samba/samba-3.0.20-usrmgr_groups_v1.patch

diff -ubBrN --exclude-from=diff.excludes samba-3.0.20-orig/source/rpc_server/srv_samr_nt.c samba-3.0.20-new/source/rpc_server/srv_samr_nt.c
--- samba-3.0.20-orig/source/rpc_server/srv_samr_nt.c	2005-08-07 18:09:55.000000000 -0500
+++ samba-3.0.20-new/source/rpc_server/srv_samr_nt.c	2005-09-01 16:34:06.000000000 -0500
@@ -3927,6 +3927,8 @@
 	GROUP_MAP map;
 	GROUP_INFO_CTR *ctr;
 	uint32 acc_granted;
+	BOOL ret;
+	BOOL can_mod_accounts;
 
 	if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted))
 		return NT_STATUS_INVALID_HANDLE;
@@ -3951,11 +3953,21 @@
 			return NT_STATUS_INVALID_INFO_CLASS;
 	}
 
-	if(!pdb_update_group_mapping_entry(&map)) {
-		return NT_STATUS_NO_SUCH_GROUP;
-	}
+	can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
 
-	return NT_STATUS_OK;
+	/******** BEGIN SeAddUsers BLOCK *********/
+
+	if ( can_mod_accounts )
+		become_root();
+	  
+	ret = pdb_update_group_mapping_entry(&map);
+
+	if ( can_mod_accounts )
+		unbecome_root();
+
+	/******** End SeAddUsers BLOCK *********/
+
+	return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
 }
 
 /*********************************************************************
@@ -3970,6 +3982,8 @@
 	struct acct_info info;
 	ALIAS_INFO_CTR *ctr;
 	uint32 acc_granted;
+	BOOL ret;
+	BOOL can_mod_accounts;
 
 	if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted))
 		return NT_STATUS_INVALID_HANDLE;
@@ -3992,11 +4006,21 @@
 			return NT_STATUS_INVALID_INFO_CLASS;
 	}
 
-	if(!pdb_set_aliasinfo(&group_sid, &info)) {
-		return NT_STATUS_ACCESS_DENIED;
-	}
+        can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
 
-	return NT_STATUS_OK;
+        /******** BEGIN SeAddUsers BLOCK *********/
+
+        if ( can_mod_accounts )
+                become_root();
+
+        ret = pdb_set_aliasinfo( &group_sid, &info );
+
+        if ( can_mod_accounts )
+                unbecome_root();
+
+        /******** End SeAddUsers BLOCK *********/
+
+	return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
 }
 
 /*********************************************************************
* Mon Aug 22 2005 Jay Fenlason <fenlason@redhat.com> 3.0.20-2 - New upstream release Includes five upstream patches -bug3010_v1, -groupname_enumeration_v3, -regcreatekey_winxp_v1, -usrmgr_groups_v1, and -winbindd_v1 This obsoletes the -pie and -delim patches the -warning and -gcc4 patches are obsolete too The -man, -passwd, and -smbspool patches were updated to match 3.0.20pre1 Also, the -quoting patch was implemented differently upstream There is now a umount.cifs executable and manpage We run autogen.sh as part of the build phase The testprns command is now gone libsmbclient now has a man page - Include -bug106483 patch to close bz#106483 smbclient: -N negates the provided password, despite documentation - Added the -warnings patch to quiet some compiler warnings. - Removed many obsolete patches from CVS. 2005-09-12 20:40:11 +00:00			`diff -ubBrN --exclude-from=diff.excludes samba-3.0.20-orig/source/rpc_server/srv_samr_nt.c samba-3.0.20-new/source/rpc_server/srv_samr_nt.c`
			`--- samba-3.0.20-orig/source/rpc_server/srv_samr_nt.c 2005-08-07 18:09:55.000000000 -0500`
			`+++ samba-3.0.20-new/source/rpc_server/srv_samr_nt.c 2005-09-01 16:34:06.000000000 -0500`
			`@@ -3927,6 +3927,8 @@`
			`GROUP_MAP map;`
			`GROUP_INFO_CTR *ctr;`
			`uint32 acc_granted;`
			`+ BOOL ret;`
			`+ BOOL can_mod_accounts;`

			`if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted))`
			`return NT_STATUS_INVALID_HANDLE;`
			`@@ -3951,11 +3953,21 @@`
			`return NT_STATUS_INVALID_INFO_CLASS;`
			`}`

			`- if(!pdb_update_group_mapping_entry(&map)) {`
			`- return NT_STATUS_NO_SUCH_GROUP;`
			`- }`
			`+ can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );`

			`- return NT_STATUS_OK;`
			`+ /****** BEGIN SeAddUsers BLOCK *******/`
			`+`
			`+ if ( can_mod_accounts )`
			`+ become_root();`
			`+`
			`+ ret = pdb_update_group_mapping_entry(&map);`
			`+`
			`+ if ( can_mod_accounts )`
			`+ unbecome_root();`
			`+`
			`+ /****** End SeAddUsers BLOCK *******/`
			`+`
			`+ return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;`
			`}`

			`/*********************************************************************`
			`@@ -3970,6 +3982,8 @@`
			`struct acct_info info;`
			`ALIAS_INFO_CTR *ctr;`
			`uint32 acc_granted;`
			`+ BOOL ret;`
			`+ BOOL can_mod_accounts;`

			`if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted))`
			`return NT_STATUS_INVALID_HANDLE;`
			`@@ -3992,11 +4006,21 @@`
			`return NT_STATUS_INVALID_INFO_CLASS;`
			`}`

			`- if(!pdb_set_aliasinfo(&group_sid, &info)) {`
			`- return NT_STATUS_ACCESS_DENIED;`
			`- }`
			`+ can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );`

			`- return NT_STATUS_OK;`
			`+ /****** BEGIN SeAddUsers BLOCK *******/`
			`+`
			`+ if ( can_mod_accounts )`
			`+ become_root();`
			`+`
			`+ ret = pdb_set_aliasinfo( &group_sid, &info );`
			`+`
			`+ if ( can_mod_accounts )`
			`+ unbecome_root();`
			`+`
			`+ /****** End SeAddUsers BLOCK *******/`
			`+`
			`+ return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;`
			`}`

			`/*********************************************************************`