source3/libads/disp_sec.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Samba utility functions. ADS stuff
   4    Copyright (C) Alexey Kotovich 2002
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 3 of the License, or
   9    (at your option) any later version.
  10
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15
  16    You should have received a copy of the GNU General Public License
  17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19
  20 #include "includes.h"
  21 #include "ads.h"
  22 #include "libads/ldap_schema.h"
  23
  24 /* for ADS */
  25 #define SEC_RIGHTS_FULL_CTRL            0xf01ff
  26
  27 #ifdef HAVE_LDAP
  28
  29 static struct perm_mask_str {
  30         uint32  mask;
  31         const char   *str;
  32 } perms[] = {
  33         {SEC_RIGHTS_FULL_CTRL,          "[Full Control]"},
  34
  35         {SEC_ADS_LIST,                  "[List Contents]"},
  36         {SEC_ADS_LIST_OBJECT,           "[List Object]"},
  37
  38         {SEC_ADS_READ_PROP,             "[Read All Properties]"},
  39         {SEC_STD_READ_CONTROL,          "[Read Permissions]"},
  40
  41         {SEC_ADS_SELF_WRITE,            "[All validate writes]"},
  42         {SEC_ADS_WRITE_PROP,            "[Write All Properties]"},
  43
  44         {SEC_STD_WRITE_DAC,             "[Modify Permissions]"},
  45         {SEC_STD_WRITE_OWNER,           "[Modify Owner]"},
  46
  47         {SEC_ADS_CREATE_CHILD,          "[Create All Child Objects]"},
  48
  49         {SEC_STD_DELETE,                "[Delete]"},
  50         {SEC_ADS_DELETE_TREE,           "[Delete Subtree]"},
  51         {SEC_ADS_DELETE_CHILD,          "[Delete All Child Objects]"},
  52
  53         {SEC_ADS_CONTROL_ACCESS,        "[Change Password]"},
  54         {SEC_ADS_CONTROL_ACCESS,        "[Reset Password]"},
  55
  56         {0,                             0}
  57 };
  58
  59 /* convert a security permissions into a string */
  60 static void ads_disp_perms(uint32 type)
  61 {
  62         int i = 0;
  63         int j = 0;
  64
  65         printf("Permissions: ");
  66
  67         if (type == SEC_RIGHTS_FULL_CTRL) {
  68                 printf("%s\n", perms[j].str);
  69                 return;
  70         }
  71
  72         for (i = 0; i < 32; i++) {
  73                 if (type & (1 << i)) {
  74                         for (j = 1; perms[j].str; j ++) {
  75                                 if (perms[j].mask == (((unsigned) 1) << i)) {
  76                                         printf("\n\t%s (0x%08x)", perms[j].str, perms[j].mask);
  77                                 }
  78                         }
  79                         type &= ~(1 << i);
  80                 }
  81         }
  82
  83         /* remaining bits get added on as-is */
  84         if (type != 0) {
  85                 printf("[%08x]", type);
  86         }
  87         puts("");
  88 }
  89
  90 static const char *ads_interprete_guid_from_object(ADS_STRUCT *ads,
  91                                                    TALLOC_CTX *mem_ctx,
  92                                                    const struct GUID *guid)
  93 {
  94         const char *ret = NULL;
  95
  96         if (!ads || !mem_ctx) {
  97                 return NULL;
  98         }
  99
 100         ret = ads_get_attrname_by_guid(ads, ads->config.schema_path,
 101                                        mem_ctx, guid);
 102         if (ret) {
 103                 return talloc_asprintf(mem_ctx, "LDAP attribute: \"%s\"", ret);
 104         }
 105
 106         ret = ads_get_extended_right_name_by_guid(ads, ads->config.config_path,
 107                                                   mem_ctx, guid);
 108
 109         if (ret) {
 110                 return talloc_asprintf(mem_ctx, "Extended right: \"%s\"", ret);
 111         }
 112
 113         return ret;
 114 }
 115
 116 static void ads_disp_sec_ace_object(ADS_STRUCT *ads,
 117                                     TALLOC_CTX *mem_ctx,
 118                                     struct security_ace_object *object)
 119 {
 120         if (object->flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
 121                 printf("Object type: SEC_ACE_OBJECT_TYPE_PRESENT\n");
 122                 printf("Object GUID: %s (%s)\n", GUID_string(mem_ctx,
 123                         &object->type.type),
 124                         ads_interprete_guid_from_object(ads, mem_ctx,
 125                                 &object->type.type));
 126         }
 127         if (object->flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
 128                 printf("Object type: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT\n");
 129                 printf("Object GUID: %s (%s)\n", GUID_string(mem_ctx,
 130                         &object->inherited_type.inherited_type),
 131                         ads_interprete_guid_from_object(ads, mem_ctx,
 132                                 &object->inherited_type.inherited_type));
 133         }
 134 }
 135
 136 /* display ACE */
 137 static void ads_disp_ace(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_ace *sec_ace)
 138 {
 139         const char *access_type = "UNKNOWN";
 140
 141         if (!sec_ace_object(sec_ace->type)) {
 142                 printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x)\n",
 143                   sec_ace->type,
 144                   sec_ace->flags,
 145                   sec_ace->size,
 146                   sec_ace->access_mask);
 147         } else {
 148                 printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x, object flags: 0x%x)\n",
 149                   sec_ace->type,
 150                   sec_ace->flags,
 151                   sec_ace->size,
 152                   sec_ace->access_mask,
 153                   sec_ace->object.object.flags);
 154         }
 155
 156         if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) {
 157                 access_type = "ALLOWED";
 158         } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED) {
 159                 access_type = "DENIED";
 160         } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT) {
 161                 access_type = "SYSTEM AUDIT";
 162         } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
 163                 access_type = "ALLOWED OBJECT";
 164         } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) {
 165                 access_type = "DENIED OBJECT";
 166         } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT) {
 167                 access_type = "AUDIT OBJECT";
 168         }
 169
 170         printf("access SID:  %s\naccess type: %s\n",
 171                sid_string_talloc(mem_ctx, &sec_ace->trustee), access_type);
 172
 173         if (sec_ace_object(sec_ace->type)) {
 174                 ads_disp_sec_ace_object(ads, mem_ctx, &sec_ace->object.object);
 175         }
 176
 177         ads_disp_perms(sec_ace->access_mask);
 178 }
 179
 180 /* display ACL */
 181 static void ads_disp_acl(struct security_acl *sec_acl, const char *type)
 182 {
 183         if (!sec_acl)
 184                 printf("------- (%s) ACL not present\n", type);
 185         else {
 186                 printf("------- (%s) ACL (revision: %d, size: %d, number of ACEs: %d)\n",
 187                        type,
 188                        sec_acl->revision,
 189                        sec_acl->size,
 190                        sec_acl->num_aces);
 191         }
 192 }
 193
 194 /* display SD */
 195 void ads_disp_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_descriptor *sd)
 196 {
 197         int i;
 198         char *tmp_path = NULL;
 199
 200         if (!sd) {
 201                 return;
 202         }
 203
 204         if (ads && !ads->config.schema_path) {
 205                 if (ADS_ERR_OK(ads_schema_path(ads, mem_ctx, &tmp_path))) {
 206                         ads->config.schema_path = SMB_STRDUP(tmp_path);
 207                 }
 208         }
 209
 210         if (ads && !ads->config.config_path) {
 211                 if (ADS_ERR_OK(ads_config_path(ads, mem_ctx, &tmp_path))) {
 212                         ads->config.config_path = SMB_STRDUP(tmp_path);
 213                 }
 214         }
 215
 216         printf("-------------- Security Descriptor (revision: %d, type: 0x%02x)\n",
 217                sd->revision,
 218                sd->type);
 219
 220         printf("owner SID: %s\n", sd->owner_sid ?
 221                 sid_string_talloc(mem_ctx, sd->owner_sid) : "(null)");
 222         printf("group SID: %s\n", sd->group_sid ?
 223                 sid_string_talloc(mem_ctx, sd->group_sid) : "(null)");
 224
 225         ads_disp_acl(sd->sacl, "system");
 226         if (sd->sacl) {
 227                 for (i = 0; i < sd->sacl->num_aces; i ++) {
 228                         ads_disp_ace(ads, mem_ctx, &sd->sacl->aces[i]);
 229                 }
 230         }
 231
 232         ads_disp_acl(sd->dacl, "user");
 233         if (sd->dacl) {
 234                 for (i = 0; i < sd->dacl->num_aces; i ++) {
 235                         ads_disp_ace(ads, mem_ctx, &sd->dacl->aces[i]);
 236                 }
 237         }
 238
 239         printf("-------------- End Of Security Descriptor\n");
 240 }
 241
 242 #endif