1/*
2   Unix SMB/CIFS implementation.
3   Samba utility functions
4   Copyright (C) Andrew Tridgell 1992-1999
5   Copyright (C) Luke Kenneth Casson Leighton 1996 - 1999
6
7   This program is free software; you can redistribute it and/or modify
8   it under the terms of the GNU General Public License as published by
9   the Free Software Foundation; either version 3 of the License, or
10   (at your option) any later version.
11
12   This program is distributed in the hope that it will be useful,
13   but WITHOUT ANY WARRANTY; without even the implied warranty of
14   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15   GNU General Public License for more details.
16
17   You should have received a copy of the GNU General Public License
18   along with this program.  If not, see <http://www.gnu.org/licenses/>.
19*/
20
21#include "includes.h"
22#include "librpc/gen_ndr/security.h"
23#include "libcli/security/secace.h"
24#include "libcli/security/dom_sid.h"
25#include "librpc/ndr/libndr.h"
26
27/****************************************************************************
28convert a security permissions into a string
29****************************************************************************/
30
31char *get_sec_mask_str(TALLOC_CTX *ctx, uint32_t type)
32{
33	char *typestr = talloc_strdup(ctx, "");
34
35	if (!typestr) {
36		return NULL;
37	}
38
39	if (type & SEC_GENERIC_ALL) {
40		typestr = talloc_asprintf_append(typestr,
41				"Generic all access ");
42		if (!typestr) {
43			return NULL;
44		}
45	}
46	if (type & SEC_GENERIC_EXECUTE) {
47		typestr = talloc_asprintf_append(typestr,
48				"Generic execute access");
49		if (!typestr) {
50			return NULL;
51		}
52	}
53	if (type & SEC_GENERIC_WRITE) {
54		typestr = talloc_asprintf_append(typestr,
55				"Generic write access ");
56		if (!typestr) {
57			return NULL;
58		}
59	}
60	if (type & SEC_GENERIC_READ) {
61		typestr = talloc_asprintf_append(typestr,
62				"Generic read access ");
63		if (!typestr) {
64			return NULL;
65		}
66	}
67	if (type & SEC_FLAG_MAXIMUM_ALLOWED) {
68		typestr = talloc_asprintf_append(typestr,
69				"MAXIMUM_ALLOWED_ACCESS ");
70		if (!typestr) {
71			return NULL;
72		}
73	}
74	if (type & SEC_FLAG_SYSTEM_SECURITY) {
75		typestr = talloc_asprintf_append(typestr,
76				"SYSTEM_SECURITY_ACCESS ");
77		if (!typestr) {
78			return NULL;
79		}
80	}
81	if (type & SEC_STD_SYNCHRONIZE) {
82		typestr = talloc_asprintf_append(typestr,
83				"SYNCHRONIZE_ACCESS ");
84		if (!typestr) {
85			return NULL;
86		}
87	}
88	if (type & SEC_STD_WRITE_OWNER) {
89		typestr = talloc_asprintf_append(typestr,
90				"WRITE_OWNER_ACCESS ");
91		if (!typestr) {
92			return NULL;
93		}
94	}
95	if (type & SEC_STD_WRITE_DAC) {
96		typestr = talloc_asprintf_append(typestr,
97				"WRITE_DAC_ACCESS ");
98		if (!typestr) {
99			return NULL;
100		}
101	}
102	if (type & SEC_STD_READ_CONTROL) {
103		typestr = talloc_asprintf_append(typestr,
104				"READ_CONTROL_ACCESS ");
105		if (!typestr) {
106			return NULL;
107		}
108	}
109	if (type & SEC_STD_DELETE) {
110		typestr = talloc_asprintf_append(typestr,
111				"DELETE_ACCESS ");
112		if (!typestr) {
113			return NULL;
114		}
115	}
116
117	printf("\t\tSpecific bits: 0x%lx\n", (unsigned long)type&SEC_MASK_SPECIFIC);
118
119	return typestr;
120}
121
122/****************************************************************************
123 display sec_access structure
124 ****************************************************************************/
125void display_sec_access(uint32_t *info)
126{
127	char *mask_str = get_sec_mask_str(NULL, *info);
128	printf("\t\tPermissions: 0x%x: %s\n", *info, mask_str ? mask_str : "");
129	talloc_free(mask_str);
130}
131
132/****************************************************************************
133 display sec_ace flags
134 ****************************************************************************/
135void display_sec_ace_flags(uint8_t flags)
136{
137	if (flags & SEC_ACE_FLAG_OBJECT_INHERIT)
138		printf("SEC_ACE_FLAG_OBJECT_INHERIT ");
139	if (flags & SEC_ACE_FLAG_CONTAINER_INHERIT)
140		printf(" SEC_ACE_FLAG_CONTAINER_INHERIT ");
141	if (flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT)
142		printf("SEC_ACE_FLAG_NO_PROPAGATE_INHERIT ");
143	if (flags & SEC_ACE_FLAG_INHERIT_ONLY)
144		printf("SEC_ACE_FLAG_INHERIT_ONLY ");
145	if (flags & SEC_ACE_FLAG_INHERITED_ACE)
146		printf("SEC_ACE_FLAG_INHERITED_ACE ");
147/*	if (flags & SEC_ACE_FLAG_VALID_INHERIT)
148		printf("SEC_ACE_FLAG_VALID_INHERIT "); */
149	if (flags & SEC_ACE_FLAG_SUCCESSFUL_ACCESS)
150		printf("SEC_ACE_FLAG_SUCCESSFUL_ACCESS ");
151	if (flags & SEC_ACE_FLAG_FAILED_ACCESS)
152		printf("SEC_ACE_FLAG_FAILED_ACCESS ");
153
154	printf("\n");
155}
156
157/****************************************************************************
158 display sec_ace object
159 ****************************************************************************/
160static void disp_sec_ace_object(struct security_ace_object *object)
161{
162	if (object->flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
163		printf("Object type: SEC_ACE_OBJECT_TYPE_PRESENT\n");
164		printf("Object GUID: %s\n", GUID_string(talloc_tos(),
165			&object->type.type));
166	}
167	if (object->flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
168		printf("Object type: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT\n");
169		printf("Object GUID: %s\n", GUID_string(talloc_tos(),
170			&object->inherited_type.inherited_type));
171	}
172}
173
174/****************************************************************************
175 display sec_ace structure
176 ****************************************************************************/
177void display_sec_ace(struct security_ace *ace)
178{
179	char *sid_str;
180
181	printf("\tACE\n\t\ttype: ");
182	switch (ace->type) {
183		case SEC_ACE_TYPE_ACCESS_ALLOWED:
184			printf("ACCESS ALLOWED");
185			break;
186		case SEC_ACE_TYPE_ACCESS_DENIED:
187			printf("ACCESS DENIED");
188			break;
189		case SEC_ACE_TYPE_SYSTEM_AUDIT:
190			printf("SYSTEM AUDIT");
191			break;
192		case SEC_ACE_TYPE_SYSTEM_ALARM:
193			printf("SYSTEM ALARM");
194			break;
195		case SEC_ACE_TYPE_ALLOWED_COMPOUND:
196			printf("SEC_ACE_TYPE_ALLOWED_COMPOUND");
197			break;
198		case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
199			printf("SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT");
200			break;
201		case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
202			printf("SEC_ACE_TYPE_ACCESS_DENIED_OBJECT");
203			break;
204		case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
205			printf("SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT");
206			break;
207		case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
208			printf("SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT");
209			break;
210		default:
211			printf("????");
212			break;
213	}
214
215	printf(" (%d) flags: 0x%02x ", ace->type, ace->flags);
216	display_sec_ace_flags(ace->flags);
217	display_sec_access(&ace->access_mask);
218	sid_str = dom_sid_string(NULL, &ace->trustee);
219	printf("\t\tSID: %s\n\n", sid_str);
220	talloc_free(sid_str);
221
222	if (sec_ace_object(ace->type)) {
223		disp_sec_ace_object(&ace->object.object);
224	}
225
226}
227
228/****************************************************************************
229 display sec_acl structure
230 ****************************************************************************/
231void display_sec_acl(struct security_acl *sec_acl)
232{
233	int i;
234
235	printf("\tACL\tNum ACEs:\t%d\trevision:\t%x\n",
236			 sec_acl->num_aces, sec_acl->revision);
237	printf("\t---\n");
238
239	if (sec_acl->size != 0 && sec_acl->num_aces != 0) {
240		for (i = 0; i < sec_acl->num_aces; i++) {
241			display_sec_ace(&sec_acl->aces[i]);
242		}
243	}
244}
245
246void display_acl_type(uint16_t type)
247{
248	printf("type: 0x%04x: ", type);
249
250	if (type & SEC_DESC_OWNER_DEFAULTED)	/* 0x0001 */
251		printf("SEC_DESC_OWNER_DEFAULTED ");
252	if (type & SEC_DESC_GROUP_DEFAULTED)	/* 0x0002 */
253		printf("SEC_DESC_GROUP_DEFAULTED ");
254	if (type & SEC_DESC_DACL_PRESENT) 	/* 0x0004 */
255		printf("SEC_DESC_DACL_PRESENT ");
256	if (type & SEC_DESC_DACL_DEFAULTED)	/* 0x0008 */
257		printf("SEC_DESC_DACL_DEFAULTED ");
258	if (type & SEC_DESC_SACL_PRESENT)	/* 0x0010 */
259		printf("SEC_DESC_SACL_PRESENT ");
260	if (type & SEC_DESC_SACL_DEFAULTED)	/* 0x0020 */
261		printf("SEC_DESC_SACL_DEFAULTED ");
262	if (type & SEC_DESC_DACL_TRUSTED)	/* 0x0040 */
263		printf("SEC_DESC_DACL_TRUSTED ");
264	if (type & SEC_DESC_SERVER_SECURITY)	/* 0x0080 */
265		printf("SEC_DESC_SERVER_SECURITY ");
266	if (type & SEC_DESC_DACL_AUTO_INHERIT_REQ) /* 0x0100 */
267		printf("SEC_DESC_DACL_AUTO_INHERIT_REQ ");
268	if (type & SEC_DESC_SACL_AUTO_INHERIT_REQ) /* 0x0200 */
269		printf("SEC_DESC_SACL_AUTO_INHERIT_REQ ");
270	if (type & SEC_DESC_DACL_AUTO_INHERITED) /* 0x0400 */
271		printf("SEC_DESC_DACL_AUTO_INHERITED ");
272	if (type & SEC_DESC_SACL_AUTO_INHERITED) /* 0x0800 */
273		printf("SEC_DESC_SACL_AUTO_INHERITED ");
274	if (type & SEC_DESC_DACL_PROTECTED)	/* 0x1000 */
275		printf("SEC_DESC_DACL_PROTECTED ");
276	if (type & SEC_DESC_SACL_PROTECTED)	/* 0x2000 */
277		printf("SEC_DESC_SACL_PROTECTED ");
278	if (type & SEC_DESC_RM_CONTROL_VALID)	/* 0x4000 */
279		printf("SEC_DESC_RM_CONTROL_VALID ");
280	if (type & SEC_DESC_SELF_RELATIVE)	/* 0x8000 */
281		printf("SEC_DESC_SELF_RELATIVE ");
282
283	printf("\n");
284}
285
286/****************************************************************************
287 display sec_desc structure
288 ****************************************************************************/
289void display_sec_desc(struct security_descriptor *sec)
290{
291	char *sid_str;
292
293	if (!sec) {
294		printf("NULL\n");
295		return;
296	}
297
298	printf("revision: %d\n", sec->revision);
299	display_acl_type(sec->type);
300
301	if (sec->sacl) {
302		printf("SACL\n");
303		display_sec_acl(sec->sacl);
304	}
305
306	if (sec->dacl) {
307		printf("DACL\n");
308		display_sec_acl(sec->dacl);
309	}
310
311	if (sec->owner_sid) {
312		sid_str = dom_sid_string(NULL, sec->owner_sid);
313		printf("\tOwner SID:\t%s\n", sid_str);
314		talloc_free(sid_str);
315	}
316
317	if (sec->group_sid) {
318		sid_str = dom_sid_string(NULL, sec->group_sid);
319		printf("\tGroup SID:\t%s\n", sid_str);
320		talloc_free(sid_str);
321	}
322}
323