search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fixed some major bugs in inheritance and access checks.
[Samba/gebeck_regimport.git] / source4 / libcli / security / create_descriptor.c
blobd5bc7cba402ceefa4fde17c13f330758b1f9191c
1 /*
2 Copyright (C) Nadezhda Ivanova 2009
3
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 3 of the License, or
7 (at your option) any later version.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program. If not, see <http://www.gnu.org/licenses/>.
16 */
17
18 /*
19 * Name: create_descriptor
20 *
21 * Component: routines for calculating and creating security descriptors
22 * as described in MS-DTYP 2.5.2.2
23 *
24 * Description:
25 *
26 *
27 * Author: Nadezhda Ivanova
28 */
29 #include "includes.h"
30 #include "libcli/security/security.h"
31 #include "librpc/gen_ndr/ndr_security.h"
32
33 /* Todos:
34 * build the security token dacl as follows:
35 * SYSTEM: GA, OWNER: GA, LOGIN_SID:GW|GE
36 * Need session id information for the login SID. Probably
37 * the best place for this is during token creation
38 *
39 * Implement SD Invariants
40 * ACE sorting rules
41 * LDAP_SERVER_SD_FLAGS_OID control
42 * ADTS 7.1.3.3 needs to be clarified
43 */
44
45 /* the mapping function for generic rights for DS.(GA,GR,GW,GX)
46 * The mapping function is passed as an argument to the
47 * descriptor calculating routine and depends on the security
48 * manager that calls the calculating routine.
49 * TODO: need similar mappings for the file system and
50 * registry security managers in order to make this code
51 * generic for all security managers
52 */
53
54 uint32_t map_generic_rights_ds(uint32_t access_mask)
55 {
56 if (access_mask & SEC_GENERIC_ALL){
57 access_mask |= SEC_ADS_GENERIC_ALL;
58 access_mask = ~SEC_GENERIC_ALL;
59 }
60
61 if (access_mask & SEC_GENERIC_EXECUTE){
62 access_mask |= SEC_ADS_GENERIC_EXECUTE;
63 access_mask = ~SEC_GENERIC_EXECUTE;
64 }
65
66 if (access_mask & SEC_GENERIC_WRITE){
67 access_mask |= SEC_ADS_GENERIC_WRITE;
68 access_mask &= ~SEC_GENERIC_WRITE;
69 }
70
71 if (access_mask & SEC_GENERIC_READ){
72 access_mask |= SEC_ADS_GENERIC_READ;
73 access_mask &= ~SEC_GENERIC_READ;
74 }
75
76 return access_mask;
77 }
78
79 /* Not sure what this has to be,
80 * and it does not seem to have any influence */
81 static bool object_in_list(struct GUID *object_list, struct GUID *object)
82 {
83 return true;
84 }
85
86
87 static bool contains_inheritable_aces(struct security_acl *acl)
88 {
89 int i;
90 if (!acl)
91 return false;
92
93 for (i=0; i < acl->num_aces; i++) {
94 struct security_ace *ace = &acl->aces[i];
95 if ((ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) ||
96 (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT))
97 return true;
98 }
99
100 return false;
101 }
102
103 static struct security_acl *preprocess_creator_acl(TALLOC_CTX *mem, struct security_acl *acl)
104 {
105 int i;
106 struct security_acl *new_acl;
107 if (!acl) {
108 return NULL;
109 }
110
111 new_acl = talloc_zero(mem, struct security_acl);
112
113 for (i=0; i < acl->num_aces; i++) {
114 struct security_ace *ace = &acl->aces[i];
115 if (!(ace->flags & SEC_ACE_FLAG_INHERITED_ACE)){
116 new_acl->aces = talloc_realloc(new_acl, new_acl->aces, struct security_ace,
117 new_acl->num_aces+1);
118 if (new_acl->aces == NULL) {
119 talloc_free(new_acl);
120 return NULL;
121 }
122 new_acl->aces[new_acl->num_aces] = *ace;
123 new_acl->num_aces++;
124 }
125 }
126 if (new_acl)
127 new_acl->revision = acl->revision;
128
129 return new_acl;
130 }
131
132 /* This is not exactly as described in the docs. The original seemed to return
133 * only a list of the inherited or flagless ones... */
134
135 static bool postprocess_acl(struct security_acl *acl,
136 struct dom_sid *owner,
137 struct dom_sid *group,
138 uint32_t (*generic_map)(uint32_t access_mask))
139 {
140 int i;
141 struct dom_sid *co, *cg;
142 TALLOC_CTX *tmp_ctx = talloc_new(acl);
143 if (!generic_map){
144 return false;
145 }
146 co = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_OWNER);
147 cg = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_GROUP);
148 for (i=0; i < acl->num_aces; i++) {
149 struct security_ace *ace = &acl->aces[i];
150 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY)
151 continue;
152 if (dom_sid_equal(&ace->trustee, co)){
153 ace->trustee = *owner;
154 /* perhaps this should be done somewhere else? */
155 ace->flags &= ~SEC_ACE_FLAG_CONTAINER_INHERIT;
156 }
157 if (dom_sid_equal(&ace->trustee, cg)){
158 ace->trustee = *group;
159 ace->flags &= ~SEC_ACE_FLAG_CONTAINER_INHERIT;
160 }
161 ace->access_mask = generic_map(ace->access_mask);
162 }
163
164 talloc_free(tmp_ctx);
165 return true;
166 }
167
168 static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
169 struct security_acl *acl,
170 bool is_container,
171 struct GUID *object_list)
172 {
173 int i;
174 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
175 struct security_acl *tmp_acl = talloc_zero(tmp_ctx, struct security_acl);
176 struct security_acl *inh_acl = talloc_zero(tmp_ctx, struct security_acl);
177 struct security_acl *new_acl;
178 struct dom_sid *co, *cg;
179 if (!tmp_acl || !inh_acl)
180 return NULL;
181
182 co = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_OWNER);
183 cg = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_GROUP);
184
185 for (i=0; i < acl->num_aces; i++){
186 struct security_ace *ace = &acl->aces[i];
187 if ((ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) ||
188 (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) {
189 tmp_acl->aces = talloc_realloc(tmp_acl, tmp_acl->aces, struct security_ace,
190 tmp_acl->num_aces+1);
191 if (tmp_acl->aces == NULL) {
192 talloc_free(tmp_ctx);
193 return NULL;
194 }
195
196 tmp_acl->aces[tmp_acl->num_aces] = *ace;
197 tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERITED_ACE;
198
199 if (is_container && (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT))
200 tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY;
201
202 if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
203 ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT){
204 if (!object_in_list(object_list, &ace->object.object.type.type)){
205 tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY;
206 }
207
208 }
209 tmp_acl->num_aces++;
210 }
211 }
212
213 if (is_container) {
214 for (i=0; i < acl->num_aces; i++){
215 struct security_ace *ace = &acl->aces[i];
216
217 if (ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT)
218 continue;
219 if (!dom_sid_equal(&ace->trustee, co) && !dom_sid_equal(&ace->trustee, cg))
220 continue;
221
222 if ((ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) ||
223 (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)){
224 inh_acl->aces = talloc_realloc(inh_acl, inh_acl->aces, struct security_ace,
225 inh_acl->num_aces+1);
226 if (inh_acl->aces == NULL){
227 talloc_free(tmp_ctx);
228 return NULL;
229 }
230 inh_acl->aces[inh_acl->num_aces] = *ace;
231 inh_acl->aces[inh_acl->num_aces].flags &= ~SEC_ACE_FLAG_INHERIT_ONLY;
232 inh_acl->aces[inh_acl->num_aces].flags |= SEC_ACE_FLAG_INHERITED_ACE;
233 inh_acl->num_aces++;
234 }
235 }
236 }
237 new_acl = security_acl_concatenate(mem_ctx, inh_acl, tmp_acl);
238 if (new_acl)
239 new_acl->revision = acl->revision;
240 talloc_free(tmp_ctx);
241 return new_acl;
242 }
243
244 /* In the docs this looks == calculate_inherited_from_parent. However,
245 * It shouldn't return the inherited, rather filter them out....
246 */
247 static struct security_acl *calculate_inherited_from_creator(TALLOC_CTX *mem_ctx,
248 struct security_acl *acl,
249 bool is_container,
250 struct GUID *object_list)
251 {
252 int i;
253 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
254 struct security_acl *tmp_acl = talloc_zero(tmp_ctx, struct security_acl);
255 struct security_acl *new_acl;
256 struct dom_sid *co, *cg;
257
258 if (!tmp_acl)
259 return NULL;
260
261 tmp_acl->revision = acl->revision;
262 DEBUG(6,(__location__ ": acl revision %u\n", acl->revision));
263
264 co = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_OWNER);
265 cg = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_GROUP);
266
267 for (i=0; i < acl->num_aces; i++){
268 struct security_ace *ace = &acl->aces[i];
269 if (ace->flags & SEC_ACE_FLAG_INHERITED_ACE)
270 continue;
271
272 tmp_acl->aces = talloc_realloc(tmp_acl, tmp_acl->aces, struct security_ace,
273 tmp_acl->num_aces+1);
274 tmp_acl->aces[tmp_acl->num_aces] = *ace;
275 tmp_acl->num_aces++;
276
277 if (!dom_sid_equal(&ace->trustee, co) && !dom_sid_equal(&ace->trustee, cg))
278 continue;
279
280 tmp_acl->aces = talloc_realloc(tmp_acl, tmp_acl->aces, struct security_ace,
281 tmp_acl->num_aces+1);
282 tmp_acl->aces[tmp_acl->num_aces] = *ace;
283 tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY;
284 tmp_acl->num_aces++;
285 }
286 new_acl = security_acl_dup(mem_ctx,tmp_acl);
287
288 if (new_acl)
289 new_acl->revision = acl->revision;
290
291 talloc_free(tmp_ctx);
292 return new_acl;
293 }
294
295 static void cr_descr_log_descriptor(struct security_descriptor *sd,
296 const char *message,
297 int level)
298 {
299 if (sd) {
300 DEBUG(level,("%s: %s\n", message,
301 ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_descriptor,
302 "", sd)));
303 }
304 else {
305 DEBUG(level,("%s: NULL\n", message));
306 }
307 }
308
309 static void cr_descr_log_acl(struct security_acl *acl,
310 const char *message,
311 int level)
312 {
313 if (acl) {
314 DEBUG(level,("%s: %s\n", message,
315 ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_acl,
316 "", acl)));
317 }
318 else {
319 DEBUG(level,("%s: NULL\n", message));
320 }
321 }
322
323 static bool compute_acl(int acl_type,
324 struct security_descriptor *parent_sd,
325 struct security_descriptor *creator_sd,
326 bool is_container,
327 uint32_t inherit_flags,
328 struct GUID *object_list,
329 uint32_t (*generic_map)(uint32_t access_mask),
330 struct security_token *token,
331 struct security_descriptor *new_sd) /* INOUT argument */
332 {
333 struct security_acl *p_acl = NULL, *c_acl = NULL, **new_acl;
334 int level = 10;
335 if (acl_type == SEC_DESC_DACL_PRESENT){
336 if (parent_sd)
337 p_acl = parent_sd->dacl;
338 if (creator_sd)
339 c_acl = creator_sd->dacl;
340 new_acl = &new_sd->dacl;
341 }
342 else{
343 if (parent_sd)
344 p_acl = parent_sd->sacl;
345 if (creator_sd)
346 c_acl = creator_sd->sacl;
347 new_acl = &new_sd->sacl;
348 }
349
350 cr_descr_log_descriptor(parent_sd, __location__"parent_sd", level);
351 cr_descr_log_descriptor(creator_sd,__location__ "creator_sd", level);
352
353 if (contains_inheritable_aces(p_acl)){
354 if (!c_acl || (c_acl && inherit_flags & SEC_DEFAULT_DESCRIPTOR)){
355 *new_acl = calculate_inherited_from_parent(new_sd,
356 p_acl,
357 is_container,
358 object_list);
359 if (*new_acl == NULL)
360 goto final;
361 if (acl_type == SEC_DESC_DACL_PRESENT && new_sd->dacl)
362 new_sd->type |= SEC_DESC_DACL_AUTO_INHERITED;
363
364 if (acl_type == SEC_DESC_SACL_PRESENT && new_sd->sacl)
365 new_sd->type |= SEC_DESC_SACL_AUTO_INHERITED;
366
367 if (!postprocess_acl(*new_acl, new_sd->owner_sid,
368 new_sd->group_sid, generic_map))
369 return false;
370 else {
371 cr_descr_log_descriptor(new_sd,
372 __location__": Nothing from creator, newsd is", level);
373 goto final;
374 }
375 }
376 if (c_acl && !(inherit_flags & SEC_DEFAULT_DESCRIPTOR)){
377 struct security_acl *pr_acl = NULL, *tmp_acl = NULL, *tpr_acl = NULL;
378 tpr_acl = preprocess_creator_acl(new_sd, c_acl);
379 tmp_acl = calculate_inherited_from_creator(new_sd,
380 tpr_acl,
381 is_container,
382 object_list);
383
384 cr_descr_log_acl(tmp_acl, __location__"Inherited from creator", level);
385 /* Todo some refactoring here! */
386 if (acl_type == SEC_DESC_DACL_PRESENT &&
387 !(creator_sd->type & SEC_DESC_DACL_PROTECTED) &&
388 (inherit_flags & SEC_DACL_AUTO_INHERIT)) {
389 pr_acl = calculate_inherited_from_parent(new_sd,
390 p_acl,
391 is_container,
392 object_list);
393 cr_descr_log_acl(pr_acl, __location__"Inherited from parent", level);
394 new_sd->type |= SEC_DESC_DACL_AUTO_INHERITED;
395 }
396 else if (acl_type == SEC_DESC_SACL_PRESENT &&
397 !(creator_sd->type & SEC_DESC_SACL_PROTECTED) &&
398 (inherit_flags & SEC_SACL_AUTO_INHERIT)){
399 pr_acl = calculate_inherited_from_parent(new_sd,
400 p_acl,
401 is_container,
402 object_list);
403 cr_descr_log_acl(pr_acl, __location__"Inherited from parent", level);
404 new_sd->type |= SEC_DESC_SACL_AUTO_INHERITED;
405 }
406 *new_acl = security_acl_concatenate(new_sd, tmp_acl, pr_acl);
407 }
408 if (*new_acl == NULL)
409 goto final;
410 if (!postprocess_acl(*new_acl, new_sd->owner_sid,
411 new_sd->group_sid,generic_map))
412 return false;
413 else
414 goto final;
415 }
416 else{
417 *new_acl = preprocess_creator_acl(new_sd,c_acl);
418 if (*new_acl == NULL)
419 goto final;
420 if (!postprocess_acl(*new_acl, new_sd->owner_sid,
421 new_sd->group_sid,generic_map))
422 return false;
423 else
424 goto final;
425 }
426 final:
427 if (acl_type == SEC_DESC_DACL_PRESENT && new_sd->dacl)
428 new_sd->type |= SEC_DESC_DACL_PRESENT;
429
430 if (acl_type == SEC_DESC_SACL_PRESENT && new_sd->sacl)
431 new_sd->type |= SEC_DESC_SACL_PRESENT;
432 /* This is a hack to handle the fact that
433 * apprantly any AI flag provided by the user is preserved */
434 if (creator_sd)
435 new_sd->type |= creator_sd->type;
436 cr_descr_log_descriptor(new_sd, __location__"final sd", level);
437 return true;
438 }
439
440 struct security_descriptor *create_security_descriptor(TALLOC_CTX *mem_ctx,
441 struct security_descriptor *parent_sd,
442 struct security_descriptor *creator_sd,
443 bool is_container,
444 struct GUID *object_list,
445 uint32_t inherit_flags,
446 struct security_token *token,
447 struct dom_sid *default_owner, /* valid only for DS, NULL for the other RSs */
448 struct dom_sid *default_group, /* valid only for DS, NULL for the other RSs */
449 uint32_t (*generic_map)(uint32_t access_mask))
450 {
451 struct security_descriptor *new_sd;
452 struct dom_sid *new_owner = NULL;
453 struct dom_sid *new_group = NULL;
454
455 new_sd = security_descriptor_initialise(mem_ctx);
456 if (!new_sd) {
457 return NULL;
458 }
459
460 if (!creator_sd || !creator_sd->owner_sid) {
461 if ((inherit_flags & SEC_OWNER_FROM_PARENT) && parent_sd) {
462 new_owner = parent_sd->owner_sid;
463 } else if (!default_owner) {
464 new_owner = token->user_sid;
465 } else {
466 new_owner = default_owner;
467 new_sd->type |= SEC_DESC_OWNER_DEFAULTED;
468 }
469 } else {
470 new_owner = creator_sd->owner_sid;
471 }
472
473 if (!creator_sd || !creator_sd->group_sid){
474 if ((inherit_flags & SEC_GROUP_FROM_PARENT) && parent_sd) {
475 new_group = parent_sd->group_sid;
476 } else if (!default_group) {
477 new_group = token->group_sid;
478 } else {
479 new_group = default_group;
480 new_sd->type |= SEC_DESC_GROUP_DEFAULTED;
481 }
482 } else {
483 new_group = creator_sd->group_sid;
484 }
485
486 new_sd->owner_sid = talloc_memdup(new_sd, new_owner, sizeof(struct dom_sid));
487 new_sd->group_sid = talloc_memdup(new_sd, new_group, sizeof(struct dom_sid));
488 if (!new_sd->owner_sid || !new_sd->group_sid){
489 talloc_free(new_sd);
490 return NULL;
491 }
492
493 if (!compute_acl(SEC_DESC_DACL_PRESENT, parent_sd, creator_sd,
494 is_container, inherit_flags, object_list,
495 generic_map,token,new_sd)){
496 talloc_free(new_sd);
497 return NULL;
498 }
499
500 if (!compute_acl(SEC_DESC_SACL_PRESENT, parent_sd, creator_sd,
501 is_container, inherit_flags, object_list,
502 generic_map, token,new_sd)){
503 talloc_free(new_sd);
504 return NULL;
505 }
506
507 return new_sd;
508 }
reg import