4 Copyright (C) Andrew Bartlett 2005
5 Copyright (C) Simo Sorce 2006
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 * Component: ldb kludge ACL module
27 * Description: Simple module to enforce a simple form of access
28 * control, sufficient for securing a default Samba4
31 * Author: Andrew Bartlett
35 #include "ldb/include/ldb.h"
36 #include "ldb/include/ldb_errors.h"
37 #include "ldb/include/ldb_private.h"
38 #include "auth/auth.h"
39 #include "libcli/security/security.h"
43 * - System can read passwords
44 * - Administrators can write anything
45 * - Users can read anything that is not a password
56 struct kludge_private_data {
57 const char **password_attrs;
60 static enum user_is what_is_user(struct ldb_module *module)
62 struct auth_session_info *session_info
63 = ldb_get_opaque(module->ldb, "sessionInfo");
68 if (security_token_is_system(session_info->security_token)) {
72 if (security_token_is_anonymous(session_info->security_token)) {
76 if (security_token_has_builtin_administrators(session_info->security_token)) {
80 if (security_token_has_nt_authenticated_users(session_info->security_token)) {
87 static const char *user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module)
89 struct auth_session_info *session_info
90 = ldb_get_opaque(module->ldb, "sessionInfo");
92 return "UNKNOWN (NULL)";
95 return talloc_asprintf(mem_ctx, "%s\\%s",
96 session_info->server_info->domain_name,
97 session_info->server_info->account_name);
101 struct kludge_acl_context {
103 struct ldb_module *module;
105 int (*up_callback)(struct ldb_context *, void *, struct ldb_reply *);
107 enum user_is user_type;
110 static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
112 struct kludge_acl_context *ac;
113 struct kludge_private_data *data;
116 if (!context || !ares) {
117 ldb_set_errstring(ldb, "NULL Context or Result in callback");
121 ac = talloc_get_type(context, struct kludge_acl_context);
122 data = talloc_get_type(ac->module->private_data, struct kludge_private_data);
124 if (ares->type == LDB_REPLY_ENTRY
125 && data && data->password_attrs) /* if we are not initialized just get through */
127 switch (ac->user_type) {
132 /* remove password attributes */
133 for (i = 0; data->password_attrs[i]; i++) {
134 ldb_msg_remove_attr(ares->message, data->password_attrs[i]);
139 return ac->up_callback(ldb, ac->up_context, ares);
143 return LDB_ERR_OPERATIONS_ERROR;
146 static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
148 struct kludge_acl_context *ac;
149 struct ldb_request *down_req;
150 struct kludge_private_data *data;
155 ac = talloc(req, struct kludge_acl_context);
157 return LDB_ERR_OPERATIONS_ERROR;
160 data = talloc_get_type(module->private_data, struct kludge_private_data);
163 ac->up_context = req->context;
164 ac->up_callback = req->callback;
165 ac->user_type = what_is_user(module);
167 down_req = talloc_zero(req, struct ldb_request);
168 if (down_req == NULL) {
169 return LDB_ERR_OPERATIONS_ERROR;
172 down_req->operation = req->operation;
173 down_req->op.search.base = req->op.search.base;
174 down_req->op.search.scope = req->op.search.scope;
175 down_req->op.search.tree = req->op.search.tree;
176 down_req->op.search.attrs = req->op.search.attrs;
179 /* FIXME: I hink we should copy the tree and keep the original
181 /* replace any attributes in the parse tree that are private,
182 so we don't allow a search for 'sambaPassword=penguin',
183 just as we would not allow that attribute to be returned */
184 switch (ac->user_type) {
188 /* remove password attributes */
189 for (i = 0; data && data->password_attrs && data->password_attrs[i]; i++) {
190 ldb_parse_tree_attr_replace(down_req->op.search.tree,
191 data->password_attrs[i],
192 "kludgeACLredactedattribute");
196 down_req->controls = req->controls;
198 down_req->context = ac;
199 down_req->callback = kludge_acl_callback;
200 ldb_set_timeout_from_prev_req(module->ldb, req, down_req);
202 /* perform the search */
203 ret = ldb_next_request(module, down_req);
205 /* do not free down_req as the call results may be linked to it,
206 * it will be freed when the upper level request get freed */
207 if (ret == LDB_SUCCESS) {
208 req->handle = down_req->handle;
214 /* ANY change type */
215 static int kludge_acl_change(struct ldb_module *module, struct ldb_request *req)
217 enum user_is user_type = what_is_user(module);
221 return ldb_next_request(module, req);
223 ldb_asprintf_errstring(module->ldb,
224 "kludge_acl_change: "
225 "attempted database modify not permitted. "
226 "User %s is not SYSTEM or an administrator",
227 user_name(req, module));
228 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
232 static int kludge_acl_init(struct ldb_module *module)
235 TALLOC_CTX *mem_ctx = talloc_new(module);
236 static const char *attrs[] = { "passwordAttribute", NULL };
237 struct ldb_result *res;
238 struct ldb_message *msg;
239 struct ldb_message_element *password_attributes;
241 struct kludge_private_data *data;
243 data = talloc(module, struct kludge_private_data);
245 return LDB_ERR_OPERATIONS_ERROR;
248 data->password_attrs = NULL;
249 module->private_data = data;
252 return LDB_ERR_OPERATIONS_ERROR;
255 ret = ldb_search(module->ldb, ldb_dn_new(mem_ctx, module->ldb, "@KLUDGEACL"),
259 if (ret != LDB_SUCCESS) {
262 talloc_steal(mem_ctx, res);
263 if (res->count == 0) {
267 if (res->count > 1) {
268 talloc_free(mem_ctx);
269 return LDB_ERR_CONSTRAINT_VIOLATION;
274 password_attributes = ldb_msg_find_element(msg, "passwordAttribute");
275 if (!password_attributes) {
278 data->password_attrs = talloc_array(data, const char *, password_attributes->num_values + 1);
279 if (!data->password_attrs) {
280 talloc_free(mem_ctx);
281 return LDB_ERR_OPERATIONS_ERROR;
283 for (i=0; i < password_attributes->num_values; i++) {
284 data->password_attrs[i] = (const char *)password_attributes->values[i].data;
285 talloc_steal(data->password_attrs, password_attributes->values[i].data);
287 data->password_attrs[i] = NULL;
290 talloc_free(mem_ctx);
291 return ldb_next_init(module);
294 static const struct ldb_module_ops kludge_acl_ops = {
295 .name = "kludge_acl",
296 .search = kludge_acl_search,
297 .add = kludge_acl_change,
298 .modify = kludge_acl_change,
299 .del = kludge_acl_change,
300 .rename = kludge_acl_change,
301 .extended = kludge_acl_change,
302 .init_context = kludge_acl_init
305 int ldb_kludge_acl_init(void)
307 return ldb_register_module(&kludge_acl_ops);