| 1 | /*
|
|---|
| 2 | Unix SMB/Netbios implementation.
|
|---|
| 3 | Version 1.9.
|
|---|
| 4 | Security context tests
|
|---|
| 5 | Copyright (C) Tim Potter 2000
|
|---|
| 6 |
|
|---|
| 7 | This program is free software; you can redistribute it and/or modify
|
|---|
| 8 | it under the terms of the GNU General Public License as published by
|
|---|
| 9 | the Free Software Foundation; either version 2 of the License, or
|
|---|
| 10 | (at your option) any later version.
|
|---|
| 11 |
|
|---|
| 12 | This program is distributed in the hope that it will be useful,
|
|---|
| 13 | but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|---|
| 14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|---|
| 15 | GNU General Public License for more details.
|
|---|
| 16 |
|
|---|
| 17 | You should have received a copy of the GNU General Public License
|
|---|
| 18 | along with this program; if not, write to the Free Software
|
|---|
| 19 | Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
|---|
| 20 | */
|
|---|
| 21 |
|
|---|
| 22 | #include "includes.h"
|
|---|
| 23 | #include "se_access_check_utils.h"
|
|---|
| 24 |
|
|---|
| 25 | /* Globals */
|
|---|
| 26 |
|
|---|
| 27 | BOOL failed;
|
|---|
| 28 | SEC_DESC *sd;
|
|---|
| 29 |
|
|---|
| 30 | struct ace_entry acl_denysome[] = {
|
|---|
| 31 | { SEC_ACE_TYPE_ACCESS_DENIED, SEC_ACE_FLAG_CONTAINER_INHERIT,
|
|---|
| 32 | GENERIC_ALL_ACCESS, "user1" },
|
|---|
| 33 | { SEC_ACE_TYPE_ACCESS_DENIED, SEC_ACE_FLAG_CONTAINER_INHERIT,
|
|---|
| 34 | GENERIC_ALL_ACCESS, "user3" },
|
|---|
| 35 | { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
|
|---|
| 36 | GENERIC_ALL_ACCESS, "S-1-1-0" },
|
|---|
| 37 | { 0, 0, 0, NULL}
|
|---|
| 38 | };
|
|---|
| 39 |
|
|---|
| 40 | BOOL denysome_check(struct passwd *pw, int ngroups, gid_t *groups)
|
|---|
| 41 | {
|
|---|
| 42 | uint32 acc_granted, status;
|
|---|
| 43 | fstring name;
|
|---|
| 44 | BOOL result;
|
|---|
| 45 | int len1, len2;
|
|---|
| 46 |
|
|---|
| 47 | /* Check only user1 and user3 denied access */
|
|---|
| 48 |
|
|---|
| 49 | result = se_access_check(sd, pw->pw_uid, pw->pw_gid,
|
|---|
| 50 | ngroups, groups,
|
|---|
| 51 | SEC_RIGHTS_MAXIMUM_ALLOWED,
|
|---|
| 52 | &acc_granted, &status);
|
|---|
| 53 |
|
|---|
| 54 | len1 = (int)strlen(pw->pw_name) - strlen("user1");
|
|---|
| 55 | len2 = (int)strlen(pw->pw_name) - strlen("user3");
|
|---|
| 56 |
|
|---|
| 57 | if ((strncmp("user1", &pw->pw_name[MAX(len1, 0)],
|
|---|
| 58 | strlen("user1")) == 0) ||
|
|---|
| 59 | (strncmp("user3", &pw->pw_name[MAX(len2, 0)],
|
|---|
| 60 | strlen("user3")) == 0)) {
|
|---|
| 61 | if (result || acc_granted != 0) {
|
|---|
| 62 | printf("FAIL: access not denied for %s\n",
|
|---|
| 63 | pw->pw_name);
|
|---|
| 64 | }
|
|---|
| 65 | } else {
|
|---|
| 66 | if (!result || acc_granted != GENERIC_ALL_ACCESS) {
|
|---|
| 67 | printf("FAIL: access denied for %s\n", pw->pw_name);
|
|---|
| 68 | }
|
|---|
| 69 | }
|
|---|
| 70 |
|
|---|
| 71 | printf("result %s for user %s\n", result ? "allowed" : "denied",
|
|---|
| 72 | pw->pw_name);
|
|---|
| 73 |
|
|---|
| 74 | return True;
|
|---|
| 75 | }
|
|---|
| 76 |
|
|---|
| 77 | /* Main function */
|
|---|
| 78 |
|
|---|
| 79 | int main(int argc, char **argv)
|
|---|
| 80 | {
|
|---|
| 81 | /* Initialisation */
|
|---|
| 82 |
|
|---|
| 83 | generate_wellknown_sids();
|
|---|
| 84 |
|
|---|
| 85 | /* Create security descriptor */
|
|---|
| 86 |
|
|---|
| 87 | sd = build_sec_desc(acl_denysome, NULL, NULL_SID, NULL_SID);
|
|---|
| 88 |
|
|---|
| 89 | if (!sd) {
|
|---|
| 90 | printf("FAIL: could not build security descriptor\n");
|
|---|
| 91 | return 1;
|
|---|
| 92 | }
|
|---|
| 93 |
|
|---|
| 94 | /* Run test */
|
|---|
| 95 |
|
|---|
| 96 | visit_pwdb(denysome_check);
|
|---|
| 97 |
|
|---|
| 98 | /* Return */
|
|---|
| 99 |
|
|---|
| 100 | if (!failed) {
|
|---|
| 101 | printf("PASS\n");
|
|---|
| 102 | return 0;
|
|---|
| 103 | }
|
|---|
| 104 |
|
|---|
| 105 | return 1;
|
|---|
| 106 | }
|
|---|
