[PATCH] Re: ACLs on Attributes that do not have attributeSecurityGUID

Andrew Bartlett abartlet at samba.org
Wed Jan 2 01:44:18 MST 2013


On Mon, 2012-12-31 at 08:07 +1100, Andrew Bartlett wrote:
> On Sun, 2012-12-30 at 16:56 +0200, Nadezhda Ivanova wrote:
> > Hi Andrew,
> >  As far as I remember, the attributesecurityguid contains the property
> > set to which the attribute belongs, and some permissions are given per
> > property set rather than an attribute. We build an object tree with
> > the object as root, property sets as children and attributes as their
> > children and apply all permissions, so that when we get to the bottom
> > of the tree we have the final permissions mask for that attribute. (I
> > really have to think of a way to optimize this code, I do not
> > particularly like it.) If there isn't an attributesecurityguid, we add
> > the attribute directly under the ObjectId. I took a look at the code,
> > and do not see an obvious bug (acl_check_access_on_attribute
> > in acl_util.c) which does not mean there isn't one. Do you have a
> > particular example or even better, a test that fails? That will really
> > help with debugging. 
> 
> So, the issue I see is that I can't see where the overriding or fallback
> 'read all attributes' is processed. 

Nadya,

Thanks for the hints offline, I have worked up this set of patches based
on your suggestions.  We now pass in the structural objectClass schemaID
GUID into the object tree to evaluate the ACL against. 

I'm maintaining this (and my summer collection of un-reviewed patches)
in my acl-read-fixes branch.

So far I've found that the fix for getting 'pre-windows 2000 compatible
access' as a group in the token seems to break our write ACL tests,
which isn't a great start, but I'm sure I'll work it out.

Thanks for all your help on this, and for any more help you can provide
in sorting this complex area out.  I'm incredibly grateful for the
impressive groundwork you have prepared here, and I'm quite confident we
can get the rest sorted. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
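The property-set tree Nadya describes above, with the structural objectClass schemaIDGUID as its root as in the attached patches, as an added model for illustration. This is not Samba's code: the GUIDs, schema entries and ACEs are constructed stand-ins, and the first-ACE-to-decide-a-bit rule is a simplification of the real DACL walk.

```python
"""Added illustration, not Samba code: a small model of the per-attribute
object-tree ACL evaluation described in the thread. GUIDs are stand-in
strings; the schema and ACEs are constructed for the example."""

SEC_ADS_READ_PROP = 0x10   # RIGHT_DS_READ_PROPERTY bit of a DS access mask
SEC_ADS_WRITE_PROP = 0x20  # RIGHT_DS_WRITE_PROPERTY

def build_tree(structural_oc_guid, schema):
    """Map each attribute GUID to its ancestors, root first. The root is
    the structural objectClass schemaIDGUID; an attribute sits under its
    property set (attributeSecurityGUID) or, when it has none, directly
    under the root (no all-zero placeholder set is inserted)."""
    tree = {}
    for attr_guid, set_guid in schema.values():
        tree[attr_guid] = [structural_oc_guid] + ([set_guid] if set_guid else [])
    return tree

def attribute_masks(tree, aces):
    """Walk the ACEs in DACL order once per attribute. An ACE applies when
    it has no object type (whole object) or its object type names the
    root, the attribute's property set, or the attribute itself. The
    first ACE to decide a bit wins, so a deny listed first sticks."""
    result = {}
    for attr_guid, ancestors in tree.items():
        applicable = {None, attr_guid, *ancestors}
        allowed = denied = 0
        for kind, mask, obj_type in aces:
            if obj_type not in applicable:
                continue
            undecided = mask & ~(allowed | denied)
            if kind == "allow":
                allowed |= undecided
            else:
                denied |= undecided
        result[attr_guid] = allowed
    return result

# Constructed schema: name -> (attribute GUID, attributeSecurityGUID or None).
SCHEMA = {
    "telephoneNumber": ("attr-telephone", "pset-personal-info"),
    "homePhone":       ("attr-homePhone", "pset-personal-info"),
    "description":     ("attr-description", None),
}
USER_OC = "oc-user"  # stand-in for the structural class's schemaIDGUID

def demo():
    aces = [  # (kind, mask, object type GUID or None), in DACL order
        ("deny",  SEC_ADS_READ_PROP, "attr-homePhone"),
        ("allow", SEC_ADS_READ_PROP, "pset-personal-info"),
        ("allow", SEC_ADS_READ_PROP | SEC_ADS_WRITE_PROP, USER_OC),
    ]
    return attribute_masks(build_tree(USER_OC, SCHEMA), aces)
```

The ACE on the structural class GUID is the one that reaches `description`, which has no property set; with a wrong or zero root GUID that attribute would get no rights at all.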

Attachments (text/x-patch, scrubbed by the list archive):

0001-dsdb-acl-Add-helper-function-get_structural_oc_from_.patch (1158 bytes)
  <http://lists.samba.org/pipermail/samba-technical/attachments/20130102/1e4e8250/attachment.bin>
0002-dsdb-acl-Use-get_structural_oc_from_message-in-acl_m.patch (1753 bytes)
  <http://lists.samba.org/pipermail/samba-technical/attachments/20130102/1e4e8250/attachment-0001.bin>
0003-dsdb-acl-Use-get_structural_oc_from_message-in-acl_r.patch (2847 bytes)
  <http://lists.samba.org/pipermail/samba-technical/attachments/20130102/1e4e8250/attachment-0002.bin>
0004-dsdb-acl-Remove-unused-get_oc_guid_from_message.patch (1178 bytes)
  <http://lists.samba.org/pipermail/samba-technical/attachments/20130102/1e4e8250/attachment-0003.bin>
0005-dsdb-acl-use-get_structural_oc_from_message-rather-t.patch (2324 bytes)
  <http://lists.samba.org/pipermail/samba-technical/attachments/20130102/1e4e8250/attachment-0004.bin>
0006-acl-Pass-the-structural-objectClass-into-acl_check_a.patch (9436 bytes)
  <http://lists.samba.org/pipermail/samba-technical/attachments/20130102/1e4e8250/attachment-0005.bin>
0007-acl-Use-the-structural-objectClass-in-acl_check_acce.patch (1971 bytes)
  <http://lists.samba.org/pipermail/samba-technical/attachments/20130102/1e4e8250/attachment-0006.bin>
0008-dsdb-acl-Do-not-add-an-all-zero-missing-attributeSec.patch (1613 bytes)
  <http://lists.samba.org/pipermail/samba-technical/attachments/20130102/1e4e8250/attachment-0007.bin>
0009-dsdb-Explain-ordering-constraints-on-the-ACL-module-.patch (1220 bytes)
  <http://lists.samba.org/pipermail/samba-technical/attachments/20130102/1e4e8250/attachment-0008.bin>
0010-dsdb-Ensure-authenticated-users-is-processed-for-gro.patch (6128 bytes)
  <http://lists.samba.org/pipermail/samba-technical/attachments/20130102/1e4e8250/attachment-0009.bin>