Copyright (C) Nadezhda Ivanova 2010
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
* Component: ldb ACL modules
* Description: Some auxiliary functions used for access checking
* Author: Nadezhda Ivanova
#include "ldb_module.h"
#include "auth/auth.h"
#include "libcli/security/security.h"
#include "dsdb/samdb/samdb.h"
#include "librpc/gen_ndr/ndr_security.h"
#include "param/param.h"
#include "dsdb/samdb/ldb_modules/util.h"
/*
 * Return the caller's security token, taken from the auth_session_info that
 * the caller of the module stack attached to the ldb context under the
 * "sessionInfo" opaque.
 *
 * NOTE(review): this listing is partial (the gutter jumps from 42 to 46), so
 * whether session_info is NULL-checked before the dereference on the return
 * line cannot be confirmed from here. acl_user_name() below appears to handle
 * a missing session, so presumably this function does too - verify.
 */
struct security_token *acl_user_token(struct ldb_module *module)
40
struct ldb_context *ldb = ldb_module_get_ctx(module);
41
/* ldb_get_opaque() returns a void *; the cast expresses the expected type,
 * it does not validate it. Only code that set "sessionInfo" guarantees it. */
struct auth_session_info *session_info
42
= (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
46
return session_info->security_token;
/* performs an access check from inside the module stack
* given the dn of the object to be checked, the required access
* guid is either the guid of the extended right, or NULL
/*
 * Access check on the object named by dn, performed from inside the module
 * stack (see the comment above). The object is re-read with
 * dsdb_module_search_dn() using DSDB_FLAG_NEXT_MODULE (the search is passed
 * to the next module rather than re-entered at the top of the stack) and
 * DSDB_SEARCH_SHOW_RECYCLED (presumably so that recycled/deleted objects can
 * still be checked), requesting only nTSecurityDescriptor. The result is then
 * handed to dsdb_check_access_on_dn_internal() with the caller's token.
 *
 * Returns an ldb error code: ldb_operr() on the early-return path below
 * (its guarding condition is on an omitted line - presumably a missing
 * session info), the search's own error when the object cannot be read,
 * otherwise whatever the internal check returns.
 *
 * NOTE(review): this listing is partial; the parameters mem_ctx, dn and
 * access_mask and the local ret used below are declared on lines not shown
 * here, and the closing of the function is not visible either.
 */
int dsdb_module_check_access_on_dn(struct ldb_module *module,
58
const struct GUID *guid,
59
struct ldb_request *parent)
62
struct ldb_result *acl_res;
63
/* Only the security descriptor is needed to evaluate access. */
static const char *acl_attrs[] = {
64
"nTSecurityDescriptor",
68
struct ldb_context *ldb = ldb_module_get_ctx(module);
69
struct auth_session_info *session_info
70
= (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
72
/* Guarded by the condition on omitted line 71 (presumably !session_info). */
return ldb_operr(ldb);
74
ret = dsdb_module_search_dn(module, mem_ctx, &acl_res, dn,
76
DSDB_FLAG_NEXT_MODULE |
77
DSDB_SEARCH_SHOW_RECYCLED,
79
if (ret != LDB_SUCCESS) {
80
/* Logged at debug level 0, i.e. visible at the default log level; a
 * lookup of a non-existent dn will therefore show up in the logs. The
 * error code is presumably returned on the omitted line that follows. */
DEBUG(0,("access_check: failed to find object %s\n", ldb_dn_get_linearized(dn)));
83
/* The remaining arguments (access mask, guid, ...) are on omitted lines. */
return dsdb_check_access_on_dn_internal(ldb, acl_res,
85
session_info->security_token,
/*
 * Variant of dsdb_module_check_access_on_dn() that locates the object by its
 * objectGUID instead of its dn: a subtree search from the default base
 * (NULL) with the filter "objectGUID=<guid>" and the same
 * DSDB_FLAG_NEXT_MODULE | DSDB_SEARCH_SHOW_RECYCLED flags, requesting only
 * nTSecurityDescriptor. The dn of the first match is then passed to
 * dsdb_check_access_on_dn_internal() together with the caller's token.
 *
 * A search error or an empty result is treated the same way: logged at
 * level 0 and (presumably, on the omitted line after the DEBUG) returned to
 * the caller. If more than one entry matches, only msgs[0] is used.
 *
 * NOTE(review): this listing is partial; mem_ctx, guid, access_mask and ret
 * are declared on lines not shown here.
 */
int dsdb_module_check_access_on_guid(struct ldb_module *module,
95
const struct GUID *oc_guid,
96
struct ldb_request *parent)
99
struct ldb_result *acl_res;
100
static const char *acl_attrs[] = {
101
"nTSecurityDescriptor",
105
struct ldb_context *ldb = ldb_module_get_ctx(module);
106
struct auth_session_info *session_info
107
= (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
109
/* Guarded by the condition on omitted line 108 (presumably !session_info). */
return ldb_operr(ldb);
111
ret = dsdb_module_search(module, mem_ctx, &acl_res, NULL, LDB_SCOPE_SUBTREE,
113
DSDB_FLAG_NEXT_MODULE |
114
DSDB_SEARCH_SHOW_RECYCLED,
116
/* The "%s" is filled from GUID_string(), i.e. a fixed-format rendering
 * of a struct GUID, not caller-supplied text, so no filter metacharacters
 * can reach the filter this way. NOTE(review): if GUID_string() can fail
 * (talloc failure) this passes NULL to "%s" - confirm it cannot. */
"objectGUID=%s", GUID_string(mem_ctx, guid));
118
/* acl_res is only dereferenced when the search itself succeeded. */
if (ret != LDB_SUCCESS || acl_res->count == 0) {
119
/* Second GUID_string() allocation on mem_ctx, purely for the log line. */
DEBUG(0,("access_check: failed to find object %s\n", GUID_string(mem_ctx, guid)));
122
return dsdb_check_access_on_dn_internal(ldb, acl_res,
124
session_info->security_token,
125
acl_res->msgs[0]->dn,
/*
 * Check whether the caller has access_mask on a single attribute of an
 * object whose security descriptor is sd.
 *
 * An object tree is built in tmp_ctx: when attr->attributeSecurityGUID is
 * non-zero it is inserted first (the property set) and, from the second
 * insert_in_object_tree() call, the attribute's own GUID is presumably
 * added beneath it; otherwise (third call) the attribute GUID alone is
 * inserted. sec_access_check_ds() is then evaluated against sd with the
 * caller's token, and a non-OK NTSTATUS is mapped to
 * LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS. Failures to build the tree are logged
 * at level 10 and end on the ldb_operr() path at the bottom (presumably via
 * a jump on the omitted lines). tmp_ctx is freed on both paths.
 *
 * NOTE(review): this listing is partial. mem_ctx, ret, status and the
 * arguments of sec_access_check_ds() (where rp_sid and access_granted are
 * presumably passed) are on lines not shown. In the visible lines neither
 * tmp_ctx (talloc_new() may return NULL) nor token (acl_user_token() may
 * return NULL if there is no session info) is checked before use - confirm
 * against the full file.
 */
int acl_check_access_on_attribute(struct ldb_module *module,
132
struct security_descriptor *sd,
133
struct dom_sid *rp_sid,
134
uint32_t access_mask,
135
const struct dsdb_attribute *attr)
139
uint32_t access_granted;
140
struct object_tree *root = NULL;
141
struct object_tree *new_node = NULL;
142
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
143
struct security_token *token = acl_user_token(module);
145
/* A zero attributeSecurityGUID means the attribute is in no property set. */
if (!GUID_all_zero(&attr->attributeSecurityGUID)) {
146
if (!insert_in_object_tree(tmp_ctx,
147
&attr->attributeSecurityGUID,
150
DEBUG(10, ("acl_search: cannot add to object tree securityGUID\n"));
154
if (!insert_in_object_tree(tmp_ctx,
156
access_mask, &new_node,
158
DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
163
/* No property set: the attribute GUID is the only node (else branch,
 * the "else" itself is on an omitted line). */
if (!insert_in_object_tree(tmp_ctx,
167
DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
172
status = sec_access_check_ds(sd, token,
177
/* Any non-OK status is reported as an access error, not an internal one. */
if (!NT_STATUS_IS_OK(status)) {
178
ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
183
talloc_free(tmp_ctx);
186
/* Error path for the insert_in_object_tree() failures above. */
talloc_free(tmp_ctx);
187
return ldb_operr(ldb_module_get_ctx(module));
/* checks for validated writes */
/*
 * Check whether token grants the extended right / validated write identified
 * by the GUID string ext_right on an object with security descriptor sd
 * (see the comment above). The GUID is parsed into `right`, inserted as a
 * single node of type right_type into an object tree on tmp_ctx, and
 * sec_access_check_ds() is evaluated against sd.
 *
 * Returns LDB_ERR_OPERATIONS_ERROR when the tree cannot be built,
 * LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS when the check fails, and presumably
 * LDB_SUCCESS after the final talloc_free() (the return is on an omitted
 * line). tmp_ctx is freed on every visible path.
 *
 * NOTE(review): this listing is partial; `right`, right_type, access_mask
 * and status are declared on lines not shown. Unlike
 * acl_check_access_on_attribute() this function returns directly from each
 * error path instead of sharing a cleanup tail.
 */
int acl_check_extended_right(TALLOC_CTX *mem_ctx,
193
struct security_descriptor *sd,
194
struct security_token *token,
195
const char *ext_right,
201
uint32_t access_granted;
202
struct object_tree *root = NULL;
203
struct object_tree *new_node = NULL;
204
/* NOTE(review): not NULL-checked in the visible lines. */
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
206
/* NOTE(review): the NTSTATUS from GUID_from_string() is discarded here. If
 * ext_right is not a well-formed GUID string, `right` may be left unset and
 * the access check below would run against a meaningless object GUID.
 * Callers presumably pass fixed extended-right GUID constants, but checking
 * the status and returning LDB_ERR_OPERATIONS_ERROR would make this robust. */
GUID_from_string(ext_right, &right);
208
if (!insert_in_object_tree(tmp_ctx, &right, right_type,
210
DEBUG(10, ("acl_ext_right: cannot add to object tree\n"));
211
talloc_free(tmp_ctx);
212
return LDB_ERR_OPERATIONS_ERROR;
214
status = sec_access_check_ds(sd, token,
220
/* Any non-OK status is reported as an access error. */
if (!NT_STATUS_IS_OK(status)) {
221
talloc_free(tmp_ctx);
222
return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
224
talloc_free(tmp_ctx);
/*
 * Return a "DOMAIN\account" string naming the caller, for use in log
 * messages. Built from the auth_session_info stored under the "sessionInfo"
 * opaque of the module's ldb context.
 *
 * Ownership: on success the string is talloc_asprintf()'d as a child of
 * mem_ctx (and may be NULL on allocation failure); on the early-return path
 * a string literal is returned instead. Callers must therefore never
 * talloc_free() the result directly - free mem_ctx.
 *
 * NOTE(review): this listing is partial; the condition guarding the
 * "UNKNOWN (NULL)" return is on an omitted line (presumably !session_info).
 * session_info->info is dereferenced without a visible check.
 */
const char *acl_user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module)
230
struct ldb_context *ldb = ldb_module_get_ctx(module);
231
struct auth_session_info *session_info
232
= (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
234
/* Static literal, not talloc memory - see the ownership note above. */
return "UNKNOWN (NULL)";
237
return talloc_asprintf(mem_ctx, "%s\\%s",
238
session_info->info->domain_name,
239
session_info->info->account_name);