4 Copyright (C) Simo Sorce 2006-2008
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2007
6 Copyright (C) Nadezhda Ivanova 2009
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 * Component: DS Security descriptor module
28 * - Calculate the security descriptor of a newly created object
29 * - Perform sd recalculation on a move operation
30 * - Handle sd modification invariants
32 * Author: Nadezhda Ivanova
36 #include <ldb_module.h>
37 #include "util/dlinklist.h"
38 #include "dsdb/samdb/samdb.h"
39 #include "librpc/ndr/libndr.h"
40 #include "librpc/gen_ndr/ndr_security.h"
41 #include "libcli/security/security.h"
42 #include "auth/auth.h"
43 #include "param/param.h"
44 #include "dsdb/samdb/ldb_modules/util.h"
45 #include "lib/util/binsearch.h"
47 struct descriptor_changes {
48 struct descriptor_changes *prev, *next;
49 struct descriptor_changes *children;
50 struct ldb_dn *nc_root;
54 struct ldb_dn *stopped_dn;
57 struct descriptor_data {
58 TALLOC_CTX *trans_mem;
59 struct descriptor_changes *changes;
62 struct descriptor_context {
63 struct ldb_module *module;
64 struct ldb_request *req;
65 struct ldb_message *msg;
66 struct ldb_reply *search_res;
67 struct ldb_reply *search_oc_res;
68 struct ldb_val *parentsd_val;
69 struct ldb_message_element *sd_element;
70 struct ldb_val *sd_val;
72 int (*step_fn)(struct descriptor_context *);
75 static struct dom_sid *get_default_ag(TALLOC_CTX *mem_ctx,
77 struct security_token *token,
78 struct ldb_context *ldb)
80 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
81 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
82 struct dom_sid *da_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ADMINS);
83 struct dom_sid *ea_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ENTERPRISE_ADMINS);
84 struct dom_sid *sa_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_SCHEMA_ADMINS);
85 struct dom_sid *dag_sid;
86 struct ldb_dn *nc_root;
89 ret = dsdb_find_nc_root(ldb, tmp_ctx, dn, &nc_root);
90 if (ret != LDB_SUCCESS) {
95 if (ldb_dn_compare(nc_root, ldb_get_schema_basedn(ldb)) == 0) {
96 if (security_token_has_sid(token, sa_sid)) {
97 dag_sid = dom_sid_dup(mem_ctx, sa_sid);
98 } else if (security_token_has_sid(token, ea_sid)) {
99 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
100 } else if (security_token_has_sid(token, da_sid)) {
101 dag_sid = dom_sid_dup(mem_ctx, da_sid);
102 } else if (security_token_is_system(token)) {
103 dag_sid = dom_sid_dup(mem_ctx, sa_sid);
107 } else if (ldb_dn_compare(nc_root, ldb_get_config_basedn(ldb)) == 0) {
108 if (security_token_has_sid(token, ea_sid)) {
109 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
110 } else if (security_token_has_sid(token, da_sid)) {
111 dag_sid = dom_sid_dup(mem_ctx, da_sid);
112 } else if (security_token_is_system(token)) {
113 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
117 } else if (ldb_dn_compare(nc_root, ldb_get_default_basedn(ldb)) == 0) {
118 if (security_token_has_sid(token, da_sid)) {
119 dag_sid = dom_sid_dup(mem_ctx, da_sid);
120 } else if (security_token_has_sid(token, ea_sid)) {
121 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
122 } else if (security_token_is_system(token)) {
123 dag_sid = dom_sid_dup(mem_ctx, da_sid);
131 talloc_free(tmp_ctx);
135 static struct security_descriptor *get_sd_unpacked(struct ldb_module *module, TALLOC_CTX *mem_ctx,
136 const struct dsdb_class *objectclass)
138 struct ldb_context *ldb = ldb_module_get_ctx(module);
139 struct security_descriptor *sd;
140 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
142 if (!objectclass->defaultSecurityDescriptor || !domain_sid) {
146 sd = sddl_decode(mem_ctx,
147 objectclass->defaultSecurityDescriptor,
152 static struct dom_sid *get_default_group(TALLOC_CTX *mem_ctx,
153 struct ldb_context *ldb,
156 if (dsdb_functional_level(ldb) >= DS_DOMAIN_FUNCTION_2008) {
163 static struct security_descriptor *descr_handle_sd_flags(TALLOC_CTX *mem_ctx,
164 struct security_descriptor *new_sd,
165 struct security_descriptor *old_sd,
168 struct security_descriptor *final_sd;
169 /* if there is no control or control == 0 modify everything */
174 final_sd = talloc_zero(mem_ctx, struct security_descriptor);
175 final_sd->revision = SECURITY_DESCRIPTOR_REVISION_1;
176 final_sd->type = SEC_DESC_SELF_RELATIVE;
178 if (sd_flags & (SECINFO_OWNER)) {
179 final_sd->owner_sid = talloc_memdup(mem_ctx, new_sd->owner_sid, sizeof(struct dom_sid));
180 final_sd->type |= new_sd->type & SEC_DESC_OWNER_DEFAULTED;
183 final_sd->owner_sid = talloc_memdup(mem_ctx, old_sd->owner_sid, sizeof(struct dom_sid));
184 final_sd->type |= old_sd->type & SEC_DESC_OWNER_DEFAULTED;
187 if (sd_flags & (SECINFO_GROUP)) {
188 final_sd->group_sid = talloc_memdup(mem_ctx, new_sd->group_sid, sizeof(struct dom_sid));
189 final_sd->type |= new_sd->type & SEC_DESC_GROUP_DEFAULTED;
192 final_sd->group_sid = talloc_memdup(mem_ctx, old_sd->group_sid, sizeof(struct dom_sid));
193 final_sd->type |= old_sd->type & SEC_DESC_GROUP_DEFAULTED;
196 if (sd_flags & (SECINFO_SACL)) {
197 final_sd->sacl = security_acl_dup(mem_ctx,new_sd->sacl);
198 final_sd->type |= new_sd->type & (SEC_DESC_SACL_PRESENT |
199 SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
200 SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
201 SEC_DESC_SERVER_SECURITY);
203 else if (old_sd && old_sd->sacl) {
204 final_sd->sacl = security_acl_dup(mem_ctx,old_sd->sacl);
205 final_sd->type |= old_sd->type & (SEC_DESC_SACL_PRESENT |
206 SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
207 SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
208 SEC_DESC_SERVER_SECURITY);
211 if (sd_flags & (SECINFO_DACL)) {
212 final_sd->dacl = security_acl_dup(mem_ctx,new_sd->dacl);
213 final_sd->type |= new_sd->type & (SEC_DESC_DACL_PRESENT |
214 SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
215 SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
216 SEC_DESC_DACL_TRUSTED);
218 else if (old_sd && old_sd->dacl) {
219 final_sd->dacl = security_acl_dup(mem_ctx,old_sd->dacl);
220 final_sd->type |= old_sd->type & (SEC_DESC_DACL_PRESENT |
221 SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
222 SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
223 SEC_DESC_DACL_TRUSTED);
225 /* not so sure about this */
226 final_sd->type |= new_sd->type & SEC_DESC_RM_CONTROL_VALID;
230 static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
233 const struct dsdb_class *objectclass,
234 const struct ldb_val *parent,
235 const struct ldb_val *object,
236 const struct ldb_val *old_sd,
239 struct security_descriptor *user_descriptor = NULL, *parent_descriptor = NULL;
240 struct security_descriptor *old_descriptor = NULL;
241 struct security_descriptor *new_sd, *final_sd;
242 DATA_BLOB *linear_sd;
243 enum ndr_err_code ndr_err;
244 struct ldb_context *ldb = ldb_module_get_ctx(module);
245 struct auth_session_info *session_info
246 = ldb_get_opaque(ldb, "sessionInfo");
247 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
249 struct dom_sid *default_owner;
250 struct dom_sid *default_group;
251 struct security_descriptor *default_descriptor = NULL;
253 if (objectclass != NULL) {
254 default_descriptor = get_sd_unpacked(module, mem_ctx, objectclass);
258 user_descriptor = talloc(mem_ctx, struct security_descriptor);
259 if (!user_descriptor) {
262 ndr_err = ndr_pull_struct_blob(object, user_descriptor,
264 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
266 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
267 talloc_free(user_descriptor);
271 user_descriptor = default_descriptor;
275 old_descriptor = talloc(mem_ctx, struct security_descriptor);
276 if (!old_descriptor) {
279 ndr_err = ndr_pull_struct_blob(old_sd, old_descriptor,
281 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
283 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
284 talloc_free(old_descriptor);
290 parent_descriptor = talloc(mem_ctx, struct security_descriptor);
291 if (!parent_descriptor) {
294 ndr_err = ndr_pull_struct_blob(parent, parent_descriptor,
296 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
298 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
299 talloc_free(parent_descriptor);
304 if (user_descriptor && default_descriptor &&
305 (user_descriptor->dacl == NULL))
307 user_descriptor->dacl = default_descriptor->dacl;
308 user_descriptor->type |= default_descriptor->type & (
309 SEC_DESC_DACL_PRESENT |
310 SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
311 SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
312 SEC_DESC_DACL_TRUSTED);
315 if (user_descriptor && default_descriptor &&
316 (user_descriptor->sacl == NULL))
318 user_descriptor->sacl = default_descriptor->sacl;
319 user_descriptor->type |= default_descriptor->type & (
320 SEC_DESC_SACL_PRESENT |
321 SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
322 SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
323 SEC_DESC_SERVER_SECURITY);
327 if (!(sd_flags & SECINFO_OWNER) && user_descriptor) {
328 user_descriptor->owner_sid = NULL;
331 * We need the correct owner sid
332 * when calculating the DACL or SACL
334 if (old_descriptor) {
335 user_descriptor->owner_sid = old_descriptor->owner_sid;
338 if (!(sd_flags & SECINFO_GROUP) && user_descriptor) {
339 user_descriptor->group_sid = NULL;
342 * We need the correct group sid
343 * when calculating the DACL or SACL
345 if (old_descriptor) {
346 user_descriptor->group_sid = old_descriptor->group_sid;
349 if (!(sd_flags & SECINFO_DACL) && user_descriptor) {
350 user_descriptor->dacl = NULL;
353 * We add SEC_DESC_DACL_PROTECTED so that
354 * create_security_descriptor() skips
355 * the unused inheritance calculation
357 user_descriptor->type |= SEC_DESC_DACL_PROTECTED;
359 if (!(sd_flags & SECINFO_SACL) && user_descriptor) {
360 user_descriptor->sacl = NULL;
363 * We add SEC_DESC_SACL_PROTECTED so that
364 * create_security_descriptor() skips
365 * the unused inheritance calculation
367 user_descriptor->type |= SEC_DESC_SACL_PROTECTED;
370 default_owner = get_default_ag(mem_ctx, dn,
371 session_info->security_token, ldb);
372 default_group = get_default_group(mem_ctx, ldb, default_owner);
373 new_sd = create_security_descriptor(mem_ctx, parent_descriptor, user_descriptor, true,
374 NULL, SEC_DACL_AUTO_INHERIT|SEC_SACL_AUTO_INHERIT,
375 session_info->security_token,
376 default_owner, default_group,
377 map_generic_rights_ds);
381 final_sd = descr_handle_sd_flags(mem_ctx, new_sd, old_descriptor, sd_flags);
387 if (final_sd->dacl) {
388 final_sd->dacl->revision = SECURITY_ACL_REVISION_ADS;
390 if (final_sd->sacl) {
391 final_sd->sacl->revision = SECURITY_ACL_REVISION_ADS;
394 sddl_sd = sddl_encode(mem_ctx, final_sd, domain_sid);
395 DEBUG(10, ("Object %s created with desriptor %s\n\n", ldb_dn_get_linearized(dn), sddl_sd));
397 linear_sd = talloc(mem_ctx, DATA_BLOB);
402 ndr_err = ndr_push_struct_blob(linear_sd, mem_ctx,
404 (ndr_push_flags_fn_t)ndr_push_security_descriptor);
405 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
412 static DATA_BLOB *descr_get_descriptor_to_show(struct ldb_module *module,
417 struct security_descriptor *old_sd, *final_sd;
418 DATA_BLOB *linear_sd;
419 enum ndr_err_code ndr_err;
421 old_sd = talloc(mem_ctx, struct security_descriptor);
425 ndr_err = ndr_pull_struct_blob(sd, old_sd,
427 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
429 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
434 final_sd = descr_handle_sd_flags(mem_ctx, old_sd, NULL, sd_flags);
440 linear_sd = talloc(mem_ctx, DATA_BLOB);
445 ndr_err = ndr_push_struct_blob(linear_sd, mem_ctx,
447 (ndr_push_flags_fn_t)ndr_push_security_descriptor);
448 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
455 static struct descriptor_context *descriptor_init_context(struct ldb_module *module,
456 struct ldb_request *req)
458 struct ldb_context *ldb;
459 struct descriptor_context *ac;
461 ldb = ldb_module_get_ctx(module);
463 ac = talloc_zero(req, struct descriptor_context);
465 ldb_set_errstring(ldb, "Out of Memory");
474 static int descriptor_search_callback(struct ldb_request *req, struct ldb_reply *ares)
476 struct descriptor_context *ac;
477 struct ldb_val *sd_val = NULL;
478 struct ldb_message_element *sd_el;
482 ac = talloc_get_type(req->context, struct descriptor_context);
485 ret = LDB_ERR_OPERATIONS_ERROR;
488 if (ares->error != LDB_SUCCESS) {
489 return ldb_module_done(ac->req, ares->controls,
490 ares->response, ares->error);
493 switch (ares->type) {
494 case LDB_REPLY_ENTRY:
495 sd_el = ldb_msg_find_element(ares->message, "nTSecurityDescriptor");
497 sd_val = sd_el->values;
501 show_sd = descr_get_descriptor_to_show(ac->module, ac->req,
502 sd_val, ac->sd_flags);
504 ret = LDB_ERR_OPERATIONS_ERROR;
507 ldb_msg_remove_attr(ares->message, "nTSecurityDescriptor");
508 ret = ldb_msg_add_steal_value(ares->message, "nTSecurityDescriptor", show_sd);
509 if (ret != LDB_SUCCESS) {
513 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
515 case LDB_REPLY_REFERRAL:
516 return ldb_module_send_referral(ac->req, ares->referral);
519 return ldb_module_done(ac->req, ares->controls,
520 ares->response, ares->error);
525 return ldb_module_done(ac->req, NULL, NULL, ret);
528 static int descriptor_add(struct ldb_module *module, struct ldb_request *req)
530 struct ldb_context *ldb = ldb_module_get_ctx(module);
531 struct ldb_request *add_req;
532 struct ldb_message *msg;
533 struct ldb_result *parent_res;
534 const struct ldb_val *parent_sd = NULL;
535 const struct ldb_val *user_sd;
536 struct ldb_dn *dn = req->op.add.message->dn;
537 struct ldb_dn *parent_dn, *nc_root;
538 struct ldb_message_element *objectclass_element, *sd_element;
540 const struct dsdb_schema *schema;
542 const struct dsdb_class *objectclass;
543 static const char * const parent_attrs[] = { "nTSecurityDescriptor", NULL };
544 uint32_t instanceType;
546 uint32_t sd_flags = dsdb_request_sd_flags(req, NULL);
548 /* do not manipulate our control entries */
549 if (ldb_dn_is_special(dn)) {
550 return ldb_next_request(module, req);
553 user_sd = ldb_msg_find_ldb_val(req->op.add.message, "nTSecurityDescriptor");
554 sd_element = ldb_msg_find_element(req->op.add.message, "nTSecurityDescriptor");
555 /* nTSecurityDescriptor without a value is an error, letting through so it is handled */
556 if (user_sd == NULL && sd_element) {
557 return ldb_next_request(module, req);
560 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: %s\n", ldb_dn_get_linearized(dn));
562 instanceType = ldb_msg_find_attr_as_uint(req->op.add.message, "instanceType", 0);
564 if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) {
569 ret = dsdb_find_nc_root(ldb, req, dn, &nc_root);
570 if (ret != LDB_SUCCESS) {
571 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: Could not find NC root for %s\n",
572 ldb_dn_get_linearized(dn));
576 if (ldb_dn_compare(dn, nc_root) == 0) {
577 DEBUG(0, ("Found DN %s being a NC by the old method\n", ldb_dn_get_linearized(dn)));
583 DEBUG(2, ("DN: %s is a NC\n", ldb_dn_get_linearized(dn)));
586 /* if the object has a parent, retrieve its SD to
587 * use for calculation. Unfortunately we do not yet have
588 * instanceType, so we use dsdb_find_nc_root. */
590 parent_dn = ldb_dn_get_parent(req, dn);
591 if (parent_dn == NULL) {
595 /* we aren't any NC */
596 ret = dsdb_module_search_dn(module, req, &parent_res, parent_dn,
598 DSDB_FLAG_NEXT_MODULE |
599 DSDB_FLAG_AS_SYSTEM |
600 DSDB_SEARCH_SHOW_RECYCLED,
602 if (ret != LDB_SUCCESS) {
603 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: Could not find SD for %s\n",
604 ldb_dn_get_linearized(parent_dn));
607 if (parent_res->count != 1) {
608 return ldb_operr(ldb);
610 parent_sd = ldb_msg_find_ldb_val(parent_res->msgs[0], "nTSecurityDescriptor");
613 schema = dsdb_get_schema(ldb, req);
615 objectclass_element = ldb_msg_find_element(req->op.add.message, "objectClass");
616 if (objectclass_element == NULL) {
617 return ldb_operr(ldb);
620 objectclass = dsdb_get_last_structural_class(schema,
621 objectclass_element);
622 if (objectclass == NULL) {
623 return ldb_operr(ldb);
627 * The SD_FLAG control is ignored on add
628 * and we default to all bits set.
632 sd = get_new_descriptor(module, dn, req,
633 objectclass, parent_sd,
634 user_sd, NULL, sd_flags);
636 return ldb_operr(ldb);
638 msg = ldb_msg_copy_shallow(req, req->op.add.message);
642 if (sd_element != NULL) {
643 sd_element->values[0] = *sd;
645 ret = ldb_msg_add_steal_value(msg,
646 "nTSecurityDescriptor",
648 if (ret != LDB_SUCCESS) {
653 ret = ldb_build_add_req(&add_req, ldb, req,
656 req, dsdb_next_callback,
658 LDB_REQ_SET_LOCATION(add_req);
659 if (ret != LDB_SUCCESS) {
660 return ldb_error(ldb, ret,
661 "descriptor_add: Error creating new add request.");
664 return ldb_next_request(module, add_req);
667 static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
669 struct ldb_context *ldb = ldb_module_get_ctx(module);
670 struct ldb_request *mod_req;
671 struct ldb_message *msg;
672 struct ldb_result *current_res, *parent_res;
673 const struct ldb_val *old_sd = NULL;
674 const struct ldb_val *parent_sd = NULL;
675 const struct ldb_val *user_sd;
676 struct ldb_dn *dn = req->op.mod.message->dn;
677 struct ldb_dn *parent_dn;
678 struct ldb_message_element *objectclass_element, *sd_element;
680 uint32_t instanceType;
681 bool explicit_sd_flags = false;
682 uint32_t sd_flags = dsdb_request_sd_flags(req, &explicit_sd_flags);
683 const struct dsdb_schema *schema;
685 const struct dsdb_class *objectclass;
686 static const char * const parent_attrs[] = { "nTSecurityDescriptor", NULL };
687 static const char * const current_attrs[] = { "nTSecurityDescriptor",
689 "objectClass", NULL };
690 struct ldb_control *sd_propagation_control;
693 /* do not manipulate our control entries */
694 if (ldb_dn_is_special(dn)) {
695 return ldb_next_request(module, req);
698 sd_propagation_control = ldb_request_get_control(req,
699 DSDB_CONTROL_SEC_DESC_PROPAGATION_OID);
700 if (sd_propagation_control != NULL) {
701 if (sd_propagation_control->data != module) {
702 return ldb_operr(ldb);
704 if (req->op.mod.message->num_elements != 0) {
705 return ldb_operr(ldb);
707 if (explicit_sd_flags) {
708 return ldb_operr(ldb);
710 if (sd_flags != 0xF) {
711 return ldb_operr(ldb);
713 if (sd_propagation_control->critical == 0) {
714 return ldb_operr(ldb);
717 sd_propagation_control->critical = 0;
720 sd_element = ldb_msg_find_element(req->op.mod.message, "nTSecurityDescriptor");
721 if (sd_propagation_control == NULL && sd_element == NULL) {
722 return ldb_next_request(module, req);
726 * nTSecurityDescriptor with DELETE is not supported yet.
727 * TODO: handle this correctly.
729 if (sd_propagation_control == NULL &&
730 LDB_FLAG_MOD_TYPE(sd_element->flags) == LDB_FLAG_MOD_DELETE)
732 return ldb_module_error(module,
733 LDB_ERR_UNWILLING_TO_PERFORM,
734 "MOD_DELETE for nTSecurityDescriptor "
735 "not supported yet");
738 user_sd = ldb_msg_find_ldb_val(req->op.mod.message, "nTSecurityDescriptor");
739 /* nTSecurityDescriptor without a value is an error, letting through so it is handled */
740 if (sd_propagation_control == NULL && user_sd == NULL) {
741 return ldb_next_request(module, req);
744 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_modify: %s\n", ldb_dn_get_linearized(dn));
746 ret = dsdb_module_search_dn(module, req, ¤t_res, dn,
748 DSDB_FLAG_NEXT_MODULE |
749 DSDB_FLAG_AS_SYSTEM |
750 DSDB_SEARCH_SHOW_RECYCLED,
752 if (ret != LDB_SUCCESS) {
753 ldb_debug(ldb, LDB_DEBUG_ERROR,"descriptor_modify: Could not find %s\n",
754 ldb_dn_get_linearized(dn));
758 instanceType = ldb_msg_find_attr_as_uint(current_res->msgs[0],
760 /* if the object has a parent, retrieve its SD to
761 * use for calculation */
762 if (!ldb_dn_is_null(current_res->msgs[0]->dn) &&
763 !(instanceType & INSTANCE_TYPE_IS_NC_HEAD)) {
764 parent_dn = ldb_dn_get_parent(req, dn);
765 if (parent_dn == NULL) {
768 ret = dsdb_module_search_dn(module, req, &parent_res, parent_dn,
770 DSDB_FLAG_NEXT_MODULE |
771 DSDB_FLAG_AS_SYSTEM |
772 DSDB_SEARCH_SHOW_RECYCLED,
774 if (ret != LDB_SUCCESS) {
775 ldb_debug(ldb, LDB_DEBUG_ERROR, "descriptor_modify: Could not find SD for %s\n",
776 ldb_dn_get_linearized(parent_dn));
779 if (parent_res->count != 1) {
780 return ldb_operr(ldb);
782 parent_sd = ldb_msg_find_ldb_val(parent_res->msgs[0], "nTSecurityDescriptor");
785 schema = dsdb_get_schema(ldb, req);
787 objectclass_element = ldb_msg_find_element(current_res->msgs[0], "objectClass");
788 if (objectclass_element == NULL) {
789 return ldb_operr(ldb);
792 objectclass = dsdb_get_last_structural_class(schema,
793 objectclass_element);
794 if (objectclass == NULL) {
795 return ldb_operr(ldb);
798 old_sd = ldb_msg_find_ldb_val(current_res->msgs[0], "nTSecurityDescriptor");
799 if (old_sd == NULL) {
800 return ldb_operr(ldb);
803 if (sd_propagation_control != NULL) {
805 * This just triggers a recalculation of the
811 sd = get_new_descriptor(module, dn, req,
812 objectclass, parent_sd,
813 user_sd, old_sd, sd_flags);
815 return ldb_operr(ldb);
817 msg = ldb_msg_copy_shallow(req, req->op.mod.message);
821 cmp_ret = data_blob_cmp(old_sd, sd);
822 if (sd_propagation_control != NULL) {
825 * The nTSecurityDescriptor is unchanged,
826 * which means we can stop the processing.
828 * We mark the control as critical again,
829 * as we have not processed it, so the caller
830 * can tell that the descriptor was unchanged.
832 sd_propagation_control->critical = 1;
833 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
836 ret = ldb_msg_add_empty(msg, "nTSecurityDescriptor",
837 LDB_FLAG_MOD_REPLACE,
839 if (ret != LDB_SUCCESS) {
842 ret = ldb_msg_add_value(msg, "nTSecurityDescriptor",
844 if (ret != LDB_SUCCESS) {
847 } else if (cmp_ret != 0) {
848 struct ldb_dn *nc_root;
850 ret = dsdb_find_nc_root(ldb, msg, dn, &nc_root);
851 if (ret != LDB_SUCCESS) {
855 ret = dsdb_module_schedule_sd_propagation(module, nc_root,
857 if (ret != LDB_SUCCESS) {
858 return ldb_operr(ldb);
860 sd_element->values[0] = *sd;
862 sd_element->values[0] = *sd;
865 ret = ldb_build_mod_req(&mod_req, ldb, req,
871 LDB_REQ_SET_LOCATION(mod_req);
872 if (ret != LDB_SUCCESS) {
876 return ldb_next_request(module, mod_req);
879 static int descriptor_search(struct ldb_module *module, struct ldb_request *req)
882 struct ldb_context *ldb;
883 struct ldb_request *down_req;
884 struct descriptor_context *ac;
885 bool explicit_sd_flags = false;
886 uint32_t sd_flags = dsdb_request_sd_flags(req, &explicit_sd_flags);
887 bool show_sd = explicit_sd_flags;
890 ldb_attr_in_list(req->op.search.attrs, "nTSecurityDescriptor"))
896 return ldb_next_request(module, req);
899 ldb = ldb_module_get_ctx(module);
900 ac = descriptor_init_context(module, req);
902 return ldb_operr(ldb);
904 ac->sd_flags = sd_flags;
906 ret = ldb_build_search_req_ex(&down_req, ldb, ac,
908 req->op.search.scope,
910 req->op.search.attrs,
912 ac, descriptor_search_callback,
914 LDB_REQ_SET_LOCATION(down_req);
915 if (ret != LDB_SUCCESS) {
919 return ldb_next_request(ac->module, down_req);
922 static int descriptor_rename(struct ldb_module *module, struct ldb_request *req)
924 struct ldb_context *ldb = ldb_module_get_ctx(module);
925 struct ldb_dn *olddn = req->op.rename.olddn;
926 struct ldb_dn *newdn = req->op.rename.newdn;
929 /* do not manipulate our control entries */
930 if (ldb_dn_is_special(req->op.rename.olddn)) {
931 return ldb_next_request(module, req);
934 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_rename: %s\n",
935 ldb_dn_get_linearized(olddn));
937 if (ldb_dn_compare(olddn, newdn) != 0) {
938 struct ldb_dn *nc_root;
940 ret = dsdb_find_nc_root(ldb, req, newdn, &nc_root);
941 if (ret != LDB_SUCCESS) {
945 ret = dsdb_module_schedule_sd_propagation(module, nc_root,
947 if (ret != LDB_SUCCESS) {
948 return ldb_operr(ldb);
952 return ldb_next_request(module, req);
955 static int descriptor_extended_sec_desc_propagation(struct ldb_module *module,
956 struct ldb_request *req)
958 struct descriptor_data *descriptor_private =
959 talloc_get_type_abort(ldb_module_get_private(module),
960 struct descriptor_data);
961 struct ldb_context *ldb = ldb_module_get_ctx(module);
962 struct dsdb_extended_sec_desc_propagation_op *op;
963 TALLOC_CTX *parent_mem = NULL;
964 struct descriptor_changes *parent_change = NULL;
965 struct descriptor_changes *c;
968 op = talloc_get_type(req->op.extended.data,
969 struct dsdb_extended_sec_desc_propagation_op);
971 ldb_debug(ldb, LDB_DEBUG_FATAL,
972 "descriptor_extended_sec_desc_propagation: "
973 "invalid extended data\n");
974 return LDB_ERR_PROTOCOL_ERROR;
977 if (descriptor_private->trans_mem == NULL) {
978 return ldb_module_operr(module);
981 parent_mem = descriptor_private->trans_mem;
983 for (c = descriptor_private->changes; c; c = c->next) {
984 ret = ldb_dn_compare(c->nc_root, op->nc_root);
989 ret = ldb_dn_compare(c->dn, op->dn);
991 if (op->include_self) {
992 c->force_self = true;
994 c->force_children = true;
996 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
999 ret = ldb_dn_compare_base(c->dn, op->dn);
1009 c = talloc_zero(parent_mem, struct descriptor_changes);
1011 return ldb_module_oom(module);
1013 c->nc_root = ldb_dn_copy(c, op->nc_root);
1014 if (c->nc_root == NULL) {
1015 return ldb_module_oom(module);
1017 c->dn = ldb_dn_copy(c, op->dn);
1018 if (c->dn == NULL) {
1019 return ldb_module_oom(module);
1021 if (op->include_self) {
1022 c->force_self = true;
1024 c->force_children = true;
1027 if (parent_change != NULL) {
1028 DLIST_ADD_END(parent_change->children, c, NULL);
1030 DLIST_ADD_END(descriptor_private->changes, c, NULL);
1033 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
1036 static int descriptor_extended(struct ldb_module *module, struct ldb_request *req)
1038 if (strcmp(req->op.extended.oid, DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID) == 0) {
1039 return descriptor_extended_sec_desc_propagation(module, req);
1042 return ldb_next_request(module, req);
1045 static int descriptor_init(struct ldb_module *module)
1047 struct ldb_context *ldb = ldb_module_get_ctx(module);
1049 struct descriptor_data *descriptor_private;
1051 ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID);
1052 if (ret != LDB_SUCCESS) {
1053 ldb_debug(ldb, LDB_DEBUG_ERROR,
1054 "descriptor: Unable to register control with rootdse!\n");
1055 return ldb_operr(ldb);
1058 descriptor_private = talloc_zero(module, struct descriptor_data);
1059 if (descriptor_private == NULL) {
1061 return LDB_ERR_OPERATIONS_ERROR;
1063 ldb_module_set_private(module, descriptor_private);
1065 return ldb_next_init(module);
1068 static int descriptor_sd_propagation_object(struct ldb_module *module,
1069 struct ldb_message *msg,
1072 struct ldb_context *ldb = ldb_module_get_ctx(module);
1073 struct ldb_request *sub_req;
1074 struct ldb_result *mod_res;
1075 struct ldb_control *sd_propagation_control;
1080 mod_res = talloc_zero(msg, struct ldb_result);
1081 if (mod_res == NULL) {
1082 return ldb_module_oom(module);
1085 ret = ldb_build_mod_req(&sub_req, ldb, mod_res,
1089 ldb_modify_default_callback,
1091 LDB_REQ_SET_LOCATION(sub_req);
1092 if (ret != LDB_SUCCESS) {
1093 return ldb_module_operr(module);
1096 ldb_req_mark_trusted(sub_req);
1098 ret = ldb_request_add_control(sub_req,
1099 DSDB_CONTROL_SEC_DESC_PROPAGATION_OID,
1101 if (ret != LDB_SUCCESS) {
1102 return ldb_module_operr(module);
1105 sd_propagation_control = ldb_request_get_control(sub_req,
1106 DSDB_CONTROL_SEC_DESC_PROPAGATION_OID);
1107 if (sd_propagation_control == NULL) {
1108 return ldb_module_operr(module);
1111 ret = dsdb_request_add_controls(sub_req,
1112 DSDB_FLAG_AS_SYSTEM |
1113 DSDB_SEARCH_SHOW_RECYCLED);
1114 if (ret != LDB_SUCCESS) {
1115 return ldb_module_operr(module);
1118 ret = descriptor_modify(module, sub_req);
1119 if (ret == LDB_SUCCESS) {
1120 ret = ldb_wait(sub_req->handle, LDB_WAIT_ALL);
1122 if (ret != LDB_SUCCESS) {
1123 return ldb_module_operr(module);
1126 if (sd_propagation_control->critical != 0) {
1130 talloc_free(mod_res);
1135 static int descriptor_sd_propagation_msg_sort(struct ldb_message **m1,
1136 struct ldb_message **m2)
1138 struct ldb_dn *dn1 = (*m1)->dn;
1139 struct ldb_dn *dn2 = (*m2)->dn;
1142 * This sorts in tree order, parents first
1144 return ldb_dn_compare(dn2, dn1);
1147 static int descriptor_sd_propagation_dn_sort(struct ldb_dn *dn1,
1151 * This sorts in tree order, parents first
1153 return ldb_dn_compare(dn2, dn1);
1156 static int descriptor_sd_propagation_recursive(struct ldb_module *module,
1157 struct descriptor_changes *change)
1159 struct ldb_context *ldb = ldb_module_get_ctx(module);
1160 struct ldb_result *res = NULL;
1162 const char * const no_attrs[] = { "@__NONE__", NULL };
1163 struct descriptor_changes *c;
1164 struct descriptor_changes *stopped_stack = NULL;
1168 * Note: that we do not search for deleted/recycled objects
1170 ret = dsdb_module_search(module,
1176 DSDB_FLAG_NEXT_MODULE |
1177 DSDB_FLAG_AS_SYSTEM,
1178 NULL, /* parent_req */
1180 if (ret != LDB_SUCCESS) {
1184 TYPESAFE_QSORT(res->msgs, res->count,
1185 descriptor_sd_propagation_msg_sort);
1187 for (c = change->children; c; c = c->next) {
1188 struct ldb_message *msg = NULL;
1190 BINARY_ARRAY_SEARCH_P(res->msgs, res->count, dn, c->dn,
1191 descriptor_sd_propagation_dn_sort,
1195 ldb_debug_set(ldb, LDB_DEBUG_FATAL,
1196 "descriptor_sd_propagation_recursive: "
1197 "%s not found under %s",
1198 ldb_dn_get_linearized(c->dn),
1199 ldb_dn_get_linearized(change->dn));
1200 return LDB_ERR_OPERATIONS_ERROR;
1203 msg->elements = (struct ldb_message_element *)c;
1206 DLIST_ADD(stopped_stack, change);
1208 if (change->force_self) {
1214 for (; i < res->count; i++) {
1215 struct descriptor_changes *cur;
1218 cur = talloc_get_type(res->msgs[i]->elements,
1219 struct descriptor_changes);
1220 res->msgs[i]->elements = NULL;
1221 res->msgs[i]->num_elements = 0;
1224 DLIST_REMOVE(change->children, cur);
1227 for (c = stopped_stack; c; c = stopped_stack) {
1228 ret = ldb_dn_compare_base(c->dn,
1234 c->stopped_dn = NULL;
1235 DLIST_REMOVE(stopped_stack, c);
1239 DLIST_ADD(stopped_stack, cur);
1242 if (stopped_stack->stopped_dn != NULL) {
1243 ret = ldb_dn_compare_base(stopped_stack->stopped_dn,
1248 stopped_stack->stopped_dn = NULL;
1251 ret = descriptor_sd_propagation_object(module, res->msgs[i],
1253 if (ret != LDB_SUCCESS) {
1257 if (cur != NULL && cur->force_children) {
1262 stopped_stack->stopped_dn = res->msgs[i]->dn;
1271 static int descriptor_start_transaction(struct ldb_module *module)
1273 struct descriptor_data *descriptor_private =
1274 talloc_get_type_abort(ldb_module_get_private(module),
1275 struct descriptor_data);
1277 if (descriptor_private->trans_mem != NULL) {
1278 return ldb_module_operr(module);
1281 descriptor_private->trans_mem = talloc_new(descriptor_private);
1282 if (descriptor_private->trans_mem == NULL) {
1283 return ldb_module_oom(module);
1285 descriptor_private->changes = NULL;
1287 return ldb_next_start_trans(module);
1290 static int descriptor_prepare_commit(struct ldb_module *module)
1292 struct descriptor_data *descriptor_private =
1293 talloc_get_type_abort(ldb_module_get_private(module),
1294 struct descriptor_data);
1295 struct descriptor_changes *c, *n;
1298 for (c = descriptor_private->changes; c; c = n) {
1300 DLIST_REMOVE(descriptor_private->changes, c);
1302 ret = descriptor_sd_propagation_recursive(module, c);
1303 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
1306 if (ret != LDB_SUCCESS) {
1311 return ldb_next_prepare_commit(module);
1314 static int descriptor_end_transaction(struct ldb_module *module)
1316 struct descriptor_data *descriptor_private =
1317 talloc_get_type_abort(ldb_module_get_private(module),
1318 struct descriptor_data);
1320 TALLOC_FREE(descriptor_private->trans_mem);
1321 descriptor_private->changes = NULL;
1323 return ldb_next_end_trans(module);
1326 static int descriptor_del_transaction(struct ldb_module *module)
1328 struct descriptor_data *descriptor_private =
1329 talloc_get_type_abort(ldb_module_get_private(module),
1330 struct descriptor_data);
1332 TALLOC_FREE(descriptor_private->trans_mem);
1333 descriptor_private->changes = NULL;
1335 return ldb_next_del_trans(module);
1338 static const struct ldb_module_ops ldb_descriptor_module_ops = {
1339 .name = "descriptor",
1340 .search = descriptor_search,
1341 .add = descriptor_add,
1342 .modify = descriptor_modify,
1343 .rename = descriptor_rename,
1344 .init_context = descriptor_init,
1345 .extended = descriptor_extended,
1346 .start_transaction = descriptor_start_transaction,
1347 .prepare_commit = descriptor_prepare_commit,
1348 .end_transaction = descriptor_end_transaction,
1349 .del_transaction = descriptor_del_transaction,
1352 int ldb_descriptor_module_init(const char *version)
1354 LDB_MODULE_CHECK_VERSION(version);
1355 return ldb_register_module(&ldb_descriptor_module_ops);
git.samba.org / kai / samba-autobuild / .git / blob