Need a change to the ACL code

Nadezhda Ivanova nivanova at samba.org
Sun Mar 7 12:54:42 MST 2010


Hi Andrew,
Attached is the check for access on RDN + test, so far only on rename. I
looked the the rdn module code and just could not see what needs to be added
on add - I do not see the rdn doing any additional adds, and if the user has
no permissions to add an object, the acl module will handle it before it
gets to the rdn. I could of course be wrong. Let me know if there's anything
else I can help you with.

Regards,
Nadya

On Wed, Mar 3, 2010 at 12:17 AM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Wed, 2010-03-03 at 00:08 +0200, Nadezhda Ivanova wrote:
> > Hi Andrew,
> > Currently, during a rename operation the acl module checks for
> > permission to modify "name" attribute, and in case the rename is
> > actually moving the object, permissions to delete the object and
> > re-create it under the new parent - these were the access checks
> > mentioned in the documentation. We do not check for permissions on the
> > rdn, as according to docs its not required. This case is working, at
> > least with user objects, we have the python tests to prove it.
> > I will add some test for renaming an OU, maybe we have a bug there.
> > If we do not have permission to modify another attribute, this will be
> > handled again by the acl module, on a modify operation.
> > This is done by the acl_modify and acl_rename functions in acl.c.
> > The rdn module - as I read the code - forbids modify operation on the
> > rdn. On a rename, it creates a new rename request, which should fail
> > if we do not have permissions to modify name or move. If it succeeds,
> > the callback modifies the rdn and the name attribute, which should
> > fail again if we do not have permission to modify those. So if we move
> > the rdn module below the acl, we will indeed not have an access check
> > when modifying rdn any more, and we may get insufficient access rights
> > error instead of  LDB_ERR_NOT_ALLOWED_ON_RDN on modify.
> >
> > So - and I hopefully got it this time :) - we may need to add a check
> > for permission to modify the rdn in the acl_rename? I say may, because
> > this is not documented, and I want to make a test against windows to
> > assure we need to do it.
>
> Also on acl_add, but yes, this is what I mean.  Tests certainly
> required.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/<http://samba.org/%7Eabartlet/>
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Cisco Inc.
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Added-a-check-for-permissions-to-modify-the-RDN-attr.patch
Type: application/octet-stream
Size: 4205 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100307/6f07c357/attachment.obj>


More information about the samba-technical mailing list