[PATCH] Log security descriptors coming in from clients

Volker Lendecke Volker.Lendecke at SerNet.DE
Thu Aug 7 05:44:00 MDT 2014


Hi!

Attached find a set of patches that make full_audit log
incoming security descriptors in SDDL form when a client
wants to set an ACL. A customer wants to diagnose problems
with this, and I don't want to maintain this as a custom
patch :-)

Review would be appreciated!

Thanks,

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
-------------- next part --------------
From eed2988b25ec043a7d576977f476ffdc2337b092 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Thu, 7 Aug 2014 10:23:25 +0000
Subject: [PATCH 1/5] vfs_full_audit: Pass "vfs_full_audit_private_data" to
 log_failure/success()

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/modules/vfs_full_audit.c | 25 +++++++++----------------
 1 file changed, 9 insertions(+), 16 deletions(-)

diff --git a/source3/modules/vfs_full_audit.c b/source3/modules/vfs_full_audit.c
index 262b241..90d27df 100644
--- a/source3/modules/vfs_full_audit.c
+++ b/source3/modules/vfs_full_audit.c
@@ -385,14 +385,8 @@ static char *audit_prefix(TALLOC_CTX *ctx, connection_struct *conn)
 	return result;
 }
 
-static bool log_success(vfs_handle_struct *handle, vfs_op_type op)
+static bool log_success(struct vfs_full_audit_private_data *pd, vfs_op_type op)
 {
-	struct vfs_full_audit_private_data *pd = NULL;
-
-	SMB_VFS_HANDLE_GET_DATA(handle, pd,
-		struct vfs_full_audit_private_data,
-		return True);
-
 	if (pd->success_ops == NULL) {
 		return True;
 	}
@@ -400,14 +394,8 @@ static bool log_success(vfs_handle_struct *handle, vfs_op_type op)
 	return bitmap_query(pd->success_ops, op);
 }
 
-static bool log_failure(vfs_handle_struct *handle, vfs_op_type op)
+static bool log_failure(struct vfs_full_audit_private_data *pd, vfs_op_type op)
 {
-	struct vfs_full_audit_private_data *pd = NULL;
-
-	SMB_VFS_HANDLE_GET_DATA(handle, pd,
-		struct vfs_full_audit_private_data,
-		return True);
-
 	if (pd->failure_ops == NULL)
 		return True;
 
@@ -498,16 +486,21 @@ static TALLOC_CTX *do_log_ctx(void)
 static void do_log(vfs_op_type op, bool success, vfs_handle_struct *handle,
 		   const char *format, ...)
 {
+	struct vfs_full_audit_private_data *pd;
 	fstring err_msg;
 	char *audit_pre = NULL;
 	va_list ap;
 	char *op_msg = NULL;
 	int priority;
 
-	if (success && (!log_success(handle, op)))
+	SMB_VFS_HANDLE_GET_DATA(handle, pd,
+				struct vfs_full_audit_private_data,
+				return;);
+
+	if (success && (!log_success(pd, op)))
 		goto out;
 
-	if (!success && (!log_failure(handle, op)))
+	if (!success && (!log_failure(pd, op)))
 		goto out;
 
 	if (success)
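Review bot: The bare `return;` in the failure branch of SMB_VFS_HANDLE_GET_DATA at the top of do_log() silently drops the audit record, whereas the fallbacks removed from log_success()/log_failure() returned True and let the record through to syslog; for an audit module a silent drop is the wrong default, and the commit message does not mention the change. At minimum make the drop visible, e.g. `DEBUG(0, ("%s: no private data, dropping audit record\n", __func__)); return;` in place of the bare `return;`. do_log()'s body continues past the end of the hunk.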
-- 
1.8.1.2


From de0a3956fd9aa480d7e356143d15bc2fd966e589 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Thu, 7 Aug 2014 10:34:18 +0000
Subject: [PATCH 2/5] vfs_full_audit: Save full_audit:facility in private_data

lp_parm_enum() can become expensive when it is called for every audit message.

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/modules/vfs_full_audit.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/source3/modules/vfs_full_audit.c b/source3/modules/vfs_full_audit.c
index 90d27df..ec886c5 100644
--- a/source3/modules/vfs_full_audit.c
+++ b/source3/modules/vfs_full_audit.c
@@ -73,6 +73,7 @@ static int vfs_full_audit_debug_level = DBGC_VFS;
 struct vfs_full_audit_private_data {
 	struct bitmap *success_ops;
 	struct bitmap *failure_ops;
+	int syslog_facility;
 };
 
 #undef DBGC_CLASS
@@ -520,8 +521,7 @@ static void do_log(vfs_op_type op, bool success, vfs_handle_struct *handle,
 	 * Specify the facility to interoperate with other syslog callers
 	 * (smbd for example).
 	 */
-	priority = audit_syslog_priority(handle) |
-	    audit_syslog_facility(handle);
+	priority = audit_syslog_priority(handle) | pd->syslog_facility;
 
 	audit_pre = audit_prefix(talloc_tos(), handle->conn);
 	syslog(priority, "%s|%s|%s|%s\n",
@@ -580,8 +580,18 @@ static int smb_full_audit_connect(vfs_handle_struct *handle,
 		return -1;
 	}
 
+	pd->syslog_facility = audit_syslog_facility(handle);
+	if (pd->syslog_facility == -1) {
+		DEBUG(1, ("%s: Unknown facility %s\n", __func__,
+			  lp_parm_const_string(SNUM(handle->conn),
+					       "full_audit", "facility",
+					       "USER")));
+		SMB_VFS_NEXT_DISCONNECT(handle);
+		return -1;
+	}
+
 #ifdef WITH_SYSLOG
-	openlog("smbd_audit", 0, audit_syslog_facility(handle));
+	openlog("smbd_audit", 0, pd->syslog_facility);
 #endif
 
 	pd->success_ops = init_bitmap(
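Review bot: An unrecognised full_audit:facility now refuses every connection to the share (SMB_VFS_NEXT_DISCONNECT followed by `return -1`) but reports the reason only at DEBUG level 1, which is invisible at the default log level 0, so an administrator sees clients failing to connect with nothing in the log. A configuration error that rejects connections should be `DEBUG(0, ("%s: Unknown facility %s\n", __func__, ...))`. The commit message should also state that an unknown facility is now a connect failure, since that is new behaviour rather than a pure caching change (what the old per-call path did with -1 is outside the hunk). smb_full_audit_connect() starts before this hunk and continues after it.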
-- 
1.8.1.2


From e3f09a7ca35eba8b2a0c99680efb901ea65f16dd Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Thu, 7 Aug 2014 10:34:18 +0000
Subject: [PATCH 3/5] vfs_full_audit: Save full_audit:priority in private_data

lp_parm_enum() can become expensive when it is called for every audit message.

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/modules/vfs_full_audit.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/source3/modules/vfs_full_audit.c b/source3/modules/vfs_full_audit.c
index ec886c5..00af87c 100644
--- a/source3/modules/vfs_full_audit.c
+++ b/source3/modules/vfs_full_audit.c
@@ -74,6 +74,7 @@ struct vfs_full_audit_private_data {
 	struct bitmap *success_ops;
 	struct bitmap *failure_ops;
 	int syslog_facility;
+	int syslog_priority;
 };
 
 #undef DBGC_CLASS
@@ -521,7 +522,7 @@ static void do_log(vfs_op_type op, bool success, vfs_handle_struct *handle,
 	 * Specify the facility to interoperate with other syslog callers
 	 * (smbd for example).
 	 */
-	priority = audit_syslog_priority(handle) | pd->syslog_facility;
+	priority = pd->syslog_priority | pd->syslog_facility;
 
 	audit_pre = audit_prefix(talloc_tos(), handle->conn);
 	syslog(priority, "%s|%s|%s|%s\n",
@@ -590,6 +591,8 @@ static int smb_full_audit_connect(vfs_handle_struct *handle,
 		return -1;
 	}
 
+	pd->syslog_priority = audit_syslog_priority(handle);
+
 #ifdef WITH_SYSLOG
 	openlog("smbd_audit", 0, pd->syslog_facility);
 #endif
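Review bot: pd->syslog_priority is stored without the -1 check that pd->syslog_facility receives a few lines earlier in the same function; if audit_syslog_priority() mirrors audit_syslog_facility() and returns -1 for an unrecognised full_audit:priority (its body is not in the hunk, so this is inferred), every do_log() call will OR -1 into the facility and hand syslog() an invalid priority for the lifetime of the connection. Mirror the facility handling so the misconfiguration is rejected once at connect time rather than on every audit record. smb_full_audit_connect() starts before this hunk and continues after it.
```c
	pd->syslog_priority = audit_syslog_priority(handle);
	if (pd->syslog_priority == -1) {
		DEBUG(0, ("%s: Unknown full_audit:priority\n", __func__));
		SMB_VFS_NEXT_DISCONNECT(handle);
		return -1;
	}
	/* ... unchanged: openlog() ... */
```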
-- 
1.8.1.2


From 0dd59a4100c8a6c36250a86d3d6fd0c93bc8ebd8 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Thu, 7 Aug 2014 10:44:01 +0000
Subject: [PATCH 4/5] vfs_full_audit: Add "full_audit:syslog"

Defaults to true (for compatibility)

With full_audit:syslog=false we DEBUG the messages with level 1.

You can explicitly [en|dis]able this with debug class full_audit:0/1

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 docs-xml/manpages/vfs_full_audit.8.xml |  9 +++++++++
 source3/modules/vfs_full_audit.c       | 35 +++++++++++++++++++++++-----------
 2 files changed, 33 insertions(+), 11 deletions(-)

diff --git a/docs-xml/manpages/vfs_full_audit.8.xml b/docs-xml/manpages/vfs_full_audit.8.xml
index 2be26b0..b7d9be4 100644
--- a/docs-xml/manpages/vfs_full_audit.8.xml
+++ b/docs-xml/manpages/vfs_full_audit.8.xml
@@ -202,6 +202,15 @@
                 </listitem>
                 </varlistentry>
 
+                <varlistentry>
+                <term>full_audit:syslog = true/false</term>
+                <listitem>
+                <para>Log messages to syslog (default) or as a debug level 1
+                message.
+                </para>
+                </listitem>
+                </varlistentry>
+
 	</variablelist>
 </refsect1>
 
diff --git a/source3/modules/vfs_full_audit.c b/source3/modules/vfs_full_audit.c
index 00af87c..eee8246 100644
--- a/source3/modules/vfs_full_audit.c
+++ b/source3/modules/vfs_full_audit.c
@@ -75,6 +75,7 @@ struct vfs_full_audit_private_data {
 	struct bitmap *failure_ops;
 	int syslog_facility;
 	int syslog_priority;
+	bool do_syslog;
 };
 
 #undef DBGC_CLASS
@@ -493,7 +494,6 @@ static void do_log(vfs_op_type op, bool success, vfs_handle_struct *handle,
 	char *audit_pre = NULL;
 	va_list ap;
 	char *op_msg = NULL;
-	int priority;
 
 	SMB_VFS_HANDLE_GET_DATA(handle, pd,
 				struct vfs_full_audit_private_data,
@@ -518,17 +518,25 @@ static void do_log(vfs_op_type op, bool success, vfs_handle_struct *handle,
 		goto out;
 	}
 
-	/*
-	 * Specify the facility to interoperate with other syslog callers
-	 * (smbd for example).
-	 */
-	priority = pd->syslog_priority | pd->syslog_facility;
-
 	audit_pre = audit_prefix(talloc_tos(), handle->conn);
-	syslog(priority, "%s|%s|%s|%s\n",
-		audit_pre ? audit_pre : "",
-		audit_opname(op), err_msg, op_msg);
 
+	if (pd->do_syslog) {
+		int priority;
+
+		/*
+		 * Specify the facility to interoperate with other syslog
+		 * callers (smbd for example).
+		 */
+		priority = pd->syslog_priority | pd->syslog_facility;
+
+		syslog(priority, "%s|%s|%s|%s\n",
+		       audit_pre ? audit_pre : "",
+		       audit_opname(op), err_msg, op_msg);
+	} else {
+		DEBUG(1, ("%s|%s|%s|%s\n",
+			  audit_pre ? audit_pre : "",
+			  audit_opname(op), err_msg, op_msg));
+	}
  out:
 	TALLOC_FREE(audit_pre);
 	TALLOC_FREE(op_msg);
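Review bot: The else branch emits the audit record with DEBUG(1, ...), so with full_audit:syslog = false and the default log level the records are discarded entirely unless the administrator raises `log level` or, as the commit message says, enables the full_audit debug class; neither the new man page text nor the code says so, and an operator could believe auditing is active while nothing is recorded. Add a comment above the DEBUG call, `/* Only emitted when "log level" is >= 1 or includes full_audit:1 */`, and state the same requirement in the full_audit:syslog man page entry. do_log() starts before this hunk.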
@@ -593,8 +601,13 @@ static int smb_full_audit_connect(vfs_handle_struct *handle,
 
 	pd->syslog_priority = audit_syslog_priority(handle);
 
+	pd->do_syslog = lp_parm_bool(SNUM(handle->conn),
+				     "full_audit", "syslog", true);
+
 #ifdef WITH_SYSLOG
-	openlog("smbd_audit", 0, pd->syslog_facility);
+	if (pd->do_syslog) {
+		openlog("smbd_audit", 0, pd->syslog_facility);
+	}
 #endif
 
 	pd->success_ops = init_bitmap(
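Review bot: With full_audit:syslog = false the facility is never used, yet the facility validation earlier in smb_full_audit_connect() (outside this hunk) still rejects the whole connection when full_audit:facility is unrecognised. Read do_syslog before that check and make the check conditional, `if (pd->do_syslog && pd->syslog_facility == -1) {`, so a setting that has no effect cannot take the share offline. smb_full_audit_connect() starts before this hunk and continues after it.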
-- 
1.8.1.2


From 9c74d8c7cf490c3a33ab394106fa7d9d4a8b00da Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Thu, 7 Aug 2014 10:53:33 +0000
Subject: [PATCH 5/5] vfs_full_audit: Optionally log security descriptors in
 FSET_NT_ACL

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 docs-xml/manpages/vfs_full_audit.8.xml |  9 +++++++++
 source3/modules/vfs_full_audit.c       | 22 ++++++++++++++++++++--
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/docs-xml/manpages/vfs_full_audit.8.xml b/docs-xml/manpages/vfs_full_audit.8.xml
index b7d9be4..24545db 100644
--- a/docs-xml/manpages/vfs_full_audit.8.xml
+++ b/docs-xml/manpages/vfs_full_audit.8.xml
@@ -211,6 +211,15 @@
                 </listitem>
                 </varlistentry>
 
+                <varlistentry>
+                <term>full_audit:log_secdesc = true/false</term>
+                <listitem>
+                <para>Log an sddl form of the security descriptor coming in
+                when a client sets an acl. Defaults to false.
+                </para>
+                </listitem>
+                </varlistentry>
+
 	</variablelist>
 </refsect1>
 
diff --git a/source3/modules/vfs_full_audit.c b/source3/modules/vfs_full_audit.c
index eee8246..7f0222c 100644
--- a/source3/modules/vfs_full_audit.c
+++ b/source3/modules/vfs_full_audit.c
@@ -67,6 +67,8 @@
 #include "lib/param/loadparm.h"
 #include "lib/util/bitmap.h"
 #include "lib/util/tevent_unix.h"
+#include "libcli/security/sddl.h"
+#include "passdb/machine_sid.h"
 
 static int vfs_full_audit_debug_level = DBGC_VFS;
 
@@ -75,6 +77,7 @@ struct vfs_full_audit_private_data {
 	struct bitmap *failure_ops;
 	int syslog_facility;
 	int syslog_priority;
+	bool log_secdesc;
 	bool do_syslog;
 };
 
@@ -601,6 +604,9 @@ static int smb_full_audit_connect(vfs_handle_struct *handle,
 
 	pd->syslog_priority = audit_syslog_priority(handle);
 
+	pd->log_secdesc = lp_parm_bool(SNUM(handle->conn),
+				       "full_audit", "log_secdesc", false);
+
 	pd->do_syslog = lp_parm_bool(SNUM(handle->conn),
 				     "full_audit", "syslog", true);
 
@@ -1863,12 +1869,24 @@ static NTSTATUS smb_full_audit_fset_nt_acl(vfs_handle_struct *handle, files_stru
 			      uint32 security_info_sent,
 			      const struct security_descriptor *psd)
 {
+	struct vfs_full_audit_private_data *pd;
 	NTSTATUS result;
+	char *sd = NULL;
+
+	SMB_VFS_HANDLE_GET_DATA(handle, pd,
+				struct vfs_full_audit_private_data,
+				return NT_STATUS_INTERNAL_ERROR);
+
+	if (pd->log_secdesc) {
+		sd = sddl_encode(talloc_tos(), psd, get_global_sam_sid());
+	}
 
 	result = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
 
-	do_log(SMB_VFS_OP_FSET_NT_ACL, NT_STATUS_IS_OK(result), handle, "%s",
-	       fsp_str_do_log(fsp));
+	do_log(SMB_VFS_OP_FSET_NT_ACL, NT_STATUS_IS_OK(result), handle,
+	       "%s [%s]", fsp_str_do_log(fsp), sd ? sd : "");
+
+	TALLOC_FREE(sd);
 
 	return result;
 }
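Review bot: The format string `"%s [%s]"` is applied unconditionally, so every FSET_NT_ACL record now ends in ` []` even with log_secdesc = false, and an sddl_encode() failure (NULL) is indistinguishable from the option being off; consumers parsing the existing `fset_nt_acl|ok|path` layout will see the changed format. Since the stated purpose is diagnosing ACL problems, it is also worth logging the security_info_sent mask, which decides which parts of psd (owner, group, DACL, SACL) the backend actually applies, so the logged descriptor can be read correctly. Note too that the GET_DATA failure path returns NT_STATUS_INTERNAL_ERROR and blocks the ACL set, while do_log() in the same module merely skips logging in that case; pick one policy. smb_full_audit_fset_nt_acl()'s signature starts before the hunk.
```c
	if (pd->log_secdesc) {
		sd = sddl_encode(talloc_tos(), psd, get_global_sam_sid());
		if (sd == NULL) {
			DEBUG(1, ("%s: sddl_encode failed\n", __func__));
		}
	}

	result = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);

	if (sd != NULL) {
		do_log(SMB_VFS_OP_FSET_NT_ACL, NT_STATUS_IS_OK(result), handle,
		       "%s info=0x%x [%s]", fsp_str_do_log(fsp),
		       (unsigned)security_info_sent, sd);
	} else {
		/* unchanged record layout when no descriptor is logged */
		do_log(SMB_VFS_OP_FSET_NT_ACL, NT_STATUS_IS_OK(result), handle,
		       "%s", fsp_str_do_log(fsp));
	}
	/* ... unchanged: TALLOC_FREE(sd); return result; ... */
```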
-- 
1.8.1.2


