source3/lib/util_seaccess.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Copyright (C) Andrew Tridgell 2004
   5    Copyright (C) Gerald Carter 2005
   6    Copyright (C) Volker Lendecke 2007
   7    Copyright (C) Jeremy Allison 2008
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "includes.h"
  24 #include "libcli/security/security.h"
  25
  26 /* Map generic access rights to object specific rights.  This technique is
  27    used to give meaning to assigning read, write, execute and all access to
  28    objects.  Each type of object has its own mapping of generic to object
  29    specific access rights. */
  30
  31 void se_map_generic(uint32 *access_mask, const struct generic_mapping *mapping)
  32 {
  33         uint32 old_mask = *access_mask;
  34
  35         if (*access_mask & GENERIC_READ_ACCESS) {
  36                 *access_mask &= ~GENERIC_READ_ACCESS;
  37                 *access_mask |= mapping->generic_read;
  38         }
  39
  40         if (*access_mask & GENERIC_WRITE_ACCESS) {
  41                 *access_mask &= ~GENERIC_WRITE_ACCESS;
  42                 *access_mask |= mapping->generic_write;
  43         }
  44
  45         if (*access_mask & GENERIC_EXECUTE_ACCESS) {
  46                 *access_mask &= ~GENERIC_EXECUTE_ACCESS;
  47                 *access_mask |= mapping->generic_execute;
  48         }
  49
  50         if (*access_mask & GENERIC_ALL_ACCESS) {
  51                 *access_mask &= ~GENERIC_ALL_ACCESS;
  52                 *access_mask |= mapping->generic_all;
  53         }
  54
  55         if (old_mask != *access_mask) {
  56                 DEBUG(10, ("se_map_generic(): mapped mask 0x%08x to 0x%08x\n",
  57                            old_mask, *access_mask));
  58         }
  59 }
  60
  61 /* Map generic access rights to object specific rights for all the ACE's
  62  * in a security_acl.
  63  */
  64
  65 void security_acl_map_generic(struct security_acl *sa,
  66                                 const struct generic_mapping *mapping)
  67 {
  68         unsigned int i;
  69
  70         if (!sa) {
  71                 return;
  72         }
  73
  74         for (i = 0; i < sa->num_aces; i++) {
  75                 se_map_generic(&sa->aces[i].access_mask, mapping);
  76         }
  77 }
  78
  79 /* Map standard access rights to object specific rights.  This technique is
  80    used to give meaning to assigning read, write, execute and all access to
  81    objects.  Each type of object has its own mapping of standard to object
  82    specific access rights. */
  83
  84 void se_map_standard(uint32 *access_mask, const struct standard_mapping *mapping)
  85 {
  86         uint32 old_mask = *access_mask;
  87
  88         if (*access_mask & SEC_STD_READ_CONTROL) {
  89                 *access_mask &= ~SEC_STD_READ_CONTROL;
  90                 *access_mask |= mapping->std_read;
  91         }
  92
  93         if (*access_mask & (SEC_STD_DELETE|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE)) {
  94                 *access_mask &= ~(SEC_STD_DELETE|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE);
  95                 *access_mask |= mapping->std_all;
  96         }
  97
  98         if (old_mask != *access_mask) {
  99                 DEBUG(10, ("se_map_standard(): mapped mask 0x%08x to 0x%08x\n",
 100                            old_mask, *access_mask));
 101         }
 102 }
 103
 104 /*
 105   perform a SEC_FLAG_MAXIMUM_ALLOWED access check
 106 */
 107 static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
 108                                         const struct security_token *token)
 109 {
 110         uint32_t denied = 0, granted = 0;
 111         unsigned i;
 112
 113         if (is_sid_in_token(token, sd->owner_sid)) {
 114                 granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_STD_DELETE;
 115         } else if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
 116                 granted |= SEC_STD_DELETE;
 117         }
 118
 119         if (sd->dacl == NULL) {
 120                 return granted & ~denied;
 121         }
 122
 123         for (i = 0;i<sd->dacl->num_aces; i++) {
 124                 struct security_ace *ace = &sd->dacl->aces[i];
 125
 126                 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
 127                         continue;
 128                 }
 129
 130                 if (!is_sid_in_token(token, &ace->trustee)) {
 131                         continue;
 132                 }
 133
 134                 switch (ace->type) {
 135                 case SEC_ACE_TYPE_ACCESS_ALLOWED:
 136                         granted |= ace->access_mask;
 137                         break;
 138                 case SEC_ACE_TYPE_ACCESS_DENIED:
 139                 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
 140                         denied |= ace->access_mask;
 141                         break;
 142                 default:        /* Other ACE types not handled/supported */
 143                         break;
 144                 }
 145         }
 146
 147         return granted & ~denied;
 148 }
 149
 150 /*
 151   The main entry point for access checking. If returning ACCESS_DENIED
 152   this function returns the denied bits in the uint32_t pointed
 153   to by the access_granted pointer.
 154 */
 155 NTSTATUS se_access_check(const struct security_descriptor *sd,
 156                           const struct security_token *token,
 157                           uint32_t access_desired,
 158                           uint32_t *access_granted)
 159 {
 160         int i;
 161         uint32_t bits_remaining;
 162
 163         *access_granted = access_desired;
 164         bits_remaining = access_desired;
 165
 166         /* handle the maximum allowed flag */
 167         if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
 168                 uint32_t orig_access_desired = access_desired;
 169
 170                 access_desired |= access_check_max_allowed(sd, token);
 171                 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
 172                 *access_granted = access_desired;
 173                 bits_remaining = access_desired & ~SEC_STD_DELETE;
 174
 175                 DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n",
 176                         orig_access_desired,
 177                         *access_granted,
 178                         bits_remaining));
 179         }
 180
 181 #if 0
 182         /* We need to support SeSecurityPrivilege for this. */
 183
 184         if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
 185                 if (user_has_privileges(token, &sec_security)) {
 186                         bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
 187                 } else {
 188                         return NT_STATUS_PRIVILEGE_NOT_HELD;
 189                 }
 190         }
 191 #endif
 192
 193         /* a NULL dacl allows access */
 194         if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
 195                 *access_granted = access_desired;
 196                 return NT_STATUS_OK;
 197         }
 198
 199         /* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */
 200         if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) &&
 201             is_sid_in_token(token, sd->owner_sid)) {
 202                 bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE);
 203         }
 204         if ((bits_remaining & SEC_STD_DELETE) &&
 205             (security_token_has_privilege(token, SEC_PRIV_RESTORE))) {
 206                 bits_remaining &= ~SEC_STD_DELETE;
 207         }
 208
 209         if (sd->dacl == NULL) {
 210                 goto done;
 211         }
 212
 213         /* check each ace in turn. */
 214         for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
 215                 struct security_ace *ace = &sd->dacl->aces[i];
 216
 217                 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
 218                         continue;
 219                 }
 220
 221                 if (!is_sid_in_token(token, &ace->trustee)) {
 222                         continue;
 223                 }
 224
 225                 switch (ace->type) {
 226                 case SEC_ACE_TYPE_ACCESS_ALLOWED:
 227                         bits_remaining &= ~ace->access_mask;
 228                         break;
 229                 case SEC_ACE_TYPE_ACCESS_DENIED:
 230                 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
 231                         if (bits_remaining & ace->access_mask) {
 232                                 return NT_STATUS_ACCESS_DENIED;
 233                         }
 234                         break;
 235                 default:        /* Other ACE types not handled/supported */
 236                         break;
 237                 }
 238         }
 239
 240 done:
 241         if (bits_remaining != 0) {
 242                 *access_granted = bits_remaining;
 243                 return NT_STATUS_ACCESS_DENIED;
 244         }
 245
 246         return NT_STATUS_OK;
 247 }