search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
lib/util: remove data_blob_talloc_reference()
[Samba/fernandojvsilva.git] / source4 / libcli / security / access_check.c
blob19fb160d58043c18572659d4098a347aa1662c0a
1 /*
2 Unix SMB/CIFS implementation.
3
4 security access checking routines
5
6 Copyright (C) Andrew Tridgell 2004
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "libcli/security/security.h"
24
25 /*
26 perform a SEC_FLAG_MAXIMUM_ALLOWED access check
27 */
28 static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
29 const struct security_token *token)
30 {
31 uint32_t denied = 0, granted = 0;
32 unsigned i;
33
34 if (security_token_has_sid(token, sd->owner_sid)) {
35 granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_STD_DELETE;
36 } else if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
37 granted |= SEC_STD_DELETE;
38 }
39
40 if (sd->dacl == NULL) {
41 return granted & ~denied;
42 }
43
44 for (i = 0;i<sd->dacl->num_aces; i++) {
45 struct security_ace *ace = &sd->dacl->aces[i];
46
47 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
48 continue;
49 }
50
51 if (!security_token_has_sid(token, &ace->trustee)) {
52 continue;
53 }
54
55 switch (ace->type) {
56 case SEC_ACE_TYPE_ACCESS_ALLOWED:
57 granted |= ace->access_mask;
58 break;
59 case SEC_ACE_TYPE_ACCESS_DENIED:
60 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
61 denied |= ace->access_mask;
62 break;
63 default: /* Other ACE types not handled/supported */
64 break;
65 }
66 }
67
68 return granted & ~denied;
69 }
70
71 static const struct GUID *get_ace_object_type(struct security_ace *ace)
72 {
73 struct GUID *type;
74
75 if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT)
76 type = &ace->object.object.type.type;
77 else if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)
78 type = &ace->object.object.inherited_type.inherited_type; /* This doesn't look right. Is something wrong with the IDL? */
79 else
80 type = NULL;
81
82 return type;
83
84 }
85
86 /*
87 the main entry point for access checking.
88 */
89 NTSTATUS sec_access_check(const struct security_descriptor *sd,
90 const struct security_token *token,
91 uint32_t access_desired,
92 uint32_t *access_granted)
93 {
94 int i;
95 uint32_t bits_remaining;
96
97 *access_granted = access_desired;
98 bits_remaining = access_desired;
99
100 /* handle the maximum allowed flag */
101 if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
102 access_desired |= access_check_max_allowed(sd, token);
103 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
104 *access_granted = access_desired;
105 bits_remaining = access_desired & ~SEC_STD_DELETE;
106 }
107
108 if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
109 if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
110 bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
111 } else {
112 return NT_STATUS_PRIVILEGE_NOT_HELD;
113 }
114 }
115
116 /* a NULL dacl allows access */
117 if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
118 *access_granted = access_desired;
119 return NT_STATUS_OK;
120 }
121
122 /* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */
123 if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) &&
124 security_token_has_sid(token, sd->owner_sid)) {
125 bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE);
126 }
127 if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
128 security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
129 bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
130 }
131 if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
132 security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
133 bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
134 }
135
136 if (sd->dacl == NULL) {
137 goto done;
138 }
139
140 /* check each ace in turn. */
141 for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
142 struct security_ace *ace = &sd->dacl->aces[i];
143
144 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
145 continue;
146 }
147
148 if (!security_token_has_sid(token, &ace->trustee)) {
149 continue;
150 }
151
152 switch (ace->type) {
153 case SEC_ACE_TYPE_ACCESS_ALLOWED:
154 bits_remaining &= ~ace->access_mask;
155 break;
156 case SEC_ACE_TYPE_ACCESS_DENIED:
157 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
158 if (bits_remaining & ace->access_mask) {
159 return NT_STATUS_ACCESS_DENIED;
160 }
161 break;
162 default: /* Other ACE types not handled/supported */
163 break;
164 }
165 }
166
167 done:
168 if (bits_remaining != 0) {
169 return NT_STATUS_ACCESS_DENIED;
170 }
171
172 return NT_STATUS_OK;
173 }
174
175 /* modified access check for the purposes of DS security
176 * Lots of code duplication, it will ve united in just one
177 * function eventually */
178
179 NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
180 const struct security_token *token,
181 uint32_t access_desired,
182 uint32_t *access_granted,
183 struct object_tree *tree,
184 struct dom_sid *replace_sid)
185 {
186 int i;
187 uint32_t bits_remaining;
188 struct object_tree *node;
189 const struct GUID *type;
190 struct dom_sid *ps_sid = dom_sid_parse_talloc(NULL, SID_NT_SELF);
191
192 *access_granted = access_desired;
193 bits_remaining = access_desired;
194
195 /* handle the maximum allowed flag */
196 if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
197 access_desired |= access_check_max_allowed(sd, token);
198 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
199 *access_granted = access_desired;
200 bits_remaining = access_desired & ~SEC_STD_DELETE;
201 }
202
203 if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
204 if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
205 bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
206 } else {
207 return NT_STATUS_PRIVILEGE_NOT_HELD;
208 }
209 }
210
211 /* a NULL dacl allows access */
212 if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
213 *access_granted = access_desired;
214 return NT_STATUS_OK;
215 }
216
217 /* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */
218 if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) &&
219 security_token_has_sid(token, sd->owner_sid)) {
220 bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE);
221 }
222 if ((bits_remaining & SEC_STD_DELETE) &&
223 security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
224 bits_remaining &= ~SEC_STD_DELETE;
225 }
226
227 if (sd->dacl == NULL) {
228 goto done;
229 }
230
231 /* check each ace in turn. */
232 for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
233 struct dom_sid *trustee;
234 struct security_ace *ace = &sd->dacl->aces[i];
235
236 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
237 continue;
238 }
239 if (dom_sid_equal(&ace->trustee, ps_sid) && replace_sid) {
240 trustee = replace_sid;
241 }
242 else
243 {
244 trustee = &ace->trustee;
245 }
246 if (!security_token_has_sid(token, trustee)) {
247 continue;
248 }
249
250 switch (ace->type) {
251 case SEC_ACE_TYPE_ACCESS_ALLOWED:
252 if (tree)
253 object_tree_modify_access(tree, ace->access_mask);
254
255 bits_remaining &= ~ace->access_mask;
256 break;
257 case SEC_ACE_TYPE_ACCESS_DENIED:
258 if (bits_remaining & ace->access_mask) {
259 return NT_STATUS_ACCESS_DENIED;
260 }
261 break;
262 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
263 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
264 /* check only in case we have provided a tree,
265 * the ACE has an object type and that type
266 * is in the tree */
267 type = get_ace_object_type(ace);
268
269 if (!tree)
270 continue;
271
272 if (!type)
273 node = tree;
274 else
275 if (!(node = get_object_tree_by_GUID(tree, type)))
276 continue;
277
278 if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
279 object_tree_modify_access(node, ace->access_mask);
280 if (node->remaining_access == 0) {
281 return NT_STATUS_OK;
282 }
283 }
284 else {
285 if (node->remaining_access & ace->access_mask){
286 return NT_STATUS_ACCESS_DENIED;
287 }
288 }
289 break;
290 default: /* Other ACE types not handled/supported */
291 break;
292 }
293 }
294
295 done:
296 if (bits_remaining != 0) {
297 return NT_STATUS_ACCESS_DENIED;
298 }
299
300 return NT_STATUS_OK;
301 }
302
303
304
305
fernandojvsilva's samba4 branch