authorNadezhda Ivanova <nadezhda.ivanova@postpath.com>2009-12-18 18:00:15 +0200
committerAndrew Tridgell <tridge@samba.org>2009-12-21 23:45:06 +1100
commit35b8808b94808f5d689c2b034ff5c21c739c11a4 (patch)
treee158037c511d36034040cd7d3bb8a5accbc95f48
parent9f6c81874f6e63f30432814e4f443a69c4e04429 (diff)
Adapted acl module to skip checks if as_system control is provided.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
-rw-r--r--source4/dsdb/samdb/ldb_modules/acl.c24
1 files changed, 17 insertions, 7 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index b70b8956bb..a3298362f3 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -447,8 +447,10 @@ static int acl_allowedAttributes(struct ldb_module *module,
if (ac->allowedAttributesEffective) {
struct security_descriptor *sd;
struct dom_sid *sid = NULL;
+ struct ldb_control *as_system = ldb_request_get_control(ac->req,
+ LDB_CONTROL_AS_SYSTEM_OID);
ldb_msg_remove_attr(msg, "allowedAttributesEffective");
- if (ac->user_type == SECURITY_SYSTEM) {
+ if (ac->user_type == SECURITY_SYSTEM || as_system) {
for (i=0; attr_list && attr_list[i]; i++) {
ldb_msg_add_string(msg, "allowedAttributesEffective", attr_list[i]);
}
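Review bot: The mere presence of the LDB_CONTROL_AS_SYSTEM_OID control on ac->req is now sufficient to skip the effective-rights computation, and nothing in this hunk (nor in the matching hunks in acl_childClassesEffective, acl_sDRightsEffective, acl_add, acl_modify, acl_delete and acl_rename) checks that the request originated internally rather than from an untrusted client. If the front end guarantees that this control is never passed through from the wire, that guarantee is what every bypass in this module now rests on, and it should be stated where the control is consumed, e.g. `/* as_system is honoured only because internal callers alone can attach this control; the LDAP server must never forward it from a client */`. If no such guarantee exists, the condition should additionally require the request to be marked trusted before the control is honoured. acl_allowedAttributes starts before and continues past this hunk.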
@@ -559,10 +561,12 @@ static int acl_childClassesEffective(struct ldb_module *module,
const struct dsdb_schema *schema = dsdb_get_schema(ldb);
const struct dsdb_class *sclass;
struct security_descriptor *sd;
+ struct ldb_control *as_system = ldb_request_get_control(ac->req,
+ LDB_CONTROL_AS_SYSTEM_OID);
struct dom_sid *sid = NULL;
int i, j, ret;
- if (ac->user_type == SECURITY_SYSTEM) {
+ if (ac->user_type == SECURITY_SYSTEM || as_system) {
return acl_childClasses(module, sd_msg, msg, "allowedChildClassesEffective");
}
@@ -635,6 +639,8 @@ static int acl_sDRightsEffective(struct ldb_module *module,
struct ldb_message_element *rightsEffective;
int ret;
struct security_descriptor *sd;
+ struct ldb_control *as_system = ldb_request_get_control(ac->req,
+ LDB_CONTROL_AS_SYSTEM_OID);
struct dom_sid *sid = NULL;
uint32_t flags = 0;
@@ -644,7 +650,7 @@ static int acl_sDRightsEffective(struct ldb_module *module,
if (ret != LDB_SUCCESS) {
return ret;
}
- if (ac->user_type == SECURITY_SYSTEM) {
+ if (ac->user_type == SECURITY_SYSTEM || as_system) {
flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_SACL | SECINFO_DACL;
}
else {
@@ -699,8 +705,9 @@ static int acl_add(struct ldb_module *module, struct ldb_request *req)
const struct GUID *guid;
struct object_tree *root = NULL;
struct object_tree *new_node = NULL;
+ struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
- if (what_is_user(module) == SECURITY_SYSTEM) {
+ if (what_is_user(module) == SECURITY_SYSTEM || as_system) {
return ldb_next_request(module, req);
}
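Review bot: The control lookup added at the top of acl_add is written on a single line well past 80 columns, whereas the equivalent lookups in the earlier hunks wrap the OID argument onto a second line; the same long-line form recurs in acl_modify, acl_delete and acl_rename. Since the pair "fetch the control, then test `what_is_user(module) == SECURITY_SYSTEM || as_system`" is now duplicated in four request handlers, a small static helper that takes the module and request and returns the combined condition would keep the bypass rule in one place, so that any later tightening of it is applied to every handler at once. acl_add's body continues outside the hunk.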
@@ -752,6 +759,7 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
struct ldb_result *acl_res;
struct security_descriptor *sd;
struct dom_sid *sid = NULL;
+ struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
TALLOC_CTX *tmp_ctx = talloc_new(req);
static const char *acl_attrs[] = {
"nTSecurityDescriptor",
@@ -765,7 +773,7 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
{
DEBUG(10, ("ldb:acl_modify: %s\n", req->op.mod.message->elements[0].name));
}
- if (what_is_user(module) == SECURITY_SYSTEM) {
+ if (what_is_user(module) == SECURITY_SYSTEM || as_system) {
return ldb_next_request(module, req);
}
if (ldb_dn_is_special(req->op.mod.message->dn)) {
@@ -890,9 +898,10 @@ static int acl_delete(struct ldb_module *module, struct ldb_request *req)
int ret;
struct ldb_dn *parent = ldb_dn_get_parent(req, req->op.del.dn);
struct ldb_context *ldb;
+ struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
DEBUG(10, ("ldb:acl_delete: %s\n", ldb_dn_get_linearized(req->op.del.dn)));
- if (what_is_user(module) == SECURITY_SYSTEM) {
+ if (what_is_user(module) == SECURITY_SYSTEM || as_system) {
return ldb_next_request(module, req);
}
@@ -934,6 +943,7 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
const struct GUID *guid;
struct object_tree *root = NULL;
struct object_tree *new_node = NULL;
+ struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
TALLOC_CTX *tmp_ctx = talloc_new(req);
NTSTATUS status;
uint32_t access_granted;
@@ -945,7 +955,7 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
};
DEBUG(10, ("ldb:acl_rename: %s\n", ldb_dn_get_linearized(req->op.rename.olddn)));
- if (what_is_user(module) == SECURITY_SYSTEM) {
+ if (what_is_user(module) == SECURITY_SYSTEM || as_system) {
return ldb_next_request(module, req);
}
if (ldb_dn_is_special(req->op.rename.olddn)) {