (C) Jim McDonough 2002, * Copyright (C) Gerald (Jerry) Carter 2003-2004, 
@@ -249,48 +249,6 @@ static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_requir } /******************************************************************* - Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set. -********************************************************************/ - -static void map_max_allowed_access(const NT_USER_TOKEN *token, - uint32_t *pacc_requested) -{ - if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) { - return; - } - *pacc_requested &= ~MAXIMUM_ALLOWED_ACCESS; - - /* At least try for generic read. */ - *pacc_requested = GENERIC_READ_ACCESS; - - /* root gets anything. */ - if (geteuid() == sec_initial_uid()) { - *pacc_requested |= GENERIC_ALL_ACCESS; - return; - } - - /* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */ - - if (is_sid_in_token(token, &global_sid_Builtin_Administrators) || - is_sid_in_token(token, &global_sid_Builtin_Account_Operators)) { - *pacc_requested |= GENERIC_ALL_ACCESS; - return; - } - - /* Full access for DOMAIN\Domain Admins. */ - if ( IS_DC ) { - DOM_SID domadmin_sid; - sid_copy( &domadmin_sid, get_global_sam_sid() ); - sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS ); - if (is_sid_in_token(token, &domadmin_sid)) { - *pacc_requested |= GENERIC_ALL_ACCESS; - return; - } - } - /* TODO ! Check privileges. */ -} - -/******************************************************************* Fetch or create a dispinfo struct. ********************************************************************/ @@ -628,7 +586,6 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p, return status; /*check if access can be granted as requested by client. */ - map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 ); se_map_generic( &des_access, &dom_generic_mapping ); 
@@ -2201,8 +2158,6 @@ NTSTATUS _samr_OpenUser(pipes_struct *p, /* check if access can be granted as requested by client. */ - map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); - make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW); se_map_generic(&des_access, &usr_generic_mapping); @@ -3266,8 +3221,6 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p, sid_compose(&sid, get_global_sam_sid(), *r->out.rid); - map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); - make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW); se_map_generic(&des_access, &usr_generic_mapping); @@ -3329,7 +3282,10 @@ NTSTATUS _samr_Connect(pipes_struct *p, was observed from a win98 client trying to enumerate users (when configured user level access control on shares) --jerry */ - map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); + if (des_access == MAXIMUM_ALLOWED_ACCESS) { + /* Map to max possible knowing we're filtered below. */ + des_access = GENERIC_ALL_ACCESS; + } se_map_generic( &des_access, &sam_generic_mapping ); info->acc_granted = des_access & (SA_RIGHT_SAM_ENUM_DOMAINS|SA_RIGHT_SAM_OPEN_DOMAIN); @@ -3365,8 +3321,6 @@ NTSTATUS _samr_Connect2(pipes_struct *p, return NT_STATUS_ACCESS_DENIED; } - map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); - make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); se_map_generic(&des_access, &sam_generic_mapping); @@ -3416,8 +3370,6 @@ NTSTATUS _samr_Connect4(pipes_struct *p, return NT_STATUS_ACCESS_DENIED; } - map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); - make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); se_map_generic(&des_access, &sam_generic_mapping); 
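Review bot: In the `_samr_Connect` hunk, the restored test `des_access == MAXIMUM_ALLOWED_ACCESS` maps the request only when that flag is the sole bit set. A client that ORs the flag with other rights skips the mapping, and the mask to `SA_RIGHT_SAM_ENUM_DOMAINS|SA_RIGHT_SAM_OPEN_DOMAIN` on the next line then drops the flag, so that client presumably ends up with fewer rights than a bare MAXIMUM_ALLOWED_ACCESS request. Testing the bit covers both cases: `if (des_access & MAXIMUM_ALLOWED_ACCESS) {` followed by `des_access = (des_access & ~MAXIMUM_ALLOWED_ACCESS) | GENERIC_ALL_ACCESS;`. The Connect2/4/5, OpenUser, CreateUser2 and other open hunks drop the mapping without a replacement, so how a MAXIMUM_ALLOWED_ACCESS request fares there depends on the access check outside these hunks and is worth covering with a test. The body of `_samr_Connect` starts and ends outside the hunk.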
@@ -3467,8 +3419,6 @@ NTSTATUS _samr_Connect5(pipes_struct *p, return NT_STATUS_ACCESS_DENIED; } - map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); - make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); se_map_generic(&des_access, &sam_generic_mapping); @@ -3636,8 +3586,6 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p, /*check if access can be granted as requested by client. */ - map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); - make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0); se_map_generic(&des_access,&ali_generic_mapping); @@ -5530,8 +5478,6 @@ NTSTATUS _samr_OpenGroup(pipes_struct *p, return status; /*check if access can be granted as requested by client. */ - map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); - make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0); se_map_generic(&des_access,&grp_generic_mapping); diff --git a/source/utils/net_rpc.c b/source/utils/net_rpc.c index ef1ebd3491f..a5c2de0df32 100644 --- a/source/utils/net_rpc.c +++ b/source/utils/net_rpc.c @@ -4187,6 +4187,17 @@ static void free_user_token(NT_USER_TOKEN *token) SAFE_FREE(token->user_sids); } +static bool is_sid_in_token(NT_USER_TOKEN *token, DOM_SID *sid) +{ + int i; + + for (i=0; inum_sids; i++) { + if (sid_compare(sid, &token->user_sids[i]) == 0) + return True; + } + return False; +} + static void add_sid_to_token(NT_USER_TOKEN *token, DOM_SID *sid) { if (is_sid_in_token(token, sid)) -- 2.11.4.GIT
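Review bot: The `is_sid_in_token` helper added back to net_rpc.c takes non-const pointers although it only reads through them. The copy this patch removes from util_sid.c was declared with `const NT_USER_TOKEN *token, const DOM_SID *sid`, and keeping that form, `static bool is_sid_in_token(const NT_USER_TOKEN *token, const DOM_SID *sid)`, lets callers pass read-only tokens. The helper also dereferences `token` without a NULL check, and `add_sid_to_token` just below passes its argument straight through, so the contract that callers supply a valid token should be written down. A one-line comment such as `/* Return true if sid is already present in token->user_sids; token must be non-NULL. */` above the function would do that.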