4 Copyright (C) Nadezhda Ivanova 2010
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 * Component: ldb ACL modules
25 * Description: Some auxiliary functions used for access checking
27 * Author: Nadezhda Ivanova
30 #include "ldb_module.h"
31 #include "auth/auth.h"
32 #include "libcli/security/security.h"
33 #include "dsdb/samdb/samdb.h"
34 #include "librpc/gen_ndr/ndr_security.h"
35 #include "param/param.h"
36 #include "dsdb/samdb/ldb_modules/util.h"
38 struct security_token *acl_user_token(struct ldb_module *module)
40 struct ldb_context *ldb = ldb_module_get_ctx(module);
41 struct auth_session_info *session_info
42 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
46 return session_info->security_token;
49 /* performs an access check from inside the module stack
50 * given the dn of the object to be checked, the required access
51 * guid is either the guid of the extended right, or NULL
54 int dsdb_module_check_access_on_dn(struct ldb_module *module,
58 const struct GUID *guid,
59 struct ldb_request *parent)
62 struct ldb_result *acl_res;
63 static const char *acl_attrs[] = {
64 "nTSecurityDescriptor",
68 struct ldb_context *ldb = ldb_module_get_ctx(module);
69 struct auth_session_info *session_info
70 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
72 return ldb_operr(ldb);
74 ret = dsdb_module_search_dn(module, mem_ctx, &acl_res, dn,
76 DSDB_FLAG_NEXT_MODULE |
77 DSDB_SEARCH_SHOW_RECYCLED |
80 if (ret != LDB_SUCCESS) {
81 DEBUG(0,("access_check: failed to find object %s\n", ldb_dn_get_linearized(dn)));
84 return dsdb_check_access_on_dn_internal(ldb, acl_res,
86 session_info->security_token,
92 int dsdb_module_check_access_on_guid(struct ldb_module *module,
96 const struct GUID *oc_guid,
97 struct ldb_request *parent)
100 struct ldb_result *acl_res;
101 static const char *acl_attrs[] = {
102 "nTSecurityDescriptor",
106 struct ldb_context *ldb = ldb_module_get_ctx(module);
107 struct auth_session_info *session_info
108 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
110 return ldb_operr(ldb);
112 ret = dsdb_module_search(module, mem_ctx, &acl_res, NULL, LDB_SCOPE_SUBTREE,
114 DSDB_FLAG_NEXT_MODULE |
115 DSDB_SEARCH_SHOW_RECYCLED |
118 "objectGUID=%s", GUID_string(mem_ctx, guid));
120 if (ret != LDB_SUCCESS || acl_res->count == 0) {
121 DEBUG(0,("access_check: failed to find object %s\n", GUID_string(mem_ctx, guid)));
124 return dsdb_check_access_on_dn_internal(ldb, acl_res,
126 session_info->security_token,
127 acl_res->msgs[0]->dn,
132 int acl_check_access_on_attribute(struct ldb_module *module,
134 struct security_descriptor *sd,
135 struct dom_sid *rp_sid,
136 uint32_t access_mask,
137 const struct dsdb_attribute *attr)
141 uint32_t access_granted;
142 struct object_tree *root = NULL;
143 struct object_tree *new_node = NULL;
144 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
145 struct security_token *token = acl_user_token(module);
147 if (!GUID_all_zero(&attr->attributeSecurityGUID)) {
148 if (!insert_in_object_tree(tmp_ctx,
149 &attr->attributeSecurityGUID,
152 DEBUG(10, ("acl_search: cannot add to object tree securityGUID\n"));
156 if (!insert_in_object_tree(tmp_ctx,
158 access_mask, &new_node,
160 DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
165 if (!insert_in_object_tree(tmp_ctx,
169 DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
174 status = sec_access_check_ds(sd, token,
179 if (!NT_STATUS_IS_OK(status)) {
180 ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
185 talloc_free(tmp_ctx);
188 talloc_free(tmp_ctx);
189 return ldb_operr(ldb_module_get_ctx(module));
193 /* checks for validated writes */
194 int acl_check_extended_right(TALLOC_CTX *mem_ctx,
195 struct security_descriptor *sd,
196 struct security_token *token,
197 const char *ext_right,
203 uint32_t access_granted;
204 struct object_tree *root = NULL;
205 struct object_tree *new_node = NULL;
206 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
208 GUID_from_string(ext_right, &right);
210 if (!insert_in_object_tree(tmp_ctx, &right, right_type,
212 DEBUG(10, ("acl_ext_right: cannot add to object tree\n"));
213 talloc_free(tmp_ctx);
214 return LDB_ERR_OPERATIONS_ERROR;
216 status = sec_access_check_ds(sd, token,
222 if (!NT_STATUS_IS_OK(status)) {
223 talloc_free(tmp_ctx);
224 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
226 talloc_free(tmp_ctx);
230 const char *acl_user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module)
232 struct ldb_context *ldb = ldb_module_get_ctx(module);
233 struct auth_session_info *session_info
234 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
236 return "UNKNOWN (NULL)";
239 return talloc_asprintf(mem_ctx, "%s\\%s",
240 session_info->server_info->domain_name,
241 session_info->server_info->account_name);