struct ldb_val sd_cached_blob;
};
+struct access_check_context {
+ struct security_descriptor *sd;
+ struct dom_sid sid_buf;
+ const struct dom_sid *sid;
+ const struct dsdb_class *objectclass;
+};
+
/*
* the object has a parent, so we have to check for visibility
*
*/
static int aclread_get_sd_from_ldb_message(struct aclread_context *ac,
- struct ldb_message *acl_res,
+ const struct ldb_message *acl_res,
struct security_descriptor **sd)
{
struct ldb_message_element *sd_element;
struct parse_tree_aclread_ctx {
struct aclread_context *ac;
TALLOC_CTX *mem_ctx;
- struct dom_sid *sid;
+ const struct dom_sid *sid;
struct ldb_dn *dn;
struct security_descriptor *sd;
const struct dsdb_class *objectclass;
struct aclread_context *ac,
struct security_descriptor *sd,
const struct dsdb_class *objectclass,
- struct dom_sid *sid, struct ldb_dn *dn)
+ const struct dom_sid *sid, struct ldb_dn *dn)
{
int ret;
const struct dsdb_attribute *attr = NULL;
return attr;
}
+static int setup_access_check_context(struct aclread_context *ac,
+ const struct ldb_message *msg,
+ struct access_check_context *ctx)
+{
+ int ret;
+
+ /*
+ * Fetch the schema so we can check which attributes are
+ * considered confidential.
+ */
+ if (ac->schema == NULL) {
+ struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
+
+ /* Cache the schema for later use. */
+ ac->schema = dsdb_get_schema(ldb, ac);
+
+ if (ac->schema == NULL) {
+ return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
+ "aclread_callback: Error obtaining schema.");
+ }
+ }
+
+ /* Fetch the object's security descriptor. */
+ ret = aclread_get_sd_from_ldb_message(ac, msg, &ctx->sd);
+ if (ret != LDB_SUCCESS) {
+ ldb_debug_set(ldb_module_get_ctx(ac->module), LDB_DEBUG_FATAL,
+ "acl_read: cannot get descriptor of %s: %s\n",
+ ldb_dn_get_linearized(msg->dn), ldb_strerror(ret));
+ return LDB_ERR_OPERATIONS_ERROR;
+ } else if (ctx->sd == NULL) {
+ ldb_debug_set(ldb_module_get_ctx(ac->module), LDB_DEBUG_FATAL,
+ "acl_read: cannot get descriptor of %s (attribute not found)\n",
+ ldb_dn_get_linearized(msg->dn));
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ /*
+ * Get the most specific structural object class for the ACL check
+ */
+ ctx->objectclass = dsdb_get_structural_oc_from_msg(ac->schema, msg);
+ if (ctx->objectclass == NULL) {
+ ldb_asprintf_errstring(ldb_module_get_ctx(ac->module),
+ "acl_read: Failed to find a structural class for %s",
+ ldb_dn_get_linearized(msg->dn));
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ /* Fetch the object's SID. */
+ ret = samdb_result_dom_sid_buf(msg, "objectSid", &ctx->sid_buf);
+ if (ret == LDB_SUCCESS) {
+ ctx->sid = &ctx->sid_buf;
+ } else if (ret == LDB_ERR_NO_SUCH_ATTRIBUTE) {
+ /* This is expected. */
+ ctx->sid = NULL;
+ } else {
+ ldb_asprintf_errstring(ldb_module_get_ctx(ac->module),
+ "acl_read: Failed to parse objectSid as dom_sid for %s",
+ ldb_dn_get_linearized(msg->dn));
+ return ret;
+ }
+
+ return LDB_SUCCESS;
+}
+
/*
* Checks a single attribute in the search parse-tree to make sure the user has
* sufficient rights to view it.
TALLOC_CTX *mem_ctx,
struct security_descriptor *sd,
const struct dsdb_class *objectclass,
- struct dom_sid *sid, struct ldb_dn *dn,
+ const struct dom_sid *sid, struct ldb_dn *dn,
bool *suppress_result)
{
int ret;
struct ldb_message *msg;
int ret;
unsigned int i;
- struct security_descriptor *sd = NULL;
- struct dom_sid *sid = NULL;
+ struct access_check_context acl_ctx;
TALLOC_CTX *tmp_ctx;
- const struct dsdb_class *objectclass;
bool suppress_result = false;
ac = talloc_get_type_abort(req->context, struct aclread_context);
switch (ares->type) {
case LDB_REPLY_ENTRY:
msg = ares->message;
- ret = aclread_get_sd_from_ldb_message(ac, msg, &sd);
+ ret = setup_access_check_context(ac, msg, &acl_ctx);
if (ret != LDB_SUCCESS) {
- ldb_debug_set(ldb, LDB_DEBUG_FATAL,
- "acl_read: cannot get descriptor of %s: %s\n",
- ldb_dn_get_linearized(msg->dn), ldb_strerror(ret));
- ret = LDB_ERR_OPERATIONS_ERROR;
- goto fail;
- } else if (sd == NULL) {
- ldb_debug_set(ldb, LDB_DEBUG_FATAL,
- "acl_read: cannot get descriptor of %s (attribute not found)\n",
- ldb_dn_get_linearized(msg->dn));
- ret = LDB_ERR_OPERATIONS_ERROR;
- goto fail;
- }
- /*
- * Get the most specific structural object class for the ACL check
- */
- objectclass = dsdb_get_structural_oc_from_msg(ac->schema, msg);
- if (objectclass == NULL) {
- ldb_asprintf_errstring(ldb, "acl_read: Failed to find a structural class for %s",
- ldb_dn_get_linearized(msg->dn));
- ret = LDB_ERR_OPERATIONS_ERROR;
- goto fail;
+ return ret;
}
- sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
if (!ldb_dn_is_null(msg->dn)) {
/*
* this is a real object, so we have
ret = acl_check_access_on_attribute(ac->module,
tmp_ctx,
- sd,
- sid,
+ acl_ctx.sd,
+ acl_ctx.sid,
access_mask,
attr,
objectclass);
* check access rights for the search attributes, as well as the
* attribute values actually being returned
*/
- ret = check_search_ops_access(ac, tmp_ctx, sd, objectclass, sid,
+ ret = check_search_ops_access(ac, tmp_ctx, acl_ctx.sd, acl_ctx.objectclass, acl_ctx.sid,
msg->dn, &suppress_result);
if (ret != LDB_SUCCESS) {
ldb_debug_set(ldb, LDB_DEBUG_FATAL,
projects / thirdparty / samba.git / commitdiff
