s4: problems with DSDB_TRU

Nadezhda Ivanova nivanova at samba.org
Thu Feb 3 02:27:30 MST 2011 

If that is the idea, shouldn't we have something like:
if (dsdb_flags & DSDB_FLAG_TRUSTED || !ldb_req_is_untrusted(parent_req)) {
ldb_req_mark_trusted(req);
}
in the dsdb functions?
Perhaps it's there but I don't see it, checking how trusted the parent
request is.

In any case, we do have internal requests that should be trusted even if the
parent is not, for example - the objectclass module needs to make a search
in the schema partition to check if the object class provided by an add
operation is valid. The user may not have rights to read that, but have the
rights to create a new object with the specified object class.

Regards,
Nadya

On Thu, Feb 3, 2011 at 11:11 AM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Thu, 2011-02-03 at 10:54 +0200, Nadezhda Ivanova wrote:
> > Hi Tridge,
> > It appears that this patch:
> >
> http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=87f31510475c6debd56ff874130f4f5d48bef9a5#patch23
> > made it so all requests - internal and external - are now by default
> > untrusted, unless the DSDB_TRUSTED_FLAG is provided.
>
> The idea with that patch is that a request is only as trusted as it's
> parent.  The problem previously was that all requests where marked as
> trusted, as soon as they were modified by any module.
>
> > I agree that it is best
> > to be paranoid, but the acl_read module counts on the trustedness of the
> > request to decide whether to apply access checks. Before it was only the
> > ldap server that marked the requests untrusted so we knew to only check
> and
> > filter out external requests based on this flag. Something like this:
> >
> http://gitweb.samba.org/?p=nivanova/samba.git;a=commit;h=ba06cdb413de29fe3e33ef9891dcf61c25cfbbbe
>
> That looks wrong.  We should only add that flag when we carefully
> control the input parameters (such as reading internal records where the
> client can't influence things).
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/<http://samba.org/%7Eabartlet/>
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Cisco Inc.
>
>

More information about the samba-technical mailing list