diff options
author | Nadezhda Ivanova <nadezhda.ivanova@postpath.com> | 2009-11-20 13:25:13 +0200 |
---|---|---|
committer | Nadezhda Ivanova <nadezhda.ivanova@postpath.com> | 2009-11-20 13:25:13 +0200 |
commit | 7c8b34657a19c96bbeb2181cd194f323a6827365 (patch) | |
tree | 9048d2124bc411bc65e157bc622a8df68d2a6f52 /source4/dsdb | |
parent | a760f169f4936d7e2677db9229181e2c5ac23bcd (diff) | |
download | samba-7c8b34657a19c96bbeb2181cd194f323a6827365.tar.gz samba-7c8b34657a19c96bbeb2181cd194f323a6827365.tar.bz2 samba-7c8b34657a19c96bbeb2181cd194f323a6827365.zip |
Implementation of LDAP_SERVER_SD_FLAGS_OID on modify requests.
Diffstat (limited to 'source4/dsdb')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/descriptor.c | 149 |
1 files changed, 133 insertions, 16 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c index 6a57560314..98e54b19c1 100644 --- a/source4/dsdb/samdb/ldb_modules/descriptor.c +++ b/source4/dsdb/samdb/ldb_modules/descriptor.c @@ -154,15 +154,85 @@ static struct dom_sid *get_default_group(TALLOC_CTX *mem_ctx, return NULL; } +static struct security_descriptor *descr_handle_sd_flags(TALLOC_CTX *mem_ctx, + struct security_descriptor *new_sd, + struct security_descriptor *old_sd, + uint32_t sd_flags) +{ + struct security_descriptor *final_sd; + /* if there is no control or contlol == 0 modify everything */ + if (!sd_flags) { + return new_sd; + } + + final_sd = talloc_zero(mem_ctx, struct security_descriptor); + final_sd->revision = SECURITY_DESCRIPTOR_REVISION_1; + final_sd->type = SEC_DESC_SELF_RELATIVE; + + if (sd_flags & (SECINFO_OWNER)) { + final_sd->owner_sid = talloc_memdup(mem_ctx, new_sd->owner_sid, sizeof(struct dom_sid)); + final_sd->type |= new_sd->type & SEC_DESC_OWNER_DEFAULTED; + } + else if (old_sd) { + final_sd->owner_sid = talloc_memdup(mem_ctx, old_sd->owner_sid, sizeof(struct dom_sid)); + final_sd->type |= old_sd->type & SEC_DESC_OWNER_DEFAULTED; + } + + if (sd_flags & (SECINFO_GROUP)) { + final_sd->group_sid = talloc_memdup(mem_ctx, new_sd->group_sid, sizeof(struct dom_sid)); + final_sd->type |= new_sd->type & SEC_DESC_GROUP_DEFAULTED; + } + else if (old_sd) { + final_sd->group_sid = talloc_memdup(mem_ctx, old_sd->group_sid, sizeof(struct dom_sid)); + final_sd->type |= old_sd->type & SEC_DESC_GROUP_DEFAULTED; + } + + if (sd_flags & (SECINFO_SACL)) { + final_sd->sacl = security_acl_dup(mem_ctx,new_sd->sacl); + final_sd->type |= new_sd->type & (SEC_DESC_SACL_PRESENT | + SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ | + SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED | + SEC_DESC_SERVER_SECURITY); + } + else if (old_sd) { + final_sd->sacl = security_acl_dup(mem_ctx,old_sd->sacl); + final_sd->type |= old_sd->type & (SEC_DESC_SACL_PRESENT | + SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ | + SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED | + SEC_DESC_SERVER_SECURITY); + } + + if (sd_flags & (SECINFO_DACL)) { + final_sd->dacl = security_acl_dup(mem_ctx,new_sd->dacl); + final_sd->type |= new_sd->type & (SEC_DESC_DACL_PRESENT | + SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ | + SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED | + SEC_DESC_DACL_TRUSTED); + } + else if (old_sd) { + final_sd->dacl = security_acl_dup(mem_ctx,old_sd->dacl); + final_sd->type |= old_sd->type & (SEC_DESC_DACL_PRESENT | + SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ | + SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED | + SEC_DESC_DACL_TRUSTED); + } + /* not so sure about this */ + final_sd->type |= new_sd->type & SEC_DESC_RM_CONTROL_VALID; + return final_sd; +} + static DATA_BLOB *get_new_descriptor(struct ldb_module *module, struct ldb_dn *dn, TALLOC_CTX *mem_ctx, const struct dsdb_class *objectclass, const struct ldb_val *parent, - struct ldb_val *object) + struct ldb_val *object, + struct ldb_val *old_sd, + uint32_t sd_flags) { struct security_descriptor *user_descriptor = NULL, *parent_descriptor = NULL; - struct security_descriptor *new_sd; + struct security_descriptor *old_descriptor = NULL; + struct security_descriptor *new_sd, *final_sd; DATA_BLOB *linear_sd; enum ndr_err_code ndr_err; struct ldb_context *ldb = ldb_module_get_ctx(module); @@ -175,13 +245,14 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module, if (object) { user_descriptor = talloc(mem_ctx, struct security_descriptor); - if(!user_descriptor) + if (!user_descriptor) { return NULL; + } ndr_err = ndr_pull_struct_blob(object, user_descriptor, NULL, user_descriptor, (ndr_pull_flags_fn_t)ndr_pull_security_descriptor); - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)){ + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { talloc_free(user_descriptor); return NULL; } @@ -189,19 +260,36 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module, user_descriptor = get_sd_unpacked(module, mem_ctx, objectclass); } - if (parent){ + if (old_sd) { + old_descriptor = talloc(mem_ctx, struct security_descriptor); + if (!old_descriptor) { + return NULL; + } + ndr_err = ndr_pull_struct_blob(old_sd, old_descriptor, NULL, + old_descriptor, + (ndr_pull_flags_fn_t)ndr_pull_security_descriptor); + + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + talloc_free(old_descriptor); + return NULL; + } + } + + if (parent) { parent_descriptor = talloc(mem_ctx, struct security_descriptor); - if(!parent_descriptor) + if (!parent_descriptor) { return NULL; + } ndr_err = ndr_pull_struct_blob(parent, parent_descriptor, NULL, parent_descriptor, (ndr_pull_flags_fn_t)ndr_pull_security_descriptor); - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)){ + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { talloc_free(parent_descriptor); return NULL; } } + default_owner = get_default_ag(mem_ctx, dn, session_info->security_token, ldb); default_group = get_default_group(mem_ctx, ldb, default_owner); @@ -210,11 +298,15 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module, session_info->security_token, default_owner, default_group, map_generic_rights_ds); - if (!new_sd) + if (!new_sd) { return NULL; + } + final_sd = descr_handle_sd_flags(mem_ctx, new_sd, old_descriptor, sd_flags); - - sddl_sd = sddl_encode(mem_ctx, new_sd, domain_sid); + if (!final_sd) { + return NULL; + } + sddl_sd = sddl_encode(mem_ctx, final_sd, domain_sid); DEBUG(10, ("Object %s created with desriptor %s\n\n", ldb_dn_get_linearized(dn), sddl_sd)); linear_sd = talloc(mem_ctx, DATA_BLOB); @@ -224,7 +316,7 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module, ndr_err = ndr_push_struct_blob(linear_sd, mem_ctx, lp_iconv_convenience(ldb_get_opaque(ldb, "loadparm")), - new_sd, + final_sd, (ndr_push_flags_fn_t)ndr_push_security_descriptor); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { return NULL; @@ -383,12 +475,16 @@ static int descriptor_do_mod(struct descriptor_context *ac) struct ldb_context *ldb; const struct dsdb_schema *schema; struct ldb_request *mod_req; - struct ldb_message_element *objectclass_element, *tmp_element; + struct ldb_message_element *objectclass_element, *tmp_element, *oldsd_el; + struct ldb_val *oldsd_val = NULL; int ret; DATA_BLOB *sd; const struct dsdb_class *objectclass; struct ldb_message *msg; + struct ldb_control *sd_control; + struct ldb_control **saved_controls; int flags = 0; + uint32_t sd_flags = 0; ldb = ldb_module_get_ctx(ac->module); schema = dsdb_get_schema(ldb); @@ -402,9 +498,21 @@ static int descriptor_do_mod(struct descriptor_context *ac) ldb_dn_get_linearized(ac->search_oc_res->message->dn)); return LDB_ERR_OPERATIONS_ERROR; } - + sd_control = ldb_request_get_control(ac->req, LDB_CONTROL_SD_FLAGS_OID); + if (sd_control) { + struct ldb_sd_flags_control *sdctr = (struct ldb_sd_flags_control *)sd_control->data; + sd_flags = sdctr->secinfo_flags; + /* we only care for the last 4 bits */ + sd_flags = sd_flags & 0x0000000F; + } + if (sd_flags != 0) { + oldsd_el = ldb_msg_find_element(ac->search_oc_res->message, "nTSecurityDescriptor"); + if (oldsd_el) { + oldsd_val = oldsd_el->values; + } + } sd = get_new_descriptor(ac->module, msg->dn, ac, objectclass, - ac->parentsd_val, ac->sd_val); + ac->parentsd_val, ac->sd_val, oldsd_val, sd_flags); if (ac->sd_val) { tmp_element = ldb_msg_find_element(msg, "ntSecurityDescriptor"); flags = tmp_element->flags; @@ -427,6 +535,15 @@ static int descriptor_do_mod(struct descriptor_context *ac) if (ret != LDB_SUCCESS) { return ret; } + /* save it locally and remove it from the list */ + /* we do not need to replace them later as we + * are keeping the original req intact */ + if (sd_control) { + if (!save_controls(sd_control, mod_req, &saved_controls)) { + return LDB_ERR_OPERATIONS_ERROR; + } + } + return ldb_next_request(ac->module, mod_req); } @@ -441,7 +558,7 @@ static int descriptor_do_add(struct descriptor_context *ac) int ret; DATA_BLOB *sd; const struct dsdb_class *objectclass; - static const char *const attrs[] = { "objectClass", NULL }; + static const char *const attrs[] = { "objectClass", "nTSecurityDescriptor", NULL }; struct ldb_request *search_req; ldb = ldb_module_get_ctx(ac->module); @@ -491,7 +608,7 @@ static int descriptor_do_add(struct descriptor_context *ac) /* get the parent descriptor and the one provided. If not provided, get the default.*/ /* convert to security descriptor and calculate */ sd = get_new_descriptor(ac->module, msg->dn, mem_ctx, objectclass, - ac->parentsd_val, ac->sd_val); + ac->parentsd_val, ac->sd_val, NULL, 0); if (ac->sd_val) { ldb_msg_remove_attr(msg, "nTSecurityDescriptor"); } |