4 Copyright (C) Andrew Bartlett 2005
5 Copyright (C) Simo Sorce 2006-2008
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 * Component: ldb kludge ACL module
26 * Description: Simple module to enforce a simple form of access
27 * control, sufficient for securing a default Samba4
30 * Author: Andrew Bartlett
34 #include "ldb_module.h"
35 #include "auth/auth.h"
36 #include "libcli/security/security.h"
37 #include "dsdb/samdb/samdb.h"
38 #include "param/param.h"
42 * - System can read passwords
43 * - Administrators can write anything
44 * - Users can read anything that is not a password
48 struct kludge_private_data {
49 const char **password_attrs;
53 static enum security_user_level what_is_user(struct ldb_module *module)
55 struct ldb_context *ldb = ldb_module_get_ctx(module);
56 struct auth_session_info *session_info
57 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
58 return security_session_user_level(session_info);
61 static const char *user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module)
63 struct ldb_context *ldb = ldb_module_get_ctx(module);
64 struct auth_session_info *session_info
65 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
67 return "UNKNOWN (NULL)";
70 return talloc_asprintf(mem_ctx, "%s\\%s",
71 session_info->server_info->domain_name,
72 session_info->server_info->account_name);
76 struct kludge_acl_context {
78 struct ldb_module *module;
79 struct ldb_request *req;
81 enum security_user_level user_type;
82 bool allowedAttributes;
83 bool allowedAttributesEffective;
84 bool allowedChildClasses;
85 bool allowedChildClassesEffective;
86 const char * const *attrs;
89 /* read all objectClasses */
91 static int kludge_acl_allowedAttributes(struct ldb_context *ldb, struct ldb_message *msg,
94 struct ldb_message_element *oc_el;
95 struct ldb_message_element *allowedAttributes;
96 const struct dsdb_schema *schema = dsdb_get_schema(ldb);
98 const char **attr_list;
101 /* If we don't have a schema yet, we can't do anything... */
102 if (schema == NULL) {
106 /* Must remove any existing attribute, or else confusion reins */
107 ldb_msg_remove_attr(msg, attrName);
108 ret = ldb_msg_add_empty(msg, attrName, 0, &allowedAttributes);
109 if (ret != LDB_SUCCESS) {
113 mem_ctx = talloc_new(msg);
116 return LDB_ERR_OPERATIONS_ERROR;
119 /* To ensure that oc_el is valid, we must look for it after
120 we alter the element array in ldb_msg_add_empty() */
121 oc_el = ldb_msg_find_element(msg, "objectClass");
123 attr_list = dsdb_full_attribute_list(mem_ctx, schema, oc_el, DSDB_SCHEMA_ALL);
125 ldb_asprintf_errstring(ldb, "kludge_acl: Failed to get list of attributes create %s attribute", attrName);
126 talloc_free(mem_ctx);
127 return LDB_ERR_OPERATIONS_ERROR;
130 for (i=0; attr_list && attr_list[i]; i++) {
131 ldb_msg_add_string(msg, attrName, attr_list[i]);
133 talloc_free(mem_ctx);
137 /* read all objectClasses */
139 static int kludge_acl_childClasses(struct ldb_context *ldb, struct ldb_message *msg,
140 const char *attrName)
142 struct ldb_message_element *oc_el;
143 struct ldb_message_element *allowedClasses;
144 const struct dsdb_schema *schema = dsdb_get_schema(ldb);
145 const struct dsdb_class *sclass;
148 /* If we don't have a schema yet, we can't do anything... */
149 if (schema == NULL) {
153 /* Must remove any existing attribute, or else confusion reins */
154 ldb_msg_remove_attr(msg, attrName);
155 ret = ldb_msg_add_empty(msg, attrName, 0, &allowedClasses);
156 if (ret != LDB_SUCCESS) {
160 /* To ensure that oc_el is valid, we must look for it after
161 we alter the element array in ldb_msg_add_empty() */
162 oc_el = ldb_msg_find_element(msg, "objectClass");
164 for (i=0; oc_el && i < oc_el->num_values; i++) {
165 sclass = dsdb_class_by_lDAPDisplayName_ldb_val(schema, &oc_el->values[i]);
167 /* We don't know this class? what is going on? */
171 for (j=0; sclass->possibleInferiors && sclass->possibleInferiors[j]; j++) {
172 ldb_msg_add_string(msg, attrName, sclass->possibleInferiors[j]);
176 if (allowedClasses->num_values > 1) {
177 qsort(allowedClasses->values,
178 allowedClasses->num_values,
179 sizeof(*allowedClasses->values),
180 (comparison_fn_t)data_blob_cmp);
182 for (i=1 ; i < allowedClasses->num_values; i++) {
184 struct ldb_val *val1 = &allowedClasses->values[i-1];
185 struct ldb_val *val2 = &allowedClasses->values[i];
186 if (data_blob_cmp(val1, val2) == 0) {
187 memmove(val1, val2, (allowedClasses->num_values - i) * sizeof( struct ldb_val));
188 allowedClasses->num_values--;
198 /* find all attributes allowed by all these objectClasses */
200 static int kludge_acl_callback(struct ldb_request *req, struct ldb_reply *ares)
202 struct ldb_context *ldb;
203 struct kludge_acl_context *ac;
204 struct kludge_private_data *data;
207 ac = talloc_get_type(req->context, struct kludge_acl_context);
208 data = talloc_get_type(ldb_module_get_private(ac->module), struct kludge_private_data);
209 ldb = ldb_module_get_ctx(ac->module);
212 return ldb_module_done(ac->req, NULL, NULL,
213 LDB_ERR_OPERATIONS_ERROR);
215 if (ares->error != LDB_SUCCESS) {
216 return ldb_module_done(ac->req, ares->controls,
217 ares->response, ares->error);
220 switch (ares->type) {
221 case LDB_REPLY_ENTRY:
222 if (ac->allowedAttributes) {
223 ret = kludge_acl_allowedAttributes(ldb,
225 "allowedAttributes");
226 if (ret != LDB_SUCCESS) {
227 return ldb_module_done(ac->req, NULL, NULL, ret);
230 if (ac->allowedChildClasses) {
231 ret = kludge_acl_childClasses(ldb,
233 "allowedChildClasses");
234 if (ret != LDB_SUCCESS) {
235 return ldb_module_done(ac->req, NULL, NULL, ret);
239 if (data && data->password_attrs) /* if we are not initialized just get through */
241 switch (ac->user_type) {
242 case SECURITY_SYSTEM:
243 if (ac->allowedAttributesEffective) {
244 ret = kludge_acl_allowedAttributes(ldb, ares->message,
245 "allowedAttributesEffective");
246 if (ret != LDB_SUCCESS) {
247 return ldb_module_done(ac->req, NULL, NULL, ret);
250 if (ac->allowedChildClassesEffective) {
251 ret = kludge_acl_childClasses(ldb, ares->message,
252 "allowedChildClassesEffective");
253 if (ret != LDB_SUCCESS) {
254 return ldb_module_done(ac->req, NULL, NULL, ret);
259 case SECURITY_ADMINISTRATOR:
260 if (ac->allowedAttributesEffective) {
261 ret = kludge_acl_allowedAttributes(ldb, ares->message,
262 "allowedAttributesEffective");
263 if (ret != LDB_SUCCESS) {
264 return ldb_module_done(ac->req, NULL, NULL, ret);
267 if (ac->allowedChildClassesEffective) {
268 ret = kludge_acl_childClasses(ldb, ares->message,
269 "allowedChildClassesEffective");
270 if (ret != LDB_SUCCESS) {
271 return ldb_module_done(ac->req, NULL, NULL, ret);
276 /* remove password attributes */
277 for (i = 0; data->password_attrs[i]; i++) {
278 ldb_msg_remove_attr(ares->message, data->password_attrs[i]);
283 if (ac->allowedAttributes ||
284 ac->allowedAttributesEffective ||
285 ac->allowedChildClasses ||
286 ac->allowedChildClassesEffective) {
288 if (!ldb_attr_in_list(ac->attrs, "objectClass") &&
289 !ldb_attr_in_list(ac->attrs, "*")) {
291 ldb_msg_remove_attr(ares->message,
296 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
298 case LDB_REPLY_REFERRAL:
299 return ldb_module_send_referral(ac->req, ares->referral);
302 return ldb_module_done(ac->req, ares->controls,
303 ares->response, LDB_SUCCESS);
309 static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
311 struct ldb_context *ldb;
312 struct kludge_acl_context *ac;
313 struct ldb_request *down_req;
314 struct kludge_private_data *data;
315 const char * const *attrs;
317 struct ldb_control *sd_control;
318 struct ldb_control **sd_saved_controls;
320 ldb = ldb_module_get_ctx(module);
322 ac = talloc(req, struct kludge_acl_context);
325 return LDB_ERR_OPERATIONS_ERROR;
328 data = talloc_get_type(ldb_module_get_private(module), struct kludge_private_data);
330 if (data && data->acl_perform)
331 return ldb_next_request(module, req);
335 ac->user_type = what_is_user(module);
336 ac->attrs = req->op.search.attrs;
338 ac->allowedAttributes = ldb_attr_in_list(req->op.search.attrs, "allowedAttributes");
340 ac->allowedAttributesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedAttributesEffective");
342 ac->allowedChildClasses = ldb_attr_in_list(req->op.search.attrs, "allowedChildClasses");
344 ac->allowedChildClassesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedChildClassesEffective");
346 if (ac->allowedAttributes || ac->allowedAttributesEffective || ac->allowedChildClasses || ac->allowedChildClassesEffective) {
347 attrs = ldb_attr_list_copy_add(ac, req->op.search.attrs, "objectClass");
349 attrs = req->op.search.attrs;
352 /* replace any attributes in the parse tree that are private,
353 so we don't allow a search for 'userPassword=penguin',
354 just as we would not allow that attribute to be returned */
355 switch (ac->user_type) {
356 case SECURITY_SYSTEM:
359 /* FIXME: We should copy the tree and keep the original unmodified. */
360 /* remove password attributes */
362 if (!data || !data->password_attrs) {
365 for (i = 0; data->password_attrs[i]; i++) {
366 ldb_parse_tree_attr_replace(req->op.search.tree,
367 data->password_attrs[i],
368 "kludgeACLredactedattribute");
372 ret = ldb_build_search_req_ex(&down_req,
375 req->op.search.scope,
379 ac, kludge_acl_callback,
381 if (ret != LDB_SUCCESS) {
385 /* check if there's an SD_FLAGS control */
386 sd_control = ldb_request_get_control(down_req, LDB_CONTROL_SD_FLAGS_OID);
388 /* save it locally and remove it from the list */
389 /* we do not need to replace them later as we
390 * are keeping the original req intact */
391 if (!save_controls(sd_control, down_req, &sd_saved_controls)) {
392 return LDB_ERR_OPERATIONS_ERROR;
396 /* perform the search */
397 return ldb_next_request(module, down_req);
400 /* ANY change type */
401 static int kludge_acl_change(struct ldb_module *module, struct ldb_request *req)
403 struct ldb_context *ldb = ldb_module_get_ctx(module);
404 enum security_user_level user_type = what_is_user(module);
405 struct kludge_private_data *data = talloc_get_type(ldb_module_get_private(module),
406 struct kludge_private_data);
408 if (data->acl_perform)
409 return ldb_next_request(module, req);
412 case SECURITY_SYSTEM:
413 case SECURITY_ADMINISTRATOR:
414 return ldb_next_request(module, req);
416 ldb_asprintf_errstring(ldb,
417 "kludge_acl_change: "
418 "attempted database modify not permitted. "
419 "User %s is not SYSTEM or an administrator",
420 user_name(req, module));
421 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
425 static int kludge_acl_extended(struct ldb_module *module, struct ldb_request *req)
427 struct ldb_context *ldb = ldb_module_get_ctx(module);
428 enum security_user_level user_type;
430 /* allow everybody to read the sequence number */
431 if (strcmp(req->op.extended.oid,
432 LDB_EXTENDED_SEQUENCE_NUMBER) == 0) {
433 return ldb_next_request(module, req);
436 user_type = what_is_user(module);
439 case SECURITY_SYSTEM:
440 case SECURITY_ADMINISTRATOR:
441 return ldb_next_request(module, req);
443 ldb_asprintf_errstring(ldb,
444 "kludge_acl_change: "
445 "attempted database modify not permitted. "
446 "User %s is not SYSTEM or an administrator",
447 user_name(req, module));
448 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
452 static int kludge_acl_init(struct ldb_module *module)
454 struct ldb_context *ldb;
456 TALLOC_CTX *mem_ctx = talloc_new(module);
457 static const char *attrs[] = { "passwordAttribute", NULL };
458 struct ldb_result *res;
459 struct ldb_message *msg;
460 struct ldb_message_element *password_attributes;
462 struct kludge_private_data *data;
464 ldb = ldb_module_get_ctx(module);
466 data = talloc(module, struct kludge_private_data);
469 return LDB_ERR_OPERATIONS_ERROR;
472 data->password_attrs = NULL;
473 data->acl_perform = lp_parm_bool(ldb_get_opaque(ldb, "loadparm"),
474 NULL, "acl", "perform", false);
475 ldb_module_set_private(module, data);
479 return LDB_ERR_OPERATIONS_ERROR;
482 ret = ldb_search(ldb, mem_ctx, &res,
483 ldb_dn_new(mem_ctx, ldb, "@KLUDGEACL"),
484 LDB_SCOPE_BASE, attrs, NULL);
485 if (ret != LDB_SUCCESS) {
488 if (res->count == 0) {
492 if (res->count > 1) {
493 talloc_free(mem_ctx);
494 return LDB_ERR_CONSTRAINT_VIOLATION;
499 password_attributes = ldb_msg_find_element(msg, "passwordAttribute");
500 if (!password_attributes) {
503 data->password_attrs = talloc_array(data, const char *, password_attributes->num_values + 1);
504 if (!data->password_attrs) {
505 talloc_free(mem_ctx);
507 return LDB_ERR_OPERATIONS_ERROR;
509 for (i=0; i < password_attributes->num_values; i++) {
510 data->password_attrs[i] = (const char *)password_attributes->values[i].data;
511 talloc_steal(data->password_attrs, password_attributes->values[i].data);
513 data->password_attrs[i] = NULL;
515 ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID);
516 if (ret != LDB_SUCCESS) {
517 ldb_debug(ldb, LDB_DEBUG_ERROR,
518 "kludge_acl: Unable to register control with rootdse!\n");
519 return LDB_ERR_OPERATIONS_ERROR;
523 talloc_free(mem_ctx);
524 return ldb_next_init(module);
527 _PUBLIC_ const struct ldb_module_ops ldb_kludge_acl_module_ops = {
528 .name = "kludge_acl",
529 .search = kludge_acl_search,
530 .add = kludge_acl_change,
531 .modify = kludge_acl_change,
532 .del = kludge_acl_change,
533 .rename = kludge_acl_change,
534 .extended = kludge_acl_extended,
535 .init_context = kludge_acl_init
git.samba.org / sfrench / samba-autobuild / .git / blob