source/libcli/security/access_check.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    security access checking routines
   5
   6    Copyright (C) Andrew Tridgell 2004
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program; if not, write to the Free Software
  20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21 */
  22
  23 #include "includes.h"
  24 #include "libcli/security/security.h"
  25
  26
  27 /*
  28   perform a SEC_FLAG_MAXIMUM_ALLOWED access check
  29 */
  30 static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
  31                                          const struct security_token *token)
  32 {
  33         uint32_t denied = 0, granted = 0;
  34         unsigned i;
  35
  36         if (security_token_has_sid(token, sd->owner_sid)) {
  37                 granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_STD_DELETE;
  38         } else if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
  39                 granted |= SEC_STD_DELETE;
  40         }
  41
  42         for (i = 0;i<sd->dacl->num_aces; i++) {
  43                 struct security_ace *ace = &sd->dacl->aces[i];
  44
  45                 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
  46                         continue;
  47                 }
  48
  49                 if (!security_token_has_sid(token, &ace->trustee)) {
  50                         continue;
  51                 }
  52
  53                 switch (ace->type) {
  54                 case SEC_ACE_TYPE_ACCESS_ALLOWED:
  55                         granted |= ace->access_mask;
  56                         break;
  57                 case SEC_ACE_TYPE_ACCESS_DENIED:
  58                 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
  59                         denied |= ace->access_mask;
  60                         break;
  61                 default:        /* Other ACE types not handled/supported */
  62                         break;
  63                 }
  64         }
  65
  66         return granted & ~denied;
  67 }
  68
  69 /*
  70   the main entry point for access checking.
  71 */
  72 NTSTATUS sec_access_check(const struct security_descriptor *sd,
  73                           const struct security_token *token,
  74                           uint32_t access_desired,
  75                           uint32_t *access_granted)
  76 {
  77         int i;
  78         uint32_t bits_remaining;
  79
  80         *access_granted = access_desired;
  81         bits_remaining = access_desired;
  82
  83         /* handle the maximum allowed flag */
  84         if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
  85                 access_desired |= access_check_max_allowed(sd, token);
  86                 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
  87                 *access_granted = access_desired;
  88                 bits_remaining = access_desired & ~SEC_STD_DELETE;
  89         }
  90
  91         if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
  92                 if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
  93                         bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
  94                 } else {
  95                         return NT_STATUS_PRIVILEGE_NOT_HELD;
  96                 }
  97         }
  98
  99         /* dacl not present allows access */
 100         if (!(sd->type & SEC_DESC_DACL_PRESENT)) {
 101                 *access_granted = access_desired;
 102                 return NT_STATUS_OK;
 103         }
 104
 105         /* empty dacl denies access */
 106         if (sd->dacl == NULL || sd->dacl->num_aces == 0) {
 107                 return NT_STATUS_ACCESS_DENIED;
 108         }
 109
 110         /* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */
 111         if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) &&
 112             security_token_has_sid(token, sd->owner_sid)) {
 113                 bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE);
 114         }
 115         if ((bits_remaining & SEC_STD_DELETE) &&
 116             security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
 117                 bits_remaining &= ~SEC_STD_DELETE;
 118         }
 119
 120         /* check each ace in turn. */
 121         for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
 122                 struct security_ace *ace = &sd->dacl->aces[i];
 123
 124                 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
 125                         continue;
 126                 }
 127
 128                 if (!security_token_has_sid(token, &ace->trustee)) {
 129                         continue;
 130                 }
 131
 132                 switch (ace->type) {
 133                 case SEC_ACE_TYPE_ACCESS_ALLOWED:
 134                         bits_remaining &= ~ace->access_mask;
 135                         break;
 136                 case SEC_ACE_TYPE_ACCESS_DENIED:
 137                 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
 138                         if (bits_remaining & ace->access_mask) {
 139                                 return NT_STATUS_ACCESS_DENIED;
 140                         }
 141                         break;
 142                 default:        /* Other ACE types not handled/supported */
 143                         break;
 144                 }
 145         }
 146
 147         if (bits_remaining != 0) {
 148                 return NT_STATUS_ACCESS_DENIED;
 149         }
 150
 151         return NT_STATUS_OK;
 152 }