From 1c957f9559880712acd335c9df11191df0386df0 Mon Sep 17 00:00:00 2001
From: Günther Deschner
Date: Wed, 11 Jul 2007 09:39:08 +0000
Subject: r23826: Fix gpo security filtering by matching the security descriptor ace's for the extended apply group policy right.
Guenther
(This used to be commit d832014a6fef657f484412372b5d09047552b183)
---
 source3/include/ads.h | 3 ++
 source3/include/rpc_secdes.h | 1 -
 source3/libads/disp_sec.c | 2 --
 source3/libgpo/gpo_sec.c | 67 +++++++++++++++++++++++++++++++-------------
 4 files changed, 51 insertions(+), 22 deletions(-)
diff --git a/source3/include/ads.h b/source3/include/ads.h
index cbab016d46..c01a1055b2 100644
--- a/source3/include/ads.h
+++ b/source3/include/ads.h
@@ -341,4 +341,7 @@ typedef struct {
 int val;
 int critical;
 } ads_control;
+
+#define ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY "edacfd8f-ffb3-11d1-b41d-00a0c968f939"
+
 #endif /* _INCLUDE_ADS_H_ */
diff --git a/source3/include/rpc_secdes.h b/source3/include/rpc_secdes.h
index 1c49e4242d..298d4e664e 100644
--- a/source3/include/rpc_secdes.h
+++ b/source3/include/rpc_secdes.h
@@ -37,7 +37,6 @@
 #define SEC_RIGHTS_EXTENDED 0x100 /* change/reset password, receive/send as*/
 #define SEC_RIGHTS_CHANGE_PASSWD SEC_RIGHTS_EXTENDED
 #define SEC_RIGHTS_RESET_PASSWD SEC_RIGHTS_EXTENDED
-#define SEC_RIGHTS_APPLY_GROUP_POLICY SEC_RIGHTS_EXTENDED
 #define SEC_RIGHTS_FULL_CTRL 0xf01ff
 
 #define SEC_ACE_OBJECT_PRESENT 0x00000001 /* thanks for Jim McDonough */
diff --git a/source3/libads/disp_sec.c b/source3/libads/disp_sec.c
index 1f5eb4166a..516f204ed6 100644
--- a/source3/libads/disp_sec.c
+++ b/source3/libads/disp_sec.c
@@ -46,8 +46,6 @@ static struct perm_mask_str {
 {SEC_RIGHTS_CHANGE_PASSWD, "[Change Password]"},
 {SEC_RIGHTS_RESET_PASSWD, "[Reset Password]"},
 
- {SEC_RIGHTS_APPLY_GROUP_POLICY, "[Apply Group Policy]"},
-
 {0, 0}
 };
 
diff --git a/source3/libgpo/gpo_sec.c b/source3/libgpo/gpo_sec.c
index 5a4e29d270..abdcd17378 100644
--- a/source3/libgpo/gpo_sec.c
+++ b/source3/libgpo/gpo_sec.c 
@@ -19,33 +19,60 @@ #include "includes.h" - /* When modifiying security filtering with gpmc.msc (on w2k3) the - * following ACE is created in the DACL: +/**************************************************************** +****************************************************************/ -------- ACE (type: 0x05, flags: 0x02, size: 0x38, mask: 0x100, object flags: 0x1) -access SID: $SID -access type: ALLOWED OBJECT -Permissions: - [Apply Group Policy] (0x00000100) +static BOOL gpo_sd_check_agp_object_guid(const struct security_ace_object *object) +{ + struct GUID ext_right_apg_guid; + NTSTATUS status; + + if (!object) { + return False; + } -------- ACE (type: 0x00, flags: 0x02, size: 0x24, mask: 0x20014) -access SID: $SID -access type: ALLOWED -Permissions: - [List Contents] (0x00000004) - [Read All Properties] (0x00000010) - [Read Permissions] (0x00020000) + status = GUID_from_string(ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY, + &ext_right_apg_guid); + if (!NT_STATUS_IS_OK(status)) { + return False; + } - * by default all "Authenticated Users" (S-1-5-11) have an ALLOW - * OBJECT ace with SEC_RIGHTS_APPLY_GROUP_POLICY mask */ + switch (object->flags) { + case SEC_ACE_OBJECT_PRESENT: + if (GUID_equal(&object->type.type, + &ext_right_apg_guid)) { + return True; + } + case SEC_ACE_OBJECT_INHERITED_PRESENT: + if (GUID_equal(&object->inherited_type.inherited_type, + &ext_right_apg_guid)) { + return True; + } + default: + break; + } + return False; +} + +/**************************************************************** +****************************************************************/ + +static BOOL gpo_sd_check_agp_object(const SEC_ACE *ace) +{ + if (sec_ace_object(ace->type)) { + return gpo_sd_check_agp_object_guid(&ace->object.object); + } + + return False; +} /**************************************************************** ****************************************************************/ static BOOL gpo_sd_check_agp_access_bits(uint32 access_mask) { - return (access_mask & 
SEC_RIGHTS_APPLY_GROUP_POLICY);
+ return (access_mask & SEC_RIGHTS_EXTENDED);
 }
 #if 0
@@ -93,7 +120,8 @@ static BOOL gpo_sd_check_trustee_in_sid_token(const DOM_SID *trustee,
 static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace,
 const struct GPO_SID_TOKEN *token)
 {
- if (gpo_sd_check_agp_access_bits(ace->access_mask) &&
+ if (gpo_sd_check_agp_object(ace) &&
+ gpo_sd_check_agp_access_bits(ace->access_mask) &&
 gpo_sd_check_trustee_in_sid_token(&ace->trustee, token)) {
 DEBUG(10,("gpo_sd_check_ace_denied_object: Access denied as of ace for %s\n",
 sid_string_static(&ace->trustee)));
@@ -109,7 +137,8 @@ static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace,
 static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace,
 const struct GPO_SID_TOKEN *token)
 {
- if (gpo_sd_check_agp_access_bits(ace->access_mask) &&
+ if (gpo_sd_check_agp_object(ace) &&
+ gpo_sd_check_agp_access_bits(ace->access_mask) &&
 gpo_sd_check_trustee_in_sid_token(&ace->trustee, token)) {
 DEBUG(10,("gpo_sd_check_ace_allowed_object: Access granted as of ace for %s\n",
 sid_string_static(&ace->trustee)));
-- cgit
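Review bot: `switch (object->flags)` in gpo_sd_check_agp_object_guid treats a bitmask as an enumeration, so an object ACE carrying both SEC_ACE_OBJECT_PRESENT and SEC_ACE_OBJECT_INHERITED_PRESENT matches neither case arm and is reported as not naming the apply-group-policy right. The `case SEC_ACE_OBJECT_PRESENT:` arm also falls through, without a comment, into the inherited-type comparison, so for an ACE whose flags say only the object type is present the code still reads `object->inherited_type`, a field those same flags mark as absent. Testing each bit with `&` and guarding each GUID_equal() with its own flag fixes both; the NULL check and the GUID_from_string() call above it stay as they are. Parsing the compile-time constant with GUID_from_string() on every ACE could also be hoisted, but that is a separate tidy-up.
```c
static BOOL gpo_sd_check_agp_object_guid(const struct security_ace_object *object)
{
	/* … unchanged: NULL check, GUID_from_string() of the apply-GP right … */

	/* flags is a bitmask: both GUIDs may be present in one ACE, so test each bit */
	if ((object->flags & SEC_ACE_OBJECT_PRESENT) &&
	    GUID_equal(&object->type.type, &ext_right_apg_guid)) {
		return True;
	}

	if ((object->flags & SEC_ACE_OBJECT_INHERITED_PRESENT) &&
	    GUID_equal(&object->inherited_type.inherited_type,
		       &ext_right_apg_guid)) {
		return True;
	}

	return False;
}
```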
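Review bot: The `gpo_sd_check_agp_object(ace) &&` gate added here, and the identical one in the gpo_sd_check_ace_allowed_object hunk below, makes the check skip every ACE that is not an object ACE, since gpo_sd_check_agp_object returns False whenever sec_ace_object(ace->type) is false. If I read the AD control-access semantics correctly, an ACE with no object type restricts nothing and its 0x100 bit covers every extended right, so a plain ACCESS_DENIED ACE carrying that bit (full control included) used to deny Apply Group Policy and is now ignored, which leaves the deny path more permissive than before this commit; the same applies to an object ACE whose flags carry neither SEC_ACE_OBJECT_PRESENT nor SEC_ACE_OBJECT_INHERITED_PRESENT, which the switch default rejects. Returning True for the no-object-type cases in the helper, `if (!sec_ace_object(ace->type)) { return True; }` ahead of the GUID check, keeps those ACEs in play for both the allow and the deny evaluation. Both enclosing functions continue past the end of their hunks.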