[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Mon Jan 21 09:52:03 MST 2013
The branch, master has been updated
via abc0030 dsdb: Fix warning about unused var
via c52408f dsdb: Explain ordering constraints on the ACL module as well.
via 8f078cd dsdb: Ensure "authenticated users" is processed for group memberships
via d36c030 libcli/security: remove useless if (root->num_of_children > 0) statements
via 853ecd4 libcli/security: add init_mask to existing children in insert_in_object_tree
via 5b4e3de libcli/security: handle node initialisation in one spot in insert_in_object_tree()
via a359aef libcli/security: avoid usage of dom_sid_parse_talloc() in sec_access_check_ds()
via a3fffde libcli/security: simplify get_ace_object_type()
via b0f731f libcli/security: fix formating in access_check.c
via 10a90ce libcli/security: fix whitespaces in access_check.c
via 0ebb937 dsdb-acl: the SEC_ADS_DELETE_CHILD checks need objectclass->schemaIDGUID
via 8f8d97f dsdb-acl: make use of acl_check_access_on_objectclass() for the object in acl_delete()
via 8aa8555 dsdb-acl: make use of acl_check_access_on_{attribute,objectclass} in acl_rename()
via 8d31e42 dsdb-acl: make use of acl_check_access_on_attribute() in acl_modify()
via 8e47e64 dsdb-acl: remove unused acl_check_access_on_class()
via 34f1a52 dsdb-acl: use acl_check_access_on_objectclass() instead of acl_check_access_on_class()
via 6a4063f dsdb-acl: Use the structural objectClass in acl_check_access_on_attribute()
via e8cc59e dsdb-acl: Pass the structural objectClass into acl_check_access_on_attribute
via 93944ea dsdb-acl: Remove unused get_oc_guid_from_message()
via a1b421e dsdb-acl: ask for the objectClass attribute if it's not in the scope of the clients search
via 6ab4150 dsdb-acl: use dsdb_get_structural_oc_from_msg() rather than class_schemaid_guid_by_lDAPDisplayName
via 7304339 dsdb-acl: Use dsdb_get_structural_oc_from_msg() in acl_rename()
via 6d7e53a dsdb-acl: Use dsdb_get_structural_oc_from_msg() in acl_modify()
via 097fae2 dsdb-acl: add acl_check_access_on_objectclass() helper
via 74bfec0 dsdb-acl: Add helper function dsdb_get_structural_oc_from_msg()
via 2685a4e dsdb-acl: attr is not optional to acl_check_access_on_attribute()
via d695b8a dsdb-acl: dsdb_attribute_by_lDAPDisplayName() is needed for all attributes
via ddfb8fe dsdb-acl: introduce a 'el' helper variable to acl_modify()
via 71b856a dsdb-acl: introduce a 'msg' helper variable to acl_modify()
via c2853f5 dsdb-schema: make sure we build [system]PossibleInferiors completely
via 1f673bf dsdb-schema: make sure use clean caches in schema_inferiors.c
via c4b9ee2 dsdb-schema: make schema_subclasses_order_recurse() static
from 58fadf2 BUG 9474: Downgrade v4 printer driver requests to v3.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit abc0030f780b775bf7656b572ee754ebd8079b5d
Author: Matthieu Patou <mat at matws.net>
Date: Sat Dec 29 16:43:44 2012 -0800
dsdb: Fix warning about unused var
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Mon Jan 21 17:51:16 CET 2013 on sn-devel-104
commit c52408f461fb3515cde17eebb458b566fd0a049c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Jan 2 09:27:51 2013 +1100
dsdb: Explain ordering constraints on the ACL module as well.
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8f078cdf247476fad511bb6d7e00c8654fd26e85
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sat Dec 29 15:13:54 2012 +1100
dsdb: Ensure "authenticated users" is processed for group memberships
This change moves the addition of "Authenticated Users" from the very end of the
token processing to the start. The reason is that we need to see if
"Authenticated Users" is a member of other builtin groups, just as we
would for any other SID. This picks up the "Pre-Windows 2000 Compatible Access"
group, which is in turn often used in ACLs on LDAP objects.
Without this change, the eventual token does not contain S-1-5-32-554
and users other than "Administrator" are unable to read uidNumber
(in particular).
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
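The ordering change described in this commit message, as an added model rather than Samba code: a constructed in-memory table of builtin local groups stands in for the LDAP search in auth_generate_session_info(), and build_token() can run either the old order (expand nested groups, then append the standard SIDs) or the new one (standard SIDs first). The "Pre-Windows 2000 Compatible Access" membership and the uidNumber ACL trustee are constructed for the illustration.

```python
# Well-known SIDs named in the commit message and in the session.c change.
SID_WORLD = "S-1-1-0"                     # Everyone
SID_NT_NETWORK = "S-1-5-2"                # NETWORK
SID_NT_ANONYMOUS = "S-1-5-7"
SID_NT_AUTHENTICATED_USERS = "S-1-5-11"
SID_NT_SYSTEM = "S-1-5-18"
SID_BUILTIN_USERS = "S-1-5-32-545"
SID_BUILTIN_PRE_WIN2K = "S-1-5-32-554"    # "Pre-Windows 2000 Compatible Access"
PRIMARY_USER_SID_INDEX = 0

# Constructed sample directory (not real data): builtin local groups and their
# direct members by SID. The real code finds these with an LDAP search for
# (objectClass=group)(groupType:1.2.840.113556.1.4.803:=BUILTIN_LOCAL_GROUP).
SAMPLE_DOMAIN_USERS = "S-1-5-21-1000-2000-3000-513"
BUILTIN_GROUP_MEMBERS = {
    SID_BUILTIN_USERS: {SAMPLE_DOMAIN_USERS},
    SID_BUILTIN_PRE_WIN2K: {SID_NT_AUTHENTICATED_USERS},
}


def expand_nested_groups(sids):
    """Add every builtin group that has a member already in the token.

    Repeats until a pass adds nothing, so a builtin group that is itself a
    member of another builtin group is picked up as well.
    """
    token = list(sids)
    added = True
    while added:
        added = False
        present = set(token)
        for group, members in BUILTIN_GROUP_MEMBERS.items():
            if group not in present and members & present:
                token.append(group)
                added = True
    return token


def build_token(user_sids, authenticated=True, default_groups=True,
                standard_sids_first=True):
    """Build the session token for the user's own SIDs (user, primary group).

    standard_sids_first=True is the order after the commit: standard SIDs are
    added, then nested groups are expanded. False reproduces the old order,
    where the standard SIDs were appended at the very end and therefore never
    contributed memberships.
    """
    standard = []
    if default_groups:
        standard += [SID_WORLD, SID_NT_NETWORK]
    if authenticated:
        standard.append(SID_NT_AUTHENTICATED_USERS)

    sids = list(user_sids)
    if standard_sids_first:
        sids.extend(standard)

    # SYSTEM and anonymous tokens are never expanded, as in session.c.
    primary = sids[PRIMARY_USER_SID_INDEX] if len(sids) > PRIMARY_USER_SID_INDEX else None
    if primary not in (SID_NT_ANONYMOUS, SID_NT_SYSTEM):
        sids = expand_nested_groups(sids)

    if not standard_sids_first:
        sids.extend(standard)
    return sids


def can_read_uidnumber(token, acl_trustees=(SID_BUILTIN_PRE_WIN2K,)):
    """Stand-in for the LDAP read ACL: granted if any trustee SID is in the token."""
    return any(trustee in token for trustee in acl_trustees)


if __name__ == "__main__":
    user = ["S-1-5-21-1000-2000-3000-1105", SAMPLE_DOMAIN_USERS]
    for label, first in (("old order", False), ("new order", True)):
        token = build_token(user, standard_sids_first=first)
        print(label, "-> S-1-5-32-554 present:", SID_BUILTIN_PRE_WIN2K in token,
              "| can read uidNumber:", can_read_uidnumber(token))
```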
commit d36c03056fb85dfedbafd3a59497e35db63ade17
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jan 3 21:30:12 2013 +1100
libcli/security: remove useless if (root->num_of_children > 0) statements
The for loop does this implicitly when comparing for (i = 0; i < root->num_of_children; i++)
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 853ecd418afe15973d3e8844ad0e01d3d54536d5
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 15 19:03:00 2013 +0100
libcli/security: add init_mask to existing children in insert_in_object_tree
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5b4e3de2bb25eeb85d72a886386c853cea3e9468
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jan 3 20:40:32 2013 +1100
libcli/security: handle node initialisation in one spot in insert_in_object_tree()
This removes the special case for initialising the children array in
insert_in_object_tree(). talloc_realloc() handles the initial allocate
case perfectly well, so there is no need to have this duplicated.
This also restores having just one place where the rest of the elements
are initialised, to ensure uniform behaviour.
To do this, we have to rework insert_in_object_tree to have only one
output variable, both because having both root and new_node as output
variables was too confusing, and because otherwise the two pointers
were being allowed to point at the same memory.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a359aef0837781c42bf9dbcdd069796c72cc94c7
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jan 16 09:49:20 2013 +0100
libcli/security: avoid usage of dom_sid_parse_talloc() in sec_access_check_ds()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a3fffde368fa0c6594f7fd5309e0b20d3fa7c68e
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jan 16 10:05:56 2013 +0100
libcli/security: simplify get_ace_object_type()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b0f731fc3b96edf91216829bd0dc63bb4269f458
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jan 16 09:46:48 2013 +0100
libcli/security: fix formating in access_check.c
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 10a90ce8422ac4ff4461b13a3dd03bbcd9bd2258
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jan 16 09:43:44 2013 +0100
libcli/security: fix whitespaces in access_check.c
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0ebb93708eb377e29eaaf4400c65399d18c229b6
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 17 16:22:09 2013 +0100
dsdb-acl: the SEC_ADS_DELETE_CHILD checks need objectclass->schemaIDGUID
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8f8d97f9fe05b2de1403676a148ab7b90a83812b
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 17 16:21:10 2013 +0100
dsdb-acl: make use of acl_check_access_on_objectclass() for the object in acl_delete()
We should only use dsdb_module_check_access_on_dn() on the parent.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8aa855573067418c84f71aa3a20e5f472343851d
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jan 16 16:43:14 2013 +0100
dsdb-acl: make use of acl_check_access_on_{attribute,objectclass} in acl_rename()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8d31e42eed71e9686b03c496eeff1ff96a6742ea
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jan 16 16:41:51 2013 +0100
dsdb-acl: make use of acl_check_access_on_attribute() in acl_modify()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8e47e64f5d73441b6eb13d59001d52ec77c1c7d5
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jan 16 16:36:07 2013 +0100
dsdb-acl: remove unused acl_check_access_on_class()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 34f1a52689f4cc64fb63118e685a4442e3fe187a
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jan 16 16:35:33 2013 +0100
dsdb-acl: use acl_check_access_on_objectclass() instead of acl_check_access_on_class()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6a4063f30273ff184364f276c5206c3507f37644
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Jan 2 15:01:23 2013 +1100
dsdb-acl: Use the structural objectClass in acl_check_access_on_attribute()
This commit enters the GUID into the object tree so that access
rights assigned to the structural objectClass are also available, as
well as rights assigned to the attribute property groups.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e8cc59eb781006c6193249128a1ffc4bcba8f28a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Jan 2 15:01:00 2013 +1100
dsdb-acl: Pass the structural objectClass into acl_check_access_on_attribute
This will, when the GUID is entered into the object tree (not in this
commit) ensure that access rights assigned to the structural
objectClass are also available, as well as rights assigned to the
attribute property groups.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 93944ea90069df5379993f5c186ffd68e166f1c4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Jan 2 14:55:36 2013 +1100
dsdb-acl: Remove unused get_oc_guid_from_message()
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a1b421e8cca24a5831f4c6d77714cf54faf8c48e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Jan 2 15:01:00 2013 +1100
dsdb-acl: ask for the objectClass attribute if it's not in the scope of the clients search
This will be used later.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6ab41506857814d69d897471a14002d98fb4c172
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Jan 2 09:26:15 2013 +1100
dsdb-acl: use dsdb_get_structural_oc_from_msg() rather than class_schemaid_guid_by_lDAPDisplayName
This uses dsdb_get_last_structural_objectclass(), which encodes this ordering
knowledge in one place in the code, rather than using this uncommented
magic expression:
(char *)oc_el->values[oc_el->num_values-1].data
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 730433984c9f3dd30ee0b07dc22af56b4d3a062f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Jan 2 14:54:20 2013 +1100
dsdb-acl: Use dsdb_get_structural_oc_from_msg() in acl_rename()
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6d7e53aaac8c95f86e1eb8593880ae1c09d973d4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Jan 2 14:53:02 2013 +1100
dsdb-acl: Use dsdb_get_structural_oc_from_msg() in acl_modify()
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 097fae2d1d6ae04a7bfc795803f200b6f703a904
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jan 16 16:34:56 2013 +0100
dsdb-acl: add acl_check_access_on_objectclass() helper
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 74bfec026921fcfc430fb7cfaee44ed75f135a99
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Jan 2 14:52:21 2013 +1100
dsdb-acl: Add helper function dsdb_get_structural_oc_from_msg()
This will eventually replace get_oc_guid_from_message(), returning the full dsdb_class.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2685a4ed6681b1a20fb26087867737ecbf8fad73
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jan 16 11:45:46 2013 +0100
dsdb-acl: attr is not optional to acl_check_access_on_attribute()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d695b8abc7a2e4f7e1853d0c61fe0c03fc786111
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jan 16 16:39:35 2013 +0100
dsdb-acl: dsdb_attribute_by_lDAPDisplayName() is needed for all attributes
"clearTextPassword" is the only exception.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ddfb8fe89c493c485250d59868312614c79a9cc1
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 18 09:17:25 2013 +0100
dsdb-acl: introduce a 'el' helper variable to acl_modify()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 71b856a3f08fbd095833c27c59d7ed382be70d2a
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 18 09:17:25 2013 +0100
dsdb-acl: introduce a 'msg' helper variable to acl_modify()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c2853f55fc603d4875bb1e50a1cbf409df0421ea
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 17 14:41:39 2013 +0100
dsdb-schema: make sure we build [system]PossibleInferiors completely
Otherwise callers like dsdb_schema_copy_shallow() will corrupt the
talloc hierarchy.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1f673bf9209405dfa2593859bbc45d1c6dc2a960
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 17 14:40:24 2013 +0100
dsdb-schema: make sure use clean caches in schema_inferiors.c
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c4b9ee255814b8121d13e33cd9b0cd7c093d736c
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 17 14:14:37 2013 +0100
dsdb-schema: make schema_subclasses_order_recurse() static
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
libcli/security/access_check.c | 206 +++++-----
libcli/security/access_check.h | 8 +-
libcli/security/object_tree.c | 80 ++--
source4/auth/session.c | 44 ++-
source4/dsdb/common/dsdb_access.c | 5 +-
source4/dsdb/common/util_groups.c | 25 ++
source4/dsdb/samdb/ldb_modules/acl.c | 478 +++++++++++-----------
source4/dsdb/samdb/ldb_modules/acl_read.c | 32 ++-
source4/dsdb/samdb/ldb_modules/acl_util.c | 95 +++--
source4/dsdb/samdb/ldb_modules/extended_dn_out.c | 2 -
source4/dsdb/samdb/ldb_modules/samba_dsdb.c | 4 +-
source4/dsdb/samdb/ldb_modules/util.c | 13 +
source4/dsdb/samdb/samdb.c | 31 --
source4/dsdb/schema/schema.h | 11 +-
source4/dsdb/schema/schema_inferiors.c | 59 ++--
15 files changed, 592 insertions(+), 501 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index 70345f5..f0a7b66 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -367,15 +367,11 @@ NTSTATUS se_file_access_check(const struct security_descriptor *sd,
static const struct GUID *get_ace_object_type(struct security_ace *ace)
{
- struct GUID *type;
-
- if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT)
- type = &ace->object.object.type.type;
- else
- type = NULL;
-
- return type;
+ if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
+ return &ace->object.object.type.type;
+ }
+ return NULL;
}
/* modified access check for the purposes of DS security
@@ -389,31 +385,32 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
struct object_tree *tree,
struct dom_sid *replace_sid)
{
- uint32_t i;
- uint32_t bits_remaining;
- struct object_tree *node;
- const struct GUID *type;
- struct dom_sid *ps_sid = dom_sid_parse_talloc(NULL, SID_NT_SELF);
-
- *access_granted = access_desired;
- bits_remaining = access_desired;
-
- /* handle the maximum allowed flag */
- if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
- access_desired |= access_check_max_allowed(sd, token);
- access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
- *access_granted = access_desired;
+ uint32_t i;
+ uint32_t bits_remaining;
+ struct object_tree *node;
+ const struct GUID *type;
+ struct dom_sid self_sid;
+
+ dom_sid_parse(SID_NT_SELF, &self_sid);
+
+ *access_granted = access_desired;
+ bits_remaining = access_desired;
+
+ /* handle the maximum allowed flag */
+ if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
+ access_desired |= access_check_max_allowed(sd, token);
+ access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
+ *access_granted = access_desired;
bits_remaining = access_desired;
- }
+ }
- if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
- if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
- bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
- } else {
- talloc_free(ps_sid);
- return NT_STATUS_PRIVILEGE_NOT_HELD;
- }
- }
+ if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
+ if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
+ bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
+ } else {
+ return NT_STATUS_PRIVILEGE_NOT_HELD;
+ }
+ }
/* the owner always gets SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL */
if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL)) &&
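Review bot: the return value of `dom_sid_parse(SID_NT_SELF, &self_sid);` is ignored, while the session.c hunk in this same push checks every `dom_sid_parse()` call and returns NT_STATUS_INTERNAL_ERROR on failure. Parsing a compile-time constant cannot realistically fail, but `self_sid` is compared against every ACE trustee further down, so either check the result the same way or add a comment stating why skipping the check is safe here.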
@@ -431,88 +428,89 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
}
- /* a NULL dacl allows access */
- if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
- *access_granted = access_desired;
- talloc_free(ps_sid);
- return NT_STATUS_OK;
- }
+ /* a NULL dacl allows access */
+ if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
+ *access_granted = access_desired;
+ return NT_STATUS_OK;
+ }
- if (sd->dacl == NULL) {
- goto done;
- }
+ if (sd->dacl == NULL) {
+ goto done;
+ }
- /* check each ace in turn. */
- for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
+ /* check each ace in turn. */
+ for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
struct dom_sid *trustee;
struct security_ace *ace = &sd->dacl->aces[i];
- if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
- continue;
- }
- if (dom_sid_equal(&ace->trustee, ps_sid) && replace_sid) {
- trustee = replace_sid;
+ if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
+ continue;
}
- else
- {
+
+ if (dom_sid_equal(&ace->trustee, &self_sid) && replace_sid) {
+ trustee = replace_sid;
+ } else {
trustee = &ace->trustee;
}
- if (!security_token_has_sid(token, trustee)) {
- continue;
- }
-
- switch (ace->type) {
- case SEC_ACE_TYPE_ACCESS_ALLOWED:
- if (tree)
- object_tree_modify_access(tree, ace->access_mask);
-
- bits_remaining &= ~ace->access_mask;
- break;
- case SEC_ACE_TYPE_ACCESS_DENIED:
- if (bits_remaining & ace->access_mask) {
- talloc_free(ps_sid);
- return NT_STATUS_ACCESS_DENIED;
- }
- break;
- case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
- case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
- /* check only in case we have provided a tree,
- * the ACE has an object type and that type
- * is in the tree */
- type = get_ace_object_type(ace);
-
- if (!tree)
- continue;
-
- if (!type)
- node = tree;
- else
- if (!(node = get_object_tree_by_GUID(tree, type)))
- continue;
-
- if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
- object_tree_modify_access(node, ace->access_mask);
- if (node->remaining_access == 0) {
- talloc_free(ps_sid);
- return NT_STATUS_OK;
- }
- } else {
- if (node->remaining_access & ace->access_mask){
- talloc_free(ps_sid);
- return NT_STATUS_ACCESS_DENIED;
- }
- }
- break;
- default: /* Other ACE types not handled/supported */
- break;
- }
- }
+
+ if (!security_token_has_sid(token, trustee)) {
+ continue;
+ }
+
+ switch (ace->type) {
+ case SEC_ACE_TYPE_ACCESS_ALLOWED:
+ if (tree) {
+ object_tree_modify_access(tree, ace->access_mask);
+ }
+
+ bits_remaining &= ~ace->access_mask;
+ break;
+ case SEC_ACE_TYPE_ACCESS_DENIED:
+ if (bits_remaining & ace->access_mask) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ break;
+ case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
+ case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
+ /*
+ * check only in case we have provided a tree,
+ * the ACE has an object type and that type
+ * is in the tree
+ */
+ type = get_ace_object_type(ace);
+
+ if (!tree) {
+ continue;
+ }
+
+ if (!type) {
+ node = tree;
+ } else {
+ if (!(node = get_object_tree_by_GUID(tree, type))) {
+ continue;
+ }
+ }
+
+ if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
+ object_tree_modify_access(node, ace->access_mask);
+ if (node->remaining_access == 0) {
+ return NT_STATUS_OK;
+ }
+ } else {
+ if (node->remaining_access & ace->access_mask){
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ }
+ break;
+ default: /* Other ACE types not handled/supported */
+ break;
+ }
+ }
done:
- talloc_free(ps_sid);
- if (bits_remaining != 0) {
- return NT_STATUS_ACCESS_DENIED;
- }
+ if (bits_remaining != 0) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
- return NT_STATUS_OK;
+ return NT_STATUS_OK;
}
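Review bot: style nit in the re-indented ACE loop: `for (i=0; bits_remaining && i < sd->dacl->num_aces; i++)` and `if (node->remaining_access & ace->access_mask){` keep the old spacing (no spaces around `=`, no space before `{`) although the rest of the body was reformatted to the `if (...) {` form. Since this hunk already rewrites every line of the function for whitespace, making those two consistent would finish the job.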
diff --git a/libcli/security/access_check.h b/libcli/security/access_check.h
index 84b2e5f..952589d 100644
--- a/libcli/security/access_check.h
+++ b/libcli/security/access_check.h
@@ -77,10 +77,10 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
struct dom_sid *replace_sid);
bool insert_in_object_tree(TALLOC_CTX *mem_ctx,
- const struct GUID *guid,
- uint32_t init_access,
- struct object_tree **root,
- struct object_tree **new_node);
+ const struct GUID *guid,
+ uint32_t init_access,
+ struct object_tree *root,
+ struct object_tree **new_node_out);
/* search by GUID */
struct object_tree *get_object_tree_by_GUID(struct object_tree *root,
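Review bot: missing documentation for the new contract: `root` changed from `struct object_tree **` to `struct object_tree *` and the output moved to `new_node_out`, so a caller now passes NULL to have a root allocated and handed back through `new_node_out` (as dsdb_access.c does below). A comment on the prototype stating that, and that `*new_node_out` is left untouched when `guid` is NULL or all-zero, would spare callers from reading object_tree.c to learn it.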
diff --git a/libcli/security/object_tree.c b/libcli/security/object_tree.c
index dcbd310..3e5ee10 100644
--- a/libcli/security/object_tree.c
+++ b/libcli/security/object_tree.c
@@ -38,52 +38,52 @@
*/
bool insert_in_object_tree(TALLOC_CTX *mem_ctx,
- const struct GUID *guid,
- uint32_t init_access,
- struct object_tree **root,
- struct object_tree **new_node)
+ const struct GUID *guid,
+ uint32_t init_access,
+ struct object_tree *root,
+ struct object_tree **new_node_out)
{
+ struct object_tree *new_node;
+
if (!guid || GUID_all_zero(guid)){
return true;
}
- if (!*root){
- *root = talloc_zero(mem_ctx, struct object_tree);
- if (!*root) {
+ if (!root) {
+ root = talloc_zero(mem_ctx, struct object_tree);
+ if (!root) {
return false;
}
- (*root)->guid = *guid;
- (*root)->remaining_access = init_access;
- *new_node = *root;
- return true;
- }
-
- if (!(*root)->children) {
- (*root)->children = talloc_array(mem_ctx, struct object_tree, 1);
- (*root)->children[0].guid = *guid;
- (*root)->children[0].num_of_children = 0;
- (*root)->children[0].children = NULL;
- (*root)->num_of_children++;
- (*root)->children[0].remaining_access = init_access;
- *new_node = &((*root)->children[0]);
- return true;
- }
- else {
+ new_node = root;
+ } else {
int i;
- for (i = 0; i < (*root)->num_of_children; i++) {
- if (GUID_equal(&((*root)->children[i].guid), guid)) {
- *new_node = &((*root)->children[i]);
+
+ for (i = 0; i < root->num_of_children; i++) {
+ if (GUID_equal(&root->children[i].guid, guid)) {
+ new_node = &root->children[i];
+ new_node->remaining_access |= init_access;
+ *new_node_out = new_node;
return true;
}
}
- (*root)->children = talloc_realloc(mem_ctx, (*root)->children, struct object_tree,
- (*root)->num_of_children +1);
- (*root)->children[(*root)->num_of_children].guid = *guid;
- (*root)->children[(*root)->num_of_children].remaining_access = init_access;
- *new_node = &((*root)->children[(*root)->num_of_children]);
- (*root)->num_of_children++;
- return true;
+
+ root->children = talloc_realloc(mem_ctx, root->children,
+ struct object_tree,
+ root->num_of_children + 1);
+ if (!root->children) {
+ return false;
+ }
+ new_node = &root->children[root->num_of_children];
+ root->num_of_children++;
}
+
+ new_node->children = NULL;
+ new_node->guid = *guid;
+ new_node->remaining_access = init_access;
+ new_node->num_of_children = 0;
+
+ *new_node_out = new_node;
+ return true;
}
/* search by GUID */
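Review bot: the realloc failure path leaves `root` inconsistent: `root->children = talloc_realloc(...)` followed by `if (!root->children) return false;` overwrites the old children pointer with NULL while `root->num_of_children` still counts the previous entries, so the next `get_object_tree_by_GUID()` or `object_tree_modify_access()` walk over this root dereferences NULL. Assign to a local first (`new_children = talloc_realloc(...); if (!new_children) return false; root->children = new_children;`). Separately, the early `return true;` for a NULL or all-zero GUID never writes `*new_node_out`, so callers must pre-initialise their pointer, as dsdb_access.c does with `root = NULL`.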
@@ -97,11 +97,9 @@ struct object_tree *get_object_tree_by_GUID(struct object_tree *root,
result = root;
return result;
}
- else if (root->num_of_children > 0) {
- for (i = 0; i < root->num_of_children; i++) {
+ for (i = 0; i < root->num_of_children; i++) {
if ((result = get_object_tree_by_GUID(&root->children[i], guid)))
break;
- }
}
return result;
}
@@ -111,11 +109,9 @@ struct object_tree *get_object_tree_by_GUID(struct object_tree *root,
void object_tree_modify_access(struct object_tree *root,
uint32_t access_mask)
{
+ int i;
root->remaining_access &= ~access_mask;
- if (root->num_of_children > 0) {
- int i;
- for (i = 0; i < root->num_of_children; i++) {
- object_tree_modify_access(&root->children[i], access_mask);
- }
+ for (i = 0; i < root->num_of_children; i++) {
+ object_tree_modify_access(&root->children[i], access_mask);
}
}
diff --git a/source4/auth/session.c b/source4/auth/session.c
index de417cc..bb0b5bc 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -102,22 +102,56 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
sids[i] = user_info_dc->sids[i];
}
- if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) {
+ /*
+ * Finally add the "standard" sids.
+ * The only difference between guest and "anonymous"
+ * is the addition of Authenticated_Users.
+ */
+
+ if (session_info_flags & AUTH_SESSION_INFO_DEFAULT_GROUPS) {
+ sids = talloc_realloc(tmp_ctx, sids, struct dom_sid, num_sids + 2);
+ NT_STATUS_HAVE_NO_MEMORY(sids);
+
+ if (!dom_sid_parse(SID_WORLD, &sids[num_sids])) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ num_sids++;
+
+ if (!dom_sid_parse(SID_NT_NETWORK, &sids[num_sids])) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ num_sids++;
+ }
+
+ if (session_info_flags & AUTH_SESSION_INFO_AUTHENTICATED) {
+ sids = talloc_realloc(tmp_ctx, sids, struct dom_sid, num_sids + 1);
+ NT_STATUS_HAVE_NO_MEMORY(sids);
+
+ if (!dom_sid_parse(SID_NT_AUTHENTICATED_USERS, &sids[num_sids])) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ num_sids++;
+ }
+
+
+
+ if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &sids[PRIMARY_USER_SID_INDEX])) {
/* Don't expand nested groups of system, anonymous etc*/
- } else if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) {
+ } else if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &sids[PRIMARY_USER_SID_INDEX])) {
/* Don't expand nested groups of system, anonymous etc*/
} else if (sam_ctx) {
filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
GROUP_TYPE_BUILTIN_LOCAL_GROUP);
/* Search for each group in the token */
- for (i = 0; i < user_info_dc->num_sids; i++) {
+ for (i = 0; i < num_sids; i++) {
char *sid_string;
const char *sid_dn;
DATA_BLOB sid_blob;
-
+ int ret;
+
sid_string = dom_sid_string(tmp_ctx,
- &user_info_dc->sids[i]);
+ &sids[i]);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_string, user_info_dc);
sid_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", sid_string);
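Review bot: the relocated comment still says "Finally add the "standard" sids", but after this change the block runs before the nested-group expansion, which is the whole point of the reordering; reword it to say the standard SIDs are added first so that their builtin group memberships are expanded below. Also, the three empty `+` lines before the `num_sids > PRIMARY_USER_SID_INDEX` check are stray, and the two new `NT_STATUS_HAVE_NO_MEMORY(sids)` exits return without freeing `tmp_ctx`, whereas the existing error exit a few lines down uses the `_AND_FREE` variant; worth confirming that a bare return does not leak `tmp_ctx`.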
diff --git a/source4/dsdb/common/dsdb_access.c b/source4/dsdb/common/dsdb_access.c
index fd75e77..6af5c3a 100644
--- a/source4/dsdb/common/dsdb_access.c
+++ b/source4/dsdb/common/dsdb_access.c
@@ -93,7 +93,6 @@ int dsdb_check_access_on_dn_internal(struct ldb_context *ldb,
struct security_descriptor *sd = NULL;
struct dom_sid *sid = NULL;
struct object_tree *root = NULL;
- struct object_tree *new_node = NULL;
NTSTATUS status;
uint32_t access_granted;
int ret;
@@ -108,8 +107,8 @@ int dsdb_check_access_on_dn_internal(struct ldb_context *ldb,
}
sid = samdb_result_dom_sid(mem_ctx, acl_res->msgs[0], "objectSid");
if (guid) {
- if (!insert_in_object_tree(mem_ctx, guid, access_mask, &root,
- &new_node)) {
+ if (!insert_in_object_tree(mem_ctx, guid, access_mask, NULL,
+ &root)) {
return ldb_operr(ldb);
}
}
diff --git a/source4/dsdb/common/util_groups.c b/source4/dsdb/common/util_groups.c
index b5aecba..6a96ce8 100644
--- a/source4/dsdb/common/util_groups.c
+++ b/source4/dsdb/common/util_groups.c
@@ -126,6 +126,31 @@ NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
filter);
}
+ /*
+ * We have the problem with the caller creating a <SID=S-....>
+ * DN for ForeignSecurityPrincipals as they also have
+ * duplicate objects with the SAME SID under CN=Configuration.
+ * This causes a SID= DN to fail with NO_SUCH_OBJECT on Samba
+ * and on Windows. So, we allow this to fail, and
+ * double-check if we can find it with a search in the main
+ * domain partition.
+ */
+ if (ret == LDB_ERR_NO_SUCH_OBJECT && only_childs) {
+ char *sid_string = dom_sid_string(tmp_ctx,
+ &sid);
+ if (!sid_string) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_OK;
+ }
+
+ ret = dsdb_search(sam_ctx, tmp_ctx, &res,
+ ldb_get_default_basedn(sam_ctx),
+ LDB_SCOPE_SUBTREE,
+ attrs, DSDB_SEARCH_SHOW_EXTENDED_DN,
+ "(&(objectClass=foreignSecurityPrincipal)(objectSID=%s))",
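Review bot: the out-of-memory branch reports the wrong status: `if (!sid_string) { talloc_free(tmp_ctx); return NT_STATUS_OK; }` returns success when `dom_sid_string()` fails, so the caller would continue with a token that silently lacks this group's memberships; it should return NT_STATUS_NO_MEMORY, which is what the NT_STATUS_HAVE_NO_MEMORY macros used elsewhere in this push return. The hunk is cut off before the result of the fallback `dsdb_search()` is handled, so the retry path itself cannot be reviewed from this message.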
--
Samba Shared Repository