source4/dsdb/samdb/ldb_modules/kludge_acl.c

   1 /*
   2    ldb database library
   3
   4    Copyright (C) Andrew Bartlett 2005
   5    Copyright (C) Simo Sorce 2006
   6
   7     This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License as published by
   9    the Free Software Foundation; either version 3 of the License, or
  10    (at your option) any later version.
  11
  12    This program is distributed in the hope that it will be useful,
  13    but WITHOUT ANY WARRANTY; without even the implied warranty of
  14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15    GNU General Public License for more details.
  16
  17    You should have received a copy of the GNU General Public License
  18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19 */
  20
  21 /*
  22  *  Name: ldb
  23  *
  24  *  Component: ldb kludge ACL module
  25  *
  26  *  Description: Simple module to enforce a simple form of access
  27  *               control, sufficient for securing a default Samba4
  28  *               installation.
  29  *
  30  *  Author: Andrew Bartlett
  31  */
  32
  33 #include "includes.h"
  34 #include "ldb/include/ldb.h"
  35 #include "ldb/include/ldb_errors.h"
  36 #include "ldb/include/ldb_private.h"
  37 #include "auth/auth.h"
  38 #include "libcli/security/security.h"
  39 #include "dsdb/samdb/samdb.h"
  40
  41 /* Kludge ACL rules:
  42  *
  43  * - System can read passwords
  44  * - Administrators can write anything
  45  * - Users can read anything that is not a password
  46  *
  47  */
  48
  49 struct kludge_private_data {
  50         const char **password_attrs;
  51 };
  52
  53 static enum security_user_level what_is_user(struct ldb_module *module)
  54 {
  55         struct auth_session_info *session_info
  56                 = (struct auth_session_info *)ldb_get_opaque(module->ldb, "sessionInfo");
  57         return security_session_user_level(session_info);
  58 }
  59
  60 static const char *user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module)
  61 {
  62         struct auth_session_info *session_info
  63                 = (struct auth_session_info *)ldb_get_opaque(module->ldb, "sessionInfo");
  64         if (!session_info) {
  65                 return "UNKNOWN (NULL)";
  66         }
  67
  68         return talloc_asprintf(mem_ctx, "%s\\%s",
  69                                session_info->server_info->domain_name,
  70                                session_info->server_info->account_name);
  71 }
  72
  73 /* search */
  74 struct kludge_acl_context {
  75
  76         struct ldb_module *module;
  77         void *up_context;
  78         int (*up_callback)(struct ldb_context *, void *, struct ldb_reply *);
  79
  80         enum security_user_level user_type;
  81         bool allowedAttributes;
  82         bool allowedAttributesEffective;
  83         bool allowedChildClasses;
  84         bool allowedChildClassesEffective;
  85         const char **attrs;
  86 };
  87
  88 /* read all objectClasses */
  89
  90 static int kludge_acl_allowedAttributes(struct ldb_context *ldb, struct ldb_message *msg,
  91                                         const char *attrName)
  92 {
  93         struct ldb_message_element *oc_el;
  94         struct ldb_message_element *allowedAttributes;
  95         const struct dsdb_schema *schema = dsdb_get_schema(ldb);
  96         const struct dsdb_class *class;
  97         int i, j, ret;
  98
  99         /* If we don't have a schema yet, we can't do anything... */
 100         if (schema == NULL) {
 101                 return LDB_SUCCESS;
 102         }
 103
 104         /* Must remove any existing attribute, or else confusion reins */
 105         ldb_msg_remove_attr(msg, attrName);
 106         ret = ldb_msg_add_empty(msg, attrName, 0, &allowedAttributes);
 107         if (ret != LDB_SUCCESS) {
 108                 return ret;
 109         }
 110
 111         /* To ensure that oc_el is valid, we must look for it after
 112            we alter the element array in ldb_msg_add_empty() */
 113         oc_el = ldb_msg_find_element(msg, "objectClass");
 114
 115         for (i=0; oc_el && i < oc_el->num_values; i++) {
 116                 class = dsdb_class_by_lDAPDisplayName(schema, (const char *)oc_el->values[i].data);
 117                 if (!class) {
 118                         /* We don't know this class?  what is going on? */
 119                         continue;
 120                 }
 121
 122                 for (j=0; class->mayContain && class->mayContain[j]; j++) {
 123                         ldb_msg_add_string(msg, attrName, class->mayContain[j]);
 124                 }
 125                 for (j=0; class->mustContain && class->mustContain[j]; j++) {
 126                         ldb_msg_add_string(msg, attrName, class->mustContain[j]);
 127                 }
 128                 for (j=0; class->systemMayContain && class->systemMayContain[j]; j++) {
 129                         ldb_msg_add_string(msg, attrName, class->systemMayContain[j]);
 130                 }
 131                 for (j=0; class->systemMustContain && class->systemMustContain[j]; j++) {
 132                         ldb_msg_add_string(msg, attrName, class->systemMustContain[j]);
 133                 }
 134         }
 135
 136         if (allowedAttributes->num_values > 1) {
 137                 qsort(allowedAttributes->values,
 138                       allowedAttributes->num_values,
 139                       sizeof(*allowedAttributes->values),
 140                       (comparison_fn_t)data_blob_cmp);
 141
 142                 for (i=1 ; i < allowedAttributes->num_values; i++) {
 143                         struct ldb_val *val1 = &allowedAttributes->values[i-1];
 144                         struct ldb_val *val2 = &allowedAttributes->values[i];
 145                         if (data_blob_cmp(val1, val2) == 0) {
 146                                 memmove(val1, val2, (allowedAttributes->num_values - i) * sizeof( struct ldb_val));
 147                                 allowedAttributes->num_values--;
 148                                 i--;
 149                         }
 150                 }
 151         }
 152
 153         return 0;
 154
 155 }
 156 /* read all objectClasses */
 157
 158 static int kludge_acl_childClasses(struct ldb_context *ldb, struct ldb_message *msg,
 159                                    const char *attrName)
 160 {
 161         struct ldb_message_element *oc_el;
 162         struct ldb_message_element *allowedClasses;
 163         const struct dsdb_schema *schema = dsdb_get_schema(ldb);
 164         const struct dsdb_class *class;
 165         int i, j, ret;
 166
 167         /* If we don't have a schema yet, we can't do anything... */
 168         if (schema == NULL) {
 169                 return LDB_SUCCESS;
 170         }
 171
 172         /* Must remove any existing attribute, or else confusion reins */
 173         ldb_msg_remove_attr(msg, attrName);
 174         ret = ldb_msg_add_empty(msg, attrName, 0, &allowedClasses);
 175         if (ret != LDB_SUCCESS) {
 176                 return ret;
 177         }
 178
 179         /* To ensure that oc_el is valid, we must look for it after
 180            we alter the element array in ldb_msg_add_empty() */
 181         oc_el = ldb_msg_find_element(msg, "objectClass");
 182
 183         for (i=0; oc_el && i < oc_el->num_values; i++) {
 184                 class = dsdb_class_by_lDAPDisplayName(schema, (const char *)oc_el->values[i].data);
 185                 if (!class) {
 186                         /* We don't know this class?  what is going on? */
 187                         continue;
 188                 }
 189
 190                 for (j=0; class->possibleInferiors && class->possibleInferiors[j]; j++) {
 191                         ldb_msg_add_string(msg, attrName, class->possibleInferiors[j]);
 192                 }
 193         }
 194
 195         if (allowedClasses->num_values > 1) {
 196                 qsort(allowedClasses->values,
 197                       allowedClasses->num_values,
 198                       sizeof(*allowedClasses->values),
 199                       (comparison_fn_t)data_blob_cmp);
 200
 201                 for (i=1 ; i < allowedClasses->num_values; i++) {
 202                         struct ldb_val *val1 = &allowedClasses->values[i-1];
 203                         struct ldb_val *val2 = &allowedClasses->values[i];
 204                         if (data_blob_cmp(val1, val2) == 0) {
 205                                 memmove(val1, val2, (allowedClasses->num_values - i) * sizeof( struct ldb_val));
 206                                 allowedClasses->num_values--;
 207                                 i--;
 208                         }
 209                 }
 210         }
 211
 212         return 0;
 213
 214 }
 215
 216 /* find all attributes allowed by all these objectClasses */
 217
 218 static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
 219 {
 220         struct kludge_acl_context *ac;
 221         struct kludge_private_data *data;
 222         int i, ret;
 223
 224         ac = talloc_get_type(context, struct kludge_acl_context);
 225         data = talloc_get_type(ac->module->private_data, struct kludge_private_data);
 226
 227         if (ares->type != LDB_REPLY_ENTRY) {
 228                 return ac->up_callback(ldb, ac->up_context, ares);
 229         }
 230
 231         if (ac->allowedAttributes) {
 232                 ret = kludge_acl_allowedAttributes(ldb, ares->message, "allowedAttributes");
 233                 if (ret != LDB_SUCCESS) {
 234                         return ret;
 235
 236                 }
 237         }
 238         if (ac->allowedChildClasses) {
 239                 ret = kludge_acl_childClasses(ldb, ares->message, "allowedChildClasses");
 240                 if (ret != LDB_SUCCESS) {
 241                         return ret;
 242                 }
 243         }
 244
 245         if (data && data->password_attrs) /* if we are not initialized just get through */
 246         {
 247                 switch (ac->user_type) {
 248                 case SECURITY_SYSTEM:
 249                 case SECURITY_ADMINISTRATOR:
 250                         if (ac->allowedAttributesEffective) {
 251                                 ret = kludge_acl_allowedAttributes(ldb, ares->message, "allowedAttributesEffective");
 252                                 if (ret != LDB_SUCCESS) {
 253                                         return ret;
 254                                 }
 255                         }
 256                         if (ac->allowedChildClassesEffective) {
 257                                 ret = kludge_acl_childClasses(ldb, ares->message, "allowedChildClassesEffective");
 258                                 if (ret != LDB_SUCCESS) {
 259                                         return ret;
 260                                 }
 261                         }
 262                         break;
 263                 default:
 264                         /* remove password attributes */
 265                         for (i = 0; data->password_attrs[i]; i++) {
 266                                 ldb_msg_remove_attr(ares->message, data->password_attrs[i]);
 267                         }
 268                 }
 269         }
 270
 271         if ((ac->allowedAttributes || ac->allowedAttributesEffective
 272              || ac->allowedChildClasses || ac->allowedChildClassesEffective) &&
 273             (!ldb_attr_in_list(ac->attrs, "objectClass") &&
 274              !ldb_attr_in_list(ac->attrs, "*"))) {
 275                 ldb_msg_remove_attr(ares->message, "objectClass");
 276         }
 277
 278         return ac->up_callback(ldb, ac->up_context, ares);
 279 }
 280
 281 static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
 282 {
 283         struct kludge_acl_context *ac;
 284         struct ldb_request *down_req;
 285         struct kludge_private_data *data;
 286         int ret, i;
 287
 288         req->handle = NULL;
 289
 290         ac = talloc(req, struct kludge_acl_context);
 291         if (ac == NULL) {
 292                 ldb_oom(module->ldb);
 293                 return LDB_ERR_OPERATIONS_ERROR;
 294         }
 295
 296         data = talloc_get_type(module->private_data, struct kludge_private_data);
 297
 298         ac->module = module;
 299         ac->up_context = req->context;
 300         ac->up_callback = req->callback;
 301         ac->user_type = what_is_user(module);
 302         ac->attrs = req->op.search.attrs;
 303
 304         down_req = talloc_zero(req, struct ldb_request);
 305         if (down_req == NULL) {
 306                 ldb_oom(module->ldb);
 307                 return LDB_ERR_OPERATIONS_ERROR;
 308         }
 309
 310         down_req->operation = req->operation;
 311         down_req->op.search.base = req->op.search.base;
 312         down_req->op.search.scope = req->op.search.scope;
 313         down_req->op.search.tree = req->op.search.tree;
 314         down_req->op.search.attrs = req->op.search.attrs;
 315
 316         ac->allowedAttributes = ldb_attr_in_list(req->op.search.attrs, "allowedAttributes");
 317
 318         ac->allowedAttributesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedAttributesEffective");
 319
 320         ac->allowedChildClasses = ldb_attr_in_list(req->op.search.attrs, "allowedChildClasses");
 321
 322         ac->allowedChildClassesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedChildClassesEffective");
 323
 324         if (ac->allowedAttributes || ac->allowedAttributesEffective || ac->allowedChildClasses || ac->allowedChildClassesEffective) {
 325                 down_req->op.search.attrs
 326                         = ldb_attr_list_copy_add(down_req, down_req->op.search.attrs, "objectClass");
 327         }
 328
 329         /*  FIXME: I hink we should copy the tree and keep the original
 330          *  unmodified. SSS */
 331         /* replace any attributes in the parse tree that are private,
 332            so we don't allow a search for 'sambaPassword=penguin',
 333            just as we would not allow that attribute to be returned */
 334         switch (ac->user_type) {
 335         case SECURITY_SYSTEM:
 336                 break;
 337         default:
 338                 /* remove password attributes */
 339                 for (i = 0; data && data->password_attrs && data->password_attrs[i]; i++) {
 340                         ldb_parse_tree_attr_replace(down_req->op.search.tree,
 341                                                     data->password_attrs[i],
 342                                                     "kludgeACLredactedattribute");
 343                 }
 344         }
 345
 346         down_req->controls = req->controls;
 347
 348         down_req->context = ac;
 349         down_req->callback = kludge_acl_callback;
 350         ldb_set_timeout_from_prev_req(module->ldb, req, down_req);
 351
 352         /* perform the search */
 353         ret = ldb_next_request(module, down_req);
 354
 355         /* do not free down_req as the call results may be linked to it,
 356          * it will be freed when the upper level request get freed */
 357         if (ret == LDB_SUCCESS) {
 358                 req->handle = down_req->handle;
 359         }
 360
 361         return ret;
 362 }
 363
 364 /* ANY change type */
 365 static int kludge_acl_change(struct ldb_module *module, struct ldb_request *req)
 366 {
 367         enum security_user_level user_type = what_is_user(module);
 368         switch (user_type) {
 369         case SECURITY_SYSTEM:
 370         case SECURITY_ADMINISTRATOR:
 371                 return ldb_next_request(module, req);
 372         default:
 373                 ldb_asprintf_errstring(module->ldb,
 374                                        "kludge_acl_change: "
 375                                        "attempted database modify not permitted. "
 376                                        "User %s is not SYSTEM or an administrator",
 377                                        user_name(req, module));
 378                 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
 379         }
 380 }
 381
 382 static int kludge_acl_init(struct ldb_module *module)
 383 {
 384         int ret, i;
 385         TALLOC_CTX *mem_ctx = talloc_new(module);
 386         static const char *attrs[] = { "passwordAttribute", NULL };
 387         struct ldb_result *res;
 388         struct ldb_message *msg;
 389         struct ldb_message_element *password_attributes;
 390
 391         struct kludge_private_data *data;
 392
 393         data = talloc(module, struct kludge_private_data);
 394         if (data == NULL) {
 395                 ldb_oom(module->ldb);
 396                 return LDB_ERR_OPERATIONS_ERROR;
 397         }
 398
 399         data->password_attrs = NULL;
 400         module->private_data = data;
 401
 402         if (!mem_ctx) {
 403                 ldb_oom(module->ldb);
 404                 return LDB_ERR_OPERATIONS_ERROR;
 405         }
 406
 407         ret = ldb_search(module->ldb, ldb_dn_new(mem_ctx, module->ldb, "@KLUDGEACL"),
 408                          LDB_SCOPE_BASE,
 409                          NULL, attrs,
 410                          &res);
 411         if (ret != LDB_SUCCESS) {
 412                 goto done;
 413         }
 414         talloc_steal(mem_ctx, res);
 415         if (res->count == 0) {
 416                 goto done;
 417         }
 418
 419         if (res->count > 1) {
 420                 talloc_free(mem_ctx);
 421                 return LDB_ERR_CONSTRAINT_VIOLATION;
 422         }
 423
 424         msg = res->msgs[0];
 425
 426         password_attributes = ldb_msg_find_element(msg, "passwordAttribute");
 427         if (!password_attributes) {
 428                 goto done;
 429         }
 430         data->password_attrs = talloc_array(data, const char *, password_attributes->num_values + 1);
 431         if (!data->password_attrs) {
 432                 talloc_free(mem_ctx);
 433                 ldb_oom(module->ldb);
 434                 return LDB_ERR_OPERATIONS_ERROR;
 435         }
 436         for (i=0; i < password_attributes->num_values; i++) {
 437                 data->password_attrs[i] = (const char *)password_attributes->values[i].data;
 438                 talloc_steal(data->password_attrs, password_attributes->values[i].data);
 439         }
 440         data->password_attrs[i] = NULL;
 441
 442 done:
 443         talloc_free(mem_ctx);
 444         return ldb_next_init(module);
 445 }
 446
 447 _PUBLIC_ const struct ldb_module_ops ldb_kludge_acl_module_ops = {
 448         .name              = "kludge_acl",
 449         .search            = kludge_acl_search,
 450         .add               = kludge_acl_change,
 451         .modify            = kludge_acl_change,
 452         .del               = kludge_acl_change,
 453         .rename            = kludge_acl_change,
 454         .extended          = kludge_acl_change,
 455         .init_context      = kludge_acl_init
 456 };