LCOV - code coverage report
Current view: top level - source3/libads - disp_sec.c (source / functions) Hit Total Coverage
Test: coverage report for v4-17-test 1498b464 Lines: 0 105 0.0 %
Date: 2024-06-13 04:01:37 Functions: 0 6 0.0 %

          Line data    Source code
       1             : /* 
       2             :    Unix SMB/CIFS implementation.
       3             :    Samba utility functions. ADS stuff
       4             :    Copyright (C) Alexey Kotovich 2002
       5             :    
       6             :    This program is free software; you can redistribute it and/or modify
       7             :    it under the terms of the GNU General Public License as published by
       8             :    the Free Software Foundation; either version 3 of the License, or
       9             :    (at your option) any later version.
      10             :    
      11             :    This program is distributed in the hope that it will be useful, 
      12             :    but WITHOUT ANY WARRANTY; without even the implied warranty of
      13             :    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      14             :    GNU General Public License for more details.
      15             :    
      16             :    You should have received a copy of the GNU General Public License
      17             :    along with this program.  If not, see <http://www.gnu.org/licenses/>.
      18             : */
      19             : 
      20             : #include "includes.h"
      21             : #include "ads.h"
      22             : #include "libads/ldap_schema.h"
      23             : #include "../libcli/security/secace.h"
      24             : #include "../librpc/ndr/libndr.h"
      25             : #include "libcli/security/dom_sid.h"
      26             : 
      27             : /* for ADS */
      28             : #define SEC_RIGHTS_FULL_CTRL            0xf01ff
      29             : 
      30             : #ifdef HAVE_LDAP
      31             : 
      32             : static struct perm_mask_str {
      33             :         uint32_t  mask;
      34             :         const char   *str;
      35             : } perms[] = {
      36             :         {SEC_RIGHTS_FULL_CTRL,          "[Full Control]"},
      37             : 
      38             :         {SEC_ADS_LIST,                  "[List Contents]"},
      39             :         {SEC_ADS_LIST_OBJECT,           "[List Object]"},
      40             : 
      41             :         {SEC_ADS_READ_PROP,             "[Read All Properties]"},
      42             :         {SEC_STD_READ_CONTROL,          "[Read Permissions]"},
      43             : 
      44             :         {SEC_ADS_SELF_WRITE,            "[All validate writes]"},
      45             :         {SEC_ADS_WRITE_PROP,            "[Write All Properties]"},
      46             : 
      47             :         {SEC_STD_WRITE_DAC,             "[Modify Permissions]"},
      48             :         {SEC_STD_WRITE_OWNER,           "[Modify Owner]"},
      49             : 
      50             :         {SEC_ADS_CREATE_CHILD,          "[Create All Child Objects]"},
      51             : 
      52             :         {SEC_STD_DELETE,                "[Delete]"},
      53             :         {SEC_ADS_DELETE_TREE,           "[Delete Subtree]"},
      54             :         {SEC_ADS_DELETE_CHILD,          "[Delete All Child Objects]"},
      55             : 
      56             :         {SEC_ADS_CONTROL_ACCESS,        "[Change Password]"},
      57             :         {SEC_ADS_CONTROL_ACCESS,        "[Reset Password]"},
      58             : 
      59             :         {0,                             0}
      60             : };
      61             : 
      62             : /* convert a security permissions into a string */
      63           0 : static void ads_disp_perms(uint32_t type)
      64             : {
      65           0 :         int i = 0;
      66           0 :         int j = 0;
      67             : 
      68           0 :         printf("Permissions: ");
      69             :         
      70           0 :         if (type == SEC_RIGHTS_FULL_CTRL) {
      71           0 :                 printf("%s\n", perms[j].str);
      72           0 :                 return;
      73             :         }
      74             : 
      75           0 :         for (i = 0; i < 32; i++) {
      76           0 :                 if (type & ((uint32_t)1 << i)) {
      77           0 :                         for (j = 1; perms[j].str; j ++) {
      78           0 :                                 if (perms[j].mask == (((unsigned) 1) << i)) {
      79           0 :                                         printf("\n\t%s (0x%08x)", perms[j].str, perms[j].mask);
      80             :                                 }       
      81             :                         }
      82           0 :                         type &= ~(1 << i);
      83             :                 }
      84             :         }
      85             : 
      86             :         /* remaining bits get added on as-is */
      87           0 :         if (type != 0) {
      88           0 :                 printf("[%08x]", type);
      89             :         }
      90           0 :         puts("");
      91             : }
      92             : 
      93           0 : static const char *ads_interprete_guid_from_object(ADS_STRUCT *ads, 
      94             :                                                    TALLOC_CTX *mem_ctx, 
      95             :                                                    const struct GUID *guid)
      96             : {
      97           0 :         const char *ret = NULL;
      98             : 
      99           0 :         if (!ads || !mem_ctx) {
     100           0 :                 return NULL;
     101             :         }
     102             : 
     103           0 :         ret = ads_get_attrname_by_guid(ads, ads->config.schema_path, 
     104             :                                        mem_ctx, guid);
     105           0 :         if (ret) {
     106           0 :                 return talloc_asprintf(mem_ctx, "LDAP attribute: \"%s\"", ret);
     107             :         }
     108             : 
     109           0 :         ret = ads_get_extended_right_name_by_guid(ads, ads->config.config_path,
     110             :                                                   mem_ctx, guid);
     111             : 
     112           0 :         if (ret) {
     113           0 :                 return talloc_asprintf(mem_ctx, "Extended right: \"%s\"", ret);
     114             :         }
     115             : 
     116           0 :         return ret;
     117             : }
     118             : 
     119           0 : static void ads_disp_sec_ace_object(ADS_STRUCT *ads, 
     120             :                                     TALLOC_CTX *mem_ctx, 
     121             :                                     struct security_ace_object *object)
     122             : {
     123           0 :         if (object->flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
     124           0 :                 printf("Object type: SEC_ACE_OBJECT_TYPE_PRESENT\n");
     125           0 :                 printf("Object GUID: %s (%s)\n", GUID_string(mem_ctx, 
     126           0 :                         &object->type.type), 
     127             :                         ads_interprete_guid_from_object(ads, mem_ctx, 
     128           0 :                                 &object->type.type));
     129             :         }
     130           0 :         if (object->flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
     131           0 :                 printf("Object type: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT\n");
     132           0 :                 printf("Object GUID: %s (%s)\n", GUID_string(mem_ctx,
     133           0 :                         &object->inherited_type.inherited_type),
     134             :                         ads_interprete_guid_from_object(ads, mem_ctx, 
     135           0 :                                 &object->inherited_type.inherited_type));
     136             :         }
     137           0 : }
     138             : 
     139             : /* display ACE */
     140           0 : static void ads_disp_ace(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_ace *sec_ace)
     141             : {
     142           0 :         const char *access_type = "UNKNOWN";
     143             :         struct dom_sid_buf sidbuf;
     144             : 
     145           0 :         if (!sec_ace_object(sec_ace->type)) {
     146           0 :                 printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x)\n", 
     147           0 :                   sec_ace->type,
     148           0 :                   sec_ace->flags,
     149           0 :                   sec_ace->size,
     150             :                   sec_ace->access_mask);                     
     151             :         } else {
     152           0 :                 printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x, object flags: 0x%x)\n", 
     153           0 :                   sec_ace->type,
     154           0 :                   sec_ace->flags,
     155           0 :                   sec_ace->size,
     156             :                   sec_ace->access_mask,
     157             :                   sec_ace->object.object.flags);
     158             :         }
     159             :         
     160           0 :         if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) {
     161           0 :                 access_type = "ALLOWED";
     162           0 :         } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED) {
     163           0 :                 access_type = "DENIED";
     164           0 :         } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT) {
     165           0 :                 access_type = "SYSTEM AUDIT";
     166           0 :         } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
     167           0 :                 access_type = "ALLOWED OBJECT";
     168           0 :         } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) {
     169           0 :                 access_type = "DENIED OBJECT";
     170           0 :         } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT) {
     171           0 :                 access_type = "AUDIT OBJECT";
     172             :         }
     173             : 
     174           0 :         printf("access SID:  %s\naccess type: %s\n",
     175           0 :                dom_sid_str_buf(&sec_ace->trustee, &sidbuf),
     176             :                access_type);
     177             : 
     178           0 :         if (sec_ace_object(sec_ace->type)) {
     179           0 :                 ads_disp_sec_ace_object(ads, mem_ctx, &sec_ace->object.object);
     180             :         }
     181             : 
     182           0 :         ads_disp_perms(sec_ace->access_mask);
     183           0 : }
     184             : 
     185             : /* display ACL */
     186           0 : static void ads_disp_acl(struct security_acl *sec_acl, const char *type)
     187             : {
     188           0 :         if (!sec_acl)
     189           0 :                 printf("------- (%s) ACL not present\n", type);
     190             :         else {
     191           0 :                 printf("------- (%s) ACL (revision: %d, size: %d, number of ACEs: %d)\n", 
     192             :                        type,
     193           0 :                        sec_acl->revision,
     194           0 :                        sec_acl->size,
     195             :                        sec_acl->num_aces);                   
     196             :         }
     197           0 : }
     198             : 
     199             : /* display SD */
     200           0 : void ads_disp_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_descriptor *sd)
     201             : {
     202             :         uint32_t i;
     203           0 :         char *tmp_path = NULL;
     204             :         struct dom_sid_buf buf;
     205             : 
     206           0 :         if (!sd) {
     207           0 :                 return;
     208             :         }
     209             : 
     210           0 :         if (ads && !ads->config.schema_path) {
     211           0 :                 if (ADS_ERR_OK(ads_schema_path(ads, mem_ctx, &tmp_path))) {
     212           0 :                         ads->config.schema_path = talloc_strdup(ads, tmp_path);
     213           0 :                         if (ads->config.schema_path == NULL) {
     214           0 :                                 DBG_WARNING("Out of memory\n");
     215             :                         }
     216             :                 }
     217             :         }
     218             : 
     219           0 :         if (ads && !ads->config.config_path) {
     220           0 :                 if (ADS_ERR_OK(ads_config_path(ads, mem_ctx, &tmp_path))) {
     221           0 :                         ads->config.config_path = talloc_strdup(ads, tmp_path);
     222           0 :                         if (ads->config.config_path == NULL) {
     223           0 :                                 DBG_WARNING("Out of memory\n");
     224             :                         }
     225             :                 }
     226             :         }
     227             : 
     228           0 :         printf("-------------- Security Descriptor (revision: %d, type: 0x%02x)\n", 
     229           0 :                sd->revision,
     230           0 :                sd->type);
     231             : 
     232           0 :         printf("owner SID: %s\n", sd->owner_sid ? 
     233           0 :                dom_sid_str_buf(sd->owner_sid, &buf) : "(null)");
     234           0 :         printf("group SID: %s\n", sd->group_sid ?
     235           0 :                dom_sid_str_buf(sd->group_sid, &buf) : "(null)");
     236             : 
     237           0 :         ads_disp_acl(sd->sacl, "system");
     238           0 :         if (sd->sacl) {
     239           0 :                 for (i = 0; i < sd->sacl->num_aces; i ++) {
     240           0 :                         ads_disp_ace(ads, mem_ctx, &sd->sacl->aces[i]);
     241             :                 }
     242             :         }
     243             :         
     244           0 :         ads_disp_acl(sd->dacl, "user");
     245           0 :         if (sd->dacl) {
     246           0 :                 for (i = 0; i < sd->dacl->num_aces; i ++) {
     247           0 :                         ads_disp_ace(ads, mem_ctx, &sd->dacl->aces[i]);
     248             :                 }
     249             :         }
     250             : 
     251           0 :         printf("-------------- End Of Security Descriptor\n");
     252             : }
     253             : 
     254             : #endif

Generated by: LCOV version 1.13