search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
few edits
[Samba.git] / source / lib / util_seaccess.c
blobb80ba6e8046f9fede2ffb7d5b6b268703bbd3efa
1 /*
2 Unix SMB/Netbios implementation.
3 Version 2.0
4 Copyright (C) Luke Kenneth Casson Leighton 1996-2000.
5 Copyright (C) Tim Potter 2000.
6 Copyright (C) Re-written by Jeremy Allison 2000.
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 */
22
23 #include "includes.h"
24 #include "nterr.h"
25 #include "sids.h"
26
27 /**********************************************************************************
28 Check if this ACE has a SID in common with the token.
29 **********************************************************************************/
30
31 static BOOL token_sid_in_ace(const NT_USER_TOKEN *token, const SEC_ACE *ace)
32 {
33 size_t i;
34
35 for (i = 0; i < token->num_sids; i++) {
36 if (sid_equal(&ace->trustee, &token->user_sids[i]))
37 return True;
38 }
39
40 return False;
41 }
42
43 /*********************************************************************************
44 Check an ACE against a SID. We return the remaining needed permission
45 bits not yet granted. Zero means permission allowed (no more needed bits).
46 **********************************************************************************/
47
48 static uint32 check_ace(SEC_ACE *ace, NT_USER_TOKEN *token, uint32 acc_desired,
49 NTSTATUS *status)
50 {
51 uint32 mask = ace->info.mask;
52
53 /*
54 * Inherit only is ignored.
55 */
56
57 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
58 return acc_desired;
59 }
60
61 /*
62 * If this ACE has no SID in common with the token,
63 * ignore it as it cannot be used to make an access
64 * determination.
65 */
66
67 if (!token_sid_in_ace( token, ace))
68 return acc_desired;
69
70 switch (ace->type) {
71 case SEC_ACE_TYPE_ACCESS_ALLOWED:
72 /*
73 * This is explicitly allowed.
74 * Remove the bits from the remaining
75 * access required. Return the remaining
76 * bits needed.
77 */
78 acc_desired &= ~mask;
79 break;
80 case SEC_ACE_TYPE_ACCESS_DENIED:
81 /*
82 * This is explicitly denied.
83 * If any bits match terminate here,
84 * we are denied.
85 */
86 if (acc_desired & mask) {
87 *status = NT_STATUS_ACCESS_DENIED;
88 return 0xFFFFFFFF;
89 }
90 break;
91 case SEC_ACE_TYPE_SYSTEM_ALARM:
92 case SEC_ACE_TYPE_SYSTEM_AUDIT:
93 *status = NT_STATUS_NOT_IMPLEMENTED;
94 return 0xFFFFFFFF;
95 default:
96 *status = NT_STATUS_INVALID_PARAMETER;
97 return 0xFFFFFFFF;
98 }
99
100 return acc_desired;
101 }
102
103 /*********************************************************************************
104 Maximum access was requested. Calculate the max possible. Fail if it doesn't
105 include other bits requested.
106 **********************************************************************************/
107
108 static BOOL get_max_access( SEC_ACL *the_acl, NT_USER_TOKEN *token, uint32 *granted,
109 uint32 desired,
110 NTSTATUS *status)
111 {
112 uint32 acc_denied = 0;
113 uint32 acc_granted = 0;
114 size_t i;
115
116 for ( i = 0 ; i < the_acl->num_aces; i++) {
117 SEC_ACE *ace = &the_acl->ace[i];
118 uint32 mask = ace->info.mask;
119
120 if (!token_sid_in_ace( token, ace))
121 continue;
122
123 switch (ace->type) {
124 case SEC_ACE_TYPE_ACCESS_ALLOWED:
125 acc_granted |= (mask & ~acc_denied);
126 break;
127 case SEC_ACE_TYPE_ACCESS_DENIED:
128 acc_denied |= (mask & ~acc_granted);
129 break;
130 case SEC_ACE_TYPE_SYSTEM_ALARM:
131 case SEC_ACE_TYPE_SYSTEM_AUDIT:
132 *status = NT_STATUS_NOT_IMPLEMENTED;
133 *granted = 0;
134 return False;
135 default:
136 *status = NT_STATUS_INVALID_PARAMETER;
137 *granted = 0;
138 return False;
139 }
140 }
141
142 /*
143 * If we were granted no access, or we desired bits that we
144 * didn't get, then deny.
145 */
146
147 if ((acc_granted == 0) || ((acc_granted & desired) != desired)) {
148 *status = NT_STATUS_ACCESS_DENIED;
149 *granted = 0;
150 return False;
151 }
152
153 /*
154 * Return the access we did get.
155 */
156
157 *granted = acc_granted;
158 *status = NT_STATUS_OK;
159 return True;
160 }
161
162 /* Map generic access rights to object specific rights. This technique is
163 used to give meaning to assigning read, write, execute and all access to
164 objects. Each type of object has its own mapping of generic to object
165 specific access rights. */
166
167 void se_map_generic(uint32 *access_mask, struct generic_mapping *mapping)
168 {
169 uint32 old_mask = *access_mask;
170
171 if (*access_mask & GENERIC_READ_ACCESS) {
172 *access_mask &= ~GENERIC_READ_ACCESS;
173 *access_mask |= mapping->generic_read;
174 }
175
176 if (*access_mask & GENERIC_WRITE_ACCESS) {
177 *access_mask &= ~GENERIC_WRITE_ACCESS;
178 *access_mask |= mapping->generic_write;
179 }
180
181 if (*access_mask & GENERIC_EXECUTE_ACCESS) {
182 *access_mask &= ~GENERIC_EXECUTE_ACCESS;
183 *access_mask |= mapping->generic_execute;
184 }
185
186 if (*access_mask & GENERIC_ALL_ACCESS) {
187 *access_mask &= ~GENERIC_ALL_ACCESS;
188 *access_mask |= mapping->generic_all;
189 }
190
191 if (old_mask != *access_mask) {
192 DEBUG(10, ("se_map_generic(): mapped mask 0x%08x to 0x%08x\n",
193 old_mask, *access_mask));
194 }
195 }
196
197 /* Map standard access rights to object specific rights. This technique is
198 used to give meaning to assigning read, write, execute and all access to
199 objects. Each type of object has its own mapping of standard to object
200 specific access rights. */
201
202 void se_map_standard(uint32 *access_mask, struct standard_mapping *mapping)
203 {
204 uint32 old_mask = *access_mask;
205
206 if (*access_mask & READ_CONTROL_ACCESS) {
207 *access_mask &= ~READ_CONTROL_ACCESS;
208 *access_mask |= mapping->std_read;
209 }
210
211 if (*access_mask & (DELETE_ACCESS|WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS|SYNCHRONIZE_ACCESS)) {
212 *access_mask &= ~(DELETE_ACCESS|WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS|SYNCHRONIZE_ACCESS);
213 *access_mask |= mapping->std_all;
214 }
215
216 if (old_mask != *access_mask) {
217 DEBUG(10, ("se_map_standard(): mapped mask 0x%08x to 0x%08x\n",
218 old_mask, *access_mask));
219 }
220 }
221
222 /*****************************************************************************
223 Check access rights of a user against a security descriptor. Look at
224 each ACE in the security descriptor until an access denied ACE denies
225 any of the desired rights to the user or any of the users groups, or one
226 or more ACEs explicitly grant all requested access rights. See
227 "Access-Checking" document in MSDN.
228 *****************************************************************************/
229
230 BOOL se_access_check(SEC_DESC *sd, NT_USER_TOKEN *token,
231 uint32 acc_desired, uint32 *acc_granted,
232 NTSTATUS *status)
233 {
234 extern NT_USER_TOKEN anonymous_token;
235 size_t i;
236 SEC_ACL *the_acl;
237 fstring sid_str;
238 uint32 tmp_acc_desired = acc_desired;
239
240 if (!status || !acc_granted)
241 return False;
242
243 if (!token)
244 token = &anonymous_token;
245
246 *status = NT_STATUS_OK;
247 *acc_granted = 0;
248
249 DEBUG(10,("se_access_check: requested access 0x%08x, for NT token with %u entries and first sid %s.\n",
250 (unsigned int)acc_desired, (unsigned int)token->num_sids,
251 sid_to_string(sid_str, &token->user_sids[0])));
252
253 /*
254 * No security descriptor or security descriptor with no DACL
255 * present allows all access.
256 */
257
258 /* ACL must have something in it */
259
260 if (!sd || (sd && (!(sd->type & SEC_DESC_DACL_PRESENT) || sd->dacl == NULL))) {
261 *status = NT_STATUS_OK;
262 *acc_granted = acc_desired;
263 DEBUG(5, ("se_access_check: no sd or blank DACL, access allowed\n"));
264 return True;
265 }
266
267 /* The user sid is the first in the token */
268
269 DEBUG(3, ("se_access_check: user sid is %s\n", sid_to_string(sid_str, &token->user_sids[PRIMARY_USER_SID_INDEX]) ));
270
271 for (i = 1; i < token->num_sids; i++) {
272 DEBUG(3, ("se_access_check: also %s\n",
273 sid_to_string(sid_str, &token->user_sids[i])));
274 }
275
276 /* Is the token the owner of the SID ? */
277
278 if (sd->owner_sid) {
279 for (i = 0; i < token->num_sids; i++) {
280 if (sid_equal(&token->user_sids[i], sd->owner_sid)) {
281 /*
282 * The owner always has SEC_RIGHTS_WRITE_DAC & READ_CONTROL.
283 */
284 if (tmp_acc_desired & WRITE_DAC_ACCESS)
285 tmp_acc_desired &= ~WRITE_DAC_ACCESS;
286 if (tmp_acc_desired & READ_CONTROL_ACCESS)
287 tmp_acc_desired &= ~READ_CONTROL_ACCESS;
288 }
289 }
290 }
291
292 the_acl = sd->dacl;
293
294 if (tmp_acc_desired & MAXIMUM_ALLOWED_ACCESS) {
295 tmp_acc_desired &= ~MAXIMUM_ALLOWED_ACCESS;
296 return get_max_access( the_acl, token, acc_granted, tmp_acc_desired,
297 status);
298 }
299
300 for ( i = 0 ; i < the_acl->num_aces && tmp_acc_desired != 0; i++) {
301 SEC_ACE *ace = &the_acl->ace[i];
302
303 DEBUG(10,("se_access_check: ACE %u: type %d, flags = 0x%02x, SID = %s mask = %x, current desired = %x\n",
304 (unsigned int)i, ace->type, ace->flags,
305 sid_to_string(sid_str, &ace->trustee),
306 (unsigned int) ace->info.mask,
307 (unsigned int)tmp_acc_desired ));
308
309 tmp_acc_desired = check_ace( ace, token, tmp_acc_desired, status);
310 if (NT_STATUS_V(*status)) {
311 *acc_granted = 0;
312 DEBUG(5,("se_access_check: ACE %u denied with status %s.\n", (unsigned int)i, get_nt_error_msg(*status)));
313 return False;
314 }
315 }
316
317 /*
318 * If there are no more desired permissions left then
319 * access was allowed.
320 */
321
322 if (tmp_acc_desired == 0) {
323 *acc_granted = acc_desired;
324 *status = NT_STATUS_OK;
325 DEBUG(5,("se_access_check: access (%x) granted.\n", (unsigned int)acc_desired ));
326 return True;
327 }
328
329 *acc_granted = 0;
330 *status = NT_STATUS_ACCESS_DENIED;
331 DEBUG(5,("se_access_check: access (%x) denied.\n", (unsigned int)acc_desired ));
332 return False;
333 }
334
335 /* Create a child security descriptor using another security descriptor as
336 the parent container. This child object can either be a container or
337 non-container object. */
338
339 SEC_DESC_BUF *se_create_child_secdesc(TALLOC_CTX *ctx, SEC_DESC *parent_ctr,
340 BOOL child_container)
341 {
342 SEC_DESC_BUF *sdb;
343 SEC_DESC *sd;
344 SEC_ACL *new_dacl, *the_acl;
345 SEC_ACE *new_ace_list = NULL;
346 int new_ace_list_ndx = 0, i;
347 size_t size;
348
349 /* Currently we only process the dacl when creating the child. The
350 sacl should also be processed but this is left out as sacls are
351 not implemented in Samba at the moment.*/
352
353 the_acl = parent_ctr->dacl;
354
355 if (!(new_ace_list = talloc(ctx, sizeof(SEC_ACE) * the_acl->num_aces)))
356 return NULL;
357
358 for (i = 0; the_acl && i < the_acl->num_aces; i++) {
359 SEC_ACE *ace = &the_acl->ace[i];
360 SEC_ACE *new_ace = &new_ace_list[new_ace_list_ndx];
361 uint8 new_flags = 0;
362 BOOL inherit = False;
363 fstring sid_str;
364
365 /* The OBJECT_INHERIT_ACE flag causes the ACE to be
366 inherited by non-container children objects. Container
367 children objects will inherit it as an INHERIT_ONLY
368 ACE. */
369
370 if (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT) {
371
372 if (!child_container) {
373 new_flags |= SEC_ACE_FLAG_OBJECT_INHERIT;
374 } else {
375 new_flags |= SEC_ACE_FLAG_INHERIT_ONLY;
376 }
377
378 inherit = True;
379 }
380
381 /* The CONAINER_INHERIT_ACE flag means all child container
382 objects will inherit and use the ACE. */
383
384 if (ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) {
385 if (!child_container) {
386 inherit = False;
387 } else {
388 new_flags |= SEC_ACE_FLAG_CONTAINER_INHERIT;
389 }
390 }
391
392 /* The INHERIT_ONLY_ACE is not used by the se_access_check()
393 function for the parent container, but is inherited by
394 all child objects as a normal ACE. */
395
396 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
397 /* Move along, nothing to see here */
398 }
399
400 /* The SEC_ACE_FLAG_NO_PROPAGATE_INHERIT flag means the ACE
401 is inherited by child objects but not grandchildren
402 objects. We clear the object inherit and container
403 inherit flags in the inherited ACE. */
404
405 if (ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
406 new_flags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT |
407 SEC_ACE_FLAG_CONTAINER_INHERIT);
408 }
409
410 /* Add ACE to ACE list */
411
412 if (!inherit)
413 continue;
414
415 init_sec_access(&new_ace->info, ace->info.mask);
416 init_sec_ace(new_ace, &ace->trustee, ace->type,
417 new_ace->info, new_flags);
418
419 sid_to_string(sid_str, &ace->trustee);
420
421 DEBUG(5, ("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x "
422 " inherited as %s:%d/0x%02x/0x%08x\n", sid_str,
423 ace->type, ace->flags, ace->info.mask,
424 sid_str, new_ace->type, new_ace->flags,
425 new_ace->info.mask));
426
427 new_ace_list_ndx++;
428 }
429
430 /* Create child security descriptor to return */
431
432 new_dacl = make_sec_acl(ctx, ACL_REVISION, new_ace_list_ndx, new_ace_list);
433
434 /* Use the existing user and group sids. I don't think this is
435 correct. Perhaps the user and group should be passed in as
436 parameters by the caller? */
437
438 sd = make_sec_desc(ctx, SEC_DESC_REVISION,
439 parent_ctr->owner_sid,
440 parent_ctr->grp_sid,
441 parent_ctr->sacl,
442 new_dacl, &size);
443
444 sdb = make_sec_desc_buf(ctx, size, sd);
445
446 return sdb;
447 }
Samba GIT mirror