From ba06cdb413de29fe3e33ef9891dcf61c25cfbbbe Mon Sep 17 00:00:00 2001
From: Nadezhda Ivanova
Date: Thu, 3 Feb 2011 10:29:35 +0200
Subject: [PATCH] s4-dsdb: Explicitly mark some internal ldb requests as trusted

Now all requests are untrusted by default and the acl_read module depends on this to check if access checks should be applied. So all internal requests above this module should be trusted.
---
 source4/dsdb/samdb/ldb_modules/acl.c | 12 ++++++------
 source4/dsdb/samdb/ldb_modules/acl_util.c | 6 ++++--
 source4/dsdb/samdb/ldb_modules/anr.c | 1 +
 source4/dsdb/samdb/ldb_modules/extended_dn_in.c | 1 +
 .../dsdb/samdb/ldb_modules/extended_dn_store.c | 1 +
 source4/dsdb/samdb/ldb_modules/lazy_commit.c | 1 +
 source4/dsdb/samdb/ldb_modules/objectclass.c | 1 +
 source4/dsdb/samdb/ldb_modules/ranged_results.c | 1 +
 source4/dsdb/samdb/ldb_modules/resolve_oids.c | 1 +
 source4/dsdb/samdb/ldb_modules/rootdse.c | 15 ++++++++-------
 source4/lib/ldb/modules/asq.c | 1 +
 source4/lib/ldb/modules/paged_results.c | 1 +
 source4/lib/ldb/modules/sort.c | 1 +
 13 files changed, 28 insertions(+), 15 deletions(-)

diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 69ff2aae942..877ba888860 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -107,7 +107,7 @@ static int acl_module_init(struct ldb_module *module)
 ret = dsdb_module_search_dn(module, mem_ctx, &res, ldb_dn_new(mem_ctx, ldb, "@KLUDGEACL"), attrs,
- DSDB_FLAG_NEXT_MODULE, NULL);
+ DSDB_FLAG_NEXT_MODULE|DSDB_FLAG_TRUSTED, NULL);
 if (ret != LDB_SUCCESS) {
 goto done;
 }
@@ -590,7 +590,7 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx,
 ret = dsdb_module_search_dn(module, tmp_ctx, &acl_res, req->op.mod.message->dn, acl_attrs,
- DSDB_FLAG_NEXT_MODULE |
+ DSDB_FLAG_NEXT_MODULE | DSDB_FLAG_TRUSTED |
 DSDB_SEARCH_SHOW_DELETED, req);
 if (ret != LDB_SUCCESS) {
 talloc_free(tmp_ctx);
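Review bot: The flag added in acl_module_init is written `DSDB_FLAG_NEXT_MODULE|DSDB_FLAG_TRUSTED` without spaces, while the other sites in this file (acl_check_spn, acl_modify, acl_rename, acl_search_callback) and acl_util.c write `DSDB_FLAG_NEXT_MODULE | DSDB_FLAG_TRUSTED`; rootdse.c uses the spaceless form throughout, so one form should be picked for the series. Every search touched here appears to fetch the data an access decision is then based on (the results land in acl_res), which is the reason the trust bypass is acceptable, but nothing in the code says so. A one-line comment at the first site would carry that reasoning, e.g. `/* trusted: this lookup feeds the access check itself, so it must not be filtered by acl_read */`. acl_module_init's body continues outside the hunk.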
@@ -605,7 +605,7 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx,
 &netbios_res, partitions_dn, LDB_SCOPE_ONELEVEL, netbios_attrs,
- DSDB_FLAG_NEXT_MODULE,
+ DSDB_FLAG_NEXT_MODULE | DSDB_FLAG_TRUSTED,
 req, "(ncName=%s)", ldb_dn_get_linearized(ldb_get_default_basedn(ldb)));
@@ -877,7 +877,7 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
 }
 ret = dsdb_module_search_dn(module, tmp_ctx, &acl_res, req->op.mod.message->dn, acl_attrs,
- DSDB_FLAG_NEXT_MODULE, req);
+ DSDB_FLAG_NEXT_MODULE | DSDB_FLAG_TRUSTED, req);
 if (ret != LDB_SUCCESS) {
 goto fail;
@@ -1154,7 +1154,7 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
 ret = dsdb_module_search_dn(module, tmp_ctx, &acl_res, req->op.rename.olddn, acl_attrs,
- DSDB_FLAG_NEXT_MODULE |
+ DSDB_FLAG_NEXT_MODULE | DSDB_FLAG_TRUSTED |
 DSDB_SEARCH_SHOW_RECYCLED, req);
 /* we sould be able to find the parent */
 if (ret != LDB_SUCCESS) {
@@ -1312,7 +1312,7 @@ static int acl_search_callback(struct ldb_request *req, struct ldb_reply *ares)
 || ac->sDRightsEffective) {
 ret = dsdb_module_search_dn(ac->module, ac, &acl_res, ares->message->dn, acl_attrs,
- DSDB_FLAG_NEXT_MODULE, req);
+ DSDB_FLAG_NEXT_MODULE | DSDB_FLAG_TRUSTED, req);
 if (ret != LDB_SUCCESS) {
 return ldb_module_done(ac->req, NULL, NULL, ret);
 }
diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c b/source4/dsdb/samdb/ldb_modules/acl_util.c
index a7bc331f8ed..67b44b5d4d0 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_util.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_util.c
@@ -74,7 +74,8 @@ int dsdb_module_check_access_on_dn(struct ldb_module *module,
 ret = dsdb_module_search_dn(module, mem_ctx, &acl_res, dn, acl_attrs, DSDB_FLAG_NEXT_MODULE |
- DSDB_SEARCH_SHOW_RECYCLED,
+ DSDB_SEARCH_SHOW_RECYCLED |
+ DSDB_FLAG_TRUSTED,
 parent);
 if (ret != LDB_SUCCESS) {
 DEBUG(0,("access_check: failed to find object %s\n", ldb_dn_get_linearized(dn)));
@@ -111,7 +112,8 @@ int dsdb_module_check_access_on_guid(struct ldb_module *module,
 ret = dsdb_module_search(module, mem_ctx, &acl_res, NULL, LDB_SCOPE_SUBTREE, acl_attrs, DSDB_FLAG_NEXT_MODULE |
- DSDB_SEARCH_SHOW_RECYCLED,
+ DSDB_SEARCH_SHOW_RECYCLED |
+ DSDB_FLAG_TRUSTED,
 parent, "objectGUID=%s", GUID_string(mem_ctx, guid));
diff --git a/source4/dsdb/samdb/ldb_modules/anr.c b/source4/dsdb/samdb/ldb_modules/anr.c
index ec9d82512c8..65cd8c43497 100644
--- a/source4/dsdb/samdb/ldb_modules/anr.c
+++ b/source4/dsdb/samdb/ldb_modules/anr.c
@@ -356,6 +356,7 @@ static int anr_search(struct ldb_module *module, struct ldb_request *req)
 req->controls, ac, anr_search_callback, req);
+ ldb_req_mark_trusted(down_req);
 LDB_REQ_SET_LOCATION(down_req);
 if (ret != LDB_SUCCESS) {
 return ldb_operr(ldb);
diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
index c39953f4189..3d29b7554b4 100644
--- a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
+++ b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
@@ -173,6 +173,7 @@ static int extended_base_callback(struct ldb_request *req, struct ldb_reply *are
 ac->req->controls, ac, extended_final_callback, ac->req);
+ ldb_req_mark_trusted(down_req);
 LDB_REQ_SET_LOCATION(down_req);
 break;
 case LDB_ADD:
diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_store.c b/source4/dsdb/samdb/ldb_modules/extended_dn_store.c
index e38a45194b3..27fbbe72a4f 100644
--- a/source4/dsdb/samdb/ldb_modules/extended_dn_store.c
+++ b/source4/dsdb/samdb/ldb_modules/extended_dn_store.c
@@ -269,6 +269,7 @@ static int extended_store_replace(struct extended_dn_context *ac,
 ac->ldb, os, os->dsdb_dn->dn, LDB_SCOPE_BASE, NULL, attrs, NULL, os, extended_replace_dn, ac->req);
+ ldb_req_mark_trusted(os->search_req);
 LDB_REQ_SET_LOCATION(os->search_req);
 if (ret != LDB_SUCCESS) {
 talloc_free(os);
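Review bot: anr_search re-issues the client's own search (same controls and callback, with `req` as parent, as the hunk context shows), and the new `ldb_req_mark_trusted(down_req);` makes that re-issued request trusted; if acl_read decides on the request it receives, as the description says it now does, a client search that passes through this module reaches acl_read with the access checks switched off. The same pass-through pattern is marked trusted in extended_dn_in.c (the extended_final_callback search built from ac->req), lazy_commit.c, ranged_results.c, resolve_oids.c, paged_results.c and sort.c, and I would assume asq.c's base lookup too; only the lookups a module issues for its own purposes (acl.c, acl_util.c, extended_dn_store.c, objectclass.c, rootdse.c) should carry the flag. For a request that stands in for the client's, dropping the `ldb_req_mark_trusted(down_req);` line leaves it at the untrusted default the description describes, or the parent's state can be copied explicitly: `if (ldb_req_is_untrusted(req)) { ldb_req_mark_untrusted(down_req); }`. anr_search's body starts and ends outside the hunk.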
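Review bot: `ldb_req_mark_trusted(os->search_req);` runs before the `if (ret != LDB_SUCCESS)` check that decides whether the request was built at all, so on a failed ldb_build_search_req the call operates on a request that does not exist (likely a NULL pointer, which the call would dereference unless it is NULL-tolerant); the existing LDB_REQ_SET_LOCATION sitting before the check is no precedent unless that macro is known to be NULL-safe. The same order appears in anr.c and extended_dn_in.c above and in lazy_commit.c, ranged_results.c, resolve_oids.c, asq.c, paged_results.c and sort.c below; only objectclass.c places the call directly before ldb_next_request, after its error paths. Move the `ldb_req_mark_trusted(os->search_req);` line below the `if (ret != LDB_SUCCESS)` block at each site. extended_store_replace's body continues outside the hunk.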
diff --git a/source4/dsdb/samdb/ldb_modules/lazy_commit.c b/source4/dsdb/samdb/ldb_modules/lazy_commit.c
index 24fc6dd9e85..938dc89955f 100644
--- a/source4/dsdb/samdb/ldb_modules/lazy_commit.c
+++ b/source4/dsdb/samdb/ldb_modules/lazy_commit.c
@@ -51,6 +51,7 @@ static int unlazy_op(struct ldb_module *module, struct ldb_request *req)
 req->controls, req, dsdb_next_callback, req);
+ ldb_req_mark_trusted(new_req);
 LDB_REQ_SET_LOCATION(new_req);
 break;
 case LDB_ADD:
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index 39f456dccae..1fc4b06c22b 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -436,6 +436,7 @@ static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
 }
 ac->step_fn = objectclass_do_add;
+ ldb_req_mark_trusted(search_req);
 return ldb_next_request(ac->module, search_req);
 }
diff --git a/source4/dsdb/samdb/ldb_modules/ranged_results.c b/source4/dsdb/samdb/ldb_modules/ranged_results.c
index 3b82de87447..5bb366e012d 100644
--- a/source4/dsdb/samdb/ldb_modules/ranged_results.c
+++ b/source4/dsdb/samdb/ldb_modules/ranged_results.c
@@ -249,6 +249,7 @@ static int rr_search(struct ldb_module *module, struct ldb_request *req)
 req->controls, ac, rr_search_callback, req);
+ ldb_req_mark_trusted(down_req);
 LDB_REQ_SET_LOCATION(down_req);
 if (ret != LDB_SUCCESS) {
 return ret;
diff --git a/source4/dsdb/samdb/ldb_modules/resolve_oids.c b/source4/dsdb/samdb/ldb_modules/resolve_oids.c
index 71f9a30635c..4a1e5044ab3 100644
--- a/source4/dsdb/samdb/ldb_modules/resolve_oids.c
+++ b/source4/dsdb/samdb/ldb_modules/resolve_oids.c
@@ -553,6 +553,7 @@ static int resolve_oids_search(struct ldb_module *module, struct ldb_request *re
 req->controls, ac, resolve_oids_callback, req);
+ ldb_req_mark_trusted(down_req);
 LDB_REQ_SET_LOCATION(down_req);
 if (ret != LDB_SUCCESS) {
 return ret;
diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c
index c5486b539b8..0c2d569f852 100644
--- a/source4/dsdb/samdb/ldb_modules/rootdse.c
+++ b/source4/dsdb/samdb/ldb_modules/rootdse.c
@@ -1,6 +1,5 @@ /* Unix SMB/CIFS implementation. - rootDSE ldb module Copyright (C) Andrew Tridgell 2005
@@ -206,7 +205,7 @@ static int rootdse_add_dynamic(struct ldb_module *module, struct ldb_message *ms
 int ret;
 const char *dns_attrs[] = { "dNSHostName", NULL };
 ret = dsdb_module_search_dn(module, msg, &res, samdb_server_dn(ldb, msg),
- dns_attrs, DSDB_FLAG_NEXT_MODULE, req);
+ dns_attrs, DSDB_FLAG_NEXT_MODULE|DSDB_FLAG_TRUSTED, req);
 if (ret == LDB_SUCCESS) {
 const char *hostname = ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName", NULL);
 if (hostname != NULL) {
@@ -804,7 +803,7 @@ static int rootdse_init(struct ldb_module *module)
 */
 ret = dsdb_module_search(module, mem_ctx, &res, ldb_get_default_basedn(ldb),
- LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
+ LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE|DSDB_FLAG_TRUSTED, NULL, NULL);
 if (ret == LDB_SUCCESS && res->count == 1) {
 int domain_behaviour_version = ldb_msg_find_attr_as_int(res->msgs[0],
@@ -826,7 +825,7 @@ static int rootdse_init(struct ldb_module *module)
 ret = dsdb_module_search(module, mem_ctx, &res, samdb_partitions_dn(ldb, mem_ctx),
- LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
+ LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE|DSDB_FLAG_TRUSTED, NULL, NULL);
 if (ret == LDB_SUCCESS && res->count == 1) {
 int forest_behaviour_version = ldb_msg_find_attr_as_int(res->msgs[0],
@@ -850,14 +849,15 @@ static int rootdse_init(struct ldb_module *module)
 * the @ROOTDSE record */
 ret = dsdb_module_search(module, mem_ctx, &res, ldb_dn_new(mem_ctx, ldb, "@ROOTDSE"),
- LDB_SCOPE_BASE, ds_attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
+ LDB_SCOPE_BASE, ds_attrs, DSDB_FLAG_NEXT_MODULE|DSDB_FLAG_TRUSTED, NULL, NULL);
 if (ret == LDB_SUCCESS && res->count == 1) {
 struct ldb_dn *ds_dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, res->msgs[0], "dsServiceName");
 if (ds_dn) {
 ret = dsdb_module_search(module, mem_ctx, &res, ds_dn,
- LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
+ LDB_SCOPE_BASE, attrs,
+ DSDB_FLAG_NEXT_MODULE|DSDB_FLAG_TRUSTED, NULL, NULL);
 if (ret == LDB_SUCCESS && res->count == 1) {
 int domain_controller_behaviour_version = ldb_msg_find_attr_as_int(res->msgs[0],
@@ -950,7 +950,8 @@ static int dsdb_find_optional_feature(struct ldb_module *module, struct ldb_cont
 ret = dsdb_module_search(module, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE, NULL, DSDB_FLAG_NEXT_MODULE |
- DSDB_SEARCH_SEARCH_ALL_PARTITIONS,
+ DSDB_SEARCH_SEARCH_ALL_PARTITIONS |
+ DSDB_FLAG_TRUSTED,
 parent, "(&(objectClass=msDS-OptionalFeature)" "(msDS-OptionalFeatureGUID=%s))",GUID_string(tmp_ctx, &op_feature_guid));
diff --git a/source4/lib/ldb/modules/asq.c b/source4/lib/ldb/modules/asq.c
index 7482de826f0..cf0ac73b2c8 100644
--- a/source4/lib/ldb/modules/asq.c
+++ b/source4/lib/ldb/modules/asq.c
@@ -239,6 +239,7 @@ static int asq_build_first_request(struct asq_context *ac, struct ldb_request **
 NULL, ac, asq_base_callback, ac->req);
+ ldb_req_mark_trusted(*base_req);
 if (ret != LDB_SUCCESS) {
 return ret;
 }
diff --git a/source4/lib/ldb/modules/paged_results.c b/source4/lib/ldb/modules/paged_results.c
index 2d6c62fd54b..393d978f52b 100644
--- a/source4/lib/ldb/modules/paged_results.c
+++ b/source4/lib/ldb/modules/paged_results.c
@@ -354,6 +354,7 @@ static int paged_search(struct ldb_module *module, struct ldb_request *req)
 ac, paged_search_callback, req);
+ ldb_req_mark_trusted(search_req);
 if (ret != LDB_SUCCESS) {
 return ret;
 }
diff --git a/source4/lib/ldb/modules/sort.c b/source4/lib/ldb/modules/sort.c
index c6fce2d96e0..44cfa49d4c3 100644
--- a/source4/lib/ldb/modules/sort.c
+++ b/source4/lib/ldb/modules/sort.c
@@ -316,6 +316,7 @@ static int server_sort_search(struct ldb_module *module, struct ldb_request *req
 ac, server_sort_search_callback, req);
+ ldb_req_mark_trusted(down_req);
 if (ret != LDB_SUCCESS) {
 return ret;
 }
--
2.34.1