Hello! Jerry you are right about script and permissions! I'm looking again to usrmgr.exe and has corrected most of the problems of which I spoke earlier This patch is corrected most problems, but i can't fixed, current moment, problems where "not root" create "global group" ... sorry :( This patch not create security holes and another holes ... :) I'm testing and is looking good ... Is try help you, i hope :) Sergey Loskutov -------------- next part -------------- --- srv_samr_nt.c.orig 2005-03-16 09:33:15.394423183 -1000 +++ srv_samr_nt.c 2005-03-17 17:41:13.297259499 -1000 @@ -2865,8 +2865,10 @@ * id21. I don't know if they need to be set. --jerry */ - if (IS_SAM_CHANGED(pwd, PDB_GROUPSID)) - set_unix_primary_group(pwd); + if (IS_SAM_CHANGED(pwd, PDB_GROUPSID) && !set_unix_primary_group(pwd) ) { + pdb_free_sam(&pwd); + return False; + } /* write the change out */ if(!pdb_update_sam_account(pwd)) { @@ -2933,8 +2935,10 @@ ZERO_STRUCT(plaintext_buf); - if (IS_SAM_CHANGED(pwd, PDB_GROUPSID)) - set_unix_primary_group(pwd); + if (IS_SAM_CHANGED(pwd, PDB_GROUPSID) && !set_unix_primary_group(pwd) ) { + pdb_free_sam(&pwd); + return False; + } if(!pdb_update_sam_account(pwd)) { pdb_free_sam(&pwd); @@ -3624,12 +3628,16 @@ sid_copy(&user_sid, get_global_sam_sid()); sid_append_rid(&user_sid, q_u->rid); - + + ret = pdb_init_sam(&sam_user); + if (!NT_STATUS_IS_OK(ret)) return ret; + become_root(); check = pdb_getsampwsid(sam_user, &user_sid); + unbecome_root(); if (check != True) { pdb_free_sam(&sam_user); @@ -3708,6 +3716,7 @@ uint32 acc_granted; SE_PRIV se_rights; BOOL can_add_accounts; + BOOL ret; /* * delete the group member named q_u->rid 
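Review bot: The new failure branch after `set_unix_primary_group(pwd)` in the @@ -2865 hunk returns False without logging anything, so a rejected primary-group change looks the same in the logs as any other failed set-user-info call. The identical branch in the @@ -2933 hunk has the same gap. Add a line such as `DEBUG(0,("set_unix_primary_group failed for %s\n", pdb_get_username(pwd)));` before `pdb_free_sam(&pwd);` in both places. The Unix-side group change also runs before `pdb_update_sam_account(pwd)`, so a failure of that later write can leave the two stores disagreeing; that ordering predates the patch but deserves a comment. The enclosing functions start and end outside both hunks.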
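Review bot: The `become_root()` / `unbecome_root()` pair added around `pdb_getsampwsid(sam_user, &user_sid)` in the @@ -3624 hunk has no comment saying why the lookup needs root or that the elevated region must stay free of `return` and `goto`. The same applies to the pairs added in the @@ -3740, @@ -4276, @@ -4466 and @@ -4486 hunks. The @@ -4466 region is the most exposed, because it now holds an if/else, and an early exit added there later would leave the request running as root. A short comment at each pair would do, for example `/* root only for the passdb lookup; no return/goto before unbecome_root() */`. The declaration of `ret` used with `NT_STATUS_IS_OK` here is outside the hunk, so confirm it is an NTSTATUS in this function and not the BOOL `ret` the patch adds elsewhere.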
@@ -3740,7 +3749,12 @@ /* check if the user exists before trying to remove it from the group */ pdb_init_sam(&sam_pass); - if (!pdb_getsampwsid(sam_pass, &user_sid)) { + + become_root(); + ret = pdb_getsampwsid(sam_pass, &user_sid); + unbecome_root(); + + if (!ret) { DEBUG(5,("User %s doesn't exist.\n", pdb_get_username(sam_pass))); pdb_free_sam(&sam_pass); return NT_STATUS_NO_SUCH_USER; @@ -4253,6 +4267,7 @@ GROUP_MAP map; GROUP_INFO_CTR *ctr; uint32 acc_granted; + BOOL ret; if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; @@ -4276,9 +4291,13 @@ default: return NT_STATUS_INVALID_INFO_CLASS; } + + become_root(); + ret = pdb_update_group_mapping_entry(&map); + unbecome_root(); - if(!pdb_update_group_mapping_entry(&map)) { - return NT_STATUS_NO_SUCH_GROUP; + if(!ret) { + return NT_STATUS_NO_SUCH_GROUP; } return NT_STATUS_OK; @@ -4430,6 +4449,7 @@ BOOL is_user = False; NTSTATUS result; enum SID_NAME_USE type = SID_NAME_UNKNOWN; + BOOL ret; sid_copy( &delete_sid, &q_u->sid.sid ); @@ -4466,18 +4486,27 @@ pdb_init_sam(&sam_pass); - if ( pdb_getsampwsid(sam_pass, &delete_sid) ) { - is_user = True; + become_root(); + + ret = pdb_getsampwsid(sam_pass, &delete_sid); + + if ( ret ) { + is_user = True; } else { - /* maybe it is a group */ - if( !pdb_getgrsid(&map, delete_sid) ) { - DEBUG(3,("_samr_remove_sid_foreign_domain: %s is not a user or a group!\n", - sid_string_static(&delete_sid))); - result = NT_STATUS_INVALID_SID; - goto done; - } + /* maybe it is a group */ + ret = pdb_getgrsid(&map, delete_sid); + } + + unbecome_root(); + + if ( !ret ) { + DEBUG(3,("_samr_remove_sid_foreign_domain: %s is not a user or a group!\n", + sid_string_static(&delete_sid))); + result = NT_STATUS_INVALID_SID; + goto done; } + /* we can only delete a user from a group since we don't have nested groups anyways. So in the latter case, just say OK */ 
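Review bot: In the @@ -3740 hunk the result of `pdb_init_sam(&sam_pass)` is still ignored, yet `sam_pass` is now passed to `pdb_getsampwsid()` while running as root. The @@ -4466 hunk has the same unchecked call in front of its elevated lookups. The patch already checks this call in the @@ -3624 hunk with `if (!NT_STATUS_IS_OK(ret)) return ret;`, so the two sites should follow suit. They need an NTSTATUS local for that, because the `ret` added to these functions is a BOOL, and the @@ -4466 site would presumably set `result` and `goto done` instead of returning directly. Both functions start and end outside the hunks.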
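Review bot: The @@ -4276 hunk wraps a write, `pdb_update_group_mapping_entry(&map)`, in an unconditional `become_root()`, so backend permissions no longer limit who can change a group mapping through this call. The only remaining gate is whatever check on `acc_granted` sits between the `get_lsa_policy_samr_sid()` call and the `switch`, and that code is outside the hunk; please confirm it exists and requires a set-info right. The `can_add_accounts` local visible in the @@ -3708 hunk suggests the file elsewhere makes elevation conditional on a privilege check. If so, the same shape would be safer here, e.g. `if (can_add_accounts) become_root();` with a matching conditional `unbecome_root()`. A failed update is still reported as `NT_STATUS_NO_SUCH_GROUP` whatever the cause, which will hide permission or backend errors.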
@@ -4486,7 +4515,10 @@ int num_groups, i; struct group *grp2; - if ( pdb_enum_group_mapping(type, &mappings, &num_groups, False) && num_groups>0 ) { + become_root(); + ret = pdb_enum_group_mapping(type, &mappings, &num_groups, False); + unbecome_root(); + if ( ret && num_groups>0 ) { /* interate over the groups */ for ( i=0; i<num_groups; i++ ) {
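Review bot: Elevating `pdb_enum_group_mapping()` changes who reaches the `for` loop that follows, and the patch does not say whether that is intended. If the call was failing for non-root callers before, as the elevation implies, those callers used to skip the loop and will now run it. The loop body is outside the hunk, so please check whether it modifies group membership. If it does, it needs its own access decision and should not rely on the enumeration having failed. A comment above `become_root();` stating that root is held only for the enumeration, such as `/* root for the mapping read only; the loop below runs unprivileged */`, would make the intent explicit.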