Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

source: branches/samba-3.3.x/source/utils/net_rpc_rights.c

Visit:

Last change on this file was 206, checked in by Herwig Bauernfeind, 16 years ago
Import Samba 3.3 branch at 3.0.0 level (psmedley's port)
File size: 17.7 KB

Line
1	/*
2	Samba Unix/Linux SMB client library
3	Distributed SMB/CIFS Server Management Utility
4	Copyright (C) Gerald (Jerry) Carter 2004
5	Copyright (C) Guenther Deschner 2008
6
7	This program is free software; you can redistribute it and/or modify
8	it under the terms of the GNU General Public License as published by
9	the Free Software Foundation; either version 3 of the License, or
10	(at your option) any later version.
11
12	This program is distributed in the hope that it will be useful,
13	but WITHOUT ANY WARRANTY; without even the implied warranty of
14	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15	GNU General Public License for more details.
16
17	You should have received a copy of the GNU General Public License
18	along with this program. If not, see <http://www.gnu.org/licenses/>.
19	*/
20	#include "includes.h"
21	#include "utils/net.h"
22
23	/********************************************************************
24	********************************************************************/
25
26	static NTSTATUS sid_to_name(struct rpc_pipe_client *pipe_hnd,
27	TALLOC_CTX *mem_ctx,
28	DOM_SID *sid,
29	fstring name)
30	{
31	POLICY_HND pol;
32	enum lsa_SidType *sid_types = NULL;
33	NTSTATUS result;
34	char domains = NULL, names = NULL;
35
36	result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
37	SEC_RIGHTS_MAXIMUM_ALLOWED, &pol);
38
39	if ( !NT_STATUS_IS_OK(result) )
40	return result;
41
42	result = rpccli_lsa_lookup_sids(pipe_hnd, mem_ctx, &pol, 1, sid, &domains, &names, &sid_types);
43
44	if ( NT_STATUS_IS_OK(result) ) {
45	if ( *domains[0] )
46	fstr_sprintf( name, "%s\\%s", domains[0], names[0] );
47	else
48	fstrcpy( name, names[0] );
49	}
50
51	rpccli_lsa_Close(pipe_hnd, mem_ctx, &pol);
52	return result;
53	}
54
55	/********************************************************************
56	********************************************************************/
57
58	static NTSTATUS name_to_sid(struct rpc_pipe_client *pipe_hnd,
59	TALLOC_CTX *mem_ctx,
60	DOM_SID sid, const char name)
61	{
62	POLICY_HND pol;
63	enum lsa_SidType *sid_types;
64	NTSTATUS result;
65	DOM_SID *sids;
66
67	/* maybe its a raw SID */
68	if ( strncmp(name, "S-", 2) == 0 && string_to_sid(sid, name) ) {
69	return NT_STATUS_OK;
70	}
71
72	result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
73	SEC_RIGHTS_MAXIMUM_ALLOWED, &pol);
74
75	if ( !NT_STATUS_IS_OK(result) )
76	return result;
77
78	result = rpccli_lsa_lookup_names(pipe_hnd, mem_ctx, &pol, 1, &name,
79	NULL, 1, &sids, &sid_types);
80
81	if ( NT_STATUS_IS_OK(result) )
82	sid_copy( sid, &sids[0] );
83
84	rpccli_lsa_Close(pipe_hnd, mem_ctx, &pol);
85	return result;
86	}
87
88	/********************************************************************
89	********************************************************************/
90
91	static NTSTATUS enum_privileges(struct rpc_pipe_client *pipe_hnd,
92	TALLOC_CTX *ctx,
93	POLICY_HND *pol )
94	{
95	NTSTATUS result;
96	uint32 enum_context = 0;
97	uint32 pref_max_length=0x1000;
98	int i;
99	uint16 lang_id=0;
100	uint16 lang_id_sys=0;
101	uint16 lang_id_desc;
102	struct lsa_StringLarge *description = NULL;
103	struct lsa_PrivArray priv_array;
104
105	result = rpccli_lsa_EnumPrivs(pipe_hnd, ctx,
106	pol,
107	&enum_context,
108	&priv_array,
109	pref_max_length);
110
111	if ( !NT_STATUS_IS_OK(result) )
112	return result;
113
114	/* Print results */
115
116	for (i = 0; i < priv_array.count; i++) {
117
118	struct lsa_String lsa_name;
119
120	d_printf("%30s ",
121	priv_array.privs[i].name.string ? priv_array.privs[i].name.string : "unknown" );
122
123	/* try to get the description */
124
125	init_lsa_String(&lsa_name, priv_array.privs[i].name.string);
126
127	result = rpccli_lsa_LookupPrivDisplayName(pipe_hnd, ctx,
128	pol,
129	&lsa_name,
130	lang_id,
131	lang_id_sys,
132	&description,
133	&lang_id_desc);
134
135	if (!NT_STATUS_IS_OK(result)) {
136	d_printf("??????\n");
137	continue;
138	}
139
140	d_printf("%s\n", description->string);
141	}
142
143	return NT_STATUS_OK;
144	}
145
146	/********************************************************************
147	********************************************************************/
148
149	static NTSTATUS check_privilege_for_user(struct rpc_pipe_client *pipe_hnd,
150	TALLOC_CTX *ctx,
151	POLICY_HND *pol,
152	DOM_SID *sid,
153	const char *right)
154	{
155	NTSTATUS result;
156	struct lsa_RightSet rights;
157	int i;
158
159	result = rpccli_lsa_EnumAccountRights(pipe_hnd, ctx,
160	pol,
161	sid,
162	&rights);
163
164	if (!NT_STATUS_IS_OK(result)) {
165	return result;
166	}
167
168	if (rights.count == 0) {
169	return NT_STATUS_OBJECT_NAME_NOT_FOUND;
170	}
171
172	for (i = 0; i < rights.count; i++) {
173	if (StrCaseCmp(rights.names[i].string, right) == 0) {
174	return NT_STATUS_OK;
175	}
176	}
177
178	return NT_STATUS_OBJECT_NAME_NOT_FOUND;
179	}
180
181	/********************************************************************
182	********************************************************************/
183
184	static NTSTATUS enum_privileges_for_user(struct rpc_pipe_client *pipe_hnd,
185	TALLOC_CTX *ctx,
186	POLICY_HND *pol,
187	DOM_SID *sid )
188	{
189	NTSTATUS result;
190	struct lsa_RightSet rights;
191	int i;
192
193	result = rpccli_lsa_EnumAccountRights(pipe_hnd, ctx,
194	pol,
195	sid,
196	&rights);
197
198	if (!NT_STATUS_IS_OK(result))
199	return result;
200
201	if (rights.count == 0) {
202	d_printf("No privileges assigned\n");
203	}
204
205	for (i = 0; i < rights.count; i++) {
206	printf("%s\n", rights.names[i].string);
207	}
208
209	return NT_STATUS_OK;
210	}
211
212	/********************************************************************
213	********************************************************************/
214
215	static NTSTATUS enum_accounts_for_privilege(struct rpc_pipe_client *pipe_hnd,
216	TALLOC_CTX *ctx,
217	POLICY_HND *pol,
218	const char *privilege)
219	{
220	NTSTATUS result;
221	uint32 enum_context=0;
222	uint32 pref_max_length=0x1000;
223	struct lsa_SidArray sid_array;
224	int i;
225	fstring name;
226
227	result = rpccli_lsa_EnumAccounts(pipe_hnd, ctx,
228	pol,
229	&enum_context,
230	&sid_array,
231	pref_max_length);
232
233	if (!NT_STATUS_IS_OK(result))
234	return result;
235
236	d_printf("%s:\n", privilege);
237
238	for ( i=0; i<sid_array.num_sids; i++ ) {
239
240	result = check_privilege_for_user(pipe_hnd, ctx, pol,
241	sid_array.sids[i].sid,
242	privilege);
243
244	if ( ! NT_STATUS_IS_OK(result)) {
245	if ( ! NT_STATUS_EQUAL(result, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
246	return result;
247	}
248	continue;
249	}
250
251	/* try to convert the SID to a name. Fall back to
252	printing the raw SID if necessary */
253	result = sid_to_name( pipe_hnd, ctx, sid_array.sids[i].sid, name );
254	if ( !NT_STATUS_IS_OK (result) )
255	sid_to_fstring(name, sid_array.sids[i].sid);
256
257	d_printf(" %s\n", name);
258	}
259
260	return NT_STATUS_OK;
261	}
262
263	/********************************************************************
264	********************************************************************/
265
266	static NTSTATUS enum_privileges_for_accounts(struct rpc_pipe_client *pipe_hnd,
267	TALLOC_CTX *ctx,
268	POLICY_HND *pol)
269	{
270	NTSTATUS result;
271	uint32 enum_context=0;
272	uint32 pref_max_length=0x1000;
273	struct lsa_SidArray sid_array;
274	int i;
275	fstring name;
276
277	result = rpccli_lsa_EnumAccounts(pipe_hnd, ctx,
278	pol,
279	&enum_context,
280	&sid_array,
281	pref_max_length);
282
283	if (!NT_STATUS_IS_OK(result))
284	return result;
285
286	for ( i=0; i<sid_array.num_sids; i++ ) {
287
288	/* try to convert the SID to a name. Fall back to
289	printing the raw SID if necessary */
290
291	result = sid_to_name(pipe_hnd, ctx, sid_array.sids[i].sid, name);
292	if ( !NT_STATUS_IS_OK (result) )
293	sid_to_fstring(name, sid_array.sids[i].sid);
294
295	d_printf("%s\n", name);
296
297	result = enum_privileges_for_user(pipe_hnd, ctx, pol,
298	sid_array.sids[i].sid);
299	if ( !NT_STATUS_IS_OK(result) )
300	return result;
301
302	d_printf("\n");
303	}
304
305	return NT_STATUS_OK;
306	}
307
308	/********************************************************************
309	********************************************************************/
310
311	static NTSTATUS rpc_rights_list_internal(struct net_context *c,
312	const DOM_SID *domain_sid,
313	const char *domain_name,
314	struct cli_state *cli,
315	struct rpc_pipe_client *pipe_hnd,
316	TALLOC_CTX *mem_ctx,
317	int argc,
318	const char **argv )
319	{
320	POLICY_HND pol;
321	NTSTATUS result;
322	DOM_SID sid;
323	fstring privname;
324	struct lsa_String lsa_name;
325	struct lsa_StringLarge *description = NULL;
326	uint16 lang_id = 0;
327	uint16 lang_id_sys = 0;
328	uint16 lang_id_desc;
329
330	result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
331	SEC_RIGHTS_MAXIMUM_ALLOWED, &pol);
332
333	if ( !NT_STATUS_IS_OK(result) )
334	return result;
335
336	/* backwards compatibility; just list available privileges if no arguement */
337
338	if (argc == 0) {
339	result = enum_privileges(pipe_hnd, mem_ctx, &pol );
340	goto done;
341	}
342
343	if (strequal(argv[0], "privileges")) {
344	int i = 1;
345
346	if (argv[1] == NULL) {
347	result = enum_privileges(pipe_hnd, mem_ctx, &pol );
348	goto done;
349	}
350
351	while ( argv[i] != NULL ) {
352	fstrcpy(privname, argv[i]);
353	init_lsa_String(&lsa_name, argv[i]);
354	i++;
355
356	/* verify that this is a valid privilege for error reporting */
357	result = rpccli_lsa_LookupPrivDisplayName(pipe_hnd, mem_ctx,
358	&pol,
359	&lsa_name,
360	lang_id,
361	lang_id_sys,
362	&description,
363	&lang_id_desc);
364
365	if ( !NT_STATUS_IS_OK(result) ) {
366	if ( NT_STATUS_EQUAL( result, NT_STATUS_NO_SUCH_PRIVILEGE ) )
367	d_fprintf(stderr, "No such privilege exists: %s.\n", privname);
368	else
369	d_fprintf(stderr, "Error resolving privilege display name [%s].\n", nt_errstr(result));
370	continue;
371	}
372
373	result = enum_accounts_for_privilege(pipe_hnd, mem_ctx, &pol, privname);
374	if (!NT_STATUS_IS_OK(result)) {
375	d_fprintf(stderr, "Error enumerating accounts for privilege %s [%s].\n",
376	privname, nt_errstr(result));
377	continue;
378	}
379	}
380	goto done;
381	}
382
383	/* special case to enumerate all privileged SIDs with associated rights */
384
385	if (strequal( argv[0], "accounts")) {
386	int i = 1;
387
388	if (argv[1] == NULL) {
389	result = enum_privileges_for_accounts(pipe_hnd, mem_ctx, &pol);
390	goto done;
391	}
392
393	while (argv[i] != NULL) {
394	result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[i]);
395	if (!NT_STATUS_IS_OK(result)) {
396	goto done;
397	}
398	result = enum_privileges_for_user(pipe_hnd, mem_ctx, &pol, &sid);
399	if (!NT_STATUS_IS_OK(result)) {
400	goto done;
401	}
402	i++;
403	}
404	goto done;
405	}
406
407	/* backward comaptibility: if no keyword provided, treat the key
408	as an account name */
409	if (argc > 1) {
410	d_printf("Usage: net rpc rights list [[accounts\|privileges] [name\|SID]]\n");
411	result = NT_STATUS_OK;
412	goto done;
413	}
414
415	result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
416	if (!NT_STATUS_IS_OK(result)) {
417	goto done;
418	}
419	result = enum_privileges_for_user(pipe_hnd, mem_ctx, &pol, &sid );
420
421	done:
422	rpccli_lsa_Close(pipe_hnd, mem_ctx, &pol);
423
424	return result;
425	}
426
427	/********************************************************************
428	********************************************************************/
429
430	static NTSTATUS rpc_rights_grant_internal(struct net_context *c,
431	const DOM_SID *domain_sid,
432	const char *domain_name,
433	struct cli_state *cli,
434	struct rpc_pipe_client *pipe_hnd,
435	TALLOC_CTX *mem_ctx,
436	int argc,
437	const char **argv )
438	{
439	POLICY_HND dom_pol;
440	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
441	struct lsa_RightSet rights;
442	int i;
443
444	DOM_SID sid;
445
446	if (argc < 2 ) {
447	d_printf("Usage: net rpc rights grant <name\|SID> <rights...>\n");
448	return NT_STATUS_OK;
449	}
450
451	result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
452	if (!NT_STATUS_IS_OK(result))
453	return result;
454
455	result = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, true,
456	SEC_RIGHTS_MAXIMUM_ALLOWED,
457	&dom_pol);
458
459	if (!NT_STATUS_IS_OK(result))
460	return result;
461
462	rights.count = argc-1;
463	rights.names = TALLOC_ARRAY(mem_ctx, struct lsa_StringLarge,
464	rights.count);
465	if (!rights.names) {
466	return NT_STATUS_NO_MEMORY;
467	}
468
469	for (i=0; i<argc-1; i++) {
470	init_lsa_StringLarge(&rights.names[i], argv[i+1]);
471	}
472
473	result = rpccli_lsa_AddAccountRights(pipe_hnd, mem_ctx,
474	&dom_pol,
475	&sid,
476	&rights);
477
478	if (!NT_STATUS_IS_OK(result))
479	goto done;
480
481	d_printf("Successfully granted rights.\n");
482
483	done:
484	if ( !NT_STATUS_IS_OK(result) ) {
485	d_fprintf(stderr, "Failed to grant privileges for %s (%s)\n",
486	argv[0], nt_errstr(result));
487	}
488
489	rpccli_lsa_Close(pipe_hnd, mem_ctx, &dom_pol);
490
491	return result;
492	}
493
494	/********************************************************************
495	********************************************************************/
496
497	static NTSTATUS rpc_rights_revoke_internal(struct net_context *c,
498	const DOM_SID *domain_sid,
499	const char *domain_name,
500	struct cli_state *cli,
501	struct rpc_pipe_client *pipe_hnd,
502	TALLOC_CTX *mem_ctx,
503	int argc,
504	const char **argv )
505	{
506	POLICY_HND dom_pol;
507	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
508	struct lsa_RightSet rights;
509	DOM_SID sid;
510	int i;
511
512	if (argc < 2 ) {
513	d_printf("Usage: net rpc rights revoke <name\|SID> <rights...>\n");
514	return NT_STATUS_OK;
515	}
516
517	result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
518	if (!NT_STATUS_IS_OK(result))
519	return result;
520
521	result = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, true,
522	SEC_RIGHTS_MAXIMUM_ALLOWED,
523	&dom_pol);
524
525	if (!NT_STATUS_IS_OK(result))
526	return result;
527
528	rights.count = argc-1;
529	rights.names = TALLOC_ARRAY(mem_ctx, struct lsa_StringLarge,
530	rights.count);
531	if (!rights.names) {
532	return NT_STATUS_NO_MEMORY;
533	}
534
535	for (i=0; i<argc-1; i++) {
536	init_lsa_StringLarge(&rights.names[i], argv[i+1]);
537	}
538
539	result = rpccli_lsa_RemoveAccountRights(pipe_hnd, mem_ctx,
540	&dom_pol,
541	&sid,
542	false,
543	&rights);
544
545	if (!NT_STATUS_IS_OK(result))
546	goto done;
547
548	d_printf("Successfully revoked rights.\n");
549
550	done:
551	if ( !NT_STATUS_IS_OK(result) ) {
552	d_fprintf(stderr, "Failed to revoke privileges for %s (%s)\n",
553	argv[0], nt_errstr(result));
554	}
555
556	rpccli_lsa_Close(pipe_hnd, mem_ctx, &dom_pol);
557
558	return result;
559	}
560
561
562	/********************************************************************
563	********************************************************************/
564
565	static int rpc_rights_list(struct net_context c, int argc, const char *argv )
566	{
567	if (c->display_usage) {
568	d_printf("Usage:\n"
569	"net rpc rights list [{accounts\|privileges} "
570	"[name\|SID]]\n"
571	" View available/assigned privileges\n");
572	return 0;
573	}
574
575	return run_rpc_command(c, NULL, &ndr_table_lsarpc.syntax_id, 0,
576	rpc_rights_list_internal, argc, argv );
577	}
578
579	/********************************************************************
580	********************************************************************/
581
582	static int rpc_rights_grant(struct net_context c, int argc, const char *argv )
583	{
584	if (c->display_usage) {
585	d_printf("Usage:\n"
586	"net rpc rights grant <name\|SID> <right>\n"
587	" Assign privilege[s]\n");
588	d_printf("For example:\n");
589	d_printf(" net rpc rights grant 'VALE\\biddle' "
590	"SePrintOperatorPrivilege SeDiskOperatorPrivilege\n");
591	d_printf(" would grant the printer admin and disk manager "
592	"rights to the user 'VALE\\biddle'\n");
593	return 0;
594	}
595
596	return run_rpc_command(c, NULL, &ndr_table_lsarpc.syntax_id, 0,
597	rpc_rights_grant_internal, argc, argv );
598	}
599
600	/********************************************************************
601	********************************************************************/
602
603	static int rpc_rights_revoke(struct net_context c, int argc, const char *argv)
604	{
605	if (c->display_usage) {
606	d_printf("Usage:\n"
607	"net rpc rights revoke <name\|SID> <right>\n"
608	" Revoke privilege[s]\n");
609	d_printf("For example:\n");
610	d_printf(" net rpc rights revoke 'VALE\\biddle' "
611	"SePrintOperatorPrivilege SeDiskOperatorPrivilege\n");
612	d_printf(" would revoke the printer admin and disk manager "
613	"rights from the user 'VALE\\biddle'\n");
614	return 0;
615	}
616
617	return run_rpc_command(c, NULL, &ndr_table_lsarpc.syntax_id, 0,
618	rpc_rights_revoke_internal, argc, argv );
619	}
620
621	/********************************************************************
622	********************************************************************/
623
624	int net_rpc_rights(struct net_context c, int argc, const char *argv)
625	{
626	struct functable func[] = {
627	{
628	"list",
629	rpc_rights_list,
630	NET_TRANSPORT_RPC,
631	"View available/assigned privileges",
632	"net rpc rights list\n"
633	" View available/assigned privileges"
634	},
635	{
636	"grant",
637	rpc_rights_grant,
638	NET_TRANSPORT_RPC,
639	"Assign privilege[s]",
640	"net rpc rights grant\n"
641	" Assign privilege[s]"
642	},
643	{
644	"revoke",
645	rpc_rights_revoke,
646	NET_TRANSPORT_RPC,
647	"Revoke privilege[s]",
648	"net rpc rights revoke\n"
649	" Revoke privilege[s]"
650	},
651	{NULL, NULL, 0, NULL, NULL}
652	};
653
654	return net_run_function(c, argc, argv, "net rpc rights", func);
655	}
656
657	static NTSTATUS rpc_sh_rights_list(struct net_context *c,
658	TALLOC_CTX mem_ctx, struct rpc_sh_ctx ctx,
659	struct rpc_pipe_client *pipe_hnd,
660	int argc, const char **argv)
661	{
662	return rpc_rights_list_internal(c, ctx->domain_sid, ctx->domain_name,
663	ctx->cli, pipe_hnd, mem_ctx,
664	argc, argv);
665	}
666
667	static NTSTATUS rpc_sh_rights_grant(struct net_context *c,
668	TALLOC_CTX *mem_ctx,
669	struct rpc_sh_ctx *ctx,
670	struct rpc_pipe_client *pipe_hnd,
671	int argc, const char **argv)
672	{
673	return rpc_rights_grant_internal(c, ctx->domain_sid, ctx->domain_name,
674	ctx->cli, pipe_hnd, mem_ctx,
675	argc, argv);
676	}
677
678	static NTSTATUS rpc_sh_rights_revoke(struct net_context *c,
679	TALLOC_CTX *mem_ctx,
680	struct rpc_sh_ctx *ctx,
681	struct rpc_pipe_client *pipe_hnd,
682	int argc, const char **argv)
683	{
684	return rpc_rights_revoke_internal(c, ctx->domain_sid, ctx->domain_name,
685	ctx->cli, pipe_hnd, mem_ctx,
686	argc, argv);
687	}
688
689	struct rpc_sh_cmd net_rpc_rights_cmds(struct net_context c, TALLOC_CTX *mem_ctx,
690	struct rpc_sh_ctx *ctx)
691	{
692	static struct rpc_sh_cmd cmds[] = {
693
694	{ "list", NULL, &ndr_table_lsarpc.syntax_id, rpc_sh_rights_list,
695	"View available or assigned privileges" },
696
697	{ "grant", NULL, &ndr_table_lsarpc.syntax_id, rpc_sh_rights_grant,
698	"Assign privilege[s]" },
699
700	{ "revoke", NULL, &ndr_table_lsarpc.syntax_id, rpc_sh_rights_revoke,
701	"Revoke privilege[s]" },
702
703	{ NULL, NULL, 0, NULL, NULL }
704	};
705
706	return cmds;
707	}
708

Note: See TracBrowser for help on using the repository browser.

Download in other formats: