r22803: Add some more flesh to the GPO security filtering (still very basic).

Guenther
author: Günther Deschner <gd@samba.org> 2007-05-11 15:28:07 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 12:21:59 -0500
commit: 8cfe32cb9cbe791308368f07b5bdbfcc84ac33d7 (patch)
tree: 0d0520fa51e65fdd1804642f1fad1df71f4012de /source/libgpo
parent: 61982d842288d880c24bc4808811452547c0b622 (diff)
download: samba-8cfe32cb9cbe791308368f07b5bdbfcc84ac33d7.tar.gz
1 files changed, 151 insertions, 1 deletions
diff --git a/source/libgpo/gpo_sec.c b/source/libgpo/gpo_sec.c
index 20366a9d204..fc7c5d24570 100644
--- a/source/libgpo/gpo_sec.c
+++ b/source/libgpo/gpo_sec.c
@@ -20,11 +20,161 @@
 
 #include "includes.h"
 
+	/* When modifiying security filtering with gpmc.msc (on w2k3) the
+	 * following ACE is created in the DACL:
+
+------- ACE (type: 0x05, flags: 0x02, size: 0x38, mask: 0x100, object flags: 0x1)
+access SID: $SID 
+access type: ALLOWED OBJECT
+Permissions:
+	[Apply Group Policy] (0x00000100)
+
+------- ACE (type: 0x00, flags: 0x02, size: 0x24, mask: 0x20014)
+access SID:  $SID
+access type: ALLOWED
+Permissions:
+	[List Contents] (0x00000004)
+	[Read All Properties] (0x00000010)
+	[Read Permissions] (0x00020000)
+
+	 * by default all "Authenticated Users" (S-1-5-11) have an ALLOW
+	 * OBJECT ace with SEC_RIGHTS_APPLY_GROUP_POLICY mask */
+
+
+/****************************************************************
+****************************************************************/
+
+static BOOL gpo_sd_check_agp_access_bits(uint32 access_mask)
+{
+	return (access_mask & SEC_RIGHTS_APPLY_GROUP_POLICY);
+}
+
+/****************************************************************
+****************************************************************/
+
+static BOOL gpo_sd_check_read_access_bits(uint32 access_mask)
+{
+	uint32 read_bits = SEC_RIGHTS_LIST_CONTENTS |
+			   SEC_RIGHTS_READ_ALL_PROP |
+			   SEC_RIGHTS_READ_PERMS;
+
+	return (read_bits == (access_mask & read_bits));
+}
+
+
+/****************************************************************
+****************************************************************/
+
+static BOOL gpo_sd_check_trustee_in_sid_token(const DOM_SID *trustee, 
+					      const struct GPO_SID_TOKEN *token)
+{
+	int i;
+
+	if (sid_equal(trustee, &token->object_sid)) {
+		return True;
+	}
+
+	if (sid_equal(trustee, &token->primary_group_sid)) {
+		return True;
+	}
+
+	for (i = 0; i < token->num_token_sids; i++) {
+		if (sid_equal(trustee, &token->token_sids[i])) {
+			return True;
+		}
+	}
+
+	return False;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace, 
+					       const struct GPO_SID_TOKEN *token) 
+{
+	if (gpo_sd_check_agp_access_bits(ace->access_mask) &&
+	    gpo_sd_check_trustee_in_sid_token(&ace->trustee, token)) {
+		DEBUG(10,("gpo_sd_check_ace_denied_object: Access denied as of ace for %s\n", 
+			sid_string_static(&ace->trustee)));
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
+	return STATUS_MORE_ENTRIES;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace, 
+						const struct GPO_SID_TOKEN *token) 
+{
+	if (gpo_sd_check_agp_access_bits(ace->access_mask) && 
+	    gpo_sd_check_trustee_in_sid_token(&ace->trustee, token)) {
+		DEBUG(10,("gpo_sd_check_ace_allowed_object: Access granted as of ace for %s\n", 
+			sid_string_static(&ace->trustee)));
+		return NT_STATUS_OK;
+	}
+
+	return STATUS_MORE_ENTRIES;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace, 
+				 const struct GPO_SID_TOKEN *token) 
+{
+	switch (ace->type) {
+		case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
+			return gpo_sd_check_ace_denied_object(ace, token);
+		case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
+			return gpo_sd_check_ace_allowed_object(ace, token);
+		default:
+			return STATUS_MORE_ENTRIES;
+	}
+}
+
 /****************************************************************
 ****************************************************************/
 
 NTSTATUS gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT *gpo, 
 				      const struct GPO_SID_TOKEN *token)
 {
-	return NT_STATUS_OK;
+	SEC_DESC *sd = gpo->security_descriptor;
+	SEC_ACL *dacl = NULL;
+	NTSTATUS status = NT_STATUS_ACCESS_DENIED;
+	int i;
+
+	if (!token) {
+		return NT_STATUS_INVALID_USER_BUFFER;
+	}
+
+	if (!sd) {
+		return NT_STATUS_INVALID_SECURITY_DESCR;
+	}
+
+	dacl = sd->dacl;
+	if (!dacl) {
+		return NT_STATUS_INVALID_SECURITY_DESCR;
+	}
+
+	/* check all aces and only return NT_STATUS_OK (== Access granted) or
+	 * NT_STATUS_ACCESS_DENIED ( == Access denied) - the default is to
+	 * deny access */
+
+	for (i = 0; i < dacl->num_aces; i ++) {
+
+		status = gpo_sd_check_ace(&dacl->aces[i], token);
+
+		if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+			return status;
+		} else if (NT_STATUS_IS_OK(status)) {
+			return status;
+		}
+
+		continue;
+	}
+
+	return NT_STATUS_ACCESS_DENIED;
 }
author	Günther Deschner <gd@samba.org>	2007-05-11 15:28:07 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 12:21:59 -0500
commit	8cfe32cb9cbe791308368f07b5bdbfcc84ac33d7 (patch)
tree	0d0520fa51e65fdd1804642f1fad1df71f4012de /source/libgpo
parent	61982d842288d880c24bc4808811452547c0b622 (diff)
download	samba-8cfe32cb9cbe791308368f07b5bdbfcc84ac33d7.tar.gz