4 Copyright (C) Simo Sorce 2006-2008
5 Copyright (C) Nadezhda Ivanova 2010
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 * Component: ldb ACL Read module
26 * Description: Module that performs authorisation access checks on read requests
27 * Only DACL checks implemented at this point
29 * Author: Nadezhda Ivanova
33 #include "ldb_module.h"
34 #include "auth/auth.h"
35 #include "libcli/security/security.h"
36 #include "dsdb/samdb/samdb.h"
37 #include "librpc/gen_ndr/ndr_security.h"
38 #include "param/param.h"
39 #include "dsdb/samdb/ldb_modules/util.h"
42 struct aclread_context {
43 struct ldb_module *module;
44 struct ldb_request *req;
45 const char * const *attrs;
46 const struct dsdb_schema *schema;
52 struct aclread_private {
56 static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
58 struct ldb_context *ldb;
59 struct aclread_context *ac;
60 struct ldb_result *acl_res;
61 struct ldb_message_element *parent;
62 static const char *acl_attrs[] = {
63 "nTSecurityDescriptor",
70 struct security_descriptor *sd;
71 struct dom_sid *sid = NULL;
73 uint32_t instanceType;
75 ac = talloc_get_type(req->context, struct aclread_context);
76 ldb = ldb_module_get_ctx(ac->module);
78 return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR );
80 if (ares->error != LDB_SUCCESS) {
81 return ldb_module_done(ac->req, ares->controls,
82 ares->response, ares->error);
84 tmp_ctx = talloc_new(ac);
87 ret = dsdb_get_sd_from_ldb_message(ldb, tmp_ctx, ares->message, &sd);
88 if (ret != LDB_SUCCESS) {
89 DEBUG(10, ("acl_read: cannot get descriptor\n"));
90 ret = LDB_ERR_OPERATIONS_ERROR;
93 sid = samdb_result_dom_sid(tmp_ctx, ares->message, "objectSid");
94 /* get the object instance type */
95 instanceType = ldb_msg_find_attr_as_uint(ares->message,
97 if (!ldb_dn_is_null(ares->message->dn) && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
99 /* the object has a parent, so we have to check for visibility */
100 struct ldb_dn *parent_dn = ldb_dn_get_parent(tmp_ctx, ares->message->dn);
101 ret = dsdb_module_check_access_on_dn(ac->module,
106 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
107 talloc_free(tmp_ctx);
109 } else if (ret != LDB_SUCCESS) {
113 /* for every element in the message check RP */
115 while (i < ares->message->num_elements) {
116 const struct dsdb_attribute *attr;
117 attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
118 ares->message->elements[i].name);
120 DEBUG(2, ("acl_read: cannot find attribute %s in schema\n",
121 ares->message->elements[i].name));
122 ret = LDB_ERR_OPERATIONS_ERROR;
125 /* nTSecurityDescriptor is a special case */
126 if (ldb_attr_cmp("nTSecurityDescriptor",
127 ares->message->elements[i].name) == 0) {
129 ldb_msg_remove_attr(ares->message, ares->message->elements[i].name);
132 ret = acl_check_access_on_attribute(ac->module,
136 SEC_FLAG_SYSTEM_SECURITY|SEC_STD_READ_CONTROL,
139 ret = acl_check_access_on_attribute(ac->module,
146 if (ret == LDB_SUCCESS) {
148 } else if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
149 /* do not return this entry if attribute is
150 part of the search filter */
151 if (dsdb_attr_in_parse_tree(ac->req->op.search.tree,
152 ares->message->elements[i].name)) {
153 talloc_free(tmp_ctx);
156 ldb_msg_remove_attr(ares->message, ares->message->elements[i].name);
161 if (ac->instance_type) {
162 ldb_msg_remove_attr(ares->message, "instanceType");
164 if (ac->object_sid) {
165 ldb_msg_remove_attr(ares->message, "objectSid");
167 talloc_free(tmp_ctx);
168 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
169 case LDB_REPLY_REFERRAL:
170 return ldb_module_send_referral(ac->req, ares->referral);
172 return ldb_module_done(ac->req, ares->controls,
173 ares->response, LDB_SUCCESS);
178 talloc_free(tmp_ctx);
179 return ldb_module_done(ac->req, NULL, NULL, ret);
183 static int aclread_search(struct ldb_module *module, struct ldb_request *req)
185 struct ldb_context *ldb;
187 struct aclread_context *ac;
188 struct ldb_request *down_req;
189 struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
190 struct ldb_result *res;
191 struct aclread_private *p;
192 bool is_untrusted = ldb_req_is_untrusted(req);
193 const char * const *attrs = NULL;
194 uint32_t instanceType;
195 static const char *acl_attrs[] = {
200 ldb = ldb_module_get_ctx(module);
201 p = talloc_get_type(ldb_module_get_private(module), struct aclread_private);
203 /* skip access checks if we are system or system control is supplied
204 * or this is not LDAP server request */
205 if (!p || !p->enabled ||
206 dsdb_module_am_system(module)
207 || as_system || !is_untrusted) {
208 return ldb_next_request(module, req);
210 /* no checks on special dn */
211 if (ldb_dn_is_special(req->op.search.base)) {
212 return ldb_next_request(module, req);
215 /* check accessibility of base */
216 if (!ldb_dn_is_null(req->op.search.base)) {
217 ret = dsdb_module_search_dn(module, req, &res, req->op.search.base,
219 DSDB_FLAG_NEXT_MODULE |
220 DSDB_SEARCH_SHOW_DELETED);
221 if (ret != LDB_SUCCESS) {
222 return ldb_error(ldb, ret,
223 "acl_read: Error retrieving instanceType for base.");
225 instanceType = ldb_msg_find_attr_as_uint(res->msgs[0],
227 if (instanceType != 0 && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
229 /* the object has a parent, so we have to check for visibility */
230 struct ldb_dn *parent_dn = ldb_dn_get_parent(req, req->op.search.base);
231 ret = dsdb_module_check_access_on_dn(module,
236 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
237 return ldb_module_done(req, NULL, NULL, LDB_ERR_NO_SUCH_OBJECT);
238 } else if (ret != LDB_SUCCESS) {
239 return ldb_module_done(req, NULL, NULL, ret);
243 ac = talloc_zero(req, struct aclread_context);
249 ac->schema = dsdb_get_schema(ldb, req);
251 return ldb_operr(ldb);
253 ac->sd = !(ldb_attr_in_list(req->op.search.attrs, "nTSecurityDescriptor"));
254 if (req->op.search.attrs && !ldb_attr_in_list(req->op.search.attrs, "*")) {
255 if (!ldb_attr_in_list(req->op.search.attrs, "instanceType")) {
256 ac->instance_type = true;
257 attrs = ldb_attr_list_copy_add(ac, req->op.search.attrs, "instanceType");
259 attrs = req->op.search.attrs;
261 if (!ldb_attr_in_list(req->op.search.attrs, "objectSid")) {
262 ac->object_sid = true;
263 attrs = ldb_attr_list_copy_add(ac, attrs, "objectSid");
268 /* avoid replacing all attributes with nTSecurityDescriptor
269 * if attribute list is empty */
271 attrs = ldb_attr_list_copy_add(ac, attrs, "*");
273 attrs = ldb_attr_list_copy_add(ac, attrs, "nTSecurityDescriptor");
275 ac->attrs = req->op.search.attrs;
276 ret = ldb_build_search_req_ex(&down_req,
279 req->op.search.scope,
283 ac, aclread_callback,
286 if (ret != LDB_SUCCESS) {
287 return LDB_ERR_OPERATIONS_ERROR;
290 return ldb_next_request(module, down_req);
293 static int aclread_init(struct ldb_module *module)
295 struct ldb_context *ldb = ldb_module_get_ctx(module);
296 struct aclread_private *p = talloc_zero(module, struct aclread_private);
298 return ldb_module_oom(module);
300 p->enabled = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"), NULL, "acl", "search", false);
301 ldb_module_set_private(module, p);
302 return ldb_next_init(module);
305 static const struct ldb_module_ops ldb_aclread_module_ops = {
307 .search = aclread_search,
308 .init_context = aclread_init
311 int ldb_aclread_module_init(const char *version)
313 LDB_MODULE_CHECK_VERSION(version);
314 return ldb_register_module(&ldb_aclread_module_ops);