search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert "s3: vfs: add user_vfs_evg to connection_struct"
[Samba.git] / libcli / security / access_check.c
blob03a7dca4adf899d9e72c1d0c52645db32aa17989
1 /*
2 Unix SMB/CIFS implementation.
3
4 Copyright (C) Andrew Tridgell 2004
5 Copyright (C) Gerald Carter 2005
6 Copyright (C) Volker Lendecke 2007
7 Copyright (C) Jeremy Allison 2008
8 Copyright (C) Andrew Bartlett 2010
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "libcli/security/security.h"
26
27 /* Map generic access rights to object specific rights. This technique is
28 used to give meaning to assigning read, write, execute and all access to
29 objects. Each type of object has its own mapping of generic to object
30 specific access rights. */
31
32 void se_map_generic(uint32_t *access_mask, const struct generic_mapping *mapping)
33 {
34 uint32_t old_mask = *access_mask;
35
36 if (*access_mask & GENERIC_READ_ACCESS) {
37 *access_mask &= ~GENERIC_READ_ACCESS;
38 *access_mask |= mapping->generic_read;
39 }
40
41 if (*access_mask & GENERIC_WRITE_ACCESS) {
42 *access_mask &= ~GENERIC_WRITE_ACCESS;
43 *access_mask |= mapping->generic_write;
44 }
45
46 if (*access_mask & GENERIC_EXECUTE_ACCESS) {
47 *access_mask &= ~GENERIC_EXECUTE_ACCESS;
48 *access_mask |= mapping->generic_execute;
49 }
50
51 if (*access_mask & GENERIC_ALL_ACCESS) {
52 *access_mask &= ~GENERIC_ALL_ACCESS;
53 *access_mask |= mapping->generic_all;
54 }
55
56 if (old_mask != *access_mask) {
57 DEBUG(10, ("se_map_generic(): mapped mask 0x%08x to 0x%08x\n",
58 old_mask, *access_mask));
59 }
60 }
61
62 /* Map generic access rights to object specific rights for all the ACE's
63 * in a security_acl.
64 */
65
66 void security_acl_map_generic(struct security_acl *sa,
67 const struct generic_mapping *mapping)
68 {
69 unsigned int i;
70
71 if (!sa) {
72 return;
73 }
74
75 for (i = 0; i < sa->num_aces; i++) {
76 se_map_generic(&sa->aces[i].access_mask, mapping);
77 }
78 }
79
80 /* Map standard access rights to object specific rights. This technique is
81 used to give meaning to assigning read, write, execute and all access to
82 objects. Each type of object has its own mapping of standard to object
83 specific access rights. */
84
85 void se_map_standard(uint32_t *access_mask, const struct standard_mapping *mapping)
86 {
87 uint32_t old_mask = *access_mask;
88
89 if (*access_mask & SEC_STD_READ_CONTROL) {
90 *access_mask &= ~SEC_STD_READ_CONTROL;
91 *access_mask |= mapping->std_read;
92 }
93
94 if (*access_mask & (SEC_STD_DELETE|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE)) {
95 *access_mask &= ~(SEC_STD_DELETE|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE);
96 *access_mask |= mapping->std_all;
97 }
98
99 if (old_mask != *access_mask) {
100 DEBUG(10, ("se_map_standard(): mapped mask 0x%08x to 0x%08x\n",
101 old_mask, *access_mask));
102 }
103 }
104
105 /*
106 perform a SEC_FLAG_MAXIMUM_ALLOWED access check
107 */
108 static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
109 const struct security_token *token)
110 {
111 uint32_t denied = 0, granted = 0;
112 unsigned i;
113
114 if (security_token_has_sid(token, sd->owner_sid)) {
115 granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;
116 }
117
118 if (sd->dacl == NULL) {
119 return granted & ~denied;
120 }
121
122 for (i = 0;i<sd->dacl->num_aces; i++) {
123 struct security_ace *ace = &sd->dacl->aces[i];
124
125 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
126 continue;
127 }
128
129 if (!security_token_has_sid(token, &ace->trustee)) {
130 continue;
131 }
132
133 switch (ace->type) {
134 case SEC_ACE_TYPE_ACCESS_ALLOWED:
135 granted |= ace->access_mask;
136 break;
137 case SEC_ACE_TYPE_ACCESS_DENIED:
138 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
139 denied |= ace->access_mask;
140 break;
141 default: /* Other ACE types not handled/supported */
142 break;
143 }
144 }
145
146 return granted & ~denied;
147 }
148
149 /*
150 The main entry point for access checking. If returning ACCESS_DENIED
151 this function returns the denied bits in the uint32_t pointed
152 to by the access_granted pointer.
153 */
154 NTSTATUS se_access_check(const struct security_descriptor *sd,
155 const struct security_token *token,
156 uint32_t access_desired,
157 uint32_t *access_granted)
158 {
159 uint32_t i;
160 uint32_t bits_remaining;
161 uint32_t explicitly_denied_bits = 0;
162 /*
163 * Up until Windows Server 2008, owner always had these rights. Now
164 * we have to use Owner Rights perms if they are on the file.
165 *
166 * In addition we have to accumulate these bits and apply them
167 * correctly. See bug #8795
168 */
169 uint32_t owner_rights_allowed = 0;
170 uint32_t owner_rights_denied = 0;
171 bool owner_rights_default = true;
172
173 *access_granted = access_desired;
174 bits_remaining = access_desired;
175
176 /* handle the maximum allowed flag */
177 if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
178 uint32_t orig_access_desired = access_desired;
179
180 access_desired |= access_check_max_allowed(sd, token);
181 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
182 *access_granted = access_desired;
183 bits_remaining = access_desired;
184
185 DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n",
186 orig_access_desired,
187 *access_granted,
188 bits_remaining));
189 }
190
191 /* a NULL dacl allows access */
192 if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
193 *access_granted = access_desired;
194 return NT_STATUS_OK;
195 }
196
197 if (sd->dacl == NULL) {
198 goto done;
199 }
200
201 /* check each ace in turn. */
202 for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
203 struct security_ace *ace = &sd->dacl->aces[i];
204
205 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
206 continue;
207 }
208
209 /*
210 * We need the Owner Rights permissions to ensure we
211 * give or deny the correct permissions to the owner. Replace
212 * owner_rights with the perms here if it is present.
213 *
214 * We don't care if we are not the owner because that is taken
215 * care of below when we check if our token has the owner SID.
216 *
217 */
218 if (dom_sid_equal(&ace->trustee, &global_sid_Owner_Rights)) {
219 if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) {
220 owner_rights_allowed |= ace->access_mask;
221 owner_rights_default = false;
222 } else if (ace->type == SEC_ACE_TYPE_ACCESS_DENIED) {
223 owner_rights_denied |= (bits_remaining & ace->access_mask);
224 owner_rights_default = false;
225 }
226 continue;
227 }
228
229 if (!security_token_has_sid(token, &ace->trustee)) {
230 continue;
231 }
232
233 switch (ace->type) {
234 case SEC_ACE_TYPE_ACCESS_ALLOWED:
235 bits_remaining &= ~ace->access_mask;
236 break;
237 case SEC_ACE_TYPE_ACCESS_DENIED:
238 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
239 explicitly_denied_bits |= (bits_remaining & ace->access_mask);
240 break;
241 default: /* Other ACE types not handled/supported */
242 break;
243 }
244 }
245
246 /* Explicitly denied bits always override */
247 bits_remaining |= explicitly_denied_bits;
248
249 /* The owner always gets owner rights as defined above. */
250 if (security_token_has_sid(token, sd->owner_sid)) {
251 if (owner_rights_default) {
252 /*
253 * Just remove them, no need to check if they are
254 * there.
255 */
256 bits_remaining &= ~(SEC_STD_WRITE_DAC |
257 SEC_STD_READ_CONTROL);
258 } else {
259 bits_remaining &= ~owner_rights_allowed;
260 bits_remaining |= owner_rights_denied;
261 }
262 }
263
264 /*
265 * We check privileges here because they override even DENY entries.
266 */
267
268 /* Does the user have the privilege to gain SEC_PRIV_SECURITY? */
269 if (bits_remaining & SEC_FLAG_SYSTEM_SECURITY) {
270 if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
271 bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
272 } else {
273 return NT_STATUS_PRIVILEGE_NOT_HELD;
274 }
275 }
276
277 if ((bits_remaining & SEC_STD_WRITE_OWNER) &&
278 security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
279 bits_remaining &= ~(SEC_STD_WRITE_OWNER);
280 }
281
282 done:
283 if (bits_remaining != 0) {
284 *access_granted = bits_remaining;
285 return NT_STATUS_ACCESS_DENIED;
286 }
287
288 return NT_STATUS_OK;
289 }
290
291 /*
292 The main entry point for access checking FOR THE FILE SERVER ONLY !
293 If returning ACCESS_DENIED this function returns the denied bits in
294 the uint32_t pointed to by the access_granted pointer.
295 */
296 NTSTATUS se_file_access_check(const struct security_descriptor *sd,
297 const struct security_token *token,
298 bool priv_open_requested,
299 uint32_t access_desired,
300 uint32_t *access_granted)
301 {
302 uint32_t bits_remaining;
303 NTSTATUS status;
304
305 if (!priv_open_requested) {
306 /* Fall back to generic se_access_check(). */
307 return se_access_check(sd,
308 token,
309 access_desired,
310 access_granted);
311 }
312
313 /*
314 * We need to handle the maximum allowed flag
315 * outside of se_access_check(), as we need to
316 * add in the access allowed by the privileges
317 * as well.
318 */
319
320 if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
321 uint32_t orig_access_desired = access_desired;
322
323 access_desired |= access_check_max_allowed(sd, token);
324 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
325
326 if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
327 access_desired |= SEC_RIGHTS_PRIV_BACKUP;
328 }
329
330 if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
331 access_desired |= SEC_RIGHTS_PRIV_RESTORE;
332 }
333
334 DEBUG(10,("se_file_access_check: MAX desired = 0x%x "
335 "mapped to 0x%x\n",
336 orig_access_desired,
337 access_desired));
338 }
339
340 status = se_access_check(sd,
341 token,
342 access_desired,
343 access_granted);
344
345 if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
346 return status;
347 }
348
349 bits_remaining = *access_granted;
350
351 /* Check if we should override with privileges. */
352 if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
353 security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
354 bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
355 }
356 if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
357 security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
358 bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
359 }
360 if (bits_remaining != 0) {
361 *access_granted = bits_remaining;
362 return NT_STATUS_ACCESS_DENIED;
363 }
364
365 return NT_STATUS_OK;
366 }
367
368 static const struct GUID *get_ace_object_type(struct security_ace *ace)
369 {
370 if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
371 return &ace->object.object.type.type;
372 }
373
374 return NULL;
375 }
376
377 /**
378 * Evaluates access rights specified in a object-specific ACE for an AD object.
379 * This logic corresponds to MS-ADTS 5.1.3.3.3 Checking Object-Specific Access.
380 * @param[in] ace - the ACE being processed
381 * @param[in/out] tree - remaining_access gets updated for the tree
382 * @param[out] grant_access - set to true if the ACE grants sufficient access
383 * rights to the object/attribute
384 * @returns NT_STATUS_OK, unless access was denied
385 */
386 static NTSTATUS check_object_specific_access(struct security_ace *ace,
387 struct object_tree *tree,
388 bool *grant_access)
389 {
390 struct object_tree *node = NULL;
391 const struct GUID *type = NULL;
392
393 *grant_access = false;
394
395 /* if no tree was supplied, we can't do object-specific access checks */
396 if (!tree) {
397 return NT_STATUS_OK;
398 }
399
400 /* Get the ObjectType GUID this ACE applies to */
401 type = get_ace_object_type(ace);
402
403 /*
404 * If the ACE doesn't have a type, then apply it to the whole tree, i.e.
405 * treat 'OA' ACEs as 'A' and 'OD' as 'D'
406 */
407 if (!type) {
408 node = tree;
409 } else {
410
411 /* skip it if the ACE's ObjectType GUID is not in the tree */
412 node = get_object_tree_by_GUID(tree, type);
413 if (!node) {
414 return NT_STATUS_OK;
415 }
416 }
417
418 if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
419
420 /* apply the access rights to this node, and any children */
421 object_tree_modify_access(node, ace->access_mask);
422
423 /*
424 * Currently all nodes in the tree request the same access mask,
425 * so we can use any node to check if processing this ACE now
426 * means the requested access has been granted
427 */
428 if (node->remaining_access == 0) {
429 *grant_access = true;
430 return NT_STATUS_OK;
431 }
432
433 /*
434 * As per 5.1.3.3.4 Checking Control Access Right-Based Access,
435 * if the CONTROL_ACCESS right is present, then we can grant
436 * access and stop any further access checks
437 */
438 if (ace->access_mask & SEC_ADS_CONTROL_ACCESS) {
439 *grant_access = true;
440 return NT_STATUS_OK;
441 }
442 } else {
443
444 /* this ACE denies access to the requested object/attribute */
445 if (node->remaining_access & ace->access_mask){
446 return NT_STATUS_ACCESS_DENIED;
447 }
448 }
449 return NT_STATUS_OK;
450 }
451
452 /**
453 * @brief Perform directoryservice (DS) related access checks for a given user
454 *
455 * Perform DS access checks for the user represented by its security_token, on
456 * the provided security descriptor. If an tree associating GUID and access
457 * required is provided then object access (OA) are checked as well. *
458 * @param[in] sd The security descritor against which the required
459 * access are requested
460 *
461 * @param[in] token The security_token associated with the user to
462 * test
463 *
464 * @param[in] access_desired A bitfield of rights that must be granted for the
465 * given user in the specified SD.
466 *
467 * If one
468 * of the entry in the tree grants all the requested rights for the given GUID
469 * FIXME
470 * tree can be null if not null it's the
471 * Lots of code duplication, it will ve united in just one
472 * function eventually */
473
474 NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
475 const struct security_token *token,
476 uint32_t access_desired,
477 uint32_t *access_granted,
478 struct object_tree *tree,
479 struct dom_sid *replace_sid)
480 {
481 uint32_t i;
482 uint32_t bits_remaining;
483 struct dom_sid self_sid;
484
485 dom_sid_parse(SID_NT_SELF, &self_sid);
486
487 *access_granted = access_desired;
488 bits_remaining = access_desired;
489
490 /* handle the maximum allowed flag */
491 if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
492 access_desired |= access_check_max_allowed(sd, token);
493 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
494 *access_granted = access_desired;
495 bits_remaining = access_desired;
496 }
497
498 if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
499 if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
500 bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
501 } else {
502 return NT_STATUS_PRIVILEGE_NOT_HELD;
503 }
504 }
505
506 /* the owner always gets SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL */
507 if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL)) &&
508 security_token_has_sid(token, sd->owner_sid)) {
509 bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL);
510 }
511
512 /* SEC_PRIV_TAKE_OWNERSHIP grants SEC_STD_WRITE_OWNER */
513 if ((bits_remaining & (SEC_STD_WRITE_OWNER)) &&
514 security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
515 bits_remaining &= ~(SEC_STD_WRITE_OWNER);
516 }
517
518 /* a NULL dacl allows access */
519 if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
520 *access_granted = access_desired;
521 return NT_STATUS_OK;
522 }
523
524 if (sd->dacl == NULL) {
525 goto done;
526 }
527
528 /* check each ace in turn. */
529 for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
530 struct dom_sid *trustee;
531 struct security_ace *ace = &sd->dacl->aces[i];
532 NTSTATUS status;
533 bool grant_access = false;
534
535 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
536 continue;
537 }
538
539 if (dom_sid_equal(&ace->trustee, &self_sid) && replace_sid) {
540 trustee = replace_sid;
541 } else {
542 trustee = &ace->trustee;
543 }
544
545 if (!security_token_has_sid(token, trustee)) {
546 continue;
547 }
548
549 switch (ace->type) {
550 case SEC_ACE_TYPE_ACCESS_ALLOWED:
551 if (tree) {
552 object_tree_modify_access(tree, ace->access_mask);
553 }
554
555 bits_remaining &= ~ace->access_mask;
556 break;
557 case SEC_ACE_TYPE_ACCESS_DENIED:
558 if (bits_remaining & ace->access_mask) {
559 return NT_STATUS_ACCESS_DENIED;
560 }
561 break;
562 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
563 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
564 status = check_object_specific_access(ace, tree,
565 &grant_access);
566
567 if (!NT_STATUS_IS_OK(status)) {
568 return status;
569 }
570
571 if (grant_access) {
572 return NT_STATUS_OK;
573 }
574 break;
575 default: /* Other ACE types not handled/supported */
576 break;
577 }
578 }
579
580 done:
581 if (bits_remaining != 0) {
582 return NT_STATUS_ACCESS_DENIED;
583 }
584
585 return NT_STATUS_OK;
586 }
Samba GIT mirror