search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:dsdb Don't cast an ldb_val into a const char * for schema lookups
[Samba/ekacnet.git] / source4 / dsdb / samdb / ldb_modules / kludge_acl.c
blob15db491171f3e3045e6987be966ad054ac0965d9
1 /*
2 ldb database library
3
4 Copyright (C) Andrew Bartlett 2005
5 Copyright (C) Simo Sorce 2006-2008
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 /*
22 * Name: ldb
23 *
24 * Component: ldb kludge ACL module
25 *
26 * Description: Simple module to enforce a simple form of access
27 * control, sufficient for securing a default Samba4
28 * installation.
29 *
30 * Author: Andrew Bartlett
31 */
32
33 #include "includes.h"
34 #include "ldb_module.h"
35 #include "auth/auth.h"
36 #include "libcli/security/security.h"
37 #include "dsdb/samdb/samdb.h"
38
39 /* Kludge ACL rules:
40 *
41 * - System can read passwords
42 * - Administrators can write anything
43 * - Users can read anything that is not a password
44 *
45 */
46
47 struct kludge_private_data {
48 const char **password_attrs;
49 };
50
51 static enum security_user_level what_is_user(struct ldb_module *module)
52 {
53 struct ldb_context *ldb = ldb_module_get_ctx(module);
54 struct auth_session_info *session_info
55 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
56 return security_session_user_level(session_info);
57 }
58
59 static const char *user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module)
60 {
61 struct ldb_context *ldb = ldb_module_get_ctx(module);
62 struct auth_session_info *session_info
63 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
64 if (!session_info) {
65 return "UNKNOWN (NULL)";
66 }
67
68 return talloc_asprintf(mem_ctx, "%s\\%s",
69 session_info->server_info->domain_name,
70 session_info->server_info->account_name);
71 }
72
73 /* search */
74 struct kludge_acl_context {
75
76 struct ldb_module *module;
77 struct ldb_request *req;
78
79 enum security_user_level user_type;
80 bool allowedAttributes;
81 bool allowedAttributesEffective;
82 bool allowedChildClasses;
83 bool allowedChildClassesEffective;
84 const char * const *attrs;
85 };
86
87 /* read all objectClasses */
88
89 static int kludge_acl_allowedAttributes(struct ldb_context *ldb, struct ldb_message *msg,
90 const char *attrName)
91 {
92 struct ldb_message_element *oc_el;
93 struct ldb_message_element *allowedAttributes;
94 const struct dsdb_schema *schema = dsdb_get_schema(ldb);
95 TALLOC_CTX *mem_ctx;
96 const char **attr_list;
97 int i, ret;
98
99 /* If we don't have a schema yet, we can't do anything... */
100 if (schema == NULL) {
101 return LDB_SUCCESS;
102 }
103
104 /* Must remove any existing attribute, or else confusion reins */
105 ldb_msg_remove_attr(msg, attrName);
106 ret = ldb_msg_add_empty(msg, attrName, 0, &allowedAttributes);
107 if (ret != LDB_SUCCESS) {
108 return ret;
109 }
110
111 mem_ctx = talloc_new(msg);
112 if (!mem_ctx) {
113 ldb_oom(ldb);
114 return LDB_ERR_OPERATIONS_ERROR;
115 }
116
117 /* To ensure that oc_el is valid, we must look for it after
118 we alter the element array in ldb_msg_add_empty() */
119 oc_el = ldb_msg_find_element(msg, "objectClass");
120
121 attr_list = dsdb_full_attribute_list(mem_ctx, schema, oc_el, DSDB_SCHEMA_ALL);
122 if (!attr_list) {
123 ldb_asprintf_errstring(ldb, "kludge_acl: Failed to get list of attributes create %s attribute", attrName);
124 talloc_free(mem_ctx);
125 return LDB_ERR_OPERATIONS_ERROR;
126 }
127
128 for (i=0; attr_list && attr_list[i]; i++) {
129 ldb_msg_add_string(msg, attrName, attr_list[i]);
130 }
131 talloc_free(mem_ctx);
132 return LDB_SUCCESS;
133
134 }
135 /* read all objectClasses */
136
137 static int kludge_acl_childClasses(struct ldb_context *ldb, struct ldb_message *msg,
138 const char *attrName)
139 {
140 struct ldb_message_element *oc_el;
141 struct ldb_message_element *allowedClasses;
142 const struct dsdb_schema *schema = dsdb_get_schema(ldb);
143 const struct dsdb_class *sclass;
144 int i, j, ret;
145
146 /* If we don't have a schema yet, we can't do anything... */
147 if (schema == NULL) {
148 return LDB_SUCCESS;
149 }
150
151 /* Must remove any existing attribute, or else confusion reins */
152 ldb_msg_remove_attr(msg, attrName);
153 ret = ldb_msg_add_empty(msg, attrName, 0, &allowedClasses);
154 if (ret != LDB_SUCCESS) {
155 return ret;
156 }
157
158 /* To ensure that oc_el is valid, we must look for it after
159 we alter the element array in ldb_msg_add_empty() */
160 oc_el = ldb_msg_find_element(msg, "objectClass");
161
162 for (i=0; oc_el && i < oc_el->num_values; i++) {
163 sclass = dsdb_class_by_lDAPDisplayName_ldb_val(schema, &oc_el->values[i]);
164 if (!sclass) {
165 /* We don't know this class? what is going on? */
166 continue;
167 }
168
169 for (j=0; sclass->possibleInferiors && sclass->possibleInferiors[j]; j++) {
170 ldb_msg_add_string(msg, attrName, sclass->possibleInferiors[j]);
171 }
172 }
173
174 if (allowedClasses->num_values > 1) {
175 qsort(allowedClasses->values,
176 allowedClasses->num_values,
177 sizeof(*allowedClasses->values),
178 (comparison_fn_t)data_blob_cmp);
179
180 for (i=1 ; i < allowedClasses->num_values; i++) {
181
182 struct ldb_val *val1 = &allowedClasses->values[i-1];
183 struct ldb_val *val2 = &allowedClasses->values[i];
184 if (data_blob_cmp(val1, val2) == 0) {
185 memmove(val1, val2, (allowedClasses->num_values - i) * sizeof( struct ldb_val));
186 allowedClasses->num_values--;
187 i--;
188 }
189 }
190 }
191
192 return LDB_SUCCESS;
193
194 }
195
196 /* find all attributes allowed by all these objectClasses */
197
198 static int kludge_acl_callback(struct ldb_request *req, struct ldb_reply *ares)
199 {
200 struct ldb_context *ldb;
201 struct kludge_acl_context *ac;
202 struct kludge_private_data *data;
203 int i, ret;
204
205 ac = talloc_get_type(req->context, struct kludge_acl_context);
206 data = talloc_get_type(ldb_module_get_private(ac->module), struct kludge_private_data);
207 ldb = ldb_module_get_ctx(ac->module);
208
209 if (!ares) {
210 return ldb_module_done(ac->req, NULL, NULL,
211 LDB_ERR_OPERATIONS_ERROR);
212 }
213 if (ares->error != LDB_SUCCESS) {
214 return ldb_module_done(ac->req, ares->controls,
215 ares->response, ares->error);
216 }
217
218 switch (ares->type) {
219 case LDB_REPLY_ENTRY:
220 if (ac->allowedAttributes) {
221 ret = kludge_acl_allowedAttributes(ldb,
222 ares->message,
223 "allowedAttributes");
224 if (ret != LDB_SUCCESS) {
225 return ldb_module_done(ac->req, NULL, NULL, ret);
226 }
227 }
228 if (ac->allowedChildClasses) {
229 ret = kludge_acl_childClasses(ldb,
230 ares->message,
231 "allowedChildClasses");
232 if (ret != LDB_SUCCESS) {
233 return ldb_module_done(ac->req, NULL, NULL, ret);
234 }
235 }
236
237 if (data && data->password_attrs) /* if we are not initialized just get through */
238 {
239 switch (ac->user_type) {
240 case SECURITY_SYSTEM:
241 if (ac->allowedAttributesEffective) {
242 ret = kludge_acl_allowedAttributes(ldb, ares->message,
243 "allowedAttributesEffective");
244 if (ret != LDB_SUCCESS) {
245 return ldb_module_done(ac->req, NULL, NULL, ret);
246 }
247 }
248 if (ac->allowedChildClassesEffective) {
249 ret = kludge_acl_childClasses(ldb, ares->message,
250 "allowedChildClassesEffective");
251 if (ret != LDB_SUCCESS) {
252 return ldb_module_done(ac->req, NULL, NULL, ret);
253 }
254 }
255 break;
256
257 case SECURITY_ADMINISTRATOR:
258 if (ac->allowedAttributesEffective) {
259 ret = kludge_acl_allowedAttributes(ldb, ares->message,
260 "allowedAttributesEffective");
261 if (ret != LDB_SUCCESS) {
262 return ldb_module_done(ac->req, NULL, NULL, ret);
263 }
264 }
265 if (ac->allowedChildClassesEffective) {
266 ret = kludge_acl_childClasses(ldb, ares->message,
267 "allowedChildClassesEffective");
268 if (ret != LDB_SUCCESS) {
269 return ldb_module_done(ac->req, NULL, NULL, ret);
270 }
271 }
272 /* fall through */
273 default:
274 /* remove password attributes */
275 for (i = 0; data->password_attrs[i]; i++) {
276 ldb_msg_remove_attr(ares->message, data->password_attrs[i]);
277 }
278 }
279 }
280
281 if (ac->allowedAttributes ||
282 ac->allowedAttributesEffective ||
283 ac->allowedChildClasses ||
284 ac->allowedChildClassesEffective) {
285
286 if (!ldb_attr_in_list(ac->attrs, "objectClass") &&
287 !ldb_attr_in_list(ac->attrs, "*")) {
288
289 ldb_msg_remove_attr(ares->message,
290 "objectClass");
291 }
292 }
293
294 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
295
296 case LDB_REPLY_REFERRAL:
297 return ldb_module_send_referral(ac->req, ares->referral);
298
299 case LDB_REPLY_DONE:
300 return ldb_module_done(ac->req, ares->controls,
301 ares->response, LDB_SUCCESS);
302
303 }
304 return LDB_SUCCESS;
305 }
306
307 static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
308 {
309 struct ldb_context *ldb;
310 struct kludge_acl_context *ac;
311 struct ldb_request *down_req;
312 struct kludge_private_data *data;
313 const char * const *attrs;
314 int ret, i;
315 struct ldb_control *sd_control;
316 struct ldb_control **sd_saved_controls;
317
318 ldb = ldb_module_get_ctx(module);
319
320 ac = talloc(req, struct kludge_acl_context);
321 if (ac == NULL) {
322 ldb_oom(ldb);
323 return LDB_ERR_OPERATIONS_ERROR;
324 }
325
326 data = talloc_get_type(ldb_module_get_private(module), struct kludge_private_data);
327
328 ac->module = module;
329 ac->req = req;
330 ac->user_type = what_is_user(module);
331 ac->attrs = req->op.search.attrs;
332
333 ac->allowedAttributes = ldb_attr_in_list(req->op.search.attrs, "allowedAttributes");
334
335 ac->allowedAttributesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedAttributesEffective");
336
337 ac->allowedChildClasses = ldb_attr_in_list(req->op.search.attrs, "allowedChildClasses");
338
339 ac->allowedChildClassesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedChildClassesEffective");
340
341 if (ac->allowedAttributes || ac->allowedAttributesEffective || ac->allowedChildClasses || ac->allowedChildClassesEffective) {
342 attrs = ldb_attr_list_copy_add(ac, req->op.search.attrs, "objectClass");
343 } else {
344 attrs = req->op.search.attrs;
345 }
346
347 /* replace any attributes in the parse tree that are private,
348 so we don't allow a search for 'userPassword=penguin',
349 just as we would not allow that attribute to be returned */
350 switch (ac->user_type) {
351 case SECURITY_SYSTEM:
352 break;
353 default:
354 /* FIXME: We should copy the tree and keep the original unmodified. */
355 /* remove password attributes */
356
357 if (!data || !data->password_attrs) {
358 break;
359 }
360 for (i = 0; data->password_attrs[i]; i++) {
361 ldb_parse_tree_attr_replace(req->op.search.tree,
362 data->password_attrs[i],
363 "kludgeACLredactedattribute");
364 }
365 }
366
367 ret = ldb_build_search_req_ex(&down_req,
368 ldb, ac,
369 req->op.search.base,
370 req->op.search.scope,
371 req->op.search.tree,
372 attrs,
373 req->controls,
374 ac, kludge_acl_callback,
375 req);
376 if (ret != LDB_SUCCESS) {
377 return LDB_ERR_OPERATIONS_ERROR;
378 }
379
380 /* check if there's an SD_FLAGS control */
381 sd_control = ldb_request_get_control(down_req, LDB_CONTROL_SD_FLAGS_OID);
382 if (sd_control) {
383 /* save it locally and remove it from the list */
384 /* we do not need to replace them later as we
385 * are keeping the original req intact */
386 if (!save_controls(sd_control, down_req, &sd_saved_controls)) {
387 return LDB_ERR_OPERATIONS_ERROR;
388 }
389 }
390
391 /* perform the search */
392 return ldb_next_request(module, down_req);
393 }
394
395 /* ANY change type */
396 static int kludge_acl_change(struct ldb_module *module, struct ldb_request *req)
397 {
398 struct ldb_context *ldb = ldb_module_get_ctx(module);
399 enum security_user_level user_type = what_is_user(module);
400 switch (user_type) {
401 case SECURITY_SYSTEM:
402 case SECURITY_ADMINISTRATOR:
403 return ldb_next_request(module, req);
404 default:
405 ldb_asprintf_errstring(ldb,
406 "kludge_acl_change: "
407 "attempted database modify not permitted. "
408 "User %s is not SYSTEM or an administrator",
409 user_name(req, module));
410 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
411 }
412 }
413
414 static int kludge_acl_extended(struct ldb_module *module, struct ldb_request *req)
415 {
416 struct ldb_context *ldb = ldb_module_get_ctx(module);
417 enum security_user_level user_type;
418
419 /* allow everybody to read the sequence number */
420 if (strcmp(req->op.extended.oid,
421 LDB_EXTENDED_SEQUENCE_NUMBER) == 0) {
422 return ldb_next_request(module, req);
423 }
424
425 user_type = what_is_user(module);
426
427 switch (user_type) {
428 case SECURITY_SYSTEM:
429 case SECURITY_ADMINISTRATOR:
430 return ldb_next_request(module, req);
431 default:
432 ldb_asprintf_errstring(ldb,
433 "kludge_acl_change: "
434 "attempted database modify not permitted. "
435 "User %s is not SYSTEM or an administrator",
436 user_name(req, module));
437 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
438 }
439 }
440
441 static int kludge_acl_init(struct ldb_module *module)
442 {
443 struct ldb_context *ldb;
444 int ret, i;
445 TALLOC_CTX *mem_ctx = talloc_new(module);
446 static const char *attrs[] = { "passwordAttribute", NULL };
447 struct ldb_result *res;
448 struct ldb_message *msg;
449 struct ldb_message_element *password_attributes;
450
451 struct kludge_private_data *data;
452
453 ldb = ldb_module_get_ctx(module);
454
455 data = talloc(module, struct kludge_private_data);
456 if (data == NULL) {
457 ldb_oom(ldb);
458 return LDB_ERR_OPERATIONS_ERROR;
459 }
460
461 data->password_attrs = NULL;
462 ldb_module_set_private(module, data);
463
464 if (!mem_ctx) {
465 ldb_oom(ldb);
466 return LDB_ERR_OPERATIONS_ERROR;
467 }
468
469 ret = ldb_search(ldb, mem_ctx, &res,
470 ldb_dn_new(mem_ctx, ldb, "@KLUDGEACL"),
471 LDB_SCOPE_BASE, attrs, NULL);
472 if (ret != LDB_SUCCESS) {
473 goto done;
474 }
475 if (res->count == 0) {
476 goto done;
477 }
478
479 if (res->count > 1) {
480 talloc_free(mem_ctx);
481 return LDB_ERR_CONSTRAINT_VIOLATION;
482 }
483
484 msg = res->msgs[0];
485
486 password_attributes = ldb_msg_find_element(msg, "passwordAttribute");
487 if (!password_attributes) {
488 goto done;
489 }
490 data->password_attrs = talloc_array(data, const char *, password_attributes->num_values + 1);
491 if (!data->password_attrs) {
492 talloc_free(mem_ctx);
493 ldb_oom(ldb);
494 return LDB_ERR_OPERATIONS_ERROR;
495 }
496 for (i=0; i < password_attributes->num_values; i++) {
497 data->password_attrs[i] = (const char *)password_attributes->values[i].data;
498 talloc_steal(data->password_attrs, password_attributes->values[i].data);
499 }
500 data->password_attrs[i] = NULL;
501
502 ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID);
503 if (ret != LDB_SUCCESS) {
504 ldb_debug(ldb, LDB_DEBUG_ERROR,
505 "kludge_acl: Unable to register control with rootdse!\n");
506 return LDB_ERR_OPERATIONS_ERROR;
507 }
508
509 done:
510 talloc_free(mem_ctx);
511 return ldb_next_init(module);
512 }
513
514 _PUBLIC_ const struct ldb_module_ops ldb_kludge_acl_module_ops = {
515 .name = "kludge_acl",
516 .search = kludge_acl_search,
517 .add = kludge_acl_change,
518 .modify = kludge_acl_change,
519 .del = kludge_acl_change,
520 .rename = kludge_acl_change,
521 .extended = kludge_acl_extended,
522 .init_context = kludge_acl_init
523 };