/*
* Determine whether to process an FSRVP operation from connected user @p.
* Windows checks for Administrators or Backup Operators group membership. We
* also allow for the SEC_PRIV_BACKUP privilege.
*/
static bool fss_permitted(struct pipes_struct *p)
{
if (p->session_info->unix_token->uid == sec_initial_uid()) {
DEBUG(6, ("Granting FSRVP op, user started smbd\n"));
return true;
}
if (nt_token_check_sid(&global_sid_Builtin_Administrators,
p->session_info->security_token)) {
DEBUG(6, ("Granting FSRVP op, administrators group member\n"));
return true;
}
if (nt_token_check_sid(&global_sid_Builtin_Backup_Operators,
p->session_info->security_token)) {
DEBUG(6, ("Granting FSRVP op, backup operators group member\n"));
return true;
}
if (security_token_has_privilege(p->session_info->security_token,
SEC_PRIV_BACKUP)) {
DEBUG(6, ("Granting FSRVP op, backup privilege present\n"));
return true;
}
DEBUG(2, ("FSRVP operation blocked due to lack of backup privilege "
"or Administrators/Backup Operators group membership\n"));
return false;
}
WERROR _wkssvc_NetWkstaGetInfo(struct pipes_struct *p,
struct wkssvc_NetWkstaGetInfo *r)
{
switch (r->in.level) {
case 100:
/* Level 100 can be allowed from anyone including anonymous
* so no access checks are needed for this case */
r->out.info->info100 = create_wks_info_100(p->mem_ctx);
if (r->out.info->info100 == NULL) {
return WERR_NOMEM;
}
break;
case 101:
/* Level 101 can be allowed from any logged in user */
if (!nt_token_check_sid(&global_sid_Authenticated_Users,
p->session_info->security_token)) {
DEBUG(1,("User not allowed for NetWkstaGetInfo level "
"101\n"));
DEBUGADD(3,(" - does not have sid for Authenticated "
"Users %s:\n",
sid_string_dbg(
&global_sid_Authenticated_Users)));
security_token_debug(DBGC_CLASS, 3,
p->session_info->security_token);
return WERR_ACCESS_DENIED;
}
r->out.info->info101 = create_wks_info_101(p->mem_ctx);
if (r->out.info->info101 == NULL) {
return WERR_NOMEM;
}
break;
case 102:
/* Level 102 Should only be allowed from a domain administrator */
if (!nt_token_check_sid(&global_sid_Builtin_Administrators,
p->session_info->security_token)) {
DEBUG(1,("User not allowed for NetWkstaGetInfo level "
"102\n"));
DEBUGADD(3,(" - does not have sid for Administrators "
"group %s, sids are:\n",
sid_string_dbg(&global_sid_Builtin_Administrators)));
security_token_debug(DBGC_CLASS, 3,
p->session_info->security_token);
return WERR_ACCESS_DENIED;
}
r->out.info->info102 = create_wks_info_102(p->mem_ctx);
if (r->out.info->info102 == NULL) {
return WERR_NOMEM;
}
break;
default:
return WERR_UNKNOWN_LEVEL;
}
return WERR_OK;
}
static NTSTATUS gpo_sd_check_ace_denied_object(const struct security_ace *ace,
const struct security_token *token)
{
char *sid_str;
if (gpo_sd_check_agp_object(ace) &&
gpo_sd_check_agp_access_bits(ace->access_mask) &&
nt_token_check_sid(&ace->trustee, token)) {
sid_str = dom_sid_string(NULL, &ace->trustee);
DEBUG(10,("gpo_sd_check_ace_denied_object: "
"Access denied as of ace for %s\n",
sid_str));
talloc_free(sid_str);
return NT_STATUS_ACCESS_DENIED;
}
return STATUS_MORE_ENTRIES;
}
WERROR _wkssvc_NetWkstaEnumUsers(struct pipes_struct *p,
struct wkssvc_NetWkstaEnumUsers *r)
{
/* This with any level should only be allowed from a domain administrator */
if (!nt_token_check_sid(&global_sid_Builtin_Administrators,
p->session_info->security_token)) {
DEBUG(1,("User not allowed for NetWkstaEnumUsers\n"));
DEBUGADD(3,(" - does not have sid for Administrators group "
"%s\n", sid_string_dbg(
&global_sid_Builtin_Administrators)));
security_token_debug(DBGC_CLASS, 3, p->session_info->security_token);
return WERR_ACCESS_DENIED;
}
switch (r->in.info->level) {
case 0:
r->out.info->ctr.user0 = create_enum_users0(p->mem_ctx);
if (r->out.info->ctr.user0 == NULL) {
return WERR_NOMEM;
}
r->out.info->level = r->in.info->level;
*r->out.entries_read = r->out.info->ctr.user0->entries_read;
*r->out.resume_handle = 0;
break;
case 1:
r->out.info->ctr.user1 = create_enum_users1(p->mem_ctx);
if (r->out.info->ctr.user1 == NULL) {
return WERR_NOMEM;
}
r->out.info->level = r->in.info->level;
*r->out.entries_read = r->out.info->ctr.user1->entries_read;
*r->out.resume_handle = 0;
break;
default:
return WERR_UNKNOWN_LEVEL;
}
return WERR_OK;
}
WERROR _wkssvc_NetrUnjoinDomain2(struct pipes_struct *p,
struct wkssvc_NetrUnjoinDomain2 *r)
{
struct libnet_UnjoinCtx *u = NULL;
char *cleartext_pwd = NULL;
char *admin_domain = NULL;
char *admin_account = NULL;
WERROR werr;
struct security_token *token = p->session_info->security_token;
if (!r->in.account || !r->in.encrypted_password) {
return WERR_INVALID_PARAM;
}
if (!security_token_has_privilege(token, SEC_PRIV_MACHINE_ACCOUNT) &&
!nt_token_check_domain_rid(token, DOMAIN_RID_ADMINS) &&
!nt_token_check_sid(&global_sid_Builtin_Administrators, token)) {
DEBUG(5,("_wkssvc_NetrUnjoinDomain2: account doesn't have "
"sufficient privileges\n"));
return WERR_ACCESS_DENIED;
}
werr = decode_wkssvc_join_password_buffer(
p->mem_ctx, r->in.encrypted_password,
&p->session_info->session_key, &cleartext_pwd);
if (!W_ERROR_IS_OK(werr)) {
return werr;
}
split_domain_user(p->mem_ctx,
r->in.account,
&admin_domain,
&admin_account);
werr = libnet_init_UnjoinCtx(p->mem_ctx, &u);
if (!W_ERROR_IS_OK(werr)) {
return werr;
}
u->in.domain_name = lp_realm();
u->in.unjoin_flags = r->in.unjoin_flags |
WKSSVC_JOIN_FLAGS_JOIN_TYPE;
u->in.admin_account = admin_account;
u->in.admin_password = cleartext_pwd;
u->in.debug = true;
u->in.modify_config = lp_config_backend_is_registry();
u->in.msg_ctx = p->msg_ctx;
become_root();
werr = libnet_Unjoin(p->mem_ctx, u);
unbecome_root();
if (!W_ERROR_IS_OK(werr)) {
DEBUG(5,("_wkssvc_NetrUnjoinDomain2: libnet_Unjoin failed with: %s\n",
u->out.error_string ? u->out.error_string :
win_errstr(werr)));
}
TALLOC_FREE(u);
return werr;
}
static bool token_contains_name(TALLOC_CTX *mem_ctx,
const char *username,
const char *domain,
const char *sharename,
const struct nt_user_token *token,
const char *name)
{
const char *prefix;
DOM_SID sid;
enum lsa_SidType type;
struct smbd_server_connection *sconn = smbd_server_conn;
if (username != NULL) {
name = talloc_sub_basic(mem_ctx, username, domain, name);
}
if (sharename != NULL) {
name = talloc_string_sub(mem_ctx, name, "%S", sharename);
}
if (name == NULL) {
/* This is too security sensitive, better panic than return a
* result that might be interpreted in a wrong way. */
smb_panic("substitutions failed");
}
/* check to see is we already have a SID */
if ( string_to_sid( &sid, name ) ) {
DEBUG(5,("token_contains_name: Checking for SID [%s] in token\n", name));
return nt_token_check_sid( &sid, token );
}
if (!do_group_checks(&name, &prefix)) {
if (!lookup_name_smbconf(mem_ctx, name, LOOKUP_NAME_ALL,
NULL, NULL, &sid, &type)) {
DEBUG(5, ("lookup_name %s failed\n", name));
return False;
}
if (type != SID_NAME_USER) {
DEBUG(5, ("%s is a %s, expected a user\n",
name, sid_type_lookup(type)));
return False;
}
return nt_token_check_sid(&sid, token);
}
for (/* initialized above */ ; *prefix != '\0'; prefix++) {
if (*prefix == '+') {
if (!lookup_name_smbconf(mem_ctx, name,
LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
NULL, NULL, &sid, &type)) {
DEBUG(5, ("lookup_name %s failed\n", name));
return False;
}
if ((type != SID_NAME_DOM_GRP) &&
(type != SID_NAME_ALIAS) &&
(type != SID_NAME_WKN_GRP)) {
DEBUG(5, ("%s is a %s, expected a group\n",
name, sid_type_lookup(type)));
return False;
}
if (nt_token_check_sid(&sid, token)) {
return True;
}
continue;
}
if (*prefix == '&') {
if (username) {
if (user_in_netgroup(sconn, username, name)) {
return True;
}
}
continue;
}
smb_panic("got invalid prefix from do_groups_check");
}
return False;
}
