diff options
author | Nadezhda Ivanova <nadezhda.ivanova@postpath.com> | 2010-03-07 21:42:53 +0200 |
---|---|---|
committer | Nadezhda Ivanova <nadezhda.ivanova@postpath.com> | 2010-03-09 13:07:18 +0200 |
commit | f742623b7b8a19ff3230754562deeac7657cd8cd (patch) | |
tree | ef33cf9231cff19b7e09562396930520192a95b2 | |
parent | ec53a0ca5a568627df8dac91ec2c736b0d106829 (diff) | |
download | samba-f742623b7b8a19ff3230754562deeac7657cd8cd.tar.gz samba-f742623b7b8a19ff3230754562deeac7657cd8cd.tar.bz2 samba-f742623b7b8a19ff3230754562deeac7657cd8cd.zip |
Added a check for permissions to modify the RDN attribute on rename.
Necessary because rdn module will be moved lower than acl in the stack.
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/acl.c | 12 | ||||
-rwxr-xr-x | source4/lib/ldb/tests/python/acl.py | 32 |
2 files changed, 44 insertions, 0 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index c10624d55f..e7665c792f 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c @@ -958,6 +958,7 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req) TALLOC_CTX *tmp_ctx = talloc_new(req); NTSTATUS status; uint32_t access_granted; + const char *rdn_name; static const char *acl_attrs[] = { "nTSecurityDescriptor", "objectClass", @@ -1001,6 +1002,17 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req) return LDB_ERR_OPERATIONS_ERROR; }; + rdn_name = ldb_dn_get_rdn_name(req->op.rename.olddn); + if (rdn_name == NULL) { + return LDB_ERR_OPERATIONS_ERROR; + } + guid = attribute_schemaid_guid_by_lDAPDisplayName(dsdb_get_schema(ldb), + rdn_name); + if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP, + &new_node, &new_node)) { + return LDB_ERR_OPERATIONS_ERROR; + }; + ret = get_sd_from_ldb_message(req, acl_res->msgs[0], &sd); if (ret != LDB_SUCCESS) { diff --git a/source4/lib/ldb/tests/python/acl.py b/source4/lib/ldb/tests/python/acl.py index 083c7ae1a2..42c8c7efda 100755 --- a/source4/lib/ldb/tests/python/acl.py +++ b/source4/lib/ldb/tests/python/acl.py @@ -785,6 +785,7 @@ class AclRenameTests(AclTests): self.delete_force(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou1," + self.base_dn) self.delete_force(self.ldb_admin, "CN=test_rename_user2,OU=test_rename_ou1," + self.base_dn) self.delete_force(self.ldb_admin, "CN=test_rename_user5,OU=test_rename_ou1," + self.base_dn) + self.delete_force(self.ldb_admin, "OU=test_rename_ou3,OU=test_rename_ou1," + self.base_dn) self.delete_force(self.ldb_admin, "OU=test_rename_ou1," + self.base_dn) if self.SAMBA: self.delete_force(self.ldb_admin, self.get_user_dn(self.regular_user)) @@ -939,6 +940,37 @@ class AclRenameTests(AclTests): % rename_user_dn ) self.assertNotEqual( res, [] ) + def test_rename_u8(self): + """Test rename on an object with and without modify access on the RDN attribute""" + ou1_dn = "OU=test_rename_ou1," + self.base_dn + ou2_dn = "OU=test_rename_ou2," + ou1_dn + ou3_dn = "OU=test_rename_ou3," + ou1_dn + # Create OU structure + self.create_ou(self.ldb_admin, ou1_dn) + self.create_ou(self.ldb_admin, ou2_dn) + sid = self.get_object_sid(self.get_user_dn(self.regular_user)) + mod = "(OA;;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;%s)" % str(sid) + self.dacl_add_ace(ou2_dn, mod) + mod = "(OD;;WP;bf9679f0-0de6-11d0-a285-00aa003049e2;;%s)" % str(sid) + self.dacl_add_ace(ou2_dn, mod) + try: + self.ldb_user.rename(ou2_dn, ou3_dn) + except LdbError, (num, _): + self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) + else: + # This rename operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS + self.fail() + sid = self.get_object_sid(self.get_user_dn(self.regular_user)) + mod = "(A;;WP;bf9679f0-0de6-11d0-a285-00aa003049e2;;%s)" % str(sid) + self.dacl_add_ace(ou2_dn, mod) + self.ldb_user.rename(ou2_dn, ou3_dn) + res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \ + % ou2_dn ) + self.assertEqual( res, [] ) + res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \ + % ou3_dn ) + self.assertNotEqual( res, [] ) + # Important unit running information if not "://" in host: |