From 08439c72c494565669bdd260050d061a005e89fe Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 9 Jan 2007 03:45:50 +0000 Subject: r20622: Add in a hack to avoid permitting searches on the value of protected attributes. Andrew Bartlett (This used to be commit 5aa2195ec26d9ddf82e51f2b242cdf7c8ab52f52) --- source4/dsdb/samdb/ldb_modules/kludge_acl.c | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) (limited to 'source4/dsdb/samdb') diff --git a/source4/dsdb/samdb/ldb_modules/kludge_acl.c b/source4/dsdb/samdb/ldb_modules/kludge_acl.c index 176cfbf3a5..7b2150bec8 100644 --- a/source4/dsdb/samdb/ldb_modules/kludge_acl.c +++ b/source4/dsdb/samdb/ldb_modules/kludge_acl.c @@ -147,7 +147,8 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req) { struct kludge_acl_context *ac; struct ldb_request *down_req; - int ret; + struct kludge_private_data *data; + int ret, i; req->handle = NULL; @@ -156,6 +157,8 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req) return LDB_ERR_OPERATIONS_ERROR; } + data = talloc_get_type(module->private_data, struct kludge_private_data); + ac->module = module; ac->up_context = req->context; ac->up_callback = req->callback; @@ -172,6 +175,25 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req) down_req->op.search.tree = req->op.search.tree; down_req->op.search.attrs = req->op.search.attrs; + + /* FIXME: I hink we should copy the tree and keep the original + * unmodified. SSS */ + /* replace any attributes in the parse tree that are private, + so we don't allow a search for 'sambaPassword=penguin', + just as we would not allow that attribute to be returned */ + switch (ac->user_type) { + case SYSTEM: + case ADMINISTRATOR: + break; + default: + /* remove password attributes */ + for (i = 0; data && data->password_attrs && data->password_attrs[i]; i++) { + ldb_parse_tree_attr_replace(down_req->op.search.tree, + data->password_attrs[i], + "kludgeACLredactedattribute"); + } + } + down_req->controls = req->controls; down_req->context = ac; -- cgit