sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-26 10:04:02 +03:00
Code
samba-mirror/source4/dsdb/samdb/samdb_privilege.c

135 lines
3.4 KiB
C
Raw Normal View History

r4151: added privilege attribute handling on samdb. pvfs will now honor some privileges on ACLs, and it will be quite easy to add the checks for more privileges in the necessary places, by making calls to sec_privilege_check(). (This used to be commit 3549039d0fbc54f87ae679e7288b82b28713e487)
2004-12-11 13:19:41 +00:00
/*
Unix SMB/CIFS implementation.
manipulate privilege records in samdb
Copyright (C) Andrew Tridgell 2004
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-07-10 02:07:03 +00:00
the Free Software Foundation; either version 3 of the License, or
r4151: added privilege attribute handling on samdb. pvfs will now honor some privileges on ACLs, and it will be quite easy to add the checks for more privileges in the necessary places, by making calls to sec_privilege_check(). (This used to be commit 3549039d0fbc54f87ae679e7288b82b28713e487)
2004-12-11 13:19:41 +00:00
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-07-10 02:07:03 +00:00
along with this program. If not, see <http://www.gnu.org/licenses/>.
r4151: added privilege attribute handling on samdb. pvfs will now honor some privileges on ACLs, and it will be quite easy to add the checks for more privileges in the necessary places, by making calls to sec_privilege_check(). (This used to be commit 3549039d0fbc54f87ae679e7288b82b28713e487)
2004-12-11 13:19:41 +00:00
*/
#include "includes.h"
r26319: Split encoding functions out of libcli_ldap. (This used to be commit 95a6ef7fc8757ccfd90dbf0d6c9b5098f10b10b6)
2007-12-06 21:39:49 +01:00
#include "libcli/ldap/ldap_ndr.h"
r12542: Move some more prototypes out to seperate headers (This used to be commit 0aca5fd5130d980d07398f3291d294202aefe3c2)
2005-12-28 15:38:36 +00:00
#include "dsdb/samdb/samdb.h"
#include "auth/auth.h"
r14860: create libcli/security/security.h metze (This used to be commit 9ec706238c173992dc938d537bdf1103bf519dbf)
2006-04-02 12:02:01 +00:00
#include "libcli/security/security.h"
Revert "s4:remove "util_ldb" submodule and integrate the three gendb_* calls in "dsdb/common/util.c"" This reverts commit 8a2ce5c47cee499f90b125ebde83de5f9f1a9aa0. Jelmer pointed out that these are also in use by other LDB databases - not only SAMDB ones. Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Sun Oct 17 13:37:16 UTC 2010 on sn-devel-104
2010-10-17 14:27:18 +02:00
#include "../lib/util/util_ldb.h"
r26227: Make loadparm_context part of a server task, move loadparm_contexts further up the call stack. (This used to be commit 0721a07aada6a1fae6dcbd610b8783df57d7bbad)
2007-12-02 17:09:52 +01:00
#include "param/param.h"
s4-privileges: moved privileges to private/privilege.ldb We were storing privileges in the sam, which was OK when we were a standalone DC, but is no good when we replicate with a windows DC. This moves the privileges to a separate (local) database
2009-10-16 17:05:27 +11:00
#include "ldb_wrap.h"
/* connect to the privilege database */
struct ldb_context *privilege_connect(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx)
{
s4-auth Remove event context from privilage database handling These local TDB operations can quite safely be handled in a new/nested event context, rather than using the main event context. Andrew Bartlett
2010-12-20 21:26:35 +11:00
return ldb_wrap_connect(mem_ctx, NULL, lp_ctx, "privilege.ldb",
s4-samdb: reduce the number of samdb opens at startup Using common parameters means that the ldb_wrap code can return a reference rather than a new database
2009-10-25 17:19:03 +11:00
NULL, NULL, 0);
s4-privileges: moved privileges to private/privilege.ldb We were storing privileges in the sam, which was OK when we were a standalone DC, but is no good when we replicate with a windows DC. This moves the privileges to a separate (local) database
2009-10-16 17:05:27 +11:00
}
r4151: added privilege attribute handling on samdb. pvfs will now honor some privileges on ACLs, and it will be quite easy to add the checks for more privileges in the necessary places, by making calls to sec_privilege_check(). (This used to be commit 3549039d0fbc54f87ae679e7288b82b28713e487)
2004-12-11 13:19:41 +00:00
/*
add privilege bits for one sid to a security_token
*/
s4-privileges: moved privileges to private/privilege.ldb We were storing privileges in the sam, which was OK when we were a standalone DC, but is no good when we replicate with a windows DC. This moves the privileges to a separate (local) database
2009-10-16 17:05:27 +11:00
static NTSTATUS samdb_privilege_setup_sid(struct ldb_context *pdb, TALLOC_CTX *mem_ctx,
r14891: fix a bug found by the ibm checker the problem was that we shift with <<= (privilege-1) and we called the function with privilege=0 add some checks to catch invalid privilege values and hide the mask representation in privilege.c metze (This used to be commit a69f000324764bcd4cf420f2ecba1aca788258e4)
2006-04-03 14:39:46 +00:00
struct security_token *token,
const struct dom_sid *sid)
r4151: added privilege attribute handling on samdb. pvfs will now honor some privileges on ACLs, and it will be quite easy to add the checks for more privileges in the necessary places, by making calls to sec_privilege_check(). (This used to be commit 3549039d0fbc54f87ae679e7288b82b28713e487)
2004-12-11 13:19:41 +00:00
{
const char * const attrs[] = { "privilege", NULL };
struct ldb_message **res = NULL;
struct ldb_message_element *el;
s4:samdb_privilege.c - Change two counter variables to unsigned Also here in both cases the unsigned counter fits better than the signed one.
2009-11-06 20:14:41 +01:00
unsigned int i;
int ret;
r9240: - move struct security_token to the idl file, with this we can the ndr_pull/push/print functions for it in the ntacl-lsm module - fix compiler warnings in the ldap_encode_ndr_* code metze (This used to be commit 83d65d0d7ed9c240ad44aa2c881c1f07212bfda4)
2005-08-11 13:12:45 +00:00
char *sidstr;
r4151: added privilege attribute handling on samdb. pvfs will now honor some privileges on ACLs, and it will be quite easy to add the checks for more privileges in the necessary places, by making calls to sec_privilege_check(). (This used to be commit 3549039d0fbc54f87ae679e7288b82b28713e487)
2004-12-11 13:19:41 +00:00
r7860: switch our ldb storage format to use a NDR encoded objectSid. This is quite a large change as we had lots of code that assumed that objectSid was a string in S- format. metze and simo tried to convince me to use NDR format months ago, but I didn't listen, so its fair that I have the pain of fixing all the code now :-) This builds on the ldb_register_samba_handlers() and ldif handlers code I did earlier this week. There are still three parts of this conversion I have not finished: - the ltdb index records need to use the string form of the objectSid (to keep the DNs sane). Until that it done I have disabled indexing on objectSid, which is a big performance hit, but allows us to pass all our tests while I rejig the indexing system to use a externally supplied conversion function - I haven't yet put in place the code that allows client to use the "S-xxx-yyy" form for objectSid in ldap search expressions. w2k3 supports this, presumably by looking for the "S-" prefix to determine what type of objectSid form is being used by the client. I have been working on ways to handle this, but am not happy with them yet so they aren't part of this patch - I need to change pidl to generate push functions that take a "const void *" instead of a "void*" for the data pointer. That will fix the couple of new warnings this code generates. Luckily it many places the conversion to NDR formatted records actually simplified the code, as it means we no longer need as many calls to dom_sid_parse_talloc(). In some places it got more complex, but not many. (This used to be commit d40bc2fa8ddd43560315688eebdbe98bdd02756c)
2005-06-24 00:18:20 +00:00
sidstr = ldap_encode_ndr_dom_sid(mem_ctx, sid);
NT_STATUS_HAVE_NO_MEMORY(sidstr);
r4151: added privilege attribute handling on samdb. pvfs will now honor some privileges on ACLs, and it will be quite easy to add the checks for more privileges in the necessary places, by making calls to sec_privilege_check(). (This used to be commit 3549039d0fbc54f87ae679e7288b82b28713e487)
2004-12-11 13:19:41 +00:00
s4-privileges: moved privileges to private/privilege.ldb We were storing privileges in the sam, which was OK when we were a standalone DC, but is no good when we replicate with a windows DC. This moves the privileges to a separate (local) database
2009-10-16 17:05:27 +11:00
ret = gendb_search(pdb, mem_ctx, NULL, &res, attrs, "objectSid=%s", sidstr);
r7860: switch our ldb storage format to use a NDR encoded objectSid. This is quite a large change as we had lots of code that assumed that objectSid was a string in S- format. metze and simo tried to convince me to use NDR format months ago, but I didn't listen, so its fair that I have the pain of fixing all the code now :-) This builds on the ldb_register_samba_handlers() and ldif handlers code I did earlier this week. There are still three parts of this conversion I have not finished: - the ltdb index records need to use the string form of the objectSid (to keep the DNs sane). Until that it done I have disabled indexing on objectSid, which is a big performance hit, but allows us to pass all our tests while I rejig the indexing system to use a externally supplied conversion function - I haven't yet put in place the code that allows client to use the "S-xxx-yyy" form for objectSid in ldap search expressions. w2k3 supports this, presumably by looking for the "S-" prefix to determine what type of objectSid form is being used by the client. I have been working on ways to handle this, but am not happy with them yet so they aren't part of this patch - I need to change pidl to generate push functions that take a "const void *" instead of a "void*" for the data pointer. That will fix the couple of new warnings this code generates. Luckily it many places the conversion to NDR formatted records actually simplified the code, as it means we no longer need as many calls to dom_sid_parse_talloc(). In some places it got more complex, but not many. (This used to be commit d40bc2fa8ddd43560315688eebdbe98bdd02756c)
2005-06-24 00:18:20 +00:00
talloc_free(sidstr);
r4151: added privilege attribute handling on samdb. pvfs will now honor some privileges on ACLs, and it will be quite easy to add the checks for more privileges in the necessary places, by making calls to sec_privilege_check(). (This used to be commit 3549039d0fbc54f87ae679e7288b82b28713e487)
2004-12-11 13:19:41 +00:00
if (ret != 1) {
/* not an error to not match */
return NT_STATUS_OK;
}
el = ldb_msg_find_element(res[0], "privilege");
if (el == NULL) {
return NT_STATUS_OK;
}
for (i=0;i<el->num_values;i++) {
r9240: - move struct security_token to the idl file, with this we can the ndr_pull/push/print functions for it in the ntacl-lsm module - fix compiler warnings in the ldap_encode_ndr_* code metze (This used to be commit 83d65d0d7ed9c240ad44aa2c881c1f07212bfda4)
2005-08-11 13:12:45 +00:00
const char *priv_str = (const char *)el->values[i].data;
r14891: fix a bug found by the ibm checker the problem was that we shift with <<= (privilege-1) and we called the function with privilege=0 add some checks to catch invalid privilege values and hide the mask representation in privilege.c metze (This used to be commit a69f000324764bcd4cf420f2ecba1aca788258e4)
2006-04-03 14:39:46 +00:00
enum sec_privilege privilege = sec_privilege_id(priv_str);
libcli/security make sec_privilege_id() return SEC_PRIV_INVALID on failure. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-08-30 14:00:50 +10:00
if (privilege == SEC_PRIV_INVALID) {
s4-privs Seperate rights and privileges These are related, but slightly different concepts. The biggest difference is that rights are not enumerated as a system-wide list. This moves the rights to security.idl due to dependencies. Andrew Bartlett
2010-09-11 16:58:45 +10:00
uint32_t right_bit = sec_right_bit(priv_str);
security_token_set_right_bit(token, right_bit);
if (right_bit == 0) {
DEBUG(1,("Unknown privilege '%s' in samdb\n",
priv_str));
}
r4151: added privilege attribute handling on samdb. pvfs will now honor some privileges on ACLs, and it will be quite easy to add the checks for more privileges in the necessary places, by making calls to sec_privilege_check(). (This used to be commit 3549039d0fbc54f87ae679e7288b82b28713e487)
2004-12-11 13:19:41 +00:00
continue;
}
r14894: - add some 'const' - remove sid_active_in_token() was the same as security_token_has_sid() - rename some functions metze (This used to be commit 81390dcda50f53d61e70059fb33014de0d283dc5)
2006-04-03 15:18:12 +00:00
security_token_set_privilege(token, privilege);
r4151: added privilege attribute handling on samdb. pvfs will now honor some privileges on ACLs, and it will be quite easy to add the checks for more privileges in the necessary places, by making calls to sec_privilege_check(). (This used to be commit 3549039d0fbc54f87ae679e7288b82b28713e487)
2004-12-11 13:19:41 +00:00
}
return NT_STATUS_OK;
}
/*
setup the privilege mask for this security token based on our
local SAM
*/
s4-auth Remove event context from privilage database handling These local TDB operations can quite safely be handled in a new/nested event context, rather than using the main event context. Andrew Bartlett
2010-12-20 21:26:35 +11:00
NTSTATUS samdb_privilege_setup(struct loadparm_context *lp_ctx, struct security_token *token)
r4151: added privilege attribute handling on samdb. pvfs will now honor some privileges on ACLs, and it will be quite easy to add the checks for more privileges in the necessary places, by making calls to sec_privilege_check(). (This used to be commit 3549039d0fbc54f87ae679e7288b82b28713e487)
2004-12-11 13:19:41 +00:00
{
s4-privileges: moved privileges to private/privilege.ldb We were storing privileges in the sam, which was OK when we were a standalone DC, but is no good when we replicate with a windows DC. This moves the privileges to a separate (local) database
2009-10-16 17:05:27 +11:00
struct ldb_context *pdb;
r10810: This adds the hooks required to communicate the current user from the authenticated session down into LDB. This associates a session info structure with the open LDB, allowing a future ldb_ntacl module to allow/deny operations on that basis. Along the way, I cleaned up a few things, and added new helper functions to assist. In particular the LSA pipe uses simpler queries for some of the setup. In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't been worked on (other than making it continue to compile) since January, and I think the features of this module are being put into ldb anyway. I have also changed the partitions in ldap_server to be initialised after the connection, with the private pointer used to associate the ldb with the incoming session. Andrew Bartlett (This used to be commit fd7203789a2c0929eecea8125b57b833a67fed71)
2005-10-07 11:31:45 +00:00
TALLOC_CTX *mem_ctx;
s4:samdb_privilege.c - Change two counter variables to unsigned Also here in both cases the unsigned counter fits better than the signed one.
2009-11-06 20:14:41 +01:00
unsigned int i;
r4151: added privilege attribute handling on samdb. pvfs will now honor some privileges on ACLs, and it will be quite easy to add the checks for more privileges in the necessary places, by making calls to sec_privilege_check(). (This used to be commit 3549039d0fbc54f87ae679e7288b82b28713e487)
2004-12-11 13:19:41 +00:00
NTSTATUS status;
r10810: This adds the hooks required to communicate the current user from the authenticated session down into LDB. This associates a session info structure with the open LDB, allowing a future ldb_ntacl module to allow/deny operations on that basis. Along the way, I cleaned up a few things, and added new helper functions to assist. In particular the LSA pipe uses simpler queries for some of the setup. In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't been worked on (other than making it continue to compile) since January, and I think the features of this module are being put into ldb anyway. I have also changed the partitions in ldap_server to be initialised after the connection, with the private pointer used to associate the ldb with the incoming session. Andrew Bartlett (This used to be commit fd7203789a2c0929eecea8125b57b833a67fed71)
2005-10-07 11:31:45 +00:00
/* Shortcuts to prevent recursion and avoid lookups */
s4:security Remove use of user_sid and group_sid from struct security_token This makes the structure more like Samba3's NT_USER_TOKEN
2010-08-14 13:30:51 +10:00
if (token->sids == NULL) {
r23966: It isn't great, but at least now we have some access control in SWAT This patch prevents non-root and non-administrator users from running the provision, upgrade and vampire pages. *I think* the rest of SWAT is LDB operations, or otherwise authenticated, so we should now be secure. I wish I had a better way to 'prove' we got this right, but this is better than nothing, and moves us closer to an alpha. Andrew Bartlett (This used to be commit d61061052dc4711f886199e49bc303002c8f9b11)
2007-07-19 07:48:26 +00:00
token->privilege_mask = 0;
return NT_STATUS_OK;
}
r14840: - rename some functions - stack specific functions on top of generic ones metze (This used to be commit e391f3c98aae600c5f64d5975dd55567a09c3100)
2006-03-31 11:05:33 +00:00
if (security_token_is_system(token)) {
r10810: This adds the hooks required to communicate the current user from the authenticated session down into LDB. This associates a session info structure with the open LDB, allowing a future ldb_ntacl module to allow/deny operations on that basis. Along the way, I cleaned up a few things, and added new helper functions to assist. In particular the LSA pipe uses simpler queries for some of the setup. In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't been worked on (other than making it continue to compile) since January, and I think the features of this module are being put into ldb anyway. I have also changed the partitions in ldap_server to be initialised after the connection, with the private pointer used to associate the ldb with the incoming session. Andrew Bartlett (This used to be commit fd7203789a2c0929eecea8125b57b833a67fed71)
2005-10-07 11:31:45 +00:00
token->privilege_mask = ~0;
return NT_STATUS_OK;
}
r14840: - rename some functions - stack specific functions on top of generic ones metze (This used to be commit e391f3c98aae600c5f64d5975dd55567a09c3100)
2006-03-31 11:05:33 +00:00
if (security_token_is_anonymous(token)) {
r10810: This adds the hooks required to communicate the current user from the authenticated session down into LDB. This associates a session info structure with the open LDB, allowing a future ldb_ntacl module to allow/deny operations on that basis. Along the way, I cleaned up a few things, and added new helper functions to assist. In particular the LSA pipe uses simpler queries for some of the setup. In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't been worked on (other than making it continue to compile) since January, and I think the features of this module are being put into ldb anyway. I have also changed the partitions in ldap_server to be initialised after the connection, with the private pointer used to associate the ldb with the incoming session. Andrew Bartlett (This used to be commit fd7203789a2c0929eecea8125b57b833a67fed71)
2005-10-07 11:31:45 +00:00
token->privilege_mask = 0;
return NT_STATUS_OK;
}
mem_ctx = talloc_new(token);
s4-auth Remove event context from privilage database handling These local TDB operations can quite safely be handled in a new/nested event context, rather than using the main event context. Andrew Bartlett
2010-12-20 21:26:35 +11:00
pdb = privilege_connect(mem_ctx, lp_ctx);
s4-privileges: moved privileges to private/privilege.ldb We were storing privileges in the sam, which was OK when we were a standalone DC, but is no good when we replicate with a windows DC. This moves the privileges to a separate (local) database
2009-10-16 17:05:27 +11:00
if (pdb == NULL) {
r4151: added privilege attribute handling on samdb. pvfs will now honor some privileges on ACLs, and it will be quite easy to add the checks for more privileges in the necessary places, by making calls to sec_privilege_check(). (This used to be commit 3549039d0fbc54f87ae679e7288b82b28713e487)
2004-12-11 13:19:41 +00:00
talloc_free(mem_ctx);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
token->privilege_mask = 0;
for (i=0;i<token->num_sids;i++) {
s4-privileges: moved privileges to private/privilege.ldb We were storing privileges in the sam, which was OK when we were a standalone DC, but is no good when we replicate with a windows DC. This moves the privileges to a separate (local) database
2009-10-16 17:05:27 +11:00
status = samdb_privilege_setup_sid(pdb, mem_ctx,
s4:security Change struct security_token->sids from struct dom_sid * to struct dom_sid This makes the structure much more like NT_USER_TOKEN in the source3/ code. (The remaining changes are that privilages still need to be merged) Andrew Bartlett
2010-08-20 12:15:15 +10:00
token, &token->sids[i]);
r4151: added privilege attribute handling on samdb. pvfs will now honor some privileges on ACLs, and it will be quite easy to add the checks for more privileges in the necessary places, by making calls to sec_privilege_check(). (This used to be commit 3549039d0fbc54f87ae679e7288b82b28713e487)
2004-12-11 13:19:41 +00:00
if (!NT_STATUS_IS_OK(status)) {
talloc_free(mem_ctx);
return status;
}
}
talloc_free(mem_ctx);
return NT_STATUS_OK;
}
Copy Permalink