authorStefan Metzmacher <metze@samba.org>2018-11-21 23:27:50 +0100
committerJeremy Allison <jra@samba.org>2019-01-12 03:13:37 +0100
commit6b02b94d037429e7bdca67377e390fb636c63f64 (patch)
tree9bf156aec6694b827dde95138e6082ab7537b468 /source4
parentd8293acdb4f738a5fe66c53bfd01715ebf7952ba (diff)
s4:rpc_server: add a min_auth_level to context handles
BUG: https://bugzilla.samba.org/show_bug.cgi?id=7113 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11892 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'source4')
-rw-r--r--source4/rpc_server/dcerpc_server.h1
-rw-r--r--source4/rpc_server/handles.c7
2 files changed, 8 insertions, 0 deletions
diff --git a/source4/rpc_server/dcerpc_server.h b/source4/rpc_server/dcerpc_server.h
index 4b6c0d145bf..abfb5c0b894 100644
--- a/source4/rpc_server/dcerpc_server.h
+++ b/source4/rpc_server/dcerpc_server.h
@@ -189,6 +189,7 @@ struct dcesrv_handle {
struct dcesrv_assoc_group *assoc_group;
struct policy_handle wire_handle;
struct dom_sid *sid;
+ enum dcerpc_AuthLevel min_auth_level;
const struct dcesrv_interface *iface;
void *data;
};
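Review bot: The new `min_auth_level` member of `struct dcesrv_handle` carries no comment, so its meaning can only be learned from handles.c, where it is set from the creating call's `auth_state->auth_level` and compared again on lookup. A one-line comment on the field would put the invariant in the header, for example `/* auth level of the call that created the handle; lookups below it are refused */`. The struct definition starts outside the hunk.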
diff --git a/source4/rpc_server/handles.c b/source4/rpc_server/handles.c
index b0cef1c27f7..68bacefaaf5 100644
--- a/source4/rpc_server/handles.c
+++ b/source4/rpc_server/handles.c
@@ -65,6 +65,7 @@ struct dcesrv_handle *dcesrv_handle_create(struct dcesrv_call_state *call,
talloc_free(h);
return NULL;
}
+ h->min_auth_level = call->auth_state->auth_level;
h->assoc_group = context->conn->assoc_group;
h->iface = context->iface;
h->wire_handle.handle_type = handle_type;
@@ -120,6 +121,12 @@ struct dcesrv_handle *dcesrv_handle_lookup(struct dcesrv_call_state *call,
dom_sid_string(context, sid)));
return NULL;
}
+ if (call->auth_state->auth_level < h->min_auth_level) {
+ DEBUG(0,(__location__ ": Attempt to use invalid auth_level %u < %u\n",
+ call->auth_state->auth_level,
+ h->min_auth_level));
+ return NULL;
+ }
if (h->iface != context->iface) {
DEBUG(0,(__location__ ": Attempt to use invalid iface\n"));
return NULL;
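Review bot: The ordered comparison `call->auth_state->auth_level < h->min_auth_level` only works as a downgrade check if the values of `enum dcerpc_AuthLevel` increase with protection strength, and nothing in the hunk records that assumption. A comment above the `if` would pin it down, for example `/* auth levels are ordered by strength: refuse a handle presented over a weaker connection than the one that created it */`. The rejection logs at `DEBUG(0, ...)` for a condition a client can reach repeatedly, as the iface check below it also does, so it is worth confirming that level 0 is intended for both. The two `%u` arguments are enum values, and casting them to `unsigned` would make the format match explicit. The body of dcesrv_handle_lookup starts and ends outside the hunk.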