search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
librpc:idl: Make netlogon_samlogon_response public
[Samba.git] / libcli / security / create_descriptor.c
blob3d9672f5c6a3b34063df50e6a588ed7d6afac911
1 /*
2 Copyright (C) Nadezhda Ivanova 2009
3
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 3 of the License, or
7 (at your option) any later version.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program. If not, see <http://www.gnu.org/licenses/>.
16 */
17
18 /*
19 * Name: create_descriptor
20 *
21 * Component: routines for calculating and creating security descriptors
22 * as described in MS-DTYP 2.5.3.x
23 *
24 * Description:
25 *
26 *
27 * Author: Nadezhda Ivanova
28 */
29 #include "replace.h"
30 #include "lib/util/debug.h"
31 #include "libcli/security/security.h"
32 #include "librpc/gen_ndr/ndr_security.h"
33
34 /* Todos:
35 * build the security token dacl as follows:
36 * SYSTEM: GA, OWNER: GA, LOGIN_SID:GW|GE
37 * Need session id information for the login SID. Probably
38 * the best place for this is during token creation
39 *
40 * Implement SD Invariants
41 * ACE sorting rules
42 * LDAP_SERVER_SD_FLAGS_OID control
43 * ADTS 7.1.3.3 needs to be clarified
44 */
45
46 /* the mapping function for generic rights for DS.(GA,GR,GW,GX)
47 * The mapping function is passed as an argument to the
48 * descriptor calculating routine and depends on the security
49 * manager that calls the calculating routine.
50 * TODO: need similar mappings for the file system and
51 * registry security managers in order to make this code
52 * generic for all security managers
53 */
54
55 uint32_t map_generic_rights_ds(uint32_t access_mask)
56 {
57 if (access_mask & SEC_GENERIC_ALL) {
58 access_mask |= SEC_ADS_GENERIC_ALL;
59 access_mask &= ~SEC_GENERIC_ALL;
60 }
61
62 if (access_mask & SEC_GENERIC_EXECUTE) {
63 access_mask |= SEC_ADS_GENERIC_EXECUTE;
64 access_mask &= ~SEC_GENERIC_EXECUTE;
65 }
66
67 if (access_mask & SEC_GENERIC_WRITE) {
68 access_mask |= SEC_ADS_GENERIC_WRITE;
69 access_mask &= ~SEC_GENERIC_WRITE;
70 }
71
72 if (access_mask & SEC_GENERIC_READ) {
73 access_mask |= SEC_ADS_GENERIC_READ;
74 access_mask &= ~SEC_GENERIC_READ;
75 }
76
77 return access_mask;
78 }
79
80 /* Not sure what this has to be,
81 * and it does not seem to have any influence */
82 static bool object_in_list(const struct GUID *object_list, const struct GUID *object)
83 {
84 size_t i;
85
86 if (object_list == NULL) {
87 return true;
88 }
89
90 if (GUID_all_zero(object)) {
91 return true;
92 }
93
94 for (i=0; ; i++) {
95 if (GUID_all_zero(&object_list[i])) {
96 return false;
97 }
98 if (!GUID_equal(&object_list[i], object)) {
99 continue;
100 }
101
102 return true;
103 }
104
105 return false;
106 }
107
108 /* returns true if the ACE gontains generic information
109 * that needs to be processed additionally */
110
111 static bool desc_ace_has_generic(const struct security_ace *ace)
112 {
113 if (ace->access_mask & SEC_GENERIC_ALL || ace->access_mask & SEC_GENERIC_READ ||
114 ace->access_mask & SEC_GENERIC_WRITE || ace->access_mask & SEC_GENERIC_EXECUTE) {
115 return true;
116 }
117 if (dom_sid_equal(&ace->trustee, &global_sid_Creator_Owner) ||
118 dom_sid_equal(&ace->trustee, &global_sid_Creator_Group)) {
119 return true;
120 }
121 return false;
122 }
123
124 /* creates an ace in which the generic information is expanded */
125
126 static void desc_expand_generic(struct security_ace *new_ace,
127 struct dom_sid *owner,
128 struct dom_sid *group)
129 {
130 new_ace->access_mask = map_generic_rights_ds(new_ace->access_mask);
131 if (dom_sid_equal(&new_ace->trustee, &global_sid_Creator_Owner)) {
132 new_ace->trustee = *owner;
133 }
134 if (dom_sid_equal(&new_ace->trustee, &global_sid_Creator_Group)) {
135 new_ace->trustee = *group;
136 }
137 new_ace->flags = 0x0;
138 }
139
140 static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
141 struct security_acl *acl,
142 bool is_container,
143 struct dom_sid *owner,
144 struct dom_sid *group,
145 struct GUID *object_list)
146 {
147 uint32_t i;
148 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
149 struct security_acl *tmp_acl = talloc_zero(mem_ctx, struct security_acl);
150 if (!tmp_acl) {
151 return NULL;
152 }
153
154 if (!acl) {
155 return NULL;
156 }
157
158 for (i=0; i < acl->num_aces; i++) {
159 const struct security_ace *ace = &acl->aces[i];
160 const struct GUID *inherited_object = NULL;
161 const struct GUID *inherited_property = NULL;
162 struct security_ace *tmp_ace = NULL;
163 bool applies = false;
164 bool inherited_only = false;
165 bool expand_ace = false;
166 bool expand_only = false;
167
168 if (is_container && (ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT)) {
169 applies = true;
170 } else if (!is_container && (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) {
171 applies = true;
172 }
173
174 if (!applies) {
175 /*
176 * If the ace doesn't apply to the
177 * current node, we should only keep
178 * it as SEC_ACE_FLAG_OBJECT_INHERIT
179 * on a container. We'll add
180 * SEC_ACE_FLAG_INHERITED_ACE
181 * and SEC_ACE_FLAG_INHERIT_ONLY below.
182 *
183 * Otherwise we should completely ignore it.
184 */
185 if (!(ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) {
186 continue;
187 }
188 }
189
190 switch (ace->type) {
191 case SEC_ACE_TYPE_ACCESS_ALLOWED:
192 case SEC_ACE_TYPE_ACCESS_DENIED:
193 case SEC_ACE_TYPE_SYSTEM_AUDIT:
194 case SEC_ACE_TYPE_SYSTEM_ALARM:
195 case SEC_ACE_TYPE_ALLOWED_COMPOUND:
196 break;
197
198 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
199 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
200 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
201 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
202 if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
203 inherited_property = &ace->object.object.type.type;
204 }
205 if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
206 inherited_object = &ace->object.object.inherited_type.inherited_type;
207 }
208
209 if (inherited_object != NULL && !object_in_list(object_list, inherited_object)) {
210 /*
211 * An explicit object class schemaId is given,
212 * but doesn't belong to the current object.
213 */
214 applies = false;
215 }
216
217 break;
218 }
219
220 if (ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
221 if (!applies) {
222 /*
223 * If the ACE doesn't apply to
224 * the current object, we should
225 * ignore it as it should not be
226 * inherited any further
227 */
228 continue;
229 }
230 /*
231 * We should only keep the expanded version
232 * of the ACE on the current object.
233 */
234 expand_ace = true;
235 expand_only = true;
236 } else if (applies) {
237 /*
238 * We check if should also add
239 * the expanded version of the ACE
240 * in addition, in case we should
241 * expand generic access bits or
242 * special sids.
243 *
244 * In that case we need to
245 * keep the original ACE with
246 * SEC_ACE_FLAG_INHERIT_ONLY.
247 */
248 expand_ace = desc_ace_has_generic(ace);
249 if (expand_ace) {
250 inherited_only = true;
251 }
252 } else {
253 /*
254 * If the ACE doesn't apply
255 * to the current object,
256 * we need to keep it with
257 * SEC_ACE_FLAG_INHERIT_ONLY
258 * in order to apply them to
259 * grandchildren
260 */
261 inherited_only = true;
262 }
263
264 if (expand_ace) {
265 tmp_acl->aces = talloc_realloc(tmp_acl,
266 tmp_acl->aces,
267 struct security_ace,
268 tmp_acl->num_aces+1);
269 if (tmp_acl->aces == NULL) {
270 talloc_free(tmp_ctx);
271 return NULL;
272 }
273
274 tmp_ace = &tmp_acl->aces[tmp_acl->num_aces];
275 tmp_acl->num_aces++;
276
277 *tmp_ace = *ace;
278
279 /*
280 * Expand generic access bits as well as special
281 * sids.
282 */
283 desc_expand_generic(tmp_ace, owner, group);
284
285 /*
286 * Expanded ACEs are marked as inherited,
287 * but never inherited any further to
288 * grandchildren.
289 */
290 tmp_ace->flags |= SEC_ACE_FLAG_INHERITED_ACE;
291 tmp_ace->flags &= ~SEC_ACE_FLAG_CONTAINER_INHERIT;
292 tmp_ace->flags &= ~SEC_ACE_FLAG_OBJECT_INHERIT;
293 tmp_ace->flags &= ~SEC_ACE_FLAG_NO_PROPAGATE_INHERIT;
294
295 /*
296 * Expanded ACEs never have an explicit
297 * object class schemaId, so clear it
298 * if present.
299 */
300 if (inherited_object != NULL) {
301 tmp_ace->object.object.flags &= ~SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT;
302 }
303
304 /*
305 * If the ACE had an explicit object class
306 * schemaId, but no attribute/propertySet
307 * we need to downgrade the _OBJECT variants
308 * to the normal ones.
309 */
310 if (inherited_property == NULL) {
311 switch (tmp_ace->type) {
312 case SEC_ACE_TYPE_ACCESS_ALLOWED:
313 case SEC_ACE_TYPE_ACCESS_DENIED:
314 case SEC_ACE_TYPE_SYSTEM_AUDIT:
315 case SEC_ACE_TYPE_SYSTEM_ALARM:
316 case SEC_ACE_TYPE_ALLOWED_COMPOUND:
317 break;
318 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
319 tmp_ace->type = SEC_ACE_TYPE_ACCESS_ALLOWED;
320 break;
321 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
322 tmp_ace->type = SEC_ACE_TYPE_ACCESS_DENIED;
323 break;
324 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
325 tmp_ace->type = SEC_ACE_TYPE_SYSTEM_ALARM;
326 break;
327 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
328 tmp_ace->type = SEC_ACE_TYPE_SYSTEM_AUDIT;
329 break;
330 }
331 }
332
333 if (expand_only) {
334 continue;
335 }
336 }
337
338 tmp_acl->aces = talloc_realloc(tmp_acl,
339 tmp_acl->aces,
340 struct security_ace,
341 tmp_acl->num_aces+1);
342 if (tmp_acl->aces == NULL) {
343 talloc_free(tmp_ctx);
344 return NULL;
345 }
346
347 tmp_ace = &tmp_acl->aces[tmp_acl->num_aces];
348 tmp_acl->num_aces++;
349
350 *tmp_ace = *ace;
351 tmp_ace->flags |= SEC_ACE_FLAG_INHERITED_ACE;
352
353 if (inherited_only) {
354 tmp_ace->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
355 } else {
356 tmp_ace->flags &= ~SEC_ACE_FLAG_INHERIT_ONLY;
357 }
358
359 if (ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
360 tmp_ace->flags &= ~SEC_ACE_FLAG_CONTAINER_INHERIT;
361 tmp_ace->flags &= ~SEC_ACE_FLAG_OBJECT_INHERIT;
362 tmp_ace->flags &= ~SEC_ACE_FLAG_NO_PROPAGATE_INHERIT;
363 }
364 }
365 if (tmp_acl->num_aces == 0) {
366 return NULL;
367 }
368 if (acl) {
369 tmp_acl->revision = acl->revision;
370 }
371 return tmp_acl;
372 }
373
374 static struct security_acl *process_user_acl(TALLOC_CTX *mem_ctx,
375 struct security_acl *acl,
376 bool is_container,
377 struct dom_sid *owner,
378 struct dom_sid *group,
379 struct GUID *object_list,
380 bool is_protected)
381 {
382 uint32_t i;
383 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
384 struct security_acl *tmp_acl = talloc_zero(tmp_ctx, struct security_acl);
385 struct security_acl *new_acl;
386
387 if (!acl)
388 return NULL;
389
390 if (!tmp_acl)
391 return NULL;
392
393 tmp_acl->revision = acl->revision;
394 DBG_DEBUG("acl revision %d\n", acl->revision);
395
396 for (i=0; i < acl->num_aces; i++){
397 struct security_ace *ace = &acl->aces[i];
398 /* Remove ID flags from user-provided ACEs
399 * if we break inheritance, ignore them otherwise */
400 if (ace->flags & SEC_ACE_FLAG_INHERITED_ACE) {
401 if (is_protected) {
402 ace->flags &= ~SEC_ACE_FLAG_INHERITED_ACE;
403 } else {
404 continue;
405 }
406 }
407
408 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY &&
409 !(ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT ||
410 ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT))
411 continue;
412
413 tmp_acl->aces = talloc_realloc(tmp_acl,
414 tmp_acl->aces,
415 struct security_ace,
416 tmp_acl->num_aces+1);
417 tmp_acl->aces[tmp_acl->num_aces] = *ace;
418 tmp_acl->num_aces++;
419 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
420 continue;
421 }
422 /* if the ACE contains CO, CG, GA, GE, GR or GW, and is inheritable
423 * it has to be expanded to two aces, the original as IO,
424 * and another one where these are translated */
425 if (desc_ace_has_generic(ace)) {
426 if (!(ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT)) {
427 desc_expand_generic(&tmp_acl->aces[tmp_acl->num_aces-1],
428 owner,
429 group);
430 } else {
431 /*The original ACE becomes read only */
432 tmp_acl->aces[tmp_acl->num_aces-1].flags |= SEC_ACE_FLAG_INHERIT_ONLY;
433 tmp_acl->aces = talloc_realloc(tmp_acl, tmp_acl->aces,
434 struct security_ace,
435 tmp_acl->num_aces+1);
436 /* add a new ACE with expanded generic info */
437 tmp_acl->aces[tmp_acl->num_aces] = *ace;
438 desc_expand_generic(&tmp_acl->aces[tmp_acl->num_aces],
439 owner,
440 group);
441 tmp_acl->num_aces++;
442 }
443 }
444 }
445 new_acl = security_acl_dup(mem_ctx,tmp_acl);
446
447 if (new_acl)
448 new_acl->revision = acl->revision;
449
450 talloc_free(tmp_ctx);
451 return new_acl;
452 }
453
454 static void cr_descr_log_descriptor(struct security_descriptor *sd,
455 const char *message,
456 int level)
457 {
458 if (sd) {
459 DEBUG(level,("%s: %s\n", message,
460 ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_descriptor,
461 "", sd)));
462 }
463 else {
464 DEBUG(level,("%s: NULL\n", message));
465 }
466 }
467
468 #if 0
469 static void cr_descr_log_acl(struct security_acl *acl,
470 const char *message,
471 int level)
472 {
473 if (acl) {
474 DEBUG(level,("%s: %s\n", message,
475 ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_acl,
476 "", acl)));
477 }
478 else {
479 DEBUG(level,("%s: NULL\n", message));
480 }
481 }
482 #endif
483
484 static bool compute_acl(struct security_descriptor *parent_sd,
485 struct security_descriptor *creator_sd,
486 bool is_container,
487 uint32_t inherit_flags,
488 struct GUID *object_list,
489 uint32_t (*generic_map)(uint32_t access_mask),
490 struct security_token *token,
491 struct security_descriptor *new_sd) /* INOUT argument */
492 {
493 struct security_acl *user_dacl, *user_sacl, *inherited_dacl, *inherited_sacl;
494 int level = 10;
495
496 if (!parent_sd || !(inherit_flags & SEC_DACL_AUTO_INHERIT)) {
497 inherited_dacl = NULL;
498 } else if (creator_sd && (creator_sd->type & SEC_DESC_DACL_PROTECTED)) {
499 inherited_dacl = NULL;
500 } else {
501 inherited_dacl = calculate_inherited_from_parent(new_sd,
502 parent_sd->dacl,
503 is_container,
504 new_sd->owner_sid,
505 new_sd->group_sid,
506 object_list);
507 }
508
509
510 if (!parent_sd || !(inherit_flags & SEC_SACL_AUTO_INHERIT)) {
511 inherited_sacl = NULL;
512 } else if (creator_sd && (creator_sd->type & SEC_DESC_SACL_PROTECTED)) {
513 inherited_sacl = NULL;
514 } else {
515 inherited_sacl = calculate_inherited_from_parent(new_sd,
516 parent_sd->sacl,
517 is_container,
518 new_sd->owner_sid,
519 new_sd->group_sid,
520 object_list);
521 }
522
523 if (!creator_sd || (inherit_flags & SEC_DEFAULT_DESCRIPTOR)) {
524 user_dacl = NULL;
525 user_sacl = NULL;
526 } else {
527 user_dacl = process_user_acl(new_sd,
528 creator_sd->dacl,
529 is_container,
530 new_sd->owner_sid,
531 new_sd->group_sid,
532 object_list,
533 creator_sd->type & SEC_DESC_DACL_PROTECTED);
534 user_sacl = process_user_acl(new_sd,
535 creator_sd->sacl,
536 is_container,
537 new_sd->owner_sid,
538 new_sd->group_sid,
539 object_list,
540 creator_sd->type & SEC_DESC_SACL_PROTECTED);
541 }
542 cr_descr_log_descriptor(parent_sd, __location__"parent_sd", level);
543 cr_descr_log_descriptor(creator_sd,__location__ "creator_sd", level);
544
545 new_sd->dacl = security_acl_concatenate(new_sd, user_dacl, inherited_dacl);
546 if (new_sd->dacl) {
547 new_sd->type |= SEC_DESC_DACL_PRESENT;
548 }
549 if (inherited_dacl) {
550 new_sd->type |= SEC_DESC_DACL_AUTO_INHERITED;
551 }
552
553 new_sd->sacl = security_acl_concatenate(new_sd, user_sacl, inherited_sacl);
554 if (new_sd->sacl) {
555 new_sd->type |= SEC_DESC_SACL_PRESENT;
556 }
557 if (inherited_sacl) {
558 new_sd->type |= SEC_DESC_SACL_AUTO_INHERITED;
559 }
560 /* This is a hack to handle the fact that
561 * apprantly any AI flag provided by the user is preserved */
562 if (creator_sd)
563 new_sd->type |= creator_sd->type;
564 cr_descr_log_descriptor(new_sd, __location__"final sd", level);
565 return true;
566 }
567
568 struct security_descriptor *create_security_descriptor(TALLOC_CTX *mem_ctx,
569 struct security_descriptor *parent_sd,
570 struct security_descriptor *creator_sd,
571 bool is_container,
572 struct GUID *object_list,
573 uint32_t inherit_flags,
574 struct security_token *token,
575 struct dom_sid *default_owner, /* valid only for DS, NULL for the other RSs */
576 struct dom_sid *default_group, /* valid only for DS, NULL for the other RSs */
577 uint32_t (*generic_map)(uint32_t access_mask))
578 {
579 struct security_descriptor *new_sd;
580 struct dom_sid *new_owner = NULL;
581 struct dom_sid *new_group = NULL;
582
583 new_sd = security_descriptor_initialise(mem_ctx);
584 if (!new_sd) {
585 return NULL;
586 }
587
588 if (!creator_sd || !creator_sd->owner_sid) {
589 if ((inherit_flags & SEC_OWNER_FROM_PARENT) && parent_sd) {
590 new_owner = parent_sd->owner_sid;
591 } else if (!default_owner) {
592 new_owner = &token->sids[PRIMARY_USER_SID_INDEX];
593 } else {
594 new_owner = default_owner;
595 new_sd->type |= SEC_DESC_OWNER_DEFAULTED;
596 }
597 } else {
598 new_owner = creator_sd->owner_sid;
599 }
600
601 if (!creator_sd || !creator_sd->group_sid){
602 if ((inherit_flags & SEC_GROUP_FROM_PARENT) && parent_sd) {
603 new_group = parent_sd->group_sid;
604 } else if (!default_group && token->num_sids > PRIMARY_GROUP_SID_INDEX) {
605 new_group = &token->sids[PRIMARY_GROUP_SID_INDEX];
606 } else if (!default_group) {
607 /* This will happen only for anonymous, which has no other groups */
608 new_group = &token->sids[PRIMARY_USER_SID_INDEX];
609 } else {
610 new_group = default_group;
611 new_sd->type |= SEC_DESC_GROUP_DEFAULTED;
612 }
613 } else {
614 new_group = creator_sd->group_sid;
615 }
616
617 new_sd->owner_sid = talloc_memdup(new_sd, new_owner, sizeof(struct dom_sid));
618 new_sd->group_sid = talloc_memdup(new_sd, new_group, sizeof(struct dom_sid));
619 if (!new_sd->owner_sid || !new_sd->group_sid){
620 talloc_free(new_sd);
621 return NULL;
622 }
623
624 if (!compute_acl(parent_sd, creator_sd,
625 is_container, inherit_flags, object_list,
626 generic_map,token,new_sd)){
627 talloc_free(new_sd);
628 return NULL;
629 }
630
631 return new_sd;
632 }
Samba GIT mirror