[SCM] Samba Shared Repository - branch master updated

Nadezhda Ivanova nivanova at samba.org
Wed Aug 4 06:26:09 MDT 2010


The branch, master has been updated
       via  d50a9e8... s4-dsdb: Removed kludge_acl as it is no longer necessary
      from  f4e60b4... small optimizations for shadowcopy2 module

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d50a9e8d9e706f545862ab1f5b9a8eaa27447844
Author: Nadezhda Ivanova <nivanova at samba.org>
Date:   Wed Aug 4 15:22:17 2010 +0300

    s4-dsdb: Removed kludge_acl as it is no longer necessary
    
    Moved the access check on extended operations to acl module and removed kludge_acl

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/samdb/ldb_modules/acl.c         |   39 ++++++++++++++++++++++++++
 source4/dsdb/samdb/ldb_modules/config.mk     |   12 --------
 source4/dsdb/samdb/ldb_modules/samba_dsdb.c  |    1 -
 source4/dsdb/samdb/ldb_modules/util.c        |    8 +++++
 source4/dsdb/samdb/ldb_modules/wscript_build |   10 ------
 5 files changed, 47 insertions(+), 23 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 1b85c5d..11fffa4 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -1335,6 +1335,44 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req)
 	return ldb_next_request(module, down_req);
 }
 
+static const char *acl_user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module)
+{
+	struct ldb_context *ldb = ldb_module_get_ctx(module);
+	struct auth_session_info *session_info
+		= (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
+	if (!session_info) {
+		return "UNKNOWN (NULL)";
+	}
+
+	return talloc_asprintf(mem_ctx, "%s\\%s",
+			       session_info->server_info->domain_name,
+			       session_info->server_info->account_name);
+}
+
+static int acl_extended(struct ldb_module *module, struct ldb_request *req)
+{
+	struct ldb_context *ldb = ldb_module_get_ctx(module);
+	struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
+
+	/* allow everybody to read the sequence number */
+	if (strcmp(req->op.extended.oid,
+		   LDB_EXTENDED_SEQUENCE_NUMBER) == 0) {
+		return ldb_next_request(module, req);
+	}
+
+	if (dsdb_module_am_system(module) ||
+	    dsdb_module_am_administrator(module) || as_system) {
+		return ldb_next_request(module, req);
+	} else {
+		ldb_asprintf_errstring(ldb,
+				       "acl_extended: "
+				       "attempted database modify not permitted. "
+				       "User %s is not SYSTEM or an administrator",
+				       acl_user_name(req, module));
+		return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+	}
+}
+
 _PUBLIC_ const struct ldb_module_ops ldb_acl_module_ops = {
 	.name		   = "acl",
 	.search            = acl_search,
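Review bot: In acl_extended the mere presence of the LDB_CONTROL_AS_SYSTEM_OID control is treated as equivalent to a SYSTEM or administrator session, so the check is only as strong as whatever keeps that control off requests from unprivileged callers. That filtering is not visible in this hunk and should be confirmed, and a comment such as `/* as_system is trusted here: it must only be attachable by internal callers */` would record the assumption. In the denial path, acl_user_name dereferences `session_info->server_info` after checking only `session_info`, and its talloc_asprintf result can be NULL when it reaches the `%s` in ldb_asprintf_errstring. Guarding with `if (!session_info || !session_info->server_info) {` and falling back to a fixed string on allocation failure would keep the error path from faulting. The message text also says "attempted database modify" although this handler covers extended operations, which will mislead anyone reading the logs.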
@@ -1342,5 +1380,6 @@ _PUBLIC_ const struct ldb_module_ops ldb_acl_module_ops = {
 	.modify            = acl_modify,
 	.del               = acl_delete,
 	.rename            = acl_rename,
+	.extended          = acl_extended,
 	.init_context	   = acl_module_init
 };
diff --git a/source4/dsdb/samdb/ldb_modules/config.mk b/source4/dsdb/samdb/ldb_modules/config.mk
index 39e0721..4c968cd 100644
--- a/source4/dsdb/samdb/ldb_modules/config.mk
+++ b/source4/dsdb/samdb/ldb_modules/config.mk
@@ -218,18 +218,6 @@ INIT_FUNCTION = LDB_MODULE(local_password)
 ldb_local_password_OBJ_FILES = $(dsdbsrcdir)/samdb/ldb_modules/local_password.o
 
 ################################################
-# Start MODULE ldb_kludge_acl
-[MODULE::ldb_kludge_acl]
-PRIVATE_DEPENDENCIES = LIBTALLOC LIBEVENTS LIBSECURITY SAMDB
-SUBSYSTEM = LIBLDB
-INIT_FUNCTION = LDB_MODULE(kludge_acl)
-
-# End MODULE ldb_kludge_acl
-################################################
-
-ldb_kludge_acl_OBJ_FILES = $(dsdbsrcdir)/samdb/ldb_modules/kludge_acl.o
-
-################################################
 # Start MODULE ldb_extended_dn_in
 [MODULE::ldb_extended_dn_in]
 SUBSYSTEM = LIBLDB
diff --git a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
index 392e215..82f5ec3 100644
--- a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
+++ b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
@@ -178,7 +178,6 @@ static int samba_dsdb_init(struct ldb_module *module)
 					     "samldb",
 					     "password_hash",
 					     "operational",
-					     "kludge_acl",
 					     "schema_load",
 					     "instancetype",
 					     "objectclass_attrs",
diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
index 75940c8..fda1733 100644
--- a/source4/dsdb/samdb/ldb_modules/util.c
+++ b/source4/dsdb/samdb/ldb_modules/util.c
@@ -910,6 +910,14 @@ bool dsdb_module_am_system(struct ldb_module *module)
 	return security_session_user_level(session_info, NULL) == SECURITY_SYSTEM;
 }
 
+bool dsdb_module_am_administrator(struct ldb_module *module)
+{
+	struct ldb_context *ldb = ldb_module_get_ctx(module);
+	struct auth_session_info *session_info
+		= (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
+	return security_session_user_level(session_info, NULL) == SECURITY_ADMINISTRATOR;
+}
+
 /*
   check if the recyclebin is enabled
  */
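Review bot: dsdb_module_am_administrator has no comment stating that it matches only an exact SECURITY_ADMINISTRATOR level, so a SYSTEM session returns false and callers have to pair it with dsdb_module_am_system, as acl_extended does in this commit. A header such as `/* true only if the session level is exactly SECURITY_ADMINISTRATOR; SYSTEM sessions are not included */` would stop it being used alone as an "at least administrator" test. It also passes a possibly NULL session_info straight to security_session_user_level, a case acl_user_name in acl.c treats as possible. Presumably that helper tolerates NULL, since the neighbouring dsdb_module_am_system relies on the same thing, but that is worth confirming. The recyclebin function whose comment closes this hunk lies outside it.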
diff --git a/source4/dsdb/samdb/ldb_modules/wscript_build b/source4/dsdb/samdb/ldb_modules/wscript_build
index 577d495..05a8641 100644
--- a/source4/dsdb/samdb/ldb_modules/wscript_build
+++ b/source4/dsdb/samdb/ldb_modules/wscript_build
@@ -151,16 +151,6 @@ bld.SAMBA_MODULE('ldb_local_password',
 	deps='talloc LIBEVENTS LIBNDR SAMDB'
 	)
 
-
-bld.SAMBA_MODULE('ldb_kludge_acl',
-	source='kludge_acl.c',
-	subsystem='ldb',
-	init_function='LDB_MODULE(kludge_acl)',
-	internal_module=not bld.CONFIG_SET('USING_SYSTEM_LDB'),
-	deps='talloc LIBEVENTS LIBSECURITY SAMDB'
-	)
-
-
 bld.SAMBA_MODULE('ldb_extended_dn_in',
 	source='extended_dn_in.c',
 	subsystem='ldb',


-- 
Samba Shared Repository

