From: Jeffrey Altman Date: Sun, 17 Oct 2004 16:18:24 +0000 (+0000) Subject: local-system-acct-20041017 X-Git-Tag: BP-disconnected~197 X-Git-Url: http://git.openafs.org/?p=openafs.git;a=commitdiff_plain;h=3c89433fc9e5229ad19c2096f5758a7730c47f0c local-system-acct-20041017 When testing for Administrator privileges always grant them to the Local System account --- diff --git a/src/WINNT/afsd/fs.c b/src/WINNT/afsd/fs.c index 9dc00e0..1f3630e 100644 --- a/src/WINNT/afsd/fs.c +++ b/src/WINNT/afsd/fs.c @@ -609,8 +609,6 @@ BOOL IsAdmin (void) return FALSE; } - fTested = TRUE; - dwSize = 0; dwSize2 = 0; @@ -645,39 +643,76 @@ BOOL IsAdmin (void) if (OpenProcessToken (GetCurrentProcess(), TOKEN_QUERY, &hToken)) { - /* We'll have to allocate a chunk of memory to store the list of - * groups to which this user belongs; find out how much memory - * we'll need. - */ - DWORD dwSize = 0; - PTOKEN_GROUPS pGroups; - - GetTokenInformation (hToken, TokenGroups, NULL, dwSize, &dwSize); - - pGroups = (PTOKEN_GROUPS)malloc(dwSize); - - /* Allocate that buffer, and read in the list of groups. */ - if (GetTokenInformation (hToken, TokenGroups, pGroups, dwSize, &dwSize)) - { - /* Look through the list of group SIDs and see if any of them - * matches the AFS Client Admin group SID. + + if (!CheckTokenMembership(hToken, psidAdmin, &fAdmin)) { + /* We'll have to allocate a chunk of memory to store the list of + * groups to which this user belongs; find out how much memory + * we'll need. */ - size_t iGroup = 0; - for (; (!fAdmin) && (iGroup < pGroups->GroupCount); ++iGroup) + DWORD dwSize = 0; + PTOKEN_GROUPS pGroups; + + GetTokenInformation (hToken, TokenGroups, NULL, dwSize, &dwSize); + + pGroups = (PTOKEN_GROUPS)malloc(dwSize); + + /* Allocate that buffer, and read in the list of groups. */ + if (GetTokenInformation (hToken, TokenGroups, pGroups, dwSize, &dwSize)) { - if (EqualSid (psidAdmin, pGroups->Groups[ iGroup ].Sid)) { - fAdmin = TRUE; + /* Look through the list of group SIDs and see if any of them + * matches the AFS Client Admin group SID. + */ + size_t iGroup = 0; + for (; (!fAdmin) && (iGroup < pGroups->GroupCount); ++iGroup) + { + if (EqualSid (psidAdmin, pGroups->Groups[ iGroup ].Sid)) { + fAdmin = TRUE; + } } } + + if (pGroups) + free(pGroups); } - if (pGroups) - free(pGroups); + /* if do not have permission because we were not explicitly listed + * in the Admin Client Group let's see if we are the SYSTEM account + */ + if (!fAdmin) { + PTOKEN_USER pTokenUser; + SID_IDENTIFIER_AUTHORITY SIDAuth = SECURITY_NT_AUTHORITY; + PSID pSidLocalSystem = 0; + DWORD gle; + + GetTokenInformation(hToken, TokenUser, NULL, 0, &dwSize); + + pTokenUser = (PTOKEN_USER)malloc(dwSize); + + if (!GetTokenInformation(hToken, TokenUser, pTokenUser, dwSize, &dwSize)) + gle = GetLastError(); + + if (AllocateAndInitializeSid( &SIDAuth, 1, + SECURITY_LOCAL_SYSTEM_RID, + 0, 0, 0, 0, 0, 0, 0, + &pSidLocalSystem)) + { + if (EqualSid(pTokenUser->User.Sid, pSidLocalSystem)) { + fAdmin = TRUE; + } + + FreeSid(pSidLocalSystem); + } + + if ( pTokenUser ) + free(pTokenUser); + } } } free(psidAdmin); free(pszRefDomain); + + fTested = TRUE; } return fAdmin; diff --git a/src/WINNT/client_config/isadmin.cpp b/src/WINNT/client_config/isadmin.cpp index 2013b7b..8cf1daf 100644 --- a/src/WINNT/client_config/isadmin.cpp +++ b/src/WINNT/client_config/isadmin.cpp @@ -76,8 +76,6 @@ BOOL IsAdmin (void) return FALSE; } - fTested = TRUE; - dwSize = 0; dwSize2 = 0; @@ -99,7 +97,7 @@ BOOL IsAdmin (void) return TRUE; } - psidAdmin = (PSID) malloc(dwSize); memset(psidAdmin,0,dwSize); + psidAdmin = (PSID)malloc(dwSize); memset(psidAdmin,0,dwSize); pszRefDomain = (char *)malloc(dwSize2); if (!LookupAccountName(NULL, pszAdminGroup, psidAdmin, &dwSize, pszRefDomain, &dwSize2, &snu)) { @@ -112,39 +110,76 @@ BOOL IsAdmin (void) if (OpenProcessToken (GetCurrentProcess(), TOKEN_QUERY, &hToken)) { - /* We'll have to allocate a chunk of memory to store the list of - * groups to which this user belongs; find out how much memory - * we'll need. - */ - DWORD dwSize = 0; - PTOKEN_GROUPS pGroups; - - GetTokenInformation (hToken, TokenGroups, NULL, dwSize, &dwSize); - - pGroups = (PTOKEN_GROUPS)malloc(dwSize); - - /* Allocate that buffer, and read in the list of groups. */ - if (GetTokenInformation (hToken, TokenGroups, pGroups, dwSize, &dwSize)) - { - /* Look through the list of group SIDs and see if any of them - * matches the AFS Client Admin group SID. + + if (!CheckTokenMembership(hToken, psidAdmin, &fAdmin)) { + /* We'll have to allocate a chunk of memory to store the list of + * groups to which this user belongs; find out how much memory + * we'll need. */ - size_t iGroup = 0; - for (; (!fAdmin) && (iGroup < pGroups->GroupCount); ++iGroup) + DWORD dwSize = 0; + PTOKEN_GROUPS pGroups; + + GetTokenInformation (hToken, TokenGroups, NULL, dwSize, &dwSize); + + pGroups = (PTOKEN_GROUPS)malloc(dwSize); + + /* Allocate that buffer, and read in the list of groups. */ + if (GetTokenInformation (hToken, TokenGroups, pGroups, dwSize, &dwSize)) { - if (EqualSid (psidAdmin, pGroups->Groups[ iGroup ].Sid)) { - fAdmin = TRUE; + /* Look through the list of group SIDs and see if any of them + * matches the AFS Client Admin group SID. + */ + size_t iGroup = 0; + for (; (!fAdmin) && (iGroup < pGroups->GroupCount); ++iGroup) + { + if (EqualSid (psidAdmin, pGroups->Groups[ iGroup ].Sid)) { + fAdmin = TRUE; + } } } + + if (pGroups) + free(pGroups); } - if (pGroups) - free(pGroups); + /* if do not have permission because we were not explicitly listed + * in the Admin Client Group let's see if we are the SYSTEM account + */ + if (!fAdmin) { + PTOKEN_USER pTokenUser; + SID_IDENTIFIER_AUTHORITY SIDAuth = SECURITY_NT_AUTHORITY; + PSID pSidLocalSystem = 0; + DWORD gle; + + GetTokenInformation(hToken, TokenUser, NULL, 0, &dwSize); + + pTokenUser = (PTOKEN_USER)malloc(dwSize); + + if (!GetTokenInformation(hToken, TokenUser, pTokenUser, dwSize, &dwSize)) + gle = GetLastError(); + + if (AllocateAndInitializeSid( &SIDAuth, 1, + SECURITY_LOCAL_SYSTEM_RID, + 0, 0, 0, 0, 0, 0, 0, + &pSidLocalSystem)) + { + if (EqualSid(pTokenUser->User.Sid, pSidLocalSystem)) { + fAdmin = TRUE; + } + + FreeSid(pSidLocalSystem); + } + + if ( pTokenUser ) + free(pTokenUser); + } } } free(psidAdmin); free(pszRefDomain); + + fTested = TRUE; } return fAdmin;