2010-03-11 23:10:38 +02:00
/*
ldb database library
Copyright ( C ) Nadezhda Ivanova 2010
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 3 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program . If not , see < http : //www.gnu.org/licenses/>.
*/
/*
* Name : dsdb_access
*
* Description : utility functions for access checking on objects
*
* Authors : Nadezhda Ivanova
*/
# include "includes.h"
# include "ldb.h"
2010-07-06 13:21:54 +10:00
# include "ldb_module.h"
2010-03-11 23:10:38 +02:00
# include "ldb_errors.h"
# include "libcli/security/security.h"
# include "librpc/gen_ndr/ndr_security.h"
# include "libcli/ldap/ldap_ndr.h"
# include "param/param.h"
# include "auth/auth.h"
2010-04-16 14:28:09 +03:00
# include "dsdb/samdb/samdb.h"
2010-09-26 21:12:48 -07:00
# include "dsdb/common/util.h"
2010-03-11 23:10:38 +02:00
void dsdb_acl_debug ( struct security_descriptor * sd ,
struct security_token * token ,
struct ldb_dn * dn ,
bool denied ,
int level )
{
if ( denied ) {
DEBUG ( level , ( " Access on %s denied " , ldb_dn_get_linearized ( dn ) ) ) ;
} else {
DEBUG ( level , ( " Access on %s granted " , ldb_dn_get_linearized ( dn ) ) ) ;
}
DEBUG ( level , ( " Security context: %s \n " ,
ndr_print_struct_string ( 0 , ( ndr_print_fn_t ) ndr_print_security_token , " " , token ) ) ) ;
DEBUG ( level , ( " Security descriptor: %s \n " ,
ndr_print_struct_string ( 0 , ( ndr_print_fn_t ) ndr_print_security_descriptor , " " , sd ) ) ) ;
}
2010-07-06 13:21:54 +10:00
int dsdb_get_sd_from_ldb_message ( struct ldb_context * ldb ,
TALLOC_CTX * mem_ctx ,
2010-03-11 23:10:38 +02:00
struct ldb_message * acl_res ,
struct security_descriptor * * sd )
{
struct ldb_message_element * sd_element ;
enum ndr_err_code ndr_err ;
sd_element = ldb_msg_find_element ( acl_res , " nTSecurityDescriptor " ) ;
2013-06-13 14:13:26 +02:00
if ( sd_element = = NULL ) {
return ldb_error ( ldb , LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS ,
" nTSecurityDescriptor is missing " ) ;
2010-03-11 23:10:38 +02:00
}
* sd = talloc ( mem_ctx , struct security_descriptor ) ;
if ( ! * sd ) {
2010-07-06 13:21:54 +10:00
return ldb_oom ( ldb ) ;
2010-03-11 23:10:38 +02:00
}
2010-05-09 17:20:01 +02:00
ndr_err = ndr_pull_struct_blob ( & sd_element - > values [ 0 ] , * sd , * sd ,
2010-03-11 23:10:38 +02:00
( ndr_pull_flags_fn_t ) ndr_pull_security_descriptor ) ;
if ( ! NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
2010-07-06 13:21:54 +10:00
return ldb_operr ( ldb ) ;
2010-03-11 23:10:38 +02:00
}
return LDB_SUCCESS ;
}
2010-07-06 13:21:54 +10:00
int dsdb_check_access_on_dn_internal ( struct ldb_context * ldb ,
struct ldb_result * acl_res ,
2010-03-12 03:13:51 +02:00
TALLOC_CTX * mem_ctx ,
struct security_token * token ,
struct ldb_dn * dn ,
2010-12-06 11:06:27 +01:00
uint32_t access_mask ,
2010-03-12 03:13:51 +02:00
const struct GUID * guid )
2010-03-11 23:10:38 +02:00
{
struct security_descriptor * sd = NULL ;
struct dom_sid * sid = NULL ;
struct object_tree * root = NULL ;
NTSTATUS status ;
uint32_t access_granted ;
2010-03-12 03:13:51 +02:00
int ret ;
2010-03-11 23:10:38 +02:00
2010-07-06 13:21:54 +10:00
ret = dsdb_get_sd_from_ldb_message ( ldb , mem_ctx , acl_res - > msgs [ 0 ] , & sd ) ;
2010-03-11 23:10:38 +02:00
if ( ret ! = LDB_SUCCESS ) {
2010-07-06 13:21:54 +10:00
return ldb_operr ( ldb ) ;
2010-03-11 23:10:38 +02:00
}
2013-06-13 14:16:43 +02:00
2010-04-16 14:28:09 +03:00
sid = samdb_result_dom_sid ( mem_ctx , acl_res - > msgs [ 0 ] , " objectSid " ) ;
2010-03-11 23:10:38 +02:00
if ( guid ) {
2013-01-03 20:40:32 +11:00
if ( ! insert_in_object_tree ( mem_ctx , guid , access_mask , NULL ,
& root ) ) {
2010-07-06 13:21:54 +10:00
return ldb_operr ( ldb ) ;
2010-03-11 23:10:38 +02:00
}
}
2010-03-12 03:13:51 +02:00
status = sec_access_check_ds ( sd , token ,
2010-12-06 11:06:27 +01:00
access_mask ,
2010-03-11 23:10:38 +02:00
& access_granted ,
root ,
sid ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
dsdb_acl_debug ( sd ,
2010-03-12 03:13:51 +02:00
token ,
2010-03-11 23:10:38 +02:00
dn ,
true ,
10 ) ;
2011-08-25 19:20:28 +10:00
ldb_asprintf_errstring ( ldb ,
" dsdb_access: Access check failed on %s " ,
ldb_dn_get_linearized ( dn ) ) ;
2010-03-11 23:10:38 +02:00
return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS ;
}
return LDB_SUCCESS ;
}
2010-03-12 03:13:51 +02:00
/* performs an access check from outside the module stack
* given the dn of the object to be checked , the required access
* guid is either the guid of the extended right , or NULL
*/
int dsdb_check_access_on_dn ( struct ldb_context * ldb ,
TALLOC_CTX * mem_ctx ,
struct ldb_dn * dn ,
2010-09-26 21:12:48 -07:00
struct security_token * token ,
2010-12-06 11:06:27 +01:00
uint32_t access_mask ,
2010-09-26 21:12:48 -07:00
const char * ext_right )
2010-03-12 03:13:51 +02:00
{
int ret ;
2010-09-26 21:12:48 -07:00
struct GUID guid ;
2010-03-12 03:13:51 +02:00
struct ldb_result * acl_res ;
static const char * acl_attrs [ ] = {
" nTSecurityDescriptor " ,
" objectSid " ,
NULL
} ;
2011-11-02 14:34:41 +11:00
if ( ext_right ! = NULL ) {
NTSTATUS status = GUID_from_string ( ext_right , & guid ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return LDB_ERR_OPERATIONS_ERROR ;
}
2010-03-12 03:13:51 +02:00
}
2013-06-10 13:31:59 +02:00
/*
* We need AS_SYSTEM in order to get the nTSecurityDescriptor attribute .
* Also the result of this search not controlled by the client
* nor is the result exposed to the client .
*/
ret = dsdb_search_dn ( ldb , mem_ctx , & acl_res , dn , acl_attrs ,
DSDB_FLAG_AS_SYSTEM | DSDB_SEARCH_SHOW_RECYCLED ) ;
2010-03-12 03:13:51 +02:00
if ( ret ! = LDB_SUCCESS ) {
DEBUG ( 10 , ( " access_check: failed to find object %s \n " , ldb_dn_get_linearized ( dn ) ) ) ;
return ret ;
}
2010-07-06 13:21:54 +10:00
return dsdb_check_access_on_dn_internal ( ldb , acl_res ,
2010-03-12 03:13:51 +02:00
mem_ctx ,
2010-09-26 21:12:48 -07:00
token ,
2010-03-12 03:13:51 +02:00
dn ,
2010-12-06 11:06:27 +01:00
access_mask ,
2011-11-02 14:34:41 +11:00
ext_right ? & guid : NULL ) ;
2010-03-12 03:13:51 +02:00
}