4 Copyright (C) Andrew Bartlett 2005
5 Copyright (C) Simo Sorce 2006-2008
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 * Component: ldb kludge ACL module
26 * Description: Simple module to enforce a simple form of access
27 * control, sufficient for securing a default Samba4
30 * Author: Andrew Bartlett
34 #include "ldb_module.h"
35 #include "auth/auth.h"
36 #include "libcli/security/security.h"
37 #include "dsdb/samdb/samdb.h"
38 #include "param/param.h"
39 #include "lib/util/tsort.h"
43 * - System can read passwords
44 * - Administrators can write anything
45 * - Users can read anything that is not a password
49 struct kludge_private_data {
50 const char **password_attrs;
54 static enum security_user_level what_is_user(struct ldb_module *module)
56 struct ldb_context *ldb = ldb_module_get_ctx(module);
57 struct auth_session_info *session_info
58 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
59 return security_session_user_level(session_info, NULL);
62 static const char *user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module)
64 struct ldb_context *ldb = ldb_module_get_ctx(module);
65 struct auth_session_info *session_info
66 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
68 return "UNKNOWN (NULL)";
71 return talloc_asprintf(mem_ctx, "%s\\%s",
72 session_info->server_info->domain_name,
73 session_info->server_info->account_name);
77 struct kludge_acl_context {
79 struct ldb_module *module;
80 struct ldb_request *req;
82 enum security_user_level user_type;
83 bool allowedAttributes;
84 bool allowedAttributesEffective;
85 bool allowedChildClasses;
86 bool allowedChildClassesEffective;
87 const char * const *attrs;
90 /* read all objectClasses */
92 static int kludge_acl_allowedAttributes(struct ldb_context *ldb, struct ldb_message *msg,
95 struct ldb_message_element *oc_el;
96 struct ldb_message_element *allowedAttributes;
97 /* We need to ensure that the strings returned are valid for as long as the msg is valid */
98 const struct dsdb_schema *schema = dsdb_get_schema(ldb, msg);
100 const char **attr_list;
104 /* If we don't have a schema yet, we can't do anything... */
105 if (schema == NULL) {
109 /* Must remove any existing attribute, or else confusion reins */
110 ldb_msg_remove_attr(msg, attrName);
111 ret = ldb_msg_add_empty(msg, attrName, 0, &allowedAttributes);
112 if (ret != LDB_SUCCESS) {
116 mem_ctx = talloc_new(msg);
121 /* To ensure that oc_el is valid, we must look for it after
122 we alter the element array in ldb_msg_add_empty() */
123 oc_el = ldb_msg_find_element(msg, "objectClass");
125 attr_list = dsdb_full_attribute_list(mem_ctx, schema, oc_el, DSDB_SCHEMA_ALL);
127 ldb_asprintf_errstring(ldb, "kludge_acl: Failed to get list of attributes create %s attribute", attrName);
128 talloc_free(mem_ctx);
129 return LDB_ERR_OPERATIONS_ERROR;
132 for (i=0; attr_list && attr_list[i]; i++) {
133 ldb_msg_add_string(msg, attrName, attr_list[i]);
135 talloc_free(mem_ctx);
139 /* read all objectClasses */
141 static int kludge_acl_childClasses(struct ldb_context *ldb, struct ldb_message *msg,
142 const char *attrName)
144 struct ldb_message_element *oc_el;
145 struct ldb_message_element *allowedClasses;
147 /* We need to ensure that the strings returned are valid for as long as the msg is valid */
148 const struct dsdb_schema *schema = dsdb_get_schema(ldb, msg);
149 const struct dsdb_class *sclass;
153 /* If we don't have a schema yet, we can't do anything... */
154 if (schema == NULL) {
158 /* Must remove any existing attribute, or else confusion reins */
159 ldb_msg_remove_attr(msg, attrName);
160 ret = ldb_msg_add_empty(msg, attrName, 0, &allowedClasses);
161 if (ret != LDB_SUCCESS) {
165 /* To ensure that oc_el is valid, we must look for it after
166 we alter the element array in ldb_msg_add_empty() */
167 oc_el = ldb_msg_find_element(msg, "objectClass");
169 for (i=0; oc_el && i < oc_el->num_values; i++) {
170 sclass = dsdb_class_by_lDAPDisplayName_ldb_val(schema, &oc_el->values[i]);
172 /* We don't know this class? what is going on? */
176 for (j=0; sclass->possibleInferiors && sclass->possibleInferiors[j]; j++) {
177 ldb_msg_add_string(msg, attrName, sclass->possibleInferiors[j]);
181 if (allowedClasses->num_values > 1) {
182 TYPESAFE_QSORT(allowedClasses->values, allowedClasses->num_values, data_blob_cmp);
184 for (i=1 ; i < allowedClasses->num_values; i++) {
186 struct ldb_val *val1 = &allowedClasses->values[i-1];
187 struct ldb_val *val2 = &allowedClasses->values[i];
188 if (data_blob_cmp(val1, val2) == 0) {
189 memmove(val1, val2, (allowedClasses->num_values - i) * sizeof( struct ldb_val));
190 allowedClasses->num_values--;
199 /* find all attributes allowed by all these objectClasses */
201 static int kludge_acl_callback(struct ldb_request *req, struct ldb_reply *ares)
203 struct ldb_context *ldb;
204 struct kludge_acl_context *ac;
205 struct kludge_private_data *data;
209 ac = talloc_get_type(req->context, struct kludge_acl_context);
210 data = talloc_get_type(ldb_module_get_private(ac->module), struct kludge_private_data);
211 ldb = ldb_module_get_ctx(ac->module);
214 return ldb_module_done(ac->req, NULL, NULL,
215 LDB_ERR_OPERATIONS_ERROR);
217 if (ares->error != LDB_SUCCESS) {
218 return ldb_module_done(ac->req, ares->controls,
219 ares->response, ares->error);
222 switch (ares->type) {
223 case LDB_REPLY_ENTRY:
224 if (ac->allowedAttributes) {
225 ret = kludge_acl_allowedAttributes(ldb,
227 "allowedAttributes");
228 if (ret != LDB_SUCCESS) {
229 return ldb_module_done(ac->req, NULL, NULL, ret);
232 if (ac->allowedChildClasses) {
233 ret = kludge_acl_childClasses(ldb,
235 "allowedChildClasses");
236 if (ret != LDB_SUCCESS) {
237 return ldb_module_done(ac->req, NULL, NULL, ret);
241 if (data && data->password_attrs) /* if we are not initialized just get through */
243 switch (ac->user_type) {
244 case SECURITY_SYSTEM:
245 if (ac->allowedAttributesEffective) {
246 ret = kludge_acl_allowedAttributes(ldb, ares->message,
247 "allowedAttributesEffective");
248 if (ret != LDB_SUCCESS) {
249 return ldb_module_done(ac->req, NULL, NULL, ret);
252 if (ac->allowedChildClassesEffective) {
253 ret = kludge_acl_childClasses(ldb, ares->message,
254 "allowedChildClassesEffective");
255 if (ret != LDB_SUCCESS) {
256 return ldb_module_done(ac->req, NULL, NULL, ret);
261 case SECURITY_ADMINISTRATOR:
262 if (ac->allowedAttributesEffective) {
263 ret = kludge_acl_allowedAttributes(ldb, ares->message,
264 "allowedAttributesEffective");
265 if (ret != LDB_SUCCESS) {
266 return ldb_module_done(ac->req, NULL, NULL, ret);
269 if (ac->allowedChildClassesEffective) {
270 ret = kludge_acl_childClasses(ldb, ares->message,
271 "allowedChildClassesEffective");
272 if (ret != LDB_SUCCESS) {
273 return ldb_module_done(ac->req, NULL, NULL, ret);
278 /* remove password attributes */
279 for (i = 0; data->password_attrs[i]; i++) {
280 ldb_msg_remove_attr(ares->message, data->password_attrs[i]);
285 if (ac->allowedAttributes ||
286 ac->allowedAttributesEffective ||
287 ac->allowedChildClasses ||
288 ac->allowedChildClassesEffective) {
290 if (!ldb_attr_in_list(ac->attrs, "objectClass") &&
291 !ldb_attr_in_list(ac->attrs, "*")) {
293 ldb_msg_remove_attr(ares->message,
298 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
300 case LDB_REPLY_REFERRAL:
301 return ldb_module_send_referral(ac->req, ares->referral);
304 return ldb_module_done(ac->req, ares->controls,
305 ares->response, LDB_SUCCESS);
311 static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
313 struct ldb_context *ldb;
314 struct kludge_acl_context *ac;
315 struct ldb_request *down_req;
316 struct kludge_private_data *data;
317 const char * const *attrs;
321 ldb = ldb_module_get_ctx(module);
323 ac = talloc(req, struct kludge_acl_context);
328 data = talloc_get_type(ldb_module_get_private(module), struct kludge_private_data);
330 if (data && data->acl_perform)
331 return ldb_next_request(module, req);
335 ac->user_type = what_is_user(module);
336 ac->attrs = req->op.search.attrs;
338 ac->allowedAttributes = ldb_attr_in_list(req->op.search.attrs, "allowedAttributes");
340 ac->allowedAttributesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedAttributesEffective");
342 ac->allowedChildClasses = ldb_attr_in_list(req->op.search.attrs, "allowedChildClasses");
344 ac->allowedChildClassesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedChildClassesEffective");
346 if (ac->allowedAttributes || ac->allowedAttributesEffective || ac->allowedChildClasses || ac->allowedChildClassesEffective) {
347 attrs = ldb_attr_list_copy_add(ac, req->op.search.attrs, "objectClass");
349 attrs = req->op.search.attrs;
352 /* replace any attributes in the parse tree that are private,
353 so we don't allow a search for 'userPassword=penguin',
354 just as we would not allow that attribute to be returned */
355 switch (ac->user_type) {
356 case SECURITY_SYSTEM:
359 /* FIXME: We should copy the tree and keep the original unmodified. */
360 /* remove password attributes */
362 if (!data || !data->password_attrs) {
365 for (i = 0; data->password_attrs[i]; i++) {
366 ldb_parse_tree_attr_replace(req->op.search.tree,
367 data->password_attrs[i],
368 "kludgeACLredactedattribute");
372 ret = ldb_build_search_req_ex(&down_req,
375 req->op.search.scope,
379 ac, kludge_acl_callback,
381 if (ret != LDB_SUCCESS) {
385 /* perform the search */
386 return ldb_next_request(module, down_req);
389 /* ANY change type */
390 static int kludge_acl_change(struct ldb_module *module, struct ldb_request *req)
392 struct ldb_context *ldb = ldb_module_get_ctx(module);
393 enum security_user_level user_type = what_is_user(module);
394 struct kludge_private_data *data = talloc_get_type(ldb_module_get_private(module),
395 struct kludge_private_data);
397 if (data->acl_perform)
398 return ldb_next_request(module, req);
401 case SECURITY_SYSTEM:
402 case SECURITY_ADMINISTRATOR:
403 return ldb_next_request(module, req);
405 ldb_asprintf_errstring(ldb,
406 "kludge_acl_change: "
407 "attempted database modify not permitted. "
408 "User %s is not SYSTEM or an administrator",
409 user_name(req, module));
410 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
414 static int kludge_acl_extended(struct ldb_module *module, struct ldb_request *req)
416 struct ldb_context *ldb = ldb_module_get_ctx(module);
417 enum security_user_level user_type;
419 /* allow everybody to read the sequence number */
420 if (strcmp(req->op.extended.oid,
421 LDB_EXTENDED_SEQUENCE_NUMBER) == 0) {
422 return ldb_next_request(module, req);
425 user_type = what_is_user(module);
428 case SECURITY_SYSTEM:
429 case SECURITY_ADMINISTRATOR:
430 return ldb_next_request(module, req);
432 ldb_asprintf_errstring(ldb,
433 "kludge_acl_change: "
434 "attempted database modify not permitted. "
435 "User %s is not SYSTEM or an administrator",
436 user_name(req, module));
437 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
441 static int kludge_acl_init(struct ldb_module *module)
443 struct ldb_context *ldb;
446 TALLOC_CTX *mem_ctx = talloc_new(module);
447 static const char *attrs[] = { "passwordAttribute", NULL };
448 struct ldb_result *res;
449 struct ldb_message *msg;
450 struct ldb_message_element *password_attributes;
452 struct kludge_private_data *data;
454 ldb = ldb_module_get_ctx(module);
456 data = talloc(module, struct kludge_private_data);
461 data->password_attrs = NULL;
462 data->acl_perform = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"),
463 NULL, "acl", "perform", false);
464 ldb_module_set_private(module, data);
470 ret = ldb_search(ldb, mem_ctx, &res,
471 ldb_dn_new(mem_ctx, ldb, "@KLUDGEACL"),
472 LDB_SCOPE_BASE, attrs, NULL);
473 if (ret != LDB_SUCCESS) {
476 if (res->count == 0) {
480 if (res->count > 1) {
481 talloc_free(mem_ctx);
482 return LDB_ERR_CONSTRAINT_VIOLATION;
487 password_attributes = ldb_msg_find_element(msg, "passwordAttribute");
488 if (!password_attributes) {
491 data->password_attrs = talloc_array(data, const char *, password_attributes->num_values + 1);
492 if (!data->password_attrs) {
493 talloc_free(mem_ctx);
496 for (i=0; i < password_attributes->num_values; i++) {
497 data->password_attrs[i] = (const char *)password_attributes->values[i].data;
498 talloc_steal(data->password_attrs, password_attributes->values[i].data);
500 data->password_attrs[i] = NULL;
503 talloc_free(mem_ctx);
504 return ldb_next_init(module);
507 _PUBLIC_ const struct ldb_module_ops ldb_kludge_acl_module_ops = {
508 .name = "kludge_acl",
509 /* .search = kludge_acl_search,
510 .add = kludge_acl_change,
511 .modify = kludge_acl_change,
512 .del = kludge_acl_change,
513 .rename = kludge_acl_change, */
514 .extended = kludge_acl_extended,
515 .init_context = kludge_acl_init