struct lsa_QuerySecurity *r)
{
struct dcesrv_handle *h;
- struct security_descriptor *sd;
+ const struct security_descriptor *sd = NULL;
+ uint32_t access_granted = 0;
+ struct sec_desc_buf *sdbuf = NULL;
NTSTATUS status;
struct dom_sid *sid;
sid = &dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
if (h->wire_handle.handle_type == LSA_HANDLE_POLICY) {
- status = dcesrv_build_lsa_sd(mem_ctx, &sd, sid, 0);
- } else if (h->wire_handle.handle_type == LSA_HANDLE_ACCOUNT) {
- status = dcesrv_build_lsa_sd(mem_ctx, &sd, sid,
+ struct lsa_policy_state *pstate = h->data;
+
+ sd = pstate->sd;
+ access_granted = pstate->access_mask;
+
+ } else if (h->wire_handle.handle_type == LSA_HANDLE_ACCOUNT) {
+ struct lsa_account_state *astate = h->data;
+ struct security_descriptor *_sd = NULL;
+
+ status = dcesrv_build_lsa_sd(mem_ctx, &_sd, sid,
LSA_ACCOUNT_ALL_ACCESS);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ sd = _sd;
+ access_granted = astate->access_mask;
} else {
return NT_STATUS_INVALID_HANDLE;
}
- NT_STATUS_NOT_OK_RETURN(status);
- (*r->out.sdbuf) = talloc(mem_ctx, struct sec_desc_buf);
- NT_STATUS_HAVE_NO_MEMORY(*r->out.sdbuf);
+ sdbuf = talloc_zero(mem_ctx, struct sec_desc_buf);
+ if (sdbuf == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = security_descriptor_for_client(sdbuf, sd, r->in.sec_info,
+ access_granted, &sdbuf->sd);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
- (*r->out.sdbuf)->sd = sd;
+ *r->out.sdbuf = sdbuf;
return NT_STATUS_OK;
}
struct GUID domain_guid;
struct lsa_policy_state *state;
- NTSTATUS status = dcesrv_lsa_get_policy_state(dce_call, mem_ctx, &state);
+ NTSTATUS status = dcesrv_lsa_get_policy_state(dce_call, mem_ctx,
+ 0, /* we skip access checks */
+ &state);
if (!NT_STATUS_IS_OK(status)) {
return ntstatus_to_werror(status);
}
#include "rpc_server/lsa/lsa.h"
-NTSTATUS dcesrv_lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+/*
+ * This matches a Windows 2012R2 dc in
+ * a domain with function level 2012R2.
+ */
+#define DCESRV_LSA_POLICY_SD_SDDL \
+ "O:BAG:SY" \
+ "D:" \
+ "(D;;0x00000800;;;AN)" \
+ "(A;;GA;;;BA)" \
+ "(A;;GX;;;WD)" \
+ "(A;;0x00000801;;;AN)" \
+ "(A;;0x00001000;;;LS)" \
+ "(A;;0x00001000;;;NS)" \
+ "(A;;0x00001000;;;IS)" \
+ "(A;;0x00000801;;;S-1-15-2-1)"
+
+static const struct generic_mapping dcesrv_lsa_policy_mapping = {
+ LSA_POLICY_READ,
+ LSA_POLICY_WRITE,
+ LSA_POLICY_EXECUTE,
+ LSA_POLICY_ALL_ACCESS
+};
+
+NTSTATUS dcesrv_lsa_get_policy_state(struct dcesrv_call_state *dce_call,
+ TALLOC_CTX *mem_ctx,
+ uint32_t access_desired,
struct lsa_policy_state **_state)
{
+ struct auth_session_info *session_info = dce_call->conn->auth_state.session_info;
+ enum security_user_level security_level;
struct lsa_policy_state *state;
struct ldb_result *dom_res;
const char *dom_attrs[] = {
char *p;
int ret;
- state = talloc(mem_ctx, struct lsa_policy_state);
+ state = talloc_zero(mem_ctx, struct lsa_policy_state);
if (!state) {
return NT_STATUS_NO_MEMORY;
}
return NT_STATUS_NO_SUCH_DOMAIN;
}
+ state->sd = sddl_decode(state, DCESRV_LSA_POLICY_SD_SDDL,
+ state->domain_sid);
+ if (state->sd == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ state->sd->dacl->revision = SECURITY_ACL_REVISION_NT4;
+
+ se_map_generic(&access_desired, &dcesrv_lsa_policy_mapping);
+ security_acl_map_generic(state->sd->dacl, &dcesrv_lsa_policy_mapping);
+
+ security_level = security_session_user_level(session_info, NULL);
+ if (security_level >= SECURITY_SYSTEM) {
+ /*
+ * The security descriptor doesn't allow system,
+ * but we want to allow system via ncalrpc as root.
+ */
+ state->access_mask = access_desired;
+ if (state->access_mask & SEC_FLAG_MAXIMUM_ALLOWED) {
+ state->access_mask &= ~SEC_FLAG_MAXIMUM_ALLOWED;
+ state->access_mask |= LSA_POLICY_ALL_ACCESS;
+ }
+ } else {
+ NTSTATUS status;
+
+ status = se_access_check(state->sd,
+ session_info->security_token,
+ access_desired,
+ &state->access_mask);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(2,("%s: access desired[0x%08X] rejected[0x%08X] - %s\n",
+ __func__,
+ (unsigned)access_desired,
+ (unsigned)state->access_mask,
+ nt_errstr(status)));
+ return status;
+ }
+ }
+
+ DEBUG(10,("%s: access desired[0x%08X] granted[0x%08X] - success.\n",
+ __func__,
+ (unsigned)access_desired,
+ (unsigned)state->access_mask));
+
*_state = state;
return NT_STATUS_OK;
return NT_STATUS_INVALID_PARAMETER;
}
- status = dcesrv_lsa_get_policy_state(dce_call, mem_ctx, &state);
+ status = dcesrv_lsa_get_policy_state(dce_call, mem_ctx,
+ r->in.access_mask,
+ &state);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
handle->data = talloc_steal(handle, state);
- /* need to check the access mask against - need ACLs - fails
- WSPP test */
- state->access_mask = r->in.access_mask;
state->handle = handle;
*r->out.handle = handle->wire_handle;
DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED);
}
- status = dcesrv_lsa_get_policy_state(dce_call, mem_ctx, &policy_state);
+ status = dcesrv_lsa_get_policy_state(dce_call, mem_ctx,
+ 0, /* we skip access checks */
+ &policy_state);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED);
}
- status = dcesrv_lsa_get_policy_state(dce_call, mem_ctx, &policy_state);
+ status = dcesrv_lsa_get_policy_state(dce_call, mem_ctx,
+ 0, /* we skip access checks */
+ &policy_state);
if (!NT_STATUS_IS_OK(status)) {
return status;
}