Diffstat (limited to 'source4/dsdb')
-rw-r--r--source4/dsdb/samdb/ldb_modules/acl_read.c33
1 files changed, 19 insertions, 14 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index c42db5f13b..e4adcde8f3 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -296,6 +296,8 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
struct ldb_result *res;
struct aclread_private *p;
bool is_untrusted = ldb_req_is_untrusted(req);
+ static const char * const _all_attrs[] = { "*", NULL };
+ bool all_attrs = false;
const char * const *attrs = NULL;
uint32_t instanceType;
static const char *acl_attrs[] = {
@@ -363,6 +365,18 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
if (!ac->schema) {
return ldb_operr(ldb);
}
+
+ attrs = req->op.search.attrs;
+ if (attrs == NULL) {
+ all_attrs = true;
+ attrs = _all_attrs;
+ } else if (attrs[0] == NULL) {
+ all_attrs = true;
+ attrs = _all_attrs;
+ } else if (ldb_attr_in_list(attrs, "*")) {
+ all_attrs = true;
+ }
+
/*
* In theory we should also check for the SD control but control verification is
* expensive so we'd better had the ntsecuritydescriptor to the list of
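Review bot: The first two branches of the new normalisation in aclread_search (`attrs == NULL` and `attrs[0] == NULL`) have identical bodies and can be a single test, `if (attrs == NULL || attrs[0] == NULL) {`. The block also carries no comment, although it changes how an empty list is treated: the removed condition in the next hunk let a non-NULL empty list fall into the helper-attribute branch, whereas it now counts as a request for all attributes. In a module that decides what an untrusted caller may read, that deserves a line such as `/* NULL or empty list means all attributes; normalise to "*" so the helper attributes added below never replace the caller's request */`. A test that sends an empty attribute list through an untrusted request would pin the new behaviour; the per-attribute filtering itself is not visible in this hunk.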
@@ -370,16 +384,15 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
*/
ac->sd_flags = dsdb_request_sd_flags(ac->req, NULL);
- ac->sd = !(ldb_attr_in_list(req->op.search.attrs, "nTSecurityDescriptor"));
- if (req->op.search.attrs && !ldb_attr_in_list(req->op.search.attrs, "*")) {
- if (!ldb_attr_in_list(req->op.search.attrs, "instanceType")) {
+ ac->sd = !(ldb_attr_in_list(attrs, "nTSecurityDescriptor"));
+
+ if (!all_attrs) {
+ if (!ldb_attr_in_list(attrs, "instanceType")) {
ac->instance_type = true;
- attrs = ldb_attr_list_copy_add(ac, req->op.search.attrs, "instanceType");
+ attrs = ldb_attr_list_copy_add(ac, attrs, "instanceType");
if (attrs == NULL) {
return ldb_oom(ldb);
}
- } else {
- attrs = req->op.search.attrs;
}
if (!ldb_attr_in_list(req->op.search.attrs, "objectSid")) {
ac->object_sid = true;
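Review bot: The context line `if (!ldb_attr_in_list(req->op.search.attrs, "objectSid")) {` still reads the request's original list, while every other check in this section now goes through the local `attrs`. Inside `if (!all_attrs)` both give the same answer as far as this hunk shows, since only instanceType can have been appended by then, so this is a consistency point rather than a bug. I would change it to `if (!ldb_attr_in_list(attrs, "objectSid")) {` so that later edits to the normalisation cannot make the two sources disagree in an access-control path. The body of that `if` continues outside the hunk.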
@@ -391,14 +404,6 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
}
if (ac->sd) {
- /* avoid replacing all attributes with nTSecurityDescriptor
- * if attribute list is empty */
- if (!attrs) {
- attrs = ldb_attr_list_copy_add(ac, req->op.search.attrs, "*");
- if (attrs == NULL) {
- return ldb_oom(ldb);
- }
- }
attrs = ldb_attr_list_copy_add(ac, attrs, "nTSecurityDescriptor");
if (attrs == NULL) {
return ldb_oom(ldb);