| 1 | /*
|
|---|
| 2 | Unix SMB/Netbios implementation.
|
|---|
| 3 | Version 1.9.
|
|---|
| 4 | Security context tests
|
|---|
| 5 | Copyright (C) Tim Potter 2000
|
|---|
| 6 |
|
|---|
| 7 | This program is free software; you can redistribute it and/or modify
|
|---|
| 8 | it under the terms of the GNU General Public License as published by
|
|---|
| 9 | the Free Software Foundation; either version 2 of the License, or
|
|---|
| 10 | (at your option) any later version.
|
|---|
| 11 |
|
|---|
| 12 | This program is distributed in the hope that it will be useful,
|
|---|
| 13 | but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|---|
| 14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|---|
| 15 | GNU General Public License for more details.
|
|---|
| 16 |
|
|---|
| 17 | You should have received a copy of the GNU General Public License
|
|---|
| 18 | along with this program; if not, write to the Free Software
|
|---|
| 19 | Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
|---|
| 20 | */
|
|---|
| 21 |
|
|---|
| 22 | #include "includes.h"
|
|---|
| 23 | #include "se_access_check_utils.h"
|
|---|
| 24 |
|
|---|
| 25 | /* Globals */
|
|---|
| 26 |
|
|---|
| 27 | BOOL failed;
|
|---|
| 28 | SEC_DESC *sd;
|
|---|
| 29 |
|
|---|
| 30 | struct ace_entry acl_allowsome[] = {
|
|---|
| 31 | { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
|
|---|
| 32 | GENERIC_ALL_ACCESS, "user0" },
|
|---|
| 33 | { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
|
|---|
| 34 | GENERIC_ALL_ACCESS, "user2" },
|
|---|
| 35 | { 0, 0, 0, NULL}
|
|---|
| 36 | };
|
|---|
| 37 |
|
|---|
| 38 | BOOL allowsome_check(struct passwd *pw, int ngroups, gid_t *groups)
|
|---|
| 39 | {
|
|---|
| 40 | uint32 acc_granted, status;
|
|---|
| 41 | fstring name;
|
|---|
| 42 | BOOL result;
|
|---|
| 43 | int len1, len2;
|
|---|
| 44 |
|
|---|
| 45 | /* Check only user0 and user2 allowed access */
|
|---|
| 46 |
|
|---|
| 47 | result = se_access_check(sd, pw->pw_uid, pw->pw_gid,
|
|---|
| 48 | ngroups, groups,
|
|---|
| 49 | SEC_RIGHTS_MAXIMUM_ALLOWED,
|
|---|
| 50 | &acc_granted, &status);
|
|---|
| 51 |
|
|---|
| 52 | len1 = (int)strlen(pw->pw_name) - strlen("user0");
|
|---|
| 53 | len2 = (int)strlen(pw->pw_name) - strlen("user2");
|
|---|
| 54 |
|
|---|
| 55 | if ((strncmp("user0", &pw->pw_name[MAX(len1, 0)],
|
|---|
| 56 | strlen("user0")) == 0) ||
|
|---|
| 57 | (strncmp("user2", &pw->pw_name[MAX(len2, 0)],
|
|---|
| 58 | strlen("user2")) == 0)) {
|
|---|
| 59 | if (!result || acc_granted != GENERIC_ALL_ACCESS) {
|
|---|
| 60 | printf("FAIL: access not granted for %s\n",
|
|---|
| 61 | pw->pw_name);
|
|---|
| 62 | }
|
|---|
| 63 | } else {
|
|---|
| 64 | if (result || acc_granted != 0) {
|
|---|
| 65 | printf("FAIL: access granted for %s\n", pw->pw_name);
|
|---|
| 66 | }
|
|---|
| 67 | }
|
|---|
| 68 |
|
|---|
| 69 | printf("result %s for user %s\n", result ? "allowed" : "denied",
|
|---|
| 70 | pw->pw_name);
|
|---|
| 71 |
|
|---|
| 72 | return True;
|
|---|
| 73 | }
|
|---|
| 74 |
|
|---|
| 75 | /* Main function */
|
|---|
| 76 |
|
|---|
| 77 | int main(int argc, char **argv)
|
|---|
| 78 | {
|
|---|
| 79 | /* Initialisation */
|
|---|
| 80 |
|
|---|
| 81 | generate_wellknown_sids();
|
|---|
| 82 |
|
|---|
| 83 | /* Create security descriptor */
|
|---|
| 84 |
|
|---|
| 85 | sd = build_sec_desc(acl_allowsome, NULL, NULL_SID, NULL_SID);
|
|---|
| 86 |
|
|---|
| 87 | if (!sd) {
|
|---|
| 88 | printf("FAIL: could not build security descriptor\n");
|
|---|
| 89 | return 1;
|
|---|
| 90 | }
|
|---|
| 91 |
|
|---|
| 92 | /* Run test */
|
|---|
| 93 |
|
|---|
| 94 | visit_pwdb(allowsome_check);
|
|---|
| 95 |
|
|---|
| 96 | /* Return */
|
|---|
| 97 |
|
|---|
| 98 | if (!failed) {
|
|---|
| 99 | printf("PASS\n");
|
|---|
| 100 | return 0;
|
|---|
| 101 | }
|
|---|
| 102 |
|
|---|
| 103 | return 1;
|
|---|
| 104 | }
|
|---|
