2 Unix SMB/CIFS implementation.
4 Copyright (C) Andrew Tridgell 2004
5 Copyright (C) Gerald Carter 2005
6 Copyright (C) Volker Lendecke 2007
7 Copyright (C) Jeremy Allison 2008
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "libcli/security/security.h"
26 /* Map generic access rights to object specific rights. This technique is
27 used to give meaning to assigning read, write, execute and all access to
28 objects. Each type of object has its own mapping of generic to object
29 specific access rights. */
31 void se_map_generic(uint32 *access_mask, const struct generic_mapping *mapping)
33 uint32 old_mask = *access_mask;
35 if (*access_mask & GENERIC_READ_ACCESS) {
36 *access_mask &= ~GENERIC_READ_ACCESS;
37 *access_mask |= mapping->generic_read;
40 if (*access_mask & GENERIC_WRITE_ACCESS) {
41 *access_mask &= ~GENERIC_WRITE_ACCESS;
42 *access_mask |= mapping->generic_write;
45 if (*access_mask & GENERIC_EXECUTE_ACCESS) {
46 *access_mask &= ~GENERIC_EXECUTE_ACCESS;
47 *access_mask |= mapping->generic_execute;
50 if (*access_mask & GENERIC_ALL_ACCESS) {
51 *access_mask &= ~GENERIC_ALL_ACCESS;
52 *access_mask |= mapping->generic_all;
55 if (old_mask != *access_mask) {
56 DEBUG(10, ("se_map_generic(): mapped mask 0x%08x to 0x%08x\n",
57 old_mask, *access_mask));
61 /* Map generic access rights to object specific rights for all the ACE's
65 void security_acl_map_generic(struct security_acl *sa,
66 const struct generic_mapping *mapping)
74 for (i = 0; i < sa->num_aces; i++) {
75 se_map_generic(&sa->aces[i].access_mask, mapping);
79 /* Map standard access rights to object specific rights. This technique is
80 used to give meaning to assigning read, write, execute and all access to
81 objects. Each type of object has its own mapping of standard to object
82 specific access rights. */
84 void se_map_standard(uint32 *access_mask, const struct standard_mapping *mapping)
86 uint32 old_mask = *access_mask;
88 if (*access_mask & SEC_STD_READ_CONTROL) {
89 *access_mask &= ~SEC_STD_READ_CONTROL;
90 *access_mask |= mapping->std_read;
93 if (*access_mask & (SEC_STD_DELETE|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE)) {
94 *access_mask &= ~(SEC_STD_DELETE|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE);
95 *access_mask |= mapping->std_all;
98 if (old_mask != *access_mask) {
99 DEBUG(10, ("se_map_standard(): mapped mask 0x%08x to 0x%08x\n",
100 old_mask, *access_mask));
105 perform a SEC_FLAG_MAXIMUM_ALLOWED access check
107 static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
108 const struct security_token *token)
110 uint32_t denied = 0, granted = 0;
113 if (is_sid_in_token(token, sd->owner_sid)) {
114 granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_STD_DELETE;
115 } else if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
116 granted |= SEC_STD_DELETE;
119 if (sd->dacl == NULL) {
120 return granted & ~denied;
123 for (i = 0;i<sd->dacl->num_aces; i++) {
124 struct security_ace *ace = &sd->dacl->aces[i];
126 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
130 if (!is_sid_in_token(token, &ace->trustee)) {
135 case SEC_ACE_TYPE_ACCESS_ALLOWED:
136 granted |= ace->access_mask;
138 case SEC_ACE_TYPE_ACCESS_DENIED:
139 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
140 denied |= ace->access_mask;
142 default: /* Other ACE types not handled/supported */
147 return granted & ~denied;
151 The main entry point for access checking. If returning ACCESS_DENIED
152 this function returns the denied bits in the uint32_t pointed
153 to by the access_granted pointer.
155 NTSTATUS se_access_check(const struct security_descriptor *sd,
156 const struct security_token *token,
157 uint32_t access_desired,
158 uint32_t *access_granted)
161 uint32_t bits_remaining;
163 *access_granted = access_desired;
164 bits_remaining = access_desired;
166 /* handle the maximum allowed flag */
167 if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
168 uint32_t orig_access_desired = access_desired;
170 access_desired |= access_check_max_allowed(sd, token);
171 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
172 *access_granted = access_desired;
173 bits_remaining = access_desired & ~SEC_STD_DELETE;
175 DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n",
182 /* We need to support SeSecurityPrivilege for this. */
184 if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
185 if (user_has_privileges(token, &sec_security)) {
186 bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
188 return NT_STATUS_PRIVILEGE_NOT_HELD;
193 /* a NULL dacl allows access */
194 if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
195 *access_granted = access_desired;
199 /* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */
200 if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) &&
201 is_sid_in_token(token, sd->owner_sid)) {
202 bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE);
204 if ((bits_remaining & SEC_STD_DELETE) &&
205 (security_token_has_privilege(token, SEC_PRIV_RESTORE))) {
206 bits_remaining &= ~SEC_STD_DELETE;
209 if (sd->dacl == NULL) {
213 /* check each ace in turn. */
214 for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
215 struct security_ace *ace = &sd->dacl->aces[i];
217 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
221 if (!is_sid_in_token(token, &ace->trustee)) {
226 case SEC_ACE_TYPE_ACCESS_ALLOWED:
227 bits_remaining &= ~ace->access_mask;
229 case SEC_ACE_TYPE_ACCESS_DENIED:
230 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
231 if (bits_remaining & ace->access_mask) {
232 return NT_STATUS_ACCESS_DENIED;
235 default: /* Other ACE types not handled/supported */
241 if (bits_remaining != 0) {
242 *access_granted = bits_remaining;
243 return NT_STATUS_ACCESS_DENIED;