The branch, master has been updated
via 56b754e... Implementation of sDRightsEffective,
allowedAttributesEffective and allowedChildClassesEffective.
from 85e79a2... s3:packaging: Fix source dir.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 56b754e09ad5cd926e1dd0747252b7c359294938
Author: Nadezhda Ivanova <[email protected]>
Date: Thu Dec 10 15:49:53 2009 +0200
Implementation of sDRightsEffective, allowedAttributesEffective and
allowedChildClassesEffective.
Behavior as documented in WSPP and tested. Needs optimisation though.
-----------------------------------------------------------------------
Summary of changes:
source4/dsdb/samdb/ldb_modules/acl.c | 650 ++++++++++++++++++++++--
source4/dsdb/samdb/ldb_modules/kludge_acl.c | 5 +-
source4/lib/ldb/tests/python/sec_descriptor.py | 127 +++++-
3 files changed, 738 insertions(+), 44 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c
b/source4/dsdb/samdb/ldb_modules/acl.c
index 13e71e5..45aa294 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -1,22 +1,22 @@
/*
- ldb database library
+ ldb database library
- Copyright (C) Simo Sorce 2006-2008
- Copyright (C) Nadezhda Ivanova 2009
- Copyright (C) Anatoliy Atanasov 2009
+ Copyright (C) Simo Sorce 2006-2008
+ Copyright (C) Nadezhda Ivanova 2009
+ Copyright (C) Anatoliy Atanasov 2009
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/*
@@ -45,8 +45,21 @@ struct extended_access_check_attribute {
const uint32_t requires_rights;
};
-struct acl_private{
- bool perform_check;
+struct acl_private {
+ bool acl_perform;
+ const char **password_attrs;
+};
+
+struct acl_context {
+ struct ldb_module *module;
+ struct ldb_request *req;
+ enum security_user_level user_type;
+ bool allowedAttributes;
+ bool allowedAttributesEffective;
+ bool allowedChildClasses;
+ bool allowedChildClassesEffective;
+ bool sDRightsEffective;
+ const char * const *attrs;
};
bool is_root_base_dn(struct ldb_context *ldb, struct ldb_dn *dn_to_check)
@@ -80,7 +93,12 @@ static int acl_module_init(struct ldb_module *module)
{
struct ldb_context *ldb;
struct acl_private *data;
- int ret;
+ int ret, i;
+ TALLOC_CTX *mem_ctx = talloc_new(module);
+ static const char *attrs[] = { "passwordAttribute", NULL };
+ struct ldb_result *res;
+ struct ldb_message *msg;
+ struct ldb_message_element *password_attributes;
ldb = ldb_module_get_ctx(module);
@@ -92,22 +110,69 @@ static int acl_module_init(struct ldb_module *module)
}
data = talloc(module, struct acl_private);
- data->perform_check = lp_parm_bool(ldb_get_opaque(ldb, "loadparm"),
- NULL, "acl", "perform", false);
+ if (data == NULL) {
+ ldb_oom(ldb);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ data->password_attrs = NULL;
+ data->acl_perform = lp_parm_bool(ldb_get_opaque(ldb, "loadparm"),
+ NULL, "acl", "perform", false);
ldb_module_set_private(module, data);
+ if (!mem_ctx) {
+ ldb_oom(ldb);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ ret = ldb_search(ldb, mem_ctx, &res,
+ ldb_dn_new(mem_ctx, ldb, "@KLUDGEACL"),
+ LDB_SCOPE_BASE, attrs, NULL);
+ if (ret != LDB_SUCCESS) {
+ goto done;
+ }
+ if (res->count == 0) {
+ goto done;
+ }
+
+ if (res->count > 1) {
+ talloc_free(mem_ctx);
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+
+ msg = res->msgs[0];
+
+ password_attributes = ldb_msg_find_element(msg, "passwordAttribute");
+ if (!password_attributes) {
+ goto done;
+ }
+ data->password_attrs = talloc_array(data, const char *,
password_attributes->num_values + 1);
+ if (!data->password_attrs) {
+ talloc_free(mem_ctx);
+ ldb_oom(ldb);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ for (i=0; i < password_attributes->num_values; i++) {
+ data->password_attrs[i] = (const char
*)password_attributes->values[i].data;
+ talloc_steal(data->password_attrs,
password_attributes->values[i].data);
+ }
+ data->password_attrs[i] = NULL;
+
+done:
+ talloc_free(mem_ctx);
return ldb_next_init(module);
}
-static int get_sd_from_result(TALLOC_CTX *mem_ctx,
- struct ldb_result *acl_res,
- struct security_descriptor **sd)
+static int get_sd_from_ldb_message(TALLOC_CTX *mem_ctx,
+ struct ldb_message *acl_res,
+ struct security_descriptor **sd)
{
struct ldb_message_element *sd_element;
enum ndr_err_code ndr_err;
- sd_element = ldb_msg_find_element(acl_res->msgs[0],
"ntSecurityDescriptor");
+ sd_element = ldb_msg_find_element(acl_res, "nTSecurityDescriptor");
if (!sd_element) {
+ *sd = NULL;
return LDB_SUCCESS;
}
*sd = talloc(mem_ctx, struct security_descriptor);
@@ -118,19 +183,19 @@ static int get_sd_from_result(TALLOC_CTX *mem_ctx,
(ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- return LDB_ERR_OPERATIONS_ERROR;
+ return LDB_ERR_OPERATIONS_ERROR;
}
return LDB_SUCCESS;
}
-static const struct GUID *get_oc_guid_from_result(struct ldb_module *module,
- struct ldb_result *acl_res)
+static const struct GUID *get_oc_guid_from_message(struct ldb_module *module,
+ struct ldb_message *msg)
{
struct ldb_message_element *oc_el;
struct ldb_context *ldb = ldb_module_get_ctx(module);
- oc_el = ldb_msg_find_element(acl_res->msgs[0], "objectClass");
+ oc_el = ldb_msg_find_element(msg, "objectClass");
if (!oc_el) {
return NULL;
}
@@ -181,7 +246,7 @@ static int check_access_on_dn(struct ldb_module *module,
return ret;
}
- ret = get_sd_from_result(mem_ctx, acl_res, &sd);
+ ret = get_sd_from_ldb_message(mem_ctx, acl_res->msgs[0], &sd);
if (ret != LDB_SUCCESS) {
return LDB_ERR_OPERATIONS_ERROR;
}
@@ -204,6 +269,369 @@ static int check_access_on_dn(struct ldb_module *module,
return LDB_SUCCESS;
}
+static int acl_check_access_on_attribute(struct ldb_module *module,
+ TALLOC_CTX *mem_ctx,
+ struct security_descriptor *sd,
+ uint32_t access,
+ struct dsdb_attribute *attr)
+{
+ int ret;
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ NTSTATUS status;
+ uint32_t access_granted;
+ struct object_tree *root = NULL;
+ struct object_tree *new_node = NULL;
+ const struct dsdb_schema *schema = dsdb_get_schema(ldb);
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ struct security_token *token = acl_user_token(module);
+ if (attr) {
+ if (!GUID_all_zero(&attr->attributeSecurityGUID)) {
+ if (!insert_in_object_tree(tmp_ctx,
+
&attr->attributeSecurityGUID, access,
+ &root, &new_node)) {
+ DEBUG(10, ("acl_search: cannot add to object
tree securityGUID\n"));
+ goto fail;
+ }
+
+ if (!insert_in_object_tree(tmp_ctx,
+ &attr->schemaIDGUID, access,
&new_node, &new_node)) {
+ DEBUG(10, ("acl_search: cannot add to object
tree attributeGUID\n"));
+ goto fail;
+ }
+ }
+ else {
+ if (!insert_in_object_tree(tmp_ctx,
+ &attr->schemaIDGUID, access,
&root, &new_node)) {
+ DEBUG(10, ("acl_search: cannot add to object
tree attributeGUID\n"));
+ goto fail;
+ }
+ }
+ }
+ status = sec_access_check_ds(sd, token,
+ access,
+ &access_granted,
+ root);
+ if (!NT_STATUS_IS_OK(status)) {
+ ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+ }
+ else {
+ ret = LDB_SUCCESS;
+ }
+ return ret;
+fail:
+ return LDB_ERR_OPERATIONS_ERROR;
+}
+
+static int acl_check_access_on_class(struct ldb_module *module,
+ TALLOC_CTX *mem_ctx,
+ struct security_descriptor *sd,
+ uint32_t access,
+ const char *class_name)
+{
+ int ret;
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ NTSTATUS status;
+ uint32_t access_granted;
+ struct object_tree *root = NULL;
+ struct object_tree *new_node = NULL;
+ struct GUID *guid;
+ const struct dsdb_schema *schema = dsdb_get_schema(ldb);
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ struct security_token *token = acl_user_token(module);
+ if (class_name) {
+ guid = class_schemaid_guid_by_lDAPDisplayName(schema,
class_name);
+ if (!guid) {
+ DEBUG(10, ("acl_search: cannot find class %s\n",
+ class_name));
+ goto fail;
+ }
+ if (!insert_in_object_tree(tmp_ctx,
+ guid, access,
+ &root, &new_node)) {
+ DEBUG(10, ("acl_search: cannot add to object tree
guid\n"));
+ goto fail;
+ }
+ }
+ status = sec_access_check_ds(sd, token,
+ access,
+ &access_granted,
+ root);
+ if (!NT_STATUS_IS_OK(status)) {
+ ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+ }
+ else {
+ ret = LDB_SUCCESS;
+ }
+ return ret;
+fail:
+ return LDB_ERR_OPERATIONS_ERROR;
+}
+
+static int acl_allowedAttributes(struct ldb_module *module,
+ struct ldb_message *sd_msg,
+ struct ldb_message *msg,
+ struct acl_context *ac)
+{
+ struct ldb_message_element *oc_el;
+ struct ldb_message_element *allowedAttributes;
+ struct ldb_message_element *allowedAttributesEffective;
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ const struct dsdb_schema *schema = dsdb_get_schema(ldb);
+ TALLOC_CTX *mem_ctx;
+ const char **attr_list;
+ int i, ret;
+
+ /* If we don't have a schema yet, we can't do anything... */
+ if (schema == NULL) {
+ return LDB_SUCCESS;
+ }
+
+ /* Must remove any existing attribute */
+ if (ac->allowedAttributes) {
+ ldb_msg_remove_attr(msg, "allowedAttributes");
+ }
+
+ mem_ctx = talloc_new(msg);
+ if (!mem_ctx) {
+ ldb_oom(ldb);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ oc_el = ldb_msg_find_element(sd_msg, "objectClass");
+ attr_list = dsdb_full_attribute_list(mem_ctx, schema, oc_el,
DSDB_SCHEMA_ALL);
+ if (!attr_list) {
+ ldb_asprintf_errstring(ldb, "acl: Failed to get list of
attributes");
+ talloc_free(mem_ctx);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ if (ac->allowedAttributes) {
+ for (i=0; attr_list && attr_list[i]; i++) {
+ ldb_msg_add_string(msg, "allowedAttributes",
attr_list[i]);
+ }
+ }
+ if (ac->allowedAttributesEffective) {
+ struct security_descriptor *sd;
+ ldb_msg_remove_attr(msg, "allowedAttributesEffective");
+ if (ac->user_type == SECURITY_SYSTEM) {
+ for (i=0; attr_list && attr_list[i]; i++) {
+ ldb_msg_add_string(msg,
"allowedAttributesEffective", attr_list[i]);
+ }
+ return LDB_SUCCESS;
+ }
+
+ ret = get_sd_from_ldb_message(mem_ctx, sd_msg, &sd);
+
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ for (i=0; attr_list && attr_list[i]; i++) {
+ struct dsdb_attribute *attr =
dsdb_attribute_by_lDAPDisplayName(schema,
+
attr_list[i]);
+ if (!attr) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ /* remove constructed attributes */
+ if (attr->systemFlags & DS_FLAG_ATTR_IS_CONSTRUCTED) {
+ continue;
+ }
+ ret = acl_check_access_on_attribute(module,
+ msg,
+ sd,
+ SEC_ADS_WRITE_PROP,
+ attr);
+ if (ret == LDB_SUCCESS) {
+ ldb_msg_add_string(msg,
"allowedAttributesEffective", attr_list[i]);
+ }
+ }
+ }
+ return LDB_SUCCESS;
+}
+
+static int acl_childClasses(struct ldb_module *module,
+ struct ldb_message *sd_msg,
+ struct ldb_message *msg,
+ const char *attrName)
+{
+ struct ldb_message_element *oc_el;
+ struct ldb_message_element *allowedClasses;
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ const struct dsdb_schema *schema = dsdb_get_schema(ldb);
+ const struct dsdb_class *sclass;
+ int i, j, ret;
+
+ /* If we don't have a schema yet, we can't do anything... */
+ if (schema == NULL) {
+ return LDB_SUCCESS;
+ }
+
+ /* Must remove any existing attribute, or else confusion reins */
+ ldb_msg_remove_attr(msg, attrName);
+ ret = ldb_msg_add_empty(msg, attrName, 0, &allowedClasses);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ oc_el = ldb_msg_find_element(sd_msg, "objectClass");
+
+ for (i=0; oc_el && i < oc_el->num_values; i++) {
+ sclass = dsdb_class_by_lDAPDisplayName_ldb_val(schema,
&oc_el->values[i]);
+ if (!sclass) {
+ /* We don't know this class? what is going on? */
+ continue;
+ }
+
+ for (j=0; sclass->possibleInferiors &&
sclass->possibleInferiors[j]; j++) {
+ ldb_msg_add_string(msg, attrName,
sclass->possibleInferiors[j]);
+ }
+ }
+ if (allowedClasses->num_values > 1) {
+ qsort(allowedClasses->values,
+ allowedClasses->num_values,
+ sizeof(*allowedClasses->values),
+ (comparison_fn_t)data_blob_cmp);
+
+ for (i=1 ; i < allowedClasses->num_values; i++) {
+ struct ldb_val *val1 = &allowedClasses->values[i-1];
+ struct ldb_val *val2 = &allowedClasses->values[i];
+ if (data_blob_cmp(val1, val2) == 0) {
+ memmove(val1, val2, (allowedClasses->num_values
- i) * sizeof(struct ldb_val));
+ allowedClasses->num_values--;
+ i--;
+ }
+ }
+ }
+
+ return LDB_SUCCESS;
+}
+
+static int acl_childClassesEffective(struct ldb_module *module,
+ struct ldb_message *sd_msg,
+ struct ldb_message *msg,
+ struct acl_context *ac)
+{
+ struct ldb_message_element *oc_el;
+ struct ldb_message_element *allowedClasses = NULL;
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ const struct dsdb_schema *schema = dsdb_get_schema(ldb);
+ const struct dsdb_class *sclass;
+ struct security_descriptor *sd;
+ int i, j, ret;
+
+ if (ac->user_type == SECURITY_SYSTEM) {
+ return acl_childClasses(module, sd_msg, msg,
"allowedChildClassesEffective");
+ }
+
+ /* If we don't have a schema yet, we can't do anything... */
+ if (schema == NULL) {
+ return LDB_SUCCESS;
+ }
+
+ /* Must remove any existing attribute, or else confusion reins */
+ ldb_msg_remove_attr(msg, "allowedChildClassesEffective");
+
+ oc_el = ldb_msg_find_element(sd_msg, "objectClass");
+ ret = get_sd_from_ldb_message(msg, sd_msg, &sd);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ for (i=0; oc_el && i < oc_el->num_values; i++) {
+ sclass = dsdb_class_by_lDAPDisplayName_ldb_val(schema,
&oc_el->values[i]);
+ if (!sclass) {
+ /* We don't know this class? what is going on? */
+ continue;
+ }
+
+ for (j=0; sclass->possibleInferiors &&
sclass->possibleInferiors[j]; j++) {
+ ret = acl_check_access_on_class(module,
+ msg,
+ sd,
+ SEC_ADS_CREATE_CHILD,
+
sclass->possibleInferiors[j]);
+ if (ret == LDB_SUCCESS) {
+ ldb_msg_add_string(msg,
"allowedChildClassesEffective",
+
sclass->possibleInferiors[j]);
+ }
+ }
+ }
+ allowedClasses = ldb_msg_find_element(msg,
"allowedChildClassesEffective");
+ if (!allowedClasses) {
+ return LDB_SUCCESS;
+ }
+
+ if (allowedClasses->num_values > 1) {
+ qsort(allowedClasses->values,
+ allowedClasses->num_values,
+ sizeof(*allowedClasses->values),
+ (comparison_fn_t)data_blob_cmp);
+ for (i=1 ; i < allowedClasses->num_values; i++) {
+ struct ldb_val *val1 = &allowedClasses->values[i-1];
+ struct ldb_val *val2 = &allowedClasses->values[i];
+ if (data_blob_cmp(val1, val2) == 0) {
+ memmove(val1, val2, (allowedClasses->num_values
- i) * sizeof( struct ldb_val));
+ allowedClasses->num_values--;
+ i--;
+ }
+ }
+ }
+ return LDB_SUCCESS;
+}
+
--
Samba Shared Repository
