1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00

s4:dsdb: Make use of dsdb_have_system_access()

There should not be any change in behaviour.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Jo Sutton 2024-02-13 14:12:30 +13:00 committed by Andrew Bartlett
parent 1ad9b93dbf
commit eece2e8a9c
3 changed files with 21 additions and 38 deletions

View File

@ -1188,7 +1188,6 @@ static int acl_add(struct ldb_module *module, struct ldb_request *req)
const struct dsdb_class *computer_objectclass = NULL;
const struct ldb_message_element *oc_el = NULL;
struct ldb_message_element sorted_oc_el;
struct ldb_control *as_system;
struct ldb_control *sd_ctrl = NULL;
struct ldb_message_element *el;
unsigned int instanceType = 0;
@ -1205,12 +1204,8 @@ static int acl_add(struct ldb_module *module, struct ldb_request *req)
return ldb_next_request(module, req);
}
as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
if (as_system != NULL) {
as_system->critical = 0;
}
if (dsdb_module_am_system(module) || as_system) {
if (dsdb_have_system_access(module, req, SYSTEM_CONTROL_STRIP_CRITICAL))
{
return ldb_next_request(module, req);
}
@ -1879,7 +1874,6 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
struct ldb_result *acl_res;
struct security_descriptor *sd;
struct dom_sid *sid = NULL;
struct ldb_control *as_system;
struct ldb_control *is_undelete;
struct ldb_control *implicit_validated_write_control = NULL;
bool userPassword;
@ -1901,11 +1895,6 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
return ldb_next_request(module, req);
}
as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
if (as_system != NULL) {
as_system->critical = 0;
}
is_undelete = ldb_request_get_control(req, DSDB_CONTROL_RESTORE_TOMBSTONE_OID);
implicit_validated_write_control = ldb_request_get_control(
@ -1918,7 +1907,8 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
if (msg->num_elements > 0) {
DEBUG(10, ("ldb:acl_modify: %s\n", msg->elements[0].name));
}
if (dsdb_module_am_system(module) || as_system) {
if (dsdb_have_system_access(module, req, SYSTEM_CONTROL_STRIP_CRITICAL))
{
return ldb_next_request(module, req);
}
@ -2207,7 +2197,6 @@ static int acl_delete(struct ldb_module *module, struct ldb_request *req)
struct ldb_dn *parent;
struct ldb_context *ldb;
struct ldb_dn *nc_root;
struct ldb_control *as_system;
const struct dsdb_schema *schema;
const struct dsdb_class *objectclass;
struct security_descriptor *sd = NULL;
@ -2224,12 +2213,8 @@ static int acl_delete(struct ldb_module *module, struct ldb_request *req)
return ldb_next_request(module, req);
}
as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
if (as_system != NULL) {
as_system->critical = 0;
}
if (dsdb_module_am_system(module) || as_system) {
if (dsdb_have_system_access(module, req, SYSTEM_CONTROL_STRIP_CRITICAL))
{
return ldb_next_request(module, req);
}
@ -2384,7 +2369,6 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
struct dom_sid *sid = NULL;
struct ldb_result *acl_res;
struct ldb_dn *nc_root;
struct ldb_control *as_system;
struct ldb_control *is_undelete;
TALLOC_CTX *tmp_ctx;
const char *rdn_name;
@ -2399,13 +2383,9 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
return ldb_next_request(module, req);
}
as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
if (as_system != NULL) {
as_system->critical = 0;
}
DEBUG(10, ("ldb:acl_rename: %s\n", ldb_dn_get_linearized(req->op.rename.olddn)));
if (dsdb_module_am_system(module) || as_system) {
if (dsdb_have_system_access(module, req, SYSTEM_CONTROL_STRIP_CRITICAL))
{
return ldb_next_request(module, req);
}
@ -2853,7 +2833,6 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req)
static int acl_extended(struct ldb_module *module, struct ldb_request *req)
{
struct ldb_context *ldb = ldb_module_get_ctx(module);
struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
/* allow everybody to read the sequence number */
if (strcmp(req->op.extended.oid,
@ -2861,8 +2840,11 @@ static int acl_extended(struct ldb_module *module, struct ldb_request *req)
return ldb_next_request(module, req);
}
if (dsdb_module_am_system(module) ||
dsdb_module_am_administrator(module) || as_system) {
if (dsdb_have_system_access(module,
req,
SYSTEM_CONTROL_KEEP_CRITICAL) ||
dsdb_module_am_administrator(module))
{
return ldb_next_request(module, req);
} else {
ldb_asprintf_errstring(ldb,

View File

@ -883,10 +883,9 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
ldb = ldb_module_get_ctx(module);
p = talloc_get_type(ldb_module_get_private(module), struct aclread_private);
am_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID) != NULL;
if (!am_system) {
am_system = dsdb_module_am_system(module);
}
am_system = dsdb_have_system_access(module,
req,
SYSTEM_CONTROL_KEEP_CRITICAL);
/* skip access checks if we are system or system control is supplied
* or this is not LDAP server request */

View File

@ -259,9 +259,11 @@ static int attr_handler(struct oc_context *ac)
* fschemaUpgradeInProgress and other specific schema checks.
*/
if (ldb_dn_compare_base(ldb_get_schema_basedn(ldb), msg->dn) != 0) {
struct ldb_control *as_system = ldb_request_get_control(ac->req,
LDB_CONTROL_AS_SYSTEM_OID);
if (!dsdb_module_am_system(ac->module) && !as_system) {
if (!dsdb_have_system_access(
ac->module,
ac->req,
SYSTEM_CONTROL_KEEP_CRITICAL))
{
ldb_asprintf_errstring(ldb,
"objectclass_attrs: attribute '%s' on entry '%s' can only be modified as system",
msg->elements[i].name,