       1             : /*
       2             :   ACL utility functions
       3             : 
       4             :   Copyright (C) Nadezhda Ivanova 2010
       5             : 
       6             :   This program is free software; you can redistribute it and/or modify
       7             :   it under the terms of the GNU General Public License as published by
       8             :   the Free Software Foundation; either version 3 of the License, or
       9             :   (at your option) any later version.
      10             : 
      11             :   This program is distributed in the hope that it will be useful,
      12             :   but WITHOUT ANY WARRANTY; without even the implied warranty of
      13             :   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      14             :   GNU General Public License for more details.
      15             : 
      16             :   You should have received a copy of the GNU General Public License
      17             :   along with this program.  If not, see <http://www.gnu.org/licenses/>.
      18             : */
      19             : 
      20             : /*
      21             :  *  Name: acl_util
      22             :  *
      23             :  *  Component: ldb ACL modules
      24             :  *
      25             :  *  Description: Some auxiliary functions used for access checking
      26             :  *
      27             :  *  Author: Nadezhda Ivanova
      28             :  */
      29             : #include "includes.h"
      30             : #include "ldb_module.h"
      31             : #include "auth/auth.h"
      32             : #include "libcli/security/security.h"
      33             : #include "dsdb/samdb/samdb.h"
      34             : #include "librpc/gen_ndr/ndr_security.h"
      35             : #include "param/param.h"
      36             : #include "dsdb/samdb/ldb_modules/util.h"
      37             : 
/*
 * Return the security token of the session on whose behalf the current
 * request is being processed.
 *
 * The session info is looked up as the DSDB_SESSION_INFO opaque on the ldb
 * context.  When no session info has been attached, NULL is returned;
 * callers must be prepared for that.
 */
struct security_token *acl_user_token(struct ldb_module *module)
{
	struct ldb_context *ldb_ctx = ldb_module_get_ctx(module);
	struct auth_session_info *sinfo = NULL;

	sinfo = (struct auth_session_info *)ldb_get_opaque(ldb_ctx,
							   DSDB_SESSION_INFO);
	if (sinfo == NULL) {
		return NULL;
	}

	return sinfo->security_token;
}
      50             : 
/*
 * Perform an access check from inside the module stack.
 *
 * dn:          the object the check applies to
 * access_mask: the access being requested
 * guid:        either the GUID of the extended right being checked, or NULL
 * parent:      the request this check is being done on behalf of
 *
 * The object's nTSecurityDescriptor and objectSid are fetched with
 * DSDB_FLAG_AS_SYSTEM | DSDB_SEARCH_SHOW_RECYCLED (presumably so the SD is
 * always readable, even for recycled objects); the check itself is done
 * against the requesting session's token.  Returns an ldb error code; when
 * the object cannot be found the ldb errstring is set and the search error
 * is returned unchanged.
 */
int dsdb_module_check_access_on_dn(struct ldb_module *module,
				   TALLOC_CTX *mem_ctx,
				   struct ldb_dn *dn,
				   uint32_t access_mask,
				   const struct GUID *guid,
				   struct ldb_request *parent)
{
	static const char *acl_attrs[] = {
		"nTSecurityDescriptor",
		"objectSid",
		NULL
	};
	struct ldb_context *ldb = ldb_module_get_ctx(module);
	struct auth_session_info *session_info = NULL;
	struct ldb_result *acl_res = NULL;
	int ret;

	session_info = (struct auth_session_info *)ldb_get_opaque(ldb,
								  DSDB_SESSION_INFO);
	if (session_info == NULL) {
		/* no session to check against: refuse rather than guess */
		return ldb_operr(ldb);
	}

	ret = dsdb_module_search_dn(module, mem_ctx, &acl_res, dn, acl_attrs,
				    DSDB_FLAG_NEXT_MODULE |
				    DSDB_FLAG_AS_SYSTEM |
				    DSDB_SEARCH_SHOW_RECYCLED,
				    parent);
	if (ret != LDB_SUCCESS) {
		ldb_asprintf_errstring(ldb,
				       "access_check: failed to find object %s\n",
				       ldb_dn_get_linearized(dn));
		return ret;
	}

	/* acl_res stays owned by mem_ctx; the caller frees it */
	return dsdb_check_access_on_dn_internal(ldb, acl_res, mem_ctx,
						session_info->security_token,
						dn, access_mask, guid);
}
      97             : 
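/*
 * Check whether the requesting session may perform access_mask on a given
 * attribute of an object, using the object's security descriptor.
 *
 * The object tree handed to sec_access_check_ds() is built as
 *   objectclass->schemaIDGUID
 *     -> attr->attributeSecurityGUID (skipped when all-zero)
 *        -> attr->schemaIDGUID
 * so that object-specific ACEs at each of those levels are considered.
 *
 * sd:     security descriptor of the object
 * rp_sid: passed straight through to sec_access_check_ds()
 *
 * Returns LDB_SUCCESS when access is granted,
 * LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS when it is denied, ldb_oom() when the
 * temporary context cannot be allocated, and ldb_operr() when the check
 * could not be performed at all (no session token, object tree failure).
 */
int acl_check_access_on_attribute(struct ldb_module *module,
				  TALLOC_CTX *mem_ctx,
				  struct security_descriptor *sd,
				  struct dom_sid *rp_sid,
				  uint32_t access_mask,
				  const struct dsdb_attribute *attr,
				  const struct dsdb_class *objectclass)
{
	int ret;
	NTSTATUS status;
	uint32_t access_granted = 0;
	struct object_tree *root = NULL;
	struct object_tree *new_node = NULL;
	TALLOC_CTX *tmp_ctx = NULL;
	struct security_token *token = NULL;

	tmp_ctx = talloc_new(mem_ctx);
	if (tmp_ctx == NULL) {
		return ldb_oom(ldb_module_get_ctx(module));
	}

	/*
	 * acl_user_token() returns NULL when no session info is attached to
	 * the ldb context.  Fail closed here instead of handing a NULL token
	 * to sec_access_check_ds(), which is not shown to tolerate one.
	 */
	token = acl_user_token(module);
	if (token == NULL) {
		DEBUG(10, ("acl_search: no session security token available\n"));
		goto fail;
	}

	if (!insert_in_object_tree(tmp_ctx,
				   &objectclass->schemaIDGUID,
				   access_mask, NULL,
				   &root)) {
		DEBUG(10, ("acl_search: cannot add to object tree class schemaIDGUID\n"));
		goto fail;
	}
	new_node = root;

	/* only add the property-set level when the attribute has one */
	if (!GUID_all_zero(&attr->attributeSecurityGUID)) {
		if (!insert_in_object_tree(tmp_ctx,
					   &attr->attributeSecurityGUID,
					   access_mask, new_node,
					   &new_node)) {
			DEBUG(10, ("acl_search: cannot add to object tree securityGUID\n"));
			goto fail;
		}
	}

	if (!insert_in_object_tree(tmp_ctx,
				   &attr->schemaIDGUID,
				   access_mask, new_node,
				   &new_node)) {
		DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
		goto fail;
	}

	status = sec_access_check_ds(sd, token,
				     access_mask,
				     &access_granted,
				     root,
				     rp_sid);
	if (NT_STATUS_IS_OK(status)) {
		ret = LDB_SUCCESS;
	} else {
		ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
	}
	talloc_free(tmp_ctx);
	return ret;

fail:
	talloc_free(tmp_ctx);
	return ldb_operr(ldb_module_get_ctx(module));
}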
     158             : 
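/*
 * Check whether the requesting session may perform access_mask on an object
 * of class objectclass, using the object's security descriptor.
 *
 * Unlike acl_check_access_on_attribute() the object tree has a single node,
 * the class schemaIDGUID, so only class-level object-specific ACEs are
 * considered.
 *
 * sd:     security descriptor of the object
 * rp_sid: passed straight through to sec_access_check_ds()
 *
 * Returns LDB_SUCCESS when access is granted,
 * LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS when it is denied, ldb_oom() when the
 * temporary context cannot be allocated, and ldb_operr() when the check
 * could not be performed at all (no session token, object tree failure).
 */
int acl_check_access_on_objectclass(struct ldb_module *module,
				    TALLOC_CTX *mem_ctx,
				    struct security_descriptor *sd,
				    struct dom_sid *rp_sid,
				    uint32_t access_mask,
				    const struct dsdb_class *objectclass)
{
	int ret;
	NTSTATUS status;
	uint32_t access_granted = 0;
	struct object_tree *root = NULL;
	TALLOC_CTX *tmp_ctx = NULL;
	struct security_token *token = NULL;

	tmp_ctx = talloc_new(mem_ctx);
	if (tmp_ctx == NULL) {
		return ldb_oom(ldb_module_get_ctx(module));
	}

	/*
	 * acl_user_token() returns NULL when no session info is attached to
	 * the ldb context; fail closed rather than pass a NULL token on.
	 */
	token = acl_user_token(module);
	if (token == NULL) {
		DEBUG(10, ("acl_search: no session security token available\n"));
		goto fail;
	}

	if (!insert_in_object_tree(tmp_ctx,
				   &objectclass->schemaIDGUID,
				   access_mask, NULL,
				   &root)) {
		DEBUG(10, ("acl_search: cannot add to object tree class schemaIDGUID\n"));
		goto fail;
	}

	status = sec_access_check_ds(sd, token,
				     access_mask,
				     &access_granted,
				     root,
				     rp_sid);
	if (NT_STATUS_IS_OK(status)) {
		ret = LDB_SUCCESS;
	} else {
		ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
	}
	talloc_free(tmp_ctx);
	return ret;

fail:
	talloc_free(tmp_ctx);
	return ldb_operr(ldb_module_get_ctx(module));
}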
     197             : 
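/*
 * Check whether token holds the extended right (or validated write)
 * ext_right on the object described by sd.
 *
 * ext_right:  string form of the right's GUID
 * right_type: the access bit the right is expressed as; it is used both as
 *             the object-tree access mask and as the desired access
 * sid:        passed straight through to sec_access_check_ds()
 *
 * Returns LDB_SUCCESS when the right is held,
 * LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS when it is not, and
 * LDB_ERR_OPERATIONS_ERROR when the GUID cannot be parsed, the temporary
 * context cannot be allocated, or the object tree cannot be built.
 */
int acl_check_extended_right(TALLOC_CTX *mem_ctx,
			     struct security_descriptor *sd,
			     struct security_token *token,
			     const char *ext_right,
			     uint32_t right_type,
			     struct dom_sid *sid)
{
	struct GUID right;
	NTSTATUS status;
	uint32_t access_granted = 0;
	struct object_tree *root = NULL;
	TALLOC_CTX *tmp_ctx = NULL;

	/*
	 * A GUID string that does not parse must not silently become an
	 * access check against an uninitialised GUID: refuse the operation.
	 */
	status = GUID_from_string(ext_right, &right);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(10, ("acl_ext_right: cannot parse extended right GUID\n"));
		return LDB_ERR_OPERATIONS_ERROR;
	}

	tmp_ctx = talloc_new(mem_ctx);
	if (tmp_ctx == NULL) {
		return LDB_ERR_OPERATIONS_ERROR;
	}

	if (!insert_in_object_tree(tmp_ctx, &right, right_type,
				   NULL, &root)) {
		DEBUG(10, ("acl_ext_right: cannot add to object tree\n"));
		talloc_free(tmp_ctx);
		return LDB_ERR_OPERATIONS_ERROR;
	}

	status = sec_access_check_ds(sd, token,
				     right_type,
				     &access_granted,
				     root,
				     sid);
	/* the tree is no longer needed once the status is known */
	talloc_free(tmp_ctx);

	if (!NT_STATUS_IS_OK(status)) {
		return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
	}
	return LDB_SUCCESS;
}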
     233             : 
/*
 * Build a "DOMAIN\account" string naming the session that issued the
 * current request, for use in diagnostics.
 *
 * Returns a string allocated on mem_ctx, or the static literal
 * "UNKNOWN (NULL)" when no session info is attached to the ldb context.
 * talloc_asprintf() may return NULL on allocation failure, so callers
 * should not assume a non-NULL result.
 */
const char *acl_user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module)
{
	struct ldb_context *ldb_ctx = ldb_module_get_ctx(module);
	struct auth_session_info *sinfo = NULL;

	sinfo = (struct auth_session_info *)ldb_get_opaque(ldb_ctx,
							   DSDB_SESSION_INFO);
	if (sinfo == NULL) {
		return "UNKNOWN (NULL)";
	}

	return talloc_asprintf(mem_ctx, "%s\\%s",
			       sinfo->info->domain_name,
			       sinfo->info->account_name);
}
     249             : 
/*
 * Return the SECINFO flags requested by the SD_FLAGS control
 * (LDB_CONTROL_SD_FLAGS_OID) on req.
 *
 * explicit: if non-NULL, set to true when the request carried a usable
 *           SD_FLAGS control and to false otherwise.
 *
 * Only the low four bits of the control value are honoured, and per
 * MS-ADTS 3.1.1.3.4.1.11 a value with none of them set (or no control at
 * all) means all four parts: OWNER|GROUP|DACL|SACL.  A control that was
 * found is marked as handled by clearing its critical flag.
 */
uint32_t dsdb_request_sd_flags(struct ldb_request *req, bool *explicit)
{
	const uint32_t all_parts = SECINFO_OWNER | SECINFO_GROUP |
				   SECINFO_DACL | SECINFO_SACL;
	struct ldb_control *ctrl = NULL;
	struct ldb_sd_flags_control *sdctr = NULL;
	uint32_t flags;

	if (explicit != NULL) {
		*explicit = false;
	}

	ctrl = ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID);
	if (ctrl == NULL || ctrl->data == NULL) {
		/* no control: treated as "everything" */
		return all_parts;
	}

	sdctr = (struct ldb_sd_flags_control *)ctrl->data;
	if (explicit != NULL) {
		*explicit = true;
	}

	/* consumed here, so it must not be reported as an unhandled critical control */
	ctrl->critical = 0;

	/* only the 4 SECINFO bits are meaningful */
	flags = sdctr->secinfo_flags & 0x0000000F;
	if (flags == 0) {
		flags = all_parts;
	}

	return flags;
}
     286             : 
/*
 * Schedule a security descriptor propagation for the object identified by
 * guid under naming context nc_root.
 *
 * This sends the DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID extended operation
 * to the top of the module stack as SYSTEM and trusted, with the op both
 * as the extended data and as its own memory context.
 *
 * include_self: carried in the op; presumably whether the object itself is
 *               covered as well as its descendants, but that is up to the
 *               handler of the extended operation.
 *
 * Returns the ldb error code of the extended operation, or ldb_oom() when
 * the op cannot be allocated.  The op is freed before returning.
 */
int dsdb_module_schedule_sd_propagation(struct ldb_module *module,
					struct ldb_dn *nc_root,
					struct GUID guid,
					bool include_self)
{
	struct ldb_context *ldb = ldb_module_get_ctx(module);
	struct dsdb_extended_sec_desc_propagation_op *op = NULL;
	int ret;

	op = talloc_zero(module, struct dsdb_extended_sec_desc_propagation_op);
	if (op == NULL) {
		return ldb_oom(ldb);
	}

	*op = (struct dsdb_extended_sec_desc_propagation_op) {
		.nc_root = nc_root,
		.guid = guid,
		.include_self = include_self,
	};

	ret = dsdb_module_extended(module, op, NULL,
				   DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID,
				   op,
				   DSDB_FLAG_TOP_MODULE |
				   DSDB_FLAG_AS_SYSTEM |
				   DSDB_FLAG_TRUSTED,
				   NULL);
	TALLOC_FREE(op);
	return ret;
}
