svn commit: samba r20622 - in
branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules: .
abartlet at samba.org
abartlet at samba.org
Tue Jan 9 03:45:51 GMT 2007
Author: abartlet
Date: 2007-01-09 03:45:50 +0000 (Tue, 09 Jan 2007)
New Revision: 20622
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=20622
Log:
Add in a hack to avoid permitting searches on the value of protected
attributes.
Andrew Bartlett
Modified:
branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/kludge_acl.c
Changeset:
Modified: branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/kludge_acl.c
===================================================================
--- branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/kludge_acl.c 2007-01-09 00:00:30 UTC (rev 20621)
+++ branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/kludge_acl.c 2007-01-09 03:45:50 UTC (rev 20622)
@@ -147,7 +147,8 @@
{
struct kludge_acl_context *ac;
struct ldb_request *down_req;
- int ret;
+ struct kludge_private_data *data;
+ int ret, i;
req->handle = NULL;
@@ -156,6 +157,8 @@
return LDB_ERR_OPERATIONS_ERROR;
}
+ data = talloc_get_type(module->private_data, struct kludge_private_data);
+
ac->module = module;
ac->up_context = req->context;
ac->up_callback = req->callback;
@@ -172,6 +175,25 @@
down_req->op.search.tree = req->op.search.tree;
down_req->op.search.attrs = req->op.search.attrs;
+
+ /* FIXME: I hink we should copy the tree and keep the original
+ * unmodified. SSS */
+ /* replace any attributes in the parse tree that are private,
+ so we don't allow a search for 'sambaPassword=penguin',
+ just as we would not allow that attribute to be returned */
+ switch (ac->user_type) {
+ case SYSTEM:
+ case ADMINISTRATOR:
+ break;
+ default:
+ /* remove password attributes */
+ for (i = 0; data && data->password_attrs && data->password_attrs[i]; i++) {
+ ldb_parse_tree_attr_replace(down_req->op.search.tree,
+ data->password_attrs[i],
+ "kludgeACLredactedattribute");
+ }
+ }
+
down_req->controls = req->controls;
down_req->context = ac;
More information about the samba-cvs
mailing list