summaryrefslogtreecommitdiff
path: root/source4/dsdb/samdb
diff options
context:
space:
mode:
authorNadezhda Ivanova <nivanova@samba.org>2010-06-28 10:34:14 +0300
committerNadezhda Ivanova <nivanova@samba.org>2010-06-28 10:43:50 +0300
commit5a18fc2b2a520977440e301d816bdf11ac966bc2 (patch)
treebd00c54b063c3b1be473b353c776e37ebf977e27 /source4/dsdb/samdb
parenta0bb31df5d48ddd346728971ff4e0506b8304d9a (diff)
downloadsamba-5a18fc2b2a520977440e301d816bdf11ac966bc2.tar.gz
samba-5a18fc2b2a520977440e301d816bdf11ac966bc2.tar.bz2
samba-5a18fc2b2a520977440e301d816bdf11ac966bc2.zip
Implementation of self membership validated right.
When this right is granted, the user can add or remove themselves from a group even if they dont have write property right.
Diffstat (limited to 'source4/dsdb/samdb')
-rw-r--r--source4/dsdb/samdb/ldb_modules/acl.c101
1 files changed, 100 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index ccc7edf218..b2aeb2adb7 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -654,6 +654,95 @@ static int acl_add(struct ldb_module *module, struct ldb_request *req)
return ldb_next_request(module, req);
}
+/* checks for validated writes */
+static int acl_check_self_write(struct ldb_request *req,
+ struct security_descriptor *sd,
+ struct security_token *token,
+ const char *self_write,
+ struct dom_sid *sid)
+{
+ struct GUID right;
+ NTSTATUS status;
+ uint32_t access_granted;
+ struct object_tree *root = NULL;
+ struct object_tree *new_node = NULL;
+ TALLOC_CTX *tmp_ctx = talloc_new(req);
+
+ GUID_from_string(self_write, &right);
+
+ if (!insert_in_object_tree(tmp_ctx, &right, SEC_ADS_SELF_WRITE,
+ &root, &new_node)) {
+ DEBUG(10, ("acl_modify: cannot add to object tree\n"));
+ talloc_free(tmp_ctx);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ status = sec_access_check_ds(sd, token,
+ SEC_ADS_SELF_WRITE,
+ &access_granted,
+ root,
+ sid);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("Object %s has no self membershipself write right\n",
+ ldb_dn_get_linearized(req->op.mod.message->dn)));
+ dsdb_acl_debug(sd, token,
+ req->op.mod.message->dn,
+ true,
+ 10);
+ talloc_free(tmp_ctx);
+ return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+ }
+
+ return LDB_SUCCESS;
+}
+
+/* ckecks if modifications are allowed on "Member" attribute */
+static int acl_check_self_membership(struct ldb_module *module,
+ struct ldb_request *req,
+ struct security_descriptor *sd,
+ struct dom_sid *sid,
+ const struct GUID *oc_guid,
+ const struct dsdb_attribute *attr)
+{
+ int ret, i;
+ TALLOC_CTX *tmp_ctx = talloc_new(req);
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ struct ldb_dn *user_dn;
+ struct ldb_message_element *member_el;
+ /* if we have wp, we can do whatever we like */
+ if (acl_check_access_on_attribute(module,
+ req,
+ sd,
+ sid,
+ SEC_ADS_WRITE_PROP,
+ attr) == LDB_SUCCESS) {
+ return LDB_SUCCESS;
+ }
+ /* if we are adding/deleting ourselves, check for self membership */
+ ret = dsdb_find_dn_by_sid(ldb, req, acl_user_token(module)->user_sid, &user_dn);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ member_el = ldb_msg_find_element(req->op.mod.message, "Member");
+ if (!member_el) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ /* user can only remove oneself */
+ if (member_el->num_values == 0) {
+ return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+ }
+ for (i = 0; i < member_el->num_values; i++) {
+ if (strcasecmp((const char *)member_el->values[i].data,
+ ldb_dn_get_extended_linearized(tmp_ctx, user_dn, 1)) != 0) {
+ return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+ }
+ }
+ talloc_free(tmp_ctx);
+ return acl_check_self_write(req, sd, acl_user_token(module),
+ GUID_DRS_SELF_MEMBERSHIP,
+ sid);
+}
+
static int acl_modify(struct ldb_module *module, struct ldb_request *req)
{
int ret;
@@ -753,8 +842,18 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
if (ldb_attr_cmp("nTSecurityDescriptor", req->op.mod.message->elements[i].name) == 0) {
modify_sd = true;
+ }
+ else if (ldb_attr_cmp("Member", req->op.mod.message->elements[i].name) == 0) {
+ ret = acl_check_self_membership(module,
+ req,
+ sd,
+ sid,
+ guid,
+ attr);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
} else {
-
if (!insert_in_object_tree(tmp_ctx,
&attr->attributeSecurityGUID, SEC_ADS_WRITE_PROP,
&new_node, &new_node)) {