summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/dsdb/samdb/ldb_modules/descriptor.c149
-rwxr-xr-xsource4/lib/ldb/tests/python/sec_descriptor.py112
2 files changed, 240 insertions, 21 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
index 6a57560314..98e54b19c1 100644
--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
@@ -154,15 +154,85 @@ static struct dom_sid *get_default_group(TALLOC_CTX *mem_ctx,
return NULL;
}
+static struct security_descriptor *descr_handle_sd_flags(TALLOC_CTX *mem_ctx,
+ struct security_descriptor *new_sd,
+ struct security_descriptor *old_sd,
+ uint32_t sd_flags)
+{
+ struct security_descriptor *final_sd;
+ /* if there is no control or contlol == 0 modify everything */
+ if (!sd_flags) {
+ return new_sd;
+ }
+
+ final_sd = talloc_zero(mem_ctx, struct security_descriptor);
+ final_sd->revision = SECURITY_DESCRIPTOR_REVISION_1;
+ final_sd->type = SEC_DESC_SELF_RELATIVE;
+
+ if (sd_flags & (SECINFO_OWNER)) {
+ final_sd->owner_sid = talloc_memdup(mem_ctx, new_sd->owner_sid, sizeof(struct dom_sid));
+ final_sd->type |= new_sd->type & SEC_DESC_OWNER_DEFAULTED;
+ }
+ else if (old_sd) {
+ final_sd->owner_sid = talloc_memdup(mem_ctx, old_sd->owner_sid, sizeof(struct dom_sid));
+ final_sd->type |= old_sd->type & SEC_DESC_OWNER_DEFAULTED;
+ }
+
+ if (sd_flags & (SECINFO_GROUP)) {
+ final_sd->group_sid = talloc_memdup(mem_ctx, new_sd->group_sid, sizeof(struct dom_sid));
+ final_sd->type |= new_sd->type & SEC_DESC_GROUP_DEFAULTED;
+ }
+ else if (old_sd) {
+ final_sd->group_sid = talloc_memdup(mem_ctx, old_sd->group_sid, sizeof(struct dom_sid));
+ final_sd->type |= old_sd->type & SEC_DESC_GROUP_DEFAULTED;
+ }
+
+ if (sd_flags & (SECINFO_SACL)) {
+ final_sd->sacl = security_acl_dup(mem_ctx,new_sd->sacl);
+ final_sd->type |= new_sd->type & (SEC_DESC_SACL_PRESENT |
+ SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
+ SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
+ SEC_DESC_SERVER_SECURITY);
+ }
+ else if (old_sd) {
+ final_sd->sacl = security_acl_dup(mem_ctx,old_sd->sacl);
+ final_sd->type |= old_sd->type & (SEC_DESC_SACL_PRESENT |
+ SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
+ SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
+ SEC_DESC_SERVER_SECURITY);
+ }
+
+ if (sd_flags & (SECINFO_DACL)) {
+ final_sd->dacl = security_acl_dup(mem_ctx,new_sd->dacl);
+ final_sd->type |= new_sd->type & (SEC_DESC_DACL_PRESENT |
+ SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
+ SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
+ SEC_DESC_DACL_TRUSTED);
+ }
+ else if (old_sd) {
+ final_sd->dacl = security_acl_dup(mem_ctx,old_sd->dacl);
+ final_sd->type |= old_sd->type & (SEC_DESC_DACL_PRESENT |
+ SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
+ SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
+ SEC_DESC_DACL_TRUSTED);
+ }
+ /* not so sure about this */
+ final_sd->type |= new_sd->type & SEC_DESC_RM_CONTROL_VALID;
+ return final_sd;
+}
+
static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
struct ldb_dn *dn,
TALLOC_CTX *mem_ctx,
const struct dsdb_class *objectclass,
const struct ldb_val *parent,
- struct ldb_val *object)
+ struct ldb_val *object,
+ struct ldb_val *old_sd,
+ uint32_t sd_flags)
{
struct security_descriptor *user_descriptor = NULL, *parent_descriptor = NULL;
- struct security_descriptor *new_sd;
+ struct security_descriptor *old_descriptor = NULL;
+ struct security_descriptor *new_sd, *final_sd;
DATA_BLOB *linear_sd;
enum ndr_err_code ndr_err;
struct ldb_context *ldb = ldb_module_get_ctx(module);
@@ -175,13 +245,14 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
if (object) {
user_descriptor = talloc(mem_ctx, struct security_descriptor);
- if(!user_descriptor)
+ if (!user_descriptor) {
return NULL;
+ }
ndr_err = ndr_pull_struct_blob(object, user_descriptor, NULL,
user_descriptor,
(ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)){
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
talloc_free(user_descriptor);
return NULL;
}
@@ -189,19 +260,36 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
user_descriptor = get_sd_unpacked(module, mem_ctx, objectclass);
}
- if (parent){
+ if (old_sd) {
+ old_descriptor = talloc(mem_ctx, struct security_descriptor);
+ if (!old_descriptor) {
+ return NULL;
+ }
+ ndr_err = ndr_pull_struct_blob(old_sd, old_descriptor, NULL,
+ old_descriptor,
+ (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
+
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ talloc_free(old_descriptor);
+ return NULL;
+ }
+ }
+
+ if (parent) {
parent_descriptor = talloc(mem_ctx, struct security_descriptor);
- if(!parent_descriptor)
+ if (!parent_descriptor) {
return NULL;
+ }
ndr_err = ndr_pull_struct_blob(parent, parent_descriptor, NULL,
parent_descriptor,
(ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)){
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
talloc_free(parent_descriptor);
return NULL;
}
}
+
default_owner = get_default_ag(mem_ctx, dn,
session_info->security_token, ldb);
default_group = get_default_group(mem_ctx, ldb, default_owner);
@@ -210,11 +298,15 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
session_info->security_token,
default_owner, default_group,
map_generic_rights_ds);
- if (!new_sd)
+ if (!new_sd) {
return NULL;
+ }
+ final_sd = descr_handle_sd_flags(mem_ctx, new_sd, old_descriptor, sd_flags);
-
- sddl_sd = sddl_encode(mem_ctx, new_sd, domain_sid);
+ if (!final_sd) {
+ return NULL;
+ }
+ sddl_sd = sddl_encode(mem_ctx, final_sd, domain_sid);
DEBUG(10, ("Object %s created with desriptor %s\n\n", ldb_dn_get_linearized(dn), sddl_sd));
linear_sd = talloc(mem_ctx, DATA_BLOB);
@@ -224,7 +316,7 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
ndr_err = ndr_push_struct_blob(linear_sd, mem_ctx,
lp_iconv_convenience(ldb_get_opaque(ldb, "loadparm")),
- new_sd,
+ final_sd,
(ndr_push_flags_fn_t)ndr_push_security_descriptor);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
return NULL;
@@ -383,12 +475,16 @@ static int descriptor_do_mod(struct descriptor_context *ac)
struct ldb_context *ldb;
const struct dsdb_schema *schema;
struct ldb_request *mod_req;
- struct ldb_message_element *objectclass_element, *tmp_element;
+ struct ldb_message_element *objectclass_element, *tmp_element, *oldsd_el;
+ struct ldb_val *oldsd_val = NULL;
int ret;
DATA_BLOB *sd;
const struct dsdb_class *objectclass;
struct ldb_message *msg;
+ struct ldb_control *sd_control;
+ struct ldb_control **saved_controls;
int flags = 0;
+ uint32_t sd_flags = 0;
ldb = ldb_module_get_ctx(ac->module);
schema = dsdb_get_schema(ldb);
@@ -402,9 +498,21 @@ static int descriptor_do_mod(struct descriptor_context *ac)
ldb_dn_get_linearized(ac->search_oc_res->message->dn));
return LDB_ERR_OPERATIONS_ERROR;
}
-
+ sd_control = ldb_request_get_control(ac->req, LDB_CONTROL_SD_FLAGS_OID);
+ if (sd_control) {
+ struct ldb_sd_flags_control *sdctr = (struct ldb_sd_flags_control *)sd_control->data;
+ sd_flags = sdctr->secinfo_flags;
+ /* we only care for the last 4 bits */
+ sd_flags = sd_flags & 0x0000000F;
+ }
+ if (sd_flags != 0) {
+ oldsd_el = ldb_msg_find_element(ac->search_oc_res->message, "nTSecurityDescriptor");
+ if (oldsd_el) {
+ oldsd_val = oldsd_el->values;
+ }
+ }
sd = get_new_descriptor(ac->module, msg->dn, ac, objectclass,
- ac->parentsd_val, ac->sd_val);
+ ac->parentsd_val, ac->sd_val, oldsd_val, sd_flags);
if (ac->sd_val) {
tmp_element = ldb_msg_find_element(msg, "ntSecurityDescriptor");
flags = tmp_element->flags;
@@ -427,6 +535,15 @@ static int descriptor_do_mod(struct descriptor_context *ac)
if (ret != LDB_SUCCESS) {
return ret;
}
+ /* save it locally and remove it from the list */
+ /* we do not need to replace them later as we
+ * are keeping the original req intact */
+ if (sd_control) {
+ if (!save_controls(sd_control, mod_req, &saved_controls)) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ }
+
return ldb_next_request(ac->module, mod_req);
}
@@ -441,7 +558,7 @@ static int descriptor_do_add(struct descriptor_context *ac)
int ret;
DATA_BLOB *sd;
const struct dsdb_class *objectclass;
- static const char *const attrs[] = { "objectClass", NULL };
+ static const char *const attrs[] = { "objectClass", "nTSecurityDescriptor", NULL };
struct ldb_request *search_req;
ldb = ldb_module_get_ctx(ac->module);
@@ -491,7 +608,7 @@ static int descriptor_do_add(struct descriptor_context *ac)
/* get the parent descriptor and the one provided. If not provided, get the default.*/
/* convert to security descriptor and calculate */
sd = get_new_descriptor(ac->module, msg->dn, mem_ctx, objectclass,
- ac->parentsd_val, ac->sd_val);
+ ac->parentsd_val, ac->sd_val, NULL, 0);
if (ac->sd_val) {
ldb_msg_remove_attr(msg, "nTSecurityDescriptor");
}
diff --git a/source4/lib/ldb/tests/python/sec_descriptor.py b/source4/lib/ldb/tests/python/sec_descriptor.py
index 2770176f89..8763579dc0 100755
--- a/source4/lib/ldb/tests/python/sec_descriptor.py
+++ b/source4/lib/ldb/tests/python/sec_descriptor.py
@@ -25,7 +25,8 @@ from samba.ndr import ndr_pack, ndr_unpack
from samba.dcerpc import security
from samba.auth import system_session
-from samba import Ldb, DS_DOMAIN_FUNCTION_2008
+from samba import Ldb, DS_DOMAIN_FUNCTION_2008, SECINFO_OWNER, \
+ SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL
from subunit import SubunitTestRunner
import unittest
@@ -83,7 +84,7 @@ class DescriptorTests(unittest.TestCase):
def get_users_domain_dn(self, name):
return "CN=%s,CN=Users,%s" % (name, self.base_dn)
- def modify_desc(self, _ldb, object_dn, desc):
+ def modify_desc(self, _ldb, object_dn, desc, controls=None):
assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
mod = """
dn: """ + object_dn + """
@@ -94,9 +95,9 @@ replace: nTSecurityDescriptor
mod += "nTSecurityDescriptor: %s" % desc
elif isinstance(desc, security.descriptor):
mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
- _ldb.modify_ldif(mod)
+ _ldb.modify_ldif(mod, controls)
- def create_domain_ou(self, _ldb, ou_dn, desc=None):
+ def create_domain_ou(self, _ldb, ou_dn, desc=None, controls=None):
ldif = """
dn: """ + ou_dn + """
ou: """ + ou_dn.split(",")[0][3:] + """
@@ -109,7 +110,7 @@ url: www.example.com
ldif += "nTSecurityDescriptor: %s" % desc
elif isinstance(desc, security.descriptor):
ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
- _ldb.add_ldif(ldif)
+ _ldb.add_ldif(ldif, controls)
def create_domain_user(self, _ldb, user_dn, desc=None):
ldif = """
@@ -1683,6 +1684,105 @@ class DaclDescriptorTests(DescriptorTests):
########################################################################################
+
+class SdFlagsDescriptorTests(DescriptorTests):
+ def setUp(self):
+ DescriptorTests.setUp(self)
+ self.test_descr = "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
+
+ def tearDown(self):
+ self.delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn)
+
+ def test_301(self):
+ """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
+ See that only the owner has been changed.
+ """
+ ou_dn = "OU=test_sdflags_ou," + self.base_dn
+ self.create_domain_ou(self.ldb_admin, ou_dn)
+ self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
+ desc_sddl = self.get_desc_sddl(ou_dn)
+ # make sure we have modified the owner
+ self.assertTrue("O:AU" in desc_sddl)
+ # make sure nothing else has been modified
+ self.assertFalse("G:AU" in desc_sddl)
+ self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
+ self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
+
+ def test_302(self):
+ """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
+ See that only the owner has been changed.
+ """
+ ou_dn = "OU=test_sdflags_ou," + self.base_dn
+ self.create_domain_ou(self.ldb_admin, ou_dn)
+ self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
+ desc_sddl = self.get_desc_sddl(ou_dn)
+ # make sure we have modified the group
+ self.assertTrue("G:AU" in desc_sddl)
+ # make sure nothing else has been modified
+ self.assertFalse("O:AU" in desc_sddl)
+ self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
+ self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
+
+ def test_303(self):
+ """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
+ See that only the owner has been changed.
+ """
+ ou_dn = "OU=test_sdflags_ou," + self.base_dn
+ self.create_domain_ou(self.ldb_admin, ou_dn)
+ self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
+ desc_sddl = self.get_desc_sddl(ou_dn)
+ # make sure we have modified the DACL
+ self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
+ # make sure nothing else has been modified
+ self.assertFalse("O:AU" in desc_sddl)
+ self.assertFalse("G:AU" in desc_sddl)
+ self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
+
+ def test_304(self):
+ """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
+ See that only the owner has been changed.
+ """
+ ou_dn = "OU=test_sdflags_ou," + self.base_dn
+ self.create_domain_ou(self.ldb_admin, ou_dn)
+ self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
+ desc_sddl = self.get_desc_sddl(ou_dn)
+ # make sure we have modified the DACL
+ self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
+ # make sure nothing else has been modified
+ self.assertFalse("O:AU" in desc_sddl)
+ self.assertFalse("G:AU" in desc_sddl)
+ self.assertFalse("(D;;CC;;;LG)" in desc_sddl)
+
+ def test_305(self):
+ """ Modify a descriptor with 0x0 set.
+ Contrary to logic this is interpreted as no control,
+ which is the same as 0xF
+ """
+ ou_dn = "OU=test_sdflags_ou," + self.base_dn
+ self.create_domain_ou(self.ldb_admin, ou_dn)
+ self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:0"])
+ desc_sddl = self.get_desc_sddl(ou_dn)
+ # make sure we have modified the DACL
+ self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
+ # make sure nothing else has been modified
+ self.assertTrue("O:AU" in desc_sddl)
+ self.assertTrue("G:AU" in desc_sddl)
+ self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
+
+ def test_306(self):
+ """ Modify a descriptor with 0xF set.
+ """
+ ou_dn = "OU=test_sdflags_ou," + self.base_dn
+ self.create_domain_ou(self.ldb_admin, ou_dn)
+ self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:15"])
+ desc_sddl = self.get_desc_sddl(ou_dn)
+ # make sure we have modified the DACL
+ self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
+ # make sure nothing else has been modified
+ self.assertTrue("O:AU" in desc_sddl)
+ self.assertTrue("G:AU" in desc_sddl)
+ self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
+
if not "://" in host:
host = "ldap://%s" % host
ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp, options=["modules:paged_searches"])
@@ -1693,5 +1793,7 @@ if not runner.run(unittest.makeSuite(OwnerGroupDescriptorTests)).wasSuccessful()
rc = 1
if not runner.run(unittest.makeSuite(DaclDescriptorTests)).wasSuccessful():
rc = 1
+if not runner.run(unittest.makeSuite(SdFlagsDescriptorTests)).wasSuccessful():
+ rc = 1
sys.exit(rc)