All requests are now untrusted by default, and the acl_read module relies on this to decide whether access checks should be applied. Therefore all internal requests issued above this module must be marked as trusted.
ret = dsdb_module_search_dn(module, mem_ctx, &res,
ldb_dn_new(mem_ctx, ldb, "@KLUDGEACL"),
attrs,
- DSDB_FLAG_NEXT_MODULE, NULL);
+ DSDB_FLAG_NEXT_MODULE|DSDB_FLAG_TRUSTED, NULL);
if (ret != LDB_SUCCESS) {
goto done;
}
ret = dsdb_module_search_dn(module, tmp_ctx,
&acl_res, req->op.mod.message->dn,
acl_attrs,
- DSDB_FLAG_NEXT_MODULE |
+ DSDB_FLAG_NEXT_MODULE | DSDB_FLAG_TRUSTED |
DSDB_SEARCH_SHOW_DELETED, req);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
&netbios_res, partitions_dn,
LDB_SCOPE_ONELEVEL,
netbios_attrs,
- DSDB_FLAG_NEXT_MODULE,
+ DSDB_FLAG_NEXT_MODULE | DSDB_FLAG_TRUSTED,
req,
"(ncName=%s)",
ldb_dn_get_linearized(ldb_get_default_basedn(ldb)));
}
ret = dsdb_module_search_dn(module, tmp_ctx, &acl_res, req->op.mod.message->dn,
acl_attrs,
- DSDB_FLAG_NEXT_MODULE, req);
+ DSDB_FLAG_NEXT_MODULE | DSDB_FLAG_TRUSTED, req);
if (ret != LDB_SUCCESS) {
goto fail;
ret = dsdb_module_search_dn(module, tmp_ctx, &acl_res,
req->op.rename.olddn, acl_attrs,
- DSDB_FLAG_NEXT_MODULE |
+ DSDB_FLAG_NEXT_MODULE | DSDB_FLAG_TRUSTED |
DSDB_SEARCH_SHOW_RECYCLED, req);
/* we sould be able to find the parent */
if (ret != LDB_SUCCESS) {
|| ac->sDRightsEffective) {
ret = dsdb_module_search_dn(ac->module, ac, &acl_res, ares->message->dn,
acl_attrs,
- DSDB_FLAG_NEXT_MODULE, req);
+ DSDB_FLAG_NEXT_MODULE | DSDB_FLAG_TRUSTED, req);
if (ret != LDB_SUCCESS) {
return ldb_module_done(ac->req, NULL, NULL, ret);
}
ret = dsdb_module_search_dn(module, mem_ctx, &acl_res, dn,
acl_attrs,
DSDB_FLAG_NEXT_MODULE |
- DSDB_SEARCH_SHOW_RECYCLED,
+ DSDB_SEARCH_SHOW_RECYCLED |
+ DSDB_FLAG_TRUSTED,
parent);
if (ret != LDB_SUCCESS) {
DEBUG(0,("access_check: failed to find object %s\n", ldb_dn_get_linearized(dn)));
ret = dsdb_module_search(module, mem_ctx, &acl_res, NULL, LDB_SCOPE_SUBTREE,
acl_attrs,
DSDB_FLAG_NEXT_MODULE |
- DSDB_SEARCH_SHOW_RECYCLED,
+ DSDB_SEARCH_SHOW_RECYCLED |
+ DSDB_FLAG_TRUSTED,
parent,
"objectGUID=%s", GUID_string(mem_ctx, guid));
req->controls,
ac, anr_search_callback,
req);
+ ldb_req_mark_trusted(down_req);
LDB_REQ_SET_LOCATION(down_req);
if (ret != LDB_SUCCESS) {
return ldb_operr(ldb);
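Review bot: The new `ldb_req_mark_trusted(down_req);` runs before the `if (ret != LDB_SUCCESS)` check that follows it, so when building the request fails it is called on a request that was never fully constructed; as far as I recall ldb_build_search_req sets the output pointer to NULL before allocating, and ldb_req_mark_trusted dereferences `req->handle` without a NULL check, unlike LDB_REQ_SET_LOCATION. Moving the call below the error check, i.e. placing `ldb_req_mark_trusted(down_req);` after the closing brace of `if (ret != LDB_SUCCESS) { return ldb_operr(ldb); }`, avoids that. The same ordering appears in the later hunks that add `ldb_req_mark_trusted(down_req)`, `ldb_req_mark_trusted(os->search_req)`, `ldb_req_mark_trusted(new_req)`, `ldb_req_mark_trusted(*base_req)` and `ldb_req_mark_trusted(search_req)` immediately before their own `if (ret != LDB_SUCCESS)` checks. The enclosing function starts and ends outside this hunk.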
ac->req->controls,
ac, extended_final_callback,
ac->req);
+ ldb_req_mark_trusted(down_req);
LDB_REQ_SET_LOCATION(down_req);
break;
case LDB_ADD:
ac->ldb, os, os->dsdb_dn->dn, LDB_SCOPE_BASE, NULL,
attrs, NULL, os, extended_replace_dn,
ac->req);
+ ldb_req_mark_trusted(os->search_req);
LDB_REQ_SET_LOCATION(os->search_req);
if (ret != LDB_SUCCESS) {
talloc_free(os);
req->controls,
req, dsdb_next_callback,
req);
+ ldb_req_mark_trusted(new_req);
LDB_REQ_SET_LOCATION(new_req);
break;
case LDB_ADD:
}
ac->step_fn = objectclass_do_add;
+ ldb_req_mark_trusted(search_req);
return ldb_next_request(ac->module, search_req);
}
req->controls,
ac, rr_search_callback,
req);
+ ldb_req_mark_trusted(down_req);
LDB_REQ_SET_LOCATION(down_req);
if (ret != LDB_SUCCESS) {
return ret;
req->controls,
ac, resolve_oids_callback,
req);
+ ldb_req_mark_trusted(down_req);
LDB_REQ_SET_LOCATION(down_req);
if (ret != LDB_SUCCESS) {
return ret;
/*
Unix SMB/CIFS implementation.
-
rootDSE ldb module
Copyright (C) Andrew Tridgell 2005
int ret;
const char *dns_attrs[] = { "dNSHostName", NULL };
ret = dsdb_module_search_dn(module, msg, &res, samdb_server_dn(ldb, msg),
- dns_attrs, DSDB_FLAG_NEXT_MODULE, req);
+ dns_attrs, DSDB_FLAG_NEXT_MODULE|DSDB_FLAG_TRUSTED, req);
if (ret == LDB_SUCCESS) {
const char *hostname = ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName", NULL);
if (hostname != NULL) {
*/
ret = dsdb_module_search(module, mem_ctx, &res,
ldb_get_default_basedn(ldb),
- LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
+ LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE|DSDB_FLAG_TRUSTED, NULL, NULL);
if (ret == LDB_SUCCESS && res->count == 1) {
int domain_behaviour_version
= ldb_msg_find_attr_as_int(res->msgs[0],
ret = dsdb_module_search(module, mem_ctx, &res,
samdb_partitions_dn(ldb, mem_ctx),
- LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
+ LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE|DSDB_FLAG_TRUSTED, NULL, NULL);
if (ret == LDB_SUCCESS && res->count == 1) {
int forest_behaviour_version
= ldb_msg_find_attr_as_int(res->msgs[0],
* the @ROOTDSE record */
ret = dsdb_module_search(module, mem_ctx, &res,
ldb_dn_new(mem_ctx, ldb, "@ROOTDSE"),
- LDB_SCOPE_BASE, ds_attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
+ LDB_SCOPE_BASE, ds_attrs, DSDB_FLAG_NEXT_MODULE|DSDB_FLAG_TRUSTED, NULL, NULL);
if (ret == LDB_SUCCESS && res->count == 1) {
struct ldb_dn *ds_dn
= ldb_msg_find_attr_as_dn(ldb, mem_ctx, res->msgs[0],
"dsServiceName");
if (ds_dn) {
ret = dsdb_module_search(module, mem_ctx, &res, ds_dn,
- LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
+ LDB_SCOPE_BASE, attrs,
+ DSDB_FLAG_NEXT_MODULE|DSDB_FLAG_TRUSTED, NULL, NULL);
if (ret == LDB_SUCCESS && res->count == 1) {
int domain_controller_behaviour_version
= ldb_msg_find_attr_as_int(res->msgs[0],
ret = dsdb_module_search(module, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE,
NULL,
DSDB_FLAG_NEXT_MODULE |
- DSDB_SEARCH_SEARCH_ALL_PARTITIONS,
+ DSDB_SEARCH_SEARCH_ALL_PARTITIONS |
+ DSDB_FLAG_TRUSTED,
parent,
"(&(objectClass=msDS-OptionalFeature)"
"(msDS-OptionalFeatureGUID=%s))",GUID_string(tmp_ctx, &op_feature_guid));
NULL,
ac, asq_base_callback,
ac->req);
+ ldb_req_mark_trusted(*base_req);
if (ret != LDB_SUCCESS) {
return ret;
}
ac,
paged_search_callback,
req);
+ ldb_req_mark_trusted(search_req);
if (ret != LDB_SUCCESS) {
return ret;
}
ac,
server_sort_search_callback,
req);
+ ldb_req_mark_trusted(down_req);
if (ret != LDB_SUCCESS) {
return ret;
}