Need a change to the ACL code

Nadezhda Ivanova nivanova at samba.org
Sun Mar 7 17:09:49 MST 2010


Hi Andrew,
I still do not see this as a use case, because during object creation, no
per-attribute access checks are performed; all we care about is whether we
can add the new object or not, which is specified in the descriptor of the
parent. Per-attribute access is only checked on modify and search
operations. It does not make any sense to check on add, as we actually do
not have the new object's security descriptor. I will, however, make some
tests tomorrow to see what happens if a user is forbidden by an inheritable
ACE to modify an attribute, and then create an object that has this
attribute. It may be a case I have missed.

Regards,
Nadya

On Mon, Mar 8, 2010 at 1:10 AM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Mon, 2010-03-08 at 00:16 +0200, Nadezhda Ivanova wrote:
> > Sorry, still don't understand... an add fails an access check if the
> > user does not have permission to create children under the new
> > object's parent; we do not check any attributes. Perhaps I need an
> > example on when such access check would fail...
>
> Presume you don't have the right to add an attribute 'attr2' to an
> object.
>
> Then, you create:
>
> dn: attr2=foo,dc=bla,dc=com
> objectclass: weird
> objectclass: object
> cn: bar
>
> Then, the rdn_name module translates this to:
>
> dn: attr2=foo,dc=bla,dc=com
> objectclass: weird
> objectclass: object
> cn: bar
> attr2: foo
>
> The ACL code needs to treat attr2 as if it was in the list of attributes
> (not just a DN part), because it will soon be.
>
> Thank you for your patience on this,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Cisco Inc.
>
>
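The sequence Andrew describes, written out as an added Python example (an illustration for this thread, not Samba's ldb or acl module code): the rdn_name step folds the RDN of the new DN into the attribute list, and a per-attribute check is run once over the attributes exactly as the client sent them and once over the object as it will actually be stored. The write_denied set is a hypothetical stand-in for what a security descriptor would say; it is not how Samba represents ACEs.

```python
# Added illustration for the thread above; this is not Samba's ldb/acl code.
# It shows why the RDN attribute must be treated as an ordinary attribute of a
# new object: the rdn_name step copies the RDN (attr2=foo) into the message,
# so a per-attribute check that looks only at the attributes the client sent
# never sees attr2, while one run over the stored form of the object does.

from typing import Any, Dict, List, Tuple

Message = Dict[str, Any]  # {"dn": str, "attrs": {name: [values]}}


def parse_rdn(dn: str) -> Tuple[str, str]:
    """Return (attribute, value) of the leftmost RDN of a DN.

    Only single-valued RDNs without escaped commas are handled, which is all
    the example in the mail needs; anything else is rejected rather than
    silently misparsed.
    """
    first = dn.split(",", 1)[0]
    attr, sep, value = first.partition("=")
    if not sep or not attr.strip() or not value.strip() or "+" in first:
        raise ValueError(f"unsupported or malformed RDN in DN: {dn!r}")
    return attr.strip().lower(), value.strip()


def apply_rdn_name(msg: Message) -> Message:
    """Mimic what the mail says rdn_name does: make sure the RDN attribute
    and value are present in the object's attribute list.

    Attribute names are compared case-insensitively and the call is
    idempotent, so running it twice does not duplicate the value.
    """
    attr, value = parse_rdn(msg["dn"])
    attrs: Dict[str, List[str]] = {
        k.lower(): list(v) for k, v in msg["attrs"].items()
    }
    values = attrs.setdefault(attr, [])
    if value not in values:
        values.append(value)
    return {"dn": msg["dn"], "attrs": attrs}


def denied_attributes(msg: Message, write_denied) -> List[str]:
    """Attributes in msg that the caller may not write.

    write_denied is a hypothetical set of attribute names standing in for
    whatever the real security descriptor would say.
    """
    denied = {d.lower() for d in write_denied}
    return sorted(a for a in msg["attrs"] if a.lower() in denied)


def check_add_as_sent(msg: Message, write_denied) -> List[str]:
    """Per-attribute check over the attributes exactly as the client sent
    them: attr2 is only a DN component here and is missed."""
    return denied_attributes(msg, write_denied)


def check_add_rdn_aware(msg: Message, write_denied) -> List[str]:
    """Per-attribute check over the object as it will actually be stored,
    i.e. after the RDN has been folded into the attribute list."""
    return denied_attributes(apply_rdn_name(msg), write_denied)


# Constructed sample matching the LDIF in Andrew's mail.
EXAMPLE: Message = {
    "dn": "attr2=foo,dc=bla,dc=com",
    "attrs": {
        "objectclass": ["weird", "object"],
        "cn": ["bar"],
    },
}

# Hypothetical: the caller is not allowed to write attr2.
WRITE_DENIED = {"attr2"}

if __name__ == "__main__":
    print("as sent   :", check_add_as_sent(EXAMPLE, WRITE_DENIED))    # []
    print("rdn-aware :", check_add_rdn_aware(EXAMPLE, WRITE_DENIED))  # ['attr2']
```

The two check functions differ only in whether they look at the message before or after the RDN is merged in; that ordering is the whole point of the thread, since the object that ends up in the database carries attr2 as a normal attribute whatever the client put in the attribute list.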