diff options
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/acl.c | 59 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/acl_read.c | 15 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/acl_util.c | 3 |
3 files changed, 57 insertions, 20 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index 0a244f9bef..638955de97 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c @@ -191,6 +191,7 @@ static int acl_allowedAttributes(struct ldb_module *module, TALLOC_CTX *mem_ctx; const char **attr_list; int i, ret; + const struct dsdb_class *objectclass; /* If we don't have a schema yet, we can't do anything... */ if (schema == NULL) { @@ -215,6 +216,19 @@ static int acl_allowedAttributes(struct ldb_module *module, talloc_free(mem_ctx); return LDB_ERR_OPERATIONS_ERROR; } + + /* + * Get the top-most structural object class for the ACL check + */ + objectclass = dsdb_get_last_structural_class(ac->schema, + oc_el); + if (objectclass == NULL) { + ldb_asprintf_errstring(ldb, "acl_read: Failed to find a structural class for %s", + ldb_dn_get_linearized(sd_msg->dn)); + talloc_free(mem_ctx); + return LDB_ERR_OPERATIONS_ERROR; + } + if (ac->allowedAttributes) { for (i=0; attr_list && attr_list[i]; i++) { ldb_msg_add_string(msg, "allowedAttributes", attr_list[i]); @@ -262,7 +276,8 @@ static int acl_allowedAttributes(struct ldb_module *module, sd, sid, SEC_ADS_WRITE_PROP, - attr); + attr, + objectclass); if (ret == LDB_SUCCESS) { ldb_msg_add_string(msg, "allowedAttributesEffective", attr_list[i]); } @@ -479,10 +494,15 @@ static int acl_sDRightsEffective(struct ldb_module *module, } if (ac->am_system || as_system) { flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_SACL | SECINFO_DACL; - } - else { + } else { + const struct dsdb_class *objectclass; const struct dsdb_attribute *attr; + objectclass = dsdb_get_structural_oc_from_msg(ac->schema, sd_msg); + if (objectclass == NULL) { + return ldb_operr(ldb); + } + attr = dsdb_attribute_by_lDAPDisplayName(ac->schema, "nTSecurityDescriptor"); if (attr == NULL) { @@ -500,7 +520,8 @@ static int acl_sDRightsEffective(struct ldb_module *module, sd, sid, SEC_STD_WRITE_OWNER, - attr); + attr, + objectclass); if (ret == LDB_SUCCESS) { flags |= SECINFO_OWNER | SECINFO_GROUP; } @@ -509,7 +530,8 @@ static int acl_sDRightsEffective(struct ldb_module *module, sd, sid, SEC_STD_WRITE_DAC, - attr); + attr, + objectclass); if (ret == LDB_SUCCESS) { flags |= SECINFO_DACL; } @@ -518,7 +540,8 @@ static int acl_sDRightsEffective(struct ldb_module *module, sd, sid, SEC_FLAG_SYSTEM_SECURITY, - attr); + attr, + objectclass); if (ret == LDB_SUCCESS) { flags |= SECINFO_SACL; } @@ -636,8 +659,8 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx, struct ldb_request *req, struct security_descriptor *sd, struct dom_sid *sid, - const struct GUID *oc_guid, - const struct dsdb_attribute *attr) + const struct dsdb_attribute *attr, + const struct dsdb_class *objectclass) { int ret; unsigned int i; @@ -671,7 +694,7 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx, sd, sid, SEC_ADS_WRITE_PROP, - attr) == LDB_SUCCESS) { + attr, objectclass) == LDB_SUCCESS) { talloc_free(tmp_ctx); return LDB_SUCCESS; } @@ -828,8 +851,8 @@ static int acl_check_self_membership(TALLOC_CTX *mem_ctx, struct ldb_request *req, struct security_descriptor *sd, struct dom_sid *sid, - const struct GUID *oc_guid, - const struct dsdb_attribute *attr) + const struct dsdb_attribute *attr, + const struct dsdb_class *objectclass) { int ret; unsigned int i; @@ -842,7 +865,7 @@ static int acl_check_self_membership(TALLOC_CTX *mem_ctx, sd, sid, SEC_ADS_WRITE_PROP, - attr) == LDB_SUCCESS) { + attr, objectclass) == LDB_SUCCESS) { return LDB_SUCCESS; } /* if we are adding/deleting ourselves, check for self membership */ @@ -884,7 +907,7 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx, struct ldb_request *req, struct security_descriptor *sd, struct dom_sid *sid, - const struct GUID *oc_guid, + const struct dsdb_class *objectclass, bool userPassword) { int ret = LDB_SUCCESS; @@ -1109,8 +1132,8 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req) req, sd, sid, - &objectclass->schemaIDGUID, - attr); + attr, + objectclass); if (ret != LDB_SUCCESS) { goto fail; } @@ -1126,7 +1149,7 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req) req, sd, sid, - &objectclass->schemaIDGUID, + objectclass, userPassword); if (ret != LDB_SUCCESS) { goto fail; @@ -1137,8 +1160,8 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req) req, sd, sid, - &objectclass->schemaIDGUID, - attr); + attr, + objectclass); if (ret != LDB_SUCCESS) { goto fail; } diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c index dcabd56a78..07b1bc4e5e 100644 --- a/source4/dsdb/samdb/ldb_modules/acl_read.c +++ b/source4/dsdb/samdb/ldb_modules/acl_read.c @@ -76,6 +76,7 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) struct dom_sid *sid = NULL; TALLOC_CTX *tmp_ctx; uint32_t instanceType; + const struct dsdb_class *objectclass; ac = talloc_get_type(req->context, struct aclread_context); ldb = ldb_module_get_ctx(ac->module); @@ -98,6 +99,17 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) ret = LDB_ERR_OPERATIONS_ERROR; goto fail; } + /* + * Get the most specific structural object class for the ACL check + */ + objectclass = dsdb_get_structural_oc_from_msg(ac->schema, msg); + if (objectclass == NULL) { + ldb_asprintf_errstring(ldb, "acl_read: Failed to find a structural class for %s", + ldb_dn_get_linearized(msg->dn)); + ret = LDB_ERR_OPERATIONS_ERROR; + goto fail; + } + sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid"); /* get the object instance type */ instanceType = ldb_msg_find_attr_as_uint(msg, @@ -196,7 +208,8 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) sd, sid, access_mask, - attr); + attr, + objectclass); /* * Dirsync control needs the replpropertymetadata attribute diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c b/source4/dsdb/samdb/ldb_modules/acl_util.c index bbf8e660a6..95ab2752c7 100644 --- a/source4/dsdb/samdb/ldb_modules/acl_util.c +++ b/source4/dsdb/samdb/ldb_modules/acl_util.c @@ -96,7 +96,8 @@ int acl_check_access_on_attribute(struct ldb_module *module, struct security_descriptor *sd, struct dom_sid *rp_sid, uint32_t access_mask, - const struct dsdb_attribute *attr) + const struct dsdb_attribute *attr, + const struct dsdb_class *objectclass) { int ret; NTSTATUS status; |