2 Unix SMB/CIFS implementation.
4 security access checking routines
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libcli/security/security.h"
26 perform a SEC_FLAG_MAXIMUM_ALLOWED access check
28 static uint32_t access_check_max_allowed(const struct security_descriptor
*sd
,
29 const struct security_token
*token
)
31 uint32_t denied
= 0, granted
= 0;
34 if (security_token_has_sid(token
, sd
->owner_sid
)) {
35 granted
|= SEC_STD_WRITE_DAC
| SEC_STD_READ_CONTROL
| SEC_STD_DELETE
;
36 } else if (security_token_has_privilege(token
, SEC_PRIV_RESTORE
)) {
37 granted
|= SEC_STD_DELETE
;
40 if (sd
->dacl
== NULL
) {
41 return granted
& ~denied
;
44 for (i
= 0;i
<sd
->dacl
->num_aces
; i
++) {
45 struct security_ace
*ace
= &sd
->dacl
->aces
[i
];
47 if (ace
->flags
& SEC_ACE_FLAG_INHERIT_ONLY
) {
51 if (!security_token_has_sid(token
, &ace
->trustee
)) {
56 case SEC_ACE_TYPE_ACCESS_ALLOWED
:
57 granted
|= ace
->access_mask
;
59 case SEC_ACE_TYPE_ACCESS_DENIED
:
60 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
:
61 denied
|= ace
->access_mask
;
63 default: /* Other ACE types not handled/supported */
68 return granted
& ~denied
;
71 static const struct GUID
*get_ace_object_type(struct security_ace
*ace
)
75 if (ace
->object
.object
.flags
& SEC_ACE_OBJECT_TYPE_PRESENT
)
76 type
= &ace
->object
.object
.type
.type
;
77 else if (ace
->object
.object
.flags
& SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
)
78 type
= &ace
->object
.object
.inherited_type
.inherited_type
; /* This doesn't look right. Is something wrong with the IDL? */
87 the main entry point for access checking.
89 NTSTATUS
sec_access_check(const struct security_descriptor
*sd
,
90 const struct security_token
*token
,
91 uint32_t access_desired
,
92 uint32_t *access_granted
)
95 uint32_t bits_remaining
;
97 *access_granted
= access_desired
;
98 bits_remaining
= access_desired
;
100 /* handle the maximum allowed flag */
101 if (access_desired
& SEC_FLAG_MAXIMUM_ALLOWED
) {
102 access_desired
|= access_check_max_allowed(sd
, token
);
103 access_desired
&= ~SEC_FLAG_MAXIMUM_ALLOWED
;
104 *access_granted
= access_desired
;
105 bits_remaining
= access_desired
& ~SEC_STD_DELETE
;
108 if (access_desired
& SEC_FLAG_SYSTEM_SECURITY
) {
109 if (security_token_has_privilege(token
, SEC_PRIV_SECURITY
)) {
110 bits_remaining
&= ~SEC_FLAG_SYSTEM_SECURITY
;
112 return NT_STATUS_PRIVILEGE_NOT_HELD
;
116 /* a NULL dacl allows access */
117 if ((sd
->type
& SEC_DESC_DACL_PRESENT
) && sd
->dacl
== NULL
) {
118 *access_granted
= access_desired
;
122 /* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */
123 if ((bits_remaining
& (SEC_STD_WRITE_DAC
|SEC_STD_READ_CONTROL
|SEC_STD_DELETE
)) &&
124 security_token_has_sid(token
, sd
->owner_sid
)) {
125 bits_remaining
&= ~(SEC_STD_WRITE_DAC
|SEC_STD_READ_CONTROL
|SEC_STD_DELETE
);
127 if ((bits_remaining
& SEC_RIGHTS_PRIV_RESTORE
) &&
128 security_token_has_privilege(token
, SEC_PRIV_RESTORE
)) {
129 bits_remaining
&= ~(SEC_RIGHTS_PRIV_RESTORE
);
131 if ((bits_remaining
& SEC_RIGHTS_PRIV_BACKUP
) &&
132 security_token_has_privilege(token
, SEC_PRIV_BACKUP
)) {
133 bits_remaining
&= ~(SEC_RIGHTS_PRIV_BACKUP
);
136 if (sd
->dacl
== NULL
) {
140 /* check each ace in turn. */
141 for (i
=0; bits_remaining
&& i
< sd
->dacl
->num_aces
; i
++) {
142 struct security_ace
*ace
= &sd
->dacl
->aces
[i
];
144 if (ace
->flags
& SEC_ACE_FLAG_INHERIT_ONLY
) {
148 if (!security_token_has_sid(token
, &ace
->trustee
)) {
153 case SEC_ACE_TYPE_ACCESS_ALLOWED
:
154 bits_remaining
&= ~ace
->access_mask
;
156 case SEC_ACE_TYPE_ACCESS_DENIED
:
157 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
:
158 if (bits_remaining
& ace
->access_mask
) {
159 return NT_STATUS_ACCESS_DENIED
;
162 default: /* Other ACE types not handled/supported */
168 if (bits_remaining
!= 0) {
169 return NT_STATUS_ACCESS_DENIED
;
175 /* modified access check for the purposes of DS security
176 * Lots of code duplication, it will ve united in just one
177 * function eventually */
179 NTSTATUS
sec_access_check_ds(const struct security_descriptor
*sd
,
180 const struct security_token
*token
,
181 uint32_t access_desired
,
182 uint32_t *access_granted
,
183 struct object_tree
*tree
)
186 uint32_t bits_remaining
;
187 struct object_tree
*node
;
188 const struct GUID
*type
;
190 *access_granted
= access_desired
;
191 bits_remaining
= access_desired
;
193 /* handle the maximum allowed flag */
194 if (access_desired
& SEC_FLAG_MAXIMUM_ALLOWED
) {
195 access_desired
|= access_check_max_allowed(sd
, token
);
196 access_desired
&= ~SEC_FLAG_MAXIMUM_ALLOWED
;
197 *access_granted
= access_desired
;
198 bits_remaining
= access_desired
& ~SEC_STD_DELETE
;
201 if (access_desired
& SEC_FLAG_SYSTEM_SECURITY
) {
202 if (security_token_has_privilege(token
, SEC_PRIV_SECURITY
)) {
203 bits_remaining
&= ~SEC_FLAG_SYSTEM_SECURITY
;
205 return NT_STATUS_PRIVILEGE_NOT_HELD
;
209 /* a NULL dacl allows access */
210 if ((sd
->type
& SEC_DESC_DACL_PRESENT
) && sd
->dacl
== NULL
) {
211 *access_granted
= access_desired
;
215 /* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */
216 if ((bits_remaining
& (SEC_STD_WRITE_DAC
|SEC_STD_READ_CONTROL
|SEC_STD_DELETE
)) &&
217 security_token_has_sid(token
, sd
->owner_sid
)) {
218 bits_remaining
&= ~(SEC_STD_WRITE_DAC
|SEC_STD_READ_CONTROL
|SEC_STD_DELETE
);
220 if ((bits_remaining
& SEC_STD_DELETE
) &&
221 security_token_has_privilege(token
, SEC_PRIV_RESTORE
)) {
222 bits_remaining
&= ~SEC_STD_DELETE
;
225 if (sd
->dacl
== NULL
) {
229 /* check each ace in turn. */
230 for (i
=0; bits_remaining
&& i
< sd
->dacl
->num_aces
; i
++) {
231 struct security_ace
*ace
= &sd
->dacl
->aces
[i
];
233 if (ace
->flags
& SEC_ACE_FLAG_INHERIT_ONLY
) {
237 if (!security_token_has_sid(token
, &ace
->trustee
)) {
242 case SEC_ACE_TYPE_ACCESS_ALLOWED
:
244 object_tree_modify_access(tree
, ace
->access_mask
);
246 bits_remaining
&= ~ace
->access_mask
;
248 case SEC_ACE_TYPE_ACCESS_DENIED
:
249 if (bits_remaining
& ace
->access_mask
) {
250 return NT_STATUS_ACCESS_DENIED
;
253 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
:
254 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
:
255 /* check only in case we have provided a tree,
256 * the ACE has an object type and that type
258 type
= get_ace_object_type(ace
);
266 if (!(node
= get_object_tree_by_GUID(tree
, type
)))
269 if (ace
->type
== SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
) {
270 object_tree_modify_access(node
, ace
->access_mask
);
271 if (node
->remaining_access
== 0) {
276 if (node
->remaining_access
& ace
->access_mask
){
277 return NT_STATUS_ACCESS_DENIED
;
281 default: /* Other ACE types not handled/supported */
287 if (bits_remaining
!= 0) {
288 return NT_STATUS_ACCESS_DENIED
;