4 Copyright (C) Nadezhda Ivanova 2010
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 * Component: ldb ACL modules
25 * Description: Some auxiliary functions used for access checking
27 * Author: Nadezhda Ivanova
30 #include "ldb_module.h"
31 #include "auth/auth.h"
32 #include "libcli/security/security.h"
33 #include "dsdb/samdb/samdb.h"
34 #include "librpc/gen_ndr/ndr_security.h"
35 #include "param/param.h"
36 #include "dsdb/samdb/ldb_modules/util.h"
38 struct security_token *acl_user_token(struct ldb_module *module)
40 struct ldb_context *ldb = ldb_module_get_ctx(module);
41 struct auth_session_info *session_info
42 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
46 return session_info->security_token;
49 /* performs an access check from inside the module stack
50 * given the dn of the object to be checked, the required access
51 * guid is either the guid of the extended right, or NULL
54 int dsdb_module_check_access_on_dn(struct ldb_module *module,
58 const struct GUID *guid,
59 struct ldb_request *parent)
62 struct ldb_result *acl_res;
63 static const char *acl_attrs[] = {
64 "nTSecurityDescriptor",
68 struct ldb_context *ldb = ldb_module_get_ctx(module);
69 struct auth_session_info *session_info
70 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
72 return ldb_operr(ldb);
74 ret = dsdb_module_search_dn(module, mem_ctx, &acl_res, dn,
76 DSDB_FLAG_NEXT_MODULE |
78 DSDB_SEARCH_SHOW_RECYCLED,
80 if (ret != LDB_SUCCESS) {
81 ldb_asprintf_errstring(ldb_module_get_ctx(module),
82 "access_check: failed to find object %s\n",
83 ldb_dn_get_linearized(dn));
86 return dsdb_check_access_on_dn_internal(ldb, acl_res,
88 session_info->security_token,
95 * @brief Checks the current as the requested access on 1 attribute
97 * This function checks if a given trustee has the requested access
98 * on the specified attribute given the current security descriptor.
99 * The attribute can be NULL in this case the check will skip the
100 * OBJECT_ACE entries.
102 * @param[in] module A struct ldb_module object, security token
103 * for the current user are stored within the
106 * @param[in] mem_ctx A talloc context object for memory allocation
108 * @param[in] sd A security descriptor for attr
110 * @param[in] rp_sid The SID of the domain, used for expanding
111 * trustee in ACE that are just a RID.
113 * @param[in] access_mask An integer that represents the desired access
114 * that the security descriptor should grant to
115 * the user on the given attribute
117 * @param[in] attr A dsdb_attribute for which the checks should be
120 * @return Returns LDB_SUCCESS on success, on error another
122 * If the requested rights are not granted
123 * LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS will be returned.
126 int acl_check_access_on_attribute(struct ldb_module *module,
128 struct security_descriptor *sd,
129 struct dom_sid *rp_sid,
130 uint32_t access_mask,
131 const struct dsdb_attribute *attr,
132 const struct dsdb_class *objectclass)
136 uint32_t access_granted;
137 struct object_tree *root = NULL;
138 struct object_tree *new_node = NULL;
139 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
140 struct security_token *token = acl_user_token(module);
142 if (!insert_in_object_tree(tmp_ctx,
143 &objectclass->schemaIDGUID,
146 DEBUG(10, ("acl_search: cannot add to object tree class schemaIDGUID\n"));
151 if (!GUID_all_zero(&attr->attributeSecurityGUID)) {
152 if (!insert_in_object_tree(tmp_ctx,
153 &attr->attributeSecurityGUID,
154 access_mask, new_node,
156 DEBUG(10, ("acl_search: cannot add to object tree securityGUID\n"));
161 if (!insert_in_object_tree(tmp_ctx,
163 access_mask, new_node,
165 DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
169 status = sec_access_check_ds(sd, token,
174 if (!NT_STATUS_IS_OK(status)) {
175 ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
180 talloc_free(tmp_ctx);
183 talloc_free(tmp_ctx);
184 return ldb_operr(ldb_module_get_ctx(module));
187 int acl_check_access_on_objectclass(struct ldb_module *module,
189 struct security_descriptor *sd,
190 struct dom_sid *rp_sid,
191 uint32_t access_mask,
192 const struct dsdb_class *objectclass)
196 uint32_t access_granted;
197 struct object_tree *root = NULL;
198 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
199 struct security_token *token = acl_user_token(module);
201 if (!insert_in_object_tree(tmp_ctx,
202 &objectclass->schemaIDGUID,
205 DEBUG(10, ("acl_search: cannot add to object tree class schemaIDGUID\n"));
209 status = sec_access_check_ds(sd, token,
214 if (!NT_STATUS_IS_OK(status)) {
215 ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
219 talloc_free(tmp_ctx);
222 talloc_free(tmp_ctx);
223 return ldb_operr(ldb_module_get_ctx(module));
227 * @brief Checks if a given extended right grants the desired access for a given user
229 * This function checks if a given user is granted the specified extended right
230 * with the requested access right.
232 * @param[in] mem_ctx A talloc context object for memory allocation
234 * @param[in] sd A security descriptor for attr
236 * @param[in] token The security token reprensenting the user
238 * @param[in] ext_right A string representation of the GUID of the extended
241 * @param[in] right_typ An integer that represents the desired access
242 * that the security descriptor should grant to
243 * the user for the specified extended access right
245 * @param[in] dom_sid The SID of the domain, used for expanding
246 * trustee in ACE that are just a RID.
248 * @return Returns LDB_SUCCESS on success, on error another
250 * If the requested rights are not granted
251 * LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS will be returned.
253 int acl_check_extended_right(TALLOC_CTX *mem_ctx,
254 struct security_descriptor *sd,
255 struct security_token *token,
256 const char *ext_right,
262 uint32_t access_granted;
263 struct object_tree *root = NULL;
264 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
266 GUID_from_string(ext_right, &right);
268 if (!insert_in_object_tree(tmp_ctx, &right, right_type,
270 DEBUG(10, ("acl_ext_right: cannot add to object tree\n"));
271 talloc_free(tmp_ctx);
272 return LDB_ERR_OPERATIONS_ERROR;
274 status = sec_access_check_ds(sd, token,
280 if (!NT_STATUS_IS_OK(status)) {
281 talloc_free(tmp_ctx);
282 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
284 talloc_free(tmp_ctx);
288 const char *acl_user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module)
290 struct ldb_context *ldb = ldb_module_get_ctx(module);
291 struct auth_session_info *session_info
292 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
294 return "UNKNOWN (NULL)";
297 return talloc_asprintf(mem_ctx, "%s\\%s",
298 session_info->info->domain_name,
299 session_info->info->account_name);
302 uint32_t dsdb_request_sd_flags(struct ldb_request *req, bool *explicit)
304 struct ldb_control *sd_control;
305 uint32_t sd_flags = 0;
311 sd_control = ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID);
313 struct ldb_sd_flags_control *sdctr = (struct ldb_sd_flags_control *)sd_control->data;
315 sd_flags = sdctr->secinfo_flags;
321 /* mark it as handled */
322 sd_control->critical = 0;
325 /* we only care for the last 4 bits */
326 sd_flags &= 0x0000000F;
329 * MS-ADTS 3.1.1.3.4.1.11 says that no bits
333 sd_flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL | SECINFO_SACL;
339 int dsdb_module_schedule_sd_propagation(struct ldb_module *module,
340 struct ldb_dn *nc_root,
344 struct ldb_context *ldb = ldb_module_get_ctx(module);
345 struct dsdb_extended_sec_desc_propagation_op *op;
348 op = talloc_zero(module, struct dsdb_extended_sec_desc_propagation_op);
353 op->nc_root = nc_root;
355 op->include_self = include_self;
357 ret = dsdb_module_extended(module, op, NULL,
358 DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID,
360 DSDB_FLAG_TOP_MODULE |
361 DSDB_FLAG_AS_SYSTEM |