Professional Documents
Culture Documents
*
Display and audit security attributes in an NTFS volume
*
* Copyright (c) 2007-2015 Jean-Pierre Andre
*
*
Options :
*
-a auditing security data
*
-b backing up NTFS ACLs
*
-e set extra backed-up parameters (in conjunction with -s)
*
-h displaying hexadecimal security descriptors within a file
*
-r recursing in a directory
*
-s setting backed-up NTFS ACLs
*
-u getting a user mapping proposal
*
-v verbose (very verbose if set twice)
*
also, if compile-time option is set
*
-t run internal tests (with no access to storage)
*
*
On Linux (being root, with volume not mounted) :
*
secaudit -h [file]
*
display the security descriptors found in file
*
secaudit -a[rv] volume
*
audit the volume
*
secaudit [-v] volume file
*
display the security parameters of file
*
secaudit -r[v] volume directory
*
display the security parameters of files in directory
*
secaudit -b[v] volume [directory]
*
backup the security parameters of files in directory
*
secaudit -s[ve] volume [backupfile]
*
set the security parameters as indicated in backup
*
with -e set extra parameters (Windows attrib)
*
secaudit volume perms file
*
set the security parameters of file to perms (mode or ac
l)
*
secaudit -r[v] volume perms directory
*
set the security parameters of files in directory to per
ms
*
special case, does not require being root :
*
secaudit [-v] mounted-file
*
display the security parameters of mounted file
*
*
*
On Windows (the volume being part of file name)
*
secaudit -h [file]
*
display the security descriptors found in file
*
secaudit [-v] file
*
display the security parameters of file
*
secaudit -r[v] directory
*
display the security parameters of files in directory
*
secaudit -b[v] directory
*
backup the security parameters of files in directory
*
secaudit -s[v] [backupfile]
*
set the security parameters as indicated in backup
*
with -e set extra parameters (Windows attrib)
*
secaudit perms file
*
set the security parameters of file to perms (mode or ac
l)
*
secaudit -r[v] perms directory
*
set the security parameters of files in directory to per
ms
*/
/*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
History
Nov 2007
- first version, by concatenating miscellaneous utilities
Jan 2008, version 1.0.1
- fixed mode displaying
- added a global severe errors count
Feb 2008, version 1.0.2
- implemented conversions for big-endian machines
Mar 2008, version 1.0.3
- avoided consistency checks on $Secure when there is no such file
Mar 2008, version 1.0.4
- changed ordering of ACE's
- changed representation for special flags
- defaulted to stdin for option -h
- added self tests (compile time option)
- fixed errors specific to big-endian computers
Apr 2008, version 1.1.0
- developped Posix ACLs to NTFS ACLs conversions
- developped NTFS ACLs backup and restore
Apr 2008, version 1.1.1
- fixed an error specific to big-endian computers
- checked hash value and fixed error report in restore
- improved display in showhex() and restore()
Apr 2008, version 1.1.2
- improved and fixed Posix ACLs to NTFS ACLs conversions
Apr 2008, version 1.1.3
- reenabled recursion for setting a new mode or ACL
- processed Unicode file names and displayed them as UTF-8
- allocated dynamically memory for file names when recursing
May 2008, version 1.1.4
- all Unicode/UTF-8 strings checked and processed
Jul 2008, version 1.1.5
- made Windows owner consistent with Linux owner when changing mode
- allowed owner change on Windows when it does not match Linux owner
- skipped currently unused code
Aug 2008, version 1.2.0
- processed \.NTFS-3G\UserMapping on Windows
- made use of user mappings through the security API or direct access
- fixed a bug in restore
- fixed UTF-8 conversions
Sep 2008, version 1.3.0
- split the code to have part of it shared with ntfs-3g library
- fixed testing for end of SDS block
- added samples checking in selftest for easier debugging
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*/
/*
*
*
*
*
*
*
*
*
*
*
* You should have received a copy of the GNU General Public License
* along with this program (in the main directory of the NTFS-3G
* distribution in the file COPYING); if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
/*
*
*/
GET_FILE_SECURITY "ntfs_get_file_security"
SET_FILE_SECURITY "ntfs_set_file_security"
GET_FILE_ATTRIBUTES "ntfs_get_file_attributes"
SET_FILE_ATTRIBUTES "ntfs_set_file_attributes"
READ_DIRECTORY "ntfs_read_directory"
READ_SDS "ntfs_read_sds"
READ_SII "ntfs_read_sii"
READ_SDH "ntfs_read_sdh"
GET_USER "ntfs_get_user"
GET_GROUP "ntfs_get_group"
GET_USID "ntfs_get_usid"
GET_GSID "ntfs_get_gsid"
INIT_FILE_SECURITY "ntfs_initialize_file_security"
LEAVE_FILE_SECURITY "ntfs_leave_file_security"
/*
*
*/
#include
#include
#include
#include
#include
#include
#include
#include
External declarations
<stdio.h>
<time.h>
<string.h>
<stdlib.h>
<sys/types.h>
<fcntl.h>
<errno.h>
<stdarg.h>
/*
* integration into secaudit, check whether Win3
2,
* may have to be adapted to compiler or somethi
ng else
*/
#ifndef WIN32
#if defined(__WIN32) | defined(__WIN32__) | defined(WNSC)
#define WIN32 1
#endif
#endif
/*
* integration into secaudit/Win32
*/
#ifdef WIN32
#include <windows.h>
#define __LITTLE_ENDIAN 1234
#define __BYTE_ORDER __LITTLE_ENDIAN
#else
/*
* integration into secaudit/STSC
*/
#ifdef STSC
#include <stat.h>
#undef __BYTE_ORDER
#define __BYTE_ORDER __BIG_ENDIAN
#else
/*
* integration into secaudit/Linux
*/
#include <sys/stat.h>
#ifdef HAVE_ENDIAN_H
#include <endian.h>
#endif
#ifdef HAVE_MACHINE_ENDIAN_H
#include <machine/endian.h>
#endif
#include <unistd.h>
#include <dlfcn.h>
#endif /* STSC */
#endif /* WIN32 */
#include "secaudit.h"
#ifndef WIN32
#ifndef STSC
#if !defined(HAVE_CONFIG_H) && POSIXACLS && !defined(__SVR4)
/* require <sys/xattr.h> if not integrated into ntfs-3g package */
#define HAVE_SETXATTR 1
#endif
#ifdef HAVE_CONFIG_H
#ifdef _FILE_OFFSET_BITS
#undef _FILE_OFFSET_BITS /* work around "_FILE_OFFSET_BITS" possibly already de
fined */
#endif
/* <sys/xattr.h> according to config.h if integrated into ntfs-3g package
*/
#include "config.h"
#ifdef const /* work around "const" possibly redefined in config.h */
#undef const
#endif
#ifndef POSIXACLS
#define POSIXACLS 0
#endif
#endif /* HAVE_CONFIG_H */
#ifdef HAVE_SETXATTR
#include <sys/xattr.h>
#else
#warning "The extended attribute package is not available"
#endif /* HAVE_SETXATTR */
#endif /* STSC */
#define NTFS_MNT_NONE 0
BOOL open_security_api(void);
BOOL close_security_api(void);
#ifndef WIN32
BOOL open_volume(const char*, unsigned long flags);
BOOL close_volume(const char*);
#endif
unsigned int get2l(const char*, int);
unsigned long get4l(const char*, int);
u64 get6l(const char*, int);
u64 get6h(const char*, int);
u64 get8l(const char*, int);
void set2l(char*, unsigned int);
void set4l(char*, unsigned long);
void hexdump(const char*, int, int);
u32 hash(const le32*, int);
unsigned int utf8size(const char*, int);
unsigned int makeutf8(char*, const char*, int);
unsigned int utf16size(const char*);
unsigned int makeutf16(char*, const char*);
unsigned int utf16len(const char*);
void printname(FILE*, const char*);
void printerror(FILE*);
BOOL guess_dir(const char*);
void showsid(const char*, int, const char*, int);
void showusid(const char*, int);
void showgsid(const char*, int);
void showownership(const char*);
struct LINK {
struct LINK *next;
char name[1];
} ;
struct CALLBACK {
struct LINK *head;
const char *dir;
} ;
int callback(struct CALLBACK *context, char *ntfsname,
int length, int type, long long pos, u64 mft_ref,
unsigned int dt_type);
#endif
/*
*
*/
Global constants
#define BANNER "secaudit " AUDT_VERSION " : NTFS security data auditing"
#if SELFTESTS & !USESTUBS
/*
*
*/
/*
*
*/
{
revision */
auth count */
/* base */
1st level */
0, 0, 0, 0, 0, 5,
/* base */
18, 0, 0, 0
/* 1st level */
};
static const SID *systemsid = (const SID*)systemsidbytes;
#endif
/*
*
*/
Global variables
BOOL opt_a;
/* audit security data */
BOOL opt_b;
/* backup NTFS ACLs */
BOOL opt_e;
/* restore extra (currently windows attribs) */
BOOL opt_h;
/* display an hexadecimal descriptor in a file */
BOOL opt_r;
/* recursively apply to subdirectories */
BOOL opt_s;
/* restore NTFS ACLs */
BOOL opt_u;
/* user mapping proposal */
#if SELFTESTS & !USESTUBS
BOOL opt_t;
/* run self-tests */
#endif
int opt_v; /* verbose or very verbose*/
struct SECURITY_DATA *securdata[(MAXSECURID + (1 << SECBLKSZ) - 1)/(1 << SECBLKS
Z)];
#if FORCEMASK
BOOL opt_m;
/* force a mask - dangerous */
u32 forcemsk /* mask to force */
#endif
unsigned int errors; /* number of severe errors */
unsigned int warnings; /* number of non-severe errors */
struct CHKALLOC *firstalloc;
struct SECURITY_CONTEXT context;
MAPTYPE mappingtype;
#ifdef STSC
#define static
#endif
#ifndef WIN32
void *ntfs_handle;
void *ntfs_context = (void*)NULL;
/*
*
*/
BOOL open_security_api(void)
{
#if USESTUBS | defined(STSC)
return (TRUE);
#else
char *error;
BOOL err;
const char *libfile;
err = TRUE;
libfile = getenv(ENVNTFS3G);
if (!libfile)
libfile = (sizeof(char*) == 8 ? LIBFILE64 : LIBFILE);
#ifdef __SVR4
/* do not override library functions by caller ones */
ntfs_handle = dlopen(libfile,RTLD_LAZY | RTLD_GROUP);
#else
ntfs_handle = dlopen(libfile,RTLD_LAZY);
#endif
if (ntfs_handle) {
ntfs_initialize_file_security = (type_initialize_file_security)
dlsym(ntfs_handle,INIT_FILE_SECURITY);
error = dlerror();
if (error)
fprintf(stderr," %s\n",error);
else {
ntfs_leave_file_security = (type_leave_file_security)
dlsym(ntfs_handle,LEAVE_FILE_SECURITY);
ntfs_get_file_security = (type_get_file_security)
dlsym(ntfs_handle,GET_FILE_SECURITY);
ntfs_set_file_security = (type_set_file_security)
dlsym(ntfs_handle,SET_FILE_SECURITY);
ntfs_get_file_attributes = (type_get_file_attributes)
dlsym(ntfs_handle,GET_FILE_ATTRIBUTES);
ntfs_set_file_attributes = (type_set_file_attributes)
dlsym(ntfs_handle,SET_FILE_ATTRIBUTES);
ntfs_read_directory = (type_read_directory)
dlsym(ntfs_handle,READ_DIRECTORY);
ntfs_read_sds = (type_read_sds)
dlsym(ntfs_handle,READ_SDS);
ntfs_read_sii = (type_read_sii)
dlsym(ntfs_handle,READ_SII);
ntfs_read_sdh = (type_read_sdh)
dlsym(ntfs_handle,READ_SDH);
ntfs_get_user = (type_get_user)
dlsym(ntfs_handle,GET_USER);
ntfs_get_group = (type_get_group)
dlsym(ntfs_handle,GET_GROUP);
ntfs_get_usid = (type_get_usid)
dlsym(ntfs_handle,GET_USID);
ntfs_get_gsid = (type_get_gsid)
dlsym(ntfs_handle,GET_GSID);
err = !ntfs_initialize_file_security
|| !ntfs_leave_file_security
|| !ntfs_get_file_security
|| !ntfs_set_file_security
|| !ntfs_get_file_attributes
|| !ntfs_set_file_attributes
|| !ntfs_read_directory
|| !ntfs_read_sds
|| !ntfs_read_sii
|| !ntfs_read_sdh
|| !ntfs_get_user
|| !ntfs_get_group
|| !ntfs_get_usid
|| !ntfs_get_gsid;
if (error)
fprintf(stderr,"ntfs-3g API not available\n");
}
} else {
return (r);
}
#endif /* WIN32 */
/*
*
*/
size = 0;
rem = 0;
state = BASE;
for (i=0; i<2*length; i+=2) {
switch (state) {
case BASE :
if (utf16[i+1] & 0xf8) {
if ((utf16[i+1] & 0xf8) == 0xd8) {
if (utf16[i+1] & 4)
state = ERR;
else {
utf8[size++] = 0xf0 + (utf16[i+1
] & 7)
+ ((utf16[i]
& 0xc0) == 0xc0);
utf8[size++] = 0x80 + (((utf16[i
] + 64) >> 2) & 63);
rem = utf16[i] & 3;
state = SURR;
}
} else {
#if NOREVBOM
if (((utf16[i+1] & 0xff) == 0xff)
&& ((utf16[i] & 0xfe) == 0xfe))
state = ERR;
else {
utf8[size++] = 0xe0 + ((utf16[i+
1] >> 4) & 15);
utf8[size++] = 0x80
+ ((utf16[i+1] & 15) <<
2)
+ ((utf16[i] >> 6) & 3);
utf8[size++] = 0x80 + (utf16[i]
& 63);
}
#else
utf8[size++] = 0xe0 + ((utf16[i+1] >> 4)
& 15);
utf8[size++] = 0x80
+ ((utf16[i+1] & 15) << 2)
+ ((utf16[i] >> 6) & 3);
utf8[size++] = 0x80 + (utf16[i] & 63);
#endif
}
} else
if ((utf16[i] & 0x80) || utf16[i+1]) {
utf8[size++] = 0xc0
+ ((utf16[i+1] & 15) << 2)
+ ((utf16[i] >> 6) & 3);
utf8[size++] = 0x80 + (utf16[i] & 63);
} else
utf8[size++] = utf16[i];
break;
case SURR :
if ((utf16[i+1] & 0xfc) == 0xdc) {
utf8[size++] = 0x80 + (rem << 4)
+ ((utf16[i+1] & 3) << 2)
+ ((utf16[i] >> 6) & 3);
utf8[size++] = 0x80 + (utf16[i] & 63);
state = BASE;
} else
state = ERR;
break;
case ERR :
break;
}
}
utf8[size] = 0;
if (state != BASE)
state = ERR;
return (state == ERR ? 0 : size);
}
#ifdef WIN32
/*
*
*
*
*/
state = ERR;
break;
case TWO :
if ((c & 0xc0) != 0x80)
state = ERR;
else {
size++;
state = BASE;
}
break;
case THREE :
if ((c & 0xc0) != 0x80)
state = ERR;
else
state = TWO;
break;
case THREE2 :
if ((c & 0xe0) != 0xa0)
state = ERR;
else
state = TWO;
break;
case THREE3 :
if ((c & 0xe0) != 0x80)
state = ERR;
else
state = TWO;
break;
case FOUR :
if ((((code << 6) + (c & 63)) > 0x10f)
|| (((code << 6) + (c & 63)) < 0x10))
state = ERR;
else {
size++;
state = THREE;
}
break;
case ERR :
break;
}
}
if (state != BASE) size = 0;
return (size);
}
/*
*
*
*
*
*/
p = utf8;
size = 0;
c = 0;
state = BASE;
while (*p) {
c = *p++ & 255;
switch (state) {
case BASE :
if (!(c & 0x80)) {
target[2*size] = c;
target[2*size + 1] = 0;
size++;
} else {
if (c < 0xc2)
state = ERR;
else
if (c < 0xe0) {
code = c & 31;
state = TWO;
} else
if (c < 0xf0) {
code = c & 15;
if (c == 0xe0)
state = THREE2;
else
if (c == 0xed)
state =
THREE3;
else
state =
THREE;
} else
if (c < 0xf8) {
code = c & 7;
state = FOUR;
} else
state = ERR;
}
break;
case TWO :
#if NOREVBOM
if (((c & 0xc0) != 0x80)
|| ((code == 0x3ff) && (c >= 0xbe)))
#else
if ((c & 0xc0) != 0x80)
#endif
state = ERR;
else {
target[2*size] = ((code & 3) << 6) + (c & 63);
target[2*size + 1] = ((code >> 2) & 255);
size++;
state = BASE;
}
break;
case THREE :
if ((c & 0xc0) != 0x80)
state = ERR;
else {
code = ((code & 15) << 6) + (c & 63);
state = TWO;
}
break;
case THREE2 :
if ((c & 0xe0) != 0xa0)
state = ERR;
else {
code = ((code & 15) << 6)
state = TWO;
}
break;
case THREE3 :
if ((c & 0xe0) != 0x80)
state = ERR;
else {
code = ((code & 15) << 6)
state = TWO;
}
break;
case FOUR :
if ((c & 0xc0) != 0x80)
state = ERR;
else {
code = (code << 6) + (c &
state = FOUR2;
}
break;
case FOUR2 :
if ((c & 0xc0) != 0x80)
state = ERR;
else {
code = (code << 6) + (c &
state = FOUR3;
}
break;
case FOUR3 :
if ((code > 0x43ff)
|| (code < 0x400)
|| ((c & 0xc0) != 0x80))
state = ERR;
else {
target[2*size] = ((code target[2*size+1] = 0xd8 +
+ (c & 63);
+ (c & 63);
63);
63);
) & 3);
target[2*size+2] = ((code & 3) << 6) + (c & 63);
target[2*size+3] = 0xdc + ((code >> 2) & 3);
size += 2;
state = BASE;
}
break;
case ERR :
break;
}
}
if (state != BASE)
size = 0;
target[2*size] = 0;
target[2*size + 1] = 0;
return (size);
}
fprintf(file,"Error %d : %s\n",err,txt);
else
fprintf(file,"Error %d\n",err);
#else
#ifdef STSC
if (errno) fprintf(file,"Error code %d\n",errno);
#else
if (errno) fprintf(file,"Error code %d : %s\n",errno,strerror(errno));
#endif
#endif
}
#ifndef HAVE_SYSLOG_H
/*
*
*/
Display a SID
See http://msdn2.microsoft.com/en-us/library/aa379649.aspx
*/
void showsid(const char *attr, int off, const char *prefix, int level)
{
int cnt;
int i;
BOOL known;
u64 auth;
unsigned long first;
unsigned long second;
unsigned long last;
char marker;
if (opt_b)
marker = '#';
else
marker = ' ';
cnt = attr[off+1] & 255;
auth = get6h(attr,off+2);
first = get4l(attr,off+8);
known = FALSE;
if ((attr[off] == 1) /* revision */
&& (auth < 100))
switch (cnt) {
case 0 : /* no level (error) */
break;
case 1 : /* single level */
switch (auth) {
case 0 :
if (first == 0) {
known = TRUE;
printf("%*cNull SID\n",-level,marker);
}
break;
case 1 :
if (first == 0) {
known = TRUE;
printf("%*cWorld SID\n",-level,marker);
}
break;
case 3 :
switch (first) {
case 0 :
known = TRUE;
printf("%*cCreator owner SID\n",-level,m
arker);
break;
case 1 :
known = TRUE;
printf("%*cCreator group SID\n",-level,m
arker);
break;
}
break;
case 5 :
switch (first) {
case 1 :
known = TRUE;
printf("%*cDialup SID\n",-level,marker);
break;
case 2 :
known = TRUE;
printf("%*cNetwork SID\n",-level,marker)
;
break;
case 3 :
known = TRUE;
printf("%*cBatch SID\n",-level,marker);
break;
case 4 :
known = TRUE;
printf("%*cInteractive SID\n",-level,mar
ker);
break;
case 6 :
known = TRUE;
printf("%*cService SID\n",-level,marker)
;
break;
case 7 :
known = TRUE;
printf("%*cAnonymous logon SID\n",-level
,marker);
break;
case 11 :
known = TRUE;
printf("%*cAuthenticated user SID\n",-le
vel,marker);
break;
case 13 :
known = TRUE;
printf("%*cLocal service SID\n",-level,m
arker);
break;
case 14 :
known = TRUE;
printf("%*cNetwork service SID\n",-level
,marker);
break;
case 18 :
known = TRUE;
printf("%*cNT System SID\n",-level,marke
r);
break;
}
break;
}
break;
case 2 : /* double level */
second = get4l(attr,off+12);
switch (auth) {
case 5 :
if (first == 32) {
known = TRUE;
switch (second) {
case 544 :
printf("%*cLocal admins SID\n",level,marker);
break;
case 545 :
printf("%llu",auth);
for (i=0; i<cnt; i++)
printf("-%lu",get4l(attr,off+8+4*i));
printf("\n");
}
void showusid(const char *attr, int level)
{
int off;
char marker;
if (opt_b)
marker = '#';
else
marker = ' ';
if (level)
printf("%*c",-level,marker);
printf("Owner SID\n");
off = get4l(attr,4);
showsid(attr,off,"O:",level+4);
}
void showgsid(const char *attr, int level)
{
int off;
char marker;
if (opt_b)
marker = '#';
else
marker = ' ';
if (level)
printf("%*c",-level,marker);
printf("Group SID\n");
off = get4l(attr,8);
showsid(attr,off,"G:",level+4);
}
void showownership(const char *attr)
{
#ifdef WIN32
char account[ACCOUNTSIZE];
BIGSID sidcopy;
SID_NAME_USE use;
unsigned long accountsz;
unsigned long domainsz;
#endif
enum { SHOWOWN, SHOWGRP, SHOWINT } shown;
const char *sid;
const char *prefix;
u64 auth;
int cnt;
int off;
int i;
for (shown=SHOWOWN; shown<=SHOWINT; shown++) {
switch (shown) {
case SHOWOWN :
off = get4l(attr,4);
sid = &attr[off];
printf("%*cflags
0x%x\n",-level-4,marker,flags);
if (flags & 1)
printf("%*c
owner is defaulted\n",-level-4,marker);
if (flags & 2)
printf("%*c
group is defaulted\n",-level-4,marker);
if (flags & 4)
printf("%*c
DACL present\n",-level-4,marker);
if (flags & 8)
printf("%*c
DACL is defaulted\n",-level-4,marker);
if (flags & 0x10)
printf("%*c
SACL present\n",-level-4,marker);
if (flags & 0x20)
printf("%*c
SACL is defaulted\n",-level-4,marker);
if (flags & 0x100)
printf("%*c
DACL inheritance is requested\n",-level-4,marker)
;
if (flags & 0x200)
printf("%*c
;
er);
er);
if (flags & 0x1000)
printf("%*c
evel-4,marker);
if (flags & 0x2000)
printf("%*c
evel-4,marker);
if (flags & 0x8000)
printf("%*c
if (flags & 0x43eb)
printf("%*c
printf("%*cOff
printf("%*cOff
printf("%*cOff
printf("%*cOff
USID
GSID
SACL
DACL
}
void showace(const char *attr, int off, int isdir, int level)
{
int flags;
u32 rights;
char marker;
if (opt_b)
marker = '#';
else
marker = ' ';
printf("%*ctype
%d\n",-level,marker,attr[off]);
switch (attr[off]) {
case 0 :
printf("%*cAccess allowed\n",-level-4,marker);
break;
case 1 :
printf("%*cAccess denied\n",-level-4,marker);
break;
case 2 :
printf("%*cSystem audit\n",-level-4,marker);
break;
default :
printf("%*cunknown\n",-level-4,marker);
break;
}
flags = attr[off+1] & 255;
printf("%*cflags
0x%x\n",-level,marker,flags);
if (flags & 1)
printf("%*cObject inherits ACE\n",-level-4,marker);
if (flags & 2)
printf("%*cContainer inherits ACE\n",-level-4,marker);
if (flags & 4)
printf("%*cDon\'t propagate inherits ACE\n",-level-4,marker);
if (flags & 8)
printf("%*cInherit only ACE\n",-level-4,marker);
if (flags & 0x10)
printf("%*cACE was inherited\n",-level-4,marker);
if (flags & 0x40)
printf("%*cAudit on success\n",-level-4,marker);
if (flags & 0x80)
printf("%*cAudit on failure\n",-level-4,marker);
printf("%*cSize
0x%x\n",-level,marker,get2l(attr,off+2));
rights = get4l(attr,off+4);
printf("%*cAcc rgts 0x%lx\n",-level,marker,(long)rights);
printf("%*cObj specific acc rgts 0x%lx\n",-level-4,marker,(long)rights &
65535);
if (isdir) /* a directory */ {
if (rights & 0x01)
printf("%*cList directory\n",-level-8,marker);
if (rights & 0x02)
printf("%*cAdd file\n",-level-8,marker);
if (rights & 0x04)
printf("%*cAdd subdirectory\n",-level-8,marker);
if (rights & 0x08)
printf("%*cRead EA\n",-level-8,marker);
if (rights & 0x10)
printf("%*cWrite EA\n",-level-8,marker);
if (rights & 0x20)
printf("%*cTraverse\n",-level-8,marker);
if (rights & 0x40)
printf("%*cDelete child\n",-level-8,marker);
if (rights & 0x80)
printf("%*cRead attributes\n",-level-8,marker);
if (rights & 0x100)
printf("%*cWrite attributes\n",-level-8,marker);
}
else {
/* see FILE_READ_DATA etc in winnt.h */
if (rights & 0x01)
printf("%*cRead data\n",-level-8,marker);
if (rights & 0x02)
printf("%*cWrite data\n",-level-8,marker);
if (rights & 0x04)
printf("%*cAppend data\n",-level-8,marker);
if (rights & 0x08)
printf("%*cRead EA\n",-level-8,marker);
}
printf("\n");
}
void showacl(const char *attr, int off, int isdir, int level)
{
int i;
int cnt;
int size;
int x;
char marker;
if (opt_b)
marker = '#';
else
marker = ' ';
size = get2l(attr,off+2);
printf("%*crevision %d\n",-level,marker,attr[off]);
printf("%*cACL size %d\n",-level,marker,size);
cnt = get2l(attr,off+4);
printf("%*cACE cnt %d\n",-level,marker,cnt);
x = 8;
for (i=0; (i<cnt) && (x < size); i++) {
printf("%*cACE %d at 0x%x\n",-level,marker,i + 1,off+x);
showace(attr,off + x,isdir,level+4);
x += get2l(attr,off + x + 2);
}
}
void showdacl(const char *attr, int isdir, int level)
{
int off;
char marker;
if (opt_b)
marker = '#';
else
marker = ' ';
off = get4l(attr,16);
if (off) {
if (level)
printf("%*c",-level,marker);
printf("DACL\n");
showacl(attr,off,isdir,level+4);
} else {
if (level)
printf("%*c",-level,marker);
printf("No DACL\n");
}
}
void showsacl(const char *attr, int isdir, int level)
{
int off;
char marker;
if (opt_b)
marker = '#';
else
printf("
flags 0x%02x\n",(int)acl->flags);
for (k=0; k<(acccnt + defcnt); k++) {
if (k < acccnt)
l = k;
else
l = firstdef + k - acccnt;
pxace = &acl->ace[l];
tag = pxace->tag;
perms = pxace->perms;
if (tag == POSIX_ACL_SPECIAL) {
txperm[0] = (perms & S_ISVTX ? 's' : '-');
txperm[1] = (perms & S_ISUID ? 'u' : '-');
txperm[2] = (perms & S_ISGID ? 'g' : '-');
} else {
txperm[0] = (perms & 4 ? 'r' : '-');
txperm[1] = (perms & 2 ? 'w' : '-');
txperm[2] = (perms & 1 ? 'x' : '-');
}
txperm[3] = 0;
if (k >= acccnt)
txtype = "default";
else
txtype = "access ";
switch (tag) {
case POSIX_ACL_USER :
txtag = "USER ";
break;
case POSIX_ACL_USER_OBJ :
txtag = "USR-O";
break;
case POSIX_ACL_GROUP :
txtag = "GROUP";
break;
case POSIX_ACL_GROUP_OBJ :
txtag = "GRP-O";
break;
case POSIX_ACL_MASK :
txtag = "MASK ";
break;
case POSIX_ACL_OTHER :
txtag = "OTHER";
break;
case POSIX_ACL_SPECIAL :
txtag = "SPECL";
break;
default :
txtag = "UNKWN";
break;
}
id = pxace->id;
printf("ace %d : %s %s %4ld perms 0%03o %s\n",
l,txtype,txtag,(long)id,
perms,txperm);
}
} else
printf("** NULL ACL\n");
}
#endif /* POSIXACLS */
*/
struct passwd *getpwnam(const char *user)
{
ntfs_log_error("Cannot interpret id \"%s\"", user);
ntfs_log_error("please use numeric uids in UserMapping file\n");
return ((struct passwd*)NULL);
}
/*
*
*/
}
#if SELFTESTS & !USESTUBS
/*
*
*/
MAPPING));
#else
groupmapping = (struct MAPPING*)ntfs_malloc(sizeof(struc
t MAPPING));
#endif
if (groupmapping) {
usermapping->sid = sid;
usermapping->xid = 0;
usermapping->next = (struct MAPPING*)NULL;
groupmapping->sid = sid;
groupmapping->xid = 0;
groupmapping->next = (struct MAPPING*)NULL;
mapping[MAPUSERS] = usermapping;
mapping[MAPGROUPS] = groupmapping;
res = 0;
}
}
}
return (res);
}
/*
*
*
*
*
*
*
*
*
*
*/
const_cpu_to_le32(DEFSECAUTH1), const_cpu_to_le32(DEFSECAUTH2),
const_cpu_to_le32(DEFSECAUTH3), const_cpu_to_le32(DEFSECBASE)
} ;
/* be sure not to map anything until done */
mapping[MAPUSERS] = (struct MAPPING*)NULL;
mapping[MAPGROUPS] = (struct MAPPING*)NULL;
if (usermap_path) {
#ifdef WIN32
/* TODO : check whether the device can store acls */
strcpy(mapfile,"x:\\" MAPDIR "\\" MAPFILE);
if (((const le16*)usermap_path)[1] == ':')
mapfile[0] = usermap_path[0];
else {
GetModuleFileName(NULL, currpath, 261);
mapfile[0] = currpath[0];
}
fd = open(mapfile,O_RDONLY);
#else
fd = 0;
mapfile = (char*)malloc(MAXFILENAME);
if (mapfile) {
/* build a full path to locate the mapping file */
if ((usermap_path[0] != '/')
&& getcwd(mapfile,MAXFILENAME)) {
strcat(mapfile,"/");
strcat(mapfile,usermap_path);
} else
strcpy(mapfile,usermap_path);
p = strrchr(mapfile,'/');
if (p)
do {
strcpy(p,"/" MAPDIR "/" MAPFILE);
fd = open(mapfile,O_RDONLY);
if (fd <= 0) {
*p = 0;
p = strrchr(mapfile,'/');
if (p == mapfile)
p = (char*)NULL;
}
} while ((fd <= 0) && p);
free(mapfile);
if (!p) {
printf("** Could not find the user mapping file\
n");
if (usermap_path[0] != '/')
printf(" Retry with full path of file\
n");
errors++;
}
}
#endif
if (fd > 0) {
firstitem = ntfs_read_mapping(basicread, (void*)&fd);
close(fd);
}
} else {
#if SELFTESTS & !USESTUBS
firstitem = ntfs_read_mapping(dummyread, (void*)NULL);
#endif
}
if (firstitem) {
usermapping = ntfs_do_user_mapping(firstitem);
groupmapping = ntfs_do_group_mapping(firstitem);
if (usermapping && groupmapping) {
mapping[MAPUSERS] = usermapping;
mapping[MAPGROUPS] = groupmapping;
} else
ntfs_log_error("There were no valid user or no valid gro
up\n");
/* now we can free the memory copy of input text */
/* and rely on internal representation */
while (firstitem) {
item = firstitem->next;
#if USESTUBS
stdfree(firstitem); /* allocated within library */
#else
free(firstitem);
#endif
firstitem = item;
}
} else {
do_default_mapping(mapping,(const SID*)&defmap);
}
if (mapping[MAPUSERS])
mappingtype = MAPLOCAL;
return (!mapping[MAPUSERS]);
}
/*
*
*/
*
*
*/
/*
*
*
*/
showownership(attr);
mode = linux_permissions(attr,isdir);
printf("Interpreted Unix mode 0%03o\n",mode);
#if POSIXACLS
/*
* Posix display not possible when user
* mapping is not available (option -h)
*/
if (mappingtype != MAPNONE) {
pxdesc = linux_permissions_posix(attr,isdir);
if (pxdesc) {
showposix(pxdesc);
free(pxdesc);
}
}
#endif
pos = 0;
}
if (isdump && !off)
pos = off;
/* line looks like an hexadecimal dump */
/* decode it into attribute */
if (isdump && (off == pos)) {
for (i=first+8; i<lth; i+=9) {
pattr = (le32*)&attr[pos];
v = getlsbhex(&line[i]);
*pattr = cpu_to_le32(v);
pos += 4;
}
}
/* display (full) current line */
if (lth) printf("! ");
for (i=0; i<lth; i++) {
c = line[i];
putchar(c);
}
while (!done && (c != '\n')) {
c = getc(fd);
if (c == EOF)
done = TRUE;
else
putchar(c);
}
} while (!done);
}
BOOL applyattr(const char *fullname, const char *attr,
BOOL withattr, int attrib, s32 key)
{
struct SECURITY_DATA *psecurdata;
const char *curattr;
char *newattr;
int selection;
BOOL bad;
BOOL badattrib;
BOOL err;
#ifdef WIN32
HANDLE htoken;
TOKEN_PRIVILEGES tkp;
#endif
err = FALSE;
psecurdata = (struct SECURITY_DATA*)NULL;
curattr = (const char*)NULL;
newattr = (char*)NULL;
if ((key > 0) && (key < MAXSECURID)) {
if (!securdata[key >> SECBLKSZ])
newblock(key);
if (securdata[key >> SECBLKSZ]) {
psecurdata = &securdata[key >> SECBLKSZ]
[key & ((1 << SECBLKSZ) - 1)];
}
}
/* If we have a usable attrib value. Try applying */
badattrib = FALSE;
if (opt_e && (attrib != INVALID_FILE_ATTRIBUTES)) {
#ifdef WIN32
badattrib = !SetFileAttributesW((LPCWSTR)fullname, attrib);
#else
badattrib = !ntfs_set_file_attributes(ntfs_context, fullname, at
trib);
#endif
if (badattrib) {
printf("** Could not set Windows attrib of ");
printname(stdout,fullname);
printf(" to 0x%x\n", attrib);
printerror(stdout);
warnings++;
}
}
if (withattr) {
if (psecurdata) {
newattr = (char*)malloc(ntfs_attr_size(attr));
if (newattr) {
memcpy(newattr,attr,ntfs_attr_size(attr));
psecurdata->attr = newattr;
}
}
curattr = attr;
} else
/*
* No explicit attr in backup, use attr defined
* previously for the same id
*/
if (psecurdata)
curattr = psecurdata->attr;
if (curattr) {
#ifdef WIN32
selection = OWNER_SECURITY_INFORMATION
| GROUP_SECURITY_INFORMATION
| DACL_SECURITY_INFORMATION;
if (OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &htoken))
{
if (LookupPrivilegeValue(NULL, SE_SECURITY_NAME,
&tkp.Privileges[0].Luid)) {
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENAB
LED;
if (AdjustTokenPrivileges(htoken, FALSE, &tkp, 0
, NULL, 0)) {
selection |= SACL_SECURITY_INFORMATION;
}
}
}
/* const missing from stupid prototype */
bad = !SetFileSecurityW((LPCWSTR)fullname,
selection, (PSECURITY_DESCRIPTOR)(LONG_PTR)curattr);
if (bad)
switch (GetLastError()) {
case 1307 :
case 1314 :
printf("** Could not set owner or SACL of ");
printname(stdout,fullname);
printf(", retrying with no owner or SACL setting
\n");
warnings++;
/* const missing from stupid prototype */
bad = !SetFileSecurityW((LPCWSTR)fullname,
selection & ~OWNER_SECURITY_INFORMATION
& ~SACL_SECURITY_INFORMATION,
(PSECURITY_DESCRIPTOR)
(LONG_PTR)curattr);
break;
default :
break;
}
/* Release privileges once we are done*/
if (selection ^ SACL_SECURITY_INFORMATION) {
tkp.Privileges[0].Attributes = 0;
AdjustTokenPrivileges(htoken, FALSE, &tkp, 0, NULL, 0);
}
#else
selection = OWNER_SECURITY_INFORMATION
| GROUP_SECURITY_INFORMATION
| DACL_SECURITY_INFORMATION
| SACL_SECURITY_INFORMATION;
bad = !ntfs_set_file_security(ntfs_context,fullname,
selection, (const char*)curattr);
#endif
if (bad) {
printf("** Could not set the ACL of ");
printname(stdout,fullname);
printf("\n");
printerror(stdout);
err = TRUE;
} else
if (opt_v) {
if (opt_e && !badattrib)
printf("ACL and attrib have been applied
to ");
else
printf("ACL has been applied to ");
printname(stdout,fullname);
printf("\n");
}
} else {
printf("** There was no valid ACL for ");
printname(stdout,fullname);
printf("\n");
err = TRUE;
}
return (!err);
}
/*
*
*/
line[lth++] = c;
} while (!done && (c != '\n') && (lth < (MAXFILENAME + 24)));
/* check whether this looks like an hexadecimal dump */
isdump = ishexdump(line, first, lth);
if (isdump) off = getmsbhex(&line[first]);
/* line is not an hexadecimal dump */
/* apply what we have in store */
if ((!isdump || !off) && pos && ntfs_valid_descr((char*)attr,pos
)) {
withattr = TRUE;
if (opt_v >= 2) {
printf("
ectory" : "file"));
showheader(attr,4);
showusid(attr,4);
showgsid(attr,4);
showdacl(attr,isdir,4);
showsacl(attr,isdir,4);
mode = linux_permissions(attr,isdir);
showownership(attr);
printf("Interpreted Unix mode 0%03o\n",mode);
}
pos = 0;
}
if (isdump && !off)
pos = off;
/* line looks like an hexadecimal dump */
/* decode it into attribute */
if (isdump && (off == pos)) {
for (i=first+8; i<lth; i+=9) {
pattr = (le32*)&attr[pos];
v = getlsbhex(&line[i]);
*pattr = cpu_to_le32(v);
pos += 4;
}
}
/* display (full) current line unless dump or verbose */
if (!isdump || opt_v) {
if(lth) printf("! ");
for (i=0; i<lth; i++) {
c = line[i];
putchar(c);
}
}
while (!done && (c != '\n')) {
c = getc(fd);
if (c == EOF)
done = TRUE;
else
if (!isdump || opt_v)
putchar(c);
}
line[lth] = 0;
while ((lth > 0)
&& ((line[lth-1] == '\n') || (line[lth-1] == '\r')))
line[--lth] = 0;
if (!strncmp(line,"Computed hash : 0x",18))
oldhash = getmsbhex(&line[18]);
if (!strncmp(line,"Security key : 0x",17))
key = getmsbhex(&line[17]);
if (!strncmp(line,"Windows attrib : 0x",19))
attrib = getmsbhex(&line[19]);
if (done
|| !strncmp(line,"File ",5)
|| !strncmp(line,"Directory ",10)) {
/*
* New file or directory (or end of file) :
* apply attribute just collected
* or apply attribute defined from current key
*/
if (withattr
&& oldhash
&& (hash((const le32*)attr,ntfs_attr_size(attr)) !=
oldhash)) {
printf("** ACL rejected, its hash is not as expe
cted\n");
errors++;
} else
if (fullname[0]) {
phead = (SECURITY_DESCRIPTOR_RELATIVE*)a
ttr;
/* set the request for auto-inheritance
*/
if (phead->control & SE_DACL_AUTO_INHERI
TED)
phead->control |= SE_DACL_AUTO_I
NHERIT_REQ;
if (!applyattr(fullname,attr,withattr,
attrib,key))
errors++;
else
count++;
}
/* save current file or directory name */
withattr = FALSE;
key = 0;
oldhash = 0;
attrib = INVALID_FILE_ATTRIBUTES;
if (!done) {
#ifdef WIN32
if (!strncmp(line,"File ",5))
makeutf16(fullname,&line[5]);
else
makeutf16(fullname,&line[10]);
#else
if (!strncmp(line,"File ",5))
strcpy(fullname,&line[5]);
else
strcpy(fullname,&line[10]);
#endif
}
}
} while (!done);
printf("%d ACLs have been applied\n",count);
return (FALSE);
}
/*
*
*/
#ifdef WIN32
#else
BOOL dorestore(const char *volume, FILE *fd)
{
BOOL err;
err = FALSE;
if (!getuid()) {
if (open_security_api()) {
if (open_volume(volume,NTFS_MNT_NONE)) {
if (restore(fd)) err = TRUE;
close_volume(volume);
} else {
fprintf(stderr,"Could not open volume %s\n",volu
me);
printerror(stderr);
err = TRUE;
}
close_security_api();
} else {
fprintf(stderr,"Could not open security API\n");
printerror(stderr);
err = TRUE;
}
} else {
fprintf(stderr,"Restore is only possible as root\n");
err = TRUE;
}
return (err);
}
#endif /* WIN32 */
#if POSIXACLS & SELFTESTS & !USESTUBS
/*
*
Merge Posix ACL rights into an u32 (self test only)
*
*
Result format : -----rwxrwxrwxrwxrwx---rwxrwxrwx
*
U1 U2 G1 G2 M
o g w
*
*
Only two users (U1, U2) and two groups (G1, G2) taken into account
*/
u32 merge_rights(const struct POSIX_SECURITY *pxdesc, BOOL def)
{
const struct POSIX_ACE *pxace;
int i;
int users;
int groups;
int first;
int last;
u32 rights;
rights = 0;
users = 0;
groups = 0;
if (def) {
first = pxdesc->firstdef;
last = pxdesc->firstdef + pxdesc->defcnt - 1;
} else {
first = 0;
last = pxdesc->acccnt - 1;
}
pxace = pxdesc->acl.ace;
for (i=first; i<=last; i++) {
switch (pxace[i].tag) {
case POSIX_ACL_USER_OBJ :
rights |= (pxace[i].perms & 7) << 6;
break;
case POSIX_ACL_USER :
if (users < 2)
rights |= ((u32)pxace[i].perms & 7) << (24 - 3*u
sers);
users++;
break;
case POSIX_ACL_GROUP_OBJ :
rights |= (pxace[i].perms & 7) << 3;
break;
case POSIX_ACL_GROUP :
if (groups < 2)
rights |= ((u32)pxace[i].perms & 7) << (18 - 3*g
roups);
groups++;
break;
case POSIX_ACL_MASK :
rights |= ((u32)pxace[i].perms & 7) << 12;
break;
case POSIX_ACL_OTHER :
rights |= (pxace[i].perms & 7);
break;
default :
break;
}
}
return (rights);
}
void tryposix(struct POSIX_SECURITY *pxdesc)
{
le32 owner_sid[] = /* S-1-5-21-3141592653-589793238-462843383-1016 */
{
const_cpu_to_le32(0x501), const_cpu_to_le32(0x05000000),
const_cpu_to_le32(21), const_cpu_to_le32(DEFSECAUTH1),
const_cpu_to_le32(DEFSECAUTH2), const_cpu_to_le32(DEFSECAUTH3),
const_cpu_to_le32(1016)
} ;
le32 group_sid[] = /* S-1-5-21-3141592653-589793238-462843383-513 */
{
const_cpu_to_le32(0x501), const_cpu_to_le32(0x05000000),
const_cpu_to_le32(21), const_cpu_to_le32(DEFSECAUTH1),
const_cpu_to_le32(DEFSECAUTH2), const_cpu_to_le32(DEFSECAUTH3),
const_cpu_to_le32(513)
} ;
char *attr;
BOOL isdir;
mode_t mode;
struct POSIX_SECURITY *newpxdesc;
struct POSIX_SECURITY *oldpxdesc;
static char *oldattr = (char*)NULL;
isdir = FALSE;
if (oldattr) {
oldpxdesc = linux_permissions_posix(oldattr, isdir);
newpxdesc = ntfs_merge_descr_posix(pxdesc, oldpxdesc);
if (!newpxdesc)
newpxdesc = pxdesc;
free(oldpxdesc);
if (opt_v) {
printf("merged descriptors :\n");
showposix(newpxdesc);
}
} else
newpxdesc = pxdesc;
attr = ntfs_build_descr_posix(context.mapping,newpxdesc,
isdir,(SID*)owner_sid,(SID*)group_sid);
if (attr && ntfs_valid_descr(attr, ntfs_attr_size(attr))) {
if (opt_v)
hexdump(attr,ntfs_attr_size(attr),8);
if (opt_v >= 2) {
showheader(attr,4);
showusid(attr,4);
showgsid(attr,4);
showdacl(attr,isdir,4);
showsacl(attr,isdir,4);
mode = linux_permissions(attr,isdir);
printf("Interpreted Unix mode 0%03o\n",mode);
printf("Interpreted back Posix descriptor :\n");
newpxdesc = linux_permissions_posix(attr,isdir);
showposix(newpxdesc);
free(newpxdesc);
}
if (oldattr) free(oldattr);
oldattr = attr;
}
}
static BOOL same_posix(struct POSIX_SECURITY *pxdesc1,
struct POSIX_SECURITY *pxdesc2)
{
BOOL same;
int i;
same = pxdesc1
&& pxdesc2
&& (pxdesc1->mode == pxdesc2->mode)
&& (pxdesc1->acccnt == pxdesc2->acccnt)
&& (pxdesc1->defcnt == pxdesc2->defcnt)
&& (pxdesc1->firstdef == pxdesc2->firstdef)
&& (pxdesc1->tagsset == pxdesc2->tagsset)
&& (pxdesc1->acl.version == pxdesc2->acl.version)
&& (pxdesc1->acl.flags == pxdesc2->acl.flags);
i = 0;
while (same && (i < pxdesc1->acccnt)) {
= ntfs_sid_size(usid);
= 0;
= ntfs_sid_size(gsid);
= 0;
+ usidsz + gsidsz
+ sizeof(ACL)
+ cnt*40;
attr = (char*)ntfs_malloc(attrsz);
if (attr) {
/* build the main header part */
pnhead = (SECURITY_DESCRIPTOR_RELATIVE*) attr;
pnhead->revision = SECURITY_DESCRIPTOR_REVISION;
pnhead->alignment = 0;
/*
* The flag SE_DACL_PROTECTED prevents the ACL
* to be changed in an inheritance after creation
*/
pnhead->control = SE_DACL_PRESENT | SE_DACL_PROTECTED
| SE_SELF_RELATIVE;
/*
* Windows prefers ACL first, do the same to
* get the same hash value and avoid duplication
*/
/* build the ACL header */
pos = sizeof(SECURITY_DESCRIPTOR_RELATIVE);
pacl = (ACL*)&attr[pos];
pacl->revision = ACL_REVISION;
pacl->alignment1 = 0;
pacl->size = const_cpu_to_le16(0); /* fixed later */
pacl->ace_count = cpu_to_le16(cnt);
pacl->alignment2 = const_cpu_to_le16(0);
/* enter the ACEs */
pos += sizeof(ACL);
aclsz = sizeof(ACL);
va_start(ap,cnt);
for (i=0; i<cnt; i++) {
pace = (ACCESS_ALLOWED_ACE*)&attr[pos];
allow = va_arg(ap,int);
sid = va_arg(ap,SID*);
flags = va_arg(ap,int);
umask = va_arg(ap,u32);
mask = cpu_to_le32(umask);
sidsz = ntfs_sid_size(sid);
pace->type = (allow ? ACCESS_ALLOWED_ACE_TYPE : ACCESS_D
ENIED_ACE_TYPE);
pace->flags = flags;
pace->size = cpu_to_le16(sidsz + 8);
pace->mask = mask;
memcpy(&pace->sid,sid,sidsz);
aclsz += sidsz + 8;
pos += sidsz + 8;
}
va_end(ap);
/* append usid and gsid if defined */
/* positions of ACL, USID and GSID into header */
pnhead->owner = const_cpu_to_le32(0);
pnhead->group = const_cpu_to_le32(0);
if (usid) {
memcpy(&attr[pos], usid, usidsz);
pnhead->owner = cpu_to_le32(pos);
}
if (gsid) {
memcpy(&attr[pos + usidsz], gsid, gsidsz);
pnhead->group = cpu_to_le32(pos + usidsz);
}
/* positions of DACL and SACL into header */
pnhead->sacl = const_cpu_to_le32(0);
if (cnt) {
pacl->size = cpu_to_le16(aclsz);
pnhead->dacl =
const_cpu_to_le32(sizeof(
SECURITY_DESCRIPTOR_RELATIVE));
} else
pnhead->dacl = const_cpu_to_le32(0);
if (!ntfs_valid_descr(attr,pos+usidsz+gsidsz)) {
printf("** Bad sample descriptor\n");
free(attr);
attr = (char*)NULL;
errors++;
}
} else
errno = ENOMEM;
return (attr);
}
/*
*
*/
void check_samples()
{
char *descr = (char*)NULL;
BOOL isdir = FALSE;
mode_t perms;
mode_t expect = 0;
int cnt;
u32 expectacc;
u32 expectdef;
#if POSIXACLS
u32 accrights;
u32 defrights;
mode_t mixmode;
struct POSIX_SECURITY *pxdesc;
struct POSIX_SECURITY *pxsample;
const char *txsample;
#endif
le32 owner1[] = /* S-1-5-21-1833069642-4243175381-1340018762-1003 */
{
const_cpu_to_le32(0x501), const_cpu_to_le32(0x05000000),
const_cpu_to_le32(21), const_cpu_to_le32(1833069642),
const_cpu_to_le32(4243175381), const_cpu_to_le32(1340018762),
const_cpu_to_le32(1003)
} ;
le32 group1[] = /* S-1-5-21-1833069642-4243175381-1340018762-513 */
{
const_cpu_to_le32(0x501), const_cpu_to_le32(0x05000000),
const_cpu_to_le32(21), const_cpu_to_le32(1833069642),
const_cpu_to_le32(4243175381), const_cpu_to_le32(1340018762),
const_cpu_to_le32(513)
} ;
} sampletry4 =
{
{ 0140, 8, 0, 8, 0x3f,
{ POSIX_VERSION, 0, 0 }
},
{
{ 1, 1, -1 },
{ 2, 3, 516 },
{ 2, 6, 1000 },
{ 4, 1, -1 },
{ 8, 6, 500 },
{ 8, 3, 1002 },
{ 16, 4, -1 },
{ 32, 0, -1 }
}
} ;
struct {
struct POSIX_SECURITY head;
struct POSIX_ACE ace[6];
} sampletry5 =
{
{ 0454, 6, 0, 6, 0x3f,
{ POSIX_VERSION, 0, 0 }
},
{
{ 1, 4, -1 },
{ 2, 5, 516 },
{ 4, 4, -1 },
{ 8, 6, 500 },
{ 16, 5, -1 },
{ 32, 4, -1 }
}
} ;
struct {
struct POSIX_SECURITY head;
struct POSIX_ACE ace[8];
} sampletry6 =
{
{ 0332, 8, 0, 8, 0x3f,
{ POSIX_VERSION, 0, 0 }
},
{
{ 1, 3, -1 },
{ 2, 1, 0 },
{ 2, 2, 1000 },
{ 4, 6, -1 },
{ 8, 4, 0 },
{ 8, 5, 1002 },
{ 16, 3, -1 },
{ 32, 2, -1 }
}
} ;
struct {
struct POSIX_SECURITY head;
struct POSIX_ACE ace[4];
} sampletry8 =
{
{ 0677, 4, 0, 4, 0x35,
{ POSIX_VERSION, 0, 0 }
},
{
{ 1, 6, -1 },
{ 4, 7, -1 },
{ 16, 7, -1 },
{ 32, 7, -1 }
}
} ;
#endif /* POSIXACLS */
#if POSIXACLS
for (cnt=1; cnt<=8; cnt++) {
switch (cnt) {
case 1 :
pxsample = &sampletry1.head;
txsample = "sampletry1-a";
isdir = FALSE;
descr = ntfs_build_descr_posix(context.mapping,&sampletr
y1.head,
isdir, (const SID*)owner3, (const SID*)group3);
break;
case 2 :
pxsample = &sampletry1.head;
txsample = "sampletry1-b";
isdir = FALSE;
descr = ntfs_build_descr_posix(context.mapping,&sampletr
y1.head,
isdir, (const SID*)adminsid, (const SID*)group3)
;
break;
case 3 :
isdir = FALSE;
pxsample = &sampletry3.head;
txsample = "sampletry3";
descr = ntfs_build_descr_posix(context.mapping,pxsample,
isdir, (const SID*)group3, (const SID*)group3);
break;
case 4 :
isdir = FALSE;
pxsample = &sampletry4.head;
txsample = "sampletry4";
descr = ntfs_build_descr_posix(context.mapping,pxsample,
isdir, (const SID*)owner3, (const SID*)group3);
break;
case 5 :
isdir = FALSE;
pxsample = &sampletry5.head;
txsample = "sampletry5";
descr = ntfs_build_descr_posix(context.mapping,pxsample,
isdir, (const SID*)owner3, (const SID*)group3);
break;
case 6 :
isdir = FALSE;
pxsample = &sampletry6.head;
txsample = "sampletry6-a";
descr = ntfs_build_descr_posix(context.mapping,pxsample,
roup2,
2,
(int)TRUE, worldsid, (int)0x0, (u32)0x1f01ff,
(int)TRUE, worldsid, (int)0xb, (u32)0x1f01ff);
expectacc = expect = 0777;
expectdef = 0777;
break;
case 3 : /* Dr Watson */
isdir = TRUE;
descr = build_dummy_descr(isdir, (const SID*)owner3, (co
nst SID*)group3,
0);
expectacc = expect = 0700;
expectdef = 0;
break;
case 4 :
isdir = FALSE;
descr = build_dummy_descr(isdir,
(const SID*)owner3, (const SID*)group3,
4,
(int)TRUE, (const SID*)owner3, 0,
le32_to_cpu(FILE_READ_DATA | OWNER_RIGHT
S),
(int)TRUE, (const SID*)group3, 0,
le32_to_cpu(FILE_WRITE_DATA),
(int)TRUE, (const SID*)group2, 0,
le32_to_cpu(FILE_WRITE_DATA | FILE_READ_
DATA),
(int)TRUE, (const SID*)worldsid, 0,
le32_to_cpu(FILE_EXECUTE));
expect = 0731;
expectacc = 07070731;
expectdef = 0;
break;
case 5 : /* Vista/JP */
isdir = TRUE;
descr = build_dummy_descr(isdir, systemsid, systemsid,
6,
(int)TRUE, owner1, (int)0x0, (u32)0x1f01ff,
(int)TRUE, systemsid, (int)0x0, (u32)0x1f01ff,
(int)TRUE, adminsid, (int)0x0, (u32)0x1f01ff,
(int)TRUE, owner1, (int)0xb, (u32)0x10000000,
(int)TRUE, systemsid, (int)0xb, (u32)0x10000000,
(int)TRUE, adminsid, (int)0xb, (u32)0x10000000);
expectacc = expect = 0700;
expectdef = 0700;
break;
case 6 : /* Vista/JP2 */
isdir = TRUE;
descr = build_dummy_descr(isdir, systemsid, systemsid,
7,
(int)TRUE, owner1,
(int)0x0, (u32)0x1f01ff,
(int)TRUE, systemsid, (int)0x0, (u32)0x1f01ff,
(int)TRUE, adminsid, (int)0x0, (u32)0x1f01ff,
(int)TRUE, owner1,
(int)0xb, (u32)0x1f01ff,
(int)TRUE, systemsid, (int)0xb, (u32)0x1f01ff,
(int)TRUE, adminsid, (int)0xb, (u32)0x1f01ff,
(int)TRUE, owner3,
(int)0x3, (u32)0x1200a9);
expectacc = 0500070700;
expectdef = 0700;
expect = 0700;
break;
case 7 : /* WinXP/JP */
isdir = TRUE;
descr = build_dummy_descr(isdir, adminsid, systemsid,
6,
(int)TRUE, owner1, (int)0x0, (u32)0x1f01ff,
(int)TRUE, systemsid, (int)0x0, (u32)0x1f01ff,
(int)TRUE, adminsid, (int)0x0, (u32)0x1f01ff,
(int)TRUE, owner1, (int)0xb, (u32)0x10000000,
(int)TRUE, systemsid, (int)0xb, (u32)0x10000000,
(int)TRUE, adminsid, (int)0xb, (u32)0x10000000);
expectacc = expect = 0700;
expectdef = 0700;
break;
case 8 : /* WinXP/JP2 */
isdir = TRUE;
descr = build_dummy_descr(isdir, adminsid, systemsid,
6,
(int)TRUE, owner1,
(int)0x0, (u32)0x1f01ff,
(int)TRUE, systemsid, (int)0x0, (u32)0x1f01ff,
(int)TRUE, adminsid, (int)0x0, (u32)0x1f01ff,
(int)TRUE, owner1,
(int)0xb, (u32)0x10000000,
(int)TRUE, systemsid, (int)0xb, (u32)0x10000000,
(int)TRUE, adminsid, (int)0xb, (u32)0x10000000)
;
expectacc = expect = 0700;
expectdef = 0700;
break;
case 9 : /* Win8/bin */
isdir = TRUE;
descr = build_dummy_descr(isdir,
(const SID*)owner3, (const SID*)owner3,
6,
(int)TRUE, authsid, (int)0x3, (u32)0x1f01ff,
(int)TRUE, adminsid, (int)0x13, (u32)0x1f01ff,
(int)TRUE, systemsid, (int)0x13, (u32)0x1f01ff,
(int)TRUE, localsid, (int)0x13, (u32)0x1200a9,
(int)TRUE, authsid, (int)0x10, (u32)0x1301bf,
(int)TRUE, authsid, (int)0x1b, (u32)0xe0010000
);
expectacc = expect = 0777;
expectdef = 0777;
break;
case 10 : /* Win8/bin/linem.exe */
isdir = FALSE;
descr = build_dummy_descr(isdir,
(const SID*)owner3, (const SID*)owner3,
4,
(int)TRUE, authsid, (int)0x10, (u32)0x1f01ff,
(int)TRUE, adminsid, (int)0x10, (u32)0x1f01ff,
(int)TRUE, systemsid, (int)0x10, (u32)0x1ff,
(int)TRUE, localsid, (int)0x10, (u32)0x1200a9);
expectacc = expect = 0777;
expectdef = 0;
break;
default :
expectacc = expectdef = 0;
break;
}
if (descr) {
perms = linux_permissions(descr, isdir);
if (perms != expect) {
printf("** Error in sample %d, perms 0%03o expec
ted 0%03o\n",
cnt,perms,expect);
showall(descr,0);
errors++;
} else {
#if POSIXACLS
pxdesc = linux_permissions_posix(descr, isdir);
if (pxdesc) {
accrights = merge_rights(pxdesc,FALSE);
defrights = merge_rights(pxdesc,TRUE);
if (!(pxdesc->tagsset & ~(POSIX_ACL_USER
_OBJ | POSIX_ACL_GROUP_OBJ | POSIX_ACL_OTHER)))
mixmode = expect;
else
mixmode = (expect & 07707) | ((a
ccrights >> 9) & 070);
if ((pxdesc->mode != mixmode)
|| (accrights != expectacc)
|| (defrights != expectdef)) {
printf("** Error in sample %d :
mode %03o expected 0%03o\n",
cnt,pxdesc->mode,mixmode
);
printf("
Posix access rights
0%03lo expected 0%03lo\n",
(long)accrights,(long)ex
pectacc);
printf("
default rights
0%03lo expected 0%03lo\n",
(long)defrights,(long)ex
pectdef);
showall(descr,0);
showposix(pxdesc);
exit(1);
}
free(pxdesc);
}
#endif
}
free(descr);
}
}
}
/*
*
*
*/
void basictest(int kind, BOOL isdir, const SID *owner, const SID *group)
{
char *attr;
mode_t perm;
mode_t gotback;
u32 count;
u32 acecount;
u32 globhash;
const SECURITY_DESCRIPTOR_RELATIVE *phead;
const ACL *pacl;
enum { ERRNO,
ERRMA, ERRPA, /* error converting mode or Posix ACL to NTFS */
ERRAM, ERRAP, /* error converting NTFS to mode or Posix ACL */
} err;
u32 expectcnt[] = {
27800, 31896,
24064, 28160,
24064, 28160,
24064, 28160,
24904, 29000
} ;
u32 expecthash[] = {
0x8f80865b, 0x7bc7960,
0x8fd9ecfe, 0xddd4db0,
0xa8b07400, 0xa189c20,
0xc5689a00, 0xb6c09000,
0xb040e509, 0x4f4db7f7
} ;
#if POSIXACLS
struct POSIX_SECURITY *pxdesc;
char *pxattr;
u32 pxcount;
u32 pxacecount;
u32 pxglobhash;
#endif
count = 0;
acecount = 0;
globhash = 0;
#if POSIXACLS
pxcount = 0;
pxacecount = 0;
pxglobhash = 0;
#endif
for (perm=0; (perm<=07777) && (errors < 10); perm++) {
err = ERRNO;
/* file owned by plain user and group */
attr = ntfs_build_descr(perm,isdir,owner,(const SID*)group);
if (attr && ntfs_valid_descr(attr, ntfs_attr_size(attr))) {
phead = (const SECURITY_DESCRIPTOR_RELATIVE*)attr;
pacl = (const ACL*)&attr[le32_to_cpu(phead->dacl)];
acecount += le16_to_cpu(pacl->ace_count);
globhash += hash((const le32*)attr,ntfs_attr_size(attr))
;
count++;
#if POSIXACLS
/*
* Build a NTFS ACL from a mode, and
* decode to a Posix ACL, expecting to
* get the original mode back.
*/
pxdesc = linux_permissions_posix(attr, isdir);
if (!pxdesc || (pxdesc->mode != perm)) {
err = ERRAP;
if (pxdesc)
gotback = pxdesc->mode;
else
gotback = 0;
} else {
/*
* Build a NTFS ACL from the Posix ACL, expecting to
* get exactly the same NTFS ACL, then decode to a
* mode, expecting to get the original mode back.
*/
pxattr = ntfs_build_descr_posix(context.mapping,
pxdesc,isdir,owner,
(const SID*)group);
if (pxattr && !memcmp(pxattr,attr,
ntfs_attr_size(attr))) {
phead = (const SECURITY_DESCRIPTOR_RELAT
IVE*)attr;
pacl = (const ACL*)&attr[le32_to_cpu(phe
ad->dacl)];
pxacecount += le16_to_cpu(pacl->ace_coun
t);
pxglobhash += hash((const le32*)attr,ntf
s_attr_size(attr));
pxcount++;
gotback = linux_permissions(pxattr, isdi
r);
if (gotback != perm)
err = ERRAM;
else
free(pxattr);
} else
err = ERRPA;
free(attr);
}
free(pxdesc);
#else
gotback = linux_permissions(attr, isdir);
if (gotback != perm)
err = ERRAM;
else
free(attr);
#endif /* POSIXACLS */
} else
err = ERRMA;
switch (err) {
case ERRMA :
printf("** no or wrong permission settings "
"for kind %d perm %03o\n",kind,perm);
if (attr && opt_v)
hexdump(attr,ntfs_attr_size(attr),8);
if (attr && (opt_v >= 2)) {
showheader(attr,4);
showusid(attr,4);
showgsid(attr,4);
showdacl(attr,isdir,4);
showsacl(attr,isdir,4);
}
errors++;
break;
case ERRPA :
printf("** no or wrong permission settings from PX "
#if POSIXACLS
printf("%lu ACLs built from Posix ACLs, %lu ACE built, mean count %lu.%0
2lu\n",
(unsigned long)pxcount,(unsigned long)pxacecount,
(unsigned long)pxacecount/pxcount,pxacecount*100L/pxcount%100L);
if (pxacecount != expectcnt[kind]) {
printf("** Error : ACE count %lu instead of %lu\n",
(unsigned long)pxacecount,
(unsigned long)expectcnt[kind]);
errors++;
}
if (pxglobhash != expecthash[kind]) {
printf("** Error : wrong global hash 0x%lx instead of 0x%lx\n",
(unsigned long)pxglobhash, (unsigned long)expecthash[kin
d]);
errors++;
}
#endif /* POSIXACLS */
}
#if POSIXACLS
/*
*
*
*/
26460,
0, 0,
0, 0,
0, 0,
24516,
20736,
20736,
20736,
21060,
29052,
27108,
23328,
23328,
23328,
23652,
#else
252720,
199584,
199584,
199584,
203904,
0, 0,
0, 0,
0, 0,
196452,
165888,
165888,
165888,
168480,
273456,
220320,
220320,
220320,
224640,
217188,
186624,
186624,
186624,
189216,
#endif
0, 0,
0, 0,
0, 0,
16368, 18672,
0, 0,
13824, 0,
0, 0,
14640, 0
} ;
u32 expecthash[] = {
#ifdef STSC
0xf9f82115, 0x40666647,
0xde826d30, 0xa181b660,
0x952d4500, 0x8ac49450,
0xf80acee0, 0xbd9ec6c0,
0xfe09b868, 0xde24e84d,
0, 0,
0, 0,
0, 0,
0x2381438d, 0x3ab42dc6,
0x7cccf6f8, 0x108ad430,
0x5e448840, 0x83ab6c40,
0x9b037100, 0x8f7c3b40,
0x04a359dc, 0xa4619609,
#else
0x1808a6cd, 0xd82f7c60,
0x5ad29e85, 0x518c7620,
0x188ce270, 0x7e44e590,
0x48a64800, 0x5bdf0030,
0x1c64aec6, 0x8b0168fa,
0, 0,
0, 0,
0, 0,
0x169fb80e, 0x382d9a59,
0xf9c28164, 0x1855d352,
0xf9685700, 0x44d16700,
0x587ebe90, 0xf7c51480,
0x2cb1b518, 0x52408df6,
#endif
0, 0,
0, 0,
0, 0,
0x905f2e38, 0xd40c22f0,
0, 0,
0xdd76da00, 0,
0, 0,
0x718e34a0, 0
};
count = 0;
acecount = 0;
globhash = 0;
/* fill headers */
pxdesc = &desc.pxdesc;
pxdesc->mode = 0;
pxdesc->defcnt = 0;
if (kind & 32) {
pxdesc->acccnt = 4;
pxdesc->firstdef = 4;
pxdesc->tagsset = 0x35;
} else {
pxdesc->acccnt = 6;;
pxdesc->firstdef = 6;
pxdesc->tagsset = 0x3f;
}
pxdesc->acl.version = POSIX_VERSION;
pxdesc->acl.flags = 0;
pxdesc->acl.filler = 0;
/* prefill aces */
pxdesc->acl.ace[0].tag = POSIX_ACL_USER_OBJ;
pxdesc->acl.ace[0].id = -1;
if (kind & 32) {
pxdesc->acl.ace[1].tag = POSIX_ACL_GROUP_OBJ;
pxdesc->acl.ace[1].id = -1;
pxdesc->acl.ace[2].tag = POSIX_ACL_MASK;
pxdesc->acl.ace[2].id = -1;
pxdesc->acl.ace[3].tag = POSIX_ACL_OTHER;
pxdesc->acl.ace[3].id = -1;
} else {
pxdesc->acl.ace[1].tag = POSIX_ACL_USER;
pxdesc->acl.ace[1].id = (kind & 16 ? 0 : 1000);
pxdesc->acl.ace[2].tag = POSIX_ACL_GROUP_OBJ;
pxdesc->acl.ace[2].id = -1;
pxdesc->acl.ace[3].tag = POSIX_ACL_GROUP;
pxdesc->acl.ace[3].id = (kind & 16 ? 0 : 1002);
pxdesc->acl.ace[4].tag = POSIX_ACL_MASK;
pxdesc->acl.ace[4].id = -1;
pxdesc->acl.ace[5].tag = POSIX_ACL_OTHER;
pxdesc->acl.ace[5].id = -1;
}
mindes
maxdes
#ifdef STSC
minmsk
maxmsk
= 3;
= (kind & 32 ? mindes : 6);
= (kind & 32 ? 0 : 3);
= (kind & 32 ? 7 : 3);
#else
minmsk = 0;
maxmsk = 7;
#endif
for (mask=minmsk; mask<=maxmsk; mask++)
for (ownobj=1; ownobj<7; ownobj++)
for (grpobj=1; grpobj<7; grpobj++)
for (wrld=0; wrld<8; wrld++)
for (usr=mindes; usr<=maxdes; usr++)
if (usr != 4)
for (grp=mindes; grp<=maxdes; grp++)
if (grp != 4) {
pxdesc->mode = (ownobj << 6) | (mask << 3) | wrld;
pxdesc->acl.ace[0].perms = ownobj;
if (kind & 32) {
pxdesc->acl.ace[1].perms =
pxdesc->acl.ace[2].perms =
pxdesc->acl.ace[3].perms =
} else {
pxdesc->acl.ace[1].perms =
pxdesc->acl.ace[2].perms =
pxdesc->acl.ace[3].perms =
pxdesc->acl.ace[4].perms =
pxdesc->acl.ace[5].perms =
}
grpobj;
mask;
wrld;
usr;
grpobj;
grp;
mask;
wrld;
err = ERRNO;
gotback = (struct POSIX_SECURITY*)NULL;
pxattr = ntfs_build_descr_posix(context.mapping,
pxdesc,isdir,owner,group);
if (pxattr && ntfs_valid_descr(pxattr, ntfs_attr_size(pxattr)))
{
phead = (const SECURITY_DESCRIPTOR_RELATIVE*)pxattr;
pacl = (const ACL*)&pxattr[le32_to_cpu(phead->dacl)];
acecount += le16_to_cpu(pacl->ace_count);
globhash += hash((const le32*)pxattr,ntfs_attr_size(pxat
tr));
count++;
gotback = linux_permissions_posix(pxattr, isdir);
if (gotback) {
if (ntfs_valid_posix(gotback)) {
if (!same_posix(pxdesc,gotback)) {
printf("Non matching got back Po
six ACL\n");
printf("input ACL\n");
showposix(pxdesc);
printf("NTFS owner\n");
showusid(pxattr,4);
printf("NTFS group\n");
showgsid(pxattr,4);
printf("NTFS DACL\n");
showdacl(pxattr,isdir,4);
printf("gotback ACL\n");
showposix(gotback);
errors++;
exit(1);
}
} else {
printf("Got back an invalid Posix ACL\n"
);
errors++;
}
free(gotback);
} else {
printf("Could not get Posix ACL back\n");
errors++;
}
} else {
printf("NTFS ACL incorrect or not build\n");
printf("input ACL\n");
showposix(pxdesc);
printf("NTFS DACL\n");
if (pxattr)
showdacl(pxattr,isdir,4);
else
printf(" (none)\n");
if (gotback) {
printf("gotback ACL\n");
showposix(gotback);
} else
printf("no gotback ACL\n");
errors++;
}
if (pxattr)
free(pxattr);
}
printf("%lu ACLs built from Posix ACLs, %lu ACE built, mean count %lu.%0
2lu\n",
(unsigned long)count,(unsigned long)acecount,
(unsigned long)acecount/count,acecount*100L/count%100L);
if (acecount != expectcnt[kind]) {
printf("** Error ! expected ACE count %lu\n",
(unsigned long)expectcnt[kind]);
errors++;
}
if (globhash != expecthash[kind]) {
printf("** Error : wrong global hash 0x%lx instead of 0x%lx\n",
(unsigned long)globhash, (unsigned long)expecthash[kind]
);
errors++;
}
}
#endif /* POSIXACLS */
void selftests(void)
{
le32 owner_sid[] = /* S-1-5-21-3141592653-589793238-462843383-1016 */
{
const_cpu_to_le32(0x501), const_cpu_to_le32(0x05000000),
const_cpu_to_le32(21), const_cpu_to_le32(DEFSECAUTH1),
const_cpu_to_le32(DEFSECAUTH2), const_cpu_to_le32(DEFSECAUTH3),
const_cpu_to_le32(1016)
} ;
le32 group_sid[] = /* S-1-5-21-3141592653-589793238-462843383-513 */
{
const_cpu_to_le32(0x501), const_cpu_to_le32(0x05000000),
const_cpu_to_le32(21), const_cpu_to_le32(DEFSECAUTH1),
const_cpu_to_le32(DEFSECAUTH2), const_cpu_to_le32(DEFSECAUTH3),
const_cpu_to_le32(513)
} ;
#if POSIXACLS
#ifdef STSC
unsigned char kindlist[] =
16, 17,
32, 33,
#else
unsigned char kindlist[] =
16, 17,
32, 33,
#endif
unsigned int k;
#endif /* POSIXACLS */
int kind;
const SID *owner;
const SID *group;
BOOL isdir;
{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
18, 20, 22, 24,
36, 40 } ;
{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
18, 20, 22, 24, 19, 21, 23, 25,
36, 40 } ;
#if POSIXACLS
local_build_mapping(context.mapping, (const char*)NULL);
#endif
/* first check samples */
mappingtype = MAPDUMMY;
check_samples();
if (errors) exit(1);
/*
* kind is oring of :
* 1 : directory
* 2 : owner is root
* 4 : group is root
* 8 : group is owner
* 16 : root is designated user/group
* 32 : mask present with no designated user/group
*/
for (kind=0; (kind<10) && (errors<10); kind++) {
isdir = kind & 1;
if (kind & 8)
owner = (const SID*)group_sid;
else
owner = (kind & 2 ? adminsid : (const SID*)owner_sid);
group = (kind & 4 ? adminsid : (const SID*)group_sid);
basictest(kind, isdir, owner, group);
}
#if POSIXACLS
for (k=0; (k<sizeof(kindlist)) && (errors<10); k++) {
kind = kindlist[k];
isdir = kind & 1;
if (kind & 8)
owner = (const SID*)group_sid;
else
owner = (kind & 2 ? adminsid : (const SID*)owner_sid);
group = (kind & 4 ? adminsid : (const SID*)group_sid);
posixtest(kind, isdir, owner, group);
}
ntfs_free_mapping(context.mapping);
#endif
if (errors >= 10)
printf("** too many errors, test aborted\n");
}
#endif /* SELFTESTS & !USESTUBS */
#ifdef WIN32
/*
*
*/
saclsuccess = TRUE;
}
tkp.Privileges[0].Attributes = 0;
AdjustTokenPrivileges(htoken, FALSE, &tk
p, 0, NULL, 0);
}
}
}
if (!saclsuccess) {
attrsz = 20;
set4l(attr,0);
attr[0] = SECURITY_DESCRIPTOR_REVISION;
set4l(&attr[12],0);
if (opt_v >= 2)
printf(" No SACL\n");
}
/*
* append DACL and merge its flags
*/
partsz = 0;
set4l(&attr[16],0);
if (GetFileSecurityW((LPCWSTR)fullname,DACL_SECURITY_INFORMATION
,
(char*)part,MAXATTRSZ,&partsz)) {
if ((attrsz + partsz - 20) <= MAXATTRSZ) {
memcpy(&attr[attrsz],&part[20],partsz-20);
set4l(&attr[16],(partsz > 20 ? attrsz : 0));
set2l(&attr[2],get2l(attr,2) | (get2l(part,2)
& const_le16_to_cpu(SE_DACL_PROTECTED
| SE_DACL_AUTO_INHERITED
| SE_DACL_PRESENT)));
attrsz += partsz - 20;
} else
overflow = TRUE;
} else
if (partsz > MAXATTRSZ)
overflow = TRUE;
else {
if (opt_b)
printf("#
rol list\n");
else
printf("
ol list\n");
warnings++;
}
/*
* append owner and merge its flag
*/
if (xowner && !overflow) {
memcpy(&attr[attrsz],ownsid,ownersz);
set4l(&attr[4],attrsz);
set2l(&attr[2],get2l(attr,2)
| (ownerfl & const_le16_to_cpu(SE_OWNER_DEFAULTED)));
attrsz += ownersz;
} else
set4l(&attr[4],0);
/*
* append group
*/
partsz = 0;
set4l(&attr[8],0);
if (GetFileSecurityW((LPCWSTR)fullname,GROUP_SECURITY_INFORMATIO
N,
(char*)part,MAXATTRSZ,&partsz)) {
if ((attrsz + partsz - 20) <= MAXATTRSZ) {
memcpy(&attr[attrsz],&part[20],partsz-20);
set4l(&attr[8],(partsz > 20 ? attrsz : 0));
set2l(&attr[2],get2l(attr,2) | (get2l(part,2)
& const_le16_to_cpu(SE_GROUP_DEFAULTED))
);
attrsz += partsz - 20;
} else
overflow = TRUE;
} else
if (partsz > MAXATTRSZ)
overflow = TRUE;
else {
printf("** No group SID\n");
warnings++;
}
set2l(&attr[2],get2l(attr,2)
| const_le16_to_cpu(SE_SELF_RELATIVE));
if (overflow) {
printf("** Descriptor was too long (> %d)\n",MAXATTRSZ);
warnings++;
attrsz = 0;
} else
if (!ntfs_valid_descr((char*)attr,attrsz)) {
printf("** Descriptor for ");
printname(stdout,fullname);
printf(" is not valid\n");
errors++;
attrsz = 0;
}
} else {
printf("** Could not get owner of ");
printname(stdout,fullname);
printf(", partsz %d\n",partsz);
printerror(stdout);
warnings++;
attrsz = 0;
}
return (attrsz);
}
/*
*
*/
attr[0] = SECURITY_DESCRIPTOR_REVISION;
set4l(&attr[12],0);
if (opt_v >= 2)
printf(" No SACL\n");
}
/*
* append DACL and merge its flags
*/
partsz = 0;
set4l(&attr[16],0);
if (ntfs_get_file_security(ntfs_context,fullname,
DACL_SECURITY_INFORMATION,
(char*)part,MAXATTRSZ,&partsz)) {
if ((attrsz + partsz - 20) <= MAXATTRSZ) {
memcpy(&attr[attrsz],&part[20],partsz-20);
set4l(&attr[16],(partsz > 20 ? attrsz : 0));
set2l(&attr[2],get2l(attr,2) | (get2l(part,2)
& const_le16_to_cpu(SE_DACL_PROTECTED
| SE_DACL_AUTO_INHERITED
| SE_DACL_PRESENT)));
attrsz += partsz - 20;
} else
overflow = TRUE;
} else
if (partsz > MAXATTRSZ)
overflow = TRUE;
else {
if (opt_b)
printf("# No discretionary access cont
rol list\n");
else
printf("
ol list\n");
warnings++;
}
/*
* append owner and merge its flag
*/
if (xowner && !overflow) {
memcpy(&attr[attrsz],ownsid,ownersz);
set4l(&attr[4],attrsz);
set2l(&attr[2],get2l(attr,2)
| (ownerfl & const_le16_to_cpu(SE_OWNER_DEFAULTED)));
attrsz += ownersz;
} else
set4l(&attr[4],0);
/*
* append group
*/
partsz = 0;
set4l(&attr[8],0);
if (ntfs_get_file_security(ntfs_context,fullname,
GROUP_SECURITY_INFORMATION,
(char*)part,MAXATTRSZ,&partsz)) {
if ((attrsz + partsz - 20) <= MAXATTRSZ) {
memcpy(&attr[attrsz],&part[20],partsz-20);
set4l(&attr[8],(partsz > 20 ? attrsz : 0));
set2l(&attr[2],get2l(attr,2) | (get2l(part,2)
& const_le16_to_cpu(SE_GROUP_DEFAULTED))
);
attrsz += partsz - 20;
} else
overflow = TRUE;
} else
if (partsz > MAXATTRSZ)
overflow = TRUE;
else {
printf("** No group SID\n");
warnings++;
}
if (overflow) {
printf("** Descriptor was too long (> %d)\n",MAXATTRSZ);
warnings++;
attrsz = 0;
} else
if (!ntfs_valid_descr((char*)attr,attrsz)) {
printf("** Descriptor for %s is not valid\n",ful
lname);
errors++;
attrsz = 0;
}
} else {
printf("** Could not get owner of %s\n",fullname);
warnings++;
attrsz = 0;
}
return (attrsz);
}
/*
*
*/
#endif
BOOL setfull(const char *fullname, int mode, BOOL isdir)
{
static char attr[MAXATTRSZ];
const SECURITY_DESCRIPTOR_RELATIVE *phead;
char *newattr;
int err;
unsigned int attrsz;
int newattrsz;
const SID *usid;
const SID *gsid;
#if OWNERFROMACL
const SID *osid;
#endif
printf("%s ",(isdir ? "Directory" : "File"));
printname(stdout,fullname);
printf(" mode 0%03o\n",mode);
attrsz = getfull(attr, fullname);
err = FALSE;
if (attrsz) {
phead = (const SECURITY_DESCRIPTOR_RELATIVE*)attr;
gsid = (const SID*)&attr[le32_to_cpu(phead->group)];
#if OWNERFROMACL
osid = (const SID*)&attr[le32_to_cpu(phead->owner)];
usid = ntfs_acl_owner((const char*)attr);
if (!ntfs_same_sid(usid,osid))
printf("== Windows owner might change\n");
#else
usid = (const SID*)&attr[le32_to_cpu(phead->owner)];
#endif
newattr = ntfs_build_descr(mode,isdir,usid,gsid);
if (newattr) {
newattrsz = ntfs_attr_size(newattr);
if (opt_v) {
printf("Security descriptor\n");
hexdump(newattr,newattrsz,4);
}
if (opt_v >= 2) {
printf("Expected hash : 0x%08lx\n",
(unsigned long)hash((le32*)newattr,ntfs_
attr_size(newattr)));
showheader(newattr,0);
showusid(newattr,0);
showgsid(newattr,0);
showdacl(newattr,isdir,0);
showsacl(newattr,isdir,0);
}
#ifdef WIN32
/*
* avoid getting a set owner error on Windows
* owner should not be changed anyway
*/
if (!updatefull(fullname,
DACL_SECURITY_INFORMATION
| GROUP_SECURITY_INFORMATION
| OWNER_SECURITY_INFORMATION,
newattr))
#else
if (!updatefull(fullname,
DACL_SECURITY_INFORMATION
| GROUP_SECURITY_INFORMATION
| OWNER_SECURITY_INFORMATION,
newattr))
#endif
err = TRUE;
free(newattr);
}
} else
err = TRUE;
return (err);
}
BOOL proposal(const char *name, const char *attr)
{
char fullname[MAXFILENAME];
int uoff, goff;
int i;
u64 uauth, gauth;
int ucnt, gcnt;
int uid, gid;
BOOL err;
#ifdef WIN32
char driveletter;
#else
struct stat st;
char *p,*q;
#endif
err = FALSE;
#ifdef WIN32
uid = gid = 0;
#else
uid = getuid();
gid = getgid();
#endif
uoff = get4l(attr,4);
uauth = get6h(attr,uoff+2);
ucnt = attr[uoff+1] & 255;
goff = get4l(attr,8);
gauth = get6h(attr,goff+2);
gcnt = attr[goff+1] & 255;
if ((ucnt == 5) && (gcnt == 5)
&& (uauth == 5) && (gauth == 5)
&& (get4l(attr,uoff+8) == 21) && (get4l(attr,goff+8) == 21)) {
printf("# User mapping proposal :\n");
printf("# -------------------- cut here -------------------\n");
if (uid)
printf("%d::",uid);
else
printf("user::");
printf("S-%d-%llu",attr[uoff] & 255,uauth);
for (i=0; i<ucnt; i++)
printf("-%lu",get4l(attr,uoff+8+4*i));
printf("\n");
if (gid)
printf(":%d:",gid);
else
printf(":group:");
printf("S-%d-%llu",attr[goff] & 255,gauth);
for (i=0; i<gcnt; i++)
printf("-%lu",get4l(attr,goff+8+4*i));
printf("\n");
/* generic rule, based on group */
printf("::S-%d-%llu",attr[goff] & 255,gauth);
for (i=0; i<gcnt-1; i++)
printf("-%lu",get4l(attr,goff+8+4*i));
printf("-10000\n");
printf("# -------------------- cut here -------------------\n");
if (!uid || !gid) {
printf("# Please replace \"user\" and \"group\" above by
the uid\n");
printf("# and gid of the Linux owner and group of ");
printname(stdout,name);
printf(", then\n");
printf("# insert the modified lines into .NTFS-3G/UserMa
pping, with .NTFS-3G\n");
} else
printf("# Insert the above lines into .NTFS-3G/UserMappi
ng, with .NTFS-3G\n");
#ifdef WIN32
printf("# being a directory of the root of the NTFS file system.
\n");
/* Get the drive letter to the file system */
driveletter = 0;
if ((((name[0] >= 'a') && (name[0] <= 'z'))
|| ((name[0] >= 'A') && (name[0] <= 'Z')))
&& (name[1] == ':'))
driveletter = name[0];
else {
if (GetCurrentDirectoryA(MAXFILENAME, fullname)
&& (fullname[1] == ':'))
driveletter = fullname[0];
}
if (driveletter) {
printf("# Example : %c:\\.NTFS-3G\\UserMapping\n",
driveletter);
}
#else
printf("# being a hidden subdirectory of the root of the NTFS fi
le system.\n");
/* Get the path to the root of the file system */
if (name[0] != '/') {
p = getcwd(fullname,MAXFILENAME);
if (p) {
strcat(fullname,"/");
strcat(fullname,name);
}
} else {
strcpy(fullname,name);
p = fullname;
}
if (p) {
err = FALSE;
filter = (char*)malloc(MAXFILENAME);
inner = (char*)malloc(MAXFILENAME);
if (filter && inner) {
len = utf16len(fullname);
memcpy(filter, fullname, 2*len);
makeutf16(&filter[2*len],"\\*.*");
search = FindFirstFileW((LPCWSTR)filter, &found);
if (search != INVALID_HANDLE_VALUE) {
do {
if (found.cFileName[0] != UNICODE('.')) {
memcpy(inner, fullname, 2*len);
inner[2*len] = '\\';
inner[2*len+1] = 0;
memcpy(&inner[2*len+2],found.cFileName,
2*utf16len((char*)found.cFileNam
e)+2);
if (opt_v)
if (opt_b)
printf("#\n#\n");
else
printf("\n\n");
switch (call) {
case RECSHOW :
if (recurseshow(inner))
err = TRUE;
break;
#if POSIXACLS
case RECSETPOSIX :
if (recurseset_posix(inner,pxdes
c))
err = TRUE;
break;
#else
case RECSET :
if (recurseset(inner,mode))
err = TRUE;
break;
#endif
default :
err = TRUE;
}
}
} while (FindNextFileW(search, &found));
FindClose(search);
}
free(filter);
free(inner);
} else {
printf("** Cannot process deeper : not enough memory\n");
errors++;
err = TRUE;
}
return (err);
}
/*
*
ion)
*/
void showfull(const char *fullname, BOOL isdir)
{
static char attr[MAXATTRSZ];
#if POSIXACLS
struct POSIX_SECURITY *pxdesc;
#endif
ULONG attrsz;
int mode;
uid_t uid;
gid_t gid;
int attrib;
int level;
printf("%s ",(isdir ? "Directory" : "File"));
printname(stdout,fullname);
printf("\n");
/* get individual parameters, as when trying to get them */
/* all, and one (typically SACL) is missing, we get none, */
/* and concatenate them, to be able to compute the hash code */
attrsz = getfull(attr, fullname);
if (attrsz) {
if (opt_v || opt_b) {
hexdump(attr,attrsz,8);
printf("Computed hash : 0x%08lx\n",
(unsigned long)hash((le32*)attr,attrsz))
;
}
if (opt_v && opt_b) {
printf("# %s ",(isdir ? "Directory" : "File"));
printname(stdout,fullname);
printf(" hash 0x%lx\n",
(unsigned long)hash((le32*)attr,attrsz))
;
}
attrib = GetFileAttributesW((LPCWSTR)fullname);
if (attrib == INVALID_FILE_ATTRIBUTES) {
printf("** Could not get file attrib\n");
errors++;
} else
printf("Windows attrib : 0x%x\n",attrib);
if (ntfs_valid_descr(attr,attrsz)) {
#if POSIXACLS
pxdesc = linux_permissions_posix(attr,isdir);
if (pxdesc)
mode = pxdesc->mode;
else
mode = 0;
#else
mode = linux_permissions(attr,isdir);
#endif
if (opt_v >= 2) {
level = (opt_b ? 4 : 0);
showheader(attr,level);
showusid(attr,level);
showgsid(attr,level);
showdacl(attr,isdir,level);
showsacl(attr,isdir,level);
}
uid = linux_owner(attr);
gid = linux_group(attr);
if (opt_b) {
showownership(attr);
printf("# Interpreted Unix owner %d, gro
up %d, mode 0%03o\n",
(int)uid,(int)gid,mode);
} else {
showownership(attr);
printf("Interpreted Unix owner %d, group
%d, mode 0%03o\n",
(int)uid,(int)gid,mode);
}
#if POSIXACLS
if (pxdesc) {
if (!opt_b
&& (pxdesc->defcnt
|| (pxdesc->tagsset
& (POSIX_ACL_USER
| POSIX_ACL_GROUP
| POSIX_ACL_MASK))))
showposix(pxdesc);
free(pxdesc);
}
#endif
} else
if (opt_b)
printf("# Descriptor fails sanity check\
n");
else
printf("Descriptor fails sanity check\n"
);
}
}
BOOL recurseshow(const char *fullname)
{
int attrib;
int err;
BOOL isdir;
err = FALSE;
attrib = GetFileAttributesW((LPCWSTR)fullname);
if (attrib != INVALID_FILE_ATTRIBUTES) {
isdir = (attrib & FILE_ATTRIBUTE_DIRECTORY) != 0;
showfull(fullname,isdir);
if (isdir
&& !((attrib & FILE_ATTRIBUTE_REPARSE_POINT)
&& islink(fullname))) {
#if POSIXACLS
err = iterate(RECSHOW, fullname, (struct POSIX_SECURITY*
)NULL);
#else
err = iterate(RECSHOW, fullname, 0);
#endif
}
} else {
return (err);
}
#endif
#if POSIXACLS
BOOL singleset_posix(const char *path, const struct POSIX_SECURITY *pxdesc)
{
BOOL isdir;
BOOL err;
int attrib;
err = FALSE;
attrib = GetFileAttributesW((LPCWSTR)path);
if (attrib != INVALID_FILE_ATTRIBUTES) {
isdir = (attrib & FILE_ATTRIBUTE_DIRECTORY);
err = !setfull_posix(path,pxdesc,isdir);
if (err) {
printf("** Failed to update ");
printname(stdout,path);
printf("\n");
errors++;
}
} else {
printf("** Could not access ");
printname(stdout,path);
printf("\n");
printerror(stdout);
errors++;
err = TRUE;
}
return (!err);
}
#endif
BOOL singleset(const char *path, int mode)
{
BOOL isdir;
BOOL err;
int attrib;
err = FALSE;
attrib = GetFileAttributesW((LPCWSTR)path);
if (attrib != INVALID_FILE_ATTRIBUTES) {
isdir = (attrib & FILE_ATTRIBUTE_DIRECTORY);
setfull(path,mode,isdir);
} else {
printf("** Could not access ");
printname(stdout,path);
printf("\n");
printerror(stdout);
errors++;
err = TRUE;
}
return (!err);
}
#else
/*
*
n)
*/
showusid(attr,level);
showgsid(attr,level);
showdacl(attr,isdir,level);
showsacl(attr,isdir,level);
}
if (attrib != INVALID_FILE_ATTRIBUTES)
printf("Windows attrib : 0x%x\n",attrib)
;
uid = linux_owner(attr);
gid = linux_group(attr);
if (opt_b) {
showownership(attr);
printf("# Interpreted Unix owner %d, gro
up %d, mode 0%03o\n",
(int)uid,(int)gid,mode);
} else {
showownership(attr);
printf("Interpreted Unix owner %d, group
%d, mode 0%03o\n",
(int)uid,(int)gid,mode);
}
#if POSIXACLS
if (pxdesc) {
if (!opt_b
&& (pxdesc->defcnt
|| (pxdesc->tagsset
& (POSIX_ACL_USER
| POSIX_ACL_GROUP
| POSIX_ACL_MASK))))
showposix(pxdesc);
#if USESTUBS
stdfree(pxdesc); /* allocated within lib
rary */
#else
free(pxdesc);
#endif
}
#endif
if ((opt_r || opt_b) && (securindex < MAXSECURID
)
&& (securindex > 0) && psecurdata) {
psecurdata->filecount++;
psecurdata->mode = mode;
}
} else {
printf("** Descriptor fails sanity check\n");
errors++;
}
}
} else
if (securindex > 0) {
if (securdata[securindex >> SECBLKSZ]) {
psecurdata = &securdata[securindex >> SECBLKSZ]
[securindex & ((1 << SECBLKSZ) - 1)];
psecurdata->filecount++;
if (opt_b || opt_r) {
if (!opt_b && !opt_v)
printf("%s %s\n",(isdir ? "Direc
tory" : "File"),fullname);
printf("Security key : 0x%x mode %03o (a
lready displayed)\n",
securindex,psecurdata->mode);
if (attrib != INVALID_FILE_ATTRIBUTES)
printf("Windows attrib : 0x%x\n"
,attrib);
} else {
printf("%s %s",(isdir ? "Directory" : "F
ile"),fullname);
printf(" : key 0x%x\n",securindex);
}
if ((opt_a || opt_b) && opt_v
&& psecurdata && psecurdata->attr) {
printf("# %s %s hash 0x%lx\n",(isdir ? "
Directory" : "File"),
fullname,
(unsigned long)hash((le32*)psecu
rdata->attr,
ntfs_attr_size(psecurdat
a->attr)));
}
}
} else {
if (!opt_v && !opt_b)
printf("%s %s",(isdir ? "Directory" : "File"),fu
llname);
printf(" (Failed)\n");
printf("** Could not get security data of %s, partsz %d\
n",
fullname,partsz);
printerror(stdout);
errors++;
}
}
BOOL recurseshow(const char *path)
{
struct CALLBACK dircontext;
struct LINK *current;
BOOL isdir;
BOOL err;
err = FALSE;
dircontext.head = (struct LINK*)NULL;
dircontext.dir = path;
isdir = ntfs_read_directory(ntfs_context, path,
callback, &dircontext);
if (isdir) {
showfull(path,TRUE);
if (opt_v) {
if (opt_b)
printf("#\n#\n");
else
printf("\n\n");
}
while (dircontext.head) {
current = dircontext.head;
if (recurseshow(current->name)) err = TRUE;
dircontext.head = dircontext.head->next;
free(current);
}
} else
if (errno == ENOTDIR) {
showfull(path,FALSE);
if (opt_v) {
if (opt_b)
printf("#\n#\n");
else
printf("\n\n");
}
} else {
printf("** Could not access %s\n",path);
printerror(stdout);
errors++;
err = TRUE;
}
return (!err);
}
BOOL singleshow(const char *path)
{
BOOL isdir;
BOOL err;
err = FALSE;
isdir = ntfs_read_directory(ntfs_context, path,
callback, (struct CALLBACK*)NULL);
if (isdir || (errno == ENOTDIR))
showfull(path,isdir);
else {
printf("** Could not access %s\n",path);
printerror(stdout);
errors++;
err = TRUE;
}
return (err);
}
#ifdef HAVE_SETXATTR
static ssize_t ntfs_getxattr(const char *path, const char *name, void *value, si
ze_t size)
{
#if defined(__APPLE__) || defined(__DARWIN__)
return getxattr(path, name, value, size, 0, 0);
#else
return getxattr(path, name, value, size);
#endif
}
/*
*
*/
showdacl(attr,isdir,level);
showsacl(attr,isdir,level);
}
showownership(attr);
if (mapped) {
uid = linux_owner(attr);
gid = linux_group(attr);
printf("Interpreted Unix owner %d, group
%d, mode 0%03o\n",
(int)uid,(int)gid,mode);
} else {
printf("Interpreted Unix mode 0%03o (own
er and group are unmapped)\n",
mode);
}
#if POSIXACLS
if (pxdesc) {
if ((pxdesc->defcnt
|| (pxdesc->tagsset
& (POSIX_ACL_USER
| POSIX_ACL_GROUP
| POSIX_ACL_MASK))))
showposix(pxdesc);
#if USESTUBS
stdfree(pxdesc); /* allocated within lib
rary */
#else
free(pxdesc);
#endif
}
if (mapped)
ntfs_free_mapping(context.mapping);
#endif
} else {
printf("Descriptor fails sanity check\n");
errors++;
}
} else {
printf("** Could not get the NTFS ACL, check whether fil
e is on NTFS\n");
errors++;
}
} else {
printf("%s not found\n",fullname);
err = TRUE;
}
return (err);
}
BOOL processmounted(const char *fullname)
{
static char attr[MAXATTRSZ];
struct stat st;
int attrsz;
BOOL err;
err = FALSE;
if (!opt_u)
err = showmounted(fullname);
else
if (!stat(fullname,&st)) {
attrsz = ntfs_getxattr(fullname,"system.ntfs_acl",attr,MAXATTRSZ
);
if (attrsz > 0) {
if (opt_v) {
hexdump(attr,attrsz,8);
printf("Computed hash : 0x%08lx\n",
(unsigned long)hash((le32*)attr,attrsz))
;
}
if (ntfs_valid_descr(attr,attrsz)) {
err = proposal(fullname, attr);
} else {
printf("*** Descriptor fails sanity check\n");
errors++;
}
} else {
printf("** Could not get the NTFS ACL, check whether fil
e is on NTFS\n");
errors++;
}
} else {
printf("%s not found\n",fullname);
err = TRUE;
}
return (err);
}
#else /* HAVE_SETXATTR */
BOOL processmounted(const char *fullname __attribute__((unused)))
{
fprintf(stderr,"Not possible on this configuration,\n");
fprintf(stderr,"you have to use an unmounted partition\n");
return (TRUE);
}
#endif /* HAVE_SETXATTR */
#if POSIXACLS
BOOL recurseset_posix(const char *path, const struct POSIX_SECURITY *pxdesc)
{
struct CALLBACK dircontext;
struct LINK *current;
BOOL isdir;
BOOL err;
err = FALSE;
dircontext.head = (struct LINK*)NULL;
dircontext.dir = path;
isdir = ntfs_read_directory(ntfs_context, path,
callback, &dircontext);
if (isdir) {
err = !setfull_posix(path,pxdesc,TRUE);
if (err) {
printf("** Failed to update %s\n",path);
printerror(stdout);
errors++;
} else {
if (opt_b)
printf("#\n#\n");
else
printf("\n\n");
while (dircontext.head) {
current = dircontext.head;
recurseset_posix(current->name,pxdesc);
dircontext.head = dircontext.head->next;
free(current);
}
}
} else
if (errno == ENOTDIR) {
err = !setfull_posix(path,pxdesc,FALSE);
if (err) {
printf("** Failed to update %s\n",path);
printerror(stdout);
errors++;
}
} else {
printf("** Could not access %s\n",path);
printerror(stdout);
errors++;
err = TRUE;
}
return (!err);
}
#else
BOOL recurseset(const char *path, int mode)
{
struct CALLBACK dircontext;
struct LINK *current;
BOOL isdir;
BOOL err;
err = FALSE;
dircontext.head = (struct LINK*)NULL;
dircontext.dir = path;
isdir = ntfs_read_directory(ntfs_context, path,
callback, &dircontext);
if (isdir) {
setfull(path,mode,TRUE);
if (opt_b)
printf("#\n#\n");
else
printf("\n\n");
while (dircontext.head) {
current = dircontext.head;
recurseset(current->name,mode);
dircontext.head = dircontext.head->next;
free(current);
}
} else
if (errno == ENOTDIR)
setfull(path,mode,FALSE);
else {
printf("** Could not access %s\n",path);
printerror(stdout);
errors++;
err = TRUE;
}
return (!err);
}
#endif
#if POSIXACLS
BOOL singleset_posix(const char *path, const struct POSIX_SECURITY *pxdesc)
{
BOOL isdir;
BOOL err;
err = FALSE;
isdir = ntfs_read_directory(ntfs_context, path,
callback, (struct CALLBACK*)NULL);
if (isdir || (errno == ENOTDIR)) {
err = !setfull_posix(path,pxdesc,isdir);
if (err) {
printf("** Failed to update %s\n",path);
printerror(stdout);
errors++;
}
} else {
printf("** Could not access %s\n",path);
printerror(stdout);
errors++;
err = TRUE;
}
return (!err);
}
#endif
BOOL singleset(const char *path, int mode)
{
BOOL isdir;
BOOL err;
err = FALSE;
isdir = ntfs_read_directory(ntfs_context, path,
callback, (struct CALLBACK*)NULL);
if (isdir || (errno == ENOTDIR))
setfull(path,mode,isdir);
else {
printf("** Could not access %s\n",path);
printerror(stdout);
errors++;
err = TRUE;
}
return (!err);
}
int callback(struct CALLBACK *dircontext, char *ntfsname,
int length, int type,
long long pos __attribute__((unused)), u64 mft_ref __attribute__((unuse
d)),
*
*/
return (err);
}
#else
/*
*
*/
u32 attrsz;
int securindex;
char attr[256]; /* header (20) and a couple of SIDs (max 40 each) */
err = FALSE;
if (!getuid() && open_security_api()) {
if (open_volume(volume,NTFS_MNT_RDONLY)) {
attrsz = 0;
securindex = ntfs_get_file_security(ntfs_context,name,
OWNER_SECURITY_INFORMATION
| GROUP_SECURITY_INFORMATION,
(char*)attr,MAXATTRSZ,&attrsz);
if (securindex)
err = proposal(name,attr);
else {
fprintf(stderr,"*** Could not get the ACL of %s\
n",
name);
printerror(stdout);
errors++;
}
close_volume(volume);
} else {
fprintf(stderr,"Could not open volume %s\n",volume);
printerror(stdout);
err = TRUE;
}
close_security_api();
} else {
if (getuid())
fprintf(stderr,"This is only possible as root\n");
else
fprintf(stderr,"Could not open security API\n");
err = TRUE;
}
return (err);
}
#endif
#ifndef WIN32
/*
*
*/
0x%lx (correct)\n",(lon
g)offset);
} else {
printf("** offset 0x%llx (expected : 0x%llx)\n"
,
(long long)get8l(attr,8),
(long long)(second ? get8l(attr,8) - 0x4
0000 : get8l(attr,8)));
//
unsane = TRUE;
errors++;
}
}
if (!unsane) {
key = get4l(attr,4);
if (opt_v >= 2)
printf("Key
0x%x\n",(int)key);
if (key) {
if (key <= prevkey) {
printf("** Unordered key 0x%lx after 0x%
lx\n",
(long)key,(long)prevkey);
unsane = TRUE;
errors++;
}
}
}
}
return (!unsane);
}
/*
*
*
*/
}
psecurdata->hash = comphash;
psecurdata->offset = get8l(attr,8);
psecurdata->length = get4l(attr,16);
}
psecurdata->flags |= (second ? INSDS2 : INSDS1);
}
} else
if (key || get4l(attr,0)) {
printf("** Security_id 0x%x out of bounds\n",key);
warnings++;
}
return (errcnt);
}
/*
*
*/
} else
do {
entrysz = get4l(attr,16);
entryalsz = ((entrysz - 1) | 15) + 1;
if (entryalsz <= (MAXATTRSZ + 20)) {
/* read next header in anticipation, to get its
size */
size = ntfs_read_sds(ntfs_context,
(char*)&attr[20],entryalsz,offset + 20);
if (opt_v)
printf("\nAt offset 0x%lx got %lu bytes\
n",(long)offset,(long)size);
} else {
printf("** Security attribute is too long (%ld b
ytes) - stopping\n",
(long)entryalsz);
errcnt++;
}
if ((entryalsz > (MAXATTRSZ + 20)) || (size < (int)(entr
ysz - 20)))
done = TRUE;
else {
if (opt_v) {
printf("Entry size %d bytes\n",entrysz);
hexdump(&attr[20],size,8);
}
unsane = !valid_sds(attr,offset,entrysz,
size,prevkey,second);
if (!unsane) {
if (!get4l(attr,0) && !get4l(attr,4))
deleted++;
else
count++;
errcnt += consist_sds(attr,offset,
entrysz, second);
if (opt_v >= 2) {
isdir = guess_dir(&attr[20]);
printf("Assuming %s descriptor\n
",(isdir ? "directory" : "file"));
showheader(&attr[20],0);
showusid(&attr[20],0);
showgsid(&attr[20],0);
showdacl(&attr[20],isdir,0);
showsacl(&attr[20],isdir,0);
showownership(&attr[20]);
mode = linux_permissions(
&attr[20],isdir);
printf("Interpreted Unix mode 0%
03o\n",mode);
}
prevkey = get4l(attr,4);
}
if (!unsane) {
memcpy(attr,&attr[entryalsz],20);
offset += entryalsz;
if (!get4l(attr,16)
|| ((((offset - 1) | 0x3ffff) - offse
t + 1) < 20)) {
if (second)
offset = ((offset - 1) |
0x7ffff) + 0x40001;
else
offset = ((offset - 1) |
0x7ffff) + 1;
if (opt_v)
printf("Trying next SDS%d block at offset 0x%lx\n",
(second ? 2 : 1)
, (long)offset);
size = ntfs_read_sds(ntfs_contex
t,
(char*)attr,20,offset);
if (size != 20) {
if (opt_v)
printf("Assuming
end of $SDS, got %d bytes\n",size);
done = TRUE;
}
}
} else {
printf("** Sanity check failed - stoppin
g there\n");
errcnt++;
errors++;
done = TRUE;
}
}
} while (!done);
if (count || deleted || errcnt) {
printf("%d valid and %d deleted entries in $SDS-%d\n",
count,deleted,(second ? 2 : 1));
printf("%d errors in $SDS-%c\n",errcnt,(second ? '2' : '1'));
}
return (errcnt);
}
/*
*
*/
if (get2l(entry,2) != 20) {
printf("** size %d (instead of 20)\n",(int)get2l(entry,2));
valid = FALSE;
errors++;
}
if (get4l(entry,4) != 0) {
printf("** fill1 %d (instead of 0)\n",(int)get4l(entry,4));
valid = FALSE;
errors++;
}
if (get2l(entry,12) & 1) {
if (get2l(entry,8) != 48) {
printf("** index size %d (instead of 48)\n",(int)get2l(e
ntry,8));
valid = FALSE;
errors++;
}
} else
if (get2l(entry,8) != 40) {
printf("** index size %d (instead of 40)\n",(int)get2l(e
ntry,8));
valid = FALSE;
errors++;
}
if (get2l(entry,10) != 4) {
printf("** index key size %d (instead of 4)\n",(int)get2l(entry,
10));
valid = FALSE;
errors++;
}
if ((get2l(entry,12) & ~3) != 0) {
printf("** flags 0x%x (instead of < 4)\n",(int)get2l(entry,12));
valid = FALSE;
errors++;
}
if (get2l(entry,14) != 0) {
printf("** fill2 %d (instead of 0)\n",(int)get2l(entry,14));
valid = FALSE;
errors++;
}
if (get4l(entry,24) != key) {
printf("** key 0x%x (instead of 0x%x)\n",
(int)get4l(entry,24),(int)key);
valid = FALSE;
errors++;
}
return (valid);
}
/*
*
*/
key = get4l(entry,16);
if ((key > 0) && (key < MAXSECURID)) {
printf("Valid entry for key 0x%lx\n",(long)key);
if (!securdata[key >> SECBLKSZ])
newblock(key);
if (securdata[key >> SECBLKSZ]) {
psecurdata = &securdata[key >> SECBLKSZ][key & ((1 << SE
CBLKSZ) - 1)];
psecurdata->flags |= INSII;
if (psecurdata->flags & (INSDS1 | INSDS2)) {
if ((u32)get4l(entry,20) != psecurdata->hash) {
printf("** hash 0x%x (instead of 0x%x)\n
",
(unsigned int)get4l(entry,20),
(unsigned int)psecurdata->hash);
errors++;
}
if (get8l(entry,28) != psecurdata->offset) {
printf("** offset 0x%llx (instead of 0x%
llx)\n",
(long long)get8l(entry,28),
(long long)psecurdata->offset);
errors++;
}
if (get4l(entry,36) != psecurdata->length) {
printf("** length 0x%lx (instead of %ld)
\n",
(long)get4l(entry,36),
(long)psecurdata->length);
errors++;
}
} else {
printf("** Entry was not present in $SDS\n");
errors++;
psecurdata->hash = get4l(entry,20);
psecurdata->offset = get8l(entry,28);
psecurdata->length = get4l(entry,36);
if (opt_v) {
printf(" hash 0x%x\n",(unsigned int)ps
ecurdata->hash);
printf(" offset 0x%llx\n",(long long)p
securdata->offset);
printf(" length %ld\n",(long)psecurdat
a->length);
}
errcnt++;
}
}
} else {
printf("** Security_id 0x%x out of bounds\n",key);
warnings++;
}
return (errcnt);
}
/*
*
*/
int audit_sii()
{
char *entry;
int errcnt;
u32 prevkey;
BOOL valid;
BOOL done;
int count;
printf("\nAuditing $SII\n");
errcnt = 0;
count = 0;
entry = (char*)NULL;
prevkey = 0;
done = FALSE;
do {
entry = (char*)ntfs_read_sii(ntfs_context,(void*)entry);
if (entry) {
valid = valid_sii(entry,prevkey);
if (valid) {
count++;
errcnt += consist_sii(entry);
prevkey = get4l(entry,16);
} else
errcnt++;
} else
if ((errno == ENOTSUP) && !prevkey)
printf("** There is no $SII in this volume\n");
} while (entry && !done);
if (count || errcnt) {
printf("%d valid entries in $SII\n",count);
printf("%d errors in $SII\n",errcnt);
}
return (errcnt);
}
/*
*
*/
if (get2l(entry,0) != 24) {
printf("** offset %d (instead of 24)\n",(int)get2l(entry,0));
valid = FALSE;
errors++;
}
if (get2l(entry,2) != 20) {
printf("** size %d (instead of 20)\n",(int)get2l(entry,2));
valid = FALSE;
errors++;
}
if (get4l(entry,4) != 0) {
printf("** fill1 %d (instead of 0)\n",(int)get4l(entry,4));
valid = FALSE;
errors++;
}
if (get2l(entry,12) & 1) {
if (get2l(entry,8) != 56) {
printf("** index size %d (instead of 56)\n",(int)get2l(e
ntry,8));
valid = FALSE;
errors++;
}
} else
if (get2l(entry,8) != 48) {
printf("** index size %d (instead of 48)\n",(int)get2l(e
ntry,8));
valid = FALSE;
errors++;
}
if (get2l(entry,10) != 8) {
printf("** index key size %d (instead of 8)\n",(int)get2l(entry,
10));
valid = FALSE;
errors++;
}
if ((get2l(entry,12) & ~3) != 0) {
printf("** flags 0x%x (instead of < 4)\n",(int)get2l(entry,12));
valid = FALSE;
errors++;
}
if (get2l(entry,14) != 0) {
printf("** fill2 %d (instead of 0)\n",(int)get2l(entry,14));
valid = FALSE;
errors++;
}
if ((u32)get4l(entry,24) != currhash) {
printf("** hash 0x%x (instead of 0x%x)\n",
(unsigned int)get4l(entry,24),(unsigned int)currhash);
valid = FALSE;
errors++;
}
if (get4l(entry,28) != key) {
printf("** key 0x%x (instead of 0x%x)\n",
(int)get4l(entry,28),(int)key);
valid = FALSE;
errors++;
}
if (get4l(entry,44)
&& (get4l(entry,44) != 0x490049)) {
printf("** fill3 0x%lx (instead of 0 or 0x490049)\n",
(long)get4l(entry,44));
valid = FALSE;
errors++;
}
return (valid);
}
/*
*
*/
a->length);
}
errcnt++;
}
}
} else {
printf("** Security_id 0x%x out of bounds\n",key);
warnings++;
}
return (errcnt);
}
/*
*
*/
int audit_sdh()
{
char *entry;
int errcnt;
int count;
u32 prevkey;
u32 prevhash;
BOOL valid;
BOOL done;
printf("\nAuditing $SDH\n");
count = 0;
errcnt = 0;
prevkey = 0;
prevhash = 0;
entry = (char*)NULL;
done = FALSE;
do {
entry = (char*)ntfs_read_sdh(ntfs_context,(void*)entry);
if (entry) {
valid = valid_sdh(entry,prevkey,prevhash);
if (valid) {
count++;
errcnt += consist_sdh(entry);
prevhash = get4l(entry,16);
prevkey = get4l(entry,20);
} else
errcnt++;
} else
if ((errno == ENOTSUP) && !prevkey)
printf("** There is no $SDH in this volume\n");
} while (entry && !done);
if (count || errcnt) {
printf("%d valid entries in $SDH\n",count);
printf("%d errors in $SDH\n",errcnt);
}
return (errcnt);
}
/*
*
*/
Audit summary
void audit_summary()
{
int
int
int
int
int
count;
flags;
cnt;
found;
i,j;
count = 0;
found = 0;
if (opt_r) printf("Summary of security key use :\n");
for (i=0; i<(MAXSECURID + (1 << SECBLKSZ) - 1)/(1 << SECBLKSZ); i++)
if (securdata[i])
for (j=0; j<(1 << SECBLKSZ); j++) {
flags = securdata[i][j].flags & (INSDS1 + INSDS2
+ INSII + INSDH);
if (flags) found++;
if (flags
&& (flags != (INSDS1 + INSDS2 + INSII +
INSDH)))
{
if (!count && !opt_r)
printf("\n** Keys not present in
all files :\n");
cnt = securdata[i][j].filecount;
if (opt_r)
printf("Key 0x%x used by %d %s,
not in",
i*(1 << SECBLKSZ)+j,cnt,
(cnt > 1 ? "files" : "fi
le"));
else
printf("Key 0x%x not in", i*(1 <
< SECBLKSZ)+j);
if (!(flags & INSDS1))
printf(" SDS-1");
if (!(flags & INSDS2))
printf(" SDS-2");
if (!(flags & INSII))
printf(" SII");
if (!(flags & INSDH))
printf(" SDH");
printf("\n");
count++;
} else {
cnt = securdata[i][j].filecount;
if (opt_r && cnt)
printf("Key 0x%x used by %d %s\n
",
i*(1 << SECBLKSZ)+j,cnt,
(cnt > 1 ? "files" : "fi
le"));
}
}
if (found) {
if (count)
printf("%d keys not present in all lists\n",count);
else
printf("All keys are present in all lists\n");
}
}
/*
*
*/
BOOL dmask;
BOOL amask;
const char *p;
struct POSIX_ACL *acl;
struct POSIX_SECURITY *pxdesc;
enum { PXBEGIN, PXTAG, PXTAG1, PXID, PXID1, PXID2,
PXPERM, PXPERM1, PXPERM2, PXOCT, PXNEXT, PXEND, PXERR
} state;
/* raw evaluation of ACE count */
p = str;
amask = FALSE;
dmask = FALSE;
if (*p == 'd') {
acccnt = 0;
defcnt = 1;
} else {
if ((*p >= '0') && (*p <= '7'))
acccnt = 0;
else
acccnt = 1;
defcnt = 0;
}
while (*p)
if (*p++ == ',') {
if (*p == 'd') {
defcnt++;
if (p[1] && (p[2] == 'm'))
dmask = TRUE;
} else {
acccnt++;
if (*p == 'm')
amask = TRUE;
}
}
/* account for an implicit mask if none defined */
if (acccnt && !amask)
acccnt++;
if (defcnt && !dmask)
defcnt++;
pxdesc = (struct POSIX_SECURITY*)malloc(sizeof(struct POSIX_SECURITY)
+ (acccnt + defcnt)*sizeof(struct POSIX_ACE));
if (pxdesc) {
pxdesc->acccnt = acccnt;
pxdesc->firstdef = acccnt;
pxdesc->defcnt = defcnt;
acl = &pxdesc->acl;
p = str;
state = PXBEGIN;
id = 0;
defacl = FALSE;
mode = 0;
apermsset = 0;
dpermsset = 0;
tag = 0;
perms = 0;
k = l = 0;
c = *p++;
while ((state != PXEND) && (state != PXERR)) {
switch (state) {
case PXBEGIN :
if (c == 'd') {
defacl = TRUE;
state = PXTAG1;
break;
} else
if ((c >= '0') && (c <= '7')) {
mode = c - '0';
state = PXOCT;
break;
}
defacl = FALSE;
/* fall through */
case PXTAG :
switch (c) {
case 'u' :
tag = POSIX_ACL_USER;
state = PXID;
break;
case 'g' :
tag = POSIX_ACL_GROUP;
state = PXID;
break;
case 'o' :
tag = POSIX_ACL_OTHER;
state = PXID;
break;
case 'm' :
tag = POSIX_ACL_MASK;
state = PXID;
break;
default :
state = PXERR;
break;
}
break;
case PXTAG1 :
if (c == ':')
state = PXTAG;
else
state = PXERR;
break;
case PXID :
if (c == ':') {
if ((tag == POSIX_ACL_OTHER)
|| (tag == POSIX_ACL_MASK))
state = PXPERM;
else
state = PXID1;
} else
state = PXERR;
break;
case PXID1 :
if ((c >= '0') && (c <= '9')) {
id = c - '0';
state = PXID2;
} else
if (c == ':') {
id = -1;
if (tag == POSIX_ACL_USER)
tag = POSIX_ACL_USER_OBJ
;
if (tag == POSIX_ACL_GROUP)
tag = POSIX_ACL_GROUP_OB
J;
state = PXPERM1;
} else
state = PXERR;
break;
case PXID2 :
if ((c >= '0') && (c <= '9'))
id = 10*id + c - '0';
else
if (c == ':')
state = PXPERM1;
else
state = PXERR;
break;
case PXPERM :
if (c == ':') {
id = -1;
state = PXPERM1;
} else
state = PXERR;
break;
case PXPERM1 :
if ((c >= '0') && (c <= '7')) {
perms = c - '0';
state = PXNEXT;
break;
}
state = PXPERM2;
perms = 0;
/* fall through */
case PXPERM2 :
switch (c) {
case 'r' :
perms |= POSIX_PERM_R;
break;
case 'w' :
perms |= POSIX_PERM_W;
break;
case 'x' :
perms |= POSIX_PERM_X;
break;
case ',' :
case '\0' :
if (defacl) {
i = acccnt + l++;
dpermsset |= perms;
} else {
i = k++;
apermsset |= perms;
}
acl->ace[i].tag = tag;
acl->ace[i].perms = perms;
acl->ace[i].id = id;
if (c == '\0')
state = PXEND;
else
state = PXBEGIN;
break;
}
break;
case PXNEXT :
if (!c || (c == ',')) {
if (defacl) {
i = acccnt + l++;
dpermsset |= perms;
} else {
i = k++;
apermsset |= perms;
}
acl->ace[i].tag = tag;
acl->ace[i].perms = perms;
acl->ace[i].id = id;
if (c == '\0')
state = PXEND;
else
state = PXBEGIN;
} else
state = PXERR;
break;
case PXOCT :
if ((c >= '0') && (c <= '7'))
mode = (mode << 3) + c - '0';
else
if (c == '\0')
state = PXEND;
else
state = PXBEGIN;
break;
default :
break;
}
c = *p++;
}
/* insert default mask if none defined */
if (acccnt && !amask) {
i = k++;
acl->ace[i].tag = POSIX_ACL_MASK;
acl->ace[i].perms = apermsset;
acl->ace[i].id = -1;
}
if (defcnt && !dmask) {
i = acccnt + l++;
acl->ace[i].tag = POSIX_ACL_MASK;
acl->ace[i].perms = dpermsset;
acl->ace[i].id = -1;
}
/* compute the mode and tagsset */
tagsset = 0;
for (i=0; i<acccnt; i++)
tagsset |= acl->ace[i].tag;
switch (acl->ace[i].tag) {
case POSIX_ACL_USER_OBJ :
mode |= acl->ace[i].perms << 6;
break;
case POSIX_ACL_GROUP_OBJ :
mode |= acl->ace[i].perms << 3;
break;
case POSIX_ACL_OTHER :
mode |= acl->ace[i].perms;
break;
default :
break;
}
pxdesc->mode = mode;
pxdesc->tagsset = tagsset;
pxdesc->acl.version = POSIX_VERSION;
pxdesc->acl.flags = 0;
pxdesc->acl.filler = 0;
if (state != PXERR)
ntfs_sort_posix(pxdesc);
showposix(pxdesc);
if ((state == PXERR)
|| (k != acccnt)
|| (l != defcnt)
|| !ntfs_valid_posix(pxdesc)) {
if (~pxdesc->tagsset
& (POSIX_ACL_USER_OBJ | POSIX_ACL_GROUP_OBJ | POSIX_
ACL_OTHER))
fprintf(stderr,"User, group or other permissions
missing\n");
else
fprintf(stderr,"Bad ACL description\n");
free(pxdesc);
pxdesc = (struct POSIX_SECURITY*)NULL;
} else
if (opt_v >= 2) {
printf("Interpreted input description :\n");
showposix(pxdesc);
}
} else
errno = ENOMEM;
return (pxdesc);
}
#endif /* POSIXACLS */
int getoptions(int argc, char *argv[])
{
int xarg;
int narg;
const char *parg;
BOOL err;
opt_a
opt_b
opt_e
opt_h
#if FORCEMASK
opt_m
#endif
opt_r
opt_s
#if SELFTESTS
opt_t
#endif
=
=
=
=
FALSE;
FALSE;
FALSE;
FALSE;
= FALSE;
=
=
&
=
FALSE;
FALSE;
!USESTUBS
FALSE;
opt_u = FALSE;
opt_v = 0;
xarg = 1;
err = FALSE;
while ((xarg < argc) && (argv[xarg][0] == '-')) {
parg = argv[xarg++];
while (*++parg)
switch (*parg)
{
#ifndef WIN32
case 'a' :
opt_a = TRUE;
break;
#endif
case 'b' :
opt_b = TRUE;
break;
case 'e' :
opt_e = TRUE;
break;
case 'h' :
opt_h = TRUE;
break;
#if FORCEMASK
case 'm' :
opt_m = TRUE;
break;
#endif
case 'r' :
case 'R' :
opt_r = TRUE;
break;
case 's' :
opt_s = TRUE;
break;
#if SELFTESTS & !USESTUBS
case 't' :
opt_t = TRUE;
break;
#endif
case 'u' :
opt_u = TRUE;
break;
case 'v' :
opt_v++;
break;
default :
fprintf(stderr,"Invalid option -%c\n",*p
arg);
err = TRUE;
}
}
narg = argc - xarg;
#ifdef WIN32
if ( ((opt_h || opt_s) && (narg > 1))
|| ((opt_r || opt_b || opt_u) && ((narg < 1) || (narg > 2)))
#if SELFTESTS & !USESTUBS
|| (opt_t && (narg > 0))
#endif
|| (opt_e && !opt_s)
&& !opt_t
#endif
#ifdef HAVE_SETXATTR
&& ((narg < 1) || (narg > 3))))
#else
&& ((narg < 2) || (narg > 3))))
#endif
err = TRUE;
if (err) {
xarg = 0;
fprintf(stderr,"Usage:\n");
#if SELFTESTS & !USESTUBS
fprintf(stderr," secaudit -t\n");
fprintf(stderr,"
run self-tests\n");
#endif
fprintf(stderr," secaudit -h [file]\n");
fprintf(stderr,"
display security descriptors within file
\n");
fprintf(stderr," secaudit -a[rv] volume\n");
fprintf(stderr,"
audit the volume\n");
fprintf(stderr," secaudit [-v] volume file\n");
fprintf(stderr,"
display the security parameters of file\
n");
fprintf(stderr," secaudit -r[v] volume directory\n");
fprintf(stderr,"
display the security parameters of files
in directory\n");
fprintf(stderr," secaudit -b[v] volume directory\n");
fprintf(stderr,"
backup the security parameters of files
in directory\n");
fprintf(stderr," secaudit -s[ev] volume [backupfile]\n");
fprintf(stderr,"
set the security parameters as indicated
in backup file\n");
fprintf(stderr,"
with -e also set extra parameters (Windo
ws attrib)\n");
fprintf(stderr," secaudit volume perms file\n");
fprintf(stderr,"
set the security parameters of file to p
erms\n");
fprintf(stderr," secaudit -r[v] volume perms directory\n");
fprintf(stderr,"
set the security parameters of files in
directory to perms\n");
fprintf(stderr," secaudit -u volume file\n");
fprintf(stderr,"
get a user mapping proposal applicable t
o file\n");
#ifdef HAVE_SETXATTR
fprintf(stderr," special cases, do not require being root :\n");
fprintf(stderr," secaudit -u mounted-file\n");
fprintf(stderr,"
get a user mapping proposal applicable t
o mounted file\n");
fprintf(stderr," secaudit [-v] mounted-file\n");
fprintf(stderr,"
display the security parameters of a mou
nted file\n");
#endif
#if POSIXACLS
fprintf(stderr," Note: perms can be an octal mode or a Posix A
CL description\n");
#else
fprintf(stderr," Note: perms is an octal mode\n");
#endif
fprintf(stderr,"
-v is for verbose, -vv for very verbos
e\n");
}
#endif
if ((sizeof(SID) != 12) && !err) {
fprintf(stderr,"Possible alignment problem, check your compiler
options\n");
err = TRUE;
xarg = 0;
}
return (xarg);
}
/*
*
*/
#undef
#undef
#undef
#undef
}
void *chkcalloc(size_t cnt, size_t size, const char *file, int line)
{
return (chkmalloc(cnt*size,file,line));
}
void chkfree(void *p, const char *file, int line)
{
struct CHKALLOC *q;
struct CHKALLOC *r;
if (p) {
if (firstalloc && (firstalloc->alloc == p)) {
r = firstalloc;
firstalloc = firstalloc->next;
} else {
q = firstalloc;
if (q)
while (q->next && (q->next->alloc != p))
q = q->next;
if (q && q->next) {
r = q->next;
q->next = r->next;
} else {
r = (struct CHKALLOC*)NULL;
printf("** freeing unallocated memory in %s line
%d\n",file,line);
if (!isatty(1))
fprintf(stderr,"** freeing unallocated m
emory in %s line %d\n",file,line);
}
}
if (r) {
if (((unsigned char*)p)[r->size] != 0xaa) {
printf("** memory corruption, alloc in %s line %
d release in %s %d\n",
r->file,r->line,file,line);
if (!isatty(1))
fprintf(stderr,"** memory corruption, al
loc in %s line %d release in %s %d\n",
r->file,r->line,file,line);
}
memset(p,0xaa,r->size);
free(r);
free(p);
}
}
}
void *stdmalloc(size_t size)
{
return (malloc(size));
}
void stdfree(void *p)
{
free(p);
}
#ifdef WIN32
/*
*
*/
Windows version
main(argc,argv)
int argc;
char *argv[];
{
FILE *fd;
int xarg;
int mode;
unsigned int size;
BOOL cmderr;
char *filename;
const char *p;
int i;
#if POSIXACLS
struct POSIX_SECURITY *pxdesc;
#endif
printf("%s\n",BANNER);
cmderr = FALSE;
errors = 0;
warnings = 0;
xarg = getoptions(argc,argv);
if (xarg) {
for (i=0; i<(MAXSECURID + (1 << SECBLKSZ) - 1)/(1 << SECBLKSZ);
i++)
securdata[i] = (struct SECURITY_DATA*)NULL;
#if POSIXACLS
context.mapping[MAPUSERS] = (struct MAPPING*)NULL;
context.mapping[MAPGROUPS] = (struct MAPPING*)NULL;
#endif
#endif
}
free(filename);
} else {
fprintf(stderr,"No more memory\n
");
cmderr = TRUE;
}
} else {
fprintf(stderr,"Bad UTF-8 name \"%s\"\n"
,argv[xarg]);
cmderr = TRUE;
}
}
break;
case 2 :
mode = 0;
p = argv[xarg];
#if POSIXACLS
pxdesc = encode_posix_acl(p);
if (pxdesc) {
size = utf16size(argv[xarg + 1]);
if (size) {
filename = (char*)malloc(2*size + 2);
if (filename) {
makeutf16(filename,argv[xarg + 1
]);
if (local_build_mapping(context.
mapping,filename)) {
printf("*** Could not ge
t user mapping data\n");
warnings++;
}
if (opt_r) {
for (i=0; i<(MAXSECURID
+ (1 << SECBLKSZ) - 1)/(1 << SECBLKSZ); i++)
securdata[i] = (
struct SECURITY_DATA*)NULL;
recurseset_posix(filenam
e,pxdesc);
} else
singleset_posix(filename
,pxdesc);
ntfs_free_mapping(context.mappin
g);
free(filename);
} else {
fprintf(stderr,"No more memory\n
");
cmderr = TRUE;
}
chkfree(pxdesc,__FILE__,__LINE__);
} else {
fprintf(stderr,"Bad UTF-8 name \"%s\"\n"
,argv[xarg + 1]);
cmderr = TRUE;
}
}
#else
while ((*p >= '0') && (*p <= '7'))
l\n");
cmderr = TRUE;
} else {
if (opt_r) {
recurseset(argv[xarg + 2],mode);
}
else singleset(argv[xarg + 2],mode);
}
break;
#endif
}
if (warnings)
printf("** %u %s signalled\n",warnings,
(warnings > 1 ? "warnings were" : "warning was")
);
if (errors)
printf("** %u %s found\n",errors,
(errors > 1 ? "errors were" : "error was"));
else
if (!cmderr)
printf("No errors were found\n");
if (!isatty(1)) {
fflush(stdout);
if (warnings)
fprintf(stderr,"** %u %s signalled\n",warnings,
(warnings > 1 ? "warnings were" : "warni
ng was"));
if (errors)
fprintf(stderr,"** %u %s found\n",errors,
(errors > 1 ? "errors were" : "error was
"));
else
fprintf(stderr,"No errors were found\n");
freeblocks();
}
}
dumpalloc("termination");
if (cmderr || errors)
exit(1);
return (0);
}
#else
/*
*
*/
Linux version
printf("%s\n",BANNER);
cmderr = FALSE;
errors = 0;
warnings = 0;
xarg = getoptions(argc,argv);
if (xarg) {
for (i=0; i<(MAXSECURID + (1 << SECBLKSZ) - 1)/(1 << SECBLKSZ);
i++)
securdata[i] = (struct SECURITY_DATA*)NULL;
#if POSIXACLS
context.mapping[MAPUSERS] = (struct MAPPING*)NULL;
context.mapping[MAPGROUPS] = (struct MAPPING*)NULL;
#endif
firstalloc = (struct CHKALLOC*)NULL;
mappingtype = MAPNONE;
switch (argc - xarg) {
case 0 :
if (opt_h)
showhex(stdin);
#if SELFTESTS & !USESTUBS
if (opt_t)
selftests();
#endif
break;
case 1 :
if (opt_a)
cmderr = audit(argv[xarg]);
else
if (opt_h) {
fd = fopen(argv[xarg],"rb");
if (fd) {
showhex(fd);
fclose(fd);
} else {
fprintf(stderr,"Could not open %
s\n",argv[xarg]);
cmderr = TRUE;
}
} else
if (opt_b)
cmderr = backup(argv[xarg],"/");
else
if (opt_r)
cmderr = listfiles(argv[
xarg],"/");
else
if (opt_s)
cmderr = doresto
re(argv[xarg],stdin);
else
cmderr = process
mounted(argv[xarg]);
break;
case 2 :
if (opt_b)
cmderr = backup(argv[xarg],argv[xarg+1]);
else
if (opt_s) {
fd = fopen(argv[xarg+1],"rb");
if (fd) {
if (dorestore(argv[xarg],fd))
cmderr = TRUE;
fclose(fd);
} else {
fprintf(stderr,"Could not open %
s\n",argv[xarg]);
cmderr = TRUE;
}
} else
if (opt_u)
cmderr = mapproposal(argv[xarg],
argv[xarg+1]);
else
cmderr = listfiles(argv[xarg],ar
gv[xarg+1]);
break;
case 3 :
p = argv[xarg+1];
#if POSIXACLS
pxdesc = encode_posix_acl(p);
if (pxdesc) {
if (!getuid() && open_security_api()) {
if (open_volume(argv[xarg],NTFS_MNT_NONE
)) {
if (opt_r) {
for (i=0; i<(MAXSECURID
+ (1 << SECBLKSZ) - 1)/(1 << SECBLKSZ); i++)
securdata[i] = (
struct SECURITY_DATA*)NULL;
recurseset_posix(argv[xa
rg + 2],pxdesc);
} else
singleset_posix(argv[xar
g + 2],pxdesc);
close_volume(argv[xarg]);
} else {
fprintf(stderr,"Could not open v
olume %s\n",argv[xarg]);
printerror(stderr);
cmderr = TRUE;
}
close_security_api();
} else {
if (getuid())
fprintf(stderr,"This is only pos
sible as root\n");
else
fprintf(stderr,"Could not open s
ecurity API\n");
cmderr = TRUE;
}
chkfree(pxdesc,__FILE__,__LINE__);
} else
cmderr = TRUE;
#else
mode = 0;
while ((*p >= '0') && (*p <= '7'))
mode = (mode << 3) + (*p++) - '0';
if (*p) {
;
}
freeblocks();
} else
cmderr = TRUE;
dumpalloc("termination");
if (cmderr || errors)
exit(1);
return (0);
}
#endif