search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
librpc: Shorten dcerpc_binding_handle_call a bit
[Samba/gebeck_regimport.git] / source4 / dsdb / samdb / ldb_modules / acl_util.c
blob1f64ab18658621db220483aff31abfea70342015
1 /*
2 ACL utility functions
3
4 Copyright (C) Nadezhda Ivanova 2010
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /*
21 * Name: acl_util
22 *
23 * Component: ldb ACL modules
24 *
25 * Description: Some auxiliary functions used for access checking
26 *
27 * Author: Nadezhda Ivanova
28 */
29 #include "includes.h"
30 #include "ldb_module.h"
31 #include "auth/auth.h"
32 #include "libcli/security/security.h"
33 #include "dsdb/samdb/samdb.h"
34 #include "librpc/gen_ndr/ndr_security.h"
35 #include "param/param.h"
36 #include "dsdb/samdb/ldb_modules/util.h"
37
38 struct security_token *acl_user_token(struct ldb_module *module)
39 {
40 struct ldb_context *ldb = ldb_module_get_ctx(module);
41 struct auth_session_info *session_info
42 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
43 if(!session_info) {
44 return NULL;
45 }
46 return session_info->security_token;
47 }
48
49 /* performs an access check from inside the module stack
50 * given the dn of the object to be checked, the required access
51 * guid is either the guid of the extended right, or NULL
52 */
53
54 int dsdb_module_check_access_on_dn(struct ldb_module *module,
55 TALLOC_CTX *mem_ctx,
56 struct ldb_dn *dn,
57 uint32_t access_mask,
58 const struct GUID *guid,
59 struct ldb_request *parent)
60 {
61 int ret;
62 struct ldb_result *acl_res;
63 static const char *acl_attrs[] = {
64 "nTSecurityDescriptor",
65 "objectSid",
66 NULL
67 };
68 struct ldb_context *ldb = ldb_module_get_ctx(module);
69 struct auth_session_info *session_info
70 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
71 if(!session_info) {
72 return ldb_operr(ldb);
73 }
74 ret = dsdb_module_search_dn(module, mem_ctx, &acl_res, dn,
75 acl_attrs,
76 DSDB_FLAG_NEXT_MODULE |
77 DSDB_FLAG_AS_SYSTEM |
78 DSDB_SEARCH_SHOW_RECYCLED,
79 parent);
80 if (ret != LDB_SUCCESS) {
81 ldb_asprintf_errstring(ldb_module_get_ctx(module),
82 "access_check: failed to find object %s\n",
83 ldb_dn_get_linearized(dn));
84 return ret;
85 }
86 return dsdb_check_access_on_dn_internal(ldb, acl_res,
87 mem_ctx,
88 session_info->security_token,
89 dn,
90 access_mask,
91 guid);
92 }
93
94 int acl_check_access_on_attribute(struct ldb_module *module,
95 TALLOC_CTX *mem_ctx,
96 struct security_descriptor *sd,
97 struct dom_sid *rp_sid,
98 uint32_t access_mask,
99 const struct dsdb_attribute *attr,
100 const struct dsdb_class *objectclass)
101 {
102 int ret;
103 NTSTATUS status;
104 uint32_t access_granted;
105 struct object_tree *root = NULL;
106 struct object_tree *new_node = NULL;
107 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
108 struct security_token *token = acl_user_token(module);
109
110 if (!insert_in_object_tree(tmp_ctx,
111 &objectclass->schemaIDGUID,
112 access_mask, NULL,
113 &root)) {
114 DEBUG(10, ("acl_search: cannot add to object tree class schemaIDGUID\n"));
115 goto fail;
116 }
117 new_node = root;
118
119 if (!GUID_all_zero(&attr->attributeSecurityGUID)) {
120 if (!insert_in_object_tree(tmp_ctx,
121 &attr->attributeSecurityGUID,
122 access_mask, new_node,
123 &new_node)) {
124 DEBUG(10, ("acl_search: cannot add to object tree securityGUID\n"));
125 goto fail;
126 }
127 }
128
129 if (!insert_in_object_tree(tmp_ctx,
130 &attr->schemaIDGUID,
131 access_mask, new_node,
132 &new_node)) {
133 DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
134 goto fail;
135 }
136
137 status = sec_access_check_ds(sd, token,
138 access_mask,
139 &access_granted,
140 root,
141 rp_sid);
142 if (!NT_STATUS_IS_OK(status)) {
143 ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
144 }
145 else {
146 ret = LDB_SUCCESS;
147 }
148 talloc_free(tmp_ctx);
149 return ret;
150 fail:
151 talloc_free(tmp_ctx);
152 return ldb_operr(ldb_module_get_ctx(module));
153 }
154
155 int acl_check_access_on_objectclass(struct ldb_module *module,
156 TALLOC_CTX *mem_ctx,
157 struct security_descriptor *sd,
158 struct dom_sid *rp_sid,
159 uint32_t access_mask,
160 const struct dsdb_class *objectclass)
161 {
162 int ret;
163 NTSTATUS status;
164 uint32_t access_granted;
165 struct object_tree *root = NULL;
166 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
167 struct security_token *token = acl_user_token(module);
168
169 if (!insert_in_object_tree(tmp_ctx,
170 &objectclass->schemaIDGUID,
171 access_mask, NULL,
172 &root)) {
173 DEBUG(10, ("acl_search: cannot add to object tree class schemaIDGUID\n"));
174 goto fail;
175 }
176
177 status = sec_access_check_ds(sd, token,
178 access_mask,
179 &access_granted,
180 root,
181 rp_sid);
182 if (!NT_STATUS_IS_OK(status)) {
183 ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
184 } else {
185 ret = LDB_SUCCESS;
186 }
187 talloc_free(tmp_ctx);
188 return ret;
189 fail:
190 talloc_free(tmp_ctx);
191 return ldb_operr(ldb_module_get_ctx(module));
192 }
193
194 /* checks for validated writes */
195 int acl_check_extended_right(TALLOC_CTX *mem_ctx,
196 struct security_descriptor *sd,
197 struct security_token *token,
198 const char *ext_right,
199 uint32_t right_type,
200 struct dom_sid *sid)
201 {
202 struct GUID right;
203 NTSTATUS status;
204 uint32_t access_granted;
205 struct object_tree *root = NULL;
206 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
207
208 GUID_from_string(ext_right, &right);
209
210 if (!insert_in_object_tree(tmp_ctx, &right, right_type,
211 NULL, &root)) {
212 DEBUG(10, ("acl_ext_right: cannot add to object tree\n"));
213 talloc_free(tmp_ctx);
214 return LDB_ERR_OPERATIONS_ERROR;
215 }
216 status = sec_access_check_ds(sd, token,
217 right_type,
218 &access_granted,
219 root,
220 sid);
221
222 if (!NT_STATUS_IS_OK(status)) {
223 talloc_free(tmp_ctx);
224 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
225 }
226 talloc_free(tmp_ctx);
227 return LDB_SUCCESS;
228 }
229
230 const char *acl_user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module)
231 {
232 struct ldb_context *ldb = ldb_module_get_ctx(module);
233 struct auth_session_info *session_info
234 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
235 if (!session_info) {
236 return "UNKNOWN (NULL)";
237 }
238
239 return talloc_asprintf(mem_ctx, "%s\\%s",
240 session_info->info->domain_name,
241 session_info->info->account_name);
242 }
243
244 uint32_t dsdb_request_sd_flags(struct ldb_request *req, bool *explicit)
245 {
246 struct ldb_control *sd_control;
247 uint32_t sd_flags = 0;
248
249 if (explicit) {
250 *explicit = false;
251 }
252
253 sd_control = ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID);
254 if (sd_control) {
255 struct ldb_sd_flags_control *sdctr = (struct ldb_sd_flags_control *)sd_control->data;
256
257 sd_flags = sdctr->secinfo_flags;
258
259 if (explicit) {
260 *explicit = true;
261 }
262
263 /* mark it as handled */
264 sd_control->critical = 0;
265 }
266
267 /* we only care for the last 4 bits */
268 sd_flags &= 0x0000000F;
269
270 /*
271 * MS-ADTS 3.1.1.3.4.1.11 says that no bits
272 * equals all 4 bits
273 */
274 if (sd_flags == 0) {
275 sd_flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL | SECINFO_SACL;
276 }
277
278 return sd_flags;
279 }
280
281 int dsdb_module_schedule_sd_propagation(struct ldb_module *module,
282 struct ldb_dn *nc_root,
283 struct ldb_dn *dn,
284 bool include_self)
285 {
286 struct ldb_context *ldb = ldb_module_get_ctx(module);
287 struct dsdb_extended_sec_desc_propagation_op *op;
288 int ret;
289
290 op = talloc_zero(module, struct dsdb_extended_sec_desc_propagation_op);
291 if (op == NULL) {
292 return ldb_oom(ldb);
293 }
294
295 op->nc_root = nc_root;
296 op->dn = dn;
297 op->include_self = include_self;
298
299 ret = dsdb_module_extended(module, op, NULL,
300 DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID,
301 op,
302 DSDB_FLAG_TOP_MODULE |
303 DSDB_FLAG_AS_SYSTEM |
304 DSDB_FLAG_TRUSTED,
305 NULL);
306 TALLOC_FREE(op);
307 return ret;
308 }
reg import