2 Unix SMB/CIFS implementation.
4 Copyright (C) Andrew Tridgell 2004
5 Copyright (C) Gerald Carter 2005
6 Copyright (C) Volker Lendecke 2007
7 Copyright (C) Jeremy Allison 2008
8 Copyright (C) Andrew Bartlett 2010
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "libcli/security/security.h"
27 /* Map generic access rights to object specific rights. This technique is
28 used to give meaning to assigning read, write, execute and all access to
29 objects. Each type of object has its own mapping of generic to object
30 specific access rights. */
32 void se_map_generic(uint32_t *access_mask, const struct generic_mapping *mapping)
34 uint32_t old_mask = *access_mask;
36 if (*access_mask & GENERIC_READ_ACCESS) {
37 *access_mask &= ~GENERIC_READ_ACCESS;
38 *access_mask |= mapping->generic_read;
41 if (*access_mask & GENERIC_WRITE_ACCESS) {
42 *access_mask &= ~GENERIC_WRITE_ACCESS;
43 *access_mask |= mapping->generic_write;
46 if (*access_mask & GENERIC_EXECUTE_ACCESS) {
47 *access_mask &= ~GENERIC_EXECUTE_ACCESS;
48 *access_mask |= mapping->generic_execute;
51 if (*access_mask & GENERIC_ALL_ACCESS) {
52 *access_mask &= ~GENERIC_ALL_ACCESS;
53 *access_mask |= mapping->generic_all;
56 if (old_mask != *access_mask) {
57 DEBUG(10, ("se_map_generic(): mapped mask 0x%08x to 0x%08x\n",
58 old_mask, *access_mask));
62 /* Map generic access rights to object specific rights for all the ACE's
66 void security_acl_map_generic(struct security_acl *sa,
67 const struct generic_mapping *mapping)
75 for (i = 0; i < sa->num_aces; i++) {
76 se_map_generic(&sa->aces[i].access_mask, mapping);
80 /* Map standard access rights to object specific rights. This technique is
81 used to give meaning to assigning read, write, execute and all access to
82 objects. Each type of object has its own mapping of standard to object
83 specific access rights. */
85 void se_map_standard(uint32_t *access_mask, const struct standard_mapping *mapping)
87 uint32_t old_mask = *access_mask;
89 if (*access_mask & SEC_STD_READ_CONTROL) {
90 *access_mask &= ~SEC_STD_READ_CONTROL;
91 *access_mask |= mapping->std_read;
94 if (*access_mask & (SEC_STD_DELETE|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE)) {
95 *access_mask &= ~(SEC_STD_DELETE|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE);
96 *access_mask |= mapping->std_all;
99 if (old_mask != *access_mask) {
100 DEBUG(10, ("se_map_standard(): mapped mask 0x%08x to 0x%08x\n",
101 old_mask, *access_mask));
106 perform a SEC_FLAG_MAXIMUM_ALLOWED access check
108 static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
109 const struct security_token *token)
111 uint32_t denied = 0, granted = 0;
114 if (security_token_has_sid(token, sd->owner_sid)) {
115 granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_STD_DELETE;
116 } else if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
117 granted |= SEC_STD_DELETE;
120 if (sd->dacl == NULL) {
121 return granted & ~denied;
124 for (i = 0;i<sd->dacl->num_aces; i++) {
125 struct security_ace *ace = &sd->dacl->aces[i];
127 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
131 if (!security_token_has_sid(token, &ace->trustee)) {
136 case SEC_ACE_TYPE_ACCESS_ALLOWED:
137 granted |= ace->access_mask;
139 case SEC_ACE_TYPE_ACCESS_DENIED:
140 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
141 denied |= ace->access_mask;
143 default: /* Other ACE types not handled/supported */
148 return granted & ~denied;
152 The main entry point for access checking. If returning ACCESS_DENIED
153 this function returns the denied bits in the uint32_t pointed
154 to by the access_granted pointer.
156 NTSTATUS se_access_check(const struct security_descriptor *sd,
157 const struct security_token *token,
158 uint32_t access_desired,
159 uint32_t *access_granted)
162 uint32_t bits_remaining;
164 *access_granted = access_desired;
165 bits_remaining = access_desired;
167 /* handle the maximum allowed flag */
168 if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
169 uint32_t orig_access_desired = access_desired;
171 access_desired |= access_check_max_allowed(sd, token);
172 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
173 *access_granted = access_desired;
174 bits_remaining = access_desired & ~SEC_STD_DELETE;
176 DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n",
182 #if (_SAMBA_BUILD_ >= 4)
183 /* s3 had this with #if 0 previously. To be sure the merge
184 doesn't change any behaviour, we have the above #if check
186 if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
187 if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
188 bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
190 return NT_STATUS_PRIVILEGE_NOT_HELD;
195 /* a NULL dacl allows access */
196 if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
197 *access_granted = access_desired;
201 /* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */
202 if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) &&
203 security_token_has_sid(token, sd->owner_sid)) {
204 bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE);
206 if ((bits_remaining & SEC_STD_DELETE) &&
207 (security_token_has_privilege(token, SEC_PRIV_RESTORE))) {
208 bits_remaining &= ~SEC_STD_DELETE;
210 if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
211 security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
212 bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
214 if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
215 security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
216 bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
219 if (sd->dacl == NULL) {
223 /* check each ace in turn. */
224 for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
225 struct security_ace *ace = &sd->dacl->aces[i];
227 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
231 if (!security_token_has_sid(token, &ace->trustee)) {
236 case SEC_ACE_TYPE_ACCESS_ALLOWED:
237 bits_remaining &= ~ace->access_mask;
239 case SEC_ACE_TYPE_ACCESS_DENIED:
240 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
241 if (bits_remaining & ace->access_mask) {
242 return NT_STATUS_ACCESS_DENIED;
245 default: /* Other ACE types not handled/supported */
251 if (bits_remaining != 0) {
252 *access_granted = bits_remaining;
253 return NT_STATUS_ACCESS_DENIED;
260 static const struct GUID *get_ace_object_type(struct security_ace *ace)
264 if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT)
265 type = &ace->object.object.type.type;
266 else if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)
267 type = &ace->object.object.inherited_type.inherited_type; /* This doesn't look right. Is something wrong with the IDL? */
275 /* modified access check for the purposes of DS security
276 * Lots of code duplication, it will ve united in just one
277 * function eventually */
279 NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
280 const struct security_token *token,
281 uint32_t access_desired,
282 uint32_t *access_granted,
283 struct object_tree *tree,
284 struct dom_sid *replace_sid)
287 uint32_t bits_remaining;
288 struct object_tree *node;
289 const struct GUID *type;
290 struct dom_sid *ps_sid = dom_sid_parse_talloc(NULL, SID_NT_SELF);
292 *access_granted = access_desired;
293 bits_remaining = access_desired;
295 /* handle the maximum allowed flag */
296 if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
297 access_desired |= access_check_max_allowed(sd, token);
298 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
299 *access_granted = access_desired;
300 bits_remaining = access_desired & ~SEC_STD_DELETE;
303 if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
304 if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
305 bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
307 return NT_STATUS_PRIVILEGE_NOT_HELD;
311 /* a NULL dacl allows access */
312 if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
313 *access_granted = access_desired;
317 /* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */
318 if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) &&
319 security_token_has_sid(token, sd->owner_sid)) {
320 bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE);
322 if ((bits_remaining & SEC_STD_DELETE) &&
323 security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
324 bits_remaining &= ~SEC_STD_DELETE;
327 if (sd->dacl == NULL) {
331 /* check each ace in turn. */
332 for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
333 struct dom_sid *trustee;
334 struct security_ace *ace = &sd->dacl->aces[i];
336 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
339 if (dom_sid_equal(&ace->trustee, ps_sid) && replace_sid) {
340 trustee = replace_sid;
344 trustee = &ace->trustee;
346 if (!security_token_has_sid(token, trustee)) {
351 case SEC_ACE_TYPE_ACCESS_ALLOWED:
353 object_tree_modify_access(tree, ace->access_mask);
355 bits_remaining &= ~ace->access_mask;
357 case SEC_ACE_TYPE_ACCESS_DENIED:
358 if (bits_remaining & ace->access_mask) {
359 return NT_STATUS_ACCESS_DENIED;
362 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
363 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
364 /* check only in case we have provided a tree,
365 * the ACE has an object type and that type
367 type = get_ace_object_type(ace);
375 if (!(node = get_object_tree_by_GUID(tree, type)))
378 if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
379 object_tree_modify_access(node, ace->access_mask);
380 if (node->remaining_access == 0) {
385 if (node->remaining_access & ace->access_mask){
386 return NT_STATUS_ACCESS_DENIED;
390 default: /* Other ACE types not handled/supported */
396 if (bits_remaining != 0) {
397 return NT_STATUS_ACCESS_DENIED;