Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 : Samba utility functions. ADS stuff
4 : Copyright (C) Alexey Kotovich 2002
5 :
6 : This program is free software; you can redistribute it and/or modify
7 : it under the terms of the GNU General Public License as published by
8 : the Free Software Foundation; either version 3 of the License, or
9 : (at your option) any later version.
10 :
11 : This program is distributed in the hope that it will be useful,
12 : but WITHOUT ANY WARRANTY; without even the implied warranty of
13 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 : GNU General Public License for more details.
15 :
16 : You should have received a copy of the GNU General Public License
17 : along with this program. If not, see <http://www.gnu.org/licenses/>.
18 : */
19 :
20 : #include "includes.h"
21 : #include "ads.h"
22 : #include "libads/ldap_schema.h"
23 : #include "../libcli/security/secace.h"
24 : #include "../librpc/ndr/libndr.h"
25 : #include "libcli/security/dom_sid.h"
26 :
27 : /* for ADS */
28 : #define SEC_RIGHTS_FULL_CTRL 0xf01ff
29 :
30 : #ifdef HAVE_LDAP
31 :
32 : static struct perm_mask_str {
33 : uint32_t mask;
34 : const char *str;
35 : } perms[] = {
36 : {SEC_RIGHTS_FULL_CTRL, "[Full Control]"},
37 :
38 : {SEC_ADS_LIST, "[List Contents]"},
39 : {SEC_ADS_LIST_OBJECT, "[List Object]"},
40 :
41 : {SEC_ADS_READ_PROP, "[Read All Properties]"},
42 : {SEC_STD_READ_CONTROL, "[Read Permissions]"},
43 :
44 : {SEC_ADS_SELF_WRITE, "[All validate writes]"},
45 : {SEC_ADS_WRITE_PROP, "[Write All Properties]"},
46 :
47 : {SEC_STD_WRITE_DAC, "[Modify Permissions]"},
48 : {SEC_STD_WRITE_OWNER, "[Modify Owner]"},
49 :
50 : {SEC_ADS_CREATE_CHILD, "[Create All Child Objects]"},
51 :
52 : {SEC_STD_DELETE, "[Delete]"},
53 : {SEC_ADS_DELETE_TREE, "[Delete Subtree]"},
54 : {SEC_ADS_DELETE_CHILD, "[Delete All Child Objects]"},
55 :
56 : {SEC_ADS_CONTROL_ACCESS, "[Change Password]"},
57 : {SEC_ADS_CONTROL_ACCESS, "[Reset Password]"},
58 :
59 : {0, 0}
60 : };
61 :
62 : /* convert a security permissions into a string */
63 0 : static void ads_disp_perms(uint32_t type)
64 : {
65 0 : int i = 0;
66 0 : int j = 0;
67 :
68 0 : printf("Permissions: ");
69 :
70 0 : if (type == SEC_RIGHTS_FULL_CTRL) {
71 0 : printf("%s\n", perms[j].str);
72 0 : return;
73 : }
74 :
75 0 : for (i = 0; i < 32; i++) {
76 0 : if (type & ((uint32_t)1 << i)) {
77 0 : for (j = 1; perms[j].str; j ++) {
78 0 : if (perms[j].mask == (((unsigned) 1) << i)) {
79 0 : printf("\n\t%s (0x%08x)", perms[j].str, perms[j].mask);
80 : }
81 : }
82 0 : type &= ~(1 << i);
83 : }
84 : }
85 :
86 : /* remaining bits get added on as-is */
87 0 : if (type != 0) {
88 0 : printf("[%08x]", type);
89 : }
90 0 : puts("");
91 : }
92 :
93 0 : static const char *ads_interprete_guid_from_object(ADS_STRUCT *ads,
94 : TALLOC_CTX *mem_ctx,
95 : const struct GUID *guid)
96 : {
97 0 : const char *ret = NULL;
98 :
99 0 : if (!ads || !mem_ctx) {
100 0 : return NULL;
101 : }
102 :
103 0 : ret = ads_get_attrname_by_guid(ads, ads->config.schema_path,
104 : mem_ctx, guid);
105 0 : if (ret) {
106 0 : return talloc_asprintf(mem_ctx, "LDAP attribute: \"%s\"", ret);
107 : }
108 :
109 0 : ret = ads_get_extended_right_name_by_guid(ads, ads->config.config_path,
110 : mem_ctx, guid);
111 :
112 0 : if (ret) {
113 0 : return talloc_asprintf(mem_ctx, "Extended right: \"%s\"", ret);
114 : }
115 :
116 0 : return ret;
117 : }
118 :
119 0 : static void ads_disp_sec_ace_object(ADS_STRUCT *ads,
120 : TALLOC_CTX *mem_ctx,
121 : struct security_ace_object *object)
122 : {
123 0 : if (object->flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
124 0 : printf("Object type: SEC_ACE_OBJECT_TYPE_PRESENT\n");
125 0 : printf("Object GUID: %s (%s)\n", GUID_string(mem_ctx,
126 0 : &object->type.type),
127 : ads_interprete_guid_from_object(ads, mem_ctx,
128 0 : &object->type.type));
129 : }
130 0 : if (object->flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
131 0 : printf("Object type: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT\n");
132 0 : printf("Object GUID: %s (%s)\n", GUID_string(mem_ctx,
133 0 : &object->inherited_type.inherited_type),
134 : ads_interprete_guid_from_object(ads, mem_ctx,
135 0 : &object->inherited_type.inherited_type));
136 : }
137 0 : }
138 :
139 : /* display ACE */
140 0 : static void ads_disp_ace(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_ace *sec_ace)
141 : {
142 0 : const char *access_type = "UNKNOWN";
143 0 : struct dom_sid_buf sidbuf;
144 :
145 0 : if (!sec_ace_object(sec_ace->type)) {
146 0 : printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x)\n",
147 0 : sec_ace->type,
148 0 : sec_ace->flags,
149 0 : sec_ace->size,
150 : sec_ace->access_mask);
151 : } else {
152 0 : printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x, object flags: 0x%x)\n",
153 0 : sec_ace->type,
154 0 : sec_ace->flags,
155 0 : sec_ace->size,
156 : sec_ace->access_mask,
157 : sec_ace->object.object.flags);
158 : }
159 :
160 0 : if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) {
161 0 : access_type = "ALLOWED";
162 0 : } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED) {
163 0 : access_type = "DENIED";
164 0 : } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT) {
165 0 : access_type = "SYSTEM AUDIT";
166 0 : } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
167 0 : access_type = "ALLOWED OBJECT";
168 0 : } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) {
169 0 : access_type = "DENIED OBJECT";
170 0 : } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT) {
171 0 : access_type = "AUDIT OBJECT";
172 : }
173 :
174 0 : printf("access SID: %s\naccess type: %s\n",
175 0 : dom_sid_str_buf(&sec_ace->trustee, &sidbuf),
176 : access_type);
177 :
178 0 : if (sec_ace_object(sec_ace->type)) {
179 0 : ads_disp_sec_ace_object(ads, mem_ctx, &sec_ace->object.object);
180 : }
181 :
182 0 : ads_disp_perms(sec_ace->access_mask);
183 0 : }
184 :
185 : /* display ACL */
186 0 : static void ads_disp_acl(struct security_acl *sec_acl, const char *type)
187 : {
188 0 : if (!sec_acl)
189 0 : printf("------- (%s) ACL not present\n", type);
190 : else {
191 0 : printf("------- (%s) ACL (revision: %d, size: %d, number of ACEs: %d)\n",
192 : type,
193 0 : sec_acl->revision,
194 0 : sec_acl->size,
195 : sec_acl->num_aces);
196 : }
197 0 : }
198 :
199 : /* display SD */
200 0 : void ads_disp_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_descriptor *sd)
201 : {
202 0 : uint32_t i;
203 0 : char *tmp_path = NULL;
204 0 : struct dom_sid_buf buf;
205 :
206 0 : if (!sd) {
207 0 : return;
208 : }
209 :
210 0 : if (ads && !ads->config.schema_path) {
211 0 : if (ADS_ERR_OK(ads_schema_path(ads, mem_ctx, &tmp_path))) {
212 0 : ads->config.schema_path = talloc_strdup(ads, tmp_path);
213 0 : if (ads->config.schema_path == NULL) {
214 0 : DBG_WARNING("Out of memory\n");
215 : }
216 : }
217 : }
218 :
219 0 : if (ads && !ads->config.config_path) {
220 0 : if (ADS_ERR_OK(ads_config_path(ads, mem_ctx, &tmp_path))) {
221 0 : ads->config.config_path = talloc_strdup(ads, tmp_path);
222 0 : if (ads->config.config_path == NULL) {
223 0 : DBG_WARNING("Out of memory\n");
224 : }
225 : }
226 : }
227 :
228 0 : printf("-------------- Security Descriptor (revision: %d, type: 0x%02x)\n",
229 0 : sd->revision,
230 0 : sd->type);
231 :
232 0 : printf("owner SID: %s\n", sd->owner_sid ?
233 0 : dom_sid_str_buf(sd->owner_sid, &buf) : "(null)");
234 0 : printf("group SID: %s\n", sd->group_sid ?
235 0 : dom_sid_str_buf(sd->group_sid, &buf) : "(null)");
236 :
237 0 : ads_disp_acl(sd->sacl, "system");
238 0 : if (sd->sacl) {
239 0 : for (i = 0; i < sd->sacl->num_aces; i ++) {
240 0 : ads_disp_ace(ads, mem_ctx, &sd->sacl->aces[i]);
241 : }
242 : }
243 :
244 0 : ads_disp_acl(sd->dacl, "user");
245 0 : if (sd->dacl) {
246 0 : for (i = 0; i < sd->dacl->num_aces; i ++) {
247 0 : ads_disp_ace(ads, mem_ctx, &sd->dacl->aces[i]);
248 : }
249 : }
250 :
251 0 : printf("-------------- End Of Security Descriptor\n");
252 : }
253 :
254 : #endif
|
