static struct dom_sid *get_default_ag(TALLOC_CTX *mem_ctx,
struct ldb_dn *dn,
struct security_token *token,
struct ldb_context *ldb)
{
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
struct dom_sid *da_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ADMINS);
struct dom_sid *ea_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ENTERPRISE_ADMINS);
struct dom_sid *sa_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_SCHEMA_ADMINS);
struct dom_sid *dag_sid;
struct ldb_dn *nc_root;
int ret;
ret = dsdb_find_nc_root(ldb, tmp_ctx, dn, &nc_root);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return NULL;
}
if (ldb_dn_compare(nc_root, ldb_get_schema_basedn(ldb)) == 0) {
if (security_token_has_sid(token, sa_sid)) {
dag_sid = dom_sid_dup(mem_ctx, sa_sid);
} else if (security_token_has_sid(token, ea_sid)) {
dag_sid = dom_sid_dup(mem_ctx, ea_sid);
} else if (security_token_has_sid(token, da_sid)) {
dag_sid = dom_sid_dup(mem_ctx, da_sid);
} else if (security_token_is_system(token)) {
dag_sid = dom_sid_dup(mem_ctx, sa_sid);
} else {
dag_sid = NULL;
}
} else if (ldb_dn_compare(nc_root, ldb_get_config_basedn(ldb)) == 0) {
if (security_token_has_sid(token, ea_sid)) {
dag_sid = dom_sid_dup(mem_ctx, ea_sid);
} else if (security_token_has_sid(token, da_sid)) {
dag_sid = dom_sid_dup(mem_ctx, da_sid);
} else if (security_token_is_system(token)) {
dag_sid = dom_sid_dup(mem_ctx, ea_sid);
} else {
dag_sid = NULL;
}
} else if (ldb_dn_compare(nc_root, ldb_get_default_basedn(ldb)) == 0) {
if (security_token_has_sid(token, da_sid)) {
dag_sid = dom_sid_dup(mem_ctx, da_sid);
} else if (security_token_has_sid(token, ea_sid)) {
dag_sid = dom_sid_dup(mem_ctx, ea_sid);
} else if (security_token_is_system(token)) {
dag_sid = dom_sid_dup(mem_ctx, da_sid);
} else {
dag_sid = NULL;
}
} else {
dag_sid = NULL;
}
talloc_free(tmp_ctx);
return dag_sid;
}
enum security_user_level security_session_user_level(struct auth_session_info *session_info)
{
if (!session_info) {
return SECURITY_ANONYMOUS;
}
if (security_token_is_system(session_info->security_token)) {
return SECURITY_SYSTEM;
}
if (security_token_is_anonymous(session_info->security_token)) {
return SECURITY_ANONYMOUS;
}
if (security_token_has_builtin_administrators(session_info->security_token)) {
return SECURITY_ADMINISTRATOR;
}
if (security_token_has_enterprise_dcs(session_info->security_token)) {
return SECURITY_DOMAIN_CONTROLLER;
}
if (security_token_has_nt_authenticated_users(session_info->security_token)) {
return SECURITY_USER;
}
return SECURITY_ANONYMOUS;
}
/*
Fill in the auth_user_info_unix and auth_unix_token elements in a struct session_info
*/
NTSTATUS auth_session_info_fill_unix( struct wbc_context *wbc_ctx,
struct loadparm_context *lp_ctx,
struct auth_session_info *session_info)
{
char *su;
size_t len;
NTSTATUS status = security_token_to_unix_token(session_info, wbc_ctx,
session_info->security_token,
&session_info->unix_token);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
session_info->unix_info = talloc_zero(session_info, struct auth_user_info_unix);
NT_STATUS_HAVE_NO_MEMORY(session_info->unix_info);
session_info->unix_info->system = security_token_is_system(session_info->security_token);
session_info->unix_info->unix_name = talloc_asprintf(session_info->unix_info,
"%s%s%s", session_info->info->domain_name,
lpcfg_winbind_separator(lp_ctx),
session_info->info->account_name);
NT_STATUS_HAVE_NO_MEMORY(session_info->unix_info->unix_name);
len = strlen(session_info->info->account_name) + 1;
session_info->unix_info->sanitized_username = su = talloc_array(session_info->unix_info, char, len);
NT_STATUS_HAVE_NO_MEMORY(su);
alpha_strcpy(su, session_info->info->account_name,
". _-$", len);
return NT_STATUS_OK;
}
static enum user_is what_is_user(struct ldb_module *module)
{
struct auth_session_info *session_info
= ldb_get_opaque(module->ldb, "sessionInfo");
if (!session_info) {
return ANONYMOUS;
}
if (security_token_is_system(session_info->security_token)) {
return SYSTEM;
}
if (security_token_is_anonymous(session_info->security_token)) {
return ANONYMOUS;
}
if (security_token_has_builtin_administrators(session_info->security_token)) {
return ADMINISTRATOR;
}
if (security_token_has_nt_authenticated_users(session_info->security_token)) {
return USER;
}
return ANONYMOUS;
}
static bool is_priviledged_pipe(struct auth_session_info *info) {
/* If the user is not root, or has the system token, fail */
if ((info->unix_token->uid != sec_initial_uid()) &&
!security_token_is_system(info->security_token)) {
return false;
}
return true;
}
/*
setup the privilege mask for this security token based on our
local SAM
*/
NTSTATUS samdb_privilege_setup(struct tevent_context *ev_ctx,
struct loadparm_context *lp_ctx, struct security_token *token)
{
void *samctx;
TALLOC_CTX *mem_ctx;
int i;
NTSTATUS status;
/* Shortcuts to prevent recursion and avoid lookups */
if (token->user_sid == NULL) {
token->privilege_mask = 0;
return NT_STATUS_OK;
}
if (security_token_is_system(token)) {
token->privilege_mask = ~0;
return NT_STATUS_OK;
}
if (security_token_is_anonymous(token)) {
token->privilege_mask = 0;
return NT_STATUS_OK;
}
mem_ctx = talloc_new(token);
samctx = samdb_connect(mem_ctx, ev_ctx, lp_ctx, system_session(mem_ctx, lp_ctx));
if (samctx == NULL) {
talloc_free(mem_ctx);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
token->privilege_mask = 0;
for (i=0;i<token->num_sids;i++) {
status = samdb_privilege_setup_sid(samctx, mem_ctx,
token, token->sids[i]);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(mem_ctx);
return status;
}
}
talloc_free(mem_ctx);
return NT_STATUS_OK;
}
enum security_user_level security_session_user_level(struct auth_session_info *session_info,
const struct dom_sid *domain_sid)
{
if (!session_info) {
return SECURITY_ANONYMOUS;
}
if (security_token_is_system(session_info->security_token)) {
return SECURITY_SYSTEM;
}
if (security_token_is_anonymous(session_info->security_token)) {
return SECURITY_ANONYMOUS;
}
if (security_token_has_builtin_administrators(session_info->security_token)) {
return SECURITY_ADMINISTRATOR;
}
if (domain_sid) {
struct dom_sid *rodc_dcs;
rodc_dcs = dom_sid_add_rid(session_info, domain_sid, DOMAIN_RID_READONLY_DCS);
if (security_token_has_sid(session_info->security_token, rodc_dcs)) {
talloc_free(rodc_dcs);
return SECURITY_RO_DOMAIN_CONTROLLER;
}
talloc_free(rodc_dcs);
}
if (security_token_has_enterprise_dcs(session_info->security_token)) {
return SECURITY_DOMAIN_CONTROLLER;
}
if (security_token_has_nt_authenticated_users(session_info->security_token)) {
return SECURITY_USER;
}
return SECURITY_ANONYMOUS;
}
NTSTATUS access_check_object( struct security_descriptor *psd, struct security_token *token,
enum sec_privilege needed_priv_1, enum sec_privilege needed_priv_2,
uint32 rights_mask,
uint32 des_access, uint32 *acc_granted,
const char *debug )
{
NTSTATUS status = NT_STATUS_ACCESS_DENIED;
uint32 saved_mask = 0;
bool priv_granted = false;
bool is_system = false;
bool is_root = false;
/* Check if we are are the system token */
if (security_token_is_system(token) &&
security_token_system_privilege(token)) {
is_system = true;
}
/* Check if we are root */
if (root_mode()) {
is_root = true;
}
/* Check if we are root */
/* check privileges; certain SAM access bits should be overridden
by privileges (mostly having to do with creating/modifying/deleting
users and groups) */
if ((needed_priv_1 != SEC_PRIV_INVALID && security_token_has_privilege(token, needed_priv_1)) ||
(needed_priv_2 != SEC_PRIV_INVALID && security_token_has_privilege(token, needed_priv_2))) {
priv_granted = true;
saved_mask = (des_access & rights_mask);
des_access &= ~saved_mask;
DEBUG(4,("access_check_object: user rights access mask [0x%x]\n",
rights_mask));
}
/* check the security descriptor first */
status = se_access_check(psd, token, des_access, acc_granted);
if (NT_STATUS_IS_OK(status)) {
goto done;
}
if (is_system || is_root) {
DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access));
DEBUGADD(4,("but overritten by %s\n",
is_root ? "euid == initial uid" : "system token"));
priv_granted = true;
*acc_granted = des_access;
status = NT_STATUS_OK;
goto done;
}
done:
if (priv_granted) {
/* add in any bits saved during the privilege check (only
matters if status is ok) */
*acc_granted |= rights_mask;
}
DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n",
debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED",
des_access, *acc_granted));
return status;
}
