Windows: Return error for SetToken PIOCTL_LOGON if not LocalSystem

If the PIOCTL_LOGON flag is set and the user is not LocalSystem, return Access Denied. LICENSE MIT Change-Id: I25f042353fb8b70aba4fb01ba1a5b204470416f5 Reviewed-on: http://gerrit.openafs.org/2568 Reviewed-by: Jeffrey Altman <jaltman@openafs.org> Tested-by: Jeffrey Altman <jaltman@openafs.org>
2025-02-01 05:57:43 +00:00 · 2010-08-16 14:27:44 -04:00 · 2010-08-16 14:27:44 -04:00 · 67ca70bfd3
commit 67ca70bfd3
parent ce24220004
1 changed files with 8 additions and 1 deletions
--- a/src/WINNT/afsd/smb_ioctl.c
+++ b/src/WINNT/afsd/smb_ioctl.c
@ -1032,7 +1032,7 @@ smb_IoctlSetToken(struct smb_ioctl *ioctlp, struct cm_user *userp, afs_uint32 pf
        uname = cm_ParseIoctlStringAlloc(&ioctlp->ioctl, tp);
        tp += strlen(tp) + 1;

-        if ((pflags & AFSCALL_FLAG_LOCAL_SYSTEM) && (flags & PIOCTL_LOGON)) {
+        if (flags & PIOCTL_LOGON) {
            /* SMB user name with which to associate tokens */
            smbname = cm_ParseIoctlStringAlloc(&ioctlp->ioctl, tp);
            osi_Log2(smb_logp,"cm_IoctlSetToken for user [%S] smbname [%S]",
@ -1051,6 +1051,11 @@ smb_IoctlSetToken(struct smb_ioctl *ioctlp, struct cm_user *userp, afs_uint32 pf
            code = CM_ERROR_INVAL;
            goto done;
        }
+
+        if (!(pflags & AFSCALL_FLAG_LOCAL_SYSTEM) && (flags & PIOCTL_LOGON)) {
+            code = CM_ERROR_NOACCESS;
+            goto done;
+        }
    } else {
        cellp = cm_data.rootCellp;
        osi_Log0(smb_logp,"cm_IoctlSetToken - no name specified");
@ -1100,6 +1105,8 @@ smb_IoctlSetToken(struct smb_ioctl *ioctlp, struct cm_user *userp, afs_uint32 pf
    cm_ResetACLCache(cellp, userp);

  done:
+    SecureZeroMemory(sessionKey, sizeof(sessionKey));
+
    if (release_userp)
 	cm_ReleaseUser(userp);