summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2007-01-09 03:45:50 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:37:16 -0500
commit08439c72c494565669bdd260050d061a005e89fe (patch)
tree07bed0f7a5ed23187aa63b62e863f50c5edbfe02 /source4
parent131cfe0399df8d65208dab90c70cb600e20cc0c5 (diff)
downloadsamba-08439c72c494565669bdd260050d061a005e89fe.tar.gz
samba-08439c72c494565669bdd260050d061a005e89fe.tar.bz2
samba-08439c72c494565669bdd260050d061a005e89fe.zip
r20622: Add in a hack to avoid permitting searches on the value of protected
attributes. Andrew Bartlett (This used to be commit 5aa2195ec26d9ddf82e51f2b242cdf7c8ab52f52)
Diffstat (limited to 'source4')
-rw-r--r--source4/dsdb/samdb/ldb_modules/kludge_acl.c24
1 files changed, 23 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/kludge_acl.c b/source4/dsdb/samdb/ldb_modules/kludge_acl.c
index 176cfbf3a5..7b2150bec8 100644
--- a/source4/dsdb/samdb/ldb_modules/kludge_acl.c
+++ b/source4/dsdb/samdb/ldb_modules/kludge_acl.c
@@ -147,7 +147,8 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
{
struct kludge_acl_context *ac;
struct ldb_request *down_req;
- int ret;
+ struct kludge_private_data *data;
+ int ret, i;
req->handle = NULL;
@@ -156,6 +157,8 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
return LDB_ERR_OPERATIONS_ERROR;
}
+ data = talloc_get_type(module->private_data, struct kludge_private_data);
+
ac->module = module;
ac->up_context = req->context;
ac->up_callback = req->callback;
@@ -172,6 +175,25 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
down_req->op.search.tree = req->op.search.tree;
down_req->op.search.attrs = req->op.search.attrs;
+
+ /* FIXME: I hink we should copy the tree and keep the original
+ * unmodified. SSS */
+ /* replace any attributes in the parse tree that are private,
+ so we don't allow a search for 'sambaPassword=penguin',
+ just as we would not allow that attribute to be returned */
+ switch (ac->user_type) {
+ case SYSTEM:
+ case ADMINISTRATOR:
+ break;
+ default:
+ /* remove password attributes */
+ for (i = 0; data && data->password_attrs && data->password_attrs[i]; i++) {
+ ldb_parse_tree_attr_replace(down_req->op.search.tree,
+ data->password_attrs[i],
+ "kludgeACLredactedattribute");
+ }
+ }
+
down_req->controls = req->controls;
down_req->context = ac;