1/* 2 Unix SMB/Netbios implementation. 3 Version 1.9. 4 Security context tests 5 Copyright (C) Tim Potter 2000 6 7 This program is free software; you can redistribute it and/or modify 8 it under the terms of the GNU General Public License as published by 9 the Free Software Foundation; either version 3 of the License, or 10 (at your option) any later version. 11 12 This program is distributed in the hope that it will be useful, 13 but WITHOUT ANY WARRANTY; without even the implied warranty of 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 GNU General Public License for more details. 16 17 You should have received a copy of the GNU General Public License 18 along with this program. If not, see <http://www.gnu.org/licenses/>. 19*/ 20 21#include "includes.h" 22#include "se_access_check_utils.h" 23 24/* Globals */ 25 26BOOL failed; 27SEC_DESC *sd; 28 29struct ace_entry acl_printer[] = { 30 31 /* Everyone is allowed to print */ 32 33 { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT, 34 PRINTER_ACE_PRINT, "S-1-1-0" }, 35 36 /* Except for user0 who uses too much paper */ 37 38 { SEC_ACE_TYPE_ACCESS_DENIED, SEC_ACE_FLAG_CONTAINER_INHERIT, 39 PRINTER_ACE_FULL_CONTROL, "user0" }, 40 41 /* Users 1 and 2 can manage documents */ 42 43 { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT, 44 PRINTER_ACE_MANAGE_DOCUMENTS, "user1" }, 45 46 { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT, 47 PRINTER_ACE_MANAGE_DOCUMENTS, "user2" }, 48 49 /* Domain Admins can also manage documents */ 50 51 { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT, 52 PRINTER_ACE_MANAGE_DOCUMENTS, "Domain Admins" }, 53 54 /* User 3 is da man */ 55 56 { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT, 57 PRINTER_ACE_FULL_CONTROL, "user3" }, 58 59 { 0, 0, 0, NULL} 60}; 61 62BOOL test_user(char *username, uint32 acc_desired, uint32 *acc_granted) 63{ 64 struct passwd *pw; 65 uint32 status; 66 67 if (!(pw = getpwnam(username))) { 68 printf("FAIL: could not lookup user info for %s\n", 69 username); 70 exit(1); 71 } 72 73 return se_access_check(sd, pw->pw_uid, pw->pw_gid, 0, NULL, 74 acc_desired, acc_granted, &status); 75} 76 77static char *pace_str(uint32 ace_flags) 78{ 79 if ((ace_flags & PRINTER_ACE_FULL_CONTROL) == 80 PRINTER_ACE_FULL_CONTROL) return "full control"; 81 82 if ((ace_flags & PRINTER_ACE_MANAGE_DOCUMENTS) == 83 PRINTER_ACE_MANAGE_DOCUMENTS) return "manage documents"; 84 85 if ((ace_flags & PRINTER_ACE_PRINT) == PRINTER_ACE_PRINT) 86 return "print"; 87 88 return "UNKNOWN"; 89} 90 91uint32 perms[] = { 92 PRINTER_ACE_PRINT, 93 PRINTER_ACE_FULL_CONTROL, 94 PRINTER_ACE_MANAGE_DOCUMENTS, 95 0 96}; 97 98void runtest(void) 99{ 100 uint32 acc_granted; 101 BOOL result; 102 int i, j; 103 104 for (i = 0; perms[i]; i++) { 105 106 /* Test 10 users */ 107 108 for (j = 0; j < 10; j++) { 109 fstring name; 110 111 /* Test user against ACL */ 112 113 snprintf(name, sizeof(fstring), "%s/user%d", 114 getenv("TEST_WORKGROUP"), j); 115 116 result = test_user(name, perms[i], &acc_granted); 117 118 printf("%s: %s %s 0x%08x\n", name, 119 pace_str(perms[i]), 120 result ? "TRUE " : "FALSE", acc_granted); 121 122 /* Check results */ 123 124 switch (perms[i]) { 125 126 case PRINTER_ACE_PRINT: { 127 if (!result || acc_granted != 128 PRINTER_ACE_PRINT) { 129 printf("FAIL: user %s can't print\n", 130 name); 131 failed = True; 132 } 133 break; 134 } 135 136 case PRINTER_ACE_FULL_CONTROL: { 137 if (j == 3) { 138 if (!result || acc_granted != 139 PRINTER_ACE_FULL_CONTROL) { 140 printf("FAIL: user %s doesn't " 141 "have full control\n", 142 name); 143 failed = True; 144 } 145 } else { 146 if (result || acc_granted != 0) { 147 printf("FAIL: user %s has full " 148 "control\n", name); 149 failed = True; 150 } 151 } 152 break; 153 } 154 case PRINTER_ACE_MANAGE_DOCUMENTS: { 155 if (j == 1 || j == 2) { 156 if (!result || acc_granted != 157 PRINTER_ACE_MANAGE_DOCUMENTS) { 158 printf("FAIL: user %s can't " 159 "manage documents\n", 160 name); 161 failed = True; 162 } 163 } else { 164 if (result || acc_granted != 0) { 165 printf("FAIL: user %s can " 166 "manage documents\n", 167 name); 168 failed = True; 169 } 170 } 171 break; 172 } 173 174 default: 175 printf("FAIL: internal error\n"); 176 exit(1); 177 } 178 } 179 } 180} 181 182/* Main function */ 183 184int main(int argc, char **argv) 185{ 186 /* Initialisation */ 187 188 generate_wellknown_sids(); 189 190 /* Create security descriptor */ 191 192 sd = build_sec_desc(acl_printer, NULL, NULL_SID, NULL_SID); 193 194 if (!sd) { 195 printf("FAIL: could not build security descriptor\n"); 196 return 1; 197 } 198 199 /* Run test */ 200 201 runtest(); 202 203 /* Return */ 204 205 if (!failed) { 206 printf("PASS\n"); 207 return 0; 208 } 209 210 return 1; 211} 212