s4-pvfs: use O_FOLLOW one level at a time for security overrides
[ira/wip.git] / libcli / security / display_sec.c
1 /* 
2    Unix SMB/CIFS implementation.
3    Samba utility functions
4    Copyright (C) Andrew Tridgell 1992-1999
5    Copyright (C) Luke Kenneth Casson Leighton 1996 - 1999
6    
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License as published by
9    the Free Software Foundation; either version 3 of the License, or
10    (at your option) any later version.
11    
12    This program is distributed in the hope that it will be useful, 
13    but WITHOUT ANY WARRANTY; without even the implied warranty of
14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15    GNU General Public License for more details.
16    
17    You should have received a copy of the GNU General Public License
18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "librpc/gen_ndr/security.h"
23 #include "libcli/security/secace.h"
24 #include "libcli/security/dom_sid.h"
25 #include "librpc/ndr/libndr.h"
26
27 /****************************************************************************
28 convert a security permissions into a string
29 ****************************************************************************/
30
31 char *get_sec_mask_str(TALLOC_CTX *ctx, uint32_t type)
32 {
33         char *typestr = talloc_strdup(ctx, "");
34
35         if (!typestr) {
36                 return NULL;
37         }
38
39         if (type & SEC_GENERIC_ALL) {
40                 typestr = talloc_asprintf_append(typestr,
41                                 "Generic all access ");
42                 if (!typestr) {
43                         return NULL;
44                 }
45         }
46         if (type & SEC_GENERIC_EXECUTE) {
47                 typestr = talloc_asprintf_append(typestr,
48                                 "Generic execute access");
49                 if (!typestr) {
50                         return NULL;
51                 }
52         }
53         if (type & SEC_GENERIC_WRITE) {
54                 typestr = talloc_asprintf_append(typestr,
55                                 "Generic write access ");
56                 if (!typestr) {
57                         return NULL;
58                 }
59         }
60         if (type & SEC_GENERIC_READ) {
61                 typestr = talloc_asprintf_append(typestr,
62                                 "Generic read access ");
63                 if (!typestr) {
64                         return NULL;
65                 }
66         }
67         if (type & SEC_FLAG_MAXIMUM_ALLOWED) {
68                 typestr = talloc_asprintf_append(typestr,
69                                 "MAXIMUM_ALLOWED_ACCESS ");
70                 if (!typestr) {
71                         return NULL;
72                 }
73         }
74         if (type & SEC_FLAG_SYSTEM_SECURITY) {
75                 typestr = talloc_asprintf_append(typestr,
76                                 "SYSTEM_SECURITY_ACCESS ");
77                 if (!typestr) {
78                         return NULL;
79                 }
80         }
81         if (type & SEC_STD_SYNCHRONIZE) {
82                 typestr = talloc_asprintf_append(typestr,
83                                 "SYNCHRONIZE_ACCESS ");
84                 if (!typestr) {
85                         return NULL;
86                 }
87         }
88         if (type & SEC_STD_WRITE_OWNER) {
89                 typestr = talloc_asprintf_append(typestr,
90                                 "WRITE_OWNER_ACCESS ");
91                 if (!typestr) {
92                         return NULL;
93                 }
94         }
95         if (type & SEC_STD_WRITE_DAC) {
96                 typestr = talloc_asprintf_append(typestr,
97                                 "WRITE_DAC_ACCESS ");
98                 if (!typestr) {
99                         return NULL;
100                 }
101         }
102         if (type & SEC_STD_READ_CONTROL) {
103                 typestr = talloc_asprintf_append(typestr,
104                                 "READ_CONTROL_ACCESS ");
105                 if (!typestr) {
106                         return NULL;
107                 }
108         }
109         if (type & SEC_STD_DELETE) {
110                 typestr = talloc_asprintf_append(typestr,
111                                 "DELETE_ACCESS ");
112                 if (!typestr) {
113                         return NULL;
114                 }
115         }
116
117         printf("\t\tSpecific bits: 0x%lx\n", (unsigned long)type&SEC_MASK_SPECIFIC);
118
119         return typestr;
120 }
121
122 /****************************************************************************
123  display sec_access structure
124  ****************************************************************************/
125 void display_sec_access(uint32_t *info)
126 {
127         char *mask_str = get_sec_mask_str(NULL, *info);
128         printf("\t\tPermissions: 0x%x: %s\n", *info, mask_str ? mask_str : "");
129         talloc_free(mask_str);
130 }
131
132 /****************************************************************************
133  display sec_ace flags
134  ****************************************************************************/
135 void display_sec_ace_flags(uint8_t flags)
136 {
137         if (flags & SEC_ACE_FLAG_OBJECT_INHERIT)
138                 printf("SEC_ACE_FLAG_OBJECT_INHERIT ");
139         if (flags & SEC_ACE_FLAG_CONTAINER_INHERIT)
140                 printf(" SEC_ACE_FLAG_CONTAINER_INHERIT ");
141         if (flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT)
142                 printf("SEC_ACE_FLAG_NO_PROPAGATE_INHERIT ");
143         if (flags & SEC_ACE_FLAG_INHERIT_ONLY)
144                 printf("SEC_ACE_FLAG_INHERIT_ONLY ");
145         if (flags & SEC_ACE_FLAG_INHERITED_ACE)
146                 printf("SEC_ACE_FLAG_INHERITED_ACE ");
147 /*      if (flags & SEC_ACE_FLAG_VALID_INHERIT)
148                 printf("SEC_ACE_FLAG_VALID_INHERIT "); */
149         if (flags & SEC_ACE_FLAG_SUCCESSFUL_ACCESS)
150                 printf("SEC_ACE_FLAG_SUCCESSFUL_ACCESS ");
151         if (flags & SEC_ACE_FLAG_FAILED_ACCESS)
152                 printf("SEC_ACE_FLAG_FAILED_ACCESS ");
153
154         printf("\n");
155 }
156
157 /****************************************************************************
158  display sec_ace object
159  ****************************************************************************/
160 static void disp_sec_ace_object(struct security_ace_object *object)
161 {
162         if (object->flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
163                 printf("Object type: SEC_ACE_OBJECT_TYPE_PRESENT\n");
164                 printf("Object GUID: %s\n", GUID_string(talloc_tos(),
165                         &object->type.type));
166         }
167         if (object->flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
168                 printf("Object type: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT\n");
169                 printf("Object GUID: %s\n", GUID_string(talloc_tos(), 
170                         &object->inherited_type.inherited_type));
171         }
172 }
173
174 /****************************************************************************
175  display sec_ace structure
176  ****************************************************************************/
177 void display_sec_ace(struct security_ace *ace)
178 {
179         char *sid_str;
180
181         printf("\tACE\n\t\ttype: ");
182         switch (ace->type) {
183                 case SEC_ACE_TYPE_ACCESS_ALLOWED:
184                         printf("ACCESS ALLOWED");
185                         break;
186                 case SEC_ACE_TYPE_ACCESS_DENIED:
187                         printf("ACCESS DENIED");
188                         break;
189                 case SEC_ACE_TYPE_SYSTEM_AUDIT:
190                         printf("SYSTEM AUDIT");
191                         break;
192                 case SEC_ACE_TYPE_SYSTEM_ALARM:
193                         printf("SYSTEM ALARM");
194                         break;
195                 case SEC_ACE_TYPE_ALLOWED_COMPOUND:
196                         printf("SEC_ACE_TYPE_ALLOWED_COMPOUND");
197                         break;
198                 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
199                         printf("SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT");
200                         break;
201                 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
202                         printf("SEC_ACE_TYPE_ACCESS_DENIED_OBJECT");
203                         break;
204                 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
205                         printf("SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT");
206                         break;
207                 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
208                         printf("SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT");
209                         break;
210                 default:
211                         printf("????");
212                         break;
213         }
214
215         printf(" (%d) flags: 0x%02x ", ace->type, ace->flags);
216         display_sec_ace_flags(ace->flags);
217         display_sec_access(&ace->access_mask);
218         sid_str = dom_sid_string(NULL, &ace->trustee);
219         printf("\t\tSID: %s\n\n", sid_str);
220         talloc_free(sid_str);
221
222         if (sec_ace_object(ace->type)) {
223                 disp_sec_ace_object(&ace->object.object);
224         }
225
226 }
227
228 /****************************************************************************
229  display sec_acl structure
230  ****************************************************************************/
231 void display_sec_acl(struct security_acl *sec_acl)
232 {
233         int i;
234
235         printf("\tACL\tNum ACEs:\t%d\trevision:\t%x\n",
236                          sec_acl->num_aces, sec_acl->revision); 
237         printf("\t---\n");
238
239         if (sec_acl->size != 0 && sec_acl->num_aces != 0) {
240                 for (i = 0; i < sec_acl->num_aces; i++) {
241                         display_sec_ace(&sec_acl->aces[i]);
242                 }
243         }
244 }
245
246 void display_acl_type(uint16_t type)
247 {
248         printf("type: 0x%04x: ", type);
249
250         if (type & SEC_DESC_OWNER_DEFAULTED)    /* 0x0001 */
251                 printf("SEC_DESC_OWNER_DEFAULTED ");
252         if (type & SEC_DESC_GROUP_DEFAULTED)    /* 0x0002 */
253                 printf("SEC_DESC_GROUP_DEFAULTED ");
254         if (type & SEC_DESC_DACL_PRESENT)       /* 0x0004 */
255                 printf("SEC_DESC_DACL_PRESENT ");
256         if (type & SEC_DESC_DACL_DEFAULTED)     /* 0x0008 */
257                 printf("SEC_DESC_DACL_DEFAULTED ");
258         if (type & SEC_DESC_SACL_PRESENT)       /* 0x0010 */
259                 printf("SEC_DESC_SACL_PRESENT ");
260         if (type & SEC_DESC_SACL_DEFAULTED)     /* 0x0020 */
261                 printf("SEC_DESC_SACL_DEFAULTED ");
262         if (type & SEC_DESC_DACL_TRUSTED)       /* 0x0040 */
263                 printf("SEC_DESC_DACL_TRUSTED ");
264         if (type & SEC_DESC_SERVER_SECURITY)    /* 0x0080 */
265                 printf("SEC_DESC_SERVER_SECURITY ");
266         if (type & SEC_DESC_DACL_AUTO_INHERIT_REQ) /* 0x0100 */
267                 printf("SEC_DESC_DACL_AUTO_INHERIT_REQ ");
268         if (type & SEC_DESC_SACL_AUTO_INHERIT_REQ) /* 0x0200 */
269                 printf("SEC_DESC_SACL_AUTO_INHERIT_REQ ");
270         if (type & SEC_DESC_DACL_AUTO_INHERITED) /* 0x0400 */
271                 printf("SEC_DESC_DACL_AUTO_INHERITED ");
272         if (type & SEC_DESC_SACL_AUTO_INHERITED) /* 0x0800 */
273                 printf("SEC_DESC_SACL_AUTO_INHERITED ");
274         if (type & SEC_DESC_DACL_PROTECTED)     /* 0x1000 */
275                 printf("SEC_DESC_DACL_PROTECTED ");
276         if (type & SEC_DESC_SACL_PROTECTED)     /* 0x2000 */
277                 printf("SEC_DESC_SACL_PROTECTED ");
278         if (type & SEC_DESC_RM_CONTROL_VALID)   /* 0x4000 */
279                 printf("SEC_DESC_RM_CONTROL_VALID ");
280         if (type & SEC_DESC_SELF_RELATIVE)      /* 0x8000 */
281                 printf("SEC_DESC_SELF_RELATIVE ");
282         
283         printf("\n");
284 }
285
286 /****************************************************************************
287  display sec_desc structure
288  ****************************************************************************/
289 void display_sec_desc(struct security_descriptor *sec)
290 {
291         char *sid_str;
292
293         if (!sec) {
294                 printf("NULL\n");
295                 return;
296         }
297
298         printf("revision: %d\n", sec->revision);
299         display_acl_type(sec->type);
300
301         if (sec->sacl) {
302                 printf("SACL\n");
303                 display_sec_acl(sec->sacl);
304         }
305
306         if (sec->dacl) {
307                 printf("DACL\n");
308                 display_sec_acl(sec->dacl);
309         }
310
311         if (sec->owner_sid) {
312                 sid_str = dom_sid_string(NULL, sec->owner_sid);
313                 printf("\tOwner SID:\t%s\n", sid_str);
314                 talloc_free(sid_str);
315         }
316
317         if (sec->group_sid) {
318                 sid_str = dom_sid_string(NULL, sec->group_sid);
319                 printf("\tGroup SID:\t%s\n", sid_str);
320                 talloc_free(sid_str);
321         }
322 }