[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Thu Nov 25 16:37:02 MST 2010 

The branch, master has been updated
       via  fab9d94 s4-dsdb Remove rootDSE and anonymous checks from acl_read
       via  d184da8 s4-dsdb Add 'block anonymous' checks to the rootdse module
       via  885ecd7 s4-dsdb Remove mem_ctx argument from dsdb_module_find_dsheuristics().
      from  fad57d8 s4-tests: Made acl tests to reconnect if dSHeuristics is being manipulated

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit fab9d94006351793fddd7f06eef7a05c62f8817c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 25 16:17:10 2010 +1100

    s4-dsdb Remove rootDSE and anonymous checks from acl_read
    
    The rootdse module handles rootDSE requests, and blocks anonymous
    access, so we on't need to do it again here.
    
    Andrew Bartlett
    
    Autobuild-User: Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date: Fri Nov 26 00:36:19 CET 2010 on sn-devel-104

commit d184da806550c2edb6113206048ea78c3d2d27a0
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 25 16:13:17 2010 +1100

    s4-dsdb Add 'block anonymous' checks to the rootdse module
    
    This ensures that one single point checks for and blocks anonymous
    read access to the database over LDAP.
    
    Andrew Bartlett

commit 885ecd7b6b567a50067c9d3298e67c6e0f85b82a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 25 16:12:39 2010 +1100

    s4-dsdb Remove mem_ctx argument from dsdb_module_find_dsheuristics().
    
    A function that does not return memory should not take a memory context.
    
    Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/samdb/ldb_modules/acl_read.c |   15 ----
 source4/dsdb/samdb/ldb_modules/rootdse.c  |  100 +++++++++++++++++++++++++++++
 source4/dsdb/samdb/ldb_modules/util.c     |    5 +-
 3 files changed, 102 insertions(+), 18 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index 401e0dc..81f9bf6 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -191,11 +191,9 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
 {
 	struct ldb_context *ldb;
 	int ret;
-	bool block_anonymous;
 	struct aclread_context *ac;
 	struct ldb_request *down_req;
 	struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
-	struct auth_session_info *session_info;
 	struct ldb_result *res;
 	struct ldb_message_element *parent;
 	struct aclread_private *p;
@@ -219,19 +217,6 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
 	if (ldb_dn_is_special(req->op.search.base)) {
 		return ldb_next_request(module, req);
 	}
-	/* allow all access to rootDSE */
-	if (req->op.search.scope == LDB_SCOPE_BASE && ldb_dn_is_null(req->op.search.base)) {
-		return ldb_next_request(module, req);
-	}
-
-	session_info = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
-	if (session_info && security_token_is_anonymous(session_info->security_token)) {
-		block_anonymous = dsdb_block_anonymous_ops(module, req);
-		if (block_anonymous) {
-			return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
-					 "This request is not allowed to an anonymous connection.");
-		}
-	}
 
 	/* check accessibility of base */
 	if (!ldb_dn_is_null(req->op.search.base)) {
diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c
index 8a3f0cf..263c6f5 100644
--- a/source4/dsdb/samdb/ldb_modules/rootdse.c
+++ b/source4/dsdb/samdb/ldb_modules/rootdse.c
@@ -40,6 +40,7 @@ struct private_data {
 	char **controls;
 	unsigned int num_partitions;
 	struct ldb_dn **partitions;
+	bool block_anonymous;
 };
 
 /*
@@ -613,6 +614,35 @@ static int rootdse_filter_controls(struct ldb_module *module, struct ldb_request
 	return LDB_SUCCESS;
 }
 
+/* Ensure that anonymous users are not allowed to make anything other than rootDSE search operations */
+
+static int rootdse_filter_operations(struct ldb_module *module, struct ldb_request *req)
+{
+	struct auth_session_info *session_info;
+	struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
+	bool is_untrusted = ldb_req_is_untrusted(req);
+	bool is_anonymous = true;
+	if (is_untrusted == false) {
+		return LDB_SUCCESS;
+	}
+
+	session_info = (struct auth_session_info *)ldb_get_opaque(ldb_module_get_ctx(module), "sessionInfo");
+	if (session_info) {
+		is_anonymous = security_token_is_anonymous(session_info->security_token);
+	}
+	
+	if (is_anonymous == false || (priv && priv->block_anonymous == false)) {
+		return LDB_SUCCESS;
+	}
+	
+	if (req->operation == LDB_SEARCH) {
+		if (req->op.search.scope == LDB_SCOPE_BASE && ldb_dn_is_null(req->op.search.base)) {
+			return LDB_SUCCESS;
+		}
+	}
+	ldb_set_errstring(ldb_module_get_ctx(module), "Operation unavailable without authentication");
+	return LDB_ERR_STRONG_AUTH_REQUIRED;
+}
 
 static int rootdse_search(struct ldb_module *module, struct ldb_request *req)
 {
@@ -621,6 +651,11 @@ static int rootdse_search(struct ldb_module *module, struct ldb_request *req)
 	struct ldb_request *down_req;
 	int ret;
 
+	ret = rootdse_filter_operations(module, req);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
 	ret = rootdse_filter_controls(module, req);
 	if (ret != LDB_SUCCESS) {
 		return ret;
@@ -735,6 +770,8 @@ static int rootdse_init(struct ldb_module *module)
 	data->controls = NULL;
 	data->num_partitions = 0;
 	data->partitions = NULL;
+	data->block_anonymous = true;
+
 	ldb_module_set_private(module, data);
 
 	ldb_set_default_dns(ldb);
@@ -833,6 +870,8 @@ static int rootdse_init(struct ldb_module *module)
 		}
 	}
 
+	data->block_anonymous = dsdb_block_anonymous_ops(module);
+
 	talloc_free(mem_ctx);
 
 	return LDB_SUCCESS;
@@ -1092,6 +1131,11 @@ static int rootdse_add(struct ldb_module *module, struct ldb_request *req)
 	struct ldb_context *ldb = ldb_module_get_ctx(module);
 	int ret;
 
+	ret = rootdse_filter_operations(module, req);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
 	ret = rootdse_filter_controls(module, req);
 	if (ret != LDB_SUCCESS) {
 		return ret;
@@ -1163,6 +1207,11 @@ static int rootdse_modify(struct ldb_module *module, struct ldb_request *req)
 	struct ldb_context *ldb = ldb_module_get_ctx(module);
 	int ret;
 
+	ret = rootdse_filter_operations(module, req);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
 	ret = rootdse_filter_controls(module, req);
 	if (ret != LDB_SUCCESS) {
 		return ret;
@@ -1205,11 +1254,42 @@ static int rootdse_modify(struct ldb_module *module, struct ldb_request *req)
 	return LDB_ERR_UNWILLING_TO_PERFORM;
 }
 
+static int rootdse_rename(struct ldb_module *module, struct ldb_request *req)
+{
+	struct ldb_context *ldb = ldb_module_get_ctx(module);
+	int ret;
+
+	ret = rootdse_filter_operations(module, req);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
+	ret = rootdse_filter_controls(module, req);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
+	/*
+		If dn is not "" we should let it pass through
+	*/
+	if (!ldb_dn_is_null(req->op.rename.olddn)) {
+		return ldb_next_request(module, req);
+	}
+
+	ldb_set_errstring(ldb, "rootdse_remove: you cannot rename the rootdse entry!");
+	return LDB_ERR_NO_SUCH_OBJECT;
+}
+
 static int rootdse_delete(struct ldb_module *module, struct ldb_request *req)
 {
 	struct ldb_context *ldb = ldb_module_get_ctx(module);
 	int ret;
 
+	ret = rootdse_filter_operations(module, req);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
 	ret = rootdse_filter_controls(module, req);
 	if (ret != LDB_SUCCESS) {
 		return ret;
@@ -1226,6 +1306,24 @@ static int rootdse_delete(struct ldb_module *module, struct ldb_request *req)
 	return LDB_ERR_NO_SUCH_OBJECT;
 }
 
+static int rootdse_extended(struct ldb_module *module, struct ldb_request *req)
+{
+	struct ldb_context *ldb = ldb_module_get_ctx(module);
+	int ret;
+
+	ret = rootdse_filter_operations(module, req);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
+	ret = rootdse_filter_controls(module, req);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
+	return ldb_next_request(module, req);
+}
+
 static const struct ldb_module_ops ldb_rootdse_module_ops = {
 	.name		= "rootdse",
 	.init_context   = rootdse_init,
@@ -1233,6 +1331,8 @@ static const struct ldb_module_ops ldb_rootdse_module_ops = {
 	.request	= rootdse_request,
 	.add		= rootdse_add,
 	.modify         = rootdse_modify,
+	.rename         = rootdse_rename,
+	.extended       = rootdse_extended,
 	.del		= rootdse_delete
 };
 
diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
index 01d7347..9608b06 100644
--- a/source4/dsdb/samdb/ldb_modules/util.c
+++ b/source4/dsdb/samdb/ldb_modules/util.c
@@ -1080,10 +1080,9 @@ const struct ldb_val *dsdb_module_find_dsheuristics(struct ldb_module *module,
 	return NULL;
 }
 
-bool dsdb_block_anonymous_ops(struct ldb_module *module,
-			      TALLOC_CTX *mem_ctx)
+bool dsdb_block_anonymous_ops(struct ldb_module *module)
 {
-	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+	TALLOC_CTX *tmp_ctx = talloc_new(module);
 	bool result;
 	const struct ldb_val *hr_val = dsdb_module_find_dsheuristics(module,
 								     tmp_ctx);


-- 
Samba Shared Repository

More information about the samba-cvs mailing list