search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Change get_nt_acl_no_snum() to return an NTSTATUS, not a struct security_descriptor *.
[Samba/gebeck_regimport.git] / source3 / libads / disp_sec.c
blob7dcdc95901eb8e0ad9b2b74c719023a14b002bff
1 /*
2 Unix SMB/CIFS implementation.
3 Samba utility functions. ADS stuff
4 Copyright (C) Alexey Kotovich 2002
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "ads.h"
22 #include "libads/ldap_schema.h"
23 #include "../libcli/security/secace.h"
24 #include "../librpc/ndr/libndr.h"
25
26 /* for ADS */
27 #define SEC_RIGHTS_FULL_CTRL 0xf01ff
28
29 #ifdef HAVE_LDAP
30
31 static struct perm_mask_str {
32 uint32 mask;
33 const char *str;
34 } perms[] = {
35 {SEC_RIGHTS_FULL_CTRL, "[Full Control]"},
36
37 {SEC_ADS_LIST, "[List Contents]"},
38 {SEC_ADS_LIST_OBJECT, "[List Object]"},
39
40 {SEC_ADS_READ_PROP, "[Read All Properties]"},
41 {SEC_STD_READ_CONTROL, "[Read Permissions]"},
42
43 {SEC_ADS_SELF_WRITE, "[All validate writes]"},
44 {SEC_ADS_WRITE_PROP, "[Write All Properties]"},
45
46 {SEC_STD_WRITE_DAC, "[Modify Permissions]"},
47 {SEC_STD_WRITE_OWNER, "[Modify Owner]"},
48
49 {SEC_ADS_CREATE_CHILD, "[Create All Child Objects]"},
50
51 {SEC_STD_DELETE, "[Delete]"},
52 {SEC_ADS_DELETE_TREE, "[Delete Subtree]"},
53 {SEC_ADS_DELETE_CHILD, "[Delete All Child Objects]"},
54
55 {SEC_ADS_CONTROL_ACCESS, "[Change Password]"},
56 {SEC_ADS_CONTROL_ACCESS, "[Reset Password]"},
57
58 {0, 0}
59 };
60
61 /* convert a security permissions into a string */
62 static void ads_disp_perms(uint32 type)
63 {
64 int i = 0;
65 int j = 0;
66
67 printf("Permissions: ");
68
69 if (type == SEC_RIGHTS_FULL_CTRL) {
70 printf("%s\n", perms[j].str);
71 return;
72 }
73
74 for (i = 0; i < 32; i++) {
75 if (type & (1 << i)) {
76 for (j = 1; perms[j].str; j ++) {
77 if (perms[j].mask == (((unsigned) 1) << i)) {
78 printf("\n\t%s (0x%08x)", perms[j].str, perms[j].mask);
79 }
80 }
81 type &= ~(1 << i);
82 }
83 }
84
85 /* remaining bits get added on as-is */
86 if (type != 0) {
87 printf("[%08x]", type);
88 }
89 puts("");
90 }
91
92 static const char *ads_interprete_guid_from_object(ADS_STRUCT *ads,
93 TALLOC_CTX *mem_ctx,
94 const struct GUID *guid)
95 {
96 const char *ret = NULL;
97
98 if (!ads || !mem_ctx) {
99 return NULL;
100 }
101
102 ret = ads_get_attrname_by_guid(ads, ads->config.schema_path,
103 mem_ctx, guid);
104 if (ret) {
105 return talloc_asprintf(mem_ctx, "LDAP attribute: \"%s\"", ret);
106 }
107
108 ret = ads_get_extended_right_name_by_guid(ads, ads->config.config_path,
109 mem_ctx, guid);
110
111 if (ret) {
112 return talloc_asprintf(mem_ctx, "Extended right: \"%s\"", ret);
113 }
114
115 return ret;
116 }
117
118 static void ads_disp_sec_ace_object(ADS_STRUCT *ads,
119 TALLOC_CTX *mem_ctx,
120 struct security_ace_object *object)
121 {
122 if (object->flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
123 printf("Object type: SEC_ACE_OBJECT_TYPE_PRESENT\n");
124 printf("Object GUID: %s (%s)\n", GUID_string(mem_ctx,
125 &object->type.type),
126 ads_interprete_guid_from_object(ads, mem_ctx,
127 &object->type.type));
128 }
129 if (object->flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
130 printf("Object type: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT\n");
131 printf("Object GUID: %s (%s)\n", GUID_string(mem_ctx,
132 &object->inherited_type.inherited_type),
133 ads_interprete_guid_from_object(ads, mem_ctx,
134 &object->inherited_type.inherited_type));
135 }
136 }
137
138 /* display ACE */
139 static void ads_disp_ace(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_ace *sec_ace)
140 {
141 const char *access_type = "UNKNOWN";
142
143 if (!sec_ace_object(sec_ace->type)) {
144 printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x)\n",
145 sec_ace->type,
146 sec_ace->flags,
147 sec_ace->size,
148 sec_ace->access_mask);
149 } else {
150 printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x, object flags: 0x%x)\n",
151 sec_ace->type,
152 sec_ace->flags,
153 sec_ace->size,
154 sec_ace->access_mask,
155 sec_ace->object.object.flags);
156 }
157
158 if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) {
159 access_type = "ALLOWED";
160 } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED) {
161 access_type = "DENIED";
162 } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT) {
163 access_type = "SYSTEM AUDIT";
164 } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
165 access_type = "ALLOWED OBJECT";
166 } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) {
167 access_type = "DENIED OBJECT";
168 } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT) {
169 access_type = "AUDIT OBJECT";
170 }
171
172 printf("access SID: %s\naccess type: %s\n",
173 sid_string_talloc(mem_ctx, &sec_ace->trustee), access_type);
174
175 if (sec_ace_object(sec_ace->type)) {
176 ads_disp_sec_ace_object(ads, mem_ctx, &sec_ace->object.object);
177 }
178
179 ads_disp_perms(sec_ace->access_mask);
180 }
181
182 /* display ACL */
183 static void ads_disp_acl(struct security_acl *sec_acl, const char *type)
184 {
185 if (!sec_acl)
186 printf("------- (%s) ACL not present\n", type);
187 else {
188 printf("------- (%s) ACL (revision: %d, size: %d, number of ACEs: %d)\n",
189 type,
190 sec_acl->revision,
191 sec_acl->size,
192 sec_acl->num_aces);
193 }
194 }
195
196 /* display SD */
197 void ads_disp_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_descriptor *sd)
198 {
199 int i;
200 char *tmp_path = NULL;
201
202 if (!sd) {
203 return;
204 }
205
206 if (ads && !ads->config.schema_path) {
207 if (ADS_ERR_OK(ads_schema_path(ads, mem_ctx, &tmp_path))) {
208 ads->config.schema_path = SMB_STRDUP(tmp_path);
209 }
210 }
211
212 if (ads && !ads->config.config_path) {
213 if (ADS_ERR_OK(ads_config_path(ads, mem_ctx, &tmp_path))) {
214 ads->config.config_path = SMB_STRDUP(tmp_path);
215 }
216 }
217
218 printf("-------------- Security Descriptor (revision: %d, type: 0x%02x)\n",
219 sd->revision,
220 sd->type);
221
222 printf("owner SID: %s\n", sd->owner_sid ?
223 sid_string_talloc(mem_ctx, sd->owner_sid) : "(null)");
224 printf("group SID: %s\n", sd->group_sid ?
225 sid_string_talloc(mem_ctx, sd->group_sid) : "(null)");
226
227 ads_disp_acl(sd->sacl, "system");
228 if (sd->sacl) {
229 for (i = 0; i < sd->sacl->num_aces; i ++) {
230 ads_disp_ace(ads, mem_ctx, &sd->sacl->aces[i]);
231 }
232 }
233
234 ads_disp_acl(sd->dacl, "user");
235 if (sd->dacl) {
236 for (i = 0; i < sd->dacl->num_aces; i ++) {
237 ads_disp_ace(ads, mem_ctx, &sd->dacl->aces[i]);
238 }
239 }
240
241 printf("-------------- End Of Security Descriptor\n");
242 }
243
244 #endif
reg import