From: Andrew Bartlett Date: Tue, 9 Jan 2007 03:45:50 +0000 (+0000) Subject: r20622: Add in a hack to avoid permitting searches on the value of protected X-Git-Url: http://git.samba.org/?p=abartlet%2Fsamba.git%2F.git;a=commitdiff_plain;h=08439c72c494565669bdd260050d061a005e89fe r20622: Add in a hack to avoid permitting searches on the value of protected attributes. Andrew Bartlett (This used to be commit 5aa2195ec26d9ddf82e51f2b242cdf7c8ab52f52) --- diff --git a/source4/dsdb/samdb/ldb_modules/kludge_acl.c b/source4/dsdb/samdb/ldb_modules/kludge_acl.c index 176cfbf3a5f..7b2150bec8e 100644 --- a/source4/dsdb/samdb/ldb_modules/kludge_acl.c +++ b/source4/dsdb/samdb/ldb_modules/kludge_acl.c @@ -147,7 +147,8 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req) { struct kludge_acl_context *ac; struct ldb_request *down_req; - int ret; + struct kludge_private_data *data; + int ret, i; req->handle = NULL; @@ -156,6 +157,8 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req) return LDB_ERR_OPERATIONS_ERROR; } + data = talloc_get_type(module->private_data, struct kludge_private_data); + ac->module = module; ac->up_context = req->context; ac->up_callback = req->callback; @@ -172,6 +175,25 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req) down_req->op.search.tree = req->op.search.tree; down_req->op.search.attrs = req->op.search.attrs; + + /* FIXME: I hink we should copy the tree and keep the original + * unmodified. SSS */ + /* replace any attributes in the parse tree that are private, + so we don't allow a search for 'sambaPassword=penguin', + just as we would not allow that attribute to be returned */ + switch (ac->user_type) { + case SYSTEM: + case ADMINISTRATOR: + break; + default: + /* remove password attributes */ + for (i = 0; data && data->password_attrs && data->password_attrs[i]; i++) { + ldb_parse_tree_attr_replace(down_req->op.search.tree, + data->password_attrs[i], + "kludgeACLredactedattribute"); + } + } + down_req->controls = req->controls; down_req->context = ac;