2 Unix SMB/CIFS implementation.
4 Copyright (C) Andrew Tridgell 2004
5 Copyright (C) Gerald Carter 2005
6 Copyright (C) Volker Lendecke 2007
7 Copyright (C) Jeremy Allison 2008
8 Copyright (C) Andrew Bartlett 2010
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "libcli/security/security.h"
27 /* Map generic access rights to object specific rights. This technique is
28 used to give meaning to assigning read, write, execute and all access to
29 objects. Each type of object has its own mapping of generic to object
30 specific access rights. */
32 void se_map_generic(uint32_t *access_mask, const struct generic_mapping *mapping)
34 uint32_t old_mask = *access_mask;
36 if (*access_mask & GENERIC_READ_ACCESS) {
37 *access_mask &= ~GENERIC_READ_ACCESS;
38 *access_mask |= mapping->generic_read;
41 if (*access_mask & GENERIC_WRITE_ACCESS) {
42 *access_mask &= ~GENERIC_WRITE_ACCESS;
43 *access_mask |= mapping->generic_write;
46 if (*access_mask & GENERIC_EXECUTE_ACCESS) {
47 *access_mask &= ~GENERIC_EXECUTE_ACCESS;
48 *access_mask |= mapping->generic_execute;
51 if (*access_mask & GENERIC_ALL_ACCESS) {
52 *access_mask &= ~GENERIC_ALL_ACCESS;
53 *access_mask |= mapping->generic_all;
56 if (old_mask != *access_mask) {
57 DEBUG(10, ("se_map_generic(): mapped mask 0x%08x to 0x%08x\n",
58 old_mask, *access_mask));
62 /* Map generic access rights to object specific rights for all the ACE's
66 void security_acl_map_generic(struct security_acl *sa,
67 const struct generic_mapping *mapping)
75 for (i = 0; i < sa->num_aces; i++) {
76 se_map_generic(&sa->aces[i].access_mask, mapping);
80 /* Map standard access rights to object specific rights. This technique is
81 used to give meaning to assigning read, write, execute and all access to
82 objects. Each type of object has its own mapping of standard to object
83 specific access rights. */
85 void se_map_standard(uint32_t *access_mask, const struct standard_mapping *mapping)
87 uint32_t old_mask = *access_mask;
89 if (*access_mask & SEC_STD_READ_CONTROL) {
90 *access_mask &= ~SEC_STD_READ_CONTROL;
91 *access_mask |= mapping->std_read;
94 if (*access_mask & (SEC_STD_DELETE|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE)) {
95 *access_mask &= ~(SEC_STD_DELETE|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE);
96 *access_mask |= mapping->std_all;
99 if (old_mask != *access_mask) {
100 DEBUG(10, ("se_map_standard(): mapped mask 0x%08x to 0x%08x\n",
101 old_mask, *access_mask));
106 perform a SEC_FLAG_MAXIMUM_ALLOWED access check
108 static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
109 const struct security_token *token)
111 uint32_t denied = 0, granted = 0;
112 bool am_owner = false;
113 bool have_owner_rights_ace = false;
116 if (sd->dacl == NULL) {
117 if (security_token_has_sid(token, sd->owner_sid)) {
118 granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;
123 if (security_token_has_sid(token, sd->owner_sid)) {
125 * Check for explicit owner rights: if there are none, we remove
126 * the default owner right SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL
127 * from remaining_access. Otherwise we just process the
128 * explicitly granted rights when processing the ACEs.
132 for (i=0; i < sd->dacl->num_aces; i++) {
133 struct security_ace *ace = &sd->dacl->aces[i];
135 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
139 have_owner_rights_ace = dom_sid_equal(
140 &ace->trustee, &global_sid_Owner_Rights);
141 if (have_owner_rights_ace) {
147 if (am_owner && !have_owner_rights_ace) {
148 granted |= SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL;
151 for (i = 0;i<sd->dacl->num_aces; i++) {
152 struct security_ace *ace = &sd->dacl->aces[i];
153 bool is_owner_rights_ace = false;
155 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
160 is_owner_rights_ace = dom_sid_equal(
161 &ace->trustee, &global_sid_Owner_Rights);
164 if (!is_owner_rights_ace &&
165 !security_token_has_sid(token, &ace->trustee))
171 case SEC_ACE_TYPE_ACCESS_ALLOWED:
172 granted |= ace->access_mask;
174 case SEC_ACE_TYPE_ACCESS_DENIED:
175 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
176 denied |= ~granted & ace->access_mask;
178 default: /* Other ACE types not handled/supported */
183 return granted & ~denied;
187 The main entry point for access checking. If returning ACCESS_DENIED
188 this function returns the denied bits in the uint32_t pointed
189 to by the access_granted pointer.
191 NTSTATUS se_access_check(const struct security_descriptor *sd,
192 const struct security_token *token,
193 uint32_t access_desired,
194 uint32_t *access_granted)
197 uint32_t bits_remaining;
198 uint32_t explicitly_denied_bits = 0;
199 bool am_owner = false;
200 bool have_owner_rights_ace = false;
202 *access_granted = access_desired;
203 bits_remaining = access_desired;
205 /* handle the maximum allowed flag */
206 if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
207 uint32_t orig_access_desired = access_desired;
209 access_desired |= access_check_max_allowed(sd, token);
210 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
211 *access_granted = access_desired;
212 bits_remaining = access_desired;
214 DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n",
220 /* a NULL dacl allows access */
221 if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
222 *access_granted = access_desired;
226 if (sd->dacl == NULL) {
230 if (security_token_has_sid(token, sd->owner_sid)) {
232 * Check for explicit owner rights: if there are none, we remove
233 * the default owner right SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL
234 * from remaining_access. Otherwise we just process the
235 * explicitly granted rights when processing the ACEs.
239 for (i=0; i < sd->dacl->num_aces; i++) {
240 struct security_ace *ace = &sd->dacl->aces[i];
242 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
246 have_owner_rights_ace = dom_sid_equal(
247 &ace->trustee, &global_sid_Owner_Rights);
248 if (have_owner_rights_ace) {
253 if (am_owner && !have_owner_rights_ace) {
254 bits_remaining &= ~(SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL);
257 /* check each ace in turn. */
258 for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
259 struct security_ace *ace = &sd->dacl->aces[i];
260 bool is_owner_rights_ace = false;
262 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
267 is_owner_rights_ace = dom_sid_equal(
268 &ace->trustee, &global_sid_Owner_Rights);
271 if (!is_owner_rights_ace &&
272 !security_token_has_sid(token, &ace->trustee))
278 case SEC_ACE_TYPE_ACCESS_ALLOWED:
279 bits_remaining &= ~ace->access_mask;
281 case SEC_ACE_TYPE_ACCESS_DENIED:
282 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
283 explicitly_denied_bits |= (bits_remaining & ace->access_mask);
285 default: /* Other ACE types not handled/supported */
290 /* Explicitly denied bits always override */
291 bits_remaining |= explicitly_denied_bits;
294 * We check privileges here because they override even DENY entries.
297 /* Does the user have the privilege to gain SEC_PRIV_SECURITY? */
298 if (bits_remaining & SEC_FLAG_SYSTEM_SECURITY) {
299 if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
300 bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
302 return NT_STATUS_PRIVILEGE_NOT_HELD;
306 if ((bits_remaining & SEC_STD_WRITE_OWNER) &&
307 security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
308 bits_remaining &= ~(SEC_STD_WRITE_OWNER);
312 if (bits_remaining != 0) {
313 *access_granted = bits_remaining;
314 return NT_STATUS_ACCESS_DENIED;
321 The main entry point for access checking FOR THE FILE SERVER ONLY !
322 If returning ACCESS_DENIED this function returns the denied bits in
323 the uint32_t pointed to by the access_granted pointer.
325 NTSTATUS se_file_access_check(const struct security_descriptor *sd,
326 const struct security_token *token,
327 bool priv_open_requested,
328 uint32_t access_desired,
329 uint32_t *access_granted)
331 uint32_t bits_remaining;
334 if (!priv_open_requested) {
335 /* Fall back to generic se_access_check(). */
336 return se_access_check(sd,
343 * We need to handle the maximum allowed flag
344 * outside of se_access_check(), as we need to
345 * add in the access allowed by the privileges
349 if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
350 uint32_t orig_access_desired = access_desired;
352 access_desired |= access_check_max_allowed(sd, token);
353 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
355 if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
356 access_desired |= SEC_RIGHTS_PRIV_BACKUP;
359 if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
360 access_desired |= SEC_RIGHTS_PRIV_RESTORE;
363 DEBUG(10,("se_file_access_check: MAX desired = 0x%x "
369 status = se_access_check(sd,
374 if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
378 bits_remaining = *access_granted;
380 /* Check if we should override with privileges. */
381 if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
382 security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
383 bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
385 if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
386 security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
387 bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
389 if (bits_remaining != 0) {
390 *access_granted = bits_remaining;
391 return NT_STATUS_ACCESS_DENIED;
397 static const struct GUID *get_ace_object_type(struct security_ace *ace)
399 if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
400 return &ace->object.object.type.type;
407 * Evaluates access rights specified in a object-specific ACE for an AD object.
408 * This logic corresponds to MS-ADTS 5.1.3.3.3 Checking Object-Specific Access.
409 * @param[in] ace - the ACE being processed
410 * @param[in/out] tree - remaining_access gets updated for the tree
411 * @param[out] grant_access - set to true if the ACE grants sufficient access
412 * rights to the object/attribute
413 * @returns NT_STATUS_OK, unless access was denied
415 static NTSTATUS check_object_specific_access(struct security_ace *ace,
416 struct object_tree *tree,
419 struct object_tree *node = NULL;
420 const struct GUID *type = NULL;
422 *grant_access = false;
424 /* if no tree was supplied, we can't do object-specific access checks */
429 /* Get the ObjectType GUID this ACE applies to */
430 type = get_ace_object_type(ace);
433 * If the ACE doesn't have a type, then apply it to the whole tree, i.e.
434 * treat 'OA' ACEs as 'A' and 'OD' as 'D'
440 /* skip it if the ACE's ObjectType GUID is not in the tree */
441 node = get_object_tree_by_GUID(tree, type);
447 if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
449 /* apply the access rights to this node, and any children */
450 object_tree_modify_access(node, ace->access_mask);
453 * Currently all nodes in the tree request the same access mask,
454 * so we can use any node to check if processing this ACE now
455 * means the requested access has been granted
457 if (node->remaining_access == 0) {
458 *grant_access = true;
463 * As per 5.1.3.3.4 Checking Control Access Right-Based Access,
464 * if the CONTROL_ACCESS right is present, then we can grant
465 * access and stop any further access checks
467 if (ace->access_mask & SEC_ADS_CONTROL_ACCESS) {
468 *grant_access = true;
473 /* this ACE denies access to the requested object/attribute */
474 if (node->remaining_access & ace->access_mask){
475 return NT_STATUS_ACCESS_DENIED;
482 * @brief Perform directoryservice (DS) related access checks for a given user
484 * Perform DS access checks for the user represented by its security_token, on
485 * the provided security descriptor. If an tree associating GUID and access
486 * required is provided then object access (OA) are checked as well. *
487 * @param[in] sd The security descritor against which the required
488 * access are requested
490 * @param[in] token The security_token associated with the user to
493 * @param[in] access_desired A bitfield of rights that must be granted for the
494 * given user in the specified SD.
497 * of the entry in the tree grants all the requested rights for the given GUID
499 * tree can be null if not null it's the
500 * Lots of code duplication, it will ve united in just one
501 * function eventually */
503 NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
504 const struct security_token *token,
505 uint32_t access_desired,
506 uint32_t *access_granted,
507 struct object_tree *tree,
508 struct dom_sid *replace_sid)
511 uint32_t bits_remaining;
512 struct dom_sid self_sid;
514 dom_sid_parse(SID_NT_SELF, &self_sid);
516 *access_granted = access_desired;
517 bits_remaining = access_desired;
519 /* handle the maximum allowed flag */
520 if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
521 access_desired |= access_check_max_allowed(sd, token);
522 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
523 *access_granted = access_desired;
524 bits_remaining = access_desired;
527 if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
528 if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
529 bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
531 return NT_STATUS_PRIVILEGE_NOT_HELD;
535 /* the owner always gets SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL */
536 if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL)) &&
537 security_token_has_sid(token, sd->owner_sid)) {
538 bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL);
541 /* SEC_PRIV_TAKE_OWNERSHIP grants SEC_STD_WRITE_OWNER */
542 if ((bits_remaining & (SEC_STD_WRITE_OWNER)) &&
543 security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
544 bits_remaining &= ~(SEC_STD_WRITE_OWNER);
547 /* a NULL dacl allows access */
548 if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
549 *access_granted = access_desired;
553 if (sd->dacl == NULL) {
557 /* check each ace in turn. */
558 for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
559 struct dom_sid *trustee;
560 struct security_ace *ace = &sd->dacl->aces[i];
562 bool grant_access = false;
564 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
568 if (dom_sid_equal(&ace->trustee, &self_sid) && replace_sid) {
569 trustee = replace_sid;
571 trustee = &ace->trustee;
574 if (!security_token_has_sid(token, trustee)) {
579 case SEC_ACE_TYPE_ACCESS_ALLOWED:
581 object_tree_modify_access(tree, ace->access_mask);
584 bits_remaining &= ~ace->access_mask;
586 case SEC_ACE_TYPE_ACCESS_DENIED:
587 if (bits_remaining & ace->access_mask) {
588 return NT_STATUS_ACCESS_DENIED;
591 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
592 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
593 status = check_object_specific_access(ace, tree,
596 if (!NT_STATUS_IS_OK(status)) {
604 default: /* Other ACE types not handled/supported */
610 if (bits_remaining != 0) {
611 return NT_STATUS_ACCESS_DENIED;
git.samba.org / gd / samba-autobuild / .git / blob