author | Stefan Metzmacher <metze@samba.org> | 2012-11-21 14:04:09 +0100 |
---|---|---|
committer | Michael Adam <obnox@samba.org> | 2012-11-30 17:17:20 +0100 |
commit | fa676769e0d5d3f161b295f06f643fdacebb82ca (patch) | |
tree | 5f620d7c16a73bdb7fcc7d21bdab0d1547437a9b | |
parent | ca3c0e28ef5d43f0af487e45a56f2929f5f23b4e (diff) | |
download | samba-fa676769e0d5d3f161b295f06f643fdacebb82ca.tar.gz samba-fa676769e0d5d3f161b295f06f643fdacebb82ca.tar.bz2 samba-fa676769e0d5d3f161b295f06f643fdacebb82ca.zip |
s4:dsdb/acl_read: specify the correct access_mask for nTSecurityDescriptor
We need to base the access mask on the given SD Flags.
Originally we always required SEC_FLAG_SYSTEM_SECURITY, so a read that
should have been allowed could fail with INSUFFICIENT_RIGHTS.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/acl_read.c | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index bc75d3221b..60b0d87d95 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -44,6 +44,7 @@ struct aclread_context {
 	struct ldb_request *req;
 	const char * const *attrs;
 	const struct dsdb_schema *schema;
+	uint32_t sd_flags;
 	bool sd;
 	bool instance_type;
 	bool object_sid;
@@ -149,7 +150,17 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
 	}
 	/* nTSecurityDescriptor is a special case */
 	if (is_sd) {
-		access_mask = SEC_FLAG_SYSTEM_SECURITY|SEC_STD_READ_CONTROL;
+		access_mask = 0;
+
+		if (ac->sd_flags & (SECINFO_OWNER|SECINFO_GROUP)) {
+			access_mask |= SEC_STD_READ_CONTROL;
+		}
+		if (ac->sd_flags & SECINFO_DACL) {
+			access_mask |= SEC_STD_READ_CONTROL;
+		}
+		if (ac->sd_flags & SECINFO_SACL) {
+			access_mask |= SEC_FLAG_SYSTEM_SECURITY;
+		}
 	} else {
 		access_mask = SEC_ADS_READ_PROP;
 	}
@@ -158,6 +169,11 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
 		access_mask |= SEC_ADS_CONTROL_ACCESS;
 	}
 
+	if (access_mask == 0) {
+		aclread_mark_inaccesslible(&msg->elements[i]);
+		continue;
+	}
+
 	ret = acl_check_access_on_attribute(ac->module,
 					    tmp_ctx,
 					    sd,
@@ -332,6 +348,8 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
 	 * expensive so we'd better had the ntsecuritydescriptor to the list of
 	 * searched attribute and then remove it !
 	 */
+	ac->sd_flags = dsdb_request_sd_flags(ac->req, NULL);
+
 	ac->sd = !(ldb_attr_in_list(req->op.search.attrs, "nTSecurityDescriptor"));
 	if (req->op.search.attrs && !ldb_attr_in_list(req->op.search.attrs, "*")) {
 		if (!ldb_attr_in_list(req->op.search.attrs, "instanceType")) {
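Review bot: The new `sd_flags` member of struct aclread_context carries no comment, so its unit (SECINFO_* bits) and the place it is filled in are only discoverable by reading the other hunks. Suggest `/* SECINFO_* bits requested for nTSecurityDescriptor, set in aclread_search() */` directly above `uint32_t sd_flags;`. struct aclread_context begins before this hunk and ends after it.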
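Review bot: The OWNER|GROUP branch and the DACL branch in the `is_sd` block both add the same bit, SEC_STD_READ_CONTROL, so they read as two different rules when they are one; a single test `if (ac->sd_flags & (SECINFO_OWNER|SECINFO_GROUP|SECINFO_DACL)) { access_mask |= SEC_STD_READ_CONTROL; }` followed by the separate SACL branch states the mapping more plainly. A short comment at the top of the block would also help, e.g. `/* owner, group and DACL need READ_CONTROL; the SACL needs SEC_FLAG_SYSTEM_SECURITY instead, not in addition */`, since the change from the old always-both mask to a per-part mask is the whole point of the commit. Whether acl_check_access_on_attribute() honours SEC_FLAG_SYSTEM_SECURITY on its own (without READ_CONTROL) is not visible here and is worth confirming. aclread_callback begins before this hunk and continues after it.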
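Review bot: The new `access_mask == 0` branch hides the element without any access check, and it is reachable exactly when `ac->sd_flags` has none of the four SECINFO bits; whether that can occur depends on what dsdb_request_sd_flags() returns for a request that carries no SD flags control, which is outside this diff. If it returns 0 in that case a plain search for nTSecurityDescriptor would now silently get nothing, a regression from the old code; if it defaults to all four parts that assumption should be recorded at the branch, e.g. `/* only reachable when no SECINFO part was requested; dsdb_request_sd_flags() is expected to default to all parts, so this is a fail-closed guard */`. Hiding rather than granting on an empty mask is the right default either way. aclread_callback begins before this hunk and continues after it.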
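Review bot: The new assignment in aclread_search is not explained where it is made, and the existing comment directly above it talks about adding nTSecurityDescriptor to the attribute list, so a reader may take `ac->sd_flags` as part of that mechanism rather than as the input to the per-part access mask computed later in the callback. Suggest `/* remember the requested SECINFO parts; aclread_callback() derives the access mask for nTSecurityDescriptor from them */` above `ac->sd_flags = dsdb_request_sd_flags(ac->req, NULL);`. Passing NULL for the second argument discards whether the control was explicitly present, which looks intentional for a read check but is worth a word if the helper's default matters here. aclread_search begins before this hunk and continues after it.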