search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:dsdb/acl_read: keep the ldb_message of the sub search (bug #9470)
[Samba/gebeck_regimport.git] / source4 / dsdb / samdb / ldb_modules / acl_read.c
blob0b0f3636609ee711eccd3fe9b214c30be7f6c091
1 /*
2 ldb database library
3
4 Copyright (C) Simo Sorce 2006-2008
5 Copyright (C) Nadezhda Ivanova 2010
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 /*
22 * Name: ldb
23 *
24 * Component: ldb ACL Read module
25 *
26 * Description: Module that performs authorisation access checks on read requests
27 * Only DACL checks implemented at this point
28 *
29 * Author: Nadezhda Ivanova
30 */
31
32 #include "includes.h"
33 #include "ldb_module.h"
34 #include "auth/auth.h"
35 #include "libcli/security/security.h"
36 #include "dsdb/samdb/samdb.h"
37 #include "librpc/gen_ndr/ndr_security.h"
38 #include "param/param.h"
39 #include "dsdb/samdb/ldb_modules/util.h"
40
41
42 struct aclread_context {
43 struct ldb_module *module;
44 struct ldb_request *req;
45 const char * const *attrs;
46 const struct dsdb_schema *schema;
47 uint32_t sd_flags;
48 bool sd;
49 bool instance_type;
50 bool object_sid;
51 bool indirsync;
52 };
53
54 struct aclread_private {
55 bool enabled;
56 };
57
58 static void aclread_mark_inaccesslible(struct ldb_message_element *el) {
59 el->flags |= LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE;
60 }
61
62 static bool aclread_is_inaccessible(struct ldb_message_element *el) {
63 return el->flags & LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE;
64 }
65
66 static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
67 {
68 struct ldb_context *ldb;
69 struct aclread_context *ac;
70 struct ldb_message *ret_msg;
71 struct ldb_message *msg;
72 int ret, num_of_attrs = 0;
73 unsigned int i, k = 0;
74 struct security_descriptor *sd;
75 struct dom_sid *sid = NULL;
76 TALLOC_CTX *tmp_ctx;
77 uint32_t instanceType;
78
79 ac = talloc_get_type(req->context, struct aclread_context);
80 ldb = ldb_module_get_ctx(ac->module);
81 if (!ares) {
82 return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR );
83 }
84 if (ares->error != LDB_SUCCESS) {
85 return ldb_module_done(ac->req, ares->controls,
86 ares->response, ares->error);
87 }
88 tmp_ctx = talloc_new(ac);
89 switch (ares->type) {
90 case LDB_REPLY_ENTRY:
91 msg = ares->message;
92 ret = dsdb_get_sd_from_ldb_message(ldb, tmp_ctx, msg, &sd);
93 if (ret != LDB_SUCCESS || sd == NULL ) {
94 DEBUG(10, ("acl_read: cannot get descriptor\n"));
95 ret = LDB_ERR_OPERATIONS_ERROR;
96 goto fail;
97 }
98 sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
99 /* get the object instance type */
100 instanceType = ldb_msg_find_attr_as_uint(msg,
101 "instanceType", 0);
102 if (!ldb_dn_is_null(msg->dn) && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
103 {
104 /* the object has a parent, so we have to check for visibility */
105 struct ldb_dn *parent_dn = ldb_dn_get_parent(tmp_ctx, msg->dn);
106
107 ret = dsdb_module_check_access_on_dn(ac->module,
108 tmp_ctx,
109 parent_dn,
110 SEC_ADS_LIST,
111 NULL, req);
112 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
113 talloc_free(tmp_ctx);
114 return LDB_SUCCESS;
115 } else if (ret != LDB_SUCCESS) {
116 goto fail;
117 }
118 }
119 /* for every element in the message check RP */
120 for (i=0; i < msg->num_elements; i++) {
121 const struct dsdb_attribute *attr;
122 bool is_sd, is_objectsid, is_instancetype;
123 uint32_t access_mask;
124 attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
125 msg->elements[i].name);
126 if (!attr) {
127 DEBUG(2, ("acl_read: cannot find attribute %s in schema\n",
128 msg->elements[i].name));
129 ret = LDB_ERR_OPERATIONS_ERROR;
130 goto fail;
131 }
132 is_sd = ldb_attr_cmp("nTSecurityDescriptor",
133 msg->elements[i].name) == 0;
134 is_objectsid = ldb_attr_cmp("objectSid",
135 msg->elements[i].name) == 0;
136 is_instancetype = ldb_attr_cmp("instanceType",
137 msg->elements[i].name) == 0;
138 /* these attributes were added to perform access checks and must be removed */
139 if (is_objectsid && ac->object_sid) {
140 aclread_mark_inaccesslible(&msg->elements[i]);
141 continue;
142 }
143 if (is_instancetype && ac->instance_type) {
144 aclread_mark_inaccesslible(&msg->elements[i]);
145 continue;
146 }
147 if (is_sd && ac->sd) {
148 aclread_mark_inaccesslible(&msg->elements[i]);
149 continue;
150 }
151 /* nTSecurityDescriptor is a special case */
152 if (is_sd) {
153 access_mask = 0;
154
155 if (ac->sd_flags & (SECINFO_OWNER|SECINFO_GROUP)) {
156 access_mask |= SEC_STD_READ_CONTROL;
157 }
158 if (ac->sd_flags & SECINFO_DACL) {
159 access_mask |= SEC_STD_READ_CONTROL;
160 }
161 if (ac->sd_flags & SECINFO_SACL) {
162 access_mask |= SEC_FLAG_SYSTEM_SECURITY;
163 }
164 } else {
165 access_mask = SEC_ADS_READ_PROP;
166 }
167
168 if (attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL) {
169 access_mask |= SEC_ADS_CONTROL_ACCESS;
170 }
171
172 if (access_mask == 0) {
173 aclread_mark_inaccesslible(&msg->elements[i]);
174 continue;
175 }
176
177 ret = acl_check_access_on_attribute(ac->module,
178 tmp_ctx,
179 sd,
180 sid,
181 access_mask,
182 attr);
183
184 /*
185 * Dirsync control needs the replpropertymetadata attribute
186 * so return it as it will be removed by the control
187 * in anycase.
188 */
189 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
190 if (!ac->indirsync) {
191 /*
192 * do not return this entry if attribute is
193 * part of the search filter
194 */
195 if (dsdb_attr_in_parse_tree(ac->req->op.search.tree,
196 msg->elements[i].name)) {
197 talloc_free(tmp_ctx);
198 return LDB_SUCCESS;
199 }
200 aclread_mark_inaccesslible(&msg->elements[i]);
201 } else {
202 /*
203 * We are doing dirysnc answers
204 * and the object shouldn't be returned (normally)
205 * but we will return it without replPropertyMetaData
206 * so that the dirysync module will do what is needed
207 * (remove the object if it is not deleted, or return
208 * just the objectGUID if it's deleted).
209 */
210 if (dsdb_attr_in_parse_tree(ac->req->op.search.tree,
211 msg->elements[i].name)) {
212 ldb_msg_remove_attr(msg, "replPropertyMetaData");
213 break;
214 } else {
215 aclread_mark_inaccesslible(&msg->elements[i]);
216 }
217 }
218 } else if (ret != LDB_SUCCESS) {
219 goto fail;
220 }
221 }
222 for (i=0; i < msg->num_elements; i++) {
223 if (!aclread_is_inaccessible(&msg->elements[i])) {
224 num_of_attrs++;
225 }
226 }
227 /*create a new message to return*/
228 ret_msg = ldb_msg_new(ac->req);
229 ret_msg->dn = msg->dn;
230 talloc_steal(ret_msg, msg->dn);
231 ret_msg->num_elements = num_of_attrs;
232 if (num_of_attrs > 0) {
233 ret_msg->elements = talloc_array(ret_msg,
234 struct ldb_message_element,
235 num_of_attrs);
236 if (ret_msg->elements == NULL) {
237 return ldb_oom(ldb);
238 }
239 for (i=0; i < msg->num_elements; i++) {
240 bool to_remove = aclread_is_inaccessible(&msg->elements[i]);
241 if (!to_remove) {
242 ret_msg->elements[k] = msg->elements[i];
243 talloc_steal(ret_msg->elements, msg->elements[i].name);
244 talloc_steal(ret_msg->elements, msg->elements[i].values);
245 k++;
246 }
247 }
248 /*
249 * This should not be needed, but some modules
250 * may allocate values on the wrong context...
251 */
252 talloc_steal(ret_msg->elements, msg);
253 } else {
254 ret_msg->elements = NULL;
255 }
256 talloc_free(tmp_ctx);
257
258 return ldb_module_send_entry(ac->req, ret_msg, ares->controls);
259 case LDB_REPLY_REFERRAL:
260 return ldb_module_send_referral(ac->req, ares->referral);
261 case LDB_REPLY_DONE:
262 return ldb_module_done(ac->req, ares->controls,
263 ares->response, LDB_SUCCESS);
264
265 }
266 return LDB_SUCCESS;
267 fail:
268 talloc_free(tmp_ctx);
269 return ldb_module_done(ac->req, NULL, NULL, ret);
270 }
271
272
273 static int aclread_search(struct ldb_module *module, struct ldb_request *req)
274 {
275 struct ldb_context *ldb;
276 int ret;
277 struct aclread_context *ac;
278 struct ldb_request *down_req;
279 struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
280 uint32_t flags = ldb_req_get_custom_flags(req);
281 struct ldb_result *res;
282 struct aclread_private *p;
283 bool is_untrusted = ldb_req_is_untrusted(req);
284 const char * const *attrs = NULL;
285 uint32_t instanceType;
286 static const char *acl_attrs[] = {
287 "instanceType",
288 NULL
289 };
290
291 ldb = ldb_module_get_ctx(module);
292 p = talloc_get_type(ldb_module_get_private(module), struct aclread_private);
293
294 /* skip access checks if we are system or system control is supplied
295 * or this is not LDAP server request */
296 if (!p || !p->enabled ||
297 dsdb_module_am_system(module)
298 || as_system || !is_untrusted) {
299 return ldb_next_request(module, req);
300 }
301 /* no checks on special dn */
302 if (ldb_dn_is_special(req->op.search.base)) {
303 return ldb_next_request(module, req);
304 }
305
306 /* check accessibility of base */
307 if (!ldb_dn_is_null(req->op.search.base)) {
308 ret = dsdb_module_search_dn(module, req, &res, req->op.search.base,
309 acl_attrs,
310 DSDB_FLAG_NEXT_MODULE |
311 DSDB_FLAG_AS_SYSTEM |
312 DSDB_SEARCH_SHOW_RECYCLED,
313 req);
314 if (ret != LDB_SUCCESS) {
315 return ldb_error(ldb, ret,
316 "acl_read: Error retrieving instanceType for base.");
317 }
318 instanceType = ldb_msg_find_attr_as_uint(res->msgs[0],
319 "instanceType", 0);
320 if (instanceType != 0 && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
321 {
322 /* the object has a parent, so we have to check for visibility */
323 struct ldb_dn *parent_dn = ldb_dn_get_parent(req, req->op.search.base);
324 ret = dsdb_module_check_access_on_dn(module,
325 req,
326 parent_dn,
327 SEC_ADS_LIST,
328 NULL, req);
329 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
330 return ldb_module_done(req, NULL, NULL, LDB_ERR_NO_SUCH_OBJECT);
331 } else if (ret != LDB_SUCCESS) {
332 return ldb_module_done(req, NULL, NULL, ret);
333 }
334 }
335 }
336 ac = talloc_zero(req, struct aclread_context);
337 if (ac == NULL) {
338 return ldb_oom(ldb);
339 }
340 ac->module = module;
341 ac->req = req;
342 ac->schema = dsdb_get_schema(ldb, req);
343 if (flags & DSDB_ACL_CHECKS_DIRSYNC_FLAG) {
344 ac->indirsync = true;
345 } else {
346 ac->indirsync = false;
347 }
348 if (!ac->schema) {
349 return ldb_operr(ldb);
350 }
351 /*
352 * In theory we should also check for the SD control but control verification is
353 * expensive so we'd better had the ntsecuritydescriptor to the list of
354 * searched attribute and then remove it !
355 */
356 ac->sd_flags = dsdb_request_sd_flags(ac->req, NULL);
357
358 ac->sd = !(ldb_attr_in_list(req->op.search.attrs, "nTSecurityDescriptor"));
359 if (req->op.search.attrs && !ldb_attr_in_list(req->op.search.attrs, "*")) {
360 if (!ldb_attr_in_list(req->op.search.attrs, "instanceType")) {
361 ac->instance_type = true;
362 attrs = ldb_attr_list_copy_add(ac, req->op.search.attrs, "instanceType");
363 } else {
364 attrs = req->op.search.attrs;
365 }
366 if (!ldb_attr_in_list(req->op.search.attrs, "objectSid")) {
367 ac->object_sid = true;
368 attrs = ldb_attr_list_copy_add(ac, attrs, "objectSid");
369 }
370 }
371
372 if (ac->sd) {
373 /* avoid replacing all attributes with nTSecurityDescriptor
374 * if attribute list is empty */
375 if (!attrs) {
376 attrs = ldb_attr_list_copy_add(ac, req->op.search.attrs, "*");
377 }
378 attrs = ldb_attr_list_copy_add(ac, attrs, "nTSecurityDescriptor");
379 }
380 ac->attrs = req->op.search.attrs;
381 ret = ldb_build_search_req_ex(&down_req,
382 ldb, ac,
383 req->op.search.base,
384 req->op.search.scope,
385 req->op.search.tree,
386 attrs,
387 req->controls,
388 ac, aclread_callback,
389 req);
390
391 if (ret != LDB_SUCCESS) {
392 return LDB_ERR_OPERATIONS_ERROR;
393 }
394
395 return ldb_next_request(module, down_req);
396 }
397
398 static int aclread_init(struct ldb_module *module)
399 {
400 struct ldb_context *ldb = ldb_module_get_ctx(module);
401 struct aclread_private *p = talloc_zero(module, struct aclread_private);
402 if (p == NULL) {
403 return ldb_module_oom(module);
404 }
405 p->enabled = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"), NULL, "acl", "search", true);
406 ldb_module_set_private(module, p);
407 return ldb_next_init(module);
408 }
409
410 static const struct ldb_module_ops ldb_aclread_module_ops = {
411 .name = "aclread",
412 .search = aclread_search,
413 .init_context = aclread_init
414 };
415
416 int ldb_aclread_module_init(const char *version)
417 {
418 LDB_MODULE_CHECK_VERSION(version);
419 return ldb_register_module(&ldb_aclread_module_ops);
420 }
reg import