/*
 * Unix SMB/CIFS implementation.
 * Group Policy Object Support
 * Copyright (C) Guenther Deschner 2007
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see <http://www.gnu.org/licenses/>.
 */
# include "includes.h"
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
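/**
 * Report whether an object ACE names the "Apply Group Policy" extended
 * right, either as its object type or as its inherited object type.
 *
 * This predicate decides which ACEs take part in GPO security filtering,
 * so an ACE it misses is silently ignored by the DACL walk.
 *
 * @param object  The object-specific part of an object ACE; may be NULL.
 * @return true if object->flags marks a GUID as present and that GUID
 *         equals ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY; false otherwise,
 *         including when the extended-right GUID string fails to parse.
 */
static bool gpo_sd_check_agp_object_guid(const struct security_ace_object *object)
{
	struct GUID ext_right_apg_guid;
	NTSTATUS status;

	if (!object) {
		return false;
	}

	status = GUID_from_string(ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY,
				  &ext_right_apg_guid);
	if (!NT_STATUS_IS_OK(status)) {
		return false;
	}

	/*
	 * flags is a bitmask (MS-DTYP object ACE): both *_PRESENT bits may
	 * be set on one ACE, so each GUID is tested only when its own bit
	 * says it was filled in. A switch on the whole value would skip an
	 * ACE carrying both bits, and reading inherited_type when only
	 * SEC_ACE_OBJECT_TYPE_PRESENT is set compares a GUID that was never
	 * populated.
	 */
	if ((object->flags & SEC_ACE_OBJECT_TYPE_PRESENT) &&
	    GUID_equal(&object->type.type, &ext_right_apg_guid)) {
		return true;
	}

	if ((object->flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) &&
	    GUID_equal(&object->inherited_type.inherited_type,
		       &ext_right_apg_guid)) {
		return true;
	}

	return false;
}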
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/**
 * Tell whether an ACE is an object ACE carrying the "Apply Group Policy"
 * extended right. Non-object ACE types are rejected before their object
 * data is looked at, since that data is only meaningful for object ACEs.
 *
 * @param ace  The ACE to inspect; must be non-NULL (it is dereferenced
 *             without a check, as the callers already do).
 * @return true if it is an object ACE whose object GUID is Apply Group Policy.
 */
static bool gpo_sd_check_agp_object(const SEC_ACE *ace)
{
	const bool is_object_ace = sec_ace_object(ace->type);

	return is_object_ace &&
	       gpo_sd_check_agp_object_guid(&ace->object.object);
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/**
 * Check whether an ACE's access mask carries the extended-rights bit
 * (SEC_RIGHTS_EXTENDED), the right that an "Apply Group Policy" object
 * ACE grants or denies.
 *
 * @param access_mask  The ACE's access mask.
 * @return true if any bit of SEC_RIGHTS_EXTENDED is set in the mask.
 */
static bool gpo_sd_check_agp_access_bits(uint32_t access_mask)
{
	const uint32_t extended_bits = access_mask & SEC_RIGHTS_EXTENDED;

	return extended_bits != 0;
}
#if 0
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/**
 * Check whether an access mask grants all three rights needed to read a
 * GPO: list contents, read all properties and read permissions.
 * Currently compiled out (#if 0) and kept for reference.
 *
 * @param access_mask  The ACE's access mask.
 * @return true only if every bit of the read set is present in the mask.
 */
static bool gpo_sd_check_read_access_bits(uint32_t access_mask)
{
	const uint32_t read_bits = SEC_RIGHTS_LIST_CONTENTS |
				   SEC_RIGHTS_READ_ALL_PROP |
				   SEC_RIGHTS_READ_PERMS;

	/* All three bits must be set, not merely any of them. */
	return (access_mask & read_bits) == read_bits;
}
# endif
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/**
 * Evaluate one ACCESS_DENIED_OBJECT ACE against a token for GPO filtering.
 *
 * The ACE is decisive only if it is an "Apply Group Policy" object ACE,
 * its access mask covers the extended right and its trustee SID is held
 * by the token. The three tests are evaluated in that order and stop at
 * the first failure.
 *
 * @param ace    ACE of type SEC_ACE_TYPE_ACCESS_DENIED_OBJECT; non-NULL.
 * @param token  Token of the user or computer being filtered.
 * @return NT_STATUS_ACCESS_DENIED when the ACE applies to the token,
 *         STATUS_MORE_ENTRIES to tell the caller to keep scanning the DACL.
 */
static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace,
					       const struct nt_user_token *token)
{
	bool applies = gpo_sd_check_agp_object(ace);

	/* Short-circuit exactly like a single && chain would. */
	applies = applies && gpo_sd_check_agp_access_bits(ace->access_mask);
	applies = applies && nt_token_check_sid(&ace->trustee, token);

	if (!applies) {
		return STATUS_MORE_ENTRIES;
	}

	DEBUG(10,("gpo_sd_check_ace_denied_object: "
		  "Access denied as of ace for %s\n",
		  sid_string_dbg(&ace->trustee)));

	return NT_STATUS_ACCESS_DENIED;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/**
 * Evaluate one ACCESS_ALLOWED_OBJECT ACE against a token for GPO filtering.
 *
 * Mirrors gpo_sd_check_ace_denied_object(): the ACE counts only when it is
 * an "Apply Group Policy" object ACE, its access mask covers the extended
 * right and its trustee SID is held by the token.
 *
 * @param ace    ACE of type SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT; non-NULL.
 * @param token  Token of the user or computer being filtered.
 * @return NT_STATUS_OK when the ACE grants the policy to the token,
 *         STATUS_MORE_ENTRIES to tell the caller to keep scanning the DACL.
 */
static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace,
						const struct nt_user_token *token)
{
	if (!gpo_sd_check_agp_object(ace)) {
		return STATUS_MORE_ENTRIES;
	}
	if (!gpo_sd_check_agp_access_bits(ace->access_mask)) {
		return STATUS_MORE_ENTRIES;
	}
	if (!nt_token_check_sid(&ace->trustee, token)) {
		return STATUS_MORE_ENTRIES;
	}

	DEBUG(10,("gpo_sd_check_ace_allowed_object: "
		  "Access granted as of ace for %s\n",
		  sid_string_dbg(&ace->trustee)));

	return NT_STATUS_OK;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/**
 * Dispatch one ACE to the handler for its type.
 *
 * Only the two object ACE types that can carry the "Apply Group Policy"
 * right are evaluated; every other ACE type is neutral for GPO filtering.
 *
 * @param ace    The ACE to evaluate; non-NULL.
 * @param token  Token of the user or computer being filtered.
 * @return NT_STATUS_OK or NT_STATUS_ACCESS_DENIED when the ACE decides
 *         the outcome, STATUS_MORE_ENTRIES when the caller should move on.
 */
static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace,
				 const struct nt_user_token *token)
{
	if (ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) {
		return gpo_sd_check_ace_denied_object(ace, token);
	}
	if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
		return gpo_sd_check_ace_allowed_object(ace, token);
	}

	/* Plain (non-object) ACEs and the remaining object ACE types do
	 * not take part in group-policy filtering. */
	return STATUS_MORE_ENTRIES;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
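/**
 * Apply the security filtering of a Group Policy Object to a token.
 *
 * Walks the GPO's DACL in order and stops at the first object ACE that
 * names the "Apply Group Policy" extended right for a SID held by the
 * token: an ACCESS_DENIED_OBJECT ACE yields NT_STATUS_ACCESS_DENIED, an
 * ACCESS_ALLOWED_OBJECT ACE yields NT_STATUS_OK. ACEs that do not match
 * are skipped. With no matching ACE at all the default is to deny, so the
 * policy is never applied by accident.
 *
 * First match wins, so a deny ACE only takes precedence over an allow ACE
 * for the same principal if it precedes it; this relies on the DACL being
 * in canonical order (deny before allow), as the directory stores it.
 *
 * @param gpo    GPO whose security descriptor is evaluated.
 * @param token  Token of the user or computer the policy is filtered for.
 * @return NT_STATUS_OK if the policy applies to the token,
 *         NT_STATUS_ACCESS_DENIED if it does not;
 *         NT_STATUS_INVALID_PARAMETER for a NULL gpo,
 *         NT_STATUS_INVALID_USER_BUFFER for a NULL token and
 *         NT_STATUS_INVALID_SECURITY_DESCR when the GPO carries no security
 *         descriptor or no DACL.
 */
NTSTATUS gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT *gpo,
				      const struct nt_user_token *token)
{
	const SEC_DESC *sd;
	const SEC_ACL *dacl;
	uint32_t i;

	/* Validate both inputs before touching gpo->security_descriptor. */
	if (!gpo) {
		return NT_STATUS_INVALID_PARAMETER;
	}
	if (!token) {
		return NT_STATUS_INVALID_USER_BUFFER;
	}

	sd = gpo->security_descriptor;
	if (!sd) {
		return NT_STATUS_INVALID_SECURITY_DESCR;
	}

	dacl = sd->dacl;
	if (!dacl) {
		return NT_STATUS_INVALID_SECURITY_DESCR;
	}

	/* check all aces and only return NT_STATUS_OK (== Access granted) or
	 * NT_STATUS_ACCESS_DENIED (== Access denied) - the default is to
	 * deny access */
	for (i = 0; i < dacl->num_aces; i++) {
		/* unsigned index: num_aces is an unsigned count in the ACL
		 * struct, so this avoids a signed/unsigned comparison */
		NTSTATUS status = gpo_sd_check_ace(&dacl->aces[i], token);

		/* Both verdicts are final; anything else means "keep looking". */
		if (NT_STATUS_IS_OK(status) ||
		    NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
			return status;
		}
	}

	return NT_STATUS_ACCESS_DENIED;
}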