search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
provision: Add support for BIND 9.16.x
[Samba.git] / libcli / security / access_check.c
blob322f4fdb0c64d572d76b667c632e9421428e797b
1 /*
2 Unix SMB/CIFS implementation.
3
4 Copyright (C) Andrew Tridgell 2004
5 Copyright (C) Gerald Carter 2005
6 Copyright (C) Volker Lendecke 2007
7 Copyright (C) Jeremy Allison 2008
8 Copyright (C) Andrew Bartlett 2010
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "libcli/security/security.h"
26
27 /* Map generic access rights to object specific rights. This technique is
28 used to give meaning to assigning read, write, execute and all access to
29 objects. Each type of object has its own mapping of generic to object
30 specific access rights. */
31
32 void se_map_generic(uint32_t *access_mask, const struct generic_mapping *mapping)
33 {
34 uint32_t old_mask = *access_mask;
35
36 if (*access_mask & GENERIC_READ_ACCESS) {
37 *access_mask &= ~GENERIC_READ_ACCESS;
38 *access_mask |= mapping->generic_read;
39 }
40
41 if (*access_mask & GENERIC_WRITE_ACCESS) {
42 *access_mask &= ~GENERIC_WRITE_ACCESS;
43 *access_mask |= mapping->generic_write;
44 }
45
46 if (*access_mask & GENERIC_EXECUTE_ACCESS) {
47 *access_mask &= ~GENERIC_EXECUTE_ACCESS;
48 *access_mask |= mapping->generic_execute;
49 }
50
51 if (*access_mask & GENERIC_ALL_ACCESS) {
52 *access_mask &= ~GENERIC_ALL_ACCESS;
53 *access_mask |= mapping->generic_all;
54 }
55
56 if (old_mask != *access_mask) {
57 DEBUG(10, ("se_map_generic(): mapped mask 0x%08x to 0x%08x\n",
58 old_mask, *access_mask));
59 }
60 }
61
62 /* Map generic access rights to object specific rights for all the ACE's
63 * in a security_acl.
64 */
65
66 void security_acl_map_generic(struct security_acl *sa,
67 const struct generic_mapping *mapping)
68 {
69 unsigned int i;
70
71 if (!sa) {
72 return;
73 }
74
75 for (i = 0; i < sa->num_aces; i++) {
76 se_map_generic(&sa->aces[i].access_mask, mapping);
77 }
78 }
79
80 /* Map standard access rights to object specific rights. This technique is
81 used to give meaning to assigning read, write, execute and all access to
82 objects. Each type of object has its own mapping of standard to object
83 specific access rights. */
84
85 void se_map_standard(uint32_t *access_mask, const struct standard_mapping *mapping)
86 {
87 uint32_t old_mask = *access_mask;
88
89 if (*access_mask & SEC_STD_READ_CONTROL) {
90 *access_mask &= ~SEC_STD_READ_CONTROL;
91 *access_mask |= mapping->std_read;
92 }
93
94 if (*access_mask & (SEC_STD_DELETE|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE)) {
95 *access_mask &= ~(SEC_STD_DELETE|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE);
96 *access_mask |= mapping->std_all;
97 }
98
99 if (old_mask != *access_mask) {
100 DEBUG(10, ("se_map_standard(): mapped mask 0x%08x to 0x%08x\n",
101 old_mask, *access_mask));
102 }
103 }
104
105 /*
106 perform a SEC_FLAG_MAXIMUM_ALLOWED access check
107 */
108 static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
109 const struct security_token *token)
110 {
111 uint32_t denied = 0, granted = 0;
112 bool am_owner = false;
113 bool have_owner_rights_ace = false;
114 unsigned i;
115
116 if (sd->dacl == NULL) {
117 if (security_token_has_sid(token, sd->owner_sid)) {
118 granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;
119 }
120 return granted;
121 }
122
123 if (security_token_has_sid(token, sd->owner_sid)) {
124 /*
125 * Check for explicit owner rights: if there are none, we remove
126 * the default owner right SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL
127 * from remaining_access. Otherwise we just process the
128 * explicitly granted rights when processing the ACEs.
129 */
130 am_owner = true;
131
132 for (i=0; i < sd->dacl->num_aces; i++) {
133 struct security_ace *ace = &sd->dacl->aces[i];
134
135 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
136 continue;
137 }
138
139 have_owner_rights_ace = dom_sid_equal(
140 &ace->trustee, &global_sid_Owner_Rights);
141 if (have_owner_rights_ace) {
142 break;
143 }
144 }
145 }
146
147 if (am_owner && !have_owner_rights_ace) {
148 granted |= SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL;
149 }
150
151 for (i = 0;i<sd->dacl->num_aces; i++) {
152 struct security_ace *ace = &sd->dacl->aces[i];
153 bool is_owner_rights_ace = false;
154
155 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
156 continue;
157 }
158
159 if (am_owner) {
160 is_owner_rights_ace = dom_sid_equal(
161 &ace->trustee, &global_sid_Owner_Rights);
162 }
163
164 if (!is_owner_rights_ace &&
165 !security_token_has_sid(token, &ace->trustee))
166 {
167 continue;
168 }
169
170 switch (ace->type) {
171 case SEC_ACE_TYPE_ACCESS_ALLOWED:
172 granted |= ace->access_mask;
173 break;
174 case SEC_ACE_TYPE_ACCESS_DENIED:
175 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
176 denied |= ~granted & ace->access_mask;
177 break;
178 default: /* Other ACE types not handled/supported */
179 break;
180 }
181 }
182
183 return granted & ~denied;
184 }
185
186 /*
187 The main entry point for access checking. If returning ACCESS_DENIED
188 this function returns the denied bits in the uint32_t pointed
189 to by the access_granted pointer.
190 */
191 NTSTATUS se_access_check(const struct security_descriptor *sd,
192 const struct security_token *token,
193 uint32_t access_desired,
194 uint32_t *access_granted)
195 {
196 uint32_t i;
197 uint32_t bits_remaining;
198 uint32_t explicitly_denied_bits = 0;
199 bool am_owner = false;
200 bool have_owner_rights_ace = false;
201
202 *access_granted = access_desired;
203 bits_remaining = access_desired;
204
205 /* handle the maximum allowed flag */
206 if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
207 uint32_t orig_access_desired = access_desired;
208
209 access_desired |= access_check_max_allowed(sd, token);
210 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
211 *access_granted = access_desired;
212 bits_remaining = access_desired;
213
214 DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n",
215 orig_access_desired,
216 *access_granted,
217 bits_remaining));
218 }
219
220 /* a NULL dacl allows access */
221 if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
222 *access_granted = access_desired;
223 return NT_STATUS_OK;
224 }
225
226 if (sd->dacl == NULL) {
227 goto done;
228 }
229
230 if (security_token_has_sid(token, sd->owner_sid)) {
231 /*
232 * Check for explicit owner rights: if there are none, we remove
233 * the default owner right SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL
234 * from remaining_access. Otherwise we just process the
235 * explicitly granted rights when processing the ACEs.
236 */
237 am_owner = true;
238
239 for (i=0; i < sd->dacl->num_aces; i++) {
240 struct security_ace *ace = &sd->dacl->aces[i];
241
242 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
243 continue;
244 }
245
246 have_owner_rights_ace = dom_sid_equal(
247 &ace->trustee, &global_sid_Owner_Rights);
248 if (have_owner_rights_ace) {
249 break;
250 }
251 }
252 }
253 if (am_owner && !have_owner_rights_ace) {
254 bits_remaining &= ~(SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL);
255 }
256
257 /* check each ace in turn. */
258 for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
259 struct security_ace *ace = &sd->dacl->aces[i];
260 bool is_owner_rights_ace = false;
261
262 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
263 continue;
264 }
265
266 if (am_owner) {
267 is_owner_rights_ace = dom_sid_equal(
268 &ace->trustee, &global_sid_Owner_Rights);
269 }
270
271 if (!is_owner_rights_ace &&
272 !security_token_has_sid(token, &ace->trustee))
273 {
274 continue;
275 }
276
277 switch (ace->type) {
278 case SEC_ACE_TYPE_ACCESS_ALLOWED:
279 bits_remaining &= ~ace->access_mask;
280 break;
281 case SEC_ACE_TYPE_ACCESS_DENIED:
282 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
283 explicitly_denied_bits |= (bits_remaining & ace->access_mask);
284 break;
285 default: /* Other ACE types not handled/supported */
286 break;
287 }
288 }
289
290 /* Explicitly denied bits always override */
291 bits_remaining |= explicitly_denied_bits;
292
293 /*
294 * We check privileges here because they override even DENY entries.
295 */
296
297 /* Does the user have the privilege to gain SEC_PRIV_SECURITY? */
298 if (bits_remaining & SEC_FLAG_SYSTEM_SECURITY) {
299 if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
300 bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
301 } else {
302 return NT_STATUS_PRIVILEGE_NOT_HELD;
303 }
304 }
305
306 if ((bits_remaining & SEC_STD_WRITE_OWNER) &&
307 security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
308 bits_remaining &= ~(SEC_STD_WRITE_OWNER);
309 }
310
311 done:
312 if (bits_remaining != 0) {
313 *access_granted = bits_remaining;
314 return NT_STATUS_ACCESS_DENIED;
315 }
316
317 return NT_STATUS_OK;
318 }
319
320 /*
321 The main entry point for access checking FOR THE FILE SERVER ONLY !
322 If returning ACCESS_DENIED this function returns the denied bits in
323 the uint32_t pointed to by the access_granted pointer.
324 */
325 NTSTATUS se_file_access_check(const struct security_descriptor *sd,
326 const struct security_token *token,
327 bool priv_open_requested,
328 uint32_t access_desired,
329 uint32_t *access_granted)
330 {
331 uint32_t bits_remaining;
332 NTSTATUS status;
333
334 if (!priv_open_requested) {
335 /* Fall back to generic se_access_check(). */
336 return se_access_check(sd,
337 token,
338 access_desired,
339 access_granted);
340 }
341
342 /*
343 * We need to handle the maximum allowed flag
344 * outside of se_access_check(), as we need to
345 * add in the access allowed by the privileges
346 * as well.
347 */
348
349 if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
350 uint32_t orig_access_desired = access_desired;
351
352 access_desired |= access_check_max_allowed(sd, token);
353 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
354
355 if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
356 access_desired |= SEC_RIGHTS_PRIV_BACKUP;
357 }
358
359 if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
360 access_desired |= SEC_RIGHTS_PRIV_RESTORE;
361 }
362
363 DEBUG(10,("se_file_access_check: MAX desired = 0x%x "
364 "mapped to 0x%x\n",
365 orig_access_desired,
366 access_desired));
367 }
368
369 status = se_access_check(sd,
370 token,
371 access_desired,
372 access_granted);
373
374 if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
375 return status;
376 }
377
378 bits_remaining = *access_granted;
379
380 /* Check if we should override with privileges. */
381 if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
382 security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
383 bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
384 }
385 if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
386 security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
387 bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
388 }
389 if (bits_remaining != 0) {
390 *access_granted = bits_remaining;
391 return NT_STATUS_ACCESS_DENIED;
392 }
393
394 return NT_STATUS_OK;
395 }
396
397 static const struct GUID *get_ace_object_type(struct security_ace *ace)
398 {
399 if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
400 return &ace->object.object.type.type;
401 }
402
403 return NULL;
404 }
405
406 /**
407 * Evaluates access rights specified in a object-specific ACE for an AD object.
408 * This logic corresponds to MS-ADTS 5.1.3.3.3 Checking Object-Specific Access.
409 * @param[in] ace - the ACE being processed
410 * @param[in/out] tree - remaining_access gets updated for the tree
411 * @param[out] grant_access - set to true if the ACE grants sufficient access
412 * rights to the object/attribute
413 * @returns NT_STATUS_OK, unless access was denied
414 */
415 static NTSTATUS check_object_specific_access(struct security_ace *ace,
416 struct object_tree *tree,
417 bool *grant_access)
418 {
419 struct object_tree *node = NULL;
420 const struct GUID *type = NULL;
421
422 *grant_access = false;
423
424 /* if no tree was supplied, we can't do object-specific access checks */
425 if (!tree) {
426 return NT_STATUS_OK;
427 }
428
429 /* Get the ObjectType GUID this ACE applies to */
430 type = get_ace_object_type(ace);
431
432 /*
433 * If the ACE doesn't have a type, then apply it to the whole tree, i.e.
434 * treat 'OA' ACEs as 'A' and 'OD' as 'D'
435 */
436 if (!type) {
437 node = tree;
438 } else {
439
440 /* skip it if the ACE's ObjectType GUID is not in the tree */
441 node = get_object_tree_by_GUID(tree, type);
442 if (!node) {
443 return NT_STATUS_OK;
444 }
445 }
446
447 if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
448
449 /* apply the access rights to this node, and any children */
450 object_tree_modify_access(node, ace->access_mask);
451
452 /*
453 * Currently all nodes in the tree request the same access mask,
454 * so we can use any node to check if processing this ACE now
455 * means the requested access has been granted
456 */
457 if (node->remaining_access == 0) {
458 *grant_access = true;
459 return NT_STATUS_OK;
460 }
461
462 /*
463 * As per 5.1.3.3.4 Checking Control Access Right-Based Access,
464 * if the CONTROL_ACCESS right is present, then we can grant
465 * access and stop any further access checks
466 */
467 if (ace->access_mask & SEC_ADS_CONTROL_ACCESS) {
468 *grant_access = true;
469 return NT_STATUS_OK;
470 }
471 } else {
472
473 /* this ACE denies access to the requested object/attribute */
474 if (node->remaining_access & ace->access_mask){
475 return NT_STATUS_ACCESS_DENIED;
476 }
477 }
478 return NT_STATUS_OK;
479 }
480
481 /**
482 * @brief Perform directoryservice (DS) related access checks for a given user
483 *
484 * Perform DS access checks for the user represented by its security_token, on
485 * the provided security descriptor. If an tree associating GUID and access
486 * required is provided then object access (OA) are checked as well. *
487 * @param[in] sd The security descritor against which the required
488 * access are requested
489 *
490 * @param[in] token The security_token associated with the user to
491 * test
492 *
493 * @param[in] access_desired A bitfield of rights that must be granted for the
494 * given user in the specified SD.
495 *
496 * If one
497 * of the entry in the tree grants all the requested rights for the given GUID
498 * FIXME
499 * tree can be null if not null it's the
500 * Lots of code duplication, it will ve united in just one
501 * function eventually */
502
503 NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
504 const struct security_token *token,
505 uint32_t access_desired,
506 uint32_t *access_granted,
507 struct object_tree *tree,
508 struct dom_sid *replace_sid)
509 {
510 uint32_t i;
511 uint32_t bits_remaining;
512 struct dom_sid self_sid;
513
514 dom_sid_parse(SID_NT_SELF, &self_sid);
515
516 *access_granted = access_desired;
517 bits_remaining = access_desired;
518
519 /* handle the maximum allowed flag */
520 if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
521 access_desired |= access_check_max_allowed(sd, token);
522 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
523 *access_granted = access_desired;
524 bits_remaining = access_desired;
525 }
526
527 if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
528 if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
529 bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
530 } else {
531 return NT_STATUS_PRIVILEGE_NOT_HELD;
532 }
533 }
534
535 /* the owner always gets SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL */
536 if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL)) &&
537 security_token_has_sid(token, sd->owner_sid)) {
538 bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL);
539 }
540
541 /* SEC_PRIV_TAKE_OWNERSHIP grants SEC_STD_WRITE_OWNER */
542 if ((bits_remaining & (SEC_STD_WRITE_OWNER)) &&
543 security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
544 bits_remaining &= ~(SEC_STD_WRITE_OWNER);
545 }
546
547 /* a NULL dacl allows access */
548 if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
549 *access_granted = access_desired;
550 return NT_STATUS_OK;
551 }
552
553 if (sd->dacl == NULL) {
554 goto done;
555 }
556
557 /* check each ace in turn. */
558 for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
559 struct dom_sid *trustee;
560 struct security_ace *ace = &sd->dacl->aces[i];
561 NTSTATUS status;
562 bool grant_access = false;
563
564 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
565 continue;
566 }
567
568 if (dom_sid_equal(&ace->trustee, &self_sid) && replace_sid) {
569 trustee = replace_sid;
570 } else {
571 trustee = &ace->trustee;
572 }
573
574 if (!security_token_has_sid(token, trustee)) {
575 continue;
576 }
577
578 switch (ace->type) {
579 case SEC_ACE_TYPE_ACCESS_ALLOWED:
580 if (tree) {
581 object_tree_modify_access(tree, ace->access_mask);
582 }
583
584 bits_remaining &= ~ace->access_mask;
585 break;
586 case SEC_ACE_TYPE_ACCESS_DENIED:
587 if (bits_remaining & ace->access_mask) {
588 return NT_STATUS_ACCESS_DENIED;
589 }
590 break;
591 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
592 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
593 status = check_object_specific_access(ace, tree,
594 &grant_access);
595
596 if (!NT_STATUS_IS_OK(status)) {
597 return status;
598 }
599
600 if (grant_access) {
601 return NT_STATUS_OK;
602 }
603 break;
604 default: /* Other ACE types not handled/supported */
605 break;
606 }
607 }
608
609 done:
610 if (bits_remaining != 0) {
611 return NT_STATUS_ACCESS_DENIED;
612 }
613
614 return NT_STATUS_OK;
615 }
Samba GIT mirror