[SCM] Samba Shared Repository - branch master updated

Nadezhda Ivanova nivanova at samba.org
Tue Mar 9 04:09:25 MST 2010


The branch, master has been updated
       via  f742623... Added a check for permissions to modify the RDN attribute on rename.
      from  ec53a0c... s4:dsdb/dns: change callers of samba_runcmd()

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f742623b7b8a19ff3230754562deeac7657cd8cd
Author: Nadezhda Ivanova <nadezhda.ivanova at postpath.com>
Date:   Sun Mar 7 21:42:53 2010 +0200

    Added a check for permissions to modify the RDN attribute on rename.
    
    Necessary because the rdn module will be moved below the acl module in the stack.

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/samdb/ldb_modules/acl.c |   12 ++++++++++++
 source4/lib/ldb/tests/python/acl.py  |   32 ++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+), 0 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index c10624d..e7665c7 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -958,6 +958,7 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
 	TALLOC_CTX *tmp_ctx = talloc_new(req);
 	NTSTATUS status;
 	uint32_t access_granted;
+	const char *rdn_name;
 	static const char *acl_attrs[] = {
 		"nTSecurityDescriptor",
 		"objectClass",
@@ -1001,6 +1002,17 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
 		return LDB_ERR_OPERATIONS_ERROR;
 	};
 
+	rdn_name = ldb_dn_get_rdn_name(req->op.rename.olddn);
+	if (rdn_name == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	guid = attribute_schemaid_guid_by_lDAPDisplayName(dsdb_get_schema(ldb),
+							  rdn_name);
+	if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
+				   &new_node, &new_node)) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	};
+
 	ret = get_sd_from_ldb_message(req, acl_res->msgs[0], &sd);
 
 	if (ret != LDB_SUCCESS) {
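Review bot: The pointer returned by attribute_schemaid_guid_by_lDAPDisplayName for the RDN attribute is handed to insert_in_object_tree without a NULL check; if the RDN attribute is not present in the schema (or dsdb_get_schema yields no schema), the lookup presumably returns NULL, and whether the WRITE_PROP check on the RDN attribute is then silently skipped or dereferences NULL depends on how insert_in_object_tree treats a NULL guid, which is not visible here. An access check should fail closed, so add `if (guid == NULL) { return LDB_ERR_OPERATIONS_ERROR; }` between the lookup and the insert_in_object_tree call. The `};` after the closing brace of the new insert_in_object_tree check is an empty statement and can be written `}`, although the preceding check in this function uses the same form. The two new early returns leave tmp_ctx to be released with req rather than freeing it explicitly, matching the existing return just above them. acl_rename starts and ends outside this hunk, and guid and new_node are declared above it; the declaration hunk for rdn_name earlier in this section raises nothing on its own.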
diff --git a/source4/lib/ldb/tests/python/acl.py b/source4/lib/ldb/tests/python/acl.py
index 083c7ae..42c8c7e 100755
--- a/source4/lib/ldb/tests/python/acl.py
+++ b/source4/lib/ldb/tests/python/acl.py
@@ -785,6 +785,7 @@ class AclRenameTests(AclTests):
         self.delete_force(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou1," + self.base_dn)
         self.delete_force(self.ldb_admin, "CN=test_rename_user2,OU=test_rename_ou1," + self.base_dn)
         self.delete_force(self.ldb_admin, "CN=test_rename_user5,OU=test_rename_ou1," + self.base_dn)
+        self.delete_force(self.ldb_admin, "OU=test_rename_ou3,OU=test_rename_ou1," + self.base_dn)
         self.delete_force(self.ldb_admin, "OU=test_rename_ou1," + self.base_dn)
         if self.SAMBA:
             self.delete_force(self.ldb_admin, self.get_user_dn(self.regular_user))
@@ -939,6 +940,37 @@ class AclRenameTests(AclTests):
                 % rename_user_dn )
         self.assertNotEqual( res, [] )
 
+    def test_rename_u8(self):
+        """Test rename on an object with and without modify access on the RDN attribute"""
+        ou1_dn = "OU=test_rename_ou1," + self.base_dn
+        ou2_dn = "OU=test_rename_ou2," + ou1_dn
+        ou3_dn = "OU=test_rename_ou3," + ou1_dn
+        # Create OU structure
+        self.create_ou(self.ldb_admin, ou1_dn)
+        self.create_ou(self.ldb_admin, ou2_dn)
+        sid = self.get_object_sid(self.get_user_dn(self.regular_user))
+        mod = "(OA;;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;%s)" % str(sid)
+        self.dacl_add_ace(ou2_dn, mod)
+        mod = "(OD;;WP;bf9679f0-0de6-11d0-a285-00aa003049e2;;%s)" % str(sid)
+        self.dacl_add_ace(ou2_dn, mod)
+        try:
+            self.ldb_user.rename(ou2_dn, ou3_dn)
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
+        else:
+            # This rename operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
+            self.fail()
+        sid = self.get_object_sid(self.get_user_dn(self.regular_user))
+        mod = "(A;;WP;bf9679f0-0de6-11d0-a285-00aa003049e2;;%s)" % str(sid)
+        self.dacl_add_ace(ou2_dn, mod)
+        self.ldb_user.rename(ou2_dn, ou3_dn)
+        res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
+                % ou2_dn )
+        self.assertEqual( res, [] )
+        res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
+                % ou3_dn )
+        self.assertNotEqual( res, [] )
+
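Review bot: The second `sid = self.get_object_sid(self.get_user_dn(self.regular_user))` before the allow ACE is a redundant re-fetch of the value computed at the top of test_rename_u8 and can be dropped. The two schemaIDGUIDs in the ACE strings are bare constants; a short comment naming the attribute each one denotes would make the intent of the test readable, e.g. `# WP granted on one attribute but denied on the RDN attribute: rename must be refused` above the first dacl_add_ace and `# WP now granted on the RDN attribute: rename must succeed` above the third (confirm the attribute names against the schema before stating them). `self.fail()` in the else branch carries no message; `self.fail("rename succeeded without WP on the RDN attribute")` would make the failure self-explanatory in test output. The first hunk of this file only adds the matching delete_force cleanup for test_rename_ou3 and raises nothing.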
 # Important unit running information
 
 if not "://" in host:

