source3/lib/util_seaccess.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Copyright (C) Andrew Tridgell 2004
   5    Copyright (C) Gerald Carter 2005
   6    Copyright (C) Volker Lendecke 2007
   7    Copyright (C) Jeremy Allison 2008
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "includes.h"
  24
  25 /* Map generic access rights to object specific rights.  This technique is
  26    used to give meaning to assigning read, write, execute and all access to
  27    objects.  Each type of object has its own mapping of generic to object
  28    specific access rights. */
  29
  30 void se_map_generic(uint32 *access_mask, const struct generic_mapping *mapping)
  31 {
  32         uint32 old_mask = *access_mask;
  33
  34         if (*access_mask & GENERIC_READ_ACCESS) {
  35                 *access_mask &= ~GENERIC_READ_ACCESS;
  36                 *access_mask |= mapping->generic_read;
  37         }
  38
  39         if (*access_mask & GENERIC_WRITE_ACCESS) {
  40                 *access_mask &= ~GENERIC_WRITE_ACCESS;
  41                 *access_mask |= mapping->generic_write;
  42         }
  43
  44         if (*access_mask & GENERIC_EXECUTE_ACCESS) {
  45                 *access_mask &= ~GENERIC_EXECUTE_ACCESS;
  46                 *access_mask |= mapping->generic_execute;
  47         }
  48
  49         if (*access_mask & GENERIC_ALL_ACCESS) {
  50                 *access_mask &= ~GENERIC_ALL_ACCESS;
  51                 *access_mask |= mapping->generic_all;
  52         }
  53
  54         if (old_mask != *access_mask) {
  55                 DEBUG(10, ("se_map_generic(): mapped mask 0x%08x to 0x%08x\n",
  56                            old_mask, *access_mask));
  57         }
  58 }
  59
  60 /* Map generic access rights to object specific rights for all the ACE's
  61  * in a security_acl.
  62  */
  63
  64 void security_acl_map_generic(struct security_acl *sa,
  65                                 const struct generic_mapping *mapping)
  66 {
  67         unsigned int i;
  68
  69         if (!sa) {
  70                 return;
  71         }
  72
  73         for (i = 0; i < sa->num_aces; i++) {
  74                 se_map_generic(&sa->aces[i].access_mask, mapping);
  75         }
  76 }
  77
  78 /* Map standard access rights to object specific rights.  This technique is
  79    used to give meaning to assigning read, write, execute and all access to
  80    objects.  Each type of object has its own mapping of standard to object
  81    specific access rights. */
  82
  83 void se_map_standard(uint32 *access_mask, const struct standard_mapping *mapping)
  84 {
  85         uint32 old_mask = *access_mask;
  86
  87         if (*access_mask & SEC_STD_READ_CONTROL) {
  88                 *access_mask &= ~SEC_STD_READ_CONTROL;
  89                 *access_mask |= mapping->std_read;
  90         }
  91
  92         if (*access_mask & (SEC_STD_DELETE|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE)) {
  93                 *access_mask &= ~(SEC_STD_DELETE|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE);
  94                 *access_mask |= mapping->std_all;
  95         }
  96
  97         if (old_mask != *access_mask) {
  98                 DEBUG(10, ("se_map_standard(): mapped mask 0x%08x to 0x%08x\n",
  99                            old_mask, *access_mask));
 100         }
 101 }
 102
 103 /*
 104   perform a SEC_FLAG_MAXIMUM_ALLOWED access check
 105 */
 106 static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
 107                                         const struct security_token *token)
 108 {
 109         uint32_t denied = 0, granted = 0;
 110         unsigned i;
 111
 112         if (is_sid_in_token(token, sd->owner_sid)) {
 113                 granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_STD_DELETE;
 114         } else if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
 115                 granted |= SEC_STD_DELETE;
 116         }
 117
 118         if (sd->dacl == NULL) {
 119                 return granted & ~denied;
 120         }
 121
 122         for (i = 0;i<sd->dacl->num_aces; i++) {
 123                 struct security_ace *ace = &sd->dacl->aces[i];
 124
 125                 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
 126                         continue;
 127                 }
 128
 129                 if (!is_sid_in_token(token, &ace->trustee)) {
 130                         continue;
 131                 }
 132
 133                 switch (ace->type) {
 134                 case SEC_ACE_TYPE_ACCESS_ALLOWED:
 135                         granted |= ace->access_mask;
 136                         break;
 137                 case SEC_ACE_TYPE_ACCESS_DENIED:
 138                 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
 139                         denied |= ace->access_mask;
 140                         break;
 141                 default:        /* Other ACE types not handled/supported */
 142                         break;
 143                 }
 144         }
 145
 146         return granted & ~denied;
 147 }
 148
 149 /*
 150   The main entry point for access checking. If returning ACCESS_DENIED
 151   this function returns the denied bits in the uint32_t pointed
 152   to by the access_granted pointer.
 153 */
 154 NTSTATUS se_access_check(const struct security_descriptor *sd,
 155                           const struct security_token *token,
 156                           uint32_t access_desired,
 157                           uint32_t *access_granted)
 158 {
 159         int i;
 160         uint32_t bits_remaining;
 161
 162         *access_granted = access_desired;
 163         bits_remaining = access_desired;
 164
 165         /* handle the maximum allowed flag */
 166         if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
 167                 uint32_t orig_access_desired = access_desired;
 168
 169                 access_desired |= access_check_max_allowed(sd, token);
 170                 access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
 171                 *access_granted = access_desired;
 172                 bits_remaining = access_desired & ~SEC_STD_DELETE;
 173
 174                 DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n",
 175                         orig_access_desired,
 176                         *access_granted,
 177                         bits_remaining));
 178         }
 179
 180 #if 0
 181         /* We need to support SeSecurityPrivilege for this. */
 182
 183         if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
 184                 if (user_has_privileges(token, &sec_security)) {
 185                         bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
 186                 } else {
 187                         return NT_STATUS_PRIVILEGE_NOT_HELD;
 188                 }
 189         }
 190 #endif
 191
 192         /* a NULL dacl allows access */
 193         if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
 194                 *access_granted = access_desired;
 195                 return NT_STATUS_OK;
 196         }
 197
 198         /* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */
 199         if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) &&
 200             is_sid_in_token(token, sd->owner_sid)) {
 201                 bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE);
 202         }
 203         if ((bits_remaining & SEC_STD_DELETE) &&
 204             (security_token_has_privilege(token, SEC_PRIV_RESTORE))) {
 205                 bits_remaining &= ~SEC_STD_DELETE;
 206         }
 207
 208         if (sd->dacl == NULL) {
 209                 goto done;
 210         }
 211
 212         /* check each ace in turn. */
 213         for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
 214                 struct security_ace *ace = &sd->dacl->aces[i];
 215
 216                 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
 217                         continue;
 218                 }
 219
 220                 if (!is_sid_in_token(token, &ace->trustee)) {
 221                         continue;
 222                 }
 223
 224                 switch (ace->type) {
 225                 case SEC_ACE_TYPE_ACCESS_ALLOWED:
 226                         bits_remaining &= ~ace->access_mask;
 227                         break;
 228                 case SEC_ACE_TYPE_ACCESS_DENIED:
 229                 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
 230                         if (bits_remaining & ace->access_mask) {
 231                                 return NT_STATUS_ACCESS_DENIED;
 232                         }
 233                         break;
 234                 default:        /* Other ACE types not handled/supported */
 235                         break;
 236                 }
 237         }
 238
 239 done:
 240         if (bits_remaining != 0) {
 241                 *access_granted = bits_remaining;
 242                 return NT_STATUS_ACCESS_DENIED;
 243         }
 244
 245         return NT_STATUS_OK;
 246 }