2 * Unix SMB/CIFS implementation.
3 * Group Policy Object Support
4 * Copyright (C) Guenther Deschner 2007
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
21 #include "libcli/security/security.h"
22 #include "../libgpo/gpo.h"
24 #include "../librpc/ndr/libndr.h"
26 /****************************************************************
27 ****************************************************************/
29 static bool gpo_sd_check_agp_object_guid(const struct security_ace_object
*object
)
31 struct GUID ext_right_apg_guid
;
38 status
= GUID_from_string(ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY
,
40 if (!NT_STATUS_IS_OK(status
)) {
44 switch (object
->flags
) {
45 case SEC_ACE_OBJECT_TYPE_PRESENT
:
46 if (GUID_equal(&object
->type
.type
,
47 &ext_right_apg_guid
)) {
50 case SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
:
51 if (GUID_equal(&object
->inherited_type
.inherited_type
,
52 &ext_right_apg_guid
)) {
62 /****************************************************************
63 ****************************************************************/
65 static bool gpo_sd_check_agp_object(const struct security_ace
*ace
)
67 if (!sec_ace_object(ace
->type
)) {
71 return gpo_sd_check_agp_object_guid(&ace
->object
.object
);
74 /****************************************************************
75 ****************************************************************/
77 static bool gpo_sd_check_agp_access_bits(uint32_t access_mask
)
79 return (access_mask
& SEC_ADS_CONTROL_ACCESS
);
83 /****************************************************************
84 ****************************************************************/
86 static bool gpo_sd_check_read_access_bits(uint32_t access_mask
)
88 uint32_t read_bits
= SEC_RIGHTS_LIST_CONTENTS
|
89 SEC_RIGHTS_READ_ALL_PROP
|
90 SEC_RIGHTS_READ_PERMS
;
92 return (read_bits
== (access_mask
& read_bits
));
96 /****************************************************************
97 ****************************************************************/
99 static NTSTATUS
gpo_sd_check_ace_denied_object(const struct security_ace
*ace
,
100 const struct security_token
*token
)
104 if (gpo_sd_check_agp_object(ace
) &&
105 gpo_sd_check_agp_access_bits(ace
->access_mask
) &&
106 nt_token_check_sid(&ace
->trustee
, token
)) {
107 sid_str
= dom_sid_string(NULL
, &ace
->trustee
);
108 DEBUG(10,("gpo_sd_check_ace_denied_object: "
109 "Access denied as of ace for %s\n",
111 talloc_free(sid_str
);
112 return NT_STATUS_ACCESS_DENIED
;
115 return STATUS_MORE_ENTRIES
;
118 /****************************************************************
119 ****************************************************************/
121 static NTSTATUS
gpo_sd_check_ace_allowed_object(const struct security_ace
*ace
,
122 const struct security_token
*token
)
126 if (gpo_sd_check_agp_object(ace
) &&
127 gpo_sd_check_agp_access_bits(ace
->access_mask
) &&
128 nt_token_check_sid(&ace
->trustee
, token
)) {
129 sid_str
= dom_sid_string(NULL
, &ace
->trustee
);
130 DEBUG(10,("gpo_sd_check_ace_allowed_object: "
131 "Access granted as of ace for %s\n",
133 talloc_free(sid_str
);
138 return STATUS_MORE_ENTRIES
;
141 /****************************************************************
142 ****************************************************************/
144 static NTSTATUS
gpo_sd_check_ace(const struct security_ace
*ace
,
145 const struct security_token
*token
)
148 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
:
149 return gpo_sd_check_ace_denied_object(ace
, token
);
150 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
:
151 return gpo_sd_check_ace_allowed_object(ace
, token
);
153 return STATUS_MORE_ENTRIES
;
157 /****************************************************************
158 ****************************************************************/
160 NTSTATUS
gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT
*gpo
,
161 const struct security_token
*token
)
163 struct security_descriptor
*sd
= gpo
->security_descriptor
;
164 struct security_acl
*dacl
= NULL
;
165 NTSTATUS status
= NT_STATUS_ACCESS_DENIED
;
169 return NT_STATUS_INVALID_USER_BUFFER
;
173 return NT_STATUS_INVALID_SECURITY_DESCR
;
178 return NT_STATUS_INVALID_SECURITY_DESCR
;
181 /* check all aces and only return NT_STATUS_OK (== Access granted) or
182 * NT_STATUS_ACCESS_DENIED ( == Access denied) - the default is to
185 for (i
= 0; i
< dacl
->num_aces
; i
++) {
187 status
= gpo_sd_check_ace(&dacl
->aces
[i
], token
);
189 if (NT_STATUS_EQUAL(status
, NT_STATUS_ACCESS_DENIED
)) {
191 } else if (NT_STATUS_IS_OK(status
)) {
198 return NT_STATUS_ACCESS_DENIED
;