[s4] Access Control Rights musings

Nadezhda Ivanova nivanova at samba.org
Thu Mar 25 09:25:01 MDT 2010


Hi all,
My apologies for the 10-tomed "Mission Earth" I am dumping on you, but I
would appreciate at least a cursory glance, to make sure I haven't missed
something important.
This is a list of references and short explanations about Access Control
Rights and when the system needs to check them, and my opinion if they are
relevant to our implementation. I suppose it could be useful to all of us,
since I may not always be able to add access checks fast enough in the
appropriate place in the code so other people may need to help. Also perhaps
you can help me decide which ones are actually relevant. I am not sure if we
need them all for interoperability...
I don't know if I should add all of these that are relevant to the
TODO list, to keep track of what we have.

*The following are rights that we definitely need to check for:*

*Add-GUID* - Extended right needed at the NC root to add an object with a
specific GUID. If the requester specifies an object guid when adding an
object, they must have this access right on the NC. A few other conditions
must be met as well, see MS-ADTS 3.1.15.2.1 for reference. I am not sure if
we currently always disallow specifying objectGuids, and if we do, where
it's done...
*Change-Domain-Master* - Extended right needed to change the domain naming
FSMO role owner.  MS-ADTS 3.1.1.3.3.1 for reference. I will be taking care
of this one in the role transfer code.
*Change-Infrastructure* - Extended right needed to change the infrastructure
FSMO role owner. MS-ADTS 3.1.1.3.3.2 for reference, same as above.
*Change-PDC* - Extended right needed to change the primary domain controller
(PDC) emulator FSMO role owner. MS-ADTS 3.1.1.3.3.3, same as above.
*Change-Rid-Master* - Extended right needed to change the relative
identifier (RID) master FSMO role owner.
*Change-Schema-Master* - extended right needed to change the schema master
FSMO role owner. [MS-ADTS] 3.1.1.3.3.6 becomeSchemaMaster, same as above.

*DS-Replication-Get-Changes* - Extended right needed to replicate changes
from a given NC.
*DS-Replication-Get-Changes-All* - Control access right that allows the
replication of secret domain data.
Those are referred to here:
[MS-DRSR] 4.1.8.3 Server Behavior of the IDL_DRSGetMemberships Method
[MS-DRSR] 4.1.12.4 Server Behavior of the IDL_DRSGetObjectExistence Method
[MS-DRSR] 5.106.12 SecurityCheckForChanges
[MS-DRSR] 5.94 IsGetNCChangesPermissionGranted
I'm taking care for checking them in getNCChanges, I haven't dealt with
other cases though.

*DS-Replication-Get-Changes-In-Filtered-Set* - allows the replication of
data to a partial or read-only domain replica NC. In [MS-DRSR] 5.106.12
SecurityCheckForChanges, [MS-DRSR] 5.94 IsGetNCChangesPermissionGranted. I'm
taking care of this in getNcChanges.

*DS-Replication-Manage-Topology* - Extended right needed to update the
replication topology for a given NC.
This is referred to all over MS-DRSR - [MS-DRSR] 4.1.1.2.3 CreateNtdsDsa
4.1.1.3 Server Behavior of the IDL_DRSAddEntry Method
4.1.6.3 Server Behavior of the IDL_DRSExecuteKCC Method
4.1.13.3 Server Behavior of the IDL_DRSGetReplInfo Method
4.1.19.2 Server Behavior of the IDL_DRSReplicaAdd Method
4.1.20.2 Server Behavior of the IDL_DRSReplicaDel Method
4.1.22.2 Server Behavior of the IDL_DRSReplicaModify Method
4.1.24.3 Server Behavior of the IDL_DRSReplicaVerifyObjects Method
4.1.26.2 Server Behavior of the IDL_DRSUpdateRefs Method

If implementing this functionality we have to check this, so if you are
dealing with it and need help, let me know.

*DS-Replication-Monitor-Topology* - Extended control access right that
allows the reading of replication monitoring data, such as replication
status and object metadata. Relevant to the IDL_DRSGetReplInfo Method. Up to
the replication gurus I think, let me know.
*DS-Replication-Synchronize* - Extended right needed to synchronize
replication from a given NC. [MS-DRSR] 4.1.23.2 Server Behavior of the
IDL_DRSReplicaSync Method
Seems we have to check for it in the ReplicaSync, which I believe we
support...
*Manage-Optional-Features* - referred in 3.1.1.3.3.25
disableOptionalFeature. I think someone implemented that operation recently
in rootdse, if that's the case, I'll take care of this as well.
*Reanimate-Tombstones* - Control access right that allows deleted schema
elements to be restored. Should be checked when we undelete a schema object:

[MS-ADTS] 3.1.1.5.3 Modify Operation
[MS-ADTS] 3.1.1.5.3.2 Constraints
[MS-ADTS] 3.1.1.5.3.7.1 UndeleteSecurity Considerations
[MS-ADTS] 3.1.1.5.5.4 SecurityConsiderations
I suppose I can take care of this one, but I'll need technical advice and
help testing.

*Unexpire-Password* - Extended control access right that allows a user to
restore an expired password for a user object.
[MS-ADTS] 3.1.1.5.3.1 Security Considerations
[MS-ADTS] 3.1.1.5.3.3 Processing Specifics
[MS-ADTS] 3.1.1.8.10 userAccountControl
[MS-SAMR] 3.1.1.8.6 dbcsPwd
[MS-SAMR] 3.1.1.8.7 unicodePwd
[MS-SAMR] 3.1.1.8.10 userAccountControl
As you can see, lots to read here, so I'll be coming back to this one. For
sure we need to check it if setting pwdLastSet to -1 (unexpire). Not sure
about the SAMR context.

*User-Change-Password* - Permits changing password on user account.
[MS-ADTS] 3.1.1.3.1.5.1 unicodePwd
[MS-ADTS] 3.1.1.5.3.1 Security Considerations
[MS-SAMR] 2.2.1.7 User ACCESS_MASK Values
[MS-SAMR] 3.1.5.12 Security Pattern
[MS-SAMR] 3.1.5.12.1.1 SamrSetSecurityObject (DC Configuration)
[MS-SAMR] 3.1.5.12.2.1 SamrQuerySecurityObject (DC Configuration)

Again a bit of reading. In DS we need to check this when setting the
password attributes. Help needed for the SAMR context.

*User-Force-Change-Password* - [MS-ADTS] 3.1.1.3.1.5.1 unicodePwd.

Update-Password-Not-Required-Bit - Extended control access right that allows
a user to enable or disable the "password not required" setting for user
objects. In [MS-SAMR] 3.1.1.8.10 userAccountControl - need some SAMR experts
here.

*Stuff that I am pretty sure does not concern us, at least not any time
soon:*
*Do-Garbage-Collection* - Control right to force the Directory Service to do
garbage collection. [MS-ADTS] 3.1.1.3.3.8 doGarbageCollection. We do not
support this operation. I do not know if we plan to, or whether it is even
meaningful to our implementation.
*DS-Check-Stale-Phantoms* - Extended right needed to force DS to check stale
phantom objects. [MS-ADTS] 3.1.1.3.3.7 checkPhantoms. We do not support this
operation. I do not know if we plan to, or whether it is even meaningful to
our implementation.
*Recalculate-Hierarchy* - Extended right to force the DS to recalculate the
hierarchy. MS-ADTS 3.1.1.3.3.12 recalcHierarchy. Does not seem relevant.
*Recalculate-Security-Inheritance* - Extended right needed to force DS to
recompute ACL inheritance on a Naming Context. - does not make sense in our
implementation.
*Update-Schema-Cache* - Extended right to force a schema cache update. Not
much meaningful info, but I'm pretty sure this is implementation-dependent.
*Refresh-Group-Cache* - This is for no GC logon. No GC logon relies on
caching group memberships and this control access right is used to
permission administrators/operators with rights to cause an immediate
refresh of the cache, contacting an available G.C. Referred to in
3.1.1.3.3.18 updateCachedMemberships. Seems implementation dependent so my
guess is we don't need this.
*Abandon-Replication* - Extended right needed to cancel a replication sync.
Only relevant for win2000 so I suppose we do not need to be concerned with
it.
*Apply-Group-Policy* - Extended right used by Group Policy engine to
determine if a GPO applies to a user/computer or not. Again a question for
dochelp. described as a class, but not a meaningful explanation on which
operation the system is supposed to make a check.
*Certificate-Enrollment* - Extended right needed to cause certificate
enrollment. Not a lot of info on this one, but I am pretty sure it relates
to Active Directory Certificate Services, which do not concern us.
*Reload-SSL-Certificate* - used to renew Server Certificate (Reload SSL/TLS
Certificate).
*Generate-RSoP-Logging* - The user who has the rights on an OU/Domain will
be able to generate logging mode RSoP data for the users/computers within
the OU.
*Generate-RSoP-Planning* - The user who has the rights on an OU/Domain will
be able to generate planning mode RSoP data for the users/computers within
the OU.
Those seem to have importance for GPMC, but I think we need not concern
ourselves with them.
I could not find meaningful information about the following, but they seem
to be implementation dependent and at this point I assume we do not need
them. Let me know if you think differently. They apply to the Site class.
*msmq-Open-Connector* - Allows to open connector queue.
*msmq-Peek* - Allows peeking at messages in the queue.
*msmq-Peek-computer-Journal* - Allows peeking at messages in the Computer
Journal queue.
*msmq-Peek-Dead-Letter* - Allows peeking at messages in the Dead Letter
queue.
*msmq-Receive* - Allows receiving messages from the queue.
*msmq-Receive-computer-Journal* - Allows receiving messages from the
Computer Journal queue.
*msmq-Receive-Dead-Letter* - Allows receiving messages from the Dead Letter
queue.
*msmq-Receive-journal* - Allows receiving messages from the queue's Journal.
*msmq-Send* - Allows sending messages to the queue.

The following are exchange rights. Most of them apply to classes that do not
exist in the schema unless exchange is installed. I think no need to bother
with them for now, perhaps the openChange guys can say something about
that...
*Open-Address-Book* - Extended right checked when opening address book
object for address book views.
*Receive-As* - Exchange right: allows receiving mail as a given mailbox.
*Send-As* - Exchange right: allows sending mail as the mailbox.
*Send-To* - Exchange right: allows sending to a mailbox.

*Stuff that there is not enough info on, or related to protocols I am not
familiar with:*

Ask dochelp for more info on these:
*Allocate-Rids* - Extended right needed to request rid pool. This is defined
in MS-ADTS, but no mention of when to actually check for it in MS-ADTS or
MS-DRSR or the reference list provided by dochelp... Looks like a question
for MS.
*Create-Inbound-Forest-Trust* - enables users to create an inbound-only
trust between forests by adding them to the appropriate group. Another
dochelp question. It seems it may concern us at some point, but no mention
at what operation it has to be checked.

Kerberos:
Allowed-To-Authenticate - The control access right controls who can
authenticate to a particular machine or service. It basically lives on
computer, user and InetOrgPerson objects. It is also applicable on the
domain object if access is allowed for the entire domain. It can be
applied to OU's to permit users to be able to set inheritable ACE's on OU's
containing a set of user/computer objects.  This one is referenced in
MS-KILE 3.3.5.4 TGS Exchange and MS-SFU 4.3, both documents are about
Kerberos protocol extensions, so maybe abartlet can take a look and say if
they are relevant.

SAMR:
*Domain-Administer-Server* - Legacy SAM right. Its use is described in
[MS-SAMR] 3.1.5.1.5 SamrOpenDomain (Opnum 7), I need help to determine if
it's relevant.
*Enable-Per-User-Reversibly-Encrypted-Password* - allows users to enable or
disable the "reversible encrypted password" setting for user and computer
objects. Referenced in MS-SAMR 3.1.1.8.10 userAccountControl. I'm totally
unfamiliar with the SAMR stuff, I cannot judge if its relevant...
*SAM-Enumerate-Entire-Domain* - This is a special control access right that
can be used to restrict who can be allowed to use downlevel API such as
NetQueryDisplayInformation and NetUser/GroupEnum and enumerate the entire
domain. Referenced in [MS-SAMR] 3.1.5.2.5 SamrEnumerateUsersInDomain (Opnum
13).

DRS:
*DS-Execute-Intentions-Script* - Control access right, which should be
granted to the partitions container, that allows the Rendom.exe or prepare
operation to be used in a domain rename. This control access right also
appears as an audit-only right when the Rendom.exe or execute step operations
are performed.  Referenced in [MS-DRSR] 4.2.1.3 Server Behavior of the
IDL_DSAPrepareScript Method. Replication gurus, do we need this?
*DS-Install-Replica* - Extended right needed to do a replica install.
MS-ADTS 3.1.1.3.4.1.23 LDAP_SERVER_RODC_DCPROMO_OID - related to this
extended control. Not sure if we support it or even need to support this
control, any ideas?
*Migrate-SID-History* - Extended right that enables a user to migrate the
SID-History without administrator privileges. Referred in MS-DRSR 4.1.2.3
Server Behavior of the IDL_DRSAddSidHistory Method. Again, replication guys,
your opinion wanted :).
*Read-Only-Replication-Secret-Synchronization* - needed to replicate object
secret attributes to an RODC. Referenced in ADTS 3.1.1.3.4.1.24
LDAP_SERVER_INPUT_DN_OID and 3.1.1.3.3.22 rODCPurgeAccount. I think we don't
support the control and operation now, but we may have to....

LDAP:
DS-Query-Self-Quota - Control access right which allows a user to query the
user's own quotas. MS-ADTS 3.1.1.3.4.1.19 LDAP_SERVER_QUOTA_CONTROL_OID -
related to this extended control. Not sure if we support it or even need to
support this control, any ideas?

Wow, someone made it to the end? Thanks!

Regards,
Nadya
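
An added example to make concrete what "checking a control access right" means for the replication rights listed above. This is illustrative code written for this archived page; it is neither part of Nadya's mail nor Samba's implementation. It models the DACL walk of MS-ADTS 5.1.3.3.3 (object ACEs carrying RIGHT_DS_CONTROL_ACCESS, 0x100, with the right's rightsGuid as ObjectType; ACEs without an ObjectType apply to every control access right; first applicable ACE in DACL order decides) and layers on a simplified GetNCChanges gate. The three GUIDs are the rightsGuid values of the named rights from the AD schema; the SIDs, the DACL, and the exact rule set in `get_nc_changes_permitted` (Get-Changes always required, Get-Changes-All additionally for secret attributes, Get-Changes-In-Filtered-Set additionally for a filtered-set request) are constructed or simplified assumptions made for the example, not a transcription of MS-DRSR.

```python
"""Simplified AD control-access-right check (illustrative, not Samba code).

Models the DACL walk of MS-ADTS 5.1.3.3.3: object ACEs carrying
RIGHT_DS_CONTROL_ACCESS whose ObjectType is the right's GUID grant or deny
that one right; ACEs with no ObjectType (or plain non-object ACEs) that
carry the bit apply to every control access right. The DACL is walked in
order and the first applicable ACE decides; no applicable ACE means deny.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Access-mask bit for control access (extended) rights.
RIGHT_DS_CONTROL_ACCESS = 0x00000100

# rightsGuid values of the replication rights discussed in the mail
# (Extended-Rights container of the AD schema).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"


@dataclass
class Ace:
    """One DACL entry, reduced to the fields the control-access walk needs."""
    allow: bool                        # True: ACCESS_ALLOWED(_OBJECT); False: ACCESS_DENIED(_OBJECT)
    trustee: str                       # SID the ACE applies to
    mask: int                          # access mask; must carry RIGHT_DS_CONTROL_ACCESS to matter
    object_type: Optional[str] = None  # rightsGuid for object ACEs; None = every control right
    inherit_only: bool = False         # INHERIT_ONLY_ACE: does not apply to the object itself


def control_access_granted(dacl: List[Ace], token_sids: Iterable[str], right_guid: str) -> bool:
    """First applicable ACE in DACL order decides; no applicable ACE means deny.

    Assumption for this example: owner/SYSTEM short-cuts and SACL handling are
    out of scope, and ACE ordering is taken as given (canonical deny-first).
    """
    sids = set(token_sids)
    wanted = right_guid.lower()
    for ace in dacl:
        if ace.inherit_only or ace.trustee not in sids:
            continue
        if not ace.mask & RIGHT_DS_CONTROL_ACCESS:
            continue
        if ace.object_type is not None and ace.object_type.lower() != wanted:
            continue
        return ace.allow
    return False


def get_nc_changes_permitted(dacl, token_sids, want_secrets=False, filtered_set=False):
    """Gate for a GetNCChanges-style request, evaluated on the NC root's DACL.

    Simplified rule set assumed for this example: Get-Changes is always
    required; secret attributes additionally need Get-Changes-All; a
    filtered-set request additionally needs Get-Changes-In-Filtered-Set.
    """
    if not control_access_granted(dacl, token_sids, DS_REPLICATION_GET_CHANGES):
        return False
    if want_secrets and not control_access_granted(
            dacl, token_sids, DS_REPLICATION_GET_CHANGES_ALL):
        return False
    if filtered_set and not control_access_granted(
            dacl, token_sids, DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET):
        return False
    return True


# Constructed sample: domain SID, RIDs and DACL are invented for this example.
DOMAIN = "S-1-5-21-1111-2222-3333"
SID_DOMAIN_CONTROLLERS = DOMAIN + "-516"
SID_DOMAIN_ADMINS = DOMAIN + "-512"
SID_BACKUP_SVC = DOMAIN + "-1105"   # may pull non-secret changes only
SID_EX_ADMIN = DOMAIN + "-1106"     # explicitly denied secret replication

SAMPLE_NC_ROOT_DACL = [
    # Deny ACEs come first in canonical order.
    Ace(False, SID_EX_ADMIN, RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES_ALL),
    # Non-object ACE carrying the bit: grants every control access right.
    Ace(True, SID_DOMAIN_ADMINS, RIGHT_DS_CONTROL_ACCESS),
    Ace(True, SID_DOMAIN_CONTROLLERS, RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
    Ace(True, SID_DOMAIN_CONTROLLERS, RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES_ALL),
    Ace(True, SID_BACKUP_SVC, RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
    Ace(True, SID_EX_ADMIN, RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
    # Inherit-only ACE: must not count for the NC root object itself.
    Ace(True, SID_BACKUP_SVC, RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES_ALL,
        inherit_only=True),
]


def sample_decisions():
    """Evaluate the constructed DACL for a few tokens."""
    dacl = SAMPLE_NC_ROOT_DACL
    return {
        "dc_full_replica": get_nc_changes_permitted(dacl, [SID_DOMAIN_CONTROLLERS], want_secrets=True),
        "backup_non_secret": get_nc_changes_permitted(dacl, [SID_BACKUP_SVC]),
        "backup_secret": get_nc_changes_permitted(dacl, [SID_BACKUP_SVC], want_secrets=True),
        "ex_admin_secret": get_nc_changes_permitted(dacl, [SID_EX_ADMIN], want_secrets=True),
        "ex_admin_non_secret": get_nc_changes_permitted(dacl, [SID_EX_ADMIN]),
        "admin_filtered_set": get_nc_changes_permitted(dacl, [SID_DOMAIN_ADMINS], filtered_set=True),
        "anonymous": get_nc_changes_permitted(dacl, ["S-1-5-7"]),
    }


if __name__ == "__main__":
    for name, ok in sample_decisions().items():
        print(f"{name:22s} {'ALLOW' if ok else 'DENY'}")
```

The two details worth noticing are the ones a hand-rolled check most often gets wrong: an inherit-only ACE on the NC root grants nothing to the root itself, and a deny object ACE matched by GUID wins over a later allow for the same principal, so the "ex_admin" token can still pull non-secret changes but is refused the moment secret attributes are requested.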

