From: Jo Sutton
Date: Tue, 13 Feb 2024 01:12:30 +0000 (+1300)
Subject: s4:dsdb: Make use of dsdb_have_system_access()
X-Git-Tag: tdb-1.4.11~1704
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eece2e8a9c6c5bf32c2824ed5853b88d1e3f679b;p=thirdparty%2Fsamba.git

s4:dsdb: Make use of dsdb_have_system_access()

There should not be any change in behaviour.

Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett
---

diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index b7c4b399058..720d71c7a4a 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -1188,7 +1188,6 @@ static int acl_add(struct ldb_module *module, struct ldb_request *req)
 const struct dsdb_class *computer_objectclass = NULL;
 const struct ldb_message_element *oc_el = NULL;
 struct ldb_message_element sorted_oc_el;
- struct ldb_control *as_system;
 struct ldb_control *sd_ctrl = NULL;
 struct ldb_message_element *el;
 unsigned int instanceType = 0;
@@ -1205,12 +1204,8 @@ static int acl_add(struct ldb_module *module, struct ldb_request *req)
 return ldb_next_request(module, req);
 }
 
- as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
- if (as_system != NULL) {
- as_system->critical = 0;
- }
-
- if (dsdb_module_am_system(module) || as_system) {
+ if (dsdb_have_system_access(module, req, SYSTEM_CONTROL_STRIP_CRITICAL))
+ {
 return ldb_next_request(module, req);
 }
 
@@ -1879,7 +1874,6 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
 struct ldb_result *acl_res;
 struct security_descriptor *sd;
 struct dom_sid *sid = NULL;
- struct ldb_control *as_system;
 struct ldb_control *is_undelete;
 struct ldb_control *implicit_validated_write_control = NULL;
 bool userPassword;
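Review bot: The behavioural equivalence of the new `if (dsdb_have_system_access(module, req, SYSTEM_CONTROL_STRIP_CRITICAL))` in acl_add rests on the helper clearing the control's critical flag even when dsdb_module_am_system() is already true, because the removed code cleared `as_system->critical` unconditionally before testing am_system; if the helper short-circuits on am_system, an LDB_CONTROL_AS_SYSTEM_OID control could remain critical past this module, and the helper's definition is not on this page to confirm either way. The same question applies to the identical replacements in acl_modify, acl_delete and acl_rename. A one-line comment at the call site would record the intent for the next reader: `/* STRIP_CRITICAL: the AS_SYSTEM control must not stay critical past this module, as before */`. acl_add's body continues outside the hunk.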
@@ -1901,11 +1895,6 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
 return ldb_next_request(module, req);
 }
 
- as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
- if (as_system != NULL) {
- as_system->critical = 0;
- }
-
 is_undelete = ldb_request_get_control(req, DSDB_CONTROL_RESTORE_TOMBSTONE_OID);
 
 implicit_validated_write_control = ldb_request_get_control(
@@ -1918,7 +1907,8 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
 if (msg->num_elements > 0) {
 DEBUG(10, ("ldb:acl_modify: %s\n", msg->elements[0].name));
 }
- if (dsdb_module_am_system(module) || as_system) {
+ if (dsdb_have_system_access(module, req, SYSTEM_CONTROL_STRIP_CRITICAL))
+ {
 return ldb_next_request(module, req);
 }
 
@@ -2207,7 +2197,6 @@ static int acl_delete(struct ldb_module *module, struct ldb_request *req)
 struct ldb_dn *parent;
 struct ldb_context *ldb;
 struct ldb_dn *nc_root;
- struct ldb_control *as_system;
 const struct dsdb_schema *schema;
 const struct dsdb_class *objectclass;
 struct security_descriptor *sd = NULL;
@@ -2224,12 +2213,8 @@ static int acl_delete(struct ldb_module *module, struct ldb_request *req)
 return ldb_next_request(module, req);
 }
 
- as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
- if (as_system != NULL) {
- as_system->critical = 0;
- }
-
- if (dsdb_module_am_system(module) || as_system) {
+ if (dsdb_have_system_access(module, req, SYSTEM_CONTROL_STRIP_CRITICAL))
+ {
 return ldb_next_request(module, req);
 }
 
@@ -2384,7 +2369,6 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
 struct dom_sid *sid = NULL;
 struct ldb_result *acl_res;
 struct ldb_dn *nc_root;
- struct ldb_control *as_system;
 struct ldb_control *is_undelete;
 TALLOC_CTX *tmp_ctx;
 const char *rdn_name;
@@ -2399,13 +2383,9 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
 return ldb_next_request(module, req);
 }
 
- as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
- if (as_system != NULL) {
- as_system->critical = 0;
- }
-
 DEBUG(10, ("ldb:acl_rename: %s\n", ldb_dn_get_linearized(req->op.rename.olddn)));
- if (dsdb_module_am_system(module) || as_system) {
+ if (dsdb_have_system_access(module, req, SYSTEM_CONTROL_STRIP_CRITICAL))
+ {
 return ldb_next_request(module, req);
 }
 
@@ -2853,7 +2833,6 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req)
 static int acl_extended(struct ldb_module *module, struct ldb_request *req)
 {
 struct ldb_context *ldb = ldb_module_get_ctx(module);
- struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
 
 /* allow everybody to read the sequence number */
 if (strcmp(req->op.extended.oid,
@@ -2861,8 +2840,11 @@ static int acl_extended(struct ldb_module *module, struct ldb_request *req)
 return ldb_next_request(module, req);
 }
 
- if (dsdb_module_am_system(module) ||
- dsdb_module_am_administrator(module) || as_system) {
+ if (dsdb_have_system_access(module,
+ req,
+ SYSTEM_CONTROL_KEEP_CRITICAL) ||
+ dsdb_module_am_administrator(module))
+ {
 return ldb_next_request(module, req);
 } else {
 ldb_asprintf_errstring(ldb,
diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index 0b6280c3a8f..dde1ec68e7b 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
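Review bot: Nothing in acl_extended explains why this call site passes `SYSTEM_CONTROL_KEEP_CRITICAL` while the acl_add/acl_modify/acl_delete/acl_rename sites in the same file pass `SYSTEM_CONTROL_STRIP_CRITICAL`; the removed lines show the difference is faithful to the old code, which never cleared `as_system->critical` here, but once that history is gone the mismatch reads as accidental. A short comment would preserve the reasoning: `/* KEEP_CRITICAL: acl_extended never cleared the AS_SYSTEM control's critical flag; preserve that */`. The same applies to the KEEP_CRITICAL call sites in aclread_search (acl_read.c) and attr_handler (objectclass_attrs.c). acl_extended's else branch continues outside the hunk.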
@@ -883,10 +883,9 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
 ldb = ldb_module_get_ctx(module);
 p = talloc_get_type(ldb_module_get_private(module), struct aclread_private);
 
- am_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID) != NULL;
- if (!am_system) {
- am_system = dsdb_module_am_system(module);
- }
+ am_system = dsdb_have_system_access(module,
+ req,
+ SYSTEM_CONTROL_KEEP_CRITICAL);
 
 /* skip access checks if we are system or system control is supplied
 * or this is not LDAP server request */
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
index 4d7f3d10b31..40bd63f5afd 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
@@ -259,9 +259,11 @@ static int attr_handler(struct oc_context *ac)
 * fschemaUpgradeInProgress and other specific schema checks. */
 if (ldb_dn_compare_base(ldb_get_schema_basedn(ldb), msg->dn) != 0) {
- struct ldb_control *as_system = ldb_request_get_control(ac->req,
- LDB_CONTROL_AS_SYSTEM_OID);
- if (!dsdb_module_am_system(ac->module) && !as_system) {
+ if (!dsdb_have_system_access(
+ ac->module,
+ ac->req,
+ SYSTEM_CONTROL_KEEP_CRITICAL))
+ {
 ldb_asprintf_errstring(ldb,
 "objectclass_attrs: attribute '%s' on entry '%s' can only be modified as system",
 msg->elements[i].name,