107-srv_samr_nt.c.diff [plain text]
--- samba/source/rpc_server/srv_samr_nt.c.orig 2005-01-06 15:23:02.000000000 -0800
+++ samba/source/rpc_server/srv_samr_nt.c 2005-02-18 14:57:14.000000000 -0800
@@ -99,7 +99,38 @@
/*******************************************************************
Checks if access to a function can be granted
********************************************************************/
+#ifdef WITH_MEMBERD
+int is_member_of_group(uid_t uid, gid_t gid)
+{
+ uuid_t user_uuid;
+ uuid_t grp_uuid;
+ int result = 0;
+ char uustr[50];
+ int ismember = 0;
+
+ DEBUG(4,("is_member_of_group(uid<%d>, gid<%d>)\n", uid, gid));
+ uuid_clear(user_uuid);
+ if ((result = mbr_uid_to_uuid( uid, user_uuid)) != 0) {
+ DEBUG(0,("[%d]mbr_uid_to_uuid: errno(%d) - (%s)\n", result, errno, strerror(errno)));
+ } else {
+ uuid_clear(grp_uuid);
+ if ((result = mbr_gid_to_uuid( gid, grp_uuid)) != 0) {
+ DEBUG(0,("[%d]mbr_gid_to_uuid: errno(%d) - (%s)\n", result, errno, strerror(errno)));
+ } else {
+ uuid_unparse(grp_uuid, uustr);
+ DEBUG(4,("mbr_gid_to_uuid: (%s)\n",uustr));
+ }
+
+ if ((result = mbr_check_membership(user_uuid, grp_uuid, &ismember)) != 0) {
+ DEBUG(0,("[%d]mbr_check_membership: errno(%d) - (%s)\n", result, errno, strerror(errno)));
+ } else {
+ DEBUG(4,("mbr_check_membership: ismember(%d)\n",ismember));
+ }
+ }
+ return ismember;
+}
+#endif
NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug)
{
DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n",
@@ -111,6 +142,14 @@
DEBUGADD(4,("but overwritten by euid == 0\n"));
return NT_STATUS_OK;
}
+#ifdef WITH_MEMBERD
+ else if (is_member_of_group(geteuid(), 80)) { // admin group
+ DEBUG(4,("%s: ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
+ debug, acc_granted, acc_required));
+ DEBUGADD(4,("but overwritten by egid == 80\n"));
+ return NT_STATUS_OK;
+ }
+#endif
DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: %#010x)\n",
debug, acc_granted, acc_required));
return NT_STATUS_ACCESS_DENIED;
@@ -2246,7 +2285,14 @@
if (*add_script) {
int add_ret;
all_string_sub(add_script, "%u", account, sizeof(add_script));
+ // access_check_samr_function checks for membership in admin group (gid=80) when memberd is available
+#ifdef WITH_MEMBERD
+ become_root();
+#endif
add_ret = smbrun(add_script,NULL);
+#ifdef WITH_MEMBERD
+ unbecome_root();
+#endif
DEBUG(3,("_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret));
}
else /* no add user script -- ask winbindd to do it */
@@ -2264,6 +2310,8 @@
if ( !NT_STATUS_IS_OK(nt_status = pdb_init_sam_new(&sam_pass, account, new_rid)) )
return nt_status;
+ if (!lp_opendirectory())
+ {
pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED);
if (!pdb_add_sam_account(sam_pass)) {
@@ -2272,6 +2320,7 @@
account));
return NT_STATUS_ACCESS_DENIED;
}
+ }
/* Get the user's SID */
sid_copy(&sid, pdb_get_user_sid(sam_pass));