search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
libgpo: open the registry in gp_init_reg_ctx().
[Samba.git] / source / libgpo / gpo_reg.c
blob9c6df9caf3811f117c43c5f72a6c596992e10bbb
1 /*
2 * Unix SMB/CIFS implementation.
3 * Group Policy Object Support
4 * Copyright (C) Guenther Deschner 2007-2008
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21
22
23 /****************************************************************
24 ****************************************************************/
25
26 struct nt_user_token *registry_create_system_token(TALLOC_CTX *mem_ctx)
27 {
28 struct nt_user_token *token = NULL;
29
30 token = TALLOC_ZERO_P(mem_ctx, struct nt_user_token);
31 if (!token) {
32 DEBUG(1,("talloc failed\n"));
33 return NULL;
34 }
35
36 token->privileges = se_priv_all;
37
38 if (!NT_STATUS_IS_OK(add_sid_to_array(token, &global_sid_System,
39 &token->user_sids, &token->num_sids))) {
40 DEBUG(1,("Error adding nt-authority system sid to token\n"));
41 return NULL;
42 }
43
44 return token;
45 }
46
47 /****************************************************************
48 ****************************************************************/
49
50 WERROR gp_init_reg_ctx(TALLOC_CTX *mem_ctx,
51 const char *initial_path,
52 uint32_t desired_access,
53 const struct nt_user_token *token,
54 struct gp_registry_context **reg_ctx)
55 {
56 struct gp_registry_context *tmp_ctx;
57 WERROR werr;
58
59 if (!reg_ctx) {
60 return WERR_INVALID_PARAM;
61 }
62
63 if (!registry_init_basic()) {
64 return WERR_CAN_NOT_COMPLETE;
65 }
66
67 tmp_ctx = TALLOC_ZERO_P(mem_ctx, struct gp_registry_context);
68 W_ERROR_HAVE_NO_MEMORY(tmp_ctx);
69
70 if (token) {
71 tmp_ctx->token = token;
72 } else {
73 tmp_ctx->token = registry_create_system_token(mem_ctx);
74 }
75 if (!tmp_ctx->token) {
76 TALLOC_FREE(tmp_ctx);
77 return WERR_NOMEM;
78 }
79
80 werr = regdb_open();
81 if (!W_ERROR_IS_OK(werr)) {
82 return werr;
83 }
84
85 if (initial_path) {
86 tmp_ctx->path = talloc_strdup(mem_ctx, initial_path);
87 if (!tmp_ctx->path) {
88 TALLOC_FREE(tmp_ctx);
89 return WERR_NOMEM;
90 }
91
92 werr = reg_open_path(mem_ctx, tmp_ctx->path, desired_access,
93 tmp_ctx->token, &tmp_ctx->curr_key);
94 if (!W_ERROR_IS_OK(werr)) {
95 TALLOC_FREE(tmp_ctx);
96 return werr;
97 }
98 }
99
100 *reg_ctx = tmp_ctx;
101
102 return WERR_OK;
103 }
104
105 /****************************************************************
106 ****************************************************************/
107
108 void gp_free_reg_ctx(struct gp_registry_context *reg_ctx)
109 {
110 TALLOC_FREE(reg_ctx);
111 }
112
113 /****************************************************************
114 ****************************************************************/
115
116 WERROR gp_store_reg_subkey(TALLOC_CTX *mem_ctx,
117 const char *subkeyname,
118 struct registry_key *curr_key,
119 struct registry_key **new_key)
120 {
121 enum winreg_CreateAction action = REG_ACTION_NONE;
122 WERROR werr;
123
124 werr = reg_createkey(mem_ctx, curr_key, subkeyname,
125 REG_KEY_WRITE, new_key, &action);
126 if (W_ERROR_IS_OK(werr) && (action != REG_CREATED_NEW_KEY)) {
127 return WERR_OK;
128 }
129
130 return werr;
131 }
132
133 /****************************************************************
134 ****************************************************************/
135
136 WERROR gp_read_reg_subkey(TALLOC_CTX *mem_ctx,
137 struct gp_registry_context *reg_ctx,
138 const char *subkeyname,
139 struct registry_key **key)
140 {
141 const char *tmp = NULL;
142
143 if (!reg_ctx || !subkeyname || !key) {
144 return WERR_INVALID_PARAM;
145 }
146
147 tmp = talloc_asprintf(mem_ctx, "%s\\%s", reg_ctx->path, subkeyname);
148 W_ERROR_HAVE_NO_MEMORY(tmp);
149
150 return reg_open_path(mem_ctx, tmp, REG_KEY_READ,
151 reg_ctx->token, key);
152 }
153
154 /****************************************************************
155 ****************************************************************/
156
157 WERROR gp_store_reg_val_sz(TALLOC_CTX *mem_ctx,
158 struct registry_key *key,
159 const char *val_name,
160 const char *val)
161 {
162 struct registry_value reg_val;
163 ZERO_STRUCT(reg_val);
164
165 /* FIXME: hack */
166 val = val ? val : " ";
167
168 reg_val.type = REG_SZ;
169 reg_val.v.sz.len = strlen(val);
170 reg_val.v.sz.str = talloc_strdup(mem_ctx, val);
171 W_ERROR_HAVE_NO_MEMORY(reg_val.v.sz.str);
172
173 return reg_setvalue(key, val_name, &reg_val);
174 }
175
176 /****************************************************************
177 ****************************************************************/
178
179 static WERROR gp_store_reg_val_dword(TALLOC_CTX *mem_ctx,
180 struct registry_key *key,
181 const char *val_name,
182 uint32_t val)
183 {
184 struct registry_value reg_val;
185 ZERO_STRUCT(reg_val);
186
187 reg_val.type = REG_DWORD;
188 reg_val.v.dword = val;
189
190 return reg_setvalue(key, val_name, &reg_val);
191 }
192
193 /****************************************************************
194 ****************************************************************/
195
196 WERROR gp_read_reg_val_sz(TALLOC_CTX *mem_ctx,
197 struct registry_key *key,
198 const char *val_name,
199 const char **val)
200 {
201 WERROR werr;
202 struct registry_value *reg_val = NULL;
203
204 werr = reg_queryvalue(mem_ctx, key, val_name, &reg_val);
205 W_ERROR_NOT_OK_RETURN(werr);
206
207 if (reg_val->type != REG_SZ) {
208 return WERR_INVALID_DATATYPE;
209 }
210
211 *val = talloc_strdup(mem_ctx, reg_val->v.sz.str);
212 W_ERROR_HAVE_NO_MEMORY(*val);
213
214 return WERR_OK;
215 }
216
217 /****************************************************************
218 ****************************************************************/
219
220 static WERROR gp_read_reg_val_dword(TALLOC_CTX *mem_ctx,
221 struct registry_key *key,
222 const char *val_name,
223 uint32_t *val)
224 {
225 WERROR werr;
226 struct registry_value *reg_val = NULL;
227
228 werr = reg_queryvalue(mem_ctx, key, val_name, &reg_val);
229 W_ERROR_NOT_OK_RETURN(werr);
230
231 if (reg_val->type != REG_DWORD) {
232 return WERR_INVALID_DATATYPE;
233 }
234
235 *val = reg_val->v.dword;
236
237 return WERR_OK;
238 }
239
240 /****************************************************************
241 ****************************************************************/
242
243 static WERROR gp_store_reg_gpovals(TALLOC_CTX *mem_ctx,
244 struct registry_key *key,
245 struct GROUP_POLICY_OBJECT *gpo)
246 {
247 WERROR werr;
248
249 if (!key || !gpo) {
250 return WERR_INVALID_PARAM;
251 }
252
253 werr = gp_store_reg_val_dword(mem_ctx, key, "Version",
254 gpo->version);
255 W_ERROR_NOT_OK_RETURN(werr);
256
257 werr = gp_store_reg_val_dword(mem_ctx, key, "WQLFilterPass",
258 true); /* fake */
259 W_ERROR_NOT_OK_RETURN(werr);
260
261 werr = gp_store_reg_val_dword(mem_ctx, key, "AccessDenied",
262 false); /* fake */
263 W_ERROR_NOT_OK_RETURN(werr);
264
265 werr = gp_store_reg_val_dword(mem_ctx, key, "GPO-Disabled",
266 (gpo->options & GPO_FLAG_DISABLE));
267 W_ERROR_NOT_OK_RETURN(werr);
268
269 werr = gp_store_reg_val_dword(mem_ctx, key, "Options",
270 gpo->options);
271 W_ERROR_NOT_OK_RETURN(werr);
272
273 werr = gp_store_reg_val_sz(mem_ctx, key, "GPOID",
274 gpo->name);
275 W_ERROR_NOT_OK_RETURN(werr);
276
277 werr = gp_store_reg_val_sz(mem_ctx, key, "SOM",
278 gpo->link);
279 W_ERROR_NOT_OK_RETURN(werr);
280
281 werr = gp_store_reg_val_sz(mem_ctx, key, "DisplayName",
282 gpo->display_name);
283 W_ERROR_NOT_OK_RETURN(werr);
284
285 werr = gp_store_reg_val_sz(mem_ctx, key, "WQL-Id",
286 NULL);
287 W_ERROR_NOT_OK_RETURN(werr);
288
289 return werr;
290 }
291
292 /****************************************************************
293 ****************************************************************/
294
295 static const char *gp_reg_groupmembership_path(TALLOC_CTX *mem_ctx,
296 const DOM_SID *sid,
297 uint32_t flags)
298 {
299 if (flags & GPO_LIST_FLAG_MACHINE) {
300 return "GroupMembership";
301 }
302
303 return talloc_asprintf(mem_ctx, "%s\\%s", sid_string_tos(sid),
304 "GroupMembership");
305 }
306
307 /****************************************************************
308 ****************************************************************/
309
310 static WERROR gp_reg_del_groupmembership(TALLOC_CTX *mem_ctx,
311 struct registry_key *key,
312 const struct nt_user_token *token,
313 uint32_t flags)
314 {
315 const char *path = NULL;
316
317 path = gp_reg_groupmembership_path(mem_ctx, &token->user_sids[0],
318 flags);
319 W_ERROR_HAVE_NO_MEMORY(path);
320
321 return reg_deletekey_recursive(mem_ctx, key, path);
322
323 }
324
325 /****************************************************************
326 ****************************************************************/
327
328 static WERROR gp_reg_store_groupmembership(TALLOC_CTX *mem_ctx,
329 struct gp_registry_context *reg_ctx,
330 const struct nt_user_token *token,
331 uint32_t flags)
332 {
333 struct registry_key *key = NULL;
334 WERROR werr;
335 int i = 0;
336 const char *valname = NULL;
337 const char *path = NULL;
338 const char *val = NULL;
339 int count = 0;
340
341 path = gp_reg_groupmembership_path(mem_ctx, &token->user_sids[0],
342 flags);
343 W_ERROR_HAVE_NO_MEMORY(path);
344
345 gp_reg_del_groupmembership(mem_ctx, reg_ctx->curr_key, token, flags);
346
347 werr = gp_store_reg_subkey(mem_ctx, path,
348 reg_ctx->curr_key, &key);
349 W_ERROR_NOT_OK_RETURN(werr);
350
351 for (i=0; i<token->num_sids; i++) {
352
353 valname = talloc_asprintf(mem_ctx, "Group%d", count++);
354 W_ERROR_HAVE_NO_MEMORY(valname);
355
356 val = sid_string_talloc(mem_ctx, &token->user_sids[i]);
357 W_ERROR_HAVE_NO_MEMORY(val);
358 werr = gp_store_reg_val_sz(mem_ctx, key, valname, val);
359 W_ERROR_NOT_OK_RETURN(werr);
360 }
361
362 werr = gp_store_reg_val_dword(mem_ctx, key, "Count", count);
363 W_ERROR_NOT_OK_RETURN(werr);
364
365 return WERR_OK;
366 }
367
368 /****************************************************************
369 ****************************************************************/
370 #if 0
371 /* not used yet */
372 static WERROR gp_reg_read_groupmembership(TALLOC_CTX *mem_ctx,
373 struct gp_registry_context *reg_ctx,
374 const DOM_SID *object_sid,
375 struct nt_user_token **token,
376 uint32_t flags)
377 {
378 struct registry_key *key = NULL;
379 WERROR werr;
380 int i = 0;
381 const char *valname = NULL;
382 const char *val = NULL;
383 const char *path = NULL;
384 uint32_t count = 0;
385 int num_token_sids = 0;
386 struct nt_user_token *tmp_token = NULL;
387
388 tmp_token = TALLOC_ZERO_P(mem_ctx, struct nt_user_token);
389 W_ERROR_HAVE_NO_MEMORY(tmp_token);
390
391 path = gp_reg_groupmembership_path(mem_ctx, object_sid, flags);
392 W_ERROR_HAVE_NO_MEMORY(path);
393
394 werr = gp_read_reg_subkey(mem_ctx, reg_ctx, path, &key);
395 W_ERROR_NOT_OK_RETURN(werr);
396
397 werr = gp_read_reg_val_dword(mem_ctx, key, "Count", &count);
398 W_ERROR_NOT_OK_RETURN(werr);
399
400 for (i=0; i<count; i++) {
401
402 valname = talloc_asprintf(mem_ctx, "Group%d", i);
403 W_ERROR_HAVE_NO_MEMORY(valname);
404
405 werr = gp_read_reg_val_sz(mem_ctx, key, valname, &val);
406 W_ERROR_NOT_OK_RETURN(werr);
407
408 if (!string_to_sid(&tmp_token->user_sids[num_token_sids++],
409 val)) {
410 return WERR_INSUFFICIENT_BUFFER;
411 }
412 }
413
414 tmp_token->num_sids = num_token_sids;
415
416 *token = tmp_token;
417
418 return WERR_OK;
419 }
420 #endif
421 /****************************************************************
422 ****************************************************************/
423
424 static const char *gp_req_state_path(TALLOC_CTX *mem_ctx,
425 const DOM_SID *sid,
426 uint32_t flags)
427 {
428 if (flags & GPO_LIST_FLAG_MACHINE) {
429 return GPO_REG_STATE_MACHINE;
430 }
431
432 return talloc_asprintf(mem_ctx, "%s\\%s", "State", sid_string_tos(sid));
433 }
434
435 /****************************************************************
436 ****************************************************************/
437
438 static WERROR gp_del_reg_state(TALLOC_CTX *mem_ctx,
439 struct registry_key *key,
440 const char *path)
441 {
442 return reg_deletesubkeys_recursive(mem_ctx, key, path);
443 }
444
445 /****************************************************************
446 ****************************************************************/
447
448 WERROR gp_reg_state_store(TALLOC_CTX *mem_ctx,
449 uint32_t flags,
450 const char *dn,
451 const struct nt_user_token *token,
452 struct GROUP_POLICY_OBJECT *gpo_list)
453 {
454 struct gp_registry_context *reg_ctx = NULL;
455 WERROR werr = WERR_GENERAL_FAILURE;
456 const char *subkeyname = NULL;
457 struct GROUP_POLICY_OBJECT *gpo;
458 int count = 0;
459 struct registry_key *key;
460
461 werr = gp_init_reg_ctx(mem_ctx, KEY_GROUP_POLICY, REG_KEY_WRITE,
462 token, &reg_ctx);
463 W_ERROR_NOT_OK_RETURN(werr);
464
465 werr = gp_secure_key(mem_ctx, flags, reg_ctx->curr_key,
466 &token->user_sids[0]);
467 if (!W_ERROR_IS_OK(werr)) {
468 DEBUG(0,("failed to secure key: %s\n", dos_errstr(werr)));
469 goto done;
470 }
471
472 werr = gp_reg_store_groupmembership(mem_ctx, reg_ctx, token, flags);
473 if (!W_ERROR_IS_OK(werr)) {
474 DEBUG(0,("failed to store group membership: %s\n", dos_errstr(werr)));
475 goto done;
476 }
477
478 subkeyname = gp_req_state_path(mem_ctx, &token->user_sids[0], flags);
479 if (!subkeyname) {
480 werr = WERR_NOMEM;
481 goto done;
482 }
483
484 werr = gp_del_reg_state(mem_ctx, reg_ctx->curr_key, subkeyname);
485 if (!W_ERROR_IS_OK(werr)) {
486 DEBUG(0,("failed to delete old state: %s\n", dos_errstr(werr)));
487 /* goto done; */
488 }
489
490 werr = gp_store_reg_subkey(mem_ctx, subkeyname,
491 reg_ctx->curr_key, &reg_ctx->curr_key);
492 if (!W_ERROR_IS_OK(werr)) {
493 goto done;
494 }
495
496 werr = gp_store_reg_val_sz(mem_ctx, reg_ctx->curr_key,
497 "Distinguished-Name", dn);
498 if (!W_ERROR_IS_OK(werr)) {
499 goto done;
500 }
501
502 /* store link list */
503
504 werr = gp_store_reg_subkey(mem_ctx, "GPLink-List",
505 reg_ctx->curr_key, &key);
506 if (!W_ERROR_IS_OK(werr)) {
507 goto done;
508 }
509
510 /* store gpo list */
511
512 werr = gp_store_reg_subkey(mem_ctx, "GPO-List",
513 reg_ctx->curr_key, &reg_ctx->curr_key);
514 if (!W_ERROR_IS_OK(werr)) {
515 goto done;
516 }
517
518 for (gpo = gpo_list; gpo; gpo = gpo->next) {
519
520 subkeyname = talloc_asprintf(mem_ctx, "%d", count++);
521 if (!subkeyname) {
522 werr = WERR_NOMEM;
523 goto done;
524 }
525
526 werr = gp_store_reg_subkey(mem_ctx, subkeyname,
527 reg_ctx->curr_key, &key);
528 if (!W_ERROR_IS_OK(werr)) {
529 goto done;
530 }
531
532 werr = gp_store_reg_gpovals(mem_ctx, key, gpo);
533 if (!W_ERROR_IS_OK(werr)) {
534 DEBUG(0,("gp_reg_state_store: "
535 "gpo_store_reg_gpovals failed for %s: %s\n",
536 gpo->display_name, dos_errstr(werr)));
537 goto done;
538 }
539 }
540 done:
541 gp_free_reg_ctx(reg_ctx);
542 return werr;
543 }
544
545 /****************************************************************
546 ****************************************************************/
547
548 static WERROR gp_read_reg_gpovals(TALLOC_CTX *mem_ctx,
549 struct registry_key *key,
550 struct GROUP_POLICY_OBJECT *gpo)
551 {
552 WERROR werr;
553
554 if (!key || !gpo) {
555 return WERR_INVALID_PARAM;
556 }
557
558 werr = gp_read_reg_val_dword(mem_ctx, key, "Version",
559 &gpo->version);
560 W_ERROR_NOT_OK_RETURN(werr);
561
562 werr = gp_read_reg_val_dword(mem_ctx, key, "Options",
563 &gpo->options);
564 W_ERROR_NOT_OK_RETURN(werr);
565
566 werr = gp_read_reg_val_sz(mem_ctx, key, "GPOID",
567 &gpo->name);
568 W_ERROR_NOT_OK_RETURN(werr);
569
570 werr = gp_read_reg_val_sz(mem_ctx, key, "SOM",
571 &gpo->link);
572 W_ERROR_NOT_OK_RETURN(werr);
573
574 werr = gp_read_reg_val_sz(mem_ctx, key, "DisplayName",
575 &gpo->display_name);
576 W_ERROR_NOT_OK_RETURN(werr);
577
578 return werr;
579 }
580
581 /****************************************************************
582 ****************************************************************/
583
584 static WERROR gp_read_reg_gpo(TALLOC_CTX *mem_ctx,
585 struct registry_key *key,
586 struct GROUP_POLICY_OBJECT **gpo_ret)
587 {
588 struct GROUP_POLICY_OBJECT *gpo = NULL;
589 WERROR werr;
590
591 if (!gpo_ret || !key) {
592 return WERR_INVALID_PARAM;
593 }
594
595 gpo = TALLOC_ZERO_P(mem_ctx, struct GROUP_POLICY_OBJECT);
596 W_ERROR_HAVE_NO_MEMORY(gpo);
597
598 werr = gp_read_reg_gpovals(mem_ctx, key, gpo);
599 W_ERROR_NOT_OK_RETURN(werr);
600
601 *gpo_ret = gpo;
602
603 return werr;
604 }
605
606 /****************************************************************
607 ****************************************************************/
608
609 WERROR gp_reg_state_read(TALLOC_CTX *mem_ctx,
610 uint32_t flags,
611 const DOM_SID *sid,
612 struct GROUP_POLICY_OBJECT **gpo_list)
613 {
614 struct gp_registry_context *reg_ctx = NULL;
615 WERROR werr = WERR_GENERAL_FAILURE;
616 const char *subkeyname = NULL;
617 struct GROUP_POLICY_OBJECT *gpo = NULL;
618 int count = 0;
619 struct registry_key *key = NULL;
620 const char *path = NULL;
621 const char *gp_state_path = NULL;
622
623 if (!gpo_list) {
624 return WERR_INVALID_PARAM;
625 }
626
627 ZERO_STRUCTP(gpo_list);
628
629 gp_state_path = gp_req_state_path(mem_ctx, sid, flags);
630 if (!gp_state_path) {
631 werr = WERR_NOMEM;
632 goto done;
633 }
634
635 path = talloc_asprintf(mem_ctx, "%s\\%s\\%s",
636 KEY_GROUP_POLICY,
637 gp_state_path,
638 "GPO-List");
639 if (!path) {
640 werr = WERR_NOMEM;
641 goto done;
642 }
643
644 werr = gp_init_reg_ctx(mem_ctx, path, REG_KEY_READ, NULL, &reg_ctx);
645 if (!W_ERROR_IS_OK(werr)) {
646 goto done;
647 }
648
649 while (1) {
650
651 subkeyname = talloc_asprintf(mem_ctx, "%d", count++);
652 if (!subkeyname) {
653 werr = WERR_NOMEM;
654 goto done;
655 }
656
657 werr = gp_read_reg_subkey(mem_ctx, reg_ctx, subkeyname, &key);
658 if (W_ERROR_EQUAL(werr, WERR_BADFILE)) {
659 werr = WERR_OK;
660 break;
661 }
662 if (!W_ERROR_IS_OK(werr)) {
663 DEBUG(0,("gp_reg_state_read: "
664 "gp_read_reg_subkey gave: %s\n",
665 dos_errstr(werr)));
666 goto done;
667 }
668
669 werr = gp_read_reg_gpo(mem_ctx, key, &gpo);
670 if (!W_ERROR_IS_OK(werr)) {
671 goto done;
672 }
673
674 DLIST_ADD(*gpo_list, gpo);
675 }
676
677 done:
678 gp_free_reg_ctx(reg_ctx);
679 return werr;
680 }
681
682 /****************************************************************
683 ****************************************************************/
684
685 static WERROR gp_reg_generate_sd(TALLOC_CTX *mem_ctx,
686 const DOM_SID *sid,
687 struct security_descriptor **sd,
688 size_t *sd_size)
689 {
690 SEC_ACE ace[6];
691 SEC_ACCESS mask;
692
693 SEC_ACL *acl = NULL;
694
695 uint8_t inherit_flags;
696
697 init_sec_access(&mask, REG_KEY_ALL);
698 init_sec_ace(&ace[0],
699 &global_sid_System,
700 SEC_ACE_TYPE_ACCESS_ALLOWED,
701 mask, 0);
702
703 init_sec_access(&mask, REG_KEY_ALL);
704 init_sec_ace(&ace[1],
705 &global_sid_Builtin_Administrators,
706 SEC_ACE_TYPE_ACCESS_ALLOWED,
707 mask, 0);
708
709 init_sec_access(&mask, REG_KEY_READ);
710 init_sec_ace(&ace[2],
711 sid ? sid : &global_sid_Authenticated_Users,
712 SEC_ACE_TYPE_ACCESS_ALLOWED,
713 mask, 0);
714
715 inherit_flags = SEC_ACE_FLAG_OBJECT_INHERIT |
716 SEC_ACE_FLAG_CONTAINER_INHERIT |
717 SEC_ACE_FLAG_INHERIT_ONLY;
718
719 init_sec_access(&mask, REG_KEY_ALL);
720 init_sec_ace(&ace[3],
721 &global_sid_System,
722 SEC_ACE_TYPE_ACCESS_ALLOWED,
723 mask, inherit_flags);
724
725 init_sec_access(&mask, REG_KEY_ALL);
726 init_sec_ace(&ace[4],
727 &global_sid_Builtin_Administrators,
728 SEC_ACE_TYPE_ACCESS_ALLOWED,
729 mask, inherit_flags);
730
731 init_sec_access(&mask, REG_KEY_READ);
732 init_sec_ace(&ace[5],
733 sid ? sid : &global_sid_Authenticated_Users,
734 SEC_ACE_TYPE_ACCESS_ALLOWED,
735 mask, inherit_flags);
736
737 acl = make_sec_acl(mem_ctx, NT4_ACL_REVISION, 6, ace);
738 W_ERROR_HAVE_NO_MEMORY(acl);
739
740 *sd = make_sec_desc(mem_ctx, SEC_DESC_REVISION,
741 SEC_DESC_SELF_RELATIVE |
742 SEC_DESC_DACL_AUTO_INHERITED | /* really ? */
743 SEC_DESC_DACL_AUTO_INHERIT_REQ, /* really ? */
744 NULL, NULL, NULL,
745 acl, sd_size);
746 W_ERROR_HAVE_NO_MEMORY(*sd);
747
748 return WERR_OK;
749 }
750
751 /****************************************************************
752 ****************************************************************/
753
754 WERROR gp_secure_key(TALLOC_CTX *mem_ctx,
755 uint32_t flags,
756 struct registry_key *key,
757 const DOM_SID *sid)
758 {
759 struct security_descriptor *sd = NULL;
760 size_t sd_size = 0;
761 const DOM_SID *sd_sid = NULL;
762 WERROR werr;
763
764 if (!(flags & GPO_LIST_FLAG_MACHINE)) {
765 sd_sid = sid;
766 }
767
768 werr = gp_reg_generate_sd(mem_ctx, sd_sid, &sd, &sd_size);
769 W_ERROR_NOT_OK_RETURN(werr);
770
771 return reg_setkeysecurity(key, sd);
772 }
773
774 /****************************************************************
775 ****************************************************************/
776
777 void dump_reg_val(int lvl, const char *direction,
778 const char *key, const char *subkey,
779 struct registry_value *val)
780 {
781 int i = 0;
782 const char *type_str = NULL;
783
784 if (!val) {
785 DEBUG(lvl,("no val!\n"));
786 return;
787 }
788
789 type_str = reg_type_lookup(val->type);
790
791 DEBUG(lvl,("\tdump_reg_val: %s '%s' '%s' %s: ",
792 direction, key, subkey, type_str));
793
794 switch (val->type) {
795 case REG_DWORD:
796 DEBUG(lvl,("%d\n", (int)val->v.dword));
797 break;
798 case REG_QWORD:
799 DEBUG(lvl,("%d\n", (int)val->v.qword));
800 break;
801 case REG_SZ:
802 DEBUG(lvl,("%s (length: %d)\n",
803 val->v.sz.str,
804 (int)val->v.sz.len));
805 break;
806 case REG_MULTI_SZ:
807 DEBUG(lvl,("(num_strings: %d)\n",
808 val->v.multi_sz.num_strings));
809 for (i=0; i < val->v.multi_sz.num_strings; i++) {
810 DEBUGADD(lvl,("\t%s\n",
811 val->v.multi_sz.strings[i]));
812 }
813 break;
814 case REG_NONE:
815 DEBUG(lvl,("\n"));
816 break;
817 case REG_BINARY:
818 dump_data(lvl, val->v.binary.data,
819 val->v.binary.length);
820 break;
821 default:
822 DEBUG(lvl,("unsupported type: %d\n", val->type));
823 break;
824 }
825 }
826
827 /****************************************************************
828 ****************************************************************/
829
830 void dump_reg_entry(uint32_t flags,
831 const char *dir,
832 struct gp_registry_entry *entry)
833 {
834 if (!(flags & GPO_INFO_FLAG_VERBOSE))
835 return;
836
837 dump_reg_val(1, dir,
838 entry->key,
839 entry->value,
840 entry->data);
841 }
842
843 /****************************************************************
844 ****************************************************************/
845
846 void dump_reg_entries(uint32_t flags,
847 const char *dir,
848 struct gp_registry_entry *entries,
849 size_t num_entries)
850 {
851 size_t i;
852
853 if (!(flags & GPO_INFO_FLAG_VERBOSE))
854 return;
855
856 for (i=0; i < num_entries; i++) {
857 dump_reg_entry(flags, dir, &entries[i]);
858 }
859 }
860
861 /****************************************************************
862 ****************************************************************/
863
864 bool add_gp_registry_entry_to_array(TALLOC_CTX *mem_ctx,
865 struct gp_registry_entry *entry,
866 struct gp_registry_entry **entries,
867 size_t *num)
868 {
869 *entries = TALLOC_REALLOC_ARRAY(mem_ctx, *entries,
870 struct gp_registry_entry,
871 (*num)+1);
872
873 if (*entries == NULL) {
874 *num = 0;
875 return false;
876 }
877
878 (*entries)[*num].action = entry->action;
879 (*entries)[*num].key = entry->key;
880 (*entries)[*num].value = entry->value;
881 (*entries)[*num].data = entry->data;
882
883 *num += 1;
884 return true;
885 }
886
887 /****************************************************************
888 ****************************************************************/
889
890 static const char *gp_reg_action_str(enum gp_reg_action action)
891 {
892 switch (action) {
893 case GP_REG_ACTION_NONE:
894 return "GP_REG_ACTION_NONE";
895 case GP_REG_ACTION_ADD_VALUE:
896 return "GP_REG_ACTION_ADD_VALUE";
897 case GP_REG_ACTION_ADD_KEY:
898 return "GP_REG_ACTION_ADD_KEY";
899 case GP_REG_ACTION_DEL_VALUES:
900 return "GP_REG_ACTION_DEL_VALUES";
901 case GP_REG_ACTION_DEL_VALUE:
902 return "GP_REG_ACTION_DEL_VALUE";
903 case GP_REG_ACTION_DEL_ALL_VALUES:
904 return "GP_REG_ACTION_DEL_ALL_VALUES";
905 case GP_REG_ACTION_DEL_KEYS:
906 return "GP_REG_ACTION_DEL_KEYS";
907 case GP_REG_ACTION_SEC_KEY_SET:
908 return "GP_REG_ACTION_SEC_KEY_SET";
909 case GP_REG_ACTION_SEC_KEY_RESET:
910 return "GP_REG_ACTION_SEC_KEY_RESET";
911 default:
912 return "unknown";
913 }
914 };
915
916 /****************************************************************
917 ****************************************************************/
918
919 WERROR reg_apply_registry_entry(TALLOC_CTX *mem_ctx,
920 struct registry_key *root_key,
921 struct gp_registry_context *reg_ctx,
922 struct gp_registry_entry *entry,
923 const struct nt_user_token *token,
924 uint32_t flags)
925 {
926 WERROR werr;
927 struct registry_key *key = NULL;
928
929 if (flags & GPO_INFO_FLAG_VERBOSE) {
930 printf("about to store key: [%s]\n", entry->key);
931 printf(" value: [%s]\n", entry->value);
932 printf(" data: [%s]\n", reg_type_lookup(entry->data->type));
933 printf(" action: [%s]\n", gp_reg_action_str(entry->action));
934 }
935
936 werr = gp_store_reg_subkey(mem_ctx, entry->key,
937 root_key, &key);
938 /* reg_ctx->curr_key, &key); */
939 if (!W_ERROR_IS_OK(werr)) {
940 DEBUG(0,("gp_store_reg_subkey failed: %s\n", dos_errstr(werr)));
941 return werr;
942 }
943
944 switch (entry->action) {
945 case GP_REG_ACTION_NONE:
946 case GP_REG_ACTION_ADD_KEY:
947 return WERR_OK;
948
949 case GP_REG_ACTION_SEC_KEY_SET:
950 werr = gp_secure_key(mem_ctx, flags,
951 key,
952 &token->user_sids[0]);
953 if (!W_ERROR_IS_OK(werr)) {
954 DEBUG(0,("reg_apply_registry_entry: "
955 "gp_secure_key failed: %s\n",
956 dos_errstr(werr)));
957 return werr;
958 }
959 break;
960 case GP_REG_ACTION_ADD_VALUE:
961 werr = reg_setvalue(key, entry->value, entry->data);
962 if (!W_ERROR_IS_OK(werr)) {
963 DEBUG(0,("reg_apply_registry_entry: "
964 "reg_setvalue failed: %s\n",
965 dos_errstr(werr)));
966 dump_reg_entry(flags, "STORE", entry);
967 return werr;
968 }
969 break;
970 case GP_REG_ACTION_DEL_VALUE:
971 werr = reg_deletevalue(key, entry->value);
972 if (!W_ERROR_IS_OK(werr)) {
973 DEBUG(0,("reg_apply_registry_entry: "
974 "reg_deletevalue failed: %s\n",
975 dos_errstr(werr)));
976 dump_reg_entry(flags, "STORE", entry);
977 return werr;
978 }
979 break;
980 case GP_REG_ACTION_DEL_ALL_VALUES:
981 werr = reg_deleteallvalues(key);
982 if (!W_ERROR_IS_OK(werr)) {
983 DEBUG(0,("reg_apply_registry_entry: "
984 "reg_deleteallvalues failed: %s\n",
985 dos_errstr(werr)));
986 dump_reg_entry(flags, "STORE", entry);
987 return werr;
988 }
989 break;
990 case GP_REG_ACTION_DEL_VALUES:
991 case GP_REG_ACTION_DEL_KEYS:
992 case GP_REG_ACTION_SEC_KEY_RESET:
993 DEBUG(0,("reg_apply_registry_entry: "
994 "not yet supported: %s (%d)\n",
995 gp_reg_action_str(entry->action),
996 entry->action));
997 return WERR_NOT_SUPPORTED;
998 default:
999 DEBUG(0,("invalid action: %d\n", entry->action));
1000 return WERR_INVALID_PARAM;
1001 }
1002
1003 return werr;
1004 }
1005
Samba GIT mirror