source3/libgpo/gpo_sec.c

   1 /*
   2  *  Unix SMB/CIFS implementation.
   3  *  Group Policy Object Support
   4  *  Copyright (C) Guenther Deschner 2007
   5  *
   6  *  This program is free software; you can redistribute it and/or modify
   7  *  it under the terms of the GNU General Public License as published by
   8  *  the Free Software Foundation; either version 3 of the License, or
   9  *  (at your option) any later version.
  10  *
  11  *  This program is distributed in the hope that it will be useful,
  12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  *  GNU General Public License for more details.
  15  *
  16  *  You should have received a copy of the GNU General Public License
  17  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
  18  */
  19
  20 #include "includes.h"
  21
  22 /****************************************************************
  23 ****************************************************************/
  24
  25 static bool gpo_sd_check_agp_object_guid(const struct security_ace_object *object)
  26 {
  27         struct GUID ext_right_apg_guid;
  28         NTSTATUS status;
  29
  30         if (!object) {
  31                 return False;
  32         }
  33
  34         status = GUID_from_string(ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY,
  35                                   &ext_right_apg_guid);
  36         if (!NT_STATUS_IS_OK(status)) {
  37                 return False;
  38         }
  39
  40         switch (object->flags) {
  41                 case SEC_ACE_OBJECT_PRESENT:
  42                         if (GUID_equal(&object->type.type,
  43                                        &ext_right_apg_guid)) {
  44                                 return True;
  45                         }
  46                 case SEC_ACE_OBJECT_INHERITED_PRESENT:
  47                         if (GUID_equal(&object->inherited_type.inherited_type,
  48                                        &ext_right_apg_guid)) {
  49                                 return True;
  50                         }
  51                 default:
  52                         break;
  53         }
  54
  55         return False;
  56 }
  57
  58 /****************************************************************
  59 ****************************************************************/
  60
  61 static bool gpo_sd_check_agp_object(const SEC_ACE *ace)
  62 {
  63         if (!sec_ace_object(ace->type)) {
  64                 return False;
  65         }
  66
  67         return gpo_sd_check_agp_object_guid(&ace->object.object);
  68 }
  69
  70 /****************************************************************
  71 ****************************************************************/
  72
  73 static bool gpo_sd_check_agp_access_bits(uint32_t access_mask)
  74 {
  75         return (access_mask & SEC_RIGHTS_EXTENDED);
  76 }
  77
  78 #if 0
  79 /****************************************************************
  80 ****************************************************************/
  81
  82 static bool gpo_sd_check_read_access_bits(uint32_t access_mask)
  83 {
  84         uint32_t read_bits = SEC_RIGHTS_LIST_CONTENTS |
  85                            SEC_RIGHTS_READ_ALL_PROP |
  86                            SEC_RIGHTS_READ_PERMS;
  87
  88         return (read_bits == (access_mask & read_bits));
  89 }
  90 #endif
  91
  92 /****************************************************************
  93 ****************************************************************/
  94
  95 static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace,
  96                                                const struct nt_user_token *token)
  97 {
  98         if (gpo_sd_check_agp_object(ace) &&
  99             gpo_sd_check_agp_access_bits(ace->access_mask) &&
 100             nt_token_check_sid(&ace->trustee, token)) {
 101                 DEBUG(10,("gpo_sd_check_ace_denied_object: "
 102                         "Access denied as of ace for %s\n",
 103                         sid_string_dbg(&ace->trustee)));
 104                 return NT_STATUS_ACCESS_DENIED;
 105         }
 106
 107         return STATUS_MORE_ENTRIES;
 108 }
 109
 110 /****************************************************************
 111 ****************************************************************/
 112
 113 static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace,
 114                                                 const struct nt_user_token *token)
 115 {
 116         if (gpo_sd_check_agp_object(ace) &&
 117             gpo_sd_check_agp_access_bits(ace->access_mask) &&
 118             nt_token_check_sid(&ace->trustee, token)) {
 119                 DEBUG(10,("gpo_sd_check_ace_allowed_object: "
 120                         "Access granted as of ace for %s\n",
 121                         sid_string_dbg(&ace->trustee)));
 122                 return NT_STATUS_OK;
 123         }
 124
 125         return STATUS_MORE_ENTRIES;
 126 }
 127
 128 /****************************************************************
 129 ****************************************************************/
 130
 131 static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace,
 132                                  const struct nt_user_token *token)
 133 {
 134         switch (ace->type) {
 135                 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
 136                         return gpo_sd_check_ace_denied_object(ace, token);
 137                 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
 138                         return gpo_sd_check_ace_allowed_object(ace, token);
 139                 default:
 140                         return STATUS_MORE_ENTRIES;
 141         }
 142 }
 143
 144 /****************************************************************
 145 ****************************************************************/
 146
 147 NTSTATUS gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT *gpo,
 148                                       const struct nt_user_token *token)
 149 {
 150         SEC_DESC *sd = gpo->security_descriptor;
 151         SEC_ACL *dacl = NULL;
 152         NTSTATUS status = NT_STATUS_ACCESS_DENIED;
 153         int i;
 154
 155         if (!token) {
 156                 return NT_STATUS_INVALID_USER_BUFFER;
 157         }
 158
 159         if (!sd) {
 160                 return NT_STATUS_INVALID_SECURITY_DESCR;
 161         }
 162
 163         dacl = sd->dacl;
 164         if (!dacl) {
 165                 return NT_STATUS_INVALID_SECURITY_DESCR;
 166         }
 167
 168         /* check all aces and only return NT_STATUS_OK (== Access granted) or
 169          * NT_STATUS_ACCESS_DENIED ( == Access denied) - the default is to
 170          * deny access */
 171
 172         for (i = 0; i < dacl->num_aces; i ++) {
 173
 174                 status = gpo_sd_check_ace(&dacl->aces[i], token);
 175
 176                 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
 177                         return status;
 178                 } else if (NT_STATUS_IS_OK(status)) {
 179                         return status;
 180                 }
 181
 182                 continue;
 183         }
 184
 185         return NT_STATUS_ACCESS_DENIED;
 186 }