From 4f81ef9353ad76390aa910c8c17456fec21916c6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 6 Mar 2018 23:36:03 +0100
Subject: s3:auth: don't try to expand system or anonymous tokens in finalize_local_nt_token()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
---
 source3/auth/token_util.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

(limited to 'source3/auth/token_util.c')

diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
index 30f2f8d346b..6ebfa54126b 100644
--- a/source3/auth/token_util.c
+++ b/source3/auth/token_util.c
@@ -613,6 +613,13 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,
 	struct acct_info *info;
 	bool ok;
 
+	result->privilege_mask = 0;
+	result->rights_mask = 0;
+
+	if (result->num_sids == 0) {
+		return NT_STATUS_INVALID_TOKEN;
+	}
+
 	/* Add in BUILTIN sids */
 
 	status = add_sid_to_array(result, &global_sid_World,
@@ -626,6 +633,23 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,
 		return status;
 	}
 
+	/*
+	 * Don't expand nested groups of system, anonymous etc
+	 *
+	 * Note that they still get SID_WORLD and SID_NETWORK
+	 * for now in order let existing tests pass.
+	 *
+	 * But SYSTEM doesn't get AUTHENTICATED_USERS
+	 * and ANONYMOUS doesn't get BUILTIN GUESTS anymore.
+	 */
+	if (security_token_is_anonymous(result)) {
+		return NT_STATUS_OK;
+	}
+	if (security_token_is_system(result)) {
+		result->privilege_mask = ~0;
+		return NT_STATUS_OK;
+	}
+
 	if (!is_guest) {
 		status = add_sid_to_array(result, &global_sid_Authenticated_Users,
-- 
cgit v1.2.1
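Review bot: `result->privilege_mask = ~0;` in the second hunk fills the mask with an `int` literal; if `privilege_mask` is the unsigned 64-bit field the security_token IDL suggests, the value only reaches all-ones through sign extension, so an explicitly typed constant such as `result->privilege_mask = ~(uint64_t)0;` states the intent directly and avoids a -Wsign-conversion warning. The same early return leaves `rights_mask` at the 0 assigned in the first hunk and skips everything that follows in finalize_local_nt_token, whose body continues past the hunk; assuming that is deliberate, a one-line comment such as `/* SYSTEM gets every privilege but no account rights; the lookups below do not apply */` would record it for the next reader. The new comment block also reads `in order let existing tests pass`; `in order to let existing tests pass` was presumably meant.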