diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2013-01-02 15:01:00 +1100 |
|---|---|---|
| committer | Stefan Metzmacher <metze@samba.org> | 2013-01-21 16:12:45 +0100 |
| commit | e8cc59eb781006c6193249128a1ffc4bcba8f28a (patch) | |
| tree | 19fe37d014192be8ca3bc8ce45892434384d286a /source4/dsdb/samdb/ldb_modules/acl.c | |
| parent | 93944ea90069df5379993f5c186ffd68e166f1c4 (diff) | |
| download | samba-e8cc59eb781006c6193249128a1ffc4bcba8f28a.tar.gz samba-e8cc59eb781006c6193249128a1ffc4bcba8f28a.tar.bz2 samba-e8cc59eb781006c6193249128a1ffc4bcba8f28a.zip | |
dsdb-acl: Pass the structural objectClass into acl_check_access_on_attribute
This will, when the GUID is entered into the object tree (not in this
commit) ensure that access rights assigned to the structural
objectClass are also available, as well as rights assigned to the
attribute property groups.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/dsdb/samdb/ldb_modules/acl.c')
| -rw-r--r-- | source4/dsdb/samdb/ldb_modules/acl.c | 59 |
1 files changed, 41 insertions, 18 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index 0a244f9bef..638955de97 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c @@ -191,6 +191,7 @@ static int acl_allowedAttributes(struct ldb_module *module, TALLOC_CTX *mem_ctx; const char **attr_list; int i, ret; + const struct dsdb_class *objectclass; /* If we don't have a schema yet, we can't do anything... */ if (schema == NULL) { @@ -215,6 +216,19 @@ static int acl_allowedAttributes(struct ldb_module *module, talloc_free(mem_ctx); return LDB_ERR_OPERATIONS_ERROR; } + + /* + * Get the top-most structural object class for the ACL check + */ + objectclass = dsdb_get_last_structural_class(ac->schema, + oc_el); + if (objectclass == NULL) { + ldb_asprintf_errstring(ldb, "acl_read: Failed to find a structural class for %s", + ldb_dn_get_linearized(sd_msg->dn)); + talloc_free(mem_ctx); + return LDB_ERR_OPERATIONS_ERROR; + } + if (ac->allowedAttributes) { for (i=0; attr_list && attr_list[i]; i++) { ldb_msg_add_string(msg, "allowedAttributes", attr_list[i]); @@ -262,7 +276,8 @@ static int acl_allowedAttributes(struct ldb_module *module, sd, sid, SEC_ADS_WRITE_PROP, - attr); + attr, + objectclass); if (ret == LDB_SUCCESS) { ldb_msg_add_string(msg, "allowedAttributesEffective", attr_list[i]); } @@ -479,10 +494,15 @@ static int acl_sDRightsEffective(struct ldb_module *module, } if (ac->am_system || as_system) { flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_SACL | SECINFO_DACL; - } - else { + } else { + const struct dsdb_class *objectclass; const struct dsdb_attribute *attr; + objectclass = dsdb_get_structural_oc_from_msg(ac->schema, sd_msg); + if (objectclass == NULL) { + return ldb_operr(ldb); + } + attr = dsdb_attribute_by_lDAPDisplayName(ac->schema, "nTSecurityDescriptor"); if (attr == NULL) { @@ -500,7 +520,8 @@ static int acl_sDRightsEffective(struct ldb_module *module, sd, sid, SEC_STD_WRITE_OWNER, - attr); + attr, + objectclass); if (ret == LDB_SUCCESS) { flags |= SECINFO_OWNER | SECINFO_GROUP; } @@ -509,7 +530,8 @@ static int acl_sDRightsEffective(struct ldb_module *module, sd, sid, SEC_STD_WRITE_DAC, - attr); + attr, + objectclass); if (ret == LDB_SUCCESS) { flags |= SECINFO_DACL; } @@ -518,7 +540,8 @@ static int acl_sDRightsEffective(struct ldb_module *module, sd, sid, SEC_FLAG_SYSTEM_SECURITY, - attr); + attr, + objectclass); if (ret == LDB_SUCCESS) { flags |= SECINFO_SACL; } @@ -636,8 +659,8 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx, struct ldb_request *req, struct security_descriptor *sd, struct dom_sid *sid, - const struct GUID *oc_guid, - const struct dsdb_attribute *attr) + const struct dsdb_attribute *attr, + const struct dsdb_class *objectclass) { int ret; unsigned int i; @@ -671,7 +694,7 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx, sd, sid, SEC_ADS_WRITE_PROP, - attr) == LDB_SUCCESS) { + attr, objectclass) == LDB_SUCCESS) { talloc_free(tmp_ctx); return LDB_SUCCESS; } @@ -828,8 +851,8 @@ static int acl_check_self_membership(TALLOC_CTX *mem_ctx, struct ldb_request *req, struct security_descriptor *sd, struct dom_sid *sid, - const struct GUID *oc_guid, - const struct dsdb_attribute *attr) + const struct dsdb_attribute *attr, + const struct dsdb_class *objectclass) { int ret; unsigned int i; @@ -842,7 +865,7 @@ static int acl_check_self_membership(TALLOC_CTX *mem_ctx, sd, sid, SEC_ADS_WRITE_PROP, - attr) == LDB_SUCCESS) { + attr, objectclass) == LDB_SUCCESS) { return LDB_SUCCESS; } /* if we are adding/deleting ourselves, check for self membership */ @@ -884,7 +907,7 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx, struct ldb_request *req, struct security_descriptor *sd, struct dom_sid *sid, - const struct GUID *oc_guid, + const struct dsdb_class *objectclass, bool userPassword) { int ret = LDB_SUCCESS; @@ -1109,8 +1132,8 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req) req, sd, sid, - &objectclass->schemaIDGUID, - attr); + attr, + objectclass); if (ret != LDB_SUCCESS) { goto fail; } @@ -1126,7 +1149,7 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req) req, sd, sid, - &objectclass->schemaIDGUID, + objectclass, userPassword); if (ret != LDB_SUCCESS) { goto fail; @@ -1137,8 +1160,8 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req) req, sd, sid, - &objectclass->schemaIDGUID, - attr); + attr, + objectclass); if (ret != LDB_SUCCESS) { goto fail; } |