sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-03 12:58:35 +03:00
Code

Doing some research into ACLs on the LSA and SAM policy objects.

Browse Source 
- added lsaquerysecobj to rpcclient
 - renamed querysecobj to samquerysecobj
 - removed duplicated display_sec_acl() code from cmd_spoolss.c and
   cmd_samr.c and moved it into display_sec.c
(This used to be commit 59b2e3f408a5ff22f2d81a927d010a7df5f19f7f)
This commit is contained in:
Tim Potter 2001-12-11 02:17:26 +00:00
parent ebefbda2f6
commit b872787f01
6 changed files with 169 additions and 349 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
source3/Makefile.in
View File

@ -294,7 +294,8 @@ RPCCLIENT_OBJ1 = rpcclient/rpcclient.o rpcclient/cmd_lsarpc.o \
rpcclient/cmd_samr.o rpcclient/cmd_spoolss.o \
rpcclient/cmd_netlogon.o rpcclient/cmd_srvsvc.o \
rpcclient/cmd_dfs.o rpcclient/cmd_reg.o \
rpc_client/cli_login.o rpc_client/cli_netlogon.o
rpc_client/cli_login.o rpc_client/cli_netlogon.o \
rpcclient/display_sec.o
RPCCLIENT_OBJ = $(RPCCLIENT_OBJ1) \
$(PARAM_OBJ) $(LIBSMB_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) \

52
source3/libsmb/cli_lsarpc.c
View File

@ -988,6 +988,58 @@ NTSTATUS cli_lsa_lookupprivvalue(struct cli_state *cli, TALLOC_CTX *mem_ctx,
return result;
}
/** Query LSA security object */
NTSTATUS cli_lsa_query_secobj(struct cli_state *cli, TALLOC_CTX *mem_ctx,
POLICY_HND *pol, uint32 sec_info,
SEC_DESC_BUF **psdb)
{
prs_struct qbuf, rbuf;
LSA_Q_QUERY_SEC_OBJ q;
LSA_R_QUERY_SEC_OBJ r;
NTSTATUS result;
ZERO_STRUCT(q);
ZERO_STRUCT(r);
/* Initialise parse structures */
prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
/* Marshall data and send request */
init_q_query_sec_obj(&q, pol, sec_info);
if (!lsa_io_q_query_sec_obj("", &q, &qbuf, 0) ||
!rpc_api_pipe_req(cli, LSA_QUERYSECOBJ, &qbuf, &rbuf)) {
result = NT_STATUS_UNSUCCESSFUL;
goto done;
}
/* Unmarshall response */
if (!lsa_io_r_query_sec_obj("", &r, &rbuf, 0)) {
result = NT_STATUS_UNSUCCESSFUL;
goto done;
}
if (!NT_STATUS_IS_OK(result = r.status)) {
goto done;
}
/* Return output parameters */
if (psdb)
*psdb = r.buf;
done:
prs_mem_free(&qbuf);
prs_mem_free(&rbuf);
return result;
}
/** Fetch a DOMAIN sid. Does complete cli setup / teardown anonymously. */
BOOL fetch_domain_sid( char *domain, char *remote_machine, DOM_SID *psid)

37
source3/rpcclient/cmd_lsarpc.c
View File

@ -452,6 +452,42 @@ static NTSTATUS cmd_lsa_lookupprivvalue(struct cli_state *cli,
return result;
}
/* Query LSA security object */
static NTSTATUS cmd_lsa_query_secobj(struct cli_state *cli,
TALLOC_CTX *mem_ctx, int argc,
char **argv)
{
POLICY_HND pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
SEC_DESC_BUF *sdb;
uint32 sec_info = 0x00000004; /* ??? */
if (argc != 1 ) {
printf("Usage: %s\n", argv[0]);
return NT_STATUS_OK;
}
result = cli_lsa_open_policy2(cli, mem_ctx, True,
SEC_RIGHTS_MAXIMUM_ALLOWED,
&pol);
if (!NT_STATUS_IS_OK(result))
goto done;
result = cli_lsa_query_secobj(cli, mem_ctx, &pol, sec_info, &sdb);
if (!NT_STATUS_IS_OK(result))
goto done;
/* Print results */
display_sec_desc(sdb->sec);
done:
return result;
}
/* List of commands exported by this module */
struct cmd_set lsarpc_commands[] = {
@ -467,6 +503,7 @@ struct cmd_set lsarpc_commands[] = {
{ "lsaenumsid", cmd_lsa_enum_sids, PIPE_LSARPC, "Enumerate the LSA SIDS", "" },
{ "lsaenumprivsaccount", cmd_lsa_enum_privsaccounts, PIPE_LSARPC, "Enumerate the privileges of an SID", "" },
{ "lsalookupprivvalue", cmd_lsa_lookupprivvalue, PIPE_LSARPC, "Get a privilege value given its name", "" },
{ "lsaquerysecobj", cmd_lsa_query_secobj, PIPE_LSARPC, "Query LSA security object", "" },
{ NULL }
};

124
source3/rpcclient/cmd_samr.c
View File

@ -28,128 +28,6 @@
extern DOM_SID domain_sid;
/****************************************************************************
convert a security permissions into a string
****************************************************************************/
char *get_sec_mask_str(uint32 type)
{
static fstring typestr="";
int i;
typestr[0] = 0;
if (type & GENERIC_ALL_ACCESS)
fstrcat(typestr, "Generic all access ");
if (type & GENERIC_EXECUTE_ACCESS)
fstrcat(typestr, "Generic execute access ");
if (type & GENERIC_WRITE_ACCESS)
fstrcat(typestr, "Generic write access ");
if (type & GENERIC_READ_ACCESS)
fstrcat(typestr, "Generic read access ");
if (type & MAXIMUM_ALLOWED_ACCESS)
fstrcat(typestr, "MAXIMUM_ALLOWED_ACCESS ");
if (type & SYSTEM_SECURITY_ACCESS)
fstrcat(typestr, "SYSTEM_SECURITY_ACCESS ");
if (type & SYNCHRONIZE_ACCESS)
fstrcat(typestr, "SYNCHRONIZE_ACCESS ");
if (type & WRITE_OWNER_ACCESS)
fstrcat(typestr, "WRITE_OWNER_ACCESS ");
if (type & WRITE_DAC_ACCESS)
fstrcat(typestr, "WRITE_DAC_ACCESS ");
if (type & READ_CONTROL_ACCESS)
fstrcat(typestr, "READ_CONTROL_ACCESS ");
if (type & DELETE_ACCESS)
fstrcat(typestr, "DELETE_ACCESS ");
printf("Specific bits: 0x%x\n", type&SPECIFIC_RIGHTS_MASK);
return typestr;
}
/****************************************************************************
display sec_access structure
****************************************************************************/
void display_sec_access(SEC_ACCESS *info)
{
printf("\t\tPermissions: 0x%x: %s\n", info->mask, get_sec_mask_str(info->mask));
}
/****************************************************************************
display sec_ace structure
****************************************************************************/
void display_sec_ace(SEC_ACE *ace)
{
fstring sid_str;
printf("\tACE\n\t\ttype: ");
switch (ace->type) {
case SEC_ACE_TYPE_ACCESS_ALLOWED:
printf("ACCESS ALLOWED");
break;
case SEC_ACE_TYPE_ACCESS_DENIED:
printf("ACCESS DENIED");
break;
case SEC_ACE_TYPE_SYSTEM_AUDIT:
printf("SYSTEM AUDIT");
break;
case SEC_ACE_TYPE_SYSTEM_ALARM:
printf("SYSTEM ALARM");
break;
default:
printf("????");
break;
}
printf(" (%d) flags: %d\n", ace->type, ace->flags);
display_sec_access(&ace->info);
sid_to_string(sid_str, &ace->trustee);
printf("\t\tSID: %s\n\n", sid_str);
}
/****************************************************************************
display sec_acl structure
****************************************************************************/
void display_sec_acl(SEC_ACL *sec_acl)
{
int i;
printf("\tACL\tNum ACEs:\t%d\trevision:\t%x\n",
sec_acl->num_aces, sec_acl->revision);
printf("\t---\n");
if (sec_acl->size != 0 && sec_acl->num_aces != 0)
for (i = 0; i < sec_acl->num_aces; i++)
display_sec_ace(&sec_acl->ace[i]);
}
/****************************************************************************
display sec_desc structure
****************************************************************************/
void display_sec_desc(SEC_DESC *sec)
{
fstring sid_str;
if (sec->off_sacl != 0) {
printf("S-ACL\n");
display_sec_acl(sec->sacl);
}
if (sec->off_dacl != 0) {
printf("D-ACL\n");
display_sec_acl(sec->dacl);
}
if (sec->off_owner_sid != 0) {
sid_to_string(sid_str, sec->owner_sid);
printf("\tOwner SID:\t%s\n", sid_str);
}
if (sec->off_grp_sid != 0) {
sid_to_string(sid_str, sec->grp_sid);
printf("\tParent SID:\t%s\n", sid_str);
}
}
/****************************************************************************
display sam_user_info_21 structure
****************************************************************************/
@ -1301,7 +1179,7 @@ struct cmd_set samr_commands[] = {
{ "samlookupnames", cmd_samr_lookup_names, PIPE_SAMR, "Look up names", "" },
{ "samlookuprids", cmd_samr_lookup_rids, PIPE_SAMR, "Look up names", "" },
{ "deletedomuser", cmd_samr_delete_dom_user, PIPE_SAMR, "Delete domain user", "" },
{ "querysecobj", cmd_samr_query_sec_obj, PIPE_SAMR, "Query security object", "" },
{ "samquerysecobj", cmd_samr_query_sec_obj, PIPE_SAMR, "Query SAMR security object", "" },
{ NULL }
};

52
source3/rpcclient/cmd_spoolss.c
View File

@ -82,58 +82,6 @@ static NTSTATUS cmd_spoolss_not_implemented(struct cli_state *cli,
return NT_STATUS_OK;
}
/****************************************************************************
display sec_ace structure
****************************************************************************/
static void display_sec_ace(SEC_ACE *ace)
{
fstring sid_str;
sid_to_string(sid_str, &ace->trustee);
printf("\t\tSID: %s\n", sid_str);
printf("\t\ttype:[%d], flags:[0x%02x], mask:[0x%08x]\n",
ace->type, ace->flags, ace->info.mask);
}
/****************************************************************************
display sec_acl structure
****************************************************************************/
static void display_sec_acl(SEC_ACL *acl)
{
if (acl->size != 0 && acl->num_aces != 0) {
int i;
printf("\t\tRevision:[%d]\n", acl->revision);
for (i = 0; i < acl->num_aces; i++) {
display_sec_ace(&acl->ace[i]);
}
}
}
/****************************************************************************
display sec_desc structure
****************************************************************************/
static void display_sec_desc(SEC_DESC *sec)
{
fstring sid_str;
printf("\tRevision:[%d]\n", sec->revision);
if (sec->off_owner_sid) {
sid_to_string(sid_str, sec->owner_sid);
printf("\tOwner SID: %s\n", sid_str);
}
if (sec->off_grp_sid) {
sid_to_string(sid_str, sec->grp_sid);
printf("\tGroup SID: %s\n", sid_str);
}
if (sec->off_sacl) display_sec_acl(sec->sacl);
if (sec->off_dacl) display_sec_acl(sec->dacl);
}
/***********************************************************************
* Get printer information
*/

250
source3/rpcclient/display_sec.c
View File

@ -23,67 +23,40 @@
#include "includes.h"
#include "rpcclient.h"
/****************************************************************************
convert a security permissions into a string
****************************************************************************/
static const char *get_sec_mask_str(uint32 type)
char *get_sec_mask_str(uint32 type)
{
static fstring typestr;
static fstring typestr="";
int i;
switch (type)
{
case SEC_RIGHTS_FULL_CONTROL:
{
fstrcpy(typestr, "Full Control");
return typestr;
}
case SEC_RIGHTS_READ:
{
fstrcpy(typestr, "Read");
return typestr;
}
default:
{
break;
}
}
typestr[0] = 0;
for (i = 0; i < 32; i++)
{
if (type & (1 << i))
{
switch (1 << i)
{
case SEC_RIGHTS_QUERY_VALUE : fstrcat(typestr, "Query " ); break;
case SEC_RIGHTS_SET_VALUE : fstrcat(typestr, "Set " ); break;
case SEC_RIGHTS_CREATE_SUBKEY : fstrcat(typestr, "Create "); break;
case SEC_RIGHTS_ENUM_SUBKEYS : fstrcat(typestr, "Enum "); break;
case SEC_RIGHTS_NOTIFY : fstrcat(typestr, "Notify "); break;
case SEC_RIGHTS_CREATE_LINK : fstrcat(typestr, "CreateLink "); break;
case DELETE_ACCESS : fstrcat(typestr, "Delete "); break;
case READ_CONTROL_ACCESS : fstrcat(typestr, "ReadControl "); break;
case WRITE_DAC_ACCESS : fstrcat(typestr, "WriteDAC "); break;
case WRITE_OWNER_ACCESS : fstrcat(typestr, "WriteOwner "); break;
}
type &= ~(1 << i);
}
}
/* remaining bits get added on as-is */
if (type != 0)
{
fstring tmp;
slprintf(tmp, sizeof(tmp)-1, "[%08x]", type);
fstrcat(typestr, tmp);
}
if (type & GENERIC_ALL_ACCESS)
fstrcat(typestr, "Generic all access ");
if (type & GENERIC_EXECUTE_ACCESS)
fstrcat(typestr, "Generic execute access ");
if (type & GENERIC_WRITE_ACCESS)
fstrcat(typestr, "Generic write access ");
if (type & GENERIC_READ_ACCESS)
fstrcat(typestr, "Generic read access ");
if (type & MAXIMUM_ALLOWED_ACCESS)
fstrcat(typestr, "MAXIMUM_ALLOWED_ACCESS ");
if (type & SYSTEM_SECURITY_ACCESS)
fstrcat(typestr, "SYSTEM_SECURITY_ACCESS ");
if (type & SYNCHRONIZE_ACCESS)
fstrcat(typestr, "SYNCHRONIZE_ACCESS ");
if (type & WRITE_OWNER_ACCESS)
fstrcat(typestr, "WRITE_OWNER_ACCESS ");
if (type & WRITE_DAC_ACCESS)
fstrcat(typestr, "WRITE_DAC_ACCESS ");
if (type & READ_CONTROL_ACCESS)
fstrcat(typestr, "READ_CONTROL_ACCESS ");
if (type & DELETE_ACCESS)
fstrcat(typestr, "DELETE_ACCESS ");
/* remove last space */
i = strlen(typestr)-1;
if (typestr[i] == ' ') typestr[i] = 0;
printf("Specific bits: 0x%x\n", type&SPECIFIC_RIGHTS_MASK);
return typestr;
}
@ -91,152 +64,83 @@ static const char *get_sec_mask_str(uint32 type)
/****************************************************************************
display sec_access structure
****************************************************************************/
static void display_sec_access(FILE *out_hnd, enum action_type action, SEC_ACCESS *const info)
void display_sec_access(SEC_ACCESS *info)
{
switch (action)
{
case ACTION_HEADER:
{
break;
}
case ACTION_ENUMERATE:
{
report(out_hnd, "\t\tPermissions:\t%s\n",
get_sec_mask_str(info->mask));
}
case ACTION_FOOTER:
{
break;
}
}
printf("\t\tPermissions: 0x%x: %s\n", info->mask, get_sec_mask_str(info->mask));
}
/****************************************************************************
display sec_ace structure
****************************************************************************/
static void display_sec_ace(FILE *out_hnd, enum action_type action, SEC_ACE *const ace)
void display_sec_ace(SEC_ACE *ace)
{
switch (action)
{
case ACTION_HEADER:
{
report(out_hnd, "\tACE\n");
fstring sid_str;
printf("\tACE\n\t\ttype: ");
switch (ace->type) {
case SEC_ACE_TYPE_ACCESS_ALLOWED:
printf("ACCESS ALLOWED");
break;
}
case ACTION_ENUMERATE:
{
fstring sid_str;
report(out_hnd,
"\t\tType:%2x Flags:%2x Perms:%04x\n",
ace->type, ace->flags,
(uint32) ace->info.mask);
display_sec_access(out_hnd, ACTION_HEADER , &ace->info);
display_sec_access(out_hnd, ACTION_ENUMERATE, &ace->info);
display_sec_access(out_hnd, ACTION_FOOTER , &ace->info);
sid_to_string(sid_str, &ace->sid);
report(out_hnd, "\t\tSID:\t%s\n", sid_str);
}
case ACTION_FOOTER:
{
case SEC_ACE_TYPE_ACCESS_DENIED:
printf("ACCESS DENIED");
break;
case SEC_ACE_TYPE_SYSTEM_AUDIT:
printf("SYSTEM AUDIT");
break;
case SEC_ACE_TYPE_SYSTEM_ALARM:
printf("SYSTEM ALARM");
break;
default:
printf("????");
break;
}
}
printf(" (%d) flags: %d\n", ace->type, ace->flags);
display_sec_access(&ace->info);
sid_to_string(sid_str, &ace->trustee);
printf("\t\tSID: %s\n\n", sid_str);
}
/****************************************************************************
display sec_acl structure
****************************************************************************/
static void display_sec_acl(FILE *out_hnd, enum action_type action, SEC_ACL *const sec_acl)
void display_sec_acl(SEC_ACL *sec_acl)
{
if (sec_acl == NULL)
{
return;
}
switch (action)
{
case ACTION_HEADER:
{
report(out_hnd, "\tACL\tNum ACEs:\t%d\trevision:\t%x\n",
sec_acl->num_aces, sec_acl->revision);
report(out_hnd, "\t---\n");
int i;
break;
}
case ACTION_ENUMERATE:
{
if (sec_acl->size != 0 && sec_acl->num_aces != 0)
{
int i;
for (i = 0; i < sec_acl->num_aces; i++)
{
display_sec_ace(out_hnd, ACTION_HEADER , &sec_acl->ace[i]);
display_sec_ace(out_hnd, ACTION_ENUMERATE, &sec_acl->ace[i]);
display_sec_ace(out_hnd, ACTION_FOOTER , &sec_acl->ace[i]);
}
}
printf("\tACL\tNum ACEs:\t%d\trevision:\t%x\n",
sec_acl->num_aces, sec_acl->revision);
printf("\t---\n");
if (sec_acl->size != 0 && sec_acl->num_aces != 0)
for (i = 0; i < sec_acl->num_aces; i++)
display_sec_ace(&sec_acl->ace[i]);
break;
}
case ACTION_FOOTER:
{
report(out_hnd, "\n");
break;
}
}
}
/****************************************************************************
display sec_desc structure
****************************************************************************/
void display_sec_desc(FILE *out_hnd, enum action_type action, SEC_DESC *const sec)
void display_sec_desc(SEC_DESC *sec)
{
switch (action)
{
case ACTION_HEADER:
{
report(out_hnd, "\tSecurity Descriptor\trevision:\t%x\ttype:\t%x\n",
sec->revision, sec->type);
report(out_hnd, "\t-------------------\n");
fstring sid_str;
break;
}
case ACTION_ENUMERATE:
{
fstring sid_str;
if (sec->off_sacl != 0) {
printf("S-ACL\n");
display_sec_acl(sec->sacl);
}
if (sec->off_sacl != 0)
{
display_sec_acl(out_hnd, ACTION_HEADER , sec->sacl);
display_sec_acl(out_hnd, ACTION_ENUMERATE, sec->sacl);
display_sec_acl(out_hnd, ACTION_FOOTER , sec->sacl);
}
if (sec->off_dacl != 0)
{
display_sec_acl(out_hnd, ACTION_HEADER , sec->dacl);
display_sec_acl(out_hnd, ACTION_ENUMERATE, sec->dacl);
display_sec_acl(out_hnd, ACTION_FOOTER , sec->dacl);
}
if (sec->off_owner_sid != 0)
{
sid_to_string(sid_str, sec->owner_sid);
report(out_hnd, "\tOwner SID:\t%s\n", sid_str);
}
if (sec->off_grp_sid != 0)
{
sid_to_string(sid_str, sec->grp_sid);
report(out_hnd, "\tParent SID:\t%s\n", sid_str);
}
break;
}
case ACTION_FOOTER:
{
report(out_hnd, "\n");
break;
}
if (sec->off_dacl != 0) {
printf("D-ACL\n");
display_sec_acl(sec->dacl);
}
if (sec->off_owner_sid != 0) {
sid_to_string(sid_str, sec->owner_sid);
printf("\tOwner SID:\t%s\n", sid_str);
}
if (sec->off_grp_sid != 0) {
sid_to_string(sid_str, sec->grp_sid);
printf("\tParent SID:\t%s\n", sid_str);
}
}