1 : /*
2 : * Unix SMB/CIFS implementation.
3 : * RPC Pipe client / server routines
4 : * Copyright (C) Andrew Tridgell 1992-1997,
5 : * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 : * Copyright (C) Paul Ashton 1997,
7 : * Copyright (C) Marc Jacobsen 1999,
8 : * Copyright (C) Jeremy Allison 2001-2008,
9 : * Copyright (C) Jean François Micouleau 1998-2001,
10 : * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
11 : * Copyright (C) Gerald (Jerry) Carter 2003-2004,
12 : * Copyright (C) Simo Sorce 2003.
13 : * Copyright (C) Volker Lendecke 2005.
14 : * Copyright (C) Guenther Deschner 2008.
15 : *
16 : * This program is free software; you can redistribute it and/or modify
17 : * it under the terms of the GNU General Public License as published by
18 : * the Free Software Foundation; either version 3 of the License, or
19 : * (at your option) any later version.
20 : *
21 : * This program is distributed in the hope that it will be useful,
22 : * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 : * GNU General Public License for more details.
25 : *
26 : * You should have received a copy of the GNU General Public License
27 : * along with this program; if not, see <http://www.gnu.org/licenses/>.
28 : */
29 :
30 : #include "includes.h"
31 : #include "system/passwd.h" /* uid_wrapper */
32 : #include "rpc_server/srv_access_check.h"
33 : #include "../libcli/security/security.h"
34 : #include "passdb/machine_sid.h"
35 :
36 : #undef DBGC_CLASS
37 : #define DBGC_CLASS DBGC_RPC_SRV
38 :
39 : /*******************************************************************
40 : Checks if access to an object should be granted, and returns that
41 : level of access for further checks.
42 :
43 : If the user has either of needed_priv_1 or needed_priv_2 then they
44 : get the rights in rights_mask in addition to any calculated rights.
45 :
46 : This handles the unusual case where we need to allow two different
47 : privileges to obtain exactly the same rights, which occurs only in
48 : SAMR.
49 : ********************************************************************/
50 :
/*
 * Decide whether `token` may open an object protected by `psd` with the
 * access mask `des_access`, and report the resulting mask in *acc_granted.
 *
 * Evaluation order:
 *   1. If the token holds needed_priv_1 or needed_priv_2 (SEC_PRIV_INVALID
 *      disables either slot), the bits in rights_mask are removed from the
 *      request before the descriptor is consulted and are added to the
 *      result afterwards.
 *   2. se_access_check() evaluates the remaining request against psd.
 *   3. If that fails and the caller is either the system token or running
 *      in root mode, the failure is overridden and the remaining request is
 *      granted as-is.
 *
 * Returns the status of se_access_check(), or NT_STATUS_OK when the
 * root/system override applies.
 *
 * Security notes for callers:
 *   - *acc_granted is only meaningful when the returned status is OK.
 *     rights_mask is OR-ed into it whenever a privilege matched, including
 *     when the descriptor check failed and no override applied.
 *   - The whole of rights_mask is added, not only the subset that was
 *     requested (des_access & rights_mask).
 *     NOTE(review): confirm this is intended; later per-operation checks
 *     against *acc_granted will see bits the client never asked for.
 *   - The root/system override also adds the whole of rights_mask, even
 *     when neither privilege slot matched.
 *   - The override is only visible in the log at debug level 4.
 *   - In the coverage run this listing was taken from, every descriptor
 *     denial (175 of 175) was overridden, so the plain-deny path was not
 *     exercised.
 */
NTSTATUS access_check_object( struct security_descriptor *psd, struct security_token *token,
			  enum sec_privilege needed_priv_1, enum sec_privilege needed_priv_2,
			  uint32_t rights_mask,
			  uint32_t des_access, uint32_t *acc_granted,
			  const char *debug )
{
	/* System identity requires both the system SID and the system privilege. */
	const bool system_caller = security_token_is_system(token) &&
				   security_token_system_privilege(token);
	/* Root mode is reported by root_mode(); the log text below calls it
	   "euid == initial uid". */
	const bool root_caller = root_mode();
	bool add_rights = false;
	NTSTATUS status;

	/* Certain SAM access bits are overridden by privileges (mostly
	   creating/modifying/deleting users and groups). The second slot is
	   only consulted when the first did not match. */
	if (needed_priv_1 != SEC_PRIV_INVALID) {
		add_rights = security_token_has_privilege(token, needed_priv_1);
	}
	if (!add_rights && needed_priv_2 != SEC_PRIV_INVALID) {
		add_rights = security_token_has_privilege(token, needed_priv_2);
	}

	if (add_rights) {
		/* Strip the privilege-covered bits so the descriptor is not
		   asked to authorise them. */
		des_access &= ~rights_mask;

		DEBUG(4,("access_check_object: user rights access mask [0x%x]\n",
			rights_mask));
	}

	/* The security descriptor is authoritative for whatever is left. */
	status = se_access_check(psd, token, des_access, acc_granted);

	if (!NT_STATUS_IS_OK(status) && (system_caller || root_caller)) {
		/* Descriptor said no, but root/system bypasses it. */
		DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access));
		DEBUGADD(4,("but overritten by %s\n",
			root_caller ? "euid == initial uid" : "system token"));

		add_rights = true;
		*acc_granted = des_access;
		status = NT_STATUS_OK;
	}

	if (add_rights) {
		/* Only matters if status is ok; see the header notes on the
		   width of this mask. */
		*acc_granted |= rights_mask;
	}

	/* "requested" here is des_access after the privilege bits were
	   stripped, not the caller's original mask. */
	DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n",
		debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED",
		des_access, *acc_granted));

	return status;
}
124 :
125 :
126 : /*******************************************************************
127 : Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
128 : ********************************************************************/
129 :
/*
 * Rewrite a MAXIMUM_ALLOWED_ACCESS request into concrete generic bits.
 *
 * If *pacc_requested does not contain MAXIMUM_ALLOWED_ACCESS it is left
 * untouched. Otherwise that bit is cleared, GENERIC_READ_ACCESS and
 * GENERIC_EXECUTE_ACCESS are added, and GENERIC_ALL_ACCESS is added as
 * well when the caller is:
 *   - the initial uid (unix_token->uid == sec_initial_uid()), or
 *   - a member of BUILTIN\Administrators or BUILTIN\Account Operators, or
 *   - on a DC, a member of DOMAIN\Domain Admins.
 *
 * Security notes:
 *   - This function only reshapes the *requested* mask; it performs no
 *     access check itself. Whatever consumes the mask afterwards is what
 *     decides the grant.
 *   - The widening is based purely on uid and SID membership; privileges
 *     held by the token are not consulted (see the TODO at the end).
 *   - NOTE(review): Account Operators receive the same GENERIC_ALL request
 *     as Administrators; confirm that breadth is intended.
 *   - All three pointers are dereferenced or passed on without a NULL
 *     check, so callers must supply valid ones.
 *   - In the coverage run this listing was taken from, the Domain Admins
 *     grant was never hit (0 executions), so that path is untested there.
 */
void map_max_allowed_access(const struct security_token *nt_token,
			    const struct security_unix_token *unix_token,
			    uint32_t *pacc_requested)
{
	struct dom_sid domadmin_sid;
	bool full_access;

	if (((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS) == 0) {
		return;
	}

	/* Drop the placeholder bit; everyone gets at least generic
	   read|execute. */
	*pacc_requested = ((*pacc_requested) & ~MAXIMUM_ALLOWED_ACCESS) |
			  GENERIC_READ_ACCESS | GENERIC_EXECUTE_ACCESS;

	/* root gets anything. */
	full_access = (unix_token->uid == sec_initial_uid());

	/* Full access for 'BUILTIN\Administrators' and
	   'BUILTIN\Account Operators'. */
	if (!full_access) {
		full_access =
			security_token_has_sid(nt_token, &global_sid_Builtin_Administrators) ||
			security_token_has_sid(nt_token, &global_sid_Builtin_Account_Operators);
	}

	/* Full access for DOMAIN\Domain Admins, only evaluated on a DC and
	   only when nothing above matched. */
	if (!full_access) {
		if ( IS_DC ) {
			sid_compose(&domadmin_sid, get_global_sam_sid(),
				    DOMAIN_RID_ADMINS);
			full_access = security_token_has_sid(nt_token, &domadmin_sid);
		}
	}

	if (full_access) {
		*pacc_requested |= GENERIC_ALL_ACCESS;
	}
	/* TODO ! Check privileges. */
}