Author: gd Date: 2007-07-11 09:39:08 +0000 (Wed, 11 Jul 2007) New Revision: 23826
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=23826 Log: Fix gpo security filtering by matching the security descriptor ace's for the extended apply group policy right. Guenther Modified: branches/SAMBA_3_2/source/include/ads.h branches/SAMBA_3_2/source/include/rpc_secdes.h branches/SAMBA_3_2/source/libads/disp_sec.c branches/SAMBA_3_2/source/libgpo/gpo_sec.c branches/SAMBA_3_2_0/source/include/ads.h branches/SAMBA_3_2_0/source/include/rpc_secdes.h branches/SAMBA_3_2_0/source/libads/disp_sec.c branches/SAMBA_3_2_0/source/libgpo/gpo_sec.c Changeset: Modified: branches/SAMBA_3_2/source/include/ads.h =================================================================== --- branches/SAMBA_3_2/source/include/ads.h 2007-07-11 08:43:08 UTC (rev 23825) +++ branches/SAMBA_3_2/source/include/ads.h 2007-07-11 09:39:08 UTC (rev 23826) @@ -341,4 +341,7 @@ int val; int critical; } ads_control; + +#define ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY "edacfd8f-ffb3-11d1-b41d-00a0c968f939" + #endif /* _INCLUDE_ADS_H_ */ Modified: branches/SAMBA_3_2/source/include/rpc_secdes.h =================================================================== --- branches/SAMBA_3_2/source/include/rpc_secdes.h 2007-07-11 08:43:08 UTC (rev 23825) +++ branches/SAMBA_3_2/source/include/rpc_secdes.h 2007-07-11 09:39:08 UTC (rev 23826) @@ -37,7 +37,6 @@ #define SEC_RIGHTS_EXTENDED 0x100 /* change/reset password, receive/send as*/ #define SEC_RIGHTS_CHANGE_PASSWD SEC_RIGHTS_EXTENDED #define SEC_RIGHTS_RESET_PASSWD SEC_RIGHTS_EXTENDED -#define SEC_RIGHTS_APPLY_GROUP_POLICY SEC_RIGHTS_EXTENDED #define SEC_RIGHTS_FULL_CTRL 0xf01ff #define SEC_ACE_OBJECT_PRESENT 0x00000001 /* thanks for Jim McDonough <[EMAIL PROTECTED]> */ Modified: branches/SAMBA_3_2/source/libads/disp_sec.c =================================================================== --- branches/SAMBA_3_2/source/libads/disp_sec.c 2007-07-11 08:43:08 UTC (rev 23825) +++ branches/SAMBA_3_2/source/libads/disp_sec.c 2007-07-11 09:39:08 UTC (rev 23826) @@ -46,8 +46,6 @@ {SEC_RIGHTS_CHANGE_PASSWD, "[Change Password]"}, {SEC_RIGHTS_RESET_PASSWD, "[Reset Password]"}, - {SEC_RIGHTS_APPLY_GROUP_POLICY, "[Apply Group Policy]"}, - {0, 0} }; Modified: branches/SAMBA_3_2/source/libgpo/gpo_sec.c =================================================================== --- branches/SAMBA_3_2/source/libgpo/gpo_sec.c 2007-07-11 08:43:08 UTC (rev 23825) +++ branches/SAMBA_3_2/source/libgpo/gpo_sec.c 2007-07-11 09:39:08 UTC (rev 23826) @@ -19,33 +19,60 @@ #include "includes.h" - /* When modifiying security filtering with gpmc.msc (on w2k3) the - * following ACE is created in the DACL: +/**************************************************************** +****************************************************************/ -------- ACE (type: 0x05, flags: 0x02, size: 0x38, mask: 0x100, object flags: 0x1) -access SID: $SID -access type: ALLOWED OBJECT -Permissions: - [Apply Group Policy] (0x00000100) +static BOOL gpo_sd_check_agp_object_guid(const struct security_ace_object *object) +{ + struct GUID ext_right_apg_guid; + NTSTATUS status; -------- ACE (type: 0x00, flags: 0x02, size: 0x24, mask: 0x20014) -access SID: $SID -access type: ALLOWED -Permissions: - [List Contents] (0x00000004) - [Read All Properties] (0x00000010) - [Read Permissions] (0x00020000) + if (!object) { + return False; + } - * by default all "Authenticated Users" (S-1-5-11) have an ALLOW - * OBJECT ace with SEC_RIGHTS_APPLY_GROUP_POLICY mask */ + status = GUID_from_string(ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY, + &ext_right_apg_guid); + if (!NT_STATUS_IS_OK(status)) { + return False; + } + switch (object->flags) { + case SEC_ACE_OBJECT_PRESENT: + if (GUID_equal(&object->type.type, + &ext_right_apg_guid)) { + return True; + } + case SEC_ACE_OBJECT_INHERITED_PRESENT: + if (GUID_equal(&object->inherited_type.inherited_type, + &ext_right_apg_guid)) { + return True; + } + default: + break; + } + return False; +} + /**************************************************************** ****************************************************************/ +static BOOL gpo_sd_check_agp_object(const SEC_ACE *ace) +{ + if (sec_ace_object(ace->type)) { + return gpo_sd_check_agp_object_guid(&ace->object.object); + } + + return False; +} + +/**************************************************************** +****************************************************************/ + static BOOL gpo_sd_check_agp_access_bits(uint32 access_mask) { - return (access_mask & SEC_RIGHTS_APPLY_GROUP_POLICY); + return (access_mask & SEC_RIGHTS_EXTENDED); } #if 0 @@ -93,7 +120,8 @@ static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace, const struct GPO_SID_TOKEN *token) { - if (gpo_sd_check_agp_access_bits(ace->access_mask) && + if (gpo_sd_check_agp_object(ace) && + gpo_sd_check_agp_access_bits(ace->access_mask) && gpo_sd_check_trustee_in_sid_token(&ace->trustee, token)) { DEBUG(10,("gpo_sd_check_ace_denied_object: Access denied as of ace for %s\n", sid_string_static(&ace->trustee))); @@ -109,7 +137,8 @@ static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace, const struct GPO_SID_TOKEN *token) { - if (gpo_sd_check_agp_access_bits(ace->access_mask) && + if (gpo_sd_check_agp_object(ace) && + gpo_sd_check_agp_access_bits(ace->access_mask) && gpo_sd_check_trustee_in_sid_token(&ace->trustee, token)) { DEBUG(10,("gpo_sd_check_ace_allowed_object: Access granted as of ace for %s\n", sid_string_static(&ace->trustee))); Modified: branches/SAMBA_3_2_0/source/include/ads.h =================================================================== --- branches/SAMBA_3_2_0/source/include/ads.h 2007-07-11 08:43:08 UTC (rev 23825) +++ branches/SAMBA_3_2_0/source/include/ads.h 2007-07-11 09:39:08 UTC (rev 23826) @@ -341,4 +341,7 @@ int val; int critical; } ads_control; + +#define ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY "edacfd8f-ffb3-11d1-b41d-00a0c968f939" + #endif /* _INCLUDE_ADS_H_ */ Modified: branches/SAMBA_3_2_0/source/include/rpc_secdes.h =================================================================== --- branches/SAMBA_3_2_0/source/include/rpc_secdes.h 2007-07-11 08:43:08 UTC (rev 23825) +++ branches/SAMBA_3_2_0/source/include/rpc_secdes.h 2007-07-11 09:39:08 UTC (rev 23826) @@ -37,7 +37,6 @@ #define SEC_RIGHTS_EXTENDED 0x100 /* change/reset password, receive/send as*/ #define SEC_RIGHTS_CHANGE_PASSWD SEC_RIGHTS_EXTENDED #define SEC_RIGHTS_RESET_PASSWD SEC_RIGHTS_EXTENDED -#define SEC_RIGHTS_APPLY_GROUP_POLICY SEC_RIGHTS_EXTENDED #define SEC_RIGHTS_FULL_CTRL 0xf01ff #define SEC_ACE_OBJECT_PRESENT 0x00000001 /* thanks for Jim McDonough <[EMAIL PROTECTED]> */ Modified: branches/SAMBA_3_2_0/source/libads/disp_sec.c =================================================================== --- branches/SAMBA_3_2_0/source/libads/disp_sec.c 2007-07-11 08:43:08 UTC (rev 23825) +++ branches/SAMBA_3_2_0/source/libads/disp_sec.c 2007-07-11 09:39:08 UTC (rev 23826) @@ -46,8 +46,6 @@ {SEC_RIGHTS_CHANGE_PASSWD, "[Change Password]"}, {SEC_RIGHTS_RESET_PASSWD, "[Reset Password]"}, - {SEC_RIGHTS_APPLY_GROUP_POLICY, "[Apply Group Policy]"}, - {0, 0} }; Modified: branches/SAMBA_3_2_0/source/libgpo/gpo_sec.c =================================================================== --- branches/SAMBA_3_2_0/source/libgpo/gpo_sec.c 2007-07-11 08:43:08 UTC (rev 23825) +++ branches/SAMBA_3_2_0/source/libgpo/gpo_sec.c 2007-07-11 09:39:08 UTC (rev 23826) @@ -19,33 +19,60 @@ #include "includes.h" - /* When modifiying security filtering with gpmc.msc (on w2k3) the - * following ACE is created in the DACL: +/**************************************************************** +****************************************************************/ -------- ACE (type: 0x05, flags: 0x02, size: 0x38, mask: 0x100, object flags: 0x1) -access SID: $SID -access type: ALLOWED OBJECT -Permissions: - [Apply Group Policy] (0x00000100) +static BOOL gpo_sd_check_agp_object_guid(const struct security_ace_object *object) +{ + struct GUID ext_right_apg_guid; + NTSTATUS status; -------- ACE (type: 0x00, flags: 0x02, size: 0x24, mask: 0x20014) -access SID: $SID -access type: ALLOWED -Permissions: - [List Contents] (0x00000004) - [Read All Properties] (0x00000010) - [Read Permissions] (0x00020000) + if (!object) { + return False; + } - * by default all "Authenticated Users" (S-1-5-11) have an ALLOW - * OBJECT ace with SEC_RIGHTS_APPLY_GROUP_POLICY mask */ + status = GUID_from_string(ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY, + &ext_right_apg_guid); + if (!NT_STATUS_IS_OK(status)) { + return False; + } + switch (object->flags) { + case SEC_ACE_OBJECT_PRESENT: + if (GUID_equal(&object->type.type, + &ext_right_apg_guid)) { + return True; + } + case SEC_ACE_OBJECT_INHERITED_PRESENT: + if (GUID_equal(&object->inherited_type.inherited_type, + &ext_right_apg_guid)) { + return True; + } + default: + break; + } + return False; +} + /**************************************************************** ****************************************************************/ +static BOOL gpo_sd_check_agp_object(const SEC_ACE *ace) +{ + if (sec_ace_object(ace->type)) { + return gpo_sd_check_agp_object_guid(&ace->object.object); + } + + return False; +} + +/**************************************************************** +****************************************************************/ + static BOOL gpo_sd_check_agp_access_bits(uint32 access_mask) { - return (access_mask & SEC_RIGHTS_APPLY_GROUP_POLICY); + return (access_mask & SEC_RIGHTS_EXTENDED); } #if 0 @@ -93,7 +120,8 @@ static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace, const struct GPO_SID_TOKEN *token) { - if (gpo_sd_check_agp_access_bits(ace->access_mask) && + if (gpo_sd_check_agp_object(ace) && + gpo_sd_check_agp_access_bits(ace->access_mask) && gpo_sd_check_trustee_in_sid_token(&ace->trustee, token)) { DEBUG(10,("gpo_sd_check_ace_denied_object: Access denied as of ace for %s\n", sid_string_static(&ace->trustee))); @@ -109,7 +137,8 @@ static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace, const struct GPO_SID_TOKEN *token) { - if (gpo_sd_check_agp_access_bits(ace->access_mask) && + if (gpo_sd_check_agp_object(ace) && + gpo_sd_check_agp_access_bits(ace->access_mask) && gpo_sd_check_trustee_in_sid_token(&ace->trustee, token)) { DEBUG(10,("gpo_sd_check_ace_allowed_object: Access granted as of ace for %s\n", sid_string_static(&ace->trustee)));