From f742623b7b8a19ff3230754562deeac7657cd8cd Mon Sep 17 00:00:00 2001
From: Nadezhda Ivanova
Date: Sun, 7 Mar 2010 21:42:53 +0200
Subject: Added a check for permissions to modify the RDN attribute on rename. Necessary because rdn module will be moved lower than acl in the stack.
---
 source4/dsdb/samdb/ldb_modules/acl.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'source4/dsdb/samdb')
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index c10624d55f..e7665c792f 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -958,6 +958,7 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
 TALLOC_CTX *tmp_ctx = talloc_new(req);
 NTSTATUS status;
 uint32_t access_granted;
+ const char *rdn_name;
 static const char *acl_attrs[] = {
 "nTSecurityDescriptor",
 "objectClass",
@@ -1001,6 +1002,17 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
 return LDB_ERR_OPERATIONS_ERROR;
 };
+ rdn_name = ldb_dn_get_rdn_name(req->op.rename.olddn);
+ if (rdn_name == NULL) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ guid = attribute_schemaid_guid_by_lDAPDisplayName(dsdb_get_schema(ldb),
+ rdn_name);
+ if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
+ &new_node, &new_node)) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ };
+
 ret = get_sd_from_ldb_message(req, acl_res->msgs[0], &sd);
 if (ret != LDB_SUCCESS) {
-- cgit
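Review bot: In the second hunk the result of `attribute_schemaid_guid_by_lDAPDisplayName()` goes straight into `insert_in_object_tree()` with no NULL check, so an RDN attribute name the schema lookup cannot resolve would reach the object tree as a null GUID. The helper is not visible here, so whether that crashes or builds a node that does not tie `SEC_ADS_WRITE_PROP` to the RDN attribute needs confirming; an access-control module should fail closed right after the lookup, e.g. `if (guid == NULL) { return LDB_ERR_OPERATIONS_ERROR; }`. The check also reads only `req->op.rename.olddn`; if a rename can ever present a different RDN attribute type in the new DN, that attribute would need the same write-property check. `acl_rename` begins and ends outside both hunks, so how `tmp_ctx` is released on these new early returns cannot be judged from here.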