summaryrefslogtreecommitdiffstats
path: root/source/libgpo
diff options
context:
space:
mode:
authorGünther Deschner <gd@samba.org>2007-05-11 15:28:07 +0000
committerGünther Deschner <gd@samba.org>2007-05-11 15:28:07 +0000
commit8cecc3ff6a1850ffe556195726838f61721f6b58 (patch)
treed1422b3ccb2d374b7f1418241e6d8eedd953f89e /source/libgpo
parent7e9717b8075a17b9f988bbbac2dd6aeccc13a35b (diff)
downloadsamba-8cecc3ff6a1850ffe556195726838f61721f6b58.tar.gz
samba-8cecc3ff6a1850ffe556195726838f61721f6b58.tar.xz
samba-8cecc3ff6a1850ffe556195726838f61721f6b58.zip
r22803: Add some more flesh to the GPO security filtering (still very basic).
Guenther
Diffstat (limited to 'source/libgpo')
-rw-r--r--source/libgpo/gpo_sec.c152
1 files changed, 151 insertions, 1 deletions
diff --git a/source/libgpo/gpo_sec.c b/source/libgpo/gpo_sec.c
index 20366a9d204..fc7c5d24570 100644
--- a/source/libgpo/gpo_sec.c
+++ b/source/libgpo/gpo_sec.c
@@ -20,11 +20,161 @@
#include "includes.h"
+ /* When modifiying security filtering with gpmc.msc (on w2k3) the
+ * following ACE is created in the DACL:
+
+------- ACE (type: 0x05, flags: 0x02, size: 0x38, mask: 0x100, object flags: 0x1)
+access SID: $SID
+access type: ALLOWED OBJECT
+Permissions:
+ [Apply Group Policy] (0x00000100)
+
+------- ACE (type: 0x00, flags: 0x02, size: 0x24, mask: 0x20014)
+access SID: $SID
+access type: ALLOWED
+Permissions:
+ [List Contents] (0x00000004)
+ [Read All Properties] (0x00000010)
+ [Read Permissions] (0x00020000)
+
+ * by default all "Authenticated Users" (S-1-5-11) have an ALLOW
+ * OBJECT ace with SEC_RIGHTS_APPLY_GROUP_POLICY mask */
+
+
+/****************************************************************
+****************************************************************/
+
+static BOOL gpo_sd_check_agp_access_bits(uint32 access_mask)
+{
+ return (access_mask & SEC_RIGHTS_APPLY_GROUP_POLICY);
+}
+
+/****************************************************************
+****************************************************************/
+
+static BOOL gpo_sd_check_read_access_bits(uint32 access_mask)
+{
+ uint32 read_bits = SEC_RIGHTS_LIST_CONTENTS |
+ SEC_RIGHTS_READ_ALL_PROP |
+ SEC_RIGHTS_READ_PERMS;
+
+ return (read_bits == (access_mask & read_bits));
+}
+
+
+/****************************************************************
+****************************************************************/
+
+static BOOL gpo_sd_check_trustee_in_sid_token(const DOM_SID *trustee,
+ const struct GPO_SID_TOKEN *token)
+{
+ int i;
+
+ if (sid_equal(trustee, &token->object_sid)) {
+ return True;
+ }
+
+ if (sid_equal(trustee, &token->primary_group_sid)) {
+ return True;
+ }
+
+ for (i = 0; i < token->num_token_sids; i++) {
+ if (sid_equal(trustee, &token->token_sids[i])) {
+ return True;
+ }
+ }
+
+ return False;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace,
+ const struct GPO_SID_TOKEN *token)
+{
+ if (gpo_sd_check_agp_access_bits(ace->access_mask) &&
+ gpo_sd_check_trustee_in_sid_token(&ace->trustee, token)) {
+ DEBUG(10,("gpo_sd_check_ace_denied_object: Access denied as of ace for %s\n",
+ sid_string_static(&ace->trustee)));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ return STATUS_MORE_ENTRIES;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace,
+ const struct GPO_SID_TOKEN *token)
+{
+ if (gpo_sd_check_agp_access_bits(ace->access_mask) &&
+ gpo_sd_check_trustee_in_sid_token(&ace->trustee, token)) {
+ DEBUG(10,("gpo_sd_check_ace_allowed_object: Access granted as of ace for %s\n",
+ sid_string_static(&ace->trustee)));
+ return NT_STATUS_OK;
+ }
+
+ return STATUS_MORE_ENTRIES;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace,
+ const struct GPO_SID_TOKEN *token)
+{
+ switch (ace->type) {
+ case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
+ return gpo_sd_check_ace_denied_object(ace, token);
+ case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
+ return gpo_sd_check_ace_allowed_object(ace, token);
+ default:
+ return STATUS_MORE_ENTRIES;
+ }
+}
+
/****************************************************************
****************************************************************/
NTSTATUS gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT *gpo,
const struct GPO_SID_TOKEN *token)
{
- return NT_STATUS_OK;
+ SEC_DESC *sd = gpo->security_descriptor;
+ SEC_ACL *dacl = NULL;
+ NTSTATUS status = NT_STATUS_ACCESS_DENIED;
+ int i;
+
+ if (!token) {
+ return NT_STATUS_INVALID_USER_BUFFER;
+ }
+
+ if (!sd) {
+ return NT_STATUS_INVALID_SECURITY_DESCR;
+ }
+
+ dacl = sd->dacl;
+ if (!dacl) {
+ return NT_STATUS_INVALID_SECURITY_DESCR;
+ }
+
+ /* check all aces and only return NT_STATUS_OK (== Access granted) or
+ * NT_STATUS_ACCESS_DENIED ( == Access denied) - the default is to
+ * deny access */
+
+ for (i = 0; i < dacl->num_aces; i ++) {
+
+ status = gpo_sd_check_ace(&dacl->aces[i], token);
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+ return status;
+ } else if (NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ continue;
+ }
+
+ return NT_STATUS_ACCESS_DENIED;
}