s4: problems with DSDB_TRU
Nadezhda Ivanova
nivanova at samba.org
Thu Feb 3 02:27:30 MST 2011
If that is the idea, shouldn't we have something like:
if (dsdb_flags & DSDB_FLAG_TRUSTED || !ldb_req_is_untrusted(parent_req)) {
ldb_req_mark_trusted(req);
}
in the dsdb functions?
Perhaps it's there but I don't see it, checking how trusted the parent
request is.
In any case, we do have internal requests that should be trusted even if the
parent is not, for example - the objectclass module needs to make a search
in the schema partition to check if the object class provided by an add
operation is valid. The user may not have rights to read that, but have the
rights to create a new object with the specified object class.
Regards,
Nadya
On Thu, Feb 3, 2011 at 11:11 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Thu, 2011-02-03 at 10:54 +0200, Nadezhda Ivanova wrote:
> > Hi Tridge,
> > It appears that this patch:
> >
> http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=87f31510475c6debd56ff874130f4f5d48bef9a5#patch23
> > made it so all requests - internal and external - are now by default
> > untrusted, unless the DSDB_TRUSTED_FLAG is provided.
>
> The idea with that patch is that a request is only as trusted as it's
> parent. The problem previously was that all requests where marked as
> trusted, as soon as they were modified by any module.
>
> > I agree that it is best
> > to be paranoid, but the acl_read module counts on the trustedness of the
> > request to decide whether to apply access checks. Before it was only the
> > ldap server that marked the requests untrusted so we knew to only check
> and
> > filter out external requests based on this flag. Something like this:
> >
> http://gitweb.samba.org/?p=nivanova/samba.git;a=commit;h=ba06cdb413de29fe3e33ef9891dcf61c25cfbbbe
>
> That looks wrong. We should only add that flag when we carefully
> control the input parameters (such as reading internal records where the
> client can't influence things).
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/<http://samba.org/%7Eabartlet/>
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Cisco Inc.
>
>
More information about the samba-technical
mailing list