       1             : /*
       2             :   ACL utility functions
       3             : 
       4             :   Copyright (C) Nadezhda Ivanova 2010
       5             : 
       6             :   This program is free software; you can redistribute it and/or modify
       7             :   it under the terms of the GNU General Public License as published by
       8             :   the Free Software Foundation; either version 3 of the License, or
       9             :   (at your option) any later version.
      10             : 
      11             :   This program is distributed in the hope that it will be useful,
      12             :   but WITHOUT ANY WARRANTY; without even the implied warranty of
      13             :   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      14             :   GNU General Public License for more details.
      15             : 
      16             :   You should have received a copy of the GNU General Public License
      17             :   along with this program.  If not, see <http://www.gnu.org/licenses/>.
      18             : */
      19             : 
      20             : /*
      21             :  *  Name: acl_util
      22             :  *
      23             :  *  Component: ldb ACL modules
      24             :  *
      25             :  *  Description: Some auxiliary functions used for access checking
      26             :  *
      27             :  *  Author: Nadezhda Ivanova
      28             :  */
      29             : #include "includes.h"
      30             : #include "ldb_module.h"
      31             : #include "auth/auth.h"
      32             : #include "libcli/security/security.h"
      33             : #include "dsdb/samdb/samdb.h"
      34             : #include "librpc/gen_ndr/ndr_security.h"
      35             : #include "param/param.h"
      36             : #include "dsdb/samdb/ldb_modules/util.h"
      37             : 
/*
 * Return the security token of the session on whose behalf this module
 * stack is operating.
 *
 * The session info is read from the DSDB_SESSION_INFO opaque of the ldb
 * context.  NULL is returned when no session info is attached; otherwise
 * the pointer is borrowed from the session info and must not be freed by
 * the caller.
 */
struct security_token *acl_user_token(struct ldb_module *module)
{
	struct ldb_context *ldb = ldb_module_get_ctx(module);
	void *opaque = ldb_get_opaque(ldb, DSDB_SESSION_INFO);
	struct auth_session_info *session_info = opaque;

	if (session_info == NULL) {
		return NULL;
	}

	return session_info->security_token;
}
      50             : 
      51             : /* performs an access check from inside the module stack,
      52             :  * given the dn of the object to be checked and the required access mask;
      53             :  * guid is either the guid of the extended right, or NULL
      54             :  */
      55             : 
/*
 * Perform an access check, from inside the module stack, on the object
 * named by @dn.
 *
 * The object's nTSecurityDescriptor and objectSid are fetched with a
 * DSDB_FLAG_AS_SYSTEM search (DSDB_SEARCH_SHOW_RECYCLED included) and
 * handed to dsdb_check_access_on_dn_internal() together with the token
 * of the current session.
 *
 * @param module       ldb module the check is issued from
 * @param mem_ctx      talloc parent of the search result
 * @param dn           object to check
 * @param access_mask  required access bits
 * @param guid         GUID of the extended right, or NULL
 * @param parent       parent request, passed through to the search
 * @return LDB_SUCCESS when access is granted, otherwise an ldb error;
 *         ldb_operr() when no session info is attached to the context,
 *         or the search error when the object cannot be read.
 */
int dsdb_module_check_access_on_dn(struct ldb_module *module,
				   TALLOC_CTX *mem_ctx,
				   struct ldb_dn *dn,
				   uint32_t access_mask,
				   const struct GUID *guid,
				   struct ldb_request *parent)
{
	static const char *acl_attrs[] = {
		"nTSecurityDescriptor",
		"objectSid",
		NULL
	};
	const uint32_t search_flags = DSDB_FLAG_NEXT_MODULE |
				      DSDB_FLAG_AS_SYSTEM |
				      DSDB_SEARCH_SHOW_RECYCLED;
	struct ldb_context *ldb = ldb_module_get_ctx(module);
	struct auth_session_info *session_info = NULL;
	struct ldb_result *acl_res = NULL;
	int ret;

	session_info = ldb_get_opaque(ldb, DSDB_SESSION_INFO);
	if (session_info == NULL) {
		return ldb_operr(ldb);
	}

	ret = dsdb_module_search_dn(module, mem_ctx, &acl_res, dn,
				    acl_attrs, search_flags, parent);
	if (ret != LDB_SUCCESS) {
		ldb_asprintf_errstring(ldb,
				       "access_check: failed to find object %s\n",
				       ldb_dn_get_linearized(dn));
		return ret;
	}

	return dsdb_check_access_on_dn_internal(ldb, acl_res, mem_ctx,
						session_info->security_token,
						dn, access_mask, guid);
}
      97             : 
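/*
 * Check whether the current session may perform @access_mask on the
 * attribute @attr of an object of class @objectclass protected by @sd.
 *
 * An object tree is built with the class schemaIDGUID at the root, then
 * (when it is non-zero) the attribute's attributeSecurityGUID, then the
 * attribute's own schemaIDGUID, and evaluated by sec_access_check_ds()
 * with the session token.
 *
 * @param module       ldb module the check is issued from
 * @param mem_ctx      talloc parent of the temporary allocations made here
 * @param sd           security descriptor of the object
 * @param rp_sid       SID passed through to sec_access_check_ds()
 * @param access_mask  requested access bits
 * @param attr         schema attribute being accessed
 * @param objectclass  class of the object
 * @return LDB_SUCCESS when granted, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS when
 *         denied, ldb_oom() when the temporary context cannot be allocated,
 *         and ldb_operr() when the object tree cannot be built or no session
 *         info is attached to the context.
 */
int acl_check_access_on_attribute(struct ldb_module *module,
				  TALLOC_CTX *mem_ctx,
				  const struct security_descriptor *sd,
				  const struct dom_sid *rp_sid,
				  uint32_t access_mask,
				  const struct dsdb_attribute *attr,
				  const struct dsdb_class *objectclass)
{
	int ret;
	NTSTATUS status;
	uint32_t access_granted;
	struct object_tree *root = NULL;
	struct object_tree *new_node = NULL;
	struct ldb_context *ldb = ldb_module_get_ctx(module);
	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
	struct security_token *token = NULL;

	if (tmp_ctx == NULL) {
		return ldb_oom(ldb);
	}

	/*
	 * acl_user_token() returns NULL when no session info is attached.
	 * Fail closed instead of handing a NULL token to the access check,
	 * the same way dsdb_module_check_access_on_dn() treats a missing
	 * session.
	 */
	token = acl_user_token(module);
	if (token == NULL) {
		goto fail;
	}

	if (!insert_in_object_tree(tmp_ctx,
				   &objectclass->schemaIDGUID,
				   access_mask, NULL,
				   &root)) {
		DEBUG(10, ("acl_search: cannot add to object tree class schemaIDGUID\n"));
		goto fail;
	}
	new_node = root;

	/* an all-zero attributeSecurityGUID means there is no property-set level */
	if (!GUID_all_zero(&attr->attributeSecurityGUID)) {
		if (!insert_in_object_tree(tmp_ctx,
					   &attr->attributeSecurityGUID,
					   access_mask, new_node,
					   &new_node)) {
			DEBUG(10, ("acl_search: cannot add to object tree securityGUID\n"));
			goto fail;
		}
	}

	if (!insert_in_object_tree(tmp_ctx,
				   &attr->schemaIDGUID,
				   access_mask, new_node,
				   &new_node)) {
		DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
		goto fail;
	}

	status = sec_access_check_ds(sd, token,
				     access_mask,
				     &access_granted,
				     root,
				     rp_sid);
	if (NT_STATUS_IS_OK(status)) {
		ret = LDB_SUCCESS;
	} else {
		ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
	}
	talloc_free(tmp_ctx);
	return ret;

fail:
	talloc_free(tmp_ctx);
	return ldb_operr(ldb);
}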
     158             : 
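/*
 * Check whether the current session may perform @access_mask on an
 * object of class @objectclass protected by @sd.
 *
 * The object tree handed to sec_access_check_ds() has a single node,
 * the class schemaIDGUID.
 *
 * @param module       ldb module the check is issued from
 * @param mem_ctx      talloc parent of the temporary allocations made here
 * @param sd           security descriptor of the object
 * @param rp_sid       SID passed through to sec_access_check_ds()
 * @param access_mask  requested access bits
 * @param objectclass  class of the object
 * @return LDB_SUCCESS when granted, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS when
 *         denied, ldb_oom() when the temporary context cannot be allocated,
 *         and ldb_operr() when the object tree cannot be built or no session
 *         info is attached to the context.
 */
int acl_check_access_on_objectclass(struct ldb_module *module,
				    TALLOC_CTX *mem_ctx,
				    struct security_descriptor *sd,
				    struct dom_sid *rp_sid,
				    uint32_t access_mask,
				    const struct dsdb_class *objectclass)
{
	int ret;
	NTSTATUS status;
	uint32_t access_granted;
	struct object_tree *root = NULL;
	struct ldb_context *ldb = ldb_module_get_ctx(module);
	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
	struct security_token *token = NULL;

	if (tmp_ctx == NULL) {
		return ldb_oom(ldb);
	}

	/*
	 * acl_user_token() returns NULL when no session info is attached.
	 * Fail closed instead of handing a NULL token to the access check,
	 * the same way dsdb_module_check_access_on_dn() treats a missing
	 * session.
	 */
	token = acl_user_token(module);
	if (token == NULL) {
		goto fail;
	}

	if (!insert_in_object_tree(tmp_ctx,
				   &objectclass->schemaIDGUID,
				   access_mask, NULL,
				   &root)) {
		DEBUG(10, ("acl_search: cannot add to object tree class schemaIDGUID\n"));
		goto fail;
	}

	status = sec_access_check_ds(sd, token,
				     access_mask,
				     &access_granted,
				     root,
				     rp_sid);
	if (NT_STATUS_IS_OK(status)) {
		ret = LDB_SUCCESS;
	} else {
		ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
	}
	talloc_free(tmp_ctx);
	return ret;

fail:
	talloc_free(tmp_ctx);
	return ldb_operr(ldb);
}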
     197             : 
     198             : /* checks for validated writes */
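/*
 * Check whether @token holds the extended right @ext_right (for example a
 * validated write) on an object of class @objectclass protected by @sd.
 *
 * The right must first be defined for the class: CN=Extended-Rights is
 * searched for an entry whose rightsGuid is @ext_right and whose appliesTo
 * is the class schemaIDGUID, and a right that does not apply is reported
 * as denied.  The right's GUID then forms the single node of the object
 * tree evaluated by sec_access_check_ds().
 *
 * @param mem_ctx      talloc parent of the temporary allocations made here
 * @param module       ldb module the check is issued from
 * @param req          request used as parent of the search and of its result
 * @param objectclass  class of the object; only this class is consulted
 * @param sd           security descriptor of the object
 * @param token        security token to check
 * @param ext_right    GUID of the extended right, as a string
 * @param right_type   access bit(s) the right is checked as
 * @param sid          SID passed through to sec_access_check_ds()
 * @return LDB_SUCCESS when granted; LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS when
 *         denied or when the right does not apply to the class;
 *         LDB_ERR_OPERATIONS_ERROR when @ext_right is not a GUID, the
 *         Extended-Rights DN cannot be built or the object tree cannot be
 *         built; ldb_oom() on allocation failure; otherwise the search error.
 */
int acl_check_extended_right(TALLOC_CTX *mem_ctx,
			     struct ldb_module *module,
			     struct ldb_request *req,
			     const struct dsdb_class *objectclass,
			     struct security_descriptor *sd,
			     struct security_token *token,
			     const char *ext_right,
			     uint32_t right_type,
			     struct dom_sid *sid)
{
	struct GUID right;
	NTSTATUS status;
	uint32_t access_granted;
	struct object_tree *root = NULL;
	static const char *no_attrs[] = { NULL };
	struct ldb_result *extended_rights_res = NULL;
	struct ldb_dn *extended_rights_dn = NULL;
	struct ldb_context *ldb = ldb_module_get_ctx(module);
	TALLOC_CTX *tmp_ctx = NULL;
	const char *class_guid_str = NULL;
	int ret = LDB_SUCCESS;

	/*
	 * ext_right is interpolated verbatim into the search filter below,
	 * so require it to parse as a GUID first: a malformed value is then
	 * a caller error and cannot change the shape of the filter.  This
	 * also guarantees that `right` is initialised before it is used.
	 */
	status = GUID_from_string(ext_right, &right);
	if (!NT_STATUS_IS_OK(status)) {
		ldb_asprintf_errstring(ldb,
				       "acl_check_extended_right: invalid extended right GUID %s",
				       ext_right);
		return LDB_ERR_OPERATIONS_ERROR;
	}

	tmp_ctx = talloc_new(mem_ctx);
	if (tmp_ctx == NULL) {
		return ldb_oom(ldb);
	}

	/*
	 * Find the extended right and check if applies to
	 * the objectclass of the object
	 */
	extended_rights_dn = samdb_extended_rights_dn(ldb, req);
	if (extended_rights_dn == NULL) {
		ldb_set_errstring(ldb,
			"access_check: CN=Extended-Rights dn could not be generated!");
		ret = LDB_ERR_OPERATIONS_ERROR;
		goto done;
	}

	class_guid_str = GUID_string(tmp_ctx, &objectclass->schemaIDGUID);
	if (class_guid_str == NULL) {
		ret = ldb_oom(ldb);
		goto done;
	}

	/* Note: we are checking only the structural object class. */
	ret = dsdb_module_search(module, req, &extended_rights_res,
				 extended_rights_dn, LDB_SCOPE_ONELEVEL,
				 no_attrs,
				 DSDB_FLAG_NEXT_MODULE |
				 DSDB_FLAG_AS_SYSTEM,
				 req,
				 "(&(rightsGuid=%s)(appliesTo=%s))",
				 ext_right,
				 class_guid_str);
	if (ret != LDB_SUCCESS) {
		goto done;
	}
	if (extended_rights_res->count == 0) {
		ldb_debug(ldb, LDB_DEBUG_TRACE,
			  "acl_check_extended_right: Could not find appliesTo for %s\n",
			  ext_right);
		ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
		goto done;
	}

	if (!insert_in_object_tree(tmp_ctx, &right, right_type,
				   NULL, &root)) {
		DEBUG(10, ("acl_ext_right: cannot add to object tree\n"));
		ret = LDB_ERR_OPERATIONS_ERROR;
		goto done;
	}

	status = sec_access_check_ds(sd, token,
				     right_type,
				     &access_granted,
				     root,
				     sid);
	if (!NT_STATUS_IS_OK(status)) {
		ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
		goto done;
	}
	ret = LDB_SUCCESS;

done:
	/* single exit so tmp_ctx is released on every path, not only on success */
	talloc_free(tmp_ctx);
	return ret;
}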
     273             : 
/*
 * Build a "DOMAIN\account" name for the session on whose behalf this
 * module stack is operating, for use in messages.
 *
 * Returns the literal "UNKNOWN (NULL)" (not a talloc allocation) when no
 * session info is attached to the ldb context; otherwise a string
 * allocated on @mem_ctx, or NULL if that allocation fails.
 */
const char *acl_user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module)
{
	struct ldb_context *ldb = ldb_module_get_ctx(module);
	struct auth_session_info *session_info =
		ldb_get_opaque(ldb, DSDB_SESSION_INFO);
	const char *domain = NULL;
	const char *account = NULL;

	if (session_info == NULL) {
		return "UNKNOWN (NULL)";
	}

	/* NOTE(review): session_info->info is assumed to be set whenever
	 * session_info is; confirm against the session-info producers. */
	domain = session_info->info->domain_name;
	account = session_info->info->account_name;

	return talloc_asprintf(mem_ctx, "%s\\%s", domain, account);
}
     289             : 
/*
 * Return the security-descriptor part flags (SECINFO_*) requested via the
 * LDB_CONTROL_SD_FLAGS_OID control on @req.
 *
 * Only the low four bits of the control value are honoured, and a value
 * of zero is expanded to all four parts (MS-ADTS 3.1.1.3.4.1.11).  When
 * the control is present it is marked non-critical to record that it
 * has been handled.
 *
 * @param req       request to inspect
 * @param explicit  if non-NULL, set to true when the control carried a
 *                  value and to false otherwise
 * @return the effective SECINFO_* mask, never zero
 */
uint32_t dsdb_request_sd_flags(struct ldb_request *req, bool *explicit)
{
	const uint32_t all_parts = SECINFO_OWNER | SECINFO_GROUP |
				   SECINFO_DACL | SECINFO_SACL;
	struct ldb_control *sd_control = NULL;
	bool have_control = false;
	uint32_t sd_flags = 0;

	sd_control = ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID);
	have_control = (sd_control != NULL && sd_control->data != NULL);

	if (have_control) {
		struct ldb_sd_flags_control *sdctr =
			talloc_get_type_abort(sd_control->data,
					      struct ldb_sd_flags_control);

		sd_flags = sdctr->secinfo_flags;

		/* mark it as handled */
		sd_control->critical = 0;
	}

	if (explicit != NULL) {
		*explicit = have_control;
	}

	/* we only care for the last 4 bits */
	sd_flags &= 0x0000000F;

	/* MS-ADTS 3.1.1.3.4.1.11: no bits requested means all four */
	return (sd_flags == 0) ? all_parts : sd_flags;
}
     326             : 
/*
 * Schedule a security-descriptor propagation run below @nc_root, starting
 * from the object @guid whose parent is @parent_guid.
 *
 * The request is described by a dsdb_extended_sec_desc_propagation_op and
 * delivered through the DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID extended
 * operation with DSDB_FLAG_TOP_MODULE | DSDB_FLAG_AS_SYSTEM |
 * DSDB_FLAG_TRUSTED.  The op is freed once the extended call returns,
 * whatever its result.
 *
 * @param include_self  whether @guid itself is part of the propagation
 * @return the result of dsdb_module_extended(), or ldb_oom() when the op
 *         cannot be allocated
 */
int dsdb_module_schedule_sd_propagation(struct ldb_module *module,
					struct ldb_dn *nc_root,
					struct GUID guid,
					struct GUID parent_guid,
					bool include_self)
{
	struct ldb_context *ldb = ldb_module_get_ctx(module);
	struct dsdb_extended_sec_desc_propagation_op *op = NULL;
	int ret = LDB_SUCCESS;

	op = talloc_zero(module, struct dsdb_extended_sec_desc_propagation_op);
	if (op == NULL) {
		return ldb_oom(ldb);
	}

	op->nc_root = nc_root;
	op->guid = guid;
	op->parent_guid = parent_guid;
	op->include_self = include_self;

	/* op is handed over both as the memory context and as the operation data */
	ret = dsdb_module_extended(module, op, NULL,
				   DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID,
				   op,
				   DSDB_FLAG_TOP_MODULE |
				   DSDB_FLAG_AS_SYSTEM |
				   DSDB_FLAG_TRUSTED,
				   NULL);
	TALLOC_FREE(op);

	return ret;
}
