[SCM] Samba Shared Repository - branch master updated
Matthieu Patou
mat at samba.org
Thu Jan 17 03:22:03 MST 2013
The branch, master has been updated
via 6a10255 dsdb-acl: calculate sDRightsEffective based on "nTSecurityDescriptor"
via ccf577d dsdb-acl: add helper variable 'ldb' in acl_sDRightsEffective
via 629ce2a libcli/security: don't look at the inherited type in get_ace_object_type()
via 7046060 dsdb-acl: fix the order of special and system checks
via a0c59b4 dsdb-acl: Do not apply ACL on special DNs to hide attributes that the user shouldn't see
via 961a1fb dsdb-acl: talloc_free the private context when we pass to the next module
via 947985b dsdb-acl: don't call dsdb_user_password_support() if we don't use the result
from 8e63a72 smb2_ioctl: copychunk request max output validation
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 6a1025551eb5b343ec996ae0c642d542162e8910
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 8 15:55:36 2013 +0100
dsdb-acl: calculate sDRightsEffective based on "nTSecurityDescriptor"
acl_check_access_on_attribute should never be called with attr=NULL
because we don't check access on an attribute in that case
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Matthieu Patou <mat at matws.net>
Autobuild-User(master): Matthieu Patou <mat at samba.org>
Autobuild-Date(master): Thu Jan 17 11:21:10 CET 2013 on sn-devel-104
commit ccf577da14194f5f3377226bcdb7e69b62a94851
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 8 15:54:47 2013 +0100
dsdb-acl: add helper variable 'ldb' in acl_sDRightsEffective
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Matthieu Patou <mat at matws.net>
commit 629ce2a1ba392f2e8b632752c583843777471378
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 4 16:03:42 2013 +0100
libcli/security: don't look at the inherited type in get_ace_object_type()
The inherited_type is only used to decide if aces should be inherited
effectively or not (INHERIT_ONLY) for the specified object.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Matthieu Patou <mat at matws.net>
commit 70460605c6132ffbc6be825c24f188674c0ac979
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 17 08:51:23 2013 +0100
dsdb-acl: fix the order of special and system checks
First we check for a special dn, then for system access.
All allocations happen after these checks in order to avoid
allocations we won't use.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Matthieu Patou <mat at matws.net>
commit a0c59b4da1c5d8637c92e65c7cf54bb82bc8fca5
Author: Matthieu Patou <mat at matws.net>
Date: Sun Dec 30 02:27:25 2012 -0800
dsdb-acl: Do not apply ACL on special DNs to hide attributes that the user shouldn't see
This fixes frequent reindexing when using a python script with a
user that is not system.
The reindexing is caused by the ACL module hiding (removing) attributes in
the search request for all attributes in dn=@ATTRIBUTES, and because
dsdb_schema_set_indices_and_attributes checks that the list of
attributes that it just calculated from the schema is the same as the
list written in @ATTRIBUTES; if not, the list is replaced and a
reindexing is triggered.
Signed-off-by: Matthieu Patou <mat at matws.net>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 961a1fbbbccb7fbb14634ec230985f3fd000b050
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 17 08:37:58 2013 +0100
dsdb-acl: talloc_free the private context when we pass to the next module
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Matthieu Patou <mat at matws.net>
commit 947985b259ac05e95d65be19c67f384579a797ce
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 17 08:37:12 2013 +0100
dsdb-acl: don't call dsdb_user_password_support() if we don't use the result
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Matthieu Patou <mat at matws.net>
-----------------------------------------------------------------------
Summary of changes:
libcli/security/access_check.c | 2 -
source4/dsdb/samdb/ldb_modules/acl.c | 115 +++++++++++++++++++++++++--------
2 files changed, 87 insertions(+), 30 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index 9153dad..70345f5 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -371,8 +371,6 @@ static const struct GUID *get_ace_object_type(struct security_ace *ace)
if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT)
type = &ace->object.object.type.type;
- else if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)
- type = &ace->object.object.inherited_type.inherited_type; /* This doesn't look right. Is something wrong with the IDL? */
else
type = NULL;
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 9056a41..539363c 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -458,6 +458,7 @@ static int acl_sDRightsEffective(struct ldb_module *module,
struct ldb_message *msg,
struct acl_context *ac)
{
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
struct ldb_message_element *rightsEffective;
int ret;
struct security_descriptor *sd;
@@ -480,8 +481,16 @@ static int acl_sDRightsEffective(struct ldb_module *module,
flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_SACL | SECINFO_DACL;
}
else {
+ const struct dsdb_attribute *attr;
+
+ attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
+ "nTSecurityDescriptor");
+ if (attr == NULL) {
+ return ldb_operr(ldb);
+ }
+
/* Get the security descriptor from the message */
- ret = dsdb_get_sd_from_ldb_message(ldb_module_get_ctx(module), msg, sd_msg, &sd);
+ ret = dsdb_get_sd_from_ldb_message(ldb, msg, sd_msg, &sd);
if (ret != LDB_SUCCESS) {
return ret;
}
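Review bot: The `attr == NULL` branch turns a missing schema entry for nTSecurityDescriptor into `ldb_operr(ldb)`, but nothing in this hunk establishes that `ac->schema` itself is non-NULL when acl_sDRightsEffective runs; acl_search assigns it from dsdb_get_schema() with no check visible in this diff, so if that is not guarded elsewhere the lookup would dereference NULL before this check is reached — worth confirming. A short comment on the lookup would also explain the choice of attribute for the three `attr)` arguments in the following hunks: `/* sDRightsEffective describes the caller's rights on the SD itself, so the per-attribute checks below are made against nTSecurityDescriptor */`. The function's body continues outside the hunk.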
@@ -491,7 +500,7 @@ static int acl_sDRightsEffective(struct ldb_module *module,
sd,
sid,
SEC_STD_WRITE_OWNER,
- NULL);
+ attr);
if (ret == LDB_SUCCESS) {
flags |= SECINFO_OWNER | SECINFO_GROUP;
}
@@ -500,7 +509,7 @@ static int acl_sDRightsEffective(struct ldb_module *module,
sd,
sid,
SEC_STD_WRITE_DAC,
- NULL);
+ attr);
if (ret == LDB_SUCCESS) {
flags |= SECINFO_DACL;
}
@@ -509,7 +518,7 @@ static int acl_sDRightsEffective(struct ldb_module *module,
sd,
sid,
SEC_FLAG_SYSTEM_SECURITY,
- NULL);
+ attr);
if (ret == LDB_SUCCESS) {
flags |= SECINFO_SACL;
}
@@ -751,14 +760,19 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx,
static int acl_add(struct ldb_module *module, struct ldb_request *req)
{
int ret;
- struct ldb_dn *parent = ldb_dn_get_parent(req, req->op.add.message->dn);
+ struct ldb_dn *parent;
struct ldb_context *ldb;
const struct dsdb_schema *schema;
struct ldb_message_element *oc_el;
const struct GUID *guid;
struct ldb_dn *nc_root;
- struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
+ struct ldb_control *as_system;
+
+ if (ldb_dn_is_special(req->op.add.message->dn)) {
+ return ldb_next_request(module, req);
+ }
+ as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
if (as_system != NULL) {
as_system->critical = 0;
}
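Review bot: Moving the ldb_dn_is_special() check ahead of the as_system handling means that for a special DN the request is now passed on before `as_system->critical = 0` runs, whereas previously the control had already been marked non-critical by the time the special-DN path returned. If a caller sends LDB_CONTROL_AS_SYSTEM_OID as critical against a special DN and no later module clears it, whichever layer enforces unhandled critical controls may now reject the request; if that is intended, a comment at the early return should say so, otherwise the `as_system->critical = 0;` assignment belongs before the special-DN return. The same reordering is made in acl_modify, acl_delete and acl_rename further down this diff, and acl_add's body continues outside the hunk.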
@@ -766,12 +780,14 @@ static int acl_add(struct ldb_module *module, struct ldb_request *req)
if (dsdb_module_am_system(module) || as_system) {
return ldb_next_request(module, req);
}
- if (ldb_dn_is_special(req->op.add.message->dn)) {
- return ldb_next_request(module, req);
- }
ldb = ldb_module_get_ctx(module);
+ parent = ldb_dn_get_parent(req, req->op.add.message->dn);
+ if (parent == NULL) {
+ return ldb_oom(ldb);
+ }
+
/* Creating an NC. There is probably something we should do here,
* but we will establish that later */
@@ -981,9 +997,9 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
struct ldb_result *acl_res;
struct security_descriptor *sd;
struct dom_sid *sid = NULL;
- struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
- bool userPassword = dsdb_user_password_support(module, req, req);
- TALLOC_CTX *tmp_ctx = talloc_new(req);
+ struct ldb_control *as_system;
+ bool userPassword;
+ TALLOC_CTX *tmp_ctx;
static const char *acl_attrs[] = {
"nTSecurityDescriptor",
"objectClass",
@@ -991,6 +1007,11 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
NULL
};
+ if (ldb_dn_is_special(req->op.mod.message->dn)) {
+ return ldb_next_request(module, req);
+ }
+
+ as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
if (as_system != NULL) {
as_system->critical = 0;
}
@@ -1003,9 +1024,12 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
if (dsdb_module_am_system(module) || as_system) {
return ldb_next_request(module, req);
}
- if (ldb_dn_is_special(req->op.mod.message->dn)) {
- return ldb_next_request(module, req);
+
+ tmp_ctx = talloc_new(req);
+ if (tmp_ctx == NULL) {
+ return ldb_oom(ldb);
}
+
ret = dsdb_module_search_dn(module, tmp_ctx, &acl_res, req->op.mod.message->dn,
acl_attrs,
DSDB_FLAG_NEXT_MODULE |
@@ -1017,6 +1041,8 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
goto fail;
}
+ userPassword = dsdb_user_password_support(module, req, req);
+
schema = dsdb_get_schema(ldb, tmp_ctx);
if (!schema) {
talloc_free(tmp_ctx);
@@ -1196,25 +1222,33 @@ fail:
static int acl_delete(struct ldb_module *module, struct ldb_request *req)
{
int ret;
- struct ldb_dn *parent = ldb_dn_get_parent(req, req->op.del.dn);
+ struct ldb_dn *parent;
struct ldb_context *ldb;
struct ldb_dn *nc_root;
- struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
+ struct ldb_control *as_system;
+ if (ldb_dn_is_special(req->op.del.dn)) {
+ return ldb_next_request(module, req);
+ }
+
+ as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
if (as_system != NULL) {
as_system->critical = 0;
}
- DEBUG(10, ("ldb:acl_delete: %s\n", ldb_dn_get_linearized(req->op.del.dn)));
if (dsdb_module_am_system(module) || as_system) {
return ldb_next_request(module, req);
}
- if (ldb_dn_is_special(req->op.del.dn)) {
- return ldb_next_request(module, req);
- }
+
+ DEBUG(10, ("ldb:acl_delete: %s\n", ldb_dn_get_linearized(req->op.del.dn)));
ldb = ldb_module_get_ctx(module);
+ parent = ldb_dn_get_parent(req, req->op.del.dn);
+ if (parent == NULL) {
+ return ldb_oom(ldb);
+ }
+
/* Make sure we aren't deleting a NC */
ret = dsdb_find_nc_root(ldb, req, req->op.del.dn, &nc_root);
@@ -1263,8 +1297,8 @@ static int acl_delete(struct ldb_module *module, struct ldb_request *req)
static int acl_rename(struct ldb_module *module, struct ldb_request *req)
{
int ret;
- struct ldb_dn *oldparent = ldb_dn_get_parent(req, req->op.rename.olddn);
- struct ldb_dn *newparent = ldb_dn_get_parent(req, req->op.rename.newdn);
+ struct ldb_dn *oldparent;
+ struct ldb_dn *newparent;
const struct dsdb_schema *schema;
struct ldb_context *ldb;
struct security_descriptor *sd = NULL;
@@ -1274,8 +1308,8 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
struct ldb_dn *nc_root;
struct object_tree *root = NULL;
struct object_tree *new_node = NULL;
- struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
- TALLOC_CTX *tmp_ctx = talloc_new(req);
+ struct ldb_control *as_system;
+ TALLOC_CTX *tmp_ctx;
NTSTATUS status;
uint32_t access_granted;
const char *rdn_name;
@@ -1286,6 +1320,11 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
NULL
};
+ if (ldb_dn_is_special(req->op.rename.olddn)) {
+ return ldb_next_request(module, req);
+ }
+
+ as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
if (as_system != NULL) {
as_system->critical = 0;
}
@@ -1294,12 +1333,23 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
if (dsdb_module_am_system(module) || as_system) {
return ldb_next_request(module, req);
}
- if (ldb_dn_is_special(req->op.rename.olddn)) {
- return ldb_next_request(module, req);
- }
ldb = ldb_module_get_ctx(module);
+ tmp_ctx = talloc_new(req);
+ if (tmp_ctx == NULL) {
+ return ldb_oom(ldb);
+ }
+
+ oldparent = ldb_dn_get_parent(tmp_ctx, req->op.rename.olddn);
+ if (oldparent == NULL) {
+ return ldb_oom(ldb);
+ }
+ newparent = ldb_dn_get_parent(tmp_ctx, req->op.rename.newdn);
+ if (newparent == NULL) {
+ return ldb_oom(ldb);
+ }
+
/* Make sure we aren't renaming/moving a NC */
ret = dsdb_find_nc_root(ldb, req, req->op.rename.olddn, &nc_root);
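Review bot: The two new `return ldb_oom(ldb);` exits after the ldb_dn_get_parent() calls leave tmp_ctx allocated, while the error paths elsewhere in this file free it before returning (acl_modify's visible `talloc_free(tmp_ctx);` above). Since tmp_ctx is parented on req it is reclaimed with the request, so this is a consistency point rather than a leak, but the early exits should follow the same pattern: `talloc_free(tmp_ctx); return ldb_oom(ldb);`. Note also that oldparent and newparent are now parented on tmp_ctx rather than req, which is fine as long as neither outlives tmp_ctx further down in acl_rename, whose body continues outside the hunk.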
@@ -1642,6 +1692,10 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req)
int ret;
unsigned int i;
+ if (ldb_dn_is_special(req->op.search.base)) {
+ return ldb_next_request(module, req);
+ }
+
ldb = ldb_module_get_ctx(module);
ac = talloc_zero(req, struct acl_context);
@@ -1661,7 +1715,7 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req)
ac->allowedChildClasses = ldb_attr_in_list(req->op.search.attrs, "allowedChildClasses");
ac->allowedChildClassesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedChildClassesEffective");
ac->sDRightsEffective = ldb_attr_in_list(req->op.search.attrs, "sDRightsEffective");
- ac->userPassword = dsdb_user_password_support(module, ac, req);
+ ac->userPassword = true;
ac->schema = dsdb_get_schema(ldb, ac);
ac->constructed_attrs |= ac->allowedAttributes;
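Review bot: `ac->userPassword = true;` reads as a final value, but the next hunk overwrites it from dsdb_user_password_support() for non-system callers, so the literal is only a default that survives on the system path. A comment on the line would stop a reader from taking it as the policy: `/* default; refined below via dsdb_user_password_support() for non-system callers */`. acl_search starts before this hunk.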
@@ -1678,9 +1732,14 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req)
}
if (!ac->constructed_attrs && !ac->modify_search) {
+ talloc_free(ac);
return ldb_next_request(module, req);
}
+ if (!ac->am_system) {
+ ac->userPassword = dsdb_user_password_support(module, ac, req);
+ }
+
ret = acl_search_update_confidential_attrs(ac, data);
if (ret != LDB_SUCCESS) {
return ret;
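Review bot: The added `talloc_free(ac)` on the pass-through path reclaims the context early, but the `return ret;` after acl_search_update_confidential_attrs() at the end of the hunk still leaves ac alive until req is torn down. If the intent of this commit is that ac never outlives the point where acl_search gives up ownership, that error exit should match the new early free: `talloc_free(ac); return ret;`. acl_search's body continues after this hunk.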