-rw-r--r-- | source4/dsdb/samdb/ldb_modules/acl.c | 39 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/config.mk | 12 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/samba_dsdb.c | 1 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/util.c | 8 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/wscript_build | 10 |
5 files changed, 47 insertions, 23 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index 1b85c5ded9..11fffa4053 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c @@ -1335,6 +1335,44 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req) return ldb_next_request(module, down_req); } +static const char *acl_user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module) +{ + struct ldb_context *ldb = ldb_module_get_ctx(module); + struct auth_session_info *session_info + = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo"); + if (!session_info) { + return "UNKNOWN (NULL)"; + } + + return talloc_asprintf(mem_ctx, "%s\\%s", + session_info->server_info->domain_name, + session_info->server_info->account_name); +} + +static int acl_extended(struct ldb_module *module, struct ldb_request *req) +{ + struct ldb_context *ldb = ldb_module_get_ctx(module); + struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID); + + /* allow everybody to read the sequence number */ + if (strcmp(req->op.extended.oid, + LDB_EXTENDED_SEQUENCE_NUMBER) == 0) { + return ldb_next_request(module, req); + } + + if (dsdb_module_am_system(module) || + dsdb_module_am_administrator(module) || as_system) { + return ldb_next_request(module, req); + } else { + ldb_asprintf_errstring(ldb, + "acl_extended: " + "attempted database modify not permitted. " + "User %s is not SYSTEM or an administrator", + acl_user_name(req, module)); + return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS; + } +} + _PUBLIC_ const struct ldb_module_ops ldb_acl_module_ops = { .name = "acl", .search = acl_search, @@ -1342,5 +1380,6 @@ _PUBLIC_ const struct ldb_module_ops ldb_acl_module_ops = { .modify = acl_modify, .del = acl_delete, .rename = acl_rename, + .extended = acl_extended, .init_context = acl_module_init }; 
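Review bot: acl_user_name() can hand acl_extended() a NULL pointer: talloc_asprintf() returns NULL on allocation failure, and that value then feeds the `%s` in the ldb_asprintf_errstring() call on the deny path. The helper already has a literal fallback for a missing session, so extend it to the allocation case so callers never see NULL: `const char *name = talloc_asprintf(mem_ctx, "%s\\%s", session_info->server_info->domain_name, session_info->server_info->account_name); return name ? name : "UNKNOWN (OOM)";`. It also dereferences `session_info->server_info` unchecked; whether the "sessionInfo" opaque guarantees a non-NULL server_info is not visible here and should be confirmed. For detection and incident triage the refusal should name the rejected operation, e.g. `"acl_extended: extended operation %s not permitted. User %s is not SYSTEM or an administrator", req->op.extended.oid, acl_user_name(req, module)` — the current "attempted database modify" wording reads as copied from a modify path and hides which OID was attempted. The hunk opens on the tail of acl_search(), whose body begins outside it.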
diff --git a/source4/dsdb/samdb/ldb_modules/config.mk b/source4/dsdb/samdb/ldb_modules/config.mk index 39e07214d5..4c968cd713 100644 --- a/source4/dsdb/samdb/ldb_modules/config.mk +++ b/source4/dsdb/samdb/ldb_modules/config.mk @@ -218,18 +218,6 @@ INIT_FUNCTION = LDB_MODULE(local_password) ldb_local_password_OBJ_FILES = $(dsdbsrcdir)/samdb/ldb_modules/local_password.o ################################################ -# Start MODULE ldb_kludge_acl -[MODULE::ldb_kludge_acl] -PRIVATE_DEPENDENCIES = LIBTALLOC LIBEVENTS LIBSECURITY SAMDB -SUBSYSTEM = LIBLDB -INIT_FUNCTION = LDB_MODULE(kludge_acl) - -# End MODULE ldb_kludge_acl -################################################ - -ldb_kludge_acl_OBJ_FILES = $(dsdbsrcdir)/samdb/ldb_modules/kludge_acl.o - -################################################ # Start MODULE ldb_extended_dn_in [MODULE::ldb_extended_dn_in] SUBSYSTEM = LIBLDB diff --git a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c index 392e215203..82f5ec39d4 100644 --- a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c +++ b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c @@ -178,7 +178,6 @@ static int samba_dsdb_init(struct ldb_module *module) "samldb", "password_hash", "operational", - "kludge_acl", "schema_load", "instancetype", "objectclass_attrs", diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c index 75940c837d..fda1733f62 100644 --- a/source4/dsdb/samdb/ldb_modules/util.c +++ b/source4/dsdb/samdb/ldb_modules/util.c 
@@ -910,6 +910,14 @@ bool dsdb_module_am_system(struct ldb_module *module) return security_session_user_level(session_info, NULL) == SECURITY_SYSTEM; } +bool dsdb_module_am_administrator(struct ldb_module *module) +{ + struct ldb_context *ldb = ldb_module_get_ctx(module); + struct auth_session_info *session_info + = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo"); + return security_session_user_level(session_info, NULL) == SECURITY_ADMINISTRATOR; +} + /* check if the recyclebin is enabled */ diff --git a/source4/dsdb/samdb/ldb_modules/wscript_build b/source4/dsdb/samdb/ldb_modules/wscript_build index 577d495287..05a8641532 100644 --- a/source4/dsdb/samdb/ldb_modules/wscript_build +++ b/source4/dsdb/samdb/ldb_modules/wscript_build @@ -151,16 +151,6 @@ bld.SAMBA_MODULE('ldb_local_password', deps='talloc LIBEVENTS LIBNDR SAMDB' ) - -bld.SAMBA_MODULE('ldb_kludge_acl', - source='kludge_acl.c', - subsystem='ldb', - init_function='LDB_MODULE(kludge_acl)', - internal_module=not bld.CONFIG_SET('USING_SYSTEM_LDB'), - deps='talloc LIBEVENTS LIBSECURITY SAMDB' - ) - - bld.SAMBA_MODULE('ldb_extended_dn_in', source='extended_dn_in.c', subsystem='ldb', |
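Review bot: dsdb_module_am_administrator() is undocumented, and its equality test means it is true only at exactly SECURITY_ADMINISTRATOR — a SYSTEM session is not "an administrator" by this function, so callers wanting either must pair it with dsdb_module_am_system() as acl_extended() does; add above it `/* True only for sessions at SECURITY_ADMINISTRATOR level; SYSTEM is not included, so callers accepting either must also test dsdb_module_am_system(). */`. It mirrors the sibling dsdb_module_am_system() immediately above, including passing a possibly-NULL session_info straight into security_session_user_level(); whether that function tolerates NULL is not visible in this hunk. No header appears in the diffstat, so unless prototypes for this directory are generated automatically, acl.c's call to the new function still needs a declaration.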