2 * Unix SMB/CIFS implementation.
4 * Copyright (C) Guenther Deschner 2005-2008
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
21 #include "../libgpo/gpo_ini.h"
22 #include "../libgpo/gpo.h"
23 #include "libgpo/gpo_proto.h"
24 #include "libgpo/gpext/gpext.h"
/* Name under which this client-side extension registers itself
 * (gpext_register_gp_extension / gpext_unregister_gp_extension below). */
#define GP_EXT_NAME "security"

/* Location of the security template inside a cached GPO, relative to the
 * GPO's unix cache path; passed to gp_inifile_init_context by
 * gpttmpl_init_context. */
#define GPTTMPL_UNIX_PATH "Microsoft/Windows NT/SecEdit/GptTmpl.inf"

/* INI section names of GptTmpl.inf.  Only "Unicode" and "Version" are
 * consulted by the header check in this file (gpttmpl_parse_header); the
 * remaining names are declared but not referenced in the portions of the
 * file visible in this listing. */
#define GPTTMPL_SECTION_UNICODE "Unicode"
#define GPTTMPL_SECTION_VERSION "Version"

#define GPTTMPL_SECTION_REGISTRY_VALUES "Registry Values"
#define GPTTMPL_SECTION_SYSTEM_ACCESS "System Access"
#define GPTTMPL_SECTION_KERBEROS_POLICY "Kerberos Policy"
#define GPTTMPL_SECTION_EVENT_AUDIT "Event Audit"
#define GPTTMPL_SECTION_PRIVILEGE_RIGHTS "Privilege Rights"
#define GPTTMPL_SECTION_APPLICATION_LOG "Application Log"
#define GPTTMPL_SECTION_SECURITY_LOG "Security Log"
#define GPTTMPL_SECTION_SYSTEM_LOG "System Log"
#define GPTTMPL_SECTION_GROUP_MEMBERSHIP "Group Membership"
#define GPTTMPL_SECTION_FILE_SECURITY "File Security"
#define GPTTMPL_SECTION_SERVICE_GENERAL_SETTING "Service General Setting"
/* Module-wide talloc context owning the extension registration.  It is
 * created with talloc_init in gpext_security_init and passed as the parent
 * to gpext_register_gp_extension.  What happens to it on
 * security_shutdown is not visible in this listing. */
static TALLOC_CTX *ctx = NULL;
/* One row of a GptTmpl.inf parameter table: the INI parameter name and the
 * winreg_Type it is associated with.
 * NOTE(review): the rest of the struct and its closing brace (original
 * lines 51-52) are absent from this listing, and no use of the type is
 * visible here. */
struct gpttmpl_table {
	const char *parameter;
	enum winreg_Type type;
/****************************************************************
 Parameters of the Version / Unicode sections of GptTmpl.inf that are
 checked by gpttmpl_parse_header below.
****************************************************************/

#define GPTTMPL_PARAMETER_REVISION "Revision"
#define GPTTMPL_PARAMETER_SIGNATURE "signature"
/* Exact signature string - including the literal double quotes - that the
 * Version:signature entry must equal (strequal) for the template to be
 * accepted at all. */
#define GPTTMPL_VALUE_CHICAGO "\"$CHICAGO$\""
#define GPTTMPL_PARAMETER_UNICODE "Unicode"
/****************************************************************
 Validate the GptTmpl.inf header and return its revision.

 Reads the [Version] and [Unicode] sections through the already opened
 ini_ctx.  The template is accepted only when
   - Version:signature is present and equals GPTTMPL_VALUE_CHICAGO,
   - Version:Revision can be read as an integer, and
   - Unicode:Unicode is present and true.
 Every other outcome is reported as NT_STATUS_INTERNAL_DB_CORRUPTION, so a
 malformed or unexpected template (the file comes from the GPO cache, i.e.
 from data fetched off the network) is rejected instead of being applied.
 *version_out is written only after the Revision entry was read
 successfully.

 NOTE(review): this listing lacks several original lines between 62 and
 101 - presumably the braces, the declarations of result and version, the
 condition guarding the NT_STATUS_INVALID_PARAMETER return (likely a NULL
 check on ini_ctx) and the final successful return.  The tokens below are
 reproduced as far as they are visible.
****************************************************************/

static NTSTATUS gpttmpl_parse_header(struct gp_inifile_context *ini_ctx,
				     uint32_t *version_out)
	char *signature = NULL;
	bool is_unicode = false;

		/* guard condition absent from this listing */
		return NT_STATUS_INVALID_PARAMETER;

	result = gp_inifile_getstring(ini_ctx, GPTTMPL_SECTION_VERSION
				      ":" GPTTMPL_PARAMETER_SIGNATURE, &signature);
	if (!NT_STATUS_IS_OK(result)) {
		return NT_STATUS_INTERNAL_DB_CORRUPTION;

	/* A wrong signature is treated exactly like a corrupt file.
	 * NOTE(review): this relies on strequal tolerating a NULL signature
	 * should getstring succeed without setting it - confirm. */
	if (!strequal(signature, GPTTMPL_VALUE_CHICAGO)) {
		return NT_STATUS_INTERNAL_DB_CORRUPTION;

	result = gp_inifile_getint(ini_ctx, GPTTMPL_SECTION_VERSION
				   ":" GPTTMPL_PARAMETER_REVISION, &version);
	if (!NT_STATUS_IS_OK(result)) {
		return NT_STATUS_INTERNAL_DB_CORRUPTION;

	*version_out = version;

	result = gp_inifile_getbool(ini_ctx, GPTTMPL_SECTION_UNICODE
				    ":" GPTTMPL_PARAMETER_UNICODE, &is_unicode);
	/* A template not flagged as Unicode is rejected as well. */
	if (!NT_STATUS_IS_OK(result) || !is_unicode) {
		return NT_STATUS_INTERNAL_DB_CORRUPTION;
/****************************************************************
 Open the GptTmpl.inf of one cached GPO and validate its header.

 Creates an ini context for GPTTMPL_UNIX_PATH below unix_path
 (gp_inifile_init_context, allocated on mem_ctx) and runs
 gpttmpl_parse_header on it.  If the header check fails, the failure is
 logged at debug level 1 and the freshly created context is freed with
 TALLOC_FREE before the error is returned, so a rejected template never
 reaches the caller.  Presumably the context is handed back through
 ini_ctx on success; that tail of the function is absent from this listing.

 NOTE(review): the parameter list is incomplete here - flags is used in
 the gp_inifile_init_context call but its declaration (original line 106)
 is absent, as are the declarations of status and version, the nt_errstr
 argument that closes the DEBUG call, and the lines after TALLOC_FREE.
****************************************************************/

static NTSTATUS gpttmpl_init_context(TALLOC_CTX *mem_ctx,
				     const char *unix_path,
				     struct gp_inifile_context **ini_ctx)
	struct gp_inifile_context *tmp_ctx = NULL;

	status = gp_inifile_init_context(mem_ctx, flags, unix_path,
					 GPTTMPL_UNIX_PATH, &tmp_ctx);
	NT_STATUS_NOT_OK_RETURN(status);

	/* Reject the file before anything is applied from it; the context is
	 * released below on failure.  The closing argument of the DEBUG call
	 * is on an absent line. */
	status = gpttmpl_parse_header(tmp_ctx, &version);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(1,("gpttmpl_init_context: failed: %s\n",
		TALLOC_FREE(tmp_ctx);
/****************************************************************
 Judging by its name and the root_key parameter, this is where the
 settings of a validated GptTmpl.inf are meant to be applied to the
 registry; it is called once per changed GPO from
 security_process_group_policy.

 NOTE(review): only the beginning of the signature is visible in this
 listing.  The last parameter (presumably flags, given the call site) and
 the entire body are absent, so what - if anything - is written below
 root_key cannot be documented from here.
****************************************************************/

static NTSTATUS gpttmpl_process(struct gp_inifile_context *ini_ctx,
				struct registry_key *root_key,
/****************************************************************
 ProcessGroupPolicy callback of the "security" client-side extension.

 Receives the GPOs removed since the last run (deleted_gpo_list) and those
 added or changed (changed_gpo_list).  Only changed_gpo_list is walked:
 for every GPO the unix path of its cached copy below
 cache_path(GPO_CACHE_DIR) is resolved (gpo_get_unix_path), the GptTmpl.inf
 there is opened and header-checked (gpttmpl_init_context), and the result
 is handed to gpttmpl_process together with root_key.  The ini context is
 released after each GPO and once more after the loop; TALLOC_FREE resets
 the pointer, so the final release is safe either way.  A non-OK status is
 logged once at level 0 after the loop.

 deleted_gpo_list is accepted but - per the comment in the body - not
 processed yet: settings previously applied from a GPO that has since
 been removed are not reverted by this handler.

 token is not used in the visible part of the function.

 NOTE(review): the body is incomplete in this listing - the flags
 parameter, the status local, the bodies of the error branches and the
 trailing arguments of the gpo_get_unix_path and gpttmpl_init_context
 calls are on absent lines.
****************************************************************/

static NTSTATUS security_process_group_policy(TALLOC_CTX *mem_ctx,
					      struct registry_key *root_key,
					      const struct security_token *token,
					      struct GROUP_POLICY_OBJECT *deleted_gpo_list,
					      struct GROUP_POLICY_OBJECT *changed_gpo_list)
	char *unix_path = NULL;
	struct gp_inifile_context *ini_ctx = NULL;
	struct GROUP_POLICY_OBJECT *gpo;

	/* implementation of the policy callback function, see
	 * http://msdn.microsoft.com/en-us/library/aa373494%28v=vs.85%29.aspx
	 * for details - gd */

	/* for now do not process the list of deleted group policies
	 * NOTE(review): in this listing the comment opened here is not closed
	 * before the loop below, so the deleted-list loop appears to be
	 * commented out; its closing lines are absent.
	for (gpo = deleted_gpo_list; gpo; gpo = gpo->next) {
	 */

	for (gpo = changed_gpo_list; gpo; gpo = gpo->next) {

		gpext_debug_header(0, "security_process_group_policy", flags,
				   gpo, GP_EXT_GUID_SECURITY, NULL);

		/* this handler processes the gpttmpl files and merge output to the
		 * [remainder of the original comment is absent from this listing] */

		/* Locate the cached copy of this GPO; further arguments are on
		 * an absent line. */
		status = gpo_get_unix_path(mem_ctx, cache_path(GPO_CACHE_DIR),
		if (!NT_STATUS_IS_OK(status)) {

		/* Open and header-check the template; rejected files never
		 * reach gpttmpl_process.  Further arguments are on an absent
		 * line. */
		status = gpttmpl_init_context(mem_ctx, flags, unix_path,
		if (!NT_STATUS_IS_OK(status)) {

		status = gpttmpl_process(ini_ctx, root_key, flags);
		if (!NT_STATUS_IS_OK(status)) {

		TALLOC_FREE(ini_ctx);

	/* Report once; the error branches above end up here. */
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(0,("security_process_group_policy: %s\n",

	TALLOC_FREE(ini_ctx);
/****************************************************************
 Describe how this extension is registered in the registry.

 Allocates a zeroed gp_extension_reg_info on mem_ctx and fills it through
 gpext_info_add_entry with GP_EXT_NAME, GP_EXT_GUID_SECURITY and the value
 table below:
   ProcessGroupPolicy  = "security_process_group_policy" (the callback)
   NoUserPolicy        = 1  (this extension handles machine policy only)
   ExtensionDebugLevel = 1
 The "(Default)" value cannot be expressed with this table yet (see the
 FIXME); that entry stays commented out.

 NOTE(review): the status local, the remaining arguments of
 gpext_info_add_entry (presumably the table), the closing of the table
 initializer and the tail assigning info to *reg_info are on lines absent
 from this listing.
****************************************************************/

static NTSTATUS security_get_reg_config(TALLOC_CTX *mem_ctx,
					struct gp_extension_reg_info **reg_info)
	struct gp_extension_reg_info *info = NULL;

	struct gp_extension_reg_table table[] = {
		/* FIXME: how can we store the "(Default)" value ??? */
		/* { "", REG_SZ, "Security" }, */
		{ "ProcessGroupPolicy", REG_SZ, "security_process_group_policy" },
		{ "NoUserPolicy", REG_DWORD, "1" },
		{ "ExtensionDebugLevel", REG_DWORD, "1" },
		{ NULL, REG_NONE, NULL }

	info = talloc_zero(mem_ctx, struct gp_extension_reg_info);
	NT_STATUS_HAVE_NO_MEMORY(info);

	status = gpext_info_add_entry(mem_ctx, GP_EXT_NAME,
				      GP_EXT_GUID_SECURITY,
	NT_STATUS_NOT_OK_RETURN(status);
/****************************************************************
 "initialize" entry of security_methods.

 NOTE(review): only the signature is visible in this listing; the body
 (original lines 241-243) is absent, so whether mem_ctx is used cannot be
 documented from here.
****************************************************************/

static NTSTATUS security_initialize(TALLOC_CTX *mem_ctx)
/****************************************************************
 "shutdown" entry of security_methods: unregisters this extension under
 GP_EXT_NAME and, when that succeeded, performs further cleanup whose
 lines are absent from this listing (presumably releasing the module-wide
 ctx).

 NOTE(review): the status local, the opening brace and everything after
 the if are on absent lines.
****************************************************************/

static NTSTATUS security_shutdown(void)
	status = gpext_unregister_gp_extension(GP_EXT_NAME);
	if (NT_STATUS_IS_OK(status)) {
/****************************************************************
 Callback table handed to gpext_register_gp_extension by
 gpext_security_init; each member points at the static handler of the same
 name above.  NOTE(review): the closing "};" of the initializer is absent
 from this listing.
****************************************************************/

static struct gp_extension_methods security_methods = {
	.initialize		= security_initialize,
	.process_group_policy	= security_process_group_policy,
	.get_reg_config		= security_get_reg_config,
	.shutdown		= security_shutdown
272 /****************************************************************
273 ****************************************************************/
275 NTSTATUS
gpext_security_init(void)
279 ctx
= talloc_init("gpext_security_init");
280 NT_STATUS_HAVE_NO_MEMORY(ctx
);
282 status
= gpext_register_gp_extension(ctx
, SMB_GPEXT_INTERFACE_VERSION
,
283 GP_EXT_NAME
, GP_EXT_GUID_SECURITY
,
285 if (!NT_STATUS_IS_OK(status
)) {