+static int acl_check_access_on_attribute(struct ldb_module *module,
+ TALLOC_CTX *mem_ctx,
+ struct security_descriptor *sd,
+ uint32_t access,
+ struct dsdb_attribute *attr)
+{
+ int ret;
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ NTSTATUS status;
+ uint32_t access_granted;
+ struct object_tree *root = NULL;
+ struct object_tree *new_node = NULL;
+ const struct dsdb_schema *schema = dsdb_get_schema(ldb);
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ struct security_token *token = acl_user_token(module);
+ if (attr) {
+ if (!GUID_all_zero(&attr->attributeSecurityGUID)) {
+ if (!insert_in_object_tree(tmp_ctx,
+ &attr->attributeSecurityGUID, access,
+ &root, &new_node)) {
+ DEBUG(10, ("acl_search: cannot add to object tree securityGUID\n"));
+ goto fail;
+ }
+
+ if (!insert_in_object_tree(tmp_ctx,
+ &attr->schemaIDGUID, access, &new_node, &new_node)) {
+ DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
+ goto fail;
+ }
+ }
+ else {
+ if (!insert_in_object_tree(tmp_ctx,
+ &attr->schemaIDGUID, access, &root, &new_node)) {
+ DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
+ goto fail;
+ }
+ }
+ }
+ status = sec_access_check_ds(sd, token,
+ access,
+ &access_granted,
+ root);
+ if (!NT_STATUS_IS_OK(status)) {
+ ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+ }
+ else {
+ ret = LDB_SUCCESS;
+ }
+ return ret;
+fail:
+ return LDB_ERR_OPERATIONS_ERROR;
+}
+
+static int acl_check_access_on_class(struct ldb_module *module,
+ TALLOC_CTX *mem_ctx,
+ struct security_descriptor *sd,
+ uint32_t access,
+ const char *class_name)
+{
+ int ret;
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ NTSTATUS status;
+ uint32_t access_granted;
+ struct object_tree *root = NULL;
+ struct object_tree *new_node = NULL;
+ struct GUID *guid;
+ const struct dsdb_schema *schema = dsdb_get_schema(ldb);
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ struct security_token *token = acl_user_token(module);
+ if (class_name) {
+ guid = class_schemaid_guid_by_lDAPDisplayName(schema, class_name);
+ if (!guid) {
+ DEBUG(10, ("acl_search: cannot find class %s\n",
+ class_name));
+ goto fail;
+ }
+ if (!insert_in_object_tree(tmp_ctx,
+ guid, access,
+ &root, &new_node)) {
+ DEBUG(10, ("acl_search: cannot add to object tree guid\n"));
+ goto fail;
+ }
+ }
+ status = sec_access_check_ds(sd, token,
+ access,
+ &access_granted,
+ root);
+ if (!NT_STATUS_IS_OK(status)) {
+ ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+ }
+ else {
+ ret = LDB_SUCCESS;
+ }
+ return ret;
+fail:
+ return LDB_ERR_OPERATIONS_ERROR;
+}
+
+static int acl_allowedAttributes(struct ldb_module *module,
+ struct ldb_message *sd_msg,
+ struct ldb_message *msg,
+ struct acl_context *ac)
+{
+ struct ldb_message_element *oc_el;
+ struct ldb_message_element *allowedAttributes;
+ struct ldb_message_element *allowedAttributesEffective;
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ const struct dsdb_schema *schema = dsdb_get_schema(ldb);
+ TALLOC_CTX *mem_ctx;
+ const char **attr_list;
+ int i, ret;
+
+ /* If we don't have a schema yet, we can't do anything... */
+ if (schema == NULL) {
+ return LDB_SUCCESS;
+ }
+
+ /* Must remove any existing attribute */
+ if (ac->allowedAttributes) {
+ ldb_msg_remove_attr(msg, "allowedAttributes");
+ }
+
+ mem_ctx = talloc_new(msg);
+ if (!mem_ctx) {
+ ldb_oom(ldb);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ oc_el = ldb_msg_find_element(sd_msg, "objectClass");
+ attr_list = dsdb_full_attribute_list(mem_ctx, schema, oc_el, DSDB_SCHEMA_ALL);
+ if (!attr_list) {
+ ldb_asprintf_errstring(ldb, "acl: Failed to get list of attributes");
+ talloc_free(mem_ctx);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ if (ac->allowedAttributes) {
+ for (i=0; attr_list && attr_list[i]; i++) {
+ ldb_msg_add_string(msg, "allowedAttributes", attr_list[i]);
+ }
+ }
+ if (ac->allowedAttributesEffective) {
+ struct security_descriptor *sd;
+ ldb_msg_remove_attr(msg, "allowedAttributesEffective");
+ if (ac->user_type == SECURITY_SYSTEM) {
+ for (i=0; attr_list && attr_list[i]; i++) {
+ ldb_msg_add_string(msg, "allowedAttributesEffective", attr_list[i]);
+ }
+ return LDB_SUCCESS;
+ }
+
+ ret = get_sd_from_ldb_message(mem_ctx, sd_msg, &sd);
+
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ for (i=0; attr_list && attr_list[i]; i++) {
+ struct dsdb_attribute *attr = dsdb_attribute_by_lDAPDisplayName(schema,
+ attr_list[i]);
+ if (!attr) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ /* remove constructed attributes */
+ if (attr->systemFlags & DS_FLAG_ATTR_IS_CONSTRUCTED) {
+ continue;
+ }
+ ret = acl_check_access_on_attribute(module,
+ msg,
+ sd,
+ SEC_ADS_WRITE_PROP,
+ attr);
+ if (ret == LDB_SUCCESS) {
+ ldb_msg_add_string(msg, "allowedAttributesEffective", attr_list[i]);
+ }
+ }
+ }
+ return LDB_SUCCESS;
+}
+
+static int acl_childClasses(struct ldb_module *module,
+ struct ldb_message *sd_msg,
+ struct ldb_message *msg,
+ const char *attrName)
+{
+ struct ldb_message_element *oc_el;
+ struct ldb_message_element *allowedClasses;
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ const struct dsdb_schema *schema = dsdb_get_schema(ldb);
+ const struct dsdb_class *sclass;
+ int i, j, ret;
+
+ /* If we don't have a schema yet, we can't do anything... */
+ if (schema == NULL) {
+ return LDB_SUCCESS;
+ }
+
+ /* Must remove any existing attribute, or else confusion reins */
+ ldb_msg_remove_attr(msg, attrName);
+ ret = ldb_msg_add_empty(msg, attrName, 0, &allowedClasses);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ oc_el = ldb_msg_find_element(sd_msg, "objectClass");
+
+ for (i=0; oc_el && i < oc_el->num_values; i++) {
+ sclass = dsdb_class_by_lDAPDisplayName_ldb_val(schema, &oc_el->values[i]);
+ if (!sclass) {
+ /* We don't know this class? what is going on? */
+ continue;
+ }
+
+ for (j=0; sclass->possibleInferiors && sclass->possibleInferiors[j]; j++) {
+ ldb_msg_add_string(msg, attrName, sclass->possibleInferiors[j]);
+ }
+ }
+ if (allowedClasses->num_values > 1) {
+ qsort(allowedClasses->values,
+ allowedClasses->num_values,
+ sizeof(*allowedClasses->values),
+ (comparison_fn_t)data_blob_cmp);
+
+ for (i=1 ; i < allowedClasses->num_values; i++) {
+ struct ldb_val *val1 = &allowedClasses->values[i-1];
+ struct ldb_val *val2 = &allowedClasses->values[i];
+ if (data_blob_cmp(val1, val2) == 0) {
+ memmove(val1, val2, (allowedClasses->num_values - i) * sizeof(struct ldb_val));
+ allowedClasses->num_values--;
+ i--;
+ }
+ }
+ }
+
+ return LDB_SUCCESS;
+}
+
+static int acl_childClassesEffective(struct ldb_module *module,
+ struct ldb_message *sd_msg,
+ struct ldb_message *msg,
+ struct acl_context *ac)
+{
+ struct ldb_message_element *oc_el;
+ struct ldb_message_element *allowedClasses = NULL;
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ const struct dsdb_schema *schema = dsdb_get_schema(ldb);
+ const struct dsdb_class *sclass;
+ struct security_descriptor *sd;
+ int i, j, ret;
+
+ if (ac->user_type == SECURITY_SYSTEM) {
+ return acl_childClasses(module, sd_msg, msg, "allowedChildClassesEffective");
+ }
+
+ /* If we don't have a schema yet, we can't do anything... */
+ if (schema == NULL) {
+ return LDB_SUCCESS;
+ }
+
+ /* Must remove any existing attribute, or else confusion reins */
+ ldb_msg_remove_attr(msg, "allowedChildClassesEffective");
+
+ oc_el = ldb_msg_find_element(sd_msg, "objectClass");
+ ret = get_sd_from_ldb_message(msg, sd_msg, &sd);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ for (i=0; oc_el && i < oc_el->num_values; i++) {
+ sclass = dsdb_class_by_lDAPDisplayName_ldb_val(schema, &oc_el->values[i]);
+ if (!sclass) {
+ /* We don't know this class? what is going on? */
+ continue;
+ }
+
+ for (j=0; sclass->possibleInferiors && sclass->possibleInferiors[j]; j++) {
+ ret = acl_check_access_on_class(module,
+ msg,
+ sd,
+ SEC_ADS_CREATE_CHILD,
+ sclass->possibleInferiors[j]);
+ if (ret == LDB_SUCCESS) {
+ ldb_msg_add_string(msg, "allowedChildClassesEffective",
+ sclass->possibleInferiors[j]);
+ }
+ }
+ }
+ allowedClasses = ldb_msg_find_element(msg, "allowedChildClassesEffective");
+ if (!allowedClasses) {
+ return LDB_SUCCESS;
+ }
+
+ if (allowedClasses->num_values > 1) {
+ qsort(allowedClasses->values,
+ allowedClasses->num_values,
+ sizeof(*allowedClasses->values),
+ (comparison_fn_t)data_blob_cmp);
+ for (i=1 ; i < allowedClasses->num_values; i++) {
+ struct ldb_val *val1 = &allowedClasses->values[i-1];
+ struct ldb_val *val2 = &allowedClasses->values[i];
+ if (data_blob_cmp(val1, val2) == 0) {
+ memmove(val1, val2, (allowedClasses->num_values - i) * sizeof( struct ldb_val));
+ allowedClasses->num_values--;
+ i--;
+ }
+ }
+ }
+ return LDB_SUCCESS;
+}
+
+static int acl_sDRightsEffective(struct ldb_module *module,
+ struct ldb_message *sd_msg,
+ struct ldb_message *msg,
+ struct acl_context *ac)
+{
+ struct ldb_message_element *rightsEffective;
+ int ret;
+ struct security_descriptor *sd;
+ uint32_t flags = 0;
+
+ /* Must remove any existing attribute, or else confusion reins */
+ ldb_msg_remove_attr(msg, "sDRightsEffective");
+ ret = ldb_msg_add_empty(msg, "sDRightsEffective", 0, &rightsEffective);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ if (ac->user_type == SECURITY_SYSTEM) {
+ flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_SACL | SECINFO_DACL;
+ }
+ else {
+ /* Get the security descriptor from the message */
+ ret = get_sd_from_ldb_message(msg, sd_msg, &sd);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ ret = acl_check_access_on_attribute(module,
+ msg,
+ sd,
+ SEC_STD_WRITE_OWNER,
+ NULL);
+ if (ret == LDB_SUCCESS) {
+ flags |= SECINFO_OWNER | SECINFO_GROUP;
+ }
+ ret = acl_check_access_on_attribute(module,
+ msg,
+ sd,
+ SEC_STD_WRITE_DAC,
+ NULL);
+ if (ret == LDB_SUCCESS) {
+ flags |= SECINFO_DACL;
+ }
+ ret = acl_check_access_on_attribute(module,
+ msg,
+ sd,
+ SEC_FLAG_SYSTEM_SECURITY,
+ NULL);
+ if (ret == LDB_SUCCESS) {
+ flags |= SECINFO_SACL;
+ }
+ }
+ ldb_msg_add_fmt(msg, "sDRightsEffective", "%u", flags);
+ return LDB_SUCCESS;
+}
+