From: Jo Sutton
Date: Tue, 13 Feb 2024 01:09:23 +0000 (+1300)
Subject: s4:dsdb: Add function to determine whether we have system access
X-Git-Tag: tdb-1.4.11~1705
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1ad9b93dbf6dd2b899bcb11c20c841735aede12f;p=thirdparty%2Fsamba.git
s4:dsdb: Add function to determine whether we have system access
This takes into account the dsdb session info, as well as the presence or absence of an AS_SYSTEM control.
Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett
---
diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
index 04dd055ef4d..6e87531ed38 100644
--- a/source4/dsdb/samdb/ldb_modules/util.c
+++ b/source4/dsdb/samdb/ldb_modules/util.c
@@ -1155,6 +1155,33 @@ bool dsdb_module_am_administrator(struct ldb_module *module)
 return security_session_user_level(session_info, NULL) == SECURITY_ADMINISTRATOR;
 }
+/*
+ * Return ‘true’ if the caller has system access. The ‘acl’ module passes
+ * SYSTEM_CONTROL_STRIP_CRITICAL when it wants to strip the critical flag.
+ */
+bool dsdb_have_system_access(
+ struct ldb_module *module,
+ struct ldb_request *req,
+ const enum system_control_strip_critical strip_critical)
+{
+ struct ldb_control *as_system = NULL;
+
+ as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
+ if (as_system != NULL) {
+ switch (strip_critical) {
+ case SYSTEM_CONTROL_KEEP_CRITICAL:
+ break;
+ case SYSTEM_CONTROL_STRIP_CRITICAL:
+ as_system->critical = 0;
+ break;
+ }
+
+ return true;
+ }
+
+ return dsdb_module_am_system(module);
+}
+
 /* check if the recyclebin is enabled */
diff --git a/source4/dsdb/samdb/ldb_modules/util.h b/source4/dsdb/samdb/ldb_modules/util.h
index e512992b7a6..b4102a4306e 100644
--- a/source4/dsdb/samdb/ldb_modules/util.h
+++ b/source4/dsdb/samdb/ldb_modules/util.h
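Review bot: In util.c, `dsdb_have_system_access()` returns `true` as soon as `ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID)` finds the control, before the session info is consulted, so the answer is only as trustworthy as whatever attached that control to `req`. The hunk does not show where client-supplied controls are filtered, so the header comment should state the invariant the function relies on, for example `The AS_SYSTEM control is trusted unconditionally; it must only ever be added by internal callers, never taken from a client request.` The same comment should also say that with `SYSTEM_CONTROL_STRIP_CRITICAL` the function modifies `req` by clearing `as_system->critical`, since a predicate named `have_…` is not expected to have a side effect.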
@@ -30,6 +30,11 @@ struct security_descriptor;
 struct dom_sid;
 struct netlogon_samlogon_response;
+enum system_control_strip_critical {
+ SYSTEM_CONTROL_KEEP_CRITICAL,
+ SYSTEM_CONTROL_STRIP_CRITICAL,
+};
+
 #include "librpc/gen_ndr/misc.h"
 #include "librpc/gen_ndr/security.h"
 #include "dsdb/samdb/ldb_modules/util_proto.h"