search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dsdb: use AS_SYSTEM | SHOW_RECYCLED for access check searches
[Samba/vl.git] / source4 / dsdb / common / dsdb_access.c
blob84005b3e5ef355b2f63bfeb0248f5b67c9e179f9
1 /*
2 ldb database library
3
4 Copyright (C) Nadezhda Ivanova 2010
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /*
21 * Name: dsdb_access
22 *
23 * Description: utility functions for access checking on objects
24 *
25 * Authors: Nadezhda Ivanova
26 */
27
28 #include "includes.h"
29 #include "ldb.h"
30 #include "ldb_module.h"
31 #include "ldb_errors.h"
32 #include "libcli/security/security.h"
33 #include "librpc/gen_ndr/ndr_security.h"
34 #include "libcli/ldap/ldap_ndr.h"
35 #include "param/param.h"
36 #include "auth/auth.h"
37 #include "dsdb/samdb/samdb.h"
38 #include "dsdb/common/util.h"
39
40 void dsdb_acl_debug(struct security_descriptor *sd,
41 struct security_token *token,
42 struct ldb_dn *dn,
43 bool denied,
44 int level)
45 {
46 if (denied) {
47 DEBUG(level, ("Access on %s denied", ldb_dn_get_linearized(dn)));
48 } else {
49 DEBUG(level, ("Access on %s granted", ldb_dn_get_linearized(dn)));
50 }
51
52 DEBUG(level,("Security context: %s\n",
53 ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_token,"", token)));
54 DEBUG(level,("Security descriptor: %s\n",
55 ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_descriptor,"", sd)));
56 }
57
58 int dsdb_get_sd_from_ldb_message(struct ldb_context *ldb,
59 TALLOC_CTX *mem_ctx,
60 struct ldb_message *acl_res,
61 struct security_descriptor **sd)
62 {
63 struct ldb_message_element *sd_element;
64 enum ndr_err_code ndr_err;
65
66 sd_element = ldb_msg_find_element(acl_res, "nTSecurityDescriptor");
67 if (!sd_element) {
68 *sd = NULL;
69 return LDB_SUCCESS;
70 }
71 *sd = talloc(mem_ctx, struct security_descriptor);
72 if(!*sd) {
73 return ldb_oom(ldb);
74 }
75 ndr_err = ndr_pull_struct_blob(&sd_element->values[0], *sd, *sd,
76 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
77
78 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
79 return ldb_operr(ldb);
80 }
81
82 return LDB_SUCCESS;
83 }
84
85 int dsdb_check_access_on_dn_internal(struct ldb_context *ldb,
86 struct ldb_result *acl_res,
87 TALLOC_CTX *mem_ctx,
88 struct security_token *token,
89 struct ldb_dn *dn,
90 uint32_t access_mask,
91 const struct GUID *guid)
92 {
93 struct security_descriptor *sd = NULL;
94 struct dom_sid *sid = NULL;
95 struct object_tree *root = NULL;
96 NTSTATUS status;
97 uint32_t access_granted;
98 int ret;
99
100 ret = dsdb_get_sd_from_ldb_message(ldb, mem_ctx, acl_res->msgs[0], &sd);
101 if (ret != LDB_SUCCESS) {
102 return ldb_operr(ldb);
103 }
104 /* Theoretically we pass the check if the object has no sd */
105 if (!sd) {
106 return LDB_SUCCESS;
107 }
108 sid = samdb_result_dom_sid(mem_ctx, acl_res->msgs[0], "objectSid");
109 if (guid) {
110 if (!insert_in_object_tree(mem_ctx, guid, access_mask, NULL,
111 &root)) {
112 return ldb_operr(ldb);
113 }
114 }
115 status = sec_access_check_ds(sd, token,
116 access_mask,
117 &access_granted,
118 root,
119 sid);
120 if (!NT_STATUS_IS_OK(status)) {
121 dsdb_acl_debug(sd,
122 token,
123 dn,
124 true,
125 10);
126 ldb_asprintf_errstring(ldb,
127 "dsdb_access: Access check failed on %s",
128 ldb_dn_get_linearized(dn));
129 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
130 }
131 return LDB_SUCCESS;
132 }
133
134 /* performs an access check from outside the module stack
135 * given the dn of the object to be checked, the required access
136 * guid is either the guid of the extended right, or NULL
137 */
138
139 int dsdb_check_access_on_dn(struct ldb_context *ldb,
140 TALLOC_CTX *mem_ctx,
141 struct ldb_dn *dn,
142 struct security_token *token,
143 uint32_t access_mask,
144 const char *ext_right)
145 {
146 int ret;
147 struct GUID guid;
148 struct ldb_result *acl_res;
149 static const char *acl_attrs[] = {
150 "nTSecurityDescriptor",
151 "objectSid",
152 NULL
153 };
154
155 if (ext_right != NULL) {
156 NTSTATUS status = GUID_from_string(ext_right, &guid);
157 if (!NT_STATUS_IS_OK(status)) {
158 return LDB_ERR_OPERATIONS_ERROR;
159 }
160 }
161
162 /*
163 * We need AS_SYSTEM in order to get the nTSecurityDescriptor attribute.
164 * Also the result of this search not controlled by the client
165 * nor is the result exposed to the client.
166 */
167 ret = dsdb_search_dn(ldb, mem_ctx, &acl_res, dn, acl_attrs,
168 DSDB_FLAG_AS_SYSTEM | DSDB_SEARCH_SHOW_RECYCLED);
169 if (ret != LDB_SUCCESS) {
170 DEBUG(10,("access_check: failed to find object %s\n", ldb_dn_get_linearized(dn)));
171 return ret;
172 }
173
174 return dsdb_check_access_on_dn_internal(ldb, acl_res,
175 mem_ctx,
176 token,
177 dn,
178 access_mask,
179 ext_right ? &guid : NULL);
180 }
181