2 Unix SMB/CIFS implementation.
4 Copyright (C) Andrew Tridgell 2004
5 Copyright (C) Gerald Carter 2005
6 Copyright (C) Volker Lendecke 2007
7 Copyright (C) Jeremy Allison 2008
8 Copyright (C) Andrew Bartlett 2010
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "libcli/security/security.h"
27 /* Map generic access rights to object specific rights. This technique is
28 used to give meaning to assigning read, write, execute and all access to
29 objects. Each type of object has its own mapping of generic to object
30 specific access rights. */
32 void se_map_generic(uint32_t *access_mask
, const struct generic_mapping
*mapping
)
34 uint32_t old_mask
= *access_mask
;
36 if (*access_mask
& GENERIC_READ_ACCESS
) {
37 *access_mask
&= ~GENERIC_READ_ACCESS
;
38 *access_mask
|= mapping
->generic_read
;
41 if (*access_mask
& GENERIC_WRITE_ACCESS
) {
42 *access_mask
&= ~GENERIC_WRITE_ACCESS
;
43 *access_mask
|= mapping
->generic_write
;
46 if (*access_mask
& GENERIC_EXECUTE_ACCESS
) {
47 *access_mask
&= ~GENERIC_EXECUTE_ACCESS
;
48 *access_mask
|= mapping
->generic_execute
;
51 if (*access_mask
& GENERIC_ALL_ACCESS
) {
52 *access_mask
&= ~GENERIC_ALL_ACCESS
;
53 *access_mask
|= mapping
->generic_all
;
56 if (old_mask
!= *access_mask
) {
57 DEBUG(10, ("se_map_generic(): mapped mask 0x%08x to 0x%08x\n",
58 old_mask
, *access_mask
));
62 /* Map generic access rights to object specific rights for all the ACE's
66 void security_acl_map_generic(struct security_acl
*sa
,
67 const struct generic_mapping
*mapping
)
75 for (i
= 0; i
< sa
->num_aces
; i
++) {
76 se_map_generic(&sa
->aces
[i
].access_mask
, mapping
);
80 /* Map standard access rights to object specific rights. This technique is
81 used to give meaning to assigning read, write, execute and all access to
82 objects. Each type of object has its own mapping of standard to object
83 specific access rights. */
85 void se_map_standard(uint32_t *access_mask
, const struct standard_mapping
*mapping
)
87 uint32_t old_mask
= *access_mask
;
89 if (*access_mask
& SEC_STD_READ_CONTROL
) {
90 *access_mask
&= ~SEC_STD_READ_CONTROL
;
91 *access_mask
|= mapping
->std_read
;
94 if (*access_mask
& (SEC_STD_DELETE
|SEC_STD_WRITE_DAC
|SEC_STD_WRITE_OWNER
|SEC_STD_SYNCHRONIZE
)) {
95 *access_mask
&= ~(SEC_STD_DELETE
|SEC_STD_WRITE_DAC
|SEC_STD_WRITE_OWNER
|SEC_STD_SYNCHRONIZE
);
96 *access_mask
|= mapping
->std_all
;
99 if (old_mask
!= *access_mask
) {
100 DEBUG(10, ("se_map_standard(): mapped mask 0x%08x to 0x%08x\n",
101 old_mask
, *access_mask
));
106 perform a SEC_FLAG_MAXIMUM_ALLOWED access check
108 static uint32_t access_check_max_allowed(const struct security_descriptor
*sd
,
109 const struct security_token
*token
)
111 uint32_t denied
= 0, granted
= 0;
114 if (security_token_has_sid(token
, sd
->owner_sid
)) {
115 granted
|= SEC_STD_WRITE_DAC
| SEC_STD_READ_CONTROL
;
118 if (sd
->dacl
== NULL
) {
119 return granted
& ~denied
;
122 for (i
= 0;i
<sd
->dacl
->num_aces
; i
++) {
123 struct security_ace
*ace
= &sd
->dacl
->aces
[i
];
125 if (ace
->flags
& SEC_ACE_FLAG_INHERIT_ONLY
) {
129 if (!security_token_has_sid(token
, &ace
->trustee
)) {
134 case SEC_ACE_TYPE_ACCESS_ALLOWED
:
135 granted
|= ace
->access_mask
;
137 case SEC_ACE_TYPE_ACCESS_DENIED
:
138 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
:
139 denied
|= ace
->access_mask
;
141 default: /* Other ACE types not handled/supported */
146 return granted
& ~denied
;
150 The main entry point for access checking. If returning ACCESS_DENIED
151 this function returns the denied bits in the uint32_t pointed
152 to by the access_granted pointer.
154 NTSTATUS
se_access_check(const struct security_descriptor
*sd
,
155 const struct security_token
*token
,
156 uint32_t access_desired
,
157 uint32_t *access_granted
)
160 uint32_t bits_remaining
;
161 uint32_t explicitly_denied_bits
= 0;
163 *access_granted
= access_desired
;
164 bits_remaining
= access_desired
;
166 /* handle the maximum allowed flag */
167 if (access_desired
& SEC_FLAG_MAXIMUM_ALLOWED
) {
168 uint32_t orig_access_desired
= access_desired
;
170 access_desired
|= access_check_max_allowed(sd
, token
);
171 access_desired
&= ~SEC_FLAG_MAXIMUM_ALLOWED
;
172 *access_granted
= access_desired
;
173 bits_remaining
= access_desired
;
175 DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n",
181 /* s3 had this with #if 0 previously. To be sure the merge
182 doesn't change any behaviour, we have the above #if check
184 if (access_desired
& SEC_FLAG_SYSTEM_SECURITY
) {
185 if (security_token_has_privilege(token
, SEC_PRIV_SECURITY
)) {
186 bits_remaining
&= ~SEC_FLAG_SYSTEM_SECURITY
;
188 return NT_STATUS_PRIVILEGE_NOT_HELD
;
192 /* the owner always gets SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL */
193 if ((bits_remaining
& (SEC_STD_WRITE_DAC
|SEC_STD_READ_CONTROL
)) &&
194 security_token_has_sid(token
, sd
->owner_sid
)) {
195 bits_remaining
&= ~(SEC_STD_WRITE_DAC
|SEC_STD_READ_CONTROL
);
198 /* TODO: remove this, as it is file server specific */
199 if ((bits_remaining
& SEC_RIGHTS_PRIV_RESTORE
) &&
200 security_token_has_privilege(token
, SEC_PRIV_RESTORE
)) {
201 bits_remaining
&= ~(SEC_RIGHTS_PRIV_RESTORE
);
203 if ((bits_remaining
& SEC_RIGHTS_PRIV_BACKUP
) &&
204 security_token_has_privilege(token
, SEC_PRIV_BACKUP
)) {
205 bits_remaining
&= ~(SEC_RIGHTS_PRIV_BACKUP
);
208 /* a NULL dacl allows access */
209 if ((sd
->type
& SEC_DESC_DACL_PRESENT
) && sd
->dacl
== NULL
) {
210 *access_granted
= access_desired
;
214 if (sd
->dacl
== NULL
) {
218 /* check each ace in turn. */
219 for (i
=0; bits_remaining
&& i
< sd
->dacl
->num_aces
; i
++) {
220 struct security_ace
*ace
= &sd
->dacl
->aces
[i
];
222 if (ace
->flags
& SEC_ACE_FLAG_INHERIT_ONLY
) {
226 if (!security_token_has_sid(token
, &ace
->trustee
)) {
231 case SEC_ACE_TYPE_ACCESS_ALLOWED
:
232 bits_remaining
&= ~ace
->access_mask
;
234 case SEC_ACE_TYPE_ACCESS_DENIED
:
235 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
:
236 explicitly_denied_bits
|= (bits_remaining
& ace
->access_mask
);
238 default: /* Other ACE types not handled/supported */
243 bits_remaining
|= explicitly_denied_bits
;
246 if (bits_remaining
!= 0) {
247 *access_granted
= bits_remaining
;
248 return NT_STATUS_ACCESS_DENIED
;
255 static const struct GUID
*get_ace_object_type(struct security_ace
*ace
)
259 if (ace
->object
.object
.flags
& SEC_ACE_OBJECT_TYPE_PRESENT
)
260 type
= &ace
->object
.object
.type
.type
;
261 else if (ace
->object
.object
.flags
& SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
)
262 type
= &ace
->object
.object
.inherited_type
.inherited_type
; /* This doesn't look right. Is something wrong with the IDL? */
270 /* modified access check for the purposes of DS security
271 * Lots of code duplication, it will ve united in just one
272 * function eventually */
274 NTSTATUS
sec_access_check_ds(const struct security_descriptor
*sd
,
275 const struct security_token
*token
,
276 uint32_t access_desired
,
277 uint32_t *access_granted
,
278 struct object_tree
*tree
,
279 struct dom_sid
*replace_sid
)
282 uint32_t bits_remaining
;
283 struct object_tree
*node
;
284 const struct GUID
*type
;
285 struct dom_sid
*ps_sid
= dom_sid_parse_talloc(NULL
, SID_NT_SELF
);
287 *access_granted
= access_desired
;
288 bits_remaining
= access_desired
;
290 /* handle the maximum allowed flag */
291 if (access_desired
& SEC_FLAG_MAXIMUM_ALLOWED
) {
292 access_desired
|= access_check_max_allowed(sd
, token
);
293 access_desired
&= ~SEC_FLAG_MAXIMUM_ALLOWED
;
294 *access_granted
= access_desired
;
295 bits_remaining
= access_desired
;
298 if (access_desired
& SEC_FLAG_SYSTEM_SECURITY
) {
299 if (security_token_has_privilege(token
, SEC_PRIV_SECURITY
)) {
300 bits_remaining
&= ~SEC_FLAG_SYSTEM_SECURITY
;
303 return NT_STATUS_PRIVILEGE_NOT_HELD
;
307 /* the owner always gets SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL */
308 if ((bits_remaining
& (SEC_STD_WRITE_DAC
|SEC_STD_READ_CONTROL
)) &&
309 security_token_has_sid(token
, sd
->owner_sid
)) {
310 bits_remaining
&= ~(SEC_STD_WRITE_DAC
|SEC_STD_READ_CONTROL
);
313 /* TODO: remove this, as it is file server specific */
314 if ((bits_remaining
& SEC_RIGHTS_PRIV_RESTORE
) &&
315 security_token_has_privilege(token
, SEC_PRIV_RESTORE
)) {
316 bits_remaining
&= ~(SEC_RIGHTS_PRIV_RESTORE
);
318 if ((bits_remaining
& SEC_RIGHTS_PRIV_BACKUP
) &&
319 security_token_has_privilege(token
, SEC_PRIV_BACKUP
)) {
320 bits_remaining
&= ~(SEC_RIGHTS_PRIV_BACKUP
);
323 /* a NULL dacl allows access */
324 if ((sd
->type
& SEC_DESC_DACL_PRESENT
) && sd
->dacl
== NULL
) {
325 *access_granted
= access_desired
;
330 if (sd
->dacl
== NULL
) {
334 /* check each ace in turn. */
335 for (i
=0; bits_remaining
&& i
< sd
->dacl
->num_aces
; i
++) {
336 struct dom_sid
*trustee
;
337 struct security_ace
*ace
= &sd
->dacl
->aces
[i
];
339 if (ace
->flags
& SEC_ACE_FLAG_INHERIT_ONLY
) {
342 if (dom_sid_equal(&ace
->trustee
, ps_sid
) && replace_sid
) {
343 trustee
= replace_sid
;
347 trustee
= &ace
->trustee
;
349 if (!security_token_has_sid(token
, trustee
)) {
354 case SEC_ACE_TYPE_ACCESS_ALLOWED
:
356 object_tree_modify_access(tree
, ace
->access_mask
);
358 bits_remaining
&= ~ace
->access_mask
;
360 case SEC_ACE_TYPE_ACCESS_DENIED
:
361 if (bits_remaining
& ace
->access_mask
) {
363 return NT_STATUS_ACCESS_DENIED
;
366 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
:
367 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
:
368 /* check only in case we have provided a tree,
369 * the ACE has an object type and that type
371 type
= get_ace_object_type(ace
);
379 if (!(node
= get_object_tree_by_GUID(tree
, type
)))
382 if (ace
->type
== SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
) {
383 object_tree_modify_access(node
, ace
->access_mask
);
384 if (node
->remaining_access
== 0) {
389 if (node
->remaining_access
& ace
->access_mask
){
391 return NT_STATUS_ACCESS_DENIED
;
395 default: /* Other ACE types not handled/supported */
402 if (bits_remaining
!= 0) {
403 return NT_STATUS_ACCESS_DENIED
;