2002-03-10 09:56:59 +03:00
/*
2002-03-22 09:24:38 +03:00
Unix SMB / CIFS implementation .
2002-03-10 09:56:59 +03:00
Samba utility functions . ADS stuff
Copyright ( C ) Alexey Kotovich 2002
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-09 23:25:36 +04:00
the Free Software Foundation ; either version 3 of the License , or
2002-03-10 09:56:59 +03:00
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
2007-07-10 04:52:41 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2002-03-10 09:56:59 +03:00
*/
# include "includes.h"
2010-07-02 02:32:52 +04:00
# include "ads.h"
2010-07-01 01:48:34 +04:00
# include "libads/ldap_schema.h"
2011-02-26 01:34:23 +03:00
# include "../libcli/security/secace.h"
2011-03-31 01:47:34 +04:00
# include "../librpc/ndr/libndr.h"
2018-11-23 10:39:02 +03:00
# include "libcli/security/dom_sid.h"
2002-03-10 09:56:59 +03:00
2010-06-03 12:49:34 +04:00
/* for ADS */
# define SEC_RIGHTS_FULL_CTRL 0xf01ff
2007-07-11 19:46:01 +04:00
# ifdef HAVE_LDAP
2002-03-10 09:56:59 +03:00
static struct perm_mask_str {
2015-04-18 18:40:14 +03:00
uint32_t mask ;
2003-01-03 11:28:12 +03:00
const char * str ;
2002-03-10 09:56:59 +03:00
} perms [ ] = {
{ SEC_RIGHTS_FULL_CTRL , " [Full Control] " } ,
2010-05-28 05:31:52 +04:00
{ SEC_ADS_LIST , " [List Contents] " } ,
{ SEC_ADS_LIST_OBJECT , " [List Object] " } ,
2002-03-10 09:56:59 +03:00
2010-05-28 05:31:52 +04:00
{ SEC_ADS_READ_PROP , " [Read All Properties] " } ,
{ SEC_STD_READ_CONTROL , " [Read Permissions] " } ,
2002-03-10 09:56:59 +03:00
2010-05-28 05:31:52 +04:00
{ SEC_ADS_SELF_WRITE , " [All validate writes] " } ,
{ SEC_ADS_WRITE_PROP , " [Write All Properties] " } ,
2002-03-10 09:56:59 +03:00
2010-05-28 05:31:52 +04:00
{ SEC_STD_WRITE_DAC , " [Modify Permissions] " } ,
{ SEC_STD_WRITE_OWNER , " [Modify Owner] " } ,
2002-03-10 09:56:59 +03:00
2010-05-28 05:31:52 +04:00
{ SEC_ADS_CREATE_CHILD , " [Create All Child Objects] " } ,
2002-03-10 09:56:59 +03:00
2010-05-28 05:31:52 +04:00
{ SEC_STD_DELETE , " [Delete] " } ,
{ SEC_ADS_DELETE_TREE , " [Delete Subtree] " } ,
{ SEC_ADS_DELETE_CHILD , " [Delete All Child Objects] " } ,
2002-03-10 09:56:59 +03:00
2010-05-28 05:31:52 +04:00
{ SEC_ADS_CONTROL_ACCESS , " [Change Password] " } ,
{ SEC_ADS_CONTROL_ACCESS , " [Reset Password] " } ,
2007-05-11 16:59:16 +04:00
2002-03-10 09:56:59 +03:00
{ 0 , 0 }
} ;
/* convert a security permissions into a string */
2015-04-18 18:40:14 +03:00
static void ads_disp_perms ( uint32_t type )
2002-03-10 09:56:59 +03:00
{
int i = 0 ;
int j = 0 ;
printf ( " Permissions: " ) ;
if ( type = = SEC_RIGHTS_FULL_CTRL ) {
printf ( " %s \n " , perms [ j ] . str ) ;
return ;
}
for ( i = 0 ; i < 32 ; i + + ) {
2019-05-21 13:52:56 +03:00
if ( type & ( ( uint32_t ) 1 < < i ) ) {
2002-03-10 09:56:59 +03:00
for ( j = 1 ; perms [ j ] . str ; j + + ) {
if ( perms [ j ] . mask = = ( ( ( unsigned ) 1 ) < < i ) ) {
2007-05-11 16:59:16 +04:00
printf ( " \n \t %s (0x%08x) " , perms [ j ] . str , perms [ j ] . mask ) ;
2002-03-10 09:56:59 +03:00
}
}
type & = ~ ( 1 < < i ) ;
}
}
/* remaining bits get added on as-is */
if ( type ! = 0 ) {
printf ( " [%08x] " , type ) ;
}
puts ( " " ) ;
}
2007-07-11 17:41:04 +04:00
static const char * ads_interprete_guid_from_object ( ADS_STRUCT * ads ,
TALLOC_CTX * mem_ctx ,
const struct GUID * guid )
{
const char * ret = NULL ;
2007-07-14 03:26:55 +04:00
if ( ! ads | | ! mem_ctx ) {
return NULL ;
}
2007-07-11 17:41:04 +04:00
ret = ads_get_attrname_by_guid ( ads , ads - > config . schema_path ,
mem_ctx , guid ) ;
if ( ret ) {
return talloc_asprintf ( mem_ctx , " LDAP attribute: \" %s \" " , ret ) ;
}
ret = ads_get_extended_right_name_by_guid ( ads , ads - > config . config_path ,
mem_ctx , guid ) ;
if ( ret ) {
return talloc_asprintf ( mem_ctx , " Extended right: \" %s \" " , ret ) ;
}
return ret ;
}
static void ads_disp_sec_ace_object ( ADS_STRUCT * ads ,
TALLOC_CTX * mem_ctx ,
struct security_ace_object * object )
2007-07-11 01:04:57 +04:00
{
2009-03-01 06:59:07 +03:00
if ( object - > flags & SEC_ACE_OBJECT_TYPE_PRESENT ) {
printf ( " Object type: SEC_ACE_OBJECT_TYPE_PRESENT \n " ) ;
2008-10-14 04:26:18 +04:00
printf ( " Object GUID: %s (%s) \n " , GUID_string ( mem_ctx ,
& object - > type . type ) ,
2007-07-11 17:41:04 +04:00
ads_interprete_guid_from_object ( ads , mem_ctx ,
& object - > type . type ) ) ;
2007-07-11 01:04:57 +04:00
}
2009-03-01 06:59:07 +03:00
if ( object - > flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT ) {
printf ( " Object type: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT \n " ) ;
2008-10-14 04:26:18 +04:00
printf ( " Object GUID: %s (%s) \n " , GUID_string ( mem_ctx ,
& object - > inherited_type . inherited_type ) ,
2007-07-11 17:41:04 +04:00
ads_interprete_guid_from_object ( ads , mem_ctx ,
& object - > inherited_type . inherited_type ) ) ;
2007-07-11 01:04:57 +04:00
}
}
2002-03-10 09:56:59 +03:00
/* display ACE */
2010-05-18 05:25:38 +04:00
static void ads_disp_ace ( ADS_STRUCT * ads , TALLOC_CTX * mem_ctx , struct security_ace * sec_ace )
2002-03-10 09:56:59 +03:00
{
2003-01-03 11:28:12 +03:00
const char * access_type = " UNKNOWN " ;
2018-11-23 10:39:02 +03:00
struct dom_sid_buf sidbuf ;
2002-03-10 09:56:59 +03:00
if ( ! sec_ace_object ( sec_ace - > type ) ) {
printf ( " ------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x) \n " ,
sec_ace - > type ,
sec_ace - > flags ,
sec_ace - > size ,
2006-09-21 02:23:12 +04:00
sec_ace - > access_mask ) ;
2002-03-10 09:56:59 +03:00
} else {
printf ( " ------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x, object flags: 0x%x) \n " ,
sec_ace - > type ,
sec_ace - > flags ,
sec_ace - > size ,
2006-09-21 02:23:12 +04:00
sec_ace - > access_mask ,
sec_ace - > object . object . flags ) ;
2002-03-10 09:56:59 +03:00
}
if ( sec_ace - > type = = SEC_ACE_TYPE_ACCESS_ALLOWED ) {
access_type = " ALLOWED " ;
} else if ( sec_ace - > type = = SEC_ACE_TYPE_ACCESS_DENIED ) {
access_type = " DENIED " ;
} else if ( sec_ace - > type = = SEC_ACE_TYPE_SYSTEM_AUDIT ) {
access_type = " SYSTEM AUDIT " ;
} else if ( sec_ace - > type = = SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ) {
access_type = " ALLOWED OBJECT " ;
} else if ( sec_ace - > type = = SEC_ACE_TYPE_ACCESS_DENIED_OBJECT ) {
2002-07-15 14:35:28 +04:00
access_type = " DENIED OBJECT " ;
2002-03-10 09:56:59 +03:00
} else if ( sec_ace - > type = = SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT ) {
access_type = " AUDIT OBJECT " ;
}
2018-11-23 10:39:02 +03:00
printf ( " access SID: %s \n access type: %s \n " ,
dom_sid_str_buf ( & sec_ace - > trustee , & sidbuf ) ,
access_type ) ;
2002-03-10 09:56:59 +03:00
2007-07-11 01:04:57 +04:00
if ( sec_ace_object ( sec_ace - > type ) ) {
2007-07-11 17:30:38 +04:00
ads_disp_sec_ace_object ( ads , mem_ctx , & sec_ace - > object . object ) ;
2007-07-11 01:04:57 +04:00
}
2006-09-21 02:23:12 +04:00
ads_disp_perms ( sec_ace - > access_mask ) ;
2002-03-10 09:56:59 +03:00
}
/* display ACL */
2010-05-18 05:30:40 +04:00
static void ads_disp_acl ( struct security_acl * sec_acl , const char * type )
2002-03-10 09:56:59 +03:00
{
if ( ! sec_acl )
printf ( " ------- (%s) ACL not present \n " , type ) ;
else {
printf ( " ------- (%s) ACL (revision: %d, size: %d, number of ACEs: %d) \n " ,
type ,
sec_acl - > revision ,
sec_acl - > size ,
sec_acl - > num_aces ) ;
}
}
/* display SD */
2010-05-18 12:29:34 +04:00
void ads_disp_sd ( ADS_STRUCT * ads , TALLOC_CTX * mem_ctx , struct security_descriptor * sd )
2002-03-10 09:56:59 +03:00
{
2018-11-23 10:40:57 +03:00
uint32_t i ;
2007-07-11 17:41:04 +04:00
char * tmp_path = NULL ;
2018-12-10 13:52:50 +03:00
struct dom_sid_buf buf ;
2007-07-11 17:41:04 +04:00
2007-07-14 03:26:55 +04:00
if ( ! sd ) {
return ;
}
if ( ads & & ! ads - > config . schema_path ) {
2007-07-11 17:41:04 +04:00
if ( ADS_ERR_OK ( ads_schema_path ( ads , mem_ctx , & tmp_path ) ) ) {
ads - > config . schema_path = SMB_STRDUP ( tmp_path ) ;
}
}
2007-07-14 03:26:55 +04:00
if ( ads & & ! ads - > config . config_path ) {
2007-07-11 17:41:04 +04:00
if ( ADS_ERR_OK ( ads_config_path ( ads , mem_ctx , & tmp_path ) ) ) {
ads - > config . config_path = SMB_STRDUP ( tmp_path ) ;
}
}
2002-03-10 09:56:59 +03:00
printf ( " -------------- Security Descriptor (revision: %d, type: 0x%02x) \n " ,
sd - > revision ,
sd - > type ) ;
2007-07-14 03:26:55 +04:00
printf ( " owner SID: %s \n " , sd - > owner_sid ?
2018-12-10 13:52:50 +03:00
dom_sid_str_buf ( sd - > owner_sid , & buf ) : " (null) " ) ;
2007-07-14 03:26:55 +04:00
printf ( " group SID: %s \n " , sd - > group_sid ?
2018-12-10 13:52:50 +03:00
dom_sid_str_buf ( sd - > group_sid , & buf ) : " (null) " ) ;
2002-03-10 09:56:59 +03:00
ads_disp_acl ( sd - > sacl , " system " ) ;
2007-07-14 03:26:55 +04:00
if ( sd - > sacl ) {
for ( i = 0 ; i < sd - > sacl - > num_aces ; i + + ) {
ads_disp_ace ( ads , mem_ctx , & sd - > sacl - > aces [ i ] ) ;
}
}
2002-03-10 09:56:59 +03:00
ads_disp_acl ( sd - > dacl , " user " ) ;
2007-07-14 03:26:55 +04:00
if ( sd - > dacl ) {
for ( i = 0 ; i < sd - > dacl - > num_aces ; i + + ) {
ads_disp_ace ( ads , mem_ctx , & sd - > dacl - > aces [ i ] ) ;
}
}
2002-03-10 09:56:59 +03:00
printf ( " -------------- End Of Security Descriptor \n " ) ;
}
2007-07-11 19:46:01 +04:00
# endif