search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
this now works as a add|delete share command :-)
[Samba.git] / source / lib / util_seaccess.c
blob8b75a5f48769b4c80bead677de4b4fb926ad2ca6
1 /*
2 Unix SMB/Netbios implementation.
3 Version 2.0
4 Copyright (C) Luke Kenneth Casson Leighton 1996-2000.
5 Copyright (C) Tim Potter 2000.
6 Copyright (C) Re-written by Jeremy Allison 2000.
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 */
22
23 #include "includes.h"
24 #include "nterr.h"
25 #include "sids.h"
26
27 extern int DEBUGLEVEL;
28
29 /**********************************************************************************
30 Check if this ACE has a SID in common with the token.
31 **********************************************************************************/
32
33 static BOOL token_sid_in_ace( NT_USER_TOKEN *token, SEC_ACE *ace)
34 {
35 size_t i;
36
37 for (i = 0; i < token->num_sids; i++) {
38 if (sid_equal(&ace->sid, &token->user_sids[i]))
39 return True;
40 }
41
42 return False;
43 }
44
45 /*********************************************************************************
46 Check an ACE against a SID. We return the remaining needed permission
47 bits not yet granted. Zero means permission allowed (no more needed bits).
48 **********************************************************************************/
49
50 static uint32 check_ace(SEC_ACE *ace, NT_USER_TOKEN *token, uint32 acc_desired, uint32 *status)
51 {
52 uint32 mask = ace->info.mask;
53
54 /*
55 * Inherit only is ignored.
56 */
57
58 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
59 return acc_desired;
60 }
61
62 /*
63 * If this ACE has no SID in common with the token,
64 * ignore it as it cannot be used to make an access
65 * determination.
66 */
67
68 if (!token_sid_in_ace( token, ace))
69 return acc_desired;
70
71 switch (ace->type) {
72 case SEC_ACE_TYPE_ACCESS_ALLOWED:
73 /*
74 * This is explicitly allowed.
75 * Remove the bits from the remaining
76 * access required. Return the remaining
77 * bits needed.
78 */
79 acc_desired &= ~mask;
80 break;
81 case SEC_ACE_TYPE_ACCESS_DENIED:
82 /*
83 * This is explicitly denied.
84 * If any bits match terminate here,
85 * we are denied.
86 */
87 if (acc_desired & mask) {
88 *status = NT_STATUS_ACCESS_DENIED;
89 return 0xFFFFFFFF;
90 }
91 break;
92 case SEC_ACE_TYPE_SYSTEM_ALARM:
93 case SEC_ACE_TYPE_SYSTEM_AUDIT:
94 *status = NT_STATUS_NOT_IMPLEMENTED;
95 return 0xFFFFFFFF;
96 default:
97 *status = NT_STATUS_INVALID_PARAMETER;
98 return 0xFFFFFFFF;
99 }
100
101 return acc_desired;
102 }
103
104 /*********************************************************************************
105 Maximum access was requested. Calculate the max possible. Fail if it doesn't
106 include other bits requested.
107 **********************************************************************************/
108
109 static BOOL get_max_access( SEC_ACL *the_acl, NT_USER_TOKEN *token, uint32 *granted, uint32 desired, uint32 *status)
110 {
111 uint32 acc_denied = 0;
112 uint32 acc_granted = 0;
113 size_t i;
114
115 for ( i = 0 ; i < the_acl->num_aces; i++) {
116 SEC_ACE *ace = &the_acl->ace[i];
117 uint32 mask = ace->info.mask;
118
119 if (!token_sid_in_ace( token, ace))
120 continue;
121
122 switch (ace->type) {
123 case SEC_ACE_TYPE_ACCESS_ALLOWED:
124 acc_granted |= (mask & ~acc_denied);
125 break;
126 case SEC_ACE_TYPE_ACCESS_DENIED:
127 acc_denied |= (mask & ~acc_granted);
128 break;
129 case SEC_ACE_TYPE_SYSTEM_ALARM:
130 case SEC_ACE_TYPE_SYSTEM_AUDIT:
131 *status = NT_STATUS_NOT_IMPLEMENTED;
132 *granted = 0;
133 return False;
134 default:
135 *status = NT_STATUS_INVALID_PARAMETER;
136 *granted = 0;
137 return False;
138 }
139 }
140
141 /*
142 * If we were granted no access, or we desired bits that we
143 * didn't get, then deny.
144 */
145
146 if ((acc_granted == 0) || ((acc_granted & desired) != desired)) {
147 *status = NT_STATUS_ACCESS_DENIED;
148 *granted = 0;
149 return False;
150 }
151
152 /*
153 * Return the access we did get.
154 */
155
156 *granted = acc_granted;
157 *status = NT_STATUS_NOPROBLEMO;
158 return True;
159 }
160
161 /* Map generic access rights to object specific rights. This technique is
162 used to give meaning to assigning read, write, execute and all access to
163 objects. Each type of object has its own mapping of generic to object
164 specific access rights. */
165
166 void se_map_generic(uint32 *access_mask, struct generic_mapping *mapping)
167 {
168 uint32 old_mask = *access_mask;
169
170 if (*access_mask & GENERIC_READ_ACCESS) {
171 *access_mask &= ~GENERIC_READ_ACCESS;
172 *access_mask |= mapping->generic_read;
173 }
174
175 if (*access_mask & GENERIC_WRITE_ACCESS) {
176 *access_mask &= ~GENERIC_WRITE_ACCESS;
177 *access_mask |= mapping->generic_write;
178 }
179
180 if (*access_mask & GENERIC_EXECUTE_ACCESS) {
181 *access_mask &= ~GENERIC_EXECUTE_ACCESS;
182 *access_mask |= mapping->generic_execute;
183 }
184
185 if (*access_mask & GENERIC_ALL_ACCESS) {
186 *access_mask &= ~GENERIC_ALL_ACCESS;
187 *access_mask |= mapping->generic_all;
188 }
189
190 if (old_mask != *access_mask) {
191 DEBUG(10, ("se_map_generic(): mapped mask 0x%08x to 0x%08x\n",
192 old_mask, *access_mask));
193 }
194 }
195
196 /*****************************************************************************
197 Check access rights of a user against a security descriptor. Look at
198 each ACE in the security descriptor until an access denied ACE denies
199 any of the desired rights to the user or any of the users groups, or one
200 or more ACEs explicitly grant all requested access rights. See
201 "Access-Checking" document in MSDN.
202 *****************************************************************************/
203
204 BOOL se_access_check(SEC_DESC *sd, struct current_user *user,
205 uint32 acc_desired, uint32 *acc_granted, uint32 *status)
206 {
207 extern NT_USER_TOKEN anonymous_token;
208 size_t i;
209 SEC_ACL *the_acl;
210 fstring sid_str;
211 NT_USER_TOKEN *token = user->nt_user_token ? user->nt_user_token : &anonymous_token;
212 uint32 tmp_acc_desired = acc_desired;
213
214 if (!status || !acc_granted)
215 return False;
216
217 *status = NT_STATUS_NOPROBLEMO;
218 *acc_granted = 0;
219
220 DEBUG(10,("se_access_check: requested access %x, for uid %u\n",
221 (unsigned int)acc_desired, (unsigned int)user->uid ));
222
223 /*
224 * No security descriptor or security descriptor with no DACL
225 * present allows all access.
226 */
227
228 /* ACL must have something in it */
229
230 if (!sd || (sd && (!(sd->type & SEC_DESC_DACL_PRESENT) || sd->dacl == NULL))) {
231 *status = NT_STATUS_NOPROBLEMO;
232 *acc_granted = acc_desired;
233 DEBUG(5, ("se_access_check: no sd or blank DACL, access allowed\n"));
234 return True;
235 }
236
237 /* The user sid is the first in the token */
238
239 DEBUG(3, ("se_access_check: user sid is %s\n", sid_to_string(sid_str, &token->user_sids[0]) ));
240
241 for (i = 1; i < token->num_sids; i++) {
242 DEBUG(3, ("se_access_check: also %s\n",
243 sid_to_string(sid_str, &token->user_sids[i])));
244 }
245
246 /* Is the token the owner of the SID ? */
247
248 if (sd->owner_sid) {
249 for (i = 0; i < token->num_sids; i++) {
250 if (sid_equal(&token->user_sids[i], sd->owner_sid)) {
251 /*
252 * The owner always has SEC_RIGHTS_WRITE_DAC & READ_CONTROL.
253 */
254 if (tmp_acc_desired & WRITE_DAC_ACCESS)
255 tmp_acc_desired &= ~WRITE_DAC_ACCESS;
256 if (tmp_acc_desired & READ_CONTROL_ACCESS)
257 tmp_acc_desired &= ~READ_CONTROL_ACCESS;
258 }
259 }
260 }
261
262 the_acl = sd->dacl;
263
264 if (tmp_acc_desired & MAXIMUM_ALLOWED_ACCESS) {
265 tmp_acc_desired &= ~MAXIMUM_ALLOWED_ACCESS;
266 return get_max_access( the_acl, token, acc_granted, tmp_acc_desired, status);
267 }
268
269 for ( i = 0 ; i < the_acl->num_aces && tmp_acc_desired != 0; i++) {
270 SEC_ACE *ace = &the_acl->ace[i];
271
272 DEBUG(10,("se_access_check: ACE %u: type %d, flags = 0x%02x, SID = %s mask = %x, current desired = %x\n",
273 (unsigned int)i, ace->type, ace->flags,
274 sid_to_string(sid_str, &ace->sid),
275 (unsigned int) ace->info.mask,
276 (unsigned int)tmp_acc_desired ));
277
278 tmp_acc_desired = check_ace( ace, token, tmp_acc_desired, status);
279 if (*status != NT_STATUS_NOPROBLEMO) {
280 *acc_granted = 0;
281 DEBUG(5,("se_access_check: ACE %u denied with status %x.\n", (unsigned int)i, (unsigned int)*status ));
282 return False;
283 }
284 }
285
286 /*
287 * If there are no more desired permissions left then
288 * access was allowed.
289 */
290
291 if (tmp_acc_desired == 0) {
292 *acc_granted = acc_desired;
293 *status = NT_STATUS_NOPROBLEMO;
294 DEBUG(5,("se_access_check: access (%x) granted.\n", (unsigned int)acc_desired ));
295 return True;
296 }
297
298 *acc_granted = 0;
299 *status = NT_STATUS_ACCESS_DENIED;
300 DEBUG(5,("se_access_check: access (%x) denied.\n", (unsigned int)acc_desired ));
301 return False;
302 }
303
304 /* Create a child security descriptor using another security descriptor as
305 the parent container. This child object can either be a container or
306 non-container object. */
307
308 SEC_DESC_BUF *se_create_child_secdesc(TALLOC_CTX *ctx, SEC_DESC *parent_ctr,
309 BOOL child_container)
310 {
311 SEC_DESC_BUF *sdb;
312 SEC_DESC *sd;
313 SEC_ACL *new_dacl, *the_acl;
314 SEC_ACE *new_ace_list = NULL;
315 int new_ace_list_ndx = 0, i;
316 size_t size;
317
318 /* Currently we only process the dacl when creating the child. The
319 sacl should also be processed but this is left out as sacls are
320 not implemented in Samba at the moment.*/
321
322 the_acl = parent_ctr->dacl;
323
324 if (!(new_ace_list = talloc(ctx, sizeof(SEC_ACE) * the_acl->num_aces)))
325 return NULL;
326
327 for (i = 0; the_acl && i < the_acl->num_aces; i++) {
328 SEC_ACE *ace = &the_acl->ace[i];
329 SEC_ACE *new_ace = &new_ace_list[new_ace_list_ndx];
330 uint8 new_flags = 0;
331 BOOL inherit = False;
332 fstring sid_str;
333
334 /* The OBJECT_INHERIT_ACE flag causes the ACE to be
335 inherited by non-container children objects. Container
336 children objects will inherit it as an INHERIT_ONLY
337 ACE. */
338
339 if (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT) {
340
341 if (!child_container) {
342 new_flags |= SEC_ACE_FLAG_OBJECT_INHERIT;
343 } else {
344 new_flags |= SEC_ACE_FLAG_INHERIT_ONLY;
345 }
346
347 inherit = True;
348 }
349
350 /* The CONAINER_INHERIT_ACE flag means all child container
351 objects will inherit and use the ACE. */
352
353 if (ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) {
354 if (!child_container) {
355 inherit = False;
356 } else {
357 new_flags |= SEC_ACE_FLAG_CONTAINER_INHERIT;
358 }
359 }
360
361 /* The INHERIT_ONLY_ACE is not used by the se_access_check()
362 function for the parent container, but is inherited by
363 all child objects as a normal ACE. */
364
365 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
366 /* Move along, nothing to see here */
367 }
368
369 /* The SEC_ACE_FLAG_NO_PROPAGATE_INHERIT flag means the ACE
370 is inherited by child objects but not grandchildren
371 objects. We clear the object inherit and container
372 inherit flags in the inherited ACE. */
373
374 if (ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
375 new_flags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT |
376 SEC_ACE_FLAG_CONTAINER_INHERIT);
377 }
378
379 /* Add ACE to ACE list */
380
381 if (!inherit)
382 continue;
383
384 init_sec_access(&new_ace->info, ace->info.mask);
385 init_sec_ace(new_ace, &ace->sid, ace->type,
386 new_ace->info, new_flags);
387
388 sid_to_string(sid_str, &ace->sid);
389
390 DEBUG(5, ("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x "
391 " inherited as %s:%d/0x%02x/0x%08x\n", sid_str,
392 ace->type, ace->flags, ace->info.mask,
393 sid_str, new_ace->type, new_ace->flags,
394 new_ace->info.mask));
395
396 new_ace_list_ndx++;
397 }
398
399 /* Create child security descriptor to return */
400
401 new_dacl = make_sec_acl(ctx, ACL_REVISION, new_ace_list_ndx, new_ace_list);
402
403 /* Use the existing user and group sids. I don't think this is
404 correct. Perhaps the user and group should be passed in as
405 parameters by the caller? */
406
407 sd = make_sec_desc(ctx, SEC_DESC_REVISION,
408 parent_ctr->owner_sid,
409 parent_ctr->grp_sid,
410 parent_ctr->sacl,
411 new_dacl, &size);
412
413 sdb = make_sec_desc_buf(ctx, size, sd);
414
415 return sdb;
416 }
Samba GIT mirror