Author: jra Date: 2005-09-02 15:45:13 +0000 (Fri, 02 Sep 2005) New Revision: 9960
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9960 Log: Merge up to current HEAD. Jeremy Modified: branches/tmp/RPCREWRITE/source/Makefile.in branches/tmp/RPCREWRITE/source/include/privileges.h branches/tmp/RPCREWRITE/source/include/smb_macros.h branches/tmp/RPCREWRITE/source/lib/privileges.c branches/tmp/RPCREWRITE/source/python/setup.py branches/tmp/RPCREWRITE/source/rpc_server/srv_samr_nt.c branches/tmp/RPCREWRITE/source/rpc_server/srv_spoolss_nt.c branches/tmp/RPCREWRITE/source/smbd/posix_acls.c Changeset: Modified: branches/tmp/RPCREWRITE/source/Makefile.in =================================================================== --- branches/tmp/RPCREWRITE/source/Makefile.in 2005-09-02 14:45:40 UTC (rev 9959) +++ branches/tmp/RPCREWRITE/source/Makefile.in 2005-09-02 15:45:13 UTC (rev 9960) @@ -693,9 +693,9 @@ TDBBACKUP_OBJ = tdb/tdbbackup.o tdb/tdbback.o $(SNPRINTF_OBJ) $(TDBBASE_OBJ) -TDBTOOL_OBJ = tdb/tdbtool.o $(TDBBASE_OBJ) +TDBTOOL_OBJ = tdb/tdbtool.o $(TDBBASE_OBJ) $(SNPRINTF_OBJ) -TDBDUMP_OBJ = tdb/tdbdump.o $(TDBBASE_OBJ) +TDBDUMP_OBJ = tdb/tdbdump.o $(TDBBASE_OBJ) $(SNPRINTF_OBJ) NTLM_AUTH_OBJ1 = utils/ntlm_auth.o utils/ntlm_auth_diagnostics.o @@ -1298,15 +1298,15 @@ bin/[EMAIL PROTECTED]@: $(TDBBACKUP_OBJ) bin/.dummy @echo Linking $@ - @$(CC) $(FLAGS) @PIE_LDFLAGS@ -o $@ $(DYNEXP) $(LIBS) $(TDBBACKUP_OBJ) $(SNPRINTF_OBJ) @SOCKWRAP@ + @$(CC) $(FLAGS) @PIE_LDFLAGS@ -o $@ $(DYNEXP) $(LIBS) $(TDBBACKUP_OBJ) @SOCKWRAP@ bin/[EMAIL PROTECTED]@: $(TDBTOOL_OBJ) bin/.dummy @echo Linking $@ - @$(CC) $(FLAGS) @PIE_LDFLAGS@ -o $@ $(DYNEXP) $(LIBS) $(TDBTOOL_OBJ) $(SNPRINTF_OBJ) @SOCKWRAP@ + @$(CC) $(FLAGS) @PIE_LDFLAGS@ -o $@ $(DYNEXP) $(LIBS) $(TDBTOOL_OBJ) @SOCKWRAP@ bin/[EMAIL PROTECTED]@: $(TDBDUMP_OBJ) bin/.dummy @echo Linking $@ - @$(CC) $(FLAGS) @PIE_LDFLAGS@ -o $@ $(DYNEXP) $(LIBS) $(TDBDUMP_OBJ) $(SNPRINTF_OBJ) @SOCKWRAP@ + @$(CC) $(FLAGS) @PIE_LDFLAGS@ -o $@ $(DYNEXP) $(LIBS) $(TDBDUMP_OBJ) @SOCKWRAP@ bin/[EMAIL PROTECTED]@: bin/[EMAIL PROTECTED]@ torture/t_strcmp.o $(CC) $(FLAGS) @PIE_LDFLAGS@ -o $@ $(DYNEXP) $(LIBS) torture/t_strcmp.o -L ./bin -lbigballofmud Modified: branches/tmp/RPCREWRITE/source/include/privileges.h =================================================================== --- branches/tmp/RPCREWRITE/source/include/privileges.h 2005-09-02 14:45:40 UTC (rev 9959) +++ branches/tmp/RPCREWRITE/source/include/privileges.h 2005-09-02 15:45:13 UTC (rev 9960) @@ -70,6 +70,7 @@ extern const SE_PRIV se_disk_operators; extern const SE_PRIV se_remote_shutdown; extern const SE_PRIV se_restore; +extern const SE_PRIV se_take_ownership; /* Modified: branches/tmp/RPCREWRITE/source/include/smb_macros.h =================================================================== --- branches/tmp/RPCREWRITE/source/include/smb_macros.h 2005-09-02 14:45:40 UTC (rev 9959) +++ branches/tmp/RPCREWRITE/source/include/smb_macros.h 2005-09-02 15:45:13 UTC (rev 9960) @@ -261,7 +261,7 @@ #define dos_format(fname) string_replace(fname,'/','\\') /***************************************************************************** - Check to see if we are a DO for this domain + Check to see if we are a DC for this domain *****************************************************************************/ #define IS_DC (lp_server_role()==ROLE_DOMAIN_PDC || lp_server_role()==ROLE_DOMAIN_BDC) Modified: branches/tmp/RPCREWRITE/source/lib/privileges.c =================================================================== --- branches/tmp/RPCREWRITE/source/lib/privileges.c 2005-09-02 14:45:40 UTC (rev 9959) +++ branches/tmp/RPCREWRITE/source/lib/privileges.c 2005-09-02 15:45:13 UTC (rev 9960) @@ -38,6 +38,7 @@ const SE_PRIV se_disk_operators = SE_DISK_OPERATOR; const SE_PRIV se_remote_shutdown = SE_REMOTE_SHUTDOWN; const SE_PRIV se_restore = SE_RESTORE; +const SE_PRIV se_take_ownership = SE_TAKE_OWNERSHIP; /******************************************************************** This is a list of privileges reported by a WIndows 2000 SP4 AD DC Modified: branches/tmp/RPCREWRITE/source/python/setup.py =================================================================== --- branches/tmp/RPCREWRITE/source/python/setup.py 2005-09-02 14:45:40 UTC (rev 9959) +++ branches/tmp/RPCREWRITE/source/python/setup.py 2005-09-02 15:45:13 UTC (rev 9960) @@ -56,6 +56,9 @@ if lib[0:2] == "-l": libraries.append(lib[2:]) continue + if lib[0:8] == "-pthread": + libraries.append(lib[2:]) + continue if lib[0:2] == "-L": library_dirs.append(lib[2:]) continue Modified: branches/tmp/RPCREWRITE/source/rpc_server/srv_samr_nt.c =================================================================== --- branches/tmp/RPCREWRITE/source/rpc_server/srv_samr_nt.c 2005-09-02 14:45:40 UTC (rev 9959) +++ branches/tmp/RPCREWRITE/source/rpc_server/srv_samr_nt.c 2005-09-02 15:45:13 UTC (rev 9960) @@ -3932,6 +3932,8 @@ GROUP_MAP map; GROUP_INFO_CTR *ctr; uint32 acc_granted; + BOOL ret; + BOOL can_mod_accounts; if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; @@ -3956,11 +3958,21 @@ return NT_STATUS_INVALID_INFO_CLASS; } - if(!pdb_update_group_mapping_entry(&map)) { - return NT_STATUS_NO_SUCH_GROUP; - } + can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users ); - return NT_STATUS_OK; + /******** BEGIN SeAddUsers BLOCK *********/ + + if ( can_mod_accounts ) + become_root(); + + ret = pdb_update_group_mapping_entry(&map); + + if ( can_mod_accounts ) + unbecome_root(); + + /******** End SeAddUsers BLOCK *********/ + + return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED; } /********************************************************************* @@ -3975,6 +3987,8 @@ struct acct_info info; ALIAS_INFO_CTR *ctr; uint32 acc_granted; + BOOL ret; + BOOL can_mod_accounts; if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; @@ -3997,11 +4011,21 @@ return NT_STATUS_INVALID_INFO_CLASS; } - if(!pdb_set_aliasinfo(&group_sid, &info)) { - return NT_STATUS_ACCESS_DENIED; - } + can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users ); - return NT_STATUS_OK; + /******** BEGIN SeAddUsers BLOCK *********/ + + if ( can_mod_accounts ) + become_root(); + + ret = pdb_set_aliasinfo( &group_sid, &info ); + + if ( can_mod_accounts ) + unbecome_root(); + + /******** End SeAddUsers BLOCK *********/ + + return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED; } /********************************************************************* Modified: branches/tmp/RPCREWRITE/source/rpc_server/srv_spoolss_nt.c =================================================================== --- branches/tmp/RPCREWRITE/source/rpc_server/srv_spoolss_nt.c 2005-09-02 14:45:40 UTC (rev 9959) +++ branches/tmp/RPCREWRITE/source/rpc_server/srv_spoolss_nt.c 2005-09-02 15:45:13 UTC (rev 9960) @@ -1594,7 +1594,7 @@ if (printer_default->access_required & ~(SERVER_ACCESS_ADMINISTER | SERVER_ACCESS_ENUMERATE)) { - DEBUG(3, ("access DENIED for non-printserver bits")); + DEBUG(3, ("access DENIED for non-printserver bits\n")); close_printer_handle(p, handle); return WERR_ACCESS_DENIED; } Modified: branches/tmp/RPCREWRITE/source/smbd/posix_acls.c =================================================================== --- branches/tmp/RPCREWRITE/source/smbd/posix_acls.c 2005-09-02 14:45:40 UTC (rev 9959) +++ branches/tmp/RPCREWRITE/source/smbd/posix_acls.c 2005-09-02 15:45:13 UTC (rev 9960) @@ -2998,7 +2998,8 @@ 1) If we have root privileges, then it will just work. 2) If we have SeTakeOwnershipPrivilege we can change the user to the current user. - 3) If we have write permission to the file and dos_filemodes is set + 3) If we have SeRestorePrivilege we can change the user to any other user. + 4) If we have write permission to the file and dos_filemodes is set then allow chown to the currently authenticated user. ****************************************************************************/ @@ -3007,7 +3008,6 @@ int ret; files_struct *fsp; SMB_STRUCT_STAT st; - SE_PRIV se_take_ownership = SE_TAKE_OWNERSHIP; if(!CAN_WRITE(conn)) { return -1; @@ -3019,18 +3019,28 @@ if (ret == 0) return 0; - /* Case (2). */ - if (lp_enable_privileges() && - (uid == current_user.uid) && - (user_has_privileges(current_user.nt_user_token,&se_take_ownership))) { - become_root(); - /* Keep the current file gid the same - take ownership doesn't imply group change. */ - ret = SMB_VFS_CHOWN(conn, fname, uid, (gid_t)-1); - unbecome_root(); - return ret; + /* Case (2) / (3) */ + if (lp_enable_privileges()) { + + BOOL has_take_ownership_priv = user_has_privileges(current_user.nt_user_token, + &se_take_ownership); + BOOL has_restore_priv = user_has_privileges(current_user.nt_user_token, + &se_restore); + + /* Case (2) */ + if ( ( has_take_ownership_priv && ( uid == current_user.uid ) ) || + /* Case (3) */ + ( has_restore_priv ) ) { + + become_root(); + /* Keep the current file gid the same - take ownership doesn't imply group change. */ + ret = SMB_VFS_CHOWN(conn, fname, uid, (gid_t)-1); + unbecome_root(); + return ret; + } } - /* Case (3). */ + /* Case (4). */ if (!lp_dos_filemode(SNUM(conn))) { return -1; }
