summaryrefslogtreecommitdiff
path: root/source4/dsdb/samdb
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2013-01-02 15:01:00 +1100
committerStefan Metzmacher <metze@samba.org>2013-01-21 16:12:45 +0100
commite8cc59eb781006c6193249128a1ffc4bcba8f28a (patch)
tree19fe37d014192be8ca3bc8ce45892434384d286a /source4/dsdb/samdb
parent93944ea90069df5379993f5c186ffd68e166f1c4 (diff)
downloadsamba-e8cc59eb781006c6193249128a1ffc4bcba8f28a.tar.gz
samba-e8cc59eb781006c6193249128a1ffc4bcba8f28a.tar.bz2
samba-e8cc59eb781006c6193249128a1ffc4bcba8f28a.zip
dsdb-acl: Pass the structural objectClass into acl_check_access_on_attribute
This will, when the GUID is entered into the object tree (not in this commit) ensure that access rights assigned to the structural objectClass are also available, as well as rights assigned to the attribute property groups. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/dsdb/samdb')
-rw-r--r--source4/dsdb/samdb/ldb_modules/acl.c59
-rw-r--r--source4/dsdb/samdb/ldb_modules/acl_read.c15
-rw-r--r--source4/dsdb/samdb/ldb_modules/acl_util.c3
3 files changed, 57 insertions, 20 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 0a244f9bef..638955de97 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -191,6 +191,7 @@ static int acl_allowedAttributes(struct ldb_module *module,
TALLOC_CTX *mem_ctx;
const char **attr_list;
int i, ret;
+ const struct dsdb_class *objectclass;
/* If we don't have a schema yet, we can't do anything... */
if (schema == NULL) {
@@ -215,6 +216,19 @@ static int acl_allowedAttributes(struct ldb_module *module,
talloc_free(mem_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
+
+ /*
+ * Get the top-most structural object class for the ACL check
+ */
+ objectclass = dsdb_get_last_structural_class(ac->schema,
+ oc_el);
+ if (objectclass == NULL) {
+ ldb_asprintf_errstring(ldb, "acl_read: Failed to find a structural class for %s",
+ ldb_dn_get_linearized(sd_msg->dn));
+ talloc_free(mem_ctx);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
if (ac->allowedAttributes) {
for (i=0; attr_list && attr_list[i]; i++) {
ldb_msg_add_string(msg, "allowedAttributes", attr_list[i]);
@@ -262,7 +276,8 @@ static int acl_allowedAttributes(struct ldb_module *module,
sd,
sid,
SEC_ADS_WRITE_PROP,
- attr);
+ attr,
+ objectclass);
if (ret == LDB_SUCCESS) {
ldb_msg_add_string(msg, "allowedAttributesEffective", attr_list[i]);
}
@@ -479,10 +494,15 @@ static int acl_sDRightsEffective(struct ldb_module *module,
}
if (ac->am_system || as_system) {
flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_SACL | SECINFO_DACL;
- }
- else {
+ } else {
+ const struct dsdb_class *objectclass;
const struct dsdb_attribute *attr;
+ objectclass = dsdb_get_structural_oc_from_msg(ac->schema, sd_msg);
+ if (objectclass == NULL) {
+ return ldb_operr(ldb);
+ }
+
attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
"nTSecurityDescriptor");
if (attr == NULL) {
@@ -500,7 +520,8 @@ static int acl_sDRightsEffective(struct ldb_module *module,
sd,
sid,
SEC_STD_WRITE_OWNER,
- attr);
+ attr,
+ objectclass);
if (ret == LDB_SUCCESS) {
flags |= SECINFO_OWNER | SECINFO_GROUP;
}
@@ -509,7 +530,8 @@ static int acl_sDRightsEffective(struct ldb_module *module,
sd,
sid,
SEC_STD_WRITE_DAC,
- attr);
+ attr,
+ objectclass);
if (ret == LDB_SUCCESS) {
flags |= SECINFO_DACL;
}
@@ -518,7 +540,8 @@ static int acl_sDRightsEffective(struct ldb_module *module,
sd,
sid,
SEC_FLAG_SYSTEM_SECURITY,
- attr);
+ attr,
+ objectclass);
if (ret == LDB_SUCCESS) {
flags |= SECINFO_SACL;
}
@@ -636,8 +659,8 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx,
struct ldb_request *req,
struct security_descriptor *sd,
struct dom_sid *sid,
- const struct GUID *oc_guid,
- const struct dsdb_attribute *attr)
+ const struct dsdb_attribute *attr,
+ const struct dsdb_class *objectclass)
{
int ret;
unsigned int i;
@@ -671,7 +694,7 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx,
sd,
sid,
SEC_ADS_WRITE_PROP,
- attr) == LDB_SUCCESS) {
+ attr, objectclass) == LDB_SUCCESS) {
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
@@ -828,8 +851,8 @@ static int acl_check_self_membership(TALLOC_CTX *mem_ctx,
struct ldb_request *req,
struct security_descriptor *sd,
struct dom_sid *sid,
- const struct GUID *oc_guid,
- const struct dsdb_attribute *attr)
+ const struct dsdb_attribute *attr,
+ const struct dsdb_class *objectclass)
{
int ret;
unsigned int i;
@@ -842,7 +865,7 @@ static int acl_check_self_membership(TALLOC_CTX *mem_ctx,
sd,
sid,
SEC_ADS_WRITE_PROP,
- attr) == LDB_SUCCESS) {
+ attr, objectclass) == LDB_SUCCESS) {
return LDB_SUCCESS;
}
/* if we are adding/deleting ourselves, check for self membership */
@@ -884,7 +907,7 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
struct ldb_request *req,
struct security_descriptor *sd,
struct dom_sid *sid,
- const struct GUID *oc_guid,
+ const struct dsdb_class *objectclass,
bool userPassword)
{
int ret = LDB_SUCCESS;
@@ -1109,8 +1132,8 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
req,
sd,
sid,
- &objectclass->schemaIDGUID,
- attr);
+ attr,
+ objectclass);
if (ret != LDB_SUCCESS) {
goto fail;
}
@@ -1126,7 +1149,7 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
req,
sd,
sid,
- &objectclass->schemaIDGUID,
+ objectclass,
userPassword);
if (ret != LDB_SUCCESS) {
goto fail;
@@ -1137,8 +1160,8 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
req,
sd,
sid,
- &objectclass->schemaIDGUID,
- attr);
+ attr,
+ objectclass);
if (ret != LDB_SUCCESS) {
goto fail;
}
diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index dcabd56a78..07b1bc4e5e 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -76,6 +76,7 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
struct dom_sid *sid = NULL;
TALLOC_CTX *tmp_ctx;
uint32_t instanceType;
+ const struct dsdb_class *objectclass;
ac = talloc_get_type(req->context, struct aclread_context);
ldb = ldb_module_get_ctx(ac->module);
@@ -98,6 +99,17 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
ret = LDB_ERR_OPERATIONS_ERROR;
goto fail;
}
+ /*
+ * Get the most specific structural object class for the ACL check
+ */
+ objectclass = dsdb_get_structural_oc_from_msg(ac->schema, msg);
+ if (objectclass == NULL) {
+ ldb_asprintf_errstring(ldb, "acl_read: Failed to find a structural class for %s",
+ ldb_dn_get_linearized(msg->dn));
+ ret = LDB_ERR_OPERATIONS_ERROR;
+ goto fail;
+ }
+
sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
/* get the object instance type */
instanceType = ldb_msg_find_attr_as_uint(msg,
@@ -196,7 +208,8 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
sd,
sid,
access_mask,
- attr);
+ attr,
+ objectclass);
/*
* Dirsync control needs the replpropertymetadata attribute
diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c b/source4/dsdb/samdb/ldb_modules/acl_util.c
index bbf8e660a6..95ab2752c7 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_util.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_util.c
@@ -96,7 +96,8 @@ int acl_check_access_on_attribute(struct ldb_module *module,
struct security_descriptor *sd,
struct dom_sid *rp_sid,
uint32_t access_mask,
- const struct dsdb_attribute *attr)
+ const struct dsdb_attribute *attr,
+ const struct dsdb_class *objectclass)
{
int ret;
NTSTATUS status;