search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
librpc:idl: Make netlogon_samlogon_response public
[Samba.git] / libcli / security / access_check.c
blob81bacc90e78ef397c0a714efc6a5e15785f7e563
1 /*
2 Unix SMB/CIFS implementation.
3
4 Copyright (C) Andrew Tridgell 2004
5 Copyright (C) Gerald Carter 2005
6 Copyright (C) Volker Lendecke 2007
7 Copyright (C) Jeremy Allison 2008
8 Copyright (C) Andrew Bartlett 2010
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "replace.h"
25 #include "lib/util/debug.h"
26 #include "libcli/security/security.h"
27
28 /* Map generic access rights to object specific rights. This technique is
29 used to give meaning to assigning read, write, execute and all access to
30 objects. Each type of object has its own mapping of generic to object
31 specific access rights. */
32
33 void se_map_generic(uint32_t *access_mask, const struct generic_mapping *mapping)
34 {
35 uint32_t old_mask = *access_mask;
36
37 if (*access_mask & GENERIC_READ_ACCESS) {
38 *access_mask &= ~GENERIC_READ_ACCESS;
39 *access_mask |= mapping->generic_read;
40 }
41
42 if (*access_mask & GENERIC_WRITE_ACCESS) {
43 *access_mask &= ~GENERIC_WRITE_ACCESS;
44 *access_mask |= mapping->generic_write;
45 }
46
47 if (*access_mask & GENERIC_EXECUTE_ACCESS) {
48 *access_mask &= ~GENERIC_EXECUTE_ACCESS;
49 *access_mask |= mapping->generic_execute;
50 }
51
52 if (*access_mask & GENERIC_ALL_ACCESS) {
53 *access_mask &= ~GENERIC_ALL_ACCESS;
54 *access_mask |= mapping->generic_all;
55 }
56
57 if (old_mask != *access_mask) {
58 DEBUG(10, ("se_map_generic(): mapped mask 0x%08x to 0x%08x\n",
59 old_mask, *access_mask));
60 }
61 }
62
63 /* Map generic access rights to object specific rights for all the ACE's
64 * in a security_acl.
65 */
66
67 void security_acl_map_generic(struct security_acl *sa,
68 const struct generic_mapping *mapping)
69 {
70 unsigned int i;
71
72 if (!sa) {
73 return;
74 }
75
76 for (i = 0; i < sa->num_aces; i++) {
77 se_map_generic(&sa->aces[i].access_mask, mapping);
78 }
79 }
80
81 /* Map standard access rights to object specific rights. This technique is
82 used to give meaning to assigning read, write, execute and all access to
83 objects. Each type of object has its own mapping of standard to object
84 specific access rights. */
85
86 void se_map_standard(uint32_t *access_mask, const struct standard_mapping *mapping)
87 {
88 uint32_t old_mask = *access_mask;
89
90 if (*access_mask & SEC_STD_READ_CONTROL) {
91 *access_mask &= ~SEC_STD_READ_CONTROL;
92 *access_mask |= mapping->std_read;
93 }
94
95 if (*access_mask & (SEC_STD_DELETE|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE)) {
96 *access_mask &= ~(SEC_STD_DELETE|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE);
97 *access_mask |= mapping->std_all;
98 }
99
100 if (old_mask != *access_mask) {
101 DEBUG(10, ("se_map_standard(): mapped mask 0x%08x to 0x%08x\n",
102 old_mask, *access_mask));
103 }
104 }
105
106 /*
107 perform a SEC_FLAG_MAXIMUM_ALLOWED access check
108 */
109 static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
110 const struct security_token *token,
111 enum implicit_owner_rights implicit_owner_rights)
112 {
113 uint32_t denied = 0, granted = 0;
114 bool am_owner = false;
115 bool have_owner_rights_ace = false;
116 unsigned i;
117
118 if (sd->dacl == NULL) {
119 if (security_token_has_sid(token, sd->owner_sid)) {
120 switch (implicit_owner_rights) {
121 case IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS:
122 granted |= SEC_STD_WRITE_DAC;
123 FALL_THROUGH;
124 case IMPLICIT_OWNER_READ_CONTROL_RIGHTS:
125 granted |= SEC_STD_READ_CONTROL;
126 break;
127 }
128 }
129 return granted;
130 }
131
132 if (security_token_has_sid(token, sd->owner_sid)) {
133 /*
134 * Check for explicit owner rights: if there are none, we remove
135 * the default owner right SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL
136 * from remaining_access. Otherwise we just process the
137 * explicitly granted rights when processing the ACEs.
138 */
139 am_owner = true;
140
141 for (i=0; i < sd->dacl->num_aces; i++) {
142 struct security_ace *ace = &sd->dacl->aces[i];
143
144 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
145 continue;
146 }
147
148 have_owner_rights_ace = dom_sid_equal(
149 &ace->trustee, &global_sid_Owner_Rights);
150 if (have_owner_rights_ace) {
151 break;
152 }
153 }
154 }
155
156 if (am_owner && !have_owner_rights_ace) {
157 switch (implicit_owner_rights) {
158 case IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS:
159 granted |= SEC_STD_WRITE_DAC;
160 FALL_THROUGH;
161 case IMPLICIT_OWNER_READ_CONTROL_RIGHTS:
162 granted |= SEC_STD_READ_CONTROL;
163 break;
164 }
165 }
166
167 for (i = 0;i<sd->dacl->num_aces; i++) {
168 struct security_ace *ace = &sd->dacl->aces[i];
169 bool is_owner_rights_ace = false;
170
171 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
172 continue;
173 }
174
175 if (am_owner) {
176 is_owner_rights_ace = dom_sid_equal(
177 &ace->trustee, &global_sid_Owner_Rights);
178 }
179
180 if (!is_owner_rights_ace &&
181 !security_token_has_sid(token, &ace->trustee))
182 {
183 continue;
184 }
185
186 switch (ace->type) {
187 case SEC_ACE_TYPE_ACCESS_ALLOWED:
188 granted |= ace->access_mask;
189 break;
190 case SEC_ACE_TYPE_ACCESS_DENIED:
191 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
192 denied |= ~granted & ace->access_mask;
193 break;
194 default: /* Other ACE types not handled/supported */
195 break;
196 }
197 }
198
199 return granted & ~denied;
200 }
201
202 static NTSTATUS se_access_check_implicit_owner(const struct security_descriptor *sd,
203 const struct security_token *token,
204 uint32_t access_desired,
205 uint32_t *access_granted,
206 enum implicit_owner_rights implicit_owner_rights)
207 {
208 uint32_t i;
209 uint32_t bits_remaining;
210 uint32_t explicitly_denied_bits = 0;
211 bool am_owner = false;
212 bool have_owner_rights_ace = false;
213
214 *access_granted = access_desired;
215 bits_remaining = access_desired;
216
217 /* handle the maximum allowed flag */
218 if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
219 uint32_t orig_access_desired = access_desired;
220
221 access_desired |= access_check_max_allowed(sd, token, implicit_owner_rights);
222 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
223 *access_granted = access_desired;
224 bits_remaining = access_desired;
225
226 DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n",
227 orig_access_desired,
228 *access_granted,
229 bits_remaining));
230 }
231
232 /* a NULL dacl allows access */
233 if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
234 *access_granted = access_desired;
235 return NT_STATUS_OK;
236 }
237
238 if (sd->dacl == NULL) {
239 goto done;
240 }
241
242 if (security_token_has_sid(token, sd->owner_sid)) {
243 /*
244 * Check for explicit owner rights: if there are none, we remove
245 * the default owner right SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL
246 * from remaining_access. Otherwise we just process the
247 * explicitly granted rights when processing the ACEs.
248 */
249 am_owner = true;
250
251 for (i=0; i < sd->dacl->num_aces; i++) {
252 struct security_ace *ace = &sd->dacl->aces[i];
253
254 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
255 continue;
256 }
257
258 have_owner_rights_ace = dom_sid_equal(
259 &ace->trustee, &global_sid_Owner_Rights);
260 if (have_owner_rights_ace) {
261 break;
262 }
263 }
264 }
265 if (am_owner && !have_owner_rights_ace) {
266 switch (implicit_owner_rights) {
267 case IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS:
268 bits_remaining &= ~SEC_STD_WRITE_DAC;
269 FALL_THROUGH;
270 case IMPLICIT_OWNER_READ_CONTROL_RIGHTS:
271 bits_remaining &= ~SEC_STD_READ_CONTROL;
272 break;
273 }
274 }
275
276 /* check each ace in turn. */
277 for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
278 struct security_ace *ace = &sd->dacl->aces[i];
279 bool is_owner_rights_ace = false;
280
281 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
282 continue;
283 }
284
285 if (am_owner) {
286 is_owner_rights_ace = dom_sid_equal(
287 &ace->trustee, &global_sid_Owner_Rights);
288 }
289
290 if (!is_owner_rights_ace &&
291 !security_token_has_sid(token, &ace->trustee))
292 {
293 continue;
294 }
295
296 switch (ace->type) {
297 case SEC_ACE_TYPE_ACCESS_ALLOWED:
298 bits_remaining &= ~ace->access_mask;
299 break;
300 case SEC_ACE_TYPE_ACCESS_DENIED:
301 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
302 explicitly_denied_bits |= (bits_remaining & ace->access_mask);
303 break;
304 default: /* Other ACE types not handled/supported */
305 break;
306 }
307 }
308
309 /* Explicitly denied bits always override */
310 bits_remaining |= explicitly_denied_bits;
311
312 /*
313 * We check privileges here because they override even DENY entries.
314 */
315
316 /* Does the user have the privilege to gain SEC_PRIV_SECURITY? */
317 if (bits_remaining & SEC_FLAG_SYSTEM_SECURITY) {
318 if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
319 bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
320 } else {
321 return NT_STATUS_PRIVILEGE_NOT_HELD;
322 }
323 }
324
325 if ((bits_remaining & SEC_STD_WRITE_OWNER) &&
326 security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
327 bits_remaining &= ~(SEC_STD_WRITE_OWNER);
328 }
329
330 done:
331 if (bits_remaining != 0) {
332 *access_granted = bits_remaining;
333 return NT_STATUS_ACCESS_DENIED;
334 }
335
336 return NT_STATUS_OK;
337 }
338
339 /*
340 The main entry point for access checking. If returning ACCESS_DENIED
341 this function returns the denied bits in the uint32_t pointed
342 to by the access_granted pointer.
343 */
344 NTSTATUS se_access_check(const struct security_descriptor *sd,
345 const struct security_token *token,
346 uint32_t access_desired,
347 uint32_t *access_granted)
348 {
349 return se_access_check_implicit_owner(sd,
350 token,
351 access_desired,
352 access_granted,
353 IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS);
354 }
355
356 /*
357 The main entry point for access checking FOR THE FILE SERVER ONLY !
358 If returning ACCESS_DENIED this function returns the denied bits in
359 the uint32_t pointed to by the access_granted pointer.
360 */
361 NTSTATUS se_file_access_check(const struct security_descriptor *sd,
362 const struct security_token *token,
363 bool priv_open_requested,
364 uint32_t access_desired,
365 uint32_t *access_granted)
366 {
367 uint32_t bits_remaining;
368 NTSTATUS status;
369
370 if (!priv_open_requested) {
371 /* Fall back to generic se_access_check(). */
372 return se_access_check_implicit_owner(sd,
373 token,
374 access_desired,
375 access_granted,
376 IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS);
377 }
378
379 /*
380 * We need to handle the maximum allowed flag
381 * outside of se_access_check(), as we need to
382 * add in the access allowed by the privileges
383 * as well.
384 */
385
386 if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
387 uint32_t orig_access_desired = access_desired;
388
389 access_desired |= access_check_max_allowed(sd, token, true);
390 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
391
392 if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
393 access_desired |= SEC_RIGHTS_PRIV_BACKUP;
394 }
395
396 if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
397 access_desired |= SEC_RIGHTS_PRIV_RESTORE;
398 }
399
400 DEBUG(10,("se_file_access_check: MAX desired = 0x%x "
401 "mapped to 0x%x\n",
402 orig_access_desired,
403 access_desired));
404 }
405
406 status = se_access_check_implicit_owner(sd,
407 token,
408 access_desired,
409 access_granted,
410 IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS);
411
412 if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
413 return status;
414 }
415
416 bits_remaining = *access_granted;
417
418 /* Check if we should override with privileges. */
419 if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
420 security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
421 bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
422 }
423 if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
424 security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
425 bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
426 }
427 if (bits_remaining != 0) {
428 *access_granted = bits_remaining;
429 return NT_STATUS_ACCESS_DENIED;
430 }
431
432 return NT_STATUS_OK;
433 }
434
435 static const struct GUID *get_ace_object_type(const struct security_ace *ace)
436 {
437 if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
438 return &ace->object.object.type.type;
439 }
440
441 return NULL;
442 }
443
444 /**
445 * Evaluates access rights specified in a object-specific ACE for an AD object.
446 * This logic corresponds to MS-ADTS 5.1.3.3.3 Checking Object-Specific Access.
447 * @param[in] ace - the ACE being processed
448 * @param[in/out] tree - remaining_access gets updated for the tree
449 * @param[out] grant_access - set to true if the ACE grants sufficient access
450 * rights to the object/attribute
451 * @returns NT_STATUS_OK, unless access was denied
452 */
453 static NTSTATUS check_object_specific_access(const struct security_ace *ace,
454 struct object_tree *tree,
455 bool *grant_access)
456 {
457 struct object_tree *node = NULL;
458 const struct GUID *type = NULL;
459
460 *grant_access = false;
461
462 /* if no tree was supplied, we can't do object-specific access checks */
463 if (!tree) {
464 return NT_STATUS_OK;
465 }
466
467 /* Get the ObjectType GUID this ACE applies to */
468 type = get_ace_object_type(ace);
469
470 /*
471 * If the ACE doesn't have a type, then apply it to the whole tree, i.e.
472 * treat 'OA' ACEs as 'A' and 'OD' as 'D'
473 */
474 if (!type) {
475 node = tree;
476 } else {
477
478 /* skip it if the ACE's ObjectType GUID is not in the tree */
479 node = get_object_tree_by_GUID(tree, type);
480 if (!node) {
481 return NT_STATUS_OK;
482 }
483 }
484
485 if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
486
487 /* apply the access rights to this node, and any children */
488 object_tree_modify_access(node, ace->access_mask);
489
490 /*
491 * Currently all nodes in the tree request the same access mask,
492 * so we can use any node to check if processing this ACE now
493 * means the requested access has been granted
494 */
495 if (node->remaining_access == 0) {
496 *grant_access = true;
497 return NT_STATUS_OK;
498 }
499
500 /*
501 * As per 5.1.3.3.4 Checking Control Access Right-Based Access,
502 * if the CONTROL_ACCESS right is present, then we can grant
503 * access and stop any further access checks
504 */
505 if (ace->access_mask & SEC_ADS_CONTROL_ACCESS) {
506 *grant_access = true;
507 return NT_STATUS_OK;
508 }
509 } else {
510
511 /* this ACE denies access to the requested object/attribute */
512 if (node->remaining_access & ace->access_mask){
513 return NT_STATUS_ACCESS_DENIED;
514 }
515 }
516 return NT_STATUS_OK;
517 }
518
519 NTSTATUS sec_access_check_ds_implicit_owner(const struct security_descriptor *sd,
520 const struct security_token *token,
521 uint32_t access_desired,
522 uint32_t *access_granted,
523 struct object_tree *tree,
524 const struct dom_sid *replace_sid,
525 enum implicit_owner_rights implicit_owner_rights)
526 {
527 uint32_t i;
528 uint32_t bits_remaining;
529 struct dom_sid self_sid;
530
531 dom_sid_parse(SID_NT_SELF, &self_sid);
532
533 *access_granted = access_desired;
534 bits_remaining = access_desired;
535
536 /* handle the maximum allowed flag */
537 if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
538 access_desired |= access_check_max_allowed(sd, token, implicit_owner_rights);
539 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
540 *access_granted = access_desired;
541 bits_remaining = access_desired;
542 }
543
544 if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
545 if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
546 bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
547 } else {
548 return NT_STATUS_PRIVILEGE_NOT_HELD;
549 }
550 }
551
552 /* the owner always gets SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL */
553 if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL)) &&
554 security_token_has_sid(token, sd->owner_sid)) {
555 switch (implicit_owner_rights) {
556 case IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS:
557 bits_remaining &= ~SEC_STD_WRITE_DAC;
558 FALL_THROUGH;
559 case IMPLICIT_OWNER_READ_CONTROL_RIGHTS:
560 bits_remaining &= ~SEC_STD_READ_CONTROL;
561 break;
562 }
563 }
564
565 /* SEC_PRIV_TAKE_OWNERSHIP grants SEC_STD_WRITE_OWNER */
566 if ((bits_remaining & (SEC_STD_WRITE_OWNER)) &&
567 security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
568 bits_remaining &= ~(SEC_STD_WRITE_OWNER);
569 }
570
571 /* a NULL dacl allows access */
572 if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
573 *access_granted = access_desired;
574 return NT_STATUS_OK;
575 }
576
577 if (sd->dacl == NULL) {
578 goto done;
579 }
580
581 /* check each ace in turn. */
582 for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
583 const struct dom_sid *trustee;
584 const struct security_ace *ace = &sd->dacl->aces[i];
585 NTSTATUS status;
586 bool grant_access = false;
587
588 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
589 continue;
590 }
591
592 if (dom_sid_equal(&ace->trustee, &self_sid) && replace_sid) {
593 trustee = replace_sid;
594 } else {
595 trustee = &ace->trustee;
596 }
597
598 if (!security_token_has_sid(token, trustee)) {
599 continue;
600 }
601
602 switch (ace->type) {
603 case SEC_ACE_TYPE_ACCESS_ALLOWED:
604 if (tree) {
605 object_tree_modify_access(tree, ace->access_mask);
606 }
607
608 bits_remaining &= ~ace->access_mask;
609 break;
610 case SEC_ACE_TYPE_ACCESS_DENIED:
611 if (bits_remaining & ace->access_mask) {
612 return NT_STATUS_ACCESS_DENIED;
613 }
614 break;
615 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
616 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
617 status = check_object_specific_access(ace, tree,
618 &grant_access);
619
620 if (!NT_STATUS_IS_OK(status)) {
621 return status;
622 }
623
624 if (grant_access) {
625 return NT_STATUS_OK;
626 }
627 break;
628 default: /* Other ACE types not handled/supported */
629 break;
630 }
631 }
632
633 done:
634 if (bits_remaining != 0) {
635 return NT_STATUS_ACCESS_DENIED;
636 }
637
638 return NT_STATUS_OK;
639 }
640
641 /**
642 * @brief Perform directoryservice (DS) related access checks for a given user
643 *
644 * Perform DS access checks for the user represented by its security_token, on
645 * the provided security descriptor. If an tree associating GUID and access
646 * required is provided then object access (OA) are checked as well. *
647 * @param[in] sd The security descriptor against which the required
648 * access are requested
649 *
650 * @param[in] token The security_token associated with the user to
651 * test
652 *
653 * @param[in] access_desired A bitfield of rights that must be granted for the
654 * given user in the specified SD.
655 *
656 * If one
657 * of the entry in the tree grants all the requested rights for the given GUID
658 * FIXME
659 * tree can be null if not null it's the
660 * Lots of code duplication, it will be united in just one
661 * function eventually */
662
663 NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
664 const struct security_token *token,
665 uint32_t access_desired,
666 uint32_t *access_granted,
667 struct object_tree *tree,
668 struct dom_sid *replace_sid)
669 {
670 return sec_access_check_ds_implicit_owner(sd,
671 token,
672 access_desired,
673 access_granted,
674 tree,
675 replace_sid,
676 IMPLICIT_OWNER_READ_CONTROL_RIGHTS);
677 }
Samba GIT mirror