s4-dsdb: Removed kludge_acl as it is no longer necessary

Moved the access check on extended operations to acl module and removed kludge_acl
author: Nadezhda Ivanova <nivanova@samba.org> 2010-08-04 15:22:17 +0300
committer: Nadezhda Ivanova <nivanova@samba.org> 2010-08-04 15:22:17 +0300
commit: d50a9e8d9e706f545862ab1f5b9a8eaa27447844 (patch)
tree: a40d1e11882aecae85d0b8b38417f6891e2d51ff /source4
parent: f4e60b42d37b5136dfd124de8bb5c1c9cd084957 (diff)
download: samba-d50a9e8d9e706f545862ab1f5b9a8eaa27447844.tar.gz
samba-d50a9e8d9e706f545862ab1f5b9a8eaa27447844.tar.bz2
samba-d50a9e8d9e706f545862ab1f5b9a8eaa27447844.zip
5 files changed, 47 insertions, 23 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 1b85c5ded9..11fffa4053 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -1335,6 +1335,44 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req)
 	return ldb_next_request(module, down_req);
 }
 
+static const char *acl_user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module)
+{
+	struct ldb_context *ldb = ldb_module_get_ctx(module);
+	struct auth_session_info *session_info
+		= (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
+	if (!session_info) {
+		return "UNKNOWN (NULL)";
+	}
+
+	return talloc_asprintf(mem_ctx, "%s\\%s",
+			       session_info->server_info->domain_name,
+			       session_info->server_info->account_name);
+}
+
+static int acl_extended(struct ldb_module *module, struct ldb_request *req)
+{
+	struct ldb_context *ldb = ldb_module_get_ctx(module);
+	struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
+
+	/* allow everybody to read the sequence number */
+	if (strcmp(req->op.extended.oid,
+		   LDB_EXTENDED_SEQUENCE_NUMBER) == 0) {
+		return ldb_next_request(module, req);
+	}
+
+	if (dsdb_module_am_system(module) ||
+	    dsdb_module_am_administrator(module) || as_system) {
+		return ldb_next_request(module, req);
+	} else {
+		ldb_asprintf_errstring(ldb,
+				       "acl_extended: "
+				       "attempted database modify not permitted. "
+				       "User %s is not SYSTEM or an administrator",
+				       acl_user_name(req, module));
+		return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+	}
+}
+
 _PUBLIC_ const struct ldb_module_ops ldb_acl_module_ops = {
 	.name		   = "acl",
 	.search            = acl_search,
@@ -1342,5 +1380,6 @@ _PUBLIC_ const struct ldb_module_ops ldb_acl_module_ops = {
 	.modify            = acl_modify,
 	.del               = acl_delete,
 	.rename            = acl_rename,
+	.extended          = acl_extended,
 	.init_context	   = acl_module_init
 };
diff --git a/source4/dsdb/samdb/ldb_modules/config.mk b/source4/dsdb/samdb/ldb_modules/config.mk
index 39e07214d5..4c968cd713 100644
--- a/source4/dsdb/samdb/ldb_modules/config.mk
+++ b/source4/dsdb/samdb/ldb_modules/config.mk
@@ -218,18 +218,6 @@ INIT_FUNCTION = LDB_MODULE(local_password)
 ldb_local_password_OBJ_FILES = $(dsdbsrcdir)/samdb/ldb_modules/local_password.o
 
 ################################################
-# Start MODULE ldb_kludge_acl
-[MODULE::ldb_kludge_acl]
-PRIVATE_DEPENDENCIES = LIBTALLOC LIBEVENTS LIBSECURITY SAMDB
-SUBSYSTEM = LIBLDB
-INIT_FUNCTION = LDB_MODULE(kludge_acl)
-
-# End MODULE ldb_kludge_acl
-################################################
-
-ldb_kludge_acl_OBJ_FILES = $(dsdbsrcdir)/samdb/ldb_modules/kludge_acl.o
-
-################################################
 # Start MODULE ldb_extended_dn_in
 [MODULE::ldb_extended_dn_in]
 SUBSYSTEM = LIBLDB
diff --git a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
index 392e215203..82f5ec39d4 100644
--- a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
+++ b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
@@ -178,7 +178,6 @@ static int samba_dsdb_init(struct ldb_module *module)
 					     "samldb",
 					     "password_hash",
 					     "operational",
-					     "kludge_acl",
 					     "schema_load",
 					     "instancetype",
 					     "objectclass_attrs",
diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
index 75940c837d..fda1733f62 100644
--- a/source4/dsdb/samdb/ldb_modules/util.c
+++ b/source4/dsdb/samdb/ldb_modules/util.c
@@ -910,6 +910,14 @@ bool dsdb_module_am_system(struct ldb_module *module)
 	return security_session_user_level(session_info, NULL) == SECURITY_SYSTEM;
 }
 
+bool dsdb_module_am_administrator(struct ldb_module *module)
+{
+	struct ldb_context *ldb = ldb_module_get_ctx(module);
+	struct auth_session_info *session_info
+		= (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
+	return security_session_user_level(session_info, NULL) == SECURITY_ADMINISTRATOR;
+}
+
 /*
   check if the recyclebin is enabled
  */
diff --git a/source4/dsdb/samdb/ldb_modules/wscript_build b/source4/dsdb/samdb/ldb_modules/wscript_build
index 577d495287..05a8641532 100644
--- a/source4/dsdb/samdb/ldb_modules/wscript_build
+++ b/source4/dsdb/samdb/ldb_modules/wscript_build
@@ -151,16 +151,6 @@ bld.SAMBA_MODULE('ldb_local_password',
 	deps='talloc LIBEVENTS LIBNDR SAMDB'
 	)
 
-
-bld.SAMBA_MODULE('ldb_kludge_acl',
-	source='kludge_acl.c',
-	subsystem='ldb',
-	init_function='LDB_MODULE(kludge_acl)',
-	internal_module=not bld.CONFIG_SET('USING_SYSTEM_LDB'),
-	deps='talloc LIBEVENTS LIBSECURITY SAMDB'
-	)
-
-
 bld.SAMBA_MODULE('ldb_extended_dn_in',
 	source='extended_dn_in.c',
 	subsystem='ldb',
author	Nadezhda Ivanova <nivanova@samba.org>	2010-08-04 15:22:17 +0300
committer	Nadezhda Ivanova <nivanova@samba.org>	2010-08-04 15:22:17 +0300
commit	d50a9e8d9e706f545862ab1f5b9a8eaa27447844 (patch)
tree	a40d1e11882aecae85d0b8b38417f6891e2d51ff /source4
parent	f4e60b42d37b5136dfd124de8bb5c1c9cd084957 (diff)
download	samba-d50a9e8d9e706f545862ab1f5b9a8eaa27447844.tar.gz samba-d50a9e8d9e706f545862ab1f5b9a8eaa27447844.tar.bz2 samba-d50a9e8d9e706f545862ab1f5b9a8eaa27447844.zip