1/*
2   Unix SMB/Netbios implementation.
3   Version 1.9.
4   Security context tests
5   Copyright (C) Tim Potter 2000
6
7   This program is free software; you can redistribute it and/or modify
8   it under the terms of the GNU General Public License as published by
9   the Free Software Foundation; either version 2 of the License, or
10   (at your option) any later version.
11
12   This program is distributed in the hope that it will be useful,
13   but WITHOUT ANY WARRANTY; without even the implied warranty of
14   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15   GNU General Public License for more details.
16
17   You should have received a copy of the GNU General Public License
18   along with this program; if not, write to the Free Software
19   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20*/
21
22#include "includes.h"
23#include "se_access_check_utils.h"
24
25/* Globals */
26
27BOOL failed;
28SEC_DESC *sd;
29
30struct ace_entry acl_printer[] = {
31
32	/* Everyone is allowed to print */
33
34	{ SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
35	  PRINTER_ACE_PRINT, "S-1-1-0" },
36
37	/* Except for user0 who uses too much paper */
38
39	{ SEC_ACE_TYPE_ACCESS_DENIED, SEC_ACE_FLAG_CONTAINER_INHERIT,
40	  PRINTER_ACE_FULL_CONTROL, "user0" },
41
42	/* Users 1 and 2 can manage documents */
43
44	{ SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
45	  PRINTER_ACE_MANAGE_DOCUMENTS, "user1" },
46
47	{ SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
48	  PRINTER_ACE_MANAGE_DOCUMENTS, "user2" },
49
50	/* Domain Admins can also manage documents */
51
52	{ SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
53	  PRINTER_ACE_MANAGE_DOCUMENTS, "Domain Admins" },
54
55	/* User 3 is da man */
56
57	{ SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
58	  PRINTER_ACE_FULL_CONTROL, "user3" },
59
60	{ 0, 0, 0, NULL}
61};
62
63BOOL test_user(char *username, uint32 acc_desired, uint32 *acc_granted)
64{
65	struct passwd *pw;
66	uint32 status;
67
68	if (!(pw = getpwnam(username))) {
69		printf("FAIL: could not lookup user info for %s\n",
70		       username);
71		exit(1);
72	}
73
74	return se_access_check(sd, pw->pw_uid, pw->pw_gid, 0, NULL,
75			       acc_desired, acc_granted, &status);
76}
77
78static char *pace_str(uint32 ace_flags)
79{
80	if ((ace_flags & PRINTER_ACE_FULL_CONTROL) ==
81	    PRINTER_ACE_FULL_CONTROL) return "full control";
82
83	if ((ace_flags & PRINTER_ACE_MANAGE_DOCUMENTS) ==
84	    PRINTER_ACE_MANAGE_DOCUMENTS) return "manage documents";
85
86	if ((ace_flags & PRINTER_ACE_PRINT) == PRINTER_ACE_PRINT)
87		return "print";
88
89	return "UNKNOWN";
90}
91
92uint32 perms[] = {
93	PRINTER_ACE_PRINT,
94	PRINTER_ACE_FULL_CONTROL,
95	PRINTER_ACE_MANAGE_DOCUMENTS,
96	0
97};
98
99void runtest(void)
100{
101	uint32 acc_granted;
102	BOOL result;
103	int i, j;
104
105	for (i = 0; perms[i]; i++) {
106
107		/* Test 10 users */
108
109		for (j = 0; j < 10; j++) {
110			fstring name;
111
112			/* Test user against ACL */
113
114			snprintf(name, sizeof(fstring), "%s/user%d",
115				 getenv("TEST_WORKGROUP"), j);
116
117			result = test_user(name, perms[i], &acc_granted);
118
119			printf("%s: %s %s 0x%08x\n", name,
120			       pace_str(perms[i]),
121			       result ? "TRUE " : "FALSE", acc_granted);
122
123			/* Check results */
124
125			switch (perms[i]) {
126
127			case PRINTER_ACE_PRINT: {
128				if (!result || acc_granted !=
129				    PRINTER_ACE_PRINT) {
130					printf("FAIL: user %s can't print\n",
131					       name);
132					failed = True;
133				}
134				break;
135			}
136
137			case PRINTER_ACE_FULL_CONTROL: {
138				if (j == 3) {
139					if (!result || acc_granted !=
140					    PRINTER_ACE_FULL_CONTROL) {
141						printf("FAIL: user %s doesn't "
142						       "have full control\n",
143						       name);
144						failed = True;
145					}
146				} else {
147					if (result || acc_granted != 0) {
148						printf("FAIL: user %s has full "
149						       "control\n", name);
150						failed = True;
151					}
152				}
153				break;
154			}
155			case PRINTER_ACE_MANAGE_DOCUMENTS: {
156				if (j == 1 || j == 2) {
157					if (!result || acc_granted !=
158					    PRINTER_ACE_MANAGE_DOCUMENTS) {
159						printf("FAIL: user %s can't "
160						       "manage documents\n",
161						       name);
162						failed = True;
163					}
164				} else {
165					if (result || acc_granted != 0) {
166						printf("FAIL: user %s can "
167						       "manage documents\n",
168						       name);
169						failed = True;
170					}
171				}
172				break;
173			}
174
175			default:
176				printf("FAIL: internal error\n");
177				exit(1);
178			}
179		}
180	}
181}
182
183/* Main function */
184
185int main(int argc, char **argv)
186{
187	/* Initialisation */
188
189	generate_wellknown_sids();
190
191	/* Create security descriptor */
192
193	sd = build_sec_desc(acl_printer, NULL, NULL_SID, NULL_SID);
194
195	if (!sd) {
196		printf("FAIL: could not build security descriptor\n");
197		return 1;
198	}
199
200	/* Run test */
201
202	runtest();
203
204	/* Return */
205
206        if (!failed) {
207		printf("PASS\n");
208		return 0;
209	}
210
211	return 1;
212}
213