

GPO evaluation of primary group
When evaluating a GPO, the SID of the user's primary
group is not returned in the list. This patch converts
the value of the origPrimaryGroupGidNumber attribute back to
a SID and adds that SID to the list of SIDs before
evaluating the GPO rules.
thalman committed Dec 6, 2023
1 parent ad70f15 commit dccf804
Showing 1 changed file with 33 additions and 9 deletions.
42 changes: 33 additions & 9 deletions src/providers/ad/ad_gpo.c
Expand Up @@ -578,6 +578,7 @@ static errno_t
ad_gpo_get_sids(TALLOC_CTX *mem_ctx,
const char *user,
struct sss_domain_info *domain,
struct sss_idmap_ctx *idmap_ctx,
const char **_user_sid,
const char ***_group_sids,
int *_group_size)
Expand All @@ -590,6 +591,8 @@ ad_gpo_get_sids(TALLOC_CTX *mem_ctx,
const char *user_sid = NULL;
const char *group_sid = NULL;
const char **group_sids = NULL;
uint64_t orig_gid = 0;
char *orig_gid_sid = NULL;

tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
Expand All @@ -614,10 +617,20 @@ ad_gpo_get_sids(TALLOC_CTX *mem_ctx,
}

user_sid = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_SID_STR, NULL);

/* if there is origPrimaryGroupGidNumber, it's sid must be added to list */
orig_gid = ldb_msg_find_attr_as_uint64(res->msgs[0],
SYSDB_PRIMARY_GROUP_GIDNUM,
0);
if (orig_gid != 0) {
sss_idmap_unix_to_sid(idmap_ctx, orig_gid, &orig_gid_sid);
DEBUG(SSSDBG_TRACE_INTERNAL, "Primary group sid '%s' added to the list\n", orig_gid_sid);
}

num_group_sids = (res->count) - 1;

/* include space for AD_AUTHENTICATED_USERS_SID and NULL */
group_sids = talloc_array(tmp_ctx, const char *, num_group_sids + 1 + 1);
/* include space for AD_AUTHENTICATED_USERS_SID, original GID sid and NULL */
group_sids = talloc_array(tmp_ctx, const char *, num_group_sids + 3);
if (group_sids == NULL) {
ret = ENOMEM;
goto done;
Expand All @@ -640,15 +653,19 @@ ad_gpo_get_sids(TALLOC_CTX *mem_ctx,
}
}
group_sids[i++] = talloc_strdup(group_sids, AD_AUTHENTICATED_USERS_SID);
if (orig_gid_sid != NULL) {
group_sids[i++] = talloc_strdup(group_sids, orig_gid_sid);
}
group_sids[i] = NULL;

*_group_size = num_group_sids + 1;
*_group_size = i;
*_group_sids = talloc_steal(mem_ctx, group_sids);
*_user_sid = talloc_steal(mem_ctx, user_sid);
ret = EOK;

done:
talloc_free(tmp_ctx);
sss_idmap_free_sid(idmap_ctx, orig_gid_sid);
return ret;
}

Expand Down Expand Up @@ -1043,7 +1060,7 @@ ad_gpo_filter_gpos_by_dacl(TALLOC_CTX *mem_ctx,
goto done;
}

ret = ad_gpo_get_sids(tmp_ctx, user, domain, &user_sid,
ret = ad_gpo_get_sids(tmp_ctx, user, domain, idmap_ctx, &user_sid,
&group_sids, &group_size);
if (ret != EOK) {
ret = ERR_NO_SIDS;
Expand Down Expand Up @@ -1542,6 +1559,7 @@ ad_gpo_access_check(TALLOC_CTX *mem_ctx,
const char *user,
bool gpo_implicit_deny,
struct sss_domain_info *domain,
struct sss_idmap_ctx *idmap_ctx,
char **allowed_sids,
int allowed_size,
char **denied_sids,
Expand All @@ -1568,7 +1586,7 @@ ad_gpo_access_check(TALLOC_CTX *mem_ctx,
DEBUG(SSSDBG_TRACE_FUNC, " denied_sids[%d] = %s\n", j, denied_sids[j]);
}

ret = ad_gpo_get_sids(mem_ctx, user, domain, &user_sid,
ret = ad_gpo_get_sids(mem_ctx, user, domain, idmap_ctx, &user_sid,
&group_sids, &group_size);
if (ret != EOK) {
ret = ERR_NO_SIDS;
Expand Down Expand Up @@ -1706,7 +1724,8 @@ ad_gpo_perform_hbac_processing(TALLOC_CTX *mem_ctx,
const char *user,
bool gpo_implicit_deny,
struct sss_domain_info *user_domain,
struct sss_domain_info *host_domain)
struct sss_domain_info *host_domain,
struct sss_idmap_ctx *idmap_ctx)
{
int ret;
const char *allow_key = NULL;
Expand Down Expand Up @@ -1743,7 +1762,7 @@ ad_gpo_perform_hbac_processing(TALLOC_CTX *mem_ctx,

/* perform access check with the final resultant allow_sids and deny_sids */
ret = ad_gpo_access_check(mem_ctx, gpo_mode, gpo_map_type, user,
gpo_implicit_deny, user_domain,
gpo_implicit_deny, user_domain, idmap_ctx,
allow_sids, allow_size, deny_sids, deny_size);

if (ret != EOK) {
Expand Down Expand Up @@ -1937,6 +1956,7 @@ process_offline_gpos(TALLOC_CTX *mem_ctx,
enum gpo_access_control_mode gpo_mode,
struct sss_domain_info *user_domain,
struct sss_domain_info *host_domain,
struct sss_idmap_ctx *idmap_ctx,
enum gpo_map_type gpo_map_type)

{
Expand All @@ -1948,7 +1968,8 @@ process_offline_gpos(TALLOC_CTX *mem_ctx,
user,
gpo_implicit_deny,
user_domain,
host_domain);
host_domain,
idmap_ctx);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "HBAC processing failed: [%d](%s}\n",
ret, sss_strerror(ret));
Expand Down Expand Up @@ -1997,6 +2018,7 @@ ad_gpo_connect_done(struct tevent_req *subreq)
state->gpo_mode,
state->user_domain,
state->host_domain,
state->opts->idmap_ctx->map,
state->gpo_map_type);

if (ret == EOK) {
Expand Down Expand Up @@ -2123,6 +2145,7 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq)
state->gpo_mode,
state->user_domain,
state->host_domain,
state->opts->idmap_ctx->map,
state->gpo_map_type);

if (ret == EOK) {
Expand Down Expand Up @@ -2785,7 +2808,8 @@ ad_gpo_cse_done(struct tevent_req *subreq)
state->user,
state->gpo_implicit_deny,
state->user_domain,
state->host_domain);
state->host_domain,
state->opts->idmap_ctx->map);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "HBAC processing failed: [%d](%s}\n",
ret, sss_strerror(ret));
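Review bot: The return value of `sss_idmap_unix_to_sid()` in the new `if (orig_gid != 0)` block of `ad_gpo_get_sids()` is not checked, so when the mapping fails `orig_gid_sid` stays NULL, the DEBUG on the next line passes NULL to `%s` (undefined behaviour in printf, and it still claims the SID was added), and the failure is never logged. The later `if (orig_gid_sid != NULL)` guard keeps the list itself correct, so the fix is to branch on the result, for example `enum idmap_error_code err = sss_idmap_unix_to_sid(idmap_ctx, orig_gid, &orig_gid_sid);` followed by `if (err == IDMAP_SUCCESS) { DEBUG(SSSDBG_TRACE_INTERNAL, "Primary group sid '%s' added to the list\n", orig_gid_sid); } else { DEBUG(SSSDBG_MINOR_FAILURE, "Cannot map primary group gid %"PRIu64" to a SID\n", orig_gid); }`. The mapped primary group SID may also duplicate a SID already present in `res->msgs` if that group is in the result set; that is presumably harmless for the DACL evaluation but worth a comment. The start of `ad_gpo_get_sids()`'s body lies outside this hunk; the remaining hunks only thread `idmap_ctx` through the call chain.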
