From 5333a7040ba5c9e23649d38f4da78cd63cbb7051 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 17 Apr 2012 16:39:00 -0700
Subject: [PATCH] Fix bug #8873 - self granting privileges in security=ads.
Origin: other, https://bugzilla.samba.org/attachment.cgi?id=7463
Bug: https://bugzilla.samba.org/show_bug.cgi?id=8873
Index: samba-3.4.7~dfsg/source3/rpc_server/srv_lsa_nt.c
10
===================================================================
11
--- samba-3.4.7~dfsg.orig/source3/rpc_server/srv_lsa_nt.c 2010-03-08 13:53:38.000000000 -0600
12
+++ samba-3.4.7~dfsg/source3/rpc_server/srv_lsa_nt.c 2012-04-24 00:49:11.516355530 -0500
13
@@ -1579,6 +1579,15 @@
15
struct lsa_info *handle;
16
struct lsa_info *info;
17
+ uint32 des_access = r->in.access_mask;
19
+ uint32 owner_access = (LSA_ACCOUNT_ALL_ACCESS &
20
+ ~(LSA_ACCOUNT_ADJUST_PRIVILEGES|
21
+ LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
23
+ SEC_DESC *psd = NULL;
27
/* find the connection policy handle. */
28
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
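Review bot: The owner mask `LSA_ACCOUNT_ALL_ACCESS & ~(LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|...)` is written out in this declaration and again in the `@@ -1631,6 +1661,10 @@` hunk, so the two copies can drift apart, and a copy that loses one of the masked bits would give the account owner back the privilege-adjusting rights this patch withholds. Defining the mask once at file scope (for example a macro named something like `LSA_ACCOUNT_OWNER_ACCESS`; the name is only a suggestion) and using it in both declarations would keep them in step. The new locals here are typed `uint32` while the later hunk uses `uint32_t`; one spelling throughout would read better. The tail of the mask expression and the enclosing function's signature are not visible in this hunk as shown.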
29
@@ -1600,6 +1609,27 @@
30
if ( is_privileged_sid( r->in.sid ) )
31
return NT_STATUS_OBJECT_NAME_COLLISION;
33
+ /* Work out max allowed. */
34
+ map_max_allowed_access(p->server_info->ptok, &des_access);
36
+ /* map the generic bits to the lsa policy ones */
37
+ se_map_generic(&des_access, &lsa_policy_mapping);
39
+ /* get the generic lsa policy SD until we store it */
40
+ status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_policy_mapping,
41
+ r->in.sid, owner_access);
42
+ if (!NT_STATUS_IS_OK(status)) {
46
+ status = access_check_object(psd, p->server_info->ptok,
47
+ NULL, 0, des_access,
48
+ &acc_granted, "_lsa_CreateAccont" );
50
+ if (!NT_STATUS_IS_OK(status)) {
54
/* associate the user/group SID with the (unique) handle. */
56
info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
60
info->sid = *r->in.sid;
61
- info->access = r->in.access_mask;
62
+ info->access = acc_granted;
63
info->type = LSA_HANDLE_ACCOUNT_TYPE;
65
/* get a (unique) handle. open a policy on it. */
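Review bot: `owner_access` is built from `LSA_ACCOUNT_*` rights, yet both `se_map_generic()` and `make_lsa_object_sd()` in this hunk are passed `&lsa_policy_mapping`, and the added comments describe the "lsa policy" descriptor. If the generic bits in `des_access` are meant to resolve to account rights, the account object's mapping is presumably what belongs here; this is worth confirming, because the mapping determines which specific rights `access_check_object()` ends up granting and storing in `info->access`. The function-name string passed to `access_check_object()` is misspelled and should read `"_lsa_CreateAccount"`, so that any access-check debug output (presumably keyed on that string) can be found by function name. The bodies of the two `if (!NT_STATUS_IS_OK(status)) {` checks are not shown on this page, so the early return on failure cannot be confirmed from here.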
66
@@ -1631,6 +1661,10 @@
68
uint32_t des_access = r->in.access_mask;
70
+ uint32_t owner_access = (LSA_ACCOUNT_ALL_ACCESS &
71
+ ~(LSA_ACCOUNT_ADJUST_PRIVILEGES|
72
+ LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
73
+ STD_RIGHT_DELETE_ACCESS));
76
/* find the connection policy handle. */
78
/* get the generic lsa account SD until we store it */
79
status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
81
- r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
82
+ r->in.sid, owner_access);
83
if (!NT_STATUS_IS_OK(status)) {
87
/* get the generic lsa account SD for this SID until we store it */
88
status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
90
- r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
92
if (!NT_STATUS_IS_OK(status)) {
96
/* get the generic lsa account SD for this SID until we store it */
97
status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
99
- r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
101
if (!NT_STATUS_IS_OK(status)) {