source4/dsdb/samdb/ldb_modules/acl_util.c

   1 /*
   2   ACL utility functions
   3
   4   Copyright (C) Nadezhda Ivanova 2010
   5
   6   This program is free software; you can redistribute it and/or modify
   7   it under the terms of the GNU General Public License as published by
   8   the Free Software Foundation; either version 3 of the License, or
   9   (at your option) any later version.
  10
  11   This program is distributed in the hope that it will be useful,
  12   but WITHOUT ANY WARRANTY; without even the implied warranty of
  13   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14   GNU General Public License for more details.
  15
  16   You should have received a copy of the GNU General Public License
  17   along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19
  20 /*
  21  *  Name: acl_util
  22  *
  23  *  Component: ldb ACL modules
  24  *
  25  *  Description: Some auxiliary functions used for access checking
  26  *
  27  *  Author: Nadezhda Ivanova
  28  */
  29 #include "includes.h"
  30 #include "ldb_module.h"
  31 #include "auth/auth.h"
  32 #include "libcli/security/security.h"
  33 #include "dsdb/samdb/samdb.h"
  34 #include "librpc/gen_ndr/ndr_security.h"
  35 #include "param/param.h"
  36 #include "dsdb/samdb/ldb_modules/util.h"
  37
  38 struct security_token *acl_user_token(struct ldb_module *module)
  39 {
  40         struct ldb_context *ldb = ldb_module_get_ctx(module);
  41         struct auth_session_info *session_info
  42                 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
  43         if(!session_info) {
  44                 return NULL;
  45         }
  46         return session_info->security_token;
  47 }
  48
  49 /* performs an access check from inside the module stack
  50  * given the dn of the object to be checked, the required access
  51  * guid is either the guid of the extended right, or NULL
  52  */
  53
  54 int dsdb_module_check_access_on_dn(struct ldb_module *module,
  55                                    TALLOC_CTX *mem_ctx,
  56                                    struct ldb_dn *dn,
  57                                    uint32_t access_mask,
  58                                    const struct GUID *guid,
  59                                    struct ldb_request *parent)
  60 {
  61         int ret;
  62         struct ldb_result *acl_res;
  63         static const char *acl_attrs[] = {
  64                 "nTSecurityDescriptor",
  65                 "objectSid",
  66                 NULL
  67         };
  68         struct ldb_context *ldb = ldb_module_get_ctx(module);
  69         struct auth_session_info *session_info
  70                 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
  71         if(!session_info) {
  72                 return ldb_operr(ldb);
  73         }
  74         ret = dsdb_module_search_dn(module, mem_ctx, &acl_res, dn,
  75                                     acl_attrs,
  76                                     DSDB_FLAG_NEXT_MODULE |
  77                                     DSDB_FLAG_AS_SYSTEM |
  78                                     DSDB_SEARCH_SHOW_RECYCLED,
  79                                     parent);
  80         if (ret != LDB_SUCCESS) {
  81                 ldb_asprintf_errstring(ldb_module_get_ctx(module),
  82                                        "access_check: failed to find object %s\n",
  83                                        ldb_dn_get_linearized(dn));
  84                 return ret;
  85         }
  86         return dsdb_check_access_on_dn_internal(ldb, acl_res,
  87                                                 mem_ctx,
  88                                                 session_info->security_token,
  89                                                 dn,
  90                                                 access_mask,
  91                                                 guid);
  92 }
  93
  94 int acl_check_access_on_attribute(struct ldb_module *module,
  95                                   TALLOC_CTX *mem_ctx,
  96                                   struct security_descriptor *sd,
  97                                   struct dom_sid *rp_sid,
  98                                   uint32_t access_mask,
  99                                   const struct dsdb_attribute *attr,
 100                                   const struct dsdb_class *objectclass)
 101 {
 102         int ret;
 103         NTSTATUS status;
 104         uint32_t access_granted;
 105         struct object_tree *root = NULL;
 106         struct object_tree *new_node = NULL;
 107         TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 108         struct security_token *token = acl_user_token(module);
 109
 110         if (!insert_in_object_tree(tmp_ctx,
 111                                    &objectclass->schemaIDGUID,
 112                                    access_mask, NULL,
 113                                    &root)) {
 114                 DEBUG(10, ("acl_search: cannot add to object tree class schemaIDGUID\n"));
 115                 goto fail;
 116         }
 117         new_node = root;
 118
 119         if (!GUID_all_zero(&attr->attributeSecurityGUID)) {
 120                 if (!insert_in_object_tree(tmp_ctx,
 121                                            &attr->attributeSecurityGUID,
 122                                            access_mask, new_node,
 123                                            &new_node)) {
 124                         DEBUG(10, ("acl_search: cannot add to object tree securityGUID\n"));
 125                         goto fail;
 126                 }
 127         }
 128
 129         if (!insert_in_object_tree(tmp_ctx,
 130                                    &attr->schemaIDGUID,
 131                                    access_mask, new_node,
 132                                    &new_node)) {
 133                 DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
 134                 goto fail;
 135         }
 136
 137         status = sec_access_check_ds(sd, token,
 138                                      access_mask,
 139                                      &access_granted,
 140                                      root,
 141                                      rp_sid);
 142         if (!NT_STATUS_IS_OK(status)) {
 143                 ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
 144         }
 145         else {
 146                 ret = LDB_SUCCESS;
 147         }
 148         talloc_free(tmp_ctx);
 149         return ret;
 150 fail:
 151         talloc_free(tmp_ctx);
 152         return ldb_operr(ldb_module_get_ctx(module));
 153 }
 154
 155 int acl_check_access_on_objectclass(struct ldb_module *module,
 156                                     TALLOC_CTX *mem_ctx,
 157                                     struct security_descriptor *sd,
 158                                     struct dom_sid *rp_sid,
 159                                     uint32_t access_mask,
 160                                     const struct dsdb_class *objectclass)
 161 {
 162         int ret;
 163         NTSTATUS status;
 164         uint32_t access_granted;
 165         struct object_tree *root = NULL;
 166         TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 167         struct security_token *token = acl_user_token(module);
 168
 169         if (!insert_in_object_tree(tmp_ctx,
 170                                    &objectclass->schemaIDGUID,
 171                                    access_mask, NULL,
 172                                    &root)) {
 173                 DEBUG(10, ("acl_search: cannot add to object tree class schemaIDGUID\n"));
 174                 goto fail;
 175         }
 176
 177         status = sec_access_check_ds(sd, token,
 178                                      access_mask,
 179                                      &access_granted,
 180                                      root,
 181                                      rp_sid);
 182         if (!NT_STATUS_IS_OK(status)) {
 183                 ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
 184         } else {
 185                 ret = LDB_SUCCESS;
 186         }
 187         talloc_free(tmp_ctx);
 188         return ret;
 189 fail:
 190         talloc_free(tmp_ctx);
 191         return ldb_operr(ldb_module_get_ctx(module));
 192 }
 193
 194 /* checks for validated writes */
 195 int acl_check_extended_right(TALLOC_CTX *mem_ctx,
 196                              struct security_descriptor *sd,
 197                              struct security_token *token,
 198                              const char *ext_right,
 199                              uint32_t right_type,
 200                              struct dom_sid *sid)
 201 {
 202         struct GUID right;
 203         NTSTATUS status;
 204         uint32_t access_granted;
 205         struct object_tree *root = NULL;
 206         TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 207
 208         GUID_from_string(ext_right, &right);
 209
 210         if (!insert_in_object_tree(tmp_ctx, &right, right_type,
 211                                    NULL, &root)) {
 212                 DEBUG(10, ("acl_ext_right: cannot add to object tree\n"));
 213                 talloc_free(tmp_ctx);
 214                 return LDB_ERR_OPERATIONS_ERROR;
 215         }
 216         status = sec_access_check_ds(sd, token,
 217                                      right_type,
 218                                      &access_granted,
 219                                      root,
 220                                      sid);
 221
 222         if (!NT_STATUS_IS_OK(status)) {
 223                 talloc_free(tmp_ctx);
 224                 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
 225         }
 226         talloc_free(tmp_ctx);
 227         return LDB_SUCCESS;
 228 }
 229
 230 const char *acl_user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module)
 231 {
 232         struct ldb_context *ldb = ldb_module_get_ctx(module);
 233         struct auth_session_info *session_info
 234                 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
 235         if (!session_info) {
 236                 return "UNKNOWN (NULL)";
 237         }
 238
 239         return talloc_asprintf(mem_ctx, "%s\\%s",
 240                                session_info->info->domain_name,
 241                                session_info->info->account_name);
 242 }
 243
 244 uint32_t dsdb_request_sd_flags(struct ldb_request *req, bool *explicit)
 245 {
 246         struct ldb_control *sd_control;
 247         uint32_t sd_flags = 0;
 248
 249         if (explicit) {
 250                 *explicit = false;
 251         }
 252
 253         sd_control = ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID);
 254         if (sd_control) {
 255                 struct ldb_sd_flags_control *sdctr = (struct ldb_sd_flags_control *)sd_control->data;
 256
 257                 sd_flags = sdctr->secinfo_flags;
 258
 259                 if (explicit) {
 260                         *explicit = true;
 261                 }
 262
 263                 /* mark it as handled */
 264                 sd_control->critical = 0;
 265         }
 266
 267         /* we only care for the last 4 bits */
 268         sd_flags &= 0x0000000F;
 269
 270         /*
 271          * MS-ADTS 3.1.1.3.4.1.11 says that no bits
 272          * equals all 4 bits
 273          */
 274         if (sd_flags == 0) {
 275                 sd_flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL | SECINFO_SACL;
 276         }
 277
 278         return sd_flags;
 279 }
 280
 281 int dsdb_module_schedule_sd_propagation(struct ldb_module *module,
 282                                         struct ldb_dn *nc_root,
 283                                         struct ldb_dn *dn,
 284                                         bool include_self)
 285 {
 286         struct ldb_context *ldb = ldb_module_get_ctx(module);
 287         struct dsdb_extended_sec_desc_propagation_op *op;
 288         int ret;
 289
 290         op = talloc_zero(module, struct dsdb_extended_sec_desc_propagation_op);
 291         if (op == NULL) {
 292                 return ldb_oom(ldb);
 293         }
 294
 295         op->nc_root = nc_root;
 296         op->dn = dn;
 297         op->include_self = include_self;
 298
 299         ret = dsdb_module_extended(module, op, NULL,
 300                                    DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID,
 301                                    op,
 302                                    DSDB_FLAG_TOP_MODULE |
 303                                    DSDB_FLAG_AS_SYSTEM |
 304                                    DSDB_FLAG_TRUSTED,
 305                                    NULL);
 306         TALLOC_FREE(op);
 307         return ret;
 308 }