source3/libads/disp_sec.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Samba utility functions. ADS stuff
   4    Copyright (C) Alexey Kotovich 2002
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 3 of the License, or
   9    (at your option) any later version.
  10
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15
  16    You should have received a copy of the GNU General Public License
  17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19
  20 #include "includes.h"
  21 #include "libads/ldap_schema.h"
  22
  23 /* for ADS */
  24 #define SEC_RIGHTS_FULL_CTRL            0xf01ff
  25
  26 #ifdef HAVE_LDAP
  27
  28 static struct perm_mask_str {
  29         uint32  mask;
  30         const char   *str;
  31 } perms[] = {
  32         {SEC_RIGHTS_FULL_CTRL,          "[Full Control]"},
  33
  34         {SEC_ADS_LIST,                  "[List Contents]"},
  35         {SEC_ADS_LIST_OBJECT,           "[List Object]"},
  36
  37         {SEC_ADS_READ_PROP,             "[Read All Properties]"},
  38         {SEC_STD_READ_CONTROL,          "[Read Permissions]"},
  39
  40         {SEC_ADS_SELF_WRITE,            "[All validate writes]"},
  41         {SEC_ADS_WRITE_PROP,            "[Write All Properties]"},
  42
  43         {SEC_STD_WRITE_DAC,             "[Modify Permissions]"},
  44         {SEC_STD_WRITE_OWNER,           "[Modify Owner]"},
  45
  46         {SEC_ADS_CREATE_CHILD,          "[Create All Child Objects]"},
  47
  48         {SEC_STD_DELETE,                "[Delete]"},
  49         {SEC_ADS_DELETE_TREE,           "[Delete Subtree]"},
  50         {SEC_ADS_DELETE_CHILD,          "[Delete All Child Objects]"},
  51
  52         {SEC_ADS_CONTROL_ACCESS,        "[Change Password]"},
  53         {SEC_ADS_CONTROL_ACCESS,        "[Reset Password]"},
  54
  55         {0,                             0}
  56 };
  57
  58 /* convert a security permissions into a string */
  59 static void ads_disp_perms(uint32 type)
  60 {
  61         int i = 0;
  62         int j = 0;
  63
  64         printf("Permissions: ");
  65
  66         if (type == SEC_RIGHTS_FULL_CTRL) {
  67                 printf("%s\n", perms[j].str);
  68                 return;
  69         }
  70
  71         for (i = 0; i < 32; i++) {
  72                 if (type & (1 << i)) {
  73                         for (j = 1; perms[j].str; j ++) {
  74                                 if (perms[j].mask == (((unsigned) 1) << i)) {
  75                                         printf("\n\t%s (0x%08x)", perms[j].str, perms[j].mask);
  76                                 }
  77                         }
  78                         type &= ~(1 << i);
  79                 }
  80         }
  81
  82         /* remaining bits get added on as-is */
  83         if (type != 0) {
  84                 printf("[%08x]", type);
  85         }
  86         puts("");
  87 }
  88
  89 static const char *ads_interprete_guid_from_object(ADS_STRUCT *ads,
  90                                                    TALLOC_CTX *mem_ctx,
  91                                                    const struct GUID *guid)
  92 {
  93         const char *ret = NULL;
  94
  95         if (!ads || !mem_ctx) {
  96                 return NULL;
  97         }
  98
  99         ret = ads_get_attrname_by_guid(ads, ads->config.schema_path,
 100                                        mem_ctx, guid);
 101         if (ret) {
 102                 return talloc_asprintf(mem_ctx, "LDAP attribute: \"%s\"", ret);
 103         }
 104
 105         ret = ads_get_extended_right_name_by_guid(ads, ads->config.config_path,
 106                                                   mem_ctx, guid);
 107
 108         if (ret) {
 109                 return talloc_asprintf(mem_ctx, "Extended right: \"%s\"", ret);
 110         }
 111
 112         return ret;
 113 }
 114
 115 static void ads_disp_sec_ace_object(ADS_STRUCT *ads,
 116                                     TALLOC_CTX *mem_ctx,
 117                                     struct security_ace_object *object)
 118 {
 119         if (object->flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
 120                 printf("Object type: SEC_ACE_OBJECT_TYPE_PRESENT\n");
 121                 printf("Object GUID: %s (%s)\n", GUID_string(mem_ctx,
 122                         &object->type.type),
 123                         ads_interprete_guid_from_object(ads, mem_ctx,
 124                                 &object->type.type));
 125         }
 126         if (object->flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
 127                 printf("Object type: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT\n");
 128                 printf("Object GUID: %s (%s)\n", GUID_string(mem_ctx,
 129                         &object->inherited_type.inherited_type),
 130                         ads_interprete_guid_from_object(ads, mem_ctx,
 131                                 &object->inherited_type.inherited_type));
 132         }
 133 }
 134
 135 /* display ACE */
 136 static void ads_disp_ace(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_ace *sec_ace)
 137 {
 138         const char *access_type = "UNKNOWN";
 139
 140         if (!sec_ace_object(sec_ace->type)) {
 141                 printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x)\n",
 142                   sec_ace->type,
 143                   sec_ace->flags,
 144                   sec_ace->size,
 145                   sec_ace->access_mask);
 146         } else {
 147                 printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x, object flags: 0x%x)\n",
 148                   sec_ace->type,
 149                   sec_ace->flags,
 150                   sec_ace->size,
 151                   sec_ace->access_mask,
 152                   sec_ace->object.object.flags);
 153         }
 154
 155         if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) {
 156                 access_type = "ALLOWED";
 157         } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED) {
 158                 access_type = "DENIED";
 159         } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT) {
 160                 access_type = "SYSTEM AUDIT";
 161         } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
 162                 access_type = "ALLOWED OBJECT";
 163         } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) {
 164                 access_type = "DENIED OBJECT";
 165         } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT) {
 166                 access_type = "AUDIT OBJECT";
 167         }
 168
 169         printf("access SID:  %s\naccess type: %s\n",
 170                sid_string_talloc(mem_ctx, &sec_ace->trustee), access_type);
 171
 172         if (sec_ace_object(sec_ace->type)) {
 173                 ads_disp_sec_ace_object(ads, mem_ctx, &sec_ace->object.object);
 174         }
 175
 176         ads_disp_perms(sec_ace->access_mask);
 177 }
 178
 179 /* display ACL */
 180 static void ads_disp_acl(struct security_acl *sec_acl, const char *type)
 181 {
 182         if (!sec_acl)
 183                 printf("------- (%s) ACL not present\n", type);
 184         else {
 185                 printf("------- (%s) ACL (revision: %d, size: %d, number of ACEs: %d)\n",
 186                        type,
 187                        sec_acl->revision,
 188                        sec_acl->size,
 189                        sec_acl->num_aces);
 190         }
 191 }
 192
 193 /* display SD */
 194 void ads_disp_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_descriptor *sd)
 195 {
 196         int i;
 197         char *tmp_path = NULL;
 198
 199         if (!sd) {
 200                 return;
 201         }
 202
 203         if (ads && !ads->config.schema_path) {
 204                 if (ADS_ERR_OK(ads_schema_path(ads, mem_ctx, &tmp_path))) {
 205                         ads->config.schema_path = SMB_STRDUP(tmp_path);
 206                 }
 207         }
 208
 209         if (ads && !ads->config.config_path) {
 210                 if (ADS_ERR_OK(ads_config_path(ads, mem_ctx, &tmp_path))) {
 211                         ads->config.config_path = SMB_STRDUP(tmp_path);
 212                 }
 213         }
 214
 215         printf("-------------- Security Descriptor (revision: %d, type: 0x%02x)\n",
 216                sd->revision,
 217                sd->type);
 218
 219         printf("owner SID: %s\n", sd->owner_sid ?
 220                 sid_string_talloc(mem_ctx, sd->owner_sid) : "(null)");
 221         printf("group SID: %s\n", sd->group_sid ?
 222                 sid_string_talloc(mem_ctx, sd->group_sid) : "(null)");
 223
 224         ads_disp_acl(sd->sacl, "system");
 225         if (sd->sacl) {
 226                 for (i = 0; i < sd->sacl->num_aces; i ++) {
 227                         ads_disp_ace(ads, mem_ctx, &sd->sacl->aces[i]);
 228                 }
 229         }
 230
 231         ads_disp_acl(sd->dacl, "user");
 232         if (sd->dacl) {
 233                 for (i = 0; i < sd->dacl->num_aces; i ++) {
 234                         ads_disp_ace(ads, mem_ctx, &sd->dacl->aces[i]);
 235                 }
 236         }
 237
 238         printf("-------------- End Of Security Descriptor\n");
 239 }
 240
 241 #endif