From a503231a8f4cda077d07776b9682fc77ee42046a Mon Sep 17 00:00:00 2001
From: Gerald Carter <jerry@samba.org>
Date: Fri, 2 Sep 2005 13:42:56 +0000
Subject: [PATCH] r9956: Ensure accounts with the SeAddUsersPrivilege can
 modify domain and local group attributes (posted to samba ml and confirmed
 fix)

---
 source/rpc_server/srv_samr_nt.c | 40 ++++++++++++++++++++++++++++++++--------
 1 file changed, 32 insertions(+), 8 deletions(-)

diff --git a/source/rpc_server/srv_samr_nt.c b/source/rpc_server/srv_samr_nt.c
index aeb5c44894c..b124dad0f79 100644
--- a/source/rpc_server/srv_samr_nt.c
+++ b/source/rpc_server/srv_samr_nt.c
@@ -3932,6 +3932,8 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_
 	GROUP_MAP map;
 	GROUP_INFO_CTR *ctr;
 	uint32 acc_granted;
+	BOOL ret;
+	BOOL can_mod_accounts;
 
 	if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted))
 		return NT_STATUS_INVALID_HANDLE;
@@ -3956,11 +3958,21 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_
 			return NT_STATUS_INVALID_INFO_CLASS;
 	}
 
-	if(!pdb_update_group_mapping_entry(&map)) {
-		return NT_STATUS_NO_SUCH_GROUP;
-	}
+	can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
 
-	return NT_STATUS_OK;
+	/******** BEGIN SeAddUsers BLOCK *********/
+
+	if ( can_mod_accounts )
+		become_root();
+	  
+	ret = pdb_update_group_mapping_entry(&map);
+
+	if ( can_mod_accounts )
+		unbecome_root();
+
+	/******** End SeAddUsers BLOCK *********/
+
+	return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
 }
 
 /*********************************************************************
@@ -3975,6 +3987,8 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_
 	struct acct_info info;
 	ALIAS_INFO_CTR *ctr;
 	uint32 acc_granted;
+	BOOL ret;
+	BOOL can_mod_accounts;
 
 	if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted))
 		return NT_STATUS_INVALID_HANDLE;
@@ -3997,11 +4011,21 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_
 			return NT_STATUS_INVALID_INFO_CLASS;
 	}
 
-	if(!pdb_set_aliasinfo(&group_sid, &info)) {
-		return NT_STATUS_ACCESS_DENIED;
-	}
+        can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
 
-	return NT_STATUS_OK;
+        /******** BEGIN SeAddUsers BLOCK *********/
+
+        if ( can_mod_accounts )
+                become_root();
+
+        ret = pdb_set_aliasinfo( &group_sid, &info );
+
+        if ( can_mod_accounts )
+                unbecome_root();
+
+        /******** End SeAddUsers BLOCK *********/
+
+	return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
 }
 
 /*********************************************************************
-- 
2.11.4.GIT