authorGünther Deschner <gd@samba.org>2007-07-11 09:39:08 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:28:31 -0500
commit1c957f9559880712acd335c9df11191df0386df0 (patch)
tree88123438b0efe17bbbaf4f5b7afba6ed37765ff9
parente05f45baefb050248064f58474e5ddddb2761111 (diff)
r23826: Fix GPO security filtering by matching the security descriptor ACEs for the
extended apply-group-policy right. Guenther (This used to be commit d832014a6fef657f484412372b5d09047552b183)
-rw-r--r--source3/include/ads.h3
-rw-r--r--source3/include/rpc_secdes.h1
-rw-r--r--source3/libads/disp_sec.c2
-rw-r--r--source3/libgpo/gpo_sec.c67
4 files changed, 51 insertions, 22 deletions
diff --git a/source3/include/ads.h b/source3/include/ads.h
index cbab016d46..c01a1055b2 100644
--- a/source3/include/ads.h
+++ b/source3/include/ads.h
@@ -341,4 +341,7 @@ typedef struct {
int val;
int critical;
} ads_control;
+
+#define ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY "edacfd8f-ffb3-11d1-b41d-00a0c968f939"
+
#endif /* _INCLUDE_ADS_H_ */
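Review bot: The new ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY macro is a bare GUID literal with no comment saying what it identifies, so a reader of ads.h cannot tell it is the rightsGuid of the "Apply Group Policy" extended right that gpo_sec.c compares against the object type of object ACEs. I would put a one-line comment above the define: `/* rightsGuid of the "Apply Group Policy" extended right; object ACEs granting or denying this right carry it as their object type (see libgpo/gpo_sec.c) */`.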
diff --git a/source3/include/rpc_secdes.h b/source3/include/rpc_secdes.h
index 1c49e4242d..298d4e664e 100644
--- a/source3/include/rpc_secdes.h
+++ b/source3/include/rpc_secdes.h
@@ -37,7 +37,6 @@
#define SEC_RIGHTS_EXTENDED 0x100 /* change/reset password, receive/send as*/
#define SEC_RIGHTS_CHANGE_PASSWD SEC_RIGHTS_EXTENDED
#define SEC_RIGHTS_RESET_PASSWD SEC_RIGHTS_EXTENDED
-#define SEC_RIGHTS_APPLY_GROUP_POLICY SEC_RIGHTS_EXTENDED
#define SEC_RIGHTS_FULL_CTRL 0xf01ff
#define SEC_ACE_OBJECT_PRESENT 0x00000001 /* thanks for Jim McDonough <jmcd@us.ibm.com> */
diff --git a/source3/libads/disp_sec.c b/source3/libads/disp_sec.c
index 1f5eb4166a..516f204ed6 100644
--- a/source3/libads/disp_sec.c
+++ b/source3/libads/disp_sec.c
@@ -46,8 +46,6 @@ static struct perm_mask_str {
{SEC_RIGHTS_CHANGE_PASSWD, "[Change Password]"},
{SEC_RIGHTS_RESET_PASSWD, "[Reset Password]"},
- {SEC_RIGHTS_APPLY_GROUP_POLICY, "[Apply Group Policy]"},
-
{0, 0}
};
diff --git a/source3/libgpo/gpo_sec.c b/source3/libgpo/gpo_sec.c
index 5a4e29d270..abdcd17378 100644
--- a/source3/libgpo/gpo_sec.c
+++ b/source3/libgpo/gpo_sec.c
@@ -19,33 +19,60 @@
#include "includes.h"
- /* When modifiying security filtering with gpmc.msc (on w2k3) the
- * following ACE is created in the DACL:
+/****************************************************************
+****************************************************************/
-------- ACE (type: 0x05, flags: 0x02, size: 0x38, mask: 0x100, object flags: 0x1)
-access SID: $SID
-access type: ALLOWED OBJECT
-Permissions:
- [Apply Group Policy] (0x00000100)
+static BOOL gpo_sd_check_agp_object_guid(const struct security_ace_object *object)
+{
+ struct GUID ext_right_apg_guid;
+ NTSTATUS status;
+
+ if (!object) {
+ return False;
+ }
-------- ACE (type: 0x00, flags: 0x02, size: 0x24, mask: 0x20014)
-access SID: $SID
-access type: ALLOWED
-Permissions:
- [List Contents] (0x00000004)
- [Read All Properties] (0x00000010)
- [Read Permissions] (0x00020000)
+ status = GUID_from_string(ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY,
+ &ext_right_apg_guid);
+ if (!NT_STATUS_IS_OK(status)) {
+ return False;
+ }
- * by default all "Authenticated Users" (S-1-5-11) have an ALLOW
- * OBJECT ace with SEC_RIGHTS_APPLY_GROUP_POLICY mask */
+ switch (object->flags) {
+ case SEC_ACE_OBJECT_PRESENT:
+ if (GUID_equal(&object->type.type,
+ &ext_right_apg_guid)) {
+ return True;
+ }
+ case SEC_ACE_OBJECT_INHERITED_PRESENT:
+ if (GUID_equal(&object->inherited_type.inherited_type,
+ &ext_right_apg_guid)) {
+ return True;
+ }
+ default:
+ break;
+ }
+ return False;
+}
+
+/****************************************************************
+****************************************************************/
+
+static BOOL gpo_sd_check_agp_object(const SEC_ACE *ace)
+{
+ if (sec_ace_object(ace->type)) {
+ return gpo_sd_check_agp_object_guid(&ace->object.object);
+ }
+
+ return False;
+}
/****************************************************************
****************************************************************/
static BOOL gpo_sd_check_agp_access_bits(uint32 access_mask)
{
- return (access_mask & SEC_RIGHTS_APPLY_GROUP_POLICY);
+ return (access_mask & SEC_RIGHTS_EXTENDED);
}
#if 0
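Review bot: The `switch (object->flags)` in gpo_sd_check_agp_object_guid() matches only the exact values SEC_ACE_OBJECT_PRESENT and SEC_ACE_OBJECT_INHERITED_PRESENT; both are defined as bit flags, so if an object ACE can carry both at once it falls to `default` and is treated as not being an apply-group-policy ACE, and because the callers in the two later hunks of this file use the result on the deny path as well as the allow path, such a deny ACE would silently go unenforced. The first `case` also has no `break` and falls into the inherited check, which reads `inherited_type` for an ACE whose flags do not say that field is present; if the fall-through is intended it should at least be marked `/* fall through */`. Testing each flag bit separately, as below, covers the combined case and only reads a field when its flag is set. As a secondary point, GUID_from_string() re-parses the constant literal on every ACE; hoisting it would avoid that.
```c
static BOOL gpo_sd_check_agp_object_guid(const struct security_ace_object *object)
{
	/* … unchanged: NULL check and GUID_from_string() of the constant … */

	/* The two flags are independent bits: test each one rather than
	 * switching on the exact value, and only read a field when the
	 * corresponding flag says it is present. */
	if ((object->flags & SEC_ACE_OBJECT_PRESENT) &&
	    GUID_equal(&object->type.type, &ext_right_apg_guid)) {
		return True;
	}

	if ((object->flags & SEC_ACE_OBJECT_INHERITED_PRESENT) &&
	    GUID_equal(&object->inherited_type.inherited_type,
		       &ext_right_apg_guid)) {
		return True;
	}

	return False;
}
```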
@@ -93,7 +120,8 @@ static BOOL gpo_sd_check_trustee_in_sid_token(const DOM_SID *trustee,
static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace,
const struct GPO_SID_TOKEN *token)
{
- if (gpo_sd_check_agp_access_bits(ace->access_mask) &&
+ if (gpo_sd_check_agp_object(ace) &&
+ gpo_sd_check_agp_access_bits(ace->access_mask) &&
gpo_sd_check_trustee_in_sid_token(&ace->trustee, token)) {
DEBUG(10,("gpo_sd_check_ace_denied_object: Access denied as of ace for %s\n",
sid_string_static(&ace->trustee)));
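Review bot: In gpo_sd_check_ace_denied_object() the new conjunct order evaluates gpo_sd_check_agp_object() — which calls GUID_from_string() on the constant literal for every ACE — before the cheap gpo_sd_check_agp_access_bits() mask test; swapping the two, `if (gpo_sd_check_agp_access_bits(ace->access_mask) &&` followed by `    gpo_sd_check_agp_object(ace) &&`, rejects ACEs without the extended-rights bit before any GUID work and reads more naturally as "right bit, then right GUID, then trustee". The same ordering appears in gpo_sd_check_ace_allowed_object() in the next hunk. Both function bodies continue past the end of their hunks.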
@@ -109,7 +137,8 @@ static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace,
static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace,
const struct GPO_SID_TOKEN *token)
{
- if (gpo_sd_check_agp_access_bits(ace->access_mask) &&
+ if (gpo_sd_check_agp_object(ace) &&
+ gpo_sd_check_agp_access_bits(ace->access_mask) &&
gpo_sd_check_trustee_in_sid_token(&ace->trustee, token)) {
DEBUG(10,("gpo_sd_check_ace_allowed_object: Access granted as of ace for %s\n",
sid_string_static(&ace->trustee)));