From 70806db06adb1dafd4de8728bb7b367b84f3740a Mon Sep 17 00:00:00 2001
From: Jim McDonough <jmcd@samba.org>
Date: Tue, 24 Apr 2007 15:56:02 +0000
Subject: [PATCH] r22504: Fix bug Jerry found during his tutorial.  Sorry :-(

Allows authorized users (e.g. BUILTIN\Administrators members) to
set attributes on an account, particularly "user cannot change
password".

add become_root() around updating attributes, after checking that
access has been granted.
(This used to be commit b1ab360519a1f67f50446ca8599e5b7aa58e7db3)
---
 source3/rpc_server/srv_samr_nt.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index c743e68530f..be73b33265c 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -724,7 +724,12 @@ NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	status = pdb_update_sam_account(sampass);
+	status = access_check_samr_function(acc_granted, SA_RIGHT_USER_SET_ATTRIBUTES, "_samr_set_sec_obj");
+	if NT_STATUS_IS_OK(status) {
+		become_root();
+		status = pdb_update_sam_account(sampass);
+		unbecome_root();
+	}
 
 	TALLOC_FREE(sampass);
 
-- 
2.11.4.GIT