/src/samba/source3/libads/disp_sec.c
Line | Count | Source |
1 | | /* |
2 | | Unix SMB/CIFS implementation. |
3 | | Samba utility functions. ADS stuff |
4 | | Copyright (C) Alexey Kotovich 2002 |
5 | | |
6 | | This program is free software; you can redistribute it and/or modify |
7 | | it under the terms of the GNU General Public License as published by |
8 | | the Free Software Foundation; either version 3 of the License, or |
9 | | (at your option) any later version. |
10 | | |
11 | | This program is distributed in the hope that it will be useful, |
12 | | but WITHOUT ANY WARRANTY; without even the implied warranty of |
13 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
14 | | GNU General Public License for more details. |
15 | | |
16 | | You should have received a copy of the GNU General Public License |
17 | | along with this program. If not, see <http://www.gnu.org/licenses/>. |
18 | | */ |
19 | | |
20 | | #include "includes.h" |
21 | | #include "ads.h" |
22 | | #include "libads/ldap_schema.h" |
23 | | #include "../libcli/security/secace.h" |
24 | | #include "../librpc/ndr/libndr.h" |
25 | | #include "libcli/security/dom_sid.h" |
26 | | |
27 | | /* for ADS */ |
28 | 0 | #define SEC_RIGHTS_FULL_CTRL 0xf01ff |
29 | | |
30 | | #ifdef HAVE_LDAP |
31 | | |
32 | | static struct perm_mask_str { |
33 | | uint32_t mask; |
34 | | const char *str; |
35 | | } perms[] = { |
36 | | {SEC_RIGHTS_FULL_CTRL, "[Full Control]"}, |
37 | | |
38 | | {SEC_ADS_LIST, "[List Contents]"}, |
39 | | {SEC_ADS_LIST_OBJECT, "[List Object]"}, |
40 | | |
41 | | {SEC_ADS_READ_PROP, "[Read All Properties]"}, |
42 | | {SEC_STD_READ_CONTROL, "[Read Permissions]"}, |
43 | | |
44 | | {SEC_ADS_SELF_WRITE, "[All validate writes]"}, |
45 | | {SEC_ADS_WRITE_PROP, "[Write All Properties]"}, |
46 | | |
47 | | {SEC_STD_WRITE_DAC, "[Modify Permissions]"}, |
48 | | {SEC_STD_WRITE_OWNER, "[Modify Owner]"}, |
49 | | |
50 | | {SEC_ADS_CREATE_CHILD, "[Create All Child Objects]"}, |
51 | | |
52 | | {SEC_STD_DELETE, "[Delete]"}, |
53 | | {SEC_ADS_DELETE_TREE, "[Delete Subtree]"}, |
54 | | {SEC_ADS_DELETE_CHILD, "[Delete All Child Objects]"}, |
55 | | |
56 | | {SEC_ADS_CONTROL_ACCESS, "[Change Password]"}, |
57 | | {SEC_ADS_CONTROL_ACCESS, "[Reset Password]"}, |
58 | | |
59 | | {0, 0} |
60 | | }; |
61 | | |
62 | | /* convert a security permissions into a string */ |
63 | | static void ads_disp_perms(uint32_t type) |
64 | 0 | { |
65 | 0 | int i = 0; |
66 | 0 | int j = 0; |
67 | |
|
68 | 0 | printf("Permissions: "); |
69 | | |
70 | 0 | if (type == SEC_RIGHTS_FULL_CTRL) { |
71 | 0 | printf("%s\n", perms[j].str); |
72 | 0 | return; |
73 | 0 | } |
74 | | |
75 | 0 | for (i = 0; i < 32; i++) { |
76 | 0 | if (type & ((uint32_t)1 << i)) { |
77 | 0 | for (j = 1; perms[j].str; j ++) { |
78 | 0 | if (perms[j].mask == (((unsigned) 1) << i)) { |
79 | 0 | printf("\n\t%s (0x%08x)", perms[j].str, perms[j].mask); |
80 | 0 | } |
81 | 0 | } |
82 | 0 | type &= ~(1 << i); |
83 | 0 | } |
84 | 0 | } |
85 | | |
86 | | /* remaining bits get added on as-is */ |
87 | 0 | if (type != 0) { |
88 | 0 | printf("[%08x]", type); |
89 | 0 | } |
90 | 0 | puts(""); |
91 | 0 | } |
92 | | |
93 | | static const char *ads_interprete_guid_from_object(ADS_STRUCT *ads, |
94 | | TALLOC_CTX *mem_ctx, |
95 | | const struct GUID *guid) |
96 | 0 | { |
97 | 0 | const char *ret = NULL; |
98 | |
|
99 | 0 | if (!ads || !mem_ctx) { |
100 | 0 | return NULL; |
101 | 0 | } |
102 | | |
103 | 0 | ret = ads_get_attrname_by_guid(ads, ads->config.schema_path, |
104 | 0 | mem_ctx, guid); |
105 | 0 | if (ret) { |
106 | 0 | return talloc_asprintf(mem_ctx, "LDAP attribute: \"%s\"", ret); |
107 | 0 | } |
108 | | |
109 | 0 | ret = ads_get_extended_right_name_by_guid(ads, ads->config.config_path, |
110 | 0 | mem_ctx, guid); |
111 | |
|
112 | 0 | if (ret) { |
113 | 0 | return talloc_asprintf(mem_ctx, "Extended right: \"%s\"", ret); |
114 | 0 | } |
115 | | |
116 | 0 | return ret; |
117 | 0 | } |
118 | | |
119 | | static void ads_disp_sec_ace_object(ADS_STRUCT *ads, |
120 | | TALLOC_CTX *mem_ctx, |
121 | | struct security_ace_object *object) |
122 | 0 | { |
123 | 0 | if (object->flags & SEC_ACE_OBJECT_TYPE_PRESENT) { |
124 | 0 | printf("Object type: SEC_ACE_OBJECT_TYPE_PRESENT\n"); |
125 | 0 | printf("Object GUID: %s (%s)\n", GUID_string(mem_ctx, |
126 | 0 | &object->type.type), |
127 | 0 | ads_interprete_guid_from_object(ads, mem_ctx, |
128 | 0 | &object->type.type)); |
129 | 0 | } |
130 | 0 | if (object->flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) { |
131 | 0 | printf("Object type: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT\n"); |
132 | 0 | printf("Object GUID: %s (%s)\n", GUID_string(mem_ctx, |
133 | 0 | &object->inherited_type.inherited_type), |
134 | 0 | ads_interprete_guid_from_object(ads, mem_ctx, |
135 | 0 | &object->inherited_type.inherited_type)); |
136 | 0 | } |
137 | 0 | } |
138 | | |
139 | | /* display ACE */ |
140 | | static void ads_disp_ace(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_ace *sec_ace) |
141 | 0 | { |
142 | 0 | const char *access_type = "UNKNOWN"; |
143 | 0 | struct dom_sid_buf sidbuf; |
144 | |
|
145 | 0 | if (!sec_ace_object(sec_ace->type)) { |
146 | 0 | printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x)\n", |
147 | 0 | sec_ace->type, |
148 | 0 | sec_ace->flags, |
149 | 0 | sec_ace->size, |
150 | 0 | sec_ace->access_mask); |
151 | 0 | } else { |
152 | 0 | printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x, object flags: 0x%x)\n", |
153 | 0 | sec_ace->type, |
154 | 0 | sec_ace->flags, |
155 | 0 | sec_ace->size, |
156 | 0 | sec_ace->access_mask, |
157 | 0 | sec_ace->object.object.flags); |
158 | 0 | } |
159 | | |
160 | 0 | if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) { |
161 | 0 | access_type = "ALLOWED"; |
162 | 0 | } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED) { |
163 | 0 | access_type = "DENIED"; |
164 | 0 | } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT) { |
165 | 0 | access_type = "SYSTEM AUDIT"; |
166 | 0 | } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) { |
167 | 0 | access_type = "ALLOWED OBJECT"; |
168 | 0 | } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) { |
169 | 0 | access_type = "DENIED OBJECT"; |
170 | 0 | } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT) { |
171 | 0 | access_type = "AUDIT OBJECT"; |
172 | 0 | } |
173 | |
|
174 | 0 | printf("access SID: %s\naccess type: %s\n", |
175 | 0 | dom_sid_str_buf(&sec_ace->trustee, &sidbuf), |
176 | 0 | access_type); |
177 | |
|
178 | 0 | if (sec_ace_object(sec_ace->type)) { |
179 | 0 | ads_disp_sec_ace_object(ads, mem_ctx, &sec_ace->object.object); |
180 | 0 | } |
181 | |
|
182 | 0 | ads_disp_perms(sec_ace->access_mask); |
183 | 0 | } |
184 | | |
185 | | /* display ACL */ |
186 | | static void ads_disp_acl(struct security_acl *sec_acl, const char *type) |
187 | 0 | { |
188 | 0 | if (!sec_acl) |
189 | 0 | printf("------- (%s) ACL not present\n", type); |
190 | 0 | else { |
191 | 0 | printf("------- (%s) ACL (revision: %d, size: %d, number of ACEs: %d)\n", |
192 | 0 | type, |
193 | 0 | sec_acl->revision, |
194 | 0 | sec_acl->size, |
195 | 0 | sec_acl->num_aces); |
196 | 0 | } |
197 | 0 | } |
198 | | |
199 | | /* display SD */ |
200 | | void ads_disp_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_descriptor *sd) |
201 | 0 | { |
202 | 0 | uint32_t i; |
203 | 0 | char *tmp_path = NULL; |
204 | 0 | struct dom_sid_buf buf; |
205 | |
|
206 | 0 | if (!sd) { |
207 | 0 | return; |
208 | 0 | } |
209 | | |
210 | 0 | if (ads && !ads->config.schema_path) { |
211 | 0 | if (ADS_ERR_OK(ads_schema_path(ads, mem_ctx, &tmp_path))) { |
212 | 0 | ads->config.schema_path = talloc_strdup(ads, tmp_path); |
213 | 0 | if (ads->config.schema_path == NULL) { |
214 | 0 | DBG_WARNING("Out of memory\n"); |
215 | 0 | } |
216 | 0 | } |
217 | 0 | } |
218 | |
|
219 | 0 | if (ads && !ads->config.config_path) { |
220 | 0 | if (ADS_ERR_OK(ads_config_path(ads, mem_ctx, &tmp_path))) { |
221 | 0 | ads->config.config_path = talloc_strdup(ads, tmp_path); |
222 | 0 | if (ads->config.config_path == NULL) { |
223 | 0 | DBG_WARNING("Out of memory\n"); |
224 | 0 | } |
225 | 0 | } |
226 | 0 | } |
227 | |
|
228 | 0 | printf("-------------- Security Descriptor (revision: %d, type: 0x%02x)\n", |
229 | 0 | sd->revision, |
230 | 0 | sd->type); |
231 | |
|
232 | 0 | printf("owner SID: %s\n", sd->owner_sid ? |
233 | 0 | dom_sid_str_buf(sd->owner_sid, &buf) : "(null)"); |
234 | 0 | printf("group SID: %s\n", sd->group_sid ? |
235 | 0 | dom_sid_str_buf(sd->group_sid, &buf) : "(null)"); |
236 | |
|
237 | 0 | ads_disp_acl(sd->sacl, "system"); |
238 | 0 | if (sd->sacl) { |
239 | 0 | for (i = 0; i < sd->sacl->num_aces; i ++) { |
240 | 0 | ads_disp_ace(ads, mem_ctx, &sd->sacl->aces[i]); |
241 | 0 | } |
242 | 0 | } |
243 | | |
244 | 0 | ads_disp_acl(sd->dacl, "user"); |
245 | 0 | if (sd->dacl) { |
246 | 0 | for (i = 0; i < sd->dacl->num_aces; i ++) { |
247 | 0 | ads_disp_ace(ads, mem_ctx, &sd->dacl->aces[i]); |
248 | 0 | } |
249 | 0 | } |
250 | |
|
251 | 0 | printf("-------------- End Of Security Descriptor\n"); |
252 | 0 | } |
253 | | |
254 | | #endif |