mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
r20622: Add in a hack to avoid permitting searches on the value of protected
attributes.
Andrew Bartlett
(This used to be commit 5aa2195ec2)
parent
131cfe0399
commit
08439c72c4
@ -147,7 +147,8 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
|
||||
{
|
||||
struct kludge_acl_context *ac;
|
||||
struct ldb_request *down_req;
|
||||
int ret;
|
||||
struct kludge_private_data *data;
|
||||
int ret, i;
|
||||
|
||||
req->handle = NULL;
|
||||
|
||||
@ -156,6 +157,8 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
|
||||
return LDB_ERR_OPERATIONS_ERROR;
|
||||
}
|
||||
|
||||
data = talloc_get_type(module->private_data, struct kludge_private_data);
|
||||
|
||||
ac->module = module;
|
||||
ac->up_context = req->context;
|
||||
ac->up_callback = req->callback;
|
||||
@ -172,6 +175,25 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
|
||||
down_req->op.search.tree = req->op.search.tree;
|
||||
down_req->op.search.attrs = req->op.search.attrs;
|
||||
|
||||
|
||||
/* FIXME: I hink we should copy the tree and keep the original
|
||||
* unmodified. SSS */
|
||||
/* replace any attributes in the parse tree that are private,
|
||||
so we don't allow a search for 'sambaPassword=penguin',
|
||||
just as we would not allow that attribute to be returned */
|
||||
switch (ac->user_type) {
|
||||
case SYSTEM:
|
||||
case ADMINISTRATOR:
|
||||
break;
|
||||
default:
|
||||
/* remove password attributes */
|
||||
for (i = 0; data && data->password_attrs && data->password_attrs[i]; i++) {
|
||||
ldb_parse_tree_attr_replace(down_req->op.search.tree,
|
||||
data->password_attrs[i],
|
||||
"kludgeACLredactedattribute");
|
||||
}
|
||||
}
|
||||
|
||||
down_req->controls = req->controls;
|
||||
|
||||
down_req->context = ac;
|
||||
|
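Review bot: The redaction loop in the `default:` branch fails open: its condition `data && data->password_attrs && data->password_attrs[i]` silently skips the rewrite when `talloc_get_type()` returns NULL for `module->private_data`, so a non-privileged search is then passed down with the protected attribute names still in the filter. Because this branch is the access-control decision, I would refuse the request instead, e.g. `if (data == NULL) return LDB_ERR_OPERATIONS_ERROR;` at the top of `default:`, releasing `ac`/`down_req` as the function's other error paths do. Whether a NULL `password_attrs` means "nothing configured" or "not initialised" is not visible here and should be settled the same way. Separately, `down_req->op.search.tree` is the same pointer as `req->op.search.tree`, so the replacement rewrites the caller's filter in place, as the FIXME admits; until the tree is copied, a comment such as `/* NOTE: modifies req->op.search.tree in place; callers must not reuse the original filter */` would make that explicit. The body of kludge_acl_search starts and ends outside these hunks, and the assignment of `ac->user_type` is not shown, so confirm it is set before the `switch`.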