4 Copyright (C) Simo Sorce 2006-2008
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2007
6 Copyright (C) Nadezhda Ivanova 2009
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 * Component: DS Security descriptor module
28 * - Calculate the security descriptor of a newly created object
29 * - Perform sd recalculation on a move operation
30 * - Handle sd modification invariants
32 * Author: Nadezhda Ivanova
36 #include <ldb_module.h>
37 #include "util/dlinklist.h"
38 #include "dsdb/samdb/samdb.h"
39 #include "librpc/ndr/libndr.h"
40 #include "librpc/gen_ndr/ndr_security.h"
41 #include "libcli/security/security.h"
42 #include "auth/auth.h"
43 #include "param/param.h"
44 #include "dsdb/samdb/ldb_modules/util.h"
45 #include "lib/util/binsearch.h"
47 struct descriptor_changes
{
48 struct descriptor_changes
*prev
, *next
;
49 struct descriptor_changes
*children
;
50 struct ldb_dn
*nc_root
;
54 struct ldb_dn
*stopped_dn
;
57 struct descriptor_data
{
58 TALLOC_CTX
*trans_mem
;
59 struct descriptor_changes
*changes
;
62 struct descriptor_context
{
63 struct ldb_module
*module
;
64 struct ldb_request
*req
;
65 struct ldb_message
*msg
;
66 struct ldb_reply
*search_res
;
67 struct ldb_reply
*search_oc_res
;
68 struct ldb_val
*parentsd_val
;
69 struct ldb_message_element
*sd_element
;
70 struct ldb_val
*sd_val
;
72 int (*step_fn
)(struct descriptor_context
*);
75 static struct dom_sid
*get_default_ag(TALLOC_CTX
*mem_ctx
,
77 struct security_token
*token
,
78 struct ldb_context
*ldb
)
80 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
81 const struct dom_sid
*domain_sid
= samdb_domain_sid(ldb
);
82 struct dom_sid
*da_sid
= dom_sid_add_rid(tmp_ctx
, domain_sid
, DOMAIN_RID_ADMINS
);
83 struct dom_sid
*ea_sid
= dom_sid_add_rid(tmp_ctx
, domain_sid
, DOMAIN_RID_ENTERPRISE_ADMINS
);
84 struct dom_sid
*sa_sid
= dom_sid_add_rid(tmp_ctx
, domain_sid
, DOMAIN_RID_SCHEMA_ADMINS
);
85 struct dom_sid
*dag_sid
;
86 struct ldb_dn
*nc_root
;
89 ret
= dsdb_find_nc_root(ldb
, tmp_ctx
, dn
, &nc_root
);
90 if (ret
!= LDB_SUCCESS
) {
95 if (ldb_dn_compare(nc_root
, ldb_get_schema_basedn(ldb
)) == 0) {
96 if (security_token_has_sid(token
, sa_sid
)) {
97 dag_sid
= dom_sid_dup(mem_ctx
, sa_sid
);
98 } else if (security_token_has_sid(token
, ea_sid
)) {
99 dag_sid
= dom_sid_dup(mem_ctx
, ea_sid
);
100 } else if (security_token_has_sid(token
, da_sid
)) {
101 dag_sid
= dom_sid_dup(mem_ctx
, da_sid
);
102 } else if (security_token_is_system(token
)) {
103 dag_sid
= dom_sid_dup(mem_ctx
, sa_sid
);
107 } else if (ldb_dn_compare(nc_root
, ldb_get_config_basedn(ldb
)) == 0) {
108 if (security_token_has_sid(token
, ea_sid
)) {
109 dag_sid
= dom_sid_dup(mem_ctx
, ea_sid
);
110 } else if (security_token_has_sid(token
, da_sid
)) {
111 dag_sid
= dom_sid_dup(mem_ctx
, da_sid
);
112 } else if (security_token_is_system(token
)) {
113 dag_sid
= dom_sid_dup(mem_ctx
, ea_sid
);
117 } else if (ldb_dn_compare(nc_root
, ldb_get_default_basedn(ldb
)) == 0) {
118 if (security_token_has_sid(token
, da_sid
)) {
119 dag_sid
= dom_sid_dup(mem_ctx
, da_sid
);
120 } else if (security_token_has_sid(token
, ea_sid
)) {
121 dag_sid
= dom_sid_dup(mem_ctx
, ea_sid
);
122 } else if (security_token_is_system(token
)) {
123 dag_sid
= dom_sid_dup(mem_ctx
, da_sid
);
131 talloc_free(tmp_ctx
);
135 static struct security_descriptor
*get_sd_unpacked(struct ldb_module
*module
, TALLOC_CTX
*mem_ctx
,
136 const struct dsdb_class
*objectclass
)
138 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
139 struct security_descriptor
*sd
;
140 const struct dom_sid
*domain_sid
= samdb_domain_sid(ldb
);
142 if (!objectclass
->defaultSecurityDescriptor
|| !domain_sid
) {
146 sd
= sddl_decode(mem_ctx
,
147 objectclass
->defaultSecurityDescriptor
,
152 static struct dom_sid
*get_default_group(TALLOC_CTX
*mem_ctx
,
153 struct ldb_context
*ldb
,
157 * This depends on the function level of the DC
158 * which is 2008R2 in our case. Which means it is
159 * higher than 2003 and we should use the
160 * "default administrator group" also as owning group.
162 * This matches dcpromo for a 2003 domain
163 * on a Windows 2008R2 DC.
168 static struct security_descriptor
*descr_handle_sd_flags(TALLOC_CTX
*mem_ctx
,
169 struct security_descriptor
*new_sd
,
170 struct security_descriptor
*old_sd
,
173 struct security_descriptor
*final_sd
;
174 /* if there is no control or control == 0 modify everything */
179 final_sd
= talloc_zero(mem_ctx
, struct security_descriptor
);
180 final_sd
->revision
= SECURITY_DESCRIPTOR_REVISION_1
;
181 final_sd
->type
= SEC_DESC_SELF_RELATIVE
;
183 if (sd_flags
& (SECINFO_OWNER
)) {
184 final_sd
->owner_sid
= talloc_memdup(mem_ctx
, new_sd
->owner_sid
, sizeof(struct dom_sid
));
185 final_sd
->type
|= new_sd
->type
& SEC_DESC_OWNER_DEFAULTED
;
188 final_sd
->owner_sid
= talloc_memdup(mem_ctx
, old_sd
->owner_sid
, sizeof(struct dom_sid
));
189 final_sd
->type
|= old_sd
->type
& SEC_DESC_OWNER_DEFAULTED
;
192 if (sd_flags
& (SECINFO_GROUP
)) {
193 final_sd
->group_sid
= talloc_memdup(mem_ctx
, new_sd
->group_sid
, sizeof(struct dom_sid
));
194 final_sd
->type
|= new_sd
->type
& SEC_DESC_GROUP_DEFAULTED
;
197 final_sd
->group_sid
= talloc_memdup(mem_ctx
, old_sd
->group_sid
, sizeof(struct dom_sid
));
198 final_sd
->type
|= old_sd
->type
& SEC_DESC_GROUP_DEFAULTED
;
201 if (sd_flags
& (SECINFO_SACL
)) {
202 final_sd
->sacl
= security_acl_dup(mem_ctx
,new_sd
->sacl
);
203 final_sd
->type
|= new_sd
->type
& (SEC_DESC_SACL_PRESENT
|
204 SEC_DESC_SACL_DEFAULTED
|SEC_DESC_SACL_AUTO_INHERIT_REQ
|
205 SEC_DESC_SACL_AUTO_INHERITED
|SEC_DESC_SACL_PROTECTED
|
206 SEC_DESC_SERVER_SECURITY
);
208 else if (old_sd
&& old_sd
->sacl
) {
209 final_sd
->sacl
= security_acl_dup(mem_ctx
,old_sd
->sacl
);
210 final_sd
->type
|= old_sd
->type
& (SEC_DESC_SACL_PRESENT
|
211 SEC_DESC_SACL_DEFAULTED
|SEC_DESC_SACL_AUTO_INHERIT_REQ
|
212 SEC_DESC_SACL_AUTO_INHERITED
|SEC_DESC_SACL_PROTECTED
|
213 SEC_DESC_SERVER_SECURITY
);
216 if (sd_flags
& (SECINFO_DACL
)) {
217 final_sd
->dacl
= security_acl_dup(mem_ctx
,new_sd
->dacl
);
218 final_sd
->type
|= new_sd
->type
& (SEC_DESC_DACL_PRESENT
|
219 SEC_DESC_DACL_DEFAULTED
|SEC_DESC_DACL_AUTO_INHERIT_REQ
|
220 SEC_DESC_DACL_AUTO_INHERITED
|SEC_DESC_DACL_PROTECTED
|
221 SEC_DESC_DACL_TRUSTED
);
223 else if (old_sd
&& old_sd
->dacl
) {
224 final_sd
->dacl
= security_acl_dup(mem_ctx
,old_sd
->dacl
);
225 final_sd
->type
|= old_sd
->type
& (SEC_DESC_DACL_PRESENT
|
226 SEC_DESC_DACL_DEFAULTED
|SEC_DESC_DACL_AUTO_INHERIT_REQ
|
227 SEC_DESC_DACL_AUTO_INHERITED
|SEC_DESC_DACL_PROTECTED
|
228 SEC_DESC_DACL_TRUSTED
);
230 /* not so sure about this */
231 final_sd
->type
|= new_sd
->type
& SEC_DESC_RM_CONTROL_VALID
;
235 static DATA_BLOB
*get_new_descriptor(struct ldb_module
*module
,
238 const struct dsdb_class
*objectclass
,
239 const struct ldb_val
*parent
,
240 const struct ldb_val
*object
,
241 const struct ldb_val
*old_sd
,
244 struct security_descriptor
*user_descriptor
= NULL
, *parent_descriptor
= NULL
;
245 struct security_descriptor
*old_descriptor
= NULL
;
246 struct security_descriptor
*new_sd
, *final_sd
;
247 DATA_BLOB
*linear_sd
;
248 enum ndr_err_code ndr_err
;
249 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
250 struct auth_session_info
*session_info
251 = ldb_get_opaque(ldb
, "sessionInfo");
252 const struct dom_sid
*domain_sid
= samdb_domain_sid(ldb
);
254 struct dom_sid
*default_owner
;
255 struct dom_sid
*default_group
;
256 struct security_descriptor
*default_descriptor
= NULL
;
257 struct GUID
*object_list
= NULL
;
259 if (objectclass
!= NULL
) {
260 default_descriptor
= get_sd_unpacked(module
, mem_ctx
, objectclass
);
261 object_list
= talloc_zero_array(mem_ctx
, struct GUID
, 2);
262 if (object_list
== NULL
) {
265 object_list
[0] = objectclass
->schemaIDGUID
;
269 user_descriptor
= talloc(mem_ctx
, struct security_descriptor
);
270 if (!user_descriptor
) {
273 ndr_err
= ndr_pull_struct_blob(object
, user_descriptor
,
275 (ndr_pull_flags_fn_t
)ndr_pull_security_descriptor
);
277 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
278 talloc_free(user_descriptor
);
282 user_descriptor
= default_descriptor
;
286 old_descriptor
= talloc(mem_ctx
, struct security_descriptor
);
287 if (!old_descriptor
) {
290 ndr_err
= ndr_pull_struct_blob(old_sd
, old_descriptor
,
292 (ndr_pull_flags_fn_t
)ndr_pull_security_descriptor
);
294 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
295 talloc_free(old_descriptor
);
301 parent_descriptor
= talloc(mem_ctx
, struct security_descriptor
);
302 if (!parent_descriptor
) {
305 ndr_err
= ndr_pull_struct_blob(parent
, parent_descriptor
,
307 (ndr_pull_flags_fn_t
)ndr_pull_security_descriptor
);
309 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
310 talloc_free(parent_descriptor
);
315 if (user_descriptor
&& default_descriptor
&&
316 (user_descriptor
->dacl
== NULL
))
318 user_descriptor
->dacl
= default_descriptor
->dacl
;
319 user_descriptor
->type
|= default_descriptor
->type
& (
320 SEC_DESC_DACL_PRESENT
|
321 SEC_DESC_DACL_DEFAULTED
|SEC_DESC_DACL_AUTO_INHERIT_REQ
|
322 SEC_DESC_DACL_AUTO_INHERITED
|SEC_DESC_DACL_PROTECTED
|
323 SEC_DESC_DACL_TRUSTED
);
326 if (user_descriptor
&& default_descriptor
&&
327 (user_descriptor
->sacl
== NULL
))
329 user_descriptor
->sacl
= default_descriptor
->sacl
;
330 user_descriptor
->type
|= default_descriptor
->type
& (
331 SEC_DESC_SACL_PRESENT
|
332 SEC_DESC_SACL_DEFAULTED
|SEC_DESC_SACL_AUTO_INHERIT_REQ
|
333 SEC_DESC_SACL_AUTO_INHERITED
|SEC_DESC_SACL_PROTECTED
|
334 SEC_DESC_SERVER_SECURITY
);
338 if (!(sd_flags
& SECINFO_OWNER
) && user_descriptor
) {
339 user_descriptor
->owner_sid
= NULL
;
342 * We need the correct owner sid
343 * when calculating the DACL or SACL
345 if (old_descriptor
) {
346 user_descriptor
->owner_sid
= old_descriptor
->owner_sid
;
349 if (!(sd_flags
& SECINFO_GROUP
) && user_descriptor
) {
350 user_descriptor
->group_sid
= NULL
;
353 * We need the correct group sid
354 * when calculating the DACL or SACL
356 if (old_descriptor
) {
357 user_descriptor
->group_sid
= old_descriptor
->group_sid
;
360 if (!(sd_flags
& SECINFO_DACL
) && user_descriptor
) {
361 user_descriptor
->dacl
= NULL
;
364 * We add SEC_DESC_DACL_PROTECTED so that
365 * create_security_descriptor() skips
366 * the unused inheritance calculation
368 user_descriptor
->type
|= SEC_DESC_DACL_PROTECTED
;
370 if (!(sd_flags
& SECINFO_SACL
) && user_descriptor
) {
371 user_descriptor
->sacl
= NULL
;
374 * We add SEC_DESC_SACL_PROTECTED so that
375 * create_security_descriptor() skips
376 * the unused inheritance calculation
378 user_descriptor
->type
|= SEC_DESC_SACL_PROTECTED
;
381 default_owner
= get_default_ag(mem_ctx
, dn
,
382 session_info
->security_token
, ldb
);
383 default_group
= get_default_group(mem_ctx
, ldb
, default_owner
);
384 new_sd
= create_security_descriptor(mem_ctx
,
389 SEC_DACL_AUTO_INHERIT
|
390 SEC_SACL_AUTO_INHERIT
,
391 session_info
->security_token
,
392 default_owner
, default_group
,
393 map_generic_rights_ds
);
397 final_sd
= descr_handle_sd_flags(mem_ctx
, new_sd
, old_descriptor
, sd_flags
);
403 if (final_sd
->dacl
) {
404 final_sd
->dacl
->revision
= SECURITY_ACL_REVISION_ADS
;
406 if (final_sd
->sacl
) {
407 final_sd
->sacl
->revision
= SECURITY_ACL_REVISION_ADS
;
410 sddl_sd
= sddl_encode(mem_ctx
, final_sd
, domain_sid
);
411 DEBUG(10, ("Object %s created with desriptor %s\n\n", ldb_dn_get_linearized(dn
), sddl_sd
));
413 linear_sd
= talloc(mem_ctx
, DATA_BLOB
);
418 ndr_err
= ndr_push_struct_blob(linear_sd
, mem_ctx
,
420 (ndr_push_flags_fn_t
)ndr_push_security_descriptor
);
421 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
428 static DATA_BLOB
*descr_get_descriptor_to_show(struct ldb_module
*module
,
433 struct security_descriptor
*old_sd
, *final_sd
;
434 DATA_BLOB
*linear_sd
;
435 enum ndr_err_code ndr_err
;
437 old_sd
= talloc(mem_ctx
, struct security_descriptor
);
441 ndr_err
= ndr_pull_struct_blob(sd
, old_sd
,
443 (ndr_pull_flags_fn_t
)ndr_pull_security_descriptor
);
445 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
450 final_sd
= descr_handle_sd_flags(mem_ctx
, old_sd
, NULL
, sd_flags
);
456 linear_sd
= talloc(mem_ctx
, DATA_BLOB
);
461 ndr_err
= ndr_push_struct_blob(linear_sd
, mem_ctx
,
463 (ndr_push_flags_fn_t
)ndr_push_security_descriptor
);
464 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
471 static struct descriptor_context
*descriptor_init_context(struct ldb_module
*module
,
472 struct ldb_request
*req
)
474 struct ldb_context
*ldb
;
475 struct descriptor_context
*ac
;
477 ldb
= ldb_module_get_ctx(module
);
479 ac
= talloc_zero(req
, struct descriptor_context
);
481 ldb_set_errstring(ldb
, "Out of Memory");
490 static int descriptor_search_callback(struct ldb_request
*req
, struct ldb_reply
*ares
)
492 struct descriptor_context
*ac
;
493 struct ldb_val
*sd_val
= NULL
;
494 struct ldb_message_element
*sd_el
;
498 ac
= talloc_get_type(req
->context
, struct descriptor_context
);
501 ret
= LDB_ERR_OPERATIONS_ERROR
;
504 if (ares
->error
!= LDB_SUCCESS
) {
505 return ldb_module_done(ac
->req
, ares
->controls
,
506 ares
->response
, ares
->error
);
509 switch (ares
->type
) {
510 case LDB_REPLY_ENTRY
:
511 sd_el
= ldb_msg_find_element(ares
->message
, "nTSecurityDescriptor");
513 sd_val
= sd_el
->values
;
517 show_sd
= descr_get_descriptor_to_show(ac
->module
, ac
->req
,
518 sd_val
, ac
->sd_flags
);
520 ret
= LDB_ERR_OPERATIONS_ERROR
;
523 ldb_msg_remove_attr(ares
->message
, "nTSecurityDescriptor");
524 ret
= ldb_msg_add_steal_value(ares
->message
, "nTSecurityDescriptor", show_sd
);
525 if (ret
!= LDB_SUCCESS
) {
529 return ldb_module_send_entry(ac
->req
, ares
->message
, ares
->controls
);
531 case LDB_REPLY_REFERRAL
:
532 return ldb_module_send_referral(ac
->req
, ares
->referral
);
535 return ldb_module_done(ac
->req
, ares
->controls
,
536 ares
->response
, ares
->error
);
541 return ldb_module_done(ac
->req
, NULL
, NULL
, ret
);
544 static int descriptor_add(struct ldb_module
*module
, struct ldb_request
*req
)
546 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
547 struct ldb_request
*add_req
;
548 struct ldb_message
*msg
;
549 struct ldb_result
*parent_res
;
550 const struct ldb_val
*parent_sd
= NULL
;
551 const struct ldb_val
*user_sd
;
552 struct ldb_dn
*dn
= req
->op
.add
.message
->dn
;
553 struct ldb_dn
*parent_dn
, *nc_root
;
554 struct ldb_message_element
*objectclass_element
, *sd_element
;
556 const struct dsdb_schema
*schema
;
558 const struct dsdb_class
*objectclass
;
559 static const char * const parent_attrs
[] = { "nTSecurityDescriptor", NULL
};
560 uint32_t instanceType
;
562 uint32_t sd_flags
= dsdb_request_sd_flags(req
, NULL
);
564 /* do not manipulate our control entries */
565 if (ldb_dn_is_special(dn
)) {
566 return ldb_next_request(module
, req
);
569 user_sd
= ldb_msg_find_ldb_val(req
->op
.add
.message
, "nTSecurityDescriptor");
570 sd_element
= ldb_msg_find_element(req
->op
.add
.message
, "nTSecurityDescriptor");
571 /* nTSecurityDescriptor without a value is an error, letting through so it is handled */
572 if (user_sd
== NULL
&& sd_element
) {
573 return ldb_next_request(module
, req
);
576 ldb_debug(ldb
, LDB_DEBUG_TRACE
,"descriptor_add: %s\n", ldb_dn_get_linearized(dn
));
578 instanceType
= ldb_msg_find_attr_as_uint(req
->op
.add
.message
, "instanceType", 0);
580 if (instanceType
& INSTANCE_TYPE_IS_NC_HEAD
) {
585 ret
= dsdb_find_nc_root(ldb
, req
, dn
, &nc_root
);
586 if (ret
!= LDB_SUCCESS
) {
587 ldb_debug(ldb
, LDB_DEBUG_TRACE
,"descriptor_add: Could not find NC root for %s\n",
588 ldb_dn_get_linearized(dn
));
592 if (ldb_dn_compare(dn
, nc_root
) == 0) {
593 DEBUG(0, ("Found DN %s being a NC by the old method\n", ldb_dn_get_linearized(dn
)));
599 DEBUG(2, ("DN: %s is a NC\n", ldb_dn_get_linearized(dn
)));
602 /* if the object has a parent, retrieve its SD to
603 * use for calculation. Unfortunately we do not yet have
604 * instanceType, so we use dsdb_find_nc_root. */
606 parent_dn
= ldb_dn_get_parent(req
, dn
);
607 if (parent_dn
== NULL
) {
611 /* we aren't any NC */
612 ret
= dsdb_module_search_dn(module
, req
, &parent_res
, parent_dn
,
614 DSDB_FLAG_NEXT_MODULE
|
615 DSDB_FLAG_AS_SYSTEM
|
616 DSDB_SEARCH_SHOW_RECYCLED
,
618 if (ret
!= LDB_SUCCESS
) {
619 ldb_debug(ldb
, LDB_DEBUG_TRACE
,"descriptor_add: Could not find SD for %s\n",
620 ldb_dn_get_linearized(parent_dn
));
623 if (parent_res
->count
!= 1) {
624 return ldb_operr(ldb
);
626 parent_sd
= ldb_msg_find_ldb_val(parent_res
->msgs
[0], "nTSecurityDescriptor");
629 schema
= dsdb_get_schema(ldb
, req
);
631 objectclass_element
= ldb_msg_find_element(req
->op
.add
.message
, "objectClass");
632 if (objectclass_element
== NULL
) {
633 return ldb_operr(ldb
);
636 objectclass
= dsdb_get_last_structural_class(schema
,
637 objectclass_element
);
638 if (objectclass
== NULL
) {
639 return ldb_operr(ldb
);
643 * The SD_FLAG control is ignored on add
644 * and we default to all bits set.
648 sd
= get_new_descriptor(module
, dn
, req
,
649 objectclass
, parent_sd
,
650 user_sd
, NULL
, sd_flags
);
652 return ldb_operr(ldb
);
654 msg
= ldb_msg_copy_shallow(req
, req
->op
.add
.message
);
658 if (sd_element
!= NULL
) {
659 sd_element
->values
[0] = *sd
;
661 ret
= ldb_msg_add_steal_value(msg
,
662 "nTSecurityDescriptor",
664 if (ret
!= LDB_SUCCESS
) {
669 ret
= ldb_build_add_req(&add_req
, ldb
, req
,
672 req
, dsdb_next_callback
,
674 LDB_REQ_SET_LOCATION(add_req
);
675 if (ret
!= LDB_SUCCESS
) {
676 return ldb_error(ldb
, ret
,
677 "descriptor_add: Error creating new add request.");
680 return ldb_next_request(module
, add_req
);
683 static int descriptor_modify(struct ldb_module
*module
, struct ldb_request
*req
)
685 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
686 struct ldb_request
*mod_req
;
687 struct ldb_message
*msg
;
688 struct ldb_result
*current_res
, *parent_res
;
689 const struct ldb_val
*old_sd
= NULL
;
690 const struct ldb_val
*parent_sd
= NULL
;
691 const struct ldb_val
*user_sd
;
692 struct ldb_dn
*dn
= req
->op
.mod
.message
->dn
;
693 struct ldb_dn
*parent_dn
;
694 struct ldb_message_element
*objectclass_element
, *sd_element
;
696 uint32_t instanceType
;
697 bool explicit_sd_flags
= false;
698 uint32_t sd_flags
= dsdb_request_sd_flags(req
, &explicit_sd_flags
);
699 const struct dsdb_schema
*schema
;
701 const struct dsdb_class
*objectclass
;
702 static const char * const parent_attrs
[] = { "nTSecurityDescriptor", NULL
};
703 static const char * const current_attrs
[] = { "nTSecurityDescriptor",
705 "objectClass", NULL
};
706 struct ldb_control
*sd_propagation_control
;
709 /* do not manipulate our control entries */
710 if (ldb_dn_is_special(dn
)) {
711 return ldb_next_request(module
, req
);
714 sd_propagation_control
= ldb_request_get_control(req
,
715 DSDB_CONTROL_SEC_DESC_PROPAGATION_OID
);
716 if (sd_propagation_control
!= NULL
) {
717 if (sd_propagation_control
->data
!= module
) {
718 return ldb_operr(ldb
);
720 if (req
->op
.mod
.message
->num_elements
!= 0) {
721 return ldb_operr(ldb
);
723 if (explicit_sd_flags
) {
724 return ldb_operr(ldb
);
726 if (sd_flags
!= 0xF) {
727 return ldb_operr(ldb
);
729 if (sd_propagation_control
->critical
== 0) {
730 return ldb_operr(ldb
);
733 sd_propagation_control
->critical
= 0;
736 sd_element
= ldb_msg_find_element(req
->op
.mod
.message
, "nTSecurityDescriptor");
737 if (sd_propagation_control
== NULL
&& sd_element
== NULL
) {
738 return ldb_next_request(module
, req
);
742 * nTSecurityDescriptor with DELETE is not supported yet.
743 * TODO: handle this correctly.
745 if (sd_propagation_control
== NULL
&&
746 LDB_FLAG_MOD_TYPE(sd_element
->flags
) == LDB_FLAG_MOD_DELETE
)
748 return ldb_module_error(module
,
749 LDB_ERR_UNWILLING_TO_PERFORM
,
750 "MOD_DELETE for nTSecurityDescriptor "
751 "not supported yet");
754 user_sd
= ldb_msg_find_ldb_val(req
->op
.mod
.message
, "nTSecurityDescriptor");
755 /* nTSecurityDescriptor without a value is an error, letting through so it is handled */
756 if (sd_propagation_control
== NULL
&& user_sd
== NULL
) {
757 return ldb_next_request(module
, req
);
760 ldb_debug(ldb
, LDB_DEBUG_TRACE
,"descriptor_modify: %s\n", ldb_dn_get_linearized(dn
));
762 ret
= dsdb_module_search_dn(module
, req
, ¤t_res
, dn
,
764 DSDB_FLAG_NEXT_MODULE
|
765 DSDB_FLAG_AS_SYSTEM
|
766 DSDB_SEARCH_SHOW_RECYCLED
,
768 if (ret
!= LDB_SUCCESS
) {
769 ldb_debug(ldb
, LDB_DEBUG_ERROR
,"descriptor_modify: Could not find %s\n",
770 ldb_dn_get_linearized(dn
));
774 instanceType
= ldb_msg_find_attr_as_uint(current_res
->msgs
[0],
776 /* if the object has a parent, retrieve its SD to
777 * use for calculation */
778 if (!ldb_dn_is_null(current_res
->msgs
[0]->dn
) &&
779 !(instanceType
& INSTANCE_TYPE_IS_NC_HEAD
)) {
780 parent_dn
= ldb_dn_get_parent(req
, dn
);
781 if (parent_dn
== NULL
) {
784 ret
= dsdb_module_search_dn(module
, req
, &parent_res
, parent_dn
,
786 DSDB_FLAG_NEXT_MODULE
|
787 DSDB_FLAG_AS_SYSTEM
|
788 DSDB_SEARCH_SHOW_RECYCLED
,
790 if (ret
!= LDB_SUCCESS
) {
791 ldb_debug(ldb
, LDB_DEBUG_ERROR
, "descriptor_modify: Could not find SD for %s\n",
792 ldb_dn_get_linearized(parent_dn
));
795 if (parent_res
->count
!= 1) {
796 return ldb_operr(ldb
);
798 parent_sd
= ldb_msg_find_ldb_val(parent_res
->msgs
[0], "nTSecurityDescriptor");
801 schema
= dsdb_get_schema(ldb
, req
);
803 objectclass_element
= ldb_msg_find_element(current_res
->msgs
[0], "objectClass");
804 if (objectclass_element
== NULL
) {
805 return ldb_operr(ldb
);
808 objectclass
= dsdb_get_last_structural_class(schema
,
809 objectclass_element
);
810 if (objectclass
== NULL
) {
811 return ldb_operr(ldb
);
814 old_sd
= ldb_msg_find_ldb_val(current_res
->msgs
[0], "nTSecurityDescriptor");
815 if (old_sd
== NULL
) {
816 return ldb_operr(ldb
);
819 if (sd_propagation_control
!= NULL
) {
821 * This just triggers a recalculation of the
827 sd
= get_new_descriptor(module
, dn
, req
,
828 objectclass
, parent_sd
,
829 user_sd
, old_sd
, sd_flags
);
831 return ldb_operr(ldb
);
833 msg
= ldb_msg_copy_shallow(req
, req
->op
.mod
.message
);
837 cmp_ret
= data_blob_cmp(old_sd
, sd
);
838 if (sd_propagation_control
!= NULL
) {
841 * The nTSecurityDescriptor is unchanged,
842 * which means we can stop the processing.
844 * We mark the control as critical again,
845 * as we have not processed it, so the caller
846 * can tell that the descriptor was unchanged.
848 sd_propagation_control
->critical
= 1;
849 return ldb_module_done(req
, NULL
, NULL
, LDB_SUCCESS
);
852 ret
= ldb_msg_add_empty(msg
, "nTSecurityDescriptor",
853 LDB_FLAG_MOD_REPLACE
,
855 if (ret
!= LDB_SUCCESS
) {
858 ret
= ldb_msg_add_value(msg
, "nTSecurityDescriptor",
860 if (ret
!= LDB_SUCCESS
) {
863 } else if (cmp_ret
!= 0) {
864 struct ldb_dn
*nc_root
;
866 ret
= dsdb_find_nc_root(ldb
, msg
, dn
, &nc_root
);
867 if (ret
!= LDB_SUCCESS
) {
871 ret
= dsdb_module_schedule_sd_propagation(module
, nc_root
,
873 if (ret
!= LDB_SUCCESS
) {
874 return ldb_operr(ldb
);
876 sd_element
->values
[0] = *sd
;
878 sd_element
->values
[0] = *sd
;
881 ret
= ldb_build_mod_req(&mod_req
, ldb
, req
,
887 LDB_REQ_SET_LOCATION(mod_req
);
888 if (ret
!= LDB_SUCCESS
) {
892 return ldb_next_request(module
, mod_req
);
895 static int descriptor_search(struct ldb_module
*module
, struct ldb_request
*req
)
898 struct ldb_context
*ldb
;
899 struct ldb_request
*down_req
;
900 struct descriptor_context
*ac
;
901 bool explicit_sd_flags
= false;
902 uint32_t sd_flags
= dsdb_request_sd_flags(req
, &explicit_sd_flags
);
903 bool show_sd
= explicit_sd_flags
;
906 ldb_attr_in_list(req
->op
.search
.attrs
, "nTSecurityDescriptor"))
912 return ldb_next_request(module
, req
);
915 ldb
= ldb_module_get_ctx(module
);
916 ac
= descriptor_init_context(module
, req
);
918 return ldb_operr(ldb
);
920 ac
->sd_flags
= sd_flags
;
922 ret
= ldb_build_search_req_ex(&down_req
, ldb
, ac
,
924 req
->op
.search
.scope
,
926 req
->op
.search
.attrs
,
928 ac
, descriptor_search_callback
,
930 LDB_REQ_SET_LOCATION(down_req
);
931 if (ret
!= LDB_SUCCESS
) {
935 return ldb_next_request(ac
->module
, down_req
);
938 static int descriptor_rename(struct ldb_module
*module
, struct ldb_request
*req
)
940 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
941 struct ldb_dn
*olddn
= req
->op
.rename
.olddn
;
942 struct ldb_dn
*newdn
= req
->op
.rename
.newdn
;
945 /* do not manipulate our control entries */
946 if (ldb_dn_is_special(req
->op
.rename
.olddn
)) {
947 return ldb_next_request(module
, req
);
950 ldb_debug(ldb
, LDB_DEBUG_TRACE
,"descriptor_rename: %s\n",
951 ldb_dn_get_linearized(olddn
));
953 if (ldb_dn_compare(olddn
, newdn
) != 0) {
954 struct ldb_dn
*nc_root
;
956 ret
= dsdb_find_nc_root(ldb
, req
, newdn
, &nc_root
);
957 if (ret
!= LDB_SUCCESS
) {
961 ret
= dsdb_module_schedule_sd_propagation(module
, nc_root
,
963 if (ret
!= LDB_SUCCESS
) {
964 return ldb_operr(ldb
);
968 return ldb_next_request(module
, req
);
971 static int descriptor_extended_sec_desc_propagation(struct ldb_module
*module
,
972 struct ldb_request
*req
)
974 struct descriptor_data
*descriptor_private
=
975 talloc_get_type_abort(ldb_module_get_private(module
),
976 struct descriptor_data
);
977 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
978 struct dsdb_extended_sec_desc_propagation_op
*op
;
979 TALLOC_CTX
*parent_mem
= NULL
;
980 struct descriptor_changes
*parent_change
= NULL
;
981 struct descriptor_changes
*c
;
984 op
= talloc_get_type(req
->op
.extended
.data
,
985 struct dsdb_extended_sec_desc_propagation_op
);
987 ldb_debug(ldb
, LDB_DEBUG_FATAL
,
988 "descriptor_extended_sec_desc_propagation: "
989 "invalid extended data\n");
990 return LDB_ERR_PROTOCOL_ERROR
;
993 if (descriptor_private
->trans_mem
== NULL
) {
994 return ldb_module_operr(module
);
997 parent_mem
= descriptor_private
->trans_mem
;
999 for (c
= descriptor_private
->changes
; c
; c
= c
->next
) {
1000 ret
= ldb_dn_compare(c
->nc_root
, op
->nc_root
);
1005 ret
= ldb_dn_compare(c
->dn
, op
->dn
);
1007 if (op
->include_self
) {
1008 c
->force_self
= true;
1010 c
->force_children
= true;
1012 return ldb_module_done(req
, NULL
, NULL
, LDB_SUCCESS
);
1015 ret
= ldb_dn_compare_base(c
->dn
, op
->dn
);
1025 c
= talloc_zero(parent_mem
, struct descriptor_changes
);
1027 return ldb_module_oom(module
);
1029 c
->nc_root
= ldb_dn_copy(c
, op
->nc_root
);
1030 if (c
->nc_root
== NULL
) {
1031 return ldb_module_oom(module
);
1033 c
->dn
= ldb_dn_copy(c
, op
->dn
);
1034 if (c
->dn
== NULL
) {
1035 return ldb_module_oom(module
);
1037 if (op
->include_self
) {
1038 c
->force_self
= true;
1040 c
->force_children
= true;
1043 if (parent_change
!= NULL
) {
1044 DLIST_ADD_END(parent_change
->children
, c
, NULL
);
1046 DLIST_ADD_END(descriptor_private
->changes
, c
, NULL
);
1049 return ldb_module_done(req
, NULL
, NULL
, LDB_SUCCESS
);
1052 static int descriptor_extended(struct ldb_module
*module
, struct ldb_request
*req
)
1054 if (strcmp(req
->op
.extended
.oid
, DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID
) == 0) {
1055 return descriptor_extended_sec_desc_propagation(module
, req
);
1058 return ldb_next_request(module
, req
);
1061 static int descriptor_init(struct ldb_module
*module
)
1063 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
1065 struct descriptor_data
*descriptor_private
;
1067 ret
= ldb_mod_register_control(module
, LDB_CONTROL_SD_FLAGS_OID
);
1068 if (ret
!= LDB_SUCCESS
) {
1069 ldb_debug(ldb
, LDB_DEBUG_ERROR
,
1070 "descriptor: Unable to register control with rootdse!\n");
1071 return ldb_operr(ldb
);
1074 descriptor_private
= talloc_zero(module
, struct descriptor_data
);
1075 if (descriptor_private
== NULL
) {
1077 return LDB_ERR_OPERATIONS_ERROR
;
1079 ldb_module_set_private(module
, descriptor_private
);
1081 return ldb_next_init(module
);
1084 static int descriptor_sd_propagation_object(struct ldb_module
*module
,
1085 struct ldb_message
*msg
,
1088 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
1089 struct ldb_request
*sub_req
;
1090 struct ldb_result
*mod_res
;
1091 struct ldb_control
*sd_propagation_control
;
1096 mod_res
= talloc_zero(msg
, struct ldb_result
);
1097 if (mod_res
== NULL
) {
1098 return ldb_module_oom(module
);
1101 ret
= ldb_build_mod_req(&sub_req
, ldb
, mod_res
,
1105 ldb_modify_default_callback
,
1107 LDB_REQ_SET_LOCATION(sub_req
);
1108 if (ret
!= LDB_SUCCESS
) {
1109 return ldb_module_operr(module
);
1112 ldb_req_mark_trusted(sub_req
);
1114 ret
= ldb_request_add_control(sub_req
,
1115 DSDB_CONTROL_SEC_DESC_PROPAGATION_OID
,
1117 if (ret
!= LDB_SUCCESS
) {
1118 return ldb_module_operr(module
);
1121 sd_propagation_control
= ldb_request_get_control(sub_req
,
1122 DSDB_CONTROL_SEC_DESC_PROPAGATION_OID
);
1123 if (sd_propagation_control
== NULL
) {
1124 return ldb_module_operr(module
);
1127 ret
= dsdb_request_add_controls(sub_req
,
1128 DSDB_FLAG_AS_SYSTEM
|
1129 DSDB_SEARCH_SHOW_RECYCLED
);
1130 if (ret
!= LDB_SUCCESS
) {
1131 return ldb_module_operr(module
);
1134 ret
= descriptor_modify(module
, sub_req
);
1135 if (ret
== LDB_SUCCESS
) {
1136 ret
= ldb_wait(sub_req
->handle
, LDB_WAIT_ALL
);
1138 if (ret
!= LDB_SUCCESS
) {
1139 return ldb_module_operr(module
);
1142 if (sd_propagation_control
->critical
!= 0) {
1146 talloc_free(mod_res
);
1151 static int descriptor_sd_propagation_msg_sort(struct ldb_message
**m1
,
1152 struct ldb_message
**m2
)
1154 struct ldb_dn
*dn1
= (*m1
)->dn
;
1155 struct ldb_dn
*dn2
= (*m2
)->dn
;
1158 * This sorts in tree order, parents first
1160 return ldb_dn_compare(dn2
, dn1
);
1163 static int descriptor_sd_propagation_dn_sort(struct ldb_dn
*dn1
,
1167 * This sorts in tree order, parents first
1169 return ldb_dn_compare(dn2
, dn1
);
1172 static int descriptor_sd_propagation_recursive(struct ldb_module
*module
,
1173 struct descriptor_changes
*change
)
1175 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
1176 struct ldb_result
*res
= NULL
;
1178 const char * const no_attrs
[] = { "@__NONE__", NULL
};
1179 struct descriptor_changes
*c
;
1180 struct descriptor_changes
*stopped_stack
= NULL
;
1184 * Note: that we do not search for deleted/recycled objects
1186 ret
= dsdb_module_search(module
,
1192 DSDB_FLAG_NEXT_MODULE
|
1193 DSDB_FLAG_AS_SYSTEM
,
1194 NULL
, /* parent_req */
1196 if (ret
!= LDB_SUCCESS
) {
1200 TYPESAFE_QSORT(res
->msgs
, res
->count
,
1201 descriptor_sd_propagation_msg_sort
);
1203 for (c
= change
->children
; c
; c
= c
->next
) {
1204 struct ldb_message
*msg
= NULL
;
1206 BINARY_ARRAY_SEARCH_P(res
->msgs
, res
->count
, dn
, c
->dn
,
1207 descriptor_sd_propagation_dn_sort
,
1211 ldb_debug(ldb
, LDB_DEBUG_WARNING
,
1212 "descriptor_sd_propagation_recursive: "
1213 "%s not found under %s",
1214 ldb_dn_get_linearized(c
->dn
),
1215 ldb_dn_get_linearized(change
->dn
));
1219 msg
->elements
= (struct ldb_message_element
*)c
;
1222 DLIST_ADD(stopped_stack
, change
);
1224 if (change
->force_self
) {
1230 for (; i
< res
->count
; i
++) {
1231 struct descriptor_changes
*cur
;
1234 cur
= talloc_get_type(res
->msgs
[i
]->elements
,
1235 struct descriptor_changes
);
1236 res
->msgs
[i
]->elements
= NULL
;
1237 res
->msgs
[i
]->num_elements
= 0;
1240 DLIST_REMOVE(change
->children
, cur
);
1243 for (c
= stopped_stack
; c
; c
= stopped_stack
) {
1244 ret
= ldb_dn_compare_base(c
->dn
,
1250 c
->stopped_dn
= NULL
;
1251 DLIST_REMOVE(stopped_stack
, c
);
1255 DLIST_ADD(stopped_stack
, cur
);
1258 if (stopped_stack
->stopped_dn
!= NULL
) {
1259 ret
= ldb_dn_compare_base(stopped_stack
->stopped_dn
,
1264 stopped_stack
->stopped_dn
= NULL
;
1267 ret
= descriptor_sd_propagation_object(module
, res
->msgs
[i
],
1269 if (ret
!= LDB_SUCCESS
) {
1273 if (cur
!= NULL
&& cur
->force_children
) {
1278 stopped_stack
->stopped_dn
= res
->msgs
[i
]->dn
;
1287 static int descriptor_start_transaction(struct ldb_module
*module
)
1289 struct descriptor_data
*descriptor_private
=
1290 talloc_get_type_abort(ldb_module_get_private(module
),
1291 struct descriptor_data
);
1293 if (descriptor_private
->trans_mem
!= NULL
) {
1294 return ldb_module_operr(module
);
1297 descriptor_private
->trans_mem
= talloc_new(descriptor_private
);
1298 if (descriptor_private
->trans_mem
== NULL
) {
1299 return ldb_module_oom(module
);
1301 descriptor_private
->changes
= NULL
;
1303 return ldb_next_start_trans(module
);
1306 static int descriptor_prepare_commit(struct ldb_module
*module
)
1308 struct descriptor_data
*descriptor_private
=
1309 talloc_get_type_abort(ldb_module_get_private(module
),
1310 struct descriptor_data
);
1311 struct descriptor_changes
*c
, *n
;
1314 for (c
= descriptor_private
->changes
; c
; c
= n
) {
1316 DLIST_REMOVE(descriptor_private
->changes
, c
);
1318 ret
= descriptor_sd_propagation_recursive(module
, c
);
1319 if (ret
== LDB_ERR_NO_SUCH_OBJECT
) {
1322 if (ret
!= LDB_SUCCESS
) {
1327 return ldb_next_prepare_commit(module
);
1330 static int descriptor_end_transaction(struct ldb_module
*module
)
1332 struct descriptor_data
*descriptor_private
=
1333 talloc_get_type_abort(ldb_module_get_private(module
),
1334 struct descriptor_data
);
1336 TALLOC_FREE(descriptor_private
->trans_mem
);
1337 descriptor_private
->changes
= NULL
;
1339 return ldb_next_end_trans(module
);
1342 static int descriptor_del_transaction(struct ldb_module
*module
)
1344 struct descriptor_data
*descriptor_private
=
1345 talloc_get_type_abort(ldb_module_get_private(module
),
1346 struct descriptor_data
);
1348 TALLOC_FREE(descriptor_private
->trans_mem
);
1349 descriptor_private
->changes
= NULL
;
1351 return ldb_next_del_trans(module
);
1354 static const struct ldb_module_ops ldb_descriptor_module_ops
= {
1355 .name
= "descriptor",
1356 .search
= descriptor_search
,
1357 .add
= descriptor_add
,
1358 .modify
= descriptor_modify
,
1359 .rename
= descriptor_rename
,
1360 .init_context
= descriptor_init
,
1361 .extended
= descriptor_extended
,
1362 .start_transaction
= descriptor_start_transaction
,
1363 .prepare_commit
= descriptor_prepare_commit
,
1364 .end_transaction
= descriptor_end_transaction
,
1365 .del_transaction
= descriptor_del_transaction
,
1368 int ldb_descriptor_module_init(const char *version
)
1370 LDB_MODULE_CHECK_VERSION(version
);
1371 return ldb_register_module(&ldb_descriptor_module_ops
);