The branch, master has been updated via 1352a94 s4:objectclass LDB module - LSA objects - allow them if the SYSTEM control is specified via 8c01d6a s4:objectclass LDB module - move one checks into the "objectclass derivation loop" via 0a6834e s4:objectclass LDB module - some more or less cosmetic return value macro changes from dab4e00 s4-tests: Modified sec_descriptor to use samdb.newgroup instead of locally defined method.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 1352a9406f3e3067a8e751ac157eab67796bc0c6 Author: Matthias Dieter Wallnöfer <m...@samba.org> Date: Tue Nov 23 15:15:09 2010 +0100 s4:objectclass LDB module - LSA objects - allow them if the SYSTEM control is specified This fits better than the RELAX one. Autobuild-User: Matthias Dieter Wallnöfer <m...@samba.org> Autobuild-Date: Wed Nov 24 18:23:01 CET 2010 on sn-devel-104 commit 8c01d6a837718344b52aa117820d0dba7655f295 Author: Matthias Dieter Wallnöfer <m...@samba.org> Date: Tue Nov 23 15:07:49 2010 +0100 s4:objectclass LDB module - move one checks into the "objectclass derivation loop" This denies objects created from possible derivated classes from the prohibited ones. Also small cosmetic improvements for another check. commit 0a6834e6305c99b74662c4bea97e2291d8b42cb3 Author: Matthias Dieter Wallnöfer <m...@samba.org> Date: Wed Nov 24 17:02:35 2010 +0100 s4:objectclass LDB module - some more or less cosmetic return value macro changes Sometimes "ldb_module_oom" fits better than "ldb_operr" or "ldb_oom". ----------------------------------------------------------------------- Summary of changes: source4/dsdb/samdb/ldb_modules/objectclass.c | 72 ++++++++++++++++---------- source4/rpc_server/lsa/dcesrv_lsa.c | 4 +- 2 files changed, 47 insertions(+), 29 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c index 7dc3ae2..d69c3f4 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass.c 
@@ -319,14 +319,18 @@ static int fix_dn(struct ldb_context *ldb,
 char *upper_rdn_attr;
 const struct ldb_val *rdn_val;
- /* Fix up the DN to be in the standard form, taking particular care to match the parent DN */
+ /* Fix up the DN to be in the standard form, taking particular care to
+ * match the parent DN */
 *fixed_dn = ldb_dn_copy(mem_ctx, parent_dn);
+ if (*fixed_dn == NULL) {
+ return ldb_oom(ldb);
+ }
 /* We need the attribute name in upper case */
 upper_rdn_attr = strupper_talloc(*fixed_dn, ldb_dn_get_rdn_name(newdn));
- if (!upper_rdn_attr) {
- return ldb_operr(ldb);
+ if (upper_rdn_attr == NULL) {
+ return ldb_oom(ldb);
 }
 /* Create a new child */
@@ -397,7 +401,7 @@ static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
 value = talloc_asprintf(req, "ldap://%s/%s", val->data, ldb_dn_get_linearized(req->op.add.message->dn));
 if (value == NULL) {
- return ldb_oom(ldb);
+ return ldb_module_oom(module);
 }
 return ldb_module_send_referral(req, value);
@@ -417,7 +421,7 @@ static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
 /* get copy of parent DN */
 parent_dn = ldb_dn_get_parent(ac, ac->req->op.add.message->dn);
 if (parent_dn == NULL) {
- return ldb_oom(ldb);
+ return ldb_operr(ldb);
 }
 ret = ldb_build_search_req(&search_req, ldb,
@@ -459,10 +463,12 @@ static bool check_rodc_ntdsdsa_add(struct oc_context *ac,
 static int objectclass_do_add(struct oc_context *ac)
 {
- struct ldb_context *ldb;
+ struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
 struct ldb_request *add_req;
 struct ldb_message_element *objectclass_element, *el;
 struct ldb_message *msg;
+ struct ldb_control *as_system = ldb_request_get_control(ac->req,
+ LDB_CONTROL_AS_SYSTEM_OID);
 TALLOC_CTX *mem_ctx;
 struct class_list *sorted, *current;
 const char *rdn_name = NULL;
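Review bot: The `ldb_dn_get_parent` NULL branch in objectclass_add (hunk at +421) now returns `ldb_operr(ldb)`, which sets only the generic "operations error" string, yet as far as I recall that helper returns NULL both on allocation failure and when the DN has no parent component at all. An add issued directly under the root would therefore fail with no usable diagnostic; suggest setting the reason first, `ldb_asprintf_errstring(ldb, "objectclass: cannot determine the parent of '%s'", ldb_dn_get_linearized(ac->req->op.add.message->dn)); return LDB_ERR_OPERATIONS_ERROR;`. The enclosing function continues outside the hunk.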
@@ -474,9 +480,14 @@ static int objectclass_do_add(struct oc_context *ac)
 bool found;
 int ret;
- ldb = ldb_module_get_ctx(ac->module);
+ if (as_system != NULL) {
+ as_system->critical = 0;
+ }
 msg = ldb_msg_copy_shallow(ac, ac->req->op.add.message);
+ if (msg == NULL) {
+ return ldb_module_oom(ac->module);
+ }
 /* Check if we have a valid parent - this check is needed since
 * we don't get a LDB_ERR_NO_SUCH_OBJECT error. */
@@ -511,7 +522,7 @@ static int objectclass_do_add(struct oc_context *ac)
 mem_ctx = talloc_new(ac);
 if (mem_ctx == NULL) {
- return ldb_oom(ldb);
+ return ldb_module_oom(ac->module);
 }
 if (ac->schema != NULL) {
@@ -560,10 +571,22 @@ static int objectclass_do_add(struct oc_context *ac)
 /* Move from the linked list back into an ldb msg */
 for (current = sorted; current; current = current->next) {
- value = talloc_strdup(msg, current->objectclass->lDAPDisplayName);
+ value = talloc_strdup(msg,
+ current->objectclass->lDAPDisplayName);
 if (value == NULL) {
 talloc_free(mem_ctx);
- return ldb_oom(ldb);
+ return ldb_module_oom(ac->module);
+ }
+
+ /* LSA-specific objectclasses per default not allowed */
+ if (((strcmp(value, "secret") == 0) ||
+ (strcmp(value, "trustedDomain") == 0)) &&
+ !(dsdb_module_am_system(ac->module) || as_system)) {
+ ldb_asprintf_errstring(ldb,
+ "objectclass: object class '%s' is LSA-specific, rejecting creation of '%s'!",
+ value,
+ ldb_dn_get_linearized(msg->dn));
+ return LDB_ERR_UNWILLING_TO_PERFORM;
 }
 ret = ldb_msg_add_string(msg, "objectClass", value);
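Review bot: `as_system->critical = 0;` (hunk at +480) rewrites a control on the caller's request object with no comment saying why; the intent appears to be that this module consumes the AS_SYSTEM control, so later modules must not reject the request for an unhandled critical control. Suggest stating that in place: `/* we act on AS_SYSTEM here; clear 'critical' so modules below us do not fail the request for an unhandled critical control */`. Since the flag is cleared on the original request rather than a copy, the change is visible to every module that runs afterwards, which is worth knowing when reading this. objectclass_do_add continues outside the hunk.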
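Review bot: The new LSA-specific rejection in the sorted-class loop (hunk at +571) returns `LDB_ERR_UNWILLING_TO_PERFORM` without the `talloc_free(mem_ctx);` that the allocation-failure exit immediately above performs; mem_ctx is a child of `ac` so nothing is lost permanently, but the two error exits of the same loop should look alike, so add `talloc_free(mem_ctx);` before that return. The bypass `!(dsdb_module_am_system(ac->module) || as_system)` accepts any LDB_CONTROL_AS_SYSTEM_OID present on the request, so the protection holds only as long as the LDAP front-end never forwards that control from a remote client; that assumption deserves a line in the comment, e.g. `/* only internal callers, or requests carrying the AS_SYSTEM control (which must never be accepted from an LDAP client), may create these */`. The enclosing function continues outside the hunk.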
@@ -617,16 +640,10 @@ static int objectclass_do_add(struct oc_context *ac)
 if (objectclass->systemOnly && !ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) && !check_rodc_ntdsdsa_add(ac, objectclass)) {
- ldb_asprintf_errstring(ldb, "objectClass %s is systemOnly, rejecting creation of %s",
- objectclass->lDAPDisplayName, ldb_dn_get_linearized(msg->dn));
- return LDB_ERR_UNWILLING_TO_PERFORM;
- }
-
- if (((strcmp(objectclass->lDAPDisplayName, "secret") == 0) ||
- (strcmp(objectclass->lDAPDisplayName, "trustedDomain") == 0)) &&
- !ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) {
- ldb_asprintf_errstring(ldb, "objectClass %s is LSA-specific, rejecting creation of %s",
- objectclass->lDAPDisplayName, ldb_dn_get_linearized(msg->dn));
+ ldb_asprintf_errstring(ldb,
+ "objectclass: object class '%s' is system-only, rejecting creation of '%s'!",
+ objectclass->lDAPDisplayName,
+ ldb_dn_get_linearized(msg->dn));
 return LDB_ERR_UNWILLING_TO_PERFORM;
 }
@@ -676,7 +693,7 @@ static int objectclass_do_add(struct oc_context *ac)
 objectclass->defaultObjectCategory);
 }
 if (value == NULL) {
- return ldb_oom(ldb);
+ return ldb_module_oom(ac->module);
 }
 ret = ldb_msg_add_string(msg, "objectCategory", value);
@@ -829,7 +846,7 @@ static int objectclass_modify(struct ldb_module *module, struct ldb_request *req
 msg = ldb_msg_copy_shallow(ac, req->op.mod.message);
 if (msg == NULL) {
- return ldb_operr(ldb);
+ return ldb_module_oom(ac->module);
 }
 /* For now change everything except the objectclasses */
@@ -965,14 +982,14 @@ static int objectclass_do_mod(struct oc_context *ac)
 /* use a new message structure */
 msg = ldb_msg_new(ac);
 if (msg == NULL) {
- return ldb_oom(ldb);
+ return ldb_module_oom(ac->module);
 }
 msg->dn = ac->req->op.mod.message->dn;
 mem_ctx = talloc_new(ac);
 if (mem_ctx == NULL) {
- return ldb_oom(ldb);
+ return ldb_module_oom(ac->module);
 }
 /* We've to walk over all "objectClass" message elements */
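Review bot: After the hunk at +640 two adjacent admission checks on the same class list are gated by different overrides — the systemOnly test here still keys on `LDB_CONTROL_RELAX_OID`, while the LSA-specific test that moved into the loop above keys on `dsdb_module_am_system` / `LDB_CONTROL_AS_SYSTEM_OID` — and nothing in the code records that the split is deliberate; the commit message only says AS_SYSTEM "fits better". Suggest a comment on this `if`, e.g. `/* systemOnly classes may still be created under the RELAX control; the LSA-specific classes checked in the loop above require AS_SYSTEM instead */`, so the next reader does not "harmonise" the two. The enclosing function continues outside the hunk.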
@@ -1006,7 +1023,7 @@ static int objectclass_do_mod(struct oc_context *ac)
 oc_el_entry->num_values + 1);
 if (vals == NULL) {
 talloc_free(mem_ctx);
- return ldb_oom(ldb);
+ return ldb_module_oom(ac->module);
 }
 oc_el_entry->values = vals;
 oc_el_entry->values[oc_el_entry->num_values] =
@@ -1053,6 +1070,7 @@ static int objectclass_do_mod(struct oc_context *ac)
 objectclass = get_last_structural_class(ac->schema, oc_el_entry);
 if (objectclass == NULL) {
+ /* no structural objectclass? */
 talloc_free(mem_ctx);
 return ldb_operr(ldb);
 }
@@ -1124,7 +1142,7 @@ static int objectclass_do_mod(struct oc_context *ac)
 LDB_FLAG_MOD_REPLACE, &oc_el_change);
 if (ret != LDB_SUCCESS) {
 talloc_free(mem_ctx);
- return ldb_oom(ldb);
+ return ret;
 }
 /* Move from the linked list back into an ldb msg */
@@ -1133,7 +1151,7 @@ static int objectclass_do_mod(struct oc_context *ac)
 current->objectclass->lDAPDisplayName);
 if (value == NULL) {
 talloc_free(mem_ctx);
- return ldb_module_oom(ac->module);
 }
 ret = ldb_msg_add_string(msg, "objectClass", value);
 if (ret != LDB_SUCCESS) {
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 4014ae0..1b55824 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -1056,7 +1056,7 @@ static NTSTATUS dcesrv_lsa_CreateTrustedDomain_base(struct dcesrv_call_state *dc
 trusted_domain_state->trusted_domain_dn = talloc_reference(trusted_domain_state, msg->dn);
 /* create the trusted_domain */
- ret = dsdb_add(sam_ldb, msg, DSDB_MODIFY_RELAX);
+ ret = dsdb_add(sam_ldb, msg, DSDB_FLAG_AS_SYSTEM);
 switch (ret) {
 case LDB_SUCCESS:
 break;
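Review bot: The comment added in the hunk at +1070, `/* no structural objectclass? */`, reads as an open question, and the branch still returns the generic `ldb_operr(ldb)`, so a modify that ends up with no structural class the schema can resolve produces no useful diagnostic. Suggest `/* every object must keep at least one structural objectclass known to the schema */` together with an explicit reason before returning, `ldb_asprintf_errstring(ldb, "objectclass: no structural object class found on '%s'!", ldb_dn_get_linearized(msg->dn));` — keep the return value as is if callers depend on the operations-error code, which is not visible from here. objectclass_do_mod continues outside the hunk.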
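Review bot: Replacing `DSDB_MODIFY_RELAX` with `DSDB_FLAG_AS_SYSTEM` in dcesrv_lsa_CreateTrustedDomain_base drops RELAX altogether, not only for the LSA-specific check: the objectclass module's systemOnly test (objectclass.c hunk at +640) still keys on the RELAX control, so if `trustedDomain` — or `secret`, for the identical change in dcesrv_lsa_CreateSecret at line 2949 — is flagged systemOnly in the schema, these adds would now fail with UNWILLING_TO_PERFORM; worth confirming against the schema, or passing `DSDB_MODIFY_RELAX | DSDB_FLAG_AS_SYSTEM` if RELAX is still required. With AS_SYSTEM this call also becomes the point where the module-level guard on LSA classes is bypassed on behalf of a remote RPC caller, so the authorization for that must already have happened earlier in this handler, which is outside the hunk; a one-line comment would make that dependency explicit, e.g. `/* AS_SYSTEM bypasses the objectclass module's LSA-class check; the caller's right to do this was verified at the RPC layer above */`. The enclosing functions start and end outside these hunks.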
@@ -2949,7 +2949,7 @@ static NTSTATUS dcesrv_lsa_CreateSecret(struct dcesrv_call_state *dce_call, TALL
 secret_state->secret_dn = talloc_reference(secret_state, msg->dn);
 /* create the secret */
- ret = dsdb_add(secret_state->sam_ldb, msg, DSDB_MODIFY_RELAX);
+ ret = dsdb_add(secret_state->sam_ldb, msg, DSDB_FLAG_AS_SYSTEM);
 if (ret != LDB_SUCCESS) {
 DEBUG(0,("Failed to create secret record %s: %s\n",
 ldb_dn_get_linearized(msg->dn),
-- Samba Shared Repository