4 Copyright (C) Simo Sorce 2006-2008
5 Copyright (C) Nadezhda Ivanova 2010
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 * Component: ldb ACL Read module
26 * Description: Module that performs authorisation access checks on read requests
27 * Only DACL checks implemented at this point
29 * Author: Nadezhda Ivanova
33 #include "ldb_module.h"
34 #include "auth/auth.h"
35 #include "libcli/security/security.h"
36 #include "dsdb/samdb/samdb.h"
37 #include "librpc/gen_ndr/ndr_security.h"
38 #include "param/param.h"
39 #include "dsdb/samdb/ldb_modules/util.h"
42 struct aclread_context {
43 struct ldb_module *module;
44 struct ldb_request *req;
45 const char * const *attrs;
46 const struct dsdb_schema *schema;
53 struct aclread_private {
57 static void aclread_mark_inaccesslible(struct ldb_message_element *el) {
58 el->flags |= LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE;
61 static bool aclread_is_inaccessible(struct ldb_message_element *el) {
62 return el->flags & LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE;
65 static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
67 struct ldb_context *ldb;
68 struct aclread_context *ac;
69 struct ldb_message *ret_msg;
70 struct ldb_message *msg;
71 int ret, num_of_attrs = 0;
72 unsigned int i, k = 0;
73 struct security_descriptor *sd;
74 struct dom_sid *sid = NULL;
76 uint32_t instanceType;
78 ac = talloc_get_type(req->context, struct aclread_context);
79 ldb = ldb_module_get_ctx(ac->module);
81 return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR );
83 if (ares->error != LDB_SUCCESS) {
84 return ldb_module_done(ac->req, ares->controls,
85 ares->response, ares->error);
87 tmp_ctx = talloc_new(ac);
91 ret = dsdb_get_sd_from_ldb_message(ldb, tmp_ctx, msg, &sd);
92 if (ret != LDB_SUCCESS || sd == NULL ) {
93 DEBUG(10, ("acl_read: cannot get descriptor\n"));
94 ret = LDB_ERR_OPERATIONS_ERROR;
97 sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
98 /* get the object instance type */
99 instanceType = ldb_msg_find_attr_as_uint(msg,
101 if (!ldb_dn_is_null(msg->dn) && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
103 /* the object has a parent, so we have to check for visibility */
104 struct ldb_dn *parent_dn = ldb_dn_get_parent(tmp_ctx, msg->dn);
105 ret = dsdb_module_check_access_on_dn(ac->module,
110 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
111 talloc_free(tmp_ctx);
113 } else if (ret != LDB_SUCCESS) {
117 /* for every element in the message check RP */
118 for (i=0; i < msg->num_elements; i++) {
119 const struct dsdb_attribute *attr;
120 bool is_sd, is_objectsid, is_instancetype;
121 uint32_t access_mask;
122 attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
123 msg->elements[i].name);
125 DEBUG(2, ("acl_read: cannot find attribute %s in schema\n",
126 msg->elements[i].name));
127 ret = LDB_ERR_OPERATIONS_ERROR;
130 is_sd = ldb_attr_cmp("nTSecurityDescriptor",
131 msg->elements[i].name) == 0;
132 is_objectsid = ldb_attr_cmp("objectSid",
133 msg->elements[i].name) == 0;
134 is_instancetype = ldb_attr_cmp("instanceType",
135 msg->elements[i].name) == 0;
136 /* these attributes were added to perform access checks and must be removed */
137 if (is_objectsid && ac->object_sid) {
138 aclread_mark_inaccesslible(&msg->elements[i]);
141 if (is_instancetype && ac->instance_type) {
142 aclread_mark_inaccesslible(&msg->elements[i]);
145 if (is_sd && ac->sd) {
146 aclread_mark_inaccesslible(&msg->elements[i]);
149 /* nTSecurityDescriptor is a special case */
151 access_mask = SEC_FLAG_SYSTEM_SECURITY|SEC_STD_READ_CONTROL;
153 access_mask = SEC_ADS_READ_PROP;
155 ret = acl_check_access_on_attribute(ac->module,
163 * Dirsync control needs the replpropertymetadata attribute
164 * so return it as it will be removed by the control
167 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
168 if (!ac->indirsync) {
169 /* do not return this entry if attribute is
170 part of the search filter */
171 if (dsdb_attr_in_parse_tree(ac->req->op.search.tree,
172 msg->elements[i].name)) {
173 talloc_free(tmp_ctx);
176 aclread_mark_inaccesslible(&msg->elements[i]);
179 * We are doing dirysnc answers
180 * and the object shouldn't be returned (normally)
181 * but we will return it without replPropertyMetaData
182 * so that the dirysync module will do what is needed
183 * (remove the object if it is not deleted, or return
184 * just the objectGUID if it's deleted).
186 if (dsdb_attr_in_parse_tree(ac->req->op.search.tree,
187 msg->elements[i].name)) {
188 ldb_msg_remove_attr(msg, "replPropertyMetaData");
191 } else if (ret != LDB_SUCCESS) {
195 for (i=0; i < msg->num_elements; i++) {
196 if (!aclread_is_inaccessible(&msg->elements[i])) {
200 /*create a new message to return*/
201 ret_msg = ldb_msg_new(ac->req);
202 ret_msg->dn = msg->dn;
203 talloc_steal(ret_msg, msg->dn);
204 ret_msg->num_elements = num_of_attrs;
205 if (num_of_attrs > 0) {
206 ret_msg->elements = talloc_array(ret_msg,
207 struct ldb_message_element,
209 if (ret_msg->elements == NULL) {
212 for (i=0; i < msg->num_elements; i++) {
213 bool to_remove = aclread_is_inaccessible(&msg->elements[i]);
215 ret_msg->elements[k] = msg->elements[i];
216 talloc_steal(ret_msg->elements, msg->elements[i].name);
217 talloc_steal(ret_msg->elements, msg->elements[i].values);
222 ret_msg->elements = NULL;
224 talloc_free(tmp_ctx);
226 return ldb_module_send_entry(ac->req, ret_msg, ares->controls);
227 case LDB_REPLY_REFERRAL:
228 return ldb_module_send_referral(ac->req, ares->referral);
230 return ldb_module_done(ac->req, ares->controls,
231 ares->response, LDB_SUCCESS);
236 talloc_free(tmp_ctx);
237 return ldb_module_done(ac->req, NULL, NULL, ret);
241 static int aclread_search(struct ldb_module *module, struct ldb_request *req)
243 struct ldb_context *ldb;
245 struct aclread_context *ac;
246 struct ldb_request *down_req;
247 struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
248 struct ldb_control *indirsync = ldb_request_get_control(req, DSDB_CONTROL_DIRSYNC_RELAX_CHECK_OID);
249 struct ldb_result *res;
250 struct aclread_private *p;
251 bool is_untrusted = ldb_req_is_untrusted(req);
252 const char * const *attrs = NULL;
253 uint32_t instanceType;
254 static const char *acl_attrs[] = {
259 ldb = ldb_module_get_ctx(module);
260 p = talloc_get_type(ldb_module_get_private(module), struct aclread_private);
262 /* skip access checks if we are system or system control is supplied
263 * or this is not LDAP server request */
264 if (!p || !p->enabled ||
265 dsdb_module_am_system(module)
266 || as_system || !is_untrusted) {
267 return ldb_next_request(module, req);
269 /* no checks on special dn */
270 if (ldb_dn_is_special(req->op.search.base)) {
271 return ldb_next_request(module, req);
274 /* check accessibility of base */
275 if (!ldb_dn_is_null(req->op.search.base)) {
276 ret = dsdb_module_search_dn(module, req, &res, req->op.search.base,
278 DSDB_FLAG_NEXT_MODULE |
279 DSDB_SEARCH_SHOW_DELETED, req);
280 if (ret != LDB_SUCCESS) {
281 return ldb_error(ldb, ret,
282 "acl_read: Error retrieving instanceType for base.");
284 instanceType = ldb_msg_find_attr_as_uint(res->msgs[0],
286 if (instanceType != 0 && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
288 /* the object has a parent, so we have to check for visibility */
289 struct ldb_dn *parent_dn = ldb_dn_get_parent(req, req->op.search.base);
290 ret = dsdb_module_check_access_on_dn(module,
295 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
296 return ldb_module_done(req, NULL, NULL, LDB_ERR_NO_SUCH_OBJECT);
297 } else if (ret != LDB_SUCCESS) {
298 return ldb_module_done(req, NULL, NULL, ret);
302 ac = talloc_zero(req, struct aclread_context);
308 ac->schema = dsdb_get_schema(ldb, req);
309 if (indirsync != NULL) {
310 ac->indirsync = true;
312 ac->indirsync = false;
315 return ldb_operr(ldb);
317 ac->sd = !(ldb_attr_in_list(req->op.search.attrs, "nTSecurityDescriptor"));
318 if (req->op.search.attrs && !ldb_attr_in_list(req->op.search.attrs, "*")) {
319 if (!ldb_attr_in_list(req->op.search.attrs, "instanceType")) {
320 ac->instance_type = true;
321 attrs = ldb_attr_list_copy_add(ac, req->op.search.attrs, "instanceType");
323 attrs = req->op.search.attrs;
325 if (!ldb_attr_in_list(req->op.search.attrs, "objectSid")) {
326 ac->object_sid = true;
327 attrs = ldb_attr_list_copy_add(ac, attrs, "objectSid");
332 /* avoid replacing all attributes with nTSecurityDescriptor
333 * if attribute list is empty */
335 attrs = ldb_attr_list_copy_add(ac, attrs, "*");
337 attrs = ldb_attr_list_copy_add(ac, attrs, "nTSecurityDescriptor");
339 ac->attrs = req->op.search.attrs;
340 ret = ldb_build_search_req_ex(&down_req,
343 req->op.search.scope,
347 ac, aclread_callback,
350 if (ret != LDB_SUCCESS) {
351 return LDB_ERR_OPERATIONS_ERROR;
354 return ldb_next_request(module, down_req);
357 static int aclread_init(struct ldb_module *module)
359 struct ldb_context *ldb = ldb_module_get_ctx(module);
360 struct aclread_private *p = talloc_zero(module, struct aclread_private);
362 return ldb_module_oom(module);
364 p->enabled = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"), NULL, "acl", "search", false);
365 ldb_module_set_private(module, p);
366 return ldb_next_init(module);
369 static const struct ldb_module_ops ldb_aclread_module_ops = {
371 .search = aclread_search,
372 .init_context = aclread_init
375 int ldb_aclread_module_init(const char *version)
377 LDB_MODULE_CHECK_VERSION(version);
378 return ldb_register_module(&ldb_aclread_module_ops);