From b872787f01f0e72db3c03676e46432375fcce787 Mon Sep 17 00:00:00 2001
From: Tim Potter
Date: Tue, 11 Dec 2001 02:17:26 +0000
Subject: Doing some research into ACLs on the LSA and SAM policy objects.

- added lsaquerysecobj to rpcclient
- renamed querysecobj to samquerysecobj
- removed duplicated display_sec_acl() code from cmd_spoolss.c and cmd_samr.c and moved it into display_sec.c

(This used to be commit 59b2e3f408a5ff22f2d81a927d010a7df5f19f7f)
---
 source3/rpcclient/cmd_lsarpc.c | 37 ++++++
 source3/rpcclient/cmd_samr.c | 124 +-------------------
 source3/rpcclient/cmd_spoolss.c | 52 --------
 source3/rpcclient/display_sec.c | 254 +++++++++++++--------------------------
 4 files changed, 117 insertions(+), 350 deletions(-)
(limited to 'source3/rpcclient')

diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c
index ef9518a7fc..52ab9c3800 100644
--- a/source3/rpcclient/cmd_lsarpc.c
+++ b/source3/rpcclient/cmd_lsarpc.c
@@ -452,6 +452,42 @@ static NTSTATUS cmd_lsa_lookupprivvalue(struct cli_state *cli,
 return result;
 }
 
+/* Query LSA security object */
+
+static NTSTATUS cmd_lsa_query_secobj(struct cli_state *cli,
+ TALLOC_CTX *mem_ctx, int argc,
+ char **argv)
+{
+ POLICY_HND pol;
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ SEC_DESC_BUF *sdb;
+ uint32 sec_info = 0x00000004; /* ??? */
+
+ if (argc != 1 ) {
+ printf("Usage: %s\n", argv[0]);
+ return NT_STATUS_OK;
+ }
+
+ result = cli_lsa_open_policy2(cli, mem_ctx, True,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ &pol);
+
+ if (!NT_STATUS_IS_OK(result))
+ goto done;
+
+ result = cli_lsa_query_secobj(cli, mem_ctx, &pol, sec_info, &sdb);
+
+ if (!NT_STATUS_IS_OK(result))
+ goto done;
+
+ /* Print results */
+
+ display_sec_desc(sdb->sec);
+
+ done:
+ return result;
+}
+
 /* List of commands exported by this module */
 
 struct cmd_set lsarpc_commands[] = {
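Review bot: The LSA policy handle obtained from cli_lsa_open_policy2() in cmd_lsa_query_secobj() is never released — both the `goto done` after cli_lsa_query_secobj() and the success path go straight to `return result`, so every invocation leaves a handle open on the server; close it once the query has returned, e.g. `cli_lsa_close(cli, mem_ctx, &pol);` immediately after the cli_lsa_query_secobj() call and before its status check, assuming the same close helper this file's other lsa commands use. `display_sec_desc(sdb->sec)` dereferences the returned buffer without checking it; if the server can answer OK with an empty descriptor buffer, guard with `if (sdb == NULL || sdb->sec == NULL) goto done;`. The literal in `uint32 sec_info = 0x00000004; /* ??? */` is the DACL bit of the SECURITY_INFORMATION mask (owner 0x1, group 0x2, DACL 0x4, SACL 0x8), so replace the `???` with that explanation or a named constant, and note that with only the DACL bit requested the owner/group branches of display_sec_desc() will normally have nothing to print.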
@@ -467,6 +503,7 @@ struct cmd_set lsarpc_commands[] = {
 { "lsaenumsid", cmd_lsa_enum_sids, PIPE_LSARPC, "Enumerate the LSA SIDS", "" },
 { "lsaenumprivsaccount", cmd_lsa_enum_privsaccounts, PIPE_LSARPC, "Enumerate the privileges of an SID", "" },
 { "lsalookupprivvalue", cmd_lsa_lookupprivvalue, PIPE_LSARPC, "Get a privilege value given its name", "" },
+ { "lsaquerysecobj", cmd_lsa_query_secobj, PIPE_LSARPC, "Query LSA security object", "" },
 { NULL }
 };
 
diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c
index a6cdc4bfeb..dccd756add 100644
--- a/source3/rpcclient/cmd_samr.c
+++ b/source3/rpcclient/cmd_samr.c
@@ -28,128 +28,6 @@ extern DOM_SID domain_sid;
-/****************************************************************************
-convert a security permissions into a string
-****************************************************************************/
-char *get_sec_mask_str(uint32 type)
-{
- static fstring typestr="";
- int i;
-
- typestr[0] = 0;
-
- if (type & GENERIC_ALL_ACCESS)
- fstrcat(typestr, "Generic all access ");
- if (type & GENERIC_EXECUTE_ACCESS)
- fstrcat(typestr, "Generic execute access ");
- if (type & GENERIC_WRITE_ACCESS)
- fstrcat(typestr, "Generic write access ");
- if (type & GENERIC_READ_ACCESS)
- fstrcat(typestr, "Generic read access ");
- if (type & MAXIMUM_ALLOWED_ACCESS)
- fstrcat(typestr, "MAXIMUM_ALLOWED_ACCESS ");
- if (type & SYSTEM_SECURITY_ACCESS)
- fstrcat(typestr, "SYSTEM_SECURITY_ACCESS ");
- if (type & SYNCHRONIZE_ACCESS)
- fstrcat(typestr, "SYNCHRONIZE_ACCESS ");
- if (type & WRITE_OWNER_ACCESS)
- fstrcat(typestr, "WRITE_OWNER_ACCESS ");
- if (type & WRITE_DAC_ACCESS)
- fstrcat(typestr, "WRITE_DAC_ACCESS ");
- if (type & READ_CONTROL_ACCESS)
- fstrcat(typestr, "READ_CONTROL_ACCESS ");
- if (type & DELETE_ACCESS)
- fstrcat(typestr, "DELETE_ACCESS ");
-
- printf("Specific bits: 0x%x\n", type&SPECIFIC_RIGHTS_MASK);
-
- return typestr;
-}
-
-/****************************************************************************
- display sec_access structure
- ****************************************************************************/
-void display_sec_access(SEC_ACCESS *info)
-{
- printf("\t\tPermissions: 0x%x: %s\n", info->mask, get_sec_mask_str(info->mask));
-}
-
-/****************************************************************************
- display sec_ace structure
- ****************************************************************************/
-void display_sec_ace(SEC_ACE *ace)
-{
- fstring sid_str;
-
- printf("\tACE\n\t\ttype: ");
- switch (ace->type) {
- case SEC_ACE_TYPE_ACCESS_ALLOWED:
- printf("ACCESS ALLOWED");
- break;
- case SEC_ACE_TYPE_ACCESS_DENIED:
- printf("ACCESS DENIED");
- break;
- case SEC_ACE_TYPE_SYSTEM_AUDIT:
- printf("SYSTEM AUDIT");
- break;
- case SEC_ACE_TYPE_SYSTEM_ALARM:
- printf("SYSTEM ALARM");
- break;
- default:
- printf("????");
- break;
- }
- printf(" (%d) flags: %d\n", ace->type, ace->flags);
- display_sec_access(&ace->info);
- sid_to_string(sid_str, &ace->trustee);
- printf("\t\tSID: %s\n\n", sid_str);
-}
-
-/****************************************************************************
- display sec_acl structure
- ****************************************************************************/
-void display_sec_acl(SEC_ACL *sec_acl)
-{
- int i;
-
- printf("\tACL\tNum ACEs:\t%d\trevision:\t%x\n",
- sec_acl->num_aces, sec_acl->revision);
- printf("\t---\n");
-
- if (sec_acl->size != 0 && sec_acl->num_aces != 0)
- for (i = 0; i < sec_acl->num_aces; i++)
- display_sec_ace(&sec_acl->ace[i]);
-
-}
-
-/****************************************************************************
- display sec_desc structure
- ****************************************************************************/
-void display_sec_desc(SEC_DESC *sec)
-{
- fstring sid_str;
-
- if (sec->off_sacl != 0) {
- printf("S-ACL\n");
- display_sec_acl(sec->sacl);
- }
-
- if (sec->off_dacl != 0) {
- printf("D-ACL\n");
- display_sec_acl(sec->dacl);
- }
-
- if (sec->off_owner_sid != 0) {
- sid_to_string(sid_str, sec->owner_sid);
- printf("\tOwner SID:\t%s\n", sid_str);
- }
-
- if (sec->off_grp_sid != 0) {
- sid_to_string(sid_str, sec->grp_sid);
- printf("\tParent SID:\t%s\n", sid_str);
- }
-}
-
 /****************************************************************************
 display sam_user_info_21 structure
 ****************************************************************************/
@@ -1301,7 +1179,7 @@ struct cmd_set samr_commands[] = {
 { "samlookupnames", cmd_samr_lookup_names, PIPE_SAMR, "Look up names", "" },
 { "samlookuprids", cmd_samr_lookup_rids, PIPE_SAMR, "Look up names", "" },
 { "deletedomuser", cmd_samr_delete_dom_user, PIPE_SAMR, "Delete domain user", "" },
- { "querysecobj", cmd_samr_query_sec_obj, PIPE_SAMR, "Query security object", "" },
+ { "samquerysecobj", cmd_samr_query_sec_obj, PIPE_SAMR, "Query SAMR security object", "" },
 { NULL }
 };
 
diff --git a/source3/rpcclient/cmd_spoolss.c b/source3/rpcclient/cmd_spoolss.c
index 2f80295a53..1e521473d4 100644
--- a/source3/rpcclient/cmd_spoolss.c
+++ b/source3/rpcclient/cmd_spoolss.c
@@ -82,58 +82,6 @@ static NTSTATUS cmd_spoolss_not_implemented(struct cli_state *cli,
 return NT_STATUS_OK;
 }
 
-/****************************************************************************
- display sec_ace structure
- ****************************************************************************/
-static void display_sec_ace(SEC_ACE *ace)
-{
- fstring sid_str;
-
- sid_to_string(sid_str, &ace->trustee);
- printf("\t\tSID: %s\n", sid_str);
-
- printf("\t\ttype:[%d], flags:[0x%02x], mask:[0x%08x]\n",
- ace->type, ace->flags, ace->info.mask);
-}
-
-/****************************************************************************
- display sec_acl structure
- ****************************************************************************/
-static void display_sec_acl(SEC_ACL *acl)
-{
- if (acl->size != 0 && acl->num_aces != 0) {
- int i;
-
- printf("\t\tRevision:[%d]\n", acl->revision);
- for (i = 0; i < acl->num_aces; i++) {
- display_sec_ace(&acl->ace[i]);
- }
- }
-}
-
-/****************************************************************************
- display sec_desc structure
- ****************************************************************************/
-static void display_sec_desc(SEC_DESC *sec)
-{
- fstring sid_str;
-
- printf("\tRevision:[%d]\n", sec->revision);
-
- if (sec->off_owner_sid) {
- sid_to_string(sid_str, sec->owner_sid);
- printf("\tOwner SID: %s\n", sid_str);
- }
-
- if (sec->off_grp_sid) {
- sid_to_string(sid_str, sec->grp_sid);
- printf("\tGroup SID: %s\n", sid_str);
- }
-
- if (sec->off_sacl) display_sec_acl(sec->sacl);
- if (sec->off_dacl) display_sec_acl(sec->dacl);
-}
-
 /***********************************************************************
 * Get printer information
 */
diff --git a/source3/rpcclient/display_sec.c b/source3/rpcclient/display_sec.c
index a428a95686..009f88e49b 100644
--- a/source3/rpcclient/display_sec.c
+++ b/source3/rpcclient/display_sec.c
@@ -23,67 +23,40 @@
 #include "includes.h"
 #include "rpcclient.h"
 
-
 /****************************************************************************
 convert a security permissions into a string
 ****************************************************************************/
-static const char *get_sec_mask_str(uint32 type)
+char *get_sec_mask_str(uint32 type)
 {
- static fstring typestr;
+ static fstring typestr="";
 int i;
 
- switch (type)
- {
- case SEC_RIGHTS_FULL_CONTROL:
- {
- fstrcpy(typestr, "Full Control");
- return typestr;
- }
-
- case SEC_RIGHTS_READ:
- {
- fstrcpy(typestr, "Read");
- return typestr;
- }
- default:
- {
- break;
- }
- }
-
 typestr[0] = 0;
 
- for (i = 0; i < 32; i++)
- {
- if (type & (1 << i))
- {
- switch (1 << i)
- {
- case SEC_RIGHTS_QUERY_VALUE : fstrcat(typestr, "Query " ); break;
- case SEC_RIGHTS_SET_VALUE : fstrcat(typestr, "Set " ); break;
- case SEC_RIGHTS_CREATE_SUBKEY : fstrcat(typestr, "Create "); break;
- case SEC_RIGHTS_ENUM_SUBKEYS : fstrcat(typestr, "Enum "); break;
- case SEC_RIGHTS_NOTIFY : fstrcat(typestr, "Notify "); break;
- case SEC_RIGHTS_CREATE_LINK : fstrcat(typestr, "CreateLink "); break;
- case DELETE_ACCESS : fstrcat(typestr, "Delete "); break;
- case READ_CONTROL_ACCESS : fstrcat(typestr, "ReadControl "); break;
- case WRITE_DAC_ACCESS : fstrcat(typestr, "WriteDAC "); break;
- case WRITE_OWNER_ACCESS : fstrcat(typestr, "WriteOwner "); break;
- }
- type &= ~(1 << i);
- }
- }
-
- /* remaining bits get added on as-is */
- if (type != 0)
- {
- fstring tmp;
- slprintf(tmp, sizeof(tmp)-1, "[%08x]", type);
- fstrcat(typestr, tmp);
- }
- /* remove last space */
- i = strlen(typestr)-1;
- if (typestr[i] == ' ') typestr[i] = 0;
+ if (type & GENERIC_ALL_ACCESS)
+ fstrcat(typestr, "Generic all access ");
+ if (type & GENERIC_EXECUTE_ACCESS)
+ fstrcat(typestr, "Generic execute access ");
+ if (type & GENERIC_WRITE_ACCESS)
+ fstrcat(typestr, "Generic write access ");
+ if (type & GENERIC_READ_ACCESS)
+ fstrcat(typestr, "Generic read access ");
+ if (type & MAXIMUM_ALLOWED_ACCESS)
+ fstrcat(typestr, "MAXIMUM_ALLOWED_ACCESS ");
+ if (type & SYSTEM_SECURITY_ACCESS)
+ fstrcat(typestr, "SYSTEM_SECURITY_ACCESS ");
+ if (type & SYNCHRONIZE_ACCESS)
+ fstrcat(typestr, "SYNCHRONIZE_ACCESS ");
+ if (type & WRITE_OWNER_ACCESS)
+ fstrcat(typestr, "WRITE_OWNER_ACCESS ");
+ if (type & WRITE_DAC_ACCESS)
+ fstrcat(typestr, "WRITE_DAC_ACCESS ");
+ if (type & READ_CONTROL_ACCESS)
+ fstrcat(typestr, "READ_CONTROL_ACCESS ");
+ if (type & DELETE_ACCESS)
+ fstrcat(typestr, "DELETE_ACCESS ");
+
+ printf("Specific bits: 0x%x\n", type&SPECIFIC_RIGHTS_MASK);
 
 return typestr;
 }
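Review bot: `int i;` in get_sec_mask_str() is now an unused variable — the bit loop that indexed with it was deleted and the new body never references it — so drop the declaration to keep the build warning-free. The `printf("Specific bits: 0x%x\n", …)` placed inside a string-conversion helper is a side effect that surfaces oddly at the call site: display_sec_access() in this file evaluates get_sec_mask_str() as a printf argument, so the "Specific bits" line is emitted before the "Permissions:" line it belongs to; either append those bits to `typestr` the way the removed code appended unrecognised bits (`slprintf(tmp, sizeof(tmp)-1, "[%08x]", type & SPECIFIC_RIGHTS_MASK); fstrcat(typestr, tmp);`) or move the printf into the caller. The signature also drops `static const`: the function now exports a writable pointer to a single static `fstring`, so it is not reentrant and two callers holding the result at once see each other's text; `const char *` can be kept, since the callers visible in this patch only pass the result to `%s`.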
@@ -91,152 +64,83 @@ static const char *get_sec_mask_str(uint32 type)
 /****************************************************************************
 display sec_access structure
 ****************************************************************************/
-static void display_sec_access(FILE *out_hnd, enum action_type action, SEC_ACCESS *const info)
+void display_sec_access(SEC_ACCESS *info)
 {
- switch (action)
- {
- case ACTION_HEADER:
- {
- break;
- }
- case ACTION_ENUMERATE:
- {
- report(out_hnd, "\t\tPermissions:\t%s\n",
- get_sec_mask_str(info->mask));
- }
- case ACTION_FOOTER:
- {
- break;
- }
- }
+ printf("\t\tPermissions: 0x%x: %s\n", info->mask, get_sec_mask_str(info->mask));
 }
 
 /****************************************************************************
 display sec_ace structure
 ****************************************************************************/
-static void display_sec_ace(FILE *out_hnd, enum action_type action, SEC_ACE *const ace)
+void display_sec_ace(SEC_ACE *ace)
 {
- switch (action)
- {
- case ACTION_HEADER:
- {
- report(out_hnd, "\tACE\n");
+ fstring sid_str;
+
+ printf("\tACE\n\t\ttype: ");
+ switch (ace->type) {
+ case SEC_ACE_TYPE_ACCESS_ALLOWED:
+ printf("ACCESS ALLOWED");
+ break;
+ case SEC_ACE_TYPE_ACCESS_DENIED:
+ printf("ACCESS DENIED");
 break;
- }
- case ACTION_ENUMERATE:
- {
- fstring sid_str;
-
- report(out_hnd,
- "\t\tType:%2x Flags:%2x Perms:%04x\n",
- ace->type, ace->flags,
- (uint32) ace->info.mask);
-
- display_sec_access(out_hnd, ACTION_HEADER , &ace->info);
- display_sec_access(out_hnd, ACTION_ENUMERATE, &ace->info);
- display_sec_access(out_hnd, ACTION_FOOTER , &ace->info);
-
- sid_to_string(sid_str, &ace->sid);
- report(out_hnd, "\t\tSID:\t%s\n", sid_str);
- }
- case ACTION_FOOTER:
- {
+ case SEC_ACE_TYPE_SYSTEM_AUDIT:
+ printf("SYSTEM AUDIT");
+ break;
+ case SEC_ACE_TYPE_SYSTEM_ALARM:
+ printf("SYSTEM ALARM");
+ break;
+ default:
+ printf("????");
 break;
- }
 }
+ printf(" (%d) flags: %d\n", ace->type, ace->flags);
+ display_sec_access(&ace->info);
+ sid_to_string(sid_str, &ace->trustee);
+ printf("\t\tSID: %s\n\n", sid_str);
 }
 
 /****************************************************************************
 display sec_acl structure
 ****************************************************************************/
-static void display_sec_acl(FILE *out_hnd, enum action_type action, SEC_ACL *const sec_acl)
+void display_sec_acl(SEC_ACL *sec_acl)
 {
- if (sec_acl == NULL)
- {
- return;
- }
- switch (action)
- {
- case ACTION_HEADER:
- {
- report(out_hnd, "\tACL\tNum ACEs:\t%d\trevision:\t%x\n",
- sec_acl->num_aces, sec_acl->revision);
- report(out_hnd, "\t---\n");
+ int i;
 
- break;
- }
- case ACTION_ENUMERATE:
- {
- if (sec_acl->size != 0 && sec_acl->num_aces != 0)
- {
- int i;
- for (i = 0; i < sec_acl->num_aces; i++)
- {
- display_sec_ace(out_hnd, ACTION_HEADER , &sec_acl->ace[i]);
- display_sec_ace(out_hnd, ACTION_ENUMERATE, &sec_acl->ace[i]);
- display_sec_ace(out_hnd, ACTION_FOOTER , &sec_acl->ace[i]);
- }
- }
+ printf("\tACL\tNum ACEs:\t%d\trevision:\t%x\n",
+ sec_acl->num_aces, sec_acl->revision);
+ printf("\t---\n");
+
+ if (sec_acl->size != 0 && sec_acl->num_aces != 0)
+ for (i = 0; i < sec_acl->num_aces; i++)
+ display_sec_ace(&sec_acl->ace[i]);
 
- break;
- }
- case ACTION_FOOTER:
- {
- report(out_hnd, "\n");
- break;
- }
- }
 }
 
 /****************************************************************************
 display sec_desc structure
 ****************************************************************************/
-void display_sec_desc(FILE *out_hnd, enum action_type action, SEC_DESC *const sec)
+void display_sec_desc(SEC_DESC *sec)
 {
- switch (action)
- {
- case ACTION_HEADER:
- {
- report(out_hnd, "\tSecurity Descriptor\trevision:\t%x\ttype:\t%x\n",
- sec->revision, sec->type);
- report(out_hnd, "\t-------------------\n");
+ fstring sid_str;
 
- break;
- }
- case ACTION_ENUMERATE:
- {
- fstring sid_str;
-
- if (sec->off_sacl != 0)
- {
- display_sec_acl(out_hnd, ACTION_HEADER , sec->sacl);
- display_sec_acl(out_hnd, ACTION_ENUMERATE, sec->sacl);
- display_sec_acl(out_hnd, ACTION_FOOTER , sec->sacl);
- }
- if (sec->off_dacl != 0)
- {
- display_sec_acl(out_hnd, ACTION_HEADER , sec->dacl);
- display_sec_acl(out_hnd, ACTION_ENUMERATE, sec->dacl);
- display_sec_acl(out_hnd, ACTION_FOOTER , sec->dacl);
- }
- if (sec->off_owner_sid != 0)
- {
- sid_to_string(sid_str, sec->owner_sid);
- report(out_hnd, "\tOwner SID:\t%s\n", sid_str);
- }
- if (sec->off_grp_sid != 0)
- {
- sid_to_string(sid_str, sec->grp_sid);
- report(out_hnd, "\tParent SID:\t%s\n", sid_str);
- }
-
- break;
- }
- case ACTION_FOOTER:
- {
- report(out_hnd, "\n");
- break;
- }
+ if (sec->off_sacl != 0) {
+ printf("S-ACL\n");
+ display_sec_acl(sec->sacl);
+ }
+
+ if (sec->off_dacl != 0) {
+ printf("D-ACL\n");
+ display_sec_acl(sec->dacl);
 }
-}
 
+ if (sec->off_owner_sid != 0) {
+ sid_to_string(sid_str, sec->owner_sid);
+ printf("\tOwner SID:\t%s\n", sid_str);
+ }
+
+ if (sec->off_grp_sid != 0) {
+ sid_to_string(sid_str, sec->grp_sid);
+ printf("\tParent SID:\t%s\n", sid_str);
+ }
+}
--
cgit
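Review bot: display_sec_acl() dropped the `if (sec_acl == NULL) return;` guard its predecessor had, while display_sec_desc() still decides by `sec->off_sacl != 0` / `sec->off_dacl != 0` rather than by the ACL pointer itself, so a descriptor whose offset is non-zero but whose ACL pointer was left NULL by the unmarshaller (whether that can happen is not visible in this hunk) now dereferences NULL at `sec_acl->num_aces`; put `if (sec_acl == NULL) return;` back as the first statement. The descriptor-level header the old ACTION_HEADER branch printed (`sec->revision` and `sec->type`) is gone from display_sec_desc(); since `type` is presumably the SD control word that says whether a DACL/SACL is present at all, keep one line such as `printf("\tSecurity Descriptor\trevision:\t%x\ttype:\t%x\n", sec->revision, sec->type);`. Minor: display_sec_ace() prints the ACE `flags` bit mask with `%d`; `0x%x` matches how the access mask is shown on the following line and how the removed code printed the flags.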