/* ldb database library Copyright (C) Simo Sorce 2006-2008 Copyright (C) Nadezhda Ivanova 2009 Copyright (C) Anatoliy Atanasov 2009 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . */ /* * Name: ldb * * Component: ldb ACL module * * Description: Module that performs authorisation access checks based on the * account's security context and the DACL of the object being polled. * Only DACL checks implemented at this point * * Authors: Nadezhda Ivanova, Anatoliy Atanasov */ #include "includes.h" #include "ldb_module.h" #include "auth/auth.h" #include "libcli/security/security.h" #include "librpc/gen_ndr/ndr_security.h" #include "dsdb/samdb/samdb.h" #include "librpc/gen_ndr/ndr_security.h" #include "param/param.h" /* acl_search helper */ struct acl_context { struct ldb_module *module; struct ldb_request *req; struct ldb_request *down_req; /*needed if we have to identify if this is SYSTEM_USER*/ enum security_user_level user_type; uint32_t access_needed; struct ldb_dn * dn_to_check; /* set to true when we need to process the request as a SYSTEM_USER, regardless * of the user's actual rights - for example when we need to retrieve the * ntSecurityDescriptor */ bool ignore_security; struct security_token *token; /*needed to identify if we have requested these attributes*/ bool nTSecurityDescriptor; bool objectClass; int sec_result; }; struct extended_access_check_attribute { const char *oa_name; const uint32_t requires_rights; }; struct acl_private{ bool perform_check; }; static int acl_search_callback(struct ldb_request *req, struct ldb_reply *ares); /*FIXME: Perhaps this should go in the .idl file*/ #define SEC_GENERIC_ACCESS_NEVER_GRANTED ( 0xFFFFFFFF ) /*Contains a part of the attributes - the ones that have predefined required rights*/ static const struct extended_access_check_attribute extended_access_checks_table[] = { { .oa_name = "nTSecurityDescriptor", .requires_rights = SEC_FLAG_SYSTEM_SECURITY & SEC_STD_READ_CONTROL, }, { .oa_name = "pekList", .requires_rights = SEC_GENERIC_ACCESS_NEVER_GRANTED, }, { .oa_name = "currentValue", .requires_rights = SEC_GENERIC_ACCESS_NEVER_GRANTED, }, { .oa_name = "dBCSPwd", .requires_rights = SEC_GENERIC_ACCESS_NEVER_GRANTED, }, { .oa_name = "unicodePwd", .requires_rights = SEC_GENERIC_ACCESS_NEVER_GRANTED, }, { .oa_name = "ntPwdHistory", .requires_rights = SEC_GENERIC_ACCESS_NEVER_GRANTED, }, { .oa_name = "priorValue", .requires_rights = SEC_GENERIC_ACCESS_NEVER_GRANTED, }, { .oa_name = "supplementalCredentials", .requires_rights = SEC_GENERIC_ACCESS_NEVER_GRANTED, }, { .oa_name = "trustAuthIncoming", .requires_rights = SEC_GENERIC_ACCESS_NEVER_GRANTED, }, { .oa_name = "trustAuthOutgoing", .requires_rights = SEC_GENERIC_ACCESS_NEVER_GRANTED, }, { .oa_name = "ImPwdHistory", .requires_rights = SEC_GENERIC_ACCESS_NEVER_GRANTED, }, { .oa_name = "initialAuthIncoming", .requires_rights = SEC_GENERIC_ACCESS_NEVER_GRANTED, }, { .oa_name = "initialAuthOutgoing", .requires_rights = SEC_GENERIC_ACCESS_NEVER_GRANTED, }, { .oa_name = "msDS-ExecuteScriptPassword", .requires_rights = SEC_GENERIC_ACCESS_NEVER_GRANTED, }, }; static NTSTATUS extended_access_check(const char *attribute_name, const int access_rights, uint32_t searchFlags) { int i = 0; if (access_rights == SEC_GENERIC_ACCESS_NEVER_GRANTED) { return NT_STATUS_ACCESS_DENIED; } /*Check if the attribute is in the table first*/ for ( i = 0; extended_access_checks_table[i].oa_name; i++ ) { if (ldb_attr_cmp(extended_access_checks_table[i].oa_name, attribute_name) == 0) { if ((access_rights & extended_access_checks_table[i].requires_rights) == access_rights) { return NT_STATUS_OK; } else { return NT_STATUS_ACCESS_DENIED; } } } /*Check for attribute whose attributeSchema has 0x80 set in searchFlags*/ if ((searchFlags & SEARCH_FLAG_CONFIDENTIAL) == SEARCH_FLAG_CONFIDENTIAL) { if (((SEC_ADS_READ_PROP & SEC_ADS_CONTROL_ACCESS) & access_rights) == access_rights) { return NT_STATUS_OK; } else { return NT_STATUS_ACCESS_DENIED; } } /*Check attributes with *special* behaviour*/ if (ldb_attr_cmp("msDS-QuotaEffective", attribute_name) == 0 || ldb_attr_cmp("msDS-QuotaUsed", attribute_name) == 0){ /*Rights required: * *(RIGHT_DS_READ_PROPERTY on the Quotas container or *((the client is querying the quota for the security principal it is authenticated as) and *(DS-Query-Self-Quota control access right on the Quotas container)) */ } if (ldb_attr_cmp("userPassword", attribute_name) == 0) { /*When the dSHeuristics.fUserPwdSupport flag is false, the requester must be granted RIGHT_DS_READ_PROPERTY. *When the dSHeuristics.fUserPwdSupport flag is true, access is never granted. */ } if (ldb_attr_cmp("sDRightsEffective", attribute_name) == 0) { /*FIXME:3.1.1.4.5.4 in MS-ADTS*/ } if (ldb_attr_cmp("allowedChildClassesEffective", attribute_name) == 0) { /*FIXME:3.1.1.4.5.5 in MS-ADTS*/ } if (ldb_attr_cmp("allowedAttributesEffective", attribute_name) == 0) { /*FIXME:3.1.1.4.5.7 in MS-ADTS*/ } if (ldb_attr_cmp("msDS-Approx-Immed-Subordinates", attribute_name) == 0) { /*FIXME:3.1.1.4.5.15 in MS-ADTS*/ } if (ldb_attr_cmp("msDS-QuotaEffective", attribute_name) == 0) { /*FIXME:3.1.1.4.5.22 in MS-ADTS*/ } if (ldb_attr_cmp("msDS-ReplAttributeMetaData", attribute_name) == 0 || ldb_attr_cmp("msDS-ReplAttributeMetaData", attribute_name) == 0) { /*The security context of the requester must be granted the following rights on the replPropertyMetaData attribute: *(RIGHT_DS_READ_PROPERTY)or (DS-Replication-Manage-Topology by ON!nTSecurityDescriptor) */ } if (ldb_attr_cmp("msDS-NCReplInboundNeighbors", attribute_name) == 0) { /*The security context of the requester must be granted the following rights on repsFrom: *(RIGHT_DS_READ_PROPERTY) or (DS-Replication-Manage-Topology) or (DS-Replication-Monitor-Topology) */ } if (ldb_attr_cmp("msDS-NCReplOutboundNeighbors", attribute_name) == 0) { /*The security context of the requester must be granted the following rights on repsTo: *(RIGHT_DS_READ_PROPERTY) or (DS-Replication-Manage-Topology) or (DS-Replication-Monitor-Topology) */ } if (ldb_attr_cmp("msDS-NCReplCursors", attribute_name) == 0) { /*The security context of the requester must be granted the following rights on replUpToDateVector: (RIGHT_DS_READ_PROPERTY) *or (DS-Replication-Manage-Topology) or (DS-Replication-Monitor-Topology) */ } if (ldb_attr_cmp("msDS-IsUserCachableAtRodc", attribute_name) == 0) { /*The security context of the requester must be granted *the DS-Replication-Secrets-Synchronize control access right on the root of the default NC. */ } return NT_STATUS_OK; } /* Builds an object tree for object specific access checks */ static struct object_tree * build_object_tree_form_attr_list(TALLOC_CTX *mem_ctx, /* Todo this context or separate? */ struct ldb_context *ldb, const char ** attr_names, int num_attrs, const char * object_class, uint32_t init_access) { const struct dsdb_schema *schema = dsdb_get_schema(ldb); const struct GUID *oc_guid = class_schemaid_guid_by_lDAPDisplayName(schema, object_class); struct object_tree *tree; int i; if (!oc_guid) return NULL; tree = insert_in_object_tree(mem_ctx, oc_guid, NULL, init_access, NULL); if (attr_names){ for (i=0; i < num_attrs; i++){ const struct dsdb_attribute *attribute = dsdb_attribute_by_lDAPDisplayName(schema,attr_names[i]); if (attribute) insert_in_object_tree(mem_ctx, &attribute->schemaIDGUID, &attribute->attributeSecurityGUID, init_access, tree); } } return tree; } bool is_root_base_dn(struct ldb_context *ldb, struct ldb_dn *dn_to_check) { int result; struct ldb_dn *root_base_dn = ldb_get_root_basedn(ldb); result = ldb_dn_compare(root_base_dn,dn_to_check); return (result==0); } static int acl_op_callback(struct ldb_request *req, struct ldb_reply *ares) { struct acl_context *ac; ac = talloc_get_type(req->context, struct acl_context); if (!ares) { return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); } if (ares->error != LDB_SUCCESS) { return ldb_module_done(ac->req, ares->controls, ares->response, ares->error); } if (ares->type != LDB_REPLY_DONE) { talloc_free(ares); return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); } return ldb_module_done(ac->req, ares->controls, ares->response, ares->error); } static int acl_access_check_add(struct ldb_reply *ares, struct acl_context *ac, struct security_descriptor *sd) { uint32_t access_granted = 0; NTSTATUS status; struct ldb_dn *parent; struct ldb_dn *grandparent; struct object_tree *tree = NULL; parent = ldb_dn_get_parent(ac->req, ac->req->op.add.message->dn); grandparent = ldb_dn_get_parent(ac->req, parent); if (ldb_dn_compare(ares->message->dn, grandparent) == 0) status = sec_access_check_ds(sd, ac->token, SEC_ADS_LIST, &access_granted, NULL); else if (ldb_dn_compare(ares->message->dn, parent) == 0){ struct ldb_message_element *oc_el; struct ldb_context *ldb = ldb_module_get_ctx(ac->module); const struct dsdb_schema *schema = dsdb_get_schema(ldb); int i; oc_el = ldb_msg_find_element(ares->message, "objectClass"); if (!oc_el || oc_el->num_values == 0) return LDB_SUCCESS; for (i = 0; i < oc_el->num_values; i++){ const struct GUID *guid = class_schemaid_guid_by_lDAPDisplayName(schema, oc_el->values[i].data); ac->sec_result = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS; tree = insert_in_object_tree(ac->req, guid, NULL, SEC_ADS_CREATE_CHILD, tree); status = sec_access_check_ds(sd, ac->token, SEC_ADS_CREATE_CHILD,&access_granted, tree); if (NT_STATUS_IS_OK(status)) ac->sec_result = LDB_SUCCESS; } } else return LDB_SUCCESS; return ac->sec_result; } static int acl_access_check_modify(struct ldb_reply *ares, struct acl_context *ac, struct security_descriptor *sd) { uint32_t access_granted = 0; NTSTATUS status; struct ldb_dn *parent; struct object_tree *tree = NULL; parent = ldb_dn_get_parent(ac->req, ac->req->op.add.message->dn); if (ldb_dn_compare(ares->message->dn, parent) == 0) status = sec_access_check_ds(sd, ac->token, SEC_ADS_LIST,&access_granted, NULL); else if (ldb_dn_compare(ares->message->dn, ac->req->op.add.message->dn) == 0){ struct ldb_message_element *oc_el; struct ldb_context *ldb = ldb_module_get_ctx(ac->module); const struct dsdb_schema *schema = dsdb_get_schema(ldb); int i; struct GUID *guid; oc_el = ldb_msg_find_element(ares->message, "objectClass"); if (!oc_el || oc_el->num_values == 0) return LDB_SUCCESS; guid = class_schemaid_guid_by_lDAPDisplayName(schema, oc_el->values[oc_el->num_values-1].data); tree = insert_in_object_tree(ac->req, guid, NULL, SEC_ADS_WRITE_PROP, tree); for (i=0; i < ac->req->op.mod.message->num_elements; i++){ const struct dsdb_attribute *attr = dsdb_attribute_by_lDAPDisplayName(schema, ac->req->op.mod.message->elements[i].name); if (!attr) return LDB_ERR_OPERATIONS_ERROR; /* What should we actually return here? */ insert_in_object_tree(ac, &attr->schemaIDGUID, &attr->attributeSecurityGUID, ac->access_needed, tree); } status = sec_access_check_ds(sd, ac->token, SEC_ADS_WRITE_PROP ,&access_granted, tree); if (!NT_STATUS_IS_OK(status)) ac->sec_result = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS; } else return LDB_SUCCESS; return ac->sec_result; } /*TODO*/ static int acl_access_check_rename(struct ldb_reply *ares, struct acl_context *ac, struct security_descriptor *sd) { return ac->sec_result; } static int acl_access_check_delete(struct ldb_reply *ares, struct acl_context *ac, struct security_descriptor *sd) { uint32_t access_granted = 0; NTSTATUS status; struct ldb_dn *parent; struct object_tree *tree = NULL; parent = ldb_dn_get_parent(ac->req, ac->req->op.del.dn); if (ldb_dn_compare(ares->message->dn, parent) == 0){ status = sec_access_check_ds(sd, ac->token, SEC_ADS_LIST,&access_granted, NULL); if (!NT_STATUS_IS_OK(status)){ ac->sec_result = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS; return ac->sec_result; } status = sec_access_check_ds(sd, ac->token, SEC_ADS_DELETE_CHILD,&access_granted, NULL); if (NT_STATUS_IS_OK(status)){ ac->sec_result = LDB_SUCCESS; return ac->sec_result; } } else if (ldb_dn_compare(ares->message->dn, ac->req->op.del.dn) == 0){ status = sec_access_check_ds(sd, ac->token, SEC_STD_DELETE, &access_granted, NULL); if (!NT_STATUS_IS_OK(status)) ac->sec_result = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS; } return ac->sec_result; } static int acl_access_check_search(struct ldb_reply *ares, struct acl_context *ac, struct security_descriptor *sd) { uint32_t access_granted; NTSTATUS status; struct ldb_dn *parent; if (ac->user_type == SECURITY_SYSTEM || ac->user_type == SECURITY_ANONYMOUS) { return LDB_SUCCESS;/*FIXME: we have anonymous access*/ } parent = ldb_dn_get_parent(ac->req, ac->dn_to_check); ac->sec_result = LDB_SUCCESS; if (ldb_dn_compare(ares->message->dn, parent) == 0) { status = sec_access_check_ds(sd, ac->token, SEC_ADS_LIST,&access_granted, NULL); if (!NT_STATUS_IS_OK(status)) { ac->sec_result = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS; } } return ac->sec_result; } static int acl_perform_access_check(struct ldb_request *req, struct ldb_reply *ares, struct acl_context *ac) { struct ldb_message_element *oc_el; struct security_descriptor *sd; enum ndr_err_code ndr_err; oc_el = ldb_msg_find_element(ares->message, "ntSecurityDescriptor"); if (!oc_el || oc_el->num_values == 0) return LDB_SUCCESS; sd = talloc(ac, struct security_descriptor); if(!sd) { return ldb_module_done(ac->req, ares->controls, ares->response, LDB_ERR_OPERATIONS_ERROR); } ndr_err = ndr_pull_struct_blob(&oc_el->values[0], sd, NULL, sd, (ndr_pull_flags_fn_t)ndr_pull_security_descriptor); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) return ldb_module_done(ac->req, ares->controls, ares->response, LDB_ERR_OPERATIONS_ERROR); switch (ac->req->operation) { case LDB_SEARCH: return acl_access_check_search(ares, ac, sd); case LDB_ADD: return acl_access_check_add(ares, ac, sd); case LDB_MODIFY: return acl_access_check_modify(ares, ac, sd); case LDB_DELETE: return acl_access_check_delete(ares, ac, sd); case LDB_RENAME: return acl_access_check_rename(ares, ac, sd); default: return ldb_module_done(ac->req, ares->controls, ares->response, LDB_ERR_OPERATIONS_ERROR); } return LDB_SUCCESS; } static int acl_forward_add(struct ldb_reply *ares, struct acl_context *ac) { struct ldb_request *newreq; struct ldb_context *ldb; int ret; ldb = ldb_module_get_ctx(ac->module); ret = ldb_build_add_req(&newreq,ldb, ac, ac->req->op.add.message, ac->req->controls, ac, acl_op_callback, ac->req); if (ret != LDB_SUCCESS) return ldb_module_done(ac->req, ares->controls, ares->response, LDB_ERR_OPERATIONS_ERROR); return ldb_next_request(ac->module, newreq); } static int acl_forward_modify(struct ldb_reply *ares, struct acl_context *ac) { struct ldb_request *newreq; struct ldb_context *ldb; int ret; ldb = ldb_module_get_ctx(ac->module); ret = ldb_build_mod_req(&newreq,ldb, ac, ac->req->op.mod.message, ac->req->controls, ac, acl_op_callback, ac->req); if (ret != LDB_SUCCESS) return ldb_module_done(ac->req, ares->controls, ares->response, LDB_ERR_OPERATIONS_ERROR); return ldb_next_request(ac->module, newreq); } static int acl_forward_delete(struct ldb_reply *ares, struct acl_context *ac) { struct ldb_request *newreq; struct ldb_context *ldb; int ret; ldb = ldb_module_get_ctx(ac->module); ret = ldb_build_del_req(&newreq, ldb, ac, ac->req->op.del.dn, ac->req->controls, ac, acl_op_callback, ac->req); if (ret != LDB_SUCCESS) return ldb_module_done(ac->req, ares->controls, ares->response, LDB_ERR_OPERATIONS_ERROR); return ldb_next_request(ac->module, newreq); } static int acl_forward_rename(struct ldb_reply *ares, struct acl_context *ac) { return LDB_SUCCESS; } static int acl_forward_search(struct acl_context *ac) { int ret; const char * const *attrs; struct ldb_control *sd_control; struct ldb_control **sd_saved_controls; struct ldb_context *ldb; struct ldb_request *newreq; ldb = ldb_module_get_ctx(ac->module); attrs = ac->req->op.search.attrs; if (attrs) { ac->nTSecurityDescriptor = false; ac->objectClass = false; if (!ldb_attr_in_list(ac->req->op.search.attrs, "nTSecurityDescriptor")) { attrs = ldb_attr_list_copy_add(ac, attrs, "nTSecurityDescriptor"); ac->nTSecurityDescriptor = true; } if (!ldb_attr_in_list(ac->req->op.search.attrs, "objectClass")) { attrs = ldb_attr_list_copy_add(ac, attrs, "objectClass"); ac->objectClass = true; } } ret = ldb_build_search_req_ex(&newreq,ldb, ac, ac->req->op.search.base, ac->req->op.search.scope, ac->req->op.search.tree, attrs, ac->req->controls, ac, acl_search_callback, ac->req); if (ret != LDB_SUCCESS) { return LDB_ERR_OPERATIONS_ERROR; } /* check if there's an SD_FLAGS control */ sd_control = ldb_request_get_control(newreq, LDB_CONTROL_SD_FLAGS_OID); if (sd_control) { /* save it locally and remove it from the list */ /* we do not need to replace them later as we * are keeping the original req intact */ if (!save_controls(sd_control, newreq, &sd_saved_controls)) { return LDB_ERR_OPERATIONS_ERROR; } } return ldb_next_request(ac->module, newreq); } static int acl_forward_request(struct ldb_reply *ares, struct acl_context *ac) { switch (ac->req->operation) { case LDB_SEARCH: return acl_forward_search(ac); case LDB_ADD: return acl_forward_add(ares,ac); case LDB_MODIFY: return acl_forward_modify(ares,ac); case LDB_DELETE: return acl_forward_delete(ares,ac); case LDB_RENAME: return acl_forward_rename(ares,ac); default: return ldb_module_done(ac->req, ares->controls, ares->response, LDB_ERR_OPERATIONS_ERROR); } return LDB_SUCCESS; } static int acl_visible_callback(struct ldb_request *req, struct ldb_reply *ares) { struct acl_context *ac; ac = talloc_get_type(req->context, struct acl_context); if (!ares) { return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); } if (ares->error != LDB_SUCCESS) { return ldb_module_done(ac->req, ares->controls, ares->response, ares->error); } switch (ares->type) { case LDB_REPLY_ENTRY: return acl_perform_access_check(req, ares, ac); case LDB_REPLY_REFERRAL: return ldb_module_send_referral(ac->req, ares->referral); /* what to do here actually? */ case LDB_REPLY_DONE: if (ac->sec_result != LDB_SUCCESS) { return ldb_module_done(ac->req, ares->controls, ares->response, ac->sec_result); } return acl_forward_request(ares,ac); default: break; } return LDB_SUCCESS; } static enum security_user_level what_is_user(struct ldb_module *module) { struct ldb_context *ldb = ldb_module_get_ctx(module); struct auth_session_info *session_info = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo"); return security_session_user_level(session_info); } static struct security_token * user_token(struct ldb_module *module) { struct ldb_context *ldb = ldb_module_get_ctx(module); struct auth_session_info *session_info = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo"); if(!session_info) { return NULL; } return session_info->security_token; } static int make_req_access_check(struct ldb_module *module, struct ldb_request *req, struct acl_context *ac, const char *filter) { struct ldb_context *ldb; int ret; const char **attrs = talloc_array(ac, const char *, 3); struct ldb_parse_tree *tree = ldb_parse_tree(req, filter); attrs[0] = talloc_strdup(attrs, "ntSecurityDescriptor"); attrs[1] = talloc_strdup(attrs, "objectClass"); attrs[2] = NULL; ldb = ldb_module_get_ctx(module); ret = ldb_build_search_req_ex(&ac->down_req, ldb, ac, ac->dn_to_check, LDB_SCOPE_SUBTREE, tree, attrs, NULL, ac, acl_visible_callback, req); return ret; } static const char *user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module) { struct ldb_context *ldb = ldb_module_get_ctx(module); struct auth_session_info *session_info = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo"); if (!session_info) { return "UNKNOWN (NULL)"; } return talloc_asprintf(mem_ctx, "%s\\%s", session_info->server_info->domain_name, session_info->server_info->account_name); } static int acl_module_init(struct ldb_module *module) { struct ldb_context *ldb; struct acl_private *data; int ret; ldb = ldb_module_get_ctx(module); ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID); if (ret != LDB_SUCCESS) { ldb_debug(ldb, LDB_DEBUG_ERROR, "acl_module_init: Unable to register control with rootdse!\n"); return LDB_ERR_OPERATIONS_ERROR; } data = talloc(module, struct acl_private); data->perform_check = lp_parm_bool(ldb_get_opaque(ldb, "loadparm"), NULL, "acl", "perform", false); ldb_module_set_private(module, data); return ldb_next_init(module); } static int acl_add(struct ldb_module *module, struct ldb_request *req) { int ret; struct acl_context *ac; struct ldb_dn * parent = ldb_dn_get_parent(req, req->op.add.message->dn); char * filter; struct ldb_context *ldb; struct acl_private *data; ldb = ldb_module_get_ctx(module); data = talloc_get_type(ldb_module_get_private(module), struct acl_private); if (!data->perform_check) return ldb_next_request(module, req); ac = talloc(req, struct acl_context); if (ac == NULL) { return LDB_ERR_OPERATIONS_ERROR; } if (what_is_user(module) == SECURITY_SYSTEM) return ldb_next_request(module, req); ac->module = module; ac->req = req; ac->ignore_security = true; ac->dn_to_check = ldb_dn_get_parent(req, parent); ac->token = user_token(module); ac->user_type = what_is_user(module); ac->sec_result = LDB_SUCCESS; if (!is_root_base_dn(ldb, req->op.add.message->dn) && parent && !is_root_base_dn(ldb, parent)){ filter = talloc_asprintf(req,"(&(objectClass=*)(|(%s=%s)(%s=%s))))", ldb_dn_get_component_name(parent,0), ldb_dn_get_component_val(parent,0)->data, ldb_dn_get_component_name(ac->dn_to_check,0), ldb_dn_get_component_val(ac->dn_to_check,0)->data); ret = make_req_access_check(module, req, ac, filter); if (ret != LDB_SUCCESS){ return ret; } return ldb_next_request(module, ac->down_req); } return ldb_next_request(module, req); } static int acl_modify(struct ldb_module *module, struct ldb_request *req) { int ret; struct acl_context *ac; struct ldb_dn * parent = ldb_dn_get_parent(req, req->op.mod.message->dn); char * filter; struct ldb_context *ldb; struct acl_private *data; ldb = ldb_module_get_ctx(module); data = talloc_get_type(ldb_module_get_private(module), struct acl_private); if (!data->perform_check) return ldb_next_request(module, req); ac = talloc(req, struct acl_context); if (ac == NULL) { return LDB_ERR_OPERATIONS_ERROR; } /* TODO Is this really right? */ /* if (what_is_user(module) == SECURITY_SYSTEM) */ return ldb_next_request(module, req); ac->module = module; ac->req = req; ac->ignore_security = true; ac->dn_to_check = req->op.mod.message->dn; ac->token = user_token(module); ac->user_type = what_is_user(module); ac->sec_result = LDB_SUCCESS; if (!is_root_base_dn(ldb, req->op.mod.message->dn) && parent && !is_root_base_dn(ldb, parent)){ filter = talloc_asprintf(req,"(&(objectClass=*)(|(%s=%s)(%s=%s))))", ldb_dn_get_component_name(parent,0), ldb_dn_get_component_val(parent,0)->data, ldb_dn_get_component_name(req->op.mod.message->dn,0), ldb_dn_get_component_val(req->op.mod.message->dn,0)->data); ret = make_req_access_check(module, req, ac, filter); if (ret != LDB_SUCCESS){ return ret; } return ldb_next_request(module, ac->down_req); } return ldb_next_request(module, req); } /* similar to the modify for the time being. * We need to concider the special delete tree case, though - TODO */ static int acl_delete(struct ldb_module *module, struct ldb_request *req) { int ret; struct acl_context *ac; struct ldb_dn * parent = ldb_dn_get_parent(req, req->op.del.dn); char * filter; struct ldb_context *ldb; struct acl_private *data; ldb = ldb_module_get_ctx(module); data = talloc_get_type(ldb_module_get_private(module), struct acl_private); if (!data->perform_check) return ldb_next_request(module, req); ac = talloc(req, struct acl_context); if (ac == NULL) { return LDB_ERR_OPERATIONS_ERROR; } if (ac->user_type == SECURITY_SYSTEM) return ldb_next_request(module, req); ac->module = module; ac->req = req; ac->ignore_security = true; ac->dn_to_check = req->op.del.dn; ac->token = user_token(module); ac->user_type = what_is_user(module); ac->sec_result = LDB_SUCCESS; if (parent) { filter = talloc_asprintf(req,"(&(objectClass=*)(|(%s=%s)(%s=%s))))", ldb_dn_get_component_name(parent,0), ldb_dn_get_component_val(parent,0)->data, ldb_dn_get_component_name(req->op.del.dn,0), ldb_dn_get_component_val(req->op.del.dn,0)->data); ret = make_req_access_check(module, req, ac, filter); if (ret != LDB_SUCCESS){ return ret; } return ldb_next_request(module, ac->down_req); } return ldb_next_request(module, req); } static int acl_rename(struct ldb_module *module, struct ldb_request *req) { struct ldb_dn *source_parent; struct ldb_dn *dest_parent; int ret; struct acl_context *ac; char * filter; struct ldb_context *ldb; struct acl_private *data; ldb = ldb_module_get_ctx(module); data = talloc_get_type(ldb_module_get_private(module), struct acl_private); if (!data->perform_check) return ldb_next_request(module, req); ac = talloc(req, struct acl_context); if (ac == NULL) { return LDB_ERR_OPERATIONS_ERROR; } if (ac->user_type == SECURITY_SYSTEM) return ldb_next_request(module, req); ac->module = module; ac->req = req; ac->ignore_security = true; ac->token = user_token(module); ac->user_type = what_is_user(module); ac->sec_result = LDB_SUCCESS; /* We need to know if it is a simple rename or a move operation */ source_parent = ldb_dn_get_parent(req, req->op.rename.olddn); dest_parent = ldb_dn_get_parent(req, req->op.rename.newdn); if (ldb_dn_compare(source_parent, dest_parent) == 0){ /*Not a move, just rename*/ filter = talloc_asprintf(req,"(&(objectClass=*)(|(%s=%s)(%s=%s))))", ldb_dn_get_component_name(dest_parent,0), ldb_dn_get_component_val(dest_parent,0)->data, ldb_dn_get_component_name(req->op.rename.olddn,0), ldb_dn_get_component_val(req->op.rename.olddn,0)->data); } else{ filter = talloc_asprintf(req,"(&(objectClass=*)(|(%s=%s)(%s=%s))))", ldb_dn_get_component_name(dest_parent,0), ldb_dn_get_component_val(dest_parent,0)->data, ldb_dn_get_component_name(source_parent,0), ldb_dn_get_component_val(source_parent,0)->data); } ret = make_req_access_check(module, req, ac, filter); if (ret != LDB_SUCCESS){ return ret; } return ldb_next_request(module, ac->down_req); } static int acl_search_callback(struct ldb_request *req, struct ldb_reply *ares) { struct ldb_context *ldb; struct acl_context *ac; struct security_descriptor *sd; uint32_t searchFlags; uint32_t access_mask; struct object_tree *ot; int i, ret; NTSTATUS status; struct ldb_message_element *element_security_descriptor; struct ldb_message_element *element_object_class; const struct dsdb_attribute *attr; const struct dsdb_schema *schema; struct GUID *oc_guid; ac = talloc_get_type(req->context, struct acl_context); ldb = ldb_module_get_ctx(ac->module); schema = dsdb_get_schema(ldb); if (!ares) { return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); } if (ares->error != LDB_SUCCESS) { return ldb_module_done(ac->req, ares->controls, ares->response, ares->error); } switch (ares->type) { case LDB_REPLY_ENTRY: switch (ac->user_type) { case SECURITY_SYSTEM: case SECURITY_ANONYMOUS:/*FIXME: should we let anonymous have system access*/ break; default: /* Access checks * * 0. If we do not have nTSecurityDescriptor, we do not have an object in the response, * so check the parent dn. * 1. Call sec_access_check on empty tree * 2. For each attribute call extended_access_check * 3. For each attribute call build_object_tree_form_attr_list and then check with sec_access_check * */ element_security_descriptor = ldb_msg_find_element(ares->message, "nTSecurityDescriptor"); element_object_class = ldb_msg_find_element(ares->message, "objectClass"); if (!element_security_descriptor || !element_object_class) break; sd = talloc(ldb, struct security_descriptor); if(!sd) { return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); } if(!NDR_ERR_CODE_IS_SUCCESS(ndr_pull_struct_blob(&element_security_descriptor->values[0], ldb, NULL, sd, (ndr_pull_flags_fn_t)ndr_pull_security_descriptor))) { DEBUG(0, ("acl_search_callback: Error parsing security descriptor\n")); return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); } oc_guid = class_schemaid_guid_by_lDAPDisplayName(schema, element_object_class->values[0].data); for (i=0; imessage->num_elements; i++) { attr = dsdb_attribute_by_lDAPDisplayName(schema, ares->message->elements[i].name); if (attr) { searchFlags = attr->searchFlags; } else { searchFlags = 0x0; } /*status = extended_access_check(ares->message->elements[i].name, access_mask, searchFlags); */ /* Todo FIXME */ ac->access_needed = SEC_ADS_READ_PROP; if (NT_STATUS_IS_OK(status)) { ot = insert_in_object_tree(req, oc_guid, NULL, ac->access_needed, NULL); insert_in_object_tree(req, &attr->schemaIDGUID, &attr->attributeSecurityGUID, ac->access_needed, ot); status = sec_access_check_ds(sd, ac->token, ac->access_needed, &access_mask, ot); if (NT_STATUS_IS_OK(status)) { continue; } } ldb_msg_remove_attr(ares->message, ares->message->elements[i].name); } break; } if (ac->nTSecurityDescriptor) { ldb_msg_remove_attr(ares->message, "nTSecurityDescriptor"); } else if (ac->objectClass) { ldb_msg_remove_attr(ares->message, "objectClass"); } return ldb_module_send_entry(ac->req, ares->message, ares->controls); case LDB_REPLY_REFERRAL: return ldb_module_send_referral(ac->req, ares->referral); case LDB_REPLY_DONE: return ldb_module_done(ac->req, ares->controls,ares->response, LDB_SUCCESS); } return LDB_SUCCESS; } static int acl_search(struct ldb_module *module, struct ldb_request *req) { int ret; struct ldb_context *ldb; struct acl_context *ac; const char **attrs; struct ldb_control *sd_control; struct ldb_control **sd_saved_controls; struct ldb_dn * parent; struct acl_private *data; ldb = ldb_module_get_ctx(module); data = talloc_get_type(ldb_module_get_private(module), struct acl_private); if (!data || !data->perform_check) return ldb_next_request(module, req); if (what_is_user(module) == SECURITY_SYSTEM) return ldb_next_request(module, req); ac = talloc_get_type(req->context, struct acl_context); if ( ac == NULL ) { ac = talloc(req, struct acl_context); if (ac == NULL) { ldb_oom(ldb); return LDB_ERR_OPERATIONS_ERROR; } ac->module = module; ac->req = req; ac->ignore_security = false; ac->user_type = what_is_user(module); ac->token = user_token(module); ac->dn_to_check = req->op.search.base; ac->sec_result = LDB_SUCCESS; attrs = talloc_array(ac, const char*, 2); attrs[0] = talloc_strdup(attrs, "nTSecurityDescriptor"); attrs[1] = NULL; parent = ldb_dn_get_parent(req, ac->dn_to_check); if (!is_root_base_dn(ldb, req->op.search.base) && parent && !is_root_base_dn(ldb, parent)) { /*we have parent so check for visibility*/ ret = ldb_build_search_req(&ac->down_req, ldb, ac, parent, LDB_SCOPE_BASE, "(objectClass=*)", attrs, req->controls, ac, acl_visible_callback, req); if (ret != LDB_SUCCESS) { return ret; } return ldb_next_request(module, ac->down_req); } else { return acl_forward_search(ac); } } return ldb_next_request(module, req); } static int acl_extended(struct ldb_module *module, struct ldb_request *req) { struct ldb_context *ldb = ldb_module_get_ctx(module); enum security_user_level user_type; struct acl_private *data; data = talloc_get_type(ldb_module_get_private(module), struct acl_private); if (!data->perform_check) return ldb_next_request(module, req); /* allow everybody to read the sequence number */ if (strcmp(req->op.extended.oid, LDB_EXTENDED_SEQUENCE_NUMBER) == 0) { return ldb_next_request(module, req); } user_type = what_is_user(module); switch (user_type) { case SECURITY_SYSTEM: case SECURITY_ADMINISTRATOR: return ldb_next_request(module, req); default: ldb_asprintf_errstring(ldb, "acl_extended: attempted database modify not permitted." "User %s is not SYSTEM or an Administrator", user_name(req, module)); return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS; } } _PUBLIC_ const struct ldb_module_ops ldb_acl_module_ops = { .name = "acl", .search = acl_search, .add = acl_add, .modify = acl_modify, .del = acl_delete, .rename = acl_rename, .extended = acl_extended, .init_context = acl_module_init };