From c6a51dc5f1c06fe01ebcfa438f28cd551f0678ff Mon Sep 17 00:00:00 2001
From: Günther Deschner <gd@samba.org>
Date: Fri, 11 May 2007 15:28:07 +0000
Subject: r22803: Add some more flesh to the GPO security filtering (still very
 basic).

Guenther
(This used to be commit 8cfe32cb9cbe791308368f07b5bdbfcc84ac33d7)
---
 source3/libgpo/gpo_sec.c | 152 ++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 151 insertions(+), 1 deletion(-)

(limited to 'source3/libgpo')

diff --git a/source3/libgpo/gpo_sec.c b/source3/libgpo/gpo_sec.c
index 20366a9d20..fc7c5d2457 100644
--- a/source3/libgpo/gpo_sec.c
+++ b/source3/libgpo/gpo_sec.c
@@ -20,11 +20,161 @@
 
 #include "includes.h"
 
+	/* When modifiying security filtering with gpmc.msc (on w2k3) the
+	 * following ACE is created in the DACL:
+
+------- ACE (type: 0x05, flags: 0x02, size: 0x38, mask: 0x100, object flags: 0x1)
+access SID: $SID 
+access type: ALLOWED OBJECT
+Permissions:
+	[Apply Group Policy] (0x00000100)
+
+------- ACE (type: 0x00, flags: 0x02, size: 0x24, mask: 0x20014)
+access SID:  $SID
+access type: ALLOWED
+Permissions:
+	[List Contents] (0x00000004)
+	[Read All Properties] (0x00000010)
+	[Read Permissions] (0x00020000)
+
+	 * by default all "Authenticated Users" (S-1-5-11) have an ALLOW
+	 * OBJECT ace with SEC_RIGHTS_APPLY_GROUP_POLICY mask */
+
+
+/****************************************************************
+****************************************************************/
+
+static BOOL gpo_sd_check_agp_access_bits(uint32 access_mask)
+{
+	return (access_mask & SEC_RIGHTS_APPLY_GROUP_POLICY);
+}
+
+/****************************************************************
+****************************************************************/
+
+static BOOL gpo_sd_check_read_access_bits(uint32 access_mask)
+{
+	uint32 read_bits = SEC_RIGHTS_LIST_CONTENTS |
+			   SEC_RIGHTS_READ_ALL_PROP |
+			   SEC_RIGHTS_READ_PERMS;
+
+	return (read_bits == (access_mask & read_bits));
+}
+
+
+/****************************************************************
+****************************************************************/
+
+static BOOL gpo_sd_check_trustee_in_sid_token(const DOM_SID *trustee, 
+					      const struct GPO_SID_TOKEN *token)
+{
+	int i;
+
+	if (sid_equal(trustee, &token->object_sid)) {
+		return True;
+	}
+
+	if (sid_equal(trustee, &token->primary_group_sid)) {
+		return True;
+	}
+
+	for (i = 0; i < token->num_token_sids; i++) {
+		if (sid_equal(trustee, &token->token_sids[i])) {
+			return True;
+		}
+	}
+
+	return False;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace, 
+					       const struct GPO_SID_TOKEN *token) 
+{
+	if (gpo_sd_check_agp_access_bits(ace->access_mask) &&
+	    gpo_sd_check_trustee_in_sid_token(&ace->trustee, token)) {
+		DEBUG(10,("gpo_sd_check_ace_denied_object: Access denied as of ace for %s\n", 
+			sid_string_static(&ace->trustee)));
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
+	return STATUS_MORE_ENTRIES;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace, 
+						const struct GPO_SID_TOKEN *token) 
+{
+	if (gpo_sd_check_agp_access_bits(ace->access_mask) && 
+	    gpo_sd_check_trustee_in_sid_token(&ace->trustee, token)) {
+		DEBUG(10,("gpo_sd_check_ace_allowed_object: Access granted as of ace for %s\n", 
+			sid_string_static(&ace->trustee)));
+		return NT_STATUS_OK;
+	}
+
+	return STATUS_MORE_ENTRIES;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace, 
+				 const struct GPO_SID_TOKEN *token) 
+{
+	switch (ace->type) {
+		case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
+			return gpo_sd_check_ace_denied_object(ace, token);
+		case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
+			return gpo_sd_check_ace_allowed_object(ace, token);
+		default:
+			return STATUS_MORE_ENTRIES;
+	}
+}
+
 /****************************************************************
 ****************************************************************/
 
 NTSTATUS gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT *gpo, 
 				      const struct GPO_SID_TOKEN *token)
 {
-	return NT_STATUS_OK;
+	SEC_DESC *sd = gpo->security_descriptor;
+	SEC_ACL *dacl = NULL;
+	NTSTATUS status = NT_STATUS_ACCESS_DENIED;
+	int i;
+
+	if (!token) {
+		return NT_STATUS_INVALID_USER_BUFFER;
+	}
+
+	if (!sd) {
+		return NT_STATUS_INVALID_SECURITY_DESCR;
+	}
+
+	dacl = sd->dacl;
+	if (!dacl) {
+		return NT_STATUS_INVALID_SECURITY_DESCR;
+	}
+
+	/* check all aces and only return NT_STATUS_OK (== Access granted) or
+	 * NT_STATUS_ACCESS_DENIED ( == Access denied) - the default is to
+	 * deny access */
+
+	for (i = 0; i < dacl->num_aces; i ++) {
+
+		status = gpo_sd_check_ace(&dacl->aces[i], token);
+
+		if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+			return status;
+		} else if (NT_STATUS_IS_OK(status)) {
+			return status;
+		}
+
+		continue;
+	}
+
+	return NT_STATUS_ACCESS_DENIED;
 }
-- 
cgit