/*
 * Unix SMB/CIFS implementation.
 * RPC Pipe client / server routines
 * Copyright (C) Andrew Tridgell 1992-1997,
 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
 * Copyright (C) Paul Ashton 1997,
 * Copyright (C) Marc Jacobsen 1999,
 * Copyright (C) Jeremy Allison 2001-2008,
 * Copyright (C) Jean François Micouleau 1998-2001,
 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
 * Copyright (C) Gerald (Jerry) Carter 2003-2004,
 * Copyright (C) Simo Sorce 2003.
 * Copyright (C) Volker Lendecke 2005.
 * Copyright (C) Guenther Deschner 2008.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see <http://www.gnu.org/licenses/>.
 */

#include "includes.h"
#include "system/passwd.h" /* uid_wrapper */
#include "rpc_server/srv_access_check.h"
#include "../libcli/security/security.h"
#include "passdb/machine_sid.h"

#undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_SRV

/*******************************************************************
 Decide whether a caller may open an object and report the access
 level that was granted, for use in later per-operation checks.

 psd           security descriptor of the object being opened.
 token         the caller's NT token.
 needed_priv_1 / needed_priv_2
               privileges that each, on their own, unlock the bits in
               rights_mask. Pass SEC_PRIV_INVALID for "none". Two are
               accepted because SAMR needs two distinct privileges to
               yield exactly the same rights.
 rights_mask   access bits granted by the privileges above, on top of
               whatever the security descriptor yields.
 des_access    access bits the caller asked for.
 acc_granted   out: the bits actually granted.
 debug         caller name, used only in DEBUG output.

 Returns NT_STATUS_OK when access is granted, otherwise the status of
 the security descriptor check (normally NT_STATUS_ACCESS_DENIED).

 Two overrides sit on top of the plain se_access_check():
  - bits in rights_mask are removed from des_access before the ACL
    check when the caller holds one of the privileges, and OR'd back
    into *acc_granted afterwards;
  - a denial from the ACL is overridden outright (every requested bit
    is granted) when the process is running in root mode or the token
    is the system token holding the system privilege.
 *acc_granted is only meaningful when the returned status is OK: on
 the denied path it still has rights_mask OR'd in for privileged
 callers, so check the status before relying on it.
********************************************************************/

NTSTATUS access_check_object( struct security_descriptor *psd, struct security_token *token,
			      enum sec_privilege needed_priv_1, enum sec_privilege needed_priv_2,
			      uint32_t rights_mask,
			      uint32_t des_access, uint32_t *acc_granted,
			      const char *debug )
{
	/* System token carrying the system privilege. */
	const bool is_system = security_token_is_system(token) &&
			       security_token_system_privilege(token);
	/* Process still runs as its initial (root) uid. */
	const bool is_root = root_mode();
	bool priv_granted = false;
	NTSTATUS status;

	/*
	 * Privilege check. Certain SAM access bits (mostly those for
	 * creating/modifying/deleting users and groups) are overridden
	 * by privileges: strip them from the ACL check now and add them
	 * back unconditionally at the end.
	 */
	if ((needed_priv_1 != SEC_PRIV_INVALID && security_token_has_privilege(token, needed_priv_1)) ||
	    (needed_priv_2 != SEC_PRIV_INVALID && security_token_has_privilege(token, needed_priv_2))) {
		priv_granted = true;
		/* Equivalent to clearing (des_access & rights_mask). */
		des_access &= ~rights_mask;

		DEBUG(4,("access_check_object: user rights access mask [0x%x]\n",
			rights_mask));
	}

	/* The security descriptor decides first. */
	status = se_access_check(psd, token, des_access, acc_granted);

	/*
	 * Root-mode and system-token override: an ACL denial is turned
	 * into a full grant of the (privilege-reduced) request. This is
	 * deliberately logged at the same level as ordinary decisions.
	 */
	if (!NT_STATUS_IS_OK(status) && (is_system || is_root)) {
		DEBUG(4,
		      ("%s: ACCESS should be DENIED (requested: %#010x)\n"
		       "but overritten by %s\n",
		       debug,
		       des_access,
		       is_root ? "euid == initial uid" : "system token"));

		priv_granted = true;
		*acc_granted = des_access;
		status = NT_STATUS_OK;
	}

	/*
	 * Re-add the privilege-backed bits. This happens regardless of
	 * status; callers must look at status before using *acc_granted.
	 */
	if (priv_granted) {
		*acc_granted |= rights_mask;
	}

	DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n",
		debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED",
		des_access, *acc_granted));

	return status;
}


/*******************************************************************
 Helper for map_max_allowed_access(): true when the caller is to be
 treated as a full-access principal for a MAXIMUM_ALLOWED request.

 Grounds, in order: the unix uid is the server's initial uid (root),
 the NT token carries BUILTIN\Administrators or BUILTIN\Account
 Operators, or (on a DC only) the token carries DOMAIN\Domain Admins.
 Privileges are not consulted yet (see the TODO below).
********************************************************************/

static bool max_allowed_is_full_access(const struct security_token *nt_token,
				       const struct security_unix_token *unix_token)
{
	/* root gets anything. */
	if (unix_token->uid == sec_initial_uid()) {
		return true;
	}

	/* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
	if (security_token_has_sid(nt_token, &global_sid_Builtin_Administrators) ||
	    security_token_has_sid(nt_token, &global_sid_Builtin_Account_Operators)) {
		return true;
	}

	/* Full access for DOMAIN\Domain Admins. */
	if ( IS_DC ) {
		struct dom_sid domadmin_sid;
		/* Build <domain SID>-<DOMAIN_RID_ADMINS> for this domain. */
		sid_compose(&domadmin_sid, get_global_sam_sid(),
			    DOMAIN_RID_ADMINS);
		if (security_token_has_sid(nt_token, &domadmin_sid)) {
			return true;
		}
	}

	/* TODO ! Check privileges. */
	return false;
}

/*******************************************************************
 Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.

 nt_token        the caller's NT token.
 unix_token      the caller's unix token (uid is what matters here).
 pacc_requested  in/out: requested access mask. Untouched unless it
                 contains MAXIMUM_ALLOWED_ACCESS.

 When MAXIMUM_ALLOWED_ACCESS is set it is replaced by
 GENERIC_READ_ACCESS|GENERIC_EXECUTE_ACCESS (which everyone gets),
 plus GENERIC_ALL_ACCESS for root, BUILTIN\Administrators,
 BUILTIN\Account Operators and, on a DC, DOMAIN\Domain Admins.
 The resulting mask is a request, not a grant: the actual ACL check
 still happens in access_check_object().
********************************************************************/

void map_max_allowed_access(const struct security_token *nt_token,
			    const struct security_unix_token *unix_token,
			    uint32_t *pacc_requested)
{
	uint32_t requested = *pacc_requested;

	if (!(requested & MAXIMUM_ALLOWED_ACCESS)) {
		return;
	}
	requested &= ~MAXIMUM_ALLOWED_ACCESS;

	/* At least try for generic read|execute - Everyone gets that. */
	requested |= GENERIC_READ_ACCESS|GENERIC_EXECUTE_ACCESS;

	if (max_allowed_is_full_access(nt_token, unix_token)) {
		requested |= GENERIC_ALL_ACCESS;
	}

	*pacc_requested = requested;
}