Bug 9142 - Need to check ACLs for TSIG updates
Summary: Need to check ACLs for TSIG updates
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: Other
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Kai Blin
QA Contact: samba4-qa@samba.org
URL:
Keywords:
Depends on:
Blocks: 8622
Reported: 2012-09-06 07:43 UTC by Kai Blin
Modified: 2012-09-17 21:52 UTC
Description Kai Blin 2012-09-06 07:43:52 UTC
Currently the update check only checks for a valid user, not if the user has permissions to actually create/modify a record.
Comment 1 Michael Adam 2012-09-06 13:16:56 UTC
Should be fixed before 4.0 final.
Comment 2 Kai Blin 2012-09-06 22:33:13 UTC
Fixed by 319b239dc4aeb2c6a928a70fc7a7dbad56d273cd
Comment 3 Andrew Bartlett 2012-09-07 01:19:08 UTC
Kai,

I misled you a little when I suggested this task is as simple as just
checking the ACL.  As I noticed when I started diving into the
equivalent code in the bind9 dlz code, we need to actually impersonate
the incoming user, or else we won't set owners correctly.  This could then mean that a subsequent ACL check fails. 

Have a look over all the uses of 'session_info' in the dlz code, because
we will need to do the same in your code.  

Then we really, really need tests.  Perhaps added to smbtorture, what we
need to do is create a record using libadds, then verify its ownership
and the expected ACL AD using LDAP calls. 

(The advantage of an smbtorture test here is that you can run it against
AD, and against bind9_dlz to ensure the test is correct). 

Thanks,

Andrew Bartlett
Comment 4 Kai Blin 2012-09-17 21:52:19 UTC
Should be fixed in RC1