testsuite/smbd/se_access_check_printer.c

   1 /*
   2    Unix SMB/Netbios implementation.
   3    Version 1.9.
   4    Security context tests
   5    Copyright (C) Tim Potter 2000
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License as published by
   9    the Free Software Foundation; either version 3 of the License, or
  10    (at your option) any later version.
  11
  12    This program is distributed in the hope that it will be useful,
  13    but WITHOUT ANY WARRANTY; without even the implied warranty of
  14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15    GNU General Public License for more details.
  16
  17    You should have received a copy of the GNU General Public License
  18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19 */
  20
  21 #include "includes.h"
  22 #include "se_access_check_utils.h"
  23
  24 /* Globals */
  25
  26 BOOL failed;
  27 SEC_DESC *sd;
  28
  29 struct ace_entry acl_printer[] = {
  30
  31         /* Everyone is allowed to print */
  32
  33         { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
  34           PRINTER_ACE_PRINT, "S-1-1-0" },
  35
  36         /* Except for user0 who uses too much paper */
  37
  38         { SEC_ACE_TYPE_ACCESS_DENIED, SEC_ACE_FLAG_CONTAINER_INHERIT,
  39           PRINTER_ACE_FULL_CONTROL, "user0" },
  40
  41         /* Users 1 and 2 can manage documents */
  42
  43         { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
  44           PRINTER_ACE_MANAGE_DOCUMENTS, "user1" },
  45
  46         { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
  47           PRINTER_ACE_MANAGE_DOCUMENTS, "user2" },
  48
  49         /* Domain Admins can also manage documents */
  50
  51         { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
  52           PRINTER_ACE_MANAGE_DOCUMENTS, "Domain Admins" },
  53
  54         /* User 3 is da man */
  55
  56         { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
  57           PRINTER_ACE_FULL_CONTROL, "user3" },
  58
  59         { 0, 0, 0, NULL}
  60 };
  61
  62 BOOL test_user(char *username, uint32 acc_desired, uint32 *acc_granted)
  63 {
  64         struct passwd *pw;
  65         uint32 status;
  66
  67         if (!(pw = getpwnam(username))) {
  68                 printf("FAIL: could not lookup user info for %s\n",
  69                        username);
  70                 exit(1);
  71         }
  72
  73         return se_access_check(sd, pw->pw_uid, pw->pw_gid, 0, NULL,
  74                                acc_desired, acc_granted, &status);
  75 }
  76
  77 static char *pace_str(uint32 ace_flags)
  78 {
  79         if ((ace_flags & PRINTER_ACE_FULL_CONTROL) ==
  80             PRINTER_ACE_FULL_CONTROL) return "full control";
  81
  82         if ((ace_flags & PRINTER_ACE_MANAGE_DOCUMENTS) ==
  83             PRINTER_ACE_MANAGE_DOCUMENTS) return "manage documents";
  84
  85         if ((ace_flags & PRINTER_ACE_PRINT) == PRINTER_ACE_PRINT)
  86                 return "print";
  87
  88         return "UNKNOWN";
  89 }
  90
  91 uint32 perms[] = {
  92         PRINTER_ACE_PRINT,
  93         PRINTER_ACE_FULL_CONTROL,
  94         PRINTER_ACE_MANAGE_DOCUMENTS,
  95         0
  96 };
  97
  98 void runtest(void)
  99 {
 100         uint32 acc_granted;
 101         BOOL result;
 102         int i, j;
 103
 104         for (i = 0; perms[i]; i++) {
 105
 106                 /* Test 10 users */
 107
 108                 for (j = 0; j < 10; j++) {
 109                         fstring name;
 110
 111                         /* Test user against ACL */
 112
 113                         snprintf(name, sizeof(fstring), "%s/user%d",
 114                                  getenv("TEST_WORKGROUP"), j);
 115
 116                         result = test_user(name, perms[i], &acc_granted);
 117
 118                         printf("%s: %s %s 0x%08x\n", name,
 119                                pace_str(perms[i]),
 120                                result ? "TRUE " : "FALSE", acc_granted);
 121
 122                         /* Check results */
 123
 124                         switch (perms[i]) {
 125
 126                         case PRINTER_ACE_PRINT: {
 127                                 if (!result || acc_granted !=
 128                                     PRINTER_ACE_PRINT) {
 129                                         printf("FAIL: user %s can't print\n",
 130                                                name);
 131                                         failed = True;
 132                                 }
 133                                 break;
 134                         }
 135
 136                         case PRINTER_ACE_FULL_CONTROL: {
 137                                 if (j == 3) {
 138                                         if (!result || acc_granted !=
 139                                             PRINTER_ACE_FULL_CONTROL) {
 140                                                 printf("FAIL: user %s doesn't "
 141                                                        "have full control\n",
 142                                                        name);
 143                                                 failed = True;
 144                                         }
 145                                 } else {
 146                                         if (result || acc_granted != 0) {
 147                                                 printf("FAIL: user %s has full "
 148                                                        "control\n", name);
 149                                                 failed = True;
 150                                         }
 151                                 }
 152                                 break;
 153                         }
 154                         case PRINTER_ACE_MANAGE_DOCUMENTS: {
 155                                 if (j == 1 || j == 2) {
 156                                         if (!result || acc_granted !=
 157                                             PRINTER_ACE_MANAGE_DOCUMENTS) {
 158                                                 printf("FAIL: user %s can't "
 159                                                        "manage documents\n",
 160                                                        name);
 161                                                 failed = True;
 162                                         }
 163                                 } else {
 164                                         if (result || acc_granted != 0) {
 165                                                 printf("FAIL: user %s can "
 166                                                        "manage documents\n",
 167                                                        name);
 168                                                 failed = True;
 169                                         }
 170                                 }
 171                                 break;
 172                         }
 173
 174                         default:
 175                                 printf("FAIL: internal error\n");
 176                                 exit(1);
 177                         }
 178                 }
 179         }
 180 }
 181
 182 /* Main function */
 183
 184 int main(int argc, char **argv)
 185 {
 186         /* Initialisation */
 187
 188         generate_wellknown_sids();
 189
 190         /* Create security descriptor */
 191
 192         sd = build_sec_desc(acl_printer, NULL, NULL_SID, NULL_SID);
 193
 194         if (!sd) {
 195                 printf("FAIL: could not build security descriptor\n");
 196                 return 1;
 197         }
 198
 199         /* Run test */
 200
 201         runtest();
 202
 203         /* Return */
 204
 205         if (!failed) {
 206                 printf("PASS\n");
 207                 return 0;
 208         }
 209
 210         return 1;
 211 }