author | Stefan Metzmacher <metze@samba.org> | 2020-10-06 15:07:19 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2020-10-21 07:25:37 +0000 |
commit | d2dd7c2a5c1f8ee30f0f3b41f933d082b0c75f7c (patch) | |
tree | 13ba41427e9df1f0963c8eb045f5286efd1b7b76 /source4 | |
parent | 06d134406739e76b97273db3023855150dbaebbc (diff) | |
download | samba-d2dd7c2a5c1f8ee30f0f3b41f933d082b0c75f7c.tar.gz |
s4:dsdb:acl_read: introduce aclread_check_object_visible() helper
In future this will do more than aclread_check_parent(),
if we implement fDoListObject and SEC_ADS_LIST_OBJECT handling.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Diffstat (limited to 'source4')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/acl_read.c | 34 |
1 files changed, 25 insertions, 9 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index 7249a1a6c11..b66c4641129 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -154,6 +154,25 @@ static int aclread_check_parent(struct aclread_context *ac,
 	return ret;
 }
 
+static int aclread_check_object_visible(struct aclread_context *ac,
+					struct ldb_message *msg,
+					struct ldb_request *req)
+{
+	uint32_t instanceType;
+
+	/* get the object instance type */
+	instanceType = ldb_msg_find_attr_as_uint(msg,
+						 "instanceType", 0);
+	if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) {
+		/*
+		 * NC_HEAD objects are always visible
+		 */
+		return LDB_SUCCESS;
+	}
+
+	return aclread_check_parent(ac, msg, req);
+}
+
 /*
  * The sd returned from this function is valid until the next call on
  * this module context
@@ -466,7 +485,6 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
 	struct security_descriptor *sd = NULL;
 	struct dom_sid *sid = NULL;
 	TALLOC_CTX *tmp_ctx;
-	uint32_t instanceType;
 	const struct dsdb_class *objectclass;
 	bool suppress_result = false;
 
@@ -509,14 +527,12 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
 	}
 	sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
 
-	/* get the object instance type */
-	instanceType = ldb_msg_find_attr_as_uint(msg,
-						 "instanceType", 0);
-	if (!ldb_dn_is_null(msg->dn) && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
-	{
-		/* the object has a parent, so we have to check for visibility */
-		ret = aclread_check_parent(ac, msg, req);
-
+	if (!ldb_dn_is_null(msg->dn)) {
+		/*
+		 * this is a real object, so we have
+		 * to check for visibility
+		 */
+		ret = aclread_check_object_visible(ac, msg, req);
 		if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
 			talloc_free(tmp_ctx);
 			return LDB_SUCCESS;
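Review bot: The new helper aclread_check_object_visible() silently depends on `msg` carrying the `instanceType` attribute, and nothing at the function says so: `ldb_msg_find_attr_as_uint(msg, "instanceType", 0)` yields 0 when the attribute is absent, so such a message is treated as a non-NC-head and sent down the aclread_check_parent() path. That is the fail-closed direction today, but the commit message announces that fDoListObject/SEC_ADS_LIST_OBJECT handling will be layered onto this helper, so the assumption should be written down before it is built on, e.g. a header comment `/* Requires instanceType in msg (the module must request it); if it is missing the object is treated as not being an NC head and the parent check decides. */`. The return contract also deserves a line, since the caller in aclread_callback only special-cases LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS: `/* Returns LDB_SUCCESS when the object is visible, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS when it is not, else the error from aclread_check_parent(). */` — what aclread_check_parent() can return is not visible in this hunk, so that last clause should be confirmed against its body, which starts above the hunk.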