struct ldb_request *req;
const char * const *attrs;
const struct dsdb_schema *schema;
- bool sd;
- bool instance_type;
- bool object_sid;
+ uint32_t sd_flags;
+ bool added_nTSecurityDescriptor;
+ bool added_instanceType;
+ bool added_objectSid;
+ bool added_objectClass;
+ bool indirsync;
};
struct aclread_private {
bool enabled;
};
+static void aclread_mark_inaccesslible(struct ldb_message_element *el) {
+ el->flags |= LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE;
+}
+
+static bool aclread_is_inaccessible(struct ldb_message_element *el) {
+ return el->flags & LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE;
+}
+
static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
{
- struct ldb_context *ldb;
- struct aclread_context *ac;
- struct ldb_result *acl_res;
- struct ldb_message_element *parent;
- static const char *acl_attrs[] = {
- "nTSecurityDescriptor",
- "objectSid",
- "insyanceType",
- NULL
- };
- int ret;
- unsigned int i;
- struct security_descriptor *sd;
- struct dom_sid *sid = NULL;
- TALLOC_CTX *tmp_ctx;
- uint32_t instanceType;
-
- ac = talloc_get_type(req->context, struct aclread_context);
- ldb = ldb_module_get_ctx(ac->module);
- if (!ares) {
- return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR );
- }
- if (ares->error != LDB_SUCCESS) {
- return ldb_module_done(ac->req, ares->controls,
- ares->response, ares->error);
- }
- tmp_ctx = talloc_new(ac);
- switch (ares->type) {
- case LDB_REPLY_ENTRY:
- ret = dsdb_get_sd_from_ldb_message(ldb, tmp_ctx, ares->message, &sd);
- if (ret != LDB_SUCCESS) {
- DEBUG(10, ("acl_read: cannot get descriptor\n"));
- ret = LDB_ERR_OPERATIONS_ERROR;
- goto fail;
- }
- sid = samdb_result_dom_sid(tmp_ctx, ares->message, "objectSid");
- /* get the object instance type */
- instanceType = ldb_msg_find_attr_as_uint(ares->message,
+ struct ldb_context *ldb;
+ struct aclread_context *ac;
+ struct ldb_message *ret_msg;
+ struct ldb_message *msg;
+ int ret, num_of_attrs = 0;
+ unsigned int i, k = 0;
+ struct security_descriptor *sd;
+ struct dom_sid *sid = NULL;
+ TALLOC_CTX *tmp_ctx;
+ uint32_t instanceType;
+ const struct dsdb_class *objectclass;
+
+ ac = talloc_get_type(req->context, struct aclread_context);
+ ldb = ldb_module_get_ctx(ac->module);
+ if (!ares) {
+ return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR );
+ }
+ if (ares->error != LDB_SUCCESS) {
+ return ldb_module_done(ac->req, ares->controls,
+ ares->response, ares->error);
+ }
+ tmp_ctx = talloc_new(ac);
+ switch (ares->type) {
+ case LDB_REPLY_ENTRY:
+ msg = ares->message;
+ ret = dsdb_get_sd_from_ldb_message(ldb, tmp_ctx, msg, &sd);
+ if (ret != LDB_SUCCESS || sd == NULL ) {
+ ldb_debug_set(ldb, LDB_DEBUG_FATAL,
+ "acl_read: cannot get descriptor of %s\n",
+ ldb_dn_get_linearized(msg->dn));
+ ret = LDB_ERR_OPERATIONS_ERROR;
+ goto fail;
+ }
+ /*
+ * Get the most specific structural object class for the ACL check
+ */
+ objectclass = dsdb_get_structural_oc_from_msg(ac->schema, msg);
+ if (objectclass == NULL) {
+ ldb_asprintf_errstring(ldb, "acl_read: Failed to find a structural class for %s",
+ ldb_dn_get_linearized(msg->dn));
+ ret = LDB_ERR_OPERATIONS_ERROR;
+ goto fail;
+ }
+
+ sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
+ /* get the object instance type */
+ instanceType = ldb_msg_find_attr_as_uint(msg,
"instanceType", 0);
- if (!ldb_dn_is_null(ares->message->dn) && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
- {
+ if (!ldb_dn_is_null(msg->dn) && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
+ {
/* the object has a parent, so we have to check for visibility */
- struct ldb_dn *parent_dn = ldb_dn_get_parent(tmp_ctx, ares->message->dn);
+ struct ldb_dn *parent_dn = ldb_dn_get_parent(tmp_ctx, msg->dn);
+
ret = dsdb_module_check_access_on_dn(ac->module,
tmp_ctx,
parent_dn,
SEC_ADS_LIST,
- NULL);
+ &objectclass->schemaIDGUID,
+ req);
if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
talloc_free(tmp_ctx);
return LDB_SUCCESS;
} else if (ret != LDB_SUCCESS) {
+ ldb_debug_set(ldb, LDB_DEBUG_FATAL,
+ "acl_read: %s check parent %s - %s\n",
+ ldb_dn_get_linearized(msg->dn),
+ ldb_strerror(ret),
+ ldb_errstring(ldb));
+ goto fail;
+ }
+ }
+
+ /* for every element in the message check RP */
+ for (i=0; i < msg->num_elements; i++) {
+ const struct dsdb_attribute *attr;
+ bool is_sd, is_objectsid, is_instancetype, is_objectclass;
+ uint32_t access_mask;
+ attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
+ msg->elements[i].name);
+ if (!attr) {
+ ldb_debug_set(ldb, LDB_DEBUG_FATAL,
+ "acl_read: %s cannot find attr[%s] in of schema\n",
+ ldb_dn_get_linearized(msg->dn),
+ msg->elements[i].name);
+ ret = LDB_ERR_OPERATIONS_ERROR;
+ goto fail;
+ }
+ is_sd = ldb_attr_cmp("nTSecurityDescriptor",
+ msg->elements[i].name) == 0;
+ is_objectsid = ldb_attr_cmp("objectSid",
+ msg->elements[i].name) == 0;
+ is_instancetype = ldb_attr_cmp("instanceType",
+ msg->elements[i].name) == 0;
+ is_objectclass = ldb_attr_cmp("objectClass",
+ msg->elements[i].name) == 0;
+ /* these attributes were added to perform access checks and must be removed */
+ if (is_objectsid && ac->added_objectSid) {
+ aclread_mark_inaccesslible(&msg->elements[i]);
+ continue;
+ }
+ if (is_instancetype && ac->added_instanceType) {
+ aclread_mark_inaccesslible(&msg->elements[i]);
+ continue;
+ }
+ if (is_objectclass && ac->added_objectClass) {
+ aclread_mark_inaccesslible(&msg->elements[i]);
+ continue;
+ }
+ if (is_sd && ac->added_nTSecurityDescriptor) {
+ aclread_mark_inaccesslible(&msg->elements[i]);
+ continue;
+ }
+ /* nTSecurityDescriptor is a special case */
+ if (is_sd) {
+ access_mask = 0;
+
+ if (ac->sd_flags & (SECINFO_OWNER|SECINFO_GROUP)) {
+ access_mask |= SEC_STD_READ_CONTROL;
+ }
+ if (ac->sd_flags & SECINFO_DACL) {
+ access_mask |= SEC_STD_READ_CONTROL;
+ }
+ if (ac->sd_flags & SECINFO_SACL) {
+ access_mask |= SEC_FLAG_SYSTEM_SECURITY;
+ }
+ } else {
+ access_mask = SEC_ADS_READ_PROP;
+ }
+
+ if (attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL) {
+ access_mask |= SEC_ADS_CONTROL_ACCESS;
+ }
+
+ if (access_mask == 0) {
+ aclread_mark_inaccesslible(&msg->elements[i]);
+ continue;
+ }
+
+ ret = acl_check_access_on_attribute(ac->module,
+ tmp_ctx,
+ sd,
+ sid,
+ access_mask,
+ attr,
+ objectclass);
+
+ /*
+ * Dirsync control needs the replpropertymetadata attribute
+ * so return it as it will be removed by the control
+ * in anycase.
+ */
+ if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
+ if (!ac->indirsync) {
+ /*
+ * do not return this entry if attribute is
+ * part of the search filter
+ */
+ if (dsdb_attr_in_parse_tree(ac->req->op.search.tree,
+ msg->elements[i].name)) {
+ talloc_free(tmp_ctx);
+ return LDB_SUCCESS;
+ }
+ aclread_mark_inaccesslible(&msg->elements[i]);
+ } else {
+ /*
+ * We are doing dirysnc answers
+ * and the object shouldn't be returned (normally)
+ * but we will return it without replPropertyMetaData
+ * so that the dirysync module will do what is needed
+ * (remove the object if it is not deleted, or return
+ * just the objectGUID if it's deleted).
+ */
+ if (dsdb_attr_in_parse_tree(ac->req->op.search.tree,
+ msg->elements[i].name)) {
+ ldb_msg_remove_attr(msg, "replPropertyMetaData");
+ break;
+ } else {
+ aclread_mark_inaccesslible(&msg->elements[i]);
+ }
+ }
+ } else if (ret != LDB_SUCCESS) {
+ ldb_debug_set(ldb, LDB_DEBUG_FATAL,
+ "acl_read: %s check attr[%s] gives %s - %s\n",
+ ldb_dn_get_linearized(msg->dn),
+ msg->elements[i].name,
+ ldb_strerror(ret),
+ ldb_errstring(ldb));
goto fail;
}
- }
- /* for every element in the message check RP */
- i = 0;
- while (i < ares->message->num_elements) {
- const struct dsdb_attribute *attr;
- attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
- ares->message->elements[i].name);
- if (!attr) {
- DEBUG(2, ("acl_read: cannot find attribute %s in schema\n",
- ares->message->elements[i].name));
- ret = LDB_ERR_OPERATIONS_ERROR;
- goto fail;
- }
- /* nTSecurityDescriptor is a special case */
- if (ldb_attr_cmp("nTSecurityDescriptor",
- ares->message->elements[i].name) == 0) {
- if (ac->sd) {
- ldb_msg_remove_attr(ares->message, ares->message->elements[i].name);
- ret = LDB_SUCCESS;
- }
- ret = acl_check_access_on_attribute(ac->module,
- tmp_ctx,
- sd,
- sid,
- SEC_FLAG_SYSTEM_SECURITY|SEC_STD_READ_CONTROL,
- attr);
- } else {
- ret = acl_check_access_on_attribute(ac->module,
- tmp_ctx,
- sd,
- sid,
- SEC_ADS_READ_PROP,
- attr);
- }
- if (ret == LDB_SUCCESS) {
- i++;
- } else if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
- /* do not return this entry if attribute is
- part of the search filter */
- if (dsdb_attr_in_parse_tree(ac->req->op.search.tree,
- ares->message->elements[i].name)) {
- talloc_free(tmp_ctx);
- return LDB_SUCCESS;
- }
- ldb_msg_remove_attr(ares->message, ares->message->elements[i].name);
- } else {
- goto fail;
- }
- }
- if (ac->instance_type) {
- ldb_msg_remove_attr(ares->message, "instanceType");
- }
- if (ac->object_sid) {
- ldb_msg_remove_attr(ares->message, "objectSid");
- }
- talloc_free(tmp_ctx);
- return ldb_module_send_entry(ac->req, ares->message, ares->controls);
- case LDB_REPLY_REFERRAL:
- return ldb_module_send_referral(ac->req, ares->referral);
- case LDB_REPLY_DONE:
- return ldb_module_done(ac->req, ares->controls,
+ }
+ for (i=0; i < msg->num_elements; i++) {
+ if (!aclread_is_inaccessible(&msg->elements[i])) {
+ num_of_attrs++;
+ }
+ }
+ /*create a new message to return*/
+ ret_msg = ldb_msg_new(ac->req);
+ ret_msg->dn = msg->dn;
+ talloc_steal(ret_msg, msg->dn);
+ ret_msg->num_elements = num_of_attrs;
+ if (num_of_attrs > 0) {
+ ret_msg->elements = talloc_array(ret_msg,
+ struct ldb_message_element,
+ num_of_attrs);
+ if (ret_msg->elements == NULL) {
+ return ldb_oom(ldb);
+ }
+ for (i=0; i < msg->num_elements; i++) {
+ bool to_remove = aclread_is_inaccessible(&msg->elements[i]);
+ if (!to_remove) {
+ ret_msg->elements[k] = msg->elements[i];
+ talloc_steal(ret_msg->elements, msg->elements[i].name);
+ talloc_steal(ret_msg->elements, msg->elements[i].values);
+ k++;
+ }
+ }
+ /*
+ * This should not be needed, but some modules
+ * may allocate values on the wrong context...
+ */
+ talloc_steal(ret_msg->elements, msg);
+ } else {
+ ret_msg->elements = NULL;
+ }
+ talloc_free(tmp_ctx);
+
+ return ldb_module_send_entry(ac->req, ret_msg, ares->controls);
+ case LDB_REPLY_REFERRAL:
+ return ldb_module_send_referral(ac->req, ares->referral);
+ case LDB_REPLY_DONE:
+ return ldb_module_done(ac->req, ares->controls,
ares->response, LDB_SUCCESS);
- }
- return LDB_SUCCESS;
+ }
+ return LDB_SUCCESS;
fail:
- talloc_free(tmp_ctx);
- return ldb_module_done(ac->req, NULL, NULL, ret);
+ talloc_free(tmp_ctx);
+ return ldb_module_done(ac->req, NULL, NULL, ret);
}
struct aclread_context *ac;
struct ldb_request *down_req;
struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
+ uint32_t flags = ldb_req_get_custom_flags(req);
struct ldb_result *res;
struct aclread_private *p;
+ bool need_sd = false;
+ bool explicit_sd_flags = false;
bool is_untrusted = ldb_req_is_untrusted(req);
+ static const char * const _all_attrs[] = { "*", NULL };
+ bool all_attrs = false;
const char * const *attrs = NULL;
uint32_t instanceType;
static const char *acl_attrs[] = {
- "instanceType",
- NULL
+ "instanceType",
+ NULL
};
ldb = ldb_module_get_ctx(module);
ret = dsdb_module_search_dn(module, req, &res, req->op.search.base,
acl_attrs,
DSDB_FLAG_NEXT_MODULE |
- DSDB_SEARCH_SHOW_DELETED);
+ DSDB_FLAG_AS_SYSTEM |
+ DSDB_SEARCH_SHOW_RECYCLED,
+ req);
if (ret != LDB_SUCCESS) {
return ldb_error(ldb, ret,
- "acl_read: Error retrieving instanceType for base.");
+ "acl_read: Error retrieving instanceType for base.");
}
instanceType = ldb_msg_find_attr_as_uint(res->msgs[0],
- "instanceType", 0);
+ "instanceType", 0);
if (instanceType != 0 && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
{
/* the object has a parent, so we have to check for visibility */
req,
parent_dn,
SEC_ADS_LIST,
- NULL);
+ NULL, req);
if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
return ldb_module_done(req, NULL, NULL, LDB_ERR_NO_SUCH_OBJECT);
} else if (ret != LDB_SUCCESS) {
ac->module = module;
ac->req = req;
ac->schema = dsdb_get_schema(ldb, req);
+ if (flags & DSDB_ACL_CHECKS_DIRSYNC_FLAG) {
+ ac->indirsync = true;
+ } else {
+ ac->indirsync = false;
+ }
if (!ac->schema) {
return ldb_operr(ldb);
}
- ac->sd = !(ldb_attr_in_list(req->op.search.attrs, "nTSecurityDescriptor"));
- if (req->op.search.attrs && !ldb_attr_in_list(req->op.search.attrs, "*")) {
- if (!ldb_attr_in_list(req->op.search.attrs, "instanceType")) {
- ac->instance_type = true;
- attrs = ldb_attr_list_copy_add(ac, req->op.search.attrs, "instanceType");
- } else {
- attrs = req->op.search.attrs;
+
+ attrs = req->op.search.attrs;
+ if (attrs == NULL) {
+ all_attrs = true;
+ attrs = _all_attrs;
+ } else if (attrs[0] == NULL) {
+ all_attrs = true;
+ attrs = _all_attrs;
+ } else if (ldb_attr_in_list(attrs, "*")) {
+ all_attrs = true;
+ }
+
+ /*
+ * In theory we should also check for the SD control but control verification is
+ * expensive so we'd better had the ntsecuritydescriptor to the list of
+ * searched attribute and then remove it !
+ */
+ ac->sd_flags = dsdb_request_sd_flags(ac->req, &explicit_sd_flags);
+
+ if (ldb_attr_in_list(attrs, "nTSecurityDescriptor")) {
+ need_sd = false;
+ } else if (explicit_sd_flags && all_attrs) {
+ need_sd = false;
+ } else {
+ need_sd = true;
+ }
+
+ if (!all_attrs) {
+ if (!ldb_attr_in_list(attrs, "instanceType")) {
+ attrs = ldb_attr_list_copy_add(ac, attrs, "instanceType");
+ if (attrs == NULL) {
+ return ldb_oom(ldb);
+ }
+ ac->added_instanceType = true;
}
if (!ldb_attr_in_list(req->op.search.attrs, "objectSid")) {
- ac->object_sid = true;
attrs = ldb_attr_list_copy_add(ac, attrs, "objectSid");
+ if (attrs == NULL) {
+ return ldb_oom(ldb);
+ }
+ ac->added_objectSid = true;
+ }
+ if (!ldb_attr_in_list(req->op.search.attrs, "objectClass")) {
+ attrs = ldb_attr_list_copy_add(ac, attrs, "objectClass");
+ if (attrs == NULL) {
+ return ldb_oom(ldb);
+ }
+ ac->added_objectClass = true;
}
}
- if (ac->sd) {
- /* avoid replacing all attributes with nTSecurityDescriptor
- * if attribute list is empty */
- if (!attrs) {
- attrs = ldb_attr_list_copy_add(ac, attrs, "*");
- }
+ if (need_sd) {
attrs = ldb_attr_list_copy_add(ac, attrs, "nTSecurityDescriptor");
+ if (attrs == NULL) {
+ return ldb_oom(ldb);
+ }
+ ac->added_nTSecurityDescriptor = true;
}
+
ac->attrs = req->op.search.attrs;
ret = ldb_build_search_req_ex(&down_req,
ldb, ac,
if (p == NULL) {
return ldb_module_oom(module);
}
- p->enabled = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"), NULL, "acl", "search", false);
+ p->enabled = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"), NULL, "acl", "search", true);
ldb_module_set_private(module, p);
return ldb_next_init(module);
}
git.samba.org / metze / samba / wip.git / blobdiff