search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Version 1.0 of the directory service acls module.
[Samba/gebeck_regimport.git] / source4 / dsdb / samdb / ldb_modules / kludge_acl.c
blob0cec95b1c2b8786fc832679550595ab8182119c4
1 /*
2 ldb database library
3
4 Copyright (C) Andrew Bartlett 2005
5 Copyright (C) Simo Sorce 2006-2008
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 /*
22 * Name: ldb
23 *
24 * Component: ldb kludge ACL module
25 *
26 * Description: Simple module to enforce a simple form of access
27 * control, sufficient for securing a default Samba4
28 * installation.
29 *
30 * Author: Andrew Bartlett
31 */
32
33 #include "includes.h"
34 #include "ldb_module.h"
35 #include "auth/auth.h"
36 #include "libcli/security/security.h"
37 #include "dsdb/samdb/samdb.h"
38 #include "param/param.h"
39
40 /* Kludge ACL rules:
41 *
42 * - System can read passwords
43 * - Administrators can write anything
44 * - Users can read anything that is not a password
45 *
46 */
47
48 struct kludge_private_data {
49 const char **password_attrs;
50 bool acl_perform;
51 };
52
53 static enum security_user_level what_is_user(struct ldb_module *module)
54 {
55 struct ldb_context *ldb = ldb_module_get_ctx(module);
56 struct auth_session_info *session_info
57 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
58 return security_session_user_level(session_info);
59 }
60
61 static const char *user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module)
62 {
63 struct ldb_context *ldb = ldb_module_get_ctx(module);
64 struct auth_session_info *session_info
65 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
66 if (!session_info) {
67 return "UNKNOWN (NULL)";
68 }
69
70 return talloc_asprintf(mem_ctx, "%s\\%s",
71 session_info->server_info->domain_name,
72 session_info->server_info->account_name);
73 }
74
75 /* search */
76 struct kludge_acl_context {
77
78 struct ldb_module *module;
79 struct ldb_request *req;
80
81 enum security_user_level user_type;
82 bool allowedAttributes;
83 bool allowedAttributesEffective;
84 bool allowedChildClasses;
85 bool allowedChildClassesEffective;
86 const char * const *attrs;
87 };
88
89 /* read all objectClasses */
90
91 static int kludge_acl_allowedAttributes(struct ldb_context *ldb, struct ldb_message *msg,
92 const char *attrName)
93 {
94 struct ldb_message_element *oc_el;
95 struct ldb_message_element *allowedAttributes;
96 const struct dsdb_schema *schema = dsdb_get_schema(ldb);
97 TALLOC_CTX *mem_ctx;
98 const char **attr_list;
99 int i, ret;
100
101 /* If we don't have a schema yet, we can't do anything... */
102 if (schema == NULL) {
103 return LDB_SUCCESS;
104 }
105
106 /* Must remove any existing attribute, or else confusion reins */
107 ldb_msg_remove_attr(msg, attrName);
108 ret = ldb_msg_add_empty(msg, attrName, 0, &allowedAttributes);
109 if (ret != LDB_SUCCESS) {
110 return ret;
111 }
112
113 mem_ctx = talloc_new(msg);
114 if (!mem_ctx) {
115 ldb_oom(ldb);
116 return LDB_ERR_OPERATIONS_ERROR;
117 }
118
119 /* To ensure that oc_el is valid, we must look for it after
120 we alter the element array in ldb_msg_add_empty() */
121 oc_el = ldb_msg_find_element(msg, "objectClass");
122
123 attr_list = dsdb_full_attribute_list(mem_ctx, schema, oc_el, DSDB_SCHEMA_ALL);
124 if (!attr_list) {
125 ldb_asprintf_errstring(ldb, "kludge_acl: Failed to get list of attributes create %s attribute", attrName);
126 talloc_free(mem_ctx);
127 return LDB_ERR_OPERATIONS_ERROR;
128 }
129
130 for (i=0; attr_list && attr_list[i]; i++) {
131 ldb_msg_add_string(msg, attrName, attr_list[i]);
132 }
133 talloc_free(mem_ctx);
134 return LDB_SUCCESS;
135
136 }
137 /* read all objectClasses */
138
139 static int kludge_acl_childClasses(struct ldb_context *ldb, struct ldb_message *msg,
140 const char *attrName)
141 {
142 struct ldb_message_element *oc_el;
143 struct ldb_message_element *allowedClasses;
144 const struct dsdb_schema *schema = dsdb_get_schema(ldb);
145 const struct dsdb_class *sclass;
146 int i, j, ret;
147
148 /* If we don't have a schema yet, we can't do anything... */
149 if (schema == NULL) {
150 return LDB_SUCCESS;
151 }
152
153 /* Must remove any existing attribute, or else confusion reins */
154 ldb_msg_remove_attr(msg, attrName);
155 ret = ldb_msg_add_empty(msg, attrName, 0, &allowedClasses);
156 if (ret != LDB_SUCCESS) {
157 return ret;
158 }
159
160 /* To ensure that oc_el is valid, we must look for it after
161 we alter the element array in ldb_msg_add_empty() */
162 oc_el = ldb_msg_find_element(msg, "objectClass");
163
164 for (i=0; oc_el && i < oc_el->num_values; i++) {
165 sclass = dsdb_class_by_lDAPDisplayName_ldb_val(schema, &oc_el->values[i]);
166 if (!sclass) {
167 /* We don't know this class? what is going on? */
168 continue;
169 }
170
171 for (j=0; sclass->possibleInferiors && sclass->possibleInferiors[j]; j++) {
172 ldb_msg_add_string(msg, attrName, sclass->possibleInferiors[j]);
173 }
174 }
175
176 if (allowedClasses->num_values > 1) {
177 qsort(allowedClasses->values,
178 allowedClasses->num_values,
179 sizeof(*allowedClasses->values),
180 (comparison_fn_t)data_blob_cmp);
181
182 for (i=1 ; i < allowedClasses->num_values; i++) {
183
184 struct ldb_val *val1 = &allowedClasses->values[i-1];
185 struct ldb_val *val2 = &allowedClasses->values[i];
186 if (data_blob_cmp(val1, val2) == 0) {
187 memmove(val1, val2, (allowedClasses->num_values - i) * sizeof( struct ldb_val));
188 allowedClasses->num_values--;
189 i--;
190 }
191 }
192 }
193
194 return LDB_SUCCESS;
195
196 }
197
198 /* find all attributes allowed by all these objectClasses */
199
200 static int kludge_acl_callback(struct ldb_request *req, struct ldb_reply *ares)
201 {
202 struct ldb_context *ldb;
203 struct kludge_acl_context *ac;
204 struct kludge_private_data *data;
205 int i, ret;
206
207 ac = talloc_get_type(req->context, struct kludge_acl_context);
208 data = talloc_get_type(ldb_module_get_private(ac->module), struct kludge_private_data);
209 ldb = ldb_module_get_ctx(ac->module);
210
211 if (!ares) {
212 return ldb_module_done(ac->req, NULL, NULL,
213 LDB_ERR_OPERATIONS_ERROR);
214 }
215 if (ares->error != LDB_SUCCESS) {
216 return ldb_module_done(ac->req, ares->controls,
217 ares->response, ares->error);
218 }
219
220 switch (ares->type) {
221 case LDB_REPLY_ENTRY:
222 if (ac->allowedAttributes) {
223 ret = kludge_acl_allowedAttributes(ldb,
224 ares->message,
225 "allowedAttributes");
226 if (ret != LDB_SUCCESS) {
227 return ldb_module_done(ac->req, NULL, NULL, ret);
228 }
229 }
230 if (ac->allowedChildClasses) {
231 ret = kludge_acl_childClasses(ldb,
232 ares->message,
233 "allowedChildClasses");
234 if (ret != LDB_SUCCESS) {
235 return ldb_module_done(ac->req, NULL, NULL, ret);
236 }
237 }
238
239 if (data && data->password_attrs) /* if we are not initialized just get through */
240 {
241 switch (ac->user_type) {
242 case SECURITY_SYSTEM:
243 if (ac->allowedAttributesEffective) {
244 ret = kludge_acl_allowedAttributes(ldb, ares->message,
245 "allowedAttributesEffective");
246 if (ret != LDB_SUCCESS) {
247 return ldb_module_done(ac->req, NULL, NULL, ret);
248 }
249 }
250 if (ac->allowedChildClassesEffective) {
251 ret = kludge_acl_childClasses(ldb, ares->message,
252 "allowedChildClassesEffective");
253 if (ret != LDB_SUCCESS) {
254 return ldb_module_done(ac->req, NULL, NULL, ret);
255 }
256 }
257 break;
258
259 case SECURITY_ADMINISTRATOR:
260 if (ac->allowedAttributesEffective) {
261 ret = kludge_acl_allowedAttributes(ldb, ares->message,
262 "allowedAttributesEffective");
263 if (ret != LDB_SUCCESS) {
264 return ldb_module_done(ac->req, NULL, NULL, ret);
265 }
266 }
267 if (ac->allowedChildClassesEffective) {
268 ret = kludge_acl_childClasses(ldb, ares->message,
269 "allowedChildClassesEffective");
270 if (ret != LDB_SUCCESS) {
271 return ldb_module_done(ac->req, NULL, NULL, ret);
272 }
273 }
274 /* fall through */
275 default:
276 /* remove password attributes */
277 for (i = 0; data->password_attrs[i]; i++) {
278 ldb_msg_remove_attr(ares->message, data->password_attrs[i]);
279 }
280 }
281 }
282
283 if (ac->allowedAttributes ||
284 ac->allowedAttributesEffective ||
285 ac->allowedChildClasses ||
286 ac->allowedChildClassesEffective) {
287
288 if (!ldb_attr_in_list(ac->attrs, "objectClass") &&
289 !ldb_attr_in_list(ac->attrs, "*")) {
290
291 ldb_msg_remove_attr(ares->message,
292 "objectClass");
293 }
294 }
295
296 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
297
298 case LDB_REPLY_REFERRAL:
299 return ldb_module_send_referral(ac->req, ares->referral);
300
301 case LDB_REPLY_DONE:
302 return ldb_module_done(ac->req, ares->controls,
303 ares->response, LDB_SUCCESS);
304
305 }
306 return LDB_SUCCESS;
307 }
308
309 static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
310 {
311 struct ldb_context *ldb;
312 struct kludge_acl_context *ac;
313 struct ldb_request *down_req;
314 struct kludge_private_data *data;
315 const char * const *attrs;
316 int ret, i;
317 struct ldb_control *sd_control;
318 struct ldb_control **sd_saved_controls;
319
320 ldb = ldb_module_get_ctx(module);
321
322 ac = talloc(req, struct kludge_acl_context);
323 if (ac == NULL) {
324 ldb_oom(ldb);
325 return LDB_ERR_OPERATIONS_ERROR;
326 }
327
328 data = talloc_get_type(ldb_module_get_private(module), struct kludge_private_data);
329
330 if (data && data->acl_perform)
331 return ldb_next_request(module, req);
332
333 ac->module = module;
334 ac->req = req;
335 ac->user_type = what_is_user(module);
336 ac->attrs = req->op.search.attrs;
337
338 ac->allowedAttributes = ldb_attr_in_list(req->op.search.attrs, "allowedAttributes");
339
340 ac->allowedAttributesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedAttributesEffective");
341
342 ac->allowedChildClasses = ldb_attr_in_list(req->op.search.attrs, "allowedChildClasses");
343
344 ac->allowedChildClassesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedChildClassesEffective");
345
346 if (ac->allowedAttributes || ac->allowedAttributesEffective || ac->allowedChildClasses || ac->allowedChildClassesEffective) {
347 attrs = ldb_attr_list_copy_add(ac, req->op.search.attrs, "objectClass");
348 } else {
349 attrs = req->op.search.attrs;
350 }
351
352 /* replace any attributes in the parse tree that are private,
353 so we don't allow a search for 'userPassword=penguin',
354 just as we would not allow that attribute to be returned */
355 switch (ac->user_type) {
356 case SECURITY_SYSTEM:
357 break;
358 default:
359 /* FIXME: We should copy the tree and keep the original unmodified. */
360 /* remove password attributes */
361
362 if (!data || !data->password_attrs) {
363 break;
364 }
365 for (i = 0; data->password_attrs[i]; i++) {
366 ldb_parse_tree_attr_replace(req->op.search.tree,
367 data->password_attrs[i],
368 "kludgeACLredactedattribute");
369 }
370 }
371
372 ret = ldb_build_search_req_ex(&down_req,
373 ldb, ac,
374 req->op.search.base,
375 req->op.search.scope,
376 req->op.search.tree,
377 attrs,
378 req->controls,
379 ac, kludge_acl_callback,
380 req);
381 if (ret != LDB_SUCCESS) {
382 return ret;
383 }
384
385 /* check if there's an SD_FLAGS control */
386 sd_control = ldb_request_get_control(down_req, LDB_CONTROL_SD_FLAGS_OID);
387 if (sd_control) {
388 /* save it locally and remove it from the list */
389 /* we do not need to replace them later as we
390 * are keeping the original req intact */
391 if (!save_controls(sd_control, down_req, &sd_saved_controls)) {
392 return LDB_ERR_OPERATIONS_ERROR;
393 }
394 }
395
396 /* perform the search */
397 return ldb_next_request(module, down_req);
398 }
399
400 /* ANY change type */
401 static int kludge_acl_change(struct ldb_module *module, struct ldb_request *req)
402 {
403 struct ldb_context *ldb = ldb_module_get_ctx(module);
404 enum security_user_level user_type = what_is_user(module);
405 struct kludge_private_data *data = talloc_get_type(ldb_module_get_private(module),
406 struct kludge_private_data);
407
408 if (data->acl_perform)
409 return ldb_next_request(module, req);
410
411 switch (user_type) {
412 case SECURITY_SYSTEM:
413 case SECURITY_ADMINISTRATOR:
414 return ldb_next_request(module, req);
415 default:
416 ldb_asprintf_errstring(ldb,
417 "kludge_acl_change: "
418 "attempted database modify not permitted. "
419 "User %s is not SYSTEM or an administrator",
420 user_name(req, module));
421 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
422 }
423 }
424
425 static int kludge_acl_extended(struct ldb_module *module, struct ldb_request *req)
426 {
427 struct ldb_context *ldb = ldb_module_get_ctx(module);
428 enum security_user_level user_type;
429
430 /* allow everybody to read the sequence number */
431 if (strcmp(req->op.extended.oid,
432 LDB_EXTENDED_SEQUENCE_NUMBER) == 0) {
433 return ldb_next_request(module, req);
434 }
435
436 user_type = what_is_user(module);
437
438 switch (user_type) {
439 case SECURITY_SYSTEM:
440 case SECURITY_ADMINISTRATOR:
441 return ldb_next_request(module, req);
442 default:
443 ldb_asprintf_errstring(ldb,
444 "kludge_acl_change: "
445 "attempted database modify not permitted. "
446 "User %s is not SYSTEM or an administrator",
447 user_name(req, module));
448 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
449 }
450 }
451
452 static int kludge_acl_init(struct ldb_module *module)
453 {
454 struct ldb_context *ldb;
455 int ret, i;
456 TALLOC_CTX *mem_ctx = talloc_new(module);
457 static const char *attrs[] = { "passwordAttribute", NULL };
458 struct ldb_result *res;
459 struct ldb_message *msg;
460 struct ldb_message_element *password_attributes;
461
462 struct kludge_private_data *data;
463
464 ldb = ldb_module_get_ctx(module);
465
466 data = talloc(module, struct kludge_private_data);
467 if (data == NULL) {
468 ldb_oom(ldb);
469 return LDB_ERR_OPERATIONS_ERROR;
470 }
471
472 data->password_attrs = NULL;
473 data->acl_perform = lp_parm_bool(ldb_get_opaque(ldb, "loadparm"),
474 NULL, "acl", "perform", false);
475 ldb_module_set_private(module, data);
476
477 if (!mem_ctx) {
478 ldb_oom(ldb);
479 return LDB_ERR_OPERATIONS_ERROR;
480 }
481
482 ret = ldb_search(ldb, mem_ctx, &res,
483 ldb_dn_new(mem_ctx, ldb, "@KLUDGEACL"),
484 LDB_SCOPE_BASE, attrs, NULL);
485 if (ret != LDB_SUCCESS) {
486 goto done;
487 }
488 if (res->count == 0) {
489 goto done;
490 }
491
492 if (res->count > 1) {
493 talloc_free(mem_ctx);
494 return LDB_ERR_CONSTRAINT_VIOLATION;
495 }
496
497 msg = res->msgs[0];
498
499 password_attributes = ldb_msg_find_element(msg, "passwordAttribute");
500 if (!password_attributes) {
501 goto done;
502 }
503 data->password_attrs = talloc_array(data, const char *, password_attributes->num_values + 1);
504 if (!data->password_attrs) {
505 talloc_free(mem_ctx);
506 ldb_oom(ldb);
507 return LDB_ERR_OPERATIONS_ERROR;
508 }
509 for (i=0; i < password_attributes->num_values; i++) {
510 data->password_attrs[i] = (const char *)password_attributes->values[i].data;
511 talloc_steal(data->password_attrs, password_attributes->values[i].data);
512 }
513 data->password_attrs[i] = NULL;
514
515 ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID);
516 if (ret != LDB_SUCCESS) {
517 ldb_debug(ldb, LDB_DEBUG_ERROR,
518 "kludge_acl: Unable to register control with rootdse!\n");
519 return LDB_ERR_OPERATIONS_ERROR;
520 }
521
522 done:
523 talloc_free(mem_ctx);
524 return ldb_next_init(module);
525 }
526
527 _PUBLIC_ const struct ldb_module_ops ldb_kludge_acl_module_ops = {
528 .name = "kludge_acl",
529 .search = kludge_acl_search,
530 /* .add = kludge_acl_change,
531 .modify = kludge_acl_change,
532 .del = kludge_acl_change,
533 .rename = kludge_acl_change, */
534 .extended = kludge_acl_extended,
535 .init_context = kludge_acl_init
536 };
reg import