Line data    Source code

       1             : /*
       2             :    Unix SMB/CIFS implementation.
       3             :    Samba utility functions
       4             :    Copyright (C) Andrew Tridgell 1992-1999
       5             :    Copyright (C) Luke Kenneth Casson Leighton 1996 - 1999
       6             : 
       7             :    This program is free software; you can redistribute it and/or modify
       8             :    it under the terms of the GNU General Public License as published by
       9             :    the Free Software Foundation; either version 3 of the License, or
      10             :    (at your option) any later version.
      11             : 
      12             :    This program is distributed in the hope that it will be useful,
      13             :    but WITHOUT ANY WARRANTY; without even the implied warranty of
      14             :    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      15             :    GNU General Public License for more details.
      16             : 
      17             :    You should have received a copy of the GNU General Public License
      18             :    along with this program.  If not, see <http://www.gnu.org/licenses/>.
      19             : */
      20             : 
      21             : #include "replace.h"
      22             : #include "libcli/security/security.h"
      23             : #include "librpc/ndr/libndr.h"
      24             : #include "libcli/security/display_sec.h"
      25             : 
      26             : /****************************************************************************
      27             : convert a security permissions into a string
      28             : ****************************************************************************/
      29             : 
      30          19 : char *get_sec_mask_str(TALLOC_CTX *ctx, uint32_t type)
      31             : {
      32          19 :         char *typestr = talloc_strdup(ctx, "");
      33             : 
      34          19 :         if (type & SEC_GENERIC_ALL) {
      35           0 :                 talloc_asprintf_addbuf(&typestr, "Generic all access ");
      36             :         }
      37          19 :         if (type & SEC_GENERIC_EXECUTE) {
      38           0 :                 talloc_asprintf_addbuf(&typestr, "Generic execute access");
      39             :         }
      40          19 :         if (type & SEC_GENERIC_WRITE) {
      41           0 :                 talloc_asprintf_addbuf(&typestr, "Generic write access ");
      42             :         }
      43          19 :         if (type & SEC_GENERIC_READ) {
      44           0 :                 talloc_asprintf_addbuf(&typestr, "Generic read access ");
      45             :         }
      46          19 :         if (type & SEC_FLAG_MAXIMUM_ALLOWED) {
      47           0 :                 talloc_asprintf_addbuf(&typestr, "MAXIMUM_ALLOWED_ACCESS ");
      48             :         }
      49          19 :         if (type & SEC_FLAG_SYSTEM_SECURITY) {
      50           0 :                 talloc_asprintf_addbuf(&typestr, "SYSTEM_SECURITY_ACCESS ");
      51             :         }
      52          19 :         if (type & SEC_STD_SYNCHRONIZE) {
      53          13 :                 talloc_asprintf_addbuf(&typestr, "SYNCHRONIZE_ACCESS ");
      54             :         }
      55          19 :         if (type & SEC_STD_WRITE_OWNER) {
      56          16 :                 talloc_asprintf_addbuf(&typestr, "WRITE_OWNER_ACCESS ");
      57             :         }
      58          19 :         if (type & SEC_STD_WRITE_DAC) {
      59          16 :                 talloc_asprintf_addbuf(&typestr, "WRITE_DAC_ACCESS ");
      60             :         }
      61          19 :         if (type & SEC_STD_READ_CONTROL) {
      62          18 :                 talloc_asprintf_addbuf(&typestr, "READ_CONTROL_ACCESS ");
      63             :         }
      64          19 :         if (type & SEC_STD_DELETE) {
      65          16 :                 talloc_asprintf_addbuf(&typestr, "DELETE_ACCESS ");
      66             :         }
      67             : 
      68          19 :         printf("\t\tSpecific bits: 0x%lx\n", (unsigned long)type&SEC_MASK_SPECIFIC);
      69             : 
      70          19 :         return typestr;
      71             : }
      72             : 
      73             : /****************************************************************************
      74             :  display sec_access structure
      75             :  ****************************************************************************/
      76          18 : void display_sec_access(uint32_t *info)
      77             : {
      78          18 :         char *mask_str = get_sec_mask_str(NULL, *info);
      79          18 :         printf("\t\tPermissions: 0x%x: %s\n", *info, mask_str ? mask_str : "");
      80          18 :         talloc_free(mask_str);
      81          18 : }
      82             : 
      83             : /****************************************************************************
      84             :  display sec_ace flags
      85             :  ****************************************************************************/
      86          18 : void display_sec_ace_flags(uint8_t flags)
      87             : {
      88          18 :         if (flags & SEC_ACE_FLAG_OBJECT_INHERIT)
      89           0 :                 printf("SEC_ACE_FLAG_OBJECT_INHERIT ");
      90          18 :         if (flags & SEC_ACE_FLAG_CONTAINER_INHERIT)
      91           0 :                 printf(" SEC_ACE_FLAG_CONTAINER_INHERIT ");
      92          18 :         if (flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT)
      93           0 :                 printf("SEC_ACE_FLAG_NO_PROPAGATE_INHERIT ");
      94          18 :         if (flags & SEC_ACE_FLAG_INHERIT_ONLY)
      95           0 :                 printf("SEC_ACE_FLAG_INHERIT_ONLY ");
      96          18 :         if (flags & SEC_ACE_FLAG_INHERITED_ACE)
      97           0 :                 printf("SEC_ACE_FLAG_INHERITED_ACE ");
      98             : /*      if (flags & SEC_ACE_FLAG_VALID_INHERIT)
      99             :                 printf("SEC_ACE_FLAG_VALID_INHERIT "); */
     100          18 :         if (flags & SEC_ACE_FLAG_SUCCESSFUL_ACCESS)
     101           0 :                 printf("SEC_ACE_FLAG_SUCCESSFUL_ACCESS ");
     102          18 :         if (flags & SEC_ACE_FLAG_FAILED_ACCESS)
     103           0 :                 printf("SEC_ACE_FLAG_FAILED_ACCESS ");
     104             : 
     105          18 :         printf("\n");
     106          18 : }
     107             : 
     108             : /****************************************************************************
     109             :  display sec_ace object
     110             :  ****************************************************************************/
     111           0 : static void disp_sec_ace_object(struct security_ace_object *object)
     112             : {
     113           0 :         char *str;
     114           0 :         if (object->flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
     115           0 :                 str = GUID_string(NULL, &object->type.type);
     116           0 :                 if (str == NULL) return;
     117           0 :                 printf("Object type: SEC_ACE_OBJECT_TYPE_PRESENT\n");
     118           0 :                 printf("Object GUID: %s\n", str);
     119           0 :                 talloc_free(str);
     120             :         }
     121           0 :         if (object->flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
     122           0 :                 str = GUID_string(NULL, &object->inherited_type.inherited_type);
     123           0 :                 if (str == NULL) return;
     124           0 :                 printf("Object type: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT\n");
     125           0 :                 printf("Object GUID: %s\n", str);
     126           0 :                 talloc_free(str);
     127             :         }
     128             : }
     129             : 
     130             : /****************************************************************************
     131             :  display sec_ace structure
     132             :  ****************************************************************************/
     133          18 : void display_sec_ace(struct security_ace *ace)
     134             : {
     135           0 :         struct dom_sid_buf sid_str;
     136             : 
     137          18 :         printf("\tACE\n\t\ttype: ");
     138          18 :         switch (ace->type) {
     139          18 :                 case SEC_ACE_TYPE_ACCESS_ALLOWED:
     140          18 :                         printf("ACCESS ALLOWED");
     141          18 :                         break;
     142           0 :                 case SEC_ACE_TYPE_ACCESS_DENIED:
     143           0 :                         printf("ACCESS DENIED");
     144           0 :                         break;
     145           0 :                 case SEC_ACE_TYPE_SYSTEM_AUDIT:
     146           0 :                         printf("SYSTEM AUDIT");
     147           0 :                         break;
     148           0 :                 case SEC_ACE_TYPE_SYSTEM_ALARM:
     149           0 :                         printf("SYSTEM ALARM");
     150           0 :                         break;
     151             : #define ACE_CASE(x) case x: printf(#x); break
     152           0 :                 ACE_CASE(SEC_ACE_TYPE_ALLOWED_COMPOUND);
     153           0 :                 ACE_CASE(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT);
     154           0 :                 ACE_CASE(SEC_ACE_TYPE_ACCESS_DENIED_OBJECT);
     155           0 :                 ACE_CASE(SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT);
     156           0 :                 ACE_CASE(SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT);
     157           0 :                 ACE_CASE(SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK);
     158           0 :                 ACE_CASE(SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK);
     159           0 :                 ACE_CASE(SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT);
     160           0 :                 ACE_CASE(SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT);
     161           0 :                 ACE_CASE(SEC_ACE_TYPE_SYSTEM_AUDIT_CALLBACK);
     162           0 :                 ACE_CASE(SEC_ACE_TYPE_SYSTEM_ALARM_CALLBACK);
     163           0 :                 ACE_CASE(SEC_ACE_TYPE_SYSTEM_AUDIT_CALLBACK_OBJECT);
     164           0 :                 ACE_CASE(SEC_ACE_TYPE_SYSTEM_ALARM_CALLBACK_OBJECT);
     165             : #undef ACE_CASE
     166           0 :                 default:
     167           0 :                         printf("????");
     168           0 :                         break;
     169             :         }
     170             : 
     171          18 :         printf(" (%d) flags: 0x%02x ", ace->type, ace->flags);
     172          18 :         display_sec_ace_flags(ace->flags);
     173          18 :         display_sec_access(&ace->access_mask);
     174          18 :         printf("\t\tSID: %s\n\n", dom_sid_str_buf(&ace->trustee, &sid_str));
     175             : 
     176          18 :         if (sec_ace_object(ace->type)) {
     177           0 :                 disp_sec_ace_object(&ace->object.object);
     178             :         }
     179             : 
     180          18 : }
     181             : 
     182             : /****************************************************************************
     183             :  display sec_acl structure
     184             :  ****************************************************************************/
     185          14 : void display_sec_acl(struct security_acl *sec_acl)
     186             : {
     187           0 :         uint32_t i;
     188             : 
     189          14 :         printf("\tACL\tNum ACEs:\t%u\trevision:\t%x\n",
     190          14 :                sec_acl->num_aces, sec_acl->revision);
     191          14 :         printf("\t---\n");
     192             : 
     193          14 :         if (sec_acl->size != 0 && sec_acl->num_aces != 0) {
     194          32 :                 for (i = 0; i < sec_acl->num_aces; i++) {
     195          18 :                         display_sec_ace(&sec_acl->aces[i]);
     196             :                 }
     197             :         }
     198          14 : }
     199             : 
     200          14 : void display_acl_type(uint16_t type)
     201             : {
     202          14 :         printf("type: 0x%04x: ", type);
     203             : 
     204          14 :         if (type & SEC_DESC_OWNER_DEFAULTED)        /* 0x0001 */
     205           0 :                 printf("SEC_DESC_OWNER_DEFAULTED ");
     206          14 :         if (type & SEC_DESC_GROUP_DEFAULTED)        /* 0x0002 */
     207           0 :                 printf("SEC_DESC_GROUP_DEFAULTED ");
     208          14 :         if (type & SEC_DESC_DACL_PRESENT)   /* 0x0004 */
     209          14 :                 printf("SEC_DESC_DACL_PRESENT ");
     210          14 :         if (type & SEC_DESC_DACL_DEFAULTED) /* 0x0008 */
     211           0 :                 printf("SEC_DESC_DACL_DEFAULTED ");
     212          14 :         if (type & SEC_DESC_SACL_PRESENT)   /* 0x0010 */
     213           0 :                 printf("SEC_DESC_SACL_PRESENT ");
     214          14 :         if (type & SEC_DESC_SACL_DEFAULTED) /* 0x0020 */
     215           0 :                 printf("SEC_DESC_SACL_DEFAULTED ");
     216          14 :         if (type & SEC_DESC_DACL_TRUSTED)   /* 0x0040 */
     217           0 :                 printf("SEC_DESC_DACL_TRUSTED ");
     218          14 :         if (type & SEC_DESC_SERVER_SECURITY)        /* 0x0080 */
     219           0 :                 printf("SEC_DESC_SERVER_SECURITY ");
     220          14 :         if (type & SEC_DESC_DACL_AUTO_INHERIT_REQ) /* 0x0100 */
     221           0 :                 printf("SEC_DESC_DACL_AUTO_INHERIT_REQ ");
     222          14 :         if (type & SEC_DESC_SACL_AUTO_INHERIT_REQ) /* 0x0200 */
     223           0 :                 printf("SEC_DESC_SACL_AUTO_INHERIT_REQ ");
     224          14 :         if (type & SEC_DESC_DACL_AUTO_INHERITED) /* 0x0400 */
     225           0 :                 printf("SEC_DESC_DACL_AUTO_INHERITED ");
     226          14 :         if (type & SEC_DESC_SACL_AUTO_INHERITED) /* 0x0800 */
     227           0 :                 printf("SEC_DESC_SACL_AUTO_INHERITED ");
     228          14 :         if (type & SEC_DESC_DACL_PROTECTED) /* 0x1000 */
     229           0 :                 printf("SEC_DESC_DACL_PROTECTED ");
     230          14 :         if (type & SEC_DESC_SACL_PROTECTED) /* 0x2000 */
     231           0 :                 printf("SEC_DESC_SACL_PROTECTED ");
     232          14 :         if (type & SEC_DESC_RM_CONTROL_VALID)       /* 0x4000 */
     233           0 :                 printf("SEC_DESC_RM_CONTROL_VALID ");
     234          14 :         if (type & SEC_DESC_SELF_RELATIVE)  /* 0x8000 */
     235          14 :                 printf("SEC_DESC_SELF_RELATIVE ");
     236             : 
     237          14 :         printf("\n");
     238          14 : }
     239             : 
     240             : /****************************************************************************
     241             :  display sec_desc structure
     242             :  ****************************************************************************/
     243          14 : void display_sec_desc(struct security_descriptor *sec)
     244             : {
     245           0 :         struct dom_sid_buf sid_str;
     246             : 
     247          14 :         if (!sec) {
     248           0 :                 printf("NULL\n");
     249           0 :                 return;
     250             :         }
     251             : 
     252          14 :         printf("revision: %d\n", sec->revision);
     253          14 :         display_acl_type(sec->type);
     254             : 
     255          14 :         if (sec->sacl) {
     256           0 :                 printf("SACL\n");
     257           0 :                 display_sec_acl(sec->sacl);
     258             :         }
     259             : 
     260          14 :         if (sec->dacl) {
     261          14 :                 printf("DACL\n");
     262          14 :                 display_sec_acl(sec->dacl);
     263             :         }
     264             : 
     265          14 :         if (sec->owner_sid) {
     266           2 :                 printf("\tOwner SID:\t%s\n",
     267           2 :                        dom_sid_str_buf(sec->owner_sid, &sid_str));
     268             :         }
     269             : 
     270          14 :         if (sec->group_sid) {
     271           2 :                 printf("\tGroup SID:\t%s\n",
     272           2 :                        dom_sid_str_buf(sec->group_sid, &sid_str));
     273             :         }
     274             : }