source3/lib/util_seaccess.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Copyright (C) Andrew Tridgell 2004
   5    Copyright (C) Gerald Carter 2005
   6    Copyright (C) Volker Lendecke 2007
   7    Copyright (C) Jeremy Allison 2008
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "includes.h"
  24
  25 extern NT_USER_TOKEN anonymous_token;
  26
  27 /* Map generic access rights to object specific rights.  This technique is
  28    used to give meaning to assigning read, write, execute and all access to
  29    objects.  Each type of object has its own mapping of generic to object
  30    specific access rights. */
  31
  32 void se_map_generic(uint32 *access_mask, const struct generic_mapping *mapping)
  33 {
  34         uint32 old_mask = *access_mask;
  35
  36         if (*access_mask & GENERIC_READ_ACCESS) {
  37                 *access_mask &= ~GENERIC_READ_ACCESS;
  38                 *access_mask |= mapping->generic_read;
  39         }
  40
  41         if (*access_mask & GENERIC_WRITE_ACCESS) {
  42                 *access_mask &= ~GENERIC_WRITE_ACCESS;
  43                 *access_mask |= mapping->generic_write;
  44         }
  45
  46         if (*access_mask & GENERIC_EXECUTE_ACCESS) {
  47                 *access_mask &= ~GENERIC_EXECUTE_ACCESS;
  48                 *access_mask |= mapping->generic_execute;
  49         }
  50
  51         if (*access_mask & GENERIC_ALL_ACCESS) {
  52                 *access_mask &= ~GENERIC_ALL_ACCESS;
  53                 *access_mask |= mapping->generic_all;
  54         }
  55
  56         if (old_mask != *access_mask) {
  57                 DEBUG(10, ("se_map_generic(): mapped mask 0x%08x to 0x%08x\n",
  58                            old_mask, *access_mask));
  59         }
  60 }
  61
  62 /* Map generic access rights to object specific rights for all the ACE's
  63  * in a security_acl.
  64  */
  65
  66 void security_acl_map_generic(struct security_acl *sa,
  67                                 const struct generic_mapping *mapping)
  68 {
  69         unsigned int i;
  70
  71         if (!sa) {
  72                 return;
  73         }
  74
  75         for (i = 0; i < sa->num_aces; i++) {
  76                 se_map_generic(&sa->aces[i].access_mask, mapping);
  77         }
  78 }
  79
  80 /* Map standard access rights to object specific rights.  This technique is
  81    used to give meaning to assigning read, write, execute and all access to
  82    objects.  Each type of object has its own mapping of standard to object
  83    specific access rights. */
  84
  85 void se_map_standard(uint32 *access_mask, struct standard_mapping *mapping)
  86 {
  87         uint32 old_mask = *access_mask;
  88
  89         if (*access_mask & SEC_STD_READ_CONTROL) {
  90                 *access_mask &= ~SEC_STD_READ_CONTROL;
  91                 *access_mask |= mapping->std_read;
  92         }
  93
  94         if (*access_mask & (SEC_STD_DELETE|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE)) {
  95                 *access_mask &= ~(SEC_STD_DELETE|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE);
  96                 *access_mask |= mapping->std_all;
  97         }
  98
  99         if (old_mask != *access_mask) {
 100                 DEBUG(10, ("se_map_standard(): mapped mask 0x%08x to 0x%08x\n",
 101                            old_mask, *access_mask));
 102         }
 103 }
 104
 105 /*
 106   perform a SEC_FLAG_MAXIMUM_ALLOWED access check
 107 */
 108 static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
 109                                         const NT_USER_TOKEN *token)
 110 {
 111         uint32_t denied = 0, granted = 0;
 112         unsigned i;
 113
 114         if (is_sid_in_token(token, sd->owner_sid)) {
 115                 granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_STD_DELETE;
 116         } else if (user_has_privileges(token, &se_restore)) {
 117                 granted |= SEC_STD_DELETE;
 118         }
 119
 120         if (sd->dacl == NULL) {
 121                 return granted & ~denied;
 122         }
 123
 124         for (i = 0;i<sd->dacl->num_aces; i++) {
 125                 struct security_ace *ace = &sd->dacl->aces[i];
 126
 127                 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
 128                         continue;
 129                 }
 130
 131                 if (!is_sid_in_token(token, &ace->trustee)) {
 132                         continue;
 133                 }
 134
 135                 switch (ace->type) {
 136                 case SEC_ACE_TYPE_ACCESS_ALLOWED:
 137                         granted |= ace->access_mask;
 138                         break;
 139                 case SEC_ACE_TYPE_ACCESS_DENIED:
 140                 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
 141                         denied |= ace->access_mask;
 142                         break;
 143                 default:        /* Other ACE types not handled/supported */
 144                         break;
 145                 }
 146         }
 147
 148         return granted & ~denied;
 149 }
 150
 151 /*
 152   The main entry point for access checking. If returning ACCESS_DENIED
 153   this function returns the denied bits in the uint32_t pointed
 154   to by the access_granted pointer.
 155 */
 156 NTSTATUS se_access_check(const struct security_descriptor *sd,
 157                           const NT_USER_TOKEN *token,
 158                           uint32_t access_desired,
 159                           uint32_t *access_granted)
 160 {
 161         int i;
 162         uint32_t bits_remaining;
 163
 164         *access_granted = access_desired;
 165         bits_remaining = access_desired;
 166
 167         /* handle the maximum allowed flag */
 168         if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
 169                 uint32_t orig_access_desired = access_desired;
 170
 171                 access_desired |= access_check_max_allowed(sd, token);
 172                 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
 173                 *access_granted = access_desired;
 174                 bits_remaining = access_desired & ~SEC_STD_DELETE;
 175
 176                 DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n",
 177                         orig_access_desired,
 178                         *access_granted,
 179                         bits_remaining));
 180         }
 181
 182 #if 0
 183         /* We need to support SeSecurityPrivilege for this. */
 184
 185         if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
 186                 if (user_has_privileges(token, &sec_security)) {
 187                         bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
 188                 } else {
 189                         return NT_STATUS_PRIVILEGE_NOT_HELD;
 190                 }
 191         }
 192 #endif
 193
 194         /* a NULL dacl allows access */
 195         if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
 196                 *access_granted = access_desired;
 197                 return NT_STATUS_OK;
 198         }
 199
 200         /* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */
 201         if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) &&
 202             is_sid_in_token(token, sd->owner_sid)) {
 203                 bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE);
 204         }
 205         if ((bits_remaining & SEC_STD_DELETE) &&
 206             user_has_privileges(token, &se_restore)) {
 207                 bits_remaining &= ~SEC_STD_DELETE;
 208         }
 209
 210         if (sd->dacl == NULL) {
 211                 goto done;
 212         }
 213
 214         /* check each ace in turn. */
 215         for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
 216                 struct security_ace *ace = &sd->dacl->aces[i];
 217
 218                 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
 219                         continue;
 220                 }
 221
 222                 if (!is_sid_in_token(token, &ace->trustee)) {
 223                         continue;
 224                 }
 225
 226                 switch (ace->type) {
 227                 case SEC_ACE_TYPE_ACCESS_ALLOWED:
 228                         bits_remaining &= ~ace->access_mask;
 229                         break;
 230                 case SEC_ACE_TYPE_ACCESS_DENIED:
 231                 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
 232                         if (bits_remaining & ace->access_mask) {
 233                                 return NT_STATUS_ACCESS_DENIED;
 234                         }
 235                         break;
 236                 default:        /* Other ACE types not handled/supported */
 237                         break;
 238                 }
 239         }
 240
 241 done:
 242         if (bits_remaining != 0) {
 243                 *access_granted = bits_remaining;
 244                 return NT_STATUS_ACCESS_DENIED;
 245         }
 246
 247         return NT_STATUS_OK;
 248 }
 249
 250 /*******************************************************************
 251  samr_make_sam_obj_sd
 252  ********************************************************************/
 253
 254 NTSTATUS samr_make_sam_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size)
 255 {
 256         DOM_SID adm_sid;
 257         DOM_SID act_sid;
 258
 259         SEC_ACE ace[3];
 260
 261         SEC_ACL *psa = NULL;
 262
 263         sid_copy(&adm_sid, &global_sid_Builtin);
 264         sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS);
 265
 266         sid_copy(&act_sid, &global_sid_Builtin);
 267         sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS);
 268
 269         /*basic access for every one*/
 270         init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
 271                 GENERIC_RIGHTS_SAM_EXECUTE | GENERIC_RIGHTS_SAM_READ, 0);
 272
 273         /*full access for builtin aliases Administrators and Account Operators*/
 274         init_sec_ace(&ace[1], &adm_sid,
 275                 SEC_ACE_TYPE_ACCESS_ALLOWED, GENERIC_RIGHTS_SAM_ALL_ACCESS, 0);
 276         init_sec_ace(&ace[2], &act_sid,
 277                 SEC_ACE_TYPE_ACCESS_ALLOWED, GENERIC_RIGHTS_SAM_ALL_ACCESS, 0);
 278
 279         if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL)
 280                 return NT_STATUS_NO_MEMORY;
 281
 282         if ((*psd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1,
 283                                   SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL,
 284                                   psa, sd_size)) == NULL)
 285                 return NT_STATUS_NO_MEMORY;
 286
 287         return NT_STATUS_OK;
 288 }