libcli/security/display_sec.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Samba utility functions
   4    Copyright (C) Andrew Tridgell 1992-1999
   5    Copyright (C) Luke Kenneth Casson Leighton 1996 - 1999
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License as published by
   9    the Free Software Foundation; either version 3 of the License, or
  10    (at your option) any later version.
  11
  12    This program is distributed in the hope that it will be useful,
  13    but WITHOUT ANY WARRANTY; without even the implied warranty of
  14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15    GNU General Public License for more details.
  16
  17    You should have received a copy of the GNU General Public License
  18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19 */
  20
  21 #include "includes.h"
  22 #include "libcli/security/security.h"
  23 #include "librpc/ndr/libndr.h"
  24
  25 /****************************************************************************
  26 convert a security permissions into a string
  27 ****************************************************************************/
  28
  29 char *get_sec_mask_str(TALLOC_CTX *ctx, uint32_t type)
  30 {
  31         char *typestr = talloc_strdup(ctx, "");
  32
  33         if (!typestr) {
  34                 return NULL;
  35         }
  36
  37         if (type & SEC_GENERIC_ALL) {
  38                 typestr = talloc_asprintf_append(typestr,
  39                                 "Generic all access ");
  40                 if (!typestr) {
  41                         return NULL;
  42                 }
  43         }
  44         if (type & SEC_GENERIC_EXECUTE) {
  45                 typestr = talloc_asprintf_append(typestr,
  46                                 "Generic execute access");
  47                 if (!typestr) {
  48                         return NULL;
  49                 }
  50         }
  51         if (type & SEC_GENERIC_WRITE) {
  52                 typestr = talloc_asprintf_append(typestr,
  53                                 "Generic write access ");
  54                 if (!typestr) {
  55                         return NULL;
  56                 }
  57         }
  58         if (type & SEC_GENERIC_READ) {
  59                 typestr = talloc_asprintf_append(typestr,
  60                                 "Generic read access ");
  61                 if (!typestr) {
  62                         return NULL;
  63                 }
  64         }
  65         if (type & SEC_FLAG_MAXIMUM_ALLOWED) {
  66                 typestr = talloc_asprintf_append(typestr,
  67                                 "MAXIMUM_ALLOWED_ACCESS ");
  68                 if (!typestr) {
  69                         return NULL;
  70                 }
  71         }
  72         if (type & SEC_FLAG_SYSTEM_SECURITY) {
  73                 typestr = talloc_asprintf_append(typestr,
  74                                 "SYSTEM_SECURITY_ACCESS ");
  75                 if (!typestr) {
  76                         return NULL;
  77                 }
  78         }
  79         if (type & SEC_STD_SYNCHRONIZE) {
  80                 typestr = talloc_asprintf_append(typestr,
  81                                 "SYNCHRONIZE_ACCESS ");
  82                 if (!typestr) {
  83                         return NULL;
  84                 }
  85         }
  86         if (type & SEC_STD_WRITE_OWNER) {
  87                 typestr = talloc_asprintf_append(typestr,
  88                                 "WRITE_OWNER_ACCESS ");
  89                 if (!typestr) {
  90                         return NULL;
  91                 }
  92         }
  93         if (type & SEC_STD_WRITE_DAC) {
  94                 typestr = talloc_asprintf_append(typestr,
  95                                 "WRITE_DAC_ACCESS ");
  96                 if (!typestr) {
  97                         return NULL;
  98                 }
  99         }
 100         if (type & SEC_STD_READ_CONTROL) {
 101                 typestr = talloc_asprintf_append(typestr,
 102                                 "READ_CONTROL_ACCESS ");
 103                 if (!typestr) {
 104                         return NULL;
 105                 }
 106         }
 107         if (type & SEC_STD_DELETE) {
 108                 typestr = talloc_asprintf_append(typestr,
 109                                 "DELETE_ACCESS ");
 110                 if (!typestr) {
 111                         return NULL;
 112                 }
 113         }
 114
 115         printf("\t\tSpecific bits: 0x%lx\n", (unsigned long)type&SEC_MASK_SPECIFIC);
 116
 117         return typestr;
 118 }
 119
 120 /****************************************************************************
 121  display sec_access structure
 122  ****************************************************************************/
 123 void display_sec_access(uint32_t *info)
 124 {
 125         char *mask_str = get_sec_mask_str(NULL, *info);
 126         printf("\t\tPermissions: 0x%x: %s\n", *info, mask_str ? mask_str : "");
 127         talloc_free(mask_str);
 128 }
 129
 130 /****************************************************************************
 131  display sec_ace flags
 132  ****************************************************************************/
 133 void display_sec_ace_flags(uint8_t flags)
 134 {
 135         if (flags & SEC_ACE_FLAG_OBJECT_INHERIT)
 136                 printf("SEC_ACE_FLAG_OBJECT_INHERIT ");
 137         if (flags & SEC_ACE_FLAG_CONTAINER_INHERIT)
 138                 printf(" SEC_ACE_FLAG_CONTAINER_INHERIT ");
 139         if (flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT)
 140                 printf("SEC_ACE_FLAG_NO_PROPAGATE_INHERIT ");
 141         if (flags & SEC_ACE_FLAG_INHERIT_ONLY)
 142                 printf("SEC_ACE_FLAG_INHERIT_ONLY ");
 143         if (flags & SEC_ACE_FLAG_INHERITED_ACE)
 144                 printf("SEC_ACE_FLAG_INHERITED_ACE ");
 145 /*      if (flags & SEC_ACE_FLAG_VALID_INHERIT)
 146                 printf("SEC_ACE_FLAG_VALID_INHERIT "); */
 147         if (flags & SEC_ACE_FLAG_SUCCESSFUL_ACCESS)
 148                 printf("SEC_ACE_FLAG_SUCCESSFUL_ACCESS ");
 149         if (flags & SEC_ACE_FLAG_FAILED_ACCESS)
 150                 printf("SEC_ACE_FLAG_FAILED_ACCESS ");
 151
 152         printf("\n");
 153 }
 154
 155 /****************************************************************************
 156  display sec_ace object
 157  ****************************************************************************/
 158 static void disp_sec_ace_object(struct security_ace_object *object)
 159 {
 160         char *str;
 161         if (object->flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
 162                 str = GUID_string(NULL, &object->type.type);
 163                 if (str == NULL) return;
 164                 printf("Object type: SEC_ACE_OBJECT_TYPE_PRESENT\n");
 165                 printf("Object GUID: %s\n", str);
 166                 talloc_free(str);
 167         }
 168         if (object->flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
 169                 str = GUID_string(NULL, &object->inherited_type.inherited_type);
 170                 if (str == NULL) return;
 171                 printf("Object type: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT\n");
 172                 printf("Object GUID: %s\n", str);
 173                 talloc_free(str);
 174         }
 175 }
 176
 177 /****************************************************************************
 178  display sec_ace structure
 179  ****************************************************************************/
 180 void display_sec_ace(struct security_ace *ace)
 181 {
 182         char *sid_str;
 183
 184         printf("\tACE\n\t\ttype: ");
 185         switch (ace->type) {
 186                 case SEC_ACE_TYPE_ACCESS_ALLOWED:
 187                         printf("ACCESS ALLOWED");
 188                         break;
 189                 case SEC_ACE_TYPE_ACCESS_DENIED:
 190                         printf("ACCESS DENIED");
 191                         break;
 192                 case SEC_ACE_TYPE_SYSTEM_AUDIT:
 193                         printf("SYSTEM AUDIT");
 194                         break;
 195                 case SEC_ACE_TYPE_SYSTEM_ALARM:
 196                         printf("SYSTEM ALARM");
 197                         break;
 198                 case SEC_ACE_TYPE_ALLOWED_COMPOUND:
 199                         printf("SEC_ACE_TYPE_ALLOWED_COMPOUND");
 200                         break;
 201                 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
 202                         printf("SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT");
 203                         break;
 204                 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
 205                         printf("SEC_ACE_TYPE_ACCESS_DENIED_OBJECT");
 206                         break;
 207                 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
 208                         printf("SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT");
 209                         break;
 210                 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
 211                         printf("SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT");
 212                         break;
 213                 default:
 214                         printf("????");
 215                         break;
 216         }
 217
 218         printf(" (%d) flags: 0x%02x ", ace->type, ace->flags);
 219         display_sec_ace_flags(ace->flags);
 220         display_sec_access(&ace->access_mask);
 221         sid_str = dom_sid_string(NULL, &ace->trustee);
 222         printf("\t\tSID: %s\n\n", sid_str);
 223         talloc_free(sid_str);
 224
 225         if (sec_ace_object(ace->type)) {
 226                 disp_sec_ace_object(&ace->object.object);
 227         }
 228
 229 }
 230
 231 /****************************************************************************
 232  display sec_acl structure
 233  ****************************************************************************/
 234 void display_sec_acl(struct security_acl *sec_acl)
 235 {
 236         int i;
 237
 238         printf("\tACL\tNum ACEs:\t%d\trevision:\t%x\n",
 239                          sec_acl->num_aces, sec_acl->revision);
 240         printf("\t---\n");
 241
 242         if (sec_acl->size != 0 && sec_acl->num_aces != 0) {
 243                 for (i = 0; i < sec_acl->num_aces; i++) {
 244                         display_sec_ace(&sec_acl->aces[i]);
 245                 }
 246         }
 247 }
 248
 249 void display_acl_type(uint16_t type)
 250 {
 251         printf("type: 0x%04x: ", type);
 252
 253         if (type & SEC_DESC_OWNER_DEFAULTED)    /* 0x0001 */
 254                 printf("SEC_DESC_OWNER_DEFAULTED ");
 255         if (type & SEC_DESC_GROUP_DEFAULTED)    /* 0x0002 */
 256                 printf("SEC_DESC_GROUP_DEFAULTED ");
 257         if (type & SEC_DESC_DACL_PRESENT)       /* 0x0004 */
 258                 printf("SEC_DESC_DACL_PRESENT ");
 259         if (type & SEC_DESC_DACL_DEFAULTED)     /* 0x0008 */
 260                 printf("SEC_DESC_DACL_DEFAULTED ");
 261         if (type & SEC_DESC_SACL_PRESENT)       /* 0x0010 */
 262                 printf("SEC_DESC_SACL_PRESENT ");
 263         if (type & SEC_DESC_SACL_DEFAULTED)     /* 0x0020 */
 264                 printf("SEC_DESC_SACL_DEFAULTED ");
 265         if (type & SEC_DESC_DACL_TRUSTED)       /* 0x0040 */
 266                 printf("SEC_DESC_DACL_TRUSTED ");
 267         if (type & SEC_DESC_SERVER_SECURITY)    /* 0x0080 */
 268                 printf("SEC_DESC_SERVER_SECURITY ");
 269         if (type & SEC_DESC_DACL_AUTO_INHERIT_REQ) /* 0x0100 */
 270                 printf("SEC_DESC_DACL_AUTO_INHERIT_REQ ");
 271         if (type & SEC_DESC_SACL_AUTO_INHERIT_REQ) /* 0x0200 */
 272                 printf("SEC_DESC_SACL_AUTO_INHERIT_REQ ");
 273         if (type & SEC_DESC_DACL_AUTO_INHERITED) /* 0x0400 */
 274                 printf("SEC_DESC_DACL_AUTO_INHERITED ");
 275         if (type & SEC_DESC_SACL_AUTO_INHERITED) /* 0x0800 */
 276                 printf("SEC_DESC_SACL_AUTO_INHERITED ");
 277         if (type & SEC_DESC_DACL_PROTECTED)     /* 0x1000 */
 278                 printf("SEC_DESC_DACL_PROTECTED ");
 279         if (type & SEC_DESC_SACL_PROTECTED)     /* 0x2000 */
 280                 printf("SEC_DESC_SACL_PROTECTED ");
 281         if (type & SEC_DESC_RM_CONTROL_VALID)   /* 0x4000 */
 282                 printf("SEC_DESC_RM_CONTROL_VALID ");
 283         if (type & SEC_DESC_SELF_RELATIVE)      /* 0x8000 */
 284                 printf("SEC_DESC_SELF_RELATIVE ");
 285
 286         printf("\n");
 287 }
 288
 289 /****************************************************************************
 290  display sec_desc structure
 291  ****************************************************************************/
 292 void display_sec_desc(struct security_descriptor *sec)
 293 {
 294         char *sid_str;
 295
 296         if (!sec) {
 297                 printf("NULL\n");
 298                 return;
 299         }
 300
 301         printf("revision: %d\n", sec->revision);
 302         display_acl_type(sec->type);
 303
 304         if (sec->sacl) {
 305                 printf("SACL\n");
 306                 display_sec_acl(sec->sacl);
 307         }
 308
 309         if (sec->dacl) {
 310                 printf("DACL\n");
 311                 display_sec_acl(sec->dacl);
 312         }
 313
 314         if (sec->owner_sid) {
 315                 sid_str = dom_sid_string(NULL, sec->owner_sid);
 316                 printf("\tOwner SID:\t%s\n", sid_str);
 317                 talloc_free(sid_str);
 318         }
 319
 320         if (sec->group_sid) {
 321                 sid_str = dom_sid_string(NULL, sec->group_sid);
 322                 printf("\tGroup SID:\t%s\n", sid_str);
 323                 talloc_free(sid_str);
 324         }
 325 }