Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 :
4 : Copyright (C) Andrew Tridgell 2004
5 : Copyright (C) Gerald Carter 2005
6 : Copyright (C) Volker Lendecke 2007
7 : Copyright (C) Jeremy Allison 2008
8 : Copyright (C) Andrew Bartlett 2010
9 :
10 : This program is free software; you can redistribute it and/or modify
11 : it under the terms of the GNU General Public License as published by
12 : the Free Software Foundation; either version 3 of the License, or
13 : (at your option) any later version.
14 :
15 : This program is distributed in the hope that it will be useful,
16 : but WITHOUT ANY WARRANTY; without even the implied warranty of
17 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 : GNU General Public License for more details.
19 :
20 : You should have received a copy of the GNU General Public License
21 : along with this program. If not, see <http://www.gnu.org/licenses/>.
22 : */
23 :
24 : #include "replace.h"
25 : #include "lib/util/debug.h"
26 : #include "libcli/security/security.h"
27 : #include "librpc/gen_ndr/conditional_ace.h"
28 : #include "libcli/security/conditional_ace.h"
29 :
30 : /* Map generic access rights to object specific rights. This technique is
31 : used to give meaning to assigning read, write, execute and all access to
32 : objects. Each type of object has its own mapping of generic to object
33 : specific access rights. */
34 :
35 685579 : void se_map_generic(uint32_t *access_mask, const struct generic_mapping *mapping)
36 : {
37 685579 : uint32_t old_mask = *access_mask;
38 :
39 685579 : if (*access_mask & GENERIC_READ_ACCESS) {
40 4476 : *access_mask &= ~GENERIC_READ_ACCESS;
41 4476 : *access_mask |= mapping->generic_read;
42 : }
43 :
44 685579 : if (*access_mask & GENERIC_WRITE_ACCESS) {
45 164 : *access_mask &= ~GENERIC_WRITE_ACCESS;
46 164 : *access_mask |= mapping->generic_write;
47 : }
48 :
49 685579 : if (*access_mask & GENERIC_EXECUTE_ACCESS) {
50 4706 : *access_mask &= ~GENERIC_EXECUTE_ACCESS;
51 4706 : *access_mask |= mapping->generic_execute;
52 : }
53 :
54 685579 : if (*access_mask & GENERIC_ALL_ACCESS) {
55 4118 : *access_mask &= ~GENERIC_ALL_ACCESS;
56 4118 : *access_mask |= mapping->generic_all;
57 : }
58 :
59 685579 : if (old_mask != *access_mask) {
60 5678 : DEBUG(10, ("se_map_generic(): mapped mask 0x%08x to 0x%08x\n",
61 : old_mask, *access_mask));
62 : }
63 685579 : }
64 :
65 : /* Map generic access rights to object specific rights for all the ACE's
66 : * in a security_acl.
67 : */
68 :
69 15250 : void security_acl_map_generic(struct security_acl *sa,
70 : const struct generic_mapping *mapping)
71 : {
72 149 : unsigned int i;
73 :
74 15250 : if (!sa) {
75 0 : return;
76 : }
77 :
78 75951 : for (i = 0; i < sa->num_aces; i++) {
79 60701 : se_map_generic(&sa->aces[i].access_mask, mapping);
80 : }
81 : }
82 :
83 : /* Map standard access rights to object specific rights. This technique is
84 : used to give meaning to assigning read, write, execute and all access to
85 : objects. Each type of object has its own mapping of standard to object
86 : specific access rights. */
87 :
88 624 : void se_map_standard(uint32_t *access_mask, const struct standard_mapping *mapping)
89 : {
90 624 : uint32_t old_mask = *access_mask;
91 :
92 624 : if (*access_mask & SEC_STD_READ_CONTROL) {
93 16 : *access_mask &= ~SEC_STD_READ_CONTROL;
94 16 : *access_mask |= mapping->std_read;
95 : }
96 :
97 624 : if (*access_mask & (SEC_STD_DELETE|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE)) {
98 8 : *access_mask &= ~(SEC_STD_DELETE|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE);
99 8 : *access_mask |= mapping->std_all;
100 : }
101 :
102 624 : if (old_mask != *access_mask) {
103 4 : DEBUG(10, ("se_map_standard(): mapped mask 0x%08x to 0x%08x\n",
104 : old_mask, *access_mask));
105 : }
106 624 : }
107 :
108 : enum ace_callback_result {
109 : ACE_CALLBACK_DENY,
110 : ACE_CALLBACK_ALLOW,
111 : ACE_CALLBACK_SKIP, /* do not apply this ACE */
112 : ACE_CALLBACK_INVALID /* we don't want to process the conditional ACE */
113 : };
114 :
115 :
116 529 : static enum ace_callback_result check_callback_ace_allow(
117 : const struct security_ace *ace,
118 : const struct security_token *token,
119 : const struct security_descriptor *sd)
120 : {
121 135 : bool ok;
122 135 : int result;
123 :
124 529 : switch (token->evaluate_claims) {
125 394 : case CLAIMS_EVALUATION_ALWAYS:
126 529 : break;
127 :
128 0 : case CLAIMS_EVALUATION_INVALID_STATE:
129 0 : DBG_WARNING("Refusing to evaluate ACL with "
130 : "conditional ACE against security "
131 : "token with CLAIMS_EVALUATION_INVALID_STATE\n");
132 0 : return ACE_CALLBACK_INVALID;
133 0 : case CLAIMS_EVALUATION_NEVER:
134 : default:
135 : /*
136 : * We are asked to pretend we never understood this
137 : * ACE type.
138 : *
139 : * By returning SKIP, this ACE will not adjust any
140 : * permission bits making it an effective no-op, which
141 : * was the default behaviour up to Samba 4.19.
142 : */
143 0 : return ACE_CALLBACK_SKIP;
144 : }
145 :
146 529 : if (ace->type != SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK &&
147 0 : ace->type != SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT) {
148 : /* This indicates a programming error */
149 0 : DBG_ERR("bad conditional allow ACE type: %u\n", ace->type);
150 0 : return ACE_CALLBACK_INVALID;
151 : }
152 :
153 : /*
154 : * Until we discover otherwise, we assume all callback ACEs
155 : * are conditional ACEs.
156 : */
157 529 : ok = access_check_conditional_ace(ace, token, sd, &result);
158 529 : if (!ok) {
159 : /*
160 : * An error in processing the conditional ACE is
161 : * treated as UNKNOWN, which amounts to a DENY/SKIP
162 : * result.
163 : *
164 : * This is different from the INVALID result which
165 : * means we should not be thinking about conditional
166 : * ACES at all, and will abort the whole access check.
167 : */
168 0 : DBG_WARNING("callback ACE was not a valid conditional ACE\n");
169 0 : return ACE_CALLBACK_SKIP;
170 : }
171 529 : if (result == ACE_CONDITION_TRUE) {
172 284 : return ACE_CALLBACK_ALLOW;
173 : }
174 : /* UNKNOWN means do not allow */
175 196 : return ACE_CALLBACK_SKIP;
176 : }
177 :
178 :
179 142 : static enum ace_callback_result check_callback_ace_deny(
180 : const struct security_ace *ace,
181 : const struct security_token *token,
182 : const struct security_descriptor *sd)
183 : {
184 4 : bool ok;
185 4 : int result;
186 :
187 142 : switch (token->evaluate_claims) {
188 138 : case CLAIMS_EVALUATION_ALWAYS:
189 142 : break;
190 :
191 0 : case CLAIMS_EVALUATION_INVALID_STATE:
192 0 : DBG_WARNING("Refusing to evaluate ACL with "
193 : "conditional ACE against security "
194 : "token with CLAIMS_EVALUATION_INVALID_STATE\n");
195 0 : return ACE_CALLBACK_INVALID;
196 0 : case CLAIMS_EVALUATION_NEVER:
197 : default:
198 : /*
199 : * We are asked to pretend we never understood this
200 : * ACE type.
201 : */
202 0 : return ACE_CALLBACK_SKIP;
203 : }
204 :
205 142 : if (ace->type != SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK &&
206 0 : ace->type != SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT) {
207 0 : DBG_ERR("bad conditional deny ACE type: %u\n", ace->type);
208 0 : return ACE_CALLBACK_INVALID;
209 : }
210 :
211 : /*
212 : * Until we discover otherwise, we assume all callback ACEs
213 : * are conditional ACEs.
214 : */
215 142 : ok = access_check_conditional_ace(ace, token, sd, &result);
216 142 : if (!ok) {
217 : /*
218 : * An error in processing the conditional ACE is
219 : * treated as UNKNOWN, which means DENY.
220 : */
221 0 : DBG_WARNING("callback ACE was not a valid conditional ACE\n");
222 0 : return ACE_CALLBACK_DENY;
223 : }
224 142 : if (result != ACE_CONDITION_FALSE) {
225 : /* UNKNOWN means deny */
226 120 : return ACE_CALLBACK_DENY;
227 : }
228 22 : return ACE_CALLBACK_SKIP;
229 : }
230 :
231 :
232 : /*
233 : perform a SEC_FLAG_MAXIMUM_ALLOWED access check
234 : */
235 113319 : static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
236 : const struct security_token *token,
237 : enum implicit_owner_rights implicit_owner_rights)
238 : {
239 113319 : uint32_t denied = 0, granted = 0;
240 113319 : bool am_owner = false;
241 113319 : bool have_owner_rights_ace = false;
242 1814 : unsigned i;
243 :
244 113319 : if (sd->dacl == NULL) {
245 0 : if (security_token_has_sid(token, sd->owner_sid)) {
246 0 : switch (implicit_owner_rights) {
247 0 : case IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS:
248 0 : granted |= SEC_STD_WRITE_DAC;
249 0 : FALL_THROUGH;
250 0 : case IMPLICIT_OWNER_READ_CONTROL_RIGHTS:
251 0 : granted |= SEC_STD_READ_CONTROL;
252 0 : break;
253 : }
254 : }
255 0 : return granted;
256 : }
257 :
258 113319 : if (security_token_has_sid(token, sd->owner_sid)) {
259 : /*
260 : * Check for explicit owner rights: if there are none, we remove
261 : * the default owner right SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL
262 : * from remaining_access. Otherwise we just process the
263 : * explicitly granted rights when processing the ACEs.
264 : */
265 5075 : am_owner = true;
266 :
267 33755 : for (i=0; i < sd->dacl->num_aces; i++) {
268 29570 : struct security_ace *ace = &sd->dacl->aces[i];
269 :
270 29570 : if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
271 1507 : continue;
272 : }
273 :
274 28927 : have_owner_rights_ace = dom_sid_equal(
275 28063 : &ace->trustee, &global_sid_Owner_Rights);
276 28063 : if (have_owner_rights_ace) {
277 12 : break;
278 : }
279 : }
280 : }
281 :
282 113319 : if (am_owner && !have_owner_rights_ace) {
283 4185 : switch (implicit_owner_rights) {
284 4185 : case IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS:
285 4185 : granted |= SEC_STD_WRITE_DAC;
286 114 : FALL_THROUGH;
287 4185 : case IMPLICIT_OWNER_READ_CONTROL_RIGHTS:
288 4185 : granted |= SEC_STD_READ_CONTROL;
289 4185 : break;
290 : }
291 : }
292 :
293 252703 : for (i = 0;i<sd->dacl->num_aces; i++) {
294 139384 : struct security_ace *ace = &sd->dacl->aces[i];
295 139384 : bool is_owner_rights_ace = false;
296 :
297 139384 : if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
298 1507 : continue;
299 : }
300 :
301 137877 : if (am_owner) {
302 28071 : is_owner_rights_ace = dom_sid_equal(
303 28071 : &ace->trustee, &global_sid_Owner_Rights);
304 : }
305 :
306 138741 : if (!is_owner_rights_ace &&
307 137861 : !security_token_has_sid(token, &ace->trustee))
308 : {
309 21535 : continue;
310 : }
311 :
312 116342 : switch (ace->type) {
313 116303 : case SEC_ACE_TYPE_ACCESS_ALLOWED:
314 116303 : granted |= ace->access_mask;
315 116303 : break;
316 18 : case SEC_ACE_TYPE_ACCESS_DENIED:
317 : case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
318 18 : denied |= ~granted & ace->access_mask;
319 18 : break;
320 :
321 0 : case SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK:
322 : {
323 0 : enum ace_callback_result allow =
324 0 : check_callback_ace_allow(ace, token, sd);
325 0 : if (allow == ACE_CALLBACK_INVALID) {
326 0 : return 0;
327 : }
328 0 : if (allow == ACE_CALLBACK_ALLOW) {
329 0 : granted |= ace->access_mask;
330 : }
331 0 : break;
332 : }
333 :
334 0 : case SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK:
335 : {
336 0 : enum ace_callback_result deny =
337 0 : check_callback_ace_deny(ace, token, sd);
338 0 : if (deny == ACE_CALLBACK_INVALID) {
339 0 : return 0;
340 : }
341 0 : if (deny == ACE_CALLBACK_DENY) {
342 0 : denied |= ~granted & ace->access_mask;
343 : }
344 0 : break;
345 : }
346 :
347 21 : default: /* Other ACE types not handled/supported */
348 21 : break;
349 : }
350 : }
351 :
352 113319 : return granted & ~denied;
353 : }
354 :
355 :
356 :
357 866057 : static NTSTATUS se_access_check_implicit_owner(const struct security_descriptor *sd,
358 : const struct security_token *token,
359 : uint32_t access_desired,
360 : uint32_t *access_granted,
361 : enum implicit_owner_rights implicit_owner_rights)
362 : {
363 3167 : uint32_t i;
364 3167 : uint32_t bits_remaining;
365 866057 : uint32_t explicitly_denied_bits = 0;
366 866057 : bool am_owner = false;
367 866057 : bool have_owner_rights_ace = false;
368 :
369 866057 : switch (token->evaluate_claims) {
370 199062 : case CLAIMS_EVALUATION_INVALID_STATE:
371 199062 : if (token->num_local_claims > 0 ||
372 199062 : token->num_user_claims > 0 ||
373 199062 : token->num_device_claims > 0 ||
374 199062 : token->num_device_sids > 0) {
375 0 : DBG_WARNING("Refusing to evaluate token with claims or device SIDs but also "
376 : "with CLAIMS_EVALUATION_INVALID_STATE\n");
377 0 : return NT_STATUS_INVALID_TOKEN;
378 : }
379 198990 : break;
380 663900 : case CLAIMS_EVALUATION_ALWAYS:
381 : case CLAIMS_EVALUATION_NEVER:
382 663900 : break;
383 : }
384 :
385 866057 : *access_granted = access_desired;
386 866057 : bits_remaining = access_desired;
387 :
388 : /* handle the maximum allowed flag */
389 866057 : if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
390 4405 : uint32_t orig_access_desired = access_desired;
391 :
392 4405 : access_desired |= access_check_max_allowed(sd, token, implicit_owner_rights);
393 4405 : access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
394 4405 : *access_granted = access_desired;
395 4405 : bits_remaining = access_desired;
396 :
397 4405 : DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n",
398 : orig_access_desired,
399 : *access_granted,
400 : bits_remaining));
401 : }
402 :
403 : /* a NULL dacl allows access */
404 866057 : if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
405 77 : *access_granted = access_desired;
406 77 : return NT_STATUS_OK;
407 : }
408 :
409 865980 : if (sd->dacl == NULL) {
410 1 : goto done;
411 : }
412 :
413 865979 : if (security_token_has_sid(token, sd->owner_sid)) {
414 : /*
415 : * Check for explicit owner rights: if there are none, we remove
416 : * the default owner right SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL
417 : * from remaining_access. Otherwise we just process the
418 : * explicitly granted rights when processing the ACEs.
419 : */
420 387551 : am_owner = true;
421 :
422 1661144 : for (i=0; i < sd->dacl->num_aces; i++) {
423 1277591 : struct security_ace *ace = &sd->dacl->aces[i];
424 :
425 1277591 : if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
426 79092 : continue;
427 : }
428 :
429 1201739 : have_owner_rights_ace = dom_sid_equal(
430 1198499 : &ace->trustee, &global_sid_Owner_Rights);
431 1198499 : if (have_owner_rights_ace) {
432 80 : break;
433 : }
434 : }
435 : }
436 865979 : if (am_owner && !have_owner_rights_ace) {
437 383553 : switch (implicit_owner_rights) {
438 383553 : case IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS:
439 383553 : bits_remaining &= ~SEC_STD_WRITE_DAC;
440 906 : FALL_THROUGH;
441 383553 : case IMPLICIT_OWNER_READ_CONTROL_RIGHTS:
442 383553 : bits_remaining &= ~SEC_STD_READ_CONTROL;
443 383553 : break;
444 : }
445 : }
446 :
447 : /* check each ace in turn. */
448 1768322 : for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
449 902343 : struct security_ace *ace = &sd->dacl->aces[i];
450 902343 : bool is_owner_rights_ace = false;
451 :
452 902343 : if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
453 3985 : continue;
454 : }
455 :
456 898358 : if (am_owner) {
457 392008 : is_owner_rights_ace = dom_sid_equal(
458 392008 : &ace->trustee, &global_sid_Owner_Rights);
459 : }
460 :
461 899417 : if (!is_owner_rights_ace &&
462 898254 : !security_token_has_sid(token, &ace->trustee))
463 : {
464 40160 : continue;
465 : }
466 :
467 858198 : switch (ace->type) {
468 857704 : case SEC_ACE_TYPE_ACCESS_ALLOWED:
469 857704 : bits_remaining &= ~ace->access_mask;
470 857704 : break;
471 107 : case SEC_ACE_TYPE_ACCESS_DENIED:
472 : case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
473 107 : explicitly_denied_bits |= (bits_remaining & ace->access_mask);
474 107 : break;
475 :
476 135 : case SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK:
477 : {
478 135 : enum ace_callback_result allow =
479 135 : check_callback_ace_allow(ace, token, sd);
480 135 : if (allow == ACE_CALLBACK_INVALID) {
481 0 : return NT_STATUS_INVALID_ACE_CONDITION;
482 : }
483 135 : if (allow == ACE_CALLBACK_ALLOW) {
484 86 : bits_remaining &= ~ace->access_mask;
485 : }
486 0 : break;
487 : }
488 :
489 4 : case SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK:
490 : case SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT:
491 : {
492 4 : enum ace_callback_result deny =
493 4 : check_callback_ace_deny(ace, token, sd);
494 4 : if (deny == ACE_CALLBACK_INVALID) {
495 0 : return NT_STATUS_INVALID_ACE_CONDITION;
496 : }
497 4 : if (deny == ACE_CALLBACK_DENY) {
498 4 : explicitly_denied_bits |= (bits_remaining & ace->access_mask);
499 : }
500 0 : break;
501 : }
502 :
503 248 : default: /* Other ACE types not handled/supported */
504 248 : break;
505 : }
506 : }
507 :
508 : /* Explicitly denied bits always override */
509 865979 : bits_remaining |= explicitly_denied_bits;
510 :
511 : /*
512 : * We check privileges here because they override even DENY entries.
513 : */
514 :
515 : /* Does the user have the privilege to gain SEC_PRIV_SECURITY? */
516 865979 : if (bits_remaining & SEC_FLAG_SYSTEM_SECURITY) {
517 21113 : if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
518 19632 : bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
519 : } else {
520 1481 : return NT_STATUS_PRIVILEGE_NOT_HELD;
521 : }
522 : }
523 :
524 868746 : if ((bits_remaining & SEC_STD_WRITE_OWNER) &&
525 4248 : security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
526 2882 : bits_remaining &= ~(SEC_STD_WRITE_OWNER);
527 : }
528 :
529 861616 : done:
530 864499 : if (bits_remaining != 0) {
531 13055 : *access_granted = bits_remaining;
532 13055 : return NT_STATUS_ACCESS_DENIED;
533 : }
534 :
535 851444 : return NT_STATUS_OK;
536 : }
537 :
538 : /*
539 : The main entry point for access checking. If returning ACCESS_DENIED
540 : this function returns the denied bits in the uint32_t pointed
541 : to by the access_granted pointer.
542 : */
543 203473 : NTSTATUS se_access_check(const struct security_descriptor *sd,
544 : const struct security_token *token,
545 : uint32_t access_desired,
546 : uint32_t *access_granted)
547 : {
548 203473 : return se_access_check_implicit_owner(sd,
549 : token,
550 : access_desired,
551 : access_granted,
552 : IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS);
553 : }
554 :
555 : /*
556 : The main entry point for access checking FOR THE FILE SERVER ONLY !
557 : If returning ACCESS_DENIED this function returns the denied bits in
558 : the uint32_t pointed to by the access_granted pointer.
559 : */
560 662584 : NTSTATUS se_file_access_check(const struct security_descriptor *sd,
561 : const struct security_token *token,
562 : bool priv_open_requested,
563 : uint32_t access_desired,
564 : uint32_t *access_granted)
565 : {
566 2810 : uint32_t bits_remaining;
567 2810 : NTSTATUS status;
568 :
569 662584 : if (!priv_open_requested) {
570 : /* Fall back to generic se_access_check(). */
571 553640 : return se_access_check_implicit_owner(sd,
572 : token,
573 : access_desired,
574 : access_granted,
575 : IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS);
576 : }
577 :
578 : /*
579 : * We need to handle the maximum allowed flag
580 : * outside of se_access_check(), as we need to
581 : * add in the access allowed by the privileges
582 : * as well.
583 : */
584 :
585 108944 : if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
586 108914 : uint32_t orig_access_desired = access_desired;
587 :
588 108914 : access_desired |= access_check_max_allowed(sd, token, true);
589 108914 : access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
590 :
591 108914 : if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
592 19122 : access_desired |= SEC_RIGHTS_PRIV_BACKUP;
593 : }
594 :
595 108914 : if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
596 20602 : access_desired |= SEC_RIGHTS_PRIV_RESTORE;
597 : }
598 :
599 108914 : DEBUG(10,("se_file_access_check: MAX desired = 0x%x "
600 : "mapped to 0x%x\n",
601 : orig_access_desired,
602 : access_desired));
603 : }
604 :
605 108944 : status = se_access_check_implicit_owner(sd,
606 : token,
607 : access_desired,
608 : access_granted,
609 : IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS);
610 :
611 108944 : if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
612 106446 : return status;
613 : }
614 :
615 2498 : bits_remaining = *access_granted;
616 :
617 : /* Check if we should override with privileges. */
618 4996 : if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
619 2498 : security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
620 2498 : bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
621 : }
622 4996 : if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
623 2498 : security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
624 2498 : bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
625 : }
626 2498 : if (bits_remaining != 0) {
627 0 : *access_granted = bits_remaining;
628 0 : return NT_STATUS_ACCESS_DENIED;
629 : }
630 :
631 2498 : return NT_STATUS_OK;
632 : }
633 :
634 5695497 : static const struct GUID *get_ace_object_type(const struct security_ace *ace)
635 : {
636 5695497 : if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
637 5420283 : return &ace->object.object.type.type;
638 : }
639 :
640 275214 : return NULL;
641 : }
642 :
643 : /**
644 : * Evaluates access rights specified in a object-specific ACE for an AD object.
645 : * This logic corresponds to MS-ADTS 5.1.3.3.3 Checking Object-Specific Access.
646 : * @param[in] ace - the ACE being processed
647 : * @param[in/out] tree - remaining_access gets updated for the tree
648 : * @param[out] grant_access - set to true if the ACE grants sufficient access
649 : * rights to the object/attribute
650 : * @returns NT_STATUS_OK, unless access was denied
651 : */
652 6623709 : static NTSTATUS check_object_specific_access(const struct security_ace *ace,
653 : struct object_tree *tree,
654 : bool *grant_access)
655 : {
656 6623709 : struct object_tree *node = NULL;
657 6623709 : const struct GUID *type = NULL;
658 :
659 6623709 : *grant_access = false;
660 :
661 : /* if no tree was supplied, we can't do object-specific access checks */
662 6623709 : if (!tree) {
663 928212 : return NT_STATUS_OK;
664 : }
665 :
666 : /* Get the ObjectType GUID this ACE applies to */
667 5695497 : type = get_ace_object_type(ace);
668 :
669 : /*
670 : * If the ACE doesn't have a type, then apply it to the whole tree, i.e.
671 : * treat 'OA' ACEs as 'A' and 'OD' as 'D'
672 : */
673 5695497 : if (!type) {
674 275214 : node = tree;
675 : } else {
676 :
677 : /* skip it if the ACE's ObjectType GUID is not in the tree */
678 5420283 : node = get_object_tree_by_GUID(tree, type);
679 5420283 : if (!node) {
680 4743541 : return NT_STATUS_OK;
681 : }
682 : }
683 :
684 951956 : if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
685 590 : ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT) {
686 : /* apply the access rights to this node, and any children */
687 951366 : object_tree_modify_access(node, ace->access_mask);
688 :
689 : /*
690 : * Currently all nodes in the tree request the same access mask,
691 : * so we can use any node to check if processing this ACE now
692 : * means the requested access has been granted
693 : */
694 951366 : if (node->remaining_access == 0) {
695 936556 : *grant_access = true;
696 936556 : return NT_STATUS_OK;
697 : }
698 :
699 : /*
700 : * As per 5.1.3.3.4 Checking Control Access Right-Based Access,
701 : * if the CONTROL_ACCESS right is present, then we can grant
702 : * access and stop any further access checks
703 : */
704 14810 : if (ace->access_mask & SEC_ADS_CONTROL_ACCESS) {
705 894 : *grant_access = true;
706 894 : return NT_STATUS_OK;
707 : }
708 : } else {
709 :
710 : /* this ACE denies access to the requested object/attribute */
711 590 : if (node->remaining_access & ace->access_mask){
712 554 : return NT_STATUS_ACCESS_DENIED;
713 : }
714 : }
715 13952 : return NT_STATUS_OK;
716 : }
717 :
718 :
719 8836693 : NTSTATUS sec_access_check_ds_implicit_owner(const struct security_descriptor *sd,
720 : const struct security_token *token,
721 : uint32_t access_desired,
722 : uint32_t *access_granted,
723 : struct object_tree *tree,
724 : const struct dom_sid *replace_sid,
725 : enum implicit_owner_rights implicit_owner_rights)
726 : {
727 89132 : uint32_t i;
728 89132 : uint32_t bits_remaining;
729 :
730 8836693 : *access_granted = access_desired;
731 8836693 : bits_remaining = access_desired;
732 :
733 : /* handle the maximum allowed flag */
734 8836693 : if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
735 0 : access_desired |= access_check_max_allowed(sd, token, implicit_owner_rights);
736 0 : access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
737 0 : *access_granted = access_desired;
738 0 : bits_remaining = access_desired;
739 : }
740 :
741 8836693 : if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
742 35679 : if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
743 34735 : bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
744 : } else {
745 944 : return NT_STATUS_PRIVILEGE_NOT_HELD;
746 : }
747 : }
748 :
749 : /* the owner always gets SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL */
750 8887626 : if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL)) &&
751 51877 : security_token_has_sid(token, sd->owner_sid)) {
752 49463 : switch (implicit_owner_rights) {
753 27046 : case IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS:
754 27046 : bits_remaining &= ~SEC_STD_WRITE_DAC;
755 88 : FALL_THROUGH;
756 49463 : case IMPLICIT_OWNER_READ_CONTROL_RIGHTS:
757 49463 : bits_remaining &= ~SEC_STD_READ_CONTROL;
758 49463 : break;
759 : }
760 : }
761 :
762 : /* SEC_PRIV_TAKE_OWNERSHIP grants SEC_STD_WRITE_OWNER */
763 8848998 : if ((bits_remaining & (SEC_STD_WRITE_OWNER)) &&
764 13249 : security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
765 12877 : bits_remaining &= ~(SEC_STD_WRITE_OWNER);
766 : }
767 :
768 : /* a NULL dacl allows access */
769 8835749 : if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
770 0 : *access_granted = access_desired;
771 0 : return NT_STATUS_OK;
772 : }
773 :
774 8835749 : if (sd->dacl == NULL) {
775 2 : goto done;
776 : }
777 :
778 : /* check each ace in turn. */
779 47605677 : for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
780 511452 : const struct dom_sid *trustee;
781 39723605 : const struct security_ace *ace = &sd->dacl->aces[i];
782 511452 : NTSTATUS status;
783 39723605 : bool grant_access = false;
784 :
785 39723605 : if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
786 24070166 : continue;
787 : }
788 :
789 33699347 : if (dom_sid_equal(&ace->trustee, &global_sid_Self) && replace_sid) {
790 6510849 : trustee = replace_sid;
791 : } else {
792 27187007 : trustee = &ace->trustee;
793 : }
794 :
795 33699347 : if (!security_token_has_sid(token, trustee)) {
796 18045908 : continue;
797 : }
798 :
799 15653439 : switch (ace->type) {
800 8994178 : case SEC_ACE_TYPE_ACCESS_ALLOWED:
801 8994178 : if (tree) {
802 8069118 : object_tree_modify_access(tree, ace->access_mask);
803 : }
804 :
805 8994178 : bits_remaining &= ~ace->access_mask;
806 8994178 : break;
807 35020 : case SEC_ACE_TYPE_ACCESS_DENIED:
808 35020 : if (bits_remaining & ace->access_mask) {
809 15555 : return NT_STATUS_ACCESS_DENIED;
810 : }
811 19465 : break;
812 394 : case SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK:
813 : {
814 0 : enum ace_callback_result allow =
815 394 : check_callback_ace_allow(ace, token, sd);
816 394 : if (allow == ACE_CALLBACK_INVALID) {
817 0 : return NT_STATUS_INVALID_ACE_CONDITION;
818 : }
819 394 : if (allow == ACE_CALLBACK_ALLOW) {
820 198 : bits_remaining &= ~ace->access_mask;
821 : }
822 394 : break;
823 : }
824 :
825 138 : case SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK:
826 : {
827 0 : enum ace_callback_result deny =
828 138 : check_callback_ace_deny(ace, token, sd);
829 138 : if (deny == ACE_CALLBACK_INVALID) {
830 0 : return NT_STATUS_INVALID_ACE_CONDITION;
831 : }
832 138 : if (deny == ACE_CALLBACK_DENY) {
833 116 : if (bits_remaining & ace->access_mask) {
834 116 : return NT_STATUS_ACCESS_DENIED;
835 : }
836 : }
837 22 : break;
838 : }
839 :
840 6623709 : case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
841 : case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
842 6623709 : status = check_object_specific_access(ace, tree,
843 : &grant_access);
844 :
845 6623709 : if (!NT_STATUS_IS_OK(status)) {
846 554 : return status;
847 : }
848 :
849 6623155 : if (grant_access) {
850 937450 : return NT_STATUS_OK;
851 : }
852 5508831 : break;
853 0 : case SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT:
854 : {
855 : /*
856 : * if the callback says ALLOW, we treat this as a
857 : * SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT.
858 : *
859 : * Otherwise we act as if this ACE does not exist.
860 : */
861 0 : enum ace_callback_result allow =
862 0 : check_callback_ace_allow(ace, token, sd);
863 0 : if (allow == ACE_CALLBACK_INVALID) {
864 0 : return NT_STATUS_INVALID_ACE_CONDITION;
865 : }
866 0 : if (allow != ACE_CALLBACK_ALLOW) {
867 0 : break;
868 : }
869 :
870 0 : status = check_object_specific_access(ace, tree,
871 : &grant_access);
872 :
873 0 : if (!NT_STATUS_IS_OK(status)) {
874 0 : return status;
875 : }
876 :
877 0 : if (grant_access) {
878 0 : return NT_STATUS_OK;
879 : }
880 0 : break;
881 : }
882 0 : case SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT:
883 : {
884 : /*
885 : * ACCESS_DENIED_OBJECT ACEs can't grant access --
886 : * they either don't match the object and slide
887 : * harmlessly past or they return
888 : * NT_STATUS_ACCESS_DENIED.
889 : *
890 : * ACCESS_DENIED_CALLBACK_OBJECT ACEs add another way
891 : * of not applying, and another way of failing.
892 : */
893 0 : enum ace_callback_result deny =
894 0 : check_callback_ace_deny(ace, token, sd);
895 0 : if (deny == ACE_CALLBACK_INVALID) {
896 0 : return NT_STATUS_INVALID_ACE_CONDITION;
897 : }
898 0 : if (deny != ACE_CALLBACK_DENY) {
899 0 : break;
900 : }
901 0 : status = check_object_specific_access(ace, tree,
902 : &grant_access);
903 :
904 0 : if (!NT_STATUS_IS_OK(status)) {
905 0 : return status;
906 : }
907 0 : break;
908 : }
909 0 : default: /* Other ACE types not handled/supported */
910 0 : break;
911 : }
912 : }
913 :
914 7882072 : done:
915 7882074 : if (bits_remaining != 0) {
916 65597 : return NT_STATUS_ACCESS_DENIED;
917 : }
918 :
919 7816477 : return NT_STATUS_OK;
920 : }
921 :
922 : /**
923 : * @brief Perform directoryservice (DS) related access checks for a given user
924 : *
925 : * Perform DS access checks for the user represented by its security_token, on
926 : * the provided security descriptor. If an tree associating GUID and access
927 : * required is provided then object access (OA) are checked as well. *
928 : * @param[in] sd The security descriptor against which the required
929 : * access are requested
930 : *
931 : * @param[in] token The security_token associated with the user to
932 : * test
933 : *
934 : * @param[in] access_desired A bitfield of rights that must be granted for the
935 : * given user in the specified SD.
936 : *
937 : * If one
938 : * of the entry in the tree grants all the requested rights for the given GUID
939 : * FIXME
940 : * tree can be null if not null it's the
941 : * Lots of code duplication, it will be united in just one
942 : * function eventually */
943 :
944 1571196 : NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
945 : const struct security_token *token,
946 : uint32_t access_desired,
947 : uint32_t *access_granted,
948 : struct object_tree *tree,
949 : const struct dom_sid *replace_sid)
950 : {
951 1571196 : return sec_access_check_ds_implicit_owner(sd,
952 : token,
953 : access_desired,
954 : access_granted,
955 : tree,
956 : replace_sid,
957 : IMPLICIT_OWNER_READ_CONTROL_RIGHTS);
958 : }
|
