source/libads/disp_sec.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Samba utility functions. ADS stuff
   4    Copyright (C) Alexey Kotovich 2002
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 3 of the License, or
   9    (at your option) any later version.
  10
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15
  16    You should have received a copy of the GNU General Public License
  17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19
  20 #include "includes.h"
  21
  22 #ifdef HAVE_LDAP
  23
  24 static struct perm_mask_str {
  25         uint32  mask;
  26         const char   *str;
  27 } perms[] = {
  28         {SEC_RIGHTS_FULL_CTRL,          "[Full Control]"},
  29
  30         {SEC_RIGHTS_LIST_CONTENTS,      "[List Contents]"},
  31         {SEC_RIGHTS_LIST_OBJECT,        "[List Object]"},
  32
  33         {SEC_RIGHTS_READ_ALL_PROP,      "[Read All Properties]"},
  34         {SEC_RIGHTS_READ_PERMS,         "[Read Permissions]"},
  35
  36         {SEC_RIGHTS_WRITE_ALL_VALID,    "[All validate writes]"},
  37         {SEC_RIGHTS_WRITE_ALL_PROP,     "[Write All Properties]"},
  38
  39         {SEC_RIGHTS_MODIFY_PERMS,       "[Modify Permissions]"},
  40         {SEC_RIGHTS_MODIFY_OWNER,       "[Modify Owner]"},
  41
  42         {SEC_RIGHTS_CREATE_CHILD,       "[Create All Child Objects]"},
  43
  44         {SEC_RIGHTS_DELETE,             "[Delete]"},
  45         {SEC_RIGHTS_DELETE_SUBTREE,     "[Delete Subtree]"},
  46         {SEC_RIGHTS_DELETE_CHILD,       "[Delete All Child Objects]"},
  47
  48         {SEC_RIGHTS_CHANGE_PASSWD,      "[Change Password]"},
  49         {SEC_RIGHTS_RESET_PASSWD,       "[Reset Password]"},
  50
  51         {0,                             0}
  52 };
  53
  54 /* convert a security permissions into a string */
  55 static void ads_disp_perms(uint32 type)
  56 {
  57         int i = 0;
  58         int j = 0;
  59
  60         printf("Permissions: ");
  61
  62         if (type == SEC_RIGHTS_FULL_CTRL) {
  63                 printf("%s\n", perms[j].str);
  64                 return;
  65         }
  66
  67         for (i = 0; i < 32; i++) {
  68                 if (type & (1 << i)) {
  69                         for (j = 1; perms[j].str; j ++) {
  70                                 if (perms[j].mask == (((unsigned) 1) << i)) {
  71                                         printf("\n\t%s (0x%08x)", perms[j].str, perms[j].mask);
  72                                 }
  73                         }
  74                         type &= ~(1 << i);
  75                 }
  76         }
  77
  78         /* remaining bits get added on as-is */
  79         if (type != 0) {
  80                 printf("[%08x]", type);
  81         }
  82         puts("");
  83 }
  84
  85 static const char *ads_interprete_guid_from_object(ADS_STRUCT *ads,
  86                                                    TALLOC_CTX *mem_ctx,
  87                                                    const struct GUID *guid)
  88 {
  89         const char *ret = NULL;
  90
  91         if (!ads || !mem_ctx) {
  92                 return NULL;
  93         }
  94
  95         ret = ads_get_attrname_by_guid(ads, ads->config.schema_path,
  96                                        mem_ctx, guid);
  97         if (ret) {
  98                 return talloc_asprintf(mem_ctx, "LDAP attribute: \"%s\"", ret);
  99         }
 100
 101         ret = ads_get_extended_right_name_by_guid(ads, ads->config.config_path,
 102                                                   mem_ctx, guid);
 103
 104         if (ret) {
 105                 return talloc_asprintf(mem_ctx, "Extended right: \"%s\"", ret);
 106         }
 107
 108         return ret;
 109 }
 110
 111 static void ads_disp_sec_ace_object(ADS_STRUCT *ads,
 112                                     TALLOC_CTX *mem_ctx,
 113                                     struct security_ace_object *object)
 114 {
 115         if (object->flags & SEC_ACE_OBJECT_PRESENT) {
 116                 printf("Object type: SEC_ACE_OBJECT_PRESENT\n");
 117                 printf("Object GUID: %s (%s)\n", smb_uuid_string(mem_ctx,
 118                         object->type.type),
 119                         ads_interprete_guid_from_object(ads, mem_ctx,
 120                                 &object->type.type));
 121         }
 122         if (object->flags & SEC_ACE_OBJECT_INHERITED_PRESENT) {
 123                 printf("Object type: SEC_ACE_OBJECT_INHERITED_PRESENT\n");
 124                 printf("Object GUID: %s (%s)\n", smb_uuid_string(mem_ctx,
 125                         object->inherited_type.inherited_type),
 126                         ads_interprete_guid_from_object(ads, mem_ctx,
 127                                 &object->inherited_type.inherited_type));
 128         }
 129 }
 130
 131 /* display ACE */
 132 static void ads_disp_ace(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, SEC_ACE *sec_ace)
 133 {
 134         const char *access_type = "UNKNOWN";
 135
 136         if (!sec_ace_object(sec_ace->type)) {
 137                 printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x)\n",
 138                   sec_ace->type,
 139                   sec_ace->flags,
 140                   sec_ace->size,
 141                   sec_ace->access_mask);
 142         } else {
 143                 printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x, object flags: 0x%x)\n",
 144                   sec_ace->type,
 145                   sec_ace->flags,
 146                   sec_ace->size,
 147                   sec_ace->access_mask,
 148                   sec_ace->object.object.flags);
 149         }
 150
 151         if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) {
 152                 access_type = "ALLOWED";
 153         } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED) {
 154                 access_type = "DENIED";
 155         } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT) {
 156                 access_type = "SYSTEM AUDIT";
 157         } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
 158                 access_type = "ALLOWED OBJECT";
 159         } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) {
 160                 access_type = "DENIED OBJECT";
 161         } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT) {
 162                 access_type = "AUDIT OBJECT";
 163         }
 164
 165         printf("access SID:  %s\naccess type: %s\n",
 166                sid_string_talloc(mem_ctx, &sec_ace->trustee), access_type);
 167
 168         if (sec_ace_object(sec_ace->type)) {
 169                 ads_disp_sec_ace_object(ads, mem_ctx, &sec_ace->object.object);
 170         }
 171
 172         ads_disp_perms(sec_ace->access_mask);
 173 }
 174
 175 /* display ACL */
 176 static void ads_disp_acl(SEC_ACL *sec_acl, const char *type)
 177 {
 178         if (!sec_acl)
 179                 printf("------- (%s) ACL not present\n", type);
 180         else {
 181                 printf("------- (%s) ACL (revision: %d, size: %d, number of ACEs: %d)\n",
 182                        type,
 183                        sec_acl->revision,
 184                        sec_acl->size,
 185                        sec_acl->num_aces);
 186         }
 187 }
 188
 189 /* display SD */
 190 void ads_disp_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, SEC_DESC *sd)
 191 {
 192         int i;
 193         char *tmp_path = NULL;
 194
 195         if (!sd) {
 196                 return;
 197         }
 198
 199         if (ads && !ads->config.schema_path) {
 200                 if (ADS_ERR_OK(ads_schema_path(ads, mem_ctx, &tmp_path))) {
 201                         ads->config.schema_path = SMB_STRDUP(tmp_path);
 202                 }
 203         }
 204
 205         if (ads && !ads->config.config_path) {
 206                 if (ADS_ERR_OK(ads_config_path(ads, mem_ctx, &tmp_path))) {
 207                         ads->config.config_path = SMB_STRDUP(tmp_path);
 208                 }
 209         }
 210
 211         printf("-------------- Security Descriptor (revision: %d, type: 0x%02x)\n",
 212                sd->revision,
 213                sd->type);
 214
 215         printf("owner SID: %s\n", sd->owner_sid ?
 216                 sid_string_talloc(mem_ctx, sd->owner_sid) : "(null)");
 217         printf("group SID: %s\n", sd->group_sid ?
 218                 sid_string_talloc(mem_ctx, sd->group_sid) : "(null)");
 219
 220         ads_disp_acl(sd->sacl, "system");
 221         if (sd->sacl) {
 222                 for (i = 0; i < sd->sacl->num_aces; i ++) {
 223                         ads_disp_ace(ads, mem_ctx, &sd->sacl->aces[i]);
 224                 }
 225         }
 226
 227         ads_disp_acl(sd->dacl, "user");
 228         if (sd->dacl) {
 229                 for (i = 0; i < sd->dacl->num_aces; i ++) {
 230                         ads_disp_ace(ads, mem_ctx, &sd->dacl->aces[i]);
 231                 }
 232         }
 233
 234         printf("-------------- End Of Security Descriptor\n");
 235 }
 236
 237 #endif