source3/libgpo/gpext/security.c

   1 /*
   2  *  Unix SMB/CIFS implementation.
   3  *  Group Policy Support
   4  *  Copyright (C) Guenther Deschner 2005-2008
   5  *
   6  *  This program is free software; you can redistribute it and/or modify
   7  *  it under the terms of the GNU General Public License as published by
   8  *  the Free Software Foundation; either version 3 of the License, or
   9  *  (at your option) any later version.
  10  *
  11  *  This program is distributed in the hope that it will be useful,
  12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  *  GNU General Public License for more details.
  15  *
  16  *  You should have received a copy of the GNU General Public License
  17  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
  18  */
  19
  20 #include "includes.h"
  21 #include "../libgpo/gpo_ini.h"
  22 #include "../libgpo/gpo.h"
  23 #include "libgpo/gpo_proto.h"
  24 #include "libgpo/gpext/gpext.h"
  25
  26 #define GP_EXT_NAME "security"
  27
  28 #define GPTTMPL_UNIX_PATH  "Microsoft/Windows NT/SecEdit/GptTmpl.inf"
  29
  30 #define GPTTMPL_SECTION_UNICODE                 "Unicode"
  31 #define GPTTMPL_SECTION_VERSION                 "Version"
  32
  33 #define GPTTMPL_SECTION_REGISTRY_VALUES         "Registry Values"
  34 #define GPTTMPL_SECTION_SYSTEM_ACCESS           "System Access"
  35 #define GPTTMPL_SECTION_KERBEROS_POLICY         "Kerberos Policy"
  36 #define GPTTMPL_SECTION_EVENT_AUDIT             "Event Audit"
  37 #define GPTTMPL_SECTION_PRIVILEGE_RIGHTS        "Privilege Rights"
  38 #define GPTTMPL_SECTION_APPLICATION_LOG         "Application Log"
  39 #define GPTTMPL_SECTION_SECURITY_LOG            "Security Log"
  40 #define GPTTMPL_SECTION_SYSTEM_LOG              "System Log"
  41 #define GPTTMPL_SECTION_GROUP_MEMBERSHIP        "Group Membership"
  42 #define GPTTMPL_SECTION_FILE_SECURITY           "File Security"
  43 #define GPTTMPL_SECTION_SERVICE_GENERAL_SETTING "Service General Setting"
  44
  45 static TALLOC_CTX *ctx = NULL;
  46
  47 struct gpttmpl_table {
  48         const char *section;
  49         const char *parameter;
  50         enum winreg_Type type;
  51 };
  52
  53 /****************************************************************
  54  parse the Version section from gpttmpl file
  55 ****************************************************************/
  56
  57 #define GPTTMPL_PARAMETER_REVISION "Revision"
  58 #define GPTTMPL_PARAMETER_SIGNATURE "signature"
  59 #define GPTTMPL_VALUE_CHICAGO "\"$CHICAGO$\"" /* whatever this is good for... */
  60 #define GPTTMPL_PARAMETER_UNICODE "Unicode"
  61
  62 static NTSTATUS gpttmpl_parse_header(struct gp_inifile_context *ini_ctx,
  63                                      uint32_t *version_out)
  64 {
  65         char *signature = NULL;
  66         NTSTATUS result;
  67         int version;
  68         bool is_unicode = false;
  69
  70         if (!ini_ctx) {
  71                 return NT_STATUS_INVALID_PARAMETER;
  72         }
  73
  74         result = gp_inifile_getstring(ini_ctx, GPTTMPL_SECTION_VERSION
  75                         ":"GPTTMPL_PARAMETER_SIGNATURE, &signature);
  76         if (!NT_STATUS_IS_OK(result)) {
  77                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
  78         }
  79
  80         if (!strequal(signature, GPTTMPL_VALUE_CHICAGO)) {
  81                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
  82         }
  83         result = gp_inifile_getint(ini_ctx, GPTTMPL_SECTION_VERSION
  84                         ":"GPTTMPL_PARAMETER_REVISION, &version);
  85         if (!NT_STATUS_IS_OK(result)) {
  86                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
  87         }
  88
  89         if (version_out) {
  90                 *version_out = version;
  91         }
  92
  93         result = gp_inifile_getbool(ini_ctx, GPTTMPL_SECTION_UNICODE
  94                         ":"GPTTMPL_PARAMETER_UNICODE, &is_unicode);
  95         if (!NT_STATUS_IS_OK(result) || !is_unicode) {
  96                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
  97         }
  98
  99         return NT_STATUS_OK;
 100 }
 101
 102 /****************************************************************
 103 ****************************************************************/
 104
 105 static NTSTATUS gpttmpl_init_context(TALLOC_CTX *mem_ctx,
 106                                      uint32_t flags,
 107                                      const char *unix_path,
 108                                      struct gp_inifile_context **ini_ctx)
 109 {
 110         NTSTATUS status;
 111         uint32_t version;
 112         struct gp_inifile_context *tmp_ctx = NULL;
 113
 114         status = gp_inifile_init_context(mem_ctx, flags, unix_path,
 115                                          GPTTMPL_UNIX_PATH, &tmp_ctx);
 116         NT_STATUS_NOT_OK_RETURN(status);
 117
 118         status = gpttmpl_parse_header(tmp_ctx, &version);
 119         if (!NT_STATUS_IS_OK(status)) {
 120                 DEBUG(1,("gpttmpl_init_context: failed: %s\n",
 121                         nt_errstr(status)));
 122                 TALLOC_FREE(tmp_ctx);
 123                 return status;
 124         }
 125
 126         *ini_ctx = tmp_ctx;
 127
 128         return NT_STATUS_OK;
 129 }
 130
 131 /****************************************************************
 132 ****************************************************************/
 133
 134 static NTSTATUS gpttmpl_process(struct gp_inifile_context *ini_ctx,
 135                                 struct registry_key *root_key,
 136                                 uint32_t flags)
 137 {
 138         return NT_STATUS_OK;
 139 }
 140
 141 /****************************************************************
 142 ****************************************************************/
 143
 144 static NTSTATUS security_process_group_policy(TALLOC_CTX *mem_ctx,
 145                                               uint32_t flags,
 146                                               struct registry_key *root_key,
 147                                               const struct security_token *token,
 148                                               struct GROUP_POLICY_OBJECT *deleted_gpo_list,
 149                                               struct GROUP_POLICY_OBJECT *changed_gpo_list)
 150 {
 151         NTSTATUS status;
 152         char *unix_path = NULL;
 153         struct gp_inifile_context *ini_ctx = NULL;
 154         struct GROUP_POLICY_OBJECT *gpo;
 155
 156         /* implementation of the policy callback function, see
 157          * http://msdn.microsoft.com/en-us/library/aa373494%28v=vs.85%29.aspx
 158          * for details - gd */
 159
 160         /* for now do not process the list of deleted group policies
 161
 162         for (gpo = deleted_gpo_list; gpo; gpo = gpo->next) {
 163         }
 164
 165         */
 166
 167         for (gpo = changed_gpo_list; gpo; gpo = gpo->next) {
 168
 169                 gpext_debug_header(0, "security_process_group_policy", flags,
 170                                    gpo, GP_EXT_GUID_SECURITY, NULL);
 171
 172                 /* this handler processes the gpttmpl files and merge output to the
 173                  * registry */
 174
 175                 status = gpo_get_unix_path(mem_ctx, cache_path(GPO_CACHE_DIR),
 176                                            gpo, &unix_path);
 177                 if (!NT_STATUS_IS_OK(status)) {
 178                         goto out;
 179                 }
 180
 181                 status = gpttmpl_init_context(mem_ctx, flags, unix_path,
 182                                               &ini_ctx);
 183                 if (!NT_STATUS_IS_OK(status)) {
 184                         goto out;
 185                 }
 186
 187                 status = gpttmpl_process(ini_ctx, root_key, flags);
 188                 if (!NT_STATUS_IS_OK(status)) {
 189                         goto out;
 190                 }
 191
 192                 TALLOC_FREE(ini_ctx);
 193         }
 194
 195  out:
 196         if (!NT_STATUS_IS_OK(status)) {
 197                 DEBUG(0,("security_process_group_policy: %s\n",
 198                         nt_errstr(status)));
 199         }
 200         TALLOC_FREE(ini_ctx);
 201
 202         return status;
 203 }
 204
 205 /****************************************************************
 206 ****************************************************************/
 207
 208 static NTSTATUS security_get_reg_config(TALLOC_CTX *mem_ctx,
 209                                         struct gp_extension_reg_info **reg_info)
 210 {
 211         NTSTATUS status;
 212         struct gp_extension_reg_info *info = NULL;
 213
 214         struct gp_extension_reg_table table[] = {
 215                 /* FIXME: how can we store the "(Default)" value ??? */
 216                 /* { "", REG_SZ, "Security" }, */
 217                 { "ProcessGroupPolicy", REG_SZ, "security_process_group_policy" },
 218                 { "NoUserPolicy", REG_DWORD, "1" },
 219                 { "ExtensionDebugLevel", REG_DWORD, "1" },
 220                 { NULL, REG_NONE, NULL }
 221         };
 222
 223         info = talloc_zero(mem_ctx, struct gp_extension_reg_info);
 224         NT_STATUS_HAVE_NO_MEMORY(info);
 225
 226         status = gpext_info_add_entry(mem_ctx, GP_EXT_NAME,
 227                                       GP_EXT_GUID_SECURITY,
 228                                       table, info);
 229         NT_STATUS_NOT_OK_RETURN(status);
 230
 231         *reg_info = info;
 232
 233         return NT_STATUS_OK;
 234 }
 235
 236
 237 /****************************************************************
 238 ****************************************************************/
 239
 240 static NTSTATUS security_initialize(TALLOC_CTX *mem_ctx)
 241 {
 242         return NT_STATUS_OK;
 243 }
 244
 245 /****************************************************************
 246 ****************************************************************/
 247
 248 static NTSTATUS security_shutdown(void)
 249 {
 250         NTSTATUS status;
 251
 252         status = gpext_unregister_gp_extension(GP_EXT_NAME);
 253         if (NT_STATUS_IS_OK(status)) {
 254                 return status;
 255         }
 256
 257         TALLOC_FREE(ctx);
 258
 259         return NT_STATUS_OK;
 260 }
 261
 262 /****************************************************************
 263 ****************************************************************/
 264
 265 static struct gp_extension_methods security_methods = {
 266         .initialize             = security_initialize,
 267         .process_group_policy   = security_process_group_policy,
 268         .get_reg_config         = security_get_reg_config,
 269         .shutdown               = security_shutdown
 270 };
 271
 272 /****************************************************************
 273 ****************************************************************/
 274
 275 NTSTATUS gpext_security_init(void)
 276 {
 277         NTSTATUS status;
 278
 279         ctx = talloc_init("gpext_security_init");
 280         NT_STATUS_HAVE_NO_MEMORY(ctx);
 281
 282         status = gpext_register_gp_extension(ctx, SMB_GPEXT_INTERFACE_VERSION,
 283                                              GP_EXT_NAME, GP_EXT_GUID_SECURITY,
 284                                              &security_methods);
 285         if (!NT_STATUS_IS_OK(status)) {
 286                 TALLOC_FREE(ctx);
 287         }
 288
 289         return status;
 290 }