4 Copyright (C) Simo Sorce 2006-2008
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2007
6 Copyright (C) Nadezhda Ivanova 2009
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 * Component: DS Security descriptor module
28 * - Calculate the security descriptor of a newly created object
29 * - Perform sd recalculation on a move operation
30 * - Handle sd modification invariants
32 * Author: Nadezhda Ivanova
36 #include <ldb_module.h>
37 #include "util/dlinklist.h"
38 #include "dsdb/samdb/samdb.h"
39 #include "librpc/ndr/libndr.h"
40 #include "librpc/gen_ndr/ndr_security.h"
41 #include "libcli/security/security.h"
42 #include "auth/auth.h"
43 #include "param/param.h"
44 #include "dsdb/samdb/ldb_modules/util.h"
45 #include "lib/util/binsearch.h"
47 struct descriptor_changes {
48 struct descriptor_changes *prev, *next;
49 struct ldb_dn *nc_root;
53 struct ldb_dn *stopped_dn;
56 struct descriptor_data {
57 TALLOC_CTX *trans_mem;
58 struct descriptor_changes *changes;
61 struct descriptor_context {
62 struct ldb_module *module;
63 struct ldb_request *req;
64 struct ldb_message *msg;
65 struct ldb_reply *search_res;
66 struct ldb_reply *search_oc_res;
67 struct ldb_val *parentsd_val;
68 struct ldb_message_element *sd_element;
69 struct ldb_val *sd_val;
71 int (*step_fn)(struct descriptor_context *);
74 static struct dom_sid *get_default_ag(TALLOC_CTX *mem_ctx,
76 struct security_token *token,
77 struct ldb_context *ldb)
79 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
80 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
81 struct dom_sid *da_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ADMINS);
82 struct dom_sid *ea_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ENTERPRISE_ADMINS);
83 struct dom_sid *sa_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_SCHEMA_ADMINS);
84 struct dom_sid *dag_sid;
85 struct ldb_dn *nc_root;
88 ret = dsdb_find_nc_root(ldb, tmp_ctx, dn, &nc_root);
89 if (ret != LDB_SUCCESS) {
94 if (ldb_dn_compare(nc_root, ldb_get_schema_basedn(ldb)) == 0) {
95 if (security_token_has_sid(token, sa_sid)) {
96 dag_sid = dom_sid_dup(mem_ctx, sa_sid);
97 } else if (security_token_has_sid(token, ea_sid)) {
98 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
99 } else if (security_token_has_sid(token, da_sid)) {
100 dag_sid = dom_sid_dup(mem_ctx, da_sid);
101 } else if (security_token_is_system(token)) {
102 dag_sid = dom_sid_dup(mem_ctx, sa_sid);
106 } else if (ldb_dn_compare(nc_root, ldb_get_config_basedn(ldb)) == 0) {
107 if (security_token_has_sid(token, ea_sid)) {
108 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
109 } else if (security_token_has_sid(token, da_sid)) {
110 dag_sid = dom_sid_dup(mem_ctx, da_sid);
111 } else if (security_token_is_system(token)) {
112 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
116 } else if (ldb_dn_compare(nc_root, ldb_get_default_basedn(ldb)) == 0) {
117 if (security_token_has_sid(token, da_sid)) {
118 dag_sid = dom_sid_dup(mem_ctx, da_sid);
119 } else if (security_token_has_sid(token, ea_sid)) {
120 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
121 } else if (security_token_is_system(token)) {
122 dag_sid = dom_sid_dup(mem_ctx, da_sid);
130 talloc_free(tmp_ctx);
134 static struct security_descriptor *get_sd_unpacked(struct ldb_module *module, TALLOC_CTX *mem_ctx,
135 const struct dsdb_class *objectclass)
137 struct ldb_context *ldb = ldb_module_get_ctx(module);
138 struct security_descriptor *sd;
139 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
141 if (!objectclass->defaultSecurityDescriptor || !domain_sid) {
145 sd = sddl_decode(mem_ctx,
146 objectclass->defaultSecurityDescriptor,
151 static struct dom_sid *get_default_group(TALLOC_CTX *mem_ctx,
152 struct ldb_context *ldb,
156 * This depends on the function level of the DC
157 * which is 2008R2 in our case. Which means it is
158 * higher than 2003 and we should use the
159 * "default administrator group" also as owning group.
161 * This matches dcpromo for a 2003 domain
162 * on a Windows 2008R2 DC.
167 static struct security_descriptor *descr_handle_sd_flags(TALLOC_CTX *mem_ctx,
168 struct security_descriptor *new_sd,
169 struct security_descriptor *old_sd,
172 struct security_descriptor *final_sd;
173 /* if there is no control or control == 0 modify everything */
178 final_sd = talloc_zero(mem_ctx, struct security_descriptor);
179 final_sd->revision = SECURITY_DESCRIPTOR_REVISION_1;
180 final_sd->type = SEC_DESC_SELF_RELATIVE;
182 if (sd_flags & (SECINFO_OWNER)) {
183 if (new_sd->owner_sid) {
184 final_sd->owner_sid = talloc_memdup(mem_ctx, new_sd->owner_sid, sizeof(struct dom_sid));
186 final_sd->type |= new_sd->type & SEC_DESC_OWNER_DEFAULTED;
189 if (old_sd->owner_sid) {
190 final_sd->owner_sid = talloc_memdup(mem_ctx, old_sd->owner_sid, sizeof(struct dom_sid));
192 final_sd->type |= old_sd->type & SEC_DESC_OWNER_DEFAULTED;
195 if (sd_flags & (SECINFO_GROUP)) {
196 if (new_sd->group_sid) {
197 final_sd->group_sid = talloc_memdup(mem_ctx, new_sd->group_sid, sizeof(struct dom_sid));
199 final_sd->type |= new_sd->type & SEC_DESC_GROUP_DEFAULTED;
202 if (old_sd->group_sid) {
203 final_sd->group_sid = talloc_memdup(mem_ctx, old_sd->group_sid, sizeof(struct dom_sid));
205 final_sd->type |= old_sd->type & SEC_DESC_GROUP_DEFAULTED;
208 if (sd_flags & (SECINFO_SACL)) {
209 final_sd->sacl = security_acl_dup(mem_ctx,new_sd->sacl);
210 final_sd->type |= new_sd->type & (SEC_DESC_SACL_PRESENT |
211 SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
212 SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
213 SEC_DESC_SERVER_SECURITY);
215 else if (old_sd && old_sd->sacl) {
216 final_sd->sacl = security_acl_dup(mem_ctx,old_sd->sacl);
217 final_sd->type |= old_sd->type & (SEC_DESC_SACL_PRESENT |
218 SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
219 SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
220 SEC_DESC_SERVER_SECURITY);
223 if (sd_flags & (SECINFO_DACL)) {
224 final_sd->dacl = security_acl_dup(mem_ctx,new_sd->dacl);
225 final_sd->type |= new_sd->type & (SEC_DESC_DACL_PRESENT |
226 SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
227 SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
228 SEC_DESC_DACL_TRUSTED);
230 else if (old_sd && old_sd->dacl) {
231 final_sd->dacl = security_acl_dup(mem_ctx,old_sd->dacl);
232 final_sd->type |= old_sd->type & (SEC_DESC_DACL_PRESENT |
233 SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
234 SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
235 SEC_DESC_DACL_TRUSTED);
237 /* not so sure about this */
238 final_sd->type |= new_sd->type & SEC_DESC_RM_CONTROL_VALID;
242 static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
245 const struct dsdb_class *objectclass,
246 const struct ldb_val *parent,
247 const struct ldb_val *object,
248 const struct ldb_val *old_sd,
251 struct security_descriptor *user_descriptor = NULL, *parent_descriptor = NULL;
252 struct security_descriptor *old_descriptor = NULL;
253 struct security_descriptor *new_sd, *final_sd;
254 DATA_BLOB *linear_sd;
255 enum ndr_err_code ndr_err;
256 struct ldb_context *ldb = ldb_module_get_ctx(module);
257 struct auth_session_info *session_info
258 = ldb_get_opaque(ldb, DSDB_SESSION_INFO);
259 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
260 struct dom_sid *default_owner;
261 struct dom_sid *default_group;
262 struct security_descriptor *default_descriptor = NULL;
263 struct GUID *object_list = NULL;
265 if (objectclass != NULL) {
266 default_descriptor = get_sd_unpacked(module, mem_ctx, objectclass);
267 object_list = talloc_zero_array(mem_ctx, struct GUID, 2);
268 if (object_list == NULL) {
271 object_list[0] = objectclass->schemaIDGUID;
275 user_descriptor = talloc(mem_ctx, struct security_descriptor);
276 if (!user_descriptor) {
279 ndr_err = ndr_pull_struct_blob(object, user_descriptor,
281 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
283 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
284 talloc_free(user_descriptor);
288 user_descriptor = default_descriptor;
292 old_descriptor = talloc(mem_ctx, struct security_descriptor);
293 if (!old_descriptor) {
296 ndr_err = ndr_pull_struct_blob(old_sd, old_descriptor,
298 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
300 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
301 talloc_free(old_descriptor);
307 parent_descriptor = talloc(mem_ctx, struct security_descriptor);
308 if (!parent_descriptor) {
311 ndr_err = ndr_pull_struct_blob(parent, parent_descriptor,
313 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
315 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
316 talloc_free(parent_descriptor);
321 if (user_descriptor && default_descriptor &&
322 (user_descriptor->dacl == NULL))
324 user_descriptor->dacl = default_descriptor->dacl;
325 user_descriptor->type |= default_descriptor->type & (
326 SEC_DESC_DACL_PRESENT |
327 SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
328 SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
329 SEC_DESC_DACL_TRUSTED);
332 if (user_descriptor && default_descriptor &&
333 (user_descriptor->sacl == NULL))
335 user_descriptor->sacl = default_descriptor->sacl;
336 user_descriptor->type |= default_descriptor->type & (
337 SEC_DESC_SACL_PRESENT |
338 SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
339 SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
340 SEC_DESC_SERVER_SECURITY);
344 if (!(sd_flags & SECINFO_OWNER) && user_descriptor) {
345 user_descriptor->owner_sid = NULL;
348 * We need the correct owner sid
349 * when calculating the DACL or SACL
351 if (old_descriptor) {
352 user_descriptor->owner_sid = old_descriptor->owner_sid;
355 if (!(sd_flags & SECINFO_GROUP) && user_descriptor) {
356 user_descriptor->group_sid = NULL;
359 * We need the correct group sid
360 * when calculating the DACL or SACL
362 if (old_descriptor) {
363 user_descriptor->group_sid = old_descriptor->group_sid;
366 if (!(sd_flags & SECINFO_DACL) && user_descriptor) {
367 user_descriptor->dacl = NULL;
370 * We add SEC_DESC_DACL_PROTECTED so that
371 * create_security_descriptor() skips
372 * the unused inheritance calculation
374 user_descriptor->type |= SEC_DESC_DACL_PROTECTED;
376 if (!(sd_flags & SECINFO_SACL) && user_descriptor) {
377 user_descriptor->sacl = NULL;
380 * We add SEC_DESC_SACL_PROTECTED so that
381 * create_security_descriptor() skips
382 * the unused inheritance calculation
384 user_descriptor->type |= SEC_DESC_SACL_PROTECTED;
387 default_owner = get_default_ag(mem_ctx, dn,
388 session_info->security_token, ldb);
389 default_group = get_default_group(mem_ctx, ldb, default_owner);
390 new_sd = create_security_descriptor(mem_ctx,
395 SEC_DACL_AUTO_INHERIT |
396 SEC_SACL_AUTO_INHERIT,
397 session_info->security_token,
398 default_owner, default_group,
399 map_generic_rights_ds);
403 final_sd = descr_handle_sd_flags(mem_ctx, new_sd, old_descriptor, sd_flags);
409 if (final_sd->dacl) {
410 final_sd->dacl->revision = SECURITY_ACL_REVISION_ADS;
412 if (final_sd->sacl) {
413 final_sd->sacl->revision = SECURITY_ACL_REVISION_ADS;
417 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
418 DBG_DEBUG("Object %s created with descriptor %s\n\n",
419 ldb_dn_get_linearized(dn),
420 sddl_encode(tmp_ctx, final_sd, domain_sid));
421 TALLOC_FREE(tmp_ctx);
424 linear_sd = talloc(mem_ctx, DATA_BLOB);
429 ndr_err = ndr_push_struct_blob(linear_sd, mem_ctx,
431 (ndr_push_flags_fn_t)ndr_push_security_descriptor);
432 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
439 static DATA_BLOB *descr_get_descriptor_to_show(struct ldb_module *module,
444 struct security_descriptor *old_sd, *final_sd;
445 DATA_BLOB *linear_sd;
446 enum ndr_err_code ndr_err;
448 old_sd = talloc(mem_ctx, struct security_descriptor);
452 ndr_err = ndr_pull_struct_blob(sd, old_sd,
454 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
456 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
461 final_sd = descr_handle_sd_flags(mem_ctx, old_sd, NULL, sd_flags);
467 linear_sd = talloc(mem_ctx, DATA_BLOB);
472 ndr_err = ndr_push_struct_blob(linear_sd, mem_ctx,
474 (ndr_push_flags_fn_t)ndr_push_security_descriptor);
475 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
482 static struct descriptor_context *descriptor_init_context(struct ldb_module *module,
483 struct ldb_request *req)
485 struct ldb_context *ldb;
486 struct descriptor_context *ac;
488 ldb = ldb_module_get_ctx(module);
490 ac = talloc_zero(req, struct descriptor_context);
492 ldb_set_errstring(ldb, "Out of Memory");
501 static int descriptor_search_callback(struct ldb_request *req, struct ldb_reply *ares)
503 struct descriptor_context *ac;
504 struct ldb_val *sd_val = NULL;
505 struct ldb_message_element *sd_el;
507 int ret = LDB_SUCCESS;
509 ac = talloc_get_type(req->context, struct descriptor_context);
512 ret = LDB_ERR_OPERATIONS_ERROR;
515 if (ares->error != LDB_SUCCESS) {
516 return ldb_module_done(ac->req, ares->controls,
517 ares->response, ares->error);
520 switch (ares->type) {
521 case LDB_REPLY_ENTRY:
522 sd_el = ldb_msg_find_element(ares->message, "nTSecurityDescriptor");
524 sd_val = sd_el->values;
528 show_sd = descr_get_descriptor_to_show(ac->module, ac->req,
529 sd_val, ac->sd_flags);
531 ret = LDB_ERR_OPERATIONS_ERROR;
534 ldb_msg_remove_attr(ares->message, "nTSecurityDescriptor");
535 ret = ldb_msg_add_steal_value(ares->message, "nTSecurityDescriptor", show_sd);
536 if (ret != LDB_SUCCESS) {
540 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
542 case LDB_REPLY_REFERRAL:
543 return ldb_module_send_referral(ac->req, ares->referral);
546 return ldb_module_done(ac->req, ares->controls,
547 ares->response, ares->error);
552 return ldb_module_done(ac->req, NULL, NULL, ret);
555 static int descriptor_add(struct ldb_module *module, struct ldb_request *req)
557 struct ldb_context *ldb = ldb_module_get_ctx(module);
558 struct ldb_request *add_req;
559 struct ldb_message *msg;
560 struct ldb_result *parent_res;
561 const struct ldb_val *parent_sd = NULL;
562 const struct ldb_val *user_sd;
563 struct ldb_dn *dn = req->op.add.message->dn;
564 struct ldb_dn *parent_dn, *nc_root;
565 struct ldb_message_element *objectclass_element, *sd_element;
567 const struct dsdb_schema *schema;
569 const struct dsdb_class *objectclass;
570 static const char * const parent_attrs[] = { "nTSecurityDescriptor", NULL };
571 uint32_t instanceType;
573 uint32_t sd_flags = dsdb_request_sd_flags(req, NULL);
575 /* do not manipulate our control entries */
576 if (ldb_dn_is_special(dn)) {
577 return ldb_next_request(module, req);
580 user_sd = ldb_msg_find_ldb_val(req->op.add.message, "nTSecurityDescriptor");
581 sd_element = ldb_msg_find_element(req->op.add.message, "nTSecurityDescriptor");
582 /* nTSecurityDescriptor without a value is an error, letting through so it is handled */
583 if (user_sd == NULL && sd_element) {
584 return ldb_next_request(module, req);
587 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: %s\n", ldb_dn_get_linearized(dn));
589 instanceType = ldb_msg_find_attr_as_uint(req->op.add.message, "instanceType", 0);
591 if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) {
596 ret = dsdb_find_nc_root(ldb, req, dn, &nc_root);
597 if (ret != LDB_SUCCESS) {
598 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: Could not find NC root for %s\n",
599 ldb_dn_get_linearized(dn));
603 if (ldb_dn_compare(dn, nc_root) == 0) {
604 DEBUG(0, ("Found DN %s being a NC by the old method\n", ldb_dn_get_linearized(dn)));
610 DEBUG(2, ("DN: %s is a NC\n", ldb_dn_get_linearized(dn)));
613 /* if the object has a parent, retrieve its SD to
614 * use for calculation. Unfortunately we do not yet have
615 * instanceType, so we use dsdb_find_nc_root. */
617 parent_dn = ldb_dn_get_parent(req, dn);
618 if (parent_dn == NULL) {
622 /* we aren't any NC */
623 ret = dsdb_module_search_dn(module, req, &parent_res, parent_dn,
625 DSDB_FLAG_NEXT_MODULE |
626 DSDB_FLAG_AS_SYSTEM |
627 DSDB_SEARCH_SHOW_RECYCLED,
629 if (ret != LDB_SUCCESS) {
630 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: Could not find SD for %s\n",
631 ldb_dn_get_linearized(parent_dn));
634 if (parent_res->count != 1) {
635 return ldb_operr(ldb);
637 parent_sd = ldb_msg_find_ldb_val(parent_res->msgs[0], "nTSecurityDescriptor");
640 schema = dsdb_get_schema(ldb, req);
642 objectclass_element = ldb_msg_find_element(req->op.add.message, "objectClass");
643 if (objectclass_element == NULL) {
644 return ldb_operr(ldb);
647 objectclass = dsdb_get_last_structural_class(schema,
648 objectclass_element);
649 if (objectclass == NULL) {
650 return ldb_operr(ldb);
654 * The SD_FLAG control is ignored on add
655 * and we default to all bits set.
657 sd_flags = SECINFO_OWNER|SECINFO_GROUP|SECINFO_SACL|SECINFO_DACL;
659 sd = get_new_descriptor(module, dn, req,
660 objectclass, parent_sd,
661 user_sd, NULL, sd_flags);
663 return ldb_operr(ldb);
665 msg = ldb_msg_copy_shallow(req, req->op.add.message);
669 if (sd_element != NULL) {
670 sd_element->values[0] = *sd;
672 ret = ldb_msg_add_steal_value(msg,
673 "nTSecurityDescriptor",
675 if (ret != LDB_SUCCESS) {
680 ret = ldb_build_add_req(&add_req, ldb, req,
683 req, dsdb_next_callback,
685 LDB_REQ_SET_LOCATION(add_req);
686 if (ret != LDB_SUCCESS) {
687 return ldb_error(ldb, ret,
688 "descriptor_add: Error creating new add request.");
691 return ldb_next_request(module, add_req);
694 static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
696 struct ldb_context *ldb = ldb_module_get_ctx(module);
697 struct ldb_request *mod_req;
698 struct ldb_message *msg;
699 struct ldb_result *current_res, *parent_res;
700 const struct ldb_val *old_sd = NULL;
701 const struct ldb_val *parent_sd = NULL;
702 const struct ldb_val *user_sd;
703 struct ldb_dn *dn = req->op.mod.message->dn;
704 struct ldb_dn *parent_dn;
705 struct ldb_message_element *objectclass_element, *sd_element;
707 uint32_t instanceType;
708 bool explicit_sd_flags = false;
709 uint32_t sd_flags = dsdb_request_sd_flags(req, &explicit_sd_flags);
710 const struct dsdb_schema *schema;
712 const struct dsdb_class *objectclass;
713 static const char * const parent_attrs[] = { "nTSecurityDescriptor", NULL };
714 static const char * const current_attrs[] = { "nTSecurityDescriptor",
716 "objectClass", NULL };
717 struct ldb_control *sd_propagation_control;
720 /* do not manipulate our control entries */
721 if (ldb_dn_is_special(dn)) {
722 return ldb_next_request(module, req);
725 sd_propagation_control = ldb_request_get_control(req,
726 DSDB_CONTROL_SEC_DESC_PROPAGATION_OID);
727 if (sd_propagation_control != NULL) {
728 if (sd_propagation_control->data != module) {
729 return ldb_operr(ldb);
731 if (req->op.mod.message->num_elements != 0) {
732 return ldb_operr(ldb);
734 if (explicit_sd_flags) {
735 return ldb_operr(ldb);
737 if (sd_flags != 0xF) {
738 return ldb_operr(ldb);
740 if (sd_propagation_control->critical == 0) {
741 return ldb_operr(ldb);
744 sd_propagation_control->critical = 0;
747 sd_element = ldb_msg_find_element(req->op.mod.message, "nTSecurityDescriptor");
748 if (sd_propagation_control == NULL && sd_element == NULL) {
749 return ldb_next_request(module, req);
753 * nTSecurityDescriptor with DELETE is not supported yet.
754 * TODO: handle this correctly.
756 if (sd_propagation_control == NULL &&
757 LDB_FLAG_MOD_TYPE(sd_element->flags) == LDB_FLAG_MOD_DELETE)
759 return ldb_module_error(module,
760 LDB_ERR_UNWILLING_TO_PERFORM,
761 "MOD_DELETE for nTSecurityDescriptor "
762 "not supported yet");
765 user_sd = ldb_msg_find_ldb_val(req->op.mod.message, "nTSecurityDescriptor");
766 /* nTSecurityDescriptor without a value is an error, letting through so it is handled */
767 if (sd_propagation_control == NULL && user_sd == NULL) {
768 return ldb_next_request(module, req);
771 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_modify: %s\n", ldb_dn_get_linearized(dn));
773 ret = dsdb_module_search_dn(module, req, ¤t_res, dn,
775 DSDB_FLAG_NEXT_MODULE |
776 DSDB_FLAG_AS_SYSTEM |
777 DSDB_SEARCH_SHOW_RECYCLED |
778 DSDB_SEARCH_SHOW_EXTENDED_DN,
780 if (ret != LDB_SUCCESS) {
781 ldb_debug(ldb, LDB_DEBUG_ERROR,"descriptor_modify: Could not find %s\n",
782 ldb_dn_get_linearized(dn));
786 instanceType = ldb_msg_find_attr_as_uint(current_res->msgs[0],
788 /* if the object has a parent, retrieve its SD to
789 * use for calculation */
790 if (!ldb_dn_is_null(current_res->msgs[0]->dn) &&
791 !(instanceType & INSTANCE_TYPE_IS_NC_HEAD)) {
792 parent_dn = ldb_dn_get_parent(req, dn);
793 if (parent_dn == NULL) {
796 ret = dsdb_module_search_dn(module, req, &parent_res, parent_dn,
798 DSDB_FLAG_NEXT_MODULE |
799 DSDB_FLAG_AS_SYSTEM |
800 DSDB_SEARCH_SHOW_RECYCLED,
802 if (ret != LDB_SUCCESS) {
803 ldb_debug(ldb, LDB_DEBUG_ERROR, "descriptor_modify: Could not find SD for %s\n",
804 ldb_dn_get_linearized(parent_dn));
807 if (parent_res->count != 1) {
808 return ldb_operr(ldb);
810 parent_sd = ldb_msg_find_ldb_val(parent_res->msgs[0], "nTSecurityDescriptor");
813 schema = dsdb_get_schema(ldb, req);
815 objectclass_element = ldb_msg_find_element(current_res->msgs[0], "objectClass");
816 if (objectclass_element == NULL) {
817 return ldb_operr(ldb);
820 objectclass = dsdb_get_last_structural_class(schema,
821 objectclass_element);
822 if (objectclass == NULL) {
823 return ldb_operr(ldb);
826 old_sd = ldb_msg_find_ldb_val(current_res->msgs[0], "nTSecurityDescriptor");
827 if (old_sd == NULL) {
828 return ldb_operr(ldb);
831 if (sd_propagation_control != NULL) {
833 * This just triggers a recalculation of the
839 sd = get_new_descriptor(module, current_res->msgs[0]->dn, req,
840 objectclass, parent_sd,
841 user_sd, old_sd, sd_flags);
843 return ldb_operr(ldb);
845 msg = ldb_msg_copy_shallow(req, req->op.mod.message);
849 cmp_ret = data_blob_cmp(old_sd, sd);
850 if (sd_propagation_control != NULL) {
853 * The nTSecurityDescriptor is unchanged,
854 * which means we can stop the processing.
856 * We mark the control as critical again,
857 * as we have not processed it, so the caller
858 * can tell that the descriptor was unchanged.
860 sd_propagation_control->critical = 1;
861 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
864 ret = ldb_msg_add_empty(msg, "nTSecurityDescriptor",
865 LDB_FLAG_MOD_REPLACE,
867 if (ret != LDB_SUCCESS) {
870 ret = ldb_msg_add_value(msg, "nTSecurityDescriptor",
872 if (ret != LDB_SUCCESS) {
875 } else if (cmp_ret != 0) {
877 struct ldb_dn *nc_root;
880 ret = dsdb_find_nc_root(ldb,
882 current_res->msgs[0]->dn,
884 if (ret != LDB_SUCCESS) {
888 status = dsdb_get_extended_dn_guid(current_res->msgs[0]->dn,
891 if (!NT_STATUS_IS_OK(status)) {
892 return ldb_operr(ldb);
896 * Force SD propagation on children of this record
898 ret = dsdb_module_schedule_sd_propagation(module,
902 if (ret != LDB_SUCCESS) {
903 return ldb_operr(ldb);
905 sd_element->values[0] = *sd;
907 sd_element->values[0] = *sd;
910 ret = ldb_build_mod_req(&mod_req, ldb, req,
916 LDB_REQ_SET_LOCATION(mod_req);
917 if (ret != LDB_SUCCESS) {
921 return ldb_next_request(module, mod_req);
924 static int descriptor_search(struct ldb_module *module, struct ldb_request *req)
927 struct ldb_context *ldb;
928 struct ldb_request *down_req;
929 struct descriptor_context *ac;
930 bool explicit_sd_flags = false;
931 uint32_t sd_flags = dsdb_request_sd_flags(req, &explicit_sd_flags);
932 bool show_sd = explicit_sd_flags;
935 ldb_attr_in_list(req->op.search.attrs, "nTSecurityDescriptor"))
941 return ldb_next_request(module, req);
944 ldb = ldb_module_get_ctx(module);
945 ac = descriptor_init_context(module, req);
947 return ldb_operr(ldb);
949 ac->sd_flags = sd_flags;
951 ret = ldb_build_search_req_ex(&down_req, ldb, ac,
953 req->op.search.scope,
955 req->op.search.attrs,
957 ac, descriptor_search_callback,
959 LDB_REQ_SET_LOCATION(down_req);
960 if (ret != LDB_SUCCESS) {
964 return ldb_next_request(ac->module, down_req);
967 static int descriptor_rename(struct ldb_module *module, struct ldb_request *req)
969 struct ldb_context *ldb = ldb_module_get_ctx(module);
970 struct ldb_dn *olddn = req->op.rename.olddn;
971 struct ldb_dn *newdn = req->op.rename.newdn;
974 /* do not manipulate our control entries */
975 if (ldb_dn_is_special(req->op.rename.olddn)) {
976 return ldb_next_request(module, req);
979 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_rename: %s\n",
980 ldb_dn_get_linearized(olddn));
982 if (ldb_dn_compare(olddn, newdn) != 0) {
983 struct ldb_dn *nc_root;
986 ret = dsdb_find_nc_root(ldb, req, newdn, &nc_root);
987 if (ret != LDB_SUCCESS) {
991 ret = dsdb_module_guid_by_dn(module,
995 if (ret == LDB_SUCCESS) {
997 * Without disturbing any errors if the olddn
998 * does not exit, force SD propagation on
999 * this record (get a new inherited SD from
1000 * the potentially new parent
1002 ret = dsdb_module_schedule_sd_propagation(module,
1006 if (ret != LDB_SUCCESS) {
1007 return ldb_operr(ldb);
1012 return ldb_next_request(module, req);
1015 static int descriptor_extended_sec_desc_propagation(struct ldb_module *module,
1016 struct ldb_request *req)
1018 struct descriptor_data *descriptor_private =
1019 talloc_get_type_abort(ldb_module_get_private(module),
1020 struct descriptor_data);
1021 struct ldb_context *ldb = ldb_module_get_ctx(module);
1022 struct dsdb_extended_sec_desc_propagation_op *op;
1023 TALLOC_CTX *parent_mem = NULL;
1024 struct descriptor_changes *c;
1026 op = talloc_get_type(req->op.extended.data,
1027 struct dsdb_extended_sec_desc_propagation_op);
1029 ldb_debug(ldb, LDB_DEBUG_FATAL,
1030 "descriptor_extended_sec_desc_propagation: "
1031 "invalid extended data\n");
1032 return LDB_ERR_PROTOCOL_ERROR;
1035 if (descriptor_private->trans_mem == NULL) {
1036 return ldb_module_operr(module);
1039 parent_mem = descriptor_private->trans_mem;
1041 c = talloc_zero(parent_mem, struct descriptor_changes);
1043 return ldb_module_oom(module);
1045 c->nc_root = ldb_dn_copy(c, op->nc_root);
1046 if (c->nc_root == NULL) {
1047 return ldb_module_oom(module);
1050 if (op->include_self) {
1051 c->force_self = true;
1053 c->force_children = true;
1056 DLIST_ADD_END(descriptor_private->changes, c);
1058 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
1061 static int descriptor_extended(struct ldb_module *module, struct ldb_request *req)
1063 if (strcmp(req->op.extended.oid, DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID) == 0) {
1064 return descriptor_extended_sec_desc_propagation(module, req);
1067 return ldb_next_request(module, req);
1070 static int descriptor_init(struct ldb_module *module)
1072 struct ldb_context *ldb = ldb_module_get_ctx(module);
1074 struct descriptor_data *descriptor_private;
1076 ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID);
1077 if (ret != LDB_SUCCESS) {
1078 ldb_debug(ldb, LDB_DEBUG_ERROR,
1079 "descriptor: Unable to register control with rootdse!\n");
1080 return ldb_operr(ldb);
1083 descriptor_private = talloc_zero(module, struct descriptor_data);
1084 if (descriptor_private == NULL) {
1086 return LDB_ERR_OPERATIONS_ERROR;
1088 ldb_module_set_private(module, descriptor_private);
1090 return ldb_next_init(module);
1093 static int descriptor_sd_propagation_object(struct ldb_module *module,
1094 struct ldb_message *msg,
1097 struct ldb_context *ldb = ldb_module_get_ctx(module);
1098 struct ldb_request *sub_req;
1099 struct ldb_result *mod_res;
1100 struct ldb_control *sd_propagation_control;
1105 mod_res = talloc_zero(msg, struct ldb_result);
1106 if (mod_res == NULL) {
1107 return ldb_module_oom(module);
1110 ret = ldb_build_mod_req(&sub_req, ldb, mod_res,
1114 ldb_modify_default_callback,
1116 LDB_REQ_SET_LOCATION(sub_req);
1117 if (ret != LDB_SUCCESS) {
1118 return ldb_module_operr(module);
1121 ldb_req_mark_trusted(sub_req);
1123 ret = ldb_request_add_control(sub_req,
1124 DSDB_CONTROL_SEC_DESC_PROPAGATION_OID,
1126 if (ret != LDB_SUCCESS) {
1127 return ldb_module_operr(module);
1130 sd_propagation_control = ldb_request_get_control(sub_req,
1131 DSDB_CONTROL_SEC_DESC_PROPAGATION_OID);
1132 if (sd_propagation_control == NULL) {
1133 return ldb_module_operr(module);
1136 ret = dsdb_request_add_controls(sub_req,
1137 DSDB_FLAG_AS_SYSTEM |
1138 DSDB_SEARCH_SHOW_RECYCLED);
1139 if (ret != LDB_SUCCESS) {
1140 return ldb_module_operr(module);
1143 ret = descriptor_modify(module, sub_req);
1144 if (ret == LDB_SUCCESS) {
1145 ret = ldb_wait(sub_req->handle, LDB_WAIT_ALL);
1147 if (ret != LDB_SUCCESS) {
1148 ldb_asprintf_errstring(ldb_module_get_ctx(module),
1149 "descriptor_modify on %s failed: %s",
1150 ldb_dn_get_linearized(msg->dn),
1151 ldb_errstring(ldb_module_get_ctx(module)));
1152 return LDB_ERR_OPERATIONS_ERROR;
1155 if (sd_propagation_control->critical != 0) {
1159 talloc_free(mod_res);
1164 static int descriptor_sd_propagation_msg_sort(struct ldb_message **m1,
1165 struct ldb_message **m2)
1167 struct ldb_dn *dn1 = (*m1)->dn;
1168 struct ldb_dn *dn2 = (*m2)->dn;
1171 * This sorts in tree order, parents first
1173 return ldb_dn_compare(dn2, dn1);
1176 static int descriptor_sd_propagation_recursive(struct ldb_module *module,
1177 struct descriptor_changes *change)
1179 struct ldb_result *guid_res = NULL;
1180 struct ldb_result *res = NULL;
1182 const char * const no_attrs[] = { "@__NONE__", NULL };
1183 struct ldb_dn *stopped_dn = NULL;
1184 struct GUID_txt_buf guid_buf;
1189 * First confirm this object has children, or exists
1190 * (depending on change->force_self)
1192 * LDB_SCOPE_SUBTREE searches are expensive.
1194 * We know this is safe against a rename race as we are in the
1195 * prepare_commit(), so must be in a transaction.
1198 /* Find the DN by GUID, as this is stable under rename */
1199 ret = dsdb_module_search(module,
1205 DSDB_FLAG_NEXT_MODULE |
1206 DSDB_FLAG_AS_SYSTEM |
1207 DSDB_SEARCH_SHOW_DELETED |
1208 DSDB_SEARCH_SHOW_RECYCLED,
1209 NULL, /* parent_req */
1211 GUID_buf_string(&change->guid,
1214 if (ret != LDB_SUCCESS) {
1218 if (guid_res->count != 1) {
1220 * We were just given this GUID during the same
1221 * transaction, if it is missing this is a big
1224 * Cleanup of tombstones does not trigger this module
1225 * as it just does a delete.
1227 ldb_asprintf_errstring(ldb_module_get_ctx(module),
1228 "failed to find GUID %s under %s "
1229 "for transaction-end SD inheritance: %d results",
1230 GUID_buf_string(&change->guid,
1232 ldb_dn_get_linearized(change->nc_root),
1234 return LDB_ERR_OPERATIONS_ERROR;
1238 * OK, so there was a parent, are there children? Note: that
1239 * this time we do not search for deleted/recycled objects
1241 ret = dsdb_module_search(module,
1244 guid_res->msgs[0]->dn,
1247 DSDB_FLAG_NEXT_MODULE |
1248 DSDB_FLAG_AS_SYSTEM,
1249 NULL, /* parent_req */
1251 if (ret != LDB_SUCCESS) {
1253 * LDB_ERR_NO_SUCH_OBJECT, say if the DN was a deleted
1254 * object, is ignored by the caller
1259 if (res->count == 0 && !change->force_self) {
1260 /* All done, no children */
1266 * First, if we are in force_self mode (eg renamed under new
1267 * parent) then apply the SD to the top object
1269 if (change->force_self) {
1270 ret = descriptor_sd_propagation_object(module,
1273 if (ret != LDB_SUCCESS) {
1274 TALLOC_FREE(guid_res);
1278 if (stop == true && !change->force_children) {
1279 /* There was no change, nothing more to do */
1280 TALLOC_FREE(guid_res);
1284 if (res->count == 0) {
1286 TALLOC_FREE(guid_res);
1294 * Note: that we do not search for deleted/recycled objects
1296 ret = dsdb_module_search(module,
1299 guid_res->msgs[0]->dn,
1302 DSDB_FLAG_NEXT_MODULE |
1303 DSDB_FLAG_AS_SYSTEM,
1304 NULL, /* parent_req */
1306 if (ret != LDB_SUCCESS) {
1310 TYPESAFE_QSORT(res->msgs, res->count,
1311 descriptor_sd_propagation_msg_sort);
1313 /* We start from 1, the top object has been done */
1314 for (i = 1; i < res->count; i++) {
1316 * ldb_dn_compare_base() does not match for NULL but
1319 if (stopped_dn != NULL) {
1320 ret = ldb_dn_compare_base(stopped_dn,
1323 * Skip further processing of this
1330 ret = descriptor_sd_propagation_object(module,
1333 if (ret != LDB_SUCCESS) {
1339 * If this child didn't change, then nothing
1340 * under it needs to change
1342 * res has been sorted into tree order so the
1343 * next few entries can be skipped
1345 stopped_dn = res->msgs[i]->dn;
1353 static int descriptor_start_transaction(struct ldb_module *module)
1355 struct descriptor_data *descriptor_private =
1356 talloc_get_type_abort(ldb_module_get_private(module),
1357 struct descriptor_data);
1359 if (descriptor_private->trans_mem != NULL) {
1360 return ldb_module_operr(module);
1363 descriptor_private->trans_mem = talloc_new(descriptor_private);
1364 if (descriptor_private->trans_mem == NULL) {
1365 return ldb_module_oom(module);
1367 descriptor_private->changes = NULL;
1369 return ldb_next_start_trans(module);
1372 static int descriptor_prepare_commit(struct ldb_module *module)
1374 struct descriptor_data *descriptor_private =
1375 talloc_get_type_abort(ldb_module_get_private(module),
1376 struct descriptor_data);
1377 struct descriptor_changes *c, *n;
1380 for (c = descriptor_private->changes; c; c = n) {
1382 DLIST_REMOVE(descriptor_private->changes, c);
1384 ret = descriptor_sd_propagation_recursive(module, c);
1385 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
1388 if (ret != LDB_SUCCESS) {
1393 return ldb_next_prepare_commit(module);
1396 static int descriptor_end_transaction(struct ldb_module *module)
1398 struct descriptor_data *descriptor_private =
1399 talloc_get_type_abort(ldb_module_get_private(module),
1400 struct descriptor_data);
1402 TALLOC_FREE(descriptor_private->trans_mem);
1403 descriptor_private->changes = NULL;
1405 return ldb_next_end_trans(module);
1408 static int descriptor_del_transaction(struct ldb_module *module)
1410 struct descriptor_data *descriptor_private =
1411 talloc_get_type_abort(ldb_module_get_private(module),
1412 struct descriptor_data);
1414 TALLOC_FREE(descriptor_private->trans_mem);
1415 descriptor_private->changes = NULL;
1417 return ldb_next_del_trans(module);
1420 static const struct ldb_module_ops ldb_descriptor_module_ops = {
1421 .name = "descriptor",
1422 .search = descriptor_search,
1423 .add = descriptor_add,
1424 .modify = descriptor_modify,
1425 .rename = descriptor_rename,
1426 .init_context = descriptor_init,
1427 .extended = descriptor_extended,
1428 .start_transaction = descriptor_start_transaction,
1429 .prepare_commit = descriptor_prepare_commit,
1430 .end_transaction = descriptor_end_transaction,
1431 .del_transaction = descriptor_del_transaction,
1434 int ldb_descriptor_module_init(const char *version)
1436 LDB_MODULE_CHECK_VERSION(version);
1437 return ldb_register_module(&ldb_descriptor_module_ops);