2 * Unix SMB/CIFS implementation.
3 * Group Policy Object Support
4 * Copyright (C) Wilco Baan Hofman 2010
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
20 #include "../libcli/security/dom_sid.h"
21 #include "../libcli/security/security_descriptor.h"
22 #include "../librpc/ndr/libndr.h"
23 #include "param/param.h"
24 #include "lib/policy/policy.h"
26 static uint32_t gp_ads_to_dir_access_mask(uint32_t access_mask)
30 /* Copy the standard access mask */
31 fs_mask = access_mask & 0x001F0000;
33 /* When READ_PROP and LIST_CONTENTS are set, read access is granted on the GPT */
34 if (access_mask & SEC_ADS_READ_PROP && access_mask & SEC_ADS_LIST) {
35 fs_mask |= SEC_STD_SYNCHRONIZE | SEC_DIR_LIST | SEC_DIR_READ_ATTRIBUTE |
36 SEC_DIR_READ_EA | SEC_DIR_TRAVERSE;
39 /* When WRITE_PROP is set, full write access is granted on the GPT */
40 if (access_mask & SEC_ADS_WRITE_PROP) {
41 fs_mask |= SEC_STD_SYNCHRONIZE | SEC_DIR_WRITE_ATTRIBUTE |
42 SEC_DIR_WRITE_EA | SEC_DIR_ADD_FILE |
46 /* Map CREATE_CHILD to add file and add subdir */
47 if (access_mask & SEC_ADS_CREATE_CHILD)
48 fs_mask |= SEC_DIR_ADD_FILE | SEC_DIR_ADD_SUBDIR;
50 /* Map ADS delete child to dir delete child */
51 if (access_mask & SEC_ADS_DELETE_CHILD)
52 fs_mask |= SEC_DIR_DELETE_CHILD;
57 NTSTATUS gp_create_gpt_security_descriptor (TALLOC_CTX *mem_ctx, struct security_descriptor *ds_sd, struct security_descriptor **ret)
59 struct security_descriptor *fs_sd;
62 /* Allocate the file system security descriptor */
63 fs_sd = talloc(mem_ctx, struct security_descriptor);
65 /* Copy the basic information from the directory server security descriptor */
66 fs_sd->owner_sid = talloc_memdup(fs_sd, ds_sd->owner_sid, sizeof(struct dom_sid));
67 fs_sd->group_sid = talloc_memdup(fs_sd, ds_sd->group_sid, sizeof(struct dom_sid));
68 fs_sd->type = ds_sd->type;
69 fs_sd->revision = ds_sd->revision;
72 fs_sd->sacl = security_acl_dup(fs_sd, ds_sd->sacl);
75 fs_sd->dacl = talloc_zero(fs_sd, struct security_acl);
77 for (i = 0; i < ds_sd->dacl->num_aces; i++) {
78 char *trustee = dom_sid_string(fs_sd, &ds_sd->dacl->aces[i].trustee);
79 struct security_ace *ace;
81 /* Don't add the allow for SID_BUILTIN_PREW2K */
82 if (!(ds_sd->dacl->aces[i].type & SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) &&
83 strcmp(trustee, SID_BUILTIN_PREW2K) == 0) {
88 /* Copy the ace from the directory server security descriptor */
89 ace = talloc_memdup(fs_sd, &ds_sd->dacl->aces[i], sizeof(struct security_ace));
91 /* Set specific inheritance flags for within the GPO */
92 ace->flags |= SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_CONTAINER_INHERIT;
93 if (strcmp(trustee, SID_CREATOR_OWNER) == 0) {
94 ace->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
97 /* Get a directory access mask from the assigned access mask on the LDAP object */
98 ace->access_mask = gp_ads_to_dir_access_mask(ace->access_mask);
100 /* Add the ace to the security descriptor DACL */
101 security_descriptor_dacl_add(fs_sd, ace);
103 /* Clean up the allocated data in this iteration */
104 talloc_free(trustee);
112 NTSTATUS gp_create_gpo (struct gp_context *gp_ctx, const char *display_name, struct gp_object **ret)
114 struct GUID guid_struct;
117 struct security_descriptor *sd;
119 struct gp_object *gpo;
123 /* Create a forked memory context, as a base for everything here */
124 mem_ctx = talloc_new(gp_ctx);
126 /* Create the gpo struct to return later */
127 gpo = talloc(gp_ctx, struct gp_object);
129 /* Generate a GUID */
130 guid_struct = GUID_random();
131 guid_str = GUID_string(mem_ctx, &guid_struct);
132 name = talloc_asprintf(gpo, "{%s}", guid_str);
133 for (i = 0; name[i] != '\0'; i++) {
134 name[i] = toupper(name[i]);
137 /* Prepare the GPO struct */
142 gpo->display_name = talloc_strdup(gpo, display_name);
143 gpo->file_sys_path = talloc_asprintf(gpo, "\\\\%s\\sysvol\\%s\\Policies\\%s", lp_realm(gp_ctx->lp_ctx), lp_realm(gp_ctx->lp_ctx), name);
146 status = gp_create_gpt(gp_ctx, name, gpo->file_sys_path);
147 if (!NT_STATUS_IS_OK(status)) {
148 DEBUG(0, ("Failed to create GPT\n"));
149 talloc_free(mem_ctx);
154 /* Create the LDAP GPO, including CN=User and CN=Machine */
155 status = gp_create_ldap_gpo(gp_ctx, gpo);
156 if (!NT_STATUS_IS_OK(status)) {
157 DEBUG(0, ("Failed to create LDAP group policy object\n"));
158 talloc_free(mem_ctx);
162 /* Get the new security descriptor */
163 status = gp_get_gpo_info(gp_ctx, gpo->dn, &gpo);
164 if (!NT_STATUS_IS_OK(status)) {
165 DEBUG(0, ("Failed to fetch LDAP group policy object\n"));
166 talloc_free(mem_ctx);
170 /* Create matching file and DS security descriptors */
171 status = gp_create_gpt_security_descriptor(mem_ctx, gpo->security_descriptor, &sd);
172 if (!NT_STATUS_IS_OK(status)) {
173 DEBUG(0, ("Failed to convert ADS security descriptor to filesystem security descriptor\n"));
174 talloc_free(mem_ctx);
178 /* Set the security descriptor on the filesystem for this GPO */
179 status = gp_set_gpt_security_descriptor(gp_ctx, gpo, sd);
180 if (!NT_STATUS_IS_OK(status)) {
181 DEBUG(0, ("Failed to set security descriptor (ACL) on the file system\n"));
182 talloc_free(mem_ctx);
186 talloc_free(mem_ctx);
192 NTSTATUS gp_set_acl (struct gp_context *gp_ctx, const char *dn_str, const struct security_descriptor *sd)
195 struct security_descriptor *fs_sd;
196 struct gp_object *gpo;
199 /* Create a forked memory context, as a base for everything here */
200 mem_ctx = talloc_new(gp_ctx);
202 /* Set the ACL on LDAP database */
203 status = gp_set_ads_acl(gp_ctx, dn_str, sd);
204 if (!NT_STATUS_IS_OK(status)) {
205 DEBUG(0, ("Failed to set ACL on ADS\n"));
206 talloc_free(mem_ctx);
210 /* Get the group policy object information, for filesystem location and merged sd */
211 status = gp_get_gpo_info(gp_ctx, dn_str, &gpo);
212 if (!NT_STATUS_IS_OK(status)) {
213 DEBUG(0, ("Failed to set ACL on ADS\n"));
214 talloc_free(mem_ctx);
218 /* Create matching file and DS security descriptors */
219 status = gp_create_gpt_security_descriptor(mem_ctx, gpo->security_descriptor, &fs_sd);
220 if (!NT_STATUS_IS_OK(status)) {
221 DEBUG(0, ("Failed to convert ADS security descriptor to filesystem security descriptor\n"));
222 talloc_free(mem_ctx);
226 /* Set the security descriptor on the filesystem for this GPO */
227 status = gp_set_gpt_security_descriptor(gp_ctx, gpo, fs_sd);
228 if (!NT_STATUS_IS_OK(status)) {
229 DEBUG(0, ("Failed to set security descriptor (ACL) on the file system\n"));
230 talloc_free(mem_ctx);
234 talloc_free(mem_ctx);