diff options
author | Jelmer Vernooij <jelmer@samba.org> | 2008-10-11 03:12:21 +0200 |
---|---|---|
committer | Jelmer Vernooij <jelmer@samba.org> | 2008-10-11 03:12:21 +0200 |
commit | 0fd0fc75c46b39a611c7f9a56081105714d73e36 (patch) | |
tree | b93ef5e67e49a3aa49c37e13df3d6222b2df7095 /source3/libgpo | |
parent | 69d38a95c29498c0266cb98b911faa3e7240c787 (diff) | |
parent | 47f7ef8f39ba482a7d6578ab82c9e0670381c4f8 (diff) | |
download | samba-0fd0fc75c46b39a611c7f9a56081105714d73e36.tar.gz samba-0fd0fc75c46b39a611c7f9a56081105714d73e36.tar.bz2 samba-0fd0fc75c46b39a611c7f9a56081105714d73e36.zip |
Merge branch 'master' of ssh://git.samba.org/data/git/samba into selftest
Conflicts:
selftest/selftest.pl
Diffstat (limited to 'source3/libgpo')
-rw-r--r-- | source3/libgpo/gpext/scripts.c | 2 | ||||
-rw-r--r-- | source3/libgpo/gpext/security.c | 267 | ||||
-rw-r--r-- | source3/libgpo/gpo_reg.c | 14 |
3 files changed, 275 insertions, 8 deletions
diff --git a/source3/libgpo/gpext/scripts.c b/source3/libgpo/gpext/scripts.c index c07407c3f0..02c3abaa1e 100644 --- a/source3/libgpo/gpext/scripts.c +++ b/source3/libgpo/gpext/scripts.c @@ -93,7 +93,7 @@ static NTSTATUS generate_gp_registry_entry(TALLOC_CTX *mem_ctx, data->type = data_type; switch (data->type) { case REG_QWORD: - data->v.qword = (uint64_t)data_p; + data->v.qword = *(uint64_t *)data_p; break; case REG_SZ: data->v.sz.str = talloc_strdup(mem_ctx, (char *)data_p); diff --git a/source3/libgpo/gpext/security.c b/source3/libgpo/gpext/security.c new file mode 100644 index 0000000000..1d746da37f --- /dev/null +++ b/source3/libgpo/gpext/security.c @@ -0,0 +1,267 @@ +/* + * Unix SMB/CIFS implementation. + * Group Policy Support + * Copyright (C) Guenther Deschner 2005-2008 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ + +#include "includes.h" +#include "libgpo/gpo_ini.h" + +#define GP_EXT_NAME "security" + +#define GPTTMPL_UNIX_PATH "Microsoft/Windows NT/SecEdit/GptTmpl.inf" + +#define GPTTMPL_SECTION_UNICODE "Unicode" +#define GPTTMPL_SECTION_VERSION "Version" + +#define GPTTMPL_SECTION_REGISTRY_VALUES "Registry Values" +#define GPTTMPL_SECTION_SYSTEM_ACCESS "System Access" +#define GPTTMPL_SECTION_KERBEROS_POLICY "Kerberos Policy" +#define GPTTMPL_SECTION_EVENT_AUDIT "Event Audit" +#define GPTTMPL_SECTION_PRIVILEGE_RIGHTS "Privilege Rights" +#define GPTTMPL_SECTION_APPLICATION_LOG "Application Log" +#define GPTTMPL_SECTION_SECURITY_LOG "Security Log" +#define GPTTMPL_SECTION_SYSTEM_LOG "System Log" +#define GPTTMPL_SECTION_GROUP_MEMBERSHIP "Group Membership" +#define GPTTMPL_SECTION_FILE_SECURITY "File Security" +#define GPTTMPL_SECTION_SERVICE_GENERAL_SETTING "Service General Setting" + +static TALLOC_CTX *ctx = NULL; + +struct gpttmpl_table { + const char *section; + const char *parameter; + enum winreg_Type type; +}; + +/**************************************************************** + parse the Version section from gpttmpl file +****************************************************************/ + +#define GPTTMPL_PARAMETER_REVISION "Revision" +#define GPTTMPL_PARAMETER_SIGNATURE "signature" +#define GPTTMPL_VALUE_CHICAGO "$CHICAGO$" /* whatever this is good for... */ +#define GPTTMPL_PARAMETER_UNICODE "Unicode" + +static NTSTATUS gpttmpl_parse_header(dictionary *dict, + uint32_t *version_out) +{ + const char *signature = NULL; + uint32_t version; + + if (!dict) { + return NT_STATUS_INVALID_PARAMETER; + } + + if ((signature = iniparser_getstring(dict, GPTTMPL_SECTION_VERSION + ":"GPTTMPL_PARAMETER_SIGNATURE, NULL)) == NULL) { + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + if (!strequal(signature, GPTTMPL_VALUE_CHICAGO)) { + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + if ((version = iniparser_getint(dict, GPTTMPL_SECTION_VERSION + ":"GPTTMPL_PARAMETER_REVISION, Undefined)) == Undefined) { + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + if (version_out) { + *version_out = version; + } + + /* treat that as boolean */ + if ((!iniparser_getboolean(dict, GPTTMPL_SECTION_UNICODE + ":"GPTTMPL_PARAMETER_UNICODE, Undefined)) == Undefined) { + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + return NT_STATUS_OK; +} + +/**************************************************************** +****************************************************************/ + +static NTSTATUS gpttmpl_init_context(TALLOC_CTX *mem_ctx, + uint32_t flags, + const char *unix_path, + struct gp_inifile_context **ini_ctx) +{ + NTSTATUS status; + uint32_t version; + struct gp_inifile_context *tmp_ctx = NULL; + + status = gp_inifile_init_context(mem_ctx, flags, unix_path, + GPTTMPL_UNIX_PATH, &tmp_ctx); + NT_STATUS_NOT_OK_RETURN(status); + + status = gpttmpl_parse_header(tmp_ctx->dict, &version); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1,("gpttmpl_init_context: failed: %s\n", + nt_errstr(status))); + TALLOC_FREE(tmp_ctx); + return status; + } + + *ini_ctx = tmp_ctx; + + return NT_STATUS_OK; +} + +/**************************************************************** +****************************************************************/ + +static NTSTATUS gpttmpl_process(struct gp_inifile_context *ini_ctx, + struct registry_key *root_key, + uint32_t flags) +{ + return NT_STATUS_OK; +} + +/**************************************************************** +****************************************************************/ + +static NTSTATUS security_process_group_policy(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + uint32_t flags, + struct registry_key *root_key, + const struct nt_user_token *token, + struct GROUP_POLICY_OBJECT *gpo, + const char *extension_guid, + const char *snapin_guid) +{ + NTSTATUS status; + char *unix_path = NULL; + struct gp_inifile_context *ini_ctx = NULL; + + debug_gpext_header(0, "security_process_group_policy", flags, gpo, + extension_guid, snapin_guid); + + /* this handler processes the gpttmpl files and merge output to the + * registry */ + + status = gpo_get_unix_path(mem_ctx, gpo, &unix_path); + if (!NT_STATUS_IS_OK(status)) { + goto out; + } + + status = gpttmpl_init_context(mem_ctx, flags, unix_path, &ini_ctx); + if (!NT_STATUS_IS_OK(status)) { + goto out; + } + + status = gpttmpl_process(ini_ctx, root_key, flags); + if (!NT_STATUS_IS_OK(status)) { + goto out; + } + + out: + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0,("security_process_group_policy: %s\n", + nt_errstr(status))); + } + TALLOC_FREE(ini_ctx); + + return status; +} + +/**************************************************************** +****************************************************************/ + +static NTSTATUS security_get_reg_config(TALLOC_CTX *mem_ctx, + struct gp_extension_reg_info **reg_info) +{ + NTSTATUS status; + struct gp_extension_reg_info *info = NULL; + + struct gp_extension_reg_table table[] = { + /* FIXME: how can we store the "(Default)" value ??? */ + /* { "", REG_SZ, "Security" }, */ + { "ProcessGroupPolicy", REG_SZ, "security_process_group_policy" }, + { "NoUserPolicy", REG_DWORD, "1" }, + { "ExtensionDebugLevel", REG_DWORD, "1" }, + { NULL, REG_NONE, NULL } + }; + + info = TALLOC_ZERO_P(mem_ctx, struct gp_extension_reg_info); + NT_STATUS_HAVE_NO_MEMORY(info); + + status = gp_ext_info_add_entry(mem_ctx, GP_EXT_NAME, + GP_EXT_GUID_SECURITY, + table, info); + NT_STATUS_NOT_OK_RETURN(status); + + *reg_info = info; + + return NT_STATUS_OK; +} + + +/**************************************************************** +****************************************************************/ + +static NTSTATUS security_initialize(TALLOC_CTX *mem_ctx) +{ + return NT_STATUS_OK; +} + +/**************************************************************** +****************************************************************/ + +static NTSTATUS security_shutdown(void) +{ + NTSTATUS status; + + status = unregister_gp_extension(GP_EXT_NAME); + if (NT_STATUS_IS_OK(status)) { + return status; + } + + TALLOC_FREE(ctx); + + return NT_STATUS_OK; +} + +/**************************************************************** +****************************************************************/ + +static struct gp_extension_methods security_methods = { + .initialize = security_initialize, + .process_group_policy = security_process_group_policy, + .get_reg_config = security_get_reg_config, + .shutdown = security_shutdown +}; + +/**************************************************************** +****************************************************************/ + +static NTSTATUS gpext_security_init(void) +{ + NTSTATUS status; + + ctx = talloc_init("gpext_security_init"); + NT_STATUS_HAVE_NO_MEMORY(ctx); + + status = register_gp_extension(ctx, SMB_GPEXT_INTERFACE_VERSION, + GP_EXT_NAME, GP_EXT_GUID_SECURITY, + &security_methods); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(ctx); + } + + return status; +} diff --git a/source3/libgpo/gpo_reg.c b/source3/libgpo/gpo_reg.c index 920deeb189..d49315021e 100644 --- a/source3/libgpo/gpo_reg.c +++ b/source3/libgpo/gpo_reg.c @@ -689,25 +689,25 @@ static WERROR gp_reg_generate_sd(TALLOC_CTX *mem_ctx, size_t *sd_size) { SEC_ACE ace[6]; - SEC_ACCESS mask; + uint32_t mask; SEC_ACL *acl = NULL; uint8_t inherit_flags; - init_sec_access(&mask, REG_KEY_ALL); + mask = REG_KEY_ALL; init_sec_ace(&ace[0], &global_sid_System, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - init_sec_access(&mask, REG_KEY_ALL); + mask = REG_KEY_ALL; init_sec_ace(&ace[1], &global_sid_Builtin_Administrators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - init_sec_access(&mask, REG_KEY_READ); + mask = REG_KEY_READ; init_sec_ace(&ace[2], sid ? sid : &global_sid_Authenticated_Users, SEC_ACE_TYPE_ACCESS_ALLOWED, @@ -717,19 +717,19 @@ static WERROR gp_reg_generate_sd(TALLOC_CTX *mem_ctx, SEC_ACE_FLAG_CONTAINER_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY; - init_sec_access(&mask, REG_KEY_ALL); + mask = REG_KEY_ALL; init_sec_ace(&ace[3], &global_sid_System, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, inherit_flags); - init_sec_access(&mask, REG_KEY_ALL); + mask = REG_KEY_ALL; init_sec_ace(&ace[4], &global_sid_Builtin_Administrators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, inherit_flags); - init_sec_access(&mask, REG_KEY_READ); + mask = REG_KEY_READ; init_sec_ace(&ace[5], sid ? sid : &global_sid_Authenticated_Users, SEC_ACE_TYPE_ACCESS_ALLOWED, |