diff options
| author | Tim Beale <timbeale@catalyst.net.nz> | 2018-07-31 16:00:12 +1200 |
|---|---|---|
| committer | Karolin Seeger <kseeger@samba.org> | 2018-08-13 09:13:36 +0200 |
| commit | fa7bcea388b310f461f1f2c1788687523c6f1a18 (patch) | |
| tree | 5a99b99a3b324e8b278751aa781f12d1909d9654 | |
| parent | f6cbad5f5039570973ecb7dfa4686eb384fe6f7f (diff) | |
| download | samba-fa7bcea388b310f461f1f2c1788687523c6f1a18.tar.gz | |
CVE-2018-10919 acl_read: Split access_mask logic out into helper function
So we can re-use the same logic laster for checking the search-ops.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
| -rw-r--r-- | source4/dsdb/samdb/ldb_modules/acl_read.c | 56 |
1 files changed, 36 insertions, 20 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c index f15633f28f8..4aa517c9980 100644 --- a/source4/dsdb/samdb/ldb_modules/acl_read.c +++ b/source4/dsdb/samdb/ldb_modules/acl_read.c @@ -64,6 +64,41 @@ static bool aclread_is_inaccessible(struct ldb_message_element *el) { return el->flags & LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE; } +/* + * Returns the access mask required to read a given attribute + */ +static uint32_t get_attr_access_mask(const struct dsdb_attribute *attr, + uint32_t sd_flags) +{ + + uint32_t access_mask = 0; + bool is_sd; + + /* nTSecurityDescriptor is a special case */ + is_sd = (ldb_attr_cmp("nTSecurityDescriptor", + attr->lDAPDisplayName) == 0); + + if (is_sd) { + if (sd_flags & (SECINFO_OWNER|SECINFO_GROUP)) { + access_mask |= SEC_STD_READ_CONTROL; + } + if (sd_flags & SECINFO_DACL) { + access_mask |= SEC_STD_READ_CONTROL; + } + if (sd_flags & SECINFO_SACL) { + access_mask |= SEC_FLAG_SYSTEM_SECURITY; + } + } else { + access_mask = SEC_ADS_READ_PROP; + } + + if (attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL) { + access_mask |= SEC_ADS_CONTROL_ACCESS; + } + + return access_mask; +} + static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) { struct ldb_context *ldb; @@ -183,26 +218,7 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) aclread_mark_inaccesslible(&msg->elements[i]); continue; } - /* nTSecurityDescriptor is a special case */ - if (is_sd) { - access_mask = 0; - - if (ac->sd_flags & (SECINFO_OWNER|SECINFO_GROUP)) { - access_mask |= SEC_STD_READ_CONTROL; - } - if (ac->sd_flags & SECINFO_DACL) { - access_mask |= SEC_STD_READ_CONTROL; - } - if (ac->sd_flags & SECINFO_SACL) { - access_mask |= SEC_FLAG_SYSTEM_SECURITY; - } - } else { - access_mask = SEC_ADS_READ_PROP; - } - - if (attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL) { - access_mask |= SEC_ADS_CONTROL_ACCESS; - } + access_mask = get_attr_access_mask(attr, ac->sd_flags); if (access_mask == 0) { aclread_mark_inaccesslible(&msg->elements[i]); |