1 /*
2 ldb database library
3
4 Copyright (C) Andrew Bartlett 2005
5 Copyright (C) Simo Sorce 2006
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20 */
21
22 /*
23 * Name: ldb
24 *
25 * Component: ldb kludge ACL module
26 *
27 * Description: Simple module to enforce a simple form of access
28 * control, sufficient for securing a default Samba4
29 * installation.
30 *
31 * Author: Andrew Bartlett
32 */
33
34 #include "includes.h"
35 #include "ldb/include/ldb.h"
36 #include "ldb/include/ldb_errors.h"
37 #include "ldb/include/ldb_private.h"
38 #include "auth/auth.h"
39 #include "libcli/security/security.h"
40
41 /* Kludge ACL rules:
42 *
43 * - System can read passwords
44 * - Administrators can write anything
45 * - Users can read anything that is not a password
46 *
47 */
48
49 enum user_is {
50 ANONYMOUS,
51 USER,
52 ADMINISTRATOR,
53 SYSTEM
54 };
55
56 struct kludge_private_data {
57 const char **password_attrs;
58 };
59
what_is_user(struct ldb_module * module)60 static enum user_is what_is_user(struct ldb_module *module)
61 {
62 struct auth_session_info *session_info
63 = ldb_get_opaque(module->ldb, "sessionInfo");
64 if (!session_info) {
65 return ANONYMOUS;
66 }
67
68 if (security_token_is_system(session_info->security_token)) {
69 return SYSTEM;
70 }
71
72 if (security_token_is_anonymous(session_info->security_token)) {
73 return ANONYMOUS;
74 }
75
76 if (security_token_has_builtin_administrators(session_info->security_token)) {
77 return ADMINISTRATOR;
78 }
79
80 if (security_token_has_nt_authenticated_users(session_info->security_token)) {
81 return USER;
82 }
83
84 return ANONYMOUS;
85 }
86
user_name(TALLOC_CTX * mem_ctx,struct ldb_module * module)87 static const char *user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module)
88 {
89 struct auth_session_info *session_info
90 = ldb_get_opaque(module->ldb, "sessionInfo");
91 if (!session_info) {
92 return "UNKNOWN (NULL)";
93 }
94
95 return talloc_asprintf(mem_ctx, "%s\\%s",
96 session_info->server_info->domain_name,
97 session_info->server_info->account_name);
98 }
99
100 /* search */
101 struct kludge_acl_context {
102
103 struct ldb_module *module;
104 void *up_context;
105 int (*up_callback)(struct ldb_context *, void *, struct ldb_reply *);
106
107 enum user_is user_type;
108 };
109
kludge_acl_callback(struct ldb_context * ldb,void * context,struct ldb_reply * ares)110 static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
111 {
112 struct kludge_acl_context *ac;
113 struct kludge_private_data *data;
114 int i;
115
116 if (!context || !ares) {
117 ldb_set_errstring(ldb, "NULL Context or Result in callback");
118 goto error;
119 }
120
121 ac = talloc_get_type(context, struct kludge_acl_context);
122 data = talloc_get_type(ac->module->private_data, struct kludge_private_data);
123
124 if (ares->type == LDB_REPLY_ENTRY
125 && data->password_attrs) /* if we are not initialized just get through */
126 {
127 switch (ac->user_type) {
128 case SYSTEM:
129 case ADMINISTRATOR:
130 break;
131 default:
132 /* remove password attributes */
133 for (i = 0; data->password_attrs[i]; i++) {
134 ldb_msg_remove_attr(ares->message, data->password_attrs[i]);
135 }
136 }
137 }
138
139 return ac->up_callback(ldb, ac->up_context, ares);
140
141 error:
142 talloc_free(ares);
143 return LDB_ERR_OPERATIONS_ERROR;
144 }
145
kludge_acl_search(struct ldb_module * module,struct ldb_request * req)146 static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
147 {
148 struct kludge_acl_context *ac;
149 struct ldb_request *down_req;
150 int ret;
151
152 req->handle = NULL;
153
154 ac = talloc(req, struct kludge_acl_context);
155 if (ac == NULL) {
156 return LDB_ERR_OPERATIONS_ERROR;
157 }
158
159 ac->module = module;
160 ac->up_context = req->context;
161 ac->up_callback = req->callback;
162 ac->user_type = what_is_user(module);
163
164 down_req = talloc_zero(req, struct ldb_request);
165 if (down_req == NULL) {
166 return LDB_ERR_OPERATIONS_ERROR;
167 }
168
169 down_req->operation = req->operation;
170 down_req->op.search.base = req->op.search.base;
171 down_req->op.search.scope = req->op.search.scope;
172 down_req->op.search.tree = req->op.search.tree;
173 down_req->op.search.attrs = req->op.search.attrs;
174
175 down_req->controls = req->controls;
176
177 down_req->context = ac;
178 down_req->callback = kludge_acl_callback;
179 ldb_set_timeout_from_prev_req(module->ldb, req, down_req);
180
181 /* perform the search */
182 ret = ldb_next_request(module, down_req);
183
184 /* do not free down_req as the call results may be linked to it,
185 * it will be freed when the upper level request get freed */
186 if (ret == LDB_SUCCESS) {
187 req->handle = down_req->handle;
188 }
189
190 return ret;
191 }
192
193 /* ANY change type */
kludge_acl_change(struct ldb_module * module,struct ldb_request * req)194 static int kludge_acl_change(struct ldb_module *module, struct ldb_request *req)
195 {
196 enum user_is user_type = what_is_user(module);
197 switch (user_type) {
198 case SYSTEM:
199 case ADMINISTRATOR:
200 return ldb_next_request(module, req);
201 default:
202 ldb_asprintf_errstring(module->ldb,
203 "kludge_acl_change: "
204 "attempted database modify not permitted. "
205 "User %s is not SYSTEM or an administrator",
206 user_name(req, module));
207 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
208 }
209 }
210
kludge_acl_init(struct ldb_module * module)211 static int kludge_acl_init(struct ldb_module *module)
212 {
213 int ret, i;
214 TALLOC_CTX *mem_ctx = talloc_new(module);
215 static const char *attrs[] = { "passwordAttribute", NULL };
216 struct ldb_result *res;
217 struct ldb_message *msg;
218 struct ldb_message_element *password_attributes;
219
220 struct kludge_private_data *data;
221
222 data = talloc(module, struct kludge_private_data);
223 if (data == NULL) {
224 return LDB_ERR_OPERATIONS_ERROR;
225 }
226
227 data->password_attrs = NULL;
228 module->private_data = data;
229
230 if (!mem_ctx) {
231 return LDB_ERR_OPERATIONS_ERROR;
232 }
233
234 ret = ldb_search(module->ldb, ldb_dn_new(mem_ctx, module->ldb, "@KLUDGEACL"),
235 LDB_SCOPE_BASE,
236 NULL, attrs,
237 &res);
238 if (ret != LDB_SUCCESS) {
239 goto done;
240 }
241 talloc_steal(mem_ctx, res);
242 if (res->count == 0) {
243 goto done;
244 }
245
246 if (res->count > 1) {
247 talloc_free(mem_ctx);
248 return LDB_ERR_CONSTRAINT_VIOLATION;
249 }
250
251 msg = res->msgs[0];
252
253 password_attributes = ldb_msg_find_element(msg, "passwordAttribute");
254 if (!password_attributes) {
255 goto done;
256 }
257 data->password_attrs = talloc_array(data, const char *, password_attributes->num_values + 1);
258 if (!data->password_attrs) {
259 talloc_free(mem_ctx);
260 return LDB_ERR_OPERATIONS_ERROR;
261 }
262 for (i=0; i < password_attributes->num_values; i++) {
263 data->password_attrs[i] = (const char *)password_attributes->values[i].data;
264 talloc_steal(data->password_attrs, password_attributes->values[i].data);
265 }
266 data->password_attrs[i] = NULL;
267
268 done:
269 talloc_free(mem_ctx);
270 return ldb_next_init(module);
271 }
272
273 static const struct ldb_module_ops kludge_acl_ops = {
274 .name = "kludge_acl",
275 .search = kludge_acl_search,
276 .add = kludge_acl_change,
277 .modify = kludge_acl_change,
278 .del = kludge_acl_change,
279 .rename = kludge_acl_change,
280 .init_context = kludge_acl_init
281 };
282
ldb_kludge_acl_init(void)283 int ldb_kludge_acl_init(void)
284 {
285 return ldb_register_module(&kludge_acl_ops);
286 }
287