1/* 2 Unix SMB/CIFS implementation. 3 Samba utility functions 4 Copyright (C) Andrew Tridgell 1992-1999 5 Copyright (C) Luke Kenneth Casson Leighton 1996 - 1999 6 7 This program is free software; you can redistribute it and/or modify 8 it under the terms of the GNU General Public License as published by 9 the Free Software Foundation; either version 3 of the License, or 10 (at your option) any later version. 11 12 This program is distributed in the hope that it will be useful, 13 but WITHOUT ANY WARRANTY; without even the implied warranty of 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 GNU General Public License for more details. 16 17 You should have received a copy of the GNU General Public License 18 along with this program. If not, see <http://www.gnu.org/licenses/>. 19*/ 20 21#include "includes.h" 22#include "librpc/gen_ndr/security.h" 23#include "libcli/security/secace.h" 24#include "libcli/security/dom_sid.h" 25#include "librpc/ndr/libndr.h" 26 27/**************************************************************************** 28convert a security permissions into a string 29****************************************************************************/ 30 31char *get_sec_mask_str(TALLOC_CTX *ctx, uint32_t type) 32{ 33 char *typestr = talloc_strdup(ctx, ""); 34 35 if (!typestr) { 36 return NULL; 37 } 38 39 if (type & SEC_GENERIC_ALL) { 40 typestr = talloc_asprintf_append(typestr, 41 "Generic all access "); 42 if (!typestr) { 43 return NULL; 44 } 45 } 46 if (type & SEC_GENERIC_EXECUTE) { 47 typestr = talloc_asprintf_append(typestr, 48 "Generic execute access"); 49 if (!typestr) { 50 return NULL; 51 } 52 } 53 if (type & SEC_GENERIC_WRITE) { 54 typestr = talloc_asprintf_append(typestr, 55 "Generic write access "); 56 if (!typestr) { 57 return NULL; 58 } 59 } 60 if (type & SEC_GENERIC_READ) { 61 typestr = talloc_asprintf_append(typestr, 62 "Generic read access "); 63 if (!typestr) { 64 return NULL; 65 } 66 } 67 if (type & SEC_FLAG_MAXIMUM_ALLOWED) { 68 typestr = talloc_asprintf_append(typestr, 69 "MAXIMUM_ALLOWED_ACCESS "); 70 if (!typestr) { 71 return NULL; 72 } 73 } 74 if (type & SEC_FLAG_SYSTEM_SECURITY) { 75 typestr = talloc_asprintf_append(typestr, 76 "SYSTEM_SECURITY_ACCESS "); 77 if (!typestr) { 78 return NULL; 79 } 80 } 81 if (type & SEC_STD_SYNCHRONIZE) { 82 typestr = talloc_asprintf_append(typestr, 83 "SYNCHRONIZE_ACCESS "); 84 if (!typestr) { 85 return NULL; 86 } 87 } 88 if (type & SEC_STD_WRITE_OWNER) { 89 typestr = talloc_asprintf_append(typestr, 90 "WRITE_OWNER_ACCESS "); 91 if (!typestr) { 92 return NULL; 93 } 94 } 95 if (type & SEC_STD_WRITE_DAC) { 96 typestr = talloc_asprintf_append(typestr, 97 "WRITE_DAC_ACCESS "); 98 if (!typestr) { 99 return NULL; 100 } 101 } 102 if (type & SEC_STD_READ_CONTROL) { 103 typestr = talloc_asprintf_append(typestr, 104 "READ_CONTROL_ACCESS "); 105 if (!typestr) { 106 return NULL; 107 } 108 } 109 if (type & SEC_STD_DELETE) { 110 typestr = talloc_asprintf_append(typestr, 111 "DELETE_ACCESS "); 112 if (!typestr) { 113 return NULL; 114 } 115 } 116 117 printf("\t\tSpecific bits: 0x%lx\n", (unsigned long)type&SEC_MASK_SPECIFIC); 118 119 return typestr; 120} 121 122/**************************************************************************** 123 display sec_access structure 124 ****************************************************************************/ 125void display_sec_access(uint32_t *info) 126{ 127 char *mask_str = get_sec_mask_str(NULL, *info); 128 printf("\t\tPermissions: 0x%x: %s\n", *info, mask_str ? mask_str : ""); 129 talloc_free(mask_str); 130} 131 132/**************************************************************************** 133 display sec_ace flags 134 ****************************************************************************/ 135void display_sec_ace_flags(uint8_t flags) 136{ 137 if (flags & SEC_ACE_FLAG_OBJECT_INHERIT) 138 printf("SEC_ACE_FLAG_OBJECT_INHERIT "); 139 if (flags & SEC_ACE_FLAG_CONTAINER_INHERIT) 140 printf(" SEC_ACE_FLAG_CONTAINER_INHERIT "); 141 if (flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) 142 printf("SEC_ACE_FLAG_NO_PROPAGATE_INHERIT "); 143 if (flags & SEC_ACE_FLAG_INHERIT_ONLY) 144 printf("SEC_ACE_FLAG_INHERIT_ONLY "); 145 if (flags & SEC_ACE_FLAG_INHERITED_ACE) 146 printf("SEC_ACE_FLAG_INHERITED_ACE "); 147/* if (flags & SEC_ACE_FLAG_VALID_INHERIT) 148 printf("SEC_ACE_FLAG_VALID_INHERIT "); */ 149 if (flags & SEC_ACE_FLAG_SUCCESSFUL_ACCESS) 150 printf("SEC_ACE_FLAG_SUCCESSFUL_ACCESS "); 151 if (flags & SEC_ACE_FLAG_FAILED_ACCESS) 152 printf("SEC_ACE_FLAG_FAILED_ACCESS "); 153 154 printf("\n"); 155} 156 157/**************************************************************************** 158 display sec_ace object 159 ****************************************************************************/ 160static void disp_sec_ace_object(struct security_ace_object *object) 161{ 162 if (object->flags & SEC_ACE_OBJECT_TYPE_PRESENT) { 163 printf("Object type: SEC_ACE_OBJECT_TYPE_PRESENT\n"); 164 printf("Object GUID: %s\n", GUID_string(talloc_tos(), 165 &object->type.type)); 166 } 167 if (object->flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) { 168 printf("Object type: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT\n"); 169 printf("Object GUID: %s\n", GUID_string(talloc_tos(), 170 &object->inherited_type.inherited_type)); 171 } 172} 173 174/**************************************************************************** 175 display sec_ace structure 176 ****************************************************************************/ 177void display_sec_ace(struct security_ace *ace) 178{ 179 char *sid_str; 180 181 printf("\tACE\n\t\ttype: "); 182 switch (ace->type) { 183 case SEC_ACE_TYPE_ACCESS_ALLOWED: 184 printf("ACCESS ALLOWED"); 185 break; 186 case SEC_ACE_TYPE_ACCESS_DENIED: 187 printf("ACCESS DENIED"); 188 break; 189 case SEC_ACE_TYPE_SYSTEM_AUDIT: 190 printf("SYSTEM AUDIT"); 191 break; 192 case SEC_ACE_TYPE_SYSTEM_ALARM: 193 printf("SYSTEM ALARM"); 194 break; 195 case SEC_ACE_TYPE_ALLOWED_COMPOUND: 196 printf("SEC_ACE_TYPE_ALLOWED_COMPOUND"); 197 break; 198 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: 199 printf("SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT"); 200 break; 201 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: 202 printf("SEC_ACE_TYPE_ACCESS_DENIED_OBJECT"); 203 break; 204 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT: 205 printf("SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT"); 206 break; 207 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT: 208 printf("SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT"); 209 break; 210 default: 211 printf("????"); 212 break; 213 } 214 215 printf(" (%d) flags: 0x%02x ", ace->type, ace->flags); 216 display_sec_ace_flags(ace->flags); 217 display_sec_access(&ace->access_mask); 218 sid_str = dom_sid_string(NULL, &ace->trustee); 219 printf("\t\tSID: %s\n\n", sid_str); 220 talloc_free(sid_str); 221 222 if (sec_ace_object(ace->type)) { 223 disp_sec_ace_object(&ace->object.object); 224 } 225 226} 227 228/**************************************************************************** 229 display sec_acl structure 230 ****************************************************************************/ 231void display_sec_acl(struct security_acl *sec_acl) 232{ 233 int i; 234 235 printf("\tACL\tNum ACEs:\t%d\trevision:\t%x\n", 236 sec_acl->num_aces, sec_acl->revision); 237 printf("\t---\n"); 238 239 if (sec_acl->size != 0 && sec_acl->num_aces != 0) { 240 for (i = 0; i < sec_acl->num_aces; i++) { 241 display_sec_ace(&sec_acl->aces[i]); 242 } 243 } 244} 245 246void display_acl_type(uint16_t type) 247{ 248 printf("type: 0x%04x: ", type); 249 250 if (type & SEC_DESC_OWNER_DEFAULTED) /* 0x0001 */ 251 printf("SEC_DESC_OWNER_DEFAULTED "); 252 if (type & SEC_DESC_GROUP_DEFAULTED) /* 0x0002 */ 253 printf("SEC_DESC_GROUP_DEFAULTED "); 254 if (type & SEC_DESC_DACL_PRESENT) /* 0x0004 */ 255 printf("SEC_DESC_DACL_PRESENT "); 256 if (type & SEC_DESC_DACL_DEFAULTED) /* 0x0008 */ 257 printf("SEC_DESC_DACL_DEFAULTED "); 258 if (type & SEC_DESC_SACL_PRESENT) /* 0x0010 */ 259 printf("SEC_DESC_SACL_PRESENT "); 260 if (type & SEC_DESC_SACL_DEFAULTED) /* 0x0020 */ 261 printf("SEC_DESC_SACL_DEFAULTED "); 262 if (type & SEC_DESC_DACL_TRUSTED) /* 0x0040 */ 263 printf("SEC_DESC_DACL_TRUSTED "); 264 if (type & SEC_DESC_SERVER_SECURITY) /* 0x0080 */ 265 printf("SEC_DESC_SERVER_SECURITY "); 266 if (type & SEC_DESC_DACL_AUTO_INHERIT_REQ) /* 0x0100 */ 267 printf("SEC_DESC_DACL_AUTO_INHERIT_REQ "); 268 if (type & SEC_DESC_SACL_AUTO_INHERIT_REQ) /* 0x0200 */ 269 printf("SEC_DESC_SACL_AUTO_INHERIT_REQ "); 270 if (type & SEC_DESC_DACL_AUTO_INHERITED) /* 0x0400 */ 271 printf("SEC_DESC_DACL_AUTO_INHERITED "); 272 if (type & SEC_DESC_SACL_AUTO_INHERITED) /* 0x0800 */ 273 printf("SEC_DESC_SACL_AUTO_INHERITED "); 274 if (type & SEC_DESC_DACL_PROTECTED) /* 0x1000 */ 275 printf("SEC_DESC_DACL_PROTECTED "); 276 if (type & SEC_DESC_SACL_PROTECTED) /* 0x2000 */ 277 printf("SEC_DESC_SACL_PROTECTED "); 278 if (type & SEC_DESC_RM_CONTROL_VALID) /* 0x4000 */ 279 printf("SEC_DESC_RM_CONTROL_VALID "); 280 if (type & SEC_DESC_SELF_RELATIVE) /* 0x8000 */ 281 printf("SEC_DESC_SELF_RELATIVE "); 282 283 printf("\n"); 284} 285 286/**************************************************************************** 287 display sec_desc structure 288 ****************************************************************************/ 289void display_sec_desc(struct security_descriptor *sec) 290{ 291 char *sid_str; 292 293 if (!sec) { 294 printf("NULL\n"); 295 return; 296 } 297 298 printf("revision: %d\n", sec->revision); 299 display_acl_type(sec->type); 300 301 if (sec->sacl) { 302 printf("SACL\n"); 303 display_sec_acl(sec->sacl); 304 } 305 306 if (sec->dacl) { 307 printf("DACL\n"); 308 display_sec_acl(sec->dacl); 309 } 310 311 if (sec->owner_sid) { 312 sid_str = dom_sid_string(NULL, sec->owner_sid); 313 printf("\tOwner SID:\t%s\n", sid_str); 314 talloc_free(sid_str); 315 } 316 317 if (sec->group_sid) { 318 sid_str = dom_sid_string(NULL, sec->group_sid); 319 printf("\tGroup SID:\t%s\n", sid_str); 320 talloc_free(sid_str); 321 } 322} 323