diff options
author | Gerald Carter <jerry@samba.org> | 2005-06-14 18:08:39 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 10:57:14 -0500 |
commit | 023ac1031b0057ee752cf2d3a8de3d6e0d4b1802 (patch) | |
tree | e97aeaa7ada1fa760a7a4b3eb994ee2a9d538a6d | |
parent | 2265f5c9d7a829a835d6b58be2abe0604ee0b367 (diff) | |
download | samba-023ac1031b0057ee752cf2d3a8de3d6e0d4b1802.tar.gz samba-023ac1031b0057ee752cf2d3a8de3d6e0d4b1802.tar.bz2 samba-023ac1031b0057ee752cf2d3a8de3d6e0d4b1802.zip |
r7576: implement access checks for open_scm and open_service
according to default security descriptor described in MSDN.
no one can get in to due to the permissions, but i'll fix
that next.
(This used to be commit 11902e503ed4f6d6991a9fe7521fe44168274ec8)
-rw-r--r-- | source3/include/rpc_secdes.h | 34 | ||||
-rw-r--r-- | source3/rpc_server/srv_svcctl_nt.c | 126 |
2 files changed, 139 insertions, 21 deletions
diff --git a/source3/include/rpc_secdes.h b/source3/include/rpc_secdes.h index 9eb4c9a41e..fe95706d03 100644 --- a/source3/include/rpc_secdes.h +++ b/source3/include/rpc_secdes.h @@ -475,15 +475,20 @@ typedef struct standard_mapping { #define SC_RIGHT_MGR_QUERY_LOCK_STATUS 0x0010 #define SC_RIGHT_MGR_MODIFY_BOOT_CONFIG 0x0020 +#define SC_MANAGER_READ_ACCESS \ + ( STANDARD_RIGHTS_READ_ACCESS | \ + SC_RIGHT_MGR_CONNECT | \ + SC_RIGHT_MGR_ENUMERATE_SERVICE | \ + SC_RIGHT_MGR_QUERY_LOCK_STATUS ) + #define SC_MANAGER_ALL_ACCESS \ ( STANDARD_RIGHTS_REQUIRED_ACCESS | \ - SC_RIGHT_MGR_CONNECT | \ + SC_MANAGER_READ_ACCESS | \ SC_RIGHT_MGR_CREATE_SERVICE | \ - SC_RIGHT_MGR_ENUMERATE_SERVICE | \ SC_RIGHT_MGR_LOCK | \ - SC_RIGHT_MGR_QUERY_LOCK_STATUS | \ SC_RIGHT_MGR_MODIFY_BOOT_CONFIG ) + /* Service Object Bits */ #define SC_RIGHT_SVC_QUERY_CONFIG 0x0001 @@ -496,17 +501,26 @@ typedef struct standard_mapping { #define SC_RIGHT_SVC_INTERROGATE 0x0080 #define SC_RIGHT_SVC_USER_DEFINED_CONTROL 0x0100 -#define SERVICE_ALL_ACCESS \ - ( STANDARD_RIGHTS_REQUIRED_ACCESS | \ +#define SERVICE_READ_ACCESS \ + ( STANDARD_RIGHTS_READ_ACCESS | \ + SC_RIGHT_SVC_ENUMERATE_DEPENDENTS | \ + SC_RIGHT_SVC_INTERROGATE | \ SC_RIGHT_SVC_QUERY_CONFIG | \ - SC_RIGHT_SVC_CHANGE_CONFIG | \ SC_RIGHT_SVC_QUERY_STATUS | \ - SC_RIGHT_SVC_ENUMERATE_DEPENDENTS | \ + SC_RIGHT_SVC_USER_DEFINED_CONTROL ) + +#define SERVICE_EXECUTE_ACCESS \ + ( SERVICE_READ_ACCESS | \ SC_RIGHT_SVC_START | \ SC_RIGHT_SVC_STOP | \ - SC_RIGHT_SVC_PAUSE_CONTINUE | \ - SC_RIGHT_SVC_INTERROGATE | \ - SC_RIGHT_SVC_USER_DEFINED_CONTROL ) + SC_RIGHT_SVC_PAUSE_CONTINUE ) + +#define SERVICE_ALL_ACCESS \ + ( STANDARD_RIGHTS_REQUIRED_ACCESS | \ + SERVICE_READ_ACCESS | \ + SERVICE_EXECUTE_ACCESS ) + + /* * Access Bits for registry ACLS diff --git a/source3/rpc_server/srv_svcctl_nt.c b/source3/rpc_server/srv_svcctl_nt.c index 707fd8bdd5..53fddcf964 100644 --- a/source3/rpc_server/srv_svcctl_nt.c +++ b/source3/rpc_server/srv_svcctl_nt.c @@ -443,6 +443,91 @@ BOOL init_svcctl_db(void) /******************************************************************** ********************************************************************/ +static NTSTATUS svcctl_access_check( SEC_DESC *sec_desc, NT_USER_TOKEN *token, + uint32 access_desired, uint32 *access_granted ) +{ + NTSTATUS result; + + /* maybe add privilege checks in here later */ + + se_access_check( sec_desc, token, access_desired, access_granted, &result ); + + return result; +} + +/******************************************************************** +********************************************************************/ + +static SEC_DESC* construct_scm_sd( TALLOC_CTX *ctx ) +{ + SEC_ACE ace[2]; + SEC_ACCESS mask; + size_t i = 0; + SEC_DESC *sd; + SEC_ACL *acl; + uint32 sd_size; + + /* basic access for Everyone */ + + init_sec_access(&mask, SC_MANAGER_READ_ACCESS ); + init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + /* Full Access 'BUILTIN\Administrators' */ + + init_sec_access(&mask,SC_MANAGER_ALL_ACCESS ); + init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + + /* create the security descriptor */ + + if ( !(acl = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) ) + return NULL; + + if ( !(sd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, acl, &sd_size)) ) + return NULL; + + return sd; +} + +/******************************************************************** +********************************************************************/ + +static SEC_DESC* construct_service_sd( TALLOC_CTX *ctx ) +{ + SEC_ACE ace[4]; + SEC_ACCESS mask; + size_t i = 0; + SEC_DESC *sd; + SEC_ACL *acl; + uint32 sd_size; + + /* basic access for Everyone */ + + init_sec_access(&mask, SERVICE_READ_ACCESS ); + init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + init_sec_access(&mask,SERVICE_EXECUTE_ACCESS ); + init_sec_ace(&ace[i++], &global_sid_Builtin_Power_Users, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + init_sec_access(&mask,SERVICE_ALL_ACCESS ); + init_sec_ace(&ace[i++], &global_sid_Builtin_Server_Operators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + /* create the security descriptor */ + + if ( !(acl = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) ) + return NULL; + + if ( !(sd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, acl, &sd_size)) ) + return NULL; + + return sd; +} + + +/******************************************************************** +********************************************************************/ + static BOOL read_service_tdb_to_si(TDB_CONTEXT *stdb,char *service_name, Service_info *si) { @@ -546,12 +631,15 @@ static SERVICE_INFO *find_service_info_by_hnd(pipes_struct *p, POLICY_HND *hnd) /****************************************************************** *****************************************************************/ -WERROR create_open_service_handle( pipes_struct *p, POLICY_HND *handle, const char *service ) +static WERROR create_open_service_handle( pipes_struct *p, POLICY_HND *handle, + const char *service, uint32 access_granted ) { SERVICE_INFO *info = NULL; if ( !(info = SMB_MALLOC_P( SERVICE_INFO )) ) return WERR_NOMEM; + + ZERO_STRUCTP( info ); /* the Service Manager has a NULL name */ @@ -574,6 +662,8 @@ WERROR create_open_service_handle( pipes_struct *p, POLICY_HND *handle, const ch #endif } + info->access_granted = access_granted; + /* store the SERVICE_INFO and create an open handle */ if ( !create_policy_hnd( p, handle, free_service_handle_info, info ) ) { @@ -589,13 +679,20 @@ WERROR create_open_service_handle( pipes_struct *p, POLICY_HND *handle, const ch WERROR _svcctl_open_scmanager(pipes_struct *p, SVCCTL_Q_OPEN_SCMANAGER *q_u, SVCCTL_R_OPEN_SCMANAGER *r_u) { - /* perform access checks */ + SEC_DESC *sec_desc; + uint32 access_granted = 0; + NTSTATUS status; - - /* open the handle and return */ + /* perform access checks */ - return create_open_service_handle( p, &r_u->handle, NULL ); - + if ( !(sec_desc = construct_scm_sd( p->mem_ctx )) ) + return WERR_NOMEM; + + status = svcctl_access_check( sec_desc, p->pipe_user.nt_user_token, q_u->access, &access_granted ); + if ( !NT_STATUS_IS_OK(status) ) + return ntstatus_to_werror( status ); + + return create_open_service_handle( p, &r_u->handle, NULL, access_granted ); } /******************************************************************** @@ -603,6 +700,9 @@ WERROR _svcctl_open_scmanager(pipes_struct *p, SVCCTL_Q_OPEN_SCMANAGER *q_u, SVC WERROR _svcctl_open_service(pipes_struct *p, SVCCTL_Q_OPEN_SERVICE *q_u, SVCCTL_R_OPEN_SERVICE *r_u) { + SEC_DESC *sec_desc; + uint32 access_granted = 0; + NTSTATUS status; pstring service; rpcstr_pull(service, q_u->servicename.buffer, sizeof(service), q_u->servicename.uni_str_len*2, 0); @@ -614,17 +714,21 @@ WERROR _svcctl_open_service(pipes_struct *p, SVCCTL_Q_OPEN_SERVICE *q_u, SVCCTL_ return WERR_ACCESS_DENIED; } - /* check the access granted on the SCM handle */ - - /* check the access requested on this service */ + /* perform access checks */ - + if ( !(sec_desc = construct_service_sd( p->mem_ctx )) ) + return WERR_NOMEM; + + status = svcctl_access_check( sec_desc, p->pipe_user.nt_user_token, q_u->access, &access_granted ); + if ( !NT_STATUS_IS_OK(status) ) + return ntstatus_to_werror( status ); + #if 0 /* FIXME!!! */ if ( ! read_service_tdb_to_si(service_tdb,service, info) ) { return WERR_NO_SUCH_SERVICE; #endif - return create_open_service_handle( p, &r_u->handle, service ); + return create_open_service_handle( p, &r_u->handle, service, access_granted ); } /******************************************************************** |