LCOV - code coverage report
Current view: top level - source4/dsdb/common - dsdb_access.c (source / functions) Hit Total Coverage
Test: coverage report for master 6248eab5 Lines: 36 45 80.0 %
Date: 2021-08-25 13:27:56 Functions: 4 4 100.0 %

          Line data    Source code
       1             : /*
       2             :   ldb database library
       3             : 
       4             :   Copyright (C) Nadezhda Ivanova 2010
       5             : 
       6             :   This program is free software; you can redistribute it and/or modify
       7             :   it under the terms of the GNU General Public License as published by
       8             :   the Free Software Foundation; either version 3 of the License, or
       9             :   (at your option) any later version.
      10             : 
      11             :   This program is distributed in the hope that it will be useful,
      12             :   but WITHOUT ANY WARRANTY; without even the implied warranty of
      13             :   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      14             :   GNU General Public License for more details.
      15             : 
      16             :   You should have received a copy of the GNU General Public License
      17             :   along with this program.  If not, see <http://www.gnu.org/licenses/>.
      18             : */
      19             : 
      20             : /*
      21             :  *  Name: dsdb_access
      22             :  *
      23             :  *  Description: utility functions for access checking on objects
      24             :  *
      25             :  *  Authors: Nadezhda Ivanova
      26             :  */
      27             : 
      28             : #include "includes.h"
      29             : #include "ldb.h"
      30             : #include "ldb_module.h"
      31             : #include "ldb_errors.h"
      32             : #include "libcli/security/security.h"
      33             : #include "librpc/gen_ndr/ndr_security.h"
      34             : #include "libcli/ldap/ldap_ndr.h"
      35             : #include "param/param.h"
      36             : #include "auth/auth.h"
      37             : #include "dsdb/samdb/samdb.h"
      38             : #include "dsdb/common/util.h"
      39             : 
      40       47125 : void dsdb_acl_debug(struct security_descriptor *sd,
      41             :                       struct security_token *token,
      42             :                       struct ldb_dn *dn,
      43             :                       bool denied,
      44             :                       int level)
      45             : {
      46       47125 :         if (denied) {
      47       47125 :                 DEBUG(level, ("Access on %s denied", ldb_dn_get_linearized(dn)));
      48             :         } else {
      49           0 :                 DEBUG(level, ("Access on %s granted", ldb_dn_get_linearized(dn)));
      50             :         }
      51             : 
      52       47125 :         DEBUG(level,("Security context: %s\n",
      53             :                      ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_token,"", token)));
      54       47125 :         DEBUG(level,("Security descriptor: %s\n",
      55             :                      ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_descriptor,"", sd)));
      56       47125 : }
      57             : 
      58     1416881 : int dsdb_get_sd_from_ldb_message(struct ldb_context *ldb,
      59             :                                  TALLOC_CTX *mem_ctx,
      60             :                                  struct ldb_message *acl_res,
      61             :                                  struct security_descriptor **sd)
      62             : {
      63             :         struct ldb_message_element *sd_element;
      64             :         enum ndr_err_code ndr_err;
      65             : 
      66     1416881 :         sd_element = ldb_msg_find_element(acl_res, "nTSecurityDescriptor");
      67     1416881 :         if (sd_element == NULL) {
      68           0 :                 return ldb_error(ldb, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS,
      69             :                                  "nTSecurityDescriptor is missing");
      70             :         }
      71     1416881 :         *sd = talloc(mem_ctx, struct security_descriptor);
      72     1416881 :         if(!*sd) {
      73           0 :                 return ldb_oom(ldb);
      74             :         }
      75     1416881 :         ndr_err = ndr_pull_struct_blob(&sd_element->values[0], *sd, *sd,
      76             :                                        (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
      77             : 
      78     1416881 :         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
      79           0 :                 return ldb_operr(ldb);
      80             :         }
      81             : 
      82     1337146 :         return LDB_SUCCESS;
      83             : }
      84             : 
      85     1271831 : int dsdb_check_access_on_dn_internal(struct ldb_context *ldb,
      86             :                                      struct ldb_result *acl_res,
      87             :                                      TALLOC_CTX *mem_ctx,
      88             :                                      struct security_token *token,
      89             :                                      struct ldb_dn *dn,
      90             :                                      uint32_t access_mask,
      91             :                                      const struct GUID *guid)
      92             : {
      93     1271831 :         struct security_descriptor *sd = NULL;
      94     1271831 :         struct dom_sid *sid = NULL;
      95     1271831 :         struct object_tree *root = NULL;
      96             :         NTSTATUS status;
      97             :         uint32_t access_granted;
      98             :         int ret;
      99             : 
     100     1271831 :         ret = dsdb_get_sd_from_ldb_message(ldb, mem_ctx, acl_res->msgs[0], &sd);
     101     1271831 :         if (ret != LDB_SUCCESS) {
     102           0 :                 return ldb_operr(ldb);
     103             :         }
     104             : 
     105     1271831 :         sid = samdb_result_dom_sid(mem_ctx, acl_res->msgs[0], "objectSid");
     106     1271831 :         if (guid) {
     107      497008 :                 if (!insert_in_object_tree(mem_ctx, guid, access_mask, NULL,
     108             :                                            &root)) {
     109           0 :                         return ldb_operr(ldb);
     110             :                 }
     111             :         }
     112     1271831 :         status = sec_access_check_ds(sd, token,
     113             :                                      access_mask,
     114             :                                      &access_granted,
     115             :                                      root,
     116             :                                      sid);
     117     1271831 :         if (!NT_STATUS_IS_OK(status)) {
     118       46258 :                 dsdb_acl_debug(sd,
     119             :                                token,
     120             :                                dn,
     121             :                                true,
     122             :                                10);
     123       46258 :                 ldb_asprintf_errstring(ldb,
     124             :                                        "dsdb_access: Access check failed on %s",
     125             :                                        ldb_dn_get_linearized(dn));
     126       46258 :                 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
     127             :         }
     128     1148901 :         return LDB_SUCCESS;
     129             : }
     130             : 
     131             : /* performs an access check from outside the module stack
     132             :  * given the dn of the object to be checked, the required access
     133             :  * guid is either the guid of the extended right, or NULL
     134             :  */
     135             : 
     136       13539 : int dsdb_check_access_on_dn(struct ldb_context *ldb,
     137             :                             TALLOC_CTX *mem_ctx,
     138             :                             struct ldb_dn *dn,
     139             :                             struct security_token *token,
     140             :                             uint32_t access_mask,
     141             :                             const char *ext_right)
     142             : {
     143             :         int ret;
     144             :         struct GUID guid;
     145             :         struct ldb_result *acl_res;
     146             :         static const char *acl_attrs[] = {
     147             :                 "nTSecurityDescriptor",
     148             :                 "objectSid",
     149             :                 NULL
     150             :         };
     151             : 
     152       13539 :         if (ext_right != NULL) {
     153       13536 :                 NTSTATUS status = GUID_from_string(ext_right, &guid);
     154       13536 :                 if (!NT_STATUS_IS_OK(status)) {
     155           0 :                         return LDB_ERR_OPERATIONS_ERROR;
     156             :                 }
     157             :         }
     158             : 
     159             :         /*
     160             :          * We need AS_SYSTEM in order to get the nTSecurityDescriptor attribute.
     161             :          * Also the result of this search not controlled by the client
     162             :          * nor is the result exposed to the client.
     163             :          */
     164       13539 :         ret = dsdb_search_dn(ldb, mem_ctx, &acl_res, dn, acl_attrs,
     165             :                              DSDB_FLAG_AS_SYSTEM | DSDB_SEARCH_SHOW_RECYCLED);
     166       13539 :         if (ret != LDB_SUCCESS) {
     167           0 :                 DEBUG(10,("access_check: failed to find object %s\n", ldb_dn_get_linearized(dn)));
     168           0 :                 return ret;
     169             :         }
     170             : 
     171       13539 :         return dsdb_check_access_on_dn_internal(ldb, acl_res,
     172             :                                                 mem_ctx,
     173             :                                                 token,
     174             :                                                 dn,
     175             :                                                 access_mask,
     176             :                                                 ext_right ? &guid : NULL);
     177             : }
     178             : 

Generated by: LCOV version 1.13