/* Unix SMB/Netbios implementation. Version 1.9. Security context tests Copyright (C) Tim Potter 2000 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */ #include "includes.h" #include "se_access_check_utils.h" /* Globals */ BOOL failed; SEC_DESC *sd; struct ace_entry acl_printer[] = { /* Everyone is allowed to print */ { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT, PRINTER_ACE_PRINT, "S-1-1-0" }, /* Except for user0 who uses too much paper */ { SEC_ACE_TYPE_ACCESS_DENIED, SEC_ACE_FLAG_CONTAINER_INHERIT, PRINTER_ACE_FULL_CONTROL, "user0" }, /* Users 1 and 2 can manage documents */ { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT, PRINTER_ACE_MANAGE_DOCUMENTS, "user1" }, { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT, PRINTER_ACE_MANAGE_DOCUMENTS, "user2" }, /* Domain Admins can also manage documents */ { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT, PRINTER_ACE_MANAGE_DOCUMENTS, "Domain Admins" }, /* User 3 is da man */ { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT, PRINTER_ACE_FULL_CONTROL, "user3" }, { 0, 0, 0, NULL} }; BOOL test_user(char *username, uint32 acc_desired, uint32 *acc_granted) { struct passwd *pw; uint32 status; if (!(pw = getpwnam(username))) { printf("FAIL: could not lookup user info for %s\n", username); exit(1); } return se_access_check(sd, pw->pw_uid, pw->pw_gid, 0, NULL, acc_desired, acc_granted, &status); } static char *pace_str(uint32 ace_flags) { if ((ace_flags & PRINTER_ACE_FULL_CONTROL) == PRINTER_ACE_FULL_CONTROL) return "full control"; if ((ace_flags & PRINTER_ACE_MANAGE_DOCUMENTS) == PRINTER_ACE_MANAGE_DOCUMENTS) return "manage documents"; if ((ace_flags & PRINTER_ACE_PRINT) == PRINTER_ACE_PRINT) return "print"; return "UNKNOWN"; } uint32 perms[] = { PRINTER_ACE_PRINT, PRINTER_ACE_FULL_CONTROL, PRINTER_ACE_MANAGE_DOCUMENTS, 0 }; void runtest(void) { uint32 acc_granted; BOOL result; int i, j; for (i = 0; perms[i]; i++) { /* Test 10 users */ for (j = 0; j < 10; j++) { fstring name; /* Test user against ACL */ snprintf(name, sizeof(fstring), "%s/user%d", getenv("TEST_WORKGROUP"), j); result = test_user(name, perms[i], &acc_granted); printf("%s: %s %s 0x%08x\n", name, pace_str(perms[i]), result ? "TRUE " : "FALSE", acc_granted); /* Check results */ switch (perms[i]) { case PRINTER_ACE_PRINT: { if (!result || acc_granted != PRINTER_ACE_PRINT) { printf("FAIL: user %s can't print\n", name); failed = True; } break; } case PRINTER_ACE_FULL_CONTROL: { if (j == 3) { if (!result || acc_granted != PRINTER_ACE_FULL_CONTROL) { printf("FAIL: user %s doesn't " "have full control\n", name); failed = True; } } else { if (result || acc_granted != 0) { printf("FAIL: user %s has full " "control\n", name); failed = True; } } break; } case PRINTER_ACE_MANAGE_DOCUMENTS: { if (j == 1 || j == 2) { if (!result || acc_granted != PRINTER_ACE_MANAGE_DOCUMENTS) { printf("FAIL: user %s can't " "manage documents\n", name); failed = True; } } else { if (result || acc_granted != 0) { printf("FAIL: user %s can " "manage documents\n", name); failed = True; } } break; } default: printf("FAIL: internal error\n"); exit(1); } } } } /* Main function */ int main(int argc, char **argv) { /* Initialisation */ generate_wellknown_sids(); /* Create security descriptor */ sd = build_sec_desc(acl_printer, NULL, NULL_SID, NULL_SID); if (!sd) { printf("FAIL: could not build security descriptor\n"); return 1; } /* Run test */ runtest(); /* Return */ if (!failed) { printf("PASS\n"); return 0; } return 1; }