Windows: Improve SMB detection of Local System account
Depending on the authentication method, the smb session authenticated
name for the "local system" account may be the nul string. In this
case it is impossible to use the name to determine if the authenticated
entity is the "local system" account as required by smb_SetToken.
To work around this problem, smb_AuthenticateUserExt() will now obtain
the Security Identifier (SID) for the authenticated account. The string
representation of the SID will be used in place of the name by
smb_ReceiveV3SessionSetupX() when constructing the smb_user_t object.
A new flag, SMB_USERNAMEFLAG_SID, indicates when the name is in fact
a SID.
smb_userIsLocalSystem() checks for the SMB_USERNAMEFLAG_SID flag and
performs a SID comparison when it is set.
smb_SetToken() will accept either MACHINE\user or a SID string as
the smbname. It will obtain the SID if possible and create a SID-based
smb_user_t.
It is possible that a SYSTEM service will use an anonymous (S-1-5-7)
SMB connection. In that case, we also check the RPC Impersonation
SID to see if it is SYSTEM. If so, the RPC identity supercedes the
SMB identity for SetToken.
smb_IoctlRead, smb_IoctlV3Read and smb_IoctlRawRead are now all
consistent with regards to name processing.
projects / packages / o / openafs.git / commit