2 Unix SMB/CIFS implementation.
3 Samba utility functions. ADS stuff
4 Copyright (C) Alexey Kotovich 2002
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "libads/ldap_schema.h"
23 #include "../libcli/security/secace.h"
24 #include "../librpc/ndr/libndr.h"
27 #define SEC_RIGHTS_FULL_CTRL 0xf01ff
31 static struct perm_mask_str
{
35 {SEC_RIGHTS_FULL_CTRL
, "[Full Control]"},
37 {SEC_ADS_LIST
, "[List Contents]"},
38 {SEC_ADS_LIST_OBJECT
, "[List Object]"},
40 {SEC_ADS_READ_PROP
, "[Read All Properties]"},
41 {SEC_STD_READ_CONTROL
, "[Read Permissions]"},
43 {SEC_ADS_SELF_WRITE
, "[All validate writes]"},
44 {SEC_ADS_WRITE_PROP
, "[Write All Properties]"},
46 {SEC_STD_WRITE_DAC
, "[Modify Permissions]"},
47 {SEC_STD_WRITE_OWNER
, "[Modify Owner]"},
49 {SEC_ADS_CREATE_CHILD
, "[Create All Child Objects]"},
51 {SEC_STD_DELETE
, "[Delete]"},
52 {SEC_ADS_DELETE_TREE
, "[Delete Subtree]"},
53 {SEC_ADS_DELETE_CHILD
, "[Delete All Child Objects]"},
55 {SEC_ADS_CONTROL_ACCESS
, "[Change Password]"},
56 {SEC_ADS_CONTROL_ACCESS
, "[Reset Password]"},
61 /* convert a security permissions into a string */
62 static void ads_disp_perms(uint32_t type
)
67 printf("Permissions: ");
69 if (type
== SEC_RIGHTS_FULL_CTRL
) {
70 printf("%s\n", perms
[j
].str
);
74 for (i
= 0; i
< 32; i
++) {
75 if (type
& (1 << i
)) {
76 for (j
= 1; perms
[j
].str
; j
++) {
77 if (perms
[j
].mask
== (((unsigned) 1) << i
)) {
78 printf("\n\t%s (0x%08x)", perms
[j
].str
, perms
[j
].mask
);
85 /* remaining bits get added on as-is */
87 printf("[%08x]", type
);
92 static const char *ads_interprete_guid_from_object(ADS_STRUCT
*ads
,
94 const struct GUID
*guid
)
96 const char *ret
= NULL
;
98 if (!ads
|| !mem_ctx
) {
102 ret
= ads_get_attrname_by_guid(ads
, ads
->config
.schema_path
,
105 return talloc_asprintf(mem_ctx
, "LDAP attribute: \"%s\"", ret
);
108 ret
= ads_get_extended_right_name_by_guid(ads
, ads
->config
.config_path
,
112 return talloc_asprintf(mem_ctx
, "Extended right: \"%s\"", ret
);
118 static void ads_disp_sec_ace_object(ADS_STRUCT
*ads
,
120 struct security_ace_object
*object
)
122 if (object
->flags
& SEC_ACE_OBJECT_TYPE_PRESENT
) {
123 printf("Object type: SEC_ACE_OBJECT_TYPE_PRESENT\n");
124 printf("Object GUID: %s (%s)\n", GUID_string(mem_ctx
,
126 ads_interprete_guid_from_object(ads
, mem_ctx
,
127 &object
->type
.type
));
129 if (object
->flags
& SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
) {
130 printf("Object type: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT\n");
131 printf("Object GUID: %s (%s)\n", GUID_string(mem_ctx
,
132 &object
->inherited_type
.inherited_type
),
133 ads_interprete_guid_from_object(ads
, mem_ctx
,
134 &object
->inherited_type
.inherited_type
));
139 static void ads_disp_ace(ADS_STRUCT
*ads
, TALLOC_CTX
*mem_ctx
, struct security_ace
*sec_ace
)
141 const char *access_type
= "UNKNOWN";
143 if (!sec_ace_object(sec_ace
->type
)) {
144 printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x)\n",
148 sec_ace
->access_mask
);
150 printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x, object flags: 0x%x)\n",
154 sec_ace
->access_mask
,
155 sec_ace
->object
.object
.flags
);
158 if (sec_ace
->type
== SEC_ACE_TYPE_ACCESS_ALLOWED
) {
159 access_type
= "ALLOWED";
160 } else if (sec_ace
->type
== SEC_ACE_TYPE_ACCESS_DENIED
) {
161 access_type
= "DENIED";
162 } else if (sec_ace
->type
== SEC_ACE_TYPE_SYSTEM_AUDIT
) {
163 access_type
= "SYSTEM AUDIT";
164 } else if (sec_ace
->type
== SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
) {
165 access_type
= "ALLOWED OBJECT";
166 } else if (sec_ace
->type
== SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
) {
167 access_type
= "DENIED OBJECT";
168 } else if (sec_ace
->type
== SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT
) {
169 access_type
= "AUDIT OBJECT";
172 printf("access SID: %s\naccess type: %s\n",
173 sid_string_talloc(mem_ctx
, &sec_ace
->trustee
), access_type
);
175 if (sec_ace_object(sec_ace
->type
)) {
176 ads_disp_sec_ace_object(ads
, mem_ctx
, &sec_ace
->object
.object
);
179 ads_disp_perms(sec_ace
->access_mask
);
183 static void ads_disp_acl(struct security_acl
*sec_acl
, const char *type
)
186 printf("------- (%s) ACL not present\n", type
);
188 printf("------- (%s) ACL (revision: %d, size: %d, number of ACEs: %d)\n",
197 void ads_disp_sd(ADS_STRUCT
*ads
, TALLOC_CTX
*mem_ctx
, struct security_descriptor
*sd
)
200 char *tmp_path
= NULL
;
206 if (ads
&& !ads
->config
.schema_path
) {
207 if (ADS_ERR_OK(ads_schema_path(ads
, mem_ctx
, &tmp_path
))) {
208 ads
->config
.schema_path
= SMB_STRDUP(tmp_path
);
212 if (ads
&& !ads
->config
.config_path
) {
213 if (ADS_ERR_OK(ads_config_path(ads
, mem_ctx
, &tmp_path
))) {
214 ads
->config
.config_path
= SMB_STRDUP(tmp_path
);
218 printf("-------------- Security Descriptor (revision: %d, type: 0x%02x)\n",
222 printf("owner SID: %s\n", sd
->owner_sid
?
223 sid_string_talloc(mem_ctx
, sd
->owner_sid
) : "(null)");
224 printf("group SID: %s\n", sd
->group_sid
?
225 sid_string_talloc(mem_ctx
, sd
->group_sid
) : "(null)");
227 ads_disp_acl(sd
->sacl
, "system");
229 for (i
= 0; i
< sd
->sacl
->num_aces
; i
++) {
230 ads_disp_ace(ads
, mem_ctx
, &sd
->sacl
->aces
[i
]);
234 ads_disp_acl(sd
->dacl
, "user");
236 for (i
= 0; i
< sd
->dacl
->num_aces
; i
++) {
237 ads_disp_ace(ads
, mem_ctx
, &sd
->dacl
->aces
[i
]);
241 printf("-------------- End Of Security Descriptor\n");