From d2bd5895cf9b8a3572b17bca850e9c56a4cca901 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sun, 1 Mar 2009 02:44:51 +0100 Subject: Move gpo_sec to top-level. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Günther Deschner --- libgpo/config.mk | 3 +- libgpo/gpo.h | 2 + libgpo/gpo_sec.c | 189 +++++++++++++++++++++++++++++++++++++++++++++++ source3/Makefile.in | 2 +- source3/include/ads.h | 2 - source3/libgpo/gpo_sec.c | 186 ---------------------------------------------- source4/main.mk | 2 +- 7 files changed, 195 insertions(+), 191 deletions(-) create mode 100644 libgpo/gpo_sec.c delete mode 100644 source3/libgpo/gpo_sec.c diff --git a/libgpo/config.mk b/libgpo/config.mk index ebfcafd024..10cd238285 100644 --- a/libgpo/config.mk +++ b/libgpo/config.mk @@ -1,3 +1,4 @@ [SUBSYSTEM::LIBGPO] -LIBGPO_OBJ_FILES = ../libgpo/gpo_util.o +LIBGPO_OBJ_FILES = ../libgpo/gpo_util.o ../libgpo/gpo_sec.o \ + ../libgpo/gpext/gpext.o diff --git a/libgpo/gpo.h b/libgpo/gpo.h index 9abf526e14..c34dc4c750 100644 --- a/libgpo/gpo.h +++ b/libgpo/gpo.h @@ -157,6 +157,8 @@ struct gp_registry_context { #define GP_EXT_GUID_SECURITY "827D319E-6EAC-11D2-A4EA-00C04F79F83A" #define GP_EXT_GUID_REGISTRY "35378EAC-683F-11D2-A89A-00C04FBBCFA2" #define GP_EXT_GUID_SCRIPTS "42B5FAAE-6536-11D2-AE5A-0000F87571E3" +#define ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY "edacfd8f-ffb3-11d1-b41d-00a0c968f939" + #include "../libgpo/gpext/gpext.h" diff --git a/libgpo/gpo_sec.c b/libgpo/gpo_sec.c new file mode 100644 index 0000000000..15bd2881d5 --- /dev/null +++ b/libgpo/gpo_sec.c @@ -0,0 +1,189 @@ +/* + * Unix SMB/CIFS implementation. + * Group Policy Object Support + * Copyright (C) Guenther Deschner 2007 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see . + */ + +#include "includes.h" +#include "librpc/gen_ndr/security.h" +#include "librpc/gen_ndr/ndr_misc.h" +#include "../libgpo/gpo.h" + +/**************************************************************** +****************************************************************/ + +static bool gpo_sd_check_agp_object_guid(const struct security_ace_object *object) +{ + struct GUID ext_right_apg_guid; + NTSTATUS status; + + if (!object) { + return false; + } + + status = GUID_from_string(ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY, + &ext_right_apg_guid); + if (!NT_STATUS_IS_OK(status)) { + return false; + } + + switch (object->flags) { + case SEC_ACE_OBJECT_TYPE_PRESENT: + if (GUID_equal(&object->type.type, + &ext_right_apg_guid)) { + return true; + } + case SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT: + if (GUID_equal(&object->inherited_type.inherited_type, + &ext_right_apg_guid)) { + return true; + } + default: + break; + } + + return false; +} + +/**************************************************************** +****************************************************************/ + +static bool gpo_sd_check_agp_object(const struct security_ace *ace) +{ + if (!sec_ace_object(ace->type)) { + return false; + } + + return gpo_sd_check_agp_object_guid(&ace->object.object); +} + +/**************************************************************** +****************************************************************/ + +static bool gpo_sd_check_agp_access_bits(uint32_t access_mask) +{ + return (access_mask & SEC_RIGHTS_EXTENDED); +} + +#if 0 +/**************************************************************** +****************************************************************/ + +static bool gpo_sd_check_read_access_bits(uint32_t access_mask) +{ + uint32_t read_bits = SEC_RIGHTS_LIST_CONTENTS | + SEC_RIGHTS_READ_ALL_PROP | + SEC_RIGHTS_READ_PERMS; + + return (read_bits == (access_mask & read_bits)); +} +#endif + +/**************************************************************** +****************************************************************/ + +static NTSTATUS gpo_sd_check_ace_denied_object(const struct security_ace *ace, + const struct nt_user_token *token) +{ + if (gpo_sd_check_agp_object(ace) && + gpo_sd_check_agp_access_bits(ace->access_mask) && + nt_token_check_sid(&ace->trustee, token)) { + DEBUG(10,("gpo_sd_check_ace_denied_object: " + "Access denied as of ace for %s\n", + sid_string_dbg(&ace->trustee))); + return NT_STATUS_ACCESS_DENIED; + } + + return STATUS_MORE_ENTRIES; +} + +/**************************************************************** +****************************************************************/ + +static NTSTATUS gpo_sd_check_ace_allowed_object(const struct security_ace *ace, + const struct nt_user_token *token) +{ + if (gpo_sd_check_agp_object(ace) && + gpo_sd_check_agp_access_bits(ace->access_mask) && + nt_token_check_sid(&ace->trustee, token)) { + DEBUG(10,("gpo_sd_check_ace_allowed_object: " + "Access granted as of ace for %s\n", + sid_string_dbg(&ace->trustee))); + return NT_STATUS_OK; + } + + return STATUS_MORE_ENTRIES; +} + +/**************************************************************** +****************************************************************/ + +static NTSTATUS gpo_sd_check_ace(const struct security_ace *ace, + const struct nt_user_token *token) +{ + switch (ace->type) { + case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: + return gpo_sd_check_ace_denied_object(ace, token); + case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: + return gpo_sd_check_ace_allowed_object(ace, token); + default: + return STATUS_MORE_ENTRIES; + } +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT *gpo, + const struct nt_user_token *token) +{ + struct security_descriptor *sd = gpo->security_descriptor; + struct security_acl *dacl = NULL; + NTSTATUS status = NT_STATUS_ACCESS_DENIED; + int i; + + if (!token) { + return NT_STATUS_INVALID_USER_BUFFER; + } + + if (!sd) { + return NT_STATUS_INVALID_SECURITY_DESCR; + } + + dacl = sd->dacl; + if (!dacl) { + return NT_STATUS_INVALID_SECURITY_DESCR; + } + + /* check all aces and only return NT_STATUS_OK (== Access granted) or + * NT_STATUS_ACCESS_DENIED ( == Access denied) - the default is to + * deny access */ + + for (i = 0; i < dacl->num_aces; i ++) { + + status = gpo_sd_check_ace(&dacl->aces[i], token); + + if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { + return status; + } else if (NT_STATUS_IS_OK(status)) { + return status; + } + + continue; + } + + return NT_STATUS_ACCESS_DENIED; +} diff --git a/source3/Makefile.in b/source3/Makefile.in index 425d5f1c3b..adc36dda2c 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -412,7 +412,7 @@ LIBADDNS_OBJ = $(LIBADDNS_OBJ0) $(SOCKET_WRAPPER_OBJ) GPEXT_OBJ = ../libgpo/gpext/gpext.o @GPEXT_STATIC@ LIBGPO_OBJ0 = libgpo/gpo_ldap.o libgpo/gpo_ini.o ../libgpo/gpo_util.o \ - libgpo/gpo_fetch.o libgpo/gpo_filesync.o libgpo/gpo_sec.o \ + libgpo/gpo_fetch.o libgpo/gpo_filesync.o ../libgpo/gpo_sec.o \ libgpo/gpo_reg.o \ $(GPEXT_OBJ) LIBGPO_OBJ = $(LIBGPO_OBJ0) diff --git a/source3/include/ads.h b/source3/include/ads.h index 0fa19b55a6..afa4e12175 100644 --- a/source3/include/ads.h +++ b/source3/include/ads.h @@ -409,8 +409,6 @@ typedef struct { int critical; } ads_control; -#define ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY "edacfd8f-ffb3-11d1-b41d-00a0c968f939" - #define ADS_IGNORE_PRINCIPAL "not_defined_in_RFC4178@please_ignore" /* Settings for the domainFunctionality attribute in the rootDSE */ diff --git a/source3/libgpo/gpo_sec.c b/source3/libgpo/gpo_sec.c deleted file mode 100644 index c72bb26732..0000000000 --- a/source3/libgpo/gpo_sec.c +++ /dev/null @@ -1,186 +0,0 @@ -/* - * Unix SMB/CIFS implementation. - * Group Policy Object Support - * Copyright (C) Guenther Deschner 2007 - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see . - */ - -#include "includes.h" - -/**************************************************************** -****************************************************************/ - -static bool gpo_sd_check_agp_object_guid(const struct security_ace_object *object) -{ - struct GUID ext_right_apg_guid; - NTSTATUS status; - - if (!object) { - return false; - } - - status = GUID_from_string(ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY, - &ext_right_apg_guid); - if (!NT_STATUS_IS_OK(status)) { - return false; - } - - switch (object->flags) { - case SEC_ACE_OBJECT_TYPE_PRESENT: - if (GUID_equal(&object->type.type, - &ext_right_apg_guid)) { - return True; - } - case SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT: - if (GUID_equal(&object->inherited_type.inherited_type, - &ext_right_apg_guid)) { - return True; - } - default: - break; - } - - return false; -} - -/**************************************************************** -****************************************************************/ - -static bool gpo_sd_check_agp_object(const SEC_ACE *ace) -{ - if (!sec_ace_object(ace->type)) { - return false; - } - - return gpo_sd_check_agp_object_guid(&ace->object.object); -} - -/**************************************************************** -****************************************************************/ - -static bool gpo_sd_check_agp_access_bits(uint32_t access_mask) -{ - return (access_mask & SEC_RIGHTS_EXTENDED); -} - -#if 0 -/**************************************************************** -****************************************************************/ - -static bool gpo_sd_check_read_access_bits(uint32_t access_mask) -{ - uint32_t read_bits = SEC_RIGHTS_LIST_CONTENTS | - SEC_RIGHTS_READ_ALL_PROP | - SEC_RIGHTS_READ_PERMS; - - return (read_bits == (access_mask & read_bits)); -} -#endif - -/**************************************************************** -****************************************************************/ - -static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace, - const struct nt_user_token *token) -{ - if (gpo_sd_check_agp_object(ace) && - gpo_sd_check_agp_access_bits(ace->access_mask) && - nt_token_check_sid(&ace->trustee, token)) { - DEBUG(10,("gpo_sd_check_ace_denied_object: " - "Access denied as of ace for %s\n", - sid_string_dbg(&ace->trustee))); - return NT_STATUS_ACCESS_DENIED; - } - - return STATUS_MORE_ENTRIES; -} - -/**************************************************************** -****************************************************************/ - -static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace, - const struct nt_user_token *token) -{ - if (gpo_sd_check_agp_object(ace) && - gpo_sd_check_agp_access_bits(ace->access_mask) && - nt_token_check_sid(&ace->trustee, token)) { - DEBUG(10,("gpo_sd_check_ace_allowed_object: " - "Access granted as of ace for %s\n", - sid_string_dbg(&ace->trustee))); - return NT_STATUS_OK; - } - - return STATUS_MORE_ENTRIES; -} - -/**************************************************************** -****************************************************************/ - -static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace, - const struct nt_user_token *token) -{ - switch (ace->type) { - case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: - return gpo_sd_check_ace_denied_object(ace, token); - case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: - return gpo_sd_check_ace_allowed_object(ace, token); - default: - return STATUS_MORE_ENTRIES; - } -} - -/**************************************************************** -****************************************************************/ - -NTSTATUS gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT *gpo, - const struct nt_user_token *token) -{ - SEC_DESC *sd = gpo->security_descriptor; - SEC_ACL *dacl = NULL; - NTSTATUS status = NT_STATUS_ACCESS_DENIED; - int i; - - if (!token) { - return NT_STATUS_INVALID_USER_BUFFER; - } - - if (!sd) { - return NT_STATUS_INVALID_SECURITY_DESCR; - } - - dacl = sd->dacl; - if (!dacl) { - return NT_STATUS_INVALID_SECURITY_DESCR; - } - - /* check all aces and only return NT_STATUS_OK (== Access granted) or - * NT_STATUS_ACCESS_DENIED ( == Access denied) - the default is to - * deny access */ - - for (i = 0; i < dacl->num_aces; i ++) { - - status = gpo_sd_check_ace(&dacl->aces[i], token); - - if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { - return status; - } else if (NT_STATUS_IS_OK(status)) { - return status; - } - - continue; - } - - return NT_STATUS_ACCESS_DENIED; -} diff --git a/source4/main.mk b/source4/main.mk index aaae329ed8..d9e0254c1f 100644 --- a/source4/main.mk +++ b/source4/main.mk @@ -56,4 +56,4 @@ mkinclude ../libcli/ldap/config.mk mkinclude ../libcli/auth/config.mk mkinclude ../libcli/drsuapi/config.mk mkinclude ../libcli/samsync/config.mk - +mkinclude ../libgpo/config.mk -- cgit