source3/libads/disp_sec.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Samba utility functions. ADS stuff
   4    Copyright (C) Alexey Kotovich 2002
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 3 of the License, or
   9    (at your option) any later version.
  10
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15
  16    You should have received a copy of the GNU General Public License
  17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19
  20 #include "includes.h"
  21 #include "ads.h"
  22 #include "libads/ldap_schema.h"
  23 #include "../libcli/security/secace.h"
  24 #include "../librpc/ndr/libndr.h"
  25
  26 /* for ADS */
  27 #define SEC_RIGHTS_FULL_CTRL            0xf01ff
  28
  29 #ifdef HAVE_LDAP
  30
  31 static struct perm_mask_str {
  32         uint32_t  mask;
  33         const char   *str;
  34 } perms[] = {
  35         {SEC_RIGHTS_FULL_CTRL,          "[Full Control]"},
  36
  37         {SEC_ADS_LIST,                  "[List Contents]"},
  38         {SEC_ADS_LIST_OBJECT,           "[List Object]"},
  39
  40         {SEC_ADS_READ_PROP,             "[Read All Properties]"},
  41         {SEC_STD_READ_CONTROL,          "[Read Permissions]"},
  42
  43         {SEC_ADS_SELF_WRITE,            "[All validate writes]"},
  44         {SEC_ADS_WRITE_PROP,            "[Write All Properties]"},
  45
  46         {SEC_STD_WRITE_DAC,             "[Modify Permissions]"},
  47         {SEC_STD_WRITE_OWNER,           "[Modify Owner]"},
  48
  49         {SEC_ADS_CREATE_CHILD,          "[Create All Child Objects]"},
  50
  51         {SEC_STD_DELETE,                "[Delete]"},
  52         {SEC_ADS_DELETE_TREE,           "[Delete Subtree]"},
  53         {SEC_ADS_DELETE_CHILD,          "[Delete All Child Objects]"},
  54
  55         {SEC_ADS_CONTROL_ACCESS,        "[Change Password]"},
  56         {SEC_ADS_CONTROL_ACCESS,        "[Reset Password]"},
  57
  58         {0,                             0}
  59 };
  60
  61 /* convert a security permissions into a string */
  62 static void ads_disp_perms(uint32_t type)
  63 {
  64         int i = 0;
  65         int j = 0;
  66
  67         printf("Permissions: ");
  68
  69         if (type == SEC_RIGHTS_FULL_CTRL) {
  70                 printf("%s\n", perms[j].str);
  71                 return;
  72         }
  73
  74         for (i = 0; i < 32; i++) {
  75                 if (type & (1 << i)) {
  76                         for (j = 1; perms[j].str; j ++) {
  77                                 if (perms[j].mask == (((unsigned) 1) << i)) {
  78                                         printf("\n\t%s (0x%08x)", perms[j].str, perms[j].mask);
  79                                 }
  80                         }
  81                         type &= ~(1 << i);
  82                 }
  83         }
  84
  85         /* remaining bits get added on as-is */
  86         if (type != 0) {
  87                 printf("[%08x]", type);
  88         }
  89         puts("");
  90 }
  91
  92 static const char *ads_interprete_guid_from_object(ADS_STRUCT *ads,
  93                                                    TALLOC_CTX *mem_ctx,
  94                                                    const struct GUID *guid)
  95 {
  96         const char *ret = NULL;
  97
  98         if (!ads || !mem_ctx) {
  99                 return NULL;
 100         }
 101
 102         ret = ads_get_attrname_by_guid(ads, ads->config.schema_path,
 103                                        mem_ctx, guid);
 104         if (ret) {
 105                 return talloc_asprintf(mem_ctx, "LDAP attribute: \"%s\"", ret);
 106         }
 107
 108         ret = ads_get_extended_right_name_by_guid(ads, ads->config.config_path,
 109                                                   mem_ctx, guid);
 110
 111         if (ret) {
 112                 return talloc_asprintf(mem_ctx, "Extended right: \"%s\"", ret);
 113         }
 114
 115         return ret;
 116 }
 117
 118 static void ads_disp_sec_ace_object(ADS_STRUCT *ads,
 119                                     TALLOC_CTX *mem_ctx,
 120                                     struct security_ace_object *object)
 121 {
 122         if (object->flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
 123                 printf("Object type: SEC_ACE_OBJECT_TYPE_PRESENT\n");
 124                 printf("Object GUID: %s (%s)\n", GUID_string(mem_ctx,
 125                         &object->type.type),
 126                         ads_interprete_guid_from_object(ads, mem_ctx,
 127                                 &object->type.type));
 128         }
 129         if (object->flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
 130                 printf("Object type: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT\n");
 131                 printf("Object GUID: %s (%s)\n", GUID_string(mem_ctx,
 132                         &object->inherited_type.inherited_type),
 133                         ads_interprete_guid_from_object(ads, mem_ctx,
 134                                 &object->inherited_type.inherited_type));
 135         }
 136 }
 137
 138 /* display ACE */
 139 static void ads_disp_ace(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_ace *sec_ace)
 140 {
 141         const char *access_type = "UNKNOWN";
 142
 143         if (!sec_ace_object(sec_ace->type)) {
 144                 printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x)\n",
 145                   sec_ace->type,
 146                   sec_ace->flags,
 147                   sec_ace->size,
 148                   sec_ace->access_mask);
 149         } else {
 150                 printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x, object flags: 0x%x)\n",
 151                   sec_ace->type,
 152                   sec_ace->flags,
 153                   sec_ace->size,
 154                   sec_ace->access_mask,
 155                   sec_ace->object.object.flags);
 156         }
 157
 158         if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) {
 159                 access_type = "ALLOWED";
 160         } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED) {
 161                 access_type = "DENIED";
 162         } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT) {
 163                 access_type = "SYSTEM AUDIT";
 164         } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
 165                 access_type = "ALLOWED OBJECT";
 166         } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) {
 167                 access_type = "DENIED OBJECT";
 168         } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT) {
 169                 access_type = "AUDIT OBJECT";
 170         }
 171
 172         printf("access SID:  %s\naccess type: %s\n",
 173                sid_string_talloc(mem_ctx, &sec_ace->trustee), access_type);
 174
 175         if (sec_ace_object(sec_ace->type)) {
 176                 ads_disp_sec_ace_object(ads, mem_ctx, &sec_ace->object.object);
 177         }
 178
 179         ads_disp_perms(sec_ace->access_mask);
 180 }
 181
 182 /* display ACL */
 183 static void ads_disp_acl(struct security_acl *sec_acl, const char *type)
 184 {
 185         if (!sec_acl)
 186                 printf("------- (%s) ACL not present\n", type);
 187         else {
 188                 printf("------- (%s) ACL (revision: %d, size: %d, number of ACEs: %d)\n",
 189                        type,
 190                        sec_acl->revision,
 191                        sec_acl->size,
 192                        sec_acl->num_aces);
 193         }
 194 }
 195
 196 /* display SD */
 197 void ads_disp_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_descriptor *sd)
 198 {
 199         int i;
 200         char *tmp_path = NULL;
 201
 202         if (!sd) {
 203                 return;
 204         }
 205
 206         if (ads && !ads->config.schema_path) {
 207                 if (ADS_ERR_OK(ads_schema_path(ads, mem_ctx, &tmp_path))) {
 208                         ads->config.schema_path = SMB_STRDUP(tmp_path);
 209                 }
 210         }
 211
 212         if (ads && !ads->config.config_path) {
 213                 if (ADS_ERR_OK(ads_config_path(ads, mem_ctx, &tmp_path))) {
 214                         ads->config.config_path = SMB_STRDUP(tmp_path);
 215                 }
 216         }
 217
 218         printf("-------------- Security Descriptor (revision: %d, type: 0x%02x)\n",
 219                sd->revision,
 220                sd->type);
 221
 222         printf("owner SID: %s\n", sd->owner_sid ?
 223                 sid_string_talloc(mem_ctx, sd->owner_sid) : "(null)");
 224         printf("group SID: %s\n", sd->group_sid ?
 225                 sid_string_talloc(mem_ctx, sd->group_sid) : "(null)");
 226
 227         ads_disp_acl(sd->sacl, "system");
 228         if (sd->sacl) {
 229                 for (i = 0; i < sd->sacl->num_aces; i ++) {
 230                         ads_disp_ace(ads, mem_ctx, &sd->sacl->aces[i]);
 231                 }
 232         }
 233
 234         ads_disp_acl(sd->dacl, "user");
 235         if (sd->dacl) {
 236                 for (i = 0; i < sd->dacl->num_aces; i ++) {
 237                         ads_disp_ace(ads, mem_ctx, &sd->dacl->aces[i]);
 238                 }
 239         }
 240
 241         printf("-------------- End Of Security Descriptor\n");
 242 }
 243
 244 #endif