Need a change to the ACL code

Andrew Bartlett abartlet at samba.org
Tue Mar 2 15:17:52 MST 2010 

On Wed, 2010-03-03 at 00:08 +0200, Nadezhda Ivanova wrote:
> Hi Andrew,
> Currently, during a rename operation the acl module checks for
> permission to modify "name" attribute, and in case the rename is
> actually moving the object, permissions to delete the object and
> re-create it under the new parent - these were the access checks
> mentioned in the documentation. We do not check for permissions on the
> rdn, as according to docs its not required. This case is working, at
> least with user objects, we have the python tests to prove it.
> I will add some test for renaming an OU, maybe we have a bug there.
> If we do not have permission to modify another attribute, this will be
> handled again by the acl module, on a modify operation.
> This is done by the acl_modify and acl_rename functions in acl.c.
> The rdn module - as I read the code - forbids modify operation on the
> rdn. On a rename, it creates a new rename request, which should fail
> if we do not have permissions to modify name or move. If it succeeds,
> the callback modifies the rdn and the name attribute, which should
> fail again if we do not have permission to modify those. So if we move
> the rdn module below the acl, we will indeed not have an access check
> when modifying rdn any more, and we may get insufficient access rights
> error instead of  LDB_ERR_NOT_ALLOWED_ON_RDN on modify. 
> 
> So - and I hopefully got it this time :) - we may need to add a check
> for permission to modify the rdn in the acl_rename? I say may, because
> this is not documented, and I want to make a test against windows to
> assure we need to do it.

Also on acl_add, but yes, this is what I mean.  Tests certainly
required. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100303/b2338029/attachment.pgp>

More information about the samba-technical mailing list