/* * Determine whether to process an FSRVP operation from connected user @p. * Windows checks for Administrators or Backup Operators group membership. We * also allow for the SEC_PRIV_BACKUP privilege. */ static bool fss_permitted(struct pipes_struct *p) { if (p->session_info->unix_token->uid == sec_initial_uid()) { DEBUG(6, ("Granting FSRVP op, user started smbd\n")); return true; } if (nt_token_check_sid(&global_sid_Builtin_Administrators, p->session_info->security_token)) { DEBUG(6, ("Granting FSRVP op, administrators group member\n")); return true; } if (nt_token_check_sid(&global_sid_Builtin_Backup_Operators, p->session_info->security_token)) { DEBUG(6, ("Granting FSRVP op, backup operators group member\n")); return true; } if (security_token_has_privilege(p->session_info->security_token, SEC_PRIV_BACKUP)) { DEBUG(6, ("Granting FSRVP op, backup privilege present\n")); return true; } DEBUG(2, ("FSRVP operation blocked due to lack of backup privilege " "or Administrators/Backup Operators group membership\n")); return false; }
WERROR _wkssvc_NetWkstaGetInfo(struct pipes_struct *p, struct wkssvc_NetWkstaGetInfo *r) { switch (r->in.level) { case 100: /* Level 100 can be allowed from anyone including anonymous * so no access checks are needed for this case */ r->out.info->info100 = create_wks_info_100(p->mem_ctx); if (r->out.info->info100 == NULL) { return WERR_NOMEM; } break; case 101: /* Level 101 can be allowed from any logged in user */ if (!nt_token_check_sid(&global_sid_Authenticated_Users, p->session_info->security_token)) { DEBUG(1,("User not allowed for NetWkstaGetInfo level " "101\n")); DEBUGADD(3,(" - does not have sid for Authenticated " "Users %s:\n", sid_string_dbg( &global_sid_Authenticated_Users))); security_token_debug(DBGC_CLASS, 3, p->session_info->security_token); return WERR_ACCESS_DENIED; } r->out.info->info101 = create_wks_info_101(p->mem_ctx); if (r->out.info->info101 == NULL) { return WERR_NOMEM; } break; case 102: /* Level 102 Should only be allowed from a domain administrator */ if (!nt_token_check_sid(&global_sid_Builtin_Administrators, p->session_info->security_token)) { DEBUG(1,("User not allowed for NetWkstaGetInfo level " "102\n")); DEBUGADD(3,(" - does not have sid for Administrators " "group %s, sids are:\n", sid_string_dbg(&global_sid_Builtin_Administrators))); security_token_debug(DBGC_CLASS, 3, p->session_info->security_token); return WERR_ACCESS_DENIED; } r->out.info->info102 = create_wks_info_102(p->mem_ctx); if (r->out.info->info102 == NULL) { return WERR_NOMEM; } break; default: return WERR_UNKNOWN_LEVEL; } return WERR_OK; }
static NTSTATUS gpo_sd_check_ace_denied_object(const struct security_ace *ace, const struct security_token *token) { char *sid_str; if (gpo_sd_check_agp_object(ace) && gpo_sd_check_agp_access_bits(ace->access_mask) && nt_token_check_sid(&ace->trustee, token)) { sid_str = dom_sid_string(NULL, &ace->trustee); DEBUG(10,("gpo_sd_check_ace_denied_object: " "Access denied as of ace for %s\n", sid_str)); talloc_free(sid_str); return NT_STATUS_ACCESS_DENIED; } return STATUS_MORE_ENTRIES; }
WERROR _wkssvc_NetWkstaEnumUsers(struct pipes_struct *p, struct wkssvc_NetWkstaEnumUsers *r) { /* This with any level should only be allowed from a domain administrator */ if (!nt_token_check_sid(&global_sid_Builtin_Administrators, p->session_info->security_token)) { DEBUG(1,("User not allowed for NetWkstaEnumUsers\n")); DEBUGADD(3,(" - does not have sid for Administrators group " "%s\n", sid_string_dbg( &global_sid_Builtin_Administrators))); security_token_debug(DBGC_CLASS, 3, p->session_info->security_token); return WERR_ACCESS_DENIED; } switch (r->in.info->level) { case 0: r->out.info->ctr.user0 = create_enum_users0(p->mem_ctx); if (r->out.info->ctr.user0 == NULL) { return WERR_NOMEM; } r->out.info->level = r->in.info->level; *r->out.entries_read = r->out.info->ctr.user0->entries_read; *r->out.resume_handle = 0; break; case 1: r->out.info->ctr.user1 = create_enum_users1(p->mem_ctx); if (r->out.info->ctr.user1 == NULL) { return WERR_NOMEM; } r->out.info->level = r->in.info->level; *r->out.entries_read = r->out.info->ctr.user1->entries_read; *r->out.resume_handle = 0; break; default: return WERR_UNKNOWN_LEVEL; } return WERR_OK; }
WERROR _wkssvc_NetrUnjoinDomain2(struct pipes_struct *p, struct wkssvc_NetrUnjoinDomain2 *r) { struct libnet_UnjoinCtx *u = NULL; char *cleartext_pwd = NULL; char *admin_domain = NULL; char *admin_account = NULL; WERROR werr; struct security_token *token = p->session_info->security_token; if (!r->in.account || !r->in.encrypted_password) { return WERR_INVALID_PARAM; } if (!security_token_has_privilege(token, SEC_PRIV_MACHINE_ACCOUNT) && !nt_token_check_domain_rid(token, DOMAIN_RID_ADMINS) && !nt_token_check_sid(&global_sid_Builtin_Administrators, token)) { DEBUG(5,("_wkssvc_NetrUnjoinDomain2: account doesn't have " "sufficient privileges\n")); return WERR_ACCESS_DENIED; } werr = decode_wkssvc_join_password_buffer( p->mem_ctx, r->in.encrypted_password, &p->session_info->session_key, &cleartext_pwd); if (!W_ERROR_IS_OK(werr)) { return werr; } split_domain_user(p->mem_ctx, r->in.account, &admin_domain, &admin_account); werr = libnet_init_UnjoinCtx(p->mem_ctx, &u); if (!W_ERROR_IS_OK(werr)) { return werr; } u->in.domain_name = lp_realm(); u->in.unjoin_flags = r->in.unjoin_flags | WKSSVC_JOIN_FLAGS_JOIN_TYPE; u->in.admin_account = admin_account; u->in.admin_password = cleartext_pwd; u->in.debug = true; u->in.modify_config = lp_config_backend_is_registry(); u->in.msg_ctx = p->msg_ctx; become_root(); werr = libnet_Unjoin(p->mem_ctx, u); unbecome_root(); if (!W_ERROR_IS_OK(werr)) { DEBUG(5,("_wkssvc_NetrUnjoinDomain2: libnet_Unjoin failed with: %s\n", u->out.error_string ? u->out.error_string : win_errstr(werr))); } TALLOC_FREE(u); return werr; }
static bool token_contains_name(TALLOC_CTX *mem_ctx, const char *username, const char *domain, const char *sharename, const struct nt_user_token *token, const char *name) { const char *prefix; DOM_SID sid; enum lsa_SidType type; struct smbd_server_connection *sconn = smbd_server_conn; if (username != NULL) { name = talloc_sub_basic(mem_ctx, username, domain, name); } if (sharename != NULL) { name = talloc_string_sub(mem_ctx, name, "%S", sharename); } if (name == NULL) { /* This is too security sensitive, better panic than return a * result that might be interpreted in a wrong way. */ smb_panic("substitutions failed"); } /* check to see is we already have a SID */ if ( string_to_sid( &sid, name ) ) { DEBUG(5,("token_contains_name: Checking for SID [%s] in token\n", name)); return nt_token_check_sid( &sid, token ); } if (!do_group_checks(&name, &prefix)) { if (!lookup_name_smbconf(mem_ctx, name, LOOKUP_NAME_ALL, NULL, NULL, &sid, &type)) { DEBUG(5, ("lookup_name %s failed\n", name)); return False; } if (type != SID_NAME_USER) { DEBUG(5, ("%s is a %s, expected a user\n", name, sid_type_lookup(type))); return False; } return nt_token_check_sid(&sid, token); } for (/* initialized above */ ; *prefix != '\0'; prefix++) { if (*prefix == '+') { if (!lookup_name_smbconf(mem_ctx, name, LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP, NULL, NULL, &sid, &type)) { DEBUG(5, ("lookup_name %s failed\n", name)); return False; } if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) && (type != SID_NAME_WKN_GRP)) { DEBUG(5, ("%s is a %s, expected a group\n", name, sid_type_lookup(type))); return False; } if (nt_token_check_sid(&sid, token)) { return True; } continue; } if (*prefix == '&') { if (username) { if (user_in_netgroup(sconn, username, name)) { return True; } } continue; } smb_panic("got invalid prefix from do_groups_check"); } return False; }