search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
auth/credentials: don't ignore "client use kerberos" and --use-kerberos for machine...
[Samba.git] / libcli / security / access_check.c
blob3dc982332da6e8dc4601e2b07ca9849b5fe8643a
1 /*
2 Unix SMB/CIFS implementation.
3
4 Copyright (C) Andrew Tridgell 2004
5 Copyright (C) Gerald Carter 2005
6 Copyright (C) Volker Lendecke 2007
7 Copyright (C) Jeremy Allison 2008
8 Copyright (C) Andrew Bartlett 2010
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "replace.h"
25 #include "lib/util/debug.h"
26 #include "libcli/security/security.h"
27 #include "librpc/gen_ndr/conditional_ace.h"
28 #include "libcli/security/conditional_ace.h"
29
30 /* Map generic access rights to object specific rights. This technique is
31 used to give meaning to assigning read, write, execute and all access to
32 objects. Each type of object has its own mapping of generic to object
33 specific access rights. */
34
35 void se_map_generic(uint32_t *access_mask, const struct generic_mapping *mapping)
36 {
37 uint32_t old_mask = *access_mask;
38
39 if (*access_mask & GENERIC_READ_ACCESS) {
40 *access_mask &= ~GENERIC_READ_ACCESS;
41 *access_mask |= mapping->generic_read;
42 }
43
44 if (*access_mask & GENERIC_WRITE_ACCESS) {
45 *access_mask &= ~GENERIC_WRITE_ACCESS;
46 *access_mask |= mapping->generic_write;
47 }
48
49 if (*access_mask & GENERIC_EXECUTE_ACCESS) {
50 *access_mask &= ~GENERIC_EXECUTE_ACCESS;
51 *access_mask |= mapping->generic_execute;
52 }
53
54 if (*access_mask & GENERIC_ALL_ACCESS) {
55 *access_mask &= ~GENERIC_ALL_ACCESS;
56 *access_mask |= mapping->generic_all;
57 }
58
59 if (old_mask != *access_mask) {
60 DEBUG(10, ("se_map_generic(): mapped mask 0x%08x to 0x%08x\n",
61 old_mask, *access_mask));
62 }
63 }
64
65 /* Map generic access rights to object specific rights for all the ACE's
66 * in a security_acl.
67 */
68
69 void security_acl_map_generic(struct security_acl *sa,
70 const struct generic_mapping *mapping)
71 {
72 unsigned int i;
73
74 if (!sa) {
75 return;
76 }
77
78 for (i = 0; i < sa->num_aces; i++) {
79 se_map_generic(&sa->aces[i].access_mask, mapping);
80 }
81 }
82
83 /* Map standard access rights to object specific rights. This technique is
84 used to give meaning to assigning read, write, execute and all access to
85 objects. Each type of object has its own mapping of standard to object
86 specific access rights. */
87
88 void se_map_standard(uint32_t *access_mask, const struct standard_mapping *mapping)
89 {
90 uint32_t old_mask = *access_mask;
91
92 if (*access_mask & SEC_STD_READ_CONTROL) {
93 *access_mask &= ~SEC_STD_READ_CONTROL;
94 *access_mask |= mapping->std_read;
95 }
96
97 if (*access_mask & (SEC_STD_DELETE|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE)) {
98 *access_mask &= ~(SEC_STD_DELETE|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE);
99 *access_mask |= mapping->std_all;
100 }
101
102 if (old_mask != *access_mask) {
103 DEBUG(10, ("se_map_standard(): mapped mask 0x%08x to 0x%08x\n",
104 old_mask, *access_mask));
105 }
106 }
107
108 enum ace_callback_result {
109 ACE_CALLBACK_DENY,
110 ACE_CALLBACK_ALLOW,
111 ACE_CALLBACK_SKIP, /* do not apply this ACE */
112 ACE_CALLBACK_INVALID /* we don't want to process the conditional ACE */
113 };
114
115
116 static enum ace_callback_result check_callback_ace_allow(
117 const struct security_ace *ace,
118 const struct security_token *token,
119 const struct security_descriptor *sd)
120 {
121 bool ok;
122 int result;
123
124 switch (token->evaluate_claims) {
125 case CLAIMS_EVALUATION_ALWAYS:
126 break;
127
128 case CLAIMS_EVALUATION_INVALID_STATE:
129 DBG_WARNING("Refusing to evaluate ACL with "
130 "conditional ACE against security "
131 "token with CLAIMS_EVALUATION_INVALID_STATE\n");
132 return ACE_CALLBACK_INVALID;
133 case CLAIMS_EVALUATION_NEVER:
134 default:
135 /*
136 * We are asked to pretend we never understood this
137 * ACE type.
138 *
139 * By returning SKIP, this ACE will not adjust any
140 * permission bits making it an effective no-op, which
141 * was the default behaviour up to Samba 4.19.
142 */
143 return ACE_CALLBACK_SKIP;
144 }
145
146 if (ace->type != SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK &&
147 ace->type != SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT) {
148 /* This indicates a programming error */
149 DBG_ERR("bad conditional allow ACE type: %u\n", ace->type);
150 return ACE_CALLBACK_INVALID;
151 }
152
153 /*
154 * Until we discover otherwise, we assume all callback ACEs
155 * are conditional ACEs.
156 */
157 ok = access_check_conditional_ace(ace, token, sd, &result);
158 if (!ok) {
159 /*
160 * An error in processing the conditional ACE is
161 * treated as UNKNOWN, which amounts to a DENY/SKIP
162 * result.
163 *
164 * This is different from the INVALID result which
165 * means we should not be thinking about conditional
166 * ACES at all, and will abort the whole access check.
167 */
168 DBG_WARNING("callback ACE was not a valid conditional ACE\n");
169 return ACE_CALLBACK_SKIP;
170 }
171 if (result == ACE_CONDITION_TRUE) {
172 return ACE_CALLBACK_ALLOW;
173 }
174 /* UNKNOWN means do not allow */
175 return ACE_CALLBACK_SKIP;
176 }
177
178
179 static enum ace_callback_result check_callback_ace_deny(
180 const struct security_ace *ace,
181 const struct security_token *token,
182 const struct security_descriptor *sd)
183 {
184 bool ok;
185 int result;
186
187 switch (token->evaluate_claims) {
188 case CLAIMS_EVALUATION_ALWAYS:
189 break;
190
191 case CLAIMS_EVALUATION_INVALID_STATE:
192 DBG_WARNING("Refusing to evaluate ACL with "
193 "conditional ACE against security "
194 "token with CLAIMS_EVALUATION_INVALID_STATE\n");
195 return ACE_CALLBACK_INVALID;
196 case CLAIMS_EVALUATION_NEVER:
197 default:
198 /*
199 * We are asked to pretend we never understood this
200 * ACE type.
201 */
202 return ACE_CALLBACK_SKIP;
203 }
204
205 if (ace->type != SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK &&
206 ace->type != SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT) {
207 DBG_ERR("bad conditional deny ACE type: %u\n", ace->type);
208 return ACE_CALLBACK_INVALID;
209 }
210
211 /*
212 * Until we discover otherwise, we assume all callback ACEs
213 * are conditional ACEs.
214 */
215 ok = access_check_conditional_ace(ace, token, sd, &result);
216 if (!ok) {
217 /*
218 * An error in processing the conditional ACE is
219 * treated as UNKNOWN, which means DENY.
220 */
221 DBG_WARNING("callback ACE was not a valid conditional ACE\n");
222 return ACE_CALLBACK_DENY;
223 }
224 if (result != ACE_CONDITION_FALSE) {
225 /* UNKNOWN means deny */
226 return ACE_CALLBACK_DENY;
227 }
228 return ACE_CALLBACK_SKIP;
229 }
230
231
232 /*
233 perform a SEC_FLAG_MAXIMUM_ALLOWED access check
234 */
235 static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
236 const struct security_token *token,
237 enum implicit_owner_rights implicit_owner_rights)
238 {
239 uint32_t denied = 0, granted = 0;
240 bool am_owner = false;
241 bool have_owner_rights_ace = false;
242 unsigned i;
243
244 if (sd->dacl == NULL) {
245 if (security_token_has_sid(token, sd->owner_sid)) {
246 switch (implicit_owner_rights) {
247 case IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS:
248 granted |= SEC_STD_WRITE_DAC;
249 FALL_THROUGH;
250 case IMPLICIT_OWNER_READ_CONTROL_RIGHTS:
251 granted |= SEC_STD_READ_CONTROL;
252 break;
253 }
254 }
255 return granted;
256 }
257
258 if (security_token_has_sid(token, sd->owner_sid)) {
259 /*
260 * Check for explicit owner rights: if there are none, we remove
261 * the default owner right SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL
262 * from remaining_access. Otherwise we just process the
263 * explicitly granted rights when processing the ACEs.
264 */
265 am_owner = true;
266
267 for (i=0; i < sd->dacl->num_aces; i++) {
268 struct security_ace *ace = &sd->dacl->aces[i];
269
270 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
271 continue;
272 }
273
274 have_owner_rights_ace = dom_sid_equal(
275 &ace->trustee, &global_sid_Owner_Rights);
276 if (have_owner_rights_ace) {
277 break;
278 }
279 }
280 }
281
282 if (am_owner && !have_owner_rights_ace) {
283 switch (implicit_owner_rights) {
284 case IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS:
285 granted |= SEC_STD_WRITE_DAC;
286 FALL_THROUGH;
287 case IMPLICIT_OWNER_READ_CONTROL_RIGHTS:
288 granted |= SEC_STD_READ_CONTROL;
289 break;
290 }
291 }
292
293 for (i = 0;i<sd->dacl->num_aces; i++) {
294 struct security_ace *ace = &sd->dacl->aces[i];
295 bool is_owner_rights_ace = false;
296
297 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
298 continue;
299 }
300
301 if (am_owner) {
302 is_owner_rights_ace = dom_sid_equal(
303 &ace->trustee, &global_sid_Owner_Rights);
304 }
305
306 if (!is_owner_rights_ace &&
307 !security_token_has_sid(token, &ace->trustee))
308 {
309 continue;
310 }
311
312 switch (ace->type) {
313 case SEC_ACE_TYPE_ACCESS_ALLOWED:
314 granted |= ace->access_mask;
315 break;
316 case SEC_ACE_TYPE_ACCESS_DENIED:
317 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
318 denied |= ~granted & ace->access_mask;
319 break;
320
321 case SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK:
322 {
323 enum ace_callback_result allow =
324 check_callback_ace_allow(ace, token, sd);
325 if (allow == ACE_CALLBACK_INVALID) {
326 return 0;
327 }
328 if (allow == ACE_CALLBACK_ALLOW) {
329 granted |= ace->access_mask;
330 }
331 break;
332 }
333
334 case SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK:
335 {
336 enum ace_callback_result deny =
337 check_callback_ace_deny(ace, token, sd);
338 if (deny == ACE_CALLBACK_INVALID) {
339 return 0;
340 }
341 if (deny == ACE_CALLBACK_DENY) {
342 denied |= ~granted & ace->access_mask;
343 }
344 break;
345 }
346
347 default: /* Other ACE types not handled/supported */
348 break;
349 }
350 }
351
352 return granted & ~denied;
353 }
354
355
356
357 static NTSTATUS se_access_check_implicit_owner(const struct security_descriptor *sd,
358 const struct security_token *token,
359 uint32_t access_desired,
360 uint32_t *access_granted,
361 enum implicit_owner_rights implicit_owner_rights)
362 {
363 uint32_t i;
364 uint32_t bits_remaining;
365 uint32_t explicitly_denied_bits = 0;
366 bool am_owner = false;
367 bool have_owner_rights_ace = false;
368
369 switch (token->evaluate_claims) {
370 case CLAIMS_EVALUATION_INVALID_STATE:
371 if (token->num_local_claims > 0 ||
372 token->num_user_claims > 0 ||
373 token->num_device_claims > 0 ||
374 token->num_device_sids > 0) {
375 DBG_WARNING("Refusing to evaluate token with claims or device SIDs but also "
376 "with CLAIMS_EVALUATION_INVALID_STATE\n");
377 return NT_STATUS_INVALID_TOKEN;
378 }
379 break;
380 case CLAIMS_EVALUATION_ALWAYS:
381 case CLAIMS_EVALUATION_NEVER:
382 break;
383 }
384
385 *access_granted = access_desired;
386 bits_remaining = access_desired;
387
388 /* handle the maximum allowed flag */
389 if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
390 uint32_t orig_access_desired = access_desired;
391
392 access_desired |= access_check_max_allowed(sd, token, implicit_owner_rights);
393 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
394 *access_granted = access_desired;
395 bits_remaining = access_desired;
396
397 DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n",
398 orig_access_desired,
399 *access_granted,
400 bits_remaining));
401 }
402
403 /* a NULL dacl allows access */
404 if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
405 *access_granted = access_desired;
406 return NT_STATUS_OK;
407 }
408
409 if (sd->dacl == NULL) {
410 goto done;
411 }
412
413 if (security_token_has_sid(token, sd->owner_sid)) {
414 /*
415 * Check for explicit owner rights: if there are none, we remove
416 * the default owner right SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL
417 * from remaining_access. Otherwise we just process the
418 * explicitly granted rights when processing the ACEs.
419 */
420 am_owner = true;
421
422 for (i=0; i < sd->dacl->num_aces; i++) {
423 struct security_ace *ace = &sd->dacl->aces[i];
424
425 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
426 continue;
427 }
428
429 have_owner_rights_ace = dom_sid_equal(
430 &ace->trustee, &global_sid_Owner_Rights);
431 if (have_owner_rights_ace) {
432 break;
433 }
434 }
435 }
436 if (am_owner && !have_owner_rights_ace) {
437 switch (implicit_owner_rights) {
438 case IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS:
439 bits_remaining &= ~SEC_STD_WRITE_DAC;
440 FALL_THROUGH;
441 case IMPLICIT_OWNER_READ_CONTROL_RIGHTS:
442 bits_remaining &= ~SEC_STD_READ_CONTROL;
443 break;
444 }
445 }
446
447 /* check each ace in turn. */
448 for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
449 struct security_ace *ace = &sd->dacl->aces[i];
450 bool is_owner_rights_ace = false;
451
452 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
453 continue;
454 }
455
456 if (am_owner) {
457 is_owner_rights_ace = dom_sid_equal(
458 &ace->trustee, &global_sid_Owner_Rights);
459 }
460
461 if (!is_owner_rights_ace &&
462 !security_token_has_sid(token, &ace->trustee))
463 {
464 continue;
465 }
466
467 switch (ace->type) {
468 case SEC_ACE_TYPE_ACCESS_ALLOWED:
469 bits_remaining &= ~ace->access_mask;
470 break;
471 case SEC_ACE_TYPE_ACCESS_DENIED:
472 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
473 explicitly_denied_bits |= (bits_remaining & ace->access_mask);
474 break;
475
476 case SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK:
477 {
478 enum ace_callback_result allow =
479 check_callback_ace_allow(ace, token, sd);
480 if (allow == ACE_CALLBACK_INVALID) {
481 return NT_STATUS_INVALID_ACE_CONDITION;
482 }
483 if (allow == ACE_CALLBACK_ALLOW) {
484 bits_remaining &= ~ace->access_mask;
485 }
486 break;
487 }
488
489 case SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK:
490 case SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT:
491 {
492 enum ace_callback_result deny =
493 check_callback_ace_deny(ace, token, sd);
494 if (deny == ACE_CALLBACK_INVALID) {
495 return NT_STATUS_INVALID_ACE_CONDITION;
496 }
497 if (deny == ACE_CALLBACK_DENY) {
498 explicitly_denied_bits |= (bits_remaining & ace->access_mask);
499 }
500 break;
501 }
502
503 default: /* Other ACE types not handled/supported */
504 break;
505 }
506 }
507
508 /* Explicitly denied bits always override */
509 bits_remaining |= explicitly_denied_bits;
510
511 /*
512 * We check privileges here because they override even DENY entries.
513 */
514
515 /* Does the user have the privilege to gain SEC_PRIV_SECURITY? */
516 if (bits_remaining & SEC_FLAG_SYSTEM_SECURITY) {
517 if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
518 bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
519 } else {
520 return NT_STATUS_PRIVILEGE_NOT_HELD;
521 }
522 }
523
524 if ((bits_remaining & SEC_STD_WRITE_OWNER) &&
525 security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
526 bits_remaining &= ~(SEC_STD_WRITE_OWNER);
527 }
528
529 done:
530 if (bits_remaining != 0) {
531 *access_granted = bits_remaining;
532 return NT_STATUS_ACCESS_DENIED;
533 }
534
535 return NT_STATUS_OK;
536 }
537
538 /*
539 The main entry point for access checking. If returning ACCESS_DENIED
540 this function returns the denied bits in the uint32_t pointed
541 to by the access_granted pointer.
542 */
543 NTSTATUS se_access_check(const struct security_descriptor *sd,
544 const struct security_token *token,
545 uint32_t access_desired,
546 uint32_t *access_granted)
547 {
548 return se_access_check_implicit_owner(sd,
549 token,
550 access_desired,
551 access_granted,
552 IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS);
553 }
554
555 /*
556 The main entry point for access checking FOR THE FILE SERVER ONLY !
557 If returning ACCESS_DENIED this function returns the denied bits in
558 the uint32_t pointed to by the access_granted pointer.
559 */
560 NTSTATUS se_file_access_check(const struct security_descriptor *sd,
561 const struct security_token *token,
562 bool priv_open_requested,
563 uint32_t access_desired,
564 uint32_t *access_granted)
565 {
566 uint32_t bits_remaining;
567 NTSTATUS status;
568
569 if (!priv_open_requested) {
570 /* Fall back to generic se_access_check(). */
571 return se_access_check_implicit_owner(sd,
572 token,
573 access_desired,
574 access_granted,
575 IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS);
576 }
577
578 /*
579 * We need to handle the maximum allowed flag
580 * outside of se_access_check(), as we need to
581 * add in the access allowed by the privileges
582 * as well.
583 */
584
585 if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
586 uint32_t orig_access_desired = access_desired;
587
588 access_desired |= access_check_max_allowed(sd, token, true);
589 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
590
591 if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
592 access_desired |= SEC_RIGHTS_PRIV_BACKUP;
593 }
594
595 if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
596 access_desired |= SEC_RIGHTS_PRIV_RESTORE;
597 }
598
599 DEBUG(10,("se_file_access_check: MAX desired = 0x%x "
600 "mapped to 0x%x\n",
601 orig_access_desired,
602 access_desired));
603 }
604
605 status = se_access_check_implicit_owner(sd,
606 token,
607 access_desired,
608 access_granted,
609 IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS);
610
611 if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
612 return status;
613 }
614
615 bits_remaining = *access_granted;
616
617 /* Check if we should override with privileges. */
618 if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
619 security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
620 bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
621 }
622 if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
623 security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
624 bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
625 }
626 if (bits_remaining != 0) {
627 *access_granted = bits_remaining;
628 return NT_STATUS_ACCESS_DENIED;
629 }
630
631 return NT_STATUS_OK;
632 }
633
634 static const struct GUID *get_ace_object_type(const struct security_ace *ace)
635 {
636 if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
637 return &ace->object.object.type.type;
638 }
639
640 return NULL;
641 }
642
643 /**
644 * Evaluates access rights specified in a object-specific ACE for an AD object.
645 * This logic corresponds to MS-ADTS 5.1.3.3.3 Checking Object-Specific Access.
646 * @param[in] ace - the ACE being processed
647 * @param[in/out] tree - remaining_access gets updated for the tree
648 * @param[out] grant_access - set to true if the ACE grants sufficient access
649 * rights to the object/attribute
650 * @returns NT_STATUS_OK, unless access was denied
651 */
652 static NTSTATUS check_object_specific_access(const struct security_ace *ace,
653 struct object_tree *tree,
654 bool *grant_access)
655 {
656 struct object_tree *node = NULL;
657 const struct GUID *type = NULL;
658
659 *grant_access = false;
660
661 /* if no tree was supplied, we can't do object-specific access checks */
662 if (!tree) {
663 return NT_STATUS_OK;
664 }
665
666 /* Get the ObjectType GUID this ACE applies to */
667 type = get_ace_object_type(ace);
668
669 /*
670 * If the ACE doesn't have a type, then apply it to the whole tree, i.e.
671 * treat 'OA' ACEs as 'A' and 'OD' as 'D'
672 */
673 if (!type) {
674 node = tree;
675 } else {
676
677 /* skip it if the ACE's ObjectType GUID is not in the tree */
678 node = get_object_tree_by_GUID(tree, type);
679 if (!node) {
680 return NT_STATUS_OK;
681 }
682 }
683
684 if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
685 ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT) {
686 /* apply the access rights to this node, and any children */
687 object_tree_modify_access(node, ace->access_mask);
688
689 /*
690 * Currently all nodes in the tree request the same access mask,
691 * so we can use any node to check if processing this ACE now
692 * means the requested access has been granted
693 */
694 if (node->remaining_access == 0) {
695 *grant_access = true;
696 return NT_STATUS_OK;
697 }
698
699 /*
700 * As per 5.1.3.3.4 Checking Control Access Right-Based Access,
701 * if the CONTROL_ACCESS right is present, then we can grant
702 * access and stop any further access checks
703 */
704 if (ace->access_mask & SEC_ADS_CONTROL_ACCESS) {
705 *grant_access = true;
706 return NT_STATUS_OK;
707 }
708 } else {
709
710 /* this ACE denies access to the requested object/attribute */
711 if (node->remaining_access & ace->access_mask){
712 return NT_STATUS_ACCESS_DENIED;
713 }
714 }
715 return NT_STATUS_OK;
716 }
717
718
719 NTSTATUS sec_access_check_ds_implicit_owner(const struct security_descriptor *sd,
720 const struct security_token *token,
721 uint32_t access_desired,
722 uint32_t *access_granted,
723 struct object_tree *tree,
724 const struct dom_sid *replace_sid,
725 enum implicit_owner_rights implicit_owner_rights)
726 {
727 uint32_t i;
728 uint32_t bits_remaining;
729
730 *access_granted = access_desired;
731 bits_remaining = access_desired;
732
733 /* handle the maximum allowed flag */
734 if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
735 access_desired |= access_check_max_allowed(sd, token, implicit_owner_rights);
736 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
737 *access_granted = access_desired;
738 bits_remaining = access_desired;
739 }
740
741 if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
742 if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
743 bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
744 } else {
745 return NT_STATUS_PRIVILEGE_NOT_HELD;
746 }
747 }
748
749 /* the owner always gets SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL */
750 if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL)) &&
751 security_token_has_sid(token, sd->owner_sid)) {
752 switch (implicit_owner_rights) {
753 case IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS:
754 bits_remaining &= ~SEC_STD_WRITE_DAC;
755 FALL_THROUGH;
756 case IMPLICIT_OWNER_READ_CONTROL_RIGHTS:
757 bits_remaining &= ~SEC_STD_READ_CONTROL;
758 break;
759 }
760 }
761
762 /* SEC_PRIV_TAKE_OWNERSHIP grants SEC_STD_WRITE_OWNER */
763 if ((bits_remaining & (SEC_STD_WRITE_OWNER)) &&
764 security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
765 bits_remaining &= ~(SEC_STD_WRITE_OWNER);
766 }
767
768 /* a NULL dacl allows access */
769 if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
770 *access_granted = access_desired;
771 return NT_STATUS_OK;
772 }
773
774 if (sd->dacl == NULL) {
775 goto done;
776 }
777
778 /* check each ace in turn. */
779 for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
780 const struct dom_sid *trustee;
781 const struct security_ace *ace = &sd->dacl->aces[i];
782 NTSTATUS status;
783 bool grant_access = false;
784
785 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
786 continue;
787 }
788
789 if (dom_sid_equal(&ace->trustee, &global_sid_Self) && replace_sid) {
790 trustee = replace_sid;
791 } else {
792 trustee = &ace->trustee;
793 }
794
795 if (!security_token_has_sid(token, trustee)) {
796 continue;
797 }
798
799 switch (ace->type) {
800 case SEC_ACE_TYPE_ACCESS_ALLOWED:
801 if (tree) {
802 object_tree_modify_access(tree, ace->access_mask);
803 }
804
805 bits_remaining &= ~ace->access_mask;
806 break;
807 case SEC_ACE_TYPE_ACCESS_DENIED:
808 if (bits_remaining & ace->access_mask) {
809 return NT_STATUS_ACCESS_DENIED;
810 }
811 break;
812 case SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK:
813 {
814 enum ace_callback_result allow =
815 check_callback_ace_allow(ace, token, sd);
816 if (allow == ACE_CALLBACK_INVALID) {
817 return NT_STATUS_INVALID_ACE_CONDITION;
818 }
819 if (allow == ACE_CALLBACK_ALLOW) {
820 bits_remaining &= ~ace->access_mask;
821 }
822 break;
823 }
824
825 case SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK:
826 {
827 enum ace_callback_result deny =
828 check_callback_ace_deny(ace, token, sd);
829 if (deny == ACE_CALLBACK_INVALID) {
830 return NT_STATUS_INVALID_ACE_CONDITION;
831 }
832 if (deny == ACE_CALLBACK_DENY) {
833 if (bits_remaining & ace->access_mask) {
834 return NT_STATUS_ACCESS_DENIED;
835 }
836 }
837 break;
838 }
839
840 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
841 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
842 status = check_object_specific_access(ace, tree,
843 &grant_access);
844
845 if (!NT_STATUS_IS_OK(status)) {
846 return status;
847 }
848
849 if (grant_access) {
850 return NT_STATUS_OK;
851 }
852 break;
853 case SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT:
854 {
855 /*
856 * if the callback says ALLOW, we treat this as a
857 * SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT.
858 *
859 * Otherwise we act as if this ACE does not exist.
860 */
861 enum ace_callback_result allow =
862 check_callback_ace_allow(ace, token, sd);
863 if (allow == ACE_CALLBACK_INVALID) {
864 return NT_STATUS_INVALID_ACE_CONDITION;
865 }
866 if (allow != ACE_CALLBACK_ALLOW) {
867 break;
868 }
869
870 status = check_object_specific_access(ace, tree,
871 &grant_access);
872
873 if (!NT_STATUS_IS_OK(status)) {
874 return status;
875 }
876
877 if (grant_access) {
878 return NT_STATUS_OK;
879 }
880 break;
881 }
882 case SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT:
883 {
884 /*
885 * ACCESS_DENIED_OBJECT ACEs can't grant access --
886 * they either don't match the object and slide
887 * harmlessly past or they return
888 * NT_STATUS_ACCESS_DENIED.
889 *
890 * ACCESS_DENIED_CALLBACK_OBJECT ACEs add another way
891 * of not applying, and another way of failing.
892 */
893 enum ace_callback_result deny =
894 check_callback_ace_deny(ace, token, sd);
895 if (deny == ACE_CALLBACK_INVALID) {
896 return NT_STATUS_INVALID_ACE_CONDITION;
897 }
898 if (deny != ACE_CALLBACK_DENY) {
899 break;
900 }
901 status = check_object_specific_access(ace, tree,
902 &grant_access);
903
904 if (!NT_STATUS_IS_OK(status)) {
905 return status;
906 }
907 break;
908 }
909 default: /* Other ACE types not handled/supported */
910 break;
911 }
912 }
913
914 done:
915 if (bits_remaining != 0) {
916 return NT_STATUS_ACCESS_DENIED;
917 }
918
919 return NT_STATUS_OK;
920 }
921
922 /**
923 * @brief Perform directoryservice (DS) related access checks for a given user
924 *
925 * Perform DS access checks for the user represented by its security_token, on
926 * the provided security descriptor. If an tree associating GUID and access
927 * required is provided then object access (OA) are checked as well. *
928 * @param[in] sd The security descriptor against which the required
929 * access are requested
930 *
931 * @param[in] token The security_token associated with the user to
932 * test
933 *
934 * @param[in] access_desired A bitfield of rights that must be granted for the
935 * given user in the specified SD.
936 *
937 * If one
938 * of the entry in the tree grants all the requested rights for the given GUID
939 * FIXME
940 * tree can be null if not null it's the
941 * Lots of code duplication, it will be united in just one
942 * function eventually */
943
944 NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
945 const struct security_token *token,
946 uint32_t access_desired,
947 uint32_t *access_granted,
948 struct object_tree *tree,
949 const struct dom_sid *replace_sid)
950 {
951 return sec_access_check_ds_implicit_owner(sd,
952 token,
953 access_desired,
954 access_granted,
955 tree,
956 replace_sid,
957 IMPLICIT_OWNER_READ_CONTROL_RIGHTS);
958 }
Samba GIT mirror