Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Blame
Revision Log

util_seaccess.c@ 101

Visit:

Last change on this file since 101 was 1, checked in by Paul Smedley, 18 years ago
Initial code import
File size: 10.3 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	Copyright (C) Luke Kenneth Casson Leighton 1996-2000.
4	Copyright (C) Tim Potter 2000.
5	Copyright (C) Re-written by Jeremy Allison 2000.
6
7	This program is free software; you can redistribute it and/or modify
8	it under the terms of the GNU General Public License as published by
9	the Free Software Foundation; either version 2 of the License, or
10	(at your option) any later version.
11
12	This program is distributed in the hope that it will be useful,
13	but WITHOUT ANY WARRANTY; without even the implied warranty of
14	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15	GNU General Public License for more details.
16
17	You should have received a copy of the GNU General Public License
18	along with this program; if not, write to the Free Software
19	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20	*/
21
22	#include "includes.h"
23
24	extern NT_USER_TOKEN anonymous_token;
25
26	/*********************************************************************************
27	Check an ACE against a SID. We return the remaining needed permission
28	bits not yet granted. Zero means permission allowed (no more needed bits).
29	**********************************************************************************/
30
31	static uint32 check_ace(SEC_ACE ace, const NT_USER_TOKEN token, uint32 acc_desired,
32	NTSTATUS *status)
33	{
34	uint32 mask = ace->access_mask;
35
36	/*
37	* Inherit only is ignored.
38	*/
39
40	if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
41	return acc_desired;
42	}
43
44	/*
45	* If this ACE has no SID in common with the token,
46	* ignore it as it cannot be used to make an access
47	* determination.
48	*/
49
50	if (!token_sid_in_ace( token, ace))
51	return acc_desired;
52
53	switch (ace->type) {
54	case SEC_ACE_TYPE_ACCESS_ALLOWED:
55	/*
56	* This is explicitly allowed.
57	* Remove the bits from the remaining
58	* access required. Return the remaining
59	* bits needed.
60	*/
61	acc_desired &= ~mask;
62	break;
63	case SEC_ACE_TYPE_ACCESS_DENIED:
64	/*
65	* This is explicitly denied.
66	* If any bits match terminate here,
67	* we are denied.
68	*/
69	if (acc_desired & mask) {
70	*status = NT_STATUS_ACCESS_DENIED;
71	return 0xFFFFFFFF;
72	}
73	break;
74	case SEC_ACE_TYPE_SYSTEM_ALARM:
75	case SEC_ACE_TYPE_SYSTEM_AUDIT:
76	*status = NT_STATUS_NOT_IMPLEMENTED;
77	return 0xFFFFFFFF;
78	default:
79	*status = NT_STATUS_INVALID_PARAMETER;
80	return 0xFFFFFFFF;
81	}
82
83	return acc_desired;
84	}
85
86	/*********************************************************************************
87	Maximum access was requested. Calculate the max possible. Fail if it doesn't
88	include other bits requested.
89	**********************************************************************************/
90
91	static BOOL get_max_access( SEC_ACL the_acl, const NT_USER_TOKEN token, uint32 *granted,
92	uint32 desired,
93	NTSTATUS *status)
94	{
95	uint32 acc_denied = 0;
96	uint32 acc_granted = 0;
97	size_t i;
98
99	for ( i = 0 ; i < the_acl->num_aces; i++) {
100	SEC_ACE *ace = &the_acl->aces[i];
101	uint32 mask = ace->access_mask;
102
103	if (!token_sid_in_ace( token, ace))
104	continue;
105
106	switch (ace->type) {
107	case SEC_ACE_TYPE_ACCESS_ALLOWED:
108	acc_granted \|= (mask & ~acc_denied);
109	break;
110	case SEC_ACE_TYPE_ACCESS_DENIED:
111	acc_denied \|= (mask & ~acc_granted);
112	break;
113	case SEC_ACE_TYPE_SYSTEM_ALARM:
114	case SEC_ACE_TYPE_SYSTEM_AUDIT:
115	*status = NT_STATUS_NOT_IMPLEMENTED;
116	*granted = 0;
117	return False;
118	default:
119	*status = NT_STATUS_INVALID_PARAMETER;
120	*granted = 0;
121	return False;
122	}
123	}
124
125	/*
126	* If we were granted no access, or we desired bits that we
127	* didn't get, then deny.
128	*/
129
130	if ((acc_granted == 0) \|\| ((acc_granted & desired) != desired)) {
131	*status = NT_STATUS_ACCESS_DENIED;
132	*granted = 0;
133	return False;
134	}
135
136	/*
137	* Return the access we did get.
138	*/
139
140	*granted = acc_granted;
141	*status = NT_STATUS_OK;
142	return True;
143	}
144
145	/* Map generic access rights to object specific rights. This technique is
146	used to give meaning to assigning read, write, execute and all access to
147	objects. Each type of object has its own mapping of generic to object
148	specific access rights. */
149
150	void se_map_generic(uint32 access_mask, struct generic_mapping mapping)
151	{
152	uint32 old_mask = *access_mask;
153
154	if (*access_mask & GENERIC_READ_ACCESS) {
155	*access_mask &= ~GENERIC_READ_ACCESS;
156	*access_mask \|= mapping->generic_read;
157	}
158
159	if (*access_mask & GENERIC_WRITE_ACCESS) {
160	*access_mask &= ~GENERIC_WRITE_ACCESS;
161	*access_mask \|= mapping->generic_write;
162	}
163
164	if (*access_mask & GENERIC_EXECUTE_ACCESS) {
165	*access_mask &= ~GENERIC_EXECUTE_ACCESS;
166	*access_mask \|= mapping->generic_execute;
167	}
168
169	if (*access_mask & GENERIC_ALL_ACCESS) {
170	*access_mask &= ~GENERIC_ALL_ACCESS;
171	*access_mask \|= mapping->generic_all;
172	}
173
174	if (old_mask != *access_mask) {
175	DEBUG(10, ("se_map_generic(): mapped mask 0x%08x to 0x%08x\n",
176	old_mask, *access_mask));
177	}
178	}
179
180	/* Map standard access rights to object specific rights. This technique is
181	used to give meaning to assigning read, write, execute and all access to
182	objects. Each type of object has its own mapping of standard to object
183	specific access rights. */
184
185	void se_map_standard(uint32 access_mask, struct standard_mapping mapping)
186	{
187	uint32 old_mask = *access_mask;
188
189	if (*access_mask & READ_CONTROL_ACCESS) {
190	*access_mask &= ~READ_CONTROL_ACCESS;
191	*access_mask \|= mapping->std_read;
192	}
193
194	if (*access_mask & (DELETE_ACCESS\|WRITE_DAC_ACCESS\|WRITE_OWNER_ACCESS\|SYNCHRONIZE_ACCESS)) {
195	*access_mask &= ~(DELETE_ACCESS\|WRITE_DAC_ACCESS\|WRITE_OWNER_ACCESS\|SYNCHRONIZE_ACCESS);
196	*access_mask \|= mapping->std_all;
197	}
198
199	if (old_mask != *access_mask) {
200	DEBUG(10, ("se_map_standard(): mapped mask 0x%08x to 0x%08x\n",
201	old_mask, *access_mask));
202	}
203	}
204
205	/*****************************************************************************
206	Check access rights of a user against a security descriptor. Look at
207	each ACE in the security descriptor until an access denied ACE denies
208	any of the desired rights to the user or any of the users groups, or one
209	or more ACEs explicitly grant all requested access rights. See
210	"Access-Checking" document in MSDN.
211	*****************************************************************************/
212
213	BOOL se_access_check(const SEC_DESC sd, const NT_USER_TOKEN token,
214	uint32 acc_desired, uint32 *acc_granted,
215	NTSTATUS *status)
216	{
217	size_t i;
218	SEC_ACL *the_acl;
219	fstring sid_str;
220	uint32 tmp_acc_desired = acc_desired;
221
222	if (!status \|\| !acc_granted)
223	return False;
224
225	if (!token)
226	token = &anonymous_token;
227
228	*status = NT_STATUS_OK;
229	*acc_granted = 0;
230
231	DEBUG(10,("se_access_check: requested access 0x%08x, for NT token with %u entries and first sid %s.\n",
232	(unsigned int)acc_desired, (unsigned int)token->num_sids,
233	sid_to_string(sid_str, &token->user_sids[0])));
234
235	/*
236	* No security descriptor or security descriptor with no DACL
237	* present allows all access.
238	*/
239
240	/* ACL must have something in it */
241
242	if (!sd \|\| (sd && (!(sd->type & SEC_DESC_DACL_PRESENT) \|\| sd->dacl == NULL))) {
243	*status = NT_STATUS_OK;
244	*acc_granted = acc_desired;
245	DEBUG(5, ("se_access_check: no sd or blank DACL, access allowed\n"));
246	return True;
247	}
248
249	/* The user sid is the first in the token */
250	if (DEBUGLVL(3)) {
251	DEBUG(3, ("se_access_check: user sid is %s\n", sid_to_string(sid_str, &token->user_sids[PRIMARY_USER_SID_INDEX]) ));
252
253	for (i = 1; i < token->num_sids; i++) {
254	DEBUGADD(3, ("se_access_check: also %s\n",
255	sid_to_string(sid_str, &token->user_sids[i])));
256	}
257	}
258
259	/* Is the token the owner of the SID ? */
260
261	if (sd->owner_sid) {
262	for (i = 0; i < token->num_sids; i++) {
263	if (sid_equal(&token->user_sids[i], sd->owner_sid)) {
264	/*
265	* The owner always has SEC_RIGHTS_WRITE_DAC & READ_CONTROL.
266	*/
267	if (tmp_acc_desired & WRITE_DAC_ACCESS)
268	tmp_acc_desired &= ~WRITE_DAC_ACCESS;
269	if (tmp_acc_desired & READ_CONTROL_ACCESS)
270	tmp_acc_desired &= ~READ_CONTROL_ACCESS;
271	}
272	}
273	}
274
275	the_acl = sd->dacl;
276
277	if (tmp_acc_desired & MAXIMUM_ALLOWED_ACCESS) {
278	tmp_acc_desired &= ~MAXIMUM_ALLOWED_ACCESS;
279	return get_max_access( the_acl, token, acc_granted, tmp_acc_desired,
280	status);
281	}
282
283	for ( i = 0 ; i < the_acl->num_aces && tmp_acc_desired != 0; i++) {
284	SEC_ACE *ace = &the_acl->aces[i];
285
286	DEBUGADD(10,("se_access_check: ACE %u: type %d, flags = 0x%02x, SID = %s mask = %x, current desired = %x\n",
287	(unsigned int)i, ace->type, ace->flags,
288	sid_to_string(sid_str, &ace->trustee),
289	(unsigned int) ace->access_mask,
290	(unsigned int)tmp_acc_desired ));
291
292	tmp_acc_desired = check_ace( ace, token, tmp_acc_desired, status);
293	if (NT_STATUS_V(*status)) {
294	*acc_granted = 0;
295	DEBUG(5,("se_access_check: ACE %u denied with status %s.\n", (unsigned int)i, nt_errstr(*status)));
296	return False;
297	}
298	}
299
300	/*
301	* If there are no more desired permissions left then
302	* access was allowed.
303	*/
304
305	if (tmp_acc_desired == 0) {
306	*acc_granted = acc_desired;
307	*status = NT_STATUS_OK;
308	DEBUG(5,("se_access_check: access (%x) granted.\n", (unsigned int)acc_desired ));
309	return True;
310	}
311
312	*acc_granted = 0;
313	*status = NT_STATUS_ACCESS_DENIED;
314	DEBUG(5,("se_access_check: access (%x) denied.\n", (unsigned int)acc_desired ));
315	return False;
316	}
317
318
319	/*******************************************************************
320	samr_make_sam_obj_sd
321	********************************************************************/
322
323	NTSTATUS samr_make_sam_obj_sd(TALLOC_CTX ctx, SEC_DESC psd, size_t sd_size)
324	{
325	DOM_SID adm_sid;
326	DOM_SID act_sid;
327
328	SEC_ACE ace[3];
329	SEC_ACCESS mask;
330
331	SEC_ACL *psa = NULL;
332
333	sid_copy(&adm_sid, &global_sid_Builtin);
334	sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS);
335
336	sid_copy(&act_sid, &global_sid_Builtin);
337	sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS);
338
339	/basic access for every one/
340	init_sec_access(&mask, GENERIC_RIGHTS_SAM_EXECUTE \| GENERIC_RIGHTS_SAM_READ);
341	init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
342
343	/full access for builtin aliases Administrators and Account Operators/
344	init_sec_access(&mask, GENERIC_RIGHTS_SAM_ALL_ACCESS);
345	init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
346	init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
347
348	if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL)
349	return NT_STATUS_NO_MEMORY;
350
351	if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL)
352	return NT_STATUS_NO_MEMORY;
353
354	return NT_STATUS_OK;
355	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: trunk-3.0/source/lib/util_seaccess.c@ 101

Download in other formats: