mirror of
https://github.com/samba-team/samba.git
synced 2024-12-28 07:21:54 +03:00
166 lines
4.4 KiB
C
166 lines
4.4 KiB
C
/*
|
|
ldb database library
|
|
|
|
Copyright (C) Nadezhda Ivanova 2010
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation; either version 3 of the License, or
|
|
(at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
/*
|
|
* Name: dsdb_access
|
|
*
|
|
* Description: utility functions for access checking on objects
|
|
*
|
|
* Authors: Nadezhda Ivanova
|
|
*/
|
|
|
|
#include "includes.h"
|
|
#include "ldb.h"
|
|
#include "ldb_errors.h"
|
|
#include "libcli/security/security.h"
|
|
#include "librpc/gen_ndr/ndr_security.h"
|
|
#include "libcli/ldap/ldap_ndr.h"
|
|
#include "param/param.h"
|
|
#include "auth/auth.h"
|
|
#include "dsdb/samdb/samdb.h"
|
|
|
|
void dsdb_acl_debug(struct security_descriptor *sd,
|
|
struct security_token *token,
|
|
struct ldb_dn *dn,
|
|
bool denied,
|
|
int level)
|
|
{
|
|
if (denied) {
|
|
DEBUG(level, ("Access on %s denied", ldb_dn_get_linearized(dn)));
|
|
} else {
|
|
DEBUG(level, ("Access on %s granted", ldb_dn_get_linearized(dn)));
|
|
}
|
|
|
|
DEBUG(level,("Security context: %s\n",
|
|
ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_token,"", token)));
|
|
DEBUG(level,("Security descriptor: %s\n",
|
|
ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_descriptor,"", sd)));
|
|
}
|
|
|
|
int dsdb_get_sd_from_ldb_message(TALLOC_CTX *mem_ctx,
|
|
struct ldb_message *acl_res,
|
|
struct security_descriptor **sd)
|
|
{
|
|
struct ldb_message_element *sd_element;
|
|
enum ndr_err_code ndr_err;
|
|
|
|
sd_element = ldb_msg_find_element(acl_res, "nTSecurityDescriptor");
|
|
if (!sd_element) {
|
|
*sd = NULL;
|
|
return LDB_SUCCESS;
|
|
}
|
|
*sd = talloc(mem_ctx, struct security_descriptor);
|
|
if(!*sd) {
|
|
return LDB_ERR_OPERATIONS_ERROR;
|
|
}
|
|
ndr_err = ndr_pull_struct_blob(&sd_element->values[0], *sd, NULL, *sd,
|
|
(ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
|
|
|
|
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
|
|
return LDB_ERR_OPERATIONS_ERROR;
|
|
}
|
|
|
|
return LDB_SUCCESS;
|
|
}
|
|
|
|
int dsdb_check_access_on_dn_internal(struct ldb_result *acl_res,
|
|
TALLOC_CTX *mem_ctx,
|
|
struct security_token *token,
|
|
struct ldb_dn *dn,
|
|
uint32_t access,
|
|
const struct GUID *guid)
|
|
{
|
|
struct security_descriptor *sd = NULL;
|
|
struct dom_sid *sid = NULL;
|
|
struct object_tree *root = NULL;
|
|
struct object_tree *new_node = NULL;
|
|
NTSTATUS status;
|
|
uint32_t access_granted;
|
|
int ret;
|
|
|
|
ret = dsdb_get_sd_from_ldb_message(mem_ctx, acl_res->msgs[0], &sd);
|
|
if (ret != LDB_SUCCESS) {
|
|
return LDB_ERR_OPERATIONS_ERROR;
|
|
}
|
|
/* Theoretically we pass the check if the object has no sd */
|
|
if (!sd) {
|
|
return LDB_SUCCESS;
|
|
}
|
|
sid = samdb_result_dom_sid(mem_ctx, acl_res->msgs[0], "objectSid");
|
|
if (guid) {
|
|
if (!insert_in_object_tree(mem_ctx, guid, access, &root, &new_node)) {
|
|
return LDB_ERR_OPERATIONS_ERROR;
|
|
}
|
|
}
|
|
status = sec_access_check_ds(sd, token,
|
|
access,
|
|
&access_granted,
|
|
root,
|
|
sid);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
dsdb_acl_debug(sd,
|
|
token,
|
|
dn,
|
|
true,
|
|
10);
|
|
return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
|
|
}
|
|
return LDB_SUCCESS;
|
|
}
|
|
|
|
/* performs an access check from outside the module stack
|
|
* given the dn of the object to be checked, the required access
|
|
* guid is either the guid of the extended right, or NULL
|
|
*/
|
|
|
|
int dsdb_check_access_on_dn(struct ldb_context *ldb,
|
|
TALLOC_CTX *mem_ctx,
|
|
struct ldb_dn *dn,
|
|
uint32_t access,
|
|
const struct GUID *guid)
|
|
{
|
|
int ret;
|
|
struct ldb_result *acl_res;
|
|
static const char *acl_attrs[] = {
|
|
"nTSecurityDescriptor",
|
|
"objectSid",
|
|
NULL
|
|
};
|
|
|
|
struct auth_session_info *session_info
|
|
= (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
|
|
if(!session_info) {
|
|
return LDB_ERR_OPERATIONS_ERROR;
|
|
}
|
|
|
|
ret = ldb_search(ldb, mem_ctx, &acl_res, dn, LDB_SCOPE_BASE, acl_attrs, NULL);
|
|
if (ret != LDB_SUCCESS) {
|
|
DEBUG(10,("access_check: failed to find object %s\n", ldb_dn_get_linearized(dn)));
|
|
return ret;
|
|
}
|
|
|
|
return dsdb_check_access_on_dn_internal(acl_res,
|
|
mem_ctx,
|
|
session_info->security_token,
|
|
dn,
|
|
access,
|
|
guid);
|
|
}
|
|
|