search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dsdb: read acl, sd can be null and ret == LDB_SUCCESS
[Samba/gebeck_regimport.git] / source4 / dsdb / samdb / ldb_modules / acl_read.c
blobcde6d11c75bd07d4f6dd032e9f01d2b8e78eb2a9
1 /*
2 ldb database library
3
4 Copyright (C) Simo Sorce 2006-2008
5 Copyright (C) Nadezhda Ivanova 2010
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 /*
22 * Name: ldb
23 *
24 * Component: ldb ACL Read module
25 *
26 * Description: Module that performs authorisation access checks on read requests
27 * Only DACL checks implemented at this point
28 *
29 * Author: Nadezhda Ivanova
30 */
31
32 #include "includes.h"
33 #include "ldb_module.h"
34 #include "auth/auth.h"
35 #include "libcli/security/security.h"
36 #include "dsdb/samdb/samdb.h"
37 #include "librpc/gen_ndr/ndr_security.h"
38 #include "param/param.h"
39 #include "dsdb/samdb/ldb_modules/util.h"
40
41
42 struct aclread_context {
43 struct ldb_module *module;
44 struct ldb_request *req;
45 const char * const *attrs;
46 const struct dsdb_schema *schema;
47 bool sd;
48 bool instance_type;
49 bool object_sid;
50 };
51
52 struct aclread_private {
53 bool enabled;
54 };
55
56 static void aclread_mark_inaccesslible(struct ldb_message_element *el) {
57 el->flags |= LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE;
58 }
59
60 static bool aclread_is_inaccessible(struct ldb_message_element *el) {
61 return el->flags & LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE;
62 }
63
64 static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
65 {
66 struct ldb_context *ldb;
67 struct aclread_context *ac;
68 struct ldb_message *ret_msg;
69 struct ldb_message *msg;
70 int ret, num_of_attrs = 0;
71 unsigned int i, k = 0;
72 struct security_descriptor *sd;
73 struct dom_sid *sid = NULL;
74 TALLOC_CTX *tmp_ctx;
75 uint32_t instanceType;
76
77 ac = talloc_get_type(req->context, struct aclread_context);
78 ldb = ldb_module_get_ctx(ac->module);
79 if (!ares) {
80 return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR );
81 }
82 if (ares->error != LDB_SUCCESS) {
83 return ldb_module_done(ac->req, ares->controls,
84 ares->response, ares->error);
85 }
86 tmp_ctx = talloc_new(ac);
87 switch (ares->type) {
88 case LDB_REPLY_ENTRY:
89 msg = ares->message;
90 ret = dsdb_get_sd_from_ldb_message(ldb, tmp_ctx, msg, &sd);
91 if (ret != LDB_SUCCESS || sd == NULL ) {
92 DEBUG(10, ("acl_read: cannot get descriptor\n"));
93 ret = LDB_ERR_OPERATIONS_ERROR;
94 goto fail;
95 }
96 sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
97 /* get the object instance type */
98 instanceType = ldb_msg_find_attr_as_uint(msg,
99 "instanceType", 0);
100 if (!ldb_dn_is_null(msg->dn) && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
101 {
102 /* the object has a parent, so we have to check for visibility */
103 struct ldb_dn *parent_dn = ldb_dn_get_parent(tmp_ctx, msg->dn);
104 ret = dsdb_module_check_access_on_dn(ac->module,
105 tmp_ctx,
106 parent_dn,
107 SEC_ADS_LIST,
108 NULL, req);
109 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
110 talloc_free(tmp_ctx);
111 return LDB_SUCCESS;
112 } else if (ret != LDB_SUCCESS) {
113 goto fail;
114 }
115 }
116 /* for every element in the message check RP */
117 for (i=0; i < msg->num_elements; i++) {
118 const struct dsdb_attribute *attr;
119 bool is_sd, is_objectsid, is_instancetype;
120 uint32_t access_mask;
121 attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
122 msg->elements[i].name);
123 if (!attr) {
124 DEBUG(2, ("acl_read: cannot find attribute %s in schema\n",
125 msg->elements[i].name));
126 ret = LDB_ERR_OPERATIONS_ERROR;
127 goto fail;
128 }
129 is_sd = ldb_attr_cmp("nTSecurityDescriptor",
130 msg->elements[i].name) == 0;
131 is_objectsid = ldb_attr_cmp("objectSid",
132 msg->elements[i].name) == 0;
133 is_instancetype = ldb_attr_cmp("instanceType",
134 msg->elements[i].name) == 0;
135 /* these attributes were added to perform access checks and must be removed */
136 if (is_objectsid && ac->object_sid) {
137 aclread_mark_inaccesslible(&msg->elements[i]);
138 continue;
139 }
140 if (is_instancetype && ac->instance_type) {
141 aclread_mark_inaccesslible(&msg->elements[i]);
142 continue;
143 }
144 if (is_sd && ac->sd) {
145 aclread_mark_inaccesslible(&msg->elements[i]);
146 continue;
147 }
148 /* nTSecurityDescriptor is a special case */
149 if (is_sd) {
150 access_mask = SEC_FLAG_SYSTEM_SECURITY|SEC_STD_READ_CONTROL;
151 } else {
152 access_mask = SEC_ADS_READ_PROP;
153 }
154 ret = acl_check_access_on_attribute(ac->module,
155 tmp_ctx,
156 sd,
157 sid,
158 access_mask,
159 attr);
160
161 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
162 /* do not return this entry if attribute is
163 part of the search filter */
164 if (dsdb_attr_in_parse_tree(ac->req->op.search.tree,
165 msg->elements[i].name)) {
166 talloc_free(tmp_ctx);
167 return LDB_SUCCESS;
168 }
169 aclread_mark_inaccesslible(&msg->elements[i]);
170 } else if (ret != LDB_SUCCESS) {
171 goto fail;
172 }
173 }
174 for (i=0; i < msg->num_elements; i++) {
175 if (!aclread_is_inaccessible(&msg->elements[i])) {
176 num_of_attrs++;
177 }
178 }
179 /*create a new message to return*/
180 ret_msg = ldb_msg_new(ac->req);
181 ret_msg->dn = msg->dn;
182 talloc_steal(ret_msg, msg->dn);
183 ret_msg->num_elements = num_of_attrs;
184 if (num_of_attrs > 0) {
185 ret_msg->elements = talloc_array(ret_msg,
186 struct ldb_message_element,
187 num_of_attrs);
188 if (ret_msg->elements == NULL) {
189 return ldb_oom(ldb);
190 }
191 for (i=0; i < msg->num_elements; i++) {
192 bool to_remove = aclread_is_inaccessible(&msg->elements[i]);
193 if (!to_remove) {
194 ret_msg->elements[k] = msg->elements[i];
195 talloc_steal(ret_msg->elements, msg->elements[i].name);
196 talloc_steal(ret_msg->elements, msg->elements[i].values);
197 k++;
198 }
199 }
200 } else {
201 ret_msg->elements = NULL;
202 }
203 talloc_free(tmp_ctx);
204
205 return ldb_module_send_entry(ac->req, ret_msg, ares->controls);
206 case LDB_REPLY_REFERRAL:
207 return ldb_module_send_referral(ac->req, ares->referral);
208 case LDB_REPLY_DONE:
209 return ldb_module_done(ac->req, ares->controls,
210 ares->response, LDB_SUCCESS);
211
212 }
213 return LDB_SUCCESS;
214 fail:
215 talloc_free(tmp_ctx);
216 return ldb_module_done(ac->req, NULL, NULL, ret);
217 }
218
219
220 static int aclread_search(struct ldb_module *module, struct ldb_request *req)
221 {
222 struct ldb_context *ldb;
223 int ret;
224 struct aclread_context *ac;
225 struct ldb_request *down_req;
226 struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
227 struct ldb_result *res;
228 struct aclread_private *p;
229 bool is_untrusted = ldb_req_is_untrusted(req);
230 const char * const *attrs = NULL;
231 uint32_t instanceType;
232 static const char *acl_attrs[] = {
233 "instanceType",
234 NULL
235 };
236
237 ldb = ldb_module_get_ctx(module);
238 p = talloc_get_type(ldb_module_get_private(module), struct aclread_private);
239
240 /* skip access checks if we are system or system control is supplied
241 * or this is not LDAP server request */
242 if (!p || !p->enabled ||
243 dsdb_module_am_system(module)
244 || as_system || !is_untrusted) {
245 return ldb_next_request(module, req);
246 }
247 /* no checks on special dn */
248 if (ldb_dn_is_special(req->op.search.base)) {
249 return ldb_next_request(module, req);
250 }
251
252 /* check accessibility of base */
253 if (!ldb_dn_is_null(req->op.search.base)) {
254 ret = dsdb_module_search_dn(module, req, &res, req->op.search.base,
255 acl_attrs,
256 DSDB_FLAG_NEXT_MODULE |
257 DSDB_SEARCH_SHOW_DELETED, req);
258 if (ret != LDB_SUCCESS) {
259 return ldb_error(ldb, ret,
260 "acl_read: Error retrieving instanceType for base.");
261 }
262 instanceType = ldb_msg_find_attr_as_uint(res->msgs[0],
263 "instanceType", 0);
264 if (instanceType != 0 && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
265 {
266 /* the object has a parent, so we have to check for visibility */
267 struct ldb_dn *parent_dn = ldb_dn_get_parent(req, req->op.search.base);
268 ret = dsdb_module_check_access_on_dn(module,
269 req,
270 parent_dn,
271 SEC_ADS_LIST,
272 NULL, req);
273 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
274 return ldb_module_done(req, NULL, NULL, LDB_ERR_NO_SUCH_OBJECT);
275 } else if (ret != LDB_SUCCESS) {
276 return ldb_module_done(req, NULL, NULL, ret);
277 }
278 }
279 }
280 ac = talloc_zero(req, struct aclread_context);
281 if (ac == NULL) {
282 return ldb_oom(ldb);
283 }
284 ac->module = module;
285 ac->req = req;
286 ac->schema = dsdb_get_schema(ldb, req);
287 if (!ac->schema) {
288 return ldb_operr(ldb);
289 }
290 ac->sd = !(ldb_attr_in_list(req->op.search.attrs, "nTSecurityDescriptor"));
291 if (req->op.search.attrs && !ldb_attr_in_list(req->op.search.attrs, "*")) {
292 if (!ldb_attr_in_list(req->op.search.attrs, "instanceType")) {
293 ac->instance_type = true;
294 attrs = ldb_attr_list_copy_add(ac, req->op.search.attrs, "instanceType");
295 } else {
296 attrs = req->op.search.attrs;
297 }
298 if (!ldb_attr_in_list(req->op.search.attrs, "objectSid")) {
299 ac->object_sid = true;
300 attrs = ldb_attr_list_copy_add(ac, attrs, "objectSid");
301 }
302 }
303
304 if (ac->sd) {
305 /* avoid replacing all attributes with nTSecurityDescriptor
306 * if attribute list is empty */
307 if (!attrs) {
308 attrs = ldb_attr_list_copy_add(ac, attrs, "*");
309 }
310 attrs = ldb_attr_list_copy_add(ac, attrs, "nTSecurityDescriptor");
311 }
312 ac->attrs = req->op.search.attrs;
313 ret = ldb_build_search_req_ex(&down_req,
314 ldb, ac,
315 req->op.search.base,
316 req->op.search.scope,
317 req->op.search.tree,
318 attrs,
319 req->controls,
320 ac, aclread_callback,
321 req);
322
323 if (ret != LDB_SUCCESS) {
324 return LDB_ERR_OPERATIONS_ERROR;
325 }
326
327 return ldb_next_request(module, down_req);
328 }
329
330 static int aclread_init(struct ldb_module *module)
331 {
332 struct ldb_context *ldb = ldb_module_get_ctx(module);
333 struct aclread_private *p = talloc_zero(module, struct aclread_private);
334 if (p == NULL) {
335 return ldb_module_oom(module);
336 }
337 p->enabled = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"), NULL, "acl", "search", false);
338 ldb_module_set_private(module, p);
339 return ldb_next_init(module);
340 }
341
342 static const struct ldb_module_ops ldb_aclread_module_ops = {
343 .name = "aclread",
344 .search = aclread_search,
345 .init_context = aclread_init
346 };
347
348 int ldb_aclread_module_init(const char *version)
349 {
350 LDB_MODULE_CHECK_VERSION(version);
351 return ldb_register_module(&ldb_aclread_module_ops);
352 }
reg import