authorStefan Metzmacher <metze@samba.org>2018-03-06 23:36:03 +0100
committerRalph Boehme <slow@samba.org>2018-03-15 21:54:16 +0100
commit4f81ef9353ad76390aa910c8c17456fec21916c6 (patch)
treeb35ef1d2a57842f7e570c49df7588e9ecd45cf57 /source3/auth/token_util.c
parente8dc55d2b969b670322a913799d1af459a1000e7 (diff)
s3:auth: don't try to expand system or anonymous tokens in finalize_local_nt_token()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Diffstat (limited to 'source3/auth/token_util.c')
-rw-r--r--source3/auth/token_util.c24
1 files changed, 24 insertions, 0 deletions
diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
index 30f2f8d346b..6ebfa54126b 100644
--- a/source3/auth/token_util.c
+++ b/source3/auth/token_util.c
@@ -613,6 +613,13 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,
struct acct_info *info;
bool ok;
+ result->privilege_mask = 0;
+ result->rights_mask = 0;
+
+ if (result->num_sids == 0) {
+ return NT_STATUS_INVALID_TOKEN;
+ }
+
/* Add in BUILTIN sids */
status = add_sid_to_array(result, &global_sid_World,
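Review bot: The two mask resets and the `num_sids == 0` rejection at the top of the added lines have no comment, so a reader cannot tell that they are a deliberate hardening step rather than plain initialisation. Clearing the masks before the validity check is the fail-safe order, since even a token rejected with NT_STATUS_INVALID_TOKEN leaves with no privileges, and that is worth stating so nobody reorders it later. I would add `/* Never inherit privilege/rights bits from the caller: start empty, even on the error path below. */` above the resets and `/* An empty SID list cannot identify a user; refuse it before any SID-based checks. */` above the `if`. The second comment assumes the later checks inspect the SID array, which should be confirmed since finalize_local_nt_token() starts and continues outside this hunk.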
@@ -626,6 +633,23 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,
return status;
}
+ /*
+ * Don't expand nested groups of system, anonymous etc
+ *
+ * Note that they still get SID_WORLD and SID_NETWORK
+ * for now in order let existing tests pass.
+ *
+ * But SYSTEM doesn't get AUTHENTICATED_USERS
+ * and ANONYMOUS doesn't get BUILTIN GUESTS anymore.
+ */
+ if (security_token_is_anonymous(result)) {
+ return NT_STATUS_OK;
+ }
+ if (security_token_is_system(result)) {
+ result->privilege_mask = ~0;
+ return NT_STATUS_OK;
+ }
+
if (!is_guest) {
status = add_sid_to_array(result,
&global_sid_Authenticated_Users,
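Review bot: In the SYSTEM branch, `result->privilege_mask = ~0;` sets every bit only because the int value -1 is converted to the field's type, and a later tidy-up to `~0U` would silently set just the low 32 bits if the field is wider. The declaration of privilege_mask is not visible here; if it is a 64-bit unsigned field, `result->privilege_mask = UINT64_MAX;` or `~(uint64_t)0` states the intent directly. The branch also grants all privileges purely on what security_token_is_system() sees in the token, while rights_mask stays 0 from the earlier reset. A short comment such as `/* SYSTEM holds every privilege; rights_mask intentionally stays empty. Callers must only pass tokens whose SIDs they built themselves. */` would record both decisions. Both early returns skip the remainder of finalize_local_nt_token(), which lies outside this hunk, so what else SYSTEM and ANONYMOUS no longer receive cannot be checked from here.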