From 2fbb43ad82c16ae83da39ff61f665697564c3482 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 16 Jun 2005 20:29:15 +0000 Subject: r7647: add access checks to the top level hive open calls; will need to pass the open request through the backend access check for the subkey open calls (This used to be commit 23acef44e978f3bace762cc98c310b11f0021d31) --- source3/rpc_server/srv_reg_nt.c | 92 +++++++++++++++++++++++++++++++++++++++-- 1 file changed, 89 insertions(+), 3 deletions(-) (limited to 'source3/rpc_server') diff --git a/source3/rpc_server/srv_reg_nt.c b/source3/rpc_server/srv_reg_nt.c index 31a6c019bb..01c60a473f 100644 --- a/source3/rpc_server/srv_reg_nt.c +++ b/source3/rpc_server/srv_reg_nt.c @@ -43,6 +43,53 @@ struct generic_mapping reg_map = { REG_KEY_READ, REG_KEY_WRITE, REG_KEY_EXECUTE, REG_KEY_ALL }; +/******************************************************************** +********************************************************************/ + +static NTSTATUS registry_access_check( SEC_DESC *sec_desc, NT_USER_TOKEN *token, + uint32 access_desired, uint32 *access_granted ) +{ + NTSTATUS result; + + se_access_check( sec_desc, token, access_desired, access_granted, &result ); + + return result; +} + +/******************************************************************** +********************************************************************/ + +static SEC_DESC* construct_reg_hive_sd( TALLOC_CTX *ctx ) +{ + SEC_ACE ace[2]; + SEC_ACCESS mask; + size_t i = 0; + SEC_DESC *sd; + SEC_ACL *acl; + uint32 sd_size; + + /* basic access for Everyone */ + + init_sec_access(&mask, REG_KEY_READ ); + init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + /* Full Access 'BUILTIN\Administrators' */ + + init_sec_access(&mask, REG_KEY_ALL ); + init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + + /* create the security descriptor */ + + if ( !(acl = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) ) + return NULL; + + if ( !(sd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, acl, &sd_size)) ) + return NULL; + + return sd; +} + /****************************************************************** free() function for REGISTRY_KEY *****************************************************************/ @@ -290,7 +337,20 @@ WERROR _reg_close(pipes_struct *p, REG_Q_CLOSE *q_u, REG_R_CLOSE *r_u) WERROR _reg_open_hklm(pipes_struct *p, REG_Q_OPEN_HIVE *q_u, REG_R_OPEN_HIVE *r_u) { - return open_registry_key( p, &r_u->pol, NULL, KEY_HKLM, 0x0 ); + SEC_DESC *sec_desc; + uint32 access_granted = 0; + NTSTATUS status; + + /* perform access checks */ + + if ( !(sec_desc = construct_reg_hive_sd( p->mem_ctx )) ) + return WERR_NOMEM; + + status = registry_access_check( sec_desc, p->pipe_user.nt_user_token, q_u->access, &access_granted ); + if ( !NT_STATUS_IS_OK(status) ) + return ntstatus_to_werror( status ); + + return open_registry_key( p, &r_u->pol, NULL, KEY_HKLM, access_granted ); } /******************************************************************* @@ -298,7 +358,20 @@ WERROR _reg_open_hklm(pipes_struct *p, REG_Q_OPEN_HIVE *q_u, REG_R_OPEN_HIVE *r_ WERROR _reg_open_hkcr(pipes_struct *p, REG_Q_OPEN_HIVE *q_u, REG_R_OPEN_HIVE *r_u) { - return open_registry_key( p, &r_u->pol, NULL, KEY_HKCR, 0x0 ); + SEC_DESC *sec_desc; + uint32 access_granted = 0; + NTSTATUS status; + + /* perform access checks */ + + if ( !(sec_desc = construct_reg_hive_sd( p->mem_ctx )) ) + return WERR_NOMEM; + + status = registry_access_check( sec_desc, p->pipe_user.nt_user_token, q_u->access, &access_granted ); + if ( !NT_STATUS_IS_OK(status) ) + return ntstatus_to_werror( status ); + + return open_registry_key( p, &r_u->pol, NULL, KEY_HKCR, access_granted ); } /******************************************************************* @@ -306,7 +379,20 @@ WERROR _reg_open_hkcr(pipes_struct *p, REG_Q_OPEN_HIVE *q_u, REG_R_OPEN_HIVE *r_ WERROR _reg_open_hku(pipes_struct *p, REG_Q_OPEN_HIVE *q_u, REG_R_OPEN_HIVE *r_u) { - return open_registry_key( p, &r_u->pol, NULL, KEY_HKU, 0x0 ); + SEC_DESC *sec_desc; + uint32 access_granted = 0; + NTSTATUS status; + + /* perform access checks */ + + if ( !(sec_desc = construct_reg_hive_sd( p->mem_ctx )) ) + return WERR_NOMEM; + + status = registry_access_check( sec_desc, p->pipe_user.nt_user_token, q_u->access, &access_granted ); + if ( !NT_STATUS_IS_OK(status) ) + return ntstatus_to_werror( status ); + + return open_registry_key( p, &r_u->pol, NULL, KEY_HKU, access_granted ); } /******************************************************************* -- cgit