summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2012-11-21 14:04:09 +0100
committerMichael Adam <obnox@samba.org>2012-11-30 17:17:20 +0100
commitfa676769e0d5d3f161b295f06f643fdacebb82ca (patch)
tree5f620d7c16a73bdb7fcc7d21bdab0d1547437a9b
parentca3c0e28ef5d43f0af487e45a56f2929f5f23b4e (diff)
downloadsamba-fa676769e0d5d3f161b295f06f643fdacebb82ca.tar.gz
samba-fa676769e0d5d3f161b295f06f643fdacebb82ca.tar.bz2
samba-fa676769e0d5d3f161b295f06f643fdacebb82ca.zip
s4:dsdb/acl_read: specify the correct access_mask for nTSecurityDescriptor
We need to base the access mask on the given SD Flags. Originally, we always checked for SEC_FLAG_SYSTEM_SECURITY, which could lead to INSUFFICIENT_RIGHTS when we should have been allowed to read. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
-rw-r--r--source4/dsdb/samdb/ldb_modules/acl_read.c20
1 files changed, 19 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index bc75d3221b..60b0d87d95 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -44,6 +44,7 @@ struct aclread_context {
struct ldb_request *req;
const char * const *attrs;
const struct dsdb_schema *schema;
+ uint32_t sd_flags;
bool sd;
bool instance_type;
bool object_sid;
@@ -149,7 +150,17 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
}
/* nTSecurityDescriptor is a special case */
if (is_sd) {
- access_mask = SEC_FLAG_SYSTEM_SECURITY|SEC_STD_READ_CONTROL;
+ access_mask = 0;
+
+ if (ac->sd_flags & (SECINFO_OWNER|SECINFO_GROUP)) {
+ access_mask |= SEC_STD_READ_CONTROL;
+ }
+ if (ac->sd_flags & SECINFO_DACL) {
+ access_mask |= SEC_STD_READ_CONTROL;
+ }
+ if (ac->sd_flags & SECINFO_SACL) {
+ access_mask |= SEC_FLAG_SYSTEM_SECURITY;
+ }
} else {
access_mask = SEC_ADS_READ_PROP;
}
@@ -158,6 +169,11 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
access_mask |= SEC_ADS_CONTROL_ACCESS;
}
+ if (access_mask == 0) {
+ aclread_mark_inaccesslible(&msg->elements[i]);
+ continue;
+ }
+
ret = acl_check_access_on_attribute(ac->module,
tmp_ctx,
sd,
@@ -332,6 +348,8 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
* expensive so we'd better had the ntsecuritydescriptor to the list of
* searched attribute and then remove it !
*/
+ ac->sd_flags = dsdb_request_sd_flags(ac->req, NULL);
+
ac->sd = !(ldb_attr_in_list(req->op.search.attrs, "nTSecurityDescriptor"));
if (req->op.search.attrs && !ldb_attr_in_list(req->op.search.attrs, "*")) {
if (!ldb_attr_in_list(req->op.search.attrs, "instanceType")) {