The branch, master has been updated
       via  abc0030 dsdb: Fix warning about unused var
       via  c52408f dsdb: Explain ordering constraints on the ACL module as well.
       via  8f078cd dsdb: Ensure "authenticated users" is processed for group memberships
       via  d36c030 libcli/security: remove useless if (root->num_of_children > 0) statements
       via  853ecd4 libcli/security: add init_mask to existing children in insert_in_object_tree
       via  5b4e3de libcli/security: handle node initialisation in one spot in insert_in_object_tree()
       via  a359aef libcli/security: avoid usage of dom_sid_parse_talloc() in sec_access_check_ds()
       via  a3fffde libcli/security: simplify get_ace_object_type()
       via  b0f731f libcli/security: fix formatting in access_check.c
       via  10a90ce libcli/security: fix whitespaces in access_check.c
       via  0ebb937 dsdb-acl: the SEC_ADS_DELETE_CHILD checks need objectclass->schemaIDGUID
       via  8f8d97f dsdb-acl: make use of acl_check_access_on_objectclass() for the object in acl_delete()
       via  8aa8555 dsdb-acl: make use of acl_check_access_on_{attribute,objectclass} in acl_rename()
       via  8d31e42 dsdb-acl: make use of acl_check_access_on_attribute() in acl_modify()
       via  8e47e64 dsdb-acl: remove unused acl_check_access_on_class()
       via  34f1a52 dsdb-acl: use acl_check_access_on_objectclass() instead of acl_check_access_on_class()
       via  6a4063f dsdb-acl: Use the structural objectClass in acl_check_access_on_attribute()
       via  e8cc59e dsdb-acl: Pass the structural objectClass into acl_check_access_on_attribute
       via  93944ea dsdb-acl: Remove unused get_oc_guid_from_message()
       via  a1b421e dsdb-acl: ask for the objectClass attribute if it's not in the scope of the client's search
       via  6ab4150 dsdb-acl: use dsdb_get_structural_oc_from_msg() rather than class_schemaid_guid_by_lDAPDisplayName
       via  7304339 dsdb-acl: Use dsdb_get_structural_oc_from_msg() in acl_rename()
       via  6d7e53a dsdb-acl: Use dsdb_get_structural_oc_from_msg() in acl_modify()
       via  097fae2 dsdb-acl: add acl_check_access_on_objectclass() helper
       via  74bfec0 dsdb-acl: Add helper function dsdb_get_structural_oc_from_msg()
       via  2685a4e dsdb-acl: attr is not optional to acl_check_access_on_attribute()
       via  d695b8a dsdb-acl: dsdb_attribute_by_lDAPDisplayName() is needed for all attributes
       via  ddfb8fe dsdb-acl: introduce an 'el' helper variable to acl_modify()
       via  71b856a dsdb-acl: introduce a 'msg' helper variable to acl_modify()
       via  c2853f5 dsdb-schema: make sure we build [system]PossibleInferiors completely
       via  1f673bf dsdb-schema: make sure we use clean caches in schema_inferiors.c
       via  c4b9ee2 dsdb-schema: make schema_subclasses_order_recurse() static
      from  58fadf2 BUG 9474: Downgrade v4 printer driver requests to v3.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit abc0030f780b775bf7656b572ee754ebd8079b5d
Author: Matthieu Patou <m...@matws.net>
Date:   Sat Dec 29 16:43:44 2012 -0800

    dsdb: Fix warning about unused var

    Reviewed-by: Stefan Metzmacher <me...@samba.org>

    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Mon Jan 21 17:51:16 CET 2013 on sn-devel-104

commit c52408f461fb3515cde17eebb458b566fd0a049c
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Jan 2 09:27:51 2013 +1100

    dsdb: Explain ordering constraints on the ACL module as well.

    Andrew Bartlett

    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8f078cdf247476fad511bb6d7e00c8654fd26e85
Author: Andrew Bartlett <abart...@samba.org>
Date:   Sat Dec 29 15:13:54 2012 +1100

    dsdb: Ensure "authenticated users" is processed for group memberships

    This change moves the addition of "Authenticated Users" from the very
    end of the token processing to the start.

    The reason is that we need to see if "Authenticated Users" is a member
    of other builtin groups, just as we would for any other SID.

    This picks up the "Pre-Windows 2000 Compatible Access" group, which is
    in turn often used in ACLs on LDAP objects.

    Without this change, the eventual token does not contain S-1-5-32-554
    and users other than "Administrator" are unable to read uidNumber (in
    particular).

    Andrew Bartlett

    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d36c03056fb85dfedbafd3a59497e35db63ade17
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Jan 3 21:30:12 2013 +1100

    libcli/security: remove useless if (root->num_of_children > 0) statements

    The for loop does this implicitly when comparing
    for (i = 0; i < root->num_of_children; i++)

    Andrew Bartlett

    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 853ecd418afe15973d3e8844ad0e01d3d54536d5
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jan 15 19:03:00 2013 +0100

    libcli/security: add init_mask to existing children in insert_in_object_tree

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 5b4e3de2bb25eeb85d72a886386c853cea3e9468
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Jan 3 20:40:32 2013 +1100

    libcli/security: handle node initialisation in one spot in insert_in_object_tree()

    This removes special-case for initialising the children array in
    insert_in_object_tree(). talloc_realloc() handles the initial allocate
    case perfectly well, so there is no need to have this duplicated.

    This also restores having just one place where the rest of the elements
    are initialised, to ensure uniform behaviour.

    To do this, we have to rework insert_in_object_tree to have only one
    output variable, both because having both root and new_node as output
    variables was too confusing, and because otherwise the two pointers
    were being allowed to point at the same memory.

    Andrew Bartlett

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a359aef0837781c42bf9dbcdd069796c72cc94c7
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Jan 16 09:49:20 2013 +0100

    libcli/security: avoid usage of dom_sid_parse_talloc() in sec_access_check_ds()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a3fffde368fa0c6594f7fd5309e0b20d3fa7c68e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Jan 16 10:05:56 2013 +0100

    libcli/security: simplify get_ace_object_type()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b0f731fc3b96edf91216829bd0dc63bb4269f458
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Jan 16 09:46:48 2013 +0100

    libcli/security: fix formatting in access_check.c

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 10a90ce8422ac4ff4461b13a3dd03bbcd9bd2258
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Jan 16 09:43:44 2013 +0100

    libcli/security: fix whitespaces in access_check.c

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0ebb93708eb377e29eaaf4400c65399d18c229b6
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Jan 17 16:22:09 2013 +0100

    dsdb-acl: the SEC_ADS_DELETE_CHILD checks need objectclass->schemaIDGUID

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8f8d97f9fe05b2de1403676a148ab7b90a83812b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Jan 17 16:21:10 2013 +0100

    dsdb-acl: make use of acl_check_access_on_objectclass() for the object in acl_delete()

    We should only use dsdb_module_check_access_on_dn() on the parent.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8aa855573067418c84f71aa3a20e5f472343851d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Jan 16 16:43:14 2013 +0100

    dsdb-acl: make use of acl_check_access_on_{attribute,objectclass} in acl_rename()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8d31e42eed71e9686b03c496eeff1ff96a6742ea
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Jan 16 16:41:51 2013 +0100

    dsdb-acl: make use of acl_check_access_on_attribute() in acl_modify()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8e47e64f5d73441b6eb13d59001d52ec77c1c7d5
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Jan 16 16:36:07 2013 +0100

    dsdb-acl: remove unused acl_check_access_on_class()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 34f1a52689f4cc64fb63118e685a4442e3fe187a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Jan 16 16:35:33 2013 +0100

    dsdb-acl: use acl_check_access_on_objectclass() instead of acl_check_access_on_class()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6a4063f30273ff184364f276c5206c3507f37644
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Jan 2 15:01:23 2013 +1100

    dsdb-acl: Use the structural objectClass in acl_check_access_on_attribute()

    This commit enters the GUID into the object tree so that access rights
    assigned to the structural objectClass are also available, as well as
    rights assigned to the attribute property groups.

    Andrew Bartlett

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e8cc59eb781006c6193249128a1ffc4bcba8f28a
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Jan 2 15:01:00 2013 +1100

    dsdb-acl: Pass the structural objectClass into acl_check_access_on_attribute

    This will, when the GUID is entered into the object tree (not in this
    commit) ensure that access rights assigned to the structural objectClass
    are also available, as well as rights assigned to the attribute property
    groups.

    Andrew Bartlett

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 93944ea90069df5379993f5c186ffd68e166f1c4
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Jan 2 14:55:36 2013 +1100

    dsdb-acl: Remove unused get_oc_guid_from_message()

    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a1b421e8cca24a5831f4c6d77714cf54faf8c48e
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Jan 2 15:01:00 2013 +1100

    dsdb-acl: ask for the objectClass attribute if it's not in the scope of the client's search

    This will be used later.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6ab41506857814d69d897471a14002d98fb4c172
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Jan 2 09:26:15 2013 +1100

    dsdb-acl: use dsdb_get_structural_oc_from_msg() rather than class_schemaid_guid_by_lDAPDisplayName

    This uses dsdb_get_last_structural_objectclass(), which encodes this
    ordering knowledge in one place in the code, rather than using this
    uncommented magic expression:

    (char *)oc_el->values[oc_el->num_values-1].data

    Andrew Bartlett

    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 730433984c9f3dd30ee0b07dc22af56b4d3a062f
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Jan 2 14:54:20 2013 +1100

    dsdb-acl: Use dsdb_get_structural_oc_from_msg() in acl_rename()

    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6d7e53aaac8c95f86e1eb8593880ae1c09d973d4
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Jan 2 14:53:02 2013 +1100

    dsdb-acl: Use dsdb_get_structural_oc_from_msg() in acl_modify()

    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 097fae2d1d6ae04a7bfc795803f200b6f703a904
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Jan 16 16:34:56 2013 +0100

    dsdb-acl: add acl_check_access_on_objectclass() helper

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 74bfec026921fcfc430fb7cfaee44ed75f135a99
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Jan 2 14:52:21 2013 +1100

    dsdb-acl: Add helper function dsdb_get_structural_oc_from_msg()

    This will eventually replace get_oc_guid_from_message(), returning the
    full dsdb_class.

    Andrew Bartlett

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2685a4ed6681b1a20fb26087867737ecbf8fad73
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Jan 16 11:45:46 2013 +0100

    dsdb-acl: attr is not optional to acl_check_access_on_attribute()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d695b8abc7a2e4f7e1853d0c61fe0c03fc786111
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Jan 16 16:39:35 2013 +0100

    dsdb-acl: dsdb_attribute_by_lDAPDisplayName() is needed for all attributes

    "clearTextPassword" is the only exception.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ddfb8fe89c493c485250d59868312614c79a9cc1
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jan 18 09:17:25 2013 +0100

    dsdb-acl: introduce an 'el' helper variable to acl_modify()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 71b856a3f08fbd095833c27c59d7ed382be70d2a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jan 18 09:17:25 2013 +0100

    dsdb-acl: introduce a 'msg' helper variable to acl_modify()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c2853f55fc603d4875bb1e50a1cbf409df0421ea
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Jan 17 14:41:39 2013 +0100

    dsdb-schema: make sure we build [system]PossibleInferiors completely

    Otherwise callers like dsdb_schema_copy_shallow() will corrupt the
    talloc hierarchy.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1f673bf9209405dfa2593859bbc45d1c6dc2a960
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Jan 17 14:40:24 2013 +0100

    dsdb-schema: make sure we use clean caches in schema_inferiors.c
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c4b9ee255814b8121d13e33cd9b0cd7c093d736c
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Jan 17 14:14:37 2013 +0100

    dsdb-schema: make schema_subclasses_order_recurse() static

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 libcli/security/access_check.c                   | 206 +++++-----
 libcli/security/access_check.h                   |   8 +-
 libcli/security/object_tree.c                    |  80 ++--
 source4/auth/session.c                           |  44 ++-
 source4/dsdb/common/dsdb_access.c                |   5 +-
 source4/dsdb/common/util_groups.c                |  25 ++
 source4/dsdb/samdb/ldb_modules/acl.c             | 478 +++++++++++-----------
 source4/dsdb/samdb/ldb_modules/acl_read.c        |  32 ++-
 source4/dsdb/samdb/ldb_modules/acl_util.c        |  95 +++--
 source4/dsdb/samdb/ldb_modules/extended_dn_out.c |   2 -
 source4/dsdb/samdb/ldb_modules/samba_dsdb.c      |   4 +-
 source4/dsdb/samdb/ldb_modules/util.c            |  13 +
 source4/dsdb/samdb/samdb.c                       |  31 --
 source4/dsdb/schema/schema.h                     |  11 +-
 source4/dsdb/schema/schema_inferiors.c           |  59 ++--
 15 files changed, 592 insertions(+), 501 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c index 70345f5..f0a7b66 100644 --- a/libcli/security/access_check.c +++ b/libcli/security/access_check.c @@ -367,15 +367,11 @@ NTSTATUS se_file_access_check(const struct security_descriptor *sd, static const struct GUID *get_ace_object_type(struct security_ace *ace) { - struct GUID *type; - - if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) - type = &ace->object.object.type.type; - else - type = NULL; - - return type; + if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) { + return &ace->object.object.type.type; + } + return NULL; } /* modified access check for the purposes of DS security
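Review bot: in the get_ace_object_type() hunk of access_check.c, the function now only reads through `ace` and returns a `const struct GUID *`, so the parameter can be `const struct security_ace *ace` as well; that lets sec_access_check_ds() pass ACEs from a `const` descriptor without the non-const parameter looking like a write.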
@@ -389,31 +385,32 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd, struct object_tree *tree, struct dom_sid *replace_sid) { - uint32_t i; - uint32_t bits_remaining; - struct object_tree *node; - const struct GUID *type; - struct dom_sid *ps_sid = dom_sid_parse_talloc(NULL, SID_NT_SELF); - - *access_granted = access_desired; - bits_remaining = access_desired; - - /* handle the maximum allowed flag */ - if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) { - access_desired |= access_check_max_allowed(sd, token); - access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED; - *access_granted = access_desired; + uint32_t i; + uint32_t bits_remaining; + struct object_tree *node; + const struct GUID *type; + struct dom_sid self_sid; + + dom_sid_parse(SID_NT_SELF, &self_sid); + + *access_granted = access_desired; + bits_remaining = access_desired; + + /* handle the maximum allowed flag */ + if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) { + access_desired |= access_check_max_allowed(sd, token); + access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED; + *access_granted = access_desired; bits_remaining = access_desired; - } + } - if (access_desired & SEC_FLAG_SYSTEM_SECURITY) { - if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) { - bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY; - } else { - talloc_free(ps_sid); - return NT_STATUS_PRIVILEGE_NOT_HELD; - } - } + if (access_desired & SEC_FLAG_SYSTEM_SECURITY) { + if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) { + bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY; + } else { + return NT_STATUS_PRIVILEGE_NOT_HELD; + } + } /* the owner always gets SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL */ if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL)) && 
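Review bot: in the first sec_access_check_ds() hunk (@@ -389,31 +385,32 @@), the result of `dom_sid_parse(SID_NT_SELF, &self_sid)` is discarded, so on failure `self_sid` would be compared against every trustee while uninitialised. The session.c hunk in this same patch checks the same call (`if (!dom_sid_parse(...)) { return NT_STATUS_INTERNAL_ERROR; }`); doing the same here keeps both call sites consistent, even though a constant SID string will not realistically fail to parse.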
@@ -431,88 +428,89 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd, bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP); } - /* a NULL dacl allows access */ - if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) { - *access_granted = access_desired; - talloc_free(ps_sid); - return NT_STATUS_OK; - } + /* a NULL dacl allows access */ + if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) { + *access_granted = access_desired; + return NT_STATUS_OK; + } - if (sd->dacl == NULL) { - goto done; - } + if (sd->dacl == NULL) { + goto done; + } - /* check each ace in turn. */ - for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) { + /* check each ace in turn. */ + for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) { struct dom_sid *trustee; struct security_ace *ace = &sd->dacl->aces[i]; - if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) { - continue; - } - if (dom_sid_equal(&ace->trustee, ps_sid) && replace_sid) { - trustee = replace_sid; + if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) { + continue; } - else - { + + if (dom_sid_equal(&ace->trustee, &self_sid) && replace_sid) { + trustee = replace_sid; + } else { trustee = &ace->trustee; } - if (!security_token_has_sid(token, trustee)) { - continue; - } - - switch (ace->type) { - case SEC_ACE_TYPE_ACCESS_ALLOWED: - if (tree) - object_tree_modify_access(tree, ace->access_mask); - - bits_remaining &= ~ace->access_mask; - break; - case SEC_ACE_TYPE_ACCESS_DENIED: - if (bits_remaining & ace->access_mask) { - talloc_free(ps_sid); - return NT_STATUS_ACCESS_DENIED; - } - break; - case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: - case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: - /* check only in case we have provided a tree, - * the ACE has an object type and that type - * is in the tree */ - type = get_ace_object_type(ace); - - if (!tree) - continue; - - if (!type) - node = tree; - else - if (!(node = get_object_tree_by_GUID(tree, type))) - continue; - - if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) { - 
object_tree_modify_access(node, ace->access_mask); - if (node->remaining_access == 0) { - talloc_free(ps_sid); - return NT_STATUS_OK; - } - } else { - if (node->remaining_access & ace->access_mask){ - talloc_free(ps_sid); - return NT_STATUS_ACCESS_DENIED; - } - } - break; - default: /* Other ACE types not handled/supported */ - break; - } - } + + if (!security_token_has_sid(token, trustee)) { + continue; + } + + switch (ace->type) { + case SEC_ACE_TYPE_ACCESS_ALLOWED: + if (tree) { + object_tree_modify_access(tree, ace->access_mask); + } + + bits_remaining &= ~ace->access_mask; + break; + case SEC_ACE_TYPE_ACCESS_DENIED: + if (bits_remaining & ace->access_mask) { + return NT_STATUS_ACCESS_DENIED; + } + break; + case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: + case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: + /* + * check only in case we have provided a tree, + * the ACE has an object type and that type + * is in the tree + */ + type = get_ace_object_type(ace); + + if (!tree) { + continue; + } + + if (!type) { + node = tree; + } else { + if (!(node = get_object_tree_by_GUID(tree, type))) { + continue; + } + } + + if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) { + object_tree_modify_access(node, ace->access_mask); + if (node->remaining_access == 0) { + return NT_STATUS_OK; + } + } else { + if (node->remaining_access & ace->access_mask){ + return NT_STATUS_ACCESS_DENIED; + } + } + break; + default: /* Other ACE types not handled/supported */ + break; + } + } done: - talloc_free(ps_sid); - if (bits_remaining != 0) { - return NT_STATUS_ACCESS_DENIED; - } + if (bits_remaining != 0) { + return NT_STATUS_ACCESS_DENIED; + } - return NT_STATUS_OK; + return NT_STATUS_OK; } diff --git a/libcli/security/access_check.h b/libcli/security/access_check.h index 84b2e5f..952589d 100644 --- a/libcli/security/access_check.h +++ b/libcli/security/access_check.h 
@@ -77,10 +77,10 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd, struct dom_sid *replace_sid); bool insert_in_object_tree(TALLOC_CTX *mem_ctx, - const struct GUID *guid, - uint32_t init_access, - struct object_tree **root, - struct object_tree **new_node); + const struct GUID *guid, + uint32_t init_access, + struct object_tree *root, + struct object_tree **new_node_out); /* search by GUID */ struct object_tree *get_object_tree_by_GUID(struct object_tree *root, diff --git a/libcli/security/object_tree.c b/libcli/security/object_tree.c index dcbd310..3e5ee10 100644 --- a/libcli/security/object_tree.c +++ b/libcli/security/object_tree.c 
@@ -38,52 +38,52 @@ */ bool insert_in_object_tree(TALLOC_CTX *mem_ctx, - const struct GUID *guid, - uint32_t init_access, - struct object_tree **root, - struct object_tree **new_node) + const struct GUID *guid, + uint32_t init_access, + struct object_tree *root, + struct object_tree **new_node_out) { + struct object_tree *new_node; + if (!guid || GUID_all_zero(guid)){ return true; } - if (!*root){ - *root = talloc_zero(mem_ctx, struct object_tree); - if (!*root) { + if (!root) { + root = talloc_zero(mem_ctx, struct object_tree); + if (!root) { return false; } - (*root)->guid = *guid; - (*root)->remaining_access = init_access; - *new_node = *root; - return true; - } - - if (!(*root)->children) { - (*root)->children = talloc_array(mem_ctx, struct object_tree, 1); - (*root)->children[0].guid = *guid; - (*root)->children[0].num_of_children = 0; - (*root)->children[0].children = NULL; - (*root)->num_of_children++; - (*root)->children[0].remaining_access = init_access; - *new_node = &((*root)->children[0]); - return true; - } - else { + new_node = root; + } else { int i; - for (i = 0; i < (*root)->num_of_children; i++) { - if (GUID_equal(&((*root)->children[i].guid), guid)) { - *new_node = &((*root)->children[i]); + + for (i = 0; i < root->num_of_children; i++) { + if (GUID_equal(&root->children[i].guid, guid)) { + new_node = &root->children[i]; + new_node->remaining_access |= init_access; + *new_node_out = new_node; return true; } } - (*root)->children = talloc_realloc(mem_ctx, (*root)->children, struct object_tree, - (*root)->num_of_children +1); - (*root)->children[(*root)->num_of_children].guid = *guid; - (*root)->children[(*root)->num_of_children].remaining_access = init_access; - *new_node = &((*root)->children[(*root)->num_of_children]); - (*root)->num_of_children++; - return true; + + root->children = talloc_realloc(mem_ctx, root->children, + struct object_tree, + root->num_of_children + 1); + if (!root->children) { + return false; + } + new_node = 
&root->children[root->num_of_children]; + root->num_of_children++; } + + new_node->children = NULL; + new_node->guid = *guid; + new_node->remaining_access = init_access; + new_node->num_of_children = 0; + + *new_node_out = new_node; + return true; } /* search by GUID */ @@ -97,11 +97,9 @@ struct object_tree *get_object_tree_by_GUID(struct object_tree *root, result = root; return result; } - else if (root->num_of_children > 0) { - for (i = 0; i < root->num_of_children; i++) { + for (i = 0; i < root->num_of_children; i++) { if ((result = get_object_tree_by_GUID(&root->children[i], guid))) break; - } } return result; } @@ -111,11 +109,9 @@ struct object_tree *get_object_tree_by_GUID(struct object_tree *root, void object_tree_modify_access(struct object_tree *root, uint32_t access_mask) { + int i; root->remaining_access &= ~access_mask; - if (root->num_of_children > 0) { - int i; - for (i = 0; i < root->num_of_children; i++) { - object_tree_modify_access(&root->children[i], access_mask); - } + for (i = 0; i < root->num_of_children; i++) { + object_tree_modify_access(&root->children[i], access_mask); } } diff --git a/source4/auth/session.c b/source4/auth/session.c index de417cc..bb0b5bc 100644 --- a/source4/auth/session.c +++ b/source4/auth/session.c 
@@ -102,22 +102,56 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, sids[i] = user_info_dc->sids[i]; } - if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) { + /* + * Finally add the "standard" sids. + * The only difference between guest and "anonymous" + * is the addition of Authenticated_Users. + */ + + if (session_info_flags & AUTH_SESSION_INFO_DEFAULT_GROUPS) { + sids = talloc_realloc(tmp_ctx, sids, struct dom_sid, num_sids + 2); + NT_STATUS_HAVE_NO_MEMORY(sids); + + if (!dom_sid_parse(SID_WORLD, &sids[num_sids])) { + return NT_STATUS_INTERNAL_ERROR; + } + num_sids++; + + if (!dom_sid_parse(SID_NT_NETWORK, &sids[num_sids])) { + return NT_STATUS_INTERNAL_ERROR; + } + num_sids++; + } + + if (session_info_flags & AUTH_SESSION_INFO_AUTHENTICATED) { + sids = talloc_realloc(tmp_ctx, sids, struct dom_sid, num_sids + 1); + NT_STATUS_HAVE_NO_MEMORY(sids); + + if (!dom_sid_parse(SID_NT_AUTHENTICATED_USERS, &sids[num_sids])) { + return NT_STATUS_INTERNAL_ERROR; + } + num_sids++; + } + + + + if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &sids[PRIMARY_USER_SID_INDEX])) { /* Don't expand nested groups of system, anonymous etc*/ - } else if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) { + } else if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &sids[PRIMARY_USER_SID_INDEX])) { /* Don't expand nested groups of system, anonymous etc*/ } else if (sam_ctx) { filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))", GROUP_TYPE_BUILTIN_LOCAL_GROUP); /* Search for each group in the token */ - for (i = 0; i < user_info_dc->num_sids; i++) { + for (i = 0; i < num_sids; i++) { char *sid_string; const char *sid_dn; DATA_BLOB sid_blob; - + int ret; + sid_string = dom_sid_string(tmp_ctx, - &user_info_dc->sids[i]); + &sids[i]); 
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_string, user_info_dc); sid_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", sid_string); diff --git a/source4/dsdb/common/dsdb_access.c b/source4/dsdb/common/dsdb_access.c index fd75e77..6af5c3a 100644 --- a/source4/dsdb/common/dsdb_access.c +++ b/source4/dsdb/common/dsdb_access.c @@ -93,7 +93,6 @@ int dsdb_check_access_on_dn_internal(struct ldb_context *ldb, struct security_descriptor *sd = NULL; struct dom_sid *sid = NULL; struct object_tree *root = NULL; - struct object_tree *new_node = NULL; NTSTATUS status; uint32_t access_granted; int ret; @@ -108,8 +107,8 @@ int dsdb_check_access_on_dn_internal(struct ldb_context *ldb, } sid = samdb_result_dom_sid(mem_ctx, acl_res->msgs[0], "objectSid"); if (guid) { - if (!insert_in_object_tree(mem_ctx, guid, access_mask, &root, - &new_node)) { + if (!insert_in_object_tree(mem_ctx, guid, access_mask, NULL, + &root)) { return ldb_operr(ldb); } } diff --git a/source4/dsdb/common/util_groups.c b/source4/dsdb/common/util_groups.c index b5aecba..6a96ce8 100644 --- a/source4/dsdb/common/util_groups.c +++ b/source4/dsdb/common/util_groups.c 
@@ -126,6 +126,31 @@ NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx, filter); } + /* + * We have the problem with the caller creating a <SID=S-....> + * DN for ForeignSecurityPrincipals as they also have + * duplicate objects with the SAME SID under CN=Configuration. + * This causes a SID= DN to fail with NO_SUCH_OBJECT on Samba + * and on Windows. So, we allow this to fail, and + * double-check if we can find it with a search in the main + * domain partition. + */ + if (ret == LDB_ERR_NO_SUCH_OBJECT && only_childs) { + char *sid_string = dom_sid_string(tmp_ctx, + &sid); + if (!sid_string) { + talloc_free(tmp_ctx); + return NT_STATUS_OK; + } + + ret = dsdb_search(sam_ctx, tmp_ctx, &res, + ldb_get_default_basedn(sam_ctx), + LDB_SCOPE_SUBTREE, + attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, + "(&(objectClass=foreignSecurityPrincipal)(objectSID=%s))", -- Samba Shared Repository
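Review bot: in the ACE-loop hunk of access_check.c (@@ -431,88 +428,89 @@), `if (node->remaining_access & ace->access_mask){` keeps the missing space before the brace through a series whose subject is "fix formatting"; and the `return NT_STATUS_OK` taken when `node->remaining_access == 0` for an ACCESS_ALLOWED_OBJECT ACE exits without clearing `bits_remaining`, so the function can report success while the non-tree accounting still has bits outstanding. That is pre-existing behaviour carried over from the removed lines, but a comment stating that the object tree is authoritative once one is supplied would stop the next reader from filing it as a bug.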
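Review bot: the access_check.h hunk changes the contract of insert_in_object_tree() (`root` is now passed by value, NULL means "allocate the root", and the created or matched node comes back only through `new_node_out`) but adds no doc comment; a short comment above the prototype describing both modes, and noting that `*new_node_out` is left untouched when `guid` is NULL or all-zero, would spare callers a trip into object_tree.c.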
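Review bot: in the insert_in_object_tree() hunk of object_tree.c (@@ -38,52 +38,52 @@), `talloc_realloc()` of `root->children` may move the array, so a `new_node` pointer handed to a caller by an earlier call (every one of them points into `root->children[]`) becomes dangling as soon as another child is added; this predates the patch, but now that the allocation is consolidated into one place a comment at the realloc, or children allocated as separate talloc objects, would close that trap. The early `return true` for a NULL or all-zero `guid` also leaves `*new_node_out` unset, so callers have to initialise it themselves (dsdb_access.c does, via `root = NULL`).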
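Review bot: in the auth_generate_session_info() hunk of session.c, the new comment "Finally add the 'standard' sids" no longer matches the position of the block, which now runs before the BUILTIN group expansion; since adding them first so they take part in that lookup is the whole point of commit 8f078cd, the comment should say so. The three consecutive `+` blank lines before the anonymous/system check are surplus, and `int ret;` is not used in the visible part of the loop. The new `return NT_STATUS_INTERNAL_ERROR` paths and `NT_STATUS_HAVE_NO_MEMORY(sids)` return without releasing `tmp_ctx`, unlike `NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_string, user_info_dc)` just below; confirm `tmp_ctx` is parented so the caller frees it on those paths.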
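Review bot: in the dsdb_check_access_on_dn_internal() hunks of dsdb_access.c, `insert_in_object_tree(mem_ctx, guid, access_mask, NULL, &root)` relies on `root` starting as NULL (it does, two hunks up) and on `guid` being non-NULL inside `if (guid)`; if `guid` is all-zero the call returns true without touching `root`, and the access check then runs with no object tree. That matches the old `&root, &new_node` behaviour, but with `new_node` gone it is less obvious, so a one-line comment at the call would help.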
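Review bot: in the dsdb_expand_nested_groups() hunk of util_groups.c, an allocation failure in `dom_sid_string()` is answered with `return NT_STATUS_OK`, which silently drops the fallback lookup and therefore any BUILTIN memberships that SID would have contributed to the token; NT_STATUS_NO_MEMORY is the right return, as on the other failure paths. Minor: the filter spells the attribute `objectSID` while the dsdb_access.c hunk uses `objectSid`; ldb matches attribute names case-insensitively, so this is consistency only.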