search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
python: models: rename argument ldb to samdb
[samba.git] / source3 / libads / disp_sec.c
bloba193c5bb3e935a1f570acc1ff1fe239454671a64
1 /*
2 Unix SMB/CIFS implementation.
3 Samba utility functions. ADS stuff
4 Copyright (C) Alexey Kotovich 2002
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "ads.h"
22 #include "libads/ldap_schema.h"
23 #include "../libcli/security/secace.h"
24 #include "../librpc/ndr/libndr.h"
25 #include "libcli/security/dom_sid.h"
26
27 /* for ADS */
28 #define SEC_RIGHTS_FULL_CTRL 0xf01ff
29
30 #ifdef HAVE_LDAP
31
32 static struct perm_mask_str {
33 uint32_t mask;
34 const char *str;
35 } perms[] = {
36 {SEC_RIGHTS_FULL_CTRL, "[Full Control]"},
37
38 {SEC_ADS_LIST, "[List Contents]"},
39 {SEC_ADS_LIST_OBJECT, "[List Object]"},
40
41 {SEC_ADS_READ_PROP, "[Read All Properties]"},
42 {SEC_STD_READ_CONTROL, "[Read Permissions]"},
43
44 {SEC_ADS_SELF_WRITE, "[All validate writes]"},
45 {SEC_ADS_WRITE_PROP, "[Write All Properties]"},
46
47 {SEC_STD_WRITE_DAC, "[Modify Permissions]"},
48 {SEC_STD_WRITE_OWNER, "[Modify Owner]"},
49
50 {SEC_ADS_CREATE_CHILD, "[Create All Child Objects]"},
51
52 {SEC_STD_DELETE, "[Delete]"},
53 {SEC_ADS_DELETE_TREE, "[Delete Subtree]"},
54 {SEC_ADS_DELETE_CHILD, "[Delete All Child Objects]"},
55
56 {SEC_ADS_CONTROL_ACCESS, "[Change Password]"},
57 {SEC_ADS_CONTROL_ACCESS, "[Reset Password]"},
58
59 {0, 0}
60 };
61
62 /* convert a security permissions into a string */
63 static void ads_disp_perms(uint32_t type)
64 {
65 int i = 0;
66 int j = 0;
67
68 printf("Permissions: ");
69
70 if (type == SEC_RIGHTS_FULL_CTRL) {
71 printf("%s\n", perms[j].str);
72 return;
73 }
74
75 for (i = 0; i < 32; i++) {
76 if (type & ((uint32_t)1 << i)) {
77 for (j = 1; perms[j].str; j ++) {
78 if (perms[j].mask == (((unsigned) 1) << i)) {
79 printf("\n\t%s (0x%08x)", perms[j].str, perms[j].mask);
80 }
81 }
82 type &= ~(1 << i);
83 }
84 }
85
86 /* remaining bits get added on as-is */
87 if (type != 0) {
88 printf("[%08x]", type);
89 }
90 puts("");
91 }
92
93 static const char *ads_interprete_guid_from_object(ADS_STRUCT *ads,
94 TALLOC_CTX *mem_ctx,
95 const struct GUID *guid)
96 {
97 const char *ret = NULL;
98
99 if (!ads || !mem_ctx) {
100 return NULL;
101 }
102
103 ret = ads_get_attrname_by_guid(ads, ads->config.schema_path,
104 mem_ctx, guid);
105 if (ret) {
106 return talloc_asprintf(mem_ctx, "LDAP attribute: \"%s\"", ret);
107 }
108
109 ret = ads_get_extended_right_name_by_guid(ads, ads->config.config_path,
110 mem_ctx, guid);
111
112 if (ret) {
113 return talloc_asprintf(mem_ctx, "Extended right: \"%s\"", ret);
114 }
115
116 return ret;
117 }
118
119 static void ads_disp_sec_ace_object(ADS_STRUCT *ads,
120 TALLOC_CTX *mem_ctx,
121 struct security_ace_object *object)
122 {
123 if (object->flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
124 printf("Object type: SEC_ACE_OBJECT_TYPE_PRESENT\n");
125 printf("Object GUID: %s (%s)\n", GUID_string(mem_ctx,
126 &object->type.type),
127 ads_interprete_guid_from_object(ads, mem_ctx,
128 &object->type.type));
129 }
130 if (object->flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
131 printf("Object type: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT\n");
132 printf("Object GUID: %s (%s)\n", GUID_string(mem_ctx,
133 &object->inherited_type.inherited_type),
134 ads_interprete_guid_from_object(ads, mem_ctx,
135 &object->inherited_type.inherited_type));
136 }
137 }
138
139 /* display ACE */
140 static void ads_disp_ace(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_ace *sec_ace)
141 {
142 const char *access_type = "UNKNOWN";
143 struct dom_sid_buf sidbuf;
144
145 if (!sec_ace_object(sec_ace->type)) {
146 printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x)\n",
147 sec_ace->type,
148 sec_ace->flags,
149 sec_ace->size,
150 sec_ace->access_mask);
151 } else {
152 printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x, object flags: 0x%x)\n",
153 sec_ace->type,
154 sec_ace->flags,
155 sec_ace->size,
156 sec_ace->access_mask,
157 sec_ace->object.object.flags);
158 }
159
160 if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) {
161 access_type = "ALLOWED";
162 } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED) {
163 access_type = "DENIED";
164 } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT) {
165 access_type = "SYSTEM AUDIT";
166 } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
167 access_type = "ALLOWED OBJECT";
168 } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) {
169 access_type = "DENIED OBJECT";
170 } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT) {
171 access_type = "AUDIT OBJECT";
172 }
173
174 printf("access SID: %s\naccess type: %s\n",
175 dom_sid_str_buf(&sec_ace->trustee, &sidbuf),
176 access_type);
177
178 if (sec_ace_object(sec_ace->type)) {
179 ads_disp_sec_ace_object(ads, mem_ctx, &sec_ace->object.object);
180 }
181
182 ads_disp_perms(sec_ace->access_mask);
183 }
184
185 /* display ACL */
186 static void ads_disp_acl(struct security_acl *sec_acl, const char *type)
187 {
188 if (!sec_acl)
189 printf("------- (%s) ACL not present\n", type);
190 else {
191 printf("------- (%s) ACL (revision: %d, size: %d, number of ACEs: %d)\n",
192 type,
193 sec_acl->revision,
194 sec_acl->size,
195 sec_acl->num_aces);
196 }
197 }
198
199 /* display SD */
200 void ads_disp_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_descriptor *sd)
201 {
202 uint32_t i;
203 char *tmp_path = NULL;
204 struct dom_sid_buf buf;
205
206 if (!sd) {
207 return;
208 }
209
210 if (ads && !ads->config.schema_path) {
211 if (ADS_ERR_OK(ads_schema_path(ads, mem_ctx, &tmp_path))) {
212 ads->config.schema_path = talloc_strdup(ads, tmp_path);
213 if (ads->config.schema_path == NULL) {
214 DBG_WARNING("Out of memory\n");
215 }
216 }
217 }
218
219 if (ads && !ads->config.config_path) {
220 if (ADS_ERR_OK(ads_config_path(ads, mem_ctx, &tmp_path))) {
221 ads->config.config_path = talloc_strdup(ads, tmp_path);
222 if (ads->config.config_path == NULL) {
223 DBG_WARNING("Out of memory\n");
224 }
225 }
226 }
227
228 printf("-------------- Security Descriptor (revision: %d, type: 0x%02x)\n",
229 sd->revision,
230 sd->type);
231
232 printf("owner SID: %s\n", sd->owner_sid ?
233 dom_sid_str_buf(sd->owner_sid, &buf) : "(null)");
234 printf("group SID: %s\n", sd->group_sid ?
235 dom_sid_str_buf(sd->group_sid, &buf) : "(null)");
236
237 ads_disp_acl(sd->sacl, "system");
238 if (sd->sacl) {
239 for (i = 0; i < sd->sacl->num_aces; i ++) {
240 ads_disp_ace(ads, mem_ctx, &sd->sacl->aces[i]);
241 }
242 }
243
244 ads_disp_acl(sd->dacl, "user");
245 if (sd->dacl) {
246 for (i = 0; i < sd->dacl->num_aces; i ++) {
247 ads_disp_ace(ads, mem_ctx, &sd->dacl->aces[i]);
248 }
249 }
250
251 printf("-------------- End Of Security Descriptor\n");
252 }
253
254 #endif
Samba git mirror