r23826: Fix gpo security filtering by matching the security descriptor ace's for the
authorGünther Deschner <gd@samba.org>
Wed, 11 Jul 2007 09:39:08 +0000 (09:39 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 17:28:31 +0000 (12:28 -0500)
extended apply group policy right.

Guenther

source/include/ads.h
source/include/rpc_secdes.h
source/libads/disp_sec.c
source/libgpo/gpo_sec.c

index cbab016d46ea4178f6cf36922aa2761d0489cebe..c01a1055b2d3468d12cd70c82f73d5f2812d1697 100644 (file)
@@ -341,4 +341,7 @@ typedef struct {
        int val;
        int critical;
 } ads_control;
+
+#define ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY "edacfd8f-ffb3-11d1-b41d-00a0c968f939"
+
 #endif /* _INCLUDE_ADS_H_ */
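Review bot: ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY is added with no comment saying what the GUID denotes, so a reader of ads.h cannot tell whether it names an attribute, a class or a control access right. Suggest `/* rightsGuid of the "Apply Group Policy" control access right (AD Extended-Rights container) */` on the line above the define. It would also help to note that gpo_sec.c parses this string with GUID_from_string() at runtime, so the literal must keep the canonical dashed form that parser expects.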
index 1c49e4242dad53babf17611a49422da3b0a89933..298d4e664e3e6abe9b07f4087737616de1b6a7b5 100644 (file)
@@ -37,7 +37,6 @@
 #define SEC_RIGHTS_EXTENDED            0x100 /* change/reset password, receive/send as*/
 #define        SEC_RIGHTS_CHANGE_PASSWD        SEC_RIGHTS_EXTENDED
 #define        SEC_RIGHTS_RESET_PASSWD         SEC_RIGHTS_EXTENDED
-#define SEC_RIGHTS_APPLY_GROUP_POLICY  SEC_RIGHTS_EXTENDED
 #define SEC_RIGHTS_FULL_CTRL           0xf01ff
 
 #define SEC_ACE_OBJECT_PRESENT           0x00000001 /* thanks for Jim McDonough <jmcd@us.ibm.com> */
index 1f5eb4166ac97320e99ba52f69f96b39e9cd9a84..516f204ed6abc32b3f0cb659cd685389d0ecc972 100644 (file)
@@ -46,8 +46,6 @@ static struct perm_mask_str {
        {SEC_RIGHTS_CHANGE_PASSWD,      "[Change Password]"},   
        {SEC_RIGHTS_RESET_PASSWD,       "[Reset Password]"},
 
-       {SEC_RIGHTS_APPLY_GROUP_POLICY, "[Apply Group Policy]"},
-
        {0,                             0}
 };
 
index 5a4e29d2709f623698f131046b4999cb0f8e35b2..abdcd17378d4a752f3f65ad72f9aa4ae940724dc 100644 (file)
 
 #include "includes.h"
 
-       /* When modifiying security filtering with gpmc.msc (on w2k3) the
-        * following ACE is created in the DACL:
+/****************************************************************
+****************************************************************/
 
-------- ACE (type: 0x05, flags: 0x02, size: 0x38, mask: 0x100, object flags: 0x1)
-access SID: $SID 
-access type: ALLOWED OBJECT
-Permissions:
-       [Apply Group Policy] (0x00000100)
+static BOOL gpo_sd_check_agp_object_guid(const struct security_ace_object *object)
+{
+       struct GUID ext_right_apg_guid;
+       NTSTATUS status;
+
+       if (!object) {
+               return False;
+       }
 
-------- ACE (type: 0x00, flags: 0x02, size: 0x24, mask: 0x20014)
-access SID:  $SID
-access type: ALLOWED
-Permissions:
-       [List Contents] (0x00000004)
-       [Read All Properties] (0x00000010)
-       [Read Permissions] (0x00020000)
+       status = GUID_from_string(ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY,
+                                 &ext_right_apg_guid);
+       if (!NT_STATUS_IS_OK(status)) {
+               return False;
+       }
 
-        * by default all "Authenticated Users" (S-1-5-11) have an ALLOW
-        * OBJECT ace with SEC_RIGHTS_APPLY_GROUP_POLICY mask */
+       switch (object->flags) {
+               case SEC_ACE_OBJECT_PRESENT:
+                       if (GUID_equal(&object->type.type,
+                                      &ext_right_apg_guid)) {
+                               return True;
+                       }
+               case  SEC_ACE_OBJECT_INHERITED_PRESENT:
+                       if (GUID_equal(&object->inherited_type.inherited_type,
+                                      &ext_right_apg_guid)) {
+                               return True;
+                       }
+               default:
+                       break;
+       }
 
+       return False;
+}
+
+/****************************************************************
+****************************************************************/
+
+static BOOL gpo_sd_check_agp_object(const SEC_ACE *ace)
+{
+       if (sec_ace_object(ace->type)) {
+               return gpo_sd_check_agp_object_guid(&ace->object.object);
+       }
+
+       return False;
+}
 
 /****************************************************************
 ****************************************************************/
 
 static BOOL gpo_sd_check_agp_access_bits(uint32 access_mask)
 {
-       return (access_mask & SEC_RIGHTS_APPLY_GROUP_POLICY);
+       return (access_mask & SEC_RIGHTS_EXTENDED);
 }
 
 #if 0
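Review bot: The `switch (object->flags)` in gpo_sd_check_agp_object_guid treats the object flags as an enumeration, but they are a bitmask in which SEC_ACE_OBJECT_PRESENT and SEC_ACE_OBJECT_INHERITED_PRESENT can both be set on one ACE, and an ACE with both bits set matches neither case and is silently rejected. The SEC_ACE_OBJECT_PRESENT case also has no `break`, so when the type GUID does not match it falls into the inherited case and compares `object->inherited_type.inherited_type` even though the flags say that GUID is not present. Because this helper also gates gpo_sd_check_ace_denied_object in the later hunk, an ACE skipped here means a Deny entry that Windows would honor is ignored, which fails open for security filtering. Testing each presence bit independently, as below, removes both problems; parsing `ext_right_apg_guid` once instead of on every ACE would be a further, minor improvement.

```c
static BOOL gpo_sd_check_agp_object_guid(const struct security_ace_object *object)
{
	/* … unchanged: NULL check and GUID_from_string() of the AGP right … */

	/* flags is a bitmask: either, neither or both *_PRESENT bits may be
	 * set, so test them independently and only read the GUID whose
	 * presence bit is actually set. */
	if ((object->flags & SEC_ACE_OBJECT_PRESENT) &&
	    GUID_equal(&object->type.type, &ext_right_apg_guid)) {
		return True;
	}

	if ((object->flags & SEC_ACE_OBJECT_INHERITED_PRESENT) &&
	    GUID_equal(&object->inherited_type.inherited_type,
		       &ext_right_apg_guid)) {
		return True;
	}

	return False;
}
```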
@@ -93,7 +120,8 @@ static BOOL gpo_sd_check_trustee_in_sid_token(const DOM_SID *trustee,
 static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace, 
                                               const struct GPO_SID_TOKEN *token) 
 {
-       if (gpo_sd_check_agp_access_bits(ace->access_mask) &&
+       if (gpo_sd_check_agp_object(ace) &&
+           gpo_sd_check_agp_access_bits(ace->access_mask) &&
            gpo_sd_check_trustee_in_sid_token(&ace->trustee, token)) {
                DEBUG(10,("gpo_sd_check_ace_denied_object: Access denied as of ace for %s\n", 
                        sid_string_static(&ace->trustee)));
@@ -109,7 +137,8 @@ static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace,
 static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace, 
                                                const struct GPO_SID_TOKEN *token) 
 {
-       if (gpo_sd_check_agp_access_bits(ace->access_mask) && 
+       if (gpo_sd_check_agp_object(ace) &&
+           gpo_sd_check_agp_access_bits(ace->access_mask) && 
            gpo_sd_check_trustee_in_sid_token(&ace->trustee, token)) {
                DEBUG(10,("gpo_sd_check_ace_allowed_object: Access granted as of ace for %s\n", 
                        sid_string_static(&ace->trustee)));