static struct dom_sid *get_default_ag(TALLOC_CTX *mem_ctx,
struct ldb_dn *dn,
struct security_token *token,
struct ldb_context *ldb)
{
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
struct dom_sid *da_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ADMINS);
struct dom_sid *ea_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ENTERPRISE_ADMINS);
struct dom_sid *sa_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_SCHEMA_ADMINS);
struct dom_sid *dag_sid;
struct ldb_dn *nc_root;
int ret;
ret = dsdb_find_nc_root(ldb, tmp_ctx, dn, &nc_root);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return NULL;
}
if (ldb_dn_compare(nc_root, ldb_get_schema_basedn(ldb)) == 0) {
if (security_token_has_sid(token, sa_sid)) {
dag_sid = dom_sid_dup(mem_ctx, sa_sid);
} else if (security_token_has_sid(token, ea_sid)) {
dag_sid = dom_sid_dup(mem_ctx, ea_sid);
} else if (security_token_has_sid(token, da_sid)) {
dag_sid = dom_sid_dup(mem_ctx, da_sid);
} else if (security_token_is_system(token)) {
dag_sid = dom_sid_dup(mem_ctx, sa_sid);
} else {
dag_sid = NULL;
}
} else if (ldb_dn_compare(nc_root, ldb_get_config_basedn(ldb)) == 0) {
if (security_token_has_sid(token, ea_sid)) {
dag_sid = dom_sid_dup(mem_ctx, ea_sid);
} else if (security_token_has_sid(token, da_sid)) {
dag_sid = dom_sid_dup(mem_ctx, da_sid);
} else if (security_token_is_system(token)) {
dag_sid = dom_sid_dup(mem_ctx, ea_sid);
} else {
dag_sid = NULL;
}
} else if (ldb_dn_compare(nc_root, ldb_get_default_basedn(ldb)) == 0) {
if (security_token_has_sid(token, da_sid)) {
dag_sid = dom_sid_dup(mem_ctx, da_sid);
} else if (security_token_has_sid(token, ea_sid)) {
dag_sid = dom_sid_dup(mem_ctx, ea_sid);
} else if (security_token_is_system(token)) {
dag_sid = dom_sid_dup(mem_ctx, da_sid);
} else {
dag_sid = NULL;
}
} else {
dag_sid = NULL;
}
talloc_free(tmp_ctx);
return dag_sid;
}
/*
perform a SEC_FLAG_MAXIMUM_ALLOWED access check
*/
static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
const struct security_token *token)
{
uint32_t denied = 0, granted = 0;
unsigned i;
if (security_token_has_sid(token, sd->owner_sid)) {
granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_STD_DELETE;
} else if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
granted |= SEC_STD_DELETE;
}
if (sd->dacl == NULL) {
return granted & ~denied;
}
for (i = 0;i<sd->dacl->num_aces; i++) {
struct security_ace *ace = &sd->dacl->aces[i];
if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
continue;
}
if (!security_token_has_sid(token, &ace->trustee)) {
continue;
}
switch (ace->type) {
case SEC_ACE_TYPE_ACCESS_ALLOWED:
granted |= ace->access_mask;
break;
case SEC_ACE_TYPE_ACCESS_DENIED:
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
denied |= ace->access_mask;
break;
default: /* Other ACE types not handled/supported */
break;
}
}
return granted & ~denied;
}
bool security_token_has_sid_string(const struct security_token *token, const char *sid_string)
{
bool ret;
struct dom_sid *sid = dom_sid_parse_talloc(NULL, sid_string);
if (!sid) return false;
ret = security_token_has_sid(token, sid);
talloc_free(sid);
return ret;
}
void map_max_allowed_access(const struct security_token *nt_token,
const struct security_unix_token *unix_token,
uint32_t *pacc_requested)
{
if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
return;
}
*pacc_requested &= ~MAXIMUM_ALLOWED_ACCESS;
/* At least try for generic read|execute - Everyone gets that. */
*pacc_requested = GENERIC_READ_ACCESS|GENERIC_EXECUTE_ACCESS;
/* root gets anything. */
if (unix_token->uid == sec_initial_uid()) {
*pacc_requested |= GENERIC_ALL_ACCESS;
return;
}
/* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
if (security_token_has_sid(nt_token, &global_sid_Builtin_Administrators) ||
security_token_has_sid(nt_token, &global_sid_Builtin_Account_Operators)) {
*pacc_requested |= GENERIC_ALL_ACCESS;
return;
}
/* Full access for DOMAIN\Domain Admins. */
if ( IS_DC ) {
struct dom_sid domadmin_sid;
sid_compose(&domadmin_sid, get_global_sam_sid(),
DOMAIN_RID_ADMINS);
if (security_token_has_sid(nt_token, &domadmin_sid)) {
*pacc_requested |= GENERIC_ALL_ACCESS;
return;
}
}
/* TODO ! Check privileges. */
}
enum security_user_level security_session_user_level(struct auth_session_info *session_info,
const struct dom_sid *domain_sid)
{
if (!session_info) {
return SECURITY_ANONYMOUS;
}
if (security_token_is_system(session_info->security_token)) {
return SECURITY_SYSTEM;
}
if (security_token_is_anonymous(session_info->security_token)) {
return SECURITY_ANONYMOUS;
}
if (security_token_has_builtin_administrators(session_info->security_token)) {
return SECURITY_ADMINISTRATOR;
}
if (domain_sid) {
struct dom_sid *rodc_dcs;
rodc_dcs = dom_sid_add_rid(session_info, domain_sid, DOMAIN_RID_READONLY_DCS);
if (security_token_has_sid(session_info->security_token, rodc_dcs)) {
talloc_free(rodc_dcs);
return SECURITY_RO_DOMAIN_CONTROLLER;
}
talloc_free(rodc_dcs);
}
if (security_token_has_enterprise_dcs(session_info->security_token)) {
return SECURITY_DOMAIN_CONTROLLER;
}
if (security_token_has_nt_authenticated_users(session_info->security_token)) {
return SECURITY_USER;
}
return SECURITY_ANONYMOUS;
}
NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
const struct security_token *token,
uint32_t access_desired,
uint32_t *access_granted,
struct object_tree *tree,
struct dom_sid *replace_sid)
{
uint32_t i;
uint32_t bits_remaining;
struct object_tree *node;
const struct GUID *type;
struct dom_sid self_sid;
dom_sid_parse(SID_NT_SELF, &self_sid);
*access_granted = access_desired;
bits_remaining = access_desired;
/* handle the maximum allowed flag */
if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
access_desired |= access_check_max_allowed(sd, token);
access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
*access_granted = access_desired;
bits_remaining = access_desired;
}
if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
} else {
return NT_STATUS_PRIVILEGE_NOT_HELD;
}
}
/* the owner always gets SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL */
if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL)) &&
security_token_has_sid(token, sd->owner_sid)) {
bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL);
}
/* TODO: remove this, as it is file server specific */
if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
}
if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
}
/* a NULL dacl allows access */
if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
*access_granted = access_desired;
return NT_STATUS_OK;
}
if (sd->dacl == NULL) {
goto done;
}
/* check each ace in turn. */
for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
struct dom_sid *trustee;
struct security_ace *ace = &sd->dacl->aces[i];
if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
continue;
}
if (dom_sid_equal(&ace->trustee, &self_sid) && replace_sid) {
trustee = replace_sid;
} else {
trustee = &ace->trustee;
}
if (!security_token_has_sid(token, trustee)) {
continue;
}
switch (ace->type) {
case SEC_ACE_TYPE_ACCESS_ALLOWED:
if (tree) {
object_tree_modify_access(tree, ace->access_mask);
}
bits_remaining &= ~ace->access_mask;
break;
case SEC_ACE_TYPE_ACCESS_DENIED:
if (bits_remaining & ace->access_mask) {
return NT_STATUS_ACCESS_DENIED;
}
break;
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
/*
* check only in case we have provided a tree,
* the ACE has an object type and that type
* is in the tree
*/
type = get_ace_object_type(ace);
if (!tree) {
continue;
}
if (!type) {
node = tree;
} else {
if (!(node = get_object_tree_by_GUID(tree, type))) {
continue;
}
}
if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
object_tree_modify_access(node, ace->access_mask);
if (node->remaining_access == 0) {
return NT_STATUS_OK;
}
} else {
if (node->remaining_access & ace->access_mask){
return NT_STATUS_ACCESS_DENIED;
}
}
break;
default: /* Other ACE types not handled/supported */
break;
}
}
done:
if (bits_remaining != 0) {
return NT_STATUS_ACCESS_DENIED;
}
return NT_STATUS_OK;
}
/*
The main entry point for access checking. If returning ACCESS_DENIED
this function returns the denied bits in the uint32_t pointed
to by the access_granted pointer.
*/
NTSTATUS se_access_check(const struct security_descriptor *sd,
const struct security_token *token,
uint32_t access_desired,
uint32_t *access_granted)
{
uint32_t i;
uint32_t bits_remaining;
uint32_t explicitly_denied_bits = 0;
/*
* Up until Windows Server 2008, owner always had these rights. Now
* we have to use Owner Rights perms if they are on the file.
*
* In addition we have to accumulate these bits and apply them
* correctly. See bug #8795
*/
uint32_t owner_rights_allowed = 0;
uint32_t owner_rights_denied = 0;
bool owner_rights_default = true;
*access_granted = access_desired;
bits_remaining = access_desired;
/* handle the maximum allowed flag */
if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
uint32_t orig_access_desired = access_desired;
access_desired |= access_check_max_allowed(sd, token);
access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
*access_granted = access_desired;
bits_remaining = access_desired;
DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n",
orig_access_desired,
*access_granted,
bits_remaining));
}
/* a NULL dacl allows access */
if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
*access_granted = access_desired;
return NT_STATUS_OK;
}
if (sd->dacl == NULL) {
goto done;
}
/* check each ace in turn. */
for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
struct security_ace *ace = &sd->dacl->aces[i];
if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
continue;
}
/*
* We need the Owner Rights permissions to ensure we
* give or deny the correct permissions to the owner. Replace
* owner_rights with the perms here if it is present.
*
* We don't care if we are not the owner because that is taken
* care of below when we check if our token has the owner SID.
*
*/
if (dom_sid_equal(&ace->trustee, &global_sid_Owner_Rights)) {
if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) {
owner_rights_allowed |= ace->access_mask;
owner_rights_default = false;
} else if (ace->type == SEC_ACE_TYPE_ACCESS_DENIED) {
owner_rights_denied |= ace->access_mask;
owner_rights_default = false;
}
continue;
}
if (!security_token_has_sid(token, &ace->trustee)) {
continue;
}
switch (ace->type) {
case SEC_ACE_TYPE_ACCESS_ALLOWED:
bits_remaining &= ~ace->access_mask;
break;
case SEC_ACE_TYPE_ACCESS_DENIED:
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
explicitly_denied_bits |= (bits_remaining & ace->access_mask);
break;
default: /* Other ACE types not handled/supported */
break;
}
}
/* Explicitly denied bits always override */
bits_remaining |= explicitly_denied_bits;
/* The owner always gets owner rights as defined above. */
if (security_token_has_sid(token, sd->owner_sid)) {
if (owner_rights_default) {
/*
* Just remove them, no need to check if they are
* there.
*/
bits_remaining &= ~(SEC_STD_WRITE_DAC |
SEC_STD_READ_CONTROL);
} else {
bits_remaining &= ~owner_rights_allowed;
bits_remaining |= owner_rights_denied;
}
}
/*
* We check privileges here because they override even DENY entries.
*/
/* Does the user have the privilege to gain SEC_PRIV_SECURITY? */
if (bits_remaining & SEC_FLAG_SYSTEM_SECURITY) {
if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
} else {
return NT_STATUS_PRIVILEGE_NOT_HELD;
}
}
if ((bits_remaining & SEC_STD_WRITE_OWNER) &&
security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
bits_remaining &= ~(SEC_STD_WRITE_OWNER);
}
done:
if (bits_remaining != 0) {
*access_granted = bits_remaining;
return NT_STATUS_ACCESS_DENIED;
}
return NT_STATUS_OK;
}
/*
the main entry point for access checking.
*/
NTSTATUS sec_access_check(const struct security_descriptor *sd,
const struct security_token *token,
uint32_t access_desired,
uint32_t *access_granted)
{
int i;
uint32_t bits_remaining;
*access_granted = access_desired;
bits_remaining = access_desired;
/* handle the maximum allowed flag */
if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
access_desired |= access_check_max_allowed(sd, token);
access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
*access_granted = access_desired;
bits_remaining = access_desired & ~SEC_STD_DELETE;
}
if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
} else {
return NT_STATUS_PRIVILEGE_NOT_HELD;
}
}
/* a NULL dacl allows access */
if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
*access_granted = access_desired;
return NT_STATUS_OK;
}
/* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */
if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) &&
security_token_has_sid(token, sd->owner_sid)) {
bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE);
}
if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
}
if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
}
if (sd->dacl == NULL) {
goto done;
}
/* check each ace in turn. */
for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
struct security_ace *ace = &sd->dacl->aces[i];
if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
continue;
}
if (!security_token_has_sid(token, &ace->trustee)) {
continue;
}
switch (ace->type) {
case SEC_ACE_TYPE_ACCESS_ALLOWED:
bits_remaining &= ~ace->access_mask;
break;
case SEC_ACE_TYPE_ACCESS_DENIED:
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
if (bits_remaining & ace->access_mask) {
return NT_STATUS_ACCESS_DENIED;
}
break;
default: /* Other ACE types not handled/supported */
break;
}
}
done:
if (bits_remaining != 0) {
return NT_STATUS_ACCESS_DENIED;
}
return NT_STATUS_OK;
}
/*
The main entry point for access checking. If returning ACCESS_DENIED
this function returns the denied bits in the uint32_t pointed
to by the access_granted pointer.
*/
NTSTATUS se_access_check(const struct security_descriptor *sd,
const struct security_token *token,
uint32_t access_desired,
uint32_t *access_granted)
{
uint32_t i;
uint32_t bits_remaining;
*access_granted = access_desired;
bits_remaining = access_desired;
/* handle the maximum allowed flag */
if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
uint32_t orig_access_desired = access_desired;
access_desired |= access_check_max_allowed(sd, token);
access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
*access_granted = access_desired;
bits_remaining = access_desired;
DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n",
orig_access_desired,
*access_granted,
bits_remaining));
}
/* s3 had this with #if 0 previously. To be sure the merge
doesn't change any behaviour, we have the above #if check
on _SAMBA_BUILD_. */
if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
} else {
return NT_STATUS_PRIVILEGE_NOT_HELD;
}
}
/* the owner always gets SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL */
if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL)) &&
security_token_has_sid(token, sd->owner_sid)) {
bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL);
}
/* TODO: remove this, as it is file server specific */
if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
}
if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
}
/* a NULL dacl allows access */
if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
*access_granted = access_desired;
return NT_STATUS_OK;
}
if (sd->dacl == NULL) {
goto done;
}
/* check each ace in turn. */
for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
struct security_ace *ace = &sd->dacl->aces[i];
if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
continue;
}
if (!security_token_has_sid(token, &ace->trustee)) {
continue;
}
switch (ace->type) {
case SEC_ACE_TYPE_ACCESS_ALLOWED:
bits_remaining &= ~ace->access_mask;
break;
case SEC_ACE_TYPE_ACCESS_DENIED:
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
if (bits_remaining & ace->access_mask) {
return NT_STATUS_ACCESS_DENIED;
}
break;
default: /* Other ACE types not handled/supported */
break;
}
}
done:
if (bits_remaining != 0) {
*access_granted = bits_remaining;
return NT_STATUS_ACCESS_DENIED;
}
return NT_STATUS_OK;
}
