jcifs.smb.ACE Maven / Gradle / Ivy
Show all versions of jcifs-ng Show documentation
/*
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
package jcifs.smb;
import jcifs.util.Hexdump;
/**
* An Access Control Entry (ACE) is an element in a security descriptor
* such as those associated with files and directories. The Windows OS
* determines which users have the necessary permissions to access objects
* based on these entries.
*
* To fully understand the information exposed by this class a description
* of the access check algorithm used by Windows is required. The following
* is a basic description of the algorithm. For a more complete description
* we recommend reading the section on Access Control in Keith Brown's
* "The .NET Developer's Guide to Windows Security" (which is also
* available online).
*
* Direct ACEs are evaluated first in order. The SID of the user performing
* the operation and the desired access bits are compared to the SID
* and access mask of each ACE. If the SID matches, the allow/deny flags
* and access mask are considered. If the ACE is a "deny"
* ACE and any of the desired access bits match bits in the access
* mask of the ACE, the whole access check fails. If the ACE is an "allow"
* ACE and all of the bits in the desired access bits match bits in
* the access mask of the ACE, the access check is successful. Otherwise,
* more ACEs are evaluated until all desired access bits (combined)
* are "allowed". If all of the desired access bits are not "allowed"
* the then same process is repeated for inherited ACEs.
*
* For example, if user WNET\alice tries to open a file
* with desired access bits 0x00000003 (FILE_READ_DATA |
* FILE_WRITE_DATA) and the target file has the following security
* descriptor ACEs:
*
*
* Allow WNET\alice 0x001200A9 Direct
* Allow Administrators 0x001F01FF Inherited
* Allow SYSTEM 0x001F01FF Inherited
*
*
* the access check would fail because the direct ACE has an access mask
* of 0x001200A9 which doesn't have the
* FILE_WRITE_DATA bit on (bit 0x00000002). Actually, this isn't quite correct. If
* WNET\alice is in the local Administrators group the access check
* will succeed because the inherited ACE allows local Administrators
* both FILE_READ_DATA and FILE_WRITE_DATA access.
*/
public class ACE {
/**
*
*/
public static final int FILE_READ_DATA = 0x00000001; // 1
/**
*
*/
public static final int FILE_WRITE_DATA = 0x00000002; // 2
/**
*
*/
public static final int FILE_APPEND_DATA = 0x00000004; // 3
/**
*
*/
public static final int FILE_READ_EA = 0x00000008; // 4
/**
*
*/
public static final int FILE_WRITE_EA = 0x00000010; // 5
/**
*
*/
public static final int FILE_EXECUTE = 0x00000020; // 6
/**
*
*/
public static final int FILE_DELETE = 0x00000040; // 7
/**
*
*/
public static final int FILE_READ_ATTRIBUTES = 0x00000080; // 8
/**
*
*/
public static final int FILE_WRITE_ATTRIBUTES = 0x00000100; // 9
/**
*
*/
public static final int DELETE = 0x00010000; // 16
/**
*
*/
public static final int READ_CONTROL = 0x00020000; // 17
/**
*
*/
public static final int WRITE_DAC = 0x00040000; // 18
/**
*
*/
public static final int WRITE_OWNER = 0x00080000; // 19
/**
*
*/
public static final int SYNCHRONIZE = 0x00100000; // 20
/**
*
*/
public static final int GENERIC_ALL = 0x10000000; // 28
/**
*
*/
public static final int GENERIC_EXECUTE = 0x20000000; // 29
/**
*
*/
public static final int GENERIC_WRITE = 0x40000000; // 30
/**
*
*/
public static final int GENERIC_READ = 0x80000000; // 31
/**
*
*/
public static final int FLAGS_OBJECT_INHERIT = 0x01;
/**
*
*/
public static final int FLAGS_CONTAINER_INHERIT = 0x02;
/**
*
*/
public static final int FLAGS_NO_PROPAGATE = 0x04;
/**
*
*/
public static final int FLAGS_INHERIT_ONLY = 0x08;
/**
*
*/
public static final int FLAGS_INHERITED = 0x10;
boolean allow;
int flags;
int access;
SID sid;
/**
* Returns true if this ACE is an allow ACE and false if it is a deny ACE.
*
* @return whether this in an allow ACE
*/
public boolean isAllow () {
return this.allow;
}
/**
* Returns true if this ACE is an inherited ACE and false if it is a direct ACE.
*
* Note: For reasons not fully understood, FLAGS_INHERITED may
* not be set within all security descriptors even though the ACE was in
* face inherited. If an inherited ACE is added to a parent the Windows
* ACL editor will rebuild all children ACEs and set this flag accordingly.
*
* @return whether this is an inherited ACE
*/
public boolean isInherited () {
return ( this.flags & FLAGS_INHERITED ) != 0;
}
/**
* Returns the flags for this ACE. The isInherited()
* method checks the FLAGS_INHERITED bit in these flags.
*
* @return the ACE falgs
*/
public int getFlags () {
return this.flags;
}
/**
* Returns the 'Apply To' text for inheritance of ACEs on
* directories such as 'This folder, subfolder and files'. For
* files the text is always 'This object only'.
*
* @return descriptive text for the ACE scope
*/
public String getApplyToText () {
switch ( this.flags & ( FLAGS_OBJECT_INHERIT | FLAGS_CONTAINER_INHERIT | FLAGS_INHERIT_ONLY ) ) {
case 0x00:
return "This folder only";
case 0x03:
return "This folder, subfolders and files";
case 0x0B:
return "Subfolders and files only";
case 0x02:
return "This folder and subfolders";
case 0x0A:
return "Subfolders only";
case 0x01:
return "This folder and files";
case 0x09:
return "Files only";
}
return "Invalid";
}
/**
* Returns the access mask accociated with this ACE. Use the
* constants for FILE_READ_DATA, FILE_WRITE_DATA,
* READ_CONTROL, GENERIC_ALL, etc with bitwise
* operators to determine which bits of the mask are on or off.
*
* @return the access mask
*/
public int getAccessMask () {
return this.access;
}
/**
* Return the SID associated with this ACE.
*
* @return ACE target SID
*/
public SID getSID () {
return this.sid;
}
int decode ( byte[] buf, int bi ) {
this.allow = buf[ bi++ ] == (byte) 0x00;
this.flags = buf[ bi++ ] & 0xFF;
int size = SMBUtil.readInt2(buf, bi);
bi += 2;
this.access = SMBUtil.readInt4(buf, bi);
bi += 4;
this.sid = new SID(buf, bi);
return size;
}
void appendCol ( StringBuffer sb, String str, int width ) {
sb.append(str);
int count = width - str.length();
for ( int i = 0; i < count; i++ ) {
sb.append(' ');
}
}
/**
* Return a string represeting this ACE.
*
* Note: This function should probably be changed to return SDDL
* fragments but currently it does not.
*/
@Override
public String toString () {
StringBuffer sb = new StringBuffer();
sb.append(isAllow() ? "Allow " : "Deny ");
appendCol(sb, this.sid.toDisplayString(), 25);
sb.append(" 0x").append(Hexdump.toHexString(this.access, 8)).append(' ');
sb.append(isInherited() ? "Inherited " : "Direct ");
appendCol(sb, getApplyToText(), 34);
return sb.toString();
}
}