source4/dsdb/samdb/ldb_modules/acl_util.c

   1 /*
   2   ACL utility functions
   3
   4   Copyright (C) Nadezhda Ivanova 2010
   5
   6   This program is free software; you can redistribute it and/or modify
   7   it under the terms of the GNU General Public License as published by
   8   the Free Software Foundation; either version 3 of the License, or
   9   (at your option) any later version.
  10
  11   This program is distributed in the hope that it will be useful,
  12   but WITHOUT ANY WARRANTY; without even the implied warranty of
  13   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14   GNU General Public License for more details.
  15
  16   You should have received a copy of the GNU General Public License
  17   along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19
  20 /*
  21  *  Name: acl_util
  22  *
  23  *  Component: ldb ACL modules
  24  *
  25  *  Description: Some auxiliary functions used for access checking
  26  *
  27  *  Author: Nadezhda Ivanova
  28  */
  29 #include "includes.h"
  30 #include "ldb_module.h"
  31 #include "auth/auth.h"
  32 #include "libcli/security/security.h"
  33 #include "dsdb/samdb/samdb.h"
  34 #include "librpc/gen_ndr/ndr_security.h"
  35 #include "param/param.h"
  36 #include "dsdb/samdb/ldb_modules/util.h"
  37
  38 struct security_token *acl_user_token(struct ldb_module *module)
  39 {
  40         struct ldb_context *ldb = ldb_module_get_ctx(module);
  41         struct auth_session_info *session_info
  42                 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
  43         if(!session_info) {
  44                 return NULL;
  45         }
  46         return session_info->security_token;
  47 }
  48
  49 /* performs an access check from inside the module stack
  50  * given the dn of the object to be checked, the required access
  51  * guid is either the guid of the extended right, or NULL
  52  */
  53
  54 int dsdb_module_check_access_on_dn(struct ldb_module *module,
  55                                    TALLOC_CTX *mem_ctx,
  56                                    struct ldb_dn *dn,
  57                                    uint32_t access_mask,
  58                                    const struct GUID *guid,
  59                                    struct ldb_request *parent)
  60 {
  61         int ret;
  62         struct ldb_result *acl_res;
  63         static const char *acl_attrs[] = {
  64                 "nTSecurityDescriptor",
  65                 "objectSid",
  66                 NULL
  67         };
  68         struct ldb_context *ldb = ldb_module_get_ctx(module);
  69         struct auth_session_info *session_info
  70                 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
  71         if(!session_info) {
  72                 return ldb_operr(ldb);
  73         }
  74         ret = dsdb_module_search_dn(module, mem_ctx, &acl_res, dn,
  75                                     acl_attrs,
  76                                     DSDB_FLAG_NEXT_MODULE |
  77                                     DSDB_SEARCH_SHOW_RECYCLED,
  78                                     parent);
  79         if (ret != LDB_SUCCESS) {
  80                 DEBUG(0,("access_check: failed to find object %s\n", ldb_dn_get_linearized(dn)));
  81                 return ret;
  82         }
  83         return dsdb_check_access_on_dn_internal(ldb, acl_res,
  84                                                 mem_ctx,
  85                                                 session_info->security_token,
  86                                                 dn,
  87                                                 access_mask,
  88                                                 guid);
  89 }
  90
  91 int acl_check_access_on_attribute(struct ldb_module *module,
  92                                   TALLOC_CTX *mem_ctx,
  93                                   struct security_descriptor *sd,
  94                                   struct dom_sid *rp_sid,
  95                                   uint32_t access_mask,
  96                                   const struct dsdb_attribute *attr)
  97 {
  98         int ret;
  99         NTSTATUS status;
 100         uint32_t access_granted;
 101         struct object_tree *root = NULL;
 102         struct object_tree *new_node = NULL;
 103         TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 104         struct security_token *token = acl_user_token(module);
 105         if (attr) {
 106                 if (!GUID_all_zero(&attr->attributeSecurityGUID)) {
 107                         if (!insert_in_object_tree(tmp_ctx,
 108                                                    &attr->attributeSecurityGUID,
 109                                                    access_mask, &root,
 110                                                    &new_node)) {
 111                                 DEBUG(10, ("acl_search: cannot add to object tree securityGUID\n"));
 112                                 goto fail;
 113                         }
 114
 115                         if (!insert_in_object_tree(tmp_ctx,
 116                                                    &attr->schemaIDGUID,
 117                                                    access_mask, &new_node,
 118                                                    &new_node)) {
 119                                 DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
 120                                 goto fail;
 121                         }
 122                 }
 123                 else {
 124                         if (!insert_in_object_tree(tmp_ctx,
 125                                                    &attr->schemaIDGUID,
 126                                                    access_mask, &root,
 127                                                    &new_node)) {
 128                                 DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
 129                                 goto fail;
 130                         }
 131                 }
 132         }
 133         status = sec_access_check_ds(sd, token,
 134                                      access_mask,
 135                                      &access_granted,
 136                                      root,
 137                                      rp_sid);
 138         if (!NT_STATUS_IS_OK(status)) {
 139                 ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
 140         }
 141         else {
 142                 ret = LDB_SUCCESS;
 143         }
 144         talloc_free(tmp_ctx);
 145         return ret;
 146 fail:
 147         talloc_free(tmp_ctx);
 148         return ldb_operr(ldb_module_get_ctx(module));
 149 }
 150
 151
 152 /* checks for validated writes */
 153 int acl_check_extended_right(TALLOC_CTX *mem_ctx,
 154                              struct security_descriptor *sd,
 155                              struct security_token *token,
 156                              const char *ext_right,
 157                              uint32_t right_type,
 158                              struct dom_sid *sid)
 159 {
 160         struct GUID right;
 161         NTSTATUS status;
 162         uint32_t access_granted;
 163         struct object_tree *root = NULL;
 164         struct object_tree *new_node = NULL;
 165         TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 166
 167         GUID_from_string(ext_right, &right);
 168
 169         if (!insert_in_object_tree(tmp_ctx, &right, right_type,
 170                                    &root, &new_node)) {
 171                 DEBUG(10, ("acl_ext_right: cannot add to object tree\n"));
 172                 talloc_free(tmp_ctx);
 173                 return LDB_ERR_OPERATIONS_ERROR;
 174         }
 175         status = sec_access_check_ds(sd, token,
 176                                      right_type,
 177                                      &access_granted,
 178                                      root,
 179                                      sid);
 180
 181         if (!NT_STATUS_IS_OK(status)) {
 182                 talloc_free(tmp_ctx);
 183                 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
 184         }
 185         talloc_free(tmp_ctx);
 186         return LDB_SUCCESS;
 187 }
 188
 189 const char *acl_user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module)
 190 {
 191         struct ldb_context *ldb = ldb_module_get_ctx(module);
 192         struct auth_session_info *session_info
 193                 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
 194         if (!session_info) {
 195                 return "UNKNOWN (NULL)";
 196         }
 197
 198         return talloc_asprintf(mem_ctx, "%s\\%s",
 199                                session_info->info->domain_name,
 200                                session_info->info->account_name);
 201 }