1/* 2 Unix SMB/Netbios implementation. 3 Version 1.9. 4 Security context tests 5 Copyright (C) Tim Potter 2000 6 7 This program is free software; you can redistribute it and/or modify 8 it under the terms of the GNU General Public License as published by 9 the Free Software Foundation; either version 2 of the License, or 10 (at your option) any later version. 11 12 This program is distributed in the hope that it will be useful, 13 but WITHOUT ANY WARRANTY; without even the implied warranty of 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 GNU General Public License for more details. 16 17 You should have received a copy of the GNU General Public License 18 along with this program; if not, write to the Free Software 19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 20*/ 21 22#include "includes.h" 23#include "se_access_check_utils.h" 24 25/* Globals */ 26 27BOOL failed; 28SEC_DESC *sd; 29 30struct ace_entry acl_printer[] = { 31 32 /* Everyone is allowed to print */ 33 34 { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT, 35 PRINTER_ACE_PRINT, "S-1-1-0" }, 36 37 /* Except for user0 who uses too much paper */ 38 39 { SEC_ACE_TYPE_ACCESS_DENIED, SEC_ACE_FLAG_CONTAINER_INHERIT, 40 PRINTER_ACE_FULL_CONTROL, "user0" }, 41 42 /* Users 1 and 2 can manage documents */ 43 44 { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT, 45 PRINTER_ACE_MANAGE_DOCUMENTS, "user1" }, 46 47 { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT, 48 PRINTER_ACE_MANAGE_DOCUMENTS, "user2" }, 49 50 /* Domain Admins can also manage documents */ 51 52 { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT, 53 PRINTER_ACE_MANAGE_DOCUMENTS, "Domain Admins" }, 54 55 /* User 3 is da man */ 56 57 { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT, 58 PRINTER_ACE_FULL_CONTROL, "user3" }, 59 60 { 0, 0, 0, NULL} 61}; 62 63BOOL test_user(char *username, uint32 acc_desired, uint32 *acc_granted) 64{ 65 struct passwd *pw; 66 uint32 status; 67 68 if (!(pw = getpwnam(username))) { 69 printf("FAIL: could not lookup user info for %s\n", 70 username); 71 exit(1); 72 } 73 74 return se_access_check(sd, pw->pw_uid, pw->pw_gid, 0, NULL, 75 acc_desired, acc_granted, &status); 76} 77 78static char *pace_str(uint32 ace_flags) 79{ 80 if ((ace_flags & PRINTER_ACE_FULL_CONTROL) == 81 PRINTER_ACE_FULL_CONTROL) return "full control"; 82 83 if ((ace_flags & PRINTER_ACE_MANAGE_DOCUMENTS) == 84 PRINTER_ACE_MANAGE_DOCUMENTS) return "manage documents"; 85 86 if ((ace_flags & PRINTER_ACE_PRINT) == PRINTER_ACE_PRINT) 87 return "print"; 88 89 return "UNKNOWN"; 90} 91 92uint32 perms[] = { 93 PRINTER_ACE_PRINT, 94 PRINTER_ACE_FULL_CONTROL, 95 PRINTER_ACE_MANAGE_DOCUMENTS, 96 0 97}; 98 99void runtest(void) 100{ 101 uint32 acc_granted; 102 BOOL result; 103 int i, j; 104 105 for (i = 0; perms[i]; i++) { 106 107 /* Test 10 users */ 108 109 for (j = 0; j < 10; j++) { 110 fstring name; 111 112 /* Test user against ACL */ 113 114 snprintf(name, sizeof(fstring), "%s/user%d", 115 getenv("TEST_WORKGROUP"), j); 116 117 result = test_user(name, perms[i], &acc_granted); 118 119 printf("%s: %s %s 0x%08x\n", name, 120 pace_str(perms[i]), 121 result ? "TRUE " : "FALSE", acc_granted); 122 123 /* Check results */ 124 125 switch (perms[i]) { 126 127 case PRINTER_ACE_PRINT: { 128 if (!result || acc_granted != 129 PRINTER_ACE_PRINT) { 130 printf("FAIL: user %s can't print\n", 131 name); 132 failed = True; 133 } 134 break; 135 } 136 137 case PRINTER_ACE_FULL_CONTROL: { 138 if (j == 3) { 139 if (!result || acc_granted != 140 PRINTER_ACE_FULL_CONTROL) { 141 printf("FAIL: user %s doesn't " 142 "have full control\n", 143 name); 144 failed = True; 145 } 146 } else { 147 if (result || acc_granted != 0) { 148 printf("FAIL: user %s has full " 149 "control\n", name); 150 failed = True; 151 } 152 } 153 break; 154 } 155 case PRINTER_ACE_MANAGE_DOCUMENTS: { 156 if (j == 1 || j == 2) { 157 if (!result || acc_granted != 158 PRINTER_ACE_MANAGE_DOCUMENTS) { 159 printf("FAIL: user %s can't " 160 "manage documents\n", 161 name); 162 failed = True; 163 } 164 } else { 165 if (result || acc_granted != 0) { 166 printf("FAIL: user %s can " 167 "manage documents\n", 168 name); 169 failed = True; 170 } 171 } 172 break; 173 } 174 175 default: 176 printf("FAIL: internal error\n"); 177 exit(1); 178 } 179 } 180 } 181} 182 183/* Main function */ 184 185int main(int argc, char **argv) 186{ 187 /* Initialisation */ 188 189 generate_wellknown_sids(); 190 191 /* Create security descriptor */ 192 193 sd = build_sec_desc(acl_printer, NULL, NULL_SID, NULL_SID); 194 195 if (!sd) { 196 printf("FAIL: could not build security descriptor\n"); 197 return 1; 198 } 199 200 /* Run test */ 201 202 runtest(); 203 204 /* Return */ 205 206 if (!failed) { 207 printf("PASS\n"); 208 return 0; 209 } 210 211 return 1; 212} 213