source4/lib/policy/gp_manage.c

   1 /*
   2  *  Unix SMB/CIFS implementation.
   3  *  Group Policy Object Support
   4  *  Copyright (C) Wilco Baan Hofman 2010
   5  *
   6  *  This program is free software; you can redistribute it and/or modify
   7  *  it under the terms of the GNU General Public License as published by
   8  *  the Free Software Foundation; either version 3 of the License, or
   9  *  (at your option) any later version.
  10  *
  11  *  This program is distributed in the hope that it will be useful,
  12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  *  GNU General Public License for more details.
  15  *
  16  *  You should have received a copy of the GNU General Public License
  17  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
  18  */
  19 #include "includes.h"
  20 #include "../libcli/security/dom_sid.h"
  21 #include "../libcli/security/security_descriptor.h"
  22 #include "../librpc/ndr/libndr.h"
  23 #include "../lib/util/charset/charset.h"
  24 #include "param/param.h"
  25 #include "lib/policy/policy.h"
  26
  27 uint32_t gp_ads_to_dir_access_mask(uint32_t access_mask)
  28 {
  29         uint32_t fs_mask;
  30
  31         /* Copy the standard access mask */
  32         fs_mask = access_mask & 0x001F0000;
  33
  34         /* When READ_PROP and LIST_CONTENTS are set, read access is granted on the GPT */
  35         if (access_mask & SEC_ADS_READ_PROP && access_mask & SEC_ADS_LIST) {
  36                 fs_mask |= SEC_STD_SYNCHRONIZE | SEC_DIR_LIST | SEC_DIR_READ_ATTRIBUTE |
  37                                 SEC_DIR_READ_EA | SEC_DIR_TRAVERSE;
  38         }
  39
  40         /* When WRITE_PROP is set, full write access is granted on the GPT */
  41         if (access_mask & SEC_ADS_WRITE_PROP) {
  42                 fs_mask |= SEC_STD_SYNCHRONIZE | SEC_DIR_WRITE_ATTRIBUTE |
  43                                 SEC_DIR_WRITE_EA | SEC_DIR_ADD_FILE |
  44                                 SEC_DIR_ADD_SUBDIR;
  45         }
  46
  47         /* Map CREATE_CHILD to add file and add subdir */
  48         if (access_mask & SEC_ADS_CREATE_CHILD)
  49                 fs_mask |= SEC_DIR_ADD_FILE | SEC_DIR_ADD_SUBDIR;
  50
  51         /* Map ADS delete child to dir delete child */
  52         if (access_mask & SEC_ADS_DELETE_CHILD)
  53                 fs_mask |= SEC_DIR_DELETE_CHILD;
  54
  55         return fs_mask;
  56 }
  57
  58 NTSTATUS gp_create_gpt_security_descriptor (TALLOC_CTX *mem_ctx, struct security_descriptor *ds_sd, struct security_descriptor **ret)
  59 {
  60         struct security_descriptor *fs_sd;
  61         NTSTATUS status;
  62         uint32_t i;
  63
  64         /* Allocate the file system security descriptor */
  65         fs_sd = talloc(mem_ctx, struct security_descriptor);
  66         NT_STATUS_HAVE_NO_MEMORY(fs_sd);
  67
  68         /* Copy the basic information from the directory server security descriptor */
  69         fs_sd->owner_sid = talloc_memdup(fs_sd, ds_sd->owner_sid, sizeof(struct dom_sid));
  70         if (fs_sd->owner_sid == NULL) {
  71                 TALLOC_FREE(fs_sd);
  72                 return NT_STATUS_NO_MEMORY;
  73         }
  74
  75         fs_sd->group_sid = talloc_memdup(fs_sd, ds_sd->group_sid, sizeof(struct dom_sid));
  76         if (fs_sd->group_sid == NULL) {
  77                 TALLOC_FREE(fs_sd);
  78                 return NT_STATUS_NO_MEMORY;
  79         }
  80
  81         fs_sd->type = ds_sd->type;
  82         fs_sd->revision = ds_sd->revision;
  83
  84         /* Copy the sacl */
  85         fs_sd->sacl = security_acl_dup(fs_sd, ds_sd->sacl);
  86         if (fs_sd->sacl == NULL) {
  87                 TALLOC_FREE(fs_sd);
  88                 return NT_STATUS_NO_MEMORY;
  89         }
  90
  91         /* Copy the dacl */
  92         fs_sd->dacl = talloc_zero(fs_sd, struct security_acl);
  93         if (fs_sd->dacl == NULL) {
  94                 TALLOC_FREE(fs_sd);
  95                 return NT_STATUS_NO_MEMORY;
  96         }
  97
  98         for (i = 0; i < ds_sd->dacl->num_aces; i++) {
  99                 char *trustee = dom_sid_string(fs_sd, &ds_sd->dacl->aces[i].trustee);
 100                 struct security_ace *ace;
 101
 102                 /* Don't add the allow for SID_BUILTIN_PREW2K */
 103                 if ((ds_sd->dacl->aces[i].type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
 104                      ds_sd->dacl->aces[i].type == SEC_ACE_TYPE_ACCESS_ALLOWED) &&
 105                                 strcmp(trustee, SID_BUILTIN_PREW2K) == 0) {
 106                         talloc_free(trustee);
 107                         continue;
 108                 }
 109
 110                 /* Copy the ace from the directory server security descriptor */
 111                 ace = talloc_memdup(fs_sd, &ds_sd->dacl->aces[i], sizeof(struct security_ace));
 112                 if (ace == NULL) {
 113                         TALLOC_FREE(fs_sd);
 114                         return NT_STATUS_NO_MEMORY;
 115                 }
 116
 117                 /* Set specific inheritance flags for within the GPO */
 118                 ace->flags |= SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_CONTAINER_INHERIT;
 119                 if (strcmp(trustee, SID_CREATOR_OWNER) == 0) {
 120                         ace->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
 121                 }
 122
 123                 /* Get a directory access mask from the assigned access mask on the LDAP object */
 124                 ace->access_mask = gp_ads_to_dir_access_mask(ace->access_mask);
 125
 126                 /* Add the ace to the security descriptor DACL */
 127                 status = security_descriptor_dacl_add(fs_sd, ace);
 128                 if (!NT_STATUS_IS_OK(status)) {
 129                         DEBUG(0, ("Failed to add a dacl to file system security descriptor\n"));
 130                         TALLOC_FREE(fs_sd);
 131                         return status;
 132                 }
 133
 134                 /* Clean up the allocated data in this iteration */
 135                 talloc_free(trustee);
 136         }
 137
 138         *ret = fs_sd;
 139         return NT_STATUS_OK;
 140 }
 141
 142
 143 NTSTATUS gp_create_gpo (struct gp_context *gp_ctx, const char *display_name, struct gp_object **ret)
 144 {
 145         struct GUID guid_struct;
 146         char *guid_str;
 147         char *name;
 148         struct security_descriptor *sd;
 149         TALLOC_CTX *mem_ctx;
 150         struct gp_object *gpo;
 151         NTSTATUS status;
 152
 153         /* Create a forked memory context, as a base for everything here */
 154         mem_ctx = talloc_new(gp_ctx);
 155         NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
 156
 157         /* Create the gpo struct to return later */
 158         gpo = talloc(gp_ctx, struct gp_object);
 159         if (gpo == NULL) {
 160                 TALLOC_FREE(mem_ctx);
 161                 return NT_STATUS_NO_MEMORY;
 162         }
 163
 164         /* Generate a GUID */
 165         guid_struct = GUID_random();
 166         guid_str = GUID_string2(mem_ctx, &guid_struct);
 167         if (guid_str == NULL) {
 168                 TALLOC_FREE(mem_ctx);
 169                 return NT_STATUS_NO_MEMORY;
 170         }
 171         name = strupper_talloc(mem_ctx, guid_str);
 172         if (name == NULL) {
 173                 TALLOC_FREE(mem_ctx);
 174                 return NT_STATUS_NO_MEMORY;
 175         }
 176
 177         /* Prepare the GPO struct */
 178         gpo->dn = NULL;
 179         gpo->name = name;
 180         gpo->flags = 0;
 181         gpo->version = 0;
 182         gpo->display_name = talloc_strdup(gpo, display_name);
 183         if (gpo->display_name == NULL) {
 184                 TALLOC_FREE(mem_ctx);
 185                 return NT_STATUS_NO_MEMORY;
 186         }
 187
 188         gpo->file_sys_path = talloc_asprintf(gpo, "\\\\%s\\sysvol\\%s\\Policies\\%s", lpcfg_dnsdomain(gp_ctx->lp_ctx), lpcfg_dnsdomain(gp_ctx->lp_ctx), name);
 189         if (gpo->file_sys_path == NULL) {
 190                 TALLOC_FREE(mem_ctx);
 191                 return NT_STATUS_NO_MEMORY;
 192         }
 193
 194         /* Create the GPT */
 195         status = gp_create_gpt(gp_ctx, name, gpo->file_sys_path);
 196         if (!NT_STATUS_IS_OK(status)) {
 197                 DEBUG(0, ("Failed to create GPT\n"));
 198                 talloc_free(mem_ctx);
 199                 return status;
 200         }
 201
 202
 203         /* Create the LDAP GPO, including CN=User and CN=Machine */
 204         status = gp_create_ldap_gpo(gp_ctx, gpo);
 205         if (!NT_STATUS_IS_OK(status)) {
 206                 DEBUG(0, ("Failed to create LDAP group policy object\n"));
 207                 talloc_free(mem_ctx);
 208                 return status;
 209         }
 210
 211         /* Get the new security descriptor */
 212         status = gp_get_gpo_info(gp_ctx, gpo->dn, &gpo);
 213         if (!NT_STATUS_IS_OK(status)) {
 214                 DEBUG(0, ("Failed to fetch LDAP group policy object\n"));
 215                 talloc_free(mem_ctx);
 216                 return status;
 217         }
 218
 219         /* Create matching file and DS security descriptors */
 220         status = gp_create_gpt_security_descriptor(mem_ctx, gpo->security_descriptor, &sd);
 221         if (!NT_STATUS_IS_OK(status)) {
 222                 DEBUG(0, ("Failed to convert ADS security descriptor to filesystem security descriptor\n"));
 223                 talloc_free(mem_ctx);
 224                 return status;
 225         }
 226
 227         /* Set the security descriptor on the filesystem for this GPO */
 228         status = gp_set_gpt_security_descriptor(gp_ctx, gpo, sd);
 229         if (!NT_STATUS_IS_OK(status)) {
 230                 DEBUG(0, ("Failed to set security descriptor (ACL) on the file system\n"));
 231                 talloc_free(mem_ctx);
 232                 return status;
 233         }
 234
 235         talloc_free(mem_ctx);
 236
 237         *ret = gpo;
 238         return NT_STATUS_OK;
 239 }
 240
 241 NTSTATUS gp_set_acl (struct gp_context *gp_ctx, const char *dn_str, const struct security_descriptor *sd)
 242 {
 243         TALLOC_CTX *mem_ctx;
 244         struct security_descriptor *fs_sd;
 245         struct gp_object *gpo;
 246         NTSTATUS status;
 247
 248         /* Create a forked memory context, as a base for everything here */
 249         mem_ctx = talloc_new(gp_ctx);
 250         NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
 251
 252         /* Set the ACL on LDAP database */
 253         status = gp_set_ads_acl(gp_ctx, dn_str, sd);
 254         if (!NT_STATUS_IS_OK(status)) {
 255                 DEBUG(0, ("Failed to set ACL on ADS\n"));
 256                 talloc_free(mem_ctx);
 257                 return status;
 258         }
 259
 260         /* Get the group policy object information, for filesystem location and merged sd */
 261         status = gp_get_gpo_info(gp_ctx, dn_str, &gpo);
 262         if (!NT_STATUS_IS_OK(status)) {
 263                 DEBUG(0, ("Failed to set ACL on ADS\n"));
 264                 talloc_free(mem_ctx);
 265                 return status;
 266         }
 267
 268         /* Create matching file and DS security descriptors */
 269         status = gp_create_gpt_security_descriptor(mem_ctx, gpo->security_descriptor, &fs_sd);
 270         if (!NT_STATUS_IS_OK(status)) {
 271                 DEBUG(0, ("Failed to convert ADS security descriptor to filesystem security descriptor\n"));
 272                 talloc_free(mem_ctx);
 273                 return status;
 274         }
 275
 276         /* Set the security descriptor on the filesystem for this GPO */
 277         status = gp_set_gpt_security_descriptor(gp_ctx, gpo, fs_sd);
 278         if (!NT_STATUS_IS_OK(status)) {
 279                 DEBUG(0, ("Failed to set security descriptor (ACL) on the file system\n"));
 280                 talloc_free(mem_ctx);
 281                 return status;
 282         }
 283
 284         talloc_free(mem_ctx);
 285         return NT_STATUS_OK;
 286 }
 287
 288 NTSTATUS gp_push_gpo (struct gp_context *gp_ctx, const char *local_path, struct gp_object *gpo)
 289 {
 290         NTSTATUS status;
 291         TALLOC_CTX *mem_ctx;
 292         struct gp_ini_context *ini;
 293         char *filename;
 294
 295         mem_ctx = talloc_new(gp_ctx);
 296         NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
 297
 298         /* Get version from ini file */
 299         /* FIXME: The local file system may be case sensitive */
 300         filename = talloc_asprintf(mem_ctx, "%s/%s", local_path, "GPT.INI");
 301         if (filename == NULL) {
 302                 TALLOC_FREE(mem_ctx);
 303                 return NT_STATUS_NO_MEMORY;
 304         }
 305         status = gp_parse_ini(mem_ctx, gp_ctx, local_path, &ini);
 306         if (!NT_STATUS_IS_OK(status)) {
 307                 DEBUG(0, ("Failed to parse GPT.INI.\n"));
 308                 talloc_free(mem_ctx);
 309                 return status;
 310         }
 311
 312         /* Push the GPT to the remote sysvol */
 313         status = gp_push_gpt(gp_ctx, local_path, gpo->file_sys_path);
 314         if (!NT_STATUS_IS_OK(status)) {
 315                 DEBUG(0, ("Failed to push GPT to DC's sysvol share.\n"));
 316                 talloc_free(mem_ctx);
 317                 return status;
 318         }
 319
 320         /* Write version to LDAP */
 321         status = gp_set_ldap_gpo(gp_ctx, gpo);
 322         if (!NT_STATUS_IS_OK(status)) {
 323                 DEBUG(0, ("Failed to set GPO options in DC's LDAP.\n"));
 324                 talloc_free(mem_ctx);
 325                 return status;
 326         }
 327
 328         talloc_free(mem_ctx);
 329         return NT_STATUS_OK;
 330 }