1 /*
2 * Unix SMB/CIFS implementation.
3 * Group Policy Object Support
4 * Copyright (C) Wilco Baan Hofman 2010
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19 #include "includes.h"
20 #include "../libcli/security/dom_sid.h"
21 #include "../libcli/security/security_descriptor.h"
22 #include "../librpc/ndr/libndr.h"
23 #include "../lib/util/charset/charset.h"
24 #include "param/param.h"
25 #include "lib/policy/policy.h"
26
gp_ads_to_dir_access_mask(uint32_t access_mask)27 uint32_t gp_ads_to_dir_access_mask(uint32_t access_mask)
28 {
29 uint32_t fs_mask;
30
31 /* Copy the standard access mask */
32 fs_mask = access_mask & 0x001F0000;
33
34 /* When READ_PROP and LIST_CONTENTS are set, read access is granted on the GPT */
35 if (access_mask & SEC_ADS_READ_PROP && access_mask & SEC_ADS_LIST) {
36 fs_mask |= SEC_STD_SYNCHRONIZE | SEC_DIR_LIST | SEC_DIR_READ_ATTRIBUTE |
37 SEC_DIR_READ_EA | SEC_DIR_TRAVERSE;
38 }
39
40 /* When WRITE_PROP is set, full write access is granted on the GPT */
41 if (access_mask & SEC_ADS_WRITE_PROP) {
42 fs_mask |= SEC_STD_SYNCHRONIZE | SEC_DIR_WRITE_ATTRIBUTE |
43 SEC_DIR_WRITE_EA | SEC_DIR_ADD_FILE |
44 SEC_DIR_ADD_SUBDIR;
45 }
46
47 /* Map CREATE_CHILD to add file and add subdir */
48 if (access_mask & SEC_ADS_CREATE_CHILD)
49 fs_mask |= SEC_DIR_ADD_FILE | SEC_DIR_ADD_SUBDIR;
50
51 /* Map ADS delete child to dir delete child */
52 if (access_mask & SEC_ADS_DELETE_CHILD)
53 fs_mask |= SEC_DIR_DELETE_CHILD;
54
55 return fs_mask;
56 }
57
gp_create_gpt_security_descriptor(TALLOC_CTX * mem_ctx,struct security_descriptor * ds_sd,struct security_descriptor ** ret)58 NTSTATUS gp_create_gpt_security_descriptor (TALLOC_CTX *mem_ctx, struct security_descriptor *ds_sd, struct security_descriptor **ret)
59 {
60 struct security_descriptor *fs_sd;
61 NTSTATUS status;
62 uint32_t i;
63
64 /* Allocate the file system security descriptor */
65 fs_sd = talloc(mem_ctx, struct security_descriptor);
66 NT_STATUS_HAVE_NO_MEMORY(fs_sd);
67
68 /* Copy the basic information from the directory server security descriptor */
69 fs_sd->owner_sid = talloc_memdup(fs_sd, ds_sd->owner_sid, sizeof(struct dom_sid));
70 if (fs_sd->owner_sid == NULL) {
71 TALLOC_FREE(fs_sd);
72 return NT_STATUS_NO_MEMORY;
73 }
74
75 fs_sd->group_sid = talloc_memdup(fs_sd, ds_sd->group_sid, sizeof(struct dom_sid));
76 if (fs_sd->group_sid == NULL) {
77 TALLOC_FREE(fs_sd);
78 return NT_STATUS_NO_MEMORY;
79 }
80
81 fs_sd->type = ds_sd->type;
82 fs_sd->revision = ds_sd->revision;
83
84 /* Copy the sacl */
85 fs_sd->sacl = security_acl_dup(fs_sd, ds_sd->sacl);
86 if (fs_sd->sacl == NULL) {
87 TALLOC_FREE(fs_sd);
88 return NT_STATUS_NO_MEMORY;
89 }
90
91 /* Copy the dacl */
92 fs_sd->dacl = talloc_zero(fs_sd, struct security_acl);
93 if (fs_sd->dacl == NULL) {
94 TALLOC_FREE(fs_sd);
95 return NT_STATUS_NO_MEMORY;
96 }
97
98 for (i = 0; i < ds_sd->dacl->num_aces; i++) {
99 char *trustee = dom_sid_string(fs_sd, &ds_sd->dacl->aces[i].trustee);
100 struct security_ace *ace;
101
102 /* Don't add the allow for SID_BUILTIN_PREW2K */
103 if (!(ds_sd->dacl->aces[i].type & SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) &&
104 strcmp(trustee, SID_BUILTIN_PREW2K) == 0) {
105 talloc_free(trustee);
106 continue;
107 }
108
109 /* Copy the ace from the directory server security descriptor */
110 ace = talloc_memdup(fs_sd, &ds_sd->dacl->aces[i], sizeof(struct security_ace));
111 if (ace == NULL) {
112 TALLOC_FREE(fs_sd);
113 return NT_STATUS_NO_MEMORY;
114 }
115
116 /* Set specific inheritance flags for within the GPO */
117 ace->flags |= SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_CONTAINER_INHERIT;
118 if (strcmp(trustee, SID_CREATOR_OWNER) == 0) {
119 ace->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
120 }
121
122 /* Get a directory access mask from the assigned access mask on the LDAP object */
123 ace->access_mask = gp_ads_to_dir_access_mask(ace->access_mask);
124
125 /* Add the ace to the security descriptor DACL */
126 status = security_descriptor_dacl_add(fs_sd, ace);
127 if (!NT_STATUS_IS_OK(status)) {
128 DEBUG(0, ("Failed to add a dacl to file system security descriptor\n"));
129 return status;
130 }
131
132 /* Clean up the allocated data in this iteration */
133 talloc_free(trustee);
134 }
135
136 *ret = fs_sd;
137 return NT_STATUS_OK;
138 }
139
140
gp_create_gpo(struct gp_context * gp_ctx,const char * display_name,struct gp_object ** ret)141 NTSTATUS gp_create_gpo (struct gp_context *gp_ctx, const char *display_name, struct gp_object **ret)
142 {
143 struct GUID guid_struct;
144 char *guid_str;
145 char *name;
146 struct security_descriptor *sd;
147 TALLOC_CTX *mem_ctx;
148 struct gp_object *gpo;
149 NTSTATUS status;
150
151 /* Create a forked memory context, as a base for everything here */
152 mem_ctx = talloc_new(gp_ctx);
153 NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
154
155 /* Create the gpo struct to return later */
156 gpo = talloc(gp_ctx, struct gp_object);
157 if (gpo == NULL) {
158 TALLOC_FREE(mem_ctx);
159 return NT_STATUS_NO_MEMORY;
160 }
161
162 /* Generate a GUID */
163 guid_struct = GUID_random();
164 guid_str = GUID_string2(mem_ctx, &guid_struct);
165 if (guid_str == NULL) {
166 TALLOC_FREE(mem_ctx);
167 return NT_STATUS_NO_MEMORY;
168 }
169 name = strupper_talloc(mem_ctx, guid_str);
170 if (name == NULL) {
171 TALLOC_FREE(mem_ctx);
172 return NT_STATUS_NO_MEMORY;
173 }
174
175 /* Prepare the GPO struct */
176 gpo->dn = NULL;
177 gpo->name = name;
178 gpo->flags = 0;
179 gpo->version = 0;
180 gpo->display_name = talloc_strdup(gpo, display_name);
181 if (gpo->display_name == NULL) {
182 TALLOC_FREE(mem_ctx);
183 return NT_STATUS_NO_MEMORY;
184 }
185
186 gpo->file_sys_path = talloc_asprintf(gpo, "\\\\%s\\sysvol\\%s\\Policies\\%s", lpcfg_dnsdomain(gp_ctx->lp_ctx), lpcfg_dnsdomain(gp_ctx->lp_ctx), name);
187 if (gpo->file_sys_path == NULL) {
188 TALLOC_FREE(mem_ctx);
189 return NT_STATUS_NO_MEMORY;
190 }
191
192 /* Create the GPT */
193 status = gp_create_gpt(gp_ctx, name, gpo->file_sys_path);
194 if (!NT_STATUS_IS_OK(status)) {
195 DEBUG(0, ("Failed to create GPT\n"));
196 talloc_free(mem_ctx);
197 return status;
198 }
199
200
201 /* Create the LDAP GPO, including CN=User and CN=Machine */
202 status = gp_create_ldap_gpo(gp_ctx, gpo);
203 if (!NT_STATUS_IS_OK(status)) {
204 DEBUG(0, ("Failed to create LDAP group policy object\n"));
205 talloc_free(mem_ctx);
206 return status;
207 }
208
209 /* Get the new security descriptor */
210 status = gp_get_gpo_info(gp_ctx, gpo->dn, &gpo);
211 if (!NT_STATUS_IS_OK(status)) {
212 DEBUG(0, ("Failed to fetch LDAP group policy object\n"));
213 talloc_free(mem_ctx);
214 return status;
215 }
216
217 /* Create matching file and DS security descriptors */
218 status = gp_create_gpt_security_descriptor(mem_ctx, gpo->security_descriptor, &sd);
219 if (!NT_STATUS_IS_OK(status)) {
220 DEBUG(0, ("Failed to convert ADS security descriptor to filesystem security descriptor\n"));
221 talloc_free(mem_ctx);
222 return status;
223 }
224
225 /* Set the security descriptor on the filesystem for this GPO */
226 status = gp_set_gpt_security_descriptor(gp_ctx, gpo, sd);
227 if (!NT_STATUS_IS_OK(status)) {
228 DEBUG(0, ("Failed to set security descriptor (ACL) on the file system\n"));
229 talloc_free(mem_ctx);
230 return status;
231 }
232
233 talloc_free(mem_ctx);
234
235 *ret = gpo;
236 return NT_STATUS_OK;
237 }
238
gp_set_acl(struct gp_context * gp_ctx,const char * dn_str,const struct security_descriptor * sd)239 NTSTATUS gp_set_acl (struct gp_context *gp_ctx, const char *dn_str, const struct security_descriptor *sd)
240 {
241 TALLOC_CTX *mem_ctx;
242 struct security_descriptor *fs_sd;
243 struct gp_object *gpo;
244 NTSTATUS status;
245
246 /* Create a forked memory context, as a base for everything here */
247 mem_ctx = talloc_new(gp_ctx);
248 NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
249
250 /* Set the ACL on LDAP database */
251 status = gp_set_ads_acl(gp_ctx, dn_str, sd);
252 if (!NT_STATUS_IS_OK(status)) {
253 DEBUG(0, ("Failed to set ACL on ADS\n"));
254 talloc_free(mem_ctx);
255 return status;
256 }
257
258 /* Get the group policy object information, for filesystem location and merged sd */
259 status = gp_get_gpo_info(gp_ctx, dn_str, &gpo);
260 if (!NT_STATUS_IS_OK(status)) {
261 DEBUG(0, ("Failed to set ACL on ADS\n"));
262 talloc_free(mem_ctx);
263 return status;
264 }
265
266 /* Create matching file and DS security descriptors */
267 status = gp_create_gpt_security_descriptor(mem_ctx, gpo->security_descriptor, &fs_sd);
268 if (!NT_STATUS_IS_OK(status)) {
269 DEBUG(0, ("Failed to convert ADS security descriptor to filesystem security descriptor\n"));
270 talloc_free(mem_ctx);
271 return status;
272 }
273
274 /* Set the security descriptor on the filesystem for this GPO */
275 status = gp_set_gpt_security_descriptor(gp_ctx, gpo, fs_sd);
276 if (!NT_STATUS_IS_OK(status)) {
277 DEBUG(0, ("Failed to set security descriptor (ACL) on the file system\n"));
278 talloc_free(mem_ctx);
279 return status;
280 }
281
282 talloc_free(mem_ctx);
283 return NT_STATUS_OK;
284 }
285
gp_push_gpo(struct gp_context * gp_ctx,const char * local_path,struct gp_object * gpo)286 NTSTATUS gp_push_gpo (struct gp_context *gp_ctx, const char *local_path, struct gp_object *gpo)
287 {
288 NTSTATUS status;
289 TALLOC_CTX *mem_ctx;
290 struct gp_ini_context *ini;
291 char *filename;
292
293 mem_ctx = talloc_new(gp_ctx);
294 NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
295
296 /* Get version from ini file */
297 /* FIXME: The local file system may be case sensitive */
298 filename = talloc_asprintf(mem_ctx, "%s/%s", local_path, "GPT.INI");
299 if (filename == NULL) {
300 TALLOC_FREE(mem_ctx);
301 return NT_STATUS_NO_MEMORY;
302 }
303 status = gp_parse_ini(mem_ctx, gp_ctx, local_path, &ini);
304 if (!NT_STATUS_IS_OK(status)) {
305 DEBUG(0, ("Failed to parse GPT.INI.\n"));
306 talloc_free(mem_ctx);
307 return status;
308 }
309
310 /* Push the GPT to the remote sysvol */
311 status = gp_push_gpt(gp_ctx, local_path, gpo->file_sys_path);
312 if (!NT_STATUS_IS_OK(status)) {
313 DEBUG(0, ("Failed to push GPT to DC's sysvol share.\n"));
314 talloc_free(mem_ctx);
315 return status;
316 }
317
318 /* Write version to LDAP */
319 status = gp_set_ldap_gpo(gp_ctx, gpo);
320 if (!NT_STATUS_IS_OK(status)) {
321 DEBUG(0, ("Failed to set GPO options in DC's LDAP.\n"));
322 talloc_free(mem_ctx);
323 return status;
324 }
325
326 talloc_free(mem_ctx);
327 return NT_STATUS_OK;
328 }
329