search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
CVE-2023-0614 s4:dsdb: Use talloc_get_type_abort() more consistently
[Samba.git] / source4 / dsdb / samdb / ldb_modules / acl_util.c
blob367c11d1ba9514a0d5b87d1e36af416a4d65fec4
1 /*
2 ACL utility functions
3
4 Copyright (C) Nadezhda Ivanova 2010
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /*
21 * Name: acl_util
22 *
23 * Component: ldb ACL modules
24 *
25 * Description: Some auxiliary functions used for access checking
26 *
27 * Author: Nadezhda Ivanova
28 */
29 #include "includes.h"
30 #include "ldb_module.h"
31 #include "auth/auth.h"
32 #include "libcli/security/security.h"
33 #include "dsdb/samdb/samdb.h"
34 #include "librpc/gen_ndr/ndr_security.h"
35 #include "param/param.h"
36 #include "dsdb/samdb/ldb_modules/util.h"
37
38 struct security_token *acl_user_token(struct ldb_module *module)
39 {
40 struct ldb_context *ldb = ldb_module_get_ctx(module);
41 struct auth_session_info *session_info
42 = (struct auth_session_info *)ldb_get_opaque(
43 ldb,
44 DSDB_SESSION_INFO);
45 if(!session_info) {
46 return NULL;
47 }
48 return session_info->security_token;
49 }
50
51 /* performs an access check from inside the module stack
52 * given the dn of the object to be checked, the required access
53 * guid is either the guid of the extended right, or NULL
54 */
55
56 int dsdb_module_check_access_on_dn(struct ldb_module *module,
57 TALLOC_CTX *mem_ctx,
58 struct ldb_dn *dn,
59 uint32_t access_mask,
60 const struct GUID *guid,
61 struct ldb_request *parent)
62 {
63 int ret;
64 struct ldb_result *acl_res;
65 static const char *acl_attrs[] = {
66 "nTSecurityDescriptor",
67 "objectSid",
68 NULL
69 };
70 struct ldb_context *ldb = ldb_module_get_ctx(module);
71 struct auth_session_info *session_info
72 = (struct auth_session_info *)ldb_get_opaque(
73 ldb,
74 DSDB_SESSION_INFO);
75 if(!session_info) {
76 return ldb_operr(ldb);
77 }
78 ret = dsdb_module_search_dn(module, mem_ctx, &acl_res, dn,
79 acl_attrs,
80 DSDB_FLAG_NEXT_MODULE |
81 DSDB_FLAG_AS_SYSTEM |
82 DSDB_SEARCH_SHOW_RECYCLED,
83 parent);
84 if (ret != LDB_SUCCESS) {
85 ldb_asprintf_errstring(ldb_module_get_ctx(module),
86 "access_check: failed to find object %s\n",
87 ldb_dn_get_linearized(dn));
88 return ret;
89 }
90 return dsdb_check_access_on_dn_internal(ldb, acl_res,
91 mem_ctx,
92 session_info->security_token,
93 dn,
94 access_mask,
95 guid);
96 }
97
98 int acl_check_access_on_attribute(struct ldb_module *module,
99 TALLOC_CTX *mem_ctx,
100 struct security_descriptor *sd,
101 struct dom_sid *rp_sid,
102 uint32_t access_mask,
103 const struct dsdb_attribute *attr,
104 const struct dsdb_class *objectclass)
105 {
106 int ret;
107 NTSTATUS status;
108 uint32_t access_granted;
109 struct object_tree *root = NULL;
110 struct object_tree *new_node = NULL;
111 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
112 struct security_token *token = acl_user_token(module);
113
114 if (!insert_in_object_tree(tmp_ctx,
115 &objectclass->schemaIDGUID,
116 access_mask, NULL,
117 &root)) {
118 DEBUG(10, ("acl_search: cannot add to object tree class schemaIDGUID\n"));
119 goto fail;
120 }
121 new_node = root;
122
123 if (!GUID_all_zero(&attr->attributeSecurityGUID)) {
124 if (!insert_in_object_tree(tmp_ctx,
125 &attr->attributeSecurityGUID,
126 access_mask, new_node,
127 &new_node)) {
128 DEBUG(10, ("acl_search: cannot add to object tree securityGUID\n"));
129 goto fail;
130 }
131 }
132
133 if (!insert_in_object_tree(tmp_ctx,
134 &attr->schemaIDGUID,
135 access_mask, new_node,
136 &new_node)) {
137 DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
138 goto fail;
139 }
140
141 status = sec_access_check_ds(sd, token,
142 access_mask,
143 &access_granted,
144 root,
145 rp_sid);
146 if (!NT_STATUS_IS_OK(status)) {
147 ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
148 }
149 else {
150 ret = LDB_SUCCESS;
151 }
152 talloc_free(tmp_ctx);
153 return ret;
154 fail:
155 talloc_free(tmp_ctx);
156 return ldb_operr(ldb_module_get_ctx(module));
157 }
158
159 int acl_check_access_on_objectclass(struct ldb_module *module,
160 TALLOC_CTX *mem_ctx,
161 struct security_descriptor *sd,
162 struct dom_sid *rp_sid,
163 uint32_t access_mask,
164 const struct dsdb_class *objectclass)
165 {
166 int ret;
167 NTSTATUS status;
168 uint32_t access_granted;
169 struct object_tree *root = NULL;
170 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
171 struct security_token *token = acl_user_token(module);
172
173 if (!insert_in_object_tree(tmp_ctx,
174 &objectclass->schemaIDGUID,
175 access_mask, NULL,
176 &root)) {
177 DEBUG(10, ("acl_search: cannot add to object tree class schemaIDGUID\n"));
178 goto fail;
179 }
180
181 status = sec_access_check_ds(sd, token,
182 access_mask,
183 &access_granted,
184 root,
185 rp_sid);
186 if (!NT_STATUS_IS_OK(status)) {
187 ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
188 } else {
189 ret = LDB_SUCCESS;
190 }
191 talloc_free(tmp_ctx);
192 return ret;
193 fail:
194 talloc_free(tmp_ctx);
195 return ldb_operr(ldb_module_get_ctx(module));
196 }
197
198 /* checks for validated writes */
199 int acl_check_extended_right(TALLOC_CTX *mem_ctx,
200 struct ldb_module *module,
201 struct ldb_request *req,
202 const struct dsdb_class *objectclass,
203 struct security_descriptor *sd,
204 struct security_token *token,
205 const char *ext_right,
206 uint32_t right_type,
207 struct dom_sid *sid)
208 {
209 struct GUID right;
210 NTSTATUS status;
211 uint32_t access_granted;
212 struct object_tree *root = NULL;
213 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
214 static const char *no_attrs[] = { NULL };
215 struct ldb_result *extended_rights_res = NULL;
216 struct ldb_dn *extended_rights_dn = NULL;
217 struct ldb_context *ldb = ldb_module_get_ctx(module);
218 int ret = 0;
219
220 /*
221 * Find the extended right and check if applies to
222 * the objectclass of the object
223 */
224 extended_rights_dn = samdb_extended_rights_dn(ldb, req);
225 if (!extended_rights_dn) {
226 ldb_set_errstring(ldb,
227 "access_check: CN=Extended-Rights dn could not be generated!");
228 return LDB_ERR_OPERATIONS_ERROR;
229 }
230
231 /* Note: we are checking only the structural object class. */
232 ret = dsdb_module_search(module, req, &extended_rights_res,
233 extended_rights_dn, LDB_SCOPE_ONELEVEL,
234 no_attrs,
235 DSDB_FLAG_NEXT_MODULE |
236 DSDB_FLAG_AS_SYSTEM,
237 req,
238 "(&(rightsGuid=%s)(appliesTo=%s))",
239 ext_right,
240 GUID_string(tmp_ctx,
241 &(objectclass->schemaIDGUID)));
242
243 if (ret != LDB_SUCCESS) {
244 return ret;
245 } else if (extended_rights_res->count == 0 ) {
246 ldb_debug(ldb, LDB_DEBUG_TRACE,
247 "acl_check_extended_right: Could not find appliesTo for %s\n",
248 ext_right);
249 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
250 }
251
252 GUID_from_string(ext_right, &right);
253
254 if (!insert_in_object_tree(tmp_ctx, &right, right_type,
255 NULL, &root)) {
256 DEBUG(10, ("acl_ext_right: cannot add to object tree\n"));
257 talloc_free(tmp_ctx);
258 return LDB_ERR_OPERATIONS_ERROR;
259 }
260 status = sec_access_check_ds(sd, token,
261 right_type,
262 &access_granted,
263 root,
264 sid);
265
266 if (!NT_STATUS_IS_OK(status)) {
267 talloc_free(tmp_ctx);
268 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
269 }
270 talloc_free(tmp_ctx);
271 return LDB_SUCCESS;
272 }
273
274 const char *acl_user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module)
275 {
276 struct ldb_context *ldb = ldb_module_get_ctx(module);
277 struct auth_session_info *session_info
278 = (struct auth_session_info *)ldb_get_opaque(
279 ldb,
280 DSDB_SESSION_INFO);
281 if (!session_info) {
282 return "UNKNOWN (NULL)";
283 }
284
285 return talloc_asprintf(mem_ctx, "%s\\%s",
286 session_info->info->domain_name,
287 session_info->info->account_name);
288 }
289
290 uint32_t dsdb_request_sd_flags(struct ldb_request *req, bool *explicit)
291 {
292 struct ldb_control *sd_control;
293 uint32_t sd_flags = 0;
294
295 if (explicit) {
296 *explicit = false;
297 }
298
299 sd_control = ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID);
300 if (sd_control != NULL && sd_control->data != NULL) {
301 struct ldb_sd_flags_control *sdctr = talloc_get_type_abort(sd_control->data, struct ldb_sd_flags_control);
302
303 sd_flags = sdctr->secinfo_flags;
304
305 if (explicit) {
306 *explicit = true;
307 }
308
309 /* mark it as handled */
310 sd_control->critical = 0;
311 }
312
313 /* we only care for the last 4 bits */
314 sd_flags &= 0x0000000F;
315
316 /*
317 * MS-ADTS 3.1.1.3.4.1.11 says that no bits
318 * equals all 4 bits
319 */
320 if (sd_flags == 0) {
321 sd_flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL | SECINFO_SACL;
322 }
323
324 return sd_flags;
325 }
326
327 int dsdb_module_schedule_sd_propagation(struct ldb_module *module,
328 struct ldb_dn *nc_root,
329 struct GUID guid,
330 struct GUID parent_guid,
331 bool include_self)
332 {
333 struct ldb_context *ldb = ldb_module_get_ctx(module);
334 struct dsdb_extended_sec_desc_propagation_op *op;
335 int ret;
336
337 op = talloc_zero(module, struct dsdb_extended_sec_desc_propagation_op);
338 if (op == NULL) {
339 return ldb_oom(ldb);
340 }
341
342 op->nc_root = nc_root;
343 op->guid = guid;
344 op->include_self = include_self;
345 op->parent_guid = parent_guid;
346
347 ret = dsdb_module_extended(module, op, NULL,
348 DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID,
349 op,
350 DSDB_FLAG_TOP_MODULE |
351 DSDB_FLAG_AS_SYSTEM |
352 DSDB_FLAG_TRUSTED,
353 NULL);
354 TALLOC_FREE(op);
355 return ret;
356 }
Samba GIT mirror