authorJim McDonough <jmcd@samba.org>2007-04-24 15:56:02 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:19:40 -0500
commit70806db06adb1dafd4de8728bb7b367b84f3740a (patch)
treea4c2b417ad8d8a306b31ab1034c0404afaec8c73 /source3/rpc_server
parent2ad66881dfd0fb8a03efc409af7f5bb6d3d204b2 (diff)
r22504: Fix bug Jerry found during his tutorial. Sorry :-(
Allows authorized users (e.g. BUILTIN\Administrators members) to set attributes on an account, particularly "user cannot change password". Add become_root() around updating attributes, after checking that access has been granted. (This used to be commit b1ab360519a1f67f50446ca8599e5b7aa58e7db3)
Diffstat (limited to 'source3/rpc_server')
-rw-r--r--source3/rpc_server/srv_samr_nt.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index c743e68530f..be73b33265c 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -724,7 +724,12 @@ NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_
return NT_STATUS_ACCESS_DENIED;
}
- status = pdb_update_sam_account(sampass);
+ status = access_check_samr_function(acc_granted, SA_RIGHT_USER_SET_ATTRIBUTES, "_samr_set_sec_obj");
+ if NT_STATUS_IS_OK(status) {
+ become_root();
+ status = pdb_update_sam_account(sampass);
+ unbecome_root();
+ }
TALLOC_FREE(sampass);
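Review bot: The `access_check_samr_function()` call is now the only authorization gate in front of the passdb write, because `pdb_update_sam_account()` runs inside `become_root()` and the caller's own process credentials no longer limit it; that deserves a comment above the check, for example `/* Sole authorization gate: the update below runs as root, so acc_granted must cover SA_RIGHT_USER_SET_ATTRIBUTES. */`. Where `acc_granted` comes from is not visible here, so it is worth confirming that it is taken from the policy handle the caller opened and cannot be influenced by the request body. The check also sits after an earlier failure path (the `return NT_STATUS_ACCESS_DENIED;` just above), so presumably some work on `sampass` happens before the rights are verified; moving the check ahead of that work would fail fast, though the function body starts and ends outside the hunk. Separately, `if NT_STATUS_IS_OK(status) {` only compiles because the macro happens to expand to a parenthesised expression; write `if (NT_STATUS_IS_OK(status)) {` so the condition does not depend on the macro's definition.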