Logo Search packages:      
Sourcecode: samba-doc-ja version File versions

se_access_check_printer.c

/* 
   Unix SMB/Netbios implementation.
   Version 1.9.
   Security context tests
   Copyright (C) Tim Potter 2000
   
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.
   
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
   
   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/

#include "includes.h"
#include "se_access_check_utils.h"

/* Globals */

BOOL failed;
SEC_DESC *sd;

struct ace_entry acl_printer[] = {

      /* Everyone is allowed to print */

      { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
        PRINTER_ACE_PRINT, "S-1-1-0" },

      /* Except for user0 who uses too much paper */

      { SEC_ACE_TYPE_ACCESS_DENIED, SEC_ACE_FLAG_CONTAINER_INHERIT,
        PRINTER_ACE_FULL_CONTROL, "user0" },

      /* Users 1 and 2 can manage documents */

      { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
        PRINTER_ACE_MANAGE_DOCUMENTS, "user1" },

      { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
        PRINTER_ACE_MANAGE_DOCUMENTS, "user2" },

      /* Domain Admins can also manage documents */

      { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
        PRINTER_ACE_MANAGE_DOCUMENTS, "Domain Admins" },

      /* User 3 is da man */

      { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
        PRINTER_ACE_FULL_CONTROL, "user3" },

      { 0, 0, 0, NULL}
};

BOOL test_user(char *username, uint32 acc_desired, uint32 *acc_granted)
{
      struct passwd *pw;
      uint32 status;

      if (!(pw = getpwnam(username))) {
            printf("FAIL: could not lookup user info for %s\n",
                   username);
            exit(1);
      }

      return se_access_check(sd, pw->pw_uid, pw->pw_gid, 0, NULL,
                         acc_desired, acc_granted, &status);
}

static char *pace_str(uint32 ace_flags)
{
      if ((ace_flags & PRINTER_ACE_FULL_CONTROL) == 
          PRINTER_ACE_FULL_CONTROL) return "full control";

      if ((ace_flags & PRINTER_ACE_MANAGE_DOCUMENTS) ==
          PRINTER_ACE_MANAGE_DOCUMENTS) return "manage documents";

      if ((ace_flags & PRINTER_ACE_PRINT) == PRINTER_ACE_PRINT)
            return "print";

      return "UNKNOWN";
}

uint32 perms[] = {
      PRINTER_ACE_PRINT,
      PRINTER_ACE_FULL_CONTROL,
      PRINTER_ACE_MANAGE_DOCUMENTS,
      0
};

void runtest(void)
{
      uint32 acc_granted;
      BOOL result;
      int i, j;

      for (i = 0; perms[i]; i++) {

            /* Test 10 users */
            
            for (j = 0; j < 10; j++) {
                  fstring name;

                  /* Test user against ACL */

                  snprintf(name, sizeof(fstring), "%s/user%d", 
                         getenv("TEST_WORKGROUP"), j);
                  
                  result = test_user(name, perms[i], &acc_granted);

                  printf("%s: %s %s 0x%08x\n", name, 
                         pace_str(perms[i]), 
                         result ? "TRUE " : "FALSE", acc_granted);

                  /* Check results */

                  switch (perms[i]) {

                  case PRINTER_ACE_PRINT: {
                        if (!result || acc_granted !=
                            PRINTER_ACE_PRINT) {
                              printf("FAIL: user %s can't print\n",
                                     name);
                              failed = True;
                        }
                        break;
                  }

                  case PRINTER_ACE_FULL_CONTROL: {
                        if (j == 3) {
                              if (!result || acc_granted !=
                                  PRINTER_ACE_FULL_CONTROL) {
                                    printf("FAIL: user %s doesn't "
                                           "have full control\n",
                                           name);
                                    failed = True;
                              }
                        } else {
                              if (result || acc_granted != 0) {
                                    printf("FAIL: user %s has full "
                                           "control\n", name);
                                    failed = True;
                              }
                        }
                        break;
                  }
                  case PRINTER_ACE_MANAGE_DOCUMENTS: {
                        if (j == 1 || j == 2) {
                              if (!result || acc_granted !=
                                  PRINTER_ACE_MANAGE_DOCUMENTS) {
                                    printf("FAIL: user %s can't "
                                           "manage documents\n",
                                           name);
                                    failed = True;
                              }
                        } else {
                              if (result || acc_granted != 0) {
                                    printf("FAIL: user %s can "
                                           "manage documents\n",
                                           name);
                                    failed = True;
                              }
                        }
                        break;
                  }

                  default:
                        printf("FAIL: internal error\n");
                        exit(1);
                  }
            }
      }
}

/* Main function */

int main(int argc, char **argv)
{
      /* Initialisation */

      generate_wellknown_sids();

      /* Create security descriptor */

      sd = build_sec_desc(acl_printer, NULL, NULL_SID, NULL_SID);

      if (!sd) {
            printf("FAIL: could not build security descriptor\n");
            return 1;
      }

      /* Run test */

      runtest();

      /* Return */

        if (!failed) {
            printf("PASS\n");
            return 0;
      } 

      return 1;
}

Generated by  Doxygen 1.6.0   Back to index