search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:dsdb/acl_read: do search for instanceType AS_SYSTEM and with SHOW_RECYCLED
[Samba/gebeck_regimport.git] / source4 / dsdb / samdb / ldb_modules / acl_read.c
blobbc75d3221bf02c0945b86a2deabd26e7d3acdd41
1 /*
2 ldb database library
3
4 Copyright (C) Simo Sorce 2006-2008
5 Copyright (C) Nadezhda Ivanova 2010
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 /*
22 * Name: ldb
23 *
24 * Component: ldb ACL Read module
25 *
26 * Description: Module that performs authorisation access checks on read requests
27 * Only DACL checks implemented at this point
28 *
29 * Author: Nadezhda Ivanova
30 */
31
32 #include "includes.h"
33 #include "ldb_module.h"
34 #include "auth/auth.h"
35 #include "libcli/security/security.h"
36 #include "dsdb/samdb/samdb.h"
37 #include "librpc/gen_ndr/ndr_security.h"
38 #include "param/param.h"
39 #include "dsdb/samdb/ldb_modules/util.h"
40
41
42 struct aclread_context {
43 struct ldb_module *module;
44 struct ldb_request *req;
45 const char * const *attrs;
46 const struct dsdb_schema *schema;
47 bool sd;
48 bool instance_type;
49 bool object_sid;
50 bool indirsync;
51 };
52
53 struct aclread_private {
54 bool enabled;
55 };
56
57 static void aclread_mark_inaccesslible(struct ldb_message_element *el) {
58 el->flags |= LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE;
59 }
60
61 static bool aclread_is_inaccessible(struct ldb_message_element *el) {
62 return el->flags & LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE;
63 }
64
65 static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
66 {
67 struct ldb_context *ldb;
68 struct aclread_context *ac;
69 struct ldb_message *ret_msg;
70 struct ldb_message *msg;
71 int ret, num_of_attrs = 0;
72 unsigned int i, k = 0;
73 struct security_descriptor *sd;
74 struct dom_sid *sid = NULL;
75 TALLOC_CTX *tmp_ctx;
76 uint32_t instanceType;
77
78 ac = talloc_get_type(req->context, struct aclread_context);
79 ldb = ldb_module_get_ctx(ac->module);
80 if (!ares) {
81 return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR );
82 }
83 if (ares->error != LDB_SUCCESS) {
84 return ldb_module_done(ac->req, ares->controls,
85 ares->response, ares->error);
86 }
87 tmp_ctx = talloc_new(ac);
88 switch (ares->type) {
89 case LDB_REPLY_ENTRY:
90 msg = ares->message;
91 ret = dsdb_get_sd_from_ldb_message(ldb, tmp_ctx, msg, &sd);
92 if (ret != LDB_SUCCESS || sd == NULL ) {
93 DEBUG(10, ("acl_read: cannot get descriptor\n"));
94 ret = LDB_ERR_OPERATIONS_ERROR;
95 goto fail;
96 }
97 sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
98 /* get the object instance type */
99 instanceType = ldb_msg_find_attr_as_uint(msg,
100 "instanceType", 0);
101 if (!ldb_dn_is_null(msg->dn) && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
102 {
103 /* the object has a parent, so we have to check for visibility */
104 struct ldb_dn *parent_dn = ldb_dn_get_parent(tmp_ctx, msg->dn);
105
106 ret = dsdb_module_check_access_on_dn(ac->module,
107 tmp_ctx,
108 parent_dn,
109 SEC_ADS_LIST,
110 NULL, req);
111 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
112 talloc_free(tmp_ctx);
113 return LDB_SUCCESS;
114 } else if (ret != LDB_SUCCESS) {
115 goto fail;
116 }
117 }
118 /* for every element in the message check RP */
119 for (i=0; i < msg->num_elements; i++) {
120 const struct dsdb_attribute *attr;
121 bool is_sd, is_objectsid, is_instancetype;
122 uint32_t access_mask;
123 attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
124 msg->elements[i].name);
125 if (!attr) {
126 DEBUG(2, ("acl_read: cannot find attribute %s in schema\n",
127 msg->elements[i].name));
128 ret = LDB_ERR_OPERATIONS_ERROR;
129 goto fail;
130 }
131 is_sd = ldb_attr_cmp("nTSecurityDescriptor",
132 msg->elements[i].name) == 0;
133 is_objectsid = ldb_attr_cmp("objectSid",
134 msg->elements[i].name) == 0;
135 is_instancetype = ldb_attr_cmp("instanceType",
136 msg->elements[i].name) == 0;
137 /* these attributes were added to perform access checks and must be removed */
138 if (is_objectsid && ac->object_sid) {
139 aclread_mark_inaccesslible(&msg->elements[i]);
140 continue;
141 }
142 if (is_instancetype && ac->instance_type) {
143 aclread_mark_inaccesslible(&msg->elements[i]);
144 continue;
145 }
146 if (is_sd && ac->sd) {
147 aclread_mark_inaccesslible(&msg->elements[i]);
148 continue;
149 }
150 /* nTSecurityDescriptor is a special case */
151 if (is_sd) {
152 access_mask = SEC_FLAG_SYSTEM_SECURITY|SEC_STD_READ_CONTROL;
153 } else {
154 access_mask = SEC_ADS_READ_PROP;
155 }
156
157 if (attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL) {
158 access_mask |= SEC_ADS_CONTROL_ACCESS;
159 }
160
161 ret = acl_check_access_on_attribute(ac->module,
162 tmp_ctx,
163 sd,
164 sid,
165 access_mask,
166 attr);
167
168 /*
169 * Dirsync control needs the replpropertymetadata attribute
170 * so return it as it will be removed by the control
171 * in anycase.
172 */
173 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
174 if (!ac->indirsync) {
175 /*
176 * do not return this entry if attribute is
177 * part of the search filter
178 */
179 if (dsdb_attr_in_parse_tree(ac->req->op.search.tree,
180 msg->elements[i].name)) {
181 talloc_free(tmp_ctx);
182 return LDB_SUCCESS;
183 }
184 aclread_mark_inaccesslible(&msg->elements[i]);
185 } else {
186 /*
187 * We are doing dirysnc answers
188 * and the object shouldn't be returned (normally)
189 * but we will return it without replPropertyMetaData
190 * so that the dirysync module will do what is needed
191 * (remove the object if it is not deleted, or return
192 * just the objectGUID if it's deleted).
193 */
194 if (dsdb_attr_in_parse_tree(ac->req->op.search.tree,
195 msg->elements[i].name)) {
196 ldb_msg_remove_attr(msg, "replPropertyMetaData");
197 break;
198 } else {
199 aclread_mark_inaccesslible(&msg->elements[i]);
200 }
201 }
202 } else if (ret != LDB_SUCCESS) {
203 goto fail;
204 }
205 }
206 for (i=0; i < msg->num_elements; i++) {
207 if (!aclread_is_inaccessible(&msg->elements[i])) {
208 num_of_attrs++;
209 }
210 }
211 /*create a new message to return*/
212 ret_msg = ldb_msg_new(ac->req);
213 ret_msg->dn = msg->dn;
214 talloc_steal(ret_msg, msg->dn);
215 ret_msg->num_elements = num_of_attrs;
216 if (num_of_attrs > 0) {
217 ret_msg->elements = talloc_array(ret_msg,
218 struct ldb_message_element,
219 num_of_attrs);
220 if (ret_msg->elements == NULL) {
221 return ldb_oom(ldb);
222 }
223 for (i=0; i < msg->num_elements; i++) {
224 bool to_remove = aclread_is_inaccessible(&msg->elements[i]);
225 if (!to_remove) {
226 ret_msg->elements[k] = msg->elements[i];
227 talloc_steal(ret_msg->elements, msg->elements[i].name);
228 talloc_steal(ret_msg->elements, msg->elements[i].values);
229 k++;
230 }
231 }
232 } else {
233 ret_msg->elements = NULL;
234 }
235 talloc_free(tmp_ctx);
236
237 return ldb_module_send_entry(ac->req, ret_msg, ares->controls);
238 case LDB_REPLY_REFERRAL:
239 return ldb_module_send_referral(ac->req, ares->referral);
240 case LDB_REPLY_DONE:
241 return ldb_module_done(ac->req, ares->controls,
242 ares->response, LDB_SUCCESS);
243
244 }
245 return LDB_SUCCESS;
246 fail:
247 talloc_free(tmp_ctx);
248 return ldb_module_done(ac->req, NULL, NULL, ret);
249 }
250
251
252 static int aclread_search(struct ldb_module *module, struct ldb_request *req)
253 {
254 struct ldb_context *ldb;
255 int ret;
256 struct aclread_context *ac;
257 struct ldb_request *down_req;
258 struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
259 uint32_t flags = ldb_req_get_custom_flags(req);
260 struct ldb_result *res;
261 struct aclread_private *p;
262 bool is_untrusted = ldb_req_is_untrusted(req);
263 const char * const *attrs = NULL;
264 uint32_t instanceType;
265 static const char *acl_attrs[] = {
266 "instanceType",
267 NULL
268 };
269
270 ldb = ldb_module_get_ctx(module);
271 p = talloc_get_type(ldb_module_get_private(module), struct aclread_private);
272
273 /* skip access checks if we are system or system control is supplied
274 * or this is not LDAP server request */
275 if (!p || !p->enabled ||
276 dsdb_module_am_system(module)
277 || as_system || !is_untrusted) {
278 return ldb_next_request(module, req);
279 }
280 /* no checks on special dn */
281 if (ldb_dn_is_special(req->op.search.base)) {
282 return ldb_next_request(module, req);
283 }
284
285 /* check accessibility of base */
286 if (!ldb_dn_is_null(req->op.search.base)) {
287 ret = dsdb_module_search_dn(module, req, &res, req->op.search.base,
288 acl_attrs,
289 DSDB_FLAG_NEXT_MODULE |
290 DSDB_FLAG_AS_SYSTEM |
291 DSDB_SEARCH_SHOW_RECYCLED,
292 req);
293 if (ret != LDB_SUCCESS) {
294 return ldb_error(ldb, ret,
295 "acl_read: Error retrieving instanceType for base.");
296 }
297 instanceType = ldb_msg_find_attr_as_uint(res->msgs[0],
298 "instanceType", 0);
299 if (instanceType != 0 && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
300 {
301 /* the object has a parent, so we have to check for visibility */
302 struct ldb_dn *parent_dn = ldb_dn_get_parent(req, req->op.search.base);
303 ret = dsdb_module_check_access_on_dn(module,
304 req,
305 parent_dn,
306 SEC_ADS_LIST,
307 NULL, req);
308 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
309 return ldb_module_done(req, NULL, NULL, LDB_ERR_NO_SUCH_OBJECT);
310 } else if (ret != LDB_SUCCESS) {
311 return ldb_module_done(req, NULL, NULL, ret);
312 }
313 }
314 }
315 ac = talloc_zero(req, struct aclread_context);
316 if (ac == NULL) {
317 return ldb_oom(ldb);
318 }
319 ac->module = module;
320 ac->req = req;
321 ac->schema = dsdb_get_schema(ldb, req);
322 if (flags & DSDB_ACL_CHECKS_DIRSYNC_FLAG) {
323 ac->indirsync = true;
324 } else {
325 ac->indirsync = false;
326 }
327 if (!ac->schema) {
328 return ldb_operr(ldb);
329 }
330 /*
331 * In theory we should also check for the SD control but control verification is
332 * expensive so we'd better had the ntsecuritydescriptor to the list of
333 * searched attribute and then remove it !
334 */
335 ac->sd = !(ldb_attr_in_list(req->op.search.attrs, "nTSecurityDescriptor"));
336 if (req->op.search.attrs && !ldb_attr_in_list(req->op.search.attrs, "*")) {
337 if (!ldb_attr_in_list(req->op.search.attrs, "instanceType")) {
338 ac->instance_type = true;
339 attrs = ldb_attr_list_copy_add(ac, req->op.search.attrs, "instanceType");
340 } else {
341 attrs = req->op.search.attrs;
342 }
343 if (!ldb_attr_in_list(req->op.search.attrs, "objectSid")) {
344 ac->object_sid = true;
345 attrs = ldb_attr_list_copy_add(ac, attrs, "objectSid");
346 }
347 }
348
349 if (ac->sd) {
350 /* avoid replacing all attributes with nTSecurityDescriptor
351 * if attribute list is empty */
352 if (!attrs) {
353 attrs = ldb_attr_list_copy_add(ac, req->op.search.attrs, "*");
354 }
355 attrs = ldb_attr_list_copy_add(ac, attrs, "nTSecurityDescriptor");
356 }
357 ac->attrs = req->op.search.attrs;
358 ret = ldb_build_search_req_ex(&down_req,
359 ldb, ac,
360 req->op.search.base,
361 req->op.search.scope,
362 req->op.search.tree,
363 attrs,
364 req->controls,
365 ac, aclread_callback,
366 req);
367
368 if (ret != LDB_SUCCESS) {
369 return LDB_ERR_OPERATIONS_ERROR;
370 }
371
372 return ldb_next_request(module, down_req);
373 }
374
375 static int aclread_init(struct ldb_module *module)
376 {
377 struct ldb_context *ldb = ldb_module_get_ctx(module);
378 struct aclread_private *p = talloc_zero(module, struct aclread_private);
379 if (p == NULL) {
380 return ldb_module_oom(module);
381 }
382 p->enabled = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"), NULL, "acl", "search", false);
383 ldb_module_set_private(module, p);
384 return ldb_next_init(module);
385 }
386
387 static const struct ldb_module_ops ldb_aclread_module_ops = {
388 .name = "aclread",
389 .search = aclread_search,
390 .init_context = aclread_init
391 };
392
393 int ldb_aclread_module_init(const char *version)
394 {
395 LDB_MODULE_CHECK_VERSION(version);
396 return ldb_register_module(&ldb_aclread_module_ops);
397 }
reg import