2 Unix SMB/CIFS implementation.
4 security access checking routines
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libcli/security/security.h"
26 perform a SEC_FLAG_MAXIMUM_ALLOWED access check
28 static uint32_t access_check_max_allowed(const struct security_descriptor
*sd
,
29 const struct security_token
*token
)
31 uint32_t denied
= 0, granted
= 0;
34 if (security_token_has_sid(token
, sd
->owner_sid
)) {
35 granted
|= SEC_STD_WRITE_DAC
| SEC_STD_READ_CONTROL
| SEC_STD_DELETE
;
36 } else if (security_token_has_privilege(token
, SEC_PRIV_RESTORE
)) {
37 granted
|= SEC_STD_DELETE
;
40 if (sd
->dacl
== NULL
) {
41 return granted
& ~denied
;
44 for (i
= 0;i
<sd
->dacl
->num_aces
; i
++) {
45 struct security_ace
*ace
= &sd
->dacl
->aces
[i
];
47 if (ace
->flags
& SEC_ACE_FLAG_INHERIT_ONLY
) {
51 if (!security_token_has_sid(token
, &ace
->trustee
)) {
56 case SEC_ACE_TYPE_ACCESS_ALLOWED
:
57 granted
|= ace
->access_mask
;
59 case SEC_ACE_TYPE_ACCESS_DENIED
:
60 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
:
61 denied
|= ace
->access_mask
;
63 default: /* Other ACE types not handled/supported */
68 return granted
& ~denied
;
71 static const struct GUID
*get_ace_object_type(struct security_ace
*ace
)
75 if (ace
->object
.object
.flags
& SEC_ACE_OBJECT_TYPE_PRESENT
)
76 type
= &ace
->object
.object
.type
.type
;
77 else if (ace
->object
.object
.flags
& SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
)
78 type
= &ace
->object
.object
.inherited_type
.inherited_type
; /* This doesn't look right. Is something wrong with the IDL? */
87 the main entry point for access checking.
89 NTSTATUS
sec_access_check(const struct security_descriptor
*sd
,
90 const struct security_token
*token
,
91 uint32_t access_desired
,
92 uint32_t *access_granted
)
95 uint32_t bits_remaining
;
97 *access_granted
= access_desired
;
98 bits_remaining
= access_desired
;
100 /* handle the maximum allowed flag */
101 if (access_desired
& SEC_FLAG_MAXIMUM_ALLOWED
) {
102 access_desired
|= access_check_max_allowed(sd
, token
);
103 access_desired
&= ~SEC_FLAG_MAXIMUM_ALLOWED
;
104 *access_granted
= access_desired
;
105 bits_remaining
= access_desired
& ~SEC_STD_DELETE
;
108 if (access_desired
& SEC_FLAG_SYSTEM_SECURITY
) {
109 if (security_token_has_privilege(token
, SEC_PRIV_SECURITY
)) {
110 bits_remaining
&= ~SEC_FLAG_SYSTEM_SECURITY
;
112 return NT_STATUS_PRIVILEGE_NOT_HELD
;
116 /* a NULL dacl allows access */
117 if ((sd
->type
& SEC_DESC_DACL_PRESENT
) && sd
->dacl
== NULL
) {
118 *access_granted
= access_desired
;
122 /* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */
123 if ((bits_remaining
& (SEC_STD_WRITE_DAC
|SEC_STD_READ_CONTROL
|SEC_STD_DELETE
)) &&
124 security_token_has_sid(token
, sd
->owner_sid
)) {
125 bits_remaining
&= ~(SEC_STD_WRITE_DAC
|SEC_STD_READ_CONTROL
|SEC_STD_DELETE
);
127 if ((bits_remaining
& SEC_RIGHTS_PRIV_RESTORE
) &&
128 security_token_has_privilege(token
, SEC_PRIV_RESTORE
)) {
129 bits_remaining
&= ~(SEC_RIGHTS_PRIV_RESTORE
);
131 if ((bits_remaining
& SEC_RIGHTS_PRIV_BACKUP
) &&
132 security_token_has_privilege(token
, SEC_PRIV_BACKUP
)) {
133 bits_remaining
&= ~(SEC_RIGHTS_PRIV_BACKUP
);
136 if (sd
->dacl
== NULL
) {
140 /* check each ace in turn. */
141 for (i
=0; bits_remaining
&& i
< sd
->dacl
->num_aces
; i
++) {
142 struct security_ace
*ace
= &sd
->dacl
->aces
[i
];
144 if (ace
->flags
& SEC_ACE_FLAG_INHERIT_ONLY
) {
148 if (!security_token_has_sid(token
, &ace
->trustee
)) {
153 case SEC_ACE_TYPE_ACCESS_ALLOWED
:
154 bits_remaining
&= ~ace
->access_mask
;
156 case SEC_ACE_TYPE_ACCESS_DENIED
:
157 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
:
158 if (bits_remaining
& ace
->access_mask
) {
159 return NT_STATUS_ACCESS_DENIED
;
162 default: /* Other ACE types not handled/supported */
168 if (bits_remaining
!= 0) {
169 return NT_STATUS_ACCESS_DENIED
;
175 /* modified access check for the purposes of DS security
176 * Lots of code duplication, it will ve united in just one
177 * function eventually */
179 NTSTATUS
sec_access_check_ds(const struct security_descriptor
*sd
,
180 const struct security_token
*token
,
181 uint32_t access_desired
,
182 uint32_t *access_granted
,
183 struct object_tree
*tree
,
184 struct dom_sid
*replace_sid
)
187 uint32_t bits_remaining
;
188 struct object_tree
*node
;
189 const struct GUID
*type
;
190 struct dom_sid
*ps_sid
= dom_sid_parse_talloc(NULL
, SID_NT_SELF
);
192 *access_granted
= access_desired
;
193 bits_remaining
= access_desired
;
195 /* handle the maximum allowed flag */
196 if (access_desired
& SEC_FLAG_MAXIMUM_ALLOWED
) {
197 access_desired
|= access_check_max_allowed(sd
, token
);
198 access_desired
&= ~SEC_FLAG_MAXIMUM_ALLOWED
;
199 *access_granted
= access_desired
;
200 bits_remaining
= access_desired
& ~SEC_STD_DELETE
;
203 if (access_desired
& SEC_FLAG_SYSTEM_SECURITY
) {
204 if (security_token_has_privilege(token
, SEC_PRIV_SECURITY
)) {
205 bits_remaining
&= ~SEC_FLAG_SYSTEM_SECURITY
;
207 return NT_STATUS_PRIVILEGE_NOT_HELD
;
211 /* a NULL dacl allows access */
212 if ((sd
->type
& SEC_DESC_DACL_PRESENT
) && sd
->dacl
== NULL
) {
213 *access_granted
= access_desired
;
217 /* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */
218 if ((bits_remaining
& (SEC_STD_WRITE_DAC
|SEC_STD_READ_CONTROL
|SEC_STD_DELETE
)) &&
219 security_token_has_sid(token
, sd
->owner_sid
)) {
220 bits_remaining
&= ~(SEC_STD_WRITE_DAC
|SEC_STD_READ_CONTROL
|SEC_STD_DELETE
);
222 if ((bits_remaining
& SEC_STD_DELETE
) &&
223 security_token_has_privilege(token
, SEC_PRIV_RESTORE
)) {
224 bits_remaining
&= ~SEC_STD_DELETE
;
227 if (sd
->dacl
== NULL
) {
231 /* check each ace in turn. */
232 for (i
=0; bits_remaining
&& i
< sd
->dacl
->num_aces
; i
++) {
233 struct dom_sid
*trustee
;
234 struct security_ace
*ace
= &sd
->dacl
->aces
[i
];
236 if (ace
->flags
& SEC_ACE_FLAG_INHERIT_ONLY
) {
239 if (dom_sid_equal(&ace
->trustee
, ps_sid
) && replace_sid
) {
240 trustee
= replace_sid
;
244 trustee
= &ace
->trustee
;
246 if (!security_token_has_sid(token
, trustee
)) {
251 case SEC_ACE_TYPE_ACCESS_ALLOWED
:
253 object_tree_modify_access(tree
, ace
->access_mask
);
255 bits_remaining
&= ~ace
->access_mask
;
257 case SEC_ACE_TYPE_ACCESS_DENIED
:
258 if (bits_remaining
& ace
->access_mask
) {
259 return NT_STATUS_ACCESS_DENIED
;
262 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
:
263 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
:
264 /* check only in case we have provided a tree,
265 * the ACE has an object type and that type
267 type
= get_ace_object_type(ace
);
275 if (!(node
= get_object_tree_by_GUID(tree
, type
)))
278 if (ace
->type
== SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
) {
279 object_tree_modify_access(node
, ace
->access_mask
);
280 if (node
->remaining_access
== 0) {
285 if (node
->remaining_access
& ace
->access_mask
){
286 return NT_STATUS_ACCESS_DENIED
;
290 default: /* Other ACE types not handled/supported */
296 if (bits_remaining
!= 0) {
297 return NT_STATUS_ACCESS_DENIED
;