summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/dsdb/common/dsdb_access.c85
-rw-r--r--source4/dsdb/samdb/ldb_modules/acl.c49
2 files changed, 93 insertions, 41 deletions
diff --git a/source4/dsdb/common/dsdb_access.c b/source4/dsdb/common/dsdb_access.c
index 1f8b795a7b..40233f9379 100644
--- a/source4/dsdb/common/dsdb_access.c
+++ b/source4/dsdb/common/dsdb_access.c
@@ -26,22 +26,13 @@
*/
#include "includes.h"
-#include "events/events.h"
#include "ldb.h"
#include "ldb_errors.h"
-#include "../lib/util/util_ldb.h"
-#include "../lib/crypto/crypto.h"
#include "libcli/security/security.h"
#include "librpc/gen_ndr/ndr_security.h"
-#include "librpc/gen_ndr/ndr_misc.h"
-#include "../libds/common/flags.h"
#include "libcli/ldap/ldap_ndr.h"
#include "param/param.h"
-#include "libcli/auth/libcli_auth.h"
-#include "librpc/gen_ndr/ndr_drsblobs.h"
-#include "system/locale.h"
#include "auth/auth.h"
-#include "lib/util/tsort.h"
void dsdb_acl_debug(struct security_descriptor *sd,
struct security_token *token,
@@ -113,38 +104,20 @@ int dsdb_get_dom_sid_from_ldb_message(TALLOC_CTX *mem_ctx,
return LDB_SUCCESS;
}
-int dsdb_check_access_on_dn(struct ldb_context *ldb,
- TALLOC_CTX *mem_ctx,
- struct ldb_dn *dn,
- uint32_t access,
- const struct GUID *guid)
+int dsdb_check_access_on_dn_internal(struct ldb_result *acl_res,
+ TALLOC_CTX *mem_ctx,
+ struct security_token *token,
+ struct ldb_dn *dn,
+ uint32_t access,
+ const struct GUID *guid)
{
- int ret;
- struct ldb_result *acl_res;
struct security_descriptor *sd = NULL;
struct dom_sid *sid = NULL;
struct object_tree *root = NULL;
struct object_tree *new_node = NULL;
NTSTATUS status;
uint32_t access_granted;
- static const char *acl_attrs[] = {
- "nTSecurityDescriptor",
- "objectSid",
- NULL
- };
-
- struct auth_session_info *session_info
- = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
- if(!session_info) {
- return LDB_ERR_OPERATIONS_ERROR;
- }
-
- ret = ldb_search(ldb, mem_ctx, &acl_res, dn, LDB_SCOPE_BASE, acl_attrs, NULL);
- /* we sould be able to find the parent */
- if (ret != LDB_SUCCESS) {
- DEBUG(10,("acl: failed to find object %s\n", ldb_dn_get_linearized(dn)));
- return ret;
- }
+ int ret;
ret = dsdb_get_sd_from_ldb_message(mem_ctx, acl_res->msgs[0], &sd);
if (ret != LDB_SUCCESS) {
@@ -164,14 +137,14 @@ int dsdb_check_access_on_dn(struct ldb_context *ldb,
return LDB_ERR_OPERATIONS_ERROR;
}
}
- status = sec_access_check_ds(sd, session_info->security_token,
+ status = sec_access_check_ds(sd, token,
access,
&access_granted,
root,
sid);
if (!NT_STATUS_IS_OK(status)) {
dsdb_acl_debug(sd,
- session_info->security_token,
+ token,
dn,
true,
10);
@@ -179,3 +152,43 @@ int dsdb_check_access_on_dn(struct ldb_context *ldb,
}
return LDB_SUCCESS;
}
+
+/* performs an access check from outside the module stack
+ * given the dn of the object to be checked, the required access
+ * guid is either the guid of the extended right, or NULL
+ */
+
+int dsdb_check_access_on_dn(struct ldb_context *ldb,
+ TALLOC_CTX *mem_ctx,
+ struct ldb_dn *dn,
+ uint32_t access,
+ const struct GUID *guid)
+{
+ int ret;
+ struct ldb_result *acl_res;
+ static const char *acl_attrs[] = {
+ "nTSecurityDescriptor",
+ "objectSid",
+ NULL
+ };
+
+ struct auth_session_info *session_info
+ = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
+ if(!session_info) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ ret = ldb_search(ldb, mem_ctx, &acl_res, dn, LDB_SCOPE_BASE, acl_attrs, NULL);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(10,("access_check: failed to find object %s\n", ldb_dn_get_linearized(dn)));
+ return ret;
+ }
+
+ return dsdb_check_access_on_dn_internal(acl_res,
+ mem_ctx,
+ session_info->security_token,
+ dn,
+ access,
+ guid);
+}
+
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 9280de1b97..b0c1e2fa9e 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -82,6 +82,45 @@ static struct security_token *acl_user_token(struct ldb_module *module)
return session_info->security_token;
}
+/* performs an access check from inside the module stack
+ * given the dn of the object to be checked, the required access
+ * guid is either the guid of the extended right, or NULL
+ */
+
+int dsdb_module_check_access_on_dn(struct ldb_module *module,
+ TALLOC_CTX *mem_ctx,
+ struct ldb_dn *dn,
+ uint32_t access,
+ const struct GUID *guid)
+{
+ int ret;
+ struct ldb_result *acl_res;
+ static const char *acl_attrs[] = {
+ "nTSecurityDescriptor",
+ "objectSid",
+ NULL
+ };
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ struct auth_session_info *session_info
+ = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
+ if(!session_info) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ ret = dsdb_module_search_dn(module, mem_ctx, &acl_res, dn,
+ acl_attrs, DSDB_SEARCH_SHOW_DELETED);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(10,("access_check: failed to find object %s\n", ldb_dn_get_linearized(dn)));
+ return ret;
+ }
+ return dsdb_check_access_on_dn_internal(acl_res,
+ mem_ctx,
+ session_info->security_token,
+ dn,
+ access,
+ guid);
+}
+
+
static int acl_module_init(struct ldb_module *module)
{
struct ldb_context *ldb;
@@ -606,7 +645,7 @@ static int acl_add(struct ldb_module *module, struct ldb_request *req)
guid = class_schemaid_guid_by_lDAPDisplayName(dsdb_get_schema(ldb),
(char *)oc_el->values[oc_el->num_values-1].data);
- ret = dsdb_check_access_on_dn(ldb, req, parent, SEC_ADS_CREATE_CHILD, guid);
+ ret = dsdb_module_check_access_on_dn(module, req, parent, SEC_ADS_CREATE_CHILD, guid);
if (ret != LDB_SUCCESS) {
return ret;
}
@@ -787,7 +826,7 @@ static int acl_delete(struct ldb_module *module, struct ldb_request *req)
}
ldb = ldb_module_get_ctx(module);
/* first check if we have delete object right */
- ret = dsdb_check_access_on_dn(ldb, req, req->op.del.dn, SEC_STD_DELETE, NULL);
+ ret = dsdb_module_check_access_on_dn(module, req, req->op.del.dn, SEC_STD_DELETE, NULL);
if (ret == LDB_SUCCESS) {
return ldb_next_request(module, req);
}
@@ -801,7 +840,7 @@ static int acl_delete(struct ldb_module *module, struct ldb_request *req)
return ldb_module_done(req, NULL, NULL, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS);
}
- ret = dsdb_check_access_on_dn(ldb, req, parent, SEC_ADS_DELETE_CHILD, NULL);
+ ret = dsdb_module_check_access_on_dn(module, req, parent, SEC_ADS_DELETE_CHILD, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
@@ -932,7 +971,7 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
return ldb_module_done(req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
}
- ret = dsdb_check_access_on_dn(ldb, req, newparent, SEC_ADS_CREATE_CHILD, guid);
+ ret = dsdb_module_check_access_on_dn(module, req, newparent, SEC_ADS_CREATE_CHILD, guid);
if (ret != LDB_SUCCESS) {
DEBUG(10,("acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn)));
return ret;
@@ -949,7 +988,7 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
return ldb_next_request(module, req);
}
/* what about delete child on the current parent */
- ret = dsdb_check_access_on_dn(ldb, req, oldparent, SEC_ADS_DELETE_CHILD, NULL);
+ ret = dsdb_module_check_access_on_dn(module, req, oldparent, SEC_ADS_DELETE_CHILD, NULL);
if (ret != LDB_SUCCESS) {
DEBUG(10,("acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn)));
return ldb_module_done(req, NULL, NULL, ret);