search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dsdb-acl: Pass the structural objectClass into acl_check_access_on_attribute
[Samba/gbeck.git] / source4 / dsdb / samdb / ldb_modules / acl_read.c
blob07b1bc4e5e02f988ec331b7bd762322e3fde15bb
1 /*
2 ldb database library
3
4 Copyright (C) Simo Sorce 2006-2008
5 Copyright (C) Nadezhda Ivanova 2010
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 /*
22 * Name: ldb
23 *
24 * Component: ldb ACL Read module
25 *
26 * Description: Module that performs authorisation access checks on read requests
27 * Only DACL checks implemented at this point
28 *
29 * Author: Nadezhda Ivanova
30 */
31
32 #include "includes.h"
33 #include "ldb_module.h"
34 #include "auth/auth.h"
35 #include "libcli/security/security.h"
36 #include "dsdb/samdb/samdb.h"
37 #include "librpc/gen_ndr/ndr_security.h"
38 #include "param/param.h"
39 #include "dsdb/samdb/ldb_modules/util.h"
40
41
42 struct aclread_context {
43 struct ldb_module *module;
44 struct ldb_request *req;
45 const char * const *attrs;
46 const struct dsdb_schema *schema;
47 uint32_t sd_flags;
48 bool added_nTSecurityDescriptor;
49 bool added_instanceType;
50 bool added_objectSid;
51 bool added_objectClass;
52 bool indirsync;
53 };
54
55 struct aclread_private {
56 bool enabled;
57 };
58
59 static void aclread_mark_inaccesslible(struct ldb_message_element *el) {
60 el->flags |= LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE;
61 }
62
63 static bool aclread_is_inaccessible(struct ldb_message_element *el) {
64 return el->flags & LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE;
65 }
66
67 static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
68 {
69 struct ldb_context *ldb;
70 struct aclread_context *ac;
71 struct ldb_message *ret_msg;
72 struct ldb_message *msg;
73 int ret, num_of_attrs = 0;
74 unsigned int i, k = 0;
75 struct security_descriptor *sd;
76 struct dom_sid *sid = NULL;
77 TALLOC_CTX *tmp_ctx;
78 uint32_t instanceType;
79 const struct dsdb_class *objectclass;
80
81 ac = talloc_get_type(req->context, struct aclread_context);
82 ldb = ldb_module_get_ctx(ac->module);
83 if (!ares) {
84 return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR );
85 }
86 if (ares->error != LDB_SUCCESS) {
87 return ldb_module_done(ac->req, ares->controls,
88 ares->response, ares->error);
89 }
90 tmp_ctx = talloc_new(ac);
91 switch (ares->type) {
92 case LDB_REPLY_ENTRY:
93 msg = ares->message;
94 ret = dsdb_get_sd_from_ldb_message(ldb, tmp_ctx, msg, &sd);
95 if (ret != LDB_SUCCESS || sd == NULL ) {
96 ldb_debug_set(ldb, LDB_DEBUG_FATAL,
97 "acl_read: cannot get descriptor of %s\n",
98 ldb_dn_get_linearized(msg->dn));
99 ret = LDB_ERR_OPERATIONS_ERROR;
100 goto fail;
101 }
102 /*
103 * Get the most specific structural object class for the ACL check
104 */
105 objectclass = dsdb_get_structural_oc_from_msg(ac->schema, msg);
106 if (objectclass == NULL) {
107 ldb_asprintf_errstring(ldb, "acl_read: Failed to find a structural class for %s",
108 ldb_dn_get_linearized(msg->dn));
109 ret = LDB_ERR_OPERATIONS_ERROR;
110 goto fail;
111 }
112
113 sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
114 /* get the object instance type */
115 instanceType = ldb_msg_find_attr_as_uint(msg,
116 "instanceType", 0);
117 if (!ldb_dn_is_null(msg->dn) && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
118 {
119 /* the object has a parent, so we have to check for visibility */
120 struct ldb_dn *parent_dn = ldb_dn_get_parent(tmp_ctx, msg->dn);
121
122 ret = dsdb_module_check_access_on_dn(ac->module,
123 tmp_ctx,
124 parent_dn,
125 SEC_ADS_LIST,
126 NULL, req);
127 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
128 talloc_free(tmp_ctx);
129 return LDB_SUCCESS;
130 } else if (ret != LDB_SUCCESS) {
131 ldb_debug_set(ldb, LDB_DEBUG_FATAL,
132 "acl_read: %s check parent %s - %s\n",
133 ldb_dn_get_linearized(msg->dn),
134 ldb_strerror(ret),
135 ldb_errstring(ldb));
136 goto fail;
137 }
138 }
139
140 /* for every element in the message check RP */
141 for (i=0; i < msg->num_elements; i++) {
142 const struct dsdb_attribute *attr;
143 bool is_sd, is_objectsid, is_instancetype, is_objectclass;
144 uint32_t access_mask;
145 attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
146 msg->elements[i].name);
147 if (!attr) {
148 ldb_debug_set(ldb, LDB_DEBUG_FATAL,
149 "acl_read: %s cannot find attr[%s] in of schema\n",
150 ldb_dn_get_linearized(msg->dn),
151 msg->elements[i].name);
152 ret = LDB_ERR_OPERATIONS_ERROR;
153 goto fail;
154 }
155 is_sd = ldb_attr_cmp("nTSecurityDescriptor",
156 msg->elements[i].name) == 0;
157 is_objectsid = ldb_attr_cmp("objectSid",
158 msg->elements[i].name) == 0;
159 is_instancetype = ldb_attr_cmp("instanceType",
160 msg->elements[i].name) == 0;
161 is_objectclass = ldb_attr_cmp("objectClass",
162 msg->elements[i].name) == 0;
163 /* these attributes were added to perform access checks and must be removed */
164 if (is_objectsid && ac->added_objectSid) {
165 aclread_mark_inaccesslible(&msg->elements[i]);
166 continue;
167 }
168 if (is_instancetype && ac->added_instanceType) {
169 aclread_mark_inaccesslible(&msg->elements[i]);
170 continue;
171 }
172 if (is_objectclass && ac->added_objectClass) {
173 aclread_mark_inaccesslible(&msg->elements[i]);
174 continue;
175 }
176 if (is_sd && ac->added_nTSecurityDescriptor) {
177 aclread_mark_inaccesslible(&msg->elements[i]);
178 continue;
179 }
180 /* nTSecurityDescriptor is a special case */
181 if (is_sd) {
182 access_mask = 0;
183
184 if (ac->sd_flags & (SECINFO_OWNER|SECINFO_GROUP)) {
185 access_mask |= SEC_STD_READ_CONTROL;
186 }
187 if (ac->sd_flags & SECINFO_DACL) {
188 access_mask |= SEC_STD_READ_CONTROL;
189 }
190 if (ac->sd_flags & SECINFO_SACL) {
191 access_mask |= SEC_FLAG_SYSTEM_SECURITY;
192 }
193 } else {
194 access_mask = SEC_ADS_READ_PROP;
195 }
196
197 if (attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL) {
198 access_mask |= SEC_ADS_CONTROL_ACCESS;
199 }
200
201 if (access_mask == 0) {
202 aclread_mark_inaccesslible(&msg->elements[i]);
203 continue;
204 }
205
206 ret = acl_check_access_on_attribute(ac->module,
207 tmp_ctx,
208 sd,
209 sid,
210 access_mask,
211 attr,
212 objectclass);
213
214 /*
215 * Dirsync control needs the replpropertymetadata attribute
216 * so return it as it will be removed by the control
217 * in anycase.
218 */
219 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
220 if (!ac->indirsync) {
221 /*
222 * do not return this entry if attribute is
223 * part of the search filter
224 */
225 if (dsdb_attr_in_parse_tree(ac->req->op.search.tree,
226 msg->elements[i].name)) {
227 talloc_free(tmp_ctx);
228 return LDB_SUCCESS;
229 }
230 aclread_mark_inaccesslible(&msg->elements[i]);
231 } else {
232 /*
233 * We are doing dirysnc answers
234 * and the object shouldn't be returned (normally)
235 * but we will return it without replPropertyMetaData
236 * so that the dirysync module will do what is needed
237 * (remove the object if it is not deleted, or return
238 * just the objectGUID if it's deleted).
239 */
240 if (dsdb_attr_in_parse_tree(ac->req->op.search.tree,
241 msg->elements[i].name)) {
242 ldb_msg_remove_attr(msg, "replPropertyMetaData");
243 break;
244 } else {
245 aclread_mark_inaccesslible(&msg->elements[i]);
246 }
247 }
248 } else if (ret != LDB_SUCCESS) {
249 ldb_debug_set(ldb, LDB_DEBUG_FATAL,
250 "acl_read: %s check attr[%s] gives %s - %s\n",
251 ldb_dn_get_linearized(msg->dn),
252 msg->elements[i].name,
253 ldb_strerror(ret),
254 ldb_errstring(ldb));
255 goto fail;
256 }
257 }
258 for (i=0; i < msg->num_elements; i++) {
259 if (!aclread_is_inaccessible(&msg->elements[i])) {
260 num_of_attrs++;
261 }
262 }
263 /*create a new message to return*/
264 ret_msg = ldb_msg_new(ac->req);
265 ret_msg->dn = msg->dn;
266 talloc_steal(ret_msg, msg->dn);
267 ret_msg->num_elements = num_of_attrs;
268 if (num_of_attrs > 0) {
269 ret_msg->elements = talloc_array(ret_msg,
270 struct ldb_message_element,
271 num_of_attrs);
272 if (ret_msg->elements == NULL) {
273 return ldb_oom(ldb);
274 }
275 for (i=0; i < msg->num_elements; i++) {
276 bool to_remove = aclread_is_inaccessible(&msg->elements[i]);
277 if (!to_remove) {
278 ret_msg->elements[k] = msg->elements[i];
279 talloc_steal(ret_msg->elements, msg->elements[i].name);
280 talloc_steal(ret_msg->elements, msg->elements[i].values);
281 k++;
282 }
283 }
284 /*
285 * This should not be needed, but some modules
286 * may allocate values on the wrong context...
287 */
288 talloc_steal(ret_msg->elements, msg);
289 } else {
290 ret_msg->elements = NULL;
291 }
292 talloc_free(tmp_ctx);
293
294 return ldb_module_send_entry(ac->req, ret_msg, ares->controls);
295 case LDB_REPLY_REFERRAL:
296 return ldb_module_send_referral(ac->req, ares->referral);
297 case LDB_REPLY_DONE:
298 return ldb_module_done(ac->req, ares->controls,
299 ares->response, LDB_SUCCESS);
300
301 }
302 return LDB_SUCCESS;
303 fail:
304 talloc_free(tmp_ctx);
305 return ldb_module_done(ac->req, NULL, NULL, ret);
306 }
307
308
309 static int aclread_search(struct ldb_module *module, struct ldb_request *req)
310 {
311 struct ldb_context *ldb;
312 int ret;
313 struct aclread_context *ac;
314 struct ldb_request *down_req;
315 struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
316 uint32_t flags = ldb_req_get_custom_flags(req);
317 struct ldb_result *res;
318 struct aclread_private *p;
319 bool need_sd = false;
320 bool explicit_sd_flags = false;
321 bool is_untrusted = ldb_req_is_untrusted(req);
322 static const char * const _all_attrs[] = { "*", NULL };
323 bool all_attrs = false;
324 const char * const *attrs = NULL;
325 uint32_t instanceType;
326 static const char *acl_attrs[] = {
327 "instanceType",
328 NULL
329 };
330
331 ldb = ldb_module_get_ctx(module);
332 p = talloc_get_type(ldb_module_get_private(module), struct aclread_private);
333
334 /* skip access checks if we are system or system control is supplied
335 * or this is not LDAP server request */
336 if (!p || !p->enabled ||
337 dsdb_module_am_system(module)
338 || as_system || !is_untrusted) {
339 return ldb_next_request(module, req);
340 }
341 /* no checks on special dn */
342 if (ldb_dn_is_special(req->op.search.base)) {
343 return ldb_next_request(module, req);
344 }
345
346 /* check accessibility of base */
347 if (!ldb_dn_is_null(req->op.search.base)) {
348 ret = dsdb_module_search_dn(module, req, &res, req->op.search.base,
349 acl_attrs,
350 DSDB_FLAG_NEXT_MODULE |
351 DSDB_FLAG_AS_SYSTEM |
352 DSDB_SEARCH_SHOW_RECYCLED,
353 req);
354 if (ret != LDB_SUCCESS) {
355 return ldb_error(ldb, ret,
356 "acl_read: Error retrieving instanceType for base.");
357 }
358 instanceType = ldb_msg_find_attr_as_uint(res->msgs[0],
359 "instanceType", 0);
360 if (instanceType != 0 && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
361 {
362 /* the object has a parent, so we have to check for visibility */
363 struct ldb_dn *parent_dn = ldb_dn_get_parent(req, req->op.search.base);
364 ret = dsdb_module_check_access_on_dn(module,
365 req,
366 parent_dn,
367 SEC_ADS_LIST,
368 NULL, req);
369 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
370 return ldb_module_done(req, NULL, NULL, LDB_ERR_NO_SUCH_OBJECT);
371 } else if (ret != LDB_SUCCESS) {
372 return ldb_module_done(req, NULL, NULL, ret);
373 }
374 }
375 }
376 ac = talloc_zero(req, struct aclread_context);
377 if (ac == NULL) {
378 return ldb_oom(ldb);
379 }
380 ac->module = module;
381 ac->req = req;
382 ac->schema = dsdb_get_schema(ldb, req);
383 if (flags & DSDB_ACL_CHECKS_DIRSYNC_FLAG) {
384 ac->indirsync = true;
385 } else {
386 ac->indirsync = false;
387 }
388 if (!ac->schema) {
389 return ldb_operr(ldb);
390 }
391
392 attrs = req->op.search.attrs;
393 if (attrs == NULL) {
394 all_attrs = true;
395 attrs = _all_attrs;
396 } else if (attrs[0] == NULL) {
397 all_attrs = true;
398 attrs = _all_attrs;
399 } else if (ldb_attr_in_list(attrs, "*")) {
400 all_attrs = true;
401 }
402
403 /*
404 * In theory we should also check for the SD control but control verification is
405 * expensive so we'd better had the ntsecuritydescriptor to the list of
406 * searched attribute and then remove it !
407 */
408 ac->sd_flags = dsdb_request_sd_flags(ac->req, &explicit_sd_flags);
409
410 if (ldb_attr_in_list(attrs, "nTSecurityDescriptor")) {
411 need_sd = false;
412 } else if (explicit_sd_flags && all_attrs) {
413 need_sd = false;
414 } else {
415 need_sd = true;
416 }
417
418 if (!all_attrs) {
419 if (!ldb_attr_in_list(attrs, "instanceType")) {
420 attrs = ldb_attr_list_copy_add(ac, attrs, "instanceType");
421 if (attrs == NULL) {
422 return ldb_oom(ldb);
423 }
424 ac->added_instanceType = true;
425 }
426 if (!ldb_attr_in_list(req->op.search.attrs, "objectSid")) {
427 attrs = ldb_attr_list_copy_add(ac, attrs, "objectSid");
428 if (attrs == NULL) {
429 return ldb_oom(ldb);
430 }
431 ac->added_objectSid = true;
432 }
433 if (!ldb_attr_in_list(req->op.search.attrs, "objectClass")) {
434 attrs = ldb_attr_list_copy_add(ac, attrs, "objectClass");
435 if (attrs == NULL) {
436 return ldb_oom(ldb);
437 }
438 ac->added_objectClass = true;
439 }
440 }
441
442 if (need_sd) {
443 attrs = ldb_attr_list_copy_add(ac, attrs, "nTSecurityDescriptor");
444 if (attrs == NULL) {
445 return ldb_oom(ldb);
446 }
447 ac->added_nTSecurityDescriptor = true;
448 }
449
450 ac->attrs = req->op.search.attrs;
451 ret = ldb_build_search_req_ex(&down_req,
452 ldb, ac,
453 req->op.search.base,
454 req->op.search.scope,
455 req->op.search.tree,
456 attrs,
457 req->controls,
458 ac, aclread_callback,
459 req);
460
461 if (ret != LDB_SUCCESS) {
462 return LDB_ERR_OPERATIONS_ERROR;
463 }
464
465 return ldb_next_request(module, down_req);
466 }
467
468 static int aclread_init(struct ldb_module *module)
469 {
470 struct ldb_context *ldb = ldb_module_get_ctx(module);
471 struct aclread_private *p = talloc_zero(module, struct aclread_private);
472 if (p == NULL) {
473 return ldb_module_oom(module);
474 }
475 p->enabled = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"), NULL, "acl", "search", true);
476 ldb_module_set_private(module, p);
477 return ldb_next_init(module);
478 }
479
480 static const struct ldb_module_ops ldb_aclread_module_ops = {
481 .name = "aclread",
482 .search = aclread_search,
483 .init_context = aclread_init
484 };
485
486 int ldb_aclread_module_init(const char *version)
487 {
488 LDB_MODULE_CHECK_VERSION(version);
489 return ldb_register_module(&ldb_aclread_module_ops);
490 }
WIP