From 1c957f9559880712acd335c9df11191df0386df0 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 11 Jul 2007 09:39:08 +0000 Subject: r23826: Fix gpo security filtering by matching the security descriptor ace's for the extended apply group policy right. Guenther (This used to be commit d832014a6fef657f484412372b5d09047552b183) --- source3/libgpo/gpo_sec.c | 67 ++++++++++++++++++++++++++++++++++-------------- 1 file changed, 48 insertions(+), 19 deletions(-) (limited to 'source3/libgpo/gpo_sec.c') diff --git a/source3/libgpo/gpo_sec.c b/source3/libgpo/gpo_sec.c index 5a4e29d270..abdcd17378 100644 --- a/source3/libgpo/gpo_sec.c +++ b/source3/libgpo/gpo_sec.c @@ -19,33 +19,60 @@ #include "includes.h" - /* When modifiying security filtering with gpmc.msc (on w2k3) the - * following ACE is created in the DACL: +/**************************************************************** +****************************************************************/ -------- ACE (type: 0x05, flags: 0x02, size: 0x38, mask: 0x100, object flags: 0x1) -access SID: $SID -access type: ALLOWED OBJECT -Permissions: - [Apply Group Policy] (0x00000100) +static BOOL gpo_sd_check_agp_object_guid(const struct security_ace_object *object) +{ + struct GUID ext_right_apg_guid; + NTSTATUS status; + + if (!object) { + return False; + } -------- ACE (type: 0x00, flags: 0x02, size: 0x24, mask: 0x20014) -access SID: $SID -access type: ALLOWED -Permissions: - [List Contents] (0x00000004) - [Read All Properties] (0x00000010) - [Read Permissions] (0x00020000) + status = GUID_from_string(ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY, + &ext_right_apg_guid); + if (!NT_STATUS_IS_OK(status)) { + return False; + } - * by default all "Authenticated Users" (S-1-5-11) have an ALLOW - * OBJECT ace with SEC_RIGHTS_APPLY_GROUP_POLICY mask */ + switch (object->flags) { + case SEC_ACE_OBJECT_PRESENT: + if (GUID_equal(&object->type.type, + &ext_right_apg_guid)) { + return True; + } + case SEC_ACE_OBJECT_INHERITED_PRESENT: + if (GUID_equal(&object->inherited_type.inherited_type, + &ext_right_apg_guid)) { + return True; + } + default: + break; + } + return False; +} + +/**************************************************************** +****************************************************************/ + +static BOOL gpo_sd_check_agp_object(const SEC_ACE *ace) +{ + if (sec_ace_object(ace->type)) { + return gpo_sd_check_agp_object_guid(&ace->object.object); + } + + return False; +} /**************************************************************** ****************************************************************/ static BOOL gpo_sd_check_agp_access_bits(uint32 access_mask) { - return (access_mask & SEC_RIGHTS_APPLY_GROUP_POLICY); + return (access_mask & SEC_RIGHTS_EXTENDED); } #if 0 @@ -93,7 +120,8 @@ static BOOL gpo_sd_check_trustee_in_sid_token(const DOM_SID *trustee, static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace, const struct GPO_SID_TOKEN *token) { - if (gpo_sd_check_agp_access_bits(ace->access_mask) && + if (gpo_sd_check_agp_object(ace) && + gpo_sd_check_agp_access_bits(ace->access_mask) && gpo_sd_check_trustee_in_sid_token(&ace->trustee, token)) { DEBUG(10,("gpo_sd_check_ace_denied_object: Access denied as of ace for %s\n", sid_string_static(&ace->trustee))); @@ -109,7 +137,8 @@ static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace, static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace, const struct GPO_SID_TOKEN *token) { - if (gpo_sd_check_agp_access_bits(ace->access_mask) && + if (gpo_sd_check_agp_object(ace) && + gpo_sd_check_agp_access_bits(ace->access_mask) && gpo_sd_check_trustee_in_sid_token(&ace->trustee, token)) { DEBUG(10,("gpo_sd_check_ace_allowed_object: Access granted as of ace for %s\n", sid_string_static(&ace->trustee))); -- cgit