diff options
author | Günther Deschner <gd@samba.org> | 2007-07-11 09:39:08 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:28:31 -0500 |
commit | 1c957f9559880712acd335c9df11191df0386df0 (patch) | |
tree | 88123438b0efe17bbbaf4f5b7afba6ed37765ff9 /source3 | |
parent | e05f45baefb050248064f58474e5ddddb2761111 (diff) | |
download | samba-1c957f9559880712acd335c9df11191df0386df0.tar.gz samba-1c957f9559880712acd335c9df11191df0386df0.tar.bz2 samba-1c957f9559880712acd335c9df11191df0386df0.zip |
r23826: Fix gpo security filtering by matching the security descriptor ace's for the
extended apply group policy right.
Guenther
(This used to be commit d832014a6fef657f484412372b5d09047552b183)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/include/ads.h | 3 | ||||
-rw-r--r-- | source3/include/rpc_secdes.h | 1 | ||||
-rw-r--r-- | source3/libads/disp_sec.c | 2 | ||||
-rw-r--r-- | source3/libgpo/gpo_sec.c | 67 |
4 files changed, 51 insertions, 22 deletions
diff --git a/source3/include/ads.h b/source3/include/ads.h index cbab016d46..c01a1055b2 100644 --- a/source3/include/ads.h +++ b/source3/include/ads.h @@ -341,4 +341,7 @@ typedef struct { int val; int critical; } ads_control; + +#define ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY "edacfd8f-ffb3-11d1-b41d-00a0c968f939" + #endif /* _INCLUDE_ADS_H_ */ diff --git a/source3/include/rpc_secdes.h b/source3/include/rpc_secdes.h index 1c49e4242d..298d4e664e 100644 --- a/source3/include/rpc_secdes.h +++ b/source3/include/rpc_secdes.h @@ -37,7 +37,6 @@ #define SEC_RIGHTS_EXTENDED 0x100 /* change/reset password, receive/send as*/ #define SEC_RIGHTS_CHANGE_PASSWD SEC_RIGHTS_EXTENDED #define SEC_RIGHTS_RESET_PASSWD SEC_RIGHTS_EXTENDED -#define SEC_RIGHTS_APPLY_GROUP_POLICY SEC_RIGHTS_EXTENDED #define SEC_RIGHTS_FULL_CTRL 0xf01ff #define SEC_ACE_OBJECT_PRESENT 0x00000001 /* thanks for Jim McDonough <jmcd@us.ibm.com> */ diff --git a/source3/libads/disp_sec.c b/source3/libads/disp_sec.c index 1f5eb4166a..516f204ed6 100644 --- a/source3/libads/disp_sec.c +++ b/source3/libads/disp_sec.c @@ -46,8 +46,6 @@ static struct perm_mask_str { {SEC_RIGHTS_CHANGE_PASSWD, "[Change Password]"}, {SEC_RIGHTS_RESET_PASSWD, "[Reset Password]"}, - {SEC_RIGHTS_APPLY_GROUP_POLICY, "[Apply Group Policy]"}, - {0, 0} }; diff --git a/source3/libgpo/gpo_sec.c b/source3/libgpo/gpo_sec.c index 5a4e29d270..abdcd17378 100644 --- a/source3/libgpo/gpo_sec.c +++ b/source3/libgpo/gpo_sec.c @@ -19,33 +19,60 @@ #include "includes.h" - /* When modifiying security filtering with gpmc.msc (on w2k3) the - * following ACE is created in the DACL: +/**************************************************************** +****************************************************************/ -------- ACE (type: 0x05, flags: 0x02, size: 0x38, mask: 0x100, object flags: 0x1) -access SID: $SID -access type: ALLOWED OBJECT -Permissions: - [Apply Group Policy] (0x00000100) +static BOOL gpo_sd_check_agp_object_guid(const struct security_ace_object *object) +{ + struct GUID ext_right_apg_guid; + NTSTATUS status; + + if (!object) { + return False; + } -------- ACE (type: 0x00, flags: 0x02, size: 0x24, mask: 0x20014) -access SID: $SID -access type: ALLOWED -Permissions: - [List Contents] (0x00000004) - [Read All Properties] (0x00000010) - [Read Permissions] (0x00020000) + status = GUID_from_string(ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY, + &ext_right_apg_guid); + if (!NT_STATUS_IS_OK(status)) { + return False; + } - * by default all "Authenticated Users" (S-1-5-11) have an ALLOW - * OBJECT ace with SEC_RIGHTS_APPLY_GROUP_POLICY mask */ + switch (object->flags) { + case SEC_ACE_OBJECT_PRESENT: + if (GUID_equal(&object->type.type, + &ext_right_apg_guid)) { + return True; + } + case SEC_ACE_OBJECT_INHERITED_PRESENT: + if (GUID_equal(&object->inherited_type.inherited_type, + &ext_right_apg_guid)) { + return True; + } + default: + break; + } + return False; +} + +/**************************************************************** +****************************************************************/ + +static BOOL gpo_sd_check_agp_object(const SEC_ACE *ace) +{ + if (sec_ace_object(ace->type)) { + return gpo_sd_check_agp_object_guid(&ace->object.object); + } + + return False; +} /**************************************************************** ****************************************************************/ static BOOL gpo_sd_check_agp_access_bits(uint32 access_mask) { - return (access_mask & SEC_RIGHTS_APPLY_GROUP_POLICY); + return (access_mask & SEC_RIGHTS_EXTENDED); } #if 0 @@ -93,7 +120,8 @@ static BOOL gpo_sd_check_trustee_in_sid_token(const DOM_SID *trustee, static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace, const struct GPO_SID_TOKEN *token) { - if (gpo_sd_check_agp_access_bits(ace->access_mask) && + if (gpo_sd_check_agp_object(ace) && + gpo_sd_check_agp_access_bits(ace->access_mask) && gpo_sd_check_trustee_in_sid_token(&ace->trustee, token)) { DEBUG(10,("gpo_sd_check_ace_denied_object: Access denied as of ace for %s\n", sid_string_static(&ace->trustee))); @@ -109,7 +137,8 @@ static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace, static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace, const struct GPO_SID_TOKEN *token) { - if (gpo_sd_check_agp_access_bits(ace->access_mask) && + if (gpo_sd_check_agp_object(ace) && + gpo_sd_check_agp_access_bits(ace->access_mask) && gpo_sd_check_trustee_in_sid_token(&ace->trustee, token)) { DEBUG(10,("gpo_sd_check_ace_allowed_object: Access granted as of ace for %s\n", sid_string_static(&ace->trustee))); |