libcli/security/display_sec.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Samba utility functions
   4    Copyright (C) Andrew Tridgell 1992-1999
   5    Copyright (C) Luke Kenneth Casson Leighton 1996 - 1999
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License as published by
   9    the Free Software Foundation; either version 3 of the License, or
  10    (at your option) any later version.
  11
  12    This program is distributed in the hope that it will be useful,
  13    but WITHOUT ANY WARRANTY; without even the implied warranty of
  14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15    GNU General Public License for more details.
  16
  17    You should have received a copy of the GNU General Public License
  18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19 */
  20
  21 #include "includes.h"
  22 #include "libcli/security/security.h"
  23 #include "librpc/ndr/libndr.h"
  24 #include "libcli/security/display_sec.h"
  25
  26 /****************************************************************************
  27 convert a security permissions into a string
  28 ****************************************************************************/
  29
  30 char *get_sec_mask_str(TALLOC_CTX *ctx, uint32_t type)
  31 {
  32         char *typestr = talloc_strdup(ctx, "");
  33
  34         if (!typestr) {
  35                 return NULL;
  36         }
  37
  38         if (type & SEC_GENERIC_ALL) {
  39                 typestr = talloc_asprintf_append(typestr,
  40                                 "Generic all access ");
  41                 if (!typestr) {
  42                         return NULL;
  43                 }
  44         }
  45         if (type & SEC_GENERIC_EXECUTE) {
  46                 typestr = talloc_asprintf_append(typestr,
  47                                 "Generic execute access");
  48                 if (!typestr) {
  49                         return NULL;
  50                 }
  51         }
  52         if (type & SEC_GENERIC_WRITE) {
  53                 typestr = talloc_asprintf_append(typestr,
  54                                 "Generic write access ");
  55                 if (!typestr) {
  56                         return NULL;
  57                 }
  58         }
  59         if (type & SEC_GENERIC_READ) {
  60                 typestr = talloc_asprintf_append(typestr,
  61                                 "Generic read access ");
  62                 if (!typestr) {
  63                         return NULL;
  64                 }
  65         }
  66         if (type & SEC_FLAG_MAXIMUM_ALLOWED) {
  67                 typestr = talloc_asprintf_append(typestr,
  68                                 "MAXIMUM_ALLOWED_ACCESS ");
  69                 if (!typestr) {
  70                         return NULL;
  71                 }
  72         }
  73         if (type & SEC_FLAG_SYSTEM_SECURITY) {
  74                 typestr = talloc_asprintf_append(typestr,
  75                                 "SYSTEM_SECURITY_ACCESS ");
  76                 if (!typestr) {
  77                         return NULL;
  78                 }
  79         }
  80         if (type & SEC_STD_SYNCHRONIZE) {
  81                 typestr = talloc_asprintf_append(typestr,
  82                                 "SYNCHRONIZE_ACCESS ");
  83                 if (!typestr) {
  84                         return NULL;
  85                 }
  86         }
  87         if (type & SEC_STD_WRITE_OWNER) {
  88                 typestr = talloc_asprintf_append(typestr,
  89                                 "WRITE_OWNER_ACCESS ");
  90                 if (!typestr) {
  91                         return NULL;
  92                 }
  93         }
  94         if (type & SEC_STD_WRITE_DAC) {
  95                 typestr = talloc_asprintf_append(typestr,
  96                                 "WRITE_DAC_ACCESS ");
  97                 if (!typestr) {
  98                         return NULL;
  99                 }
 100         }
 101         if (type & SEC_STD_READ_CONTROL) {
 102                 typestr = talloc_asprintf_append(typestr,
 103                                 "READ_CONTROL_ACCESS ");
 104                 if (!typestr) {
 105                         return NULL;
 106                 }
 107         }
 108         if (type & SEC_STD_DELETE) {
 109                 typestr = talloc_asprintf_append(typestr,
 110                                 "DELETE_ACCESS ");
 111                 if (!typestr) {
 112                         return NULL;
 113                 }
 114         }
 115
 116         printf("\t\tSpecific bits: 0x%lx\n", (unsigned long)type&SEC_MASK_SPECIFIC);
 117
 118         return typestr;
 119 }
 120
 121 /****************************************************************************
 122  display sec_access structure
 123  ****************************************************************************/
 124 void display_sec_access(uint32_t *info)
 125 {
 126         char *mask_str = get_sec_mask_str(NULL, *info);
 127         printf("\t\tPermissions: 0x%x: %s\n", *info, mask_str ? mask_str : "");
 128         talloc_free(mask_str);
 129 }
 130
 131 /****************************************************************************
 132  display sec_ace flags
 133  ****************************************************************************/
 134 void display_sec_ace_flags(uint8_t flags)
 135 {
 136         if (flags & SEC_ACE_FLAG_OBJECT_INHERIT)
 137                 printf("SEC_ACE_FLAG_OBJECT_INHERIT ");
 138         if (flags & SEC_ACE_FLAG_CONTAINER_INHERIT)
 139                 printf(" SEC_ACE_FLAG_CONTAINER_INHERIT ");
 140         if (flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT)
 141                 printf("SEC_ACE_FLAG_NO_PROPAGATE_INHERIT ");
 142         if (flags & SEC_ACE_FLAG_INHERIT_ONLY)
 143                 printf("SEC_ACE_FLAG_INHERIT_ONLY ");
 144         if (flags & SEC_ACE_FLAG_INHERITED_ACE)
 145                 printf("SEC_ACE_FLAG_INHERITED_ACE ");
 146 /*      if (flags & SEC_ACE_FLAG_VALID_INHERIT)
 147                 printf("SEC_ACE_FLAG_VALID_INHERIT "); */
 148         if (flags & SEC_ACE_FLAG_SUCCESSFUL_ACCESS)
 149                 printf("SEC_ACE_FLAG_SUCCESSFUL_ACCESS ");
 150         if (flags & SEC_ACE_FLAG_FAILED_ACCESS)
 151                 printf("SEC_ACE_FLAG_FAILED_ACCESS ");
 152
 153         printf("\n");
 154 }
 155
 156 /****************************************************************************
 157  display sec_ace object
 158  ****************************************************************************/
 159 static void disp_sec_ace_object(struct security_ace_object *object)
 160 {
 161         char *str;
 162         if (object->flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
 163                 str = GUID_string(NULL, &object->type.type);
 164                 if (str == NULL) return;
 165                 printf("Object type: SEC_ACE_OBJECT_TYPE_PRESENT\n");
 166                 printf("Object GUID: %s\n", str);
 167                 talloc_free(str);
 168         }
 169         if (object->flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
 170                 str = GUID_string(NULL, &object->inherited_type.inherited_type);
 171                 if (str == NULL) return;
 172                 printf("Object type: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT\n");
 173                 printf("Object GUID: %s\n", str);
 174                 talloc_free(str);
 175         }
 176 }
 177
 178 /****************************************************************************
 179  display sec_ace structure
 180  ****************************************************************************/
 181 void display_sec_ace(struct security_ace *ace)
 182 {
 183         char *sid_str;
 184
 185         printf("\tACE\n\t\ttype: ");
 186         switch (ace->type) {
 187                 case SEC_ACE_TYPE_ACCESS_ALLOWED:
 188                         printf("ACCESS ALLOWED");
 189                         break;
 190                 case SEC_ACE_TYPE_ACCESS_DENIED:
 191                         printf("ACCESS DENIED");
 192                         break;
 193                 case SEC_ACE_TYPE_SYSTEM_AUDIT:
 194                         printf("SYSTEM AUDIT");
 195                         break;
 196                 case SEC_ACE_TYPE_SYSTEM_ALARM:
 197                         printf("SYSTEM ALARM");
 198                         break;
 199                 case SEC_ACE_TYPE_ALLOWED_COMPOUND:
 200                         printf("SEC_ACE_TYPE_ALLOWED_COMPOUND");
 201                         break;
 202                 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
 203                         printf("SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT");
 204                         break;
 205                 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
 206                         printf("SEC_ACE_TYPE_ACCESS_DENIED_OBJECT");
 207                         break;
 208                 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
 209                         printf("SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT");
 210                         break;
 211                 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
 212                         printf("SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT");
 213                         break;
 214                 default:
 215                         printf("????");
 216                         break;
 217         }
 218
 219         printf(" (%d) flags: 0x%02x ", ace->type, ace->flags);
 220         display_sec_ace_flags(ace->flags);
 221         display_sec_access(&ace->access_mask);
 222         sid_str = dom_sid_string(NULL, &ace->trustee);
 223         printf("\t\tSID: %s\n\n", sid_str);
 224         talloc_free(sid_str);
 225
 226         if (sec_ace_object(ace->type)) {
 227                 disp_sec_ace_object(&ace->object.object);
 228         }
 229
 230 }
 231
 232 /****************************************************************************
 233  display sec_acl structure
 234  ****************************************************************************/
 235 void display_sec_acl(struct security_acl *sec_acl)
 236 {
 237         uint32_t i;
 238
 239         printf("\tACL\tNum ACEs:\t%u\trevision:\t%x\n",
 240                          sec_acl->num_aces, sec_acl->revision);
 241         printf("\t---\n");
 242
 243         if (sec_acl->size != 0 && sec_acl->num_aces != 0) {
 244                 for (i = 0; i < sec_acl->num_aces; i++) {
 245                         display_sec_ace(&sec_acl->aces[i]);
 246                 }
 247         }
 248 }
 249
 250 void display_acl_type(uint16_t type)
 251 {
 252         printf("type: 0x%04x: ", type);
 253
 254         if (type & SEC_DESC_OWNER_DEFAULTED)    /* 0x0001 */
 255                 printf("SEC_DESC_OWNER_DEFAULTED ");
 256         if (type & SEC_DESC_GROUP_DEFAULTED)    /* 0x0002 */
 257                 printf("SEC_DESC_GROUP_DEFAULTED ");
 258         if (type & SEC_DESC_DACL_PRESENT)       /* 0x0004 */
 259                 printf("SEC_DESC_DACL_PRESENT ");
 260         if (type & SEC_DESC_DACL_DEFAULTED)     /* 0x0008 */
 261                 printf("SEC_DESC_DACL_DEFAULTED ");
 262         if (type & SEC_DESC_SACL_PRESENT)       /* 0x0010 */
 263                 printf("SEC_DESC_SACL_PRESENT ");
 264         if (type & SEC_DESC_SACL_DEFAULTED)     /* 0x0020 */
 265                 printf("SEC_DESC_SACL_DEFAULTED ");
 266         if (type & SEC_DESC_DACL_TRUSTED)       /* 0x0040 */
 267                 printf("SEC_DESC_DACL_TRUSTED ");
 268         if (type & SEC_DESC_SERVER_SECURITY)    /* 0x0080 */
 269                 printf("SEC_DESC_SERVER_SECURITY ");
 270         if (type & SEC_DESC_DACL_AUTO_INHERIT_REQ) /* 0x0100 */
 271                 printf("SEC_DESC_DACL_AUTO_INHERIT_REQ ");
 272         if (type & SEC_DESC_SACL_AUTO_INHERIT_REQ) /* 0x0200 */
 273                 printf("SEC_DESC_SACL_AUTO_INHERIT_REQ ");
 274         if (type & SEC_DESC_DACL_AUTO_INHERITED) /* 0x0400 */
 275                 printf("SEC_DESC_DACL_AUTO_INHERITED ");
 276         if (type & SEC_DESC_SACL_AUTO_INHERITED) /* 0x0800 */
 277                 printf("SEC_DESC_SACL_AUTO_INHERITED ");
 278         if (type & SEC_DESC_DACL_PROTECTED)     /* 0x1000 */
 279                 printf("SEC_DESC_DACL_PROTECTED ");
 280         if (type & SEC_DESC_SACL_PROTECTED)     /* 0x2000 */
 281                 printf("SEC_DESC_SACL_PROTECTED ");
 282         if (type & SEC_DESC_RM_CONTROL_VALID)   /* 0x4000 */
 283                 printf("SEC_DESC_RM_CONTROL_VALID ");
 284         if (type & SEC_DESC_SELF_RELATIVE)      /* 0x8000 */
 285                 printf("SEC_DESC_SELF_RELATIVE ");
 286
 287         printf("\n");
 288 }
 289
 290 /****************************************************************************
 291  display sec_desc structure
 292  ****************************************************************************/
 293 void display_sec_desc(struct security_descriptor *sec)
 294 {
 295         char *sid_str;
 296
 297         if (!sec) {
 298                 printf("NULL\n");
 299                 return;
 300         }
 301
 302         printf("revision: %d\n", sec->revision);
 303         display_acl_type(sec->type);
 304
 305         if (sec->sacl) {
 306                 printf("SACL\n");
 307                 display_sec_acl(sec->sacl);
 308         }
 309
 310         if (sec->dacl) {
 311                 printf("DACL\n");
 312                 display_sec_acl(sec->dacl);
 313         }
 314
 315         if (sec->owner_sid) {
 316                 sid_str = dom_sid_string(NULL, sec->owner_sid);
 317                 printf("\tOwner SID:\t%s\n", sid_str);
 318                 talloc_free(sid_str);
 319         }
 320
 321         if (sec->group_sid) {
 322                 sid_str = dom_sid_string(NULL, sec->group_sid);
 323                 printf("\tGroup SID:\t%s\n", sid_str);
 324                 talloc_free(sid_str);
 325         }
 326 }