From c47f95baab5ec565ed778e98e95ee5fabba862da Mon Sep 17 00:00:00 2001 From: Karolin Seeger Date: Mon, 17 Nov 2008 14:02:45 +0100 Subject: [PATCH] Revert "Remove the requirement for ldap call made as root. Add in security" This reverts commit b339f17132b18edad52b4c2f6b348e4b8d789bcb. --- source/lib/smbldap.c | 7 +++++ source/rpc_server/srv_samr_nt.c | 67 +++-------------------------------------- 2 files changed, 11 insertions(+), 63 deletions(-) diff --git a/source/lib/smbldap.c b/source/lib/smbldap.c index 315b1e3b456..bcde53c3e5c 100644 --- a/source/lib/smbldap.c +++ b/source/lib/smbldap.c @@ -1023,6 +1023,13 @@ static int smbldap_open(struct smbldap_state *ldap_state) int rc, opt_rc; bool reopen = False; SMB_ASSERT(ldap_state); + +#ifndef NO_LDAP_SECURITY + if (geteuid() != 0) { + DEBUG(0, ("smbldap_open: cannot access LDAP when not root\n")); + return LDAP_INSUFFICIENT_ACCESS; + } +#endif if ((ldap_state->ldap_struct != NULL) && ((ldap_state->last_ping + SMBLDAP_DONT_PING_TIME) < time(NULL))) { diff --git a/source/rpc_server/srv_samr_nt.c b/source/rpc_server/srv_samr_nt.c index da415f9ec5a..a32d35f4081 100644 --- a/source/rpc_server/srv_samr_nt.c +++ b/source/rpc_server/srv_samr_nt.c @@ -869,13 +869,6 @@ NTSTATUS _samr_QuerySecurity(pipes_struct *p, DEBUG(10,("_samr_QuerySecurity: querying security on SID: %s\n", sid_string_dbg(&pol_sid))); - status = access_check_samr_function(acc_granted, - STD_RIGHT_READ_CONTROL_ACCESS, - "_samr_QuerySecurity"); - if (NT_STATUS_IS_OK(status)) { - return status; - } - /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */ /* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */ @@ -1204,9 +1197,6 @@ NTSTATUS _samr_EnumDomainAliases(pipes_struct *p, if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - DEBUG(5,("_samr_EnumDomainAliases: sid %s\n", - sid_string_dbg(&info->sid))); - status = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_EnumDomainAliases"); @@ -1214,6 +1204,9 @@ NTSTATUS _samr_EnumDomainAliases(pipes_struct *p, return status; } + DEBUG(5,("_samr_EnumDomainAliases: sid %s\n", + sid_string_dbg(&info->sid))); + samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray); if (!samr_array) { return NT_STATUS_NO_MEMORY; @@ -1480,13 +1473,6 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p, if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - status = access_check_samr_function(info->acc_granted, - SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, - "_samr_QueryDisplayInfo"); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - /* * calculate how many entries we will return. * based on @@ -2120,13 +2106,6 @@ NTSTATUS _samr_LookupRids(pipes_struct *p, if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &pol_sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; - status = access_check_samr_function(acc_granted, - SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, - "_samr__LookupRids"); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - if (num_rids > 1000) { DEBUG(0, ("Got asked for %d rids (more than 1000) -- according " "to samba4 idl this is not possible\n", num_rids)); @@ -2699,13 +2678,6 @@ NTSTATUS _samr_QueryUserInfo(pipes_struct *p, if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - status = access_check_samr_function(info->acc_granted, - SA_RIGHT_DOMAIN_OPEN_ACCOUNT, - "_samr_QueryUserInfo"); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - domain_sid = info->sid; sid_split_rid(&domain_sid, &rid); @@ -2954,13 +2926,6 @@ static NTSTATUS samr_QueryDomainInfo_internal(const char *fn_name, return NT_STATUS_INVALID_HANDLE; } - status = access_check_samr_function(info->acc_granted, - SA_RIGHT_SAM_OPEN_DOMAIN, - "_samr_QueryDomainInfo_internal" ); - - if ( !NT_STATUS_IS_OK(status) ) - return status; - switch (level) { case 0x01: @@ -5695,32 +5660,16 @@ NTSTATUS _samr_QueryDomainInfo2(pipes_struct *p, NTSTATUS _samr_SetDomainInfo(pipes_struct *p, struct samr_SetDomainInfo *r) { - struct samr_info *info = NULL; time_t u_expire, u_min_age; time_t u_logout; time_t u_lock_duration, u_reset_time; - NTSTATUS result; DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.domain_handle, NULL)) return NT_STATUS_INVALID_HANDLE; - /* We do have different access bits for info - * levels here, but we're really just looking for - * GENERIC_RIGHTS_DOMAIN_WRITE access. Unfortunately - * this maps to different specific bits. So - * assume if we have SA_RIGHT_DOMAIN_SET_INFO_1 - * set we are ok. */ - - result = access_check_samr_function(info->acc_granted, - SA_RIGHT_DOMAIN_SET_INFO_1, - "_samr_SetDomainInfo"); - - if (!NT_STATUS_IS_OK(result)) - return result; - DEBUG(5,("_samr_SetDomainInfo: level: %d\n", r->in.level)); switch (r->in.level) { @@ -5778,7 +5727,6 @@ NTSTATUS _samr_GetDisplayEnumerationIndex(pipes_struct *p, int i; uint32_t num_account = 0; struct samr_displayentry *entries = NULL; - NTSTATUS status; DEBUG(5,("_samr_GetDisplayEnumerationIndex: %d\n", __LINE__)); @@ -5787,13 +5735,6 @@ NTSTATUS _samr_GetDisplayEnumerationIndex(pipes_struct *p, return NT_STATUS_INVALID_HANDLE; } - status = access_check_samr_function(info->acc_granted, - SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, - "_samr_GetDisplayEnumerationIndex"); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - if ((r->in.level < 1) || (r->in.level > 3)) { DEBUG(0,("_samr_GetDisplayEnumerationIndex: " "Unknown info level (%u)\n", -- 2.11.4.GIT