Author: jmcd
Date: 2007-04-24 15:56:02 +0000 (Tue, 24 Apr 2007)
New Revision: 22504

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=22504

Log:
Fix bug Jerry found during his tutorial. Sorry :-(

Allows authorized users (e.g. BUILTIN\Administrators members) to set attributes on an account, particularly "user cannot change password". add become_root() around updating attributes, after checking that access has been granted.

Modified:
   branches/SAMBA_3_0/source/rpc_server/srv_samr_nt.c
   branches/SAMBA_3_0_25/source/rpc_server/srv_samr_nt.c

Changeset:
Modified: branches/SAMBA_3_0/source/rpc_server/srv_samr_nt.c =================================================================== --- branches/SAMBA_3_0/source/rpc_server/srv_samr_nt.c 2007-04-24 13:55:04 UTC (rev 22503) +++ branches/SAMBA_3_0/source/rpc_server/srv_samr_nt.c 2007-04-24 15:56:02 UTC (rev 22504) @@ -724,7 +724,12 @@ return NT_STATUS_ACCESS_DENIED; } - status = pdb_update_sam_account(sampass); + status = access_check_samr_function(acc_granted, SA_RIGHT_USER_SET_ATTRIBUTES, "_samr_set_sec_obj"); + if NT_STATUS_IS_OK(status) { + become_root(); + status = pdb_update_sam_account(sampass); + unbecome_root(); + } TALLOC_FREE(sampass); Modified: branches/SAMBA_3_0_25/source/rpc_server/srv_samr_nt.c =================================================================== --- branches/SAMBA_3_0_25/source/rpc_server/srv_samr_nt.c 2007-04-24 13:55:04 UTC (rev 22503) +++ branches/SAMBA_3_0_25/source/rpc_server/srv_samr_nt.c 2007-04-24 15:56:02 UTC (rev 22504) @@ -739,7 +739,12 @@ return NT_STATUS_ACCESS_DENIED; } - status = pdb_update_sam_account(sampass); + status = access_check_samr_function(acc_granted, SA_RIGHT_USER_SET_ATTRIBUTES, "_samr_set_sec_obj"); + if NT_STATUS_IS_OK(status) { + become_root(); + status = pdb_update_sam_account(sampass); + unbecome_root(); + } TALLOC_FREE(sampass);
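Review bot: in the SAMBA_3_0 hunk at -724, the new `if NT_STATUS_IS_OK(status) {` has no parentheses of its own around the condition, so it is valid C only because the macro expansion happens to supply them. Write it as `if (NT_STATUS_IS_OK(status)) {` so the statement does not depend on how the macro is defined. The same line appears in the SAMBA_3_0_25 hunk.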
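Review bot: in the SAMBA_3_0_25 hunk at -739, the become_root()/unbecome_root() pair around pdb_update_sam_account(sampass) carries no comment saying why the update runs as root or that it is safe only because the SA_RIGHT_USER_SET_ATTRIBUTES check on acc_granted has just passed. Add a one-line comment above become_root() stating that dependency, so a later edit does not move or drop the access check and leave an ungated root write to the account database. Keeping the root window to the single update call, as done here, is the right scope. The same comment is needed in the SAMBA_3_0 hunk.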