4 Copyright (C) Simo Sorce 2006-2008
5 Copyright (C) Nadezhda Ivanova 2010
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 * Component: ldb ACL Read module
26 * Description: Module that performs authorisation access checks on read requests
27 * Only DACL checks implemented at this point
29 * Author: Nadezhda Ivanova
33 #include "ldb_module.h"
34 #include "auth/auth.h"
35 #include "libcli/security/security.h"
36 #include "dsdb/samdb/samdb.h"
37 #include "librpc/gen_ndr/ndr_security.h"
38 #include "param/param.h"
39 #include "dsdb/samdb/ldb_modules/util.h"
42 struct aclread_context {
43 struct ldb_module *module;
44 struct ldb_request *req;
45 const char * const *attrs;
46 const struct dsdb_schema *schema;
48 bool added_nTSecurityDescriptor;
49 bool added_instanceType;
51 bool added_objectClass;
55 struct aclread_private {
59 static void aclread_mark_inaccesslible(struct ldb_message_element *el) {
60 el->flags |= LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE;
63 static bool aclread_is_inaccessible(struct ldb_message_element *el) {
64 return el->flags & LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE;
67 static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
69 struct ldb_context *ldb;
70 struct aclread_context *ac;
71 struct ldb_message *ret_msg;
72 struct ldb_message *msg;
73 int ret, num_of_attrs = 0;
74 unsigned int i, k = 0;
75 struct security_descriptor *sd;
76 struct dom_sid *sid = NULL;
78 uint32_t instanceType;
79 const struct dsdb_class *objectclass;
81 ac = talloc_get_type(req->context, struct aclread_context);
82 ldb = ldb_module_get_ctx(ac->module);
84 return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR );
86 if (ares->error != LDB_SUCCESS) {
87 return ldb_module_done(ac->req, ares->controls,
88 ares->response, ares->error);
90 tmp_ctx = talloc_new(ac);
94 ret = dsdb_get_sd_from_ldb_message(ldb, tmp_ctx, msg, &sd);
95 if (ret != LDB_SUCCESS) {
96 ldb_debug_set(ldb, LDB_DEBUG_FATAL,
97 "acl_read: cannot get descriptor of %s: %s\n",
98 ldb_dn_get_linearized(msg->dn), ldb_strerror(ret));
99 ret = LDB_ERR_OPERATIONS_ERROR;
101 } else if (sd == NULL) {
102 ldb_debug_set(ldb, LDB_DEBUG_FATAL,
103 "acl_read: cannot get descriptor of %s (attribute not found)\n",
104 ldb_dn_get_linearized(msg->dn));
105 ret = LDB_ERR_OPERATIONS_ERROR;
109 * Get the most specific structural object class for the ACL check
111 objectclass = dsdb_get_structural_oc_from_msg(ac->schema, msg);
112 if (objectclass == NULL) {
113 ldb_asprintf_errstring(ldb, "acl_read: Failed to find a structural class for %s",
114 ldb_dn_get_linearized(msg->dn));
115 ret = LDB_ERR_OPERATIONS_ERROR;
119 sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
120 /* get the object instance type */
121 instanceType = ldb_msg_find_attr_as_uint(msg,
123 if (!ldb_dn_is_null(msg->dn) && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
125 /* the object has a parent, so we have to check for visibility */
126 struct ldb_dn *parent_dn = ldb_dn_get_parent(tmp_ctx, msg->dn);
128 ret = dsdb_module_check_access_on_dn(ac->module,
132 &objectclass->schemaIDGUID,
134 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
135 talloc_free(tmp_ctx);
137 } else if (ret != LDB_SUCCESS) {
138 ldb_debug_set(ldb, LDB_DEBUG_FATAL,
139 "acl_read: %s check parent %s - %s\n",
140 ldb_dn_get_linearized(msg->dn),
147 /* for every element in the message check RP */
148 for (i=0; i < msg->num_elements; i++) {
149 const struct dsdb_attribute *attr;
150 bool is_sd, is_objectsid, is_instancetype, is_objectclass;
151 uint32_t access_mask;
152 attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
153 msg->elements[i].name);
155 ldb_debug_set(ldb, LDB_DEBUG_FATAL,
156 "acl_read: %s cannot find attr[%s] in of schema\n",
157 ldb_dn_get_linearized(msg->dn),
158 msg->elements[i].name);
159 ret = LDB_ERR_OPERATIONS_ERROR;
162 is_sd = ldb_attr_cmp("nTSecurityDescriptor",
163 msg->elements[i].name) == 0;
164 is_objectsid = ldb_attr_cmp("objectSid",
165 msg->elements[i].name) == 0;
166 is_instancetype = ldb_attr_cmp("instanceType",
167 msg->elements[i].name) == 0;
168 is_objectclass = ldb_attr_cmp("objectClass",
169 msg->elements[i].name) == 0;
170 /* these attributes were added to perform access checks and must be removed */
171 if (is_objectsid && ac->added_objectSid) {
172 aclread_mark_inaccesslible(&msg->elements[i]);
175 if (is_instancetype && ac->added_instanceType) {
176 aclread_mark_inaccesslible(&msg->elements[i]);
179 if (is_objectclass && ac->added_objectClass) {
180 aclread_mark_inaccesslible(&msg->elements[i]);
183 if (is_sd && ac->added_nTSecurityDescriptor) {
184 aclread_mark_inaccesslible(&msg->elements[i]);
187 /* nTSecurityDescriptor is a special case */
191 if (ac->sd_flags & (SECINFO_OWNER|SECINFO_GROUP)) {
192 access_mask |= SEC_STD_READ_CONTROL;
194 if (ac->sd_flags & SECINFO_DACL) {
195 access_mask |= SEC_STD_READ_CONTROL;
197 if (ac->sd_flags & SECINFO_SACL) {
198 access_mask |= SEC_FLAG_SYSTEM_SECURITY;
201 access_mask = SEC_ADS_READ_PROP;
204 if (attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL) {
205 access_mask |= SEC_ADS_CONTROL_ACCESS;
208 if (access_mask == 0) {
209 aclread_mark_inaccesslible(&msg->elements[i]);
213 ret = acl_check_access_on_attribute(ac->module,
222 * Dirsync control needs the replpropertymetadata attribute
223 * so return it as it will be removed by the control
226 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
227 if (!ac->indirsync) {
229 * do not return this entry if attribute is
230 * part of the search filter
232 if (dsdb_attr_in_parse_tree(ac->req->op.search.tree,
233 msg->elements[i].name)) {
234 talloc_free(tmp_ctx);
237 aclread_mark_inaccesslible(&msg->elements[i]);
240 * We are doing dirysnc answers
241 * and the object shouldn't be returned (normally)
242 * but we will return it without replPropertyMetaData
243 * so that the dirysync module will do what is needed
244 * (remove the object if it is not deleted, or return
245 * just the objectGUID if it's deleted).
247 if (dsdb_attr_in_parse_tree(ac->req->op.search.tree,
248 msg->elements[i].name)) {
249 ldb_msg_remove_attr(msg, "replPropertyMetaData");
252 aclread_mark_inaccesslible(&msg->elements[i]);
255 } else if (ret != LDB_SUCCESS) {
256 ldb_debug_set(ldb, LDB_DEBUG_FATAL,
257 "acl_read: %s check attr[%s] gives %s - %s\n",
258 ldb_dn_get_linearized(msg->dn),
259 msg->elements[i].name,
265 for (i=0; i < msg->num_elements; i++) {
266 if (!aclread_is_inaccessible(&msg->elements[i])) {
270 /*create a new message to return*/
271 ret_msg = ldb_msg_new(ac->req);
272 ret_msg->dn = msg->dn;
273 talloc_steal(ret_msg, msg->dn);
274 ret_msg->num_elements = num_of_attrs;
275 if (num_of_attrs > 0) {
276 ret_msg->elements = talloc_array(ret_msg,
277 struct ldb_message_element,
279 if (ret_msg->elements == NULL) {
282 for (i=0; i < msg->num_elements; i++) {
283 bool to_remove = aclread_is_inaccessible(&msg->elements[i]);
285 ret_msg->elements[k] = msg->elements[i];
286 talloc_steal(ret_msg->elements, msg->elements[i].name);
287 talloc_steal(ret_msg->elements, msg->elements[i].values);
292 * This should not be needed, but some modules
293 * may allocate values on the wrong context...
295 talloc_steal(ret_msg->elements, msg);
297 ret_msg->elements = NULL;
299 talloc_free(tmp_ctx);
301 return ldb_module_send_entry(ac->req, ret_msg, ares->controls);
302 case LDB_REPLY_REFERRAL:
303 return ldb_module_send_referral(ac->req, ares->referral);
305 return ldb_module_done(ac->req, ares->controls,
306 ares->response, LDB_SUCCESS);
311 talloc_free(tmp_ctx);
312 return ldb_module_done(ac->req, NULL, NULL, ret);
316 static int aclread_search(struct ldb_module *module, struct ldb_request *req)
318 struct ldb_context *ldb;
320 struct aclread_context *ac;
321 struct ldb_request *down_req;
322 struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
323 uint32_t flags = ldb_req_get_custom_flags(req);
324 struct ldb_result *res;
325 struct aclread_private *p;
326 bool need_sd = false;
327 bool explicit_sd_flags = false;
328 bool is_untrusted = ldb_req_is_untrusted(req);
329 static const char * const _all_attrs[] = { "*", NULL };
330 bool all_attrs = false;
331 const char * const *attrs = NULL;
332 uint32_t instanceType;
333 static const char *acl_attrs[] = {
338 ldb = ldb_module_get_ctx(module);
339 p = talloc_get_type(ldb_module_get_private(module), struct aclread_private);
341 /* skip access checks if we are system or system control is supplied
342 * or this is not LDAP server request */
343 if (!p || !p->enabled ||
344 dsdb_module_am_system(module)
345 || as_system || !is_untrusted) {
346 return ldb_next_request(module, req);
348 /* no checks on special dn */
349 if (ldb_dn_is_special(req->op.search.base)) {
350 return ldb_next_request(module, req);
353 /* check accessibility of base */
354 if (!ldb_dn_is_null(req->op.search.base)) {
355 ret = dsdb_module_search_dn(module, req, &res, req->op.search.base,
357 DSDB_FLAG_NEXT_MODULE |
358 DSDB_FLAG_AS_SYSTEM |
359 DSDB_SEARCH_SHOW_RECYCLED,
361 if (ret != LDB_SUCCESS) {
362 return ldb_error(ldb, ret,
363 "acl_read: Error retrieving instanceType for base.");
365 instanceType = ldb_msg_find_attr_as_uint(res->msgs[0],
367 if (instanceType != 0 && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
369 /* the object has a parent, so we have to check for visibility */
370 struct ldb_dn *parent_dn = ldb_dn_get_parent(req, req->op.search.base);
371 ret = dsdb_module_check_access_on_dn(module,
376 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
377 return ldb_module_done(req, NULL, NULL, LDB_ERR_NO_SUCH_OBJECT);
378 } else if (ret != LDB_SUCCESS) {
379 return ldb_module_done(req, NULL, NULL, ret);
383 ac = talloc_zero(req, struct aclread_context);
389 ac->schema = dsdb_get_schema(ldb, req);
390 if (flags & DSDB_ACL_CHECKS_DIRSYNC_FLAG) {
391 ac->indirsync = true;
393 ac->indirsync = false;
396 return ldb_operr(ldb);
399 attrs = req->op.search.attrs;
403 } else if (attrs[0] == NULL) {
406 } else if (ldb_attr_in_list(attrs, "*")) {
411 * In theory we should also check for the SD control but control verification is
412 * expensive so we'd better had the ntsecuritydescriptor to the list of
413 * searched attribute and then remove it !
415 ac->sd_flags = dsdb_request_sd_flags(ac->req, &explicit_sd_flags);
417 if (ldb_attr_in_list(attrs, "nTSecurityDescriptor")) {
419 } else if (explicit_sd_flags && all_attrs) {
426 if (!ldb_attr_in_list(attrs, "instanceType")) {
427 attrs = ldb_attr_list_copy_add(ac, attrs, "instanceType");
431 ac->added_instanceType = true;
433 if (!ldb_attr_in_list(req->op.search.attrs, "objectSid")) {
434 attrs = ldb_attr_list_copy_add(ac, attrs, "objectSid");
438 ac->added_objectSid = true;
440 if (!ldb_attr_in_list(req->op.search.attrs, "objectClass")) {
441 attrs = ldb_attr_list_copy_add(ac, attrs, "objectClass");
445 ac->added_objectClass = true;
450 attrs = ldb_attr_list_copy_add(ac, attrs, "nTSecurityDescriptor");
454 ac->added_nTSecurityDescriptor = true;
457 ac->attrs = req->op.search.attrs;
458 ret = ldb_build_search_req_ex(&down_req,
461 req->op.search.scope,
465 ac, aclread_callback,
468 if (ret != LDB_SUCCESS) {
469 return LDB_ERR_OPERATIONS_ERROR;
472 return ldb_next_request(module, down_req);
475 static int aclread_init(struct ldb_module *module)
477 struct ldb_context *ldb = ldb_module_get_ctx(module);
478 struct aclread_private *p = talloc_zero(module, struct aclread_private);
480 return ldb_module_oom(module);
482 p->enabled = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"), NULL, "acl", "search", true);
483 ldb_module_set_private(module, p);
484 return ldb_next_init(module);
487 static const struct ldb_module_ops ldb_aclread_module_ops = {
489 .search = aclread_search,
490 .init_context = aclread_init
493 int ldb_aclread_module_init(const char *version)
495 LDB_MODULE_CHECK_VERSION(version);
496 return ldb_register_module(&ldb_aclread_module_ops);