4 Copyright (C) Nadezhda Ivanova 2010
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 * Component: ldb ACL modules
25 * Description: Some auxiliary functions used for access checking
27 * Author: Nadezhda Ivanova
30 #include "ldb_module.h"
31 #include "auth/auth.h"
32 #include "libcli/security/security.h"
33 #include "dsdb/samdb/samdb.h"
34 #include "librpc/gen_ndr/ndr_security.h"
35 #include "param/param.h"
36 #include "dsdb/samdb/ldb_modules/util.h"
38 struct security_token
*acl_user_token(struct ldb_module
*module
)
40 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
41 struct auth_session_info
*session_info
42 = (struct auth_session_info
*)ldb_get_opaque(
48 return session_info
->security_token
;
51 /* performs an access check from inside the module stack
52 * given the dn of the object to be checked, the required access
53 * guid is either the guid of the extended right, or NULL
56 int dsdb_module_check_access_on_dn(struct ldb_module
*module
,
60 const struct GUID
*guid
,
61 struct ldb_request
*parent
)
64 struct ldb_result
*acl_res
;
65 static const char *acl_attrs
[] = {
66 "nTSecurityDescriptor",
70 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
71 struct auth_session_info
*session_info
72 = (struct auth_session_info
*)ldb_get_opaque(
76 return ldb_operr(ldb
);
78 ret
= dsdb_module_search_dn(module
, mem_ctx
, &acl_res
, dn
,
80 DSDB_FLAG_NEXT_MODULE
|
82 DSDB_SEARCH_SHOW_RECYCLED
,
84 if (ret
!= LDB_SUCCESS
) {
85 ldb_asprintf_errstring(ldb_module_get_ctx(module
),
86 "access_check: failed to find object %s\n",
87 ldb_dn_get_linearized(dn
));
90 return dsdb_check_access_on_dn_internal(ldb
, acl_res
,
92 session_info
->security_token
,
98 int acl_check_access_on_attribute(struct ldb_module
*module
,
100 struct security_descriptor
*sd
,
101 struct dom_sid
*rp_sid
,
102 uint32_t access_mask
,
103 const struct dsdb_attribute
*attr
,
104 const struct dsdb_class
*objectclass
)
108 uint32_t access_granted
;
109 struct object_tree
*root
= NULL
;
110 struct object_tree
*new_node
= NULL
;
111 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
112 struct security_token
*token
= acl_user_token(module
);
114 if (!insert_in_object_tree(tmp_ctx
,
115 &objectclass
->schemaIDGUID
,
118 DEBUG(10, ("acl_search: cannot add to object tree class schemaIDGUID\n"));
123 if (!GUID_all_zero(&attr
->attributeSecurityGUID
)) {
124 if (!insert_in_object_tree(tmp_ctx
,
125 &attr
->attributeSecurityGUID
,
126 access_mask
, new_node
,
128 DEBUG(10, ("acl_search: cannot add to object tree securityGUID\n"));
133 if (!insert_in_object_tree(tmp_ctx
,
135 access_mask
, new_node
,
137 DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
141 status
= sec_access_check_ds(sd
, token
,
146 if (!NT_STATUS_IS_OK(status
)) {
147 ret
= LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS
;
152 talloc_free(tmp_ctx
);
155 talloc_free(tmp_ctx
);
156 return ldb_operr(ldb_module_get_ctx(module
));
159 int acl_check_access_on_objectclass(struct ldb_module
*module
,
161 struct security_descriptor
*sd
,
162 struct dom_sid
*rp_sid
,
163 uint32_t access_mask
,
164 const struct dsdb_class
*objectclass
)
168 uint32_t access_granted
;
169 struct object_tree
*root
= NULL
;
170 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
171 struct security_token
*token
= acl_user_token(module
);
173 if (!insert_in_object_tree(tmp_ctx
,
174 &objectclass
->schemaIDGUID
,
177 DEBUG(10, ("acl_search: cannot add to object tree class schemaIDGUID\n"));
181 status
= sec_access_check_ds(sd
, token
,
186 if (!NT_STATUS_IS_OK(status
)) {
187 ret
= LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS
;
191 talloc_free(tmp_ctx
);
194 talloc_free(tmp_ctx
);
195 return ldb_operr(ldb_module_get_ctx(module
));
198 /* checks for validated writes */
199 int acl_check_extended_right(TALLOC_CTX
*mem_ctx
,
200 struct ldb_module
*module
,
201 struct ldb_request
*req
,
202 const struct dsdb_class
*objectclass
,
203 struct security_descriptor
*sd
,
204 struct security_token
*token
,
205 const char *ext_right
,
211 uint32_t access_granted
;
212 struct object_tree
*root
= NULL
;
213 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
214 static const char *no_attrs
[] = { NULL
};
215 struct ldb_result
*extended_rights_res
= NULL
;
216 struct ldb_dn
*extended_rights_dn
= NULL
;
217 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
221 * Find the extended right and check if applies to
222 * the objectclass of the object
224 extended_rights_dn
= samdb_extended_rights_dn(ldb
, req
);
225 if (!extended_rights_dn
) {
226 ldb_set_errstring(ldb
,
227 "access_check: CN=Extended-Rights dn could not be generated!");
228 return LDB_ERR_OPERATIONS_ERROR
;
231 /* Note: we are checking only the structural object class. */
232 ret
= dsdb_module_search(module
, req
, &extended_rights_res
,
233 extended_rights_dn
, LDB_SCOPE_ONELEVEL
,
235 DSDB_FLAG_NEXT_MODULE
|
238 "(&(rightsGuid=%s)(appliesTo=%s))",
241 &(objectclass
->schemaIDGUID
)));
243 if (ret
!= LDB_SUCCESS
) {
245 } else if (extended_rights_res
->count
== 0 ) {
246 ldb_debug(ldb
, LDB_DEBUG_TRACE
,
247 "acl_check_extended_right: Could not find appliesTo for %s\n",
249 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS
;
252 GUID_from_string(ext_right
, &right
);
254 if (!insert_in_object_tree(tmp_ctx
, &right
, right_type
,
256 DEBUG(10, ("acl_ext_right: cannot add to object tree\n"));
257 talloc_free(tmp_ctx
);
258 return LDB_ERR_OPERATIONS_ERROR
;
260 status
= sec_access_check_ds(sd
, token
,
266 if (!NT_STATUS_IS_OK(status
)) {
267 talloc_free(tmp_ctx
);
268 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS
;
270 talloc_free(tmp_ctx
);
274 const char *acl_user_name(TALLOC_CTX
*mem_ctx
, struct ldb_module
*module
)
276 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
277 struct auth_session_info
*session_info
278 = (struct auth_session_info
*)ldb_get_opaque(
282 return "UNKNOWN (NULL)";
285 return talloc_asprintf(mem_ctx
, "%s\\%s",
286 session_info
->info
->domain_name
,
287 session_info
->info
->account_name
);
290 uint32_t dsdb_request_sd_flags(struct ldb_request
*req
, bool *explicit)
292 struct ldb_control
*sd_control
;
293 uint32_t sd_flags
= 0;
299 sd_control
= ldb_request_get_control(req
, LDB_CONTROL_SD_FLAGS_OID
);
300 if (sd_control
!= NULL
&& sd_control
->data
!= NULL
) {
301 struct ldb_sd_flags_control
*sdctr
= talloc_get_type_abort(sd_control
->data
, struct ldb_sd_flags_control
);
303 sd_flags
= sdctr
->secinfo_flags
;
309 /* mark it as handled */
310 sd_control
->critical
= 0;
313 /* we only care for the last 4 bits */
314 sd_flags
&= 0x0000000F;
317 * MS-ADTS 3.1.1.3.4.1.11 says that no bits
321 sd_flags
= SECINFO_OWNER
| SECINFO_GROUP
| SECINFO_DACL
| SECINFO_SACL
;
327 int dsdb_module_schedule_sd_propagation(struct ldb_module
*module
,
328 struct ldb_dn
*nc_root
,
330 struct GUID parent_guid
,
333 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
334 struct dsdb_extended_sec_desc_propagation_op
*op
;
337 op
= talloc_zero(module
, struct dsdb_extended_sec_desc_propagation_op
);
342 op
->nc_root
= nc_root
;
344 op
->include_self
= include_self
;
345 op
->parent_guid
= parent_guid
;
347 ret
= dsdb_module_extended(module
, op
, NULL
,
348 DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID
,
350 DSDB_FLAG_TOP_MODULE
|
351 DSDB_FLAG_AS_SYSTEM
|