blob: ca2264f5c55103657223052b7b5dd57ec26f7fbb
1 | /* |
2 | * Display and audit security attributes in an NTFS volume |
3 | * |
4 | * Copyright (c) 2007-2013 Jean-Pierre Andre |
5 | * |
6 | * Options : |
7 | * -a auditing security data |
8 | * -b backing up NTFS ACLs |
9 | * -e set extra backed-up parameters (in conjunction with -s) |
10 | * -h displaying hexadecimal security descriptors within a file |
11 | * -r recursing in a directory |
12 | * -s setting backed-up NTFS ACLs |
13 | * -u getting a user mapping proposal |
14 | * -v verbose (very verbose if set twice) |
15 | * also, if compile-time option is set |
16 | * -t run internal tests (with no access to storage) |
17 | * |
18 | * On Linux (being root, with volume not mounted) : |
19 | * secaudit -h [file] |
20 | * display the security descriptors found in file |
21 | * secaudit -a[rv] volume |
22 | * audit the volume |
23 | * secaudit [-v] volume file |
24 | * display the security parameters of file |
25 | * secaudit -r[v] volume directory |
26 | * display the security parameters of files in directory |
27 | * secaudit -b[v] volume [directory] |
28 | * backup the security parameters of files in directory |
29 | * secaudit -s[ve] volume [backupfile] |
30 | * set the security parameters as indicated in backup |
31 | * with -e set extra parameters (Windows attrib) |
32 | * secaudit volume perms file |
33 | * set the security parameters of file to perms (mode or acl) |
34 | * secaudit -r[v] volume perms directory |
35 | * set the security parameters of files in directory to perms |
36 | * special case, does not require being root : |
37 | * secaudit [-v] mounted-file |
38 | * display the security parameters of mounted file |
39 | * |
40 | * |
41 | * On Windows (the volume being part of file name) |
42 | * secaudit -h [file] |
43 | * display the security descriptors found in file |
44 | * secaudit [-v] file |
45 | * display the security parameters of file |
46 | * secaudit -r[v] directory |
47 | * display the security parameters of files in directory |
48 | * secaudit -b[v] directory |
49 | * backup the security parameters of files in directory |
50 | * secaudit -s[v] [backupfile] |
51 | * set the security parameters as indicated in backup |
52 | * with -e set extra parameters (Windows attrib) |
53 | * secaudit perms file |
54 | * set the security parameters of file to perms (mode or acl) |
55 | * secaudit -r[v] perms directory |
56 | * set the security parameters of files in directory to perms |
57 | */ |
58 | |
59 | /* History |
60 | * |
61 | * Nov 2007 |
62 | * - first version, by concatenating miscellaneous utilities |
63 | * |
64 | * Jan 2008, version 1.0.1 |
65 | * - fixed mode displaying |
66 | * - added a global severe errors count |
67 | * |
68 | * Feb 2008, version 1.0.2 |
69 | * - implemented conversions for big-endian machines |
70 | * |
71 | * Mar 2008, version 1.0.3 |
72 | * - avoided consistency checks on $Secure when there is no such file |
73 | * |
74 | * Mar 2008, version 1.0.4 |
75 | * - changed ordering of ACE's |
76 | * - changed representation for special flags |
77 | * - defaulted to stdin for option -h |
78 | * - added self tests (compile time option) |
79 | * - fixed errors specific to big-endian computers |
80 | * |
81 | * Apr 2008, version 1.1.0 |
82 | * - developped Posix ACLs to NTFS ACLs conversions |
83 | * - developped NTFS ACLs backup and restore |
84 | * |
85 | * Apr 2008, version 1.1.1 |
86 | * - fixed an error specific to big-endian computers |
87 | * - checked hash value and fixed error report in restore |
88 | * - improved display in showhex() and restore() |
89 | * |
90 | * Apr 2008, version 1.1.2 |
91 | * - improved and fixed Posix ACLs to NTFS ACLs conversions |
92 | * |
93 | * Apr 2008, version 1.1.3 |
94 | * - reenabled recursion for setting a new mode or ACL |
95 | * - processed Unicode file names and displayed them as UTF-8 |
96 | * - allocated dynamically memory for file names when recursing |
97 | * |
98 | * May 2008, version 1.1.4 |
99 | * - all Unicode/UTF-8 strings checked and processed |
100 | * |
101 | * Jul 2008, version 1.1.5 |
102 | * - made Windows owner consistent with Linux owner when changing mode |
103 | * - allowed owner change on Windows when it does not match Linux owner |
104 | * - skipped currently unused code |
105 | * |
106 | * Aug 2008, version 1.2.0 |
107 | * - processed \.NTFS-3G\UserMapping on Windows |
108 | * - made use of user mappings through the security API or direct access |
109 | * - fixed a bug in restore |
110 | * - fixed UTF-8 conversions |
111 | * |
112 | * Sep 2008, version 1.3.0 |
113 | * - split the code to have part of it shared with ntfs-3g library |
114 | * - fixed testing for end of SDS block |
115 | * - added samples checking in selftest for easier debugging |
116 | * |
117 | * Oct 2008, version 1.3.1 |
118 | * - fixed outputting long long data when testing on a Palm organizer |
119 | * |
120 | * Dec 2008, version 1.3.2 |
121 | * - fixed restoring ACLs |
122 | * - added optional logging of ACL hashes to facilitate restore checks |
123 | * - fixed collecting SACLs |
124 | * - fixed setting special control flags |
125 | * - fixed clearing existing SACLs (Linux only) and DACLs |
126 | * - changed the sequencing of items when quering a security descriptor |
127 | * - avoided recursing on junctions and symlinks on Windows |
128 | * |
129 | * Jan 2009, version 1.3.3 |
130 | * - save/restore Windows attributes (code from Faisal) |
131 | * |
132 | * Mar 2009, version 1.3.4 |
133 | * - enabled displaying attributes of a mounted file over Linux |
134 | * |
135 | * Apr 2009, version 1.3.5 |
136 | * - fixed initialisation of stand-alone user mapping |
137 | * - fixed POSIXACL redefinition when included in the ntfs-3g package |
138 | * - fixed displaying of options |
139 | * - fixed a dependency on the shared library version used |
140 | * |
141 | * May 2009, version 1.3.6 |
142 | * - added new samples for self testing |
143 | * |
144 | * Jun 2009, version 1.3.7 |
145 | * - fixed displaying owner and group of a mounted file over Linux |
146 | * |
147 | * Jul 2009, version 1.3.8 |
148 | * - fixed again displaying owner and group of a mounted file over Linux |
149 | * - cleaned some code to avoid warnings |
150 | * |
151 | * Nov 2009, version 1.3.9 |
152 | * - allowed security descriptors up to 64K |
153 | * |
154 | * Nov 2009, version 1.3.10 |
155 | * - applied patches for MacOSX from Erik Larsson |
156 | * |
157 | * Nov 2009, version 1.3.11 |
158 | * - replace <attr/xattr.h> by <sys/xattr.h> (provided by glibc) |
159 | * |
160 | * Dec 2009, version 1.3.12 |
161 | * - worked around "const" possibly redefined in config.h |
162 | * |
163 | * Dec 2009, version 1.3.13 |
164 | * - fixed the return code of dorestore() |
165 | * |
166 | * Dec 2009, version 1.3.14 |
167 | * - adapted to opensolaris |
168 | * |
169 | * Jan 2010, version 1.3.15 |
170 | * - more adaptations to opensolaris |
171 | * - removed the fix for return code of dorestore() |
172 | * |
173 | * Jan 2010, version 1.3.16 |
174 | * - repeated the fix for return code of dorestore() |
175 | * |
176 | * Mar 2010, version 1.3.17 |
177 | * - adapted to new default user mapping |
178 | * - fixed #ifdef'd code for selftest |
179 | * |
180 | * May 2010, version 1.3.18 |
181 | * - redefined early error logging |
182 | * |
183 | * Mar 2011, version 1.3.19 |
184 | * - fixed interface to ntfs_initialize_file_security() |
185 | * |
186 | * Apr 2011, version 1.3.20 |
187 | * - fixed false memory leak detection |
188 | * |
189 | * Jun 2011, version 1.3.21 |
190 | * - cleaned a few unneeded variables |
191 | * |
192 | * Nov 2011, version 1.3.22 |
193 | * - added a distinctive prefix to owner and group SID |
194 | * - fixed a false memory leak detection |
195 | * |
196 | * Jun 2012, version 1.3.23 |
197 | * - added support for SACL (nickgarvey) |
198 | * |
199 | * Jul 2012, version 1.3.24 |
200 | * - added self-tests for authenticated users |
201 | * - added display of ace-inherited flag |
202 | * - made runnable on OpenIndiana |
203 | * |
204 | * Aug 2012, version 1.4.0 |
205 | * - added an option for user mapping proposal |
206 | * |
207 | * Sep 2013, version 1.4.1 |
208 | * - silenced an aliasing warning by gcc >= 4.8 |
209 | */ |
210 | |
211 | /* |
212 | * This program is free software; you can redistribute it and/or modify |
213 | * it under the terms of the GNU General Public License as published by |
214 | * the Free Software Foundation; either version 2 of the License, or |
215 | * (at your option) any later version. |
216 | * |
217 | * This program is distributed in the hope that it will be useful, |
218 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
219 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
220 | * GNU General Public License for more details. |
221 | * |
222 | * You should have received a copy of the GNU General Public License |
223 | * along with this program (in the main directory of the NTFS-3G |
224 | * distribution in the file COPYING); if not, write to the Free Software |
225 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
226 | */ |
227 | |
228 | /* |
229 | * General parameters which may have to be adapted to needs |
230 | */ |
231 | |
232 | #define AUDT_VERSION "1.4.1" |
233 | |
234 | #define GET_FILE_SECURITY "ntfs_get_file_security" |
235 | #define SET_FILE_SECURITY "ntfs_set_file_security" |
236 | #define GET_FILE_ATTRIBUTES "ntfs_get_file_attributes" |
237 | #define SET_FILE_ATTRIBUTES "ntfs_set_file_attributes" |
238 | #define READ_DIRECTORY "ntfs_read_directory" |
239 | #define READ_SDS "ntfs_read_sds" |
240 | #define READ_SII "ntfs_read_sii" |
241 | #define READ_SDH "ntfs_read_sdh" |
242 | #define GET_USER "ntfs_get_user" |
243 | #define GET_GROUP "ntfs_get_group" |
244 | #define GET_USID "ntfs_get_usid" |
245 | #define GET_GSID "ntfs_get_gsid" |
246 | #define INIT_FILE_SECURITY "ntfs_initialize_file_security" |
247 | #define LEAVE_FILE_SECURITY "ntfs_leave_file_security" |
248 | |
249 | /* |
250 | * External declarations |
251 | */ |
252 | |
253 | #include <stdio.h> |
254 | #include <time.h> |
255 | #include <string.h> |
256 | #include <stdlib.h> |
257 | #include <sys/types.h> |
258 | #include <fcntl.h> |
259 | #include <errno.h> |
260 | #include <stdarg.h> |
261 | |
262 | /* |
263 | * integration into secaudit, check whether Win32, |
264 | * may have to be adapted to compiler or something else |
265 | */ |
266 | |
267 | #ifndef WIN32 |
268 | #if defined(__WIN32) | defined(__WIN32__) | defined(WNSC) |
269 | #define WIN32 1 |
270 | #endif |
271 | #endif |
272 | |
273 | /* |
274 | * integration into secaudit/Win32 |
275 | */ |
276 | #ifdef WIN32 |
277 | #include <windows.h> |
278 | #define __LITTLE_ENDIAN 1234 |
279 | #define __BYTE_ORDER __LITTLE_ENDIAN |
280 | #else |
281 | /* |
282 | * integration into secaudit/STSC |
283 | */ |
284 | #ifdef STSC |
285 | #include <stat.h> |
286 | #undef __BYTE_ORDER |
287 | #define __BYTE_ORDER __BIG_ENDIAN |
288 | #else |
289 | /* |
290 | * integration into secaudit/Linux |
291 | */ |
292 | |
293 | #include <sys/stat.h> |
294 | #ifdef HAVE_ENDIAN_H |
295 | #include <endian.h> |
296 | #endif |
297 | #ifdef HAVE_MACHINE_ENDIAN_H |
298 | #include <machine/endian.h> |
299 | #endif |
300 | #include <unistd.h> |
301 | #include <dlfcn.h> |
302 | #endif /* STSC */ |
303 | #endif /* WIN32 */ |
304 | #include "secaudit.h" |
305 | |
306 | #ifndef WIN32 |
307 | |
308 | #ifndef STSC |
309 | |
310 | #if !defined(HAVE_CONFIG_H) && POSIXACLS && !defined(__SVR4) |
311 | /* require <sys/xattr.h> if not integrated into ntfs-3g package */ |
312 | #define HAVE_SETXATTR 1 |
313 | #endif |
314 | |
315 | #ifdef HAVE_CONFIG_H |
316 | #ifdef _FILE_OFFSET_BITS |
317 | #undef _FILE_OFFSET_BITS /* work around "_FILE_OFFSET_BITS" possibly already defined */ |
318 | #endif |
319 | /* <sys/xattr.h> according to config.h if integrated into ntfs-3g package */ |
320 | #include "config.h" |
321 | #ifdef const /* work around "const" possibly redefined in config.h */ |
322 | #undef const |
323 | #endif |
324 | #ifndef POSIXACLS |
325 | #define POSIXACLS 0 |
326 | #endif |
327 | #endif /* HAVE_CONFIG_H */ |
328 | |
329 | #ifdef HAVE_SETXATTR |
330 | #include <sys/xattr.h> |
331 | #else |
332 | #warning "The extended attribute package is not available" |
333 | #endif /* HAVE_SETXATTR */ |
334 | |
335 | #endif /* STSC */ |
336 | |
337 | #define NTFS_MNT_NONE 0 /* no flag for mounting the device */ |
338 | #define NTFS_MNT_RDONLY 1 /* flag for mounting the device read-only */ |
339 | |
340 | struct CALLBACK; |
341 | |
342 | typedef int (*dircallback)(struct CALLBACK *context, char *ntfsname, |
343 | int length, int type, long long pos, u64 mft_ref, |
344 | unsigned int dt_type); |
345 | |
346 | #ifndef HAVE_SYSLOG_H |
347 | void ntfs_log_early_error(const char *format, ...) |
348 | __attribute__((format(printf, 1, 2))); |
349 | #endif |
350 | |
351 | #if USESTUBS | defined(STSC) |
352 | |
353 | int ntfs_get_file_security(void *scapi, |
354 | const char *path, DWORD selection, |
355 | char *buf, DWORD buflen, LPDWORD psize); |
356 | BOOL ntfs_set_file_security(void *scapi, |
357 | const char *path, DWORD selection, const char *attr); |
358 | int ntfs_get_file_attributes(void *scapi, |
359 | const char *path); |
360 | BOOL ntfs_set_file_attributes(void *scapi, |
361 | const char *path, DWORD attrib); |
362 | BOOL ntfs_read_directory(void *scapi, |
363 | const char *path, dircallback callback, void *context); |
364 | int ntfs_read_sds(void *scapi, |
365 | char *buf, DWORD buflen, DWORD offset); |
366 | void *ntfs_read_sii(void *scapi, void *entry); |
367 | void *ntfs_read_sdh(void *scapi, void *entry); |
368 | |
369 | int ntfs_get_usid(void *scapi, uid_t uid, char *buf); |
370 | int ntfs_get_gsid(void *scapi, gid_t gid, char *buf); |
371 | int ntfs_get_user(void *scapi, const char *usid); |
372 | int ntfs_get_group(void *scapi, const char *gsid); |
373 | |
374 | void *ntfs_initialize_file_security(const char *device, unsigned long flags); |
375 | BOOL ntfs_leave_file_security(void *scapi); |
376 | |
377 | #else |
378 | |
379 | typedef int (*type_get_file_security)(void *scapi, |
380 | const char *path, DWORD selection, |
381 | char *buf, DWORD buflen, LPDWORD psize); |
382 | typedef BOOL (*type_set_file_security)(void *scapi, |
383 | const char *path, DWORD selection, const char *attr); |
384 | typedef int (*type_get_file_attributes)(void *scapi, |
385 | const char *path); |
386 | typedef BOOL (*type_set_file_attributes)(void *scapi, |
387 | const char *path, DWORD attrib); |
388 | typedef BOOL (*type_read_directory)(void *scapi, |
389 | const char *path, dircallback callback, void *context); |
390 | typedef int (*type_read_sds)(void *scapi, |
391 | char *buf, DWORD buflen, DWORD offset); |
392 | typedef void *(*type_read_sii)(void *scapi, void *entry); |
393 | typedef void *(*type_read_sdh)(void *scapi, void *entry); |
394 | |
395 | typedef int (*type_get_usid)(void *scapi, uid_t uid, char *buf); |
396 | typedef int (*type_get_gsid)(void *scapi, gid_t gid, char *buf); |
397 | typedef int (*type_get_user)(void *scapi, const char *usid); |
398 | typedef int (*type_get_group)(void *scapi, const char *gsid); |
399 | |
400 | typedef void *(*type_initialize_file_security)(const char *device, |
401 | unsigned long flags); |
402 | typedef BOOL (*type_leave_file_security)(void *scapi); |
403 | |
404 | type_get_file_security ntfs_get_file_security; |
405 | type_set_file_security ntfs_set_file_security; |
406 | type_get_file_attributes ntfs_get_file_attributes; |
407 | type_set_file_attributes ntfs_set_file_attributes; |
408 | type_read_directory ntfs_read_directory; |
409 | type_read_sds ntfs_read_sds; |
410 | type_read_sii ntfs_read_sii; |
411 | type_read_sdh ntfs_read_sdh; |
412 | |
413 | type_get_usid ntfs_get_usid; |
414 | type_get_gsid ntfs_get_gsid; |
415 | type_get_user ntfs_get_user; |
416 | type_get_group ntfs_get_group; |
417 | |
418 | type_initialize_file_security ntfs_initialize_file_security; |
419 | type_leave_file_security ntfs_leave_file_security; |
420 | |
421 | |
422 | #endif /* USESTUBS | defined(STSC) */ |
423 | #endif /* WIN32 */ |
424 | |
425 | /* |
426 | * Prototypes for local functions |
427 | */ |
428 | |
429 | BOOL open_security_api(void); |
430 | BOOL close_security_api(void); |
431 | #ifndef WIN32 |
432 | BOOL open_volume(const char*, unsigned long flags); |
433 | BOOL close_volume(const char*); |
434 | #endif |
435 | unsigned int get2l(const char*, int); |
436 | unsigned long get4l(const char*, int); |
437 | u64 get6l(const char*, int); |
438 | u64 get6h(const char*, int); |
439 | u64 get8l(const char*, int); |
440 | void set2l(char*, unsigned int); |
441 | void set4l(char*, unsigned long); |
442 | void hexdump(const char*, int, int); |
443 | u32 hash(const le32*, int); |
444 | unsigned int utf8size(const char*, int); |
445 | unsigned int makeutf8(char*, const char*, int); |
446 | unsigned int utf16size(const char*); |
447 | unsigned int makeutf16(char*, const char*); |
448 | unsigned int utf16len(const char*); |
449 | void printname(FILE*, const char*); |
450 | void printerror(FILE*); |
451 | BOOL guess_dir(const char*); |
452 | void showsid(const char*, int, const char*, int); |
453 | void showusid(const char*, int); |
454 | void showgsid(const char*, int); |
455 | void showheader(const char*, int); |
456 | void showace(const char*, int, int, int); |
457 | void showacl(const char*, int, int, int); |
458 | void showdacl(const char*, int, int); |
459 | void showsacl(const char*, int, int); |
460 | void showall(const char*, int); |
461 | void showposix(const struct POSIX_SECURITY*); |
462 | int linux_permissions(const char*, BOOL); |
463 | uid_t linux_owner(const char*); |
464 | gid_t linux_group(const char*); |
465 | int basicread(void*, char*, size_t, off_t); |
466 | int dummyread(void*, char*, size_t, off_t); |
467 | int local_build_mapping(struct MAPPING *[], const char*); |
468 | void newblock(s32); |
469 | void freeblocks(void); |
470 | u32 getmsbhex(const char*); |
471 | u32 getlsbhex(const char*); |
472 | BOOL ishexdump(const char*, int, int); |
473 | void showhex(FILE*); |
474 | void showfull(const char*, BOOL); |
475 | BOOL applyattr(const char*, const char*, BOOL, int, s32); |
476 | BOOL restore(FILE*); |
477 | BOOL dorestore(const char*, FILE*); |
478 | u32 merge_rights(const struct POSIX_SECURITY*, BOOL); |
479 | void tryposix(struct POSIX_SECURITY*); |
480 | void check_samples(void); |
481 | void basictest(int, BOOL, const SID*, const SID*); |
482 | void posixtest(int, BOOL, const SID*, const SID*); |
483 | void selftests(void); |
484 | unsigned int getfull(char*, const char*); |
485 | BOOL updatefull(const char *name, DWORD flags, char *attr); |
486 | BOOL setfull(const char*, int, BOOL); |
487 | BOOL singleshow(const char*); |
488 | BOOL proposal(const char*, const char*); |
489 | BOOL showmounted(const char*); |
490 | BOOL processmounted(const char*); |
491 | BOOL recurseshow(const char*); |
492 | BOOL singleset(const char*, int); |
493 | BOOL recurseset(const char*, int); |
494 | #ifdef WIN32 |
495 | BOOL backup(const char*); |
496 | BOOL listfiles(const char*); |
497 | #if POSIXACLS |
498 | BOOL iterate(RECURSE, const char*, const struct POSIX_SECURITY*); |
499 | #else |
500 | BOOL iterate(RECURSE, const char*, mode_t); |
501 | #endif |
502 | #else |
503 | BOOL backup(const char*, const char*); |
504 | BOOL listfiles(const char*, const char*); |
505 | BOOL mapproposal(const char*, const char*); |
506 | #endif |
507 | #if POSIXACLS |
508 | BOOL setfull_posix(const char *, const struct POSIX_SECURITY*, BOOL); |
509 | struct POSIX_SECURITY *linux_permissions_posix(const char*, BOOL); |
510 | BOOL recurseset_posix(const char*, const struct POSIX_SECURITY*); |
511 | BOOL singleset_posix(const char*, const struct POSIX_SECURITY*); |
512 | struct POSIX_SECURITY *encode_posix_acl(const char*); |
513 | #endif |
514 | static void *stdmalloc(size_t); |
515 | static void stdfree(void*); |
516 | |
517 | BOOL valid_sds(const char*, unsigned int, unsigned int, |
518 | unsigned int, u32, BOOL); |
519 | BOOL valid_sii(const char*, u32); |
520 | BOOL valid_sdh(const char*, u32, u32); |
521 | int consist_sds(const char*, unsigned int, unsigned int, BOOL); |
522 | int consist_sii(const char*); |
523 | int consist_sdh(const char*); |
524 | int audit_sds(BOOL); |
525 | int audit_sii(void); |
526 | int audit_sdh(void); |
527 | void audit_summary(void); |
528 | BOOL audit(const char*); |
529 | int getoptions(int, char*[]); |
530 | |
531 | #ifndef WIN32 |
532 | |
533 | /* |
534 | * Structures for collecting directory contents (Linux only) |
535 | */ |
536 | |
537 | struct LINK { |
538 | struct LINK *next; |
539 | char name[1]; |
540 | } ; |
541 | |
542 | struct CALLBACK { |
543 | struct LINK *head; |
544 | const char *dir; |
545 | } ; |
546 | |
547 | int callback(struct CALLBACK *context, char *ntfsname, |
548 | int length, int type, long long pos, u64 mft_ref, |
549 | unsigned int dt_type); |
550 | #endif |
551 | |
552 | /* |
553 | * Global constants |
554 | */ |
555 | |
556 | #define BANNER "secaudit " AUDT_VERSION " : NTFS security data auditing" |
557 | |
558 | #if SELFTESTS & !USESTUBS |
559 | |
560 | /* |
561 | * Dummy mapping file (self tests only) |
562 | */ |
563 | |
564 | #define DUMMYAUTH "S-1-5-21-3141592653-589793238-462843383-" |
565 | char dummymapping[] = "500::" DUMMYAUTH "1000\n" |
566 | "501::" DUMMYAUTH "1001\n" |
567 | "502::" DUMMYAUTH "1002\n" |
568 | "503::" DUMMYAUTH "1003\n" |
569 | "516::" DUMMYAUTH "1016\n" |
570 | ":500:" DUMMYAUTH "513\r\n" |
571 | ":511:S-1-5-21-1607551490-981732888-1819828000-513\n" |
572 | ":516:" DUMMYAUTH "1012\r\n" |
573 | "::" DUMMYAUTH "10000\n"; |
574 | |
575 | /* |
576 | * SID for world (S-1-1-0) |
577 | */ |
578 | |
579 | static const char worldsidbytes[] = { |
580 | 1, /* revision */ |
581 | 1, /* auth count */ |
582 | 0, 0, 0, 0, 0, 1, /* base */ |
583 | 0, 0, 0, 0 /* 1st level */ |
584 | } ; |
585 | static const SID *worldsid = (const SID*)worldsidbytes; |
586 | |
587 | /* |
588 | * SID for authenticated user (S-1-5-11) |
589 | */ |
590 | |
591 | static const char authsidbytes[] = { |
592 | 1, /* revision */ |
593 | 1, /* auth count */ |
594 | 0, 0, 0, 0, 0, 5, /* base */ |
595 | 11, 0, 0, 0 /* 1st level */ |
596 | }; |
597 | |
598 | static const SID *authsid = (const SID*)authsidbytes; |
599 | |
600 | /* |
601 | * SID for administrator (S-1-5-32-544) |
602 | */ |
603 | |
604 | static const char adminsidbytes[] = { |
605 | 1, /* revision */ |
606 | 2, /* auth count */ |
607 | 0, 0, 0, 0, 0, 5, /* base */ |
608 | 32, 0, 0, 0, /* 1st level */ |
609 | 32, 2, 0, 0 /* 2nd level */ |
610 | }; |
611 | |
612 | static const SID *adminsid = (const SID*)adminsidbytes; |
613 | |
614 | /* |
615 | * SID for local users (S-1-5-32-545) |
616 | */ |
617 | |
618 | static const char localsidbytes[] = { |
619 | 1, /* revision */ |
620 | 2, /* auth count */ |
621 | 0, 0, 0, 0, 0, 5, /* base */ |
622 | 32, 0, 0, 0, /* 1st level */ |
623 | 33, 2, 0, 0 /* 2nd level */ |
624 | }; |
625 | |
626 | static const SID *localsid = (const SID*)localsidbytes; |
627 | |
628 | /* |
629 | * SID for system (S-1-5-18) |
630 | */ |
631 | |
632 | static const char systemsidbytes[] = { |
633 | 1, /* revision */ |
634 | 1, /* auth count */ |
635 | 0, 0, 0, 0, 0, 5, /* base */ |
636 | 18, 0, 0, 0 /* 1st level */ |
637 | }; |
638 | |
639 | static const SID *systemsid = (const SID*)systemsidbytes; |
640 | |
641 | #endif |
642 | |
643 | /* |
644 | * Global variables |
645 | */ |
646 | |
647 | BOOL opt_a; /* audit security data */ |
648 | BOOL opt_b; /* backup NTFS ACLs */ |
649 | BOOL opt_e; /* restore extra (currently windows attribs) */ |
650 | BOOL opt_h; /* display an hexadecimal descriptor in a file */ |
651 | BOOL opt_r; /* recursively apply to subdirectories */ |
652 | BOOL opt_s; /* restore NTFS ACLs */ |
653 | BOOL opt_u; /* user mapping proposal */ |
654 | #if SELFTESTS & !USESTUBS |
655 | BOOL opt_t; /* run self-tests */ |
656 | #endif |
657 | int opt_v; /* verbose or very verbose*/ |
658 | struct SECURITY_DATA *securdata[(MAXSECURID + (1 << SECBLKSZ) - 1)/(1 << SECBLKSZ)]; |
659 | #if FORCEMASK |
660 | BOOL opt_m; /* force a mask - dangerous */ |
661 | u32 forcemsk /* mask to force */ |
662 | #endif |
663 | unsigned int errors; /* number of severe errors */ |
664 | unsigned int warnings; /* number of non-severe errors */ |
665 | |
666 | struct CHKALLOC *firstalloc; |
667 | struct SECURITY_CONTEXT context; |
668 | MAPTYPE mappingtype; |
669 | |
670 | #ifdef STSC |
671 | #define static |
672 | #endif |
673 | |
674 | #ifndef WIN32 |
675 | |
676 | void *ntfs_handle; |
677 | void *ntfs_context = (void*)NULL; |
678 | |
679 | /* |
680 | * Open and close the security API (platform dependent) |
681 | */ |
682 | |
683 | BOOL open_security_api(void) |
684 | { |
685 | #if USESTUBS | defined(STSC) |
686 | return (TRUE); |
687 | #else |
688 | char *error; |
689 | BOOL err; |
690 | const char *libfile; |
691 | |
692 | err = TRUE; |
693 | libfile = getenv(ENVNTFS3G); |
694 | if (!libfile) |
695 | libfile = (sizeof(char*) == 8 ? LIBFILE64 : LIBFILE); |
696 | #ifdef __SVR4 |
697 | /* do not override library functions by caller ones */ |
698 | ntfs_handle = dlopen(libfile,RTLD_LAZY | RTLD_GROUP); |
699 | #else |
700 | ntfs_handle = dlopen(libfile,RTLD_LAZY); |
701 | #endif |
702 | if (ntfs_handle) { |
703 | ntfs_initialize_file_security = (type_initialize_file_security) |
704 | dlsym(ntfs_handle,INIT_FILE_SECURITY); |
705 | error = dlerror(); |
706 | if (error) |
707 | fprintf(stderr," %s\n",error); |
708 | else { |
709 | ntfs_leave_file_security = (type_leave_file_security) |
710 | dlsym(ntfs_handle,LEAVE_FILE_SECURITY); |
711 | ntfs_get_file_security = (type_get_file_security) |
712 | dlsym(ntfs_handle,GET_FILE_SECURITY); |
713 | ntfs_set_file_security = (type_set_file_security) |
714 | dlsym(ntfs_handle,SET_FILE_SECURITY); |
715 | ntfs_get_file_attributes = (type_get_file_attributes) |
716 | dlsym(ntfs_handle,GET_FILE_ATTRIBUTES); |
717 | ntfs_set_file_attributes = (type_set_file_attributes) |
718 | dlsym(ntfs_handle,SET_FILE_ATTRIBUTES); |
719 | ntfs_read_directory = (type_read_directory) |
720 | dlsym(ntfs_handle,READ_DIRECTORY); |
721 | ntfs_read_sds = (type_read_sds) |
722 | dlsym(ntfs_handle,READ_SDS); |
723 | ntfs_read_sii = (type_read_sii) |
724 | dlsym(ntfs_handle,READ_SII); |
725 | ntfs_read_sdh = (type_read_sdh) |
726 | dlsym(ntfs_handle,READ_SDH); |
727 | ntfs_get_user = (type_get_user) |
728 | dlsym(ntfs_handle,GET_USER); |
729 | ntfs_get_group = (type_get_group) |
730 | dlsym(ntfs_handle,GET_GROUP); |
731 | ntfs_get_usid = (type_get_usid) |
732 | dlsym(ntfs_handle,GET_USID); |
733 | ntfs_get_gsid = (type_get_gsid) |
734 | dlsym(ntfs_handle,GET_GSID); |
735 | err = !ntfs_initialize_file_security |
736 | || !ntfs_leave_file_security |
737 | || !ntfs_get_file_security |
738 | || !ntfs_set_file_security |
739 | || !ntfs_get_file_attributes |
740 | || !ntfs_set_file_attributes |
741 | || !ntfs_read_directory |
742 | || !ntfs_read_sds |
743 | || !ntfs_read_sii |
744 | || !ntfs_read_sdh |
745 | || !ntfs_get_user |
746 | || !ntfs_get_group |
747 | || !ntfs_get_usid |
748 | || !ntfs_get_gsid; |
749 | |
750 | if (error) |
751 | fprintf(stderr,"ntfs-3g API not available\n"); |
752 | } |
753 | } else { |
754 | fprintf(stderr,"Could not open ntfs-3g library\n"); |
755 | fprintf(stderr,"\nPlease set environment variable \"" ENVNTFS3G "\"\n"); |
756 | fprintf(stderr,"to appropriate path and retry\n"); |
757 | } |
758 | return (!err); |
759 | #endif /* USESTUBS | defined(STSC) */ |
760 | } |
761 | |
762 | BOOL close_security_api(void) |
763 | { |
764 | #if USESTUBS | defined(STSC) |
765 | return (0); |
766 | #else |
767 | return (!dlclose(ntfs_handle)); |
768 | #endif /* USESTUBS | defined(STSC) */ |
769 | } |
770 | |
771 | /* |
772 | * Open and close a volume (platform dependent) |
773 | * Assumes a single volume is opened |
774 | */ |
775 | |
776 | BOOL open_volume(const char *volume, unsigned long flags) |
777 | { |
778 | BOOL ok; |
779 | |
780 | ok = FALSE; |
781 | if (!ntfs_context) { |
782 | ntfs_context = ntfs_initialize_file_security(volume,flags); |
783 | if (ntfs_context) { |
784 | if (*(u32*)ntfs_context != MAGIC_API) { |
785 | fprintf(stderr,"Versions of ntfs-3g and secaudit" |
786 | " are not compatible\n"); |
787 | } else { |
788 | fprintf(stderr,"\"%s\" opened\n",volume); |
789 | mappingtype = MAPEXTERN; |
790 | ok = TRUE; |
791 | } |
792 | } else { |
793 | fprintf(stderr,"Could not open \"%s\"\n",volume); |
794 | fprintf(stderr,"Make sure \"%s\" is not mounted\n",volume); |
795 | } |
796 | } else |
797 | fprintf(stderr,"A volume is already open\n"); |
798 | return (ok); |
799 | } |
800 | |
801 | BOOL close_volume(const char *volume) |
802 | { |
803 | BOOL r; |
804 | |
805 | r = ntfs_leave_file_security(ntfs_context); |
806 | if (r) |
807 | fprintf(stderr,"\"%s\" closed\n",volume); |
808 | else |
809 | fprintf(stderr,"Could not close \"%s\"\n",volume); |
810 | ntfs_context = (void*)NULL; |
811 | return (r); |
812 | } |
813 | |
814 | #endif /* WIN32 */ |
815 | |
816 | /* |
817 | * Extract small or big endian data from an array of bytes |
818 | */ |
819 | |
820 | unsigned int get2l(const char *attr, int p) |
821 | { |
822 | int i; |
823 | unsigned int v; |
824 | |
825 | v = 0; |
826 | for (i=0; i<2; i++) |
827 | v += (attr[p+i] & 255) << (8*i); |
828 | return (v); |
829 | } |
830 | |
831 | unsigned long get4l(const char *attr, int p) |
832 | { |
833 | int i; |
834 | unsigned long v; |
835 | |
836 | v = 0; |
837 | for (i=0; i<4; i++) |
838 | v += ((long)(attr[p+i] & 255)) << (8*i); |
839 | return (v); |
840 | } |
841 | |
842 | u64 get6l(const char *attr, int p) |
843 | { |
844 | int i; |
845 | u64 v; |
846 | |
847 | v = 0; |
848 | for (i=0; i<6; i++) |
849 | v += ((long long)(attr[p+i] & 255)) << (8*i); |
850 | return (v); |
851 | } |
852 | |
853 | u64 get6h(const char *attr, int p) |
854 | { |
855 | int i; |
856 | u64 v; |
857 | |
858 | v = 0; |
859 | for (i=0; i<6; i++) |
860 | v = (v << 8) + (attr[p+i] & 255); |
861 | return (v); |
862 | } |
863 | |
864 | u64 get8l(const char *attr, int p) |
865 | { |
866 | int i; |
867 | u64 v; |
868 | |
869 | v = 0; |
870 | for (i=0; i<8; i++) |
871 | v += ((long long)(attr[p+i] & 255)) << (8*i); |
872 | return (v); |
873 | } |
874 | |
875 | /* |
876 | * Set small or big endian data into an array of bytes |
877 | */ |
878 | |
879 | void set2l(char *p, unsigned int v) |
880 | { |
881 | int i; |
882 | |
883 | for (i=0; i<2; i++) |
884 | p[i] = ((v >> 8*i) & 255); |
885 | } |
886 | |
887 | void set4l(char *p, unsigned long v) |
888 | { |
889 | int i; |
890 | |
891 | for (i=0; i<4; i++) |
892 | p[i] = ((v >> 8*i) & 255); |
893 | } |
894 | |
895 | |
896 | /* |
897 | * hexadecimal dump of an array of bytes |
898 | */ |
899 | |
900 | void hexdump(const char *attr, int size, int level) |
901 | { |
902 | int i,j; |
903 | |
904 | for (i=0; i<size; i+=16) { |
905 | if (level) |
906 | printf("%*c",level,' '); |
907 | printf("%06x ",i); |
908 | for (j=i; (j<(i+16)) && (j<size); j++) |
909 | printf((j & 3 ? "%02x" : " %02x"),attr[j] & 255); |
910 | printf("\n"); |
911 | } |
912 | } |
913 | |
914 | u32 hash(const le32 *buf, int size /* bytes */) |
915 | { |
916 | u32 h; |
917 | int i; |
918 | |
919 | h = 0; |
920 | for (i=0; 4*i<size; i++) |
921 | h = le32_to_cpu(buf[i]) + (h << 3) + ((h >> 29) & 7); |
922 | return (h); |
923 | } |
924 | |
925 | /* |
926 | * Evaluate the size of UTS-8 conversion of a UTF-16LE text |
927 | * trailing '\0' not accounted for |
928 | * Returns 0 for invalid input |
929 | */ |
930 | |
931 | unsigned int utf8size(const char *utf16, int length) |
932 | { |
933 | int i; |
934 | unsigned int size; |
935 | enum { BASE, SURR, ERR } state; |
936 | |
937 | size = 0; |
938 | state = BASE; |
939 | for (i=0; i<2*length; i+=2) { |
940 | switch (state) { |
941 | case BASE : |
942 | if (utf16[i+1] & 0xf8) { |
943 | if ((utf16[i+1] & 0xf8) == 0xd8) |
944 | state = (utf16[i+1] & 4 ? ERR : SURR); |
945 | else |
946 | #if NOREVBOM |
947 | if (((utf16[i+1] & 0xff) == 0xff) |
948 | && ((utf16[i] & 0xfe) == 0xfe)) |
949 | state = ERR; |
950 | else |
951 | size += 3; |
952 | #else |
953 | size += 3; |
954 | #endif |
955 | } else |
956 | if ((utf16[i] & 0x80) || utf16[i+1]) |
957 | size += 2; |
958 | else |
959 | size++; |
960 | break; |
961 | case SURR : |
962 | if ((utf16[i+1] & 0xfc) == 0xdc) { |
963 | state = BASE; |
964 | size += 4; |
965 | } else |
966 | state = ERR; |
967 | break; |
968 | case ERR : |
969 | break; |
970 | } |
971 | } |
972 | if (state != BASE) |
973 | size = 0; |
974 | return (size); |
975 | } |
976 | |
977 | /* |
978 | * Convert a UTF-16LE text to UTF-8 |
979 | * Note : wcstombs() not used because on Linux it fails for characters |
980 | * not present in current locale |
981 | * Returns size or zero for invalid input |
982 | */ |
983 | |
984 | unsigned int makeutf8(char *utf8, const char *utf16, int length) |
985 | { |
986 | int i; |
987 | unsigned int size; |
988 | unsigned int rem; |
989 | enum { BASE, SURR, ERR } state; |
990 | |
991 | size = 0; |
992 | rem = 0; |
993 | state = BASE; |
994 | for (i=0; i<2*length; i+=2) { |
995 | switch (state) { |
996 | case BASE : |
997 | if (utf16[i+1] & 0xf8) { |
998 | if ((utf16[i+1] & 0xf8) == 0xd8) { |
999 | if (utf16[i+1] & 4) |
1000 | state = ERR; |
1001 | else { |
1002 | utf8[size++] = 0xf0 + (utf16[i+1] & 7) |
1003 | + ((utf16[i] & 0xc0) == 0xc0); |
1004 | utf8[size++] = 0x80 + (((utf16[i] + 64) >> 2) & 63); |
1005 | rem = utf16[i] & 3; |
1006 | state = SURR; |
1007 | } |
1008 | } else { |
1009 | #if NOREVBOM |
1010 | if (((utf16[i+1] & 0xff) == 0xff) |
1011 | && ((utf16[i] & 0xfe) == 0xfe)) |
1012 | state = ERR; |
1013 | else { |
1014 | utf8[size++] = 0xe0 + ((utf16[i+1] >> 4) & 15); |
1015 | utf8[size++] = 0x80 |
1016 | + ((utf16[i+1] & 15) << 2) |
1017 | + ((utf16[i] >> 6) & 3); |
1018 | utf8[size++] = 0x80 + (utf16[i] & 63); |
1019 | } |
1020 | #else |
1021 | utf8[size++] = 0xe0 + ((utf16[i+1] >> 4) & 15); |
1022 | utf8[size++] = 0x80 |
1023 | + ((utf16[i+1] & 15) << 2) |
1024 | + ((utf16[i] >> 6) & 3); |
1025 | utf8[size++] = 0x80 + (utf16[i] & 63); |
1026 | #endif |
1027 | } |
1028 | } else |
1029 | if ((utf16[i] & 0x80) || utf16[i+1]) { |
1030 | utf8[size++] = 0xc0 |
1031 | + ((utf16[i+1] & 15) << 2) |
1032 | + ((utf16[i] >> 6) & 3); |
1033 | utf8[size++] = 0x80 + (utf16[i] & 63); |
1034 | } else |
1035 | utf8[size++] = utf16[i]; |
1036 | break; |
1037 | case SURR : |
1038 | if ((utf16[i+1] & 0xfc) == 0xdc) { |
1039 | utf8[size++] = 0x80 + (rem << 4) |
1040 | + ((utf16[i+1] & 3) << 2) |
1041 | + ((utf16[i] >> 6) & 3); |
1042 | utf8[size++] = 0x80 + (utf16[i] & 63); |
1043 | state = BASE; |
1044 | } else |
1045 | state = ERR; |
1046 | break; |
1047 | case ERR : |
1048 | break; |
1049 | } |
1050 | } |
1051 | utf8[size] = 0; |
1052 | if (state != BASE) |
1053 | state = ERR; |
1054 | return (state == ERR ? 0 : size); |
1055 | } |
1056 | |
1057 | #ifdef WIN32 |
1058 | |
1059 | /* |
1060 | * Evaluate the size of UTF-16LE conversion of a UTF-8 text |
1061 | * (basic conversions only) |
1062 | * trailing '\0' not accounted for |
1063 | */ |
1064 | |
1065 | unsigned int utf16size(const char *utf8) |
1066 | { |
1067 | unsigned int size; |
1068 | const char *p; |
1069 | int c; |
1070 | unsigned int code; |
1071 | enum { BASE, TWO, THREE, THREE2, THREE3, FOUR, ERR } state; |
1072 | |
1073 | p = utf8; |
1074 | size = 0; |
1075 | state = BASE; |
1076 | while (*p) { |
1077 | c = *p++ & 255; |
1078 | switch (state) { |
1079 | case BASE : |
1080 | if (!(c & 0x80)) |
1081 | size++; |
1082 | else |
1083 | if (c < 0xc2) |
1084 | state = ERR; |
1085 | else |
1086 | if (c < 0xe0) |
1087 | state = TWO; |
1088 | else |
1089 | if (c < 0xf0) { |
1090 | if (c == 0xe0) |
1091 | state = THREE2; |
1092 | else |
1093 | if (c == 0xed) |
1094 | state = THREE3; |
1095 | else |
1096 | state = THREE; |
1097 | } else |
1098 | if (c < 0xf8) { |
1099 | state = FOUR; |
1100 | code = c & 7; |
1101 | } else |
1102 | state = ERR; |
1103 | break; |
1104 | case TWO : |
1105 | if ((c & 0xc0) != 0x80) |
1106 | state = ERR; |
1107 | else { |
1108 | size++; |
1109 | state = BASE; |
1110 | } |
1111 | break; |
1112 | case THREE : |
1113 | if ((c & 0xc0) != 0x80) |
1114 | state = ERR; |
1115 | else |
1116 | state = TWO; |
1117 | break; |
1118 | case THREE2 : |
1119 | if ((c & 0xe0) != 0xa0) |
1120 | state = ERR; |
1121 | else |
1122 | state = TWO; |
1123 | break; |
1124 | case THREE3 : |
1125 | if ((c & 0xe0) != 0x80) |
1126 | state = ERR; |
1127 | else |
1128 | state = TWO; |
1129 | break; |
1130 | case FOUR : |
1131 | if ((((code << 6) + (c & 63)) > 0x10f) |
1132 | || (((code << 6) + (c & 63)) < 0x10)) |
1133 | state = ERR; |
1134 | else { |
1135 | size++; |
1136 | state = THREE; |
1137 | } |
1138 | break; |
1139 | case ERR : |
1140 | break; |
1141 | } |
1142 | } |
1143 | if (state != BASE) size = 0; |
1144 | return (size); |
1145 | } |
1146 | |
1147 | /* |
1148 | * Convert a UTF8 text to UTF-16LE |
1149 | * (basic conversions only) |
1150 | * Note : mbstowcs() not used because on Linux it fails for characters |
1151 | * not present in current locale |
1152 | */ |
1153 | |
1154 | unsigned int makeutf16(char *target, const char *utf8) |
1155 | { |
1156 | unsigned int size; |
1157 | unsigned int code; |
1158 | const char *p; |
1159 | int c; |
1160 | enum { BASE, TWO, THREE, THREE2, THREE3, FOUR, FOUR2, FOUR3, ERR } state; |
1161 | |
1162 | p = utf8; |
1163 | size = 0; |
1164 | c = 0; |
1165 | state = BASE; |
1166 | while (*p) { |
1167 | c = *p++ & 255; |
1168 | switch (state) { |
1169 | case BASE : |
1170 | if (!(c & 0x80)) { |
1171 | target[2*size] = c; |
1172 | target[2*size + 1] = 0; |
1173 | size++; |
1174 | } else { |
1175 | if (c < 0xc2) |
1176 | state = ERR; |
1177 | else |
1178 | if (c < 0xe0) { |
1179 | code = c & 31; |
1180 | state = TWO; |
1181 | } else |
1182 | if (c < 0xf0) { |
1183 | code = c & 15; |
1184 | if (c == 0xe0) |
1185 | state = THREE2; |
1186 | else |
1187 | if (c == 0xed) |
1188 | state = THREE3; |
1189 | else |
1190 | state = THREE; |
1191 | } else |
1192 | if (c < 0xf8) { |
1193 | code = c & 7; |
1194 | state = FOUR; |
1195 | } else |
1196 | state = ERR; |
1197 | } |
1198 | break; |
1199 | case TWO : |
1200 | #if NOREVBOM |
1201 | if (((c & 0xc0) != 0x80) |
1202 | || ((code == 0x3ff) && (c >= 0xbe))) |
1203 | #else |
1204 | if ((c & 0xc0) != 0x80) |
1205 | #endif |
1206 | state = ERR; |
1207 | else { |
1208 | target[2*size] = ((code & 3) << 6) + (c & 63); |
1209 | target[2*size + 1] = ((code >> 2) & 255); |
1210 | size++; |
1211 | state = BASE; |
1212 | } |
1213 | break; |
1214 | case THREE : |
1215 | if ((c & 0xc0) != 0x80) |
1216 | state = ERR; |
1217 | else { |
1218 | code = ((code & 15) << 6) + (c & 63); |
1219 | state = TWO; |
1220 | } |
1221 | break; |
1222 | case THREE2 : |
1223 | if ((c & 0xe0) != 0xa0) |
1224 | state = ERR; |
1225 | else { |
1226 | code = ((code & 15) << 6) + (c & 63); |
1227 | state = TWO; |
1228 | } |
1229 | break; |
1230 | case THREE3 : |
1231 | if ((c & 0xe0) != 0x80) |
1232 | state = ERR; |
1233 | else { |
1234 | code = ((code & 15) << 6) + (c & 63); |
1235 | state = TWO; |
1236 | } |
1237 | break; |
1238 | case FOUR : |
1239 | if ((c & 0xc0) != 0x80) |
1240 | state = ERR; |
1241 | else { |
1242 | code = (code << 6) + (c & 63); |
1243 | state = FOUR2; |
1244 | } |
1245 | break; |
1246 | case FOUR2 : |
1247 | if ((c & 0xc0) != 0x80) |
1248 | state = ERR; |
1249 | else { |
1250 | code = (code << 6) + (c & 63); |
1251 | state = FOUR3; |
1252 | } |
1253 | break; |
1254 | case FOUR3 : |
1255 | if ((code > 0x43ff) |
1256 | || (code < 0x400) |
1257 | || ((c & 0xc0) != 0x80)) |
1258 | state = ERR; |
1259 | else { |
1260 | target[2*size] = ((code - 0x400) >> 4) & 255; |
1261 | target[2*size+1] = 0xd8 + (((code - 0x400) >> 12) & 3); |
1262 | target[2*size+2] = ((code & 3) << 6) + (c & 63); |
1263 | target[2*size+3] = 0xdc + ((code >> 2) & 3); |
1264 | size += 2; |
1265 | state = BASE; |
1266 | } |
1267 | break; |
1268 | case ERR : |
1269 | break; |
1270 | } |
1271 | } |
1272 | if (state != BASE) |
1273 | size = 0; |
1274 | target[2*size] = 0; |
1275 | target[2*size + 1] = 0; |
1276 | return (size); |
1277 | } |
1278 | |
1279 | unsigned int utf16len(const char *str) |
1280 | { |
1281 | unsigned int len; |
1282 | |
1283 | len = 0; |
1284 | while (str[2*len] || str[2*len+1]) len++; |
1285 | return (len); |
1286 | } |
1287 | |
1288 | #endif |
1289 | |
1290 | /* |
1291 | * Print a file name |
1292 | * on Windows it prints UTF-16LE names as UTF-8 |
1293 | */ |
1294 | |
1295 | void printname(FILE *file, const char *name) |
1296 | { |
1297 | #ifdef WIN32 |
1298 | char utf8name[MAXFILENAME]; |
1299 | |
1300 | makeutf8(utf8name,name,utf16len(name)); |
1301 | fprintf(file,"%s",utf8name); |
1302 | #else |
1303 | fprintf(file,"%s",name); |
1304 | #endif |
1305 | } |
1306 | |
1307 | /* |
1308 | * Print the last error code |
1309 | */ |
1310 | |
1311 | void printerror(FILE *file) |
1312 | { |
1313 | #ifdef WIN32 |
1314 | int err; |
1315 | const char *txt; |
1316 | |
1317 | err = GetLastError(); |
1318 | switch (err) { |
1319 | case 5 : |
1320 | txt = "Access to security descriptor was denied"; |
1321 | break; |
1322 | case 1307 : |
1323 | txt = "This SID may not be assigned as the owner of this object"; |
1324 | break; |
1325 | case 1308 : |
1326 | txt = "This SID may not be assigned as the group of this object"; |
1327 | break; |
1328 | case 1314 : |
1329 | txt = "You do not have the privilege to change this SID"; |
1330 | break; |
1331 | default : |
1332 | txt = (const char*)NULL; |
1333 | break; |
1334 | } |
1335 | if (txt) |
1336 | fprintf(file,"Error %d : %s\n",err,txt); |
1337 | else |
1338 | fprintf(file,"Error %d\n",err); |
1339 | #else |
1340 | #ifdef STSC |
1341 | if (errno) fprintf(file,"Error code %d\n",errno); |
1342 | #else |
1343 | if (errno) fprintf(file,"Error code %d : %s\n",errno,strerror(errno)); |
1344 | #endif |
1345 | #endif |
1346 | } |
1347 | |
1348 | #ifndef HAVE_SYSLOG_H |
1349 | |
1350 | /* |
1351 | * Redefine early error messages in stand-alone situations |
1352 | */ |
1353 | |
1354 | void ntfs_log_early_error(const char *format, ...) |
1355 | { |
1356 | va_list args; |
1357 | |
1358 | va_start(args, format); |
1359 | vfprintf(stderr,format,args); |
1360 | va_end(args); |
1361 | } |
1362 | |
1363 | #endif |
1364 | |
1365 | /* |
1366 | * Guess whether a security attribute is intended for a directory |
1367 | * based on the presence of inheritable ACE |
1368 | * (not 100% reliable) |
1369 | */ |
1370 | |
1371 | BOOL guess_dir(const char *attr) |
1372 | { |
1373 | int off; |
1374 | int isdir; |
1375 | int cnt; |
1376 | int i; |
1377 | int x; |
1378 | |
1379 | isdir = 0; |
1380 | off = get4l(attr,16); |
1381 | if (off) { |
1382 | cnt = get2l(attr,off+4); |
1383 | x = 8; |
1384 | for (i=0; i<cnt; i++) { |
1385 | if (attr[off + x + 1] & 3) |
1386 | isdir = 1; |
1387 | x += get2l(attr,off + x + 2); |
1388 | } |
1389 | } |
1390 | return (isdir); |
1391 | } |
1392 | |
1393 | /* |
1394 | * Display a SID |
1395 | * See http://msdn2.microsoft.com/en-us/library/aa379649.aspx |
1396 | */ |
1397 | |
1398 | void showsid(const char *attr, int off, const char *prefix, int level) |
1399 | { |
1400 | int cnt; |
1401 | int i; |
1402 | BOOL known; |
1403 | u64 auth; |
1404 | unsigned long first; |
1405 | unsigned long second; |
1406 | unsigned long last; |
1407 | char marker; |
1408 | |
1409 | if (opt_b) |
1410 | marker = '#'; |
1411 | else |
1412 | marker = ' '; |
1413 | cnt = attr[off+1] & 255; |
1414 | auth = get6h(attr,off+2); |
1415 | first = get4l(attr,off+8); |
1416 | known = FALSE; |
1417 | if ((attr[off] == 1) /* revision */ |
1418 | && (auth < 100)) |
1419 | switch (cnt) { |
1420 | case 0 : /* no level (error) */ |
1421 | break; |
1422 | case 1 : /* single level */ |
1423 | switch (auth) { |
1424 | case 0 : |
1425 | if (first == 0) { |
1426 | known = TRUE; |
1427 | printf("%*cNull SID\n",-level,marker); |
1428 | } |
1429 | break; |
1430 | case 1 : |
1431 | if (first == 0) { |
1432 | known = TRUE; |
1433 | printf("%*cWorld SID\n",-level,marker); |
1434 | } |
1435 | break; |
1436 | case 3 : |
1437 | switch (first) { |
1438 | case 0 : |
1439 | known = TRUE; |
1440 | printf("%*cCreator owner SID\n",-level,marker); |
1441 | break; |
1442 | case 1 : |
1443 | known = TRUE; |
1444 | printf("%*cCreator group SID\n",-level,marker); |
1445 | break; |
1446 | } |
1447 | break; |
1448 | case 5 : |
1449 | switch (first) { |
1450 | case 7 : |
1451 | known = TRUE; |
1452 | printf("%*cAnonymous logon SID\n",-level,marker); |
1453 | break; |
1454 | case 11 : |
1455 | known = TRUE; |
1456 | printf("%*cAuthenticated user SID\n",-level,marker); |
1457 | break; |
1458 | case 13 : |
1459 | known = TRUE; |
1460 | printf("%*cLocal service SID\n",-level,marker); |
1461 | break; |
1462 | case 14 : |
1463 | known = TRUE; |
1464 | printf("%*cNetwork service SID\n",-level,marker); |
1465 | break; |
1466 | case 18 : |
1467 | known = TRUE; |
1468 | printf("%*cNT System SID\n",-level,marker); |
1469 | break; |
1470 | } |
1471 | break; |
1472 | } |
1473 | break; |
1474 | case 2 : /* double level */ |
1475 | second = get4l(attr,off+12); |
1476 | switch (auth) { |
1477 | case 5 : |
1478 | if (first == 32) { |
1479 | known = TRUE; |
1480 | switch (second) { |
1481 | case 544 : |
1482 | printf("%*cLocal admins SID\n",-level,marker); |
1483 | break; |
1484 | case 545 : |
1485 | printf("%*cLocal users SID\n",-level,marker); |
1486 | break; |
1487 | case 546 : |
1488 | printf("%*cLocal guests SID\n",-level,marker); |
1489 | break; |
1490 | default : |
1491 | printf("%*cSome domain SID\n",-level,marker); |
1492 | break; |
1493 | } |
1494 | } |
1495 | break; |
1496 | } |
1497 | default : /* three levels or more */ |
1498 | second = get4l(attr,off+12); |
1499 | last = get4l(attr,off+4+4*cnt); |
1500 | switch (auth) { |
1501 | case 5 : |
1502 | if (first == 21) { |
1503 | known = TRUE; |
1504 | switch (last) |
1505 | { |
1506 | case 512 : |
1507 | printf("%*cLocal admins SID\n",-level,marker); |
1508 | break; |
1509 | case 513 : |
1510 | printf("%*cLocal users SID\n",-level,marker); |
1511 | break; |
1512 | case 514 : |
1513 | printf("%*cLocal guests SID\n",-level,marker); |
1514 | break; |
1515 | default : |
1516 | printf("%*cLocal user-%lu SID\n",-level,marker,last); |
1517 | break; |
1518 | } |
1519 | } |
1520 | break; |
1521 | } |
1522 | } |
1523 | if (!known) |
1524 | printf("%*cUnknown SID\n",-level,marker); |
1525 | printf("%*c%shex S-%d-",-level,marker,prefix,attr[off] & 255); |
1526 | printf("%llx",auth); |
1527 | for (i=0; i<cnt; i++) |
1528 | printf("-%lx",get4l(attr,off+8+4*i)); |
1529 | printf("\n"); |
1530 | printf("%*c%sdec S-%d-",-level,marker,prefix,attr[off] & 255); |
1531 | printf("%llu",auth); |
1532 | for (i=0; i<cnt; i++) |
1533 | printf("-%lu",get4l(attr,off+8+4*i)); |
1534 | printf("\n"); |
1535 | } |
1536 | |
1537 | void showusid(const char *attr, int level) |
1538 | { |
1539 | int off; |
1540 | char marker; |
1541 | |
1542 | if (opt_b) |
1543 | marker = '#'; |
1544 | else |
1545 | marker = ' '; |
1546 | if (level) |
1547 | printf("%*c",-level,marker); |
1548 | printf("Owner SID\n"); |
1549 | off = get4l(attr,4); |
1550 | showsid(attr,off,"O:",level+4); |
1551 | } |
1552 | |
1553 | void showgsid(const char *attr, int level) |
1554 | { |
1555 | int off; |
1556 | char marker; |
1557 | |
1558 | if (opt_b) |
1559 | marker = '#'; |
1560 | else |
1561 | marker = ' '; |
1562 | if (level) |
1563 | printf("%*c",-level,marker); |
1564 | printf("Group SID\n"); |
1565 | off = get4l(attr,8); |
1566 | showsid(attr,off,"G:",level+4); |
1567 | } |
1568 | |
1569 | void showheader(const char *attr, int level) |
1570 | { |
1571 | int flags; |
1572 | char marker; |
1573 | |
1574 | if (opt_b) |
1575 | marker = '#'; |
1576 | else |
1577 | marker = ' '; |
1578 | if (level) |
1579 | printf("%*c",-level,marker); |
1580 | printf("Global header\n"); |
1581 | printf("%*crevision %d\n",-level-4,marker,attr[0]); |
1582 | flags = get2l(attr,2); |
1583 | printf("%*cflags 0x%x\n",-level-4,marker,flags); |
1584 | if (flags & 1) |
1585 | printf("%*c owner is defaulted\n",-level-4,marker); |
1586 | if (flags & 2) |
1587 | printf("%*c group is defaulted\n",-level-4,marker); |
1588 | if (flags & 4) |
1589 | printf("%*c DACL present\n",-level-4,marker); |
1590 | if (flags & 8) |
1591 | printf("%*c DACL is defaulted\n",-level-4,marker); |
1592 | if (flags & 0x10) |
1593 | printf("%*c SACL present\n",-level-4,marker); |
1594 | if (flags & 0x20) |
1595 | printf("%*c SACL is defaulted\n",-level-4,marker); |
1596 | if (flags & 0x100) |
1597 | printf("%*c DACL inheritance is requested\n",-level-4,marker); |
1598 | if (flags & 0x200) |
1599 | printf("%*c SACL inheritance is requested\n",-level-4,marker); |
1600 | if (flags & 0x400) |
1601 | printf("%*c DACL was inherited automatically\n",-level-4,marker); |
1602 | if (flags & 0x800) |
1603 | printf("%*c SACL was inherited automatically\n",-level-4,marker); |
1604 | if (flags & 0x1000) |
1605 | printf("%*c DACL cannot be modified by inheritable ACEs\n",-level-4,marker); |
1606 | if (flags & 0x2000) |
1607 | printf("%*c SACL cannot be modified by inheritable ACEs\n",-level-4,marker); |
1608 | if (flags & 0x8000) |
1609 | printf("%*c self relative descriptor\n",-level-4,marker); |
1610 | if (flags & 0x43eb) |
1611 | printf("%*c unknown flags 0x%x present\n",-level-4,marker, |
1612 | flags & 0x43eb); |
1613 | printf("%*cOff USID 0x%x\n",-level-4,marker,(int)get4l(attr,4)); |
1614 | printf("%*cOff GSID 0x%x\n",-level-4,marker,(int)get4l(attr,8)); |
1615 | printf("%*cOff SACL 0x%x\n",-level-4,marker,(int)get4l(attr,12)); |
1616 | printf("%*cOff DACL 0x%x\n",-level-4,marker,(int)get4l(attr,16)); |
1617 | } |
1618 | |
1619 | void showace(const char *attr, int off, int isdir, int level) |
1620 | { |
1621 | int flags; |
1622 | u32 rights; |
1623 | char marker; |
1624 | |
1625 | if (opt_b) |
1626 | marker = '#'; |
1627 | else |
1628 | marker = ' '; |
1629 | printf("%*ctype %d\n",-level,marker,attr[off]); |
1630 | switch (attr[off]) { |
1631 | case 0 : |
1632 | printf("%*cAccess allowed\n",-level-4,marker); |
1633 | break; |
1634 | case 1 : |
1635 | printf("%*cAccess denied\n",-level-4,marker); |
1636 | break; |
1637 | case 2 : |
1638 | printf("%*cSystem audit\n",-level-4,marker); |
1639 | break; |
1640 | default : |
1641 | printf("%*cunknown\n",-level-4,marker); |
1642 | break; |
1643 | } |
1644 | flags = attr[off+1] & 255; |
1645 | printf("%*cflags 0x%x\n",-level,marker,flags); |
1646 | if (flags & 1) |
1647 | printf("%*cObject inherits ACE\n",-level-4,marker); |
1648 | if (flags & 2) |
1649 | printf("%*cContainer inherits ACE\n",-level-4,marker); |
1650 | if (flags & 4) |
1651 | printf("%*cDon\'t propagate inherits ACE\n",-level-4,marker); |
1652 | if (flags & 8) |
1653 | printf("%*cInherit only ACE\n",-level-4,marker); |
1654 | if (flags & 0x10) |
1655 | printf("%*cACE was inherited\n",-level-4,marker); |
1656 | if (flags & 0x40) |
1657 | printf("%*cAudit on success\n",-level-4,marker); |
1658 | if (flags & 0x80) |
1659 | printf("%*cAudit on failure\n",-level-4,marker); |
1660 | |
1661 | printf("%*cSize 0x%x\n",-level,marker,get2l(attr,off+2)); |
1662 | |
1663 | rights = get4l(attr,off+4); |
1664 | printf("%*cAcc rgts 0x%lx\n",-level,marker,(long)rights); |
1665 | printf("%*cObj specific acc rgts 0x%lx\n",-level-4,marker,(long)rights & 65535); |
1666 | if (isdir) /* a directory */ { |
1667 | if (rights & 0x01) |
1668 | printf("%*cList directory\n",-level-8,marker); |
1669 | if (rights & 0x02) |
1670 | printf("%*cAdd file\n",-level-8,marker); |
1671 | if (rights & 0x04) |
1672 | printf("%*cAdd subdirectory\n",-level-8,marker); |
1673 | if (rights & 0x08) |
1674 | printf("%*cRead EA\n",-level-8,marker); |
1675 | if (rights & 0x10) |
1676 | printf("%*cWrite EA\n",-level-8,marker); |
1677 | if (rights & 0x20) |
1678 | printf("%*cTraverse\n",-level-8,marker); |
1679 | if (rights & 0x40) |
1680 | printf("%*cDelete child\n",-level-8,marker); |
1681 | if (rights & 0x80) |
1682 | printf("%*cRead attributes\n",-level-8,marker); |
1683 | if (rights & 0x100) |
1684 | printf("%*cWrite attributes\n",-level-8,marker); |
1685 | } |
1686 | else { |
1687 | /* see FILE_READ_DATA etc in winnt.h */ |
1688 | if (rights & 0x01) |
1689 | printf("%*cRead data\n",-level-8,marker); |
1690 | if (rights & 0x02) |
1691 | printf("%*cWrite data\n",-level-8,marker); |
1692 | if (rights & 0x04) |
1693 | printf("%*cAppend data\n",-level-8,marker); |
1694 | if (rights & 0x08) |
1695 | printf("%*cRead EA\n",-level-8,marker); |
1696 | if (rights & 0x10) |
1697 | printf("%*cWrite EA\n",-level-8,marker); |
1698 | if (rights & 0x20) |
1699 | printf("%*cExecute\n",-level-8,marker); |
1700 | if (rights & 0x80) |
1701 | printf("%*cRead attributes\n",-level-8,marker); |
1702 | if (rights & 0x100) |
1703 | printf("%*cWrite attributes\n",-level-8,marker); |
1704 | } |
1705 | printf("%*cstandard acc rgts 0x%lx\n",-level-4,marker,(long)(rights >> 16) & 127); |
1706 | if (rights & 0x10000) |
1707 | printf("%*cDelete\n",-level-8,marker); |
1708 | if (rights & 0x20000) |
1709 | printf("%*cRead control\n",-level-8,marker); |
1710 | if (rights & 0x40000) |
1711 | printf("%*cWrite DAC\n",-level-8,marker); |
1712 | if (rights & 0x80000) |
1713 | printf("%*cWrite owner\n",-level-8,marker); |
1714 | if (rights & 0x100000) |
1715 | printf("%*cSynchronize\n",-level-8,marker); |
1716 | if (rights & 0x800000) |
1717 | printf("%*cCan access security ACL\n",-level-4,marker); |
1718 | if (rights & 0x10000000) |
1719 | printf("%*cGeneric all\n",-level-4,marker); |
1720 | if (rights & 0x20000000) |
1721 | printf("%*cGeneric execute\n",-level-4,marker); |
1722 | if (rights & 0x40000000) |
1723 | printf("%*cGeneric write\n",-level-4,marker); |
1724 | if (rights & 0x80000000) |
1725 | printf("%*cGeneric read\n",-level-4,marker); |
1726 | |
1727 | printf("%*cSID at 0x%x\n",-level,marker,off+8); |
1728 | showsid(attr,off+8,"",level+4); |
1729 | printf("%*cSummary :",-level,marker); |
1730 | if (attr[off] == 0) |
1731 | printf(" grant"); |
1732 | if (attr[off] == 1) |
1733 | printf(" deny"); |
1734 | if (rights & le32_to_cpu(FILE_GREAD | FILE_GWRITE | FILE_GEXEC)) { |
1735 | printf(" "); |
1736 | if (rights & le32_to_cpu(FILE_GREAD)) |
1737 | printf("r"); |
1738 | if (rights & le32_to_cpu(FILE_GWRITE)) |
1739 | printf("w"); |
1740 | if (rights & le32_to_cpu(FILE_GEXEC)) |
1741 | printf("x"); |
1742 | } else |
1743 | printf(" none"); |
1744 | if (flags & 11) |
1745 | printf(" inherited"); |
1746 | if (!(flags & 8)) { |
1747 | int sz; |
1748 | |
1749 | printf(" applied"); |
1750 | sz = attr[off+9]*4 + 8; |
1751 | if (!memcmp(&attr[off+8],&attr[get4l(attr,4)],sz)) |
1752 | printf(" to owner"); |
1753 | if (!memcmp(&attr[off+8],&attr[get4l(attr,8)],sz)) |
1754 | printf(" to group"); |
1755 | } |
1756 | printf("\n"); |
1757 | |
1758 | } |
1759 | |
1760 | void showacl(const char *attr, int off, int isdir, int level) |
1761 | { |
1762 | int i; |
1763 | int cnt; |
1764 | int size; |
1765 | int x; |
1766 | char marker; |
1767 | |
1768 | if (opt_b) |
1769 | marker = '#'; |
1770 | else |
1771 | marker = ' '; |
1772 | size = get2l(attr,off+2); |
1773 | printf("%*crevision %d\n",-level,marker,attr[off]); |
1774 | printf("%*cACL size %d\n",-level,marker,size); |
1775 | cnt = get2l(attr,off+4); |
1776 | printf("%*cACE cnt %d\n",-level,marker,cnt); |
1777 | x = 8; |
1778 | for (i=0; (i<cnt) && (x < size); i++) { |
1779 | printf("%*cACE %d at 0x%x\n",-level,marker,i + 1,off+x); |
1780 | showace(attr,off + x,isdir,level+4); |
1781 | x += get2l(attr,off + x + 2); |
1782 | } |
1783 | } |
1784 | |
1785 | void showdacl(const char *attr, int isdir, int level) |
1786 | { |
1787 | int off; |
1788 | char marker; |
1789 | |
1790 | if (opt_b) |
1791 | marker = '#'; |
1792 | else |
1793 | marker = ' '; |
1794 | off = get4l(attr,16); |
1795 | if (off) { |
1796 | if (level) |
1797 | printf("%*c",-level,marker); |
1798 | printf("DACL\n"); |
1799 | showacl(attr,off,isdir,level+4); |
1800 | } else { |
1801 | if (level) |
1802 | printf("%*c",-level,marker); |
1803 | printf("No DACL\n"); |
1804 | } |
1805 | } |
1806 | |
1807 | void showsacl(const char *attr, int isdir, int level) |
1808 | { |
1809 | int off; |
1810 | char marker; |
1811 | |
1812 | if (opt_b) |
1813 | marker = '#'; |
1814 | else |
1815 | marker = ' '; |
1816 | off = get4l(attr,12); |
1817 | if (off) { |
1818 | if (level) |
1819 | printf("%*c",-level,marker); |
1820 | printf("SACL\n"); |
1821 | showacl(attr,off,isdir,level+4); |
1822 | } |
1823 | else { |
1824 | if (level) |
1825 | printf("%*c",-level,marker); |
1826 | printf("No SACL\n"); |
1827 | } |
1828 | } |
1829 | |
1830 | void showall(const char *attr, int level) |
1831 | { |
1832 | BOOL isdir; |
1833 | |
1834 | isdir = guess_dir(attr); |
1835 | showheader(attr,level); |
1836 | showusid(attr,level); |
1837 | showgsid(attr,level); |
1838 | showdacl(attr,isdir,level); |
1839 | showsacl(attr,isdir,level); |
1840 | } |
1841 | |
1842 | #if POSIXACLS |
1843 | /* |
1844 | * Display a Posix descriptor |
1845 | */ |
1846 | |
1847 | void showposix(const struct POSIX_SECURITY *pxdesc) |
1848 | { |
1849 | char txperm[4]; |
1850 | const char *txtag; |
1851 | const char *txtype; |
1852 | const struct POSIX_ACL *acl; |
1853 | const struct POSIX_ACE *pxace; |
1854 | int acccnt; |
1855 | int defcnt; |
1856 | int firstdef; |
1857 | int perms; |
1858 | u16 tag; |
1859 | s32 id; |
1860 | int k,l; |
1861 | |
1862 | if (pxdesc) { |
1863 | acccnt = pxdesc->acccnt; |
1864 | defcnt = pxdesc->defcnt; |
1865 | firstdef = pxdesc->firstdef; |
1866 | acl = &pxdesc->acl; |
1867 | printf("Posix descriptor :\n"); |
1868 | printf(" acccnt %d\n",acccnt); |
1869 | printf(" defcnt %d\n",defcnt); |
1870 | printf(" firstdef %d\n",firstdef); |
1871 | printf(" mode : 0%03o\n",(int)pxdesc->mode); |
1872 | printf(" tagsset : 0x%02x\n",(int)pxdesc->tagsset); |
1873 | printf("Posix ACL :\n"); |
1874 | printf(" version %d\n",(int)acl->version); |
1875 | printf(" flags 0x%02x\n",(int)acl->flags); |
1876 | for (k=0; k<(acccnt + defcnt); k++) { |
1877 | if (k < acccnt) |
1878 | l = k; |
1879 | else |
1880 | l = firstdef + k - acccnt; |
1881 | pxace = &acl->ace[l]; |
1882 | tag = pxace->tag; |
1883 | perms = pxace->perms; |
1884 | if (tag == POSIX_ACL_SPECIAL) { |
1885 | txperm[0] = (perms & S_ISVTX ? 's' : '-'); |
1886 | txperm[1] = (perms & S_ISUID ? 'u' : '-'); |
1887 | txperm[2] = (perms & S_ISGID ? 'g' : '-'); |
1888 | } else { |
1889 | txperm[0] = (perms & 4 ? 'r' : '-'); |
1890 | txperm[1] = (perms & 2 ? 'w' : '-'); |
1891 | txperm[2] = (perms & 1 ? 'x' : '-'); |
1892 | } |
1893 | txperm[3] = 0; |
1894 | if (k >= acccnt) |
1895 | txtype = "default"; |
1896 | else |
1897 | txtype = "access "; |
1898 | switch (tag) { |
1899 | case POSIX_ACL_USER : |
1900 | txtag = "USER "; |
1901 | break; |
1902 | case POSIX_ACL_USER_OBJ : |
1903 | txtag = "USR-O"; |
1904 | break; |
1905 | case POSIX_ACL_GROUP : |
1906 | txtag = "GROUP"; |
1907 | break; |
1908 | case POSIX_ACL_GROUP_OBJ : |
1909 | txtag = "GRP-O"; |
1910 | break; |
1911 | case POSIX_ACL_MASK : |
1912 | txtag = "MASK "; |
1913 | break; |
1914 | case POSIX_ACL_OTHER : |
1915 | txtag = "OTHER"; |
1916 | break; |
1917 | case POSIX_ACL_SPECIAL : |
1918 | txtag = "SPECL"; |
1919 | break; |
1920 | default : |
1921 | txtag = "UNKWN"; |
1922 | break; |
1923 | } |
1924 | id = pxace->id; |
1925 | printf("ace %d : %s %s %4ld perms 0%03o %s\n", |
1926 | l,txtype,txtag,(long)id, |
1927 | perms,txperm); |
1928 | } |
1929 | } else |
1930 | printf("** NULL ACL\n"); |
1931 | } |
1932 | |
1933 | #endif /* POSIXACLS */ |
1934 | |
1935 | #if defined(WIN32) | defined(STSC) |
1936 | |
1937 | #else |
1938 | |
1939 | /* |
1940 | * Relay to get usid as defined during mounting |
1941 | */ |
1942 | |
1943 | const SID *relay_find_usid(const struct MAPPING *usermapping __attribute__((unused)), |
1944 | uid_t uid, SID *defusid) |
1945 | { |
1946 | return (ntfs_get_usid(ntfs_context,uid,(char*)defusid) ? |
1947 | defusid : (SID*)NULL); |
1948 | } |
1949 | |
1950 | /* |
1951 | * Relay to get gsid as defined during mounting |
1952 | */ |
1953 | |
1954 | const SID *relay_find_gsid(const struct MAPPING *groupmapping __attribute__((unused)), |
1955 | uid_t gid, SID *defgsid) |
1956 | { |
1957 | return (ntfs_get_usid(ntfs_context,gid,(char*)defgsid) ? |
1958 | defgsid : (SID*)NULL); |
1959 | } |
1960 | |
1961 | /* |
1962 | * Relay to get uid as defined during mounting |
1963 | */ |
1964 | |
1965 | uid_t relay_find_user(const struct MAPPING *mapping __attribute__((unused)), |
1966 | const SID *usid) |
1967 | { |
1968 | int uid; |
1969 | |
1970 | uid = ntfs_get_user(ntfs_context,(const char*)usid); |
1971 | return (uid < 0 ? 0 : uid); |
1972 | } |
1973 | |
1974 | /* |
1975 | * Relay to get gid as defined during mounting |
1976 | */ |
1977 | |
1978 | gid_t relay_find_group(const struct MAPPING *mapping __attribute__((unused)), |
1979 | const SID *gsid) |
1980 | { |
1981 | int gid; |
1982 | |
1983 | gid = ntfs_get_group(ntfs_context,(const char*)gsid); |
1984 | return (gid < 0 ? 0 : gid); |
1985 | } |
1986 | |
1987 | #endif |
1988 | |
1989 | #if defined(WIN32) | defined(STSC) |
1990 | |
1991 | /* |
1992 | * Dummy get uid from user name, out of a Linux environment |
1993 | */ |
1994 | |
1995 | struct passwd *getpwnam(const char *user) |
1996 | { |
1997 | ntfs_log_error("Cannot interpret id \"%s\"", user); |
1998 | ntfs_log_error("please use numeric uids in UserMapping file\n"); |
1999 | return ((struct passwd*)NULL); |
2000 | } |
2001 | |
2002 | /* |
2003 | * Dummy get gid from group name, out of a Linux environment |
2004 | */ |
2005 | |
2006 | struct group *getgrnam(const char *group) |
2007 | { |
2008 | ntfs_log_error("Cannot interpret id \"%s\"", group); |
2009 | ntfs_log_error("please use numeric gids in UserMapping file\n"); |
2010 | return ((struct group*)NULL); |
2011 | } |
2012 | |
2013 | #endif /* defined(WIN32) | defined(STSC) */ |
2014 | |
2015 | #if POSIXACLS |
2016 | |
2017 | struct POSIX_SECURITY *linux_permissions_posix(const char *attr, BOOL isdir) |
2018 | { |
2019 | const SECURITY_DESCRIPTOR_RELATIVE *phead; |
2020 | #if OWNERFROMACL |
2021 | const SID *osid; |
2022 | #endif |
2023 | const SID *usid; |
2024 | const SID *gsid; |
2025 | struct POSIX_SECURITY *posix_desc; |
2026 | |
2027 | phead = (const SECURITY_DESCRIPTOR_RELATIVE*)attr; |
2028 | gsid = (const SID*)&attr[le32_to_cpu(phead->group)]; |
2029 | #if OWNERFROMACL |
2030 | osid = (const SID*)&attr[le32_to_cpu(phead->owner)]; |
2031 | usid = ntfs_acl_owner((const char*)attr); |
2032 | #if SELFTESTS & !USESTUBS |
2033 | if (!opt_t && !ntfs_same_sid(usid,osid)) |
2034 | printf("== Linux owner is different from Windows owner\n"); |
2035 | #else |
2036 | if (!ntfs_same_sid(usid,osid)) |
2037 | printf("== Linux owner is different from Windows owner\n"); |
2038 | #endif |
2039 | #else |
2040 | usid = (const SID*)&attr[le32_to_cpu(phead->owner)]; |
2041 | #endif |
2042 | posix_desc = ntfs_build_permissions_posix(context.mapping, |
2043 | (const char*)attr, usid, gsid, isdir); |
2044 | if (!posix_desc) { |
2045 | printf("** Failed to build a Posix descriptor\n"); |
2046 | errors++; |
2047 | } |
2048 | return (posix_desc); |
2049 | } |
2050 | |
2051 | #endif /* POSIXACLS */ |
2052 | |
2053 | int linux_permissions(const char *attr, BOOL isdir) |
2054 | { |
2055 | const SECURITY_DESCRIPTOR_RELATIVE *phead; |
2056 | #if OWNERFROMACL |
2057 | const SID *osid; |
2058 | #endif |
2059 | const SID *usid; |
2060 | const SID *gsid; |
2061 | int perm; |
2062 | |
2063 | phead = (const SECURITY_DESCRIPTOR_RELATIVE*)attr; |
2064 | gsid = (const SID*)&attr[le32_to_cpu(phead->group)]; |
2065 | #if OWNERFROMACL |
2066 | osid = (const SID*)&attr[le32_to_cpu(phead->owner)]; |
2067 | usid = ntfs_acl_owner((const char*)attr); |
2068 | #if SELFTESTS & !USESTUBS |
2069 | if (!opt_t && !ntfs_same_sid(usid,osid)) |
2070 | printf("== Linux owner is different from Windows owner\n"); |
2071 | #else |
2072 | if (!ntfs_same_sid(usid,osid)) |
2073 | printf("== Linux owner is different from Windows owner\n"); |
2074 | #endif |
2075 | #else |
2076 | usid = (const SID*)&attr[le32_to_cpu(phead->owner)]; |
2077 | #endif |
2078 | perm = ntfs_build_permissions((const char*)attr, usid, gsid, isdir); |
2079 | if (perm < 0) { |
2080 | printf("** Failed to build permissions\n"); |
2081 | errors++; |
2082 | } |
2083 | return (perm); |
2084 | } |
2085 | |
2086 | uid_t linux_owner(const char *attr) |
2087 | { |
2088 | const SID *usid; |
2089 | uid_t uid; |
2090 | |
2091 | #if OWNERFROMACL |
2092 | usid = ntfs_acl_owner((const char*)attr); |
2093 | #else |
2094 | const SECURITY_DESCRIPTOR_RELATIVE *phead; |
2095 | |
2096 | phead = (const SECURITY_DESCRIPTOR_RELATIVE*)attr; |
2097 | usid = (const SID*)&attr[le32_to_cpu(phead->owner)]; |
2098 | #endif |
2099 | #if defined(WIN32) | defined(STSC) |
2100 | uid = ntfs_find_user(context.mapping[MAPUSERS],usid); |
2101 | #else |
2102 | if (mappingtype == MAPEXTERN) |
2103 | uid = relay_find_user(context.mapping[MAPUSERS],usid); |
2104 | else |
2105 | uid = ntfs_find_user(context.mapping[MAPUSERS],usid); |
2106 | #endif |
2107 | return (uid); |
2108 | } |
2109 | |
2110 | gid_t linux_group(const char *attr) |
2111 | { |
2112 | const SECURITY_DESCRIPTOR_RELATIVE *phead; |
2113 | const SID *gsid; |
2114 | gid_t gid; |
2115 | |
2116 | phead = (const SECURITY_DESCRIPTOR_RELATIVE*)attr; |
2117 | gsid = (const SID*)&attr[le32_to_cpu(phead->group)]; |
2118 | #if defined(WIN32) | defined(STSC) |
2119 | gid = ntfs_find_group(context.mapping[MAPGROUPS],gsid); |
2120 | #else |
2121 | if (mappingtype == MAPEXTERN) |
2122 | gid = relay_find_group(context.mapping[MAPGROUPS],gsid); |
2123 | else |
2124 | gid = ntfs_find_group(context.mapping[MAPGROUPS],gsid); |
2125 | #endif |
2126 | return (gid); |
2127 | } |
2128 | |
2129 | void newblock(s32 key) |
2130 | { |
2131 | struct SECURITY_DATA *psecurdata; |
2132 | int i; |
2133 | |
2134 | if ((key > 0) && (key < MAXSECURID) && !securdata[key >> SECBLKSZ]) { |
2135 | securdata[key >> SECBLKSZ] = |
2136 | (struct SECURITY_DATA*)malloc((1 << SECBLKSZ)*sizeof(struct SECURITY_DATA)); |
2137 | if (securdata[key >> SECBLKSZ]) |
2138 | for (i=0; i<(1 << SECBLKSZ); i++) { |
2139 | psecurdata = &securdata[key >> SECBLKSZ][i]; |
2140 | psecurdata->filecount = 0; |
2141 | psecurdata->mode = 0; |
2142 | psecurdata->flags = 0; |
2143 | psecurdata->attr = (char*)NULL; |
2144 | } |
2145 | } |
2146 | } |
2147 | |
2148 | void freeblocks(void) |
2149 | { |
2150 | int i,j; |
2151 | struct SECURITY_DATA *psecurdata; |
2152 | |
2153 | for (i=0; i<(MAXSECURID + (1 << SECBLKSZ) - 1)/(1 << SECBLKSZ); i++) |
2154 | if (securdata[i]) { |
2155 | for (j=0; j<(1 << SECBLKSZ); j++) { |
2156 | psecurdata = &securdata[i][j]; |
2157 | if (psecurdata->attr) |
2158 | free(psecurdata->attr); |
2159 | } |
2160 | free(securdata[i]); |
2161 | } |
2162 | } |
2163 | |
2164 | /* |
2165 | * Basic read from a user mapping file (Win32) |
2166 | */ |
2167 | |
2168 | int basicread(void *fileid, char *buf, size_t size, |
2169 | off_t pos __attribute__((unused))) |
2170 | { |
2171 | return (read(*(int*)fileid, buf, size)); |
2172 | } |
2173 | |
2174 | #if SELFTESTS & !USESTUBS |
2175 | |
2176 | /* |
2177 | * Read a dummy mapping file for tests |
2178 | */ |
2179 | |
2180 | int dummyread(void *fileid __attribute__((unused)), |
2181 | char *buf, size_t size, off_t pos) |
2182 | { |
2183 | size_t sz; |
2184 | |
2185 | if (pos >= (off_t)(sizeof(dummymapping) - 1)) |
2186 | sz = 0; |
2187 | else |
2188 | if ((size + pos) >= (sizeof(dummymapping) - 1)) |
2189 | sz = sizeof(dummymapping) - 1 - pos; |
2190 | else |
2191 | sz = size; |
2192 | if (sz > 0) |
2193 | memcpy(buf,&dummymapping[pos],sz); |
2194 | return (sz); |
2195 | } |
2196 | |
2197 | #endif /* POSIXACLS & SELFTESTS & !USESTUBS */ |
2198 | |
2199 | /* |
2200 | * Apply default single user mapping |
2201 | * returns zero if successful |
2202 | */ |
2203 | |
2204 | static int do_default_mapping(struct MAPPING *mapping[], |
2205 | const SID *usid) |
2206 | { |
2207 | struct MAPPING *usermapping; |
2208 | struct MAPPING *groupmapping; |
2209 | SID *sid; |
2210 | int sidsz; |
2211 | int res; |
2212 | |
2213 | res = -1; |
2214 | sidsz = ntfs_sid_size(usid); |
2215 | #if USESTUBS |
2216 | sid = (SID*)stdmalloc(sidsz); /* will be freed within the library */ |
2217 | #else |
2218 | sid = (SID*)ntfs_malloc(sidsz); |
2219 | #endif |
2220 | if (sid) { |
2221 | memcpy(sid,usid,sidsz); |
2222 | #if USESTUBS |
2223 | usermapping = (struct MAPPING*)stdmalloc(sizeof(struct MAPPING)); |
2224 | #else |
2225 | usermapping = (struct MAPPING*)ntfs_malloc(sizeof(struct MAPPING)); |
2226 | #endif |
2227 | if (usermapping) { |
2228 | #if USESTUBS |
2229 | groupmapping = (struct MAPPING*)stdmalloc(sizeof(struct MAPPING)); |
2230 | #else |
2231 | groupmapping = (struct MAPPING*)ntfs_malloc(sizeof(struct MAPPING)); |
2232 | #endif |
2233 | if (groupmapping) { |
2234 | usermapping->sid = sid; |
2235 | usermapping->xid = 0; |
2236 | usermapping->next = (struct MAPPING*)NULL; |
2237 | groupmapping->sid = sid; |
2238 | groupmapping->xid = 0; |
2239 | groupmapping->next = (struct MAPPING*)NULL; |
2240 | mapping[MAPUSERS] = usermapping; |
2241 | mapping[MAPGROUPS] = groupmapping; |
2242 | res = 0; |
2243 | } |
2244 | } |
2245 | } |
2246 | return (res); |
2247 | } |
2248 | |
2249 | /* |
2250 | * Build the user mapping |
2251 | * - according to a mapping file if defined (or default present), |
2252 | * - or try default single user mapping if possible |
2253 | * |
2254 | * The mapping is specific to a mounted device |
2255 | * No locking done, mounting assumed non multithreaded |
2256 | * |
2257 | * returns zero if mapping is successful |
2258 | * (failure should not be interpreted as an error) |
2259 | */ |
2260 | |
2261 | int local_build_mapping(struct MAPPING *mapping[], const char *usermap_path) |
2262 | { |
2263 | #ifdef WIN32 |
2264 | char mapfile[sizeof(MAPDIR) + sizeof(MAPFILE) + 6]; |
2265 | char currpath[261]; |
2266 | #else |
2267 | char *mapfile; |
2268 | char *p; |
2269 | #endif |
2270 | int fd; |
2271 | struct MAPLIST *item; |
2272 | struct MAPLIST *firstitem = (struct MAPLIST*)NULL; |
2273 | struct MAPPING *usermapping; |
2274 | struct MAPPING *groupmapping; |
2275 | static struct { |
2276 | u8 revision; |
2277 | u8 levels; |
2278 | be16 highbase; |
2279 | be32 lowbase; |
2280 | le32 level1; |
2281 | le32 level2; |
2282 | le32 level3; |
2283 | le32 level4; |
2284 | le32 level5; |
2285 | } defmap = { |
2286 | 1, 5, const_cpu_to_be16(0), const_cpu_to_be32(5), |
2287 | const_cpu_to_le32(21), |
2288 | const_cpu_to_le32(DEFSECAUTH1), const_cpu_to_le32(DEFSECAUTH2), |
2289 | const_cpu_to_le32(DEFSECAUTH3), const_cpu_to_le32(DEFSECBASE) |
2290 | } ; |
2291 | |
2292 | /* be sure not to map anything until done */ |
2293 | mapping[MAPUSERS] = (struct MAPPING*)NULL; |
2294 | mapping[MAPGROUPS] = (struct MAPPING*)NULL; |
2295 | |
2296 | if (usermap_path) { |
2297 | #ifdef WIN32 |
2298 | /* TODO : check whether the device can store acls */ |
2299 | strcpy(mapfile,"x:\\" MAPDIR "\\" MAPFILE); |
2300 | if (((le16*)usermap_path)[1] == ':') |
2301 | mapfile[0] = usermap_path[0]; |
2302 | else { |
2303 | GetModuleFileName(NULL, currpath, 261); |
2304 | mapfile[0] = currpath[0]; |
2305 | } |
2306 | fd = open(mapfile,O_RDONLY); |
2307 | #else |
2308 | fd = 0; |
2309 | mapfile = (char*)malloc(MAXFILENAME); |
2310 | if (mapfile) { |
2311 | /* build a full path to locate the mapping file */ |
2312 | if ((usermap_path[0] != '/') |
2313 | && getcwd(mapfile,MAXFILENAME)) { |
2314 | strcat(mapfile,"/"); |
2315 | strcat(mapfile,usermap_path); |
2316 | } else |
2317 | strcpy(mapfile,usermap_path); |
2318 | p = strrchr(mapfile,'/'); |
2319 | if (p) |
2320 | do { |
2321 | strcpy(p,"/" MAPDIR "/" MAPFILE); |
2322 | fd = open(mapfile,O_RDONLY); |
2323 | if (fd <= 0) { |
2324 | *p = 0; |
2325 | p = strrchr(mapfile,'/'); |
2326 | if (p == mapfile) |
2327 | p = (char*)NULL; |
2328 | } |
2329 | } while ((fd <= 0) && p); |
2330 | free(mapfile); |
2331 | if (!p) { |
2332 | printf("** Could not find the user mapping file\n"); |
2333 | if (usermap_path[0] != '/') |
2334 | printf(" Retry with full path of file\n"); |
2335 | errors++; |
2336 | } |
2337 | } |
2338 | #endif |
2339 | if (fd > 0) { |
2340 | firstitem = ntfs_read_mapping(basicread, (void*)&fd); |
2341 | close(fd); |
2342 | } |
2343 | } else { |
2344 | #if SELFTESTS & !USESTUBS |
2345 | firstitem = ntfs_read_mapping(dummyread, (void*)NULL); |
2346 | #endif |
2347 | } |
2348 | |
2349 | if (firstitem) { |
2350 | usermapping = ntfs_do_user_mapping(firstitem); |
2351 | groupmapping = ntfs_do_group_mapping(firstitem); |
2352 | if (usermapping && groupmapping) { |
2353 | mapping[MAPUSERS] = usermapping; |
2354 | mapping[MAPGROUPS] = groupmapping; |
2355 | } else |
2356 | ntfs_log_error("There were no valid user or no valid group\n"); |
2357 | /* now we can free the memory copy of input text */ |
2358 | /* and rely on internal representation */ |
2359 | while (firstitem) { |
2360 | item = firstitem->next; |
2361 | #if USESTUBS |
2362 | stdfree(firstitem); /* allocated within library */ |
2363 | #else |
2364 | free(firstitem); |
2365 | #endif |
2366 | firstitem = item; |
2367 | } |
2368 | } else { |
2369 | do_default_mapping(mapping,(const SID*)&defmap); |
2370 | } |
2371 | if (mapping[MAPUSERS]) |
2372 | mappingtype = MAPLOCAL; |
2373 | return (!mapping[MAPUSERS]); |
2374 | } |
2375 | |
2376 | /* |
2377 | * Get an hexadecimal number (source with MSB first) |
2378 | */ |
2379 | |
2380 | u32 getmsbhex(const char *text) |
2381 | { |
2382 | u32 v; |
2383 | int b; |
2384 | BOOL ok; |
2385 | |
2386 | v = 0; |
2387 | ok = TRUE; |
2388 | do { |
2389 | b = *text++; |
2390 | if ((b >= '0') && (b <= '9')) |
2391 | v = (v << 4) + b - '0'; |
2392 | else |
2393 | if ((b >= 'a') && (b <= 'f')) |
2394 | v = (v << 4) + b - 'a' + 10; |
2395 | else |
2396 | if ((b >= 'A') && (b <= 'F')) |
2397 | v = (v << 4) + b - 'A' + 10; |
2398 | else ok = FALSE; |
2399 | } while (ok); |
2400 | return (v); |
2401 | } |
2402 | |
2403 | |
2404 | /* |
2405 | * Get an hexadecimal number (source with LSB first) |
2406 | * An odd number of digits might yield a strange result |
2407 | */ |
2408 | |
2409 | u32 getlsbhex(const char *text) |
2410 | { |
2411 | u32 v; |
2412 | int b; |
2413 | BOOL ok; |
2414 | int pos; |
2415 | |
2416 | v = 0; |
2417 | ok = TRUE; |
2418 | pos = 0; |
2419 | do { |
2420 | b = *text++; |
2421 | if ((b >= '0') && (b <= '9')) |
2422 | v |= (u32)(b - '0') << (pos ^ 4); |
2423 | else |
2424 | if ((b >= 'a') && (b <= 'f')) |
2425 | v |= (u32)(b - 'a' + 10) << (pos ^ 4); |
2426 | else |
2427 | if ((b >= 'A') && (b <= 'F')) |
2428 | v |= (u32)(b - 'A' + 10) << (pos ^ 4); |
2429 | else ok = FALSE; |
2430 | pos += 4; |
2431 | } while (ok); |
2432 | return (v); |
2433 | } |
2434 | |
2435 | |
2436 | /* |
2437 | * Check whether a line looks like an hex dump |
2438 | */ |
2439 | |
2440 | BOOL ishexdump(const char *line, int first, int lth) |
2441 | { |
2442 | BOOL ok; |
2443 | int i; |
2444 | int b; |
2445 | |
2446 | ok = (first >= 0) && (lth >= (first + 16)); |
2447 | for (i=0; ((first+i)<lth) && ok; i++) { |
2448 | b = line[first + i]; |
2449 | if ((i == 6) |
2450 | || (i == 7) |
2451 | || (i == 16) |
2452 | || (i == 25) |
2453 | || (i == 34) |
2454 | || (i == 43)) |
2455 | ok = (b == ' ') || (b == '\n'); |
2456 | else |
2457 | ok = ((b >= '0') && (b <= '9')) |
2458 | || ((b >= 'a') && (b <= 'f')) |
2459 | || ((b >= 'A') && (b <= 'F')); |
2460 | } |
2461 | return (ok); |
2462 | } |
2463 | |
2464 | |
2465 | /* |
2466 | * Display security descriptors from a file |
2467 | * This is typically to convert a verbose output to a very verbose one |
2468 | */ |
2469 | |
2470 | void showhex(FILE *fd) |
2471 | { |
2472 | static char attr[MAXATTRSZ]; |
2473 | char line[MAXLINE+1]; |
2474 | #if POSIXACLS |
2475 | struct POSIX_SECURITY *pxdesc; |
2476 | #endif |
2477 | int lth; |
2478 | int first; |
2479 | unsigned int pos; |
2480 | u32 v; |
2481 | int c; |
2482 | int isdir; |
2483 | int mode; |
2484 | unsigned int off; |
2485 | int i; |
2486 | le32 *pattr; |
2487 | BOOL isdump; |
2488 | BOOL done; |
2489 | |
2490 | pos = 0; |
2491 | off = 0; |
2492 | done = FALSE; |
2493 | do { |
2494 | /* input a (partial) line without displaying */ |
2495 | lth = 0; |
2496 | first = -1; |
2497 | do { |
2498 | c = getc(fd); |
2499 | if ((c != ' ') && (first < 0)) |
2500 | first = lth; |
2501 | if (c == EOF) |
2502 | done = TRUE; |
2503 | else |
2504 | if (c != '\r') |
2505 | line[lth++] = c; |
2506 | } while (!done && (c != '\n') && (lth < MAXLINE)); |
2507 | /* check whether this looks like an hexadecimal dump */ |
2508 | isdump = ishexdump(line, first, lth); |
2509 | if (isdump) off = getmsbhex(&line[first]); |
2510 | /* line is not an hexadecimal dump */ |
2511 | /* display what we have in store */ |
2512 | if ((!isdump || !off) && pos && ntfs_valid_descr((char*)attr,pos)) { |
2513 | printf(" Computed hash : 0x%08lx\n", |
2514 | (unsigned long)hash((le32*)attr, |
2515 | ntfs_attr_size(attr))); |
2516 | isdir = guess_dir(attr); |
2517 | printf(" Estimated type : %s\n",(isdir ? "directory" : "file")); |
2518 | showheader(attr,4); |
2519 | showusid(attr,4); |
2520 | showgsid(attr,4); |
2521 | showdacl(attr,isdir,4); |
2522 | showsacl(attr,isdir,4); |
2523 | mode = linux_permissions(attr,isdir); |
2524 | printf("Interpreted Unix mode 0%03o\n",mode); |
2525 | #if POSIXACLS |
2526 | /* |
2527 | * Posix display not possible when user |
2528 | * mapping is not available (option -h) |
2529 | */ |
2530 | if (mappingtype != MAPNONE) { |
2531 | pxdesc = linux_permissions_posix(attr,isdir); |
2532 | if (pxdesc) { |
2533 | showposix(pxdesc); |
2534 | free(pxdesc); |
2535 | } |
2536 | } |
2537 | #endif |
2538 | pos = 0; |
2539 | } |
2540 | if (isdump && !off) |
2541 | pos = off; |
2542 | /* line looks like an hexadecimal dump */ |
2543 | /* decode it into attribute */ |
2544 | if (isdump && (off == pos)) { |
2545 | for (i=first+8; i<lth; i+=9) { |
2546 | pattr = (le32*)&attr[pos]; |
2547 | v = getlsbhex(&line[i]); |
2548 | *pattr = cpu_to_le32(v); |
2549 | pos += 4; |
2550 | } |
2551 | } |
2552 | /* display (full) current line */ |
2553 | if (lth) printf("! "); |
2554 | for (i=0; i<lth; i++) { |
2555 | c = line[i]; |
2556 | putchar(c); |
2557 | } |
2558 | while (!done && (c != '\n')) { |
2559 | c = getc(fd); |
2560 | if (c == EOF) |
2561 | done = TRUE; |
2562 | else |
2563 | putchar(c); |
2564 | } |
2565 | } while (!done); |
2566 | } |
2567 | |
2568 | BOOL applyattr(const char *fullname, const char *attr, |
2569 | BOOL withattr, int attrib, s32 key) |
2570 | { |
2571 | struct SECURITY_DATA *psecurdata; |
2572 | const char *curattr; |
2573 | char *newattr; |
2574 | int selection; |
2575 | BOOL bad; |
2576 | BOOL badattrib; |
2577 | BOOL err; |
2578 | #ifdef WIN32 |
2579 | HANDLE htoken; |
2580 | TOKEN_PRIVILEGES tkp; |
2581 | #endif |
2582 | |
2583 | err = FALSE; |
2584 | psecurdata = (struct SECURITY_DATA*)NULL; |
2585 | curattr = (const char*)NULL; |
2586 | newattr = (char*)NULL; |
2587 | if ((key > 0) && (key < MAXSECURID)) { |
2588 | if (!securdata[key >> SECBLKSZ]) |
2589 | newblock(key); |
2590 | if (securdata[key >> SECBLKSZ]) { |
2591 | psecurdata = &securdata[key >> SECBLKSZ] |
2592 | [key & ((1 << SECBLKSZ) - 1)]; |
2593 | } |
2594 | } |
2595 | |
2596 | /* If we have a usable attrib value. Try applying */ |
2597 | badattrib = FALSE; |
2598 | if (opt_e && (attrib != INVALID_FILE_ATTRIBUTES)) { |
2599 | #ifdef WIN32 |
2600 | badattrib = !SetFileAttributesW((LPCWSTR)fullname, attrib); |
2601 | #else |
2602 | badattrib = !ntfs_set_file_attributes(ntfs_context, fullname, attrib); |
2603 | #endif |
2604 | if (badattrib) { |
2605 | printf("** Could not set Windows attrib of "); |
2606 | printname(stdout,fullname); |
2607 | printf(" to 0x%x\n", attrib); |
2608 | printerror(stdout); |
2609 | warnings++; |
2610 | } |
2611 | } |
2612 | |
2613 | if (withattr) { |
2614 | if (psecurdata) { |
2615 | newattr = (char*)malloc(ntfs_attr_size(attr)); |
2616 | if (newattr) { |
2617 | memcpy(newattr,attr,ntfs_attr_size(attr)); |
2618 | psecurdata->attr = newattr; |
2619 | } |
2620 | } |
2621 | curattr = attr; |
2622 | } else |
2623 | /* |
2624 | * No explicit attr in backup, use attr defined |
2625 | * previously for the same id |
2626 | */ |
2627 | if (psecurdata) |
2628 | curattr = psecurdata->attr; |
2629 | |
2630 | |
2631 | if (curattr) { |
2632 | #ifdef WIN32 |
2633 | selection = OWNER_SECURITY_INFORMATION |
2634 | | GROUP_SECURITY_INFORMATION |
2635 | | DACL_SECURITY_INFORMATION; |
2636 | if (OpenProcessToken(GetCurrentProcess(), |
2637 | TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &htoken)) { |
2638 | if (LookupPrivilegeValue(NULL, SE_SECURITY_NAME, |
2639 | &tkp.Privileges[0].Luid)) { |
2640 | tkp.PrivilegeCount = 1; |
2641 | tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; |
2642 | if (AdjustTokenPrivileges(htoken, FALSE, &tkp, 0, NULL, 0)) { |
2643 | selection |= SACL_SECURITY_INFORMATION; |
2644 | } |
2645 | } |
2646 | } |
2647 | bad = !SetFileSecurityW((LPCWSTR)fullname, |
2648 | selection, (char*)curattr); |
2649 | if (bad) |
2650 | switch (GetLastError()) { |
2651 | case 1307 : |
2652 | case 1314 : |
2653 | printf("** Could not set owner or SACL of "); |
2654 | printname(stdout,fullname); |
2655 | printf(", retrying with no owner or SACL setting\n"); |
2656 | warnings++; |
2657 | bad = !SetFileSecurityW((LPCWSTR)fullname, |
2658 | selection & ~OWNER_SECURITY_INFORMATION |
2659 | & ~SACL_SECURITY_INFORMATION, (char*)curattr); |
2660 | break; |
2661 | default : |
2662 | break; |
2663 | } |
2664 | /* Release privileges once we are done*/ |
2665 | if (selection ^ SACL_SECURITY_INFORMATION) { |
2666 | tkp.Privileges[0].Attributes = 0; |
2667 | AdjustTokenPrivileges(htoken, FALSE, &tkp, 0, NULL, 0); |
2668 | } |
2669 | #else |
2670 | selection = OWNER_SECURITY_INFORMATION |
2671 | | GROUP_SECURITY_INFORMATION |
2672 | | DACL_SECURITY_INFORMATION |
2673 | | SACL_SECURITY_INFORMATION; |
2674 | bad = !ntfs_set_file_security(ntfs_context,fullname, |
2675 | selection, (const char*)curattr); |
2676 | #endif |
2677 | if (bad) { |
2678 | printf("** Could not set the ACL of "); |
2679 | printname(stdout,fullname); |
2680 | printf("\n"); |
2681 | printerror(stdout); |
2682 | err = TRUE; |
2683 | } else |
2684 | if (opt_v) { |
2685 | if (opt_e && !badattrib) |
2686 | printf("ACL and attrib have been applied to "); |
2687 | else |
2688 | printf("ACL has been applied to "); |
2689 | printname(stdout,fullname); |
2690 | printf("\n"); |
2691 | |
2692 | } |
2693 | } else { |
2694 | printf("** There was no valid ACL for "); |
2695 | printname(stdout,fullname); |
2696 | printf("\n"); |
2697 | err = TRUE; |
2698 | } |
2699 | return (!err); |
2700 | } |
2701 | |
2702 | /* |
2703 | * Restore security descriptors from a file |
2704 | */ |
2705 | |
2706 | BOOL restore(FILE *fd) |
2707 | { |
2708 | static char attr[MAXATTRSZ]; |
2709 | char line[MAXFILENAME+25]; |
2710 | char fullname[MAXFILENAME+25]; |
2711 | SECURITY_DESCRIPTOR_RELATIVE *phead; |
2712 | int lth; |
2713 | int first; |
2714 | unsigned int pos; |
2715 | int c; |
2716 | int isdir; |
2717 | int mode; |
2718 | s32 key; |
2719 | BOOL isdump; |
2720 | unsigned int off; |
2721 | u32 v; |
2722 | u32 oldhash; |
2723 | int i; |
2724 | int count; |
2725 | int attrib; |
2726 | le32 *pattr; |
2727 | BOOL withattr; |
2728 | BOOL done; |
2729 | |
2730 | pos = 0; |
2731 | off = 0; |
2732 | done = FALSE; |
2733 | withattr = FALSE; |
2734 | oldhash = 0; |
2735 | key = 0; |
2736 | errors = 0; |
2737 | count = 0; |
2738 | fullname[0] = 0; |
2739 | attrib = INVALID_FILE_ATTRIBUTES; |
2740 | do { |
2741 | /* input a (partial) line without processing */ |
2742 | lth = 0; |
2743 | first = -1; |
2744 | do { |
2745 | c = getc(fd); |
2746 | if ((c != ' ') && (first < 0)) |
2747 | first = lth; |
2748 | if (c == EOF) |
2749 | done = TRUE; |
2750 | else |
2751 | if (c != '\r') |
2752 | line[lth++] = c; |
2753 | } while (!done && (c != '\n') && (lth < (MAXFILENAME + 24))); |
2754 | /* check whether this looks like an hexadecimal dump */ |
2755 | isdump = ishexdump(line, first, lth); |
2756 | if (isdump) off = getmsbhex(&line[first]); |
2757 | /* line is not an hexadecimal dump */ |
2758 | /* apply what we have in store */ |
2759 | if ((!isdump || !off) && pos && ntfs_valid_descr((char*)attr,pos)) { |
2760 | withattr = TRUE; |
2761 | if (opt_v >= 2) { |
2762 | printf(" Computed hash : 0x%08lx\n", |
2763 | (unsigned long)hash((le32*)attr, |
2764 | ntfs_attr_size(attr))); |
2765 | isdir = guess_dir(attr); |
2766 | printf(" Estimated type : %s\n",(isdir ? "directory" : "file")); |
2767 | showheader(attr,4); |
2768 | showusid(attr,4); |
2769 | showgsid(attr,4); |
2770 | showdacl(attr,isdir,4); |
2771 | showsacl(attr,isdir,4); |
2772 | mode = linux_permissions(attr,isdir); |
2773 | printf("Interpreted Unix mode 0%03o\n",mode); |
2774 | } |
2775 | pos = 0; |
2776 | } |
2777 | if (isdump && !off) |
2778 | pos = off; |
2779 | /* line looks like an hexadecimal dump */ |
2780 | /* decode it into attribute */ |
2781 | if (isdump && (off == pos)) { |
2782 | for (i=first+8; i<lth; i+=9) { |
2783 | pattr = (le32*)&attr[pos]; |
2784 | v = getlsbhex(&line[i]); |
2785 | *pattr = cpu_to_le32(v); |
2786 | pos += 4; |
2787 | } |
2788 | } |
2789 | /* display (full) current line unless dump or verbose */ |
2790 | if (!isdump || opt_v) { |
2791 | if(lth) printf("! "); |
2792 | for (i=0; i<lth; i++) { |
2793 | c = line[i]; |
2794 | putchar(c); |
2795 | } |
2796 | } |
2797 | while (!done && (c != '\n')) { |
2798 | c = getc(fd); |
2799 | if (c == EOF) |
2800 | done = TRUE; |
2801 | else |
2802 | if (!isdump || opt_v) |
2803 | putchar(c); |
2804 | } |
2805 | |
2806 | line[lth] = 0; |
2807 | while ((lth > 0) |
2808 | && ((line[lth-1] == '\n') || (line[lth-1] == '\r'))) |
2809 | line[--lth] = 0; |
2810 | if (!strncmp(line,"Computed hash : 0x",18)) |
2811 | oldhash = getmsbhex(&line[18]); |
2812 | if (!strncmp(line,"Security key : 0x",17)) |
2813 | key = getmsbhex(&line[17]); |
2814 | if (!strncmp(line,"Windows attrib : 0x",19)) |
2815 | attrib = getmsbhex(&line[19]); |
2816 | if (done |
2817 | || !strncmp(line,"File ",5) |
2818 | || !strncmp(line,"Directory ",10)) { |
2819 | /* |
2820 | * New file or directory (or end of file) : |
2821 | * apply attribute just collected |
2822 | * or apply attribute defined from current key |
2823 | */ |
2824 | |
2825 | if (withattr |
2826 | && oldhash |
2827 | && (hash((const le32*)attr,ntfs_attr_size(attr)) != oldhash)) { |
2828 | printf("** ACL rejected, its hash is not as expected\n"); |
2829 | errors++; |
2830 | } else |
2831 | if (fullname[0]) { |
2832 | phead = (SECURITY_DESCRIPTOR_RELATIVE*)attr; |
2833 | /* set the request for auto-inheritance */ |
2834 | if (phead->control & SE_DACL_AUTO_INHERITED) |
2835 | phead->control |= SE_DACL_AUTO_INHERIT_REQ; |
2836 | if (!applyattr(fullname,attr,withattr, |
2837 | attrib,key)) |
2838 | errors++; |
2839 | else |
2840 | count++; |
2841 | } |
2842 | /* save current file or directory name */ |
2843 | withattr = FALSE; |
2844 | key = 0; |
2845 | oldhash = 0; |
2846 | attrib = INVALID_FILE_ATTRIBUTES; |
2847 | if (!done) { |
2848 | #ifdef WIN32 |
2849 | if (!strncmp(line,"File ",5)) |
2850 | makeutf16(fullname,&line[5]); |
2851 | else |
2852 | makeutf16(fullname,&line[10]); |
2853 | #else |
2854 | if (!strncmp(line,"File ",5)) |
2855 | strcpy(fullname,&line[5]); |
2856 | else |
2857 | strcpy(fullname,&line[10]); |
2858 | #endif |
2859 | } |
2860 | } |
2861 | } while (!done); |
2862 | printf("%d ACLs have been applied\n",count); |
2863 | return (FALSE); |
2864 | } |
2865 | |
2866 | /* |
2867 | * Open the security API in rw mode for an ACL restoration |
2868 | */ |
2869 | |
2870 | #ifdef WIN32 |
2871 | #else |
2872 | BOOL dorestore(const char *volume, FILE *fd) |
2873 | { |
2874 | BOOL err; |
2875 | |
2876 | err = FALSE; |
2877 | if (!getuid()) { |
2878 | if (open_security_api()) { |
2879 | if (open_volume(volume,NTFS_MNT_NONE)) { |
2880 | if (restore(fd)) err = TRUE; |
2881 | close_volume(volume); |
2882 | } else { |
2883 | fprintf(stderr,"Could not open volume %s\n",volume); |
2884 | printerror(stderr); |
2885 | err = TRUE; |
2886 | } |
2887 | close_security_api(); |
2888 | } else { |
2889 | fprintf(stderr,"Could not open security API\n"); |
2890 | printerror(stderr); |
2891 | err = TRUE; |
2892 | } |
2893 | } else { |
2894 | fprintf(stderr,"Restore is only possible as root\n"); |
2895 | err = TRUE; |
2896 | } |
2897 | return (err); |
2898 | } |
2899 | #endif /* WIN32 */ |
2900 | |
2901 | #if POSIXACLS & SELFTESTS & !USESTUBS |
2902 | |
2903 | /* |
2904 | * Merge Posix ACL rights into an u32 (self test only) |
2905 | * |
2906 | * Result format : -----rwxrwxrwxrwxrwx---rwxrwxrwx |
2907 | * U1 U2 G1 G2 M o g w |
2908 | * |
2909 | * Only two users (U1, U2) and two groups (G1, G2) taken into account |
2910 | */ |
2911 | u32 merge_rights(const struct POSIX_SECURITY *pxdesc, BOOL def) |
2912 | { |
2913 | const struct POSIX_ACE *pxace; |
2914 | int i; |
2915 | int users; |
2916 | int groups; |
2917 | int first; |
2918 | int last; |
2919 | u32 rights; |
2920 | |
2921 | rights = 0; |
2922 | users = 0; |
2923 | groups = 0; |
2924 | if (def) { |
2925 | first = pxdesc->firstdef; |
2926 | last = pxdesc->firstdef + pxdesc->defcnt - 1; |
2927 | } else { |
2928 | first = 0; |
2929 | last = pxdesc->acccnt - 1; |
2930 | } |
2931 | pxace = pxdesc->acl.ace; |
2932 | for (i=first; i<=last; i++) { |
2933 | switch (pxace[i].tag) { |
2934 | case POSIX_ACL_USER_OBJ : |
2935 | rights |= (pxace[i].perms & 7) << 6; |
2936 | break; |
2937 | case POSIX_ACL_USER : |
2938 | if (users < 2) |
2939 | rights |= ((u32)pxace[i].perms & 7) << (24 - 3*users); |
2940 | users++; |
2941 | break; |
2942 | case POSIX_ACL_GROUP_OBJ : |
2943 | rights |= (pxace[i].perms & 7) << 3; |
2944 | break; |
2945 | case POSIX_ACL_GROUP : |
2946 | if (groups < 2) |
2947 | rights |= ((u32)pxace[i].perms & 7) << (18 - 3*groups); |
2948 | groups++; |
2949 | break; |
2950 | case POSIX_ACL_MASK : |
2951 | rights |= ((u32)pxace[i].perms & 7) << 12; |
2952 | break; |
2953 | case POSIX_ACL_OTHER : |
2954 | rights |= (pxace[i].perms & 7); |
2955 | break; |
2956 | default : |
2957 | break; |
2958 | } |
2959 | } |
2960 | return (rights); |
2961 | } |
2962 | |
2963 | void tryposix(struct POSIX_SECURITY *pxdesc) |
2964 | { |
2965 | le32 owner_sid[] = /* S-1-5-21-3141592653-589793238-462843383-1016 */ |
2966 | { |
2967 | cpu_to_le32(0x501), cpu_to_le32(0x05000000), cpu_to_le32(21), |
2968 | cpu_to_le32(DEFSECAUTH1), cpu_to_le32(DEFSECAUTH2), |
2969 | cpu_to_le32(DEFSECAUTH3), cpu_to_le32(1016) |
2970 | } ; |
2971 | le32 group_sid[] = /* S-1-5-21-3141592653-589793238-462843383-513 */ |
2972 | { |
2973 | cpu_to_le32(0x501), cpu_to_le32(0x05000000), cpu_to_le32(21), |
2974 | cpu_to_le32(DEFSECAUTH1), cpu_to_le32(DEFSECAUTH2), |
2975 | cpu_to_le32(DEFSECAUTH3), cpu_to_le32(513) |
2976 | } ; |
2977 | |
2978 | char *attr; |
2979 | BOOL isdir; |
2980 | mode_t mode; |
2981 | struct POSIX_SECURITY *newpxdesc; |
2982 | struct POSIX_SECURITY *oldpxdesc; |
2983 | static char *oldattr = (char*)NULL; |
2984 | |
2985 | isdir = FALSE; |
2986 | if (oldattr) { |
2987 | oldpxdesc = linux_permissions_posix(oldattr, isdir); |
2988 | newpxdesc = ntfs_merge_descr_posix(pxdesc, oldpxdesc); |
2989 | if (!newpxdesc) |
2990 | newpxdesc = pxdesc; |
2991 | free(oldpxdesc); |
2992 | if (opt_v) { |
2993 | printf("merged descriptors :\n"); |
2994 | showposix(newpxdesc); |
2995 | } |
2996 | } else |
2997 | newpxdesc = pxdesc; |
2998 | attr = ntfs_build_descr_posix(context.mapping,newpxdesc, |
2999 | isdir,(SID*)owner_sid,(SID*)group_sid); |
3000 | if (attr && ntfs_valid_descr(attr, ntfs_attr_size(attr))) { |
3001 | if (opt_v) |
3002 | hexdump(attr,ntfs_attr_size(attr),8); |
3003 | if (opt_v >= 2) { |
3004 | showheader(attr,4); |
3005 | showusid(attr,4); |
3006 | showgsid(attr,4); |
3007 | showdacl(attr,isdir,4); |
3008 | showsacl(attr,isdir,4); |
3009 | mode = linux_permissions(attr,isdir); |
3010 | printf("Interpreted Unix mode 0%03o\n",mode); |
3011 | printf("Interpreted back Posix descriptor :\n"); |
3012 | newpxdesc = linux_permissions_posix(attr,isdir); |
3013 | showposix(newpxdesc); |
3014 | free(newpxdesc); |
3015 | } |
3016 | if (oldattr) free(oldattr); |
3017 | oldattr = attr; |
3018 | } |
3019 | } |
3020 | |
3021 | static BOOL same_posix(struct POSIX_SECURITY *pxdesc1, |
3022 | struct POSIX_SECURITY *pxdesc2) |
3023 | { |
3024 | BOOL same; |
3025 | int i; |
3026 | |
3027 | same = pxdesc1 |
3028 | && pxdesc2 |
3029 | && (pxdesc1->mode == pxdesc2->mode) |
3030 | && (pxdesc1->acccnt == pxdesc2->acccnt) |
3031 | && (pxdesc1->defcnt == pxdesc2->defcnt) |
3032 | && (pxdesc1->firstdef == pxdesc2->firstdef) |
3033 | && (pxdesc1->tagsset == pxdesc2->tagsset) |
3034 | && (pxdesc1->acl.version == pxdesc2->acl.version) |
3035 | && (pxdesc1->acl.flags == pxdesc2->acl.flags); |
3036 | i = 0; |
3037 | while (same && (i < pxdesc1->acccnt)) { |
3038 | same = (pxdesc1->acl.ace[i].tag == pxdesc2->acl.ace[i].tag) |
3039 | && (pxdesc1->acl.ace[i].perms == pxdesc2->acl.ace[i].perms) |
3040 | && (pxdesc1->acl.ace[i].id == pxdesc2->acl.ace[i].id); |
3041 | i++; |
3042 | } |
3043 | i = pxdesc1->firstdef; |
3044 | while (same && (i < pxdesc1->firstdef + pxdesc1->defcnt)) { |
3045 | same = (pxdesc1->acl.ace[i].tag == pxdesc2->acl.ace[i].tag) |
3046 | && (pxdesc1->acl.ace[i].perms == pxdesc2->acl.ace[i].perms) |
3047 | && (pxdesc1->acl.ace[i].id == pxdesc2->acl.ace[i].id); |
3048 | i++; |
3049 | } |
3050 | return (same); |
3051 | } |
3052 | |
3053 | #endif /* POSIXACLS & SELFTESTS & !USESTUBS */ |
3054 | |
3055 | #if SELFTESTS & !USESTUBS |
3056 | |
3057 | /* |
3058 | * Build a dummy security descriptor |
3059 | * returns descriptor in allocated memory, must free() after use |
3060 | */ |
3061 | |
3062 | static char *build_dummy_descr(BOOL isdir __attribute__((unused)), |
3063 | const SID *usid, const SID *gsid, |
3064 | int cnt, |
3065 | /* seq of int allow, SID *sid, int flags, u32 mask */ |
3066 | ...) |
3067 | { |
3068 | char *attr; |
3069 | int attrsz; |
3070 | SECURITY_DESCRIPTOR_RELATIVE *pnhead; |
3071 | ACL *pacl; |
3072 | ACCESS_ALLOWED_ACE *pace; |
3073 | va_list ap; |
3074 | const SID *sid; |
3075 | u32 umask; |
3076 | le32 mask; |
3077 | int flags; |
3078 | BOOL allow; |
3079 | int pos; |
3080 | int usidsz; |
3081 | int gsidsz; |
3082 | int sidsz; |
3083 | int aclsz; |
3084 | int i; |
3085 | |
3086 | if (usid) |
3087 | usidsz = ntfs_sid_size(usid); |
3088 | else |
3089 | usidsz = 0; |
3090 | if (gsid) |
3091 | gsidsz = ntfs_sid_size(gsid); |
3092 | else |
3093 | gsidsz = 0; |
3094 | |
3095 | |
3096 | /* allocate enough space for the new security attribute */ |
3097 | attrsz = sizeof(SECURITY_DESCRIPTOR_RELATIVE) /* header */ |
3098 | + usidsz + gsidsz /* usid and gsid */ |
3099 | + sizeof(ACL) /* acl header */ |
3100 | + cnt*40; |
3101 | |
3102 | attr = (char*)ntfs_malloc(attrsz); |
3103 | if (attr) { |
3104 | /* build the main header part */ |
3105 | pnhead = (SECURITY_DESCRIPTOR_RELATIVE*) attr; |
3106 | pnhead->revision = SECURITY_DESCRIPTOR_REVISION; |
3107 | pnhead->alignment = 0; |
3108 | /* |
3109 | * The flag SE_DACL_PROTECTED prevents the ACL |
3110 | * to be changed in an inheritance after creation |
3111 | */ |
3112 | pnhead->control = SE_DACL_PRESENT | SE_DACL_PROTECTED |
3113 | | SE_SELF_RELATIVE; |
3114 | /* |
3115 | * Windows prefers ACL first, do the same to |
3116 | * get the same hash value and avoid duplication |
3117 | */ |
3118 | /* build the ACL header */ |
3119 | pos = sizeof(SECURITY_DESCRIPTOR_RELATIVE); |
3120 | pacl = (ACL*)&attr[pos]; |
3121 | pacl->revision = ACL_REVISION; |
3122 | pacl->alignment1 = 0; |
3123 | pacl->size = cpu_to_le16(0); /* fixed later */ |
3124 | pacl->ace_count = cpu_to_le16(cnt); |
3125 | pacl->alignment2 = cpu_to_le16(0); |
3126 | |
3127 | /* enter the ACEs */ |
3128 | |
3129 | pos += sizeof(ACL); |
3130 | aclsz = sizeof(ACL); |
3131 | va_start(ap,cnt); |
3132 | for (i=0; i<cnt; i++) { |
3133 | pace = (ACCESS_ALLOWED_ACE*)&attr[pos]; |
3134 | allow = va_arg(ap,int); |
3135 | sid = va_arg(ap,SID*); |
3136 | flags = va_arg(ap,int); |
3137 | umask = va_arg(ap,u32); |
3138 | mask = cpu_to_le32(umask); |
3139 | sidsz = ntfs_sid_size(sid); |
3140 | pace->type = (allow ? ACCESS_ALLOWED_ACE_TYPE : ACCESS_DENIED_ACE_TYPE); |
3141 | pace->flags = flags; |
3142 | pace->size = cpu_to_le16(sidsz + 8); |
3143 | pace->mask = mask; |
3144 | memcpy(&pace->sid,sid,sidsz); |
3145 | aclsz += sidsz + 8; |
3146 | pos += sidsz + 8; |
3147 | } |
3148 | va_end(ap); |
3149 | |
3150 | /* append usid and gsid if defined */ |
3151 | /* positions of ACL, USID and GSID into header */ |
3152 | pnhead->owner = cpu_to_le32(0); |
3153 | pnhead->group = cpu_to_le32(0); |
3154 | if (usid) { |
3155 | memcpy(&attr[pos], usid, usidsz); |
3156 | pnhead->owner = cpu_to_le32(pos); |
3157 | } |
3158 | if (gsid) { |
3159 | memcpy(&attr[pos + usidsz], gsid, gsidsz); |
3160 | pnhead->group = cpu_to_le32(pos + usidsz); |
3161 | } |
3162 | /* positions of DACL and SACL into header */ |
3163 | pnhead->sacl = cpu_to_le32(0); |
3164 | if (cnt) { |
3165 | pacl->size = cpu_to_le16(aclsz); |
3166 | pnhead->dacl = |
3167 | cpu_to_le32(sizeof(SECURITY_DESCRIPTOR_RELATIVE)); |
3168 | } else |
3169 | pnhead->dacl = cpu_to_le32(0); |
3170 | if (!ntfs_valid_descr(attr,pos+usidsz+gsidsz)) { |
3171 | printf("** Bad sample descriptor\n"); |
3172 | free(attr); |
3173 | attr = (char*)NULL; |
3174 | errors++; |
3175 | } |
3176 | } else |
3177 | errno = ENOMEM; |
3178 | return (attr); |
3179 | } |
3180 | |
3181 | /* |
3182 | * Check a few samples with special conditions |
3183 | */ |
3184 | |
3185 | void check_samples() |
3186 | { |
3187 | char *descr = (char*)NULL; |
3188 | BOOL isdir = FALSE; |
3189 | mode_t perms; |
3190 | mode_t expect = 0; |
3191 | int cnt; |
3192 | u32 expectacc; |
3193 | u32 expectdef; |
3194 | #if POSIXACLS |
3195 | u32 accrights; |
3196 | u32 defrights; |
3197 | mode_t mixmode; |
3198 | struct POSIX_SECURITY *pxdesc; |
3199 | struct POSIX_SECURITY *pxsample; |
3200 | const char *txsample; |
3201 | #endif |
3202 | le32 owner1[] = /* S-1-5-21-1833069642-4243175381-1340018762-1003 */ |
3203 | { |
3204 | cpu_to_le32(0x501), cpu_to_le32(0x05000000), cpu_to_le32(21), |
3205 | cpu_to_le32(1833069642), cpu_to_le32(4243175381), |
3206 | cpu_to_le32(1340018762), cpu_to_le32(1003) |
3207 | } ; |
3208 | le32 group1[] = /* S-1-5-21-1833069642-4243175381-1340018762-513 */ |
3209 | { |
3210 | cpu_to_le32(0x501), cpu_to_le32(0x05000000), cpu_to_le32(21), |
3211 | cpu_to_le32(1833069642), cpu_to_le32(4243175381), |
3212 | cpu_to_le32(1340018762), cpu_to_le32(513) |
3213 | } ; |
3214 | le32 group2[] = /* S-1-5-21-1607551490-981732888-1819828000-513 */ |
3215 | { |
3216 | cpu_to_le32(0x501), cpu_to_le32(0x05000000), cpu_to_le32(21), |
3217 | cpu_to_le32(1607551490), cpu_to_le32(981732888), |
3218 | cpu_to_le32(1819828000), cpu_to_le32(513) |
3219 | } ; |
3220 | le32 owner3[] = /* S-1-5-21-3141592653-589793238-462843383-1016 */ |
3221 | { |
3222 | cpu_to_le32(0x501), cpu_to_le32(0x05000000), cpu_to_le32(21), |
3223 | cpu_to_le32(DEFSECAUTH1), cpu_to_le32(DEFSECAUTH2), |
3224 | cpu_to_le32(DEFSECAUTH3), cpu_to_le32(1016) |
3225 | } ; |
3226 | le32 group3[] = /* S-1-5-21-3141592653-589793238-462843383-513 */ |
3227 | { |
3228 | cpu_to_le32(0x501), cpu_to_le32(0x05000000), cpu_to_le32(21), |
3229 | cpu_to_le32(DEFSECAUTH1), cpu_to_le32(DEFSECAUTH2), |
3230 | cpu_to_le32(DEFSECAUTH3), cpu_to_le32(513) |
3231 | } ; |
3232 | |
3233 | #if POSIXACLS |
3234 | struct { |
3235 | struct POSIX_SECURITY head; |
3236 | struct POSIX_ACE ace[4]; |
3237 | } sampletry1 = |
3238 | { |
3239 | { 0645, 4, 0, 4, 0x35, |
3240 | { POSIX_VERSION, 0, 0 } |
3241 | }, |
3242 | { |
3243 | { 1, 6, -1 }, |
3244 | { 4, 5, -1 }, |
3245 | { 16, 4, -1 }, |
3246 | { 32, 5, -1 } |
3247 | } |
3248 | } ; |
3249 | |
3250 | struct { |
3251 | struct POSIX_SECURITY head; |
3252 | struct POSIX_ACE ace[6]; |
3253 | } sampletry3 = |
3254 | { |
3255 | { 0100, 6, 0, 6, 0x3f, |
3256 | { POSIX_VERSION, 0, 0 } |
3257 | }, |
3258 | { |
3259 | { 1, 1, -1 }, |
3260 | { 2, 3, 1000 }, |
3261 | { 4, 1, -1 }, |
3262 | { 8, 3, 1002 }, |
3263 | { 16, 0, -1 }, |
3264 | { 32, 0, -1 } |
3265 | } |
3266 | } ; |
3267 | |
3268 | struct { |
3269 | struct POSIX_SECURITY head; |
3270 | struct POSIX_ACE ace[8]; |
3271 | } sampletry4 = |
3272 | { |
3273 | { 0140, 8, 0, 8, 0x3f, |
3274 | { POSIX_VERSION, 0, 0 } |
3275 | }, |
3276 | { |
3277 | { 1, 1, -1 }, |
3278 | { 2, 3, 516 }, |
3279 | { 2, 6, 1000 }, |
3280 | { 4, 1, -1 }, |
3281 | { 8, 6, 500 }, |
3282 | { 8, 3, 1002 }, |
3283 | { 16, 4, -1 }, |
3284 | { 32, 0, -1 } |
3285 | } |
3286 | } ; |
3287 | |
3288 | struct { |
3289 | struct POSIX_SECURITY head; |
3290 | struct POSIX_ACE ace[6]; |
3291 | } sampletry5 = |
3292 | { |
3293 | { 0454, 6, 0, 6, 0x3f, |
3294 | { POSIX_VERSION, 0, 0 } |
3295 | }, |
3296 | { |
3297 | { 1, 4, -1 }, |
3298 | { 2, 5, 516 }, |
3299 | { 4, 4, -1 }, |
3300 | { 8, 6, 500 }, |
3301 | { 16, 5, -1 }, |
3302 | { 32, 4, -1 } |
3303 | } |
3304 | } ; |
3305 | |
3306 | struct { |
3307 | struct POSIX_SECURITY head; |
3308 | struct POSIX_ACE ace[8]; |
3309 | } sampletry6 = |
3310 | { |
3311 | { 0332, 8, 0, 8, 0x3f, |
3312 | { POSIX_VERSION, 0, 0 } |
3313 | }, |
3314 | { |
3315 | { 1, 3, -1 }, |
3316 | { 2, 1, 0 }, |
3317 | { 2, 2, 1000 }, |
3318 | { 4, 6, -1 }, |
3319 | { 8, 4, 0 }, |
3320 | { 8, 5, 1002 }, |
3321 | { 16, 3, -1 }, |
3322 | { 32, 2, -1 } |
3323 | } |
3324 | } ; |
3325 | |
3326 | struct { |
3327 | struct POSIX_SECURITY head; |
3328 | struct POSIX_ACE ace[4]; |
3329 | } sampletry8 = |
3330 | { |
3331 | { 0677, 4, 0, 4, 0x35, |
3332 | { POSIX_VERSION, 0, 0 } |
3333 | }, |
3334 | { |
3335 | { 1, 6, -1 }, |
3336 | { 4, 7, -1 }, |
3337 | { 16, 7, -1 }, |
3338 | { 32, 7, -1 } |
3339 | } |
3340 | } ; |
3341 | |
3342 | #endif /* POSIXACLS */ |
3343 | |
3344 | |
3345 | #if POSIXACLS |
3346 | for (cnt=1; cnt<=8; cnt++) { |
3347 | switch (cnt) { |
3348 | case 1 : |
3349 | pxsample = &sampletry1.head; |
3350 | txsample = "sampletry1-a"; |
3351 | isdir = FALSE; |
3352 | descr = ntfs_build_descr_posix(context.mapping,&sampletry1.head, |
3353 | isdir, (const SID*)owner3, (const SID*)group3); |
3354 | break; |
3355 | case 2 : |
3356 | pxsample = &sampletry1.head; |
3357 | txsample = "sampletry1-b"; |
3358 | isdir = FALSE; |
3359 | descr = ntfs_build_descr_posix(context.mapping,&sampletry1.head, |
3360 | isdir, (const SID*)adminsid, (const SID*)group3); |
3361 | break; |
3362 | case 3 : |
3363 | isdir = FALSE; |
3364 | pxsample = &sampletry3.head; |
3365 | txsample = "sampletry3"; |
3366 | descr = ntfs_build_descr_posix(context.mapping,pxsample, |
3367 | isdir, (const SID*)group3, (const SID*)group3); |
3368 | break; |
3369 | case 4 : |
3370 | isdir = FALSE; |
3371 | pxsample = &sampletry4.head; |
3372 | txsample = "sampletry4"; |
3373 | descr = ntfs_build_descr_posix(context.mapping,pxsample, |
3374 | isdir, (const SID*)owner3, (const SID*)group3); |
3375 | break; |
3376 | case 5 : |
3377 | isdir = FALSE; |
3378 | pxsample = &sampletry5.head; |
3379 | txsample = "sampletry5"; |
3380 | descr = ntfs_build_descr_posix(context.mapping,pxsample, |
3381 | isdir, (const SID*)owner3, (const SID*)group3); |
3382 | break; |
3383 | case 6 : |
3384 | isdir = FALSE; |
3385 | pxsample = &sampletry6.head; |
3386 | txsample = "sampletry6-a"; |
3387 | descr = ntfs_build_descr_posix(context.mapping,pxsample, |
3388 | isdir, (const SID*)owner3, (const SID*)group3); |
3389 | break; |
3390 | case 7 : |
3391 | isdir = FALSE; |
3392 | pxsample = &sampletry6.head; |
3393 | txsample = "sampletry6-b"; |
3394 | descr = ntfs_build_descr_posix(context.mapping,pxsample, |
3395 | isdir, (const SID*)adminsid, (const SID*)adminsid); |
3396 | break; |
3397 | case 8 : |
3398 | pxsample = &sampletry8.head; |
3399 | txsample = "sampletry8"; |
3400 | isdir = FALSE; |
3401 | descr = ntfs_build_descr_posix(context.mapping,&sampletry8.head, |
3402 | isdir, (const SID*)owner3, (const SID*)group3); |
3403 | break; |
3404 | default : |
3405 | pxsample = (struct POSIX_SECURITY*)NULL; |
3406 | txsample = (const char*)NULL; |
3407 | } |
3408 | /* check we get original back */ |
3409 | if (descr) |
3410 | pxdesc = linux_permissions_posix(descr, isdir); |
3411 | else |
3412 | pxdesc = (struct POSIX_SECURITY*)NULL; |
3413 | if (!descr || !pxdesc || !same_posix(pxsample,pxdesc)) { |
3414 | printf("** Error in %s\n",txsample); |
3415 | showposix(pxsample); |
3416 | showall(descr,0); |
3417 | showposix(pxdesc); |
3418 | errors++; |
3419 | } |
3420 | free(descr); |
3421 | free(pxdesc); |
3422 | } |
3423 | |
3424 | #endif /* POSIXACLS */ |
3425 | |
3426 | |
3427 | /* |
3428 | * Check a few samples built by Windows, |
3429 | * which cannot be generated by Linux |
3430 | */ |
3431 | |
3432 | for (cnt=1; cnt<=10; cnt++) { |
3433 | switch(cnt) { |
3434 | case 1 : /* hp/tmp */ |
3435 | isdir = TRUE; |
3436 | descr = build_dummy_descr(isdir, |
3437 | (const SID*)owner1, (const SID*)group1, |
3438 | 1, |
3439 | (int)TRUE, worldsid, (int)0x3, (u32)0x1f01ff); |
3440 | expectacc = expect = 0777; |
3441 | expectdef = 0; |
3442 | break; |
3443 | case 2 : /* swsetup */ |
3444 | isdir = TRUE; |
3445 | descr = build_dummy_descr(isdir, adminsid, (const SID*)group2, |
3446 | 2, |
3447 | (int)TRUE, worldsid, (int)0x0, (u32)0x1f01ff, |
3448 | (int)TRUE, worldsid, (int)0xb, (u32)0x1f01ff); |
3449 | expectacc = expect = 0777; |
3450 | expectdef = 0777; |
3451 | break; |
3452 | case 3 : /* Dr Watson */ |
3453 | isdir = TRUE; |
3454 | descr = build_dummy_descr(isdir, (const SID*)owner3, (const SID*)group3, |
3455 | 0); |
3456 | expectacc = expect = 0700; |
3457 | expectdef = 0; |
3458 | break; |
3459 | case 4 : |
3460 | isdir = FALSE; |
3461 | descr = build_dummy_descr(isdir, |
3462 | (const SID*)owner3, (const SID*)group3, |
3463 | 4, |
3464 | (int)TRUE, (const SID*)owner3, 0, |
3465 | le32_to_cpu(FILE_READ_DATA | OWNER_RIGHTS), |
3466 | (int)TRUE, (const SID*)group3, 0, |
3467 | le32_to_cpu(FILE_WRITE_DATA), |
3468 | (int)TRUE, (const SID*)group2, 0, |
3469 | le32_to_cpu(FILE_WRITE_DATA | FILE_READ_DATA), |
3470 | (int)TRUE, (const SID*)worldsid, 0, |
3471 | le32_to_cpu(FILE_EXECUTE)); |
3472 | expect = 0731; |
3473 | expectacc = 07070731; |
3474 | expectdef = 0; |
3475 | break; |
3476 | case 5 : /* Vista/JP */ |
3477 | isdir = TRUE; |
3478 | descr = build_dummy_descr(isdir, systemsid, systemsid, |
3479 | 6, |
3480 | (int)TRUE, owner1, (int)0x0, (u32)0x1f01ff, |
3481 | (int)TRUE, systemsid, (int)0x0, (u32)0x1f01ff, |
3482 | (int)TRUE, adminsid, (int)0x0, (u32)0x1f01ff, |
3483 | (int)TRUE, owner1, (int)0xb, (u32)0x10000000, |
3484 | (int)TRUE, systemsid, (int)0xb, (u32)0x10000000, |
3485 | (int)TRUE, adminsid, (int)0xb, (u32)0x10000000); |
3486 | expectacc = expect = 0700; |
3487 | expectdef = 0700; |
3488 | break; |
3489 | case 6 : /* Vista/JP2 */ |
3490 | isdir = TRUE; |
3491 | descr = build_dummy_descr(isdir, systemsid, systemsid, |
3492 | 7, |
3493 | (int)TRUE, owner1, (int)0x0, (u32)0x1f01ff, |
3494 | (int)TRUE, systemsid, (int)0x0, (u32)0x1f01ff, |
3495 | (int)TRUE, adminsid, (int)0x0, (u32)0x1f01ff, |
3496 | (int)TRUE, owner1, (int)0xb, (u32)0x1f01ff, |
3497 | (int)TRUE, systemsid, (int)0xb, (u32)0x1f01ff, |
3498 | (int)TRUE, adminsid, (int)0xb, (u32)0x1f01ff, |
3499 | (int)TRUE, owner3, (int)0x3, (u32)0x1200a9); |
3500 | expectacc = 0500070700; |
3501 | expectdef = 0700; |
3502 | expect = 0700; |
3503 | break; |
3504 | case 7 : /* WinXP/JP */ |
3505 | isdir = TRUE; |
3506 | descr = build_dummy_descr(isdir, adminsid, systemsid, |
3507 | 6, |
3508 | (int)TRUE, owner1, (int)0x0, (u32)0x1f01ff, |
3509 | (int)TRUE, systemsid, (int)0x0, (u32)0x1f01ff, |
3510 | (int)TRUE, adminsid, (int)0x0, (u32)0x1f01ff, |
3511 | (int)TRUE, owner1, (int)0xb, (u32)0x10000000, |
3512 | (int)TRUE, systemsid, (int)0xb, (u32)0x10000000, |
3513 | (int)TRUE, adminsid, (int)0xb, (u32)0x10000000); |
3514 | expectacc = expect = 0700; |
3515 | expectdef = 0700; |
3516 | break; |
3517 | case 8 : /* WinXP/JP2 */ |
3518 | isdir = TRUE; |
3519 | descr = build_dummy_descr(isdir, adminsid, systemsid, |
3520 | 6, |
3521 | (int)TRUE, owner1, (int)0x0, (u32)0x1f01ff, |
3522 | (int)TRUE, systemsid, (int)0x0, (u32)0x1f01ff, |
3523 | (int)TRUE, adminsid, (int)0x0, (u32)0x1f01ff, |
3524 | (int)TRUE, owner1, (int)0xb, (u32)0x10000000, |
3525 | (int)TRUE, systemsid, (int)0xb, (u32)0x10000000, |
3526 | (int)TRUE, adminsid, (int)0xb, (u32)0x10000000); |
3527 | expectacc = expect = 0700; |
3528 | expectdef = 0700; |
3529 | break; |
3530 | case 9 : /* Win8/bin */ |
3531 | isdir = TRUE; |
3532 | descr = build_dummy_descr(isdir, |
3533 | (const SID*)owner3, (const SID*)owner3, |
3534 | 6, |
3535 | (int)TRUE, authsid, (int)0x3, (u32)0x1f01ff, |
3536 | (int)TRUE, adminsid, (int)0x13, (u32)0x1f01ff, |
3537 | (int)TRUE, systemsid, (int)0x13, (u32)0x1f01ff, |
3538 | (int)TRUE, localsid, (int)0x13, (u32)0x1200a9, |
3539 | (int)TRUE, authsid, (int)0x10, (u32)0x1301bf, |
3540 | (int)TRUE, authsid, (int)0x1b, (u32)0xe0010000); |
3541 | expectacc = expect = 0777; |
3542 | expectdef = 0777; |
3543 | break; |
3544 | case 10 : /* Win8/bin/linem.exe */ |
3545 | isdir = FALSE; |
3546 | descr = build_dummy_descr(isdir, |
3547 | (const SID*)owner3, (const SID*)owner3, |
3548 | 4, |
3549 | (int)TRUE, authsid, (int)0x10, (u32)0x1f01ff, |
3550 | (int)TRUE, adminsid, (int)0x10, (u32)0x1f01ff, |
3551 | (int)TRUE, systemsid, (int)0x10, (u32)0x1ff, |
3552 | (int)TRUE, localsid, (int)0x10, (u32)0x1200a9); |
3553 | expectacc = expect = 0777; |
3554 | expectdef = 0; |
3555 | break; |
3556 | default : |
3557 | expectacc = expectdef = 0; |
3558 | break; |
3559 | } |
3560 | if (descr) { |
3561 | perms = linux_permissions(descr, isdir); |
3562 | if (perms != expect) { |
3563 | printf("** Error in sample %d, perms 0%03o expected 0%03o\n", |
3564 | cnt,perms,expect); |
3565 | showall(descr,0); |
3566 | errors++; |
3567 | } else { |
3568 | #if POSIXACLS |
3569 | pxdesc = linux_permissions_posix(descr, isdir); |
3570 | if (pxdesc) { |
3571 | accrights = merge_rights(pxdesc,FALSE); |
3572 | defrights = merge_rights(pxdesc,TRUE); |
3573 | if (!(pxdesc->tagsset & ~(POSIX_ACL_USER_OBJ | POSIX_ACL_GROUP_OBJ | POSIX_ACL_OTHER))) |
3574 | mixmode = expect; |
3575 | else |
3576 | mixmode = (expect & 07707) | ((accrights >> 9) & 070); |
3577 | if ((pxdesc->mode != mixmode) |
3578 | || (accrights != expectacc) |
3579 | || (defrights != expectdef)) { |
3580 | printf("** Error in sample %d : mode %03o expected 0%03o\n", |
3581 | cnt,pxdesc->mode,mixmode); |
3582 | printf(" Posix access rights 0%03lo expected 0%03lo\n", |
3583 | (long)accrights,(long)expectacc); |
3584 | printf(" default rights 0%03lo expected 0%03lo\n", |
3585 | (long)defrights,(long)expectdef); |
3586 | showall(descr,0); |
3587 | showposix(pxdesc); |
3588 | exit(1); |
3589 | } |
3590 | free(pxdesc); |
3591 | } |
3592 | #endif |
3593 | } |
3594 | free(descr); |
3595 | } |
3596 | } |
3597 | } |
3598 | |
3599 | |
3600 | /* |
3601 | * Check whether any basic permission setting is interpreted |
3602 | * back exactly as set |
3603 | */ |
3604 | |
3605 | void basictest(int kind, BOOL isdir, const SID *owner, const SID *group) |
3606 | { |
3607 | char *attr; |
3608 | mode_t perm; |
3609 | mode_t gotback; |
3610 | u32 count; |
3611 | u32 acecount; |
3612 | u32 globhash; |
3613 | const SECURITY_DESCRIPTOR_RELATIVE *phead; |
3614 | const ACL *pacl; |
3615 | enum { ERRNO, |
3616 | ERRMA, ERRPA, /* error converting mode or Posix ACL to NTFS */ |
3617 | ERRAM, ERRAP, /* error converting NTFS to mode or Posix ACL */ |
3618 | } err; |
3619 | u32 expectcnt[] = { |
3620 | 27800, 31896, |
3621 | 24064, 28160, |
3622 | 24064, 28160, |
3623 | 24064, 28160, |
3624 | 25416, 29512 |
3625 | } ; |
3626 | u32 expecthash[] = { |
3627 | 0x8f80865b, 0x7bc7960, |
3628 | 0x8fd9ecfe, 0xddd4db0, |
3629 | 0xa8b07400, 0xa189c20, |
3630 | 0xc5689a00, 0xb6c09000, |
3631 | 0x94bfb419, 0xa4311791 |
3632 | } ; |
3633 | #if POSIXACLS |
3634 | struct POSIX_SECURITY *pxdesc; |
3635 | char *pxattr; |
3636 | u32 pxcount; |
3637 | u32 pxacecount; |
3638 | u32 pxglobhash; |
3639 | #endif |
3640 | |
3641 | count = 0; |
3642 | acecount = 0; |
3643 | globhash = 0; |
3644 | #if POSIXACLS |
3645 | pxcount = 0; |
3646 | pxacecount = 0; |
3647 | pxglobhash = 0; |
3648 | #endif |
3649 | for (perm=0; (perm<=07777) && (errors < 10); perm++) { |
3650 | err = ERRNO; |
3651 | /* file owned by plain user and group */ |
3652 | attr = ntfs_build_descr(perm,isdir,owner,(const SID*)group); |
3653 | if (attr && ntfs_valid_descr(attr, ntfs_attr_size(attr))) { |
3654 | phead = (const SECURITY_DESCRIPTOR_RELATIVE*)attr; |
3655 | pacl = (const ACL*)&attr[le32_to_cpu(phead->dacl)]; |
3656 | acecount += le16_to_cpu(pacl->ace_count); |
3657 | globhash += hash((const le32*)attr,ntfs_attr_size(attr)); |
3658 | count++; |
3659 | #if POSIXACLS |
3660 | /* |
3661 | * Build a NTFS ACL from a mode, and |
3662 | * decode to a Posix ACL, expecting to |
3663 | * get the original mode back. |
3664 | */ |
3665 | pxdesc = linux_permissions_posix(attr, isdir); |
3666 | if (!pxdesc || (pxdesc->mode != perm)) { |
3667 | err = ERRAP; |
3668 | if (pxdesc) |
3669 | gotback = pxdesc->mode; |
3670 | else |
3671 | gotback = 0; |
3672 | } else { |
3673 | /* |
3674 | * Build a NTFS ACL from the Posix ACL, expecting to |
3675 | * get exactly the same NTFS ACL, then decode to a |
3676 | * mode, expecting to get the original mode back. |
3677 | */ |
3678 | pxattr = ntfs_build_descr_posix(context.mapping, |
3679 | pxdesc,isdir,owner, |
3680 | (const SID*)group); |
3681 | if (pxattr && !memcmp(pxattr,attr, |
3682 | ntfs_attr_size(attr))) { |
3683 | phead = (const SECURITY_DESCRIPTOR_RELATIVE*)attr; |
3684 | pacl = (const ACL*)&attr[le32_to_cpu(phead->dacl)]; |
3685 | pxacecount += le16_to_cpu(pacl->ace_count); |
3686 | pxglobhash += hash((const le32*)attr,ntfs_attr_size(attr)); |
3687 | pxcount++; |
3688 | gotback = linux_permissions(pxattr, isdir); |
3689 | if (gotback != perm) |
3690 | err = ERRAM; |
3691 | else |
3692 | free(pxattr); |
3693 | } else |
3694 | err = ERRPA; |
3695 | free(attr); |
3696 | } |
3697 | free(pxdesc); |
3698 | #else |
3699 | gotback = linux_permissions(attr, isdir); |
3700 | if (gotback != perm) |
3701 | err = ERRAM; |
3702 | else |
3703 | free(attr); |
3704 | #endif /* POSIXACLS */ |
3705 | } else |
3706 | err = ERRMA; |
3707 | |
3708 | switch (err) { |
3709 | case ERRMA : |
3710 | printf("** no or wrong permission settings " |
3711 | "for kind %d perm %03o\n",kind,perm); |
3712 | if (attr && opt_v) |
3713 | hexdump(attr,ntfs_attr_size(attr),8); |
3714 | if (attr && (opt_v >= 2)) { |
3715 | showheader(attr,4); |
3716 | showusid(attr,4); |
3717 | showgsid(attr,4); |
3718 | showdacl(attr,isdir,4); |
3719 | showsacl(attr,isdir,4); |
3720 | } |
3721 | errors++; |
3722 | break; |
3723 | case ERRPA : |
3724 | printf("** no or wrong permission settings from PX " |
3725 | "for kind %d perm %03o\n",kind,perm); |
3726 | errors++; |
3727 | break; |
3728 | #if POSIXACLS |
3729 | case ERRAM : |
3730 | printf("** wrong permission settings, " |
3731 | "kind %d perm 0%03o, gotback %03o\n", |
3732 | kind, perm, gotback); |
3733 | if (opt_v) |
3734 | hexdump(pxattr,ntfs_attr_size(pxattr),8); |
3735 | if (opt_v >= 2) { |
3736 | showheader(pxattr,4); |
3737 | showusid(pxattr,4); |
3738 | showgsid(pxattr,4); |
3739 | showdacl(pxattr,isdir,4); |
3740 | showsacl(pxattr,isdir,4); |
3741 | } |
3742 | errors++; |
3743 | break; |
3744 | case ERRAP : |
3745 | /* continued */ |
3746 | #else |
3747 | case ERRAM : |
3748 | case ERRAP : |
3749 | #endif /* POSIXACLS */ |
3750 | printf("** wrong permission settings, " |
3751 | "kind %d perm 0%03o, gotback %03o\n", |
3752 | kind, perm, gotback); |
3753 | if (opt_v) |
3754 | hexdump(attr,ntfs_attr_size(attr),8); |
3755 | if (opt_v >= 2) { |
3756 | showheader(attr,4); |
3757 | showusid(attr,4); |
3758 | showgsid(attr,4); |
3759 | showdacl(attr,isdir,4); |
3760 | showsacl(attr,isdir,4); |
3761 | } |
3762 | errors++; |
3763 | free(attr); |
3764 | break; |
3765 | default : |
3766 | break; |
3767 | } |
3768 | } |
3769 | printf("%lu ACLs built from mode, %lu ACE built, mean count %lu.%02lu\n", |
3770 | (unsigned long)count,(unsigned long)acecount, |
3771 | (unsigned long)acecount/count,acecount*100L/count%100L); |
3772 | if (acecount != expectcnt[kind]) { |
3773 | printf("** Error : expected ACE count %lu\n", |
3774 | (unsigned long)expectcnt[kind]); |
3775 | errors++; |
3776 | } |
3777 | if (globhash != expecthash[kind]) { |
3778 | printf("** Error : wrong global hash 0x%lx instead of 0x%lx\n", |
3779 | (unsigned long)globhash, (unsigned long)expecthash[kind]); |
3780 | errors++; |
3781 | } |
3782 | #if POSIXACLS |
3783 | printf("%lu ACLs built from Posix ACLs, %lu ACE built, mean count %lu.%02lu\n", |
3784 | (unsigned long)pxcount,(unsigned long)pxacecount, |
3785 | (unsigned long)pxacecount/pxcount,pxacecount*100L/pxcount%100L); |
3786 | if (pxacecount != expectcnt[kind]) { |
3787 | printf("** Error : expected ACE count %lu\n", |
3788 | (unsigned long)expectcnt[kind]); |
3789 | errors++; |
3790 | } |
3791 | if (pxglobhash != expecthash[kind]) { |
3792 | printf("** Error : wrong global hash 0x%lx instead of 0x%lx\n", |
3793 | (unsigned long)pxglobhash, (unsigned long)expecthash[kind]); |
3794 | errors++; |
3795 | } |
3796 | #endif /* POSIXACLS */ |
3797 | } |
3798 | |
3799 | #if POSIXACLS |
3800 | |
3801 | /* |
3802 | * Check whether Posix ACL settings are interpreted |
3803 | * back exactly as set |
3804 | */ |
3805 | |
3806 | void posixtest(int kind, BOOL isdir, |
3807 | const SID *owner, const SID *group) |
3808 | { |
3809 | struct POSIX_SECURITY *pxdesc; |
3810 | struct { |
3811 | struct POSIX_SECURITY pxdesc; |
3812 | struct POSIX_ACE aces[10]; |
3813 | } desc; |
3814 | int ownobj; |
3815 | int grpobj; |
3816 | int usr; |
3817 | int grp; |
3818 | int wrld; |
3819 | int mask; |
3820 | int mindes, maxdes; |
3821 | int minmsk, maxmsk; |
3822 | char *pxattr; |
3823 | u32 count; |
3824 | u32 acecount; |
3825 | u32 globhash; |
3826 | const SECURITY_DESCRIPTOR_RELATIVE *phead; |
3827 | const ACL *pacl; |
3828 | struct POSIX_SECURITY *gotback; |
3829 | enum { ERRNO, |
3830 | ERRMA, ERRPA, /* error converting mode or Posix ACL to NTFS */ |
3831 | ERRAM, ERRAP, /* error converting NTFS to mode or Posix ACL */ |
3832 | } err; |
3833 | u32 expectcnt[] = { |
3834 | #ifdef STSC |
3835 | 32400, 34992, |
3836 | 25920, 28512, |
3837 | 25920, 28512, |
3838 | 25920, 28512, |
3839 | 26460, 29052, |
3840 | 0, 0, |
3841 | 0, 0, |
3842 | 0, 0, |
3843 | 24516, 27108, |
3844 | 20736, 23328, |
3845 | 20736, 23328, |
3846 | 20736, 23328, |
3847 | 21060, 23652, |
3848 | #else |
3849 | 252720, 273456, |
3850 | 199584, 220320, |
3851 | 199584, 220320, |
3852 | 199584, 220320, |
3853 | 203904, 224640, |
3854 | 0, 0, |
3855 | 0, 0, |
3856 | 0, 0, |
3857 | 196452, 217188, |
3858 | 165888, 186624, |
3859 | 165888, 186624, |
3860 | 165888, 186624, |
3861 | 168480, 189216, |
3862 | #endif |
3863 | 0, 0, |
3864 | 0, 0, |
3865 | 0, 0, |
3866 | 16368, 18672, |
3867 | 0, 0, |
3868 | 13824, 0, |
3869 | 0, 0, |
3870 | 14640, 0 |
3871 | } ; |
3872 | u32 expecthash[] = { |
3873 | #ifdef STSC |
3874 | 0xf9f82115, 0x40666647, |
3875 | 0xde826d30, 0xa181b660, |
3876 | 0x952d4500, 0x8ac49450, |
3877 | 0xf80acee0, 0xbd9ec6c0, |
3878 | 0xfe09b868, 0xde24e84d, |
3879 | 0, 0, |
3880 | 0, 0, |
3881 | 0, 0, |
3882 | 0x2381438d, 0x3ab42dc6, |
3883 | 0x7cccf6f8, 0x108ad430, |
3884 | 0x5e448840, 0x83ab6c40, |
3885 | 0x9b037100, 0x8f7c3b40, |
3886 | 0x04a359dc, 0xa4619609, |
3887 | #else |
3888 | 0x1808a6cd, 0xd82f7c60, |
3889 | 0x5ad29e85, 0x518c7620, |
3890 | 0x188ce270, 0x7e44e590, |
3891 | 0x48a64800, 0x5bdf0030, |
3892 | 0x1c64aec6, 0x8b0168fa, |
3893 | 0, 0, |
3894 | 0, 0, |
3895 | 0, 0, |
3896 | 0x169fb80e, 0x382d9a59, |
3897 | 0xf9c28164, 0x1855d352, |
3898 | 0xf9685700, 0x44d16700, |
3899 | 0x587ebe90, 0xf7c51480, |
3900 | 0x2cb1b518, 0x52408df6, |
3901 | #endif |
3902 | 0, 0, |
3903 | 0, 0, |
3904 | 0, 0, |
3905 | 0x905f2e38, 0xd40c22f0, |
3906 | 0, 0, |
3907 | 0xdd76da00, 0, |
3908 | 0, 0, |
3909 | 0x718e34a0, 0 |
3910 | }; |
3911 | |
3912 | count = 0; |
3913 | acecount = 0; |
3914 | globhash = 0; |
3915 | /* fill headers */ |
3916 | pxdesc = &desc.pxdesc; |
3917 | pxdesc->mode = 0; |
3918 | pxdesc->defcnt = 0; |
3919 | if (kind & 32) { |
3920 | pxdesc->acccnt = 4; |
3921 | pxdesc->firstdef = 4; |
3922 | pxdesc->tagsset = 0x35; |
3923 | } else { |
3924 | pxdesc->acccnt = 6;; |
3925 | pxdesc->firstdef = 6; |
3926 | pxdesc->tagsset = 0x3f; |
3927 | } |
3928 | pxdesc->acl.version = POSIX_VERSION; |
3929 | pxdesc->acl.flags = 0; |
3930 | pxdesc->acl.filler = 0; |
3931 | /* prefill aces */ |
3932 | pxdesc->acl.ace[0].tag = POSIX_ACL_USER_OBJ; |
3933 | pxdesc->acl.ace[0].id = -1; |
3934 | if (kind & 32) { |
3935 | pxdesc->acl.ace[1].tag = POSIX_ACL_GROUP_OBJ; |
3936 | pxdesc->acl.ace[1].id = -1; |
3937 | pxdesc->acl.ace[2].tag = POSIX_ACL_MASK; |
3938 | pxdesc->acl.ace[2].id = -1; |
3939 | pxdesc->acl.ace[3].tag = POSIX_ACL_OTHER; |
3940 | pxdesc->acl.ace[3].id = -1; |
3941 | } else { |
3942 | pxdesc->acl.ace[1].tag = POSIX_ACL_USER; |
3943 | pxdesc->acl.ace[1].id = (kind & 16 ? 0 : 1000); |
3944 | pxdesc->acl.ace[2].tag = POSIX_ACL_GROUP_OBJ; |
3945 | pxdesc->acl.ace[2].id = -1; |
3946 | pxdesc->acl.ace[3].tag = POSIX_ACL_GROUP; |
3947 | pxdesc->acl.ace[3].id = (kind & 16 ? 0 : 1002); |
3948 | pxdesc->acl.ace[4].tag = POSIX_ACL_MASK; |
3949 | pxdesc->acl.ace[4].id = -1; |
3950 | pxdesc->acl.ace[5].tag = POSIX_ACL_OTHER; |
3951 | pxdesc->acl.ace[5].id = -1; |
3952 | } |
3953 | |
3954 | mindes = 3; |
3955 | maxdes = (kind & 32 ? mindes : 6); |
3956 | #ifdef STSC |
3957 | minmsk = (kind & 32 ? 0 : 3); |
3958 | maxmsk = (kind & 32 ? 7 : 3); |
3959 | #else |
3960 | minmsk = 0; |
3961 | maxmsk = 7; |
3962 | #endif |
3963 | for (mask=minmsk; mask<=maxmsk; mask++) |
3964 | for (ownobj=1; ownobj<7; ownobj++) |
3965 | for (grpobj=1; grpobj<7; grpobj++) |
3966 | for (wrld=0; wrld<8; wrld++) |
3967 | for (usr=mindes; usr<=maxdes; usr++) |
3968 | if (usr != 4) |
3969 | for (grp=mindes; grp<=maxdes; grp++) |
3970 | if (grp != 4) { |
3971 | pxdesc->mode = (ownobj << 6) | (mask << 3) | wrld; |
3972 | |
3973 | pxdesc->acl.ace[0].perms = ownobj; |
3974 | if (kind & 32) { |
3975 | pxdesc->acl.ace[1].perms = grpobj; |
3976 | pxdesc->acl.ace[2].perms = mask; |
3977 | pxdesc->acl.ace[3].perms = wrld; |
3978 | } else { |
3979 | pxdesc->acl.ace[1].perms = usr; |
3980 | pxdesc->acl.ace[2].perms = grpobj; |
3981 | pxdesc->acl.ace[3].perms = grp; |
3982 | pxdesc->acl.ace[4].perms = mask; |
3983 | pxdesc->acl.ace[5].perms = wrld; |
3984 | } |
3985 | |
3986 | err = ERRNO; |
3987 | gotback = (struct POSIX_SECURITY*)NULL; |
3988 | pxattr = ntfs_build_descr_posix(context.mapping, |
3989 | pxdesc,isdir,owner,group); |
3990 | if (pxattr && ntfs_valid_descr(pxattr, ntfs_attr_size(pxattr))) { |
3991 | phead = (const SECURITY_DESCRIPTOR_RELATIVE*)pxattr; |
3992 | pacl = (const ACL*)&pxattr[le32_to_cpu(phead->dacl)]; |
3993 | acecount += le16_to_cpu(pacl->ace_count); |
3994 | globhash += hash((const le32*)pxattr,ntfs_attr_size(pxattr)); |
3995 | count++; |
3996 | gotback = linux_permissions_posix(pxattr, isdir); |
3997 | if (gotback) { |
3998 | if (ntfs_valid_posix(gotback)) { |
3999 | if (!same_posix(pxdesc,gotback)) { |
4000 | printf("Non matching got back Posix ACL\n"); |
4001 | printf("input ACL\n"); |
4002 | showposix(pxdesc); |
4003 | printf("NTFS owner\n"); |
4004 | showusid(pxattr,4); |
4005 | printf("NTFS group\n"); |
4006 | showgsid(pxattr,4); |
4007 | printf("NTFS DACL\n"); |
4008 | showdacl(pxattr,isdir,4); |
4009 | printf("gotback ACL\n"); |
4010 | showposix(gotback); |
4011 | errors++; |
4012 | exit(1); |
4013 | } |
4014 | } else { |
4015 | printf("Got back an invalid Posix ACL\n"); |
4016 | errors++; |
4017 | } |
4018 | free(gotback); |
4019 | } else { |
4020 | printf("Could not get Posix ACL back\n"); |
4021 | errors++; |
4022 | } |
4023 | |
4024 | } else { |
4025 | printf("NTFS ACL incorrect or not build\n"); |
4026 | printf("input ACL\n"); |
4027 | showposix(pxdesc); |
4028 | printf("NTFS DACL\n"); |
4029 | if (pxattr) |
4030 | showdacl(pxattr,isdir,4); |
4031 | else |
4032 | printf(" (none)\n"); |
4033 | if (gotback) { |
4034 | printf("gotback ACL\n"); |
4035 | showposix(gotback); |
4036 | } else |
4037 | printf("no gotback ACL\n"); |
4038 | errors++; |
4039 | } |
4040 | if (pxattr) |
4041 | free(pxattr); |
4042 | } |
4043 | printf("%lu ACLs built from Posix ACLs, %lu ACE built, mean count %lu.%02lu\n", |
4044 | (unsigned long)count,(unsigned long)acecount, |
4045 | (unsigned long)acecount/count,acecount*100L/count%100L); |
4046 | if (acecount != expectcnt[kind]) { |
4047 | printf("** Error ! expected ACE count %lu\n", |
4048 | (unsigned long)expectcnt[kind]); |
4049 | errors++; |
4050 | } |
4051 | if (globhash != expecthash[kind]) { |
4052 | printf("** Error : wrong global hash 0x%lx instead of 0x%lx\n", |
4053 | (unsigned long)globhash, (unsigned long)expecthash[kind]); |
4054 | errors++; |
4055 | } |
4056 | } |
4057 | |
4058 | #endif /* POSIXACLS */ |
4059 | |
4060 | void selftests(void) |
4061 | { |
4062 | le32 owner_sid[] = /* S-1-5-21-3141592653-589793238-462843383-1016 */ |
4063 | { |
4064 | cpu_to_le32(0x501), cpu_to_le32(0x05000000), cpu_to_le32(21), |
4065 | cpu_to_le32(DEFSECAUTH1), cpu_to_le32(DEFSECAUTH2), |
4066 | cpu_to_le32(DEFSECAUTH3), cpu_to_le32(1016) |
4067 | } ; |
4068 | le32 group_sid[] = /* S-1-5-21-3141592653-589793238-462843383-513 */ |
4069 | { |
4070 | cpu_to_le32(0x501), cpu_to_le32(0x05000000), cpu_to_le32(21), |
4071 | cpu_to_le32(DEFSECAUTH1), cpu_to_le32(DEFSECAUTH2), |
4072 | cpu_to_le32(DEFSECAUTH3), cpu_to_le32(513) |
4073 | } ; |
4074 | #if POSIXACLS |
4075 | #ifdef STSC |
4076 | unsigned char kindlist[] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, |
4077 | 16, 17, 18, 20, 22, 24, |
4078 | 32, 33, 36, 40 } ; |
4079 | #else |
4080 | unsigned char kindlist[] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, |
4081 | 16, 17, 18, 20, 22, 24, 19, 21, 23, 25, |
4082 | 32, 33, 36, 40 } ; |
4083 | #endif |
4084 | unsigned int k; |
4085 | #endif /* POSIXACLS */ |
4086 | int kind; |
4087 | const SID *owner; |
4088 | const SID *group; |
4089 | BOOL isdir; |
4090 | |
4091 | #if POSIXACLS |
4092 | local_build_mapping(context.mapping, (const char*)NULL); |
4093 | #endif |
4094 | /* first check samples */ |
4095 | mappingtype = MAPDUMMY; |
4096 | check_samples(); |
4097 | if (errors) exit(1); |
4098 | /* |
4099 | * kind is oring of : |
4100 | * 1 : directory |
4101 | * 2 : owner is root |
4102 | * 4 : group is root |
4103 | * 8 : group is owner |
4104 | * 16 : root is designated user/group |
4105 | * 32 : mask present with no designated user/group |
4106 | */ |
4107 | for (kind=0; (kind<10) && (errors<10); kind++) { |
4108 | isdir = kind & 1; |
4109 | if (kind & 8) |
4110 | owner = (const SID*)group_sid; |
4111 | else |
4112 | owner = (kind & 2 ? adminsid : (const SID*)owner_sid); |
4113 | group = (kind & 4 ? adminsid : (const SID*)group_sid); |
4114 | basictest(kind, isdir, owner, group); |
4115 | } |
4116 | #if POSIXACLS |
4117 | for (k=0; (k<sizeof(kindlist)) && (errors<10); k++) { |
4118 | kind = kindlist[k]; |
4119 | isdir = kind & 1; |
4120 | if (kind & 8) |
4121 | owner = (const SID*)group_sid; |
4122 | else |
4123 | owner = (kind & 2 ? adminsid : (const SID*)owner_sid); |
4124 | group = (kind & 4 ? adminsid : (const SID*)group_sid); |
4125 | posixtest(kind, isdir, owner, group); |
4126 | } |
4127 | ntfs_free_mapping(context.mapping); |
4128 | #endif |
4129 | if (errors >= 10) |
4130 | printf("** too many errors, test aborted\n"); |
4131 | } |
4132 | #endif /* SELFTESTS & !USESTUBS */ |
4133 | |
4134 | #ifdef WIN32 |
4135 | |
4136 | /* |
4137 | * Get the security descriptor of a file (Windows version) |
4138 | */ |
4139 | |
4140 | unsigned int getfull(char *attr, const char *fullname) |
4141 | { |
4142 | static char part[MAXATTRSZ]; |
4143 | BIGSID ownsid; |
4144 | int xowner; |
4145 | int ownersz; |
4146 | u16 ownerfl; |
4147 | ULONG attrsz; |
4148 | ULONG partsz; |
4149 | BOOL overflow; |
4150 | HANDLE htoken; |
4151 | TOKEN_PRIVILEGES tkp; |
4152 | BOOL saclsuccess; |
4153 | |
4154 | attrsz = 0; |
4155 | partsz = 0; |
4156 | overflow = FALSE; |
4157 | if (GetFileSecurityW((LPCWSTR)fullname,OWNER_SECURITY_INFORMATION, |
4158 | (char*)part,MAXATTRSZ,&partsz)) { |
4159 | xowner = get4l(part,4); |
4160 | if (xowner) { |
4161 | ownerfl = get2l(part,2); |
4162 | ownersz = ntfs_sid_size((SID*)&part[xowner]); |
4163 | if (ownersz <= (int)sizeof(BIGSID)) |
4164 | memcpy(ownsid,&part[xowner],ownersz); |
4165 | else |
4166 | overflow = TRUE; |
4167 | } else { |
4168 | ownerfl = 0; |
4169 | ownersz = 0; |
4170 | } |
4171 | /* |
4172 | * SACL : just feed in or clean |
4173 | * This requires the SE_SECURITY_NAME privilege |
4174 | */ |
4175 | saclsuccess = FALSE; |
4176 | if (OpenProcessToken(GetCurrentProcess(), |
4177 | TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &htoken)) { |
4178 | if (LookupPrivilegeValue(NULL, SE_SECURITY_NAME, |
4179 | &tkp.Privileges[0].Luid)) { |
4180 | tkp.PrivilegeCount = 1; |
4181 | tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; |
4182 | if (AdjustTokenPrivileges(htoken, FALSE, &tkp, 0, NULL, 0)) { |
4183 | if (GetFileSecurityW((LPCWSTR)fullname, |
4184 | SACL_SECURITY_INFORMATION, |
4185 | (char*)attr,MAXATTRSZ,&attrsz)) { |
4186 | saclsuccess = TRUE; |
4187 | } |
4188 | tkp.Privileges[0].Attributes = 0; |
4189 | AdjustTokenPrivileges(htoken, FALSE, &tkp, 0, NULL, 0); |
4190 | } |
4191 | } |
4192 | } |
4193 | if (!saclsuccess) { |
4194 | attrsz = 20; |
4195 | set4l(attr,0); |
4196 | attr[0] = SECURITY_DESCRIPTOR_REVISION; |
4197 | set4l(&attr[12],0); |
4198 | if (opt_v >= 2) |
4199 | printf(" No SACL\n"); |
4200 | } |
4201 | /* |
4202 | * append DACL and merge its flags |
4203 | */ |
4204 | partsz = 0; |
4205 | set4l(&attr[16],0); |
4206 | if (GetFileSecurityW((LPCWSTR)fullname,DACL_SECURITY_INFORMATION, |
4207 | (char*)part,MAXATTRSZ,&partsz)) { |
4208 | if ((attrsz + partsz - 20) <= MAXATTRSZ) { |
4209 | memcpy(&attr[attrsz],&part[20],partsz-20); |
4210 | set4l(&attr[16],(partsz > 20 ? attrsz : 0)); |
4211 | set2l(&attr[2],get2l(attr,2) | (get2l(part,2) |
4212 | & const_le16_to_cpu(SE_DACL_PROTECTED |
4213 | | SE_DACL_AUTO_INHERITED |
4214 | | SE_DACL_PRESENT))); |
4215 | attrsz += partsz - 20; |
4216 | } else |
4217 | overflow = TRUE; |
4218 | } else |
4219 | if (partsz > MAXATTRSZ) |
4220 | overflow = TRUE; |
4221 | else { |
4222 | if (opt_b) |
4223 | printf("# No discretionary access control list\n"); |
4224 | else |
4225 | printf(" No discretionary access control list\n"); |
4226 | warnings++; |
4227 | } |
4228 | |
4229 | /* |
4230 | * append owner and merge its flag |
4231 | */ |
4232 | if (xowner && !overflow) { |
4233 | memcpy(&attr[attrsz],ownsid,ownersz); |
4234 | set4l(&attr[4],attrsz); |
4235 | set2l(&attr[2],get2l(attr,2) |
4236 | | (ownerfl & const_le16_to_cpu(SE_OWNER_DEFAULTED))); |
4237 | attrsz += ownersz; |
4238 | } else |
4239 | set4l(&attr[4],0); |
4240 | /* |
4241 | * append group |
4242 | */ |
4243 | partsz = 0; |
4244 | set4l(&attr[8],0); |
4245 | if (GetFileSecurityW((LPCWSTR)fullname,GROUP_SECURITY_INFORMATION, |
4246 | (char*)part,MAXATTRSZ,&partsz)) { |
4247 | if ((attrsz + partsz - 20) <= MAXATTRSZ) { |
4248 | memcpy(&attr[attrsz],&part[20],partsz-20); |
4249 | set4l(&attr[8],(partsz > 20 ? attrsz : 0)); |
4250 | set2l(&attr[2],get2l(attr,2) | (get2l(part,2) |
4251 | & const_le16_to_cpu(SE_GROUP_DEFAULTED))); |
4252 | attrsz += partsz - 20; |
4253 | } else |
4254 | overflow = TRUE; |
4255 | } else |
4256 | if (partsz > MAXATTRSZ) |
4257 | overflow = TRUE; |
4258 | else { |
4259 | printf("** No group SID\n"); |
4260 | warnings++; |
4261 | } |
4262 | set2l(&attr[2],get2l(attr,2) |
4263 | | const_le16_to_cpu(SE_SELF_RELATIVE)); |
4264 | if (overflow) { |
4265 | printf("** Descriptor was too long (> %d)\n",MAXATTRSZ); |
4266 | warnings++; |
4267 | attrsz = 0; |
4268 | } else |
4269 | if (!ntfs_valid_descr((char*)attr,attrsz)) { |
4270 | printf("** Descriptor for "); |
4271 | printname(stdout,fullname); |
4272 | printf(" is not valid\n"); |
4273 | errors++; |
4274 | attrsz = 0; |
4275 | } |
4276 | |
4277 | } else { |
4278 | printf("** Could not get owner of "); |
4279 | printname(stdout,fullname); |
4280 | printf(", partsz %d\n",partsz); |
4281 | printerror(stdout); |
4282 | warnings++; |
4283 | attrsz = 0; |
4284 | } |
4285 | return (attrsz); |
4286 | } |
4287 | |
4288 | /* |
4289 | * Update a security descriptor (Windows version) |
4290 | */ |
4291 | |
4292 | BOOL updatefull(const char *name, DWORD flags, char *attr) |
4293 | { |
4294 | BOOL bad; |
4295 | |
4296 | bad = !SetFileSecurityW((LPCWSTR)name, flags, attr); |
4297 | if (bad |
4298 | && (flags & OWNER_SECURITY_INFORMATION) |
4299 | && (GetLastError() == 1307)) { |
4300 | printf("** Could not set owner of "); |
4301 | printname(stdout,name); |
4302 | printf(", retrying with no owner setting\n"); |
4303 | warnings++; |
4304 | bad = !SetFileSecurityW((LPCWSTR)name, |
4305 | flags & ~OWNER_SECURITY_INFORMATION, (char*)attr); |
4306 | } |
4307 | if (bad) { |
4308 | printf("** Could not change attributes of "); |
4309 | printname(stdout,name); |
4310 | printf("\n"); |
4311 | printerror(stdout); |
4312 | errors++; |
4313 | } |
4314 | return (!bad); |
4315 | } |
4316 | |
4317 | #else |
4318 | |
4319 | /* |
4320 | * Get the security descriptor of a file (Linux version) |
4321 | */ |
4322 | |
4323 | unsigned int getfull(char *attr, const char *fullname) |
4324 | { |
4325 | static char part[MAXATTRSZ]; |
4326 | BIGSID ownsid; |
4327 | int xowner; |
4328 | int ownersz; |
4329 | u16 ownerfl; |
4330 | u32 attrsz; |
4331 | u32 partsz; |
4332 | BOOL overflow; |
4333 | |
4334 | attrsz = 0; |
4335 | partsz = 0; |
4336 | overflow = FALSE; |
4337 | if (ntfs_get_file_security(ntfs_context,fullname, |
4338 | OWNER_SECURITY_INFORMATION, |
4339 | (char*)part,MAXATTRSZ,&partsz)) { |
4340 | xowner = get4l(part,4); |
4341 | if (xowner) { |
4342 | ownerfl = get2l(part,2); |
4343 | ownersz = ntfs_sid_size((SID*)&part[xowner]); |
4344 | if (ownersz <= (int)sizeof(BIGSID)) |
4345 | memcpy(ownsid,&part[xowner],ownersz); |
4346 | else |
4347 | overflow = TRUE; |
4348 | } else { |
4349 | ownerfl = 0; |
4350 | ownersz = 0; |
4351 | } |
4352 | /* |
4353 | * SACL : just feed in or clean |
4354 | */ |
4355 | if (!ntfs_get_file_security(ntfs_context,fullname, |
4356 | SACL_SECURITY_INFORMATION, |
4357 | (char*)attr,MAXATTRSZ,&attrsz)) { |
4358 | attrsz = 20; |
4359 | set4l(attr,0); |
4360 | attr[0] = SECURITY_DESCRIPTOR_REVISION; |
4361 | set4l(&attr[12],0); |
4362 | if (opt_v >= 2) |
4363 | printf(" No SACL\n"); |
4364 | } |
4365 | /* |
4366 | * append DACL and merge its flags |
4367 | */ |
4368 | partsz = 0; |
4369 | set4l(&attr[16],0); |
4370 | if (ntfs_get_file_security(ntfs_context,fullname, |
4371 | DACL_SECURITY_INFORMATION, |
4372 | (char*)part,MAXATTRSZ,&partsz)) { |
4373 | if ((attrsz + partsz - 20) <= MAXATTRSZ) { |
4374 | memcpy(&attr[attrsz],&part[20],partsz-20); |
4375 | set4l(&attr[16],(partsz > 20 ? attrsz : 0)); |
4376 | set2l(&attr[2],get2l(attr,2) | (get2l(part,2) |
4377 | & const_le16_to_cpu(SE_DACL_PROTECTED |
4378 | | SE_DACL_AUTO_INHERITED |
4379 | | SE_DACL_PRESENT))); |
4380 | attrsz += partsz - 20; |
4381 | } else |
4382 | overflow = TRUE; |
4383 | } else |
4384 | if (partsz > MAXATTRSZ) |
4385 | overflow = TRUE; |
4386 | else { |
4387 | if (opt_b) |
4388 | printf("# No discretionary access control list\n"); |
4389 | else |
4390 | printf(" No discretionary access control list\n"); |
4391 | warnings++; |
4392 | } |
4393 | |
4394 | /* |
4395 | * append owner and merge its flag |
4396 | */ |
4397 | if (xowner && !overflow) { |
4398 | memcpy(&attr[attrsz],ownsid,ownersz); |
4399 | set4l(&attr[4],attrsz); |
4400 | set2l(&attr[2],get2l(attr,2) |
4401 | | (ownerfl & const_le16_to_cpu(SE_OWNER_DEFAULTED))); |
4402 | attrsz += ownersz; |
4403 | } else |
4404 | set4l(&attr[4],0); |
4405 | /* |
4406 | * append group |
4407 | */ |
4408 | partsz = 0; |
4409 | set4l(&attr[8],0); |
4410 | if (ntfs_get_file_security(ntfs_context,fullname, |
4411 | GROUP_SECURITY_INFORMATION, |
4412 | (char*)part,MAXATTRSZ,&partsz)) { |
4413 | if ((attrsz + partsz - 20) <= MAXATTRSZ) { |
4414 | memcpy(&attr[attrsz],&part[20],partsz-20); |
4415 | set4l(&attr[8],(partsz > 20 ? attrsz : 0)); |
4416 | set2l(&attr[2],get2l(attr,2) | (get2l(part,2) |
4417 | & const_le16_to_cpu(SE_GROUP_DEFAULTED))); |
4418 | attrsz += partsz - 20; |
4419 | } else |
4420 | overflow = TRUE; |
4421 | } else |
4422 | if (partsz > MAXATTRSZ) |
4423 | overflow = TRUE; |
4424 | else { |
4425 | printf("** No group SID\n"); |
4426 | warnings++; |
4427 | } |
4428 | if (overflow) { |
4429 | printf("** Descriptor was too long (> %d)\n",MAXATTRSZ); |
4430 | warnings++; |
4431 | attrsz = 0; |
4432 | } else |
4433 | if (!ntfs_valid_descr((char*)attr,attrsz)) { |
4434 | printf("** Descriptor for %s is not valid\n",fullname); |
4435 | errors++; |
4436 | attrsz = 0; |
4437 | } |
4438 | |
4439 | } else { |
4440 | printf("** Could not get owner of %s\n",fullname); |
4441 | warnings++; |
4442 | attrsz = 0; |
4443 | } |
4444 | return (attrsz); |
4445 | } |
4446 | |
4447 | /* |
4448 | * Update a security descriptor (Linux version) |
4449 | */ |
4450 | |
4451 | BOOL updatefull(const char *name, DWORD flags, char *attr) |
4452 | { |
4453 | BOOL ok; |
4454 | |
4455 | ok = !ntfs_set_file_security(ntfs_context, name, flags, attr); |
4456 | if (ok) { |
4457 | printf("** Could not change attributes of %s\n",name); |
4458 | printerror(stdout); |
4459 | errors++; |
4460 | } |
4461 | return (ok); |
4462 | } |
4463 | |
4464 | |
4465 | #endif |
4466 | |
4467 | #if POSIXACLS |
4468 | |
4469 | /* |
4470 | * Set all the parameters associated to a file |
4471 | */ |
4472 | |
4473 | BOOL setfull_posix(const char *fullname, const struct POSIX_SECURITY *pxdesc, |
4474 | BOOL isdir) |
4475 | { |
4476 | static char attr[MAXATTRSZ]; |
4477 | struct POSIX_SECURITY *oldpxdesc; |
4478 | struct POSIX_SECURITY *newpxdesc; |
4479 | const SECURITY_DESCRIPTOR_RELATIVE *phead; |
4480 | char *newattr; |
4481 | int err; |
4482 | unsigned int attrsz; |
4483 | int newattrsz; |
4484 | const SID *usid; |
4485 | const SID *gsid; |
4486 | #if OWNERFROMACL |
4487 | const SID *osid; |
4488 | #endif |
4489 | |
4490 | printf("%s ",(isdir ? "Directory" : "File")); |
4491 | printname(stdout,fullname); |
4492 | if (pxdesc->acccnt) |
4493 | printf("\n"); |
4494 | else |
4495 | printf(" mode 0%03o\n",pxdesc->mode); |
4496 | |
4497 | err = FALSE; |
4498 | attrsz = getfull(attr, fullname); |
4499 | if (attrsz) { |
4500 | oldpxdesc = linux_permissions_posix(attr, isdir); |
4501 | if (opt_v >= 2) { |
4502 | printf("Posix equivalent of old ACL :\n"); |
4503 | showposix(oldpxdesc); |
4504 | } |
4505 | if (oldpxdesc) { |
4506 | if (!pxdesc->defcnt |
4507 | && !(pxdesc->tagsset & |
4508 | (POSIX_ACL_USER | POSIX_ACL_GROUP | POSIX_ACL_MASK))) { |
4509 | if (!ntfs_merge_mode_posix(oldpxdesc,pxdesc->mode)) |
4510 | newpxdesc = oldpxdesc; |
4511 | else { |
4512 | newpxdesc = (struct POSIX_SECURITY*)NULL; |
4513 | free(oldpxdesc); |
4514 | } |
4515 | } else { |
4516 | newpxdesc = ntfs_merge_descr_posix(pxdesc, oldpxdesc); |
4517 | free(oldpxdesc); |
4518 | } |
4519 | if (opt_v) { |
4520 | printf("New Posix ACL :\n"); |
4521 | showposix(newpxdesc); |
4522 | } |
4523 | } else |
4524 | newpxdesc = (struct POSIX_SECURITY*)NULL; |
4525 | if (newpxdesc) { |
4526 | phead = (const SECURITY_DESCRIPTOR_RELATIVE*)attr; |
4527 | gsid = (const SID*)&attr[le32_to_cpu(phead->group)]; |
4528 | #if OWNERFROMACL |
4529 | osid = (const SID*)&attr[le32_to_cpu(phead->owner)]; |
4530 | usid = ntfs_acl_owner((const char*)attr); |
4531 | if (!ntfs_same_sid(usid,osid)) |
4532 | printf("== Windows owner might change\n"); |
4533 | #else |
4534 | usid = (const SID*)&attr[le32_to_cpu(phead->owner)]; |
4535 | #endif |
4536 | newattr = ntfs_build_descr_posix(context.mapping, |
4537 | newpxdesc,isdir,usid,gsid); |
4538 | free(newpxdesc); |
4539 | } else |
4540 | newattr = (char*)NULL; |
4541 | if (newattr) { |
4542 | newattrsz = ntfs_attr_size(newattr); |
4543 | if (opt_v) { |
4544 | printf("New NTFS security descriptor\n"); |
4545 | hexdump(newattr,newattrsz,4); |
4546 | } |
4547 | if (opt_v >= 2) { |
4548 | printf("Expected hash : 0x%08lx\n", |
4549 | (unsigned long)hash((le32*)newattr,ntfs_attr_size(newattr))); |
4550 | showheader(newattr,0); |
4551 | showusid(newattr,0); |
4552 | showgsid(newattr,0); |
4553 | showdacl(newattr,isdir,0); |
4554 | showsacl(newattr,isdir,0); |
4555 | } |
4556 | |
4557 | #ifdef WIN32 |
4558 | /* |
4559 | * avoid getting a set owner error on Windows |
4560 | * owner should not be changed anyway |
4561 | */ |
4562 | if (!updatefull(fullname, |
4563 | DACL_SECURITY_INFORMATION |
4564 | | GROUP_SECURITY_INFORMATION |
4565 | | OWNER_SECURITY_INFORMATION, |
4566 | newattr)) |
4567 | #else |
4568 | if (!updatefull(fullname, |
4569 | DACL_SECURITY_INFORMATION |
4570 | | GROUP_SECURITY_INFORMATION |
4571 | | OWNER_SECURITY_INFORMATION, |
4572 | newattr)) |
4573 | #endif |
4574 | err = TRUE; |
4575 | /* |
4576 | { |
4577 | struct POSIX_SECURITY *interp; |
4578 | printf("Reinterpreted new Posix :\n"); |
4579 | interp = linux_permissions_posix(newattr,isdir); |
4580 | showposix(interp); |
4581 | free(interp); |
4582 | } |
4583 | */ |
4584 | free(newattr); |
4585 | } else |
4586 | err = TRUE; |
4587 | } else |
4588 | err = TRUE; |
4589 | return (!err); |
4590 | } |
4591 | |
4592 | #endif |
4593 | |
4594 | BOOL setfull(const char *fullname, int mode, BOOL isdir) |
4595 | { |
4596 | static char attr[MAXATTRSZ]; |
4597 | const SECURITY_DESCRIPTOR_RELATIVE *phead; |
4598 | char *newattr; |
4599 | int err; |
4600 | unsigned int attrsz; |
4601 | int newattrsz; |
4602 | const SID *usid; |
4603 | const SID *gsid; |
4604 | #if OWNERFROMACL |
4605 | const SID *osid; |
4606 | #endif |
4607 | |
4608 | printf("%s ",(isdir ? "Directory" : "File")); |
4609 | printname(stdout,fullname); |
4610 | printf(" mode 0%03o\n",mode); |
4611 | attrsz = getfull(attr, fullname); |
4612 | err = FALSE; |
4613 | if (attrsz) { |
4614 | phead = (const SECURITY_DESCRIPTOR_RELATIVE*)attr; |
4615 | gsid = (const SID*)&attr[le32_to_cpu(phead->group)]; |
4616 | #if OWNERFROMACL |
4617 | osid = (const SID*)&attr[le32_to_cpu(phead->owner)]; |
4618 | usid = ntfs_acl_owner((const char*)attr); |
4619 | if (!ntfs_same_sid(usid,osid)) |
4620 | printf("== Windows owner might change\n"); |
4621 | #else |
4622 | usid = (const SID*)&attr[le32_to_cpu(phead->owner)]; |
4623 | #endif |
4624 | newattr = ntfs_build_descr(mode,isdir,usid,gsid); |
4625 | if (newattr) { |
4626 | newattrsz = ntfs_attr_size(newattr); |
4627 | if (opt_v) { |
4628 | printf("Security descriptor\n"); |
4629 | hexdump(newattr,newattrsz,4); |
4630 | } |
4631 | if (opt_v >= 2) { |
4632 | printf("Expected hash : 0x%08lx\n", |
4633 | (unsigned long)hash((le32*)newattr,ntfs_attr_size(newattr))); |
4634 | showheader(newattr,0); |
4635 | showusid(newattr,0); |
4636 | showgsid(newattr,0); |
4637 | showdacl(newattr,isdir,0); |
4638 | showsacl(newattr,isdir,0); |
4639 | } |
4640 | |
4641 | #ifdef WIN32 |
4642 | /* |
4643 | * avoid getting a set owner error on Windows |
4644 | * owner should not be changed anyway |
4645 | */ |
4646 | if (!updatefull(fullname, |
4647 | DACL_SECURITY_INFORMATION |
4648 | | GROUP_SECURITY_INFORMATION |
4649 | | OWNER_SECURITY_INFORMATION, |
4650 | newattr)) |
4651 | #else |
4652 | if (!updatefull(fullname, |
4653 | DACL_SECURITY_INFORMATION |
4654 | | GROUP_SECURITY_INFORMATION |
4655 | | OWNER_SECURITY_INFORMATION, |
4656 | newattr)) |
4657 | #endif |
4658 | err = TRUE; |
4659 | free(newattr); |
4660 | } |
4661 | |
4662 | } else |
4663 | err = TRUE; |
4664 | return (err); |
4665 | } |
4666 | |
4667 | BOOL proposal(const char *name, const char *attr) |
4668 | { |
4669 | char fullname[MAXFILENAME]; |
4670 | int uoff, goff; |
4671 | int i; |
4672 | u64 uauth, gauth; |
4673 | int ucnt, gcnt; |
4674 | int uid, gid; |
4675 | BOOL err; |
4676 | #ifdef WIN32 |
4677 | char driveletter; |
4678 | #else |
4679 | struct stat st; |
4680 | char *p,*q; |
4681 | #endif |
4682 | |
4683 | err = FALSE; |
4684 | #ifdef WIN32 |
4685 | uid = gid = 0; |
4686 | #else |
4687 | uid = getuid(); |
4688 | gid = getgid(); |
4689 | #endif |
4690 | uoff = get4l(attr,4); |
4691 | uauth = get6h(attr,uoff+2); |
4692 | ucnt = attr[uoff+1] & 255; |
4693 | goff = get4l(attr,8); |
4694 | gauth = get6h(attr,goff+2); |
4695 | gcnt = attr[goff+1] & 255; |
4696 | |
4697 | if ((ucnt == 5) && (gcnt == 5) |
4698 | && (uauth == 5) && (gauth == 5) |
4699 | && (get4l(attr,uoff+8) == 21) && (get4l(attr,goff+8) == 21)) { |
4700 | printf("# User mapping proposal :\n"); |
4701 | printf("# -------------------- cut here -------------------\n"); |
4702 | if (uid) |
4703 | printf("%d::",uid); |
4704 | else |
4705 | printf("user::"); |
4706 | printf("S-%d-%llu",attr[uoff] & 255,uauth); |
4707 | for (i=0; i<ucnt; i++) |
4708 | printf("-%lu",get4l(attr,uoff+8+4*i)); |
4709 | printf("\n"); |
4710 | if (gid) |
4711 | printf(":%d:",gid); |
4712 | else |
4713 | printf(":group:"); |
4714 | printf("S-%d-%llu",attr[goff] & 255,gauth); |
4715 | for (i=0; i<gcnt; i++) |
4716 | printf("-%lu",get4l(attr,goff+8+4*i)); |
4717 | printf("\n"); |
4718 | /* generic rule, based on group */ |
4719 | printf("::S-%d-%llu",attr[goff] & 255,gauth); |
4720 | for (i=0; i<gcnt-1; i++) |
4721 | printf("-%lu",get4l(attr,goff+8+4*i)); |
4722 | printf("-10000\n"); |
4723 | printf("# -------------------- cut here -------------------\n"); |
4724 | if (!uid || !gid) { |
4725 | printf("# Please replace \"user\" and \"group\" above by the uid\n"); |
4726 | printf("# and gid of the Linux owner and group of "); |
4727 | printname(stdout,name); |
4728 | printf(", then\n"); |
4729 | printf("# insert the modified lines into .NTFS-3G/Usermapping, with .NTFS-3G\n"); |
4730 | } else |
4731 | printf("# Insert the above lines into .NTFS-3G/Usermapping, with .NTFS-3G\n"); |
4732 | #ifdef WIN32 |
4733 | printf("# being a directory of the root of the NTFS file system.\n"); |
4734 | |
4735 | /* Get the drive letter to the file system */ |
4736 | driveletter = 0; |
4737 | if ((((name[0] >= 'a') && (name[0] <= 'z')) |
4738 | || ((name[0] >= 'A') && (name[0] <= 'Z'))) |
4739 | && (name[1] == ':')) |
4740 | driveletter = name[0]; |
4741 | else { |
4742 | if (GetCurrentDirectoryA(MAXFILENAME, fullname) |
4743 | && (fullname[1] == ':')) |
4744 | driveletter = fullname[0]; |
4745 | } |
4746 | if (driveletter) { |
4747 | printf("# Example : %c:\\.NTFS-3G\\UserMapping\n", |
4748 | driveletter); |
4749 | } |
4750 | #else |
4751 | printf("# being a hidden subdirectory of the root of the NTFS file system.\n"); |
4752 | |
4753 | /* Get the path to the root of the file system */ |
4754 | if (name[0] != '/') { |
4755 | p = getcwd(fullname,MAXFILENAME); |
4756 | if (p) { |
4757 | strcat(fullname,"/"); |
4758 | strcat(fullname,name); |
4759 | } |
4760 | } else { |
4761 | strcpy(fullname,name); |
4762 | p = fullname; |
4763 | } |
4764 | if (p) { |
4765 | /* go down the path to inode 5 (fails on symlinks) */ |
4766 | do { |
4767 | lstat(fullname,&st); |
4768 | q = strrchr(p,'/'); |
4769 | if (q && (st.st_ino != 5)) |
4770 | *q = 0; |
4771 | } while (strchr(p,'/') && (st.st_ino != 5)); |
4772 | } |
4773 | if (p && (st.st_ino == 5)) { |
4774 | printf("# Example : "); |
4775 | printname(stdout,p); |
4776 | printf("/.NTFS-3G/UserMapping\n"); |
4777 | } |
4778 | #endif |
4779 | } else { |
4780 | printf("** Not possible : "); |
4781 | printname(stdout,name); |
4782 | printf(" was not created by a Windows user\n"); |
4783 | err = TRUE; |
4784 | } |
4785 | return (err); |
4786 | } |
4787 | |
4788 | #ifdef WIN32 |
4789 | |
4790 | /* |
4791 | * Check whether a directory with reparse data is a junction |
4792 | * or a symbolic link |
4793 | */ |
4794 | |
4795 | BOOL islink(const char *filename) |
4796 | { |
4797 | WIN32_FIND_DATAW found; |
4798 | HANDLE search; |
4799 | BOOL link; |
4800 | |
4801 | link = FALSE; |
4802 | search = FindFirstFileW((LPCWSTR)filename, &found); |
4803 | if (search != INVALID_HANDLE_VALUE) { |
4804 | link = (found.dwReserved0 == IO_REPARSE_TAG_MOUNT_POINT) |
4805 | || (found.dwReserved0 == IO_REPARSE_TAG_SYMLINK); |
4806 | FindClose(search); |
4807 | } |
4808 | return (link); |
4809 | } |
4810 | |
4811 | #if POSIXACLS |
4812 | BOOL iterate(RECURSE call, const char *fullname, const struct POSIX_SECURITY *pxdesc) |
4813 | #else |
4814 | BOOL iterate(RECURSE call, const char *fullname, mode_t mode) |
4815 | #endif |
4816 | { |
4817 | WIN32_FIND_DATAW found; |
4818 | HANDLE search; |
4819 | BOOL err; |
4820 | unsigned int len; |
4821 | char *filter; |
4822 | char *inner; |
4823 | |
4824 | err = FALSE; |
4825 | filter = (char*)malloc(MAXFILENAME); |
4826 | inner = (char*)malloc(MAXFILENAME); |
4827 | if (filter && inner) { |
4828 | len = utf16len(fullname); |
4829 | memcpy(filter, fullname, 2*len); |
4830 | makeutf16(&filter[2*len],"\\*.*"); |
4831 | search = FindFirstFileW((LPCWSTR)filter, &found); |
4832 | if (search != INVALID_HANDLE_VALUE) { |
4833 | do { |
4834 | if (found.cFileName[0] != UNICODE('.')) { |
4835 | memcpy(inner, fullname, 2*len); |
4836 | inner[2*len] = '\\'; |
4837 | inner[2*len+1] = 0; |
4838 | memcpy(&inner[2*len+2],found.cFileName, |
4839 | 2*utf16len((char*)found.cFileName)+2); |
4840 | if (opt_v) |
4841 | if (opt_b) |
4842 | printf("#\n#\n"); |
4843 | else |
4844 | printf("\n\n"); |
4845 | switch (call) { |
4846 | case RECSHOW : |
4847 | if (recurseshow(inner)) |
4848 | err = TRUE; |
4849 | break; |
4850 | #if POSIXACLS |
4851 | case RECSETPOSIX : |
4852 | if (recurseset_posix(inner,pxdesc)) |
4853 | err = TRUE; |
4854 | break; |
4855 | #else |
4856 | case RECSET : |
4857 | if (recurseset(inner,mode)) |
4858 | err = TRUE; |
4859 | break; |
4860 | #endif |
4861 | default : |
4862 | err = TRUE; |
4863 | } |
4864 | } |
4865 | } while (FindNextFileW(search, &found)); |
4866 | FindClose(search); |
4867 | } |
4868 | free(filter); |
4869 | free(inner); |
4870 | } else { |
4871 | printf("** Cannot process deeper : not enough memory\n"); |
4872 | errors++; |
4873 | err = TRUE; |
4874 | } |
4875 | return (err); |
4876 | } |
4877 | |
4878 | |
4879 | |
4880 | /* |
4881 | * Display all the parameters associated to a file (Windows version) |
4882 | */ |
4883 | |
4884 | void showfull(const char *fullname, BOOL isdir) |
4885 | { |
4886 | static char attr[MAXATTRSZ]; |
4887 | #if POSIXACLS |
4888 | struct POSIX_SECURITY *pxdesc; |
4889 | #endif |
4890 | ULONG attrsz; |
4891 | int mode; |
4892 | uid_t uid; |
4893 | gid_t gid; |
4894 | int attrib; |
4895 | int level; |
4896 | |
4897 | printf("%s ",(isdir ? "Directory" : "File")); |
4898 | printname(stdout,fullname); |
4899 | printf("\n"); |
4900 | |
4901 | /* get individual parameters, as when trying to get them */ |
4902 | /* all, and one (typically SACL) is missing, we get none, */ |
4903 | /* and concatenate them, to be able to compute the hash code */ |
4904 | |
4905 | attrsz = getfull(attr, fullname); |
4906 | if (attrsz) { |
4907 | if (opt_v || opt_b) { |
4908 | hexdump(attr,attrsz,8); |
4909 | printf("Computed hash : 0x%08lx\n", |
4910 | (unsigned long)hash((le32*)attr,attrsz)); |
4911 | } |
4912 | if (opt_v && opt_b) { |
4913 | printf("# %s ",(isdir ? "Directory" : "File")); |
4914 | printname(stdout,fullname); |
4915 | printf(" hash 0x%lx\n", |
4916 | (unsigned long)hash((le32*)attr,attrsz)); |
4917 | } |
4918 | attrib = GetFileAttributesW((LPCWSTR)fullname); |
4919 | if (attrib == INVALID_FILE_ATTRIBUTES) { |
4920 | printf("** Could not get file attrib\n"); |
4921 | errors++; |
4922 | } else |
4923 | printf("Windows attrib : 0x%x\n",attrib); |
4924 | if (ntfs_valid_descr(attr,attrsz)) { |
4925 | #if POSIXACLS |
4926 | pxdesc = linux_permissions_posix(attr,isdir); |
4927 | if (pxdesc) |
4928 | mode = pxdesc->mode; |
4929 | else |
4930 | mode = 0; |
4931 | #else |
4932 | mode = linux_permissions(attr,isdir); |
4933 | #endif |
4934 | if (opt_v >= 2) { |
4935 | level = (opt_b ? 4 : 0); |
4936 | showheader(attr,level); |
4937 | showusid(attr,level); |
4938 | showgsid(attr,level); |
4939 | showdacl(attr,isdir,level); |
4940 | showsacl(attr,isdir,level); |
4941 | } |
4942 | uid = linux_owner(attr); |
4943 | gid = linux_group(attr); |
4944 | if (opt_b) { |
4945 | printf("# Interpreted Unix owner %d, group %d, mode 0%03o\n", |
4946 | (int)uid,(int)gid,mode); |
4947 | } else { |
4948 | printf("Interpreted Unix owner %d, group %d, mode 0%03o\n", |
4949 | (int)uid,(int)gid,mode); |
4950 | } |
4951 | #if POSIXACLS |
4952 | if (pxdesc) { |
4953 | if (!opt_b |
4954 | && (pxdesc->defcnt |
4955 | || (pxdesc->tagsset |
4956 | & (POSIX_ACL_USER |
4957 | | POSIX_ACL_GROUP |
4958 | | POSIX_ACL_MASK)))) |
4959 | showposix(pxdesc); |
4960 | free(pxdesc); |
4961 | } |
4962 | #endif |
4963 | } else |
4964 | if (opt_b) |
4965 | printf("# Descriptor fails sanity check\n"); |
4966 | else |
4967 | printf("Descriptor fails sanity check\n"); |
4968 | } |
4969 | } |
4970 | |
4971 | BOOL recurseshow(const char *fullname) |
4972 | { |
4973 | int attrib; |
4974 | int err; |
4975 | BOOL isdir; |
4976 | |
4977 | err = FALSE; |
4978 | attrib = GetFileAttributesW((LPCWSTR)fullname); |
4979 | if (attrib != INVALID_FILE_ATTRIBUTES) { |
4980 | isdir = (attrib & FILE_ATTRIBUTE_DIRECTORY) != 0; |
4981 | showfull(fullname,isdir); |
4982 | if (isdir |
4983 | && !((attrib & FILE_ATTRIBUTE_REPARSE_POINT) |
4984 | && islink(fullname))) { |
4985 | #if POSIXACLS |
4986 | err = iterate(RECSHOW, fullname, (struct POSIX_SECURITY*)NULL); |
4987 | #else |
4988 | err = iterate(RECSHOW, fullname, 0); |
4989 | #endif |
4990 | } |
4991 | } else { |
4992 | printf("** Could not access "); |
4993 | printname(stdout,fullname); |
4994 | printf("\n"); |
4995 | printerror(stdout); |
4996 | errors++; |
4997 | err = TRUE; |
4998 | } |
4999 | return (err); |
5000 | } |
5001 | |
5002 | |
5003 | BOOL singleshow(const char *fullname) |
5004 | { |
5005 | int attrib; |
5006 | int err; |
5007 | BOOL isdir; |
5008 | |
5009 | err = FALSE; |
5010 | attrib = GetFileAttributesW((LPCWSTR)fullname); |
5011 | if (attrib != INVALID_FILE_ATTRIBUTES) { |
5012 | isdir = (attrib & FILE_ATTRIBUTE_DIRECTORY) != 0; |
5013 | showfull(fullname,isdir); |
5014 | } else { |
5015 | printf("** Could not access "); |
5016 | printname(stdout,fullname); |
5017 | printf("\n"); |
5018 | printerror(stdout); |
5019 | errors++; |
5020 | err = TRUE; |
5021 | } |
5022 | return (err); |
5023 | } |
5024 | |
5025 | BOOL mapproposal(const char *fullname) |
5026 | { |
5027 | char attr[256]; |
5028 | ULONG attrsz; |
5029 | int attrib; |
5030 | int err; |
5031 | |
5032 | err = FALSE; |
5033 | attrsz = 0; |
5034 | attrib = GetFileAttributesW((LPCWSTR)fullname); |
5035 | if ((attrib != INVALID_FILE_ATTRIBUTES) |
5036 | && GetFileSecurityW((LPCWSTR)fullname, |
5037 | OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION, |
5038 | (char*)attr,256,&attrsz)) { |
5039 | err = proposal(fullname,attr); |
5040 | } else { |
5041 | printf("** Could not access "); |
5042 | printname(stdout,fullname); |
5043 | printf("\n"); |
5044 | printerror(stdout); |
5045 | err = TRUE; |
5046 | } |
5047 | return (err); |
5048 | } |
5049 | |
5050 | #if POSIXACLS |
5051 | |
5052 | BOOL recurseset_posix(const char *fullname, const struct POSIX_SECURITY *pxdesc) |
5053 | { |
5054 | int attrib; |
5055 | int err; |
5056 | BOOL isdir; |
5057 | |
5058 | err = FALSE; |
5059 | attrib = GetFileAttributesW((LPCWSTR)fullname); |
5060 | if (attrib != INVALID_FILE_ATTRIBUTES) { |
5061 | isdir = (attrib & FILE_ATTRIBUTE_DIRECTORY) != 0; |
5062 | err = !setfull_posix(fullname,pxdesc,isdir); |
5063 | if (err) { |
5064 | printf("** Failed to update "); |
5065 | printname(stdout,fullname); |
5066 | printf("\n"); |
5067 | errors++; |
5068 | } else |
5069 | if (isdir |
5070 | && !((attrib & FILE_ATTRIBUTE_REPARSE_POINT) |
5071 | && islink(fullname))) |
5072 | iterate(RECSETPOSIX, fullname, pxdesc); |
5073 | } else { |
5074 | err = GetLastError(); |
5075 | printf("** Could not access "); |
5076 | printname(stdout,fullname); |
5077 | printf("\n"); |
5078 | printerror(stdout); |
5079 | err = TRUE; |
5080 | errors++; |
5081 | } |
5082 | return (err); |
5083 | } |
5084 | |
5085 | #else |
5086 | |
5087 | BOOL recurseset(const char *fullname, int mode) |
5088 | { |
5089 | int attrib; |
5090 | int err; |
5091 | BOOL isdir; |
5092 | |
5093 | err = FALSE; |
5094 | attrib = GetFileAttributesW((LPCWSTR)fullname); |
5095 | if (attrib != INVALID_FILE_ATTRIBUTES) { |
5096 | isdir = (attrib & FILE_ATTRIBUTE_DIRECTORY) != 0; |
5097 | setfull(fullname,mode,isdir); |
5098 | if (isdir |
5099 | && !((attrib & FILE_ATTRIBUTE_REPARSE_POINT) |
5100 | && islink(fullname))) |
5101 | iterate(RECSETPOSIX, fullname, mode); |
5102 | } else { |
5103 | err = GetLastError(); |
5104 | printf("** Could not access "); |
5105 | printname(stdout,fullname); |
5106 | printf("\n"); |
5107 | printerror(stdout); |
5108 | err = TRUE; |
5109 | errors++; |
5110 | } |
5111 | return (err); |
5112 | } |
5113 | |
5114 | #endif |
5115 | |
5116 | #if POSIXACLS |
5117 | |
5118 | BOOL singleset_posix(const char *path, const struct POSIX_SECURITY *pxdesc) |
5119 | { |
5120 | BOOL isdir; |
5121 | BOOL err; |
5122 | int attrib; |
5123 | |
5124 | err = FALSE; |
5125 | attrib = GetFileAttributesW((LPCWSTR)path); |
5126 | if (attrib != INVALID_FILE_ATTRIBUTES) { |
5127 | isdir = (attrib & FILE_ATTRIBUTE_DIRECTORY); |
5128 | err = !setfull_posix(path,pxdesc,isdir); |
5129 | if (err) { |
5130 | printf("** Failed to update "); |
5131 | printname(stdout,path); |
5132 | printf("\n"); |
5133 | errors++; |
5134 | } |
5135 | } else { |
5136 | printf("** Could not access "); |
5137 | printname(stdout,path); |
5138 | printf("\n"); |
5139 | printerror(stdout); |
5140 | errors++; |
5141 | err = TRUE; |
5142 | } |
5143 | return (!err); |
5144 | } |
5145 | |
5146 | #endif |
5147 | |
5148 | BOOL singleset(const char *path, int mode) |
5149 | { |
5150 | BOOL isdir; |
5151 | BOOL err; |
5152 | int attrib; |
5153 | |
5154 | err = FALSE; |
5155 | attrib = GetFileAttributesW((LPCWSTR)path); |
5156 | if (attrib != INVALID_FILE_ATTRIBUTES) { |
5157 | isdir = (attrib & FILE_ATTRIBUTE_DIRECTORY); |
5158 | setfull(path,mode,isdir); |
5159 | } else { |
5160 | printf("** Could not access "); |
5161 | printname(stdout,path); |
5162 | printf("\n"); |
5163 | printerror(stdout); |
5164 | errors++; |
5165 | err = TRUE; |
5166 | } |
5167 | return (!err); |
5168 | } |
5169 | |
5170 | #else |
5171 | |
5172 | /* |
5173 | * Display all the parameters associated to a file (Linux version) |
5174 | */ |
5175 | |
5176 | void showfull(const char *fullname, BOOL isdir) |
5177 | { |
5178 | static char attr[MAXATTRSZ]; |
5179 | static char part[MAXATTRSZ]; |
5180 | #if POSIXACLS |
5181 | struct POSIX_SECURITY *pxdesc; |
5182 | #endif |
5183 | struct SECURITY_DATA *psecurdata; |
5184 | char *newattr; |
5185 | int securindex; |
5186 | int mode; |
5187 | int level; |
5188 | int attrib; |
5189 | u32 attrsz; |
5190 | u32 partsz; |
5191 | uid_t uid; |
5192 | gid_t gid; |
5193 | |
5194 | if (opt_v || opt_b) |
5195 | printf("%s %s\n",(isdir ? "Directory" : "File"),fullname); |
5196 | |
5197 | /* get individual parameters, as when trying to get them */ |
5198 | /* all, and one (typically SACL) is missing, we get none */ |
5199 | /* and concatenate them, to be able to compute the checksum */ |
5200 | |
5201 | partsz = 0; |
5202 | securindex = ntfs_get_file_security(ntfs_context,fullname, |
5203 | OWNER_SECURITY_INFORMATION, |
5204 | (char*)part,MAXATTRSZ,&partsz); |
5205 | |
5206 | attrib = ntfs_get_file_attributes(ntfs_context, fullname); |
5207 | if (attrib == INVALID_FILE_ATTRIBUTES) { |
5208 | printf("** Could not get file attrib\n"); |
5209 | errors++; |
5210 | } |
5211 | if ((securindex < 0) |
5212 | || (securindex >= MAXSECURID) |
5213 | || ((securindex > 0) |
5214 | && ((!opt_r && !opt_b) |
5215 | || !securdata[securindex >> SECBLKSZ] |
5216 | || !securdata[securindex >> SECBLKSZ][securindex & ((1 << SECBLKSZ) - 1)].filecount))) |
5217 | { |
5218 | if (opt_v || opt_b) { |
5219 | if ((securindex < -1) || (securindex >= MAXSECURID)) |
5220 | printf("Security key : 0x%x out of range\n",securindex); |
5221 | else |
5222 | if (securindex == -1) |
5223 | printf("Security key : none\n"); |
5224 | else |
5225 | printf("Security key : 0x%x\n",securindex); |
5226 | } else { |
5227 | printf("%s %s",(isdir ? "Directory" : "File"),fullname); |
5228 | if ((securindex < -1) || (securindex >= MAXSECURID)) |
5229 | printf(" : key 0x%x out of range\n",securindex); |
5230 | else |
5231 | if (securindex == -1) |
5232 | printf(" : no key\n"); |
5233 | else |
5234 | printf(" : key 0x%x\n",securindex); |
5235 | } |
5236 | |
5237 | attrsz = getfull(attr, fullname); |
5238 | if (attrsz) { |
5239 | psecurdata = (struct SECURITY_DATA*)NULL; |
5240 | if ((securindex < MAXSECURID) && (securindex > 0)) { |
5241 | if (!securdata[securindex >> SECBLKSZ]) |
5242 | newblock(securindex); |
5243 | if (securdata[securindex >> SECBLKSZ]) |
5244 | psecurdata = &securdata[securindex >> SECBLKSZ] |
5245 | [securindex & ((1 << SECBLKSZ) - 1)]; |
5246 | } |
5247 | if (opt_v && (opt_a || opt_b) && psecurdata) { |
5248 | newattr = (char*)malloc(attrsz); |
5249 | printf("# %s %s hash 0x%lx\n",(isdir ? "Directory" : "File"), |
5250 | fullname, |
5251 | (unsigned long)hash((le32*)attr,attrsz)); |
5252 | if (newattr) { |
5253 | memcpy(newattr,attr,attrsz); |
5254 | psecurdata->attr = newattr; |
5255 | } |
5256 | } |
5257 | if ((opt_v || opt_b) |
5258 | && ((securindex >= MAXSECURID) |
5259 | || (securindex <= 0) |
5260 | || !psecurdata |
5261 | || (!psecurdata->filecount |
5262 | && !psecurdata->flags))) { |
5263 | hexdump(attr,attrsz,8); |
5264 | printf("Computed hash : 0x%08lx\n", |
5265 | (unsigned long)hash((le32*)attr,attrsz)); |
5266 | } |
5267 | if (ntfs_valid_descr((char*)attr,attrsz)) { |
5268 | #if POSIXACLS |
5269 | pxdesc = linux_permissions_posix(attr,isdir); |
5270 | if (pxdesc) |
5271 | mode = pxdesc->mode; |
5272 | else |
5273 | mode = 0; |
5274 | #else |
5275 | mode = linux_permissions(attr,isdir); |
5276 | #endif |
5277 | attrib = ntfs_get_file_attributes(ntfs_context,fullname); |
5278 | if (opt_v >= 2) { |
5279 | level = (opt_b ? 4 : 0); |
5280 | showheader(attr,level); |
5281 | showusid(attr,level); |
5282 | showgsid(attr,level); |
5283 | showdacl(attr,isdir,level); |
5284 | showsacl(attr,isdir,level); |
5285 | } |
5286 | if (attrib != INVALID_FILE_ATTRIBUTES) |
5287 | printf("Windows attrib : 0x%x\n",attrib); |
5288 | uid = linux_owner(attr); |
5289 | gid = linux_group(attr); |
5290 | if (opt_b) { |
5291 | printf("# Interpreted Unix owner %d, group %d, mode 0%03o\n", |
5292 | (int)uid,(int)gid,mode); |
5293 | } else { |
5294 | printf("Interpreted Unix owner %d, group %d, mode 0%03o\n", |
5295 | (int)uid,(int)gid,mode); |
5296 | } |
5297 | #if POSIXACLS |
5298 | if (pxdesc) { |
5299 | if (!opt_b |
5300 | && (pxdesc->defcnt |
5301 | || (pxdesc->tagsset |
5302 | & (POSIX_ACL_USER |
5303 | | POSIX_ACL_GROUP |
5304 | | POSIX_ACL_MASK)))) |
5305 | showposix(pxdesc); |
5306 | #if USESTUBS |
5307 | stdfree(pxdesc); /* allocated within library */ |
5308 | #else |
5309 | free(pxdesc); |
5310 | #endif |
5311 | } |
5312 | #endif |
5313 | if ((opt_r || opt_b) && (securindex < MAXSECURID) |
5314 | && (securindex > 0) && psecurdata) { |
5315 | psecurdata->filecount++; |
5316 | psecurdata->mode = mode; |
5317 | } |
5318 | } else { |
5319 | printf("** Descriptor fails sanity check\n"); |
5320 | errors++; |
5321 | } |
5322 | } |
5323 | } else |
5324 | if (securindex > 0) { |
5325 | if (securdata[securindex >> SECBLKSZ]) { |
5326 | psecurdata = &securdata[securindex >> SECBLKSZ] |
5327 | [securindex & ((1 << SECBLKSZ) - 1)]; |
5328 | psecurdata->filecount++; |
5329 | if (opt_b || opt_r) { |
5330 | if (!opt_b && !opt_v) |
5331 | printf("%s %s\n",(isdir ? "Directory" : "File"),fullname); |
5332 | printf("Security key : 0x%x mode %03o (already displayed)\n", |
5333 | securindex,psecurdata->mode); |
5334 | if (attrib != INVALID_FILE_ATTRIBUTES) |
5335 | printf("Windows attrib : 0x%x\n",attrib); |
5336 | } else { |
5337 | printf("%s %s",(isdir ? "Directory" : "File"),fullname); |
5338 | printf(" : key 0x%x\n",securindex); |
5339 | } |
5340 | if ((opt_a || opt_b) && opt_v |
5341 | && psecurdata && psecurdata->attr) { |
5342 | printf("# %s %s hash 0x%lx\n",(isdir ? "Directory" : "File"), |
5343 | fullname, |
5344 | (unsigned long)hash((le32*)psecurdata->attr, |
5345 | ntfs_attr_size(psecurdata->attr))); |
5346 | } |
5347 | } |
5348 | } else { |
5349 | if (!opt_v && !opt_b) |
5350 | printf("%s %s",(isdir ? "Directory" : "File"),fullname); |
5351 | printf(" (Failed)\n"); |
5352 | printf("** Could not get security data of %s, partsz %d\n", |
5353 | fullname,partsz); |
5354 | printerror(stdout); |
5355 | errors++; |
5356 | } |
5357 | } |
5358 | |
5359 | BOOL recurseshow(const char *path) |
5360 | { |
5361 | struct CALLBACK dircontext; |
5362 | struct LINK *current; |
5363 | BOOL isdir; |
5364 | BOOL err; |
5365 | |
5366 | err = FALSE; |
5367 | dircontext.head = (struct LINK*)NULL; |
5368 | dircontext.dir = path; |
5369 | isdir = ntfs_read_directory(ntfs_context, path, |
5370 | callback, &dircontext); |
5371 | if (isdir) { |
5372 | showfull(path,TRUE); |
5373 | if (opt_v) { |
5374 | if (opt_b) |
5375 | printf("#\n#\n"); |
5376 | else |
5377 | printf("\n\n"); |
5378 | } |
5379 | while (dircontext.head) { |
5380 | current = dircontext.head; |
5381 | if (recurseshow(current->name)) err = TRUE; |
5382 | dircontext.head = dircontext.head->next; |
5383 | free(current); |
5384 | } |
5385 | } else |
5386 | if (errno == ENOTDIR) { |
5387 | showfull(path,FALSE); |
5388 | if (opt_v) { |
5389 | if (opt_b) |
5390 | printf("#\n#\n"); |
5391 | else |
5392 | printf("\n\n"); |
5393 | } |
5394 | } else { |
5395 | printf("** Could not access %s\n",path); |
5396 | printerror(stdout); |
5397 | errors++; |
5398 | err = TRUE; |
5399 | } |
5400 | return (!err); |
5401 | } |
5402 | |
5403 | |
5404 | BOOL singleshow(const char *path) |
5405 | { |
5406 | BOOL isdir; |
5407 | BOOL err; |
5408 | |
5409 | err = FALSE; |
5410 | isdir = ntfs_read_directory(ntfs_context, path, |
5411 | callback, (struct CALLBACK*)NULL); |
5412 | if (isdir || (errno == ENOTDIR)) |
5413 | showfull(path,isdir); |
5414 | else { |
5415 | printf("** Could not access %s\n",path); |
5416 | printerror(stdout); |
5417 | errors++; |
5418 | err = TRUE; |
5419 | } |
5420 | return (err); |
5421 | } |
5422 | |
5423 | #ifdef HAVE_SETXATTR |
5424 | |
5425 | static ssize_t ntfs_getxattr(const char *path, const char *name, void *value, size_t size) |
5426 | { |
5427 | #if defined(__APPLE__) || defined(__DARWIN__) |
5428 | return getxattr(path, name, value, size, 0, 0); |
5429 | #else |
5430 | return getxattr(path, name, value, size); |
5431 | #endif |
5432 | } |
5433 | |
5434 | /* |
5435 | * Display all the parameters associated to a mounted file |
5436 | */ |
5437 | |
5438 | BOOL showmounted(const char *fullname) |
5439 | { |
5440 | |
5441 | static char attr[MAXATTRSZ]; |
5442 | struct stat st; |
5443 | #if POSIXACLS |
5444 | struct POSIX_SECURITY *pxdesc; |
5445 | #endif |
5446 | BOOL mapped; |
5447 | int attrsz; |
5448 | int mode; |
5449 | uid_t uid; |
5450 | gid_t gid; |
5451 | u32 attrib; |
5452 | int level; |
5453 | BOOL isdir; |
5454 | BOOL err; |
5455 | |
5456 | err = FALSE; |
5457 | if (!stat(fullname,&st)) { |
5458 | isdir = S_ISDIR(st.st_mode); |
5459 | printf("%s ",(isdir ? "Directory" : "File")); |
5460 | printname(stdout,fullname); |
5461 | printf("\n"); |
5462 | |
5463 | attrsz = ntfs_getxattr(fullname,"system.ntfs_acl",attr,MAXATTRSZ); |
5464 | if (attrsz > 0) { |
5465 | if (opt_v) { |
5466 | hexdump(attr,attrsz,8); |
5467 | printf("Computed hash : 0x%08lx\n", |
5468 | (unsigned long)hash((le32*)attr,attrsz)); |
5469 | } |
5470 | if (ntfs_getxattr(fullname,"system.ntfs_attrib",&attrib,4) != 4) { |
5471 | printf("** Could not get file attrib\n"); |
5472 | errors++; |
5473 | } else |
5474 | printf("Windows attrib : 0x%x\n",(int)attrib); |
5475 | if (ntfs_valid_descr(attr,attrsz)) { |
5476 | mapped = !local_build_mapping(context.mapping,fullname); |
5477 | #if POSIXACLS |
5478 | if (mapped) { |
5479 | pxdesc = linux_permissions_posix(attr,isdir); |
5480 | if (pxdesc) |
5481 | mode = pxdesc->mode; |
5482 | else |
5483 | mode = 0; |
5484 | } else { |
5485 | pxdesc = (struct POSIX_SECURITY*)NULL; |
5486 | mode = linux_permissions(attr,isdir); |
5487 | printf("No user mapping : " |
5488 | "cannot display the Posix ACL\n"); |
5489 | } |
5490 | #else |
5491 | mode = linux_permissions(attr,isdir); |
5492 | #endif |
5493 | if (opt_v >= 2) { |
5494 | level = (opt_b ? 4 : 0); |
5495 | showheader(attr,level); |
5496 | showusid(attr,level); |
5497 | showgsid(attr,level); |
5498 | showdacl(attr,isdir,level); |
5499 | showsacl(attr,isdir,level); |
5500 | } |
5501 | if (mapped) { |
5502 | uid = linux_owner(attr); |
5503 | gid = linux_group(attr); |
5504 | printf("Interpreted Unix owner %d, group %d, mode 0%03o\n", |
5505 | (int)uid,(int)gid,mode); |
5506 | } else { |
5507 | printf("Interpreted Unix mode 0%03o (owner and group are unmapped)\n", |
5508 | mode); |
5509 | } |
5510 | #if POSIXACLS |
5511 | if (pxdesc) { |
5512 | if ((pxdesc->defcnt |
5513 | || (pxdesc->tagsset |
5514 | & (POSIX_ACL_USER |
5515 | | POSIX_ACL_GROUP |
5516 | | POSIX_ACL_MASK)))) |
5517 | showposix(pxdesc); |
5518 | #if USESTUBS |
5519 | stdfree(pxdesc); /* allocated within library */ |
5520 | #else |
5521 | free(pxdesc); |
5522 | #endif |
5523 | } |
5524 | if (mapped) |
5525 | ntfs_free_mapping(context.mapping); |
5526 | #endif |
5527 | } else { |
5528 | printf("Descriptor fails sanity check\n"); |
5529 | errors++; |
5530 | } |
5531 | } else { |
5532 | printf("** Could not get the NTFS ACL, check whether file is on NTFS\n"); |
5533 | errors++; |
5534 | } |
5535 | } else { |
5536 | printf("%s not found\n",fullname); |
5537 | err = TRUE; |
5538 | } |
5539 | return (err); |
5540 | } |
5541 | |
5542 | BOOL processmounted(const char *fullname) |
5543 | { |
5544 | |
5545 | static char attr[MAXATTRSZ]; |
5546 | struct stat st; |
5547 | int attrsz; |
5548 | BOOL err; |
5549 | |
5550 | err = FALSE; |
5551 | if (!opt_u) |
5552 | err = showmounted(fullname); |
5553 | else |
5554 | if (!stat(fullname,&st)) { |
5555 | attrsz = ntfs_getxattr(fullname,"system.ntfs_acl",attr,MAXATTRSZ); |
5556 | if (attrsz > 0) { |
5557 | if (opt_v) { |
5558 | hexdump(attr,attrsz,8); |
5559 | printf("Computed hash : 0x%08lx\n", |
5560 | (unsigned long)hash((le32*)attr,attrsz)); |
5561 | } |
5562 | if (ntfs_valid_descr(attr,attrsz)) { |
5563 | err = proposal(fullname, attr); |
5564 | } else { |
5565 | printf("*** Descriptor fails sanity check\n"); |
5566 | errors++; |
5567 | } |
5568 | } else { |
5569 | printf("** Could not get the NTFS ACL, check whether file is on NTFS\n"); |
5570 | errors++; |
5571 | } |
5572 | } else { |
5573 | printf("%s not found\n",fullname); |
5574 | err = TRUE; |
5575 | } |
5576 | return (err); |
5577 | } |
5578 | |
5579 | #else /* HAVE_SETXATTR */ |
5580 | |
5581 | BOOL processmounted(const char *fullname __attribute__((unused))) |
5582 | { |
5583 | fprintf(stderr,"Not possible on this configuration,\n"); |
5584 | fprintf(stderr,"you have to use an unmounted partition\n"); |
5585 | return (TRUE); |
5586 | } |
5587 | |
5588 | #endif /* HAVE_SETXATTR */ |
5589 | |
5590 | #if POSIXACLS |
5591 | |
5592 | BOOL recurseset_posix(const char *path, const struct POSIX_SECURITY *pxdesc) |
5593 | { |
5594 | struct CALLBACK dircontext; |
5595 | struct LINK *current; |
5596 | BOOL isdir; |
5597 | BOOL err; |
5598 | |
5599 | err = FALSE; |
5600 | dircontext.head = (struct LINK*)NULL; |
5601 | dircontext.dir = path; |
5602 | isdir = ntfs_read_directory(ntfs_context, path, |
5603 | callback, &dircontext); |
5604 | if (isdir) { |
5605 | err = !setfull_posix(path,pxdesc,TRUE); |
5606 | if (err) { |
5607 | printf("** Failed to update %s\n",path); |
5608 | printerror(stdout); |
5609 | errors++; |
5610 | } else { |
5611 | if (opt_b) |
5612 | printf("#\n#\n"); |
5613 | else |
5614 | printf("\n\n"); |
5615 | while (dircontext.head) { |
5616 | current = dircontext.head; |
5617 | recurseset_posix(current->name,pxdesc); |
5618 | dircontext.head = dircontext.head->next; |
5619 | free(current); |
5620 | } |
5621 | } |
5622 | } else |
5623 | if (errno == ENOTDIR) { |
5624 | err = !setfull_posix(path,pxdesc,FALSE); |
5625 | if (err) { |
5626 | printf("** Failed to update %s\n",path); |
5627 | printerror(stdout); |
5628 | errors++; |
5629 | } |
5630 | } else { |
5631 | printf("** Could not access %s\n",path); |
5632 | printerror(stdout); |
5633 | errors++; |
5634 | err = TRUE; |
5635 | } |
5636 | return (!err); |
5637 | } |
5638 | |
5639 | #else |
5640 | |
5641 | BOOL recurseset(const char *path, int mode) |
5642 | { |
5643 | struct CALLBACK dircontext; |
5644 | struct LINK *current; |
5645 | BOOL isdir; |
5646 | BOOL err; |
5647 | |
5648 | err = FALSE; |
5649 | dircontext.head = (struct LINK*)NULL; |
5650 | dircontext.dir = path; |
5651 | isdir = ntfs_read_directory(ntfs_context, path, |
5652 | callback, &dircontext); |
5653 | if (isdir) { |
5654 | setfull(path,mode,TRUE); |
5655 | if (opt_b) |
5656 | printf("#\n#\n"); |
5657 | else |
5658 | printf("\n\n"); |
5659 | while (dircontext.head) { |
5660 | current = dircontext.head; |
5661 | recurseset(current->name,mode); |
5662 | dircontext.head = dircontext.head->next; |
5663 | free(current); |
5664 | } |
5665 | } else |
5666 | if (errno == ENOTDIR) |
5667 | setfull(path,mode,FALSE); |
5668 | else { |
5669 | printf("** Could not access %s\n",path); |
5670 | printerror(stdout); |
5671 | errors++; |
5672 | err = TRUE; |
5673 | } |
5674 | return (!err); |
5675 | } |
5676 | |
5677 | #endif |
5678 | |
5679 | #if POSIXACLS |
5680 | |
5681 | BOOL singleset_posix(const char *path, const struct POSIX_SECURITY *pxdesc) |
5682 | { |
5683 | BOOL isdir; |
5684 | BOOL err; |
5685 | |
5686 | err = FALSE; |
5687 | isdir = ntfs_read_directory(ntfs_context, path, |
5688 | callback, (struct CALLBACK*)NULL); |
5689 | if (isdir || (errno == ENOTDIR)) { |
5690 | err = !setfull_posix(path,pxdesc,isdir); |
5691 | if (err) { |
5692 | printf("** Failed to update %s\n",path); |
5693 | printerror(stdout); |
5694 | errors++; |
5695 | } |
5696 | } else { |
5697 | printf("** Could not access %s\n",path); |
5698 | printerror(stdout); |
5699 | errors++; |
5700 | err = TRUE; |
5701 | } |
5702 | return (!err); |
5703 | } |
5704 | |
5705 | #endif |
5706 | |
5707 | BOOL singleset(const char *path, int mode) |
5708 | { |
5709 | BOOL isdir; |
5710 | BOOL err; |
5711 | |
5712 | err = FALSE; |
5713 | isdir = ntfs_read_directory(ntfs_context, path, |
5714 | callback, (struct CALLBACK*)NULL); |
5715 | if (isdir || (errno == ENOTDIR)) |
5716 | setfull(path,mode,isdir); |
5717 | else { |
5718 | printf("** Could not access %s\n",path); |
5719 | printerror(stdout); |
5720 | errors++; |
5721 | err = TRUE; |
5722 | } |
5723 | return (!err); |
5724 | } |
5725 | |
5726 | int callback(struct CALLBACK *dircontext, char *ntfsname, |
5727 | int length, int type, |
5728 | long long pos __attribute__((unused)), u64 mft_ref __attribute__((unused)), |
5729 | unsigned int dt_type __attribute__((unused))) |
5730 | { |
5731 | struct LINK *linkage; |
5732 | char *name; |
5733 | int newlth; |
5734 | int size; |
5735 | |
5736 | size = utf8size(ntfsname,length); |
5737 | if (dircontext |
5738 | && (type != 2) /* 2 : dos name (8+3) */ |
5739 | && (size > 0) /* chars convertible to utf8 */ |
5740 | && ((length > 2) |
5741 | || (ntfsname[0] != '.') |
5742 | || (ntfsname[1] != '\0') |
5743 | || ((ntfsname[2] || ntfsname[3]) |
5744 | && ((ntfsname[2] != '.') || (ntfsname[3] != '\0'))))) { |
5745 | linkage = (struct LINK*)malloc(sizeof(struct LINK) |
5746 | + strlen(dircontext->dir) |
5747 | + size + 2); |
5748 | if (linkage) { |
5749 | /* may find ".fuse_hidden*" files */ |
5750 | /* recommendation is not to hide them, so that */ |
5751 | /* the user has a clue to delete them */ |
5752 | strcpy(linkage->name,dircontext->dir); |
5753 | if (linkage->name[strlen(linkage->name) - 1] != '/') |
5754 | strcat(linkage->name,"/"); |
5755 | name = &linkage->name[strlen(linkage->name)]; |
5756 | newlth = makeutf8(name,ntfsname,length); |
5757 | name[newlth] = 0; |
5758 | linkage->next = dircontext->head; |
5759 | dircontext->head = linkage; |
5760 | } |
5761 | } |
5762 | return (0); |
5763 | } |
5764 | |
5765 | #endif |
5766 | |
5767 | #ifdef WIN32 |
5768 | |
5769 | /* |
5770 | * Backup security descriptors in a directory tree (Windows mode) |
5771 | */ |
5772 | |
5773 | BOOL backup(const char *root) |
5774 | { |
5775 | BOOL err; |
5776 | time_t now; |
5777 | const char *txtime; |
5778 | |
5779 | now = time((time_t*)NULL); |
5780 | txtime = ctime(&now); |
5781 | printf("#\n# Recursive ACL collection on %s#\n",txtime); |
5782 | err = recurseshow(root); |
5783 | return (err); |
5784 | } |
5785 | |
5786 | #else |
5787 | |
5788 | /* |
5789 | * Backup security descriptors in a directory tree (Linux mode) |
5790 | */ |
5791 | |
5792 | BOOL backup(const char *volume, const char *root) |
5793 | { |
5794 | BOOL err; |
5795 | int count; |
5796 | int i,j; |
5797 | time_t now; |
5798 | const char *txtime; |
5799 | |
5800 | now = time((time_t*)NULL); |
5801 | txtime = ctime(&now); |
5802 | if (!getuid() && open_security_api()) { |
5803 | if (open_volume(volume,NTFS_MNT_RDONLY)) { |
5804 | printf("#\n# Recursive ACL collection on %s#\n",txtime); |
5805 | err = recurseshow(root); |
5806 | count = 0; |
5807 | for (i=0; i<(MAXSECURID + (1 << SECBLKSZ) - 1)/(1 << SECBLKSZ); i++) |
5808 | if (securdata[i]) |
5809 | for (j=0; j<(1 << SECBLKSZ); j++) |
5810 | if (securdata[i][j].filecount) { |
5811 | count++; |
5812 | } |
5813 | printf("# %d security keys\n",count); |
5814 | close_volume(volume); |
5815 | } else { |
5816 | fprintf(stderr,"Could not open volume %s\n",volume); |
5817 | printerror(stdout); |
5818 | err = TRUE; |
5819 | } |
5820 | close_security_api(); |
5821 | } else { |
5822 | if (getuid()) |
5823 | fprintf(stderr,"This is only possible as root\n"); |
5824 | else |
5825 | fprintf(stderr,"Could not open security API\n"); |
5826 | err = TRUE; |
5827 | } |
5828 | return (err); |
5829 | } |
5830 | |
5831 | #endif |
5832 | |
5833 | #ifdef WIN32 |
5834 | |
5835 | /* |
5836 | * List security descriptors in a directory tree (Windows mode) |
5837 | */ |
5838 | |
5839 | BOOL listfiles(const char *root) |
5840 | { |
5841 | BOOL err; |
5842 | |
5843 | if (opt_r) { |
5844 | printf("\nRecursive file check\n"); |
5845 | err = recurseshow(root); |
5846 | } else |
5847 | err = singleshow(root); |
5848 | return (err); |
5849 | } |
5850 | |
5851 | #else |
5852 | |
5853 | /* |
5854 | * List security descriptors in a directory tree (Linux mode) |
5855 | */ |
5856 | |
5857 | BOOL listfiles(const char *volume, const char *root) |
5858 | { |
5859 | BOOL err; |
5860 | int i,j; |
5861 | int count; |
5862 | |
5863 | if (!getuid() && open_security_api()) { |
5864 | if (open_volume(volume,NTFS_MNT_RDONLY)) { |
5865 | if (opt_r) { |
5866 | printf("\nRecursive file check\n"); |
5867 | err = recurseshow(root); |
5868 | printf("Summary\n"); |
5869 | count = 0; |
5870 | for (i=0; i<(MAXSECURID + (1 << SECBLKSZ) - 1)/(1 << SECBLKSZ); i++) |
5871 | if (securdata[i]) |
5872 | for (j=0; j<(1 << SECBLKSZ); j++) |
5873 | if (securdata[i][j].filecount) { |
5874 | printf("Key 0x%x : %d files, mode 0%03o\n", |
5875 | i*(1 << SECBLKSZ)+j,securdata[i][j].filecount, |
5876 | securdata[i][j].mode); |
5877 | count++; |
5878 | } |
5879 | printf("%d security keys\n",count); |
5880 | } else |
5881 | err = singleshow(root); |
5882 | close_volume(volume); |
5883 | } else { |
5884 | fprintf(stderr,"Could not open volume %s\n",volume); |
5885 | printerror(stdout); |
5886 | err = TRUE; |
5887 | } |
5888 | close_security_api(); |
5889 | } else { |
5890 | if (getuid()) |
5891 | fprintf(stderr,"This is only possible as root\n"); |
5892 | else |
5893 | fprintf(stderr,"Could not open security API\n"); |
5894 | err = TRUE; |
5895 | } |
5896 | return (err); |
5897 | } |
5898 | |
5899 | BOOL mapproposal(const char *volume, const char *name) |
5900 | { |
5901 | BOOL err; |
5902 | u32 attrsz; |
5903 | int securindex; |
5904 | char attr[256]; /* header (20) and a couple of SIDs (max 40 each) */ |
5905 | |
5906 | err = FALSE; |
5907 | if (!getuid() && open_security_api()) { |
5908 | if (open_volume(volume,NTFS_MNT_RDONLY)) { |
5909 | |
5910 | attrsz = 0; |
5911 | securindex = ntfs_get_file_security(ntfs_context,name, |
5912 | OWNER_SECURITY_INFORMATION |
5913 | | GROUP_SECURITY_INFORMATION, |
5914 | (char*)attr,MAXATTRSZ,&attrsz); |
5915 | if (securindex) |
5916 | err = proposal(name,attr); |
5917 | else { |
5918 | fprintf(stderr,"*** Could not get the ACL of %s\n", |
5919 | name); |
5920 | printerror(stdout); |
5921 | errors++; |
5922 | } |
5923 | close_volume(volume); |
5924 | } else { |
5925 | fprintf(stderr,"Could not open volume %s\n",volume); |
5926 | printerror(stdout); |
5927 | err = TRUE; |
5928 | } |
5929 | close_security_api(); |
5930 | } else { |
5931 | if (getuid()) |
5932 | fprintf(stderr,"This is only possible as root\n"); |
5933 | else |
5934 | fprintf(stderr,"Could not open security API\n"); |
5935 | err = TRUE; |
5936 | } |
5937 | return (err); |
5938 | } |
5939 | |
5940 | #endif |
5941 | |
5942 | #ifndef WIN32 |
5943 | |
5944 | /* |
5945 | * Check whether a SDS entry is valid |
5946 | */ |
5947 | |
5948 | BOOL valid_sds(const char *attr, unsigned int offset, |
5949 | unsigned int entrysz, unsigned int size, u32 prevkey, |
5950 | BOOL second) |
5951 | { |
5952 | BOOL unsane; |
5953 | u32 comphash; |
5954 | u32 key; |
5955 | |
5956 | unsane = FALSE; |
5957 | if (!get4l(attr,0) && !get4l(attr,4)) { |
5958 | printf("Entry at 0x%lx was deleted\n",(long)offset); |
5959 | } else { |
5960 | if ((ntfs_attr_size(&attr[20]) + 20) > entrysz) { |
5961 | printf("** Entry is truncated (expected size %ld)\n", |
5962 | (long)ntfs_attr_size(&attr[20] + 20)); |
5963 | unsane = TRUE; |
5964 | errors++; |
5965 | } |
5966 | if ((ntfs_attr_size(&attr[20]) + 20) < entrysz) { |
5967 | printf("** Extra data appended to entry (expected size %ld)\n", |
5968 | (long)ntfs_attr_size(&attr[20]) + 20); |
5969 | warnings++; |
5970 | } |
5971 | if (!unsane && !ntfs_valid_descr((const char*)&attr[20],size)) { |
5972 | printf("** General sanity check has failed\n"); |
5973 | unsane = TRUE; |
5974 | errors++; |
5975 | } |
5976 | if (!unsane) { |
5977 | comphash = hash((const le32*)&attr[20],entrysz-20); |
5978 | if ((u32)get4l(attr,0) == comphash) { |
5979 | if (opt_v >= 2) |
5980 | printf("Hash 0x%08lx (correct)\n", |
5981 | (unsigned long)comphash); |
5982 | } else { |
5983 | printf("** hash 0x%08lx (computed : 0x%08lx)\n", |
5984 | (unsigned long)get4l(attr,0), |
5985 | (unsigned long)comphash); |
5986 | unsane = TRUE; |
5987 | errors++; |
5988 | } |
5989 | } |
5990 | if (!unsane) { |
5991 | if ((second ? get8l(attr,8) + 0x40000 : get8l(attr,8)) == offset) { |
5992 | if (opt_v >= 2) |
5993 | printf("Offset 0x%lx (correct)\n",(long)offset); |
5994 | } else { |
5995 | printf("** offset 0x%llx (expected : 0x%llx)\n", |
5996 | (long long)get8l(attr,8), |
5997 | (long long)(second ? get8l(attr,8) - 0x40000 : get8l(attr,8))); |
5998 | // unsane = TRUE; |
5999 | errors++; |
6000 | } |
6001 | } |
6002 | if (!unsane) { |
6003 | key = get4l(attr,4); |
6004 | if (opt_v >= 2) |
6005 | printf("Key 0x%x\n",(int)key); |
6006 | if (key) { |
6007 | if (key <= prevkey) { |
6008 | printf("** Unordered key 0x%lx after 0x%lx\n", |
6009 | (long)key,(long)prevkey); |
6010 | unsane = TRUE; |
6011 | errors++; |
6012 | } |
6013 | } |
6014 | } |
6015 | } |
6016 | return (!unsane); |
6017 | } |
6018 | |
6019 | /* |
6020 | * Check whether a SDS entry is consistent with other known data |
6021 | * and store current data for subsequent checks |
6022 | */ |
6023 | |
6024 | int consist_sds(const char *attr, unsigned int offset, |
6025 | unsigned int entrysz, BOOL second) |
6026 | { |
6027 | int errcnt; |
6028 | u32 key; |
6029 | u32 comphash; |
6030 | struct SECURITY_DATA *psecurdata; |
6031 | |
6032 | errcnt = 0; |
6033 | key = get4l(attr,4); |
6034 | if ((key > 0) && (key < MAXSECURID)) { |
6035 | printf("Valid entry at 0x%lx for key 0x%lx\n", |
6036 | (long)offset,(long)key); |
6037 | if (!securdata[key >> SECBLKSZ]) |
6038 | newblock(key); |
6039 | if (securdata[key >> SECBLKSZ]) { |
6040 | psecurdata = &securdata[key >> SECBLKSZ][key & ((1 << SECBLKSZ) - 1)]; |
6041 | comphash = hash((const le32*)&attr[20],entrysz-20); |
6042 | if (psecurdata->flags & INSDS1) { |
6043 | if (psecurdata->hash != comphash) { |
6044 | printf("** Different hash values : $SDS-1 0x%08lx $SDS-2 0x%08lx\n", |
6045 | (unsigned long)psecurdata->hash, |
6046 | (unsigned long)comphash); |
6047 | errcnt++; |
6048 | errors++; |
6049 | } |
6050 | if (psecurdata->offset != get8l(attr,8)) { |
6051 | printf("** Different offsets : $SDS-1 0x%llx $SDS-2 0x%llx\n", |
6052 | (long long)psecurdata->offset,(long long)get8l(attr,8)); |
6053 | errcnt++; |
6054 | errors++; |
6055 | } |
6056 | if (psecurdata->length != get4l(attr,16)) { |
6057 | printf("** Different lengths : $SDS-1 0x%lx $SDS-2 0x%lx\n", |
6058 | (long)psecurdata->length,(long)get4l(attr,16)); |
6059 | errcnt++; |
6060 | errors++; |
6061 | } |
6062 | } else { |
6063 | if (second) { |
6064 | printf("** Entry was not present in $SDS-1\n"); |
6065 | errcnt++; |
6066 | errors++; |
6067 | } |
6068 | psecurdata->hash = comphash; |
6069 | psecurdata->offset = get8l(attr,8); |
6070 | psecurdata->length = get4l(attr,16); |
6071 | } |
6072 | psecurdata->flags |= (second ? INSDS2 : INSDS1); |
6073 | } |
6074 | } else |
6075 | if (key || get4l(attr,0)) { |
6076 | printf("** Security_id 0x%x out of bounds\n",key); |
6077 | warnings++; |
6078 | } |
6079 | return (errcnt); |
6080 | } |
6081 | |
6082 | |
6083 | /* |
6084 | * Auditing of $SDS (Linux only) |
6085 | */ |
6086 | |
6087 | int audit_sds(BOOL second) |
6088 | { |
6089 | static char attr[MAXATTRSZ + 20]; |
6090 | BOOL isdir; |
6091 | BOOL done; |
6092 | BOOL unsane; |
6093 | u32 prevkey; |
6094 | int errcnt; |
6095 | int size; |
6096 | unsigned int entrysz; |
6097 | unsigned int entryalsz; |
6098 | unsigned int offset; |
6099 | int count; |
6100 | int deleted; |
6101 | int mode; |
6102 | |
6103 | if (second) |
6104 | printf("\nAuditing $SDS-2\n"); |
6105 | else |
6106 | printf("\nAuditing $SDS-1\n"); |
6107 | errcnt = 0; |
6108 | offset = (second ? 0x40000 : 0); |
6109 | count = 0; |
6110 | deleted = 0; |
6111 | done = FALSE; |
6112 | prevkey = 0; |
6113 | |
6114 | /* get size of first record */ |
6115 | |
6116 | size = ntfs_read_sds(ntfs_context,(char*)attr,20,offset); |
6117 | if (size != 20) { |
6118 | if ((size < 0) && (errno == ENOTSUP)) |
6119 | printf("** There is no $SDS-%d in this volume\n", |
6120 | (second ? 2 : 1)); |
6121 | else { |
6122 | printf("** Could not open $SDS-%d, size %d\n", |
6123 | (second ? 2 : 1),size); |
6124 | errors++; |
6125 | errcnt++; |
6126 | } |
6127 | } else |
6128 | do { |
6129 | entrysz = get4l(attr,16); |
6130 | entryalsz = ((entrysz - 1) | 15) + 1; |
6131 | if (entryalsz <= (MAXATTRSZ + 20)) { |
6132 | /* read next header in anticipation, to get its size */ |
6133 | size = ntfs_read_sds(ntfs_context, |
6134 | (char*)&attr[20],entryalsz,offset + 20); |
6135 | if (opt_v) |
6136 | printf("\nAt offset 0x%lx got %lu bytes\n",(long)offset,(long)size); |
6137 | } else { |
6138 | printf("** Security attribute is too long (%ld bytes) - stopping\n", |
6139 | (long)entryalsz); |
6140 | errcnt++; |
6141 | } |
6142 | if ((entryalsz > (MAXATTRSZ + 20)) || (size < (int)(entrysz - 20))) |
6143 | done = TRUE; |
6144 | else { |
6145 | if (opt_v) { |
6146 | printf("Entry size %d bytes\n",entrysz); |
6147 | hexdump(&attr[20],size,8); |
6148 | } |
6149 | |
6150 | unsane = !valid_sds(attr,offset,entrysz, |
6151 | size,prevkey,second); |
6152 | if (!unsane) { |
6153 | if (!get4l(attr,0) && !get4l(attr,4)) |
6154 | deleted++; |
6155 | else |
6156 | count++; |
6157 | errcnt += consist_sds(attr,offset, |
6158 | entrysz, second); |
6159 | if (opt_v >= 2) { |
6160 | isdir = guess_dir(&attr[20]); |
6161 | printf("Assuming %s descriptor\n",(isdir ? "directory" : "file")); |
6162 | showheader(&attr[20],0); |
6163 | showusid(&attr[20],0); |
6164 | showgsid(&attr[20],0); |
6165 | showdacl(&attr[20],isdir,0); |
6166 | showsacl(&attr[20],isdir,0); |
6167 | mode = linux_permissions( |
6168 | &attr[20],isdir); |
6169 | printf("Interpreted Unix mode 0%03o\n",mode); |
6170 | } |
6171 | prevkey = get4l(attr,4); |
6172 | } |
6173 | if (!unsane) { |
6174 | memcpy(attr,&attr[entryalsz],20); |
6175 | offset += entryalsz; |
6176 | if (!get4l(attr,16) |
6177 | || ((((offset - 1) | 0x3ffff) - offset + 1) < 20)) { |
6178 | if (second) |
6179 | offset = ((offset - 1) | 0x7ffff) + 0x40001; |
6180 | else |
6181 | offset = ((offset - 1) | 0x7ffff) + 1; |
6182 | if (opt_v) |
6183 | printf("Trying next SDS-%d block at offset 0x%lx\n", |
6184 | (second ? 2 : 1), (long)offset); |
6185 | size = ntfs_read_sds(ntfs_context, |
6186 | (char*)attr,20,offset); |
6187 | if (size != 20) { |
6188 | if (opt_v) |
6189 | printf("Assuming end of $SDS, got %d bytes\n",size); |
6190 | done = TRUE; |
6191 | } |
6192 | } |
6193 | } else { |
6194 | printf("** Sanity check failed - stopping there\n"); |
6195 | errcnt++; |
6196 | errors++; |
6197 | done = TRUE; |
6198 | } |
6199 | } |
6200 | } while (!done); |
6201 | if (count || deleted || errcnt) { |
6202 | printf("%d valid and %d deleted entries in $SDS-%d\n", |
6203 | count,deleted,(second ? 2 : 1)); |
6204 | printf("%d errors in $SDS-%c\n",errcnt,(second ? '2' : '1')); |
6205 | } |
6206 | return (errcnt); |
6207 | } |
6208 | |
6209 | /* |
6210 | * Check whether a SII entry is sane |
6211 | */ |
6212 | |
6213 | BOOL valid_sii(const char *entry, u32 prevkey) |
6214 | { |
6215 | BOOL valid; |
6216 | u32 key; |
6217 | |
6218 | valid = TRUE; |
6219 | key = get4l(entry,16); |
6220 | if (key <= prevkey) { |
6221 | printf("** Unordered key 0x%lx after 0x%lx\n", |
6222 | (long)key,(long)prevkey); |
6223 | valid = FALSE; |
6224 | errors++; |
6225 | } |
6226 | prevkey = key; |
6227 | if (get2l(entry,0) != 20) { |
6228 | printf("** offset %d (instead of 20)\n",(int)get2l(entry,0)); |
6229 | valid = FALSE; |
6230 | errors++; |
6231 | } |
6232 | if (get2l(entry,2) != 20) { |
6233 | printf("** size %d (instead of 20)\n",(int)get2l(entry,2)); |
6234 | valid = FALSE; |
6235 | errors++; |
6236 | } |
6237 | if (get4l(entry,4) != 0) { |
6238 | printf("** fill1 %d (instead of 0)\n",(int)get4l(entry,4)); |
6239 | valid = FALSE; |
6240 | errors++; |
6241 | } |
6242 | if (get2l(entry,12) & 1) { |
6243 | if (get2l(entry,8) != 48) { |
6244 | printf("** index size %d (instead of 48)\n",(int)get2l(entry,8)); |
6245 | valid = FALSE; |
6246 | errors++; |
6247 | } |
6248 | } else |
6249 | if (get2l(entry,8) != 40) { |
6250 | printf("** index size %d (instead of 40)\n",(int)get2l(entry,8)); |
6251 | valid = FALSE; |
6252 | errors++; |
6253 | } |
6254 | if (get2l(entry,10) != 4) { |
6255 | printf("** index key size %d (instead of 4)\n",(int)get2l(entry,10)); |
6256 | valid = FALSE; |
6257 | errors++; |
6258 | } |
6259 | if ((get2l(entry,12) & ~3) != 0) { |
6260 | printf("** flags 0x%x (instead of < 4)\n",(int)get2l(entry,12)); |
6261 | valid = FALSE; |
6262 | errors++; |
6263 | } |
6264 | if (get2l(entry,14) != 0) { |
6265 | printf("** fill2 %d (instead of 0)\n",(int)get2l(entry,14)); |
6266 | valid = FALSE; |
6267 | errors++; |
6268 | } |
6269 | if (get4l(entry,24) != key) { |
6270 | printf("** key 0x%x (instead of 0x%x)\n", |
6271 | (int)get4l(entry,24),(int)key); |
6272 | valid = FALSE; |
6273 | errors++; |
6274 | } |
6275 | return (valid); |
6276 | } |
6277 | |
6278 | /* |
6279 | * Check whether a SII entry is consistent with other known data |
6280 | */ |
6281 | |
6282 | int consist_sii(const char *entry) |
6283 | { |
6284 | int errcnt; |
6285 | u32 key; |
6286 | struct SECURITY_DATA *psecurdata; |
6287 | |
6288 | errcnt = 0; |
6289 | key = get4l(entry,16); |
6290 | if ((key > 0) && (key < MAXSECURID)) { |
6291 | printf("Valid entry for key 0x%lx\n",(long)key); |
6292 | if (!securdata[key >> SECBLKSZ]) |
6293 | newblock(key); |
6294 | if (securdata[key >> SECBLKSZ]) { |
6295 | psecurdata = &securdata[key >> SECBLKSZ][key & ((1 << SECBLKSZ) - 1)]; |
6296 | psecurdata->flags |= INSII; |
6297 | if (psecurdata->flags & (INSDS1 | INSDS2)) { |
6298 | if ((u32)get4l(entry,20) != psecurdata->hash) { |
6299 | printf("** hash 0x%x (instead of 0x%x)\n", |
6300 | (unsigned int)get4l(entry,20), |
6301 | (unsigned int)psecurdata->hash); |
6302 | errors++; |
6303 | } |
6304 | if (get8l(entry,28) != psecurdata->offset) { |
6305 | printf("** offset 0x%llx (instead of 0x%llx)\n", |
6306 | (long long)get8l(entry,28), |
6307 | (long long)psecurdata->offset); |
6308 | errors++; |
6309 | } |
6310 | if (get4l(entry,36) != psecurdata->length) { |
6311 | printf("** length 0x%lx (instead of %ld)\n", |
6312 | (long)get4l(entry,36), |
6313 | (long)psecurdata->length); |
6314 | errors++; |
6315 | } |
6316 | } else { |
6317 | printf("** Entry was not present in $SDS\n"); |
6318 | errors++; |
6319 | psecurdata->hash = get4l(entry,20); |
6320 | psecurdata->offset = get8l(entry,28); |
6321 | psecurdata->length = get4l(entry,36); |
6322 | if (opt_v) { |
6323 | printf(" hash 0x%x\n",(unsigned int)psecurdata->hash); |
6324 | printf(" offset 0x%llx\n",(long long)psecurdata->offset); |
6325 | printf(" length %ld\n",(long)psecurdata->length); |
6326 | } |
6327 | errcnt++; |
6328 | } |
6329 | } |
6330 | } else { |
6331 | printf("** Security_id 0x%x out of bounds\n",key); |
6332 | warnings++; |
6333 | } |
6334 | return (errcnt); |
6335 | } |
6336 | |
6337 | |
6338 | /* |
6339 | * Auditing of $SII (Linux only) |
6340 | */ |
6341 | |
6342 | int audit_sii() |
6343 | { |
6344 | char *entry; |
6345 | int errcnt; |
6346 | u32 prevkey; |
6347 | BOOL valid; |
6348 | BOOL done; |
6349 | int count; |
6350 | |
6351 | printf("\nAuditing $SII\n"); |
6352 | errcnt = 0; |
6353 | count = 0; |
6354 | entry = (char*)NULL; |
6355 | prevkey = 0; |
6356 | done = FALSE; |
6357 | do { |
6358 | entry = (char*)ntfs_read_sii(ntfs_context,(void*)entry); |
6359 | if (entry) { |
6360 | valid = valid_sii(entry,prevkey); |
6361 | if (valid) { |
6362 | count++; |
6363 | errcnt += consist_sii(entry); |
6364 | prevkey = get4l(entry,16); |
6365 | } else |
6366 | errcnt++; |
6367 | } else |
6368 | if ((errno == ENOTSUP) && !prevkey) |
6369 | printf("** There is no $SII in this volume\n"); |
6370 | } while (entry && !done); |
6371 | if (count || errcnt) { |
6372 | printf("%d valid entries in $SII\n",count); |
6373 | printf("%d errors in $SII\n",errcnt); |
6374 | } |
6375 | return (errcnt); |
6376 | } |
6377 | |
6378 | /* |
6379 | * Check whether a SII entry is sane |
6380 | */ |
6381 | |
6382 | BOOL valid_sdh(const char *entry, u32 prevkey, u32 prevhash) |
6383 | { |
6384 | BOOL valid; |
6385 | u32 key; |
6386 | u32 currhash; |
6387 | |
6388 | valid = TRUE; |
6389 | currhash = get4l(entry,16); |
6390 | key = get4l(entry,20); |
6391 | if ((currhash < prevhash) |
6392 | || ((currhash == prevhash) && (key <= prevkey))) { |
6393 | printf("** Unordered hash and key 0x%x 0x%x after 0x%x 0x%x\n", |
6394 | (unsigned int)currhash,(unsigned int)key, |
6395 | (unsigned int)prevhash,(unsigned int)prevkey); |
6396 | valid = FALSE; |
6397 | errors++; |
6398 | } |
6399 | if ((opt_v >= 2) && (currhash == prevhash)) |
6400 | printf("Hash collision (not an error)\n"); |
6401 | |
6402 | if (get2l(entry,0) != 24) { |
6403 | printf("** offset %d (instead of 24)\n",(int)get2l(entry,0)); |
6404 | valid = FALSE; |
6405 | errors++; |
6406 | } |
6407 | if (get2l(entry,2) != 20) { |
6408 | printf("** size %d (instead of 20)\n",(int)get2l(entry,2)); |
6409 | valid = FALSE; |
6410 | errors++; |
6411 | } |
6412 | if (get4l(entry,4) != 0) { |
6413 | printf("** fill1 %d (instead of 0)\n",(int)get4l(entry,4)); |
6414 | valid = FALSE; |
6415 | errors++; |
6416 | } |
6417 | if (get2l(entry,12) & 1) { |
6418 | if (get2l(entry,8) != 56) { |
6419 | printf("** index size %d (instead of 56)\n",(int)get2l(entry,8)); |
6420 | valid = FALSE; |
6421 | errors++; |
6422 | } |
6423 | } else |
6424 | if (get2l(entry,8) != 48) { |
6425 | printf("** index size %d (instead of 48)\n",(int)get2l(entry,8)); |
6426 | valid = FALSE; |
6427 | errors++; |
6428 | } |
6429 | if (get2l(entry,10) != 8) { |
6430 | printf("** index key size %d (instead of 8)\n",(int)get2l(entry,10)); |
6431 | valid = FALSE; |
6432 | errors++; |
6433 | } |
6434 | if ((get2l(entry,12) & ~3) != 0) { |
6435 | printf("** flags 0x%x (instead of < 4)\n",(int)get2l(entry,12)); |
6436 | valid = FALSE; |
6437 | errors++; |
6438 | } |
6439 | if (get2l(entry,14) != 0) { |
6440 | printf("** fill2 %d (instead of 0)\n",(int)get2l(entry,14)); |
6441 | valid = FALSE; |
6442 | errors++; |
6443 | } |
6444 | if ((u32)get4l(entry,24) != currhash) { |
6445 | printf("** hash 0x%x (instead of 0x%x)\n", |
6446 | (unsigned int)get4l(entry,24),(unsigned int)currhash); |
6447 | valid = FALSE; |
6448 | errors++; |
6449 | } |
6450 | if (get4l(entry,28) != key) { |
6451 | printf("** key 0x%x (instead of 0x%x)\n", |
6452 | (int)get4l(entry,28),(int)key); |
6453 | valid = FALSE; |
6454 | errors++; |
6455 | } |
6456 | if (get4l(entry,44) |
6457 | && (get4l(entry,44) != 0x490049)) { |
6458 | printf("** fill3 0x%lx (instead of 0 or 0x490049)\n", |
6459 | (long)get4l(entry,44)); |
6460 | valid = FALSE; |
6461 | errors++; |
6462 | } |
6463 | return (valid); |
6464 | } |
6465 | |
6466 | /* |
6467 | * Check whether a SDH entry is consistent with other known data |
6468 | */ |
6469 | |
6470 | int consist_sdh(const char *entry) |
6471 | { |
6472 | int errcnt; |
6473 | u32 key; |
6474 | struct SECURITY_DATA *psecurdata; |
6475 | |
6476 | errcnt = 0; |
6477 | key = get4l(entry,20); |
6478 | if ((key > 0) && (key < MAXSECURID)) { |
6479 | printf("Valid entry for key 0x%lx\n",(long)key); |
6480 | if (!securdata[key >> SECBLKSZ]) |
6481 | newblock(key); |
6482 | if (securdata[key >> SECBLKSZ]) { |
6483 | psecurdata = &securdata[key >> SECBLKSZ][key & ((1 << SECBLKSZ) - 1)]; |
6484 | psecurdata->flags |= INSDH; |
6485 | if (psecurdata->flags & (INSDS1 | INSDS2 | INSII)) { |
6486 | if ((u32)get4l(entry,24) != psecurdata->hash) { |
6487 | printf("** hash 0x%x (instead of 0x%x)\n", |
6488 | (unsigned int)get4l(entry,24), |
6489 | (unsigned int)psecurdata->hash); |
6490 | errors++; |
6491 | } |
6492 | if (get8l(entry,32) != psecurdata->offset) { |
6493 | printf("** offset 0x%llx (instead of 0x%llx)\n", |
6494 | (long long)get8l(entry,32), |
6495 | (long long)psecurdata->offset); |
6496 | errors++; |
6497 | } |
6498 | if (get4l(entry,40) != psecurdata->length) { |
6499 | printf("** length %ld (instead of %ld)\n", |
6500 | (long)get4l(entry,40), |
6501 | (long)psecurdata->length); |
6502 | errors++; |
6503 | } |
6504 | } else { |
6505 | printf("** Entry was not present in $SDS nor in $SII\n"); |
6506 | errors++; |
6507 | psecurdata->hash = get4l(entry,24); |
6508 | psecurdata->offset = get8l(entry,32); |
6509 | psecurdata->length = get4l(entry,40); |
6510 | if (opt_v) { |
6511 | printf(" offset 0x%llx\n",(long long)psecurdata->offset); |
6512 | printf(" length %ld\n",(long)psecurdata->length); |
6513 | } |
6514 | errcnt++; |
6515 | } |
6516 | } |
6517 | } else { |
6518 | printf("** Security_id 0x%x out of bounds\n",key); |
6519 | warnings++; |
6520 | } |
6521 | return (errcnt); |
6522 | } |
6523 | |
6524 | /* |
6525 | * Auditing of $SDH (Linux only) |
6526 | */ |
6527 | |
6528 | int audit_sdh() |
6529 | { |
6530 | char *entry; |
6531 | int errcnt; |
6532 | int count; |
6533 | u32 prevkey; |
6534 | u32 prevhash; |
6535 | BOOL valid; |
6536 | BOOL done; |
6537 | |
6538 | printf("\nAuditing $SDH\n"); |
6539 | count = 0; |
6540 | errcnt = 0; |
6541 | prevkey = 0; |
6542 | prevhash = 0; |
6543 | entry = (char*)NULL; |
6544 | done = FALSE; |
6545 | do { |
6546 | entry = (char*)ntfs_read_sdh(ntfs_context,(void*)entry); |
6547 | if (entry) { |
6548 | valid = valid_sdh(entry,prevkey,prevhash); |
6549 | if (valid) { |
6550 | count++; |
6551 | errcnt += consist_sdh(entry); |
6552 | prevhash = get4l(entry,16); |
6553 | prevkey = get4l(entry,20); |
6554 | } else |
6555 | errcnt++; |
6556 | } else |
6557 | if ((errno == ENOTSUP) && !prevkey) |
6558 | printf("** There is no $SDH in this volume\n"); |
6559 | } while (entry && !done); |
6560 | if (count || errcnt) { |
6561 | printf("%d valid entries in $SDH\n",count); |
6562 | printf("%d errors in $SDH\n",errcnt); |
6563 | } |
6564 | return (errcnt); |
6565 | } |
6566 | |
6567 | /* |
6568 | * Audit summary |
6569 | */ |
6570 | |
6571 | void audit_summary() |
6572 | { |
6573 | int count; |
6574 | int flags; |
6575 | int cnt; |
6576 | int found; |
6577 | int i,j; |
6578 | |
6579 | count = 0; |
6580 | found = 0; |
6581 | if (opt_r) printf("Summary of security key use :\n"); |
6582 | for (i=0; i<(MAXSECURID + (1 << SECBLKSZ) - 1)/(1 << SECBLKSZ); i++) |
6583 | if (securdata[i]) |
6584 | for (j=0; j<(1 << SECBLKSZ); j++) { |
6585 | flags = securdata[i][j].flags & (INSDS1 + INSDS2 + INSII + INSDH); |
6586 | if (flags) found++; |
6587 | if (flags |
6588 | && (flags != (INSDS1 + INSDS2 + INSII + INSDH))) |
6589 | { |
6590 | if (!count && !opt_r) |
6591 | printf("\n** Keys not present in all files :\n"); |
6592 | cnt = securdata[i][j].filecount; |
6593 | if (opt_r) |
6594 | printf("Key 0x%x used by %d %s, not in", |
6595 | i*(1 << SECBLKSZ)+j,cnt, |
6596 | (cnt > 1 ? "files" : "file")); |
6597 | else |
6598 | printf("Key 0x%x not in", i*(1 << SECBLKSZ)+j); |
6599 | if (!(flags & INSDS1)) |
6600 | printf(" SDS-1"); |
6601 | if (!(flags & INSDS2)) |
6602 | printf(" SDS-2"); |
6603 | if (!(flags & INSII)) |
6604 | printf(" SII"); |
6605 | if (!(flags & INSDH)) |
6606 | printf(" SDH"); |
6607 | printf("\n"); |
6608 | count++; |
6609 | } else { |
6610 | cnt = securdata[i][j].filecount; |
6611 | if (opt_r && cnt) |
6612 | printf("Key 0x%x used by %d %s\n", |
6613 | i*(1 << SECBLKSZ)+j,cnt, |
6614 | (cnt > 1 ? "files" : "file")); |
6615 | } |
6616 | } |
6617 | if (found) { |
6618 | if (count) |
6619 | printf("%d keys not present in all lists\n",count); |
6620 | else |
6621 | printf("All keys are present in all lists\n"); |
6622 | } |
6623 | } |
6624 | |
6625 | /* |
6626 | * Auditing (Linux only) |
6627 | */ |
6628 | |
6629 | BOOL audit(const char *volume) |
6630 | { |
6631 | BOOL err; |
6632 | |
6633 | err = FALSE; |
6634 | if (!getuid() && open_security_api()) { |
6635 | if (open_volume(volume,NTFS_MNT_RDONLY)) { |
6636 | if (audit_sds(FALSE)) err = TRUE; |
6637 | if (audit_sds(TRUE)) err = TRUE; |
6638 | if (audit_sii()) err = TRUE; |
6639 | if (audit_sdh()) err = TRUE; |
6640 | if (opt_r) recurseshow("/"); |
6641 | |
6642 | audit_summary(); |
6643 | close_volume(volume); |
6644 | } |
6645 | else { |
6646 | fprintf(stderr,"Could not open volume %s\n",volume); |
6647 | printerror(stdout); |
6648 | err = TRUE; |
6649 | } |
6650 | close_security_api(); |
6651 | } |
6652 | else { |
6653 | if (getuid()) |
6654 | fprintf(stderr,"This is only possible as root\n"); |
6655 | else fprintf(stderr,"Could not open security API\n"); |
6656 | err = TRUE; |
6657 | } |
6658 | return (err); |
6659 | } |
6660 | |
6661 | #endif |
6662 | |
6663 | #if POSIXACLS |
6664 | |
6665 | /* |
6666 | * Encode a Posix ACL string |
6667 | * [d:]{ugmo}:uid[:perms],... |
6668 | */ |
6669 | |
6670 | struct POSIX_SECURITY *encode_posix_acl(const char *str) |
6671 | { |
6672 | int acccnt; |
6673 | int defcnt; |
6674 | int i,k,l; |
6675 | int c; |
6676 | s32 id; |
6677 | u16 perms; |
6678 | u16 apermsset; |
6679 | u16 dpermsset; |
6680 | u16 tag; |
6681 | u16 tagsset; |
6682 | mode_t mode; |
6683 | BOOL defacl; |
6684 | BOOL dmask; |
6685 | BOOL amask; |
6686 | const char *p; |
6687 | struct POSIX_ACL *acl; |
6688 | struct POSIX_SECURITY *pxdesc; |
6689 | enum { PXBEGIN, PXTAG, PXTAG1, PXID, PXID1, PXID2, |
6690 | PXPERM, PXPERM1, PXPERM2, PXOCT, PXNEXT, PXEND, PXERR |
6691 | } state; |
6692 | |
6693 | /* raw evaluation of ACE count */ |
6694 | p = str; |
6695 | amask = FALSE; |
6696 | dmask = FALSE; |
6697 | if (*p == 'd') { |
6698 | acccnt = 0; |
6699 | defcnt = 1; |
6700 | } else { |
6701 | if ((*p >= '0') && (*p <= '7')) |
6702 | acccnt = 0; |
6703 | else |
6704 | acccnt = 1; |
6705 | defcnt = 0; |
6706 | } |
6707 | while (*p) |
6708 | if (*p++ == ',') { |
6709 | if (*p == 'd') { |
6710 | defcnt++; |
6711 | if (p[1] && (p[2] == 'm')) |
6712 | dmask = TRUE; |
6713 | } else { |
6714 | acccnt++; |
6715 | if (*p == 'm') |
6716 | amask = TRUE; |
6717 | } |
6718 | } |
6719 | /* account for an implicit mask if none defined */ |
6720 | if (acccnt && !amask) |
6721 | acccnt++; |
6722 | if (defcnt && !dmask) |
6723 | defcnt++; |
6724 | pxdesc = (struct POSIX_SECURITY*)malloc(sizeof(struct POSIX_SECURITY) |
6725 | + (acccnt + defcnt)*sizeof(struct POSIX_ACE)); |
6726 | if (pxdesc) { |
6727 | pxdesc->acccnt = acccnt; |
6728 | pxdesc->firstdef = acccnt; |
6729 | pxdesc->defcnt = defcnt; |
6730 | acl = &pxdesc->acl; |
6731 | p = str; |
6732 | state = PXBEGIN; |
6733 | id = 0; |
6734 | defacl = FALSE; |
6735 | mode = 0; |
6736 | apermsset = 0; |
6737 | dpermsset = 0; |
6738 | tag = 0; |
6739 | perms = 0; |
6740 | k = l = 0; |
6741 | c = *p++; |
6742 | while ((state != PXEND) && (state != PXERR)) { |
6743 | switch (state) { |
6744 | case PXBEGIN : |
6745 | if (c == 'd') { |
6746 | defacl = TRUE; |
6747 | state = PXTAG1; |
6748 | break; |
6749 | } else |
6750 | if ((c >= '0') && (c <= '7')) { |
6751 | mode = c - '0'; |
6752 | state = PXOCT; |
6753 | break; |
6754 | } |
6755 | defacl = FALSE; |
6756 | /* fall through */ |
6757 | case PXTAG : |
6758 | switch (c) { |
6759 | case 'u' : |
6760 | tag = POSIX_ACL_USER; |
6761 | state = PXID; |
6762 | break; |
6763 | case 'g' : |
6764 | tag = POSIX_ACL_GROUP; |
6765 | state = PXID; |
6766 | break; |
6767 | case 'o' : |
6768 | tag = POSIX_ACL_OTHER; |
6769 | state = PXID; |
6770 | break; |
6771 | case 'm' : |
6772 | tag = POSIX_ACL_MASK; |
6773 | state = PXID; |
6774 | break; |
6775 | default : |
6776 | state = PXERR; |
6777 | break; |
6778 | } |
6779 | break; |
6780 | case PXTAG1 : |
6781 | if (c == ':') |
6782 | state = PXTAG; |
6783 | else |
6784 | state = PXERR; |
6785 | break; |
6786 | case PXID : |
6787 | if (c == ':') { |
6788 | if ((tag == POSIX_ACL_OTHER) |
6789 | || (tag == POSIX_ACL_MASK)) |
6790 | state = PXPERM; |
6791 | else |
6792 | state = PXID1; |
6793 | } else |
6794 | state = PXERR; |
6795 | break; |
6796 | case PXID1 : |
6797 | if ((c >= '0') && (c <= '9')) { |
6798 | id = c - '0'; |
6799 | state = PXID2; |
6800 | } else |
6801 | if (c == ':') { |
6802 | id = -1; |
6803 | if (tag == POSIX_ACL_USER) |
6804 | tag = POSIX_ACL_USER_OBJ; |
6805 | if (tag == POSIX_ACL_GROUP) |
6806 | tag = POSIX_ACL_GROUP_OBJ; |
6807 | state = PXPERM1; |
6808 | } else |
6809 | state = PXERR; |
6810 | break; |
6811 | case PXID2 : |
6812 | if ((c >= '0') && (c <= '9')) |
6813 | id = 10*id + c - '0'; |
6814 | else |
6815 | if (c == ':') |
6816 | state = PXPERM1; |
6817 | else |
6818 | state = PXERR; |
6819 | break; |
6820 | case PXPERM : |
6821 | if (c == ':') { |
6822 | id = -1; |
6823 | state = PXPERM1; |
6824 | } else |
6825 | state = PXERR; |
6826 | break; |
6827 | case PXPERM1 : |
6828 | if ((c >= '0') && (c <= '7')) { |
6829 | perms = c - '0'; |
6830 | state = PXNEXT; |
6831 | break; |
6832 | } |
6833 | state = PXPERM2; |
6834 | perms = 0; |
6835 | /* fall through */ |
6836 | case PXPERM2 : |
6837 | switch (c) { |
6838 | case 'r' : |
6839 | perms |= POSIX_PERM_R; |
6840 | break; |
6841 | case 'w' : |
6842 | perms |= POSIX_PERM_W; |
6843 | break; |
6844 | case 'x' : |
6845 | perms |= POSIX_PERM_X; |
6846 | break; |
6847 | case ',' : |
6848 | case '\0' : |
6849 | if (defacl) { |
6850 | i = acccnt + l++; |
6851 | dpermsset |= perms; |
6852 | } else { |
6853 | i = k++; |
6854 | apermsset |= perms; |
6855 | } |
6856 | acl->ace[i].tag = tag; |
6857 | acl->ace[i].perms = perms; |
6858 | acl->ace[i].id = id; |
6859 | if (c == '\0') |
6860 | state = PXEND; |
6861 | else |
6862 | state = PXBEGIN; |
6863 | break; |
6864 | } |
6865 | break; |
6866 | case PXNEXT : |
6867 | if (!c || (c == ',')) { |
6868 | if (defacl) { |
6869 | i = acccnt + l++; |
6870 | dpermsset |= perms; |
6871 | } else { |
6872 | i = k++; |
6873 | apermsset |= perms; |
6874 | } |
6875 | acl->ace[i].tag = tag; |
6876 | acl->ace[i].perms = perms; |
6877 | acl->ace[i].id = id; |
6878 | if (c == '\0') |
6879 | state = PXEND; |
6880 | else |
6881 | state = PXBEGIN; |
6882 | } else |
6883 | state = PXERR; |
6884 | break; |
6885 | case PXOCT : |
6886 | if ((c >= '0') && (c <= '7')) |
6887 | mode = (mode << 3) + c - '0'; |
6888 | else |
6889 | if (c == '\0') |
6890 | state = PXEND; |
6891 | else |
6892 | state = PXBEGIN; |
6893 | break; |
6894 | default : |
6895 | break; |
6896 | } |
6897 | c = *p++; |
6898 | } |
6899 | /* insert default mask if none defined */ |
6900 | if (acccnt && !amask) { |
6901 | i = k++; |
6902 | acl->ace[i].tag = POSIX_ACL_MASK; |
6903 | acl->ace[i].perms = apermsset; |
6904 | acl->ace[i].id = -1; |
6905 | } |
6906 | if (defcnt && !dmask) { |
6907 | i = acccnt + l++; |
6908 | acl->ace[i].tag = POSIX_ACL_MASK; |
6909 | acl->ace[i].perms = dpermsset; |
6910 | acl->ace[i].id = -1; |
6911 | } |
6912 | /* compute the mode and tagsset */ |
6913 | tagsset = 0; |
6914 | for (i=0; i<acccnt; i++) |
6915 | tagsset |= acl->ace[i].tag; |
6916 | switch (acl->ace[i].tag) { |
6917 | case POSIX_ACL_USER_OBJ : |
6918 | mode |= acl->ace[i].perms << 6; |
6919 | break; |
6920 | case POSIX_ACL_GROUP_OBJ : |
6921 | mode |= acl->ace[i].perms << 3; |
6922 | break; |
6923 | case POSIX_ACL_OTHER : |
6924 | mode |= acl->ace[i].perms; |
6925 | break; |
6926 | default : |
6927 | break; |
6928 | } |
6929 | pxdesc->mode = mode; |
6930 | pxdesc->tagsset = tagsset; |
6931 | pxdesc->acl.version = POSIX_VERSION; |
6932 | pxdesc->acl.flags = 0; |
6933 | pxdesc->acl.filler = 0; |
6934 | if (state != PXERR) |
6935 | ntfs_sort_posix(pxdesc); |
6936 | showposix(pxdesc); |
6937 | if ((state == PXERR) |
6938 | || (k != acccnt) |
6939 | || (l != defcnt) |
6940 | || !ntfs_valid_posix(pxdesc)) { |
6941 | if (~pxdesc->tagsset |
6942 | & (POSIX_ACL_USER_OBJ | POSIX_ACL_GROUP_OBJ | POSIX_ACL_OTHER)) |
6943 | fprintf(stderr,"User, group or other permissions missing\n"); |
6944 | else |
6945 | fprintf(stderr,"Bad ACL description\n"); |
6946 | free(pxdesc); |
6947 | pxdesc = (struct POSIX_SECURITY*)NULL; |
6948 | } else |
6949 | if (opt_v >= 2) { |
6950 | printf("Interpreted input description :\n"); |
6951 | showposix(pxdesc); |
6952 | } |
6953 | } else |
6954 | errno = ENOMEM; |
6955 | return (pxdesc); |
6956 | } |
6957 | |
6958 | #endif /* POSIXACLS */ |
6959 | |
6960 | |
6961 | int getoptions(int argc, char *argv[]) |
6962 | { |
6963 | int xarg; |
6964 | int narg; |
6965 | const char *parg; |
6966 | BOOL err; |
6967 | |
6968 | opt_a = FALSE; |
6969 | opt_b = FALSE; |
6970 | opt_e = FALSE; |
6971 | opt_h = FALSE; |
6972 | #if FORCEMASK |
6973 | opt_m = FALSE; |
6974 | #endif |
6975 | opt_r = FALSE; |
6976 | opt_s = FALSE; |
6977 | #if SELFTESTS & !USESTUBS |
6978 | opt_t = FALSE; |
6979 | #endif |
6980 | opt_u = FALSE; |
6981 | opt_v = 0; |
6982 | xarg = 1; |
6983 | err = FALSE; |
6984 | while ((xarg < argc) && (argv[xarg][0] == '-')) { |
6985 | parg = argv[xarg++]; |
6986 | while (*++parg) |
6987 | switch (*parg) |
6988 | { |
6989 | #ifndef WIN32 |
6990 | case 'a' : |
6991 | opt_a = TRUE; |
6992 | break; |
6993 | #endif |
6994 | case 'b' : |
6995 | opt_b = TRUE; |
6996 | break; |
6997 | case 'e' : |
6998 | opt_e = TRUE; |
6999 | break; |
7000 | case 'h' : |
7001 | opt_h = TRUE; |
7002 | break; |
7003 | #if FORCEMASK |
7004 | case 'm' : |
7005 | opt_m = TRUE; |
7006 | break; |
7007 | #endif |
7008 | case 'r' : |
7009 | case 'R' : |
7010 | opt_r = TRUE; |
7011 | break; |
7012 | case 's' : |
7013 | opt_s = TRUE; |
7014 | break; |
7015 | #if SELFTESTS & !USESTUBS |
7016 | case 't' : |
7017 | opt_t = TRUE; |
7018 | break; |
7019 | #endif |
7020 | case 'u' : |
7021 | opt_u = TRUE; |
7022 | break; |
7023 | case 'v' : |
7024 | opt_v++; |
7025 | break; |
7026 | default : |
7027 | fprintf(stderr,"Invalid option -%c\n",*parg); |
7028 | err = TRUE; |
7029 | } |
7030 | } |
7031 | narg = argc - xarg; |
7032 | #ifdef WIN32 |
7033 | if ( ((opt_h || opt_s) && (narg > 1)) |
7034 | || ((opt_r || opt_b || opt_u) && ((narg < 1) || (narg > 2))) |
7035 | #if SELFTESTS & !USESTUBS |
7036 | || (opt_t && (narg > 0)) |
7037 | #endif |
7038 | || (opt_e && !opt_s) |
7039 | || (!opt_h && !opt_r && !opt_b && !opt_s |
7040 | #if SELFTESTS & !USESTUBS |
7041 | && !opt_t |
7042 | #endif |
7043 | && ((narg < 1) || (narg > 2)))) |
7044 | |
7045 | err = TRUE; |
7046 | if (err) { |
7047 | xarg = 0; |
7048 | fprintf(stderr,"Usage:\n"); |
7049 | #if SELFTESTS & !USESTUBS |
7050 | fprintf(stderr," secaudit -t\n"); |
7051 | fprintf(stderr," run self-tests\n"); |
7052 | #endif |
7053 | fprintf(stderr," secaudit -h [file]\n"); |
7054 | fprintf(stderr," display security descriptors within file\n"); |
7055 | fprintf(stderr," secaudit [-v] file\n"); |
7056 | fprintf(stderr," display the security parameters of file\n"); |
7057 | fprintf(stderr," secaudit -r[v] directory\n"); |
7058 | fprintf(stderr," display the security parameters of files in directory\n"); |
7059 | fprintf(stderr," secaudit -b[v] directory\n"); |
7060 | fprintf(stderr," backup the security parameters of files in directory\n"); |
7061 | fprintf(stderr," secaudit -s[ev] [backupfile]\n"); |
7062 | fprintf(stderr," set the security parameters as indicated in backup file\n"); |
7063 | fprintf(stderr," with -e also set extra parameters (Windows attrib)\n"); |
7064 | fprintf(stderr," secaudit perms file\n"); |
7065 | fprintf(stderr," set the security parameters of file to perms\n"); |
7066 | fprintf(stderr," secaudit -r[v] perms directory\n"); |
7067 | fprintf(stderr," set the security parameters of files in directory to perms\n"); |
7068 | fprintf(stderr," secaudit -u file\n"); |
7069 | fprintf(stderr," get a user mapping proposal applicable to file\n"); |
7070 | #if POSIXACLS |
7071 | fprintf(stderr," Note: perms can be an octal mode or a Posix ACL description\n"); |
7072 | #else |
7073 | fprintf(stderr," Note: perms is an octal mode\n"); |
7074 | #endif |
7075 | fprintf(stderr," -v is for verbose, -vv for very verbose\n"); |
7076 | } |
7077 | #else |
7078 | if ( (opt_h && (narg > 1)) |
7079 | || (opt_a && (narg != 1)) |
7080 | || ((opt_r || opt_b || opt_s || opt_u) |
7081 | && ((narg < 1) || (narg > 3))) |
7082 | #if SELFTESTS & !USESTUBS |
7083 | || (opt_t && (narg > 0)) |
7084 | #endif |
7085 | || (opt_e && !opt_s) |
7086 | || (!opt_h && !opt_a && !opt_r && !opt_b && !opt_s && !opt_u |
7087 | #if SELFTESTS & !USESTUBS |
7088 | && !opt_t |
7089 | #endif |
7090 | #ifdef HAVE_SETXATTR |
7091 | && ((narg < 1) || (narg > 3)))) |
7092 | #else |
7093 | && ((narg < 2) || (narg > 3)))) |
7094 | #endif |
7095 | err = TRUE; |
7096 | if (err) { |
7097 | xarg = 0; |
7098 | fprintf(stderr,"Usage:\n"); |
7099 | #if SELFTESTS & !USESTUBS |
7100 | fprintf(stderr," secaudit -t\n"); |
7101 | fprintf(stderr," run self-tests\n"); |
7102 | #endif |
7103 | fprintf(stderr," secaudit -h [file]\n"); |
7104 | fprintf(stderr," display security descriptors within file\n"); |
7105 | fprintf(stderr," secaudit -a[rv] volume\n"); |
7106 | fprintf(stderr," audit the volume\n"); |
7107 | fprintf(stderr," secaudit [-v] volume file\n"); |
7108 | fprintf(stderr," display the security parameters of file\n"); |
7109 | fprintf(stderr," secaudit -r[v] volume directory\n"); |
7110 | fprintf(stderr," display the security parameters of files in directory\n"); |
7111 | fprintf(stderr," secaudit -b[v] volume directory\n"); |
7112 | fprintf(stderr," backup the security parameters of files in directory\n"); |
7113 | fprintf(stderr," secaudit -s[ev] volume [backupfile]\n"); |
7114 | fprintf(stderr," set the security parameters as indicated in backup file\n"); |
7115 | fprintf(stderr," with -e also set extra parameters (Windows attrib)\n"); |
7116 | fprintf(stderr," secaudit volume perms file\n"); |
7117 | fprintf(stderr," set the security parameters of file to perms\n"); |
7118 | fprintf(stderr," secaudit -r[v] volume perms directory\n"); |
7119 | fprintf(stderr," set the security parameters of files in directory to perms\n"); |
7120 | fprintf(stderr," secaudit -u volume file\n"); |
7121 | fprintf(stderr," get a user mapping proposal applicable to file\n"); |
7122 | #ifdef HAVE_SETXATTR |
7123 | fprintf(stderr," special cases, do not require being root :\n"); |
7124 | fprintf(stderr," secaudit -u mounted-file\n"); |
7125 | fprintf(stderr," get a user mapping proposal applicable to mounted file\n"); |
7126 | fprintf(stderr," secaudit [-v] mounted-file\n"); |
7127 | fprintf(stderr," display the security parameters of a mounted file\n"); |
7128 | #endif |
7129 | #if POSIXACLS |
7130 | fprintf(stderr," Note: perms can be an octal mode or a Posix ACL description\n"); |
7131 | #else |
7132 | fprintf(stderr," Note: perms is an octal mode\n"); |
7133 | #endif |
7134 | fprintf(stderr," -v is for verbose, -vv for very verbose\n"); |
7135 | } |
7136 | #endif |
7137 | if ((sizeof(SID) != 12) && !err) { |
7138 | fprintf(stderr,"Possible alignment problem, check your compiler options\n"); |
7139 | err = TRUE; |
7140 | xarg = 0; |
7141 | } |
7142 | return (xarg); |
7143 | } |
7144 | |
7145 | /* |
7146 | * Memory allocation with checks |
7147 | */ |
7148 | |
7149 | #undef malloc |
7150 | #undef calloc |
7151 | #undef free |
7152 | #undef isalloc |
7153 | |
7154 | void dumpalloc(const char *txt) |
7155 | { |
7156 | struct CHKALLOC *q; |
7157 | |
7158 | if (firstalloc) { |
7159 | printf("alloc table at %s\n",txt); |
7160 | for (q=firstalloc; q; q=q->next) |
7161 | printf("%08lx : %u bytes at %08lx allocated at %s line %d\n", |
7162 | (long)q,(unsigned int)q->size, |
7163 | (long)q->alloc,q->file,q->line); |
7164 | } |
7165 | } |
7166 | |
7167 | void *chkmalloc(size_t size, const char *file, int line) |
7168 | { |
7169 | void *p; |
7170 | struct CHKALLOC *q; |
7171 | |
7172 | p = (void*)malloc(size+1); |
7173 | if (p) { |
7174 | ((unsigned char*)p)[size] = 0xaa; |
7175 | q = (struct CHKALLOC*)malloc(sizeof(struct CHKALLOC)); |
7176 | if (q) { |
7177 | q->next = firstalloc; |
7178 | q->alloc = p; |
7179 | q->size = size; |
7180 | q->file = file; |
7181 | q->line = line; |
7182 | firstalloc = q; |
7183 | } |
7184 | } |
7185 | return (p); |
7186 | } |
7187 | |
7188 | void *chkcalloc(size_t cnt, size_t size, const char *file, int line) |
7189 | { |
7190 | return (chkmalloc(cnt*size,file,line)); |
7191 | } |
7192 | |
7193 | void chkfree(void *p, const char *file, int line) |
7194 | { |
7195 | struct CHKALLOC *q; |
7196 | struct CHKALLOC *r; |
7197 | |
7198 | if (p) { |
7199 | if (firstalloc && (firstalloc->alloc == p)) { |
7200 | r = firstalloc; |
7201 | firstalloc = firstalloc->next; |
7202 | } else { |
7203 | q = firstalloc; |
7204 | if (q) |
7205 | while (q->next && (q->next->alloc != p)) |
7206 | q = q->next; |
7207 | if (q && q->next) { |
7208 | r = q->next; |
7209 | q->next = r->next; |
7210 | } else { |
7211 | r = (struct CHKALLOC*)NULL; |
7212 | printf("** freeing unallocated memory in %s line %d\n",file,line); |
7213 | if (!isatty(1)) |
7214 | fprintf(stderr,"** freeing unallocated memory in %s line %d\n",file,line); |
7215 | } |
7216 | } |
7217 | if (r) { |
7218 | if (((unsigned char*)p)[r->size] != 0xaa) { |
7219 | printf("** memory corruption, alloc in %s line %d release in %s %d\n", |
7220 | r->file,r->line,file,line); |
7221 | if (!isatty(1)) |
7222 | fprintf(stderr,"** memory corruption, alloc in %s line %d release in %s %d\n", |
7223 | r->file,r->line,file,line); |
7224 | } |
7225 | memset(p,0xaa,r->size); |
7226 | free(r); |
7227 | free(p); |
7228 | } |
7229 | } |
7230 | } |
7231 | |
7232 | void *stdmalloc(size_t size) |
7233 | { |
7234 | return (malloc(size)); |
7235 | } |
7236 | |
7237 | void stdfree(void *p) |
7238 | { |
7239 | free(p); |
7240 | } |
7241 | |
7242 | BOOL chkisalloc(void *p, const char *file, int line) |
7243 | { |
7244 | struct CHKALLOC *q; |
7245 | |
7246 | if (p) { |
7247 | q = firstalloc; |
7248 | while (q && (q->alloc != p)) |
7249 | q = q->next; |
7250 | } else |
7251 | q = (struct CHKALLOC*)NULL; |
7252 | if (!p || !q) { |
7253 | printf("error in %s %d : 0x%lx not allocated\n",file,line,(long)p); |
7254 | } |
7255 | return (p && q); |
7256 | } |
7257 | |
7258 | |
7259 | |
7260 | |
7261 | #ifdef WIN32 |
7262 | |
7263 | /* |
7264 | * Windows version |
7265 | */ |
7266 | |
7267 | main(argc,argv) |
7268 | int argc; |
7269 | char *argv[]; |
7270 | { |
7271 | FILE *fd; |
7272 | int xarg; |
7273 | int mode; |
7274 | unsigned int size; |
7275 | BOOL cmderr; |
7276 | char *filename; |
7277 | const char *p; |
7278 | int i; |
7279 | #if POSIXACLS |
7280 | struct POSIX_SECURITY *pxdesc; |
7281 | #endif |
7282 | |
7283 | printf("%s\n",BANNER); |
7284 | cmderr = FALSE; |
7285 | errors = 0; |
7286 | warnings = 0; |
7287 | xarg = getoptions(argc,argv); |
7288 | if (xarg) { |
7289 | for (i=0; i<(MAXSECURID + (1 << SECBLKSZ) - 1)/(1 << SECBLKSZ); i++) |
7290 | securdata[i] = (struct SECURITY_DATA*)NULL; |
7291 | #if POSIXACLS |
7292 | context.mapping[MAPUSERS] = (struct MAPPING*)NULL; |
7293 | context.mapping[MAPGROUPS] = (struct MAPPING*)NULL; |
7294 | #endif |
7295 | firstalloc = (struct CHKALLOC*)NULL; |
7296 | mappingtype = MAPNONE; |
7297 | switch (argc - xarg) { |
7298 | case 0 : |
7299 | if (opt_h) |
7300 | showhex(stdin); |
7301 | else |
7302 | if (opt_s) |
7303 | restore(stdin); |
7304 | #if SELFTESTS & !USESTUBS |
7305 | if (opt_t) |
7306 | selftests(); |
7307 | #endif |
7308 | break; |
7309 | case 1 : |
7310 | if (opt_h || opt_s) { |
7311 | fd = fopen(argv[xarg],"r"); |
7312 | if (fd) { |
7313 | if (opt_h) |
7314 | showhex(fd); |
7315 | else |
7316 | restore(fd); |
7317 | fclose(fd); |
7318 | } else { |
7319 | fprintf(stderr,"Could not open %s\n",argv[xarg]); |
7320 | cmderr = TRUE; |
7321 | } |
7322 | } else { |
7323 | size = utf16size(argv[xarg]); |
7324 | if (size) { |
7325 | filename = (char*)malloc(2*size + 2); |
7326 | if (filename) { |
7327 | makeutf16(filename,argv[xarg]); |
7328 | if (opt_u) { |
7329 | cmderr = mapproposal(filename); |
7330 | } else { |
7331 | #if POSIXACLS |
7332 | if (local_build_mapping(context.mapping,filename)) { |
7333 | printf("*** Could not get user mapping data\n"); |
7334 | warnings++; |
7335 | } |
7336 | #endif |
7337 | if (opt_b) |
7338 | cmderr = backup(filename); |
7339 | else { |
7340 | if (opt_r) |
7341 | cmderr = listfiles(filename); |
7342 | else |
7343 | cmderr = singleshow(filename); |
7344 | } |
7345 | #if POSIXACLS |
7346 | ntfs_free_mapping(context.mapping); |
7347 | #endif |
7348 | } |
7349 | free(filename); |
7350 | } else { |
7351 | fprintf(stderr,"No more memory\n"); |
7352 | cmderr = TRUE; |
7353 | } |
7354 | } else { |
7355 | fprintf(stderr,"Bad UTF-8 name \"%s\"\n",argv[xarg]); |
7356 | cmderr = TRUE; |
7357 | } |
7358 | } |
7359 | break; |
7360 | case 2 : |
7361 | mode = 0; |
7362 | p = argv[xarg]; |
7363 | #if POSIXACLS |
7364 | pxdesc = encode_posix_acl(p); |
7365 | if (pxdesc) { |
7366 | size = utf16size(argv[xarg + 1]); |
7367 | if (size) { |
7368 | filename = (char*)malloc(2*size + 2); |
7369 | if (filename) { |
7370 | makeutf16(filename,argv[xarg + 1]); |
7371 | if (local_build_mapping(context.mapping,filename)) { |
7372 | printf("*** Could not get user mapping data\n"); |
7373 | warnings++; |
7374 | } |
7375 | if (opt_r) { |
7376 | for (i=0; i<(MAXSECURID + (1 << SECBLKSZ) - 1)/(1 << SECBLKSZ); i++) |
7377 | securdata[i] = (struct SECURITY_DATA*)NULL; |
7378 | recurseset_posix(filename,pxdesc); |
7379 | } else |
7380 | singleset_posix(filename,pxdesc); |
7381 | ntfs_free_mapping(context.mapping); |
7382 | free(filename); |
7383 | } else { |
7384 | fprintf(stderr,"No more memory\n"); |
7385 | cmderr = TRUE; |
7386 | } |
7387 | chkfree(pxdesc,__FILE__,__LINE__); |
7388 | } else { |
7389 | fprintf(stderr,"Bad UTF-8 name \"%s\"\n",argv[xarg + 1]); |
7390 | cmderr = TRUE; |
7391 | } |
7392 | } |
7393 | #else |
7394 | while ((*p >= '0') && (*p <= '7')) |
7395 | mode = (mode << 3) + (*p++) - '0'; |
7396 | if (*p) { |
7397 | fprintf(stderr,"New mode should be given in octal\n"); |
7398 | cmderr = TRUE; |
7399 | } else { |
7400 | size = utf16size(argv[xarg + 1]); |
7401 | if (size) { |
7402 | filename = (char*)malloc(2*size + 2); |
7403 | if (filename) { |
7404 | makeutf16(filename,argv[xarg + 1]); |
7405 | #if POSIXACLS |
7406 | if (local_build_mapping(&context,filename)) { |
7407 | printf("*** Could not get user mapping data\n"); |
7408 | warnings++; |
7409 | } |
7410 | #endif |
7411 | if (opt_r) { |
7412 | for (i=0; i<(MAXSECURID + (1 << SECBLKSZ) - 1)/(1 << SECBLKSZ); i++) |
7413 | securdata[i] = (struct SECURITY_DATA*)NULL; |
7414 | recurseset(filename,mode); |
7415 | } else |
7416 | singleset(filename,mode); |
7417 | free(filename); |
7418 | } else { |
7419 | fprintf(stderr,"No more memory\n"); |
7420 | cmderr = TRUE; |
7421 | } |
7422 | } else { |
7423 | fprintf(stderr,"Bad UTF-8 name \"%s\"\n",argv[xarg + 1]); |
7424 | cmderr = TRUE; |
7425 | } |
7426 | } |
7427 | #endif |
7428 | break; |
7429 | #if FORCEMASK |
7430 | case 3 : |
7431 | mode = 0; |
7432 | forcemsk = 0; |
7433 | p = argv[xarg]; |
7434 | while (*p) { |
7435 | if ((*p >= '0') && (*p <= '9')) |
7436 | forcemsk = (forcemsk << 4) + *p - '0'; |
7437 | else forcemsk = (forcemsk << 4) + (*p & 7) + 9; |
7438 | p++; |
7439 | } |
7440 | p = argv[xarg + 1]; |
7441 | while ((*p >= '0') && (*p <= '7')) |
7442 | mode = (mode << 3) + (*p++) - '0'; |
7443 | if (*p) { |
7444 | fprintf(stderr,"New mode should be given in octal\n"); |
7445 | cmderr = TRUE; |
7446 | } else { |
7447 | if (opt_r) { |
7448 | recurseset(argv[xarg + 2],mode); |
7449 | } |
7450 | else singleset(argv[xarg + 2],mode); |
7451 | } |
7452 | break; |
7453 | #endif |
7454 | } |
7455 | if (warnings) |
7456 | printf("** %u %s signalled\n",warnings, |
7457 | (warnings > 1 ? "warnings were" : "warning was")); |
7458 | if (errors) |
7459 | printf("** %u %s found\n",errors, |
7460 | (errors > 1 ? "errors were" : "error was")); |
7461 | else |
7462 | if (!cmderr) |
7463 | printf("No errors were found\n"); |
7464 | if (!isatty(1)) { |
7465 | fflush(stdout); |
7466 | if (warnings) |
7467 | fprintf(stderr,"** %u %s signalled\n",warnings, |
7468 | (warnings > 1 ? "warnings were" : "warning was")); |
7469 | if (errors) |
7470 | fprintf(stderr,"** %u %s found\n",errors, |
7471 | (errors > 1 ? "errors were" : "error was")); |
7472 | else |
7473 | fprintf(stderr,"No errors were found\n"); |
7474 | freeblocks(); |
7475 | } |
7476 | } |
7477 | dumpalloc("termination"); |
7478 | if (cmderr || errors) |
7479 | exit(1); |
7480 | return (0); |
7481 | } |
7482 | |
7483 | #else |
7484 | |
7485 | /* |
7486 | * Linux version |
7487 | */ |
7488 | |
7489 | int main(int argc, char *argv[]) |
7490 | { |
7491 | FILE *fd; |
7492 | const char *p; |
7493 | int xarg; |
7494 | BOOL cmderr; |
7495 | int i; |
7496 | #if POSIXACLS |
7497 | struct POSIX_SECURITY *pxdesc; |
7498 | #else |
7499 | unsigned int mode; |
7500 | #endif |
7501 | |
7502 | printf("%s\n",BANNER); |
7503 | cmderr = FALSE; |
7504 | errors = 0; |
7505 | warnings = 0; |
7506 | xarg = getoptions(argc,argv); |
7507 | if (xarg) { |
7508 | for (i=0; i<(MAXSECURID + (1 << SECBLKSZ) - 1)/(1 << SECBLKSZ); i++) |
7509 | securdata[i] = (struct SECURITY_DATA*)NULL; |
7510 | #if POSIXACLS |
7511 | context.mapping[MAPUSERS] = (struct MAPPING*)NULL; |
7512 | context.mapping[MAPGROUPS] = (struct MAPPING*)NULL; |
7513 | #endif |
7514 | firstalloc = (struct CHKALLOC*)NULL; |
7515 | mappingtype = MAPNONE; |
7516 | switch (argc - xarg) { |
7517 | case 0 : |
7518 | if (opt_h) |
7519 | showhex(stdin); |
7520 | #if SELFTESTS & !USESTUBS |
7521 | if (opt_t) |
7522 | selftests(); |
7523 | #endif |
7524 | break; |
7525 | case 1 : |
7526 | if (opt_a) |
7527 | cmderr = audit(argv[xarg]); |
7528 | else |
7529 | if (opt_h) { |
7530 | fd = fopen(argv[xarg],"rb"); |
7531 | if (fd) { |
7532 | showhex(fd); |
7533 | fclose(fd); |
7534 | } else { |
7535 | fprintf(stderr,"Could not open %s\n",argv[xarg]); |
7536 | cmderr = TRUE; |
7537 | } |
7538 | } else |
7539 | if (opt_b) |
7540 | cmderr = backup(argv[xarg],"/"); |
7541 | else |
7542 | if (opt_r) |
7543 | cmderr = listfiles(argv[xarg],"/"); |
7544 | else |
7545 | if (opt_s) |
7546 | cmderr = dorestore(argv[xarg],stdin); |
7547 | else |
7548 | cmderr = processmounted(argv[xarg]); |
7549 | break; |
7550 | case 2 : |
7551 | if (opt_b) |
7552 | cmderr = backup(argv[xarg],argv[xarg+1]); |
7553 | else |
7554 | if (opt_s) { |
7555 | fd = fopen(argv[xarg+1],"rb"); |
7556 | if (fd) { |
7557 | if (dorestore(argv[xarg],fd)) |
7558 | cmderr = TRUE; |
7559 | fclose(fd); |
7560 | } else { |
7561 | fprintf(stderr,"Could not open %s\n",argv[xarg]); |
7562 | cmderr = TRUE; |
7563 | } |
7564 | } else |
7565 | if (opt_u) |
7566 | cmderr = mapproposal(argv[xarg],argv[xarg+1]); |
7567 | else |
7568 | cmderr = listfiles(argv[xarg],argv[xarg+1]); |
7569 | break; |
7570 | case 3 : |
7571 | p = argv[xarg+1]; |
7572 | #if POSIXACLS |
7573 | pxdesc = encode_posix_acl(p); |
7574 | if (pxdesc) { |
7575 | if (!getuid() && open_security_api()) { |
7576 | if (open_volume(argv[xarg],NTFS_MNT_NONE)) { |
7577 | if (opt_r) { |
7578 | for (i=0; i<(MAXSECURID + (1 << SECBLKSZ) - 1)/(1 << SECBLKSZ); i++) |
7579 | securdata[i] = (struct SECURITY_DATA*)NULL; |
7580 | recurseset_posix(argv[xarg + 2],pxdesc); |
7581 | } else |
7582 | singleset_posix(argv[xarg + 2],pxdesc); |
7583 | close_volume(argv[xarg]); |
7584 | } else { |
7585 | fprintf(stderr,"Could not open volume %s\n",argv[xarg]); |
7586 | printerror(stderr); |
7587 | cmderr = TRUE; |
7588 | } |
7589 | close_security_api(); |
7590 | } else { |
7591 | if (getuid()) |
7592 | fprintf(stderr,"This is only possible as root\n"); |
7593 | else |
7594 | fprintf(stderr,"Could not open security API\n"); |
7595 | cmderr = TRUE; |
7596 | } |
7597 | chkfree(pxdesc,__FILE__,__LINE__); |
7598 | } else |
7599 | cmderr = TRUE; |
7600 | #else |
7601 | mode = 0; |
7602 | while ((*p >= '0') && (*p <= '7')) |
7603 | mode = (mode << 3) + (*p++) - '0'; |
7604 | if (*p) { |
7605 | fprintf(stderr,"New mode should be given in octal\n"); |
7606 | cmderr = TRUE; |
7607 | } else |
7608 | if (!getuid() && open_security_api()) { |
7609 | if (open_volume(argv[xarg],NTFS_MNT_NONE)) { |
7610 | if (opt_r) { |
7611 | for (i=0; i<(MAXSECURID + (1 << SECBLKSZ) - 1)/(1 << SECBLKSZ); i++) |
7612 | securdata[i] = (struct SECURITY_DATA*)NULL; |
7613 | recurseset(argv[xarg + 2],mode); |
7614 | } else |
7615 | singleset(argv[xarg + 2],mode); |
7616 | close_volume(argv[xarg]); |
7617 | } else { |
7618 | fprintf(stderr,"Could not open volume %s\n",argv[xarg]); |
7619 | printerror(stderr); |
7620 | cmderr = TRUE; |
7621 | } |
7622 | close_security_api(); |
7623 | } else { |
7624 | if (getuid()) |
7625 | fprintf(stderr,"This is only possible as root\n"); |
7626 | else |
7627 | fprintf(stderr,"Could not open security API\n"); |
7628 | cmderr = TRUE; |
7629 | } |
7630 | #endif |
7631 | break; |
7632 | } |
7633 | if (warnings) |
7634 | printf("** %u %s signalled\n",warnings, |
7635 | (warnings > 1 ? "warnings were" : "warning was")); |
7636 | if (errors) |
7637 | printf("** %u %s found\n",errors, |
7638 | (errors > 1 ? "errors were" : "error was")); |
7639 | else |
7640 | if (!cmderr) |
7641 | printf("No errors were found\n"); |
7642 | if (!isatty(1)) { |
7643 | fflush(stdout); |
7644 | if (warnings) |
7645 | fprintf(stderr,"** %u %s signalled\n",warnings, |
7646 | (warnings > 1 ? "warnings were" : "warning was")); |
7647 | if (errors) |
7648 | fprintf(stderr,"** %u %s found\n",errors, |
7649 | (errors > 1 ? "errors were" : "error was")); |
7650 | else |
7651 | if (!cmderr) |
7652 | fprintf(stderr,"No errors were found\n"); |
7653 | } |
7654 | freeblocks(); |
7655 | } else |
7656 | cmderr = TRUE; |
7657 | dumpalloc("termination"); |
7658 | if (cmderr || errors) |
7659 | exit(1); |
7660 | return (0); |
7661 | } |
7662 | |
7663 | #endif |
7664 |