4 Copyright (C) Simo Sorce 2006-2008
5 Copyright (C) Nadezhda Ivanova 2010
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 * Component: ldb ACL Read module
26 * Description: Module that performs authorisation access checks on read requests
27 * Only DACL checks implemented at this point
29 * Author: Nadezhda Ivanova
33 #include "ldb_module.h"
34 #include "auth/auth.h"
35 #include "libcli/security/security.h"
36 #include "dsdb/samdb/samdb.h"
37 #include "librpc/gen_ndr/ndr_security.h"
38 #include "param/param.h"
39 #include "dsdb/samdb/ldb_modules/util.h"
42 struct aclread_context
{
43 struct ldb_module
*module
;
44 struct ldb_request
*req
;
45 const char * const *attrs
;
46 const struct dsdb_schema
*schema
;
48 bool added_nTSecurityDescriptor
;
49 bool added_instanceType
;
54 struct aclread_private
{
58 static void aclread_mark_inaccesslible(struct ldb_message_element
*el
) {
59 el
->flags
|= LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE
;
62 static bool aclread_is_inaccessible(struct ldb_message_element
*el
) {
63 return el
->flags
& LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE
;
66 static int aclread_callback(struct ldb_request
*req
, struct ldb_reply
*ares
)
68 struct ldb_context
*ldb
;
69 struct aclread_context
*ac
;
70 struct ldb_message
*ret_msg
;
71 struct ldb_message
*msg
;
72 int ret
, num_of_attrs
= 0;
73 unsigned int i
, k
= 0;
74 struct security_descriptor
*sd
;
75 struct dom_sid
*sid
= NULL
;
77 uint32_t instanceType
;
79 ac
= talloc_get_type(req
->context
, struct aclread_context
);
80 ldb
= ldb_module_get_ctx(ac
->module
);
82 return ldb_module_done(ac
->req
, NULL
, NULL
, LDB_ERR_OPERATIONS_ERROR
);
84 if (ares
->error
!= LDB_SUCCESS
) {
85 return ldb_module_done(ac
->req
, ares
->controls
,
86 ares
->response
, ares
->error
);
88 tmp_ctx
= talloc_new(ac
);
92 ret
= dsdb_get_sd_from_ldb_message(ldb
, tmp_ctx
, msg
, &sd
);
93 if (ret
!= LDB_SUCCESS
|| sd
== NULL
) {
94 ldb_debug_set(ldb
, LDB_DEBUG_FATAL
,
95 "acl_read: cannot get descriptor of %s\n",
96 ldb_dn_get_linearized(msg
->dn
));
97 ret
= LDB_ERR_OPERATIONS_ERROR
;
100 sid
= samdb_result_dom_sid(tmp_ctx
, msg
, "objectSid");
101 /* get the object instance type */
102 instanceType
= ldb_msg_find_attr_as_uint(msg
,
104 if (!ldb_dn_is_null(msg
->dn
) && !(instanceType
& INSTANCE_TYPE_IS_NC_HEAD
))
106 /* the object has a parent, so we have to check for visibility */
107 struct ldb_dn
*parent_dn
= ldb_dn_get_parent(tmp_ctx
, msg
->dn
);
109 ret
= dsdb_module_check_access_on_dn(ac
->module
,
114 if (ret
== LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS
) {
115 talloc_free(tmp_ctx
);
117 } else if (ret
!= LDB_SUCCESS
) {
118 ldb_debug_set(ldb
, LDB_DEBUG_FATAL
,
119 "acl_read: %s check parent %s - %s\n",
120 ldb_dn_get_linearized(msg
->dn
),
126 /* for every element in the message check RP */
127 for (i
=0; i
< msg
->num_elements
; i
++) {
128 const struct dsdb_attribute
*attr
;
129 bool is_sd
, is_objectsid
, is_instancetype
;
130 uint32_t access_mask
;
131 attr
= dsdb_attribute_by_lDAPDisplayName(ac
->schema
,
132 msg
->elements
[i
].name
);
134 ldb_debug_set(ldb
, LDB_DEBUG_FATAL
,
135 "acl_read: %s cannot find attr[%s] in of schema\n",
136 ldb_dn_get_linearized(msg
->dn
),
137 msg
->elements
[i
].name
);
138 ret
= LDB_ERR_OPERATIONS_ERROR
;
141 is_sd
= ldb_attr_cmp("nTSecurityDescriptor",
142 msg
->elements
[i
].name
) == 0;
143 is_objectsid
= ldb_attr_cmp("objectSid",
144 msg
->elements
[i
].name
) == 0;
145 is_instancetype
= ldb_attr_cmp("instanceType",
146 msg
->elements
[i
].name
) == 0;
147 /* these attributes were added to perform access checks and must be removed */
148 if (is_objectsid
&& ac
->added_objectSid
) {
149 aclread_mark_inaccesslible(&msg
->elements
[i
]);
152 if (is_instancetype
&& ac
->added_instanceType
) {
153 aclread_mark_inaccesslible(&msg
->elements
[i
]);
156 if (is_sd
&& ac
->added_nTSecurityDescriptor
) {
157 aclread_mark_inaccesslible(&msg
->elements
[i
]);
160 /* nTSecurityDescriptor is a special case */
164 if (ac
->sd_flags
& (SECINFO_OWNER
|SECINFO_GROUP
)) {
165 access_mask
|= SEC_STD_READ_CONTROL
;
167 if (ac
->sd_flags
& SECINFO_DACL
) {
168 access_mask
|= SEC_STD_READ_CONTROL
;
170 if (ac
->sd_flags
& SECINFO_SACL
) {
171 access_mask
|= SEC_FLAG_SYSTEM_SECURITY
;
174 access_mask
= SEC_ADS_READ_PROP
;
177 if (attr
->searchFlags
& SEARCH_FLAG_CONFIDENTIAL
) {
178 access_mask
|= SEC_ADS_CONTROL_ACCESS
;
181 if (access_mask
== 0) {
182 aclread_mark_inaccesslible(&msg
->elements
[i
]);
186 ret
= acl_check_access_on_attribute(ac
->module
,
194 * Dirsync control needs the replpropertymetadata attribute
195 * so return it as it will be removed by the control
198 if (ret
== LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS
) {
199 if (!ac
->indirsync
) {
201 * do not return this entry if attribute is
202 * part of the search filter
204 if (dsdb_attr_in_parse_tree(ac
->req
->op
.search
.tree
,
205 msg
->elements
[i
].name
)) {
206 talloc_free(tmp_ctx
);
209 aclread_mark_inaccesslible(&msg
->elements
[i
]);
212 * We are doing dirysnc answers
213 * and the object shouldn't be returned (normally)
214 * but we will return it without replPropertyMetaData
215 * so that the dirysync module will do what is needed
216 * (remove the object if it is not deleted, or return
217 * just the objectGUID if it's deleted).
219 if (dsdb_attr_in_parse_tree(ac
->req
->op
.search
.tree
,
220 msg
->elements
[i
].name
)) {
221 ldb_msg_remove_attr(msg
, "replPropertyMetaData");
224 aclread_mark_inaccesslible(&msg
->elements
[i
]);
227 } else if (ret
!= LDB_SUCCESS
) {
228 ldb_debug_set(ldb
, LDB_DEBUG_FATAL
,
229 "acl_read: %s check attr[%s] gives %s - %s\n",
230 ldb_dn_get_linearized(msg
->dn
),
231 msg
->elements
[i
].name
,
237 for (i
=0; i
< msg
->num_elements
; i
++) {
238 if (!aclread_is_inaccessible(&msg
->elements
[i
])) {
242 /*create a new message to return*/
243 ret_msg
= ldb_msg_new(ac
->req
);
244 ret_msg
->dn
= msg
->dn
;
245 talloc_steal(ret_msg
, msg
->dn
);
246 ret_msg
->num_elements
= num_of_attrs
;
247 if (num_of_attrs
> 0) {
248 ret_msg
->elements
= talloc_array(ret_msg
,
249 struct ldb_message_element
,
251 if (ret_msg
->elements
== NULL
) {
254 for (i
=0; i
< msg
->num_elements
; i
++) {
255 bool to_remove
= aclread_is_inaccessible(&msg
->elements
[i
]);
257 ret_msg
->elements
[k
] = msg
->elements
[i
];
258 talloc_steal(ret_msg
->elements
, msg
->elements
[i
].name
);
259 talloc_steal(ret_msg
->elements
, msg
->elements
[i
].values
);
264 * This should not be needed, but some modules
265 * may allocate values on the wrong context...
267 talloc_steal(ret_msg
->elements
, msg
);
269 ret_msg
->elements
= NULL
;
271 talloc_free(tmp_ctx
);
273 return ldb_module_send_entry(ac
->req
, ret_msg
, ares
->controls
);
274 case LDB_REPLY_REFERRAL
:
275 return ldb_module_send_referral(ac
->req
, ares
->referral
);
277 return ldb_module_done(ac
->req
, ares
->controls
,
278 ares
->response
, LDB_SUCCESS
);
283 talloc_free(tmp_ctx
);
284 return ldb_module_done(ac
->req
, NULL
, NULL
, ret
);
288 static int aclread_search(struct ldb_module
*module
, struct ldb_request
*req
)
290 struct ldb_context
*ldb
;
292 struct aclread_context
*ac
;
293 struct ldb_request
*down_req
;
294 struct ldb_control
*as_system
= ldb_request_get_control(req
, LDB_CONTROL_AS_SYSTEM_OID
);
295 uint32_t flags
= ldb_req_get_custom_flags(req
);
296 struct ldb_result
*res
;
297 struct aclread_private
*p
;
298 bool need_sd
= false;
299 bool explicit_sd_flags
= false;
300 bool is_untrusted
= ldb_req_is_untrusted(req
);
301 static const char * const _all_attrs
[] = { "*", NULL
};
302 bool all_attrs
= false;
303 const char * const *attrs
= NULL
;
304 uint32_t instanceType
;
305 static const char *acl_attrs
[] = {
310 ldb
= ldb_module_get_ctx(module
);
311 p
= talloc_get_type(ldb_module_get_private(module
), struct aclread_private
);
313 /* skip access checks if we are system or system control is supplied
314 * or this is not LDAP server request */
315 if (!p
|| !p
->enabled
||
316 dsdb_module_am_system(module
)
317 || as_system
|| !is_untrusted
) {
318 return ldb_next_request(module
, req
);
320 /* no checks on special dn */
321 if (ldb_dn_is_special(req
->op
.search
.base
)) {
322 return ldb_next_request(module
, req
);
325 /* check accessibility of base */
326 if (!ldb_dn_is_null(req
->op
.search
.base
)) {
327 ret
= dsdb_module_search_dn(module
, req
, &res
, req
->op
.search
.base
,
329 DSDB_FLAG_NEXT_MODULE
|
330 DSDB_FLAG_AS_SYSTEM
|
331 DSDB_SEARCH_SHOW_RECYCLED
,
333 if (ret
!= LDB_SUCCESS
) {
334 return ldb_error(ldb
, ret
,
335 "acl_read: Error retrieving instanceType for base.");
337 instanceType
= ldb_msg_find_attr_as_uint(res
->msgs
[0],
339 if (instanceType
!= 0 && !(instanceType
& INSTANCE_TYPE_IS_NC_HEAD
))
341 /* the object has a parent, so we have to check for visibility */
342 struct ldb_dn
*parent_dn
= ldb_dn_get_parent(req
, req
->op
.search
.base
);
343 ret
= dsdb_module_check_access_on_dn(module
,
348 if (ret
== LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS
) {
349 return ldb_module_done(req
, NULL
, NULL
, LDB_ERR_NO_SUCH_OBJECT
);
350 } else if (ret
!= LDB_SUCCESS
) {
351 return ldb_module_done(req
, NULL
, NULL
, ret
);
355 ac
= talloc_zero(req
, struct aclread_context
);
361 ac
->schema
= dsdb_get_schema(ldb
, req
);
362 if (flags
& DSDB_ACL_CHECKS_DIRSYNC_FLAG
) {
363 ac
->indirsync
= true;
365 ac
->indirsync
= false;
368 return ldb_operr(ldb
);
371 attrs
= req
->op
.search
.attrs
;
375 } else if (attrs
[0] == NULL
) {
378 } else if (ldb_attr_in_list(attrs
, "*")) {
383 * In theory we should also check for the SD control but control verification is
384 * expensive so we'd better had the ntsecuritydescriptor to the list of
385 * searched attribute and then remove it !
387 ac
->sd_flags
= dsdb_request_sd_flags(ac
->req
, &explicit_sd_flags
);
389 if (ldb_attr_in_list(attrs
, "nTSecurityDescriptor")) {
391 } else if (explicit_sd_flags
&& all_attrs
) {
398 if (!ldb_attr_in_list(attrs
, "instanceType")) {
399 attrs
= ldb_attr_list_copy_add(ac
, attrs
, "instanceType");
403 ac
->added_instanceType
= true;
405 if (!ldb_attr_in_list(req
->op
.search
.attrs
, "objectSid")) {
406 attrs
= ldb_attr_list_copy_add(ac
, attrs
, "objectSid");
410 ac
->added_objectSid
= true;
415 attrs
= ldb_attr_list_copy_add(ac
, attrs
, "nTSecurityDescriptor");
419 ac
->added_nTSecurityDescriptor
= true;
422 ac
->attrs
= req
->op
.search
.attrs
;
423 ret
= ldb_build_search_req_ex(&down_req
,
426 req
->op
.search
.scope
,
430 ac
, aclread_callback
,
433 if (ret
!= LDB_SUCCESS
) {
434 return LDB_ERR_OPERATIONS_ERROR
;
437 return ldb_next_request(module
, down_req
);
440 static int aclread_init(struct ldb_module
*module
)
442 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
443 struct aclread_private
*p
= talloc_zero(module
, struct aclread_private
);
445 return ldb_module_oom(module
);
447 p
->enabled
= lpcfg_parm_bool(ldb_get_opaque(ldb
, "loadparm"), NULL
, "acl", "search", true);
448 ldb_module_set_private(module
, p
);
449 return ldb_next_init(module
);
452 static const struct ldb_module_ops ldb_aclread_module_ops
= {
454 .search
= aclread_search
,
455 .init_context
= aclread_init
458 int ldb_aclread_module_init(const char *version
)
460 LDB_MODULE_CHECK_VERSION(version
);
461 return ldb_register_module(&ldb_aclread_module_ops
);