source4/dsdb/samdb/ldb_modules/kludge_acl.c

   1 /*
   2    ldb database library
   3
   4    Copyright (C) Andrew Bartlett 2005
   5    Copyright (C) Simo Sorce 2006
   6
   7     This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License as published by
   9    the Free Software Foundation; either version 3 of the License, or
  10    (at your option) any later version.
  11
  12    This program is distributed in the hope that it will be useful,
  13    but WITHOUT ANY WARRANTY; without even the implied warranty of
  14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15    GNU General Public License for more details.
  16
  17    You should have received a copy of the GNU General Public License
  18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19 */
  20
  21 /*
  22  *  Name: ldb
  23  *
  24  *  Component: ldb kludge ACL module
  25  *
  26  *  Description: Simple module to enforce a simple form of access
  27  *               control, sufficient for securing a default Samba4
  28  *               installation.
  29  *
  30  *  Author: Andrew Bartlett
  31  */
  32
  33 #include "includes.h"
  34 #include "ldb/include/ldb.h"
  35 #include "ldb/include/ldb_errors.h"
  36 #include "ldb/include/ldb_private.h"
  37 #include "auth/auth.h"
  38 #include "libcli/security/security.h"
  39 #include "dsdb/samdb/samdb.h"
  40
  41 /* Kludge ACL rules:
  42  *
  43  * - System can read passwords
  44  * - Administrators can write anything
  45  * - Users can read anything that is not a password
  46  *
  47  */
  48
  49 enum user_is {
  50         ANONYMOUS,
  51         USER,
  52         ADMINISTRATOR,
  53         SYSTEM
  54 };
  55
  56 struct kludge_private_data {
  57         const char **password_attrs;
  58 };
  59
  60 static enum user_is what_is_user(struct ldb_module *module)
  61 {
  62         struct auth_session_info *session_info
  63                 = (struct auth_session_info *)ldb_get_opaque(module->ldb, "sessionInfo");
  64         if (!session_info) {
  65                 return ANONYMOUS;
  66         }
  67
  68         if (security_token_is_system(session_info->security_token)) {
  69                 return SYSTEM;
  70         }
  71
  72         if (security_token_is_anonymous(session_info->security_token)) {
  73                 return ANONYMOUS;
  74         }
  75
  76         if (security_token_has_builtin_administrators(session_info->security_token)) {
  77                 return ADMINISTRATOR;
  78         }
  79
  80         if (security_token_has_nt_authenticated_users(session_info->security_token)) {
  81                 return USER;
  82         }
  83
  84         return ANONYMOUS;
  85 }
  86
  87 static const char *user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module)
  88 {
  89         struct auth_session_info *session_info
  90                 = (struct auth_session_info *)ldb_get_opaque(module->ldb, "sessionInfo");
  91         if (!session_info) {
  92                 return "UNKNOWN (NULL)";
  93         }
  94
  95         return talloc_asprintf(mem_ctx, "%s\\%s",
  96                                session_info->server_info->domain_name,
  97                                session_info->server_info->account_name);
  98 }
  99
 100 /* search */
 101 struct kludge_acl_context {
 102
 103         struct ldb_module *module;
 104         void *up_context;
 105         int (*up_callback)(struct ldb_context *, void *, struct ldb_reply *);
 106
 107         enum user_is user_type;
 108         bool allowedAttributes;
 109         bool allowedAttributesEffective;
 110         bool allowedChildClasses;
 111         bool allowedChildClassesEffective;
 112         const char **attrs;
 113 };
 114
 115 /* read all objectClasses */
 116
 117 static int kludge_acl_allowedAttributes(struct ldb_context *ldb, struct ldb_message *msg,
 118                                         const char *attrName)
 119 {
 120         struct ldb_message_element *oc_el;
 121         struct ldb_message_element *allowedAttributes;
 122         const struct dsdb_schema *schema = dsdb_get_schema(ldb);
 123         const struct dsdb_class *class;
 124         int i, j, ret;
 125
 126         /* If we don't have a schema yet, we can't do anything... */
 127         if (schema == NULL) {
 128                 return LDB_SUCCESS;
 129         }
 130
 131         /* Must remove any existing attribute, or else confusion reins */
 132         ldb_msg_remove_attr(msg, attrName);
 133         ret = ldb_msg_add_empty(msg, attrName, 0, &allowedAttributes);
 134         if (ret != LDB_SUCCESS) {
 135                 return ret;
 136         }
 137
 138         /* To ensure that oc_el is valid, we must look for it after
 139            we alter the element array in ldb_msg_add_empty() */
 140         oc_el = ldb_msg_find_element(msg, "objectClass");
 141
 142         for (i=0; oc_el && i < oc_el->num_values; i++) {
 143                 class = dsdb_class_by_lDAPDisplayName(schema, (const char *)oc_el->values[i].data);
 144                 if (!class) {
 145                         /* We don't know this class?  what is going on? */
 146                         continue;
 147                 }
 148
 149                 for (j=0; class->mayContain && class->mayContain[j]; j++) {
 150                         ldb_msg_add_string(msg, attrName, class->mayContain[j]);
 151                 }
 152                 for (j=0; class->mustContain && class->mustContain[j]; j++) {
 153                         ldb_msg_add_string(msg, attrName, class->mustContain[j]);
 154                 }
 155                 for (j=0; class->systemMayContain && class->systemMayContain[j]; j++) {
 156                         ldb_msg_add_string(msg, attrName, class->systemMayContain[j]);
 157                 }
 158                 for (j=0; class->systemMustContain && class->systemMustContain[j]; j++) {
 159                         ldb_msg_add_string(msg, attrName, class->systemMustContain[j]);
 160                 }
 161         }
 162
 163         if (allowedAttributes->num_values > 1) {
 164                 qsort(allowedAttributes->values,
 165                       allowedAttributes->num_values,
 166                       sizeof(*allowedAttributes->values),
 167                       (comparison_fn_t)data_blob_cmp);
 168
 169                 for (i=1 ; i < allowedAttributes->num_values; i++) {
 170                         struct ldb_val *val1 = &allowedAttributes->values[i-1];
 171                         struct ldb_val *val2 = &allowedAttributes->values[i];
 172                         if (data_blob_cmp(val1, val2) == 0) {
 173                                 memmove(val1, val2, (allowedAttributes->num_values - i) * sizeof( struct ldb_val));
 174                                 allowedAttributes->num_values--;
 175                                 i--;
 176                         }
 177                 }
 178         }
 179
 180         return 0;
 181
 182 }
 183 /* read all objectClasses */
 184
 185 static int kludge_acl_childClasses(struct ldb_context *ldb, struct ldb_message *msg,
 186                                    const char *attrName)
 187 {
 188         struct ldb_message_element *oc_el;
 189         struct ldb_message_element *allowedClasses;
 190         const struct dsdb_schema *schema = dsdb_get_schema(ldb);
 191         const struct dsdb_class *class;
 192         int i, j, ret;
 193
 194         /* If we don't have a schema yet, we can't do anything... */
 195         if (schema == NULL) {
 196                 return LDB_SUCCESS;
 197         }
 198
 199         /* Must remove any existing attribute, or else confusion reins */
 200         ldb_msg_remove_attr(msg, attrName);
 201         ret = ldb_msg_add_empty(msg, attrName, 0, &allowedClasses);
 202         if (ret != LDB_SUCCESS) {
 203                 return ret;
 204         }
 205
 206         /* To ensure that oc_el is valid, we must look for it after
 207            we alter the element array in ldb_msg_add_empty() */
 208         oc_el = ldb_msg_find_element(msg, "objectClass");
 209
 210         for (i=0; oc_el && i < oc_el->num_values; i++) {
 211                 class = dsdb_class_by_lDAPDisplayName(schema, (const char *)oc_el->values[i].data);
 212                 if (!class) {
 213                         /* We don't know this class?  what is going on? */
 214                         continue;
 215                 }
 216
 217                 for (j=0; class->possibleInferiors && class->possibleInferiors[j]; j++) {
 218                         ldb_msg_add_string(msg, attrName, class->possibleInferiors[j]);
 219                 }
 220         }
 221
 222         if (allowedClasses->num_values > 1) {
 223                 qsort(allowedClasses->values,
 224                       allowedClasses->num_values,
 225                       sizeof(*allowedClasses->values),
 226                       (comparison_fn_t)data_blob_cmp);
 227
 228                 for (i=1 ; i < allowedClasses->num_values; i++) {
 229                         struct ldb_val *val1 = &allowedClasses->values[i-1];
 230                         struct ldb_val *val2 = &allowedClasses->values[i];
 231                         if (data_blob_cmp(val1, val2) == 0) {
 232                                 memmove(val1, val2, (allowedClasses->num_values - i) * sizeof( struct ldb_val));
 233                                 allowedClasses->num_values--;
 234                                 i--;
 235                         }
 236                 }
 237         }
 238
 239         return 0;
 240
 241 }
 242
 243 /* find all attributes allowed by all these objectClasses */
 244
 245 static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
 246 {
 247         struct kludge_acl_context *ac;
 248         struct kludge_private_data *data;
 249         int i, ret;
 250
 251         ac = talloc_get_type(context, struct kludge_acl_context);
 252         data = talloc_get_type(ac->module->private_data, struct kludge_private_data);
 253
 254         if (ares->type != LDB_REPLY_ENTRY) {
 255                 return ac->up_callback(ldb, ac->up_context, ares);
 256         }
 257
 258         if (ac->allowedAttributes) {
 259                 ret = kludge_acl_allowedAttributes(ldb, ares->message, "allowedAttributes");
 260                 if (ret != LDB_SUCCESS) {
 261                         return ret;
 262
 263                 }
 264         }
 265         if (ac->allowedChildClasses) {
 266                 ret = kludge_acl_childClasses(ldb, ares->message, "allowedChildClasses");
 267                 if (ret != LDB_SUCCESS) {
 268                         return ret;
 269                 }
 270         }
 271
 272         if (data && data->password_attrs) /* if we are not initialized just get through */
 273         {
 274                 switch (ac->user_type) {
 275                 case SYSTEM:
 276                 case ADMINISTRATOR:
 277                         if (ac->allowedAttributesEffective) {
 278                                 ret = kludge_acl_allowedAttributes(ldb, ares->message, "allowedAttributesEffective");
 279                                 if (ret != LDB_SUCCESS) {
 280                                         return ret;
 281                                 }
 282                         }
 283                         if (ac->allowedChildClassesEffective) {
 284                                 ret = kludge_acl_childClasses(ldb, ares->message, "allowedChildClassesEffective");
 285                                 if (ret != LDB_SUCCESS) {
 286                                         return ret;
 287                                 }
 288                         }
 289                         break;
 290                 default:
 291                         /* remove password attributes */
 292                         for (i = 0; data->password_attrs[i]; i++) {
 293                                 ldb_msg_remove_attr(ares->message, data->password_attrs[i]);
 294                         }
 295                 }
 296         }
 297
 298         if ((ac->allowedAttributes || ac->allowedAttributesEffective
 299              || ac->allowedChildClasses || ac->allowedChildClassesEffective) &&
 300             (!ldb_attr_in_list(ac->attrs, "objectClass") &&
 301              !ldb_attr_in_list(ac->attrs, "*"))) {
 302                 ldb_msg_remove_attr(ares->message, "objectClass");
 303         }
 304
 305         return ac->up_callback(ldb, ac->up_context, ares);
 306 }
 307
 308 static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
 309 {
 310         struct kludge_acl_context *ac;
 311         struct ldb_request *down_req;
 312         struct kludge_private_data *data;
 313         int ret, i;
 314
 315         req->handle = NULL;
 316
 317         ac = talloc(req, struct kludge_acl_context);
 318         if (ac == NULL) {
 319                 ldb_oom(module->ldb);
 320                 return LDB_ERR_OPERATIONS_ERROR;
 321         }
 322
 323         data = talloc_get_type(module->private_data, struct kludge_private_data);
 324
 325         ac->module = module;
 326         ac->up_context = req->context;
 327         ac->up_callback = req->callback;
 328         ac->user_type = what_is_user(module);
 329         ac->attrs = req->op.search.attrs;
 330
 331         down_req = talloc_zero(req, struct ldb_request);
 332         if (down_req == NULL) {
 333                 ldb_oom(module->ldb);
 334                 return LDB_ERR_OPERATIONS_ERROR;
 335         }
 336
 337         down_req->operation = req->operation;
 338         down_req->op.search.base = req->op.search.base;
 339         down_req->op.search.scope = req->op.search.scope;
 340         down_req->op.search.tree = req->op.search.tree;
 341         down_req->op.search.attrs = req->op.search.attrs;
 342
 343         ac->allowedAttributes = ldb_attr_in_list(req->op.search.attrs, "allowedAttributes");
 344
 345         ac->allowedAttributesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedAttributesEffective");
 346
 347         ac->allowedChildClasses = ldb_attr_in_list(req->op.search.attrs, "allowedChildClasses");
 348
 349         ac->allowedChildClassesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedChildClassesEffective");
 350
 351         if (ac->allowedAttributes || ac->allowedAttributesEffective || ac->allowedChildClasses || ac->allowedChildClassesEffective) {
 352                 down_req->op.search.attrs
 353                         = ldb_attr_list_copy_add(down_req, down_req->op.search.attrs, "objectClass");
 354         }
 355
 356         /*  FIXME: I hink we should copy the tree and keep the original
 357          *  unmodified. SSS */
 358         /* replace any attributes in the parse tree that are private,
 359            so we don't allow a search for 'sambaPassword=penguin',
 360            just as we would not allow that attribute to be returned */
 361         switch (ac->user_type) {
 362         case SYSTEM:
 363                 break;
 364         default:
 365                 /* remove password attributes */
 366                 for (i = 0; data && data->password_attrs && data->password_attrs[i]; i++) {
 367                         ldb_parse_tree_attr_replace(down_req->op.search.tree,
 368                                                     data->password_attrs[i],
 369                                                     "kludgeACLredactedattribute");
 370                 }
 371         }
 372
 373         down_req->controls = req->controls;
 374
 375         down_req->context = ac;
 376         down_req->callback = kludge_acl_callback;
 377         ldb_set_timeout_from_prev_req(module->ldb, req, down_req);
 378
 379         /* perform the search */
 380         ret = ldb_next_request(module, down_req);
 381
 382         /* do not free down_req as the call results may be linked to it,
 383          * it will be freed when the upper level request get freed */
 384         if (ret == LDB_SUCCESS) {
 385                 req->handle = down_req->handle;
 386         }
 387
 388         return ret;
 389 }
 390
 391 /* ANY change type */
 392 static int kludge_acl_change(struct ldb_module *module, struct ldb_request *req)
 393 {
 394         enum user_is user_type = what_is_user(module);
 395         switch (user_type) {
 396         case SYSTEM:
 397         case ADMINISTRATOR:
 398                 return ldb_next_request(module, req);
 399         default:
 400                 ldb_asprintf_errstring(module->ldb,
 401                                        "kludge_acl_change: "
 402                                        "attempted database modify not permitted. "
 403                                        "User %s is not SYSTEM or an administrator",
 404                                        user_name(req, module));
 405                 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
 406         }
 407 }
 408
 409 static int kludge_acl_init(struct ldb_module *module)
 410 {
 411         int ret, i;
 412         TALLOC_CTX *mem_ctx = talloc_new(module);
 413         static const char *attrs[] = { "passwordAttribute", NULL };
 414         struct ldb_result *res;
 415         struct ldb_message *msg;
 416         struct ldb_message_element *password_attributes;
 417
 418         struct kludge_private_data *data;
 419
 420         data = talloc(module, struct kludge_private_data);
 421         if (data == NULL) {
 422                 ldb_oom(module->ldb);
 423                 return LDB_ERR_OPERATIONS_ERROR;
 424         }
 425
 426         data->password_attrs = NULL;
 427         module->private_data = data;
 428
 429         if (!mem_ctx) {
 430                 ldb_oom(module->ldb);
 431                 return LDB_ERR_OPERATIONS_ERROR;
 432         }
 433
 434         ret = ldb_search(module->ldb, ldb_dn_new(mem_ctx, module->ldb, "@KLUDGEACL"),
 435                          LDB_SCOPE_BASE,
 436                          NULL, attrs,
 437                          &res);
 438         if (ret != LDB_SUCCESS) {
 439                 goto done;
 440         }
 441         talloc_steal(mem_ctx, res);
 442         if (res->count == 0) {
 443                 goto done;
 444         }
 445
 446         if (res->count > 1) {
 447                 talloc_free(mem_ctx);
 448                 return LDB_ERR_CONSTRAINT_VIOLATION;
 449         }
 450
 451         msg = res->msgs[0];
 452
 453         password_attributes = ldb_msg_find_element(msg, "passwordAttribute");
 454         if (!password_attributes) {
 455                 goto done;
 456         }
 457         data->password_attrs = talloc_array(data, const char *, password_attributes->num_values + 1);
 458         if (!data->password_attrs) {
 459                 talloc_free(mem_ctx);
 460                 ldb_oom(module->ldb);
 461                 return LDB_ERR_OPERATIONS_ERROR;
 462         }
 463         for (i=0; i < password_attributes->num_values; i++) {
 464                 data->password_attrs[i] = (const char *)password_attributes->values[i].data;
 465                 talloc_steal(data->password_attrs, password_attributes->values[i].data);
 466         }
 467         data->password_attrs[i] = NULL;
 468
 469 done:
 470         talloc_free(mem_ctx);
 471         return ldb_next_init(module);
 472 }
 473
 474 _PUBLIC_ const struct ldb_module_ops ldb_kludge_acl_module_ops = {
 475         .name              = "kludge_acl",
 476         .search            = kludge_acl_search,
 477         .add               = kludge_acl_change,
 478         .modify            = kludge_acl_change,
 479         .del               = kludge_acl_change,
 480         .rename            = kludge_acl_change,
 481         .extended          = kludge_acl_change,
 482         .init_context      = kludge_acl_init
 483 };