dsdb-acl: Pass the structural objectClass into acl_check_access_on_attribute
This will, when the GUID is entered into the object tree (not in this commit), ensure that access rights assigned to the structural objectClass are also available, as well as rights assigned to the attribute property groups. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
93944ea900
commit
e8cc59eb78
@ -191,6 +191,7 @@ static int acl_allowedAttributes(struct ldb_module *module,
|
|||||||
TALLOC_CTX *mem_ctx;
|
TALLOC_CTX *mem_ctx;
|
||||||
const char **attr_list;
|
const char **attr_list;
|
||||||
int i, ret;
|
int i, ret;
|
||||||
|
const struct dsdb_class *objectclass;
|
||||||
|
|
||||||
/* If we don't have a schema yet, we can't do anything... */
|
/* If we don't have a schema yet, we can't do anything... */
|
||||||
if (schema == NULL) {
|
if (schema == NULL) {
|
||||||
@ -215,6 +216,19 @@ static int acl_allowedAttributes(struct ldb_module *module,
|
|||||||
talloc_free(mem_ctx);
|
talloc_free(mem_ctx);
|
||||||
return LDB_ERR_OPERATIONS_ERROR;
|
return LDB_ERR_OPERATIONS_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Get the top-most structural object class for the ACL check
|
||||||
|
*/
|
||||||
|
objectclass = dsdb_get_last_structural_class(ac->schema,
|
||||||
|
oc_el);
|
||||||
|
if (objectclass == NULL) {
|
||||||
|
ldb_asprintf_errstring(ldb, "acl_read: Failed to find a structural class for %s",
|
||||||
|
ldb_dn_get_linearized(sd_msg->dn));
|
||||||
|
talloc_free(mem_ctx);
|
||||||
|
return LDB_ERR_OPERATIONS_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
if (ac->allowedAttributes) {
|
if (ac->allowedAttributes) {
|
||||||
for (i=0; attr_list && attr_list[i]; i++) {
|
for (i=0; attr_list && attr_list[i]; i++) {
|
||||||
ldb_msg_add_string(msg, "allowedAttributes", attr_list[i]);
|
ldb_msg_add_string(msg, "allowedAttributes", attr_list[i]);
|
||||||
@ -262,7 +276,8 @@ static int acl_allowedAttributes(struct ldb_module *module,
|
|||||||
sd,
|
sd,
|
||||||
sid,
|
sid,
|
||||||
SEC_ADS_WRITE_PROP,
|
SEC_ADS_WRITE_PROP,
|
||||||
attr);
|
attr,
|
||||||
|
objectclass);
|
||||||
if (ret == LDB_SUCCESS) {
|
if (ret == LDB_SUCCESS) {
|
||||||
ldb_msg_add_string(msg, "allowedAttributesEffective", attr_list[i]);
|
ldb_msg_add_string(msg, "allowedAttributesEffective", attr_list[i]);
|
||||||
}
|
}
|
||||||
@ -479,10 +494,15 @@ static int acl_sDRightsEffective(struct ldb_module *module,
|
|||||||
}
|
}
|
||||||
if (ac->am_system || as_system) {
|
if (ac->am_system || as_system) {
|
||||||
flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_SACL | SECINFO_DACL;
|
flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_SACL | SECINFO_DACL;
|
||||||
}
|
} else {
|
||||||
else {
|
const struct dsdb_class *objectclass;
|
||||||
const struct dsdb_attribute *attr;
|
const struct dsdb_attribute *attr;
|
||||||
|
|
||||||
|
objectclass = dsdb_get_structural_oc_from_msg(ac->schema, sd_msg);
|
||||||
|
if (objectclass == NULL) {
|
||||||
|
return ldb_operr(ldb);
|
||||||
|
}
|
||||||
|
|
||||||
attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
|
attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
|
||||||
"nTSecurityDescriptor");
|
"nTSecurityDescriptor");
|
||||||
if (attr == NULL) {
|
if (attr == NULL) {
|
||||||
@ -500,7 +520,8 @@ static int acl_sDRightsEffective(struct ldb_module *module,
|
|||||||
sd,
|
sd,
|
||||||
sid,
|
sid,
|
||||||
SEC_STD_WRITE_OWNER,
|
SEC_STD_WRITE_OWNER,
|
||||||
attr);
|
attr,
|
||||||
|
objectclass);
|
||||||
if (ret == LDB_SUCCESS) {
|
if (ret == LDB_SUCCESS) {
|
||||||
flags |= SECINFO_OWNER | SECINFO_GROUP;
|
flags |= SECINFO_OWNER | SECINFO_GROUP;
|
||||||
}
|
}
|
||||||
@ -509,7 +530,8 @@ static int acl_sDRightsEffective(struct ldb_module *module,
|
|||||||
sd,
|
sd,
|
||||||
sid,
|
sid,
|
||||||
SEC_STD_WRITE_DAC,
|
SEC_STD_WRITE_DAC,
|
||||||
attr);
|
attr,
|
||||||
|
objectclass);
|
||||||
if (ret == LDB_SUCCESS) {
|
if (ret == LDB_SUCCESS) {
|
||||||
flags |= SECINFO_DACL;
|
flags |= SECINFO_DACL;
|
||||||
}
|
}
|
||||||
@ -518,7 +540,8 @@ static int acl_sDRightsEffective(struct ldb_module *module,
|
|||||||
sd,
|
sd,
|
||||||
sid,
|
sid,
|
||||||
SEC_FLAG_SYSTEM_SECURITY,
|
SEC_FLAG_SYSTEM_SECURITY,
|
||||||
attr);
|
attr,
|
||||||
|
objectclass);
|
||||||
if (ret == LDB_SUCCESS) {
|
if (ret == LDB_SUCCESS) {
|
||||||
flags |= SECINFO_SACL;
|
flags |= SECINFO_SACL;
|
||||||
}
|
}
|
||||||
@ -636,8 +659,8 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx,
|
|||||||
struct ldb_request *req,
|
struct ldb_request *req,
|
||||||
struct security_descriptor *sd,
|
struct security_descriptor *sd,
|
||||||
struct dom_sid *sid,
|
struct dom_sid *sid,
|
||||||
const struct GUID *oc_guid,
|
const struct dsdb_attribute *attr,
|
||||||
const struct dsdb_attribute *attr)
|
const struct dsdb_class *objectclass)
|
||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
@ -671,7 +694,7 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx,
|
|||||||
sd,
|
sd,
|
||||||
sid,
|
sid,
|
||||||
SEC_ADS_WRITE_PROP,
|
SEC_ADS_WRITE_PROP,
|
||||||
attr) == LDB_SUCCESS) {
|
attr, objectclass) == LDB_SUCCESS) {
|
||||||
talloc_free(tmp_ctx);
|
talloc_free(tmp_ctx);
|
||||||
return LDB_SUCCESS;
|
return LDB_SUCCESS;
|
||||||
}
|
}
|
||||||
@ -828,8 +851,8 @@ static int acl_check_self_membership(TALLOC_CTX *mem_ctx,
|
|||||||
struct ldb_request *req,
|
struct ldb_request *req,
|
||||||
struct security_descriptor *sd,
|
struct security_descriptor *sd,
|
||||||
struct dom_sid *sid,
|
struct dom_sid *sid,
|
||||||
const struct GUID *oc_guid,
|
const struct dsdb_attribute *attr,
|
||||||
const struct dsdb_attribute *attr)
|
const struct dsdb_class *objectclass)
|
||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
@ -842,7 +865,7 @@ static int acl_check_self_membership(TALLOC_CTX *mem_ctx,
|
|||||||
sd,
|
sd,
|
||||||
sid,
|
sid,
|
||||||
SEC_ADS_WRITE_PROP,
|
SEC_ADS_WRITE_PROP,
|
||||||
attr) == LDB_SUCCESS) {
|
attr, objectclass) == LDB_SUCCESS) {
|
||||||
return LDB_SUCCESS;
|
return LDB_SUCCESS;
|
||||||
}
|
}
|
||||||
/* if we are adding/deleting ourselves, check for self membership */
|
/* if we are adding/deleting ourselves, check for self membership */
|
||||||
@ -884,7 +907,7 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
|
|||||||
struct ldb_request *req,
|
struct ldb_request *req,
|
||||||
struct security_descriptor *sd,
|
struct security_descriptor *sd,
|
||||||
struct dom_sid *sid,
|
struct dom_sid *sid,
|
||||||
const struct GUID *oc_guid,
|
const struct dsdb_class *objectclass,
|
||||||
bool userPassword)
|
bool userPassword)
|
||||||
{
|
{
|
||||||
int ret = LDB_SUCCESS;
|
int ret = LDB_SUCCESS;
|
||||||
@ -1109,8 +1132,8 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
|
|||||||
req,
|
req,
|
||||||
sd,
|
sd,
|
||||||
sid,
|
sid,
|
||||||
&objectclass->schemaIDGUID,
|
attr,
|
||||||
attr);
|
objectclass);
|
||||||
if (ret != LDB_SUCCESS) {
|
if (ret != LDB_SUCCESS) {
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
@ -1126,7 +1149,7 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
|
|||||||
req,
|
req,
|
||||||
sd,
|
sd,
|
||||||
sid,
|
sid,
|
||||||
&objectclass->schemaIDGUID,
|
objectclass,
|
||||||
userPassword);
|
userPassword);
|
||||||
if (ret != LDB_SUCCESS) {
|
if (ret != LDB_SUCCESS) {
|
||||||
goto fail;
|
goto fail;
|
||||||
@ -1137,8 +1160,8 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
|
|||||||
req,
|
req,
|
||||||
sd,
|
sd,
|
||||||
sid,
|
sid,
|
||||||
&objectclass->schemaIDGUID,
|
attr,
|
||||||
attr);
|
objectclass);
|
||||||
if (ret != LDB_SUCCESS) {
|
if (ret != LDB_SUCCESS) {
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
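Review bot: The error string added in the acl_allowedAttributes hunk names the wrong function: `"acl_read: Failed to find a structural class for %s"` is the acl_read.c message reused verbatim, so a failure on the allowedAttributes path will be attributed to the read path in logs; change it to `"acl_allowedAttributes: Failed to find a structural class for %s"`. The sibling lookup added in acl_sDRightsEffective handles the same NULL result with a bare `return ldb_operr(ldb);` and no error string, so the two new failure paths report the same condition differently; a matching ldb_asprintf_errstring there would keep diagnostics consistent. The comment `Get the top-most structural object class` in acl_allowedAttributes and `Get the most specific structural object class` in aclread_callback describe what appear to be the same selection with opposite-sounding words, so it is worth confirming which is meant and using one phrasing in both files. `oc_el`, passed to the new dsdb_get_last_structural_class call, is defined outside the hunk, and the body of acl_allowedAttributes continues outside it.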
|
@ -76,6 +76,7 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
|
|||||||
struct dom_sid *sid = NULL;
|
struct dom_sid *sid = NULL;
|
||||||
TALLOC_CTX *tmp_ctx;
|
TALLOC_CTX *tmp_ctx;
|
||||||
uint32_t instanceType;
|
uint32_t instanceType;
|
||||||
|
const struct dsdb_class *objectclass;
|
||||||
|
|
||||||
ac = talloc_get_type(req->context, struct aclread_context);
|
ac = talloc_get_type(req->context, struct aclread_context);
|
||||||
ldb = ldb_module_get_ctx(ac->module);
|
ldb = ldb_module_get_ctx(ac->module);
|
||||||
@ -98,6 +99,17 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
|
|||||||
ret = LDB_ERR_OPERATIONS_ERROR;
|
ret = LDB_ERR_OPERATIONS_ERROR;
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
|
/*
|
||||||
|
* Get the most specific structural object class for the ACL check
|
||||||
|
*/
|
||||||
|
objectclass = dsdb_get_structural_oc_from_msg(ac->schema, msg);
|
||||||
|
if (objectclass == NULL) {
|
||||||
|
ldb_asprintf_errstring(ldb, "acl_read: Failed to find a structural class for %s",
|
||||||
|
ldb_dn_get_linearized(msg->dn));
|
||||||
|
ret = LDB_ERR_OPERATIONS_ERROR;
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
|
||||||
sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
|
sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
|
||||||
/* get the object instance type */
|
/* get the object instance type */
|
||||||
instanceType = ldb_msg_find_attr_as_uint(msg,
|
instanceType = ldb_msg_find_attr_as_uint(msg,
|
||||||
@ -196,7 +208,8 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
|
|||||||
sd,
|
sd,
|
||||||
sid,
|
sid,
|
||||||
access_mask,
|
access_mask,
|
||||||
attr);
|
attr,
|
||||||
|
objectclass);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Dirsync control needs the replpropertymetadata attribute
|
* Dirsync control needs the replpropertymetadata attribute
|
||||||
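Review bot: The new structural-class lookup in aclread_callback turns any result message without a resolvable structural objectClass into LDB_ERR_OPERATIONS_ERROR for the whole search, before `sid` and `instanceType` are read; whether a legitimate result can arrive without objectClass depends on the attribute list aclread requests earlier in the module, which is outside this hunk, so that path should be confirmed rather than assumed unreachable. If such results are possible, failing the search is the safer choice for an access-control callback than skipping the check, but that intent deserves a comment above the `if (objectclass == NULL)`, e.g. `/* A result we cannot classify must not be returned: fail rather than skip the ACL check */`. The enclosing function begins and ends outside the hunk.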
|
@ -96,7 +96,8 @@ int acl_check_access_on_attribute(struct ldb_module *module,
|
|||||||
struct security_descriptor *sd,
|
struct security_descriptor *sd,
|
||||||
struct dom_sid *rp_sid,
|
struct dom_sid *rp_sid,
|
||||||
uint32_t access_mask,
|
uint32_t access_mask,
|
||||||
const struct dsdb_attribute *attr)
|
const struct dsdb_attribute *attr,
|
||||||
|
const struct dsdb_class *objectclass)
|
||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
NTSTATUS status;
|
NTSTATUS status;
|
||||||
|
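Review bot: The new `objectclass` parameter of acl_check_access_on_attribute is not referenced anywhere in the lines shown, and since the commit message says the class GUID is only entered into the object tree in a later commit, it is presumably unused until then while every caller already threads it through; a comment on the parameter would stop a reader from assuming class-level rights are already enforced, e.g. `/* objectclass: structural class of the object; reserved for class-level rights, not yet consulted here */`. The function is non-static and the matching prototype change in its header is not on this page, so that should be checked separately. The function's body continues outside the hunk.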