source3/libads/disp_sec.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Samba utility functions. ADS stuff
   4    Copyright (C) Alexey Kotovich 2002
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 3 of the License, or
   9    (at your option) any later version.
  10
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15
  16    You should have received a copy of the GNU General Public License
  17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19
  20 #include "includes.h"
  21 #include "ads.h"
  22 #include "libads/ldap_schema.h"
  23 #include "../libcli/security/secace.h"
  24 #include "../librpc/ndr/libndr.h"
  25 #include "libcli/security/dom_sid.h"
  26
  27 /* for ADS */
  28 #define SEC_RIGHTS_FULL_CTRL            0xf01ff
  29
  30 #ifdef HAVE_LDAP
  31
  32 static struct perm_mask_str {
  33         uint32_t  mask;
  34         const char   *str;
  35 } perms[] = {
  36         {SEC_RIGHTS_FULL_CTRL,          "[Full Control]"},
  37
  38         {SEC_ADS_LIST,                  "[List Contents]"},
  39         {SEC_ADS_LIST_OBJECT,           "[List Object]"},
  40
  41         {SEC_ADS_READ_PROP,             "[Read All Properties]"},
  42         {SEC_STD_READ_CONTROL,          "[Read Permissions]"},
  43
  44         {SEC_ADS_SELF_WRITE,            "[All validate writes]"},
  45         {SEC_ADS_WRITE_PROP,            "[Write All Properties]"},
  46
  47         {SEC_STD_WRITE_DAC,             "[Modify Permissions]"},
  48         {SEC_STD_WRITE_OWNER,           "[Modify Owner]"},
  49
  50         {SEC_ADS_CREATE_CHILD,          "[Create All Child Objects]"},
  51
  52         {SEC_STD_DELETE,                "[Delete]"},
  53         {SEC_ADS_DELETE_TREE,           "[Delete Subtree]"},
  54         {SEC_ADS_DELETE_CHILD,          "[Delete All Child Objects]"},
  55
  56         {SEC_ADS_CONTROL_ACCESS,        "[Change Password]"},
  57         {SEC_ADS_CONTROL_ACCESS,        "[Reset Password]"},
  58
  59         {0,                             0}
  60 };
  61
  62 /* convert a security permissions into a string */
  63 static void ads_disp_perms(uint32_t type)
  64 {
  65         int i = 0;
  66         int j = 0;
  67
  68         printf("Permissions: ");
  69
  70         if (type == SEC_RIGHTS_FULL_CTRL) {
  71                 printf("%s\n", perms[j].str);
  72                 return;
  73         }
  74
  75         for (i = 0; i < 32; i++) {
  76                 if (type & ((uint32_t)1 << i)) {
  77                         for (j = 1; perms[j].str; j ++) {
  78                                 if (perms[j].mask == (((unsigned) 1) << i)) {
  79                                         printf("\n\t%s (0x%08x)", perms[j].str, perms[j].mask);
  80                                 }
  81                         }
  82                         type &= ~(1 << i);
  83                 }
  84         }
  85
  86         /* remaining bits get added on as-is */
  87         if (type != 0) {
  88                 printf("[%08x]", type);
  89         }
  90         puts("");
  91 }
  92
  93 static const char *ads_interprete_guid_from_object(ADS_STRUCT *ads,
  94                                                    TALLOC_CTX *mem_ctx,
  95                                                    const struct GUID *guid)
  96 {
  97         const char *ret = NULL;
  98
  99         if (!ads || !mem_ctx) {
 100                 return NULL;
 101         }
 102
 103         ret = ads_get_attrname_by_guid(ads, ads->config.schema_path,
 104                                        mem_ctx, guid);
 105         if (ret) {
 106                 return talloc_asprintf(mem_ctx, "LDAP attribute: \"%s\"", ret);
 107         }
 108
 109         ret = ads_get_extended_right_name_by_guid(ads, ads->config.config_path,
 110                                                   mem_ctx, guid);
 111
 112         if (ret) {
 113                 return talloc_asprintf(mem_ctx, "Extended right: \"%s\"", ret);
 114         }
 115
 116         return ret;
 117 }
 118
 119 static void ads_disp_sec_ace_object(ADS_STRUCT *ads,
 120                                     TALLOC_CTX *mem_ctx,
 121                                     struct security_ace_object *object)
 122 {
 123         if (object->flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
 124                 printf("Object type: SEC_ACE_OBJECT_TYPE_PRESENT\n");
 125                 printf("Object GUID: %s (%s)\n", GUID_string(mem_ctx,
 126                         &object->type.type),
 127                         ads_interprete_guid_from_object(ads, mem_ctx,
 128                                 &object->type.type));
 129         }
 130         if (object->flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
 131                 printf("Object type: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT\n");
 132                 printf("Object GUID: %s (%s)\n", GUID_string(mem_ctx,
 133                         &object->inherited_type.inherited_type),
 134                         ads_interprete_guid_from_object(ads, mem_ctx,
 135                                 &object->inherited_type.inherited_type));
 136         }
 137 }
 138
 139 /* display ACE */
 140 static void ads_disp_ace(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_ace *sec_ace)
 141 {
 142         const char *access_type = "UNKNOWN";
 143         struct dom_sid_buf sidbuf;
 144
 145         if (!sec_ace_object(sec_ace->type)) {
 146                 printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x)\n",
 147                   sec_ace->type,
 148                   sec_ace->flags,
 149                   sec_ace->size,
 150                   sec_ace->access_mask);
 151         } else {
 152                 printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x, object flags: 0x%x)\n",
 153                   sec_ace->type,
 154                   sec_ace->flags,
 155                   sec_ace->size,
 156                   sec_ace->access_mask,
 157                   sec_ace->object.object.flags);
 158         }
 159
 160         if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) {
 161                 access_type = "ALLOWED";
 162         } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED) {
 163                 access_type = "DENIED";
 164         } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT) {
 165                 access_type = "SYSTEM AUDIT";
 166         } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
 167                 access_type = "ALLOWED OBJECT";
 168         } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) {
 169                 access_type = "DENIED OBJECT";
 170         } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT) {
 171                 access_type = "AUDIT OBJECT";
 172         }
 173
 174         printf("access SID:  %s\naccess type: %s\n",
 175                dom_sid_str_buf(&sec_ace->trustee, &sidbuf),
 176                access_type);
 177
 178         if (sec_ace_object(sec_ace->type)) {
 179                 ads_disp_sec_ace_object(ads, mem_ctx, &sec_ace->object.object);
 180         }
 181
 182         ads_disp_perms(sec_ace->access_mask);
 183 }
 184
 185 /* display ACL */
 186 static void ads_disp_acl(struct security_acl *sec_acl, const char *type)
 187 {
 188         if (!sec_acl)
 189                 printf("------- (%s) ACL not present\n", type);
 190         else {
 191                 printf("------- (%s) ACL (revision: %d, size: %d, number of ACEs: %d)\n",
 192                        type,
 193                        sec_acl->revision,
 194                        sec_acl->size,
 195                        sec_acl->num_aces);
 196         }
 197 }
 198
 199 /* display SD */
 200 void ads_disp_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_descriptor *sd)
 201 {
 202         uint32_t i;
 203         char *tmp_path = NULL;
 204         struct dom_sid_buf buf;
 205
 206         if (!sd) {
 207                 return;
 208         }
 209
 210         if (ads && !ads->config.schema_path) {
 211                 if (ADS_ERR_OK(ads_schema_path(ads, mem_ctx, &tmp_path))) {
 212                         ads->config.schema_path = SMB_STRDUP(tmp_path);
 213                 }
 214         }
 215
 216         if (ads && !ads->config.config_path) {
 217                 if (ADS_ERR_OK(ads_config_path(ads, mem_ctx, &tmp_path))) {
 218                         ads->config.config_path = SMB_STRDUP(tmp_path);
 219                 }
 220         }
 221
 222         printf("-------------- Security Descriptor (revision: %d, type: 0x%02x)\n",
 223                sd->revision,
 224                sd->type);
 225
 226         printf("owner SID: %s\n", sd->owner_sid ?
 227                dom_sid_str_buf(sd->owner_sid, &buf) : "(null)");
 228         printf("group SID: %s\n", sd->group_sid ?
 229                dom_sid_str_buf(sd->group_sid, &buf) : "(null)");
 230
 231         ads_disp_acl(sd->sacl, "system");
 232         if (sd->sacl) {
 233                 for (i = 0; i < sd->sacl->num_aces; i ++) {
 234                         ads_disp_ace(ads, mem_ctx, &sd->sacl->aces[i]);
 235                 }
 236         }
 237
 238         ads_disp_acl(sd->dacl, "user");
 239         if (sd->dacl) {
 240                 for (i = 0; i < sd->dacl->num_aces; i ++) {
 241                         ads_disp_ace(ads, mem_ctx, &sd->dacl->aces[i]);
 242                 }
 243         }
 244
 245         printf("-------------- End Of Security Descriptor\n");
 246 }
 247
 248 #endif