Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

source: branches/samba-3.2.x/source/utils/net_rpc_rights.c

Visit:

Last change on this file was 133, checked in by Paul Smedley, 17 years ago
Update trunk to 3.2.0pre3
File size: 16.9 KB

Line
1	/*
2	Samba Unix/Linux SMB client library
3	Distributed SMB/CIFS Server Management Utility
4	Copyright (C) Gerald (Jerry) Carter 2004
5	Copyright (C) Guenther Deschner 2008
6
7	This program is free software; you can redistribute it and/or modify
8	it under the terms of the GNU General Public License as published by
9	the Free Software Foundation; either version 3 of the License, or
10	(at your option) any later version.
11
12	This program is distributed in the hope that it will be useful,
13	but WITHOUT ANY WARRANTY; without even the implied warranty of
14	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15	GNU General Public License for more details.
16
17	You should have received a copy of the GNU General Public License
18	along with this program. If not, see <http://www.gnu.org/licenses/>. */
19
20	#include "includes.h"
21	#include "utils/net.h"
22
23	/********************************************************************
24	********************************************************************/
25
26	static NTSTATUS sid_to_name(struct rpc_pipe_client *pipe_hnd,
27	TALLOC_CTX *mem_ctx,
28	DOM_SID *sid,
29	fstring name)
30	{
31	POLICY_HND pol;
32	enum lsa_SidType *sid_types = NULL;
33	NTSTATUS result;
34	char domains = NULL, names = NULL;
35
36	result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, True,
37	SEC_RIGHTS_MAXIMUM_ALLOWED, &pol);
38
39	if ( !NT_STATUS_IS_OK(result) )
40	return result;
41
42	result = rpccli_lsa_lookup_sids(pipe_hnd, mem_ctx, &pol, 1, sid, &domains, &names, &sid_types);
43
44	if ( NT_STATUS_IS_OK(result) ) {
45	if ( *domains[0] )
46	fstr_sprintf( name, "%s\\%s", domains[0], names[0] );
47	else
48	fstrcpy( name, names[0] );
49	}
50
51	rpccli_lsa_Close(pipe_hnd, mem_ctx, &pol);
52	return result;
53	}
54
55	/********************************************************************
56	********************************************************************/
57
58	static NTSTATUS name_to_sid(struct rpc_pipe_client *pipe_hnd,
59	TALLOC_CTX *mem_ctx,
60	DOM_SID sid, const char name)
61	{
62	POLICY_HND pol;
63	enum lsa_SidType *sid_types;
64	NTSTATUS result;
65	DOM_SID *sids;
66
67	/* maybe its a raw SID */
68	if ( strncmp(name, "S-", 2) == 0 && string_to_sid(sid, name) ) {
69	return NT_STATUS_OK;
70	}
71
72	result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, True,
73	SEC_RIGHTS_MAXIMUM_ALLOWED, &pol);
74
75	if ( !NT_STATUS_IS_OK(result) )
76	return result;
77
78	result = rpccli_lsa_lookup_names(pipe_hnd, mem_ctx, &pol, 1, &name,
79	NULL, 1, &sids, &sid_types);
80
81	if ( NT_STATUS_IS_OK(result) )
82	sid_copy( sid, &sids[0] );
83
84	rpccli_lsa_Close(pipe_hnd, mem_ctx, &pol);
85	return result;
86	}
87
88	/********************************************************************
89	********************************************************************/
90
91	static NTSTATUS enum_privileges(struct rpc_pipe_client *pipe_hnd,
92	TALLOC_CTX *ctx,
93	POLICY_HND *pol )
94	{
95	NTSTATUS result;
96	uint32 enum_context = 0;
97	uint32 pref_max_length=0x1000;
98	int i;
99	uint16 lang_id=0;
100	uint16 lang_id_sys=0;
101	uint16 lang_id_desc;
102	struct lsa_StringLarge *description = NULL;
103	struct lsa_PrivArray priv_array;
104
105	result = rpccli_lsa_EnumPrivs(pipe_hnd, ctx,
106	pol,
107	&enum_context,
108	&priv_array,
109	pref_max_length);
110
111	if ( !NT_STATUS_IS_OK(result) )
112	return result;
113
114	/* Print results */
115
116	for (i = 0; i < priv_array.count; i++) {
117
118	struct lsa_String lsa_name;
119
120	d_printf("%30s ",
121	priv_array.privs[i].name.string ? priv_array.privs[i].name.string : "unknown" );
122
123	/* try to get the description */
124
125	init_lsa_String(&lsa_name, priv_array.privs[i].name.string);
126
127	result = rpccli_lsa_LookupPrivDisplayName(pipe_hnd, ctx,
128	pol,
129	&lsa_name,
130	lang_id,
131	lang_id_sys,
132	&description,
133	&lang_id_desc);
134
135	if (!NT_STATUS_IS_OK(result)) {
136	d_printf("??????\n");
137	continue;
138	}
139
140	d_printf("%s\n", description->string);
141	}
142
143	return NT_STATUS_OK;
144	}
145
146	/********************************************************************
147	********************************************************************/
148
149	static NTSTATUS check_privilege_for_user(struct rpc_pipe_client *pipe_hnd,
150	TALLOC_CTX *ctx,
151	POLICY_HND *pol,
152	DOM_SID *sid,
153	const char *right)
154	{
155	NTSTATUS result;
156	struct lsa_RightSet rights;
157	int i;
158
159	result = rpccli_lsa_EnumAccountRights(pipe_hnd, ctx,
160	pol,
161	sid,
162	&rights);
163
164	if (!NT_STATUS_IS_OK(result)) {
165	return result;
166	}
167
168	if (rights.count == 0) {
169	return NT_STATUS_OBJECT_NAME_NOT_FOUND;
170	}
171
172	for (i = 0; i < rights.count; i++) {
173	if (StrCaseCmp(rights.names[i].string, right) == 0) {
174	return NT_STATUS_OK;
175	}
176	}
177
178	return NT_STATUS_OBJECT_NAME_NOT_FOUND;
179	}
180
181	/********************************************************************
182	********************************************************************/
183
184	static NTSTATUS enum_privileges_for_user(struct rpc_pipe_client *pipe_hnd,
185	TALLOC_CTX *ctx,
186	POLICY_HND *pol,
187	DOM_SID *sid )
188	{
189	NTSTATUS result;
190	struct lsa_RightSet rights;
191	int i;
192
193	result = rpccli_lsa_EnumAccountRights(pipe_hnd, ctx,
194	pol,
195	sid,
196	&rights);
197
198	if (!NT_STATUS_IS_OK(result))
199	return result;
200
201	if (rights.count == 0) {
202	d_printf("No privileges assigned\n");
203	}
204
205	for (i = 0; i < rights.count; i++) {
206	printf("%s\n", rights.names[i].string);
207	}
208
209	return NT_STATUS_OK;
210	}
211
212	/********************************************************************
213	********************************************************************/
214
215	static NTSTATUS enum_accounts_for_privilege(struct rpc_pipe_client *pipe_hnd,
216	TALLOC_CTX *ctx,
217	POLICY_HND *pol,
218	const char *privilege)
219	{
220	NTSTATUS result;
221	uint32 enum_context=0;
222	uint32 pref_max_length=0x1000;
223	struct lsa_SidArray sid_array;
224	int i;
225	fstring name;
226
227	result = rpccli_lsa_EnumAccounts(pipe_hnd, ctx,
228	pol,
229	&enum_context,
230	&sid_array,
231	pref_max_length);
232
233	if (!NT_STATUS_IS_OK(result))
234	return result;
235
236	d_printf("%s:\n", privilege);
237
238	for ( i=0; i<sid_array.num_sids; i++ ) {
239
240	result = check_privilege_for_user(pipe_hnd, ctx, pol,
241	sid_array.sids[i].sid,
242	privilege);
243
244	if ( ! NT_STATUS_IS_OK(result)) {
245	if ( ! NT_STATUS_EQUAL(result, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
246	return result;
247	}
248	continue;
249	}
250
251	/* try to convert the SID to a name. Fall back to
252	printing the raw SID if necessary */
253	result = sid_to_name( pipe_hnd, ctx, sid_array.sids[i].sid, name );
254	if ( !NT_STATUS_IS_OK (result) )
255	sid_to_fstring(name, sid_array.sids[i].sid);
256
257	d_printf(" %s\n", name);
258	}
259
260	return NT_STATUS_OK;
261	}
262
263	/********************************************************************
264	********************************************************************/
265
266	static NTSTATUS enum_privileges_for_accounts(struct rpc_pipe_client *pipe_hnd,
267	TALLOC_CTX *ctx,
268	POLICY_HND *pol)
269	{
270	NTSTATUS result;
271	uint32 enum_context=0;
272	uint32 pref_max_length=0x1000;
273	struct lsa_SidArray sid_array;
274	int i;
275	fstring name;
276
277	result = rpccli_lsa_EnumAccounts(pipe_hnd, ctx,
278	pol,
279	&enum_context,
280	&sid_array,
281	pref_max_length);
282
283	if (!NT_STATUS_IS_OK(result))
284	return result;
285
286	for ( i=0; i<sid_array.num_sids; i++ ) {
287
288	/* try to convert the SID to a name. Fall back to
289	printing the raw SID if necessary */
290
291	result = sid_to_name(pipe_hnd, ctx, sid_array.sids[i].sid, name);
292	if ( !NT_STATUS_IS_OK (result) )
293	sid_to_fstring(name, sid_array.sids[i].sid);
294
295	d_printf("%s\n", name);
296
297	result = enum_privileges_for_user(pipe_hnd, ctx, pol,
298	sid_array.sids[i].sid);
299	if ( !NT_STATUS_IS_OK(result) )
300	return result;
301
302	d_printf("\n");
303	}
304
305	return NT_STATUS_OK;
306	}
307
308	/********************************************************************
309	********************************************************************/
310
311	static NTSTATUS rpc_rights_list_internal(const DOM_SID *domain_sid,
312	const char *domain_name,
313	struct cli_state *cli,
314	struct rpc_pipe_client *pipe_hnd,
315	TALLOC_CTX *mem_ctx,
316	int argc,
317	const char **argv )
318	{
319	POLICY_HND pol;
320	NTSTATUS result;
321	DOM_SID sid;
322	fstring privname;
323	struct lsa_String lsa_name;
324	struct lsa_StringLarge *description = NULL;
325	uint16 lang_id = 0;
326	uint16 lang_id_sys = 0;
327	uint16 lang_id_desc;
328
329
330	result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, True,
331	SEC_RIGHTS_MAXIMUM_ALLOWED, &pol);
332
333	if ( !NT_STATUS_IS_OK(result) )
334	return result;
335
336	/* backwards compatibility; just list available privileges if no arguement */
337
338	if (argc == 0) {
339	result = enum_privileges(pipe_hnd, mem_ctx, &pol );
340	goto done;
341	}
342
343	if (strequal(argv[0], "privileges")) {
344	int i = 1;
345
346	if (argv[1] == NULL) {
347	result = enum_privileges(pipe_hnd, mem_ctx, &pol );
348	goto done;
349	}
350
351	while ( argv[i] != NULL ) {
352	fstrcpy(privname, argv[i]);
353	init_lsa_String(&lsa_name, argv[i]);
354	i++;
355
356	/* verify that this is a valid privilege for error reporting */
357	result = rpccli_lsa_LookupPrivDisplayName(pipe_hnd, mem_ctx,
358	&pol,
359	&lsa_name,
360	lang_id,
361	lang_id_sys,
362	&description,
363	&lang_id_desc);
364
365	if ( !NT_STATUS_IS_OK(result) ) {
366	if ( NT_STATUS_EQUAL( result, NT_STATUS_NO_SUCH_PRIVILEGE ) )
367	d_fprintf(stderr, "No such privilege exists: %s.\n", privname);
368	else
369	d_fprintf(stderr, "Error resolving privilege display name [%s].\n", nt_errstr(result));
370	continue;
371	}
372
373	result = enum_accounts_for_privilege(pipe_hnd, mem_ctx, &pol, privname);
374	if (!NT_STATUS_IS_OK(result)) {
375	d_fprintf(stderr, "Error enumerating accounts for privilege %s [%s].\n",
376	privname, nt_errstr(result));
377	continue;
378	}
379	}
380	goto done;
381	}
382
383	/* special case to enumerate all privileged SIDs with associated rights */
384
385	if (strequal( argv[0], "accounts")) {
386	int i = 1;
387
388	if (argv[1] == NULL) {
389	result = enum_privileges_for_accounts(pipe_hnd, mem_ctx, &pol);
390	goto done;
391	}
392
393	while (argv[i] != NULL) {
394	result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[i]);
395	if (!NT_STATUS_IS_OK(result)) {
396	goto done;
397	}
398	result = enum_privileges_for_user(pipe_hnd, mem_ctx, &pol, &sid);
399	if (!NT_STATUS_IS_OK(result)) {
400	goto done;
401	}
402	i++;
403	}
404	goto done;
405	}
406
407	/* backward comaptibility: if no keyword provided, treat the key
408	as an account name */
409	if (argc > 1) {
410	d_printf("Usage: net rpc rights list [[accounts\|privileges] [name\|SID]]\n");
411	result = NT_STATUS_OK;
412	goto done;
413	}
414
415	result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
416	if (!NT_STATUS_IS_OK(result)) {
417	goto done;
418	}
419	result = enum_privileges_for_user(pipe_hnd, mem_ctx, &pol, &sid );
420
421	done:
422	rpccli_lsa_Close(pipe_hnd, mem_ctx, &pol);
423
424	return result;
425	}
426
427	/********************************************************************
428	********************************************************************/
429
430	static NTSTATUS rpc_rights_grant_internal(const DOM_SID *domain_sid,
431	const char *domain_name,
432	struct cli_state *cli,
433	struct rpc_pipe_client *pipe_hnd,
434	TALLOC_CTX *mem_ctx,
435	int argc,
436	const char **argv )
437	{
438	POLICY_HND dom_pol;
439	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
440	struct lsa_RightSet rights;
441	int i;
442
443	DOM_SID sid;
444
445	if (argc < 2 ) {
446	d_printf("Usage: net rpc rights grant <name\|SID> <rights...>\n");
447	return NT_STATUS_OK;
448	}
449
450	result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
451	if (!NT_STATUS_IS_OK(result))
452	return result;
453
454	result = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, True,
455	SEC_RIGHTS_MAXIMUM_ALLOWED,
456	&dom_pol);
457
458	if (!NT_STATUS_IS_OK(result))
459	return result;
460
461	rights.count = argc-1;
462	rights.names = TALLOC_ARRAY(mem_ctx, struct lsa_StringLarge,
463	rights.count);
464	if (!rights.names) {
465	return NT_STATUS_NO_MEMORY;
466	}
467
468	for (i=0; i<argc-1; i++) {
469	init_lsa_StringLarge(&rights.names[i], argv[i+1]);
470	}
471
472	result = rpccli_lsa_AddAccountRights(pipe_hnd, mem_ctx,
473	&dom_pol,
474	&sid,
475	&rights);
476
477	if (!NT_STATUS_IS_OK(result))
478	goto done;
479
480	d_printf("Successfully granted rights.\n");
481
482	done:
483	if ( !NT_STATUS_IS_OK(result) ) {
484	d_fprintf(stderr, "Failed to grant privileges for %s (%s)\n",
485	argv[0], nt_errstr(result));
486	}
487
488	rpccli_lsa_Close(pipe_hnd, mem_ctx, &dom_pol);
489
490	return result;
491	}
492
493	/********************************************************************
494	********************************************************************/
495
496	static NTSTATUS rpc_rights_revoke_internal(const DOM_SID *domain_sid,
497	const char *domain_name,
498	struct cli_state *cli,
499	struct rpc_pipe_client *pipe_hnd,
500	TALLOC_CTX *mem_ctx,
501	int argc,
502	const char **argv )
503	{
504	POLICY_HND dom_pol;
505	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
506	struct lsa_RightSet rights;
507	DOM_SID sid;
508	int i;
509
510	if (argc < 2 ) {
511	d_printf("Usage: net rpc rights revoke <name\|SID> <rights...>\n");
512	return NT_STATUS_OK;
513	}
514
515	result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
516	if (!NT_STATUS_IS_OK(result))
517	return result;
518
519	result = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, True,
520	SEC_RIGHTS_MAXIMUM_ALLOWED,
521	&dom_pol);
522
523	if (!NT_STATUS_IS_OK(result))
524	return result;
525
526	rights.count = argc-1;
527	rights.names = TALLOC_ARRAY(mem_ctx, struct lsa_StringLarge,
528	rights.count);
529	if (!rights.names) {
530	return NT_STATUS_NO_MEMORY;
531	}
532
533	for (i=0; i<argc-1; i++) {
534	init_lsa_StringLarge(&rights.names[i], argv[i+1]);
535	}
536
537	result = rpccli_lsa_RemoveAccountRights(pipe_hnd, mem_ctx,
538	&dom_pol,
539	&sid,
540	false,
541	&rights);
542
543	if (!NT_STATUS_IS_OK(result))
544	goto done;
545
546	d_printf("Successfully revoked rights.\n");
547
548	done:
549	if ( !NT_STATUS_IS_OK(result) ) {
550	d_fprintf(stderr, "Failed to revoke privileges for %s (%s)\n",
551	argv[0], nt_errstr(result));
552	}
553
554	rpccli_lsa_Close(pipe_hnd, mem_ctx, &dom_pol);
555
556	return result;
557	}
558
559
560	/********************************************************************
561	********************************************************************/
562
563	static int rpc_rights_list( int argc, const char **argv )
564	{
565	return run_rpc_command( NULL, PI_LSARPC, 0,
566	rpc_rights_list_internal, argc, argv );
567	}
568
569	/********************************************************************
570	********************************************************************/
571
572	static int rpc_rights_grant( int argc, const char **argv )
573	{
574	return run_rpc_command( NULL, PI_LSARPC, 0,
575	rpc_rights_grant_internal, argc, argv );
576	}
577
578	/********************************************************************
579	********************************************************************/
580
581	static int rpc_rights_revoke( int argc, const char **argv )
582	{
583	return run_rpc_command( NULL, PI_LSARPC, 0,
584	rpc_rights_revoke_internal, argc, argv );
585	}
586
587	/********************************************************************
588	********************************************************************/
589
590	static int net_help_rights( int argc, const char **argv )
591	{
592	d_printf("net rpc rights list [{accounts\|privileges} [name\|SID]] View available or assigned privileges\n");
593	d_printf("net rpc rights grant <name\|SID> <right> Assign privilege[s]\n");
594	d_printf("net rpc rights revoke <name\|SID> <right> Revoke privilege[s]\n");
595
596	d_printf("\nBoth 'grant' and 'revoke' require a SID and a list of privilege names.\n");
597	d_printf("For example\n");
598	d_printf("\n net rpc rights grant 'VALE\\biddle' SePrintOperatorPrivilege SeDiskOperatorPrivilege\n");
599	d_printf("\nwould grant the printer admin and disk manager rights to the user 'VALE\\biddle'\n\n");
600
601
602	return -1;
603	}
604
605	/********************************************************************
606	********************************************************************/
607
608	int net_rpc_rights(int argc, const char **argv)
609	{
610	struct functable func[] = {
611	{"list", rpc_rights_list},
612	{"grant", rpc_rights_grant},
613	{"revoke", rpc_rights_revoke},
614	{NULL, NULL}
615	};
616
617	if ( argc )
618	return net_run_function( argc, argv, func, net_help_rights );
619
620	return net_help_rights( argc, argv );
621	}
622
623	static NTSTATUS rpc_sh_rights_list(TALLOC_CTX mem_ctx, struct rpc_sh_ctx ctx,
624	struct rpc_pipe_client *pipe_hnd,
625	int argc, const char **argv)
626	{
627	return rpc_rights_list_internal(ctx->domain_sid, ctx->domain_name,
628	ctx->cli, pipe_hnd, mem_ctx,
629	argc, argv);
630	}
631
632	static NTSTATUS rpc_sh_rights_grant(TALLOC_CTX *mem_ctx,
633	struct rpc_sh_ctx *ctx,
634	struct rpc_pipe_client *pipe_hnd,
635	int argc, const char **argv)
636	{
637	return rpc_rights_grant_internal(ctx->domain_sid, ctx->domain_name,
638	ctx->cli, pipe_hnd, mem_ctx,
639	argc, argv);
640	}
641
642	static NTSTATUS rpc_sh_rights_revoke(TALLOC_CTX *mem_ctx,
643	struct rpc_sh_ctx *ctx,
644	struct rpc_pipe_client *pipe_hnd,
645	int argc, const char **argv)
646	{
647	return rpc_rights_revoke_internal(ctx->domain_sid, ctx->domain_name,
648	ctx->cli, pipe_hnd, mem_ctx,
649	argc, argv);
650	}
651
652	struct rpc_sh_cmd net_rpc_rights_cmds(TALLOC_CTX mem_ctx,
653	struct rpc_sh_ctx *ctx)
654	{
655	static struct rpc_sh_cmd cmds[] = {
656
657	{ "list", NULL, PI_LSARPC, rpc_sh_rights_list,
658	"View available or assigned privileges" },
659
660	{ "grant", NULL, PI_LSARPC, rpc_sh_rights_grant,
661	"Assign privilege[s]" },
662
663	{ "revoke", NULL, PI_LSARPC, rpc_sh_rights_revoke,
664	"Revoke privilege[s]" },
665
666	{ NULL, NULL, 0, NULL, NULL }
667	};
668
669	return cmds;
670	}
671

Note: See TracBrowser for help on using the repository browser.

Download in other formats: