4 Copyright (C) Andrew Bartlett 2005
5 Copyright (C) Simo Sorce 2006
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 * Component: ldb kludge ACL module
26 * Description: Simple module to enforce a simple form of access
27 * control, sufficient for securing a default Samba4
30 * Author: Andrew Bartlett
34 #include "ldb/include/ldb.h"
35 #include "ldb/include/ldb_errors.h"
36 #include "ldb/include/ldb_private.h"
37 #include "auth/auth.h"
38 #include "libcli/security/security.h"
39 #include "dsdb/samdb/samdb.h"
43 * - System can read passwords
44 * - Administrators can write anything
45 * - Users can read anything that is not a password
49 struct kludge_private_data {
50 const char **password_attrs;
53 static enum security_user_level what_is_user(struct ldb_module *module)
55 struct auth_session_info *session_info
56 = (struct auth_session_info *)ldb_get_opaque(module->ldb, "sessionInfo");
57 return security_session_user_level(session_info);
60 static const char *user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module)
62 struct auth_session_info *session_info
63 = (struct auth_session_info *)ldb_get_opaque(module->ldb, "sessionInfo");
65 return "UNKNOWN (NULL)";
68 return talloc_asprintf(mem_ctx, "%s\\%s",
69 session_info->server_info->domain_name,
70 session_info->server_info->account_name);
74 struct kludge_acl_context {
76 struct ldb_module *module;
78 int (*up_callback)(struct ldb_context *, void *, struct ldb_reply *);
80 enum security_user_level user_type;
81 bool allowedAttributes;
82 bool allowedAttributesEffective;
83 bool allowedChildClasses;
84 bool allowedChildClassesEffective;
88 /* read all objectClasses */
90 static int kludge_acl_allowedAttributes(struct ldb_context *ldb, struct ldb_message *msg,
93 struct ldb_message_element *oc_el;
94 struct ldb_message_element *allowedAttributes;
95 const struct dsdb_schema *schema = dsdb_get_schema(ldb);
96 const struct dsdb_class *class;
99 /* If we don't have a schema yet, we can't do anything... */
100 if (schema == NULL) {
104 /* Must remove any existing attribute, or else confusion reins */
105 ldb_msg_remove_attr(msg, attrName);
106 ret = ldb_msg_add_empty(msg, attrName, 0, &allowedAttributes);
107 if (ret != LDB_SUCCESS) {
111 /* To ensure that oc_el is valid, we must look for it after
112 we alter the element array in ldb_msg_add_empty() */
113 oc_el = ldb_msg_find_element(msg, "objectClass");
115 for (i=0; oc_el && i < oc_el->num_values; i++) {
116 class = dsdb_class_by_lDAPDisplayName(schema, (const char *)oc_el->values[i].data);
118 /* We don't know this class? what is going on? */
122 for (j=0; class->mayContain && class->mayContain[j]; j++) {
123 ldb_msg_add_string(msg, attrName, class->mayContain[j]);
125 for (j=0; class->mustContain && class->mustContain[j]; j++) {
126 ldb_msg_add_string(msg, attrName, class->mustContain[j]);
128 for (j=0; class->systemMayContain && class->systemMayContain[j]; j++) {
129 ldb_msg_add_string(msg, attrName, class->systemMayContain[j]);
131 for (j=0; class->systemMustContain && class->systemMustContain[j]; j++) {
132 ldb_msg_add_string(msg, attrName, class->systemMustContain[j]);
136 if (allowedAttributes->num_values > 1) {
137 qsort(allowedAttributes->values,
138 allowedAttributes->num_values,
139 sizeof(*allowedAttributes->values),
140 (comparison_fn_t)data_blob_cmp);
142 for (i=1 ; i < allowedAttributes->num_values; i++) {
143 struct ldb_val *val1 = &allowedAttributes->values[i-1];
144 struct ldb_val *val2 = &allowedAttributes->values[i];
145 if (data_blob_cmp(val1, val2) == 0) {
146 memmove(val1, val2, (allowedAttributes->num_values - i) * sizeof( struct ldb_val));
147 allowedAttributes->num_values--;
156 /* read all objectClasses */
158 static int kludge_acl_childClasses(struct ldb_context *ldb, struct ldb_message *msg,
159 const char *attrName)
161 struct ldb_message_element *oc_el;
162 struct ldb_message_element *allowedClasses;
163 const struct dsdb_schema *schema = dsdb_get_schema(ldb);
164 const struct dsdb_class *class;
167 /* If we don't have a schema yet, we can't do anything... */
168 if (schema == NULL) {
172 /* Must remove any existing attribute, or else confusion reins */
173 ldb_msg_remove_attr(msg, attrName);
174 ret = ldb_msg_add_empty(msg, attrName, 0, &allowedClasses);
175 if (ret != LDB_SUCCESS) {
179 /* To ensure that oc_el is valid, we must look for it after
180 we alter the element array in ldb_msg_add_empty() */
181 oc_el = ldb_msg_find_element(msg, "objectClass");
183 for (i=0; oc_el && i < oc_el->num_values; i++) {
184 class = dsdb_class_by_lDAPDisplayName(schema, (const char *)oc_el->values[i].data);
186 /* We don't know this class? what is going on? */
190 for (j=0; class->possibleInferiors && class->possibleInferiors[j]; j++) {
191 ldb_msg_add_string(msg, attrName, class->possibleInferiors[j]);
195 if (allowedClasses->num_values > 1) {
196 qsort(allowedClasses->values,
197 allowedClasses->num_values,
198 sizeof(*allowedClasses->values),
199 (comparison_fn_t)data_blob_cmp);
201 for (i=1 ; i < allowedClasses->num_values; i++) {
202 struct ldb_val *val1 = &allowedClasses->values[i-1];
203 struct ldb_val *val2 = &allowedClasses->values[i];
204 if (data_blob_cmp(val1, val2) == 0) {
205 memmove(val1, val2, (allowedClasses->num_values - i) * sizeof( struct ldb_val));
206 allowedClasses->num_values--;
216 /* find all attributes allowed by all these objectClasses */
218 static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
220 struct kludge_acl_context *ac;
221 struct kludge_private_data *data;
224 ac = talloc_get_type(context, struct kludge_acl_context);
225 data = talloc_get_type(ac->module->private_data, struct kludge_private_data);
227 if (ares->type != LDB_REPLY_ENTRY) {
228 return ac->up_callback(ldb, ac->up_context, ares);
231 if (ac->allowedAttributes) {
232 ret = kludge_acl_allowedAttributes(ldb, ares->message, "allowedAttributes");
233 if (ret != LDB_SUCCESS) {
238 if (ac->allowedChildClasses) {
239 ret = kludge_acl_childClasses(ldb, ares->message, "allowedChildClasses");
240 if (ret != LDB_SUCCESS) {
245 if (data && data->password_attrs) /* if we are not initialized just get through */
247 switch (ac->user_type) {
248 case SECURITY_SYSTEM:
249 case SECURITY_ADMINISTRATOR:
250 if (ac->allowedAttributesEffective) {
251 ret = kludge_acl_allowedAttributes(ldb, ares->message, "allowedAttributesEffective");
252 if (ret != LDB_SUCCESS) {
256 if (ac->allowedChildClassesEffective) {
257 ret = kludge_acl_childClasses(ldb, ares->message, "allowedChildClassesEffective");
258 if (ret != LDB_SUCCESS) {
264 /* remove password attributes */
265 for (i = 0; data->password_attrs[i]; i++) {
266 ldb_msg_remove_attr(ares->message, data->password_attrs[i]);
271 if ((ac->allowedAttributes || ac->allowedAttributesEffective
272 || ac->allowedChildClasses || ac->allowedChildClassesEffective) &&
273 (!ldb_attr_in_list(ac->attrs, "objectClass") &&
274 !ldb_attr_in_list(ac->attrs, "*"))) {
275 ldb_msg_remove_attr(ares->message, "objectClass");
278 return ac->up_callback(ldb, ac->up_context, ares);
281 static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
283 struct kludge_acl_context *ac;
284 struct ldb_request *down_req;
285 struct kludge_private_data *data;
290 ac = talloc(req, struct kludge_acl_context);
292 ldb_oom(module->ldb);
293 return LDB_ERR_OPERATIONS_ERROR;
296 data = talloc_get_type(module->private_data, struct kludge_private_data);
299 ac->up_context = req->context;
300 ac->up_callback = req->callback;
301 ac->user_type = what_is_user(module);
302 ac->attrs = req->op.search.attrs;
304 down_req = talloc_zero(req, struct ldb_request);
305 if (down_req == NULL) {
306 ldb_oom(module->ldb);
307 return LDB_ERR_OPERATIONS_ERROR;
310 down_req->operation = req->operation;
311 down_req->op.search.base = req->op.search.base;
312 down_req->op.search.scope = req->op.search.scope;
313 down_req->op.search.tree = req->op.search.tree;
314 down_req->op.search.attrs = req->op.search.attrs;
316 ac->allowedAttributes = ldb_attr_in_list(req->op.search.attrs, "allowedAttributes");
318 ac->allowedAttributesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedAttributesEffective");
320 ac->allowedChildClasses = ldb_attr_in_list(req->op.search.attrs, "allowedChildClasses");
322 ac->allowedChildClassesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedChildClassesEffective");
324 if (ac->allowedAttributes || ac->allowedAttributesEffective || ac->allowedChildClasses || ac->allowedChildClassesEffective) {
325 down_req->op.search.attrs
326 = ldb_attr_list_copy_add(down_req, down_req->op.search.attrs, "objectClass");
329 /* FIXME: I hink we should copy the tree and keep the original
331 /* replace any attributes in the parse tree that are private,
332 so we don't allow a search for 'sambaPassword=penguin',
333 just as we would not allow that attribute to be returned */
334 switch (ac->user_type) {
335 case SECURITY_SYSTEM:
338 /* remove password attributes */
339 for (i = 0; data && data->password_attrs && data->password_attrs[i]; i++) {
340 ldb_parse_tree_attr_replace(down_req->op.search.tree,
341 data->password_attrs[i],
342 "kludgeACLredactedattribute");
346 down_req->controls = req->controls;
348 down_req->context = ac;
349 down_req->callback = kludge_acl_callback;
350 ldb_set_timeout_from_prev_req(module->ldb, req, down_req);
352 /* perform the search */
353 ret = ldb_next_request(module, down_req);
355 /* do not free down_req as the call results may be linked to it,
356 * it will be freed when the upper level request get freed */
357 if (ret == LDB_SUCCESS) {
358 req->handle = down_req->handle;
364 /* ANY change type */
365 static int kludge_acl_change(struct ldb_module *module, struct ldb_request *req)
367 enum security_user_level user_type = what_is_user(module);
369 case SECURITY_SYSTEM:
370 case SECURITY_ADMINISTRATOR:
371 return ldb_next_request(module, req);
373 ldb_asprintf_errstring(module->ldb,
374 "kludge_acl_change: "
375 "attempted database modify not permitted. "
376 "User %s is not SYSTEM or an administrator",
377 user_name(req, module));
378 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
382 static int kludge_acl_init(struct ldb_module *module)
385 TALLOC_CTX *mem_ctx = talloc_new(module);
386 static const char *attrs[] = { "passwordAttribute", NULL };
387 struct ldb_result *res;
388 struct ldb_message *msg;
389 struct ldb_message_element *password_attributes;
391 struct kludge_private_data *data;
393 data = talloc(module, struct kludge_private_data);
395 ldb_oom(module->ldb);
396 return LDB_ERR_OPERATIONS_ERROR;
399 data->password_attrs = NULL;
400 module->private_data = data;
403 ldb_oom(module->ldb);
404 return LDB_ERR_OPERATIONS_ERROR;
407 ret = ldb_search(module->ldb, ldb_dn_new(mem_ctx, module->ldb, "@KLUDGEACL"),
411 if (ret != LDB_SUCCESS) {
414 talloc_steal(mem_ctx, res);
415 if (res->count == 0) {
419 if (res->count > 1) {
420 talloc_free(mem_ctx);
421 return LDB_ERR_CONSTRAINT_VIOLATION;
426 password_attributes = ldb_msg_find_element(msg, "passwordAttribute");
427 if (!password_attributes) {
430 data->password_attrs = talloc_array(data, const char *, password_attributes->num_values + 1);
431 if (!data->password_attrs) {
432 talloc_free(mem_ctx);
433 ldb_oom(module->ldb);
434 return LDB_ERR_OPERATIONS_ERROR;
436 for (i=0; i < password_attributes->num_values; i++) {
437 data->password_attrs[i] = (const char *)password_attributes->values[i].data;
438 talloc_steal(data->password_attrs, password_attributes->values[i].data);
440 data->password_attrs[i] = NULL;
443 talloc_free(mem_ctx);
444 return ldb_next_init(module);
447 _PUBLIC_ const struct ldb_module_ops ldb_kludge_acl_module_ops = {
448 .name = "kludge_acl",
449 .search = kludge_acl_search,
450 .add = kludge_acl_change,
451 .modify = kludge_acl_change,
452 .del = kludge_acl_change,
453 .rename = kludge_acl_change,
454 .extended = kludge_acl_change,
455 .init_context = kludge_acl_init