dsdb-acl: calculate sDRightsEffective based on "nTSecurityDescriptor"
authorStefan Metzmacher <metze@samba.org>
Tue, 8 Jan 2013 14:55:36 +0000 (15:55 +0100)
committerMatthieu Patou <mat@samba.org>
Thu, 17 Jan 2013 10:21:10 +0000 (11:21 +0100)
acl_check_access_on_attribute should never be called with attr=NULL
because we don't check access on an attribute in that case

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Matthieu Patou <mat@matws.net>
Autobuild-User(master): Matthieu Patou <mat@samba.org>
Autobuild-Date(master): Thu Jan 17 11:21:10 CET 2013 on sn-devel-104

source4/dsdb/samdb/ldb_modules/acl.c

index 24b65078030cb471fee8366d3ff14ef989561d73..539363cb109cb87c15444c9eca074eb1425b2756 100644 (file)
@@ -481,6 +481,14 @@ static int acl_sDRightsEffective(struct ldb_module *module,
                flags = SECINFO_OWNER | SECINFO_GROUP |  SECINFO_SACL |  SECINFO_DACL;
        }
        else {
+               const struct dsdb_attribute *attr;
+
+               attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
+                                                        "nTSecurityDescriptor");
+               if (attr == NULL) {
+                       return ldb_operr(ldb);
+               }
+
                /* Get the security descriptor from the message */
                ret = dsdb_get_sd_from_ldb_message(ldb, msg, sd_msg, &sd);
                if (ret != LDB_SUCCESS) {
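Review bot: The new `nTSecurityDescriptor` lookup at the top of the else branch has no comment explaining why the attribute is needed, so the reasoning lives only in the commit message. Suggest adding above it `/* sDRightsEffective reports rights on nTSecurityDescriptor; acl_check_access_on_attribute must never be called with attr == NULL */`. The lookup also passes `ac->schema` straight to `dsdb_attribute_by_lDAPDisplayName`; whether it is guaranteed non-NULL on this path is not visible in the hunk and is worth confirming. The body of acl_sDRightsEffective starts and ends outside this hunk.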
@@ -492,7 +500,7 @@ static int acl_sDRightsEffective(struct ldb_module *module,
                                                    sd,
                                                    sid,
                                                    SEC_STD_WRITE_OWNER,
-                                                   NULL);
+                                                   attr);
                if (ret == LDB_SUCCESS) {
                        flags |= SECINFO_OWNER | SECINFO_GROUP;
                }
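Review bot: Every result other than `LDB_SUCCESS` from the access check is treated as "right not held", both here for SEC_STD_WRITE_OWNER and in the two following hunks for SEC_STD_WRITE_DAC and SEC_FLAG_SYSTEM_SECURITY. That fails closed, which is the safe direction for an access decision, but an internal failure in the check would silently under-report sDRightsEffective instead of surfacing as an error. Consider propagating anything that is not a denial, e.g. `else if (ret != LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) { return ret; }`, assuming that is the code the callee returns for a denial; confirm against its definition. The call itself begins above the hunk, so the callee is inferred from the commit message.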
@@ -501,7 +509,7 @@ static int acl_sDRightsEffective(struct ldb_module *module,
                                                    sd,
                                                    sid,
                                                    SEC_STD_WRITE_DAC,
-                                                   NULL);
+                                                   attr);
                if (ret == LDB_SUCCESS) {
                        flags |= SECINFO_DACL;
                }
@@ -510,7 +518,7 @@ static int acl_sDRightsEffective(struct ldb_module *module,
                                                    sd,
                                                    sid,
                                                    SEC_FLAG_SYSTEM_SECURITY,
-                                                   NULL);
+                                                   attr);
                if (ret == LDB_SUCCESS) {
                        flags |= SECINFO_SACL;
                }