2 Unix SMB/CIFS implementation.
3 Copyright (C) Luke Kenneth Casson Leighton 1996-2000.
4 Copyright (C) Tim Potter 2000.
5 Copyright (C) Re-written by Jeremy Allison 2000.
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 /**********************************************************************************
27 Check if this ACE has a SID in common with the token.
28 **********************************************************************************/
30 static BOOL token_sid_in_ace(const NT_USER_TOKEN *token, const SEC_ACE *ace)
34 for (i = 0; i < token->num_sids; i++) {
35 if (sid_equal(&ace->trustee, &token->user_sids[i]))
42 /*********************************************************************************
43 Check an ACE against a SID. We return the remaining needed permission
44 bits not yet granted. Zero means permission allowed (no more needed bits).
45 **********************************************************************************/
47 static uint32 check_ace(SEC_ACE *ace, NT_USER_TOKEN *token, uint32 acc_desired,
50 uint32 mask = ace->info.mask;
53 * Inherit only is ignored.
56 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
61 * If this ACE has no SID in common with the token,
62 * ignore it as it cannot be used to make an access
66 if (!token_sid_in_ace( token, ace))
70 case SEC_ACE_TYPE_ACCESS_ALLOWED:
72 * This is explicitly allowed.
73 * Remove the bits from the remaining
74 * access required. Return the remaining
79 case SEC_ACE_TYPE_ACCESS_DENIED:
81 * This is explicitly denied.
82 * If any bits match terminate here,
85 if (acc_desired & mask) {
86 *status = NT_STATUS_ACCESS_DENIED;
90 case SEC_ACE_TYPE_SYSTEM_ALARM:
91 case SEC_ACE_TYPE_SYSTEM_AUDIT:
92 *status = NT_STATUS_NOT_IMPLEMENTED;
95 *status = NT_STATUS_INVALID_PARAMETER;
102 /*********************************************************************************
103 Maximum access was requested. Calculate the max possible. Fail if it doesn't
104 include other bits requested.
105 **********************************************************************************/
107 static BOOL get_max_access( SEC_ACL *the_acl, NT_USER_TOKEN *token, uint32 *granted,
111 uint32 acc_denied = 0;
112 uint32 acc_granted = 0;
115 for ( i = 0 ; i < the_acl->num_aces; i++) {
116 SEC_ACE *ace = &the_acl->ace[i];
117 uint32 mask = ace->info.mask;
119 if (!token_sid_in_ace( token, ace))
123 case SEC_ACE_TYPE_ACCESS_ALLOWED:
124 acc_granted |= (mask & ~acc_denied);
126 case SEC_ACE_TYPE_ACCESS_DENIED:
127 acc_denied |= (mask & ~acc_granted);
129 case SEC_ACE_TYPE_SYSTEM_ALARM:
130 case SEC_ACE_TYPE_SYSTEM_AUDIT:
131 *status = NT_STATUS_NOT_IMPLEMENTED;
135 *status = NT_STATUS_INVALID_PARAMETER;
142 * If we were granted no access, or we desired bits that we
143 * didn't get, then deny.
146 if ((acc_granted == 0) || ((acc_granted & desired) != desired)) {
147 *status = NT_STATUS_ACCESS_DENIED;
153 * Return the access we did get.
156 *granted = acc_granted;
157 *status = NT_STATUS_OK;
161 /* Map generic access rights to object specific rights. This technique is
162 used to give meaning to assigning read, write, execute and all access to
163 objects. Each type of object has its own mapping of generic to object
164 specific access rights. */
166 void se_map_generic(uint32 *access_mask, struct generic_mapping *mapping)
168 uint32 old_mask = *access_mask;
170 if (*access_mask & GENERIC_READ_ACCESS) {
171 *access_mask &= ~GENERIC_READ_ACCESS;
172 *access_mask |= mapping->generic_read;
175 if (*access_mask & GENERIC_WRITE_ACCESS) {
176 *access_mask &= ~GENERIC_WRITE_ACCESS;
177 *access_mask |= mapping->generic_write;
180 if (*access_mask & GENERIC_EXECUTE_ACCESS) {
181 *access_mask &= ~GENERIC_EXECUTE_ACCESS;
182 *access_mask |= mapping->generic_execute;
185 if (*access_mask & GENERIC_ALL_ACCESS) {
186 *access_mask &= ~GENERIC_ALL_ACCESS;
187 *access_mask |= mapping->generic_all;
190 if (old_mask != *access_mask) {
191 DEBUG(10, ("se_map_generic(): mapped mask 0x%08x to 0x%08x\n",
192 old_mask, *access_mask));
196 /* Map standard access rights to object specific rights. This technique is
197 used to give meaning to assigning read, write, execute and all access to
198 objects. Each type of object has its own mapping of standard to object
199 specific access rights. */
201 void se_map_standard(uint32 *access_mask, struct standard_mapping *mapping)
203 uint32 old_mask = *access_mask;
205 if (*access_mask & READ_CONTROL_ACCESS) {
206 *access_mask &= ~READ_CONTROL_ACCESS;
207 *access_mask |= mapping->std_read;
210 if (*access_mask & (DELETE_ACCESS|WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS|SYNCHRONIZE_ACCESS)) {
211 *access_mask &= ~(DELETE_ACCESS|WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS|SYNCHRONIZE_ACCESS);
212 *access_mask |= mapping->std_all;
215 if (old_mask != *access_mask) {
216 DEBUG(10, ("se_map_standard(): mapped mask 0x%08x to 0x%08x\n",
217 old_mask, *access_mask));
221 /*****************************************************************************
222 Check access rights of a user against a security descriptor. Look at
223 each ACE in the security descriptor until an access denied ACE denies
224 any of the desired rights to the user or any of the users groups, or one
225 or more ACEs explicitly grant all requested access rights. See
226 "Access-Checking" document in MSDN.
227 *****************************************************************************/
229 BOOL se_access_check(SEC_DESC *sd, NT_USER_TOKEN *token,
230 uint32 acc_desired, uint32 *acc_granted,
233 extern NT_USER_TOKEN anonymous_token;
237 uint32 tmp_acc_desired = acc_desired;
239 if (!status || !acc_granted)
243 token = &anonymous_token;
245 *status = NT_STATUS_OK;
248 DEBUG(10,("se_access_check: requested access 0x%08x, for NT token with %u entries and first sid %s.\n",
249 (unsigned int)acc_desired, (unsigned int)token->num_sids,
250 sid_to_string(sid_str, &token->user_sids[0])));
253 * No security descriptor or security descriptor with no DACL
254 * present allows all access.
257 /* ACL must have something in it */
259 if (!sd || (sd && (!(sd->type & SEC_DESC_DACL_PRESENT) || sd->dacl == NULL))) {
260 *status = NT_STATUS_OK;
261 *acc_granted = acc_desired;
262 DEBUG(5, ("se_access_check: no sd or blank DACL, access allowed\n"));
266 /* The user sid is the first in the token */
268 DEBUG(3, ("se_access_check: user sid is %s\n", sid_to_string(sid_str, &token->user_sids[PRIMARY_USER_SID_INDEX]) ));
270 for (i = 1; i < token->num_sids; i++) {
271 DEBUG(3, ("se_access_check: also %s\n",
272 sid_to_string(sid_str, &token->user_sids[i])));
275 /* Is the token the owner of the SID ? */
278 for (i = 0; i < token->num_sids; i++) {
279 if (sid_equal(&token->user_sids[i], sd->owner_sid)) {
281 * The owner always has SEC_RIGHTS_WRITE_DAC & READ_CONTROL.
283 if (tmp_acc_desired & WRITE_DAC_ACCESS)
284 tmp_acc_desired &= ~WRITE_DAC_ACCESS;
285 if (tmp_acc_desired & READ_CONTROL_ACCESS)
286 tmp_acc_desired &= ~READ_CONTROL_ACCESS;
293 if (tmp_acc_desired & MAXIMUM_ALLOWED_ACCESS) {
294 tmp_acc_desired &= ~MAXIMUM_ALLOWED_ACCESS;
295 return get_max_access( the_acl, token, acc_granted, tmp_acc_desired,
299 for ( i = 0 ; i < the_acl->num_aces && tmp_acc_desired != 0; i++) {
300 SEC_ACE *ace = &the_acl->ace[i];
302 DEBUG(10,("se_access_check: ACE %u: type %d, flags = 0x%02x, SID = %s mask = %x, current desired = %x\n",
303 (unsigned int)i, ace->type, ace->flags,
304 sid_to_string(sid_str, &ace->trustee),
305 (unsigned int) ace->info.mask,
306 (unsigned int)tmp_acc_desired ));
308 tmp_acc_desired = check_ace( ace, token, tmp_acc_desired, status);
309 if (NT_STATUS_V(*status)) {
311 DEBUG(5,("se_access_check: ACE %u denied with status %s.\n", (unsigned int)i, nt_errstr(*status)));
317 * If there are no more desired permissions left then
318 * access was allowed.
321 if (tmp_acc_desired == 0) {
322 *acc_granted = acc_desired;
323 *status = NT_STATUS_OK;
324 DEBUG(5,("se_access_check: access (%x) granted.\n", (unsigned int)acc_desired ));
329 *status = NT_STATUS_ACCESS_DENIED;
330 DEBUG(5,("se_access_check: access (%x) denied.\n", (unsigned int)acc_desired ));
334 /* Create a child security descriptor using another security descriptor as
335 the parent container. This child object can either be a container or
336 non-container object. */
338 SEC_DESC_BUF *se_create_child_secdesc(TALLOC_CTX *ctx, SEC_DESC *parent_ctr,
339 BOOL child_container)
343 SEC_ACL *new_dacl, *the_acl;
344 SEC_ACE *new_ace_list = NULL;
345 int new_ace_list_ndx = 0, i;
348 /* Currently we only process the dacl when creating the child. The
349 sacl should also be processed but this is left out as sacls are
350 not implemented in Samba at the moment.*/
352 the_acl = parent_ctr->dacl;
354 if (!(new_ace_list = talloc(ctx, sizeof(SEC_ACE) * the_acl->num_aces)))
357 for (i = 0; the_acl && i < the_acl->num_aces; i++) {
358 SEC_ACE *ace = &the_acl->ace[i];
359 SEC_ACE *new_ace = &new_ace_list[new_ace_list_ndx];
361 BOOL inherit = False;
364 /* The OBJECT_INHERIT_ACE flag causes the ACE to be
365 inherited by non-container children objects. Container
366 children objects will inherit it as an INHERIT_ONLY
369 if (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT) {
371 if (!child_container) {
372 new_flags |= SEC_ACE_FLAG_OBJECT_INHERIT;
374 new_flags |= SEC_ACE_FLAG_INHERIT_ONLY;
380 /* The CONAINER_INHERIT_ACE flag means all child container
381 objects will inherit and use the ACE. */
383 if (ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) {
384 if (!child_container) {
387 new_flags |= SEC_ACE_FLAG_CONTAINER_INHERIT;
391 /* The INHERIT_ONLY_ACE is not used by the se_access_check()
392 function for the parent container, but is inherited by
393 all child objects as a normal ACE. */
395 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
396 /* Move along, nothing to see here */
399 /* The SEC_ACE_FLAG_NO_PROPAGATE_INHERIT flag means the ACE
400 is inherited by child objects but not grandchildren
401 objects. We clear the object inherit and container
402 inherit flags in the inherited ACE. */
404 if (ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
405 new_flags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT |
406 SEC_ACE_FLAG_CONTAINER_INHERIT);
409 /* Add ACE to ACE list */
414 init_sec_access(&new_ace->info, ace->info.mask);
415 init_sec_ace(new_ace, &ace->trustee, ace->type,
416 new_ace->info, new_flags);
418 sid_to_string(sid_str, &ace->trustee);
420 DEBUG(5, ("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x "
421 " inherited as %s:%d/0x%02x/0x%08x\n", sid_str,
422 ace->type, ace->flags, ace->info.mask,
423 sid_str, new_ace->type, new_ace->flags,
424 new_ace->info.mask));
429 /* Create child security descriptor to return */
431 new_dacl = make_sec_acl(ctx, ACL_REVISION, new_ace_list_ndx, new_ace_list);
433 /* Use the existing user and group sids. I don't think this is
434 correct. Perhaps the user and group should be passed in as
435 parameters by the caller? */
437 sd = make_sec_desc(ctx, SEC_DESC_REVISION,
438 parent_ctr->owner_sid,
443 sdb = make_sec_desc_buf(ctx, size, sd);
git.samba.org / samba.git / blob