search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:dsdb/acl: remove unused "acl:perform" option
[Samba/gebeck_regimport.git] / source4 / dsdb / samdb / ldb_modules / acl.c
blob9a7b01b265889caf97b5421f2ef83d8d41265220
1 /*
2 ldb database library
3
4 Copyright (C) Simo Sorce 2006-2008
5 Copyright (C) Nadezhda Ivanova 2009
6 Copyright (C) Anatoliy Atanasov 2009
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 /*
23 * Name: ldb
24 *
25 * Component: ldb ACL module
26 *
27 * Description: Module that performs authorisation access checks based on the
28 * account's security context and the DACL of the object being polled.
29 * Only DACL checks implemented at this point
30 *
31 * Authors: Nadezhda Ivanova, Anatoliy Atanasov
32 */
33
34 #include "includes.h"
35 #include "ldb_module.h"
36 #include "auth/auth.h"
37 #include "libcli/security/security.h"
38 #include "dsdb/samdb/samdb.h"
39 #include "librpc/gen_ndr/ndr_security.h"
40 #include "param/param.h"
41 #include "dsdb/samdb/ldb_modules/util.h"
42 #include "lib/util/tsort.h"
43 #include "system/kerberos.h"
44 #include "auth/kerberos/kerberos.h"
45
46 struct extended_access_check_attribute {
47 const char *oa_name;
48 const uint32_t requires_rights;
49 };
50
51 struct acl_private {
52 const char **password_attrs;
53 void *cached_schema_ptr;
54 uint64_t cached_schema_metadata_usn;
55 uint64_t cached_schema_loaded_usn;
56 const char **confidential_attrs;
57 };
58
59 struct acl_context {
60 struct ldb_module *module;
61 struct ldb_request *req;
62 bool am_system;
63 bool am_administrator;
64 bool modify_search;
65 bool constructed_attrs;
66 bool allowedAttributes;
67 bool allowedAttributesEffective;
68 bool allowedChildClasses;
69 bool allowedChildClassesEffective;
70 bool sDRightsEffective;
71 bool userPassword;
72 const char * const *attrs;
73 struct dsdb_schema *schema;
74 };
75
76 static int acl_module_init(struct ldb_module *module)
77 {
78 struct ldb_context *ldb;
79 struct acl_private *data;
80 int ret;
81 unsigned int i;
82 TALLOC_CTX *mem_ctx;
83 static const char *attrs[] = { "passwordAttribute", NULL };
84 struct ldb_result *res;
85 struct ldb_message *msg;
86 struct ldb_message_element *password_attributes;
87
88 ldb = ldb_module_get_ctx(module);
89
90 ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID);
91 if (ret != LDB_SUCCESS) {
92 ldb_debug(ldb, LDB_DEBUG_ERROR,
93 "acl_module_init: Unable to register control with rootdse!\n");
94 return ldb_operr(ldb);
95 }
96
97 data = talloc_zero(module, struct acl_private);
98 if (data == NULL) {
99 return ldb_oom(ldb);
100 }
101
102 ldb_module_set_private(module, data);
103
104 mem_ctx = talloc_new(module);
105 if (!mem_ctx) {
106 return ldb_oom(ldb);
107 }
108
109 ret = dsdb_module_search_dn(module, mem_ctx, &res,
110 ldb_dn_new(mem_ctx, ldb, "@KLUDGEACL"),
111 attrs,
112 DSDB_FLAG_NEXT_MODULE |
113 DSDB_FLAG_AS_SYSTEM,
114 NULL);
115 if (ret != LDB_SUCCESS) {
116 goto done;
117 }
118 if (res->count == 0) {
119 goto done;
120 }
121
122 if (res->count > 1) {
123 talloc_free(mem_ctx);
124 return LDB_ERR_CONSTRAINT_VIOLATION;
125 }
126
127 msg = res->msgs[0];
128
129 password_attributes = ldb_msg_find_element(msg, "passwordAttribute");
130 if (!password_attributes) {
131 goto done;
132 }
133 data->password_attrs = talloc_array(data, const char *, password_attributes->num_values + 1);
134 if (!data->password_attrs) {
135 talloc_free(mem_ctx);
136 return ldb_oom(ldb);
137 }
138 for (i=0; i < password_attributes->num_values; i++) {
139 data->password_attrs[i] = (const char *)password_attributes->values[i].data;
140 talloc_steal(data->password_attrs, password_attributes->values[i].data);
141 }
142 data->password_attrs[i] = NULL;
143
144 done:
145 talloc_free(mem_ctx);
146 return ldb_next_init(module);
147 }
148
149 static int acl_allowedAttributes(struct ldb_module *module,
150 const struct dsdb_schema *schema,
151 struct ldb_message *sd_msg,
152 struct ldb_message *msg,
153 struct acl_context *ac)
154 {
155 struct ldb_message_element *oc_el;
156 struct ldb_context *ldb = ldb_module_get_ctx(module);
157 TALLOC_CTX *mem_ctx;
158 const char **attr_list;
159 int i, ret;
160
161 /* If we don't have a schema yet, we can't do anything... */
162 if (schema == NULL) {
163 ldb_asprintf_errstring(ldb, "cannot add allowedAttributes to %s because no schema is loaded", ldb_dn_get_linearized(msg->dn));
164 return LDB_ERR_OPERATIONS_ERROR;
165 }
166
167 /* Must remove any existing attribute */
168 if (ac->allowedAttributes) {
169 ldb_msg_remove_attr(msg, "allowedAttributes");
170 }
171
172 mem_ctx = talloc_new(msg);
173 if (!mem_ctx) {
174 return ldb_oom(ldb);
175 }
176
177 oc_el = ldb_msg_find_element(sd_msg, "objectClass");
178 attr_list = dsdb_full_attribute_list(mem_ctx, schema, oc_el, DSDB_SCHEMA_ALL);
179 if (!attr_list) {
180 ldb_asprintf_errstring(ldb, "acl: Failed to get list of attributes");
181 talloc_free(mem_ctx);
182 return LDB_ERR_OPERATIONS_ERROR;
183 }
184 if (ac->allowedAttributes) {
185 for (i=0; attr_list && attr_list[i]; i++) {
186 ldb_msg_add_string(msg, "allowedAttributes", attr_list[i]);
187 }
188 }
189 if (ac->allowedAttributesEffective) {
190 struct security_descriptor *sd;
191 struct dom_sid *sid = NULL;
192 struct ldb_control *as_system = ldb_request_get_control(ac->req,
193 LDB_CONTROL_AS_SYSTEM_OID);
194
195 if (as_system != NULL) {
196 as_system->critical = 0;
197 }
198
199 ldb_msg_remove_attr(msg, "allowedAttributesEffective");
200 if (ac->am_system || as_system) {
201 for (i=0; attr_list && attr_list[i]; i++) {
202 ldb_msg_add_string(msg, "allowedAttributesEffective", attr_list[i]);
203 }
204 return LDB_SUCCESS;
205 }
206
207 ret = dsdb_get_sd_from_ldb_message(ldb_module_get_ctx(module), mem_ctx, sd_msg, &sd);
208
209 if (ret != LDB_SUCCESS) {
210 return ret;
211 }
212
213 sid = samdb_result_dom_sid(mem_ctx, sd_msg, "objectSid");
214 for (i=0; attr_list && attr_list[i]; i++) {
215 const struct dsdb_attribute *attr = dsdb_attribute_by_lDAPDisplayName(schema,
216 attr_list[i]);
217 if (!attr) {
218 return ldb_operr(ldb);
219 }
220 /* remove constructed attributes */
221 if (attr->systemFlags & DS_FLAG_ATTR_IS_CONSTRUCTED
222 || attr->systemOnly
223 || (attr->linkID != 0 && attr->linkID % 2 != 0 )) {
224 continue;
225 }
226 ret = acl_check_access_on_attribute(module,
227 msg,
228 sd,
229 sid,
230 SEC_ADS_WRITE_PROP,
231 attr);
232 if (ret == LDB_SUCCESS) {
233 ldb_msg_add_string(msg, "allowedAttributesEffective", attr_list[i]);
234 }
235 }
236 }
237 return LDB_SUCCESS;
238 }
239
240 static int acl_childClasses(struct ldb_module *module,
241 const struct dsdb_schema *schema,
242 struct ldb_message *sd_msg,
243 struct ldb_message *msg,
244 const char *attrName)
245 {
246 struct ldb_message_element *oc_el;
247 struct ldb_message_element *allowedClasses;
248 const struct dsdb_class *sclass;
249 unsigned int i, j;
250 int ret;
251
252 /* If we don't have a schema yet, we can't do anything... */
253 if (schema == NULL) {
254 ldb_asprintf_errstring(ldb_module_get_ctx(module), "cannot add childClassesEffective to %s because no schema is loaded", ldb_dn_get_linearized(msg->dn));
255 return LDB_ERR_OPERATIONS_ERROR;
256 }
257
258 /* Must remove any existing attribute, or else confusion reins */
259 ldb_msg_remove_attr(msg, attrName);
260 ret = ldb_msg_add_empty(msg, attrName, 0, &allowedClasses);
261 if (ret != LDB_SUCCESS) {
262 return ret;
263 }
264
265 oc_el = ldb_msg_find_element(sd_msg, "objectClass");
266
267 for (i=0; oc_el && i < oc_el->num_values; i++) {
268 sclass = dsdb_class_by_lDAPDisplayName_ldb_val(schema, &oc_el->values[i]);
269 if (!sclass) {
270 /* We don't know this class? what is going on? */
271 continue;
272 }
273
274 for (j=0; sclass->possibleInferiors && sclass->possibleInferiors[j]; j++) {
275 ldb_msg_add_string(msg, attrName, sclass->possibleInferiors[j]);
276 }
277 }
278 if (allowedClasses->num_values > 1) {
279 TYPESAFE_QSORT(allowedClasses->values, allowedClasses->num_values, data_blob_cmp);
280 for (i=1 ; i < allowedClasses->num_values; i++) {
281 struct ldb_val *val1 = &allowedClasses->values[i-1];
282 struct ldb_val *val2 = &allowedClasses->values[i];
283 if (data_blob_cmp(val1, val2) == 0) {
284 memmove(val1, val2, (allowedClasses->num_values - i) * sizeof(struct ldb_val));
285 allowedClasses->num_values--;
286 i--;
287 }
288 }
289 }
290
291 return LDB_SUCCESS;
292 }
293
294 static int acl_check_access_on_class(struct ldb_module *module,
295 const struct dsdb_schema *schema,
296 TALLOC_CTX *mem_ctx,
297 struct security_descriptor *sd,
298 struct security_token *token,
299 struct dom_sid *rp_sid,
300 uint32_t access_mask,
301 const char *class_name)
302 {
303 int ret;
304 NTSTATUS status;
305 uint32_t access_granted;
306 struct object_tree *root = NULL;
307 struct object_tree *new_node = NULL;
308 const struct GUID *guid;
309
310 if (class_name != NULL) {
311 guid = class_schemaid_guid_by_lDAPDisplayName(schema, class_name);
312 if (!guid) {
313 DEBUG(10, ("acl_search: cannot find class %s\n",
314 class_name));
315 goto fail;
316 }
317 if (!insert_in_object_tree(mem_ctx,
318 guid, access_mask,
319 &root, &new_node)) {
320 DEBUG(10, ("acl_search: cannot add to object tree guid\n"));
321 goto fail;
322 }
323 }
324
325 status = sec_access_check_ds(sd, token,
326 access_mask,
327 &access_granted,
328 root,
329 rp_sid);
330 if (!NT_STATUS_IS_OK(status)) {
331 ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
332 } else {
333 ret = LDB_SUCCESS;
334 }
335 return ret;
336 fail:
337 return ldb_operr(ldb_module_get_ctx(module));
338 }
339
340 static int acl_childClassesEffective(struct ldb_module *module,
341 const struct dsdb_schema *schema,
342 struct ldb_message *sd_msg,
343 struct ldb_message *msg,
344 struct acl_context *ac)
345 {
346 struct ldb_message_element *oc_el;
347 struct ldb_message_element *allowedClasses = NULL;
348 const struct dsdb_class *sclass;
349 struct security_descriptor *sd;
350 struct ldb_control *as_system = ldb_request_get_control(ac->req,
351 LDB_CONTROL_AS_SYSTEM_OID);
352 struct dom_sid *sid = NULL;
353 unsigned int i, j;
354 int ret;
355
356 if (as_system != NULL) {
357 as_system->critical = 0;
358 }
359
360 if (ac->am_system || as_system) {
361 return acl_childClasses(module, schema, sd_msg, msg, "allowedChildClassesEffective");
362 }
363
364 /* If we don't have a schema yet, we can't do anything... */
365 if (schema == NULL) {
366 ldb_asprintf_errstring(ldb_module_get_ctx(module), "cannot add allowedChildClassesEffective to %s because no schema is loaded", ldb_dn_get_linearized(msg->dn));
367 return LDB_ERR_OPERATIONS_ERROR;
368 }
369
370 /* Must remove any existing attribute, or else confusion reins */
371 ldb_msg_remove_attr(msg, "allowedChildClassesEffective");
372
373 oc_el = ldb_msg_find_element(sd_msg, "objectClass");
374 ret = dsdb_get_sd_from_ldb_message(ldb_module_get_ctx(module), msg, sd_msg, &sd);
375 if (ret != LDB_SUCCESS) {
376 return ret;
377 }
378
379 sid = samdb_result_dom_sid(msg, sd_msg, "objectSid");
380 for (i=0; oc_el && i < oc_el->num_values; i++) {
381 sclass = dsdb_class_by_lDAPDisplayName_ldb_val(schema, &oc_el->values[i]);
382 if (!sclass) {
383 /* We don't know this class? what is going on? */
384 continue;
385 }
386
387 for (j=0; sclass->possibleInferiors && sclass->possibleInferiors[j]; j++) {
388 ret = acl_check_access_on_class(module,
389 schema,
390 msg,
391 sd,
392 acl_user_token(module),
393 sid,
394 SEC_ADS_CREATE_CHILD,
395 sclass->possibleInferiors[j]);
396 if (ret == LDB_SUCCESS) {
397 ldb_msg_add_string(msg, "allowedChildClassesEffective",
398 sclass->possibleInferiors[j]);
399 }
400 }
401 }
402 allowedClasses = ldb_msg_find_element(msg, "allowedChildClassesEffective");
403 if (!allowedClasses) {
404 return LDB_SUCCESS;
405 }
406
407 if (allowedClasses->num_values > 1) {
408 TYPESAFE_QSORT(allowedClasses->values, allowedClasses->num_values, data_blob_cmp);
409 for (i=1 ; i < allowedClasses->num_values; i++) {
410 struct ldb_val *val1 = &allowedClasses->values[i-1];
411 struct ldb_val *val2 = &allowedClasses->values[i];
412 if (data_blob_cmp(val1, val2) == 0) {
413 memmove(val1, val2, (allowedClasses->num_values - i) * sizeof( struct ldb_val));
414 allowedClasses->num_values--;
415 i--;
416 }
417 }
418 }
419 return LDB_SUCCESS;
420 }
421
422 static int acl_sDRightsEffective(struct ldb_module *module,
423 struct ldb_message *sd_msg,
424 struct ldb_message *msg,
425 struct acl_context *ac)
426 {
427 struct ldb_message_element *rightsEffective;
428 int ret;
429 struct security_descriptor *sd;
430 struct ldb_control *as_system = ldb_request_get_control(ac->req,
431 LDB_CONTROL_AS_SYSTEM_OID);
432 struct dom_sid *sid = NULL;
433 uint32_t flags = 0;
434
435 if (as_system != NULL) {
436 as_system->critical = 0;
437 }
438
439 /* Must remove any existing attribute, or else confusion reins */
440 ldb_msg_remove_attr(msg, "sDRightsEffective");
441 ret = ldb_msg_add_empty(msg, "sDRightsEffective", 0, &rightsEffective);
442 if (ret != LDB_SUCCESS) {
443 return ret;
444 }
445 if (ac->am_system || as_system) {
446 flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_SACL | SECINFO_DACL;
447 }
448 else {
449 /* Get the security descriptor from the message */
450 ret = dsdb_get_sd_from_ldb_message(ldb_module_get_ctx(module), msg, sd_msg, &sd);
451 if (ret != LDB_SUCCESS) {
452 return ret;
453 }
454 sid = samdb_result_dom_sid(msg, sd_msg, "objectSid");
455 ret = acl_check_access_on_attribute(module,
456 msg,
457 sd,
458 sid,
459 SEC_STD_WRITE_OWNER,
460 NULL);
461 if (ret == LDB_SUCCESS) {
462 flags |= SECINFO_OWNER | SECINFO_GROUP;
463 }
464 ret = acl_check_access_on_attribute(module,
465 msg,
466 sd,
467 sid,
468 SEC_STD_WRITE_DAC,
469 NULL);
470 if (ret == LDB_SUCCESS) {
471 flags |= SECINFO_DACL;
472 }
473 ret = acl_check_access_on_attribute(module,
474 msg,
475 sd,
476 sid,
477 SEC_FLAG_SYSTEM_SECURITY,
478 NULL);
479 if (ret == LDB_SUCCESS) {
480 flags |= SECINFO_SACL;
481 }
482 }
483 return samdb_msg_add_uint(ldb_module_get_ctx(module), msg, msg,
484 "sDRightsEffective", flags);
485 }
486
487 static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
488 struct ldb_context *ldb,
489 const char *spn_value,
490 uint32_t userAccountControl,
491 const char *samAccountName,
492 const char *dnsHostName,
493 const char *netbios_name,
494 const char *ntds_guid)
495 {
496 int ret;
497 krb5_context krb_ctx;
498 krb5_error_code kerr;
499 krb5_principal principal;
500 char *instanceName;
501 char *serviceType;
502 char *serviceName;
503 const char *forest_name = samdb_forest_name(ldb, mem_ctx);
504 const char *base_domain = samdb_default_domain_name(ldb, mem_ctx);
505 struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
506 struct loadparm_context);
507 bool is_dc = (userAccountControl & UF_SERVER_TRUST_ACCOUNT) ||
508 (userAccountControl & UF_PARTIAL_SECRETS_ACCOUNT);
509
510 if (strcasecmp_m(spn_value, samAccountName) == 0) {
511 /* MacOS X sets this value, and setting an SPN of your
512 * own samAccountName is both pointless and safe */
513 return LDB_SUCCESS;
514 }
515
516 kerr = smb_krb5_init_context_basic(mem_ctx,
517 lp_ctx,
518 &krb_ctx);
519 if (kerr != 0) {
520 return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
521 "Could not initialize kerberos context.");
522 }
523
524 ret = krb5_parse_name(krb_ctx, spn_value, &principal);
525 if (ret) {
526 krb5_free_context(krb_ctx);
527 return LDB_ERR_CONSTRAINT_VIOLATION;
528 }
529
530 if (principal->name.name_string.len < 2) {
531 goto fail;
532 }
533
534 instanceName = principal->name.name_string.val[1];
535 serviceType = principal->name.name_string.val[0];
536 if (principal->name.name_string.len == 3) {
537 serviceName = principal->name.name_string.val[2];
538 } else {
539 serviceName = NULL;
540 }
541
542 if (serviceName) {
543 if (!is_dc) {
544 goto fail;
545 }
546 if (strcasecmp(serviceType, "ldap") == 0) {
547 if (strcasecmp(serviceName, netbios_name) != 0 &&
548 strcasecmp(serviceName, forest_name) != 0) {
549 goto fail;
550 }
551
552 } else if (strcasecmp(serviceType, "gc") == 0) {
553 if (strcasecmp(serviceName, forest_name) != 0) {
554 goto fail;
555 }
556 } else {
557 if (strcasecmp(serviceName, base_domain) != 0 &&
558 strcasecmp(serviceName, netbios_name) != 0) {
559 goto fail;
560 }
561 }
562 }
563 /* instanceName can be samAccountName without $ or dnsHostName
564 * or "ntds_guid._msdcs.forest_domain for DC objects */
565 if (strlen(instanceName) == (strlen(samAccountName) - 1)
566 && strncasecmp(instanceName, samAccountName, strlen(samAccountName) - 1) == 0) {
567 goto success;
568 } else if (dnsHostName != NULL && strcasecmp(instanceName, dnsHostName) == 0) {
569 goto success;
570 } else if (is_dc) {
571 const char *guid_str;
572 guid_str = talloc_asprintf(mem_ctx,"%s._msdcs.%s",
573 ntds_guid,
574 forest_name);
575 if (strcasecmp(instanceName, guid_str) == 0) {
576 goto success;
577 }
578 }
579
580 fail:
581 krb5_free_principal(krb_ctx, principal);
582 krb5_free_context(krb_ctx);
583 return LDB_ERR_CONSTRAINT_VIOLATION;
584
585 success:
586 krb5_free_principal(krb_ctx, principal);
587 krb5_free_context(krb_ctx);
588 return LDB_SUCCESS;
589 }
590
591 static int acl_check_spn(TALLOC_CTX *mem_ctx,
592 struct ldb_module *module,
593 struct ldb_request *req,
594 struct security_descriptor *sd,
595 struct dom_sid *sid,
596 const struct GUID *oc_guid,
597 const struct dsdb_attribute *attr)
598 {
599 int ret;
600 unsigned int i;
601 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
602 struct ldb_context *ldb = ldb_module_get_ctx(module);
603 struct ldb_result *acl_res;
604 struct ldb_result *netbios_res;
605 struct ldb_message_element *el;
606 struct ldb_dn *partitions_dn = samdb_partitions_dn(ldb, tmp_ctx);
607 uint32_t userAccountControl;
608 const char *samAccountName;
609 const char *dnsHostName;
610 const char *netbios_name;
611 struct GUID ntds;
612 char *ntds_guid = NULL;
613
614 static const char *acl_attrs[] = {
615 "samAccountName",
616 "dnsHostName",
617 "userAccountControl",
618 NULL
619 };
620 static const char *netbios_attrs[] = {
621 "nETBIOSName",
622 NULL
623 };
624
625 /* if we have wp, we can do whatever we like */
626 if (acl_check_access_on_attribute(module,
627 tmp_ctx,
628 sd,
629 sid,
630 SEC_ADS_WRITE_PROP,
631 attr) == LDB_SUCCESS) {
632 talloc_free(tmp_ctx);
633 return LDB_SUCCESS;
634 }
635
636 ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
637 GUID_DRS_VALIDATE_SPN,
638 SEC_ADS_SELF_WRITE,
639 sid);
640
641 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
642 dsdb_acl_debug(sd, acl_user_token(module),
643 req->op.mod.message->dn,
644 true,
645 10);
646 talloc_free(tmp_ctx);
647 return ret;
648 }
649
650 ret = dsdb_module_search_dn(module, tmp_ctx,
651 &acl_res, req->op.mod.message->dn,
652 acl_attrs,
653 DSDB_FLAG_NEXT_MODULE |
654 DSDB_FLAG_AS_SYSTEM |
655 DSDB_SEARCH_SHOW_RECYCLED,
656 req);
657 if (ret != LDB_SUCCESS) {
658 talloc_free(tmp_ctx);
659 return ret;
660 }
661
662 userAccountControl = ldb_msg_find_attr_as_uint(acl_res->msgs[0], "userAccountControl", 0);
663 dnsHostName = ldb_msg_find_attr_as_string(acl_res->msgs[0], "dnsHostName", NULL);
664 samAccountName = ldb_msg_find_attr_as_string(acl_res->msgs[0], "samAccountName", NULL);
665
666 ret = dsdb_module_search(module, tmp_ctx,
667 &netbios_res, partitions_dn,
668 LDB_SCOPE_ONELEVEL,
669 netbios_attrs,
670 DSDB_FLAG_NEXT_MODULE |
671 DSDB_FLAG_AS_SYSTEM,
672 req,
673 "(ncName=%s)",
674 ldb_dn_get_linearized(ldb_get_default_basedn(ldb)));
675
676 netbios_name = ldb_msg_find_attr_as_string(netbios_res->msgs[0], "nETBIOSName", NULL);
677
678 el = ldb_msg_find_element(req->op.mod.message, "servicePrincipalName");
679 if (!el) {
680 talloc_free(tmp_ctx);
681 return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
682 "Error finding element for servicePrincipalName.");
683 }
684
685 /* NTDSDSA objectGuid of object we are checking SPN for */
686 if (userAccountControl & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) {
687 ret = dsdb_module_find_ntdsguid_for_computer(module, tmp_ctx,
688 req->op.mod.message->dn, &ntds, req);
689 if (ret != LDB_SUCCESS) {
690 ldb_asprintf_errstring(ldb, "Failed to find NTDSDSA objectGuid for %s: %s",
691 ldb_dn_get_linearized(req->op.mod.message->dn),
692 ldb_strerror(ret));
693 talloc_free(tmp_ctx);
694 return LDB_ERR_OPERATIONS_ERROR;
695 }
696 ntds_guid = GUID_string(tmp_ctx, &ntds);
697 }
698
699 for (i=0; i < el->num_values; i++) {
700 ret = acl_validate_spn_value(tmp_ctx,
701 ldb,
702 (char *)el->values[i].data,
703 userAccountControl,
704 samAccountName,
705 dnsHostName,
706 netbios_name,
707 ntds_guid);
708 if (ret != LDB_SUCCESS) {
709 talloc_free(tmp_ctx);
710 return ret;
711 }
712 }
713 talloc_free(tmp_ctx);
714 return LDB_SUCCESS;
715 }
716
717 static int acl_add(struct ldb_module *module, struct ldb_request *req)
718 {
719 int ret;
720 struct ldb_dn *parent = ldb_dn_get_parent(req, req->op.add.message->dn);
721 struct ldb_context *ldb;
722 const struct dsdb_schema *schema;
723 struct ldb_message_element *oc_el;
724 const struct GUID *guid;
725 struct ldb_dn *nc_root;
726 struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
727
728 if (as_system != NULL) {
729 as_system->critical = 0;
730 }
731
732 if (dsdb_module_am_system(module) || as_system) {
733 return ldb_next_request(module, req);
734 }
735 if (ldb_dn_is_special(req->op.add.message->dn)) {
736 return ldb_next_request(module, req);
737 }
738
739 ldb = ldb_module_get_ctx(module);
740
741 /* Creating an NC. There is probably something we should do here,
742 * but we will establish that later */
743
744 ret = dsdb_find_nc_root(ldb, req, req->op.add.message->dn, &nc_root);
745 if (ret != LDB_SUCCESS) {
746 return ret;
747 }
748 if (ldb_dn_compare(nc_root, req->op.add.message->dn) == 0) {
749 talloc_free(nc_root);
750 return ldb_next_request(module, req);
751 }
752 talloc_free(nc_root);
753
754 schema = dsdb_get_schema(ldb, req);
755 if (!schema) {
756 return ldb_operr(ldb);
757 }
758
759 oc_el = ldb_msg_find_element(req->op.add.message, "objectClass");
760 if (!oc_el || oc_el->num_values == 0) {
761 ldb_asprintf_errstring(ldb_module_get_ctx(module),
762 "acl: unable to find objectClass on %s\n",
763 ldb_dn_get_linearized(req->op.add.message->dn));
764 return ldb_module_done(req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
765 }
766
767 guid = class_schemaid_guid_by_lDAPDisplayName(schema,
768 (char *)oc_el->values[oc_el->num_values-1].data);
769 ret = dsdb_module_check_access_on_dn(module, req, parent, SEC_ADS_CREATE_CHILD, guid, req);
770 if (ret != LDB_SUCCESS) {
771 return ret;
772 }
773 return ldb_next_request(module, req);
774 }
775
776 /* ckecks if modifications are allowed on "Member" attribute */
777 static int acl_check_self_membership(TALLOC_CTX *mem_ctx,
778 struct ldb_module *module,
779 struct ldb_request *req,
780 struct security_descriptor *sd,
781 struct dom_sid *sid,
782 const struct GUID *oc_guid,
783 const struct dsdb_attribute *attr)
784 {
785 int ret;
786 unsigned int i;
787 struct ldb_context *ldb = ldb_module_get_ctx(module);
788 struct ldb_dn *user_dn;
789 struct ldb_message_element *member_el;
790 /* if we have wp, we can do whatever we like */
791 if (acl_check_access_on_attribute(module,
792 mem_ctx,
793 sd,
794 sid,
795 SEC_ADS_WRITE_PROP,
796 attr) == LDB_SUCCESS) {
797 return LDB_SUCCESS;
798 }
799 /* if we are adding/deleting ourselves, check for self membership */
800 ret = dsdb_find_dn_by_sid(ldb, mem_ctx,
801 &acl_user_token(module)->sids[PRIMARY_USER_SID_INDEX],
802 &user_dn);
803 if (ret != LDB_SUCCESS) {
804 return ret;
805 }
806 member_el = ldb_msg_find_element(req->op.mod.message, "member");
807 if (!member_el) {
808 return ldb_operr(ldb);
809 }
810 /* user can only remove oneself */
811 if (member_el->num_values == 0) {
812 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
813 }
814 for (i = 0; i < member_el->num_values; i++) {
815 if (strcasecmp((const char *)member_el->values[i].data,
816 ldb_dn_get_extended_linearized(mem_ctx, user_dn, 1)) != 0) {
817 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
818 }
819 }
820 ret = acl_check_extended_right(mem_ctx, sd, acl_user_token(module),
821 GUID_DRS_SELF_MEMBERSHIP,
822 SEC_ADS_SELF_WRITE,
823 sid);
824 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
825 dsdb_acl_debug(sd, acl_user_token(module),
826 req->op.mod.message->dn,
827 true,
828 10);
829 }
830 return ret;
831 }
832
833 static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
834 struct ldb_module *module,
835 struct ldb_request *req,
836 struct security_descriptor *sd,
837 struct dom_sid *sid,
838 const struct GUID *oc_guid,
839 bool userPassword)
840 {
841 int ret = LDB_SUCCESS;
842 unsigned int del_attr_cnt = 0, add_attr_cnt = 0, rep_attr_cnt = 0;
843 struct ldb_message_element *el;
844 struct ldb_message *msg;
845 const char *passwordAttrs[] = { "userPassword", "clearTextPassword",
846 "unicodePwd", "dBCSPwd", NULL }, **l;
847 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
848
849 msg = ldb_msg_copy_shallow(tmp_ctx, req->op.mod.message);
850 if (msg == NULL) {
851 return ldb_module_oom(module);
852 }
853 for (l = passwordAttrs; *l != NULL; l++) {
854 if ((!userPassword) && (ldb_attr_cmp(*l, "userPassword") == 0)) {
855 continue;
856 }
857
858 while ((el = ldb_msg_find_element(msg, *l)) != NULL) {
859 if (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE) {
860 ++del_attr_cnt;
861 }
862 if (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_ADD) {
863 ++add_attr_cnt;
864 }
865 if (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_REPLACE) {
866 ++rep_attr_cnt;
867 }
868 ldb_msg_remove_element(msg, el);
869 }
870 }
871
872 /* single deletes will be handled by the "password_hash" LDB module
873 * later in the stack, so we let it though here */
874 if ((del_attr_cnt > 0) && (add_attr_cnt == 0) && (rep_attr_cnt == 0)) {
875 talloc_free(tmp_ctx);
876 return LDB_SUCCESS;
877 }
878
879 if (ldb_request_get_control(req,
880 DSDB_CONTROL_PASSWORD_CHANGE_OID) != NULL) {
881 /* The "DSDB_CONTROL_PASSWORD_CHANGE_OID" control means that we
882 * have a user password change and not a set as the message
883 * looks like. In it's value blob it contains the NT and/or LM
884 * hash of the old password specified by the user.
885 * This control is used by the SAMR and "kpasswd" password
886 * change mechanisms. */
887 ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
888 GUID_DRS_USER_CHANGE_PASSWORD,
889 SEC_ADS_CONTROL_ACCESS,
890 sid);
891 }
892 else if (rep_attr_cnt > 0 || (add_attr_cnt != del_attr_cnt)) {
893 ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
894 GUID_DRS_FORCE_CHANGE_PASSWORD,
895 SEC_ADS_CONTROL_ACCESS,
896 sid);
897 }
898 else if (add_attr_cnt == 1 && del_attr_cnt == 1) {
899 ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
900 GUID_DRS_USER_CHANGE_PASSWORD,
901 SEC_ADS_CONTROL_ACCESS,
902 sid);
903 /* Very strange, but we get constraint violation in this case */
904 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
905 ret = LDB_ERR_CONSTRAINT_VIOLATION;
906 }
907 }
908 if (ret != LDB_SUCCESS) {
909 dsdb_acl_debug(sd, acl_user_token(module),
910 req->op.mod.message->dn,
911 true,
912 10);
913 }
914 talloc_free(tmp_ctx);
915 return ret;
916 }
917
918 static const struct GUID *get_oc_guid_from_message(const struct dsdb_schema *schema,
919 struct ldb_message *msg)
920 {
921 struct ldb_message_element *oc_el;
922 const struct dsdb_class *object_class;
923
924 oc_el = ldb_msg_find_element(msg, "objectClass");
925 if (!oc_el) {
926 return NULL;
927 }
928
929 object_class = dsdb_get_last_structural_class(schema, oc_el);
930 if (object_class == NULL) {
931 return NULL;
932 }
933
934 return &object_class->schemaIDGUID;
935 }
936
937
938 static int acl_modify(struct ldb_module *module, struct ldb_request *req)
939 {
940 int ret;
941 struct ldb_context *ldb = ldb_module_get_ctx(module);
942 const struct dsdb_schema *schema;
943 unsigned int i;
944 const struct GUID *guid;
945 uint32_t access_granted;
946 struct object_tree *root = NULL;
947 struct object_tree *new_node = NULL;
948 NTSTATUS status;
949 struct ldb_result *acl_res;
950 struct security_descriptor *sd;
951 struct dom_sid *sid = NULL;
952 struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
953 bool userPassword = dsdb_user_password_support(module, req, req);
954 TALLOC_CTX *tmp_ctx = talloc_new(req);
955 static const char *acl_attrs[] = {
956 "nTSecurityDescriptor",
957 "objectClass",
958 "objectSid",
959 NULL
960 };
961
962 if (as_system != NULL) {
963 as_system->critical = 0;
964 }
965
966 /* Don't print this debug statement if elements[0].name is going to be NULL */
967 if(req->op.mod.message->num_elements > 0)
968 {
969 DEBUG(10, ("ldb:acl_modify: %s\n", req->op.mod.message->elements[0].name));
970 }
971 if (dsdb_module_am_system(module) || as_system) {
972 return ldb_next_request(module, req);
973 }
974 if (ldb_dn_is_special(req->op.mod.message->dn)) {
975 return ldb_next_request(module, req);
976 }
977 ret = dsdb_module_search_dn(module, tmp_ctx, &acl_res, req->op.mod.message->dn,
978 acl_attrs,
979 DSDB_FLAG_NEXT_MODULE |
980 DSDB_FLAG_AS_SYSTEM |
981 DSDB_SEARCH_SHOW_RECYCLED,
982 req);
983
984 if (ret != LDB_SUCCESS) {
985 goto fail;
986 }
987
988 schema = dsdb_get_schema(ldb, tmp_ctx);
989 if (!schema) {
990 ret = LDB_ERR_OPERATIONS_ERROR;
991 goto fail;
992 }
993
994 ret = dsdb_get_sd_from_ldb_message(ldb, tmp_ctx, acl_res->msgs[0], &sd);
995 if (ret != LDB_SUCCESS) {
996 talloc_free(tmp_ctx);
997 return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
998 "acl_modify: Error retrieving security descriptor.");
999 }
1000 /* Theoretically we pass the check if the object has no sd */
1001 if (!sd) {
1002 goto success;
1003 }
1004
1005 guid = get_oc_guid_from_message(schema, acl_res->msgs[0]);
1006 if (!guid) {
1007 talloc_free(tmp_ctx);
1008 return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
1009 "acl_modify: Error retrieving object class GUID.");
1010 }
1011 sid = samdb_result_dom_sid(req, acl_res->msgs[0], "objectSid");
1012 if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
1013 &root, &new_node)) {
1014 talloc_free(tmp_ctx);
1015 return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
1016 "acl_modify: Error adding new node in object tree.");
1017 }
1018 for (i=0; i < req->op.mod.message->num_elements; i++){
1019 const struct dsdb_attribute *attr;
1020 attr = dsdb_attribute_by_lDAPDisplayName(schema,
1021 req->op.mod.message->elements[i].name);
1022
1023 if (ldb_attr_cmp("nTSecurityDescriptor", req->op.mod.message->elements[i].name) == 0) {
1024 status = sec_access_check_ds(sd, acl_user_token(module),
1025 SEC_STD_WRITE_DAC,
1026 &access_granted,
1027 NULL,
1028 sid);
1029
1030 if (!NT_STATUS_IS_OK(status)) {
1031 ldb_asprintf_errstring(ldb_module_get_ctx(module),
1032 "Object %s has no write dacl access\n",
1033 ldb_dn_get_linearized(req->op.mod.message->dn));
1034 dsdb_acl_debug(sd,
1035 acl_user_token(module),
1036 req->op.mod.message->dn,
1037 true,
1038 10);
1039 ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
1040 goto fail;
1041 }
1042 }
1043 else if (ldb_attr_cmp("member", req->op.mod.message->elements[i].name) == 0) {
1044 ret = acl_check_self_membership(tmp_ctx,
1045 module,
1046 req,
1047 sd,
1048 sid,
1049 guid,
1050 attr);
1051 if (ret != LDB_SUCCESS) {
1052 goto fail;
1053 }
1054 }
1055 else if (ldb_attr_cmp("dBCSPwd", req->op.mod.message->elements[i].name) == 0) {
1056 /* this one is not affected by any rights, we should let it through
1057 so that passwords_hash returns the correct error */
1058 continue;
1059 }
1060 else if (ldb_attr_cmp("unicodePwd", req->op.mod.message->elements[i].name) == 0 ||
1061 (userPassword && ldb_attr_cmp("userPassword", req->op.mod.message->elements[i].name) == 0) ||
1062 ldb_attr_cmp("clearTextPassword", req->op.mod.message->elements[i].name) == 0) {
1063 ret = acl_check_password_rights(tmp_ctx,
1064 module,
1065 req,
1066 sd,
1067 sid,
1068 guid,
1069 userPassword);
1070 if (ret != LDB_SUCCESS) {
1071 goto fail;
1072 }
1073 } else if (ldb_attr_cmp("servicePrincipalName", req->op.mod.message->elements[i].name) == 0) {
1074 ret = acl_check_spn(tmp_ctx,
1075 module,
1076 req,
1077 sd,
1078 sid,
1079 guid,
1080 attr);
1081 if (ret != LDB_SUCCESS) {
1082 goto fail;
1083 }
1084 } else {
1085
1086 /* This basic attribute existence check with the right errorcode
1087 * is needed since this module is the first one which requests
1088 * schema attribute information.
1089 * The complete attribute checking is done in the
1090 * "objectclass_attrs" module behind this one.
1091 */
1092 if (!attr) {
1093 ldb_asprintf_errstring(ldb, "acl_modify: attribute '%s' on entry '%s' was not found in the schema!",
1094 req->op.mod.message->elements[i].name,
1095 ldb_dn_get_linearized(req->op.mod.message->dn));
1096 ret = LDB_ERR_NO_SUCH_ATTRIBUTE;
1097 goto fail;
1098 }
1099 if (!insert_in_object_tree(tmp_ctx,
1100 &attr->attributeSecurityGUID, SEC_ADS_WRITE_PROP,
1101 &new_node, &new_node)) {
1102 ldb_asprintf_errstring(ldb_module_get_ctx(module),
1103 "acl_modify: cannot add to object tree securityGUID\n");
1104 ret = LDB_ERR_OPERATIONS_ERROR;
1105 goto fail;
1106 }
1107
1108 if (!insert_in_object_tree(tmp_ctx,
1109 &attr->schemaIDGUID, SEC_ADS_WRITE_PROP, &new_node, &new_node)) {
1110 ldb_asprintf_errstring(ldb_module_get_ctx(module),
1111 "acl_modify: cannot add to object tree attributeGUID\n");
1112 ret = LDB_ERR_OPERATIONS_ERROR;
1113 goto fail;
1114 }
1115 }
1116 }
1117
1118 if (root->num_of_children > 0) {
1119 status = sec_access_check_ds(sd, acl_user_token(module),
1120 SEC_ADS_WRITE_PROP,
1121 &access_granted,
1122 root,
1123 sid);
1124
1125 if (!NT_STATUS_IS_OK(status)) {
1126 ldb_asprintf_errstring(ldb_module_get_ctx(module),
1127 "Object %s has no write property access\n",
1128 ldb_dn_get_linearized(req->op.mod.message->dn));
1129 dsdb_acl_debug(sd,
1130 acl_user_token(module),
1131 req->op.mod.message->dn,
1132 true,
1133 10);
1134 ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
1135 goto fail;
1136 }
1137 }
1138
1139 success:
1140 talloc_free(tmp_ctx);
1141 return ldb_next_request(module, req);
1142 fail:
1143 talloc_free(tmp_ctx);
1144 return ret;
1145 }
1146
1147 /* similar to the modify for the time being.
1148 * We need to consider the special delete tree case, though - TODO */
1149 static int acl_delete(struct ldb_module *module, struct ldb_request *req)
1150 {
1151 int ret;
1152 struct ldb_dn *parent = ldb_dn_get_parent(req, req->op.del.dn);
1153 struct ldb_context *ldb;
1154 struct ldb_dn *nc_root;
1155 struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
1156
1157 if (as_system != NULL) {
1158 as_system->critical = 0;
1159 }
1160
1161 DEBUG(10, ("ldb:acl_delete: %s\n", ldb_dn_get_linearized(req->op.del.dn)));
1162 if (dsdb_module_am_system(module) || as_system) {
1163 return ldb_next_request(module, req);
1164 }
1165 if (ldb_dn_is_special(req->op.del.dn)) {
1166 return ldb_next_request(module, req);
1167 }
1168
1169 ldb = ldb_module_get_ctx(module);
1170
1171 /* Make sure we aren't deleting a NC */
1172
1173 ret = dsdb_find_nc_root(ldb, req, req->op.del.dn, &nc_root);
1174 if (ret != LDB_SUCCESS) {
1175 return ret;
1176 }
1177 if (ldb_dn_compare(nc_root, req->op.del.dn) == 0) {
1178 talloc_free(nc_root);
1179 DEBUG(10,("acl:deleting a NC\n"));
1180 /* Windows returns "ERR_UNWILLING_TO_PERFORM */
1181 return ldb_module_done(req, NULL, NULL,
1182 LDB_ERR_UNWILLING_TO_PERFORM);
1183 }
1184 talloc_free(nc_root);
1185
1186 /* First check if we have delete object right */
1187 ret = dsdb_module_check_access_on_dn(module, req, req->op.del.dn,
1188 SEC_STD_DELETE, NULL, req);
1189 if (ret == LDB_SUCCESS) {
1190 return ldb_next_request(module, req);
1191 }
1192
1193 /* Nope, we don't have delete object. Lets check if we have delete
1194 * child on the parent */
1195 ret = dsdb_module_check_access_on_dn(module, req, parent,
1196 SEC_ADS_DELETE_CHILD, NULL, req);
1197 if (ret != LDB_SUCCESS) {
1198 return ret;
1199 }
1200
1201 return ldb_next_request(module, req);
1202 }
1203
1204 static int acl_rename(struct ldb_module *module, struct ldb_request *req)
1205 {
1206 int ret;
1207 struct ldb_dn *oldparent = ldb_dn_get_parent(req, req->op.rename.olddn);
1208 struct ldb_dn *newparent = ldb_dn_get_parent(req, req->op.rename.newdn);
1209 const struct dsdb_schema *schema;
1210 struct ldb_context *ldb;
1211 struct security_descriptor *sd = NULL;
1212 struct dom_sid *sid = NULL;
1213 struct ldb_result *acl_res;
1214 const struct GUID *guid;
1215 struct ldb_dn *nc_root;
1216 struct object_tree *root = NULL;
1217 struct object_tree *new_node = NULL;
1218 struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
1219 TALLOC_CTX *tmp_ctx = talloc_new(req);
1220 NTSTATUS status;
1221 uint32_t access_granted;
1222 const char *rdn_name;
1223 static const char *acl_attrs[] = {
1224 "nTSecurityDescriptor",
1225 "objectClass",
1226 "objectSid",
1227 NULL
1228 };
1229
1230 if (as_system != NULL) {
1231 as_system->critical = 0;
1232 }
1233
1234 DEBUG(10, ("ldb:acl_rename: %s\n", ldb_dn_get_linearized(req->op.rename.olddn)));
1235 if (dsdb_module_am_system(module) || as_system) {
1236 return ldb_next_request(module, req);
1237 }
1238 if (ldb_dn_is_special(req->op.rename.olddn)) {
1239 return ldb_next_request(module, req);
1240 }
1241
1242 ldb = ldb_module_get_ctx(module);
1243
1244 /* Make sure we aren't renaming/moving a NC */
1245
1246 ret = dsdb_find_nc_root(ldb, req, req->op.rename.olddn, &nc_root);
1247 if (ret != LDB_SUCCESS) {
1248 return ret;
1249 }
1250 if (ldb_dn_compare(nc_root, req->op.rename.olddn) == 0) {
1251 talloc_free(nc_root);
1252 DEBUG(10,("acl:renaming/moving a NC\n"));
1253 /* Windows returns "ERR_UNWILLING_TO_PERFORM */
1254 return ldb_module_done(req, NULL, NULL,
1255 LDB_ERR_UNWILLING_TO_PERFORM);
1256 }
1257 talloc_free(nc_root);
1258
1259 /* Look for the parent */
1260
1261 ret = dsdb_module_search_dn(module, tmp_ctx, &acl_res,
1262 req->op.rename.olddn, acl_attrs,
1263 DSDB_FLAG_NEXT_MODULE |
1264 DSDB_FLAG_AS_SYSTEM |
1265 DSDB_SEARCH_SHOW_RECYCLED, req);
1266 /* we sould be able to find the parent */
1267 if (ret != LDB_SUCCESS) {
1268 DEBUG(10,("acl: failed to find object %s\n",
1269 ldb_dn_get_linearized(req->op.rename.olddn)));
1270 talloc_free(tmp_ctx);
1271 return ret;
1272 }
1273
1274 schema = dsdb_get_schema(ldb, acl_res);
1275 if (!schema) {
1276 talloc_free(tmp_ctx);
1277 return ldb_operr(ldb);
1278 }
1279
1280 guid = get_oc_guid_from_message(schema, acl_res->msgs[0]);
1281 if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
1282 &root, &new_node)) {
1283 talloc_free(tmp_ctx);
1284 return ldb_operr(ldb);
1285 };
1286
1287 guid = attribute_schemaid_guid_by_lDAPDisplayName(schema,
1288 "name");
1289 if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
1290 &new_node, &new_node)) {
1291 talloc_free(tmp_ctx);
1292 return ldb_operr(ldb);
1293 };
1294
1295 rdn_name = ldb_dn_get_rdn_name(req->op.rename.olddn);
1296 if (rdn_name == NULL) {
1297 talloc_free(tmp_ctx);
1298 return ldb_operr(ldb);
1299 }
1300 guid = attribute_schemaid_guid_by_lDAPDisplayName(schema,
1301 rdn_name);
1302 if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
1303 &new_node, &new_node)) {
1304 talloc_free(tmp_ctx);
1305 return ldb_operr(ldb);
1306 };
1307
1308 ret = dsdb_get_sd_from_ldb_message(ldb, req, acl_res->msgs[0], &sd);
1309
1310 if (ret != LDB_SUCCESS) {
1311 talloc_free(tmp_ctx);
1312 return ldb_operr(ldb);
1313 }
1314 /* Theoretically we pass the check if the object has no sd */
1315 if (!sd) {
1316 talloc_free(tmp_ctx);
1317 return LDB_SUCCESS;
1318 }
1319 sid = samdb_result_dom_sid(req, acl_res->msgs[0], "objectSid");
1320 status = sec_access_check_ds(sd, acl_user_token(module),
1321 SEC_ADS_WRITE_PROP,
1322 &access_granted,
1323 root,
1324 sid);
1325
1326 if (!NT_STATUS_IS_OK(status)) {
1327 ldb_asprintf_errstring(ldb_module_get_ctx(module),
1328 "Object %s has no wp on name\n",
1329 ldb_dn_get_linearized(req->op.rename.olddn));
1330 dsdb_acl_debug(sd,
1331 acl_user_token(module),
1332 req->op.rename.olddn,
1333 true,
1334 10);
1335 talloc_free(tmp_ctx);
1336 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
1337 }
1338
1339 if (ldb_dn_compare(oldparent, newparent) == 0) {
1340 /* regular rename, not move, nothing more to do */
1341 talloc_free(tmp_ctx);
1342 return ldb_next_request(module, req);
1343 }
1344
1345 /* new parent should have create child */
1346 root = NULL;
1347 new_node = NULL;
1348 guid = get_oc_guid_from_message(schema, acl_res->msgs[0]);
1349 if (!guid) {
1350 ldb_asprintf_errstring(ldb_module_get_ctx(module),
1351 "acl:renamed object has no object class\n");
1352 talloc_free(tmp_ctx);
1353 return ldb_module_done(req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
1354 }
1355
1356 ret = dsdb_module_check_access_on_dn(module, req, newparent, SEC_ADS_CREATE_CHILD, guid, req);
1357 if (ret != LDB_SUCCESS) {
1358 ldb_asprintf_errstring(ldb_module_get_ctx(module),
1359 "acl:access_denied renaming %s",
1360 ldb_dn_get_linearized(req->op.rename.olddn));
1361 talloc_free(tmp_ctx);
1362 return ret;
1363 }
1364 /* do we have delete object on the object? */
1365
1366 status = sec_access_check_ds(sd, acl_user_token(module),
1367 SEC_STD_DELETE,
1368 &access_granted,
1369 NULL,
1370 sid);
1371
1372 if (NT_STATUS_IS_OK(status)) {
1373 talloc_free(tmp_ctx);
1374 return ldb_next_request(module, req);
1375 }
1376 /* what about delete child on the current parent */
1377 ret = dsdb_module_check_access_on_dn(module, req, oldparent, SEC_ADS_DELETE_CHILD, NULL, req);
1378 if (ret != LDB_SUCCESS) {
1379 ldb_asprintf_errstring(ldb_module_get_ctx(module),
1380 "acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn));
1381 talloc_free(tmp_ctx);
1382 return ldb_module_done(req, NULL, NULL, ret);
1383 }
1384
1385 talloc_free(tmp_ctx);
1386
1387 return ldb_next_request(module, req);
1388 }
1389
1390 static int acl_search_update_confidential_attrs(struct acl_context *ac,
1391 struct acl_private *data)
1392 {
1393 struct dsdb_attribute *a;
1394 uint32_t n = 0;
1395
1396 if ((ac->schema == data->cached_schema_ptr) &&
1397 (ac->schema->loaded_usn == data->cached_schema_loaded_usn) &&
1398 (ac->schema->metadata_usn == data->cached_schema_metadata_usn))
1399 {
1400 return LDB_SUCCESS;
1401 }
1402
1403 data->cached_schema_ptr = NULL;
1404 data->cached_schema_loaded_usn = 0;
1405 data->cached_schema_metadata_usn = 0;
1406 TALLOC_FREE(data->confidential_attrs);
1407
1408 if (ac->schema == NULL) {
1409 return LDB_SUCCESS;
1410 }
1411
1412 for (a = ac->schema->attributes; a; a = a->next) {
1413 const char **attrs = data->confidential_attrs;
1414
1415 if (!(a->searchFlags & SEARCH_FLAG_CONFIDENTIAL)) {
1416 continue;
1417 }
1418
1419 attrs = talloc_realloc(data, attrs, const char *, n + 2);
1420 if (attrs == NULL) {
1421 TALLOC_FREE(data->confidential_attrs);
1422 return ldb_module_oom(ac->module);
1423 }
1424
1425 attrs[n] = a->lDAPDisplayName;
1426 attrs[n+1] = NULL;
1427 n++;
1428
1429 data->confidential_attrs = attrs;
1430 }
1431
1432 data->cached_schema_ptr = ac->schema;
1433 data->cached_schema_loaded_usn = ac->schema->loaded_usn;
1434 data->cached_schema_metadata_usn = ac->schema->metadata_usn;
1435
1436 return LDB_SUCCESS;
1437 }
1438
1439 static int acl_search_callback(struct ldb_request *req, struct ldb_reply *ares)
1440 {
1441 struct acl_context *ac;
1442 struct acl_private *data;
1443 struct ldb_result *acl_res;
1444 static const char *acl_attrs[] = {
1445 "objectClass",
1446 "nTSecurityDescriptor",
1447 "objectSid",
1448 NULL
1449 };
1450 int ret;
1451 unsigned int i;
1452
1453 ac = talloc_get_type(req->context, struct acl_context);
1454 data = talloc_get_type(ldb_module_get_private(ac->module), struct acl_private);
1455 if (!ares) {
1456 return ldb_module_done(ac->req, NULL, NULL,
1457 LDB_ERR_OPERATIONS_ERROR);
1458 }
1459 if (ares->error != LDB_SUCCESS) {
1460 return ldb_module_done(ac->req, ares->controls,
1461 ares->response, ares->error);
1462 }
1463
1464 switch (ares->type) {
1465 case LDB_REPLY_ENTRY:
1466 if (ac->constructed_attrs) {
1467 ret = dsdb_module_search_dn(ac->module, ac, &acl_res, ares->message->dn,
1468 acl_attrs,
1469 DSDB_FLAG_NEXT_MODULE |
1470 DSDB_FLAG_AS_SYSTEM |
1471 DSDB_SEARCH_SHOW_RECYCLED,
1472 req);
1473 if (ret != LDB_SUCCESS) {
1474 return ldb_module_done(ac->req, NULL, NULL, ret);
1475 }
1476 }
1477
1478 if (ac->allowedAttributes || ac->allowedAttributesEffective) {
1479 ret = acl_allowedAttributes(ac->module, ac->schema,
1480 acl_res->msgs[0],
1481 ares->message, ac);
1482 if (ret != LDB_SUCCESS) {
1483 return ldb_module_done(ac->req, NULL, NULL, ret);
1484 }
1485 }
1486
1487 if (ac->allowedChildClasses) {
1488 ret = acl_childClasses(ac->module, ac->schema,
1489 acl_res->msgs[0],
1490 ares->message,
1491 "allowedChildClasses");
1492 if (ret != LDB_SUCCESS) {
1493 return ldb_module_done(ac->req, NULL, NULL, ret);
1494 }
1495 }
1496
1497 if (ac->allowedChildClassesEffective) {
1498 ret = acl_childClassesEffective(ac->module, ac->schema,
1499 acl_res->msgs[0],
1500 ares->message, ac);
1501 if (ret != LDB_SUCCESS) {
1502 return ldb_module_done(ac->req, NULL, NULL, ret);
1503 }
1504 }
1505
1506 if (ac->sDRightsEffective) {
1507 ret = acl_sDRightsEffective(ac->module,
1508 acl_res->msgs[0],
1509 ares->message, ac);
1510 if (ret != LDB_SUCCESS) {
1511 return ldb_module_done(ac->req, NULL, NULL, ret);
1512 }
1513 }
1514
1515 if (data == NULL) {
1516 return ldb_module_send_entry(ac->req, ares->message,
1517 ares->controls);
1518 }
1519
1520 if (ac->am_system) {
1521 return ldb_module_send_entry(ac->req, ares->message,
1522 ares->controls);
1523 }
1524
1525 if (data->password_attrs != NULL) {
1526 for (i = 0; data->password_attrs[i]; i++) {
1527 if ((!ac->userPassword) &&
1528 (ldb_attr_cmp(data->password_attrs[i],
1529 "userPassword") == 0))
1530 {
1531 continue;
1532 }
1533
1534 ldb_msg_remove_attr(ares->message, data->password_attrs[i]);
1535 }
1536 }
1537
1538 if (ac->am_administrator) {
1539 return ldb_module_send_entry(ac->req, ares->message,
1540 ares->controls);
1541 }
1542
1543 ret = acl_search_update_confidential_attrs(ac, data);
1544 if (ret != LDB_SUCCESS) {
1545 return ret;
1546 }
1547
1548 if (data->confidential_attrs != NULL) {
1549 for (i = 0; data->confidential_attrs[i]; i++) {
1550 ldb_msg_remove_attr(ares->message,
1551 data->confidential_attrs[i]);
1552 }
1553 }
1554
1555 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
1556
1557 case LDB_REPLY_REFERRAL:
1558 return ldb_module_send_referral(ac->req, ares->referral);
1559
1560 case LDB_REPLY_DONE:
1561 return ldb_module_done(ac->req, ares->controls,
1562 ares->response, LDB_SUCCESS);
1563
1564 }
1565 return LDB_SUCCESS;
1566 }
1567
1568 static int acl_search(struct ldb_module *module, struct ldb_request *req)
1569 {
1570 struct ldb_context *ldb;
1571 struct acl_context *ac;
1572 struct ldb_parse_tree *down_tree;
1573 struct ldb_request *down_req;
1574 struct acl_private *data;
1575 int ret;
1576 unsigned int i;
1577
1578 ldb = ldb_module_get_ctx(module);
1579
1580 ac = talloc_zero(req, struct acl_context);
1581 if (ac == NULL) {
1582 return ldb_oom(ldb);
1583 }
1584 data = talloc_get_type(ldb_module_get_private(module), struct acl_private);
1585
1586 ac->module = module;
1587 ac->req = req;
1588 ac->am_system = dsdb_module_am_system(module);
1589 ac->am_administrator = dsdb_module_am_administrator(module);
1590 ac->constructed_attrs = false;
1591 ac->modify_search = true;
1592 ac->allowedAttributes = ldb_attr_in_list(req->op.search.attrs, "allowedAttributes");
1593 ac->allowedAttributesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedAttributesEffective");
1594 ac->allowedChildClasses = ldb_attr_in_list(req->op.search.attrs, "allowedChildClasses");
1595 ac->allowedChildClassesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedChildClassesEffective");
1596 ac->sDRightsEffective = ldb_attr_in_list(req->op.search.attrs, "sDRightsEffective");
1597 ac->userPassword = dsdb_user_password_support(module, ac, req);
1598 ac->schema = dsdb_get_schema(ldb, ac);
1599
1600 ac->constructed_attrs |= ac->allowedAttributes;
1601 ac->constructed_attrs |= ac->allowedChildClasses;
1602 ac->constructed_attrs |= ac->allowedChildClassesEffective;
1603 ac->constructed_attrs |= ac->allowedAttributesEffective;
1604 ac->constructed_attrs |= ac->sDRightsEffective;
1605
1606 if (data == NULL) {
1607 ac->modify_search = false;
1608 }
1609 if (ac->am_system) {
1610 ac->modify_search = false;
1611 }
1612
1613 if (!ac->constructed_attrs && !ac->modify_search) {
1614 return ldb_next_request(module, req);
1615 }
1616
1617 ret = acl_search_update_confidential_attrs(ac, data);
1618 if (ret != LDB_SUCCESS) {
1619 return ret;
1620 }
1621
1622 down_tree = ldb_parse_tree_copy_shallow(ac, req->op.search.tree);
1623 if (down_tree == NULL) {
1624 return ldb_oom(ldb);
1625 }
1626
1627 if (!ac->am_system && data->password_attrs) {
1628 for (i = 0; data->password_attrs[i]; i++) {
1629 if ((!ac->userPassword) &&
1630 (ldb_attr_cmp(data->password_attrs[i],
1631 "userPassword") == 0))
1632 {
1633 continue;
1634 }
1635
1636 ldb_parse_tree_attr_replace(down_tree,
1637 data->password_attrs[i],
1638 "kludgeACLredactedattribute");
1639 }
1640 }
1641
1642 if (!ac->am_system && !ac->am_administrator && data->confidential_attrs) {
1643 for (i = 0; data->confidential_attrs[i]; i++) {
1644 ldb_parse_tree_attr_replace(down_tree,
1645 data->confidential_attrs[i],
1646 "kludgeACLredactedattribute");
1647 }
1648 }
1649
1650 ret = ldb_build_search_req_ex(&down_req,
1651 ldb, ac,
1652 req->op.search.base,
1653 req->op.search.scope,
1654 down_tree,
1655 req->op.search.attrs,
1656 req->controls,
1657 ac, acl_search_callback,
1658 req);
1659 LDB_REQ_SET_LOCATION(down_req);
1660 if (ret != LDB_SUCCESS) {
1661 return ret;
1662 }
1663 /* perform the search */
1664 return ldb_next_request(module, down_req);
1665 }
1666
1667 static int acl_extended(struct ldb_module *module, struct ldb_request *req)
1668 {
1669 struct ldb_context *ldb = ldb_module_get_ctx(module);
1670 struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
1671
1672 /* allow everybody to read the sequence number */
1673 if (strcmp(req->op.extended.oid,
1674 LDB_EXTENDED_SEQUENCE_NUMBER) == 0) {
1675 return ldb_next_request(module, req);
1676 }
1677
1678 if (dsdb_module_am_system(module) ||
1679 dsdb_module_am_administrator(module) || as_system) {
1680 return ldb_next_request(module, req);
1681 } else {
1682 ldb_asprintf_errstring(ldb,
1683 "acl_extended: "
1684 "attempted database modify not permitted. "
1685 "User %s is not SYSTEM or an administrator",
1686 acl_user_name(req, module));
1687 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
1688 }
1689 }
1690
1691 static const struct ldb_module_ops ldb_acl_module_ops = {
1692 .name = "acl",
1693 .search = acl_search,
1694 .add = acl_add,
1695 .modify = acl_modify,
1696 .del = acl_delete,
1697 .rename = acl_rename,
1698 .extended = acl_extended,
1699 .init_context = acl_module_init
1700 };
1701
1702 int ldb_acl_module_init(const char *version)
1703 {
1704 LDB_MODULE_CHECK_VERSION(version);
1705 return ldb_register_module(&ldb_acl_module_ops);
1706 }
reg import