mirrors/ntfs-3g
0
0
Fork 0
mirror of https://git.code.sf.net/p/ntfs-3g/ntfs-3g.git synced 2024-11-23 18:14:24 +08:00
Code Issues Packages Projects Releases Wiki Activity

Added an option to secaudit for getting a user mapping proposal

Browse Source 
Get a user mapping proposal by designating a file created on Windows
by the user to be mapped to the current one on Linux.
This is expected to be easier to use than "usermap".
This commit is contained in:
Jean-Pierre André 2012-09-12 09:31:35 +02:00
parent 7c600754dd
commit 2223b8796c
1 changed files with 231 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

259
src/secaudit.c
View File

@ -10,6 +10,7 @@
* -h displaying hexadecimal security descriptors within a file
* -r recursing in a directory
* -s setting backed-up NTFS ACLs
* -u getting a user mapping proposal
* -v verbose (very verbose if set twice)
* also, if compile-time option is set
* -t run internal tests (with no access to storage)
@ -198,6 +199,10 @@
* Jul 2012, version 1.3.24
* - added self-tests for authenticated users
* - added display of ace-inherited flag
* - made runnable on OpenIndiana
*
* Aug 2012, version 1.4.0
* - added an option for user mapping proposal
*/
/*
@ -221,7 +226,7 @@
* General parameters which may have to be adapted to needs
*/
#define AUDT_VERSION "1.3.24"
#define AUDT_VERSION "1.4.0"
#define GET_FILE_SECURITY "ntfs_get_file_security"
#define SET_FILE_SECURITY "ntfs_set_file_security"
@ -477,7 +482,9 @@ unsigned int getfull(char*, const char*);
BOOL updatefull(const char *name, DWORD flags, char *attr);
BOOL setfull(const char*, int, BOOL);
BOOL singleshow(const char*);
void showmounted(const char*);
BOOL proposal(const char*, const char*);
BOOL showmounted(const char*);
BOOL processmounted(const char*);
BOOL recurseshow(const char*);
BOOL singleset(const char*, int);
BOOL recurseset(const char*, int);
@ -492,6 +499,7 @@ BOOL iterate(RECURSE, const char*, mode_t);
#else
BOOL backup(const char*, const char*);
BOOL listfiles(const char*, const char*);
BOOL mapproposal(const char*, const char*);
#endif
#if POSIXACLS
BOOL setfull_posix(const char *, const struct POSIX_SECURITY*, BOOL);
@ -639,6 +647,7 @@ BOOL opt_e; /* restore extra (currently windows attribs) */
BOOL opt_h; /* display an hexadecimal descriptor in a file */
BOOL opt_r; /* recursively apply to subdirectories */
BOOL opt_s; /* restore NTFS ACLs */
BOOL opt_u; /* user mapping proposal */
#if SELFTESTS & !USESTUBS
BOOL opt_t; /* run self-tests */
#endif
@ -4648,6 +4657,69 @@ BOOL setfull(const char *fullname, int mode, BOOL isdir)
return (err);
}
BOOL proposal(const char *name, const char *attr)
{
int uoff, goff;
int i;
u64 uauth, gauth;
int ucnt, gcnt;
int uid, gid;
BOOL err;
err = FALSE;
#ifdef WIN32
uid = gid = 0;
#else
uid = getuid();
gid = getgid();
#endif
uoff = get4l(attr,4);
uauth = get6h(attr,uoff+2);
ucnt = attr[uoff+1] & 255;
goff = get4l(attr,8);
gauth = get6h(attr,goff+2);
gcnt = attr[goff+1] & 255;
if ((ucnt == 5) && (gcnt == 5)
&& (uauth == 5) && (gauth == 5)
&& (get4l(attr,uoff+8) == 21) && (get4l(attr,goff+8) == 21)) {
printf("# User mapping proposal\n");
if (uid)
printf("%d::",uid);
else
printf("user::");
printf("S-%d-%llu",attr[uoff] & 255,uauth);
for (i=0; i<ucnt; i++)
printf("-%lu",get4l(attr,uoff+8+4*i));
printf("\n");
if (gid)
printf(":%d:",gid);
else
printf(":group:");
printf("S-%d-%llu",attr[goff] & 255,gauth);
for (i=0; i<gcnt; i++)
printf("-%lu",get4l(attr,goff+8+4*i));
printf("\n");
/* generic rule, based on group */
printf("::S-%d-%llu",attr[goff] & 255,gauth);
for (i=0; i<gcnt-1; i++)
printf("-%lu",get4l(attr,goff+8+4*i));
printf("-10000\n");
if (!uid || !gid) {
printf("# Please replace \"user\" and \"group\" by the uid and gid\n");
printf("# of the Linux owner and group of ");
printname(stdout,name);
printf("\n");
}
} else {
printf("** Not possible : ");
printname(stdout,name);
printf(" was not created by a Windows user\n");
err = TRUE;
}
return (err);
}
#ifdef WIN32
/*
@ -4885,6 +4957,31 @@ BOOL singleshow(const char *fullname)
return (err);
}
BOOL mapproposal(const char *fullname)
{
char attr[256];
ULONG attrsz;
int attrib;
int err;
err = FALSE;
attrsz = 0;
attrib = GetFileAttributesW((LPCWSTR)fullname);
if ((attrib != INVALID_FILE_ATTRIBUTES)
&& GetFileSecurityW((LPCWSTR)fullname,
OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION,
(char*)attr,256,&attrsz)) {
err = proposal(fullname,attr);
} else {
printf("** Could not access ");
printname(stdout,fullname);
printf("\n");
printerror(stdout);
err = TRUE;
}
return (err);
}
#if POSIXACLS
BOOL recurseset_posix(const char *fullname, const struct POSIX_SECURITY *pxdesc)
@ -5273,7 +5370,7 @@ static ssize_t ntfs_getxattr(const char *path, const char *name, void *value, si
* Display all the parameters associated to a mounted file
*/
void showmounted(const char *fullname)
BOOL showmounted(const char *fullname)
{
static char attr[MAXATTRSZ];
@ -5289,7 +5386,9 @@ void showmounted(const char *fullname)
u32 attrib;
int level;
BOOL isdir;
BOOL err;
err = FALSE;
if (!stat(fullname,&st)) {
isdir = S_ISDIR(st.st_mode);
printf("%s ",(isdir ? "Directory" : "File"));
@ -5360,21 +5459,65 @@ void showmounted(const char *fullname)
if (mapped)
ntfs_free_mapping(context.mapping);
#endif
} else
} else {
printf("Descriptor fails sanity check\n");
errors++;
}
} else {
printf("** Could not get the NTFS ACL, check whether file is on NTFS\n");
errors++;
}
} else
} else {
printf("%s not found\n",fullname);
err = TRUE;
}
return (err);
}
BOOL processmounted(const char *fullname)
{
static char attr[MAXATTRSZ];
struct stat st;
int attrsz;
BOOL err;
err = FALSE;
if (!opt_u)
err = showmounted(fullname);
else
if (!stat(fullname,&st)) {
attrsz = ntfs_getxattr(fullname,"system.ntfs_acl",attr,MAXATTRSZ);
if (attrsz > 0) {
if (opt_v) {
hexdump(attr,attrsz,8);
printf("Computed hash : 0x%08lx\n",
(unsigned long)hash((le32*)attr,attrsz));
}
if (ntfs_valid_descr(attr,attrsz)) {
err = proposal(fullname, attr);
} else {
printf("*** Descriptor fails sanity check\n");
errors++;
}
} else {
printf("** Could not get the NTFS ACL, check whether file is on NTFS\n");
errors++;
}
} else {
printf("%s not found\n",fullname);
err = TRUE;
}
return (err);
}
#else /* HAVE_SETXATTR */
void showmounted(const char *fullname __attribute__((unused)))
BOOL processmounted(const char *fullname __attribute__((unused)))
{
fprintf(stderr,"Not possible on this configuration\n");
fprintf(stderr,"Not possible on this configuration,\n");
fprintf(stderr,"you have to use an unmounted partition\n");
return (TRUE);
}
#endif /* HAVE_SETXATTR */
@ -5688,6 +5831,47 @@ BOOL listfiles(const char *volume, const char *root)
return (err);
}
BOOL mapproposal(const char *volume, const char *name)
{
BOOL err;
u32 attrsz;
int securindex;
char attr[256]; /* header (20) and a couple of SIDs (max 40 each) */
err = FALSE;
if (!getuid() && open_security_api()) {
if (open_volume(volume,MS_RDONLY)) {
attrsz = 0;
securindex = ntfs_get_file_security(ntfs_context,name,
OWNER_SECURITY_INFORMATION
| GROUP_SECURITY_INFORMATION,
(char*)attr,MAXATTRSZ,&attrsz);
if (securindex)
err = proposal(name,attr);
else {
fprintf(stderr,"*** Could not get the ACL of %s\n",
name);
printerror(stdout);
errors++;
}
close_volume(volume);
} else {
fprintf(stderr,"Could not open volume %s\n",volume);
printerror(stdout);
err = TRUE;
}
close_security_api();
} else {
if (getuid())
fprintf(stderr,"This is only possible as root\n");
else
fprintf(stderr,"Could not open security API\n");
err = TRUE;
}
return (err);
}
#endif
#ifndef WIN32
@ -6718,7 +6902,7 @@ int getoptions(int argc, char *argv[])
opt_a = FALSE;
opt_b = FALSE;
opt_e = FALSE;
opt_e = FALSE;
opt_h = FALSE;
#if FORCEMASK
opt_m = FALSE;
@ -6728,6 +6912,7 @@ int getoptions(int argc, char *argv[])
#if SELFTESTS & !USESTUBS
opt_t = FALSE;
#endif
opt_u = FALSE;
opt_v = 0;
xarg = 1;
err = FALSE;
@ -6767,6 +6952,9 @@ int getoptions(int argc, char *argv[])
opt_t = TRUE;
break;
#endif
case 'u' :
opt_u = TRUE;
break;
case 'v' :
opt_v++;
break;
@ -6778,7 +6966,7 @@ int getoptions(int argc, char *argv[])
narg = argc - xarg;
#ifdef WIN32
if ( ((opt_h || opt_s) && (narg > 1))
|| ((opt_r || opt_b) && ((narg < 1) || (narg > 2)))
|| ((opt_r || opt_b || opt_u) && ((narg < 1) || (narg > 2)))
#if SELFTESTS & !USESTUBS
|| (opt_t && (narg > 0))
#endif
@ -6812,6 +7000,8 @@ int getoptions(int argc, char *argv[])
fprintf(stderr," set the security parameters of file to perms\n");
fprintf(stderr," secaudit -r[v] perms directory\n");
fprintf(stderr," set the security parameters of files in directory to perms\n");
fprintf(stderr," secaudit -u file\n");
fprintf(stderr," get a user mapping proposal applicable to file\n");
#if POSIXACLS
fprintf(stderr," Note: perms can be an octal mode or a Posix ACL description\n");
#else
@ -6822,12 +7012,13 @@ int getoptions(int argc, char *argv[])
#else
if ( (opt_h && (narg > 1))
|| (opt_a && (narg != 1))
|| ((opt_r || opt_b || opt_s) && ((narg < 1) || (narg > 3)))
|| ((opt_r || opt_b || opt_s || opt_u)
&& ((narg < 1) || (narg > 3)))
#if SELFTESTS & !USESTUBS
|| (opt_t && (narg > 0))
#endif
|| (opt_e && !opt_s)
|| (!opt_h && !opt_a && !opt_r && !opt_b && !opt_s
|| (!opt_h && !opt_a && !opt_r && !opt_b && !opt_s && !opt_u
#if SELFTESTS & !USESTUBS
&& !opt_t
#endif
@ -6861,8 +7052,12 @@ int getoptions(int argc, char *argv[])
fprintf(stderr," set the security parameters of file to perms\n");
fprintf(stderr," secaudit -r[v] volume perms directory\n");
fprintf(stderr," set the security parameters of files in directory to perms\n");
fprintf(stderr," secaudit -u volume file\n");
fprintf(stderr," get a user mapping proposal applicable to file\n");
#ifdef HAVE_SETXATTR
fprintf(stderr," special case, does not require being root :\n");
fprintf(stderr," special cases, do not require being root :\n");
fprintf(stderr," secaudit -u mounted-file\n");
fprintf(stderr," get a user mapping proposal applicable to mounted file\n");
fprintf(stderr," secaudit [-v] mounted-file\n");
fprintf(stderr," display the security parameters of a mounted file\n");
#endif
@ -7065,23 +7260,27 @@ char *argv[];
filename = (char*)malloc(2*size + 2);
if (filename) {
makeutf16(filename,argv[xarg]);
if (opt_u) {
cmderr = mapproposal(filename);
} else {
#if POSIXACLS
if (local_build_mapping(context.mapping,filename)) {
printf("*** Could not get user mapping data\n");
warnings++;
}
if (local_build_mapping(context.mapping,filename)) {
printf("*** Could not get user mapping data\n");
warnings++;
}
#endif
if (opt_b)
cmderr = backup(filename);
else {
if (opt_r)
cmderr = listfiles(filename);
else
cmderr = singleshow(filename);
}
if (opt_b)
cmderr = backup(filename);
else {
if (opt_r)
cmderr = listfiles(filename);
else
cmderr = singleshow(filename);
}
#if POSIXACLS
ntfs_free_mapping(context.mapping);
ntfs_free_mapping(context.mapping);
#endif
}
free(filename);
} else {
fprintf(stderr,"No more memory\n");
@ -7195,7 +7394,8 @@ char *argv[];
printf("** %u %s found\n",errors,
(errors > 1 ? "errors were" : "error was"));
else
printf("No errors were found\n");
if (!cmderr)
printf("No errors were found\n");
if (!isatty(1)) {
fflush(stdout);
if (warnings)
@ -7280,7 +7480,7 @@ int main(int argc, char *argv[])
if (opt_s)
cmderr = dorestore(argv[xarg],stdin);
else
showmounted(argv[xarg]);
cmderr = processmounted(argv[xarg]);
break;
case 2 :
if (opt_b)
@ -7297,7 +7497,10 @@ int main(int argc, char *argv[])
cmderr = TRUE;
}
} else
cmderr = listfiles(argv[xarg],argv[xarg+1]);
if (opt_u)
cmderr = mapproposal(argv[xarg],argv[xarg+1]);
else
cmderr = listfiles(argv[xarg],argv[xarg+1]);
break;
case 3 :
p = argv[xarg+1];