util:datablob: data_blob_pad checks its alignment assumption
[samba4-gss.git] / source4 / dsdb / common / dsdb_access.c
blob6edae35837664d9a525d87aa99aecc52f6127d6e
1 /*
2 ldb database library
4 Copyright (C) Nadezhda Ivanova 2010
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 * Name: dsdb_access
23 * Description: utility functions for access checking on objects
25 * Authors: Nadezhda Ivanova
28 #include "includes.h"
29 #include "ldb.h"
30 #include "ldb_module.h"
31 #include "ldb_errors.h"
32 #include "libcli/security/security.h"
33 #include "librpc/gen_ndr/ndr_security.h"
34 #include "libcli/ldap/ldap_ndr.h"
35 #include "param/param.h"
36 #include "auth/auth.h"
37 #include "dsdb/samdb/samdb.h"
38 #include "dsdb/common/util.h"
40 void dsdb_acl_debug(struct security_descriptor *sd,
41 struct security_token *token,
42 struct ldb_dn *dn,
43 bool denied,
44 int level)
46 if (denied) {
47 DEBUG(level, ("Access on %s denied\n", ldb_dn_get_linearized(dn)));
48 } else {
49 DEBUG(level, ("Access on %s granted\n", ldb_dn_get_linearized(dn)));
52 DEBUG(level,("Security context: %s\n",
53 ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_token,"", token)));
54 DEBUG(level,("Security descriptor: %s\n",
55 ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_descriptor,"", sd)));
58 int dsdb_get_sd_from_ldb_message(struct ldb_context *ldb,
59 TALLOC_CTX *mem_ctx,
60 struct ldb_message *acl_res,
61 struct security_descriptor **sd)
63 struct ldb_message_element *sd_element;
64 enum ndr_err_code ndr_err;
66 sd_element = ldb_msg_find_element(acl_res, "nTSecurityDescriptor");
67 if (sd_element == NULL) {
68 return ldb_error(ldb, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS,
69 "nTSecurityDescriptor is missing");
71 *sd = talloc(mem_ctx, struct security_descriptor);
72 if(!*sd) {
73 return ldb_oom(ldb);
75 ndr_err = ndr_pull_struct_blob(&sd_element->values[0], *sd, *sd,
76 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
78 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
79 TALLOC_FREE(*sd);
80 return ldb_operr(ldb);
83 return LDB_SUCCESS;
86 int dsdb_check_access_on_dn_internal(struct ldb_context *ldb,
87 struct ldb_result *acl_res,
88 TALLOC_CTX *mem_ctx,
89 struct security_token *token,
90 struct ldb_dn *dn,
91 uint32_t access_mask,
92 const struct GUID *guid)
94 struct security_descriptor *sd = NULL;
95 struct dom_sid *sid = NULL;
96 struct object_tree *root = NULL;
97 NTSTATUS status;
98 uint32_t access_granted;
99 int ret;
101 ret = dsdb_get_sd_from_ldb_message(ldb, mem_ctx, acl_res->msgs[0], &sd);
102 if (ret != LDB_SUCCESS) {
103 return ldb_operr(ldb);
106 sid = samdb_result_dom_sid(mem_ctx, acl_res->msgs[0], "objectSid");
107 if (guid) {
108 if (!insert_in_object_tree(mem_ctx, guid, access_mask, NULL,
109 &root)) {
110 TALLOC_FREE(sd);
111 TALLOC_FREE(sid);
112 return ldb_operr(ldb);
115 status = sec_access_check_ds(sd, token,
116 access_mask,
117 &access_granted,
118 root,
119 sid);
120 if (!NT_STATUS_IS_OK(status)) {
121 dsdb_acl_debug(sd,
122 token,
124 true,
125 10);
126 ldb_asprintf_errstring(ldb,
127 "dsdb_access: Access check failed on %s",
128 ldb_dn_get_linearized(dn));
129 TALLOC_FREE(sd);
130 TALLOC_FREE(sid);
131 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
133 return LDB_SUCCESS;
136 /* performs an access check from outside the module stack
137 * given the dn of the object to be checked, the required access
138 * guid is either the guid of the extended right, or NULL
141 int dsdb_check_access_on_dn(struct ldb_context *ldb,
142 TALLOC_CTX *mem_ctx,
143 struct ldb_dn *dn,
144 struct security_token *token,
145 uint32_t access_mask,
146 const char *ext_right)
148 int ret;
149 struct GUID guid;
150 struct ldb_result *acl_res;
151 static const char *acl_attrs[] = {
152 "nTSecurityDescriptor",
153 "objectSid",
154 NULL
157 if (ext_right != NULL) {
158 NTSTATUS status = GUID_from_string(ext_right, &guid);
159 if (!NT_STATUS_IS_OK(status)) {
160 return LDB_ERR_OPERATIONS_ERROR;
165 * We need AS_SYSTEM in order to get the nTSecurityDescriptor attribute.
166 * Also the result of this search not controlled by the client
167 * nor is the result exposed to the client.
169 ret = dsdb_search_dn(ldb, mem_ctx, &acl_res, dn, acl_attrs,
170 DSDB_FLAG_AS_SYSTEM | DSDB_SEARCH_SHOW_RECYCLED);
171 if (ret != LDB_SUCCESS) {
172 DEBUG(10,("access_check: failed to find object %s\n", ldb_dn_get_linearized(dn)));
173 return ret;
176 return dsdb_check_access_on_dn_internal(ldb, acl_res,
177 mem_ctx,
178 token,
180 access_mask,
181 ext_right ? &guid : NULL);