2 Copyright (C) Nadezhda Ivanova 2009
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 3 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 * Name: create_descriptor
21 * Component: routines for calculating and creating security descriptors
22 * as described in MS-DTYP 2.5.2.2
27 * Author: Nadezhda Ivanova
30 #include "libcli/security/security.h"
31 #include "librpc/gen_ndr/ndr_security.h"
34 * build the security token dacl as follows:
35 * SYSTEM: GA, OWNER: GA, LOGIN_SID:GW|GE
36 * Need session id information for the login SID. Probably
37 * the best place for this is during token creation
39 * Implement SD Invariants
41 * LDAP_SERVER_SD_FLAGS_OID control
42 * ADTS 7.1.3.3 needs to be clarified
45 /* the mapping function for generic rights for DS.(GA,GR,GW,GX)
46 * The mapping function is passed as an argument to the
47 * descriptor calculating routine and depends on the security
48 * manager that calls the calculating routine.
49 * TODO: need similar mappings for the file system and
50 * registry security managers in order to make this code
51 * generic for all security managers
54 uint32_t map_generic_rights_ds(uint32_t access_mask)
56 if (access_mask & SEC_GENERIC_ALL){
57 access_mask |= SEC_ADS_GENERIC_ALL;
58 access_mask = ~SEC_GENERIC_ALL;
61 if (access_mask & SEC_GENERIC_EXECUTE){
62 access_mask |= SEC_ADS_GENERIC_EXECUTE;
63 access_mask = ~SEC_GENERIC_EXECUTE;
66 if (access_mask & SEC_GENERIC_WRITE){
67 access_mask |= SEC_ADS_GENERIC_WRITE;
68 access_mask &= ~SEC_GENERIC_WRITE;
71 if (access_mask & SEC_GENERIC_READ){
72 access_mask |= SEC_ADS_GENERIC_READ;
73 access_mask &= ~SEC_GENERIC_READ;
79 /* Not sure what this has to be,
80 * and it does not seem to have any influence */
81 static bool object_in_list(struct GUID *object_list, struct GUID *object)
87 static bool contains_inheritable_aces(struct security_acl *acl)
93 for (i=0; i < acl->num_aces; i++) {
94 struct security_ace *ace = &acl->aces[i];
95 if ((ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) ||
96 (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT))
103 static struct security_acl *preprocess_creator_acl(TALLOC_CTX *mem, struct security_acl *acl)
106 struct security_acl *new_acl;
111 new_acl = talloc_zero(mem, struct security_acl);
113 for (i=0; i < acl->num_aces; i++) {
114 struct security_ace *ace = &acl->aces[i];
115 if (!(ace->flags & SEC_ACE_FLAG_INHERITED_ACE)){
116 new_acl->aces = talloc_realloc(new_acl, new_acl->aces, struct security_ace,
117 new_acl->num_aces+1);
118 if (new_acl->aces == NULL) {
119 talloc_free(new_acl);
122 new_acl->aces[new_acl->num_aces] = *ace;
127 new_acl->revision = acl->revision;
132 /* This is not exactly as described in the docs. The original seemed to return
133 * only a list of the inherited or flagless ones... */
135 static bool postprocess_acl(struct security_acl *acl,
136 struct dom_sid *owner,
137 struct dom_sid *group,
138 uint32_t (*generic_map)(uint32_t access_mask))
141 struct dom_sid *co, *cg;
142 TALLOC_CTX *tmp_ctx = talloc_new(acl);
146 co = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_OWNER);
147 cg = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_GROUP);
148 for (i=0; i < acl->num_aces; i++) {
149 struct security_ace *ace = &acl->aces[i];
150 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY)
152 if (dom_sid_equal(&ace->trustee, co)){
153 ace->trustee = *owner;
154 /* perhaps this should be done somewhere else? */
155 ace->flags &= ~SEC_ACE_FLAG_CONTAINER_INHERIT;
157 if (dom_sid_equal(&ace->trustee, cg)){
158 ace->trustee = *group;
159 ace->flags &= ~SEC_ACE_FLAG_CONTAINER_INHERIT;
161 ace->access_mask = generic_map(ace->access_mask);
164 talloc_free(tmp_ctx);
168 static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
169 struct security_acl *acl,
171 struct GUID *object_list)
174 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
175 struct security_acl *tmp_acl = talloc_zero(tmp_ctx, struct security_acl);
176 struct security_acl *inh_acl = talloc_zero(tmp_ctx, struct security_acl);
177 struct security_acl *new_acl;
178 struct dom_sid *co, *cg;
179 if (!tmp_acl || !inh_acl)
182 co = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_OWNER);
183 cg = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_GROUP);
185 for (i=0; i < acl->num_aces; i++){
186 struct security_ace *ace = &acl->aces[i];
187 if ((ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) ||
188 (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) {
189 tmp_acl->aces = talloc_realloc(tmp_acl, tmp_acl->aces, struct security_ace,
190 tmp_acl->num_aces+1);
191 if (tmp_acl->aces == NULL) {
192 talloc_free(tmp_ctx);
196 tmp_acl->aces[tmp_acl->num_aces] = *ace;
197 tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERITED_ACE;
199 if (is_container && (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT))
200 tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY;
202 if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
203 ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT){
204 if (!object_in_list(object_list, &ace->object.object.type.type)){
205 tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY;
214 for (i=0; i < acl->num_aces; i++){
215 struct security_ace *ace = &acl->aces[i];
217 if (ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT)
219 if (!dom_sid_equal(&ace->trustee, co) && !dom_sid_equal(&ace->trustee, cg))
222 if ((ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) ||
223 (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)){
224 inh_acl->aces = talloc_realloc(inh_acl, inh_acl->aces, struct security_ace,
225 inh_acl->num_aces+1);
226 if (inh_acl->aces == NULL){
227 talloc_free(tmp_ctx);
230 inh_acl->aces[inh_acl->num_aces] = *ace;
231 inh_acl->aces[inh_acl->num_aces].flags &= ~SEC_ACE_FLAG_INHERIT_ONLY;
232 inh_acl->aces[inh_acl->num_aces].flags |= SEC_ACE_FLAG_INHERITED_ACE;
237 new_acl = security_acl_concatenate(mem_ctx, inh_acl, tmp_acl);
239 new_acl->revision = acl->revision;
240 talloc_free(tmp_ctx);
244 /* In the docs this looks == calculate_inherited_from_parent. However,
245 * It shouldn't return the inherited, rather filter them out....
247 static struct security_acl *calculate_inherited_from_creator(TALLOC_CTX *mem_ctx,
248 struct security_acl *acl,
250 struct GUID *object_list)
253 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
254 struct security_acl *tmp_acl = talloc_zero(tmp_ctx, struct security_acl);
255 struct security_acl *new_acl;
256 struct dom_sid *co, *cg;
261 tmp_acl->revision = acl->revision;
262 DEBUG(6,(__location__ ": acl revision %u\n", acl->revision));
264 co = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_OWNER);
265 cg = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_GROUP);
267 for (i=0; i < acl->num_aces; i++){
268 struct security_ace *ace = &acl->aces[i];
269 if (ace->flags & SEC_ACE_FLAG_INHERITED_ACE)
272 tmp_acl->aces = talloc_realloc(tmp_acl, tmp_acl->aces, struct security_ace,
273 tmp_acl->num_aces+1);
274 tmp_acl->aces[tmp_acl->num_aces] = *ace;
277 if (!dom_sid_equal(&ace->trustee, co) && !dom_sid_equal(&ace->trustee, cg))
280 tmp_acl->aces = talloc_realloc(tmp_acl, tmp_acl->aces, struct security_ace,
281 tmp_acl->num_aces+1);
282 tmp_acl->aces[tmp_acl->num_aces] = *ace;
283 tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY;
286 new_acl = security_acl_dup(mem_ctx,tmp_acl);
289 new_acl->revision = acl->revision;
291 talloc_free(tmp_ctx);
295 static void cr_descr_log_descriptor(struct security_descriptor *sd,
300 DEBUG(level,("%s: %s\n", message,
301 ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_descriptor,
305 DEBUG(level,("%s: NULL\n", message));
309 static void cr_descr_log_acl(struct security_acl *acl,
314 DEBUG(level,("%s: %s\n", message,
315 ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_acl,
319 DEBUG(level,("%s: NULL\n", message));
323 static bool compute_acl(int acl_type,
324 struct security_descriptor *parent_sd,
325 struct security_descriptor *creator_sd,
327 uint32_t inherit_flags,
328 struct GUID *object_list,
329 uint32_t (*generic_map)(uint32_t access_mask),
330 struct security_token *token,
331 struct security_descriptor *new_sd) /* INOUT argument */
333 struct security_acl *p_acl = NULL, *c_acl = NULL, **new_acl;
335 if (acl_type == SEC_DESC_DACL_PRESENT){
337 p_acl = parent_sd->dacl;
339 c_acl = creator_sd->dacl;
340 new_acl = &new_sd->dacl;
344 p_acl = parent_sd->sacl;
346 c_acl = creator_sd->sacl;
347 new_acl = &new_sd->sacl;
350 cr_descr_log_descriptor(parent_sd, __location__"parent_sd", level);
351 cr_descr_log_descriptor(creator_sd,__location__ "creator_sd", level);
353 if (contains_inheritable_aces(p_acl)){
354 if (!c_acl || (c_acl && inherit_flags & SEC_DEFAULT_DESCRIPTOR)){
355 *new_acl = calculate_inherited_from_parent(new_sd,
359 if (*new_acl == NULL)
361 if (acl_type == SEC_DESC_DACL_PRESENT && new_sd->dacl)
362 new_sd->type |= SEC_DESC_DACL_AUTO_INHERITED;
364 if (acl_type == SEC_DESC_SACL_PRESENT && new_sd->sacl)
365 new_sd->type |= SEC_DESC_SACL_AUTO_INHERITED;
367 if (!postprocess_acl(*new_acl, new_sd->owner_sid,
368 new_sd->group_sid, generic_map))
371 cr_descr_log_descriptor(new_sd,
372 __location__": Nothing from creator, newsd is", level);
376 if (c_acl && !(inherit_flags & SEC_DEFAULT_DESCRIPTOR)){
377 struct security_acl *pr_acl = NULL, *tmp_acl = NULL, *tpr_acl = NULL;
378 tpr_acl = preprocess_creator_acl(new_sd, c_acl);
379 tmp_acl = calculate_inherited_from_creator(new_sd,
384 cr_descr_log_acl(tmp_acl, __location__"Inherited from creator", level);
385 /* Todo some refactoring here! */
386 if (acl_type == SEC_DESC_DACL_PRESENT &&
387 !(creator_sd->type & SEC_DESC_DACL_PROTECTED) &&
388 (inherit_flags & SEC_DACL_AUTO_INHERIT)) {
389 pr_acl = calculate_inherited_from_parent(new_sd,
393 cr_descr_log_acl(pr_acl, __location__"Inherited from parent", level);
394 new_sd->type |= SEC_DESC_DACL_AUTO_INHERITED;
396 else if (acl_type == SEC_DESC_SACL_PRESENT &&
397 !(creator_sd->type & SEC_DESC_SACL_PROTECTED) &&
398 (inherit_flags & SEC_SACL_AUTO_INHERIT)){
399 pr_acl = calculate_inherited_from_parent(new_sd,
403 cr_descr_log_acl(pr_acl, __location__"Inherited from parent", level);
404 new_sd->type |= SEC_DESC_SACL_AUTO_INHERITED;
406 *new_acl = security_acl_concatenate(new_sd, tmp_acl, pr_acl);
408 if (*new_acl == NULL)
410 if (!postprocess_acl(*new_acl, new_sd->owner_sid,
411 new_sd->group_sid,generic_map))
417 *new_acl = preprocess_creator_acl(new_sd,c_acl);
418 if (*new_acl == NULL)
420 if (!postprocess_acl(*new_acl, new_sd->owner_sid,
421 new_sd->group_sid,generic_map))
427 if (acl_type == SEC_DESC_DACL_PRESENT && new_sd->dacl)
428 new_sd->type |= SEC_DESC_DACL_PRESENT;
430 if (acl_type == SEC_DESC_SACL_PRESENT && new_sd->sacl)
431 new_sd->type |= SEC_DESC_SACL_PRESENT;
432 /* This is a hack to handle the fact that
433 * apprantly any AI flag provided by the user is preserved */
435 new_sd->type |= creator_sd->type;
436 cr_descr_log_descriptor(new_sd, __location__"final sd", level);
440 struct security_descriptor *create_security_descriptor(TALLOC_CTX *mem_ctx,
441 struct security_descriptor *parent_sd,
442 struct security_descriptor *creator_sd,
444 struct GUID *object_list,
445 uint32_t inherit_flags,
446 struct security_token *token,
447 struct dom_sid *default_owner, /* valid only for DS, NULL for the other RSs */
448 struct dom_sid *default_group, /* valid only for DS, NULL for the other RSs */
449 uint32_t (*generic_map)(uint32_t access_mask))
451 struct security_descriptor *new_sd;
452 struct dom_sid *new_owner = NULL;
453 struct dom_sid *new_group = NULL;
455 new_sd = security_descriptor_initialise(mem_ctx);
460 if (!creator_sd || !creator_sd->owner_sid) {
461 if ((inherit_flags & SEC_OWNER_FROM_PARENT) && parent_sd) {
462 new_owner = parent_sd->owner_sid;
463 } else if (!default_owner) {
464 new_owner = token->user_sid;
466 new_owner = default_owner;
467 new_sd->type |= SEC_DESC_OWNER_DEFAULTED;
470 new_owner = creator_sd->owner_sid;
473 if (!creator_sd || !creator_sd->group_sid){
474 if ((inherit_flags & SEC_GROUP_FROM_PARENT) && parent_sd) {
475 new_group = parent_sd->group_sid;
476 } else if (!default_group) {
477 new_group = token->group_sid;
479 new_group = default_group;
480 new_sd->type |= SEC_DESC_GROUP_DEFAULTED;
483 new_group = creator_sd->group_sid;
486 new_sd->owner_sid = talloc_memdup(new_sd, new_owner, sizeof(struct dom_sid));
487 new_sd->group_sid = talloc_memdup(new_sd, new_group, sizeof(struct dom_sid));
488 if (!new_sd->owner_sid || !new_sd->group_sid){
493 if (!compute_acl(SEC_DESC_DACL_PRESENT, parent_sd, creator_sd,
494 is_container, inherit_flags, object_list,
495 generic_map,token,new_sd)){
500 if (!compute_acl(SEC_DESC_SACL_PRESENT, parent_sd, creator_sd,
501 is_container, inherit_flags, object_list,
502 generic_map, token,new_sd)){