search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:dsdb/acl_read: return the nTSecurityDescriptor attr if the sd_flags control is...
[Samba/gebeck_regimport.git] / source4 / dsdb / samdb / ldb_modules / acl_read.c
blob9955451e7787416ae92e73091e25275e5b8cbc91
1 /*
2 ldb database library
3
4 Copyright (C) Simo Sorce 2006-2008
5 Copyright (C) Nadezhda Ivanova 2010
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 /*
22 * Name: ldb
23 *
24 * Component: ldb ACL Read module
25 *
26 * Description: Module that performs authorisation access checks on read requests
27 * Only DACL checks implemented at this point
28 *
29 * Author: Nadezhda Ivanova
30 */
31
32 #include "includes.h"
33 #include "ldb_module.h"
34 #include "auth/auth.h"
35 #include "libcli/security/security.h"
36 #include "dsdb/samdb/samdb.h"
37 #include "librpc/gen_ndr/ndr_security.h"
38 #include "param/param.h"
39 #include "dsdb/samdb/ldb_modules/util.h"
40
41
42 struct aclread_context {
43 struct ldb_module *module;
44 struct ldb_request *req;
45 const char * const *attrs;
46 const struct dsdb_schema *schema;
47 uint32_t sd_flags;
48 bool added_nTSecurityDescriptor;
49 bool added_instanceType;
50 bool added_objectSid;
51 bool indirsync;
52 };
53
54 struct aclread_private {
55 bool enabled;
56 };
57
58 static void aclread_mark_inaccesslible(struct ldb_message_element *el) {
59 el->flags |= LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE;
60 }
61
62 static bool aclread_is_inaccessible(struct ldb_message_element *el) {
63 return el->flags & LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE;
64 }
65
66 static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
67 {
68 struct ldb_context *ldb;
69 struct aclread_context *ac;
70 struct ldb_message *ret_msg;
71 struct ldb_message *msg;
72 int ret, num_of_attrs = 0;
73 unsigned int i, k = 0;
74 struct security_descriptor *sd;
75 struct dom_sid *sid = NULL;
76 TALLOC_CTX *tmp_ctx;
77 uint32_t instanceType;
78
79 ac = talloc_get_type(req->context, struct aclread_context);
80 ldb = ldb_module_get_ctx(ac->module);
81 if (!ares) {
82 return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR );
83 }
84 if (ares->error != LDB_SUCCESS) {
85 return ldb_module_done(ac->req, ares->controls,
86 ares->response, ares->error);
87 }
88 tmp_ctx = talloc_new(ac);
89 switch (ares->type) {
90 case LDB_REPLY_ENTRY:
91 msg = ares->message;
92 ret = dsdb_get_sd_from_ldb_message(ldb, tmp_ctx, msg, &sd);
93 if (ret != LDB_SUCCESS || sd == NULL ) {
94 ldb_debug_set(ldb, LDB_DEBUG_FATAL,
95 "acl_read: cannot get descriptor of %s\n",
96 ldb_dn_get_linearized(msg->dn));
97 ret = LDB_ERR_OPERATIONS_ERROR;
98 goto fail;
99 }
100 sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
101 /* get the object instance type */
102 instanceType = ldb_msg_find_attr_as_uint(msg,
103 "instanceType", 0);
104 if (!ldb_dn_is_null(msg->dn) && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
105 {
106 /* the object has a parent, so we have to check for visibility */
107 struct ldb_dn *parent_dn = ldb_dn_get_parent(tmp_ctx, msg->dn);
108
109 ret = dsdb_module_check_access_on_dn(ac->module,
110 tmp_ctx,
111 parent_dn,
112 SEC_ADS_LIST,
113 NULL, req);
114 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
115 talloc_free(tmp_ctx);
116 return LDB_SUCCESS;
117 } else if (ret != LDB_SUCCESS) {
118 ldb_debug_set(ldb, LDB_DEBUG_FATAL,
119 "acl_read: %s check parent %s - %s\n",
120 ldb_dn_get_linearized(msg->dn),
121 ldb_strerror(ret),
122 ldb_errstring(ldb));
123 goto fail;
124 }
125 }
126 /* for every element in the message check RP */
127 for (i=0; i < msg->num_elements; i++) {
128 const struct dsdb_attribute *attr;
129 bool is_sd, is_objectsid, is_instancetype;
130 uint32_t access_mask;
131 attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
132 msg->elements[i].name);
133 if (!attr) {
134 ldb_debug_set(ldb, LDB_DEBUG_FATAL,
135 "acl_read: %s cannot find attr[%s] in of schema\n",
136 ldb_dn_get_linearized(msg->dn),
137 msg->elements[i].name);
138 ret = LDB_ERR_OPERATIONS_ERROR;
139 goto fail;
140 }
141 is_sd = ldb_attr_cmp("nTSecurityDescriptor",
142 msg->elements[i].name) == 0;
143 is_objectsid = ldb_attr_cmp("objectSid",
144 msg->elements[i].name) == 0;
145 is_instancetype = ldb_attr_cmp("instanceType",
146 msg->elements[i].name) == 0;
147 /* these attributes were added to perform access checks and must be removed */
148 if (is_objectsid && ac->added_objectSid) {
149 aclread_mark_inaccesslible(&msg->elements[i]);
150 continue;
151 }
152 if (is_instancetype && ac->added_instanceType) {
153 aclread_mark_inaccesslible(&msg->elements[i]);
154 continue;
155 }
156 if (is_sd && ac->added_nTSecurityDescriptor) {
157 aclread_mark_inaccesslible(&msg->elements[i]);
158 continue;
159 }
160 /* nTSecurityDescriptor is a special case */
161 if (is_sd) {
162 access_mask = 0;
163
164 if (ac->sd_flags & (SECINFO_OWNER|SECINFO_GROUP)) {
165 access_mask |= SEC_STD_READ_CONTROL;
166 }
167 if (ac->sd_flags & SECINFO_DACL) {
168 access_mask |= SEC_STD_READ_CONTROL;
169 }
170 if (ac->sd_flags & SECINFO_SACL) {
171 access_mask |= SEC_FLAG_SYSTEM_SECURITY;
172 }
173 } else {
174 access_mask = SEC_ADS_READ_PROP;
175 }
176
177 if (attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL) {
178 access_mask |= SEC_ADS_CONTROL_ACCESS;
179 }
180
181 if (access_mask == 0) {
182 aclread_mark_inaccesslible(&msg->elements[i]);
183 continue;
184 }
185
186 ret = acl_check_access_on_attribute(ac->module,
187 tmp_ctx,
188 sd,
189 sid,
190 access_mask,
191 attr);
192
193 /*
194 * Dirsync control needs the replpropertymetadata attribute
195 * so return it as it will be removed by the control
196 * in anycase.
197 */
198 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
199 if (!ac->indirsync) {
200 /*
201 * do not return this entry if attribute is
202 * part of the search filter
203 */
204 if (dsdb_attr_in_parse_tree(ac->req->op.search.tree,
205 msg->elements[i].name)) {
206 talloc_free(tmp_ctx);
207 return LDB_SUCCESS;
208 }
209 aclread_mark_inaccesslible(&msg->elements[i]);
210 } else {
211 /*
212 * We are doing dirysnc answers
213 * and the object shouldn't be returned (normally)
214 * but we will return it without replPropertyMetaData
215 * so that the dirysync module will do what is needed
216 * (remove the object if it is not deleted, or return
217 * just the objectGUID if it's deleted).
218 */
219 if (dsdb_attr_in_parse_tree(ac->req->op.search.tree,
220 msg->elements[i].name)) {
221 ldb_msg_remove_attr(msg, "replPropertyMetaData");
222 break;
223 } else {
224 aclread_mark_inaccesslible(&msg->elements[i]);
225 }
226 }
227 } else if (ret != LDB_SUCCESS) {
228 ldb_debug_set(ldb, LDB_DEBUG_FATAL,
229 "acl_read: %s check attr[%s] gives %s - %s\n",
230 ldb_dn_get_linearized(msg->dn),
231 msg->elements[i].name,
232 ldb_strerror(ret),
233 ldb_errstring(ldb));
234 goto fail;
235 }
236 }
237 for (i=0; i < msg->num_elements; i++) {
238 if (!aclread_is_inaccessible(&msg->elements[i])) {
239 num_of_attrs++;
240 }
241 }
242 /*create a new message to return*/
243 ret_msg = ldb_msg_new(ac->req);
244 ret_msg->dn = msg->dn;
245 talloc_steal(ret_msg, msg->dn);
246 ret_msg->num_elements = num_of_attrs;
247 if (num_of_attrs > 0) {
248 ret_msg->elements = talloc_array(ret_msg,
249 struct ldb_message_element,
250 num_of_attrs);
251 if (ret_msg->elements == NULL) {
252 return ldb_oom(ldb);
253 }
254 for (i=0; i < msg->num_elements; i++) {
255 bool to_remove = aclread_is_inaccessible(&msg->elements[i]);
256 if (!to_remove) {
257 ret_msg->elements[k] = msg->elements[i];
258 talloc_steal(ret_msg->elements, msg->elements[i].name);
259 talloc_steal(ret_msg->elements, msg->elements[i].values);
260 k++;
261 }
262 }
263 /*
264 * This should not be needed, but some modules
265 * may allocate values on the wrong context...
266 */
267 talloc_steal(ret_msg->elements, msg);
268 } else {
269 ret_msg->elements = NULL;
270 }
271 talloc_free(tmp_ctx);
272
273 return ldb_module_send_entry(ac->req, ret_msg, ares->controls);
274 case LDB_REPLY_REFERRAL:
275 return ldb_module_send_referral(ac->req, ares->referral);
276 case LDB_REPLY_DONE:
277 return ldb_module_done(ac->req, ares->controls,
278 ares->response, LDB_SUCCESS);
279
280 }
281 return LDB_SUCCESS;
282 fail:
283 talloc_free(tmp_ctx);
284 return ldb_module_done(ac->req, NULL, NULL, ret);
285 }
286
287
288 static int aclread_search(struct ldb_module *module, struct ldb_request *req)
289 {
290 struct ldb_context *ldb;
291 int ret;
292 struct aclread_context *ac;
293 struct ldb_request *down_req;
294 struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
295 uint32_t flags = ldb_req_get_custom_flags(req);
296 struct ldb_result *res;
297 struct aclread_private *p;
298 bool need_sd = false;
299 bool explicit_sd_flags = false;
300 bool is_untrusted = ldb_req_is_untrusted(req);
301 static const char * const _all_attrs[] = { "*", NULL };
302 bool all_attrs = false;
303 const char * const *attrs = NULL;
304 uint32_t instanceType;
305 static const char *acl_attrs[] = {
306 "instanceType",
307 NULL
308 };
309
310 ldb = ldb_module_get_ctx(module);
311 p = talloc_get_type(ldb_module_get_private(module), struct aclread_private);
312
313 /* skip access checks if we are system or system control is supplied
314 * or this is not LDAP server request */
315 if (!p || !p->enabled ||
316 dsdb_module_am_system(module)
317 || as_system || !is_untrusted) {
318 return ldb_next_request(module, req);
319 }
320 /* no checks on special dn */
321 if (ldb_dn_is_special(req->op.search.base)) {
322 return ldb_next_request(module, req);
323 }
324
325 /* check accessibility of base */
326 if (!ldb_dn_is_null(req->op.search.base)) {
327 ret = dsdb_module_search_dn(module, req, &res, req->op.search.base,
328 acl_attrs,
329 DSDB_FLAG_NEXT_MODULE |
330 DSDB_FLAG_AS_SYSTEM |
331 DSDB_SEARCH_SHOW_RECYCLED,
332 req);
333 if (ret != LDB_SUCCESS) {
334 return ldb_error(ldb, ret,
335 "acl_read: Error retrieving instanceType for base.");
336 }
337 instanceType = ldb_msg_find_attr_as_uint(res->msgs[0],
338 "instanceType", 0);
339 if (instanceType != 0 && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
340 {
341 /* the object has a parent, so we have to check for visibility */
342 struct ldb_dn *parent_dn = ldb_dn_get_parent(req, req->op.search.base);
343 ret = dsdb_module_check_access_on_dn(module,
344 req,
345 parent_dn,
346 SEC_ADS_LIST,
347 NULL, req);
348 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
349 return ldb_module_done(req, NULL, NULL, LDB_ERR_NO_SUCH_OBJECT);
350 } else if (ret != LDB_SUCCESS) {
351 return ldb_module_done(req, NULL, NULL, ret);
352 }
353 }
354 }
355 ac = talloc_zero(req, struct aclread_context);
356 if (ac == NULL) {
357 return ldb_oom(ldb);
358 }
359 ac->module = module;
360 ac->req = req;
361 ac->schema = dsdb_get_schema(ldb, req);
362 if (flags & DSDB_ACL_CHECKS_DIRSYNC_FLAG) {
363 ac->indirsync = true;
364 } else {
365 ac->indirsync = false;
366 }
367 if (!ac->schema) {
368 return ldb_operr(ldb);
369 }
370
371 attrs = req->op.search.attrs;
372 if (attrs == NULL) {
373 all_attrs = true;
374 attrs = _all_attrs;
375 } else if (attrs[0] == NULL) {
376 all_attrs = true;
377 attrs = _all_attrs;
378 } else if (ldb_attr_in_list(attrs, "*")) {
379 all_attrs = true;
380 }
381
382 /*
383 * In theory we should also check for the SD control but control verification is
384 * expensive so we'd better had the ntsecuritydescriptor to the list of
385 * searched attribute and then remove it !
386 */
387 ac->sd_flags = dsdb_request_sd_flags(ac->req, &explicit_sd_flags);
388
389 if (ldb_attr_in_list(attrs, "nTSecurityDescriptor")) {
390 need_sd = false;
391 } else if (explicit_sd_flags && all_attrs) {
392 need_sd = false;
393 } else {
394 need_sd = true;
395 }
396
397 if (!all_attrs) {
398 if (!ldb_attr_in_list(attrs, "instanceType")) {
399 attrs = ldb_attr_list_copy_add(ac, attrs, "instanceType");
400 if (attrs == NULL) {
401 return ldb_oom(ldb);
402 }
403 ac->added_instanceType = true;
404 }
405 if (!ldb_attr_in_list(req->op.search.attrs, "objectSid")) {
406 attrs = ldb_attr_list_copy_add(ac, attrs, "objectSid");
407 if (attrs == NULL) {
408 return ldb_oom(ldb);
409 }
410 ac->added_objectSid = true;
411 }
412 }
413
414 if (need_sd) {
415 attrs = ldb_attr_list_copy_add(ac, attrs, "nTSecurityDescriptor");
416 if (attrs == NULL) {
417 return ldb_oom(ldb);
418 }
419 ac->added_nTSecurityDescriptor = true;
420 }
421
422 ac->attrs = req->op.search.attrs;
423 ret = ldb_build_search_req_ex(&down_req,
424 ldb, ac,
425 req->op.search.base,
426 req->op.search.scope,
427 req->op.search.tree,
428 attrs,
429 req->controls,
430 ac, aclread_callback,
431 req);
432
433 if (ret != LDB_SUCCESS) {
434 return LDB_ERR_OPERATIONS_ERROR;
435 }
436
437 return ldb_next_request(module, down_req);
438 }
439
440 static int aclread_init(struct ldb_module *module)
441 {
442 struct ldb_context *ldb = ldb_module_get_ctx(module);
443 struct aclread_private *p = talloc_zero(module, struct aclread_private);
444 if (p == NULL) {
445 return ldb_module_oom(module);
446 }
447 p->enabled = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"), NULL, "acl", "search", true);
448 ldb_module_set_private(module, p);
449 return ldb_next_init(module);
450 }
451
452 static const struct ldb_module_ops ldb_aclread_module_ops = {
453 .name = "aclread",
454 .search = aclread_search,
455 .init_context = aclread_init
456 };
457
458 int ldb_aclread_module_init(const char *version)
459 {
460 LDB_MODULE_CHECK_VERSION(version);
461 return ldb_register_module(&ldb_aclread_module_ops);
462 }
reg import