From 6a1025551eb5b343ec996ae0c642d542162e8910 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 8 Jan 2013 15:55:36 +0100
Subject: [PATCH] dsdb-acl: calculate sDRightsEffective based on "nTSecurityDescriptor"
acl_check_access_on_attribute should never be called with attr=NULL because we don't check access on an attribute in that case
Signed-off-by: Stefan Metzmacher
Reviewed-by: Matthieu Patou
Autobuild-User(master): Matthieu Patou
Autobuild-Date(master): Thu Jan 17 11:21:10 CET 2013 on sn-devel-104
---
 source4/dsdb/samdb/ldb_modules/acl.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 24b65078030..539363cb109 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -481,6 +481,14 @@ static int acl_sDRightsEffective(struct ldb_module *module,
 flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_SACL | SECINFO_DACL; } else {
+ const struct dsdb_attribute *attr;
+
+ attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
+ "nTSecurityDescriptor");
+ if (attr == NULL) {
+ return ldb_operr(ldb);
+ }
+
 /* Get the security descriptor from the message */
 ret = dsdb_get_sd_from_ldb_message(ldb, msg, sd_msg, &sd);
 if (ret != LDB_SUCCESS) {
@@ -492,7 +500,7 @@ static int acl_sDRightsEffective(struct ldb_module *module,
 sd,
 sid,
 SEC_STD_WRITE_OWNER,
- NULL);
+ attr);
 if (ret == LDB_SUCCESS) {
 flags |= SECINFO_OWNER | SECINFO_GROUP;
 }
@@ -501,7 +509,7 @@ static int acl_sDRightsEffective(struct ldb_module *module,
 sd,
 sid,
 SEC_STD_WRITE_DAC,
- NULL);
+ attr);
 if (ret == LDB_SUCCESS) {
 flags |= SECINFO_DACL;
 }
@@ -510,7 +518,7 @@ static int acl_sDRightsEffective(struct ldb_module *module,
 sd,
 sid,
 SEC_FLAG_SYSTEM_SECURITY,
- NULL);
+ attr);
 if (ret == LDB_SUCCESS) {
 flags |= SECINFO_SACL;
 }
--
2.11.4.GIT
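Review bot: In the hunk at `@@ -481,6 +481,14 @@` the new schema lookup has no comment explaining why an attribute is now mandatory, so the rule stated in the commit message (acl_check_access_on_attribute must never receive attr=NULL) exists only in history. I would add above the lookup `/* acl_check_access_on_attribute() must not be called with attr == NULL; evaluate the rights against nTSecurityDescriptor */`. The early `return ldb_operr(ldb);` fails closed, which is the right direction for an access decision. The function body starts and ends outside the hunk, so please confirm that nothing allocated earlier needs freeing on that path and that `ac->schema` cannot be NULL when this branch runs.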
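Review bot: In the hunks at `@@ -492,7 +500,7 @@`, `@@ -501,7 +509,7 @@` and `@@ -510,7 +518,7 @@`, each `if (ret == LDB_SUCCESS)` after the changed call treats every non-success return as "right not held", so an operational failure inside acl_check_access_on_attribute cannot be told apart from a real denial. That fails closed, since the SECINFO bit is simply not set, but the client then receives an sDRightsEffective value that silently under-reports. The callee's body is not visible here; if it returns LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS for a denial, consider adding `else if (ret != LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) { return ret; }` after each check. The enclosing function continues outside all three hunks, so any cleanup needed before such a return would have to be checked there.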