The branch, master has been updated via 6a10255 dsdb-acl: calculate sDRightsEffective based on "nTSecurityDescriptor" via ccf577d dsdb-acl: add helper variable 'ldb' in acl_sDRightsEffective via 629ce2a libcli/security: don't look at the inherited type in get_ace_object_type() via 7046060 dsdb-acl: fix the order of special and system checks via a0c59b4 dsdb-acl: Do not apply ACL on special DNs to hide attributes that the user shouldn't see via 961a1fb dsdb-acl: talloc_free the private context when we pass to the next module via 947985b dsdb-acl: don't call dsdb_user_password_support() if we don't use the result from 8e63a72 smb2_ioctl: copychunk request max output validation
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 6a1025551eb5b343ec996ae0c642d542162e8910 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Jan 8 15:55:36 2013 +0100 dsdb-acl: calculate sDRightsEffective based on "nTSecurityDescriptor" acl_check_access_on_attribute should never be called with attr=NULL because we don't check access on an attribute in that case Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Matthieu Patou <m...@matws.net> Autobuild-User(master): Matthieu Patou <m...@samba.org> Autobuild-Date(master): Thu Jan 17 11:21:10 CET 2013 on sn-devel-104 commit ccf577da14194f5f3377226bcdb7e69b62a94851 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Jan 8 15:54:47 2013 +0100 dsdb-acl: add helper variable 'ldb' in acl_sDRightsEffective Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Matthieu Patou <m...@matws.net> commit 629ce2a1ba392f2e8b632752c583843777471378 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Jan 4 16:03:42 2013 +0100 libcli/security: don't look at the inherited type in get_ace_object_type() The inherited_type is only used to decide if aces should be inherited effectively or not (INHERIT_ONLY) for the specified object. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Matthieu Patou <m...@matws.net> commit 70460605c6132ffbc6be825c24f188674c0ac979 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Jan 17 08:51:23 2013 +0100 dsdb-acl: fix the order of special and system checks First we check for a special dn, then for system access. All allocations happen after this checks in order to avoid allocations we won't use. 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Matthieu Patou <m...@matws.net> commit a0c59b4da1c5d8637c92e65c7cf54bb82bc8fca5 Author: Matthieu Patou <m...@matws.net> Date: Sun Dec 30 02:27:25 2012 -0800 dsdb-acl: Do not apply ACL on special DNs to hide attributes that the user shouldn't see This fix frequent reindexing when using python script with a user that is not system. The reindexing is caused by ACL module hidding (removing) attributes in the search request for all attributes in dn=@ATTRIBUTES and because dsdb_schema_set_indices_and_attributes checks that the list of attributes that it just calculated from the schema is the same as the list written in @ATTRIBUTES, if not the list is replaced and a reindexing is triggered. Signed-off-by: Matthieu Patou <m...@matws.net> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 961a1fbbbccb7fbb14634ec230985f3fd000b050 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Jan 17 08:37:58 2013 +0100 dsdb-acl: talloc_free the private context when we pass to the next module Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Matthieu Patou <m...@matws.net> commit 947985b259ac05e95d65be19c67f384579a797ce Author: Stefan Metzmacher <me...@samba.org> Date: Thu Jan 17 08:37:12 2013 +0100 dsdb-acl: don't call dsdb_user_password_support() if we don't use the result Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Matthieu Patou <m...@matws.net> ----------------------------------------------------------------------- Summary of changes: libcli/security/access_check.c | 2 - source4/dsdb/samdb/ldb_modules/acl.c | 115 +++++++++++++++++++++++++-------- 2 files changed, 87 insertions(+), 30 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c index 9153dad..70345f5 100644 --- a/libcli/security/access_check.c +++ b/libcli/security/access_check.c 
@@ -371,8 +371,6 @@ static const struct GUID *get_ace_object_type(struct security_ace *ace) if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) type = &ace->object.object.type.type; - else if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) - type = &ace->object.object.inherited_type.inherited_type; /* This doesn't look right. Is something wrong with the IDL? */ else type = NULL; diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index 9056a41..539363c 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c @@ -458,6 +458,7 @@ static int acl_sDRightsEffective(struct ldb_module *module, struct ldb_message *msg, struct acl_context *ac) { + struct ldb_context *ldb = ldb_module_get_ctx(module); struct ldb_message_element *rightsEffective; int ret; struct security_descriptor *sd; @@ -480,8 +481,16 @@ static int acl_sDRightsEffective(struct ldb_module *module, flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_SACL | SECINFO_DACL; } else { + const struct dsdb_attribute *attr; + + attr = dsdb_attribute_by_lDAPDisplayName(ac->schema, + "nTSecurityDescriptor"); + if (attr == NULL) { + return ldb_operr(ldb); + } + /* Get the security descriptor from the message */ - ret = dsdb_get_sd_from_ldb_message(ldb_module_get_ctx(module), msg, sd_msg, &sd); + ret = dsdb_get_sd_from_ldb_message(ldb, msg, sd_msg, &sd); if (ret != LDB_SUCCESS) { return ret; } @@ -491,7 +500,7 @@ static int acl_sDRightsEffective(struct ldb_module *module, sd, sid, SEC_STD_WRITE_OWNER, - NULL); + attr); if (ret == LDB_SUCCESS) { flags |= SECINFO_OWNER | SECINFO_GROUP; } @@ -500,7 +509,7 @@ static int acl_sDRightsEffective(struct ldb_module *module, sd, sid, SEC_STD_WRITE_DAC, - NULL); + attr); if (ret == LDB_SUCCESS) { flags |= SECINFO_DACL; } 
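Review bot: With the inherited-type branch removed, a reader of get_ace_object_type() no longer sees why SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT is deliberately not consulted, and the reason lives only in the commit message. Suggest a comment above the remaining `if`, e.g. `/* Only object.type is a match type; inherited_type merely decides whether an INHERIT_ONLY ace applies to this object and must not be used here. */`. The function starts and ends outside the hunk, so the surrounding NULL-returning path is not visible for review.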
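Review bot: The new `attr == NULL` check guards the result of the schema lookup, but `ac->schema` itself comes from `dsdb_get_schema(ldb, ac)` in acl_search (the -1661 hunk) with no NULL check visible anywhere in this changeset; if that call can fail, `dsdb_attribute_by_lDAPDisplayName(ac->schema, "nTSecurityDescriptor")` receives a NULL schema, so either confirm it tolerates that or add `if (ac->schema == NULL) { return ldb_operr(ldb); }` before the lookup. The same `attr` is then passed to the three acl_check_access_on_attribute() calls in the -491, -500 and -509 hunks, which matches the commit's intent. As a style point, the lookup now runs once per result message although the attribute is fixed for a given schema; resolving it once in acl_search and keeping it in the acl_context would avoid the repeated search, but that is optional. acl_sDRightsEffective begins before the -458 hunk and continues past the -509 hunk.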
@@ -509,7 +518,7 @@ static int acl_sDRightsEffective(struct ldb_module *module, sd, sid, SEC_FLAG_SYSTEM_SECURITY, - NULL); + attr); if (ret == LDB_SUCCESS) { flags |= SECINFO_SACL; } @@ -751,14 +760,19 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx, static int acl_add(struct ldb_module *module, struct ldb_request *req) { int ret; - struct ldb_dn *parent = ldb_dn_get_parent(req, req->op.add.message->dn); + struct ldb_dn *parent; struct ldb_context *ldb; const struct dsdb_schema *schema; struct ldb_message_element *oc_el; const struct GUID *guid; struct ldb_dn *nc_root; - struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID); + struct ldb_control *as_system; + + if (ldb_dn_is_special(req->op.add.message->dn)) { + return ldb_next_request(module, req); + } + as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID); if (as_system != NULL) { as_system->critical = 0; } @@ -766,12 +780,14 @@ static int acl_add(struct ldb_module *module, struct ldb_request *req) if (dsdb_module_am_system(module) || as_system) { return ldb_next_request(module, req); } - if (ldb_dn_is_special(req->op.add.message->dn)) { - return ldb_next_request(module, req); - } ldb = ldb_module_get_ctx(module); + parent = ldb_dn_get_parent(req, req->op.add.message->dn); + if (parent == NULL) { + return ldb_oom(ldb); + } + /* Creating an NC. There is probably something we should do here, * but we will establish that later */ @@ -981,9 +997,9 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req) struct ldb_result *acl_res; struct security_descriptor *sd; struct dom_sid *sid = NULL; - struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID); - bool userPassword = dsdb_user_password_support(module, req, req); - TALLOC_CTX *tmp_ctx = talloc_new(req); + struct ldb_control *as_system; + bool userPassword; + TALLOC_CTX *tmp_ctx; static const char *acl_attrs[] = { "nTSecurityDescriptor", "objectClass", 
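Review bot: In the -766 hunk the `parent == NULL` branch reports `ldb_oom(ldb)`, but if ldb_dn_get_parent() also returns NULL for a DN that has no parent component (which I believe it does, though its body is not on this page), a malformed or root-level add is now reported as an out-of-memory condition rather than as an invalid DN, which makes the failure hard to diagnose from the error alone. Consider distinguishing the two, e.g. `if (parent == NULL) { return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, "acl_add: DN has no parent"); }` or checking the component count before calling ldb_dn_get_parent(). The same pattern appears in acl_delete (the -1196 hunk) and acl_rename (the -1294 hunk). acl_add continues beyond the -766 hunk, so the later uses of `parent` are not visible here.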
@@ -991,6 +1007,11 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req) NULL }; + if (ldb_dn_is_special(req->op.mod.message->dn)) { + return ldb_next_request(module, req); + } + + as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID); if (as_system != NULL) { as_system->critical = 0; } @@ -1003,9 +1024,12 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req) if (dsdb_module_am_system(module) || as_system) { return ldb_next_request(module, req); } - if (ldb_dn_is_special(req->op.mod.message->dn)) { - return ldb_next_request(module, req); + + tmp_ctx = talloc_new(req); + if (tmp_ctx == NULL) { + return ldb_oom(ldb); } + ret = dsdb_module_search_dn(module, tmp_ctx, &acl_res, req->op.mod.message->dn, acl_attrs, DSDB_FLAG_NEXT_MODULE | @@ -1017,6 +1041,8 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req) goto fail; } + userPassword = dsdb_user_password_support(module, req, req); + schema = dsdb_get_schema(ldb, tmp_ctx); if (!schema) { talloc_free(tmp_ctx); 
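Review bot: The new `tmp_ctx == NULL` path in the -1003 hunk returns `ldb_oom(ldb)`, but the assignment of `ldb` in acl_modify is not visible in any of this function's hunks (the old lines between the -991 and -1003 hunks are not shown), so it needs confirming that `ldb = ldb_module_get_ctx(module)` runs before this point; in acl_add and acl_delete the new code assigns `ldb` explicitly just before the first use, and acl_modify would be clearer if it did the same. Moving `userPassword = dsdb_user_password_support(module, req, req)` below the dsdb_module_search_dn() call is fine, but a one-line comment such as `/* only needed once we know we will check attribute access */` would explain why it is not computed with the other locals. acl_modify continues past the -1017 hunk.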
@@ -1196,25 +1222,33 @@ fail: static int acl_delete(struct ldb_module *module, struct ldb_request *req) { int ret; - struct ldb_dn *parent = ldb_dn_get_parent(req, req->op.del.dn); + struct ldb_dn *parent; struct ldb_context *ldb; struct ldb_dn *nc_root; - struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID); + struct ldb_control *as_system; + if (ldb_dn_is_special(req->op.del.dn)) { + return ldb_next_request(module, req); + } + + as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID); if (as_system != NULL) { as_system->critical = 0; } - DEBUG(10, ("ldb:acl_delete: %s\n", ldb_dn_get_linearized(req->op.del.dn))); if (dsdb_module_am_system(module) || as_system) { return ldb_next_request(module, req); } - if (ldb_dn_is_special(req->op.del.dn)) { - return ldb_next_request(module, req); - } + + DEBUG(10, ("ldb:acl_delete: %s\n", ldb_dn_get_linearized(req->op.del.dn))); ldb = ldb_module_get_ctx(module); + parent = ldb_dn_get_parent(req, req->op.del.dn); + if (parent == NULL) { + return ldb_oom(ldb); + } + /* Make sure we aren't deleting a NC */ ret = dsdb_find_nc_root(ldb, req, req->op.del.dn, &nc_root); @@ -1263,8 +1297,8 @@ static int acl_delete(struct ldb_module *module, struct ldb_request *req) static int acl_rename(struct ldb_module *module, struct ldb_request *req) { int ret; - struct ldb_dn *oldparent = ldb_dn_get_parent(req, req->op.rename.olddn); - struct ldb_dn *newparent = ldb_dn_get_parent(req, req->op.rename.newdn); + struct ldb_dn *oldparent; + struct ldb_dn *newparent; const struct dsdb_schema *schema; struct ldb_context *ldb; struct security_descriptor *sd = NULL; 
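Review bot: The `DEBUG(10, ("ldb:acl_delete: %s\n", ...))` line in the -1196 hunk is moved below the `dsdb_module_am_system(module) || as_system` early return, so deletes by system callers are no longer traced at level 10; that is a behaviour change for anyone relying on that log line, and it is not mentioned in the commit message. If the intent is to log only deletes that are actually ACL-checked, a comment such as `/* only log deletes that are subject to ACL checks */` would make it deliberate; otherwise keep the DEBUG before the system check as it was. acl_delete continues past this hunk.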
@@ -1274,8 +1308,8 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req) struct ldb_dn *nc_root; struct object_tree *root = NULL; struct object_tree *new_node = NULL; - struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID); - TALLOC_CTX *tmp_ctx = talloc_new(req); + struct ldb_control *as_system; + TALLOC_CTX *tmp_ctx; NTSTATUS status; uint32_t access_granted; const char *rdn_name; @@ -1286,6 +1320,11 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req) NULL }; + if (ldb_dn_is_special(req->op.rename.olddn)) { + return ldb_next_request(module, req); + } + + as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID); if (as_system != NULL) { as_system->critical = 0; } @@ -1294,12 +1333,23 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req) if (dsdb_module_am_system(module) || as_system) { return ldb_next_request(module, req); } - if (ldb_dn_is_special(req->op.rename.olddn)) { - return ldb_next_request(module, req); - } ldb = ldb_module_get_ctx(module); + tmp_ctx = talloc_new(req); + if (tmp_ctx == NULL) { + return ldb_oom(ldb); + } + + oldparent = ldb_dn_get_parent(tmp_ctx, req->op.rename.olddn); + if (oldparent == NULL) { + return ldb_oom(ldb); + } + newparent = ldb_dn_get_parent(tmp_ctx, req->op.rename.newdn); + if (newparent == NULL) { + return ldb_oom(ldb); + } + /* Make sure we aren't renaming/moving a NC */ ret = dsdb_find_nc_root(ldb, req, req->op.rename.olddn, &nc_root); @@ -1642,6 +1692,10 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req) int ret; unsigned int i; + if (ldb_dn_is_special(req->op.search.base)) { + return ldb_next_request(module, req); + } + ldb = ldb_module_get_ctx(module); ac = talloc_zero(req, struct acl_context); 
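Review bot: In the -1294 hunk the `oldparent == NULL` and `newparent == NULL` branches return `ldb_oom(ldb)` without `talloc_free(tmp_ctx)`; because `tmp_ctx` is allocated on `req` it is reclaimed with the request, but the rest of acl_rename (outside this hunk) presumably frees `tmp_ctx` on its other failure paths, so these two returns are inconsistent with them. Suggest `talloc_free(tmp_ctx); return ldb_oom(ldb);` in both branches, or a `goto` to a shared cleanup label if the function has one. Note also that the two parents were previously allocated on `req` and are now children of `tmp_ctx`, so any later use of them must happen before `tmp_ctx` is freed; that part of the function is not visible here.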
@@ -1661,7 +1715,7 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req) ac->allowedChildClasses = ldb_attr_in_list(req->op.search.attrs, "allowedChildClasses"); ac->allowedChildClassesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedChildClassesEffective"); ac->sDRightsEffective = ldb_attr_in_list(req->op.search.attrs, "sDRightsEffective"); - ac->userPassword = dsdb_user_password_support(module, ac, req); + ac->userPassword = true; ac->schema = dsdb_get_schema(ldb, ac); ac->constructed_attrs |= ac->allowedAttributes; @@ -1678,9 +1732,14 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req) } if (!ac->constructed_attrs && !ac->modify_search) { + talloc_free(ac); return ldb_next_request(module, req); } + if (!ac->am_system) { + ac->userPassword = dsdb_user_password_support(module, ac, req); + } + ret = acl_search_update_confidential_attrs(ac, data); if (ret != LDB_SUCCESS) { return ret; -- Samba Shared Repository
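Review bot: `ac->userPassword = true;` in the -1661 hunk is a default that is only overridden in the -1678 hunk for non-system callers, and nothing in the code says why system callers get a fixed `true`; a reader has to reconstruct this from the commit message. Suggest a comment at the assignment, e.g. `/* fixed to true for system callers; only non-system callers need the dsdb_user_password_support() lookup, see below */`. Separately, `talloc_free(ac)` is now added before the `ldb_next_request()` pass-through, while the `return ret;` after acl_search_update_confidential_attrs() still leaves `ac` allocated; since `ac` hangs off `req` this is not a leak, but freeing it on that path as well would keep the early exits consistent. acl_search continues beyond the -1678 hunk.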