Changeset 988 for vendor/current/source3/utils/smbcacls.c
- Timestamp:
- Nov 24, 2016, 1:14:11 PM (9 years ago)
- File:
-
- 1 edited
-
vendor/current/source3/utils/smbcacls.c (modified) (30 diffs)
Legend:
- Unmodified
- Added
- Removed
-
vendor/current/source3/utils/smbcacls.c
r740 r988 31 31 #include "libsmb/clirap.h" 32 32 #include "passdb/machine_sid.h" 33 #include "../librpc/gen_ndr/ndr_lsa_c.h" 34 #include "util_sd.h" 33 35 34 36 static int test_args; … … 36 38 #define CREATE_ACCESS_READ READ_CONTROL_ACCESS 37 39 38 /* numeric is set when the user wants numeric SIDs and ACEs rather39 than going via LSA calls to resolve them */40 static int numeric;41 42 40 static int sddl; 41 static int query_sec_info = -1; 42 static int set_sec_info = -1; 43 44 static const char *domain_sid = NULL; 43 45 44 46 enum acl_mode {SMB_ACL_SET, SMB_ACL_DELETE, SMB_ACL_MODIFY, SMB_ACL_ADD }; … … 46 48 enum exit_values {EXIT_OK, EXIT_FAILED, EXIT_PARSE_ERROR}; 47 49 48 struct perm_value { 49 const char *perm; 50 uint32 mask; 51 }; 52 53 /* These values discovered by inspection */ 54 55 static const struct perm_value special_values[] = { 56 { "R", 0x00120089 }, 57 { "W", 0x00120116 }, 58 { "X", 0x001200a0 }, 59 { "D", 0x00010000 }, 60 { "P", 0x00040000 }, 61 { "O", 0x00080000 }, 62 { NULL, 0 }, 63 }; 64 65 static const struct perm_value standard_values[] = { 66 { "READ", 0x001200a9 }, 67 { "CHANGE", 0x001301bf }, 68 { "FULL", 0x001f01ff }, 69 { NULL, 0 }, 70 }; 71 72 /* Open cli connection and policy handle */ 73 74 static NTSTATUS cli_lsa_lookup_sid(struct cli_state *cli, 75 const struct dom_sid *sid, 76 TALLOC_CTX *mem_ctx, 77 enum lsa_SidType *type, 78 char **domain, char **name) 79 { 80 uint16 orig_cnum = cli->cnum; 81 struct rpc_pipe_client *p = NULL; 50 static NTSTATUS cli_lsa_lookup_domain_sid(struct cli_state *cli, 51 struct dom_sid *sid) 52 { 53 union lsa_PolicyInformation *info = NULL; 54 uint16_t orig_cnum = cli_state_get_tid(cli); 55 struct rpc_pipe_client *rpc_pipe = NULL; 82 56 struct policy_handle handle; 83 NTSTATUS status ;57 NTSTATUS status, result; 84 58 TALLOC_CTX *frame = talloc_stackframe(); 85 enum lsa_SidType *types; 86 char **domains; 87 char **names; 88 89 status = cli_tcon_andx(cli, "IPC$", "?????", "", 0); 59 60 status = cli_tree_connect(cli, "IPC$", "?????", "", 0); 90 61 if (!NT_STATUS_IS_OK(status)) { 91 return status; 92 } 93 94 status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id, 95 &p); 62 goto done; 63 } 64 65 status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc, &rpc_pipe); 96 66 if (!NT_STATUS_IS_OK(status)) { 97 goto fail;98 } 99 100 status = rpccli_lsa_open_policy( p, talloc_tos(), True,67 goto tdis; 68 } 69 70 status = rpccli_lsa_open_policy(rpc_pipe, frame, True, 101 71 GENERIC_EXECUTE_ACCESS, &handle); 102 72 if (!NT_STATUS_IS_OK(status)) { 103 goto fail;104 } 105 106 status = rpccli_lsa_lookup_sids(p, talloc_tos(), &handle, 1, sid,107 &domains, &names, &types);108 if (!NT_STATUS_IS_OK(status)) {109 goto fail;110 } 111 112 *type = types[0];113 *domain = talloc_move(mem_ctx, &domains[0]);114 *name = talloc_move(mem_ctx, &names[0]); 115 116 status = NT_STATUS_OK; 117 fail:118 TALLOC_FREE( p);73 goto tdis; 74 } 75 76 status = dcerpc_lsa_QueryInfoPolicy2(rpc_pipe->binding_handle, 77 frame, &handle, 78 LSA_POLICY_INFO_DOMAIN, 79 &info, &result); 80 81 if (any_nt_status_not_ok(status, result, &status)) { 82 goto tdis; 83 } 84 85 *sid = *info->domain.sid; 86 87 tdis: 88 TALLOC_FREE(rpc_pipe); 119 89 cli_tdis(cli); 120 cli->cnum = orig_cnum; 90 done: 91 cli_state_set_tid(cli, orig_cnum); 121 92 TALLOC_FREE(frame); 122 93 return status; 123 94 } 124 95 125 static NTSTATUS cli_lsa_lookup_name(struct cli_state *cli, 126 const char *name, 127 enum lsa_SidType *type, 128 struct dom_sid *sid) 129 { 130 uint16 orig_cnum = cli->cnum; 131 struct rpc_pipe_client *p; 132 struct policy_handle handle; 96 static struct dom_sid *get_domain_sid(struct cli_state *cli) 97 { 133 98 NTSTATUS status; 134 TALLOC_CTX *frame = talloc_stackframe(); 135 struct dom_sid *sids; 136 enum lsa_SidType *types; 137 138 status = cli_tcon_andx(cli, "IPC$", "?????", "", 0); 139 if (!NT_STATUS_IS_OK(status)) { 140 return status; 141 } 142 143 status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id, 144 &p); 145 if (!NT_STATUS_IS_OK(status)) { 146 goto fail; 147 } 148 149 status = rpccli_lsa_open_policy(p, talloc_tos(), True, 150 GENERIC_EXECUTE_ACCESS, &handle); 151 if (!NT_STATUS_IS_OK(status)) { 152 goto fail; 153 } 154 155 status = rpccli_lsa_lookup_names(p, talloc_tos(), &handle, 1, &name, 156 NULL, 1, &sids, &types); 157 if (!NT_STATUS_IS_OK(status)) { 158 goto fail; 159 } 160 161 *type = types[0]; 162 *sid = sids[0]; 163 164 status = NT_STATUS_OK; 165 fail: 166 TALLOC_FREE(p); 167 cli_tdis(cli); 168 cli->cnum = orig_cnum; 169 TALLOC_FREE(frame); 170 return status; 171 } 172 173 /* convert a SID to a string, either numeric or username/group */ 174 static void SidToString(struct cli_state *cli, fstring str, const struct dom_sid *sid) 175 { 176 char *domain = NULL; 177 char *name = NULL; 178 enum lsa_SidType type; 179 NTSTATUS status; 180 181 sid_to_fstring(str, sid); 182 183 if (numeric) { 184 return; 185 } 186 187 status = cli_lsa_lookup_sid(cli, sid, talloc_tos(), &type, 188 &domain, &name); 189 190 if (!NT_STATUS_IS_OK(status)) { 191 return; 192 } 193 194 if (*domain) { 195 slprintf(str, sizeof(fstring) - 1, "%s%s%s", 196 domain, lp_winbind_separator(), name); 99 100 struct dom_sid *sid = talloc(talloc_tos(), struct dom_sid); 101 if (sid == NULL) { 102 DEBUG(0, ("Out of memory\n")); 103 return NULL; 104 } 105 106 if (domain_sid) { 107 if (!dom_sid_parse(domain_sid, sid)) { 108 DEBUG(0,("failed to parse domain sid\n")); 109 TALLOC_FREE(sid); 110 } 197 111 } else { 198 fstrcpy(str, name); 199 } 200 } 201 202 /* convert a string to a SID, either numeric or username/group */ 203 static bool StringToSid(struct cli_state *cli, struct dom_sid *sid, const char *str) 204 { 205 enum lsa_SidType type; 206 207 if (string_to_sid(sid, str)) { 208 return true; 209 } 210 211 return NT_STATUS_IS_OK(cli_lsa_lookup_name(cli, str, &type, sid)); 212 } 213 214 static void print_ace_flags(FILE *f, uint8_t flags) 215 { 216 char *str = talloc_strdup(NULL, ""); 217 218 if (!str) { 219 goto out; 220 } 221 222 if (flags & SEC_ACE_FLAG_OBJECT_INHERIT) { 223 str = talloc_asprintf(str, "%s%s", 224 str, "OI|"); 225 if (!str) { 226 goto out; 227 } 228 } 229 if (flags & SEC_ACE_FLAG_CONTAINER_INHERIT) { 230 str = talloc_asprintf(str, "%s%s", 231 str, "CI|"); 232 if (!str) { 233 goto out; 234 } 235 } 236 if (flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) { 237 str = talloc_asprintf(str, "%s%s", 238 str, "NP|"); 239 if (!str) { 240 goto out; 241 } 242 } 243 if (flags & SEC_ACE_FLAG_INHERIT_ONLY) { 244 str = talloc_asprintf(str, "%s%s", 245 str, "IO|"); 246 if (!str) { 247 goto out; 248 } 249 } 250 if (flags & SEC_ACE_FLAG_INHERITED_ACE) { 251 str = talloc_asprintf(str, "%s%s", 252 str, "I|"); 253 if (!str) { 254 goto out; 255 } 256 } 257 /* Ignore define SEC_ACE_FLAG_SUCCESSFUL_ACCESS ( 0x40 ) 258 and SEC_ACE_FLAG_FAILED_ACCESS ( 0x80 ) as they're 259 audit ace flags. */ 260 261 if (str[strlen(str)-1] == '|') { 262 str[strlen(str)-1] = '\0'; 263 fprintf(f, "/%s/", str); 264 } else { 265 fprintf(f, "/0x%x/", flags); 266 } 267 TALLOC_FREE(str); 268 return; 269 270 out: 271 fprintf(f, "/0x%x/", flags); 272 } 273 274 /* print an ACE on a FILE, using either numeric or ascii representation */ 275 static void print_ace(struct cli_state *cli, FILE *f, struct security_ace *ace) 276 { 277 const struct perm_value *v; 278 fstring sidstr; 279 int do_print = 0; 280 uint32 got_mask; 281 282 SidToString(cli, sidstr, &ace->trustee); 283 284 fprintf(f, "%s:", sidstr); 285 286 if (numeric) { 287 fprintf(f, "%d/0x%x/0x%08x", 288 ace->type, ace->flags, ace->access_mask); 289 return; 290 } 291 292 /* Ace type */ 293 294 if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) { 295 fprintf(f, "ALLOWED"); 296 } else if (ace->type == SEC_ACE_TYPE_ACCESS_DENIED) { 297 fprintf(f, "DENIED"); 298 } else { 299 fprintf(f, "%d", ace->type); 300 } 301 302 print_ace_flags(f, ace->flags); 303 304 /* Standard permissions */ 305 306 for (v = standard_values; v->perm; v++) { 307 if (ace->access_mask == v->mask) { 308 fprintf(f, "%s", v->perm); 309 return; 310 } 311 } 312 313 /* Special permissions. Print out a hex value if we have 314 leftover bits in the mask. */ 315 316 got_mask = ace->access_mask; 317 318 again: 319 for (v = special_values; v->perm; v++) { 320 if ((ace->access_mask & v->mask) == v->mask) { 321 if (do_print) { 322 fprintf(f, "%s", v->perm); 323 } 324 got_mask &= ~v->mask; 325 } 326 } 327 328 if (!do_print) { 329 if (got_mask != 0) { 330 fprintf(f, "0x%08x", ace->access_mask); 331 } else { 332 do_print = 1; 333 goto again; 334 } 335 } 336 } 337 338 static bool parse_ace_flags(const char *str, unsigned int *pflags) 339 { 340 const char *p = str; 341 *pflags = 0; 342 343 while (*p) { 344 if (strnequal(p, "OI", 2)) { 345 *pflags |= SEC_ACE_FLAG_OBJECT_INHERIT; 346 p += 2; 347 } else if (strnequal(p, "CI", 2)) { 348 *pflags |= SEC_ACE_FLAG_CONTAINER_INHERIT; 349 p += 2; 350 } else if (strnequal(p, "NP", 2)) { 351 *pflags |= SEC_ACE_FLAG_NO_PROPAGATE_INHERIT; 352 p += 2; 353 } else if (strnequal(p, "IO", 2)) { 354 *pflags |= SEC_ACE_FLAG_INHERIT_ONLY; 355 p += 2; 356 } else if (*p == 'I') { 357 *pflags |= SEC_ACE_FLAG_INHERITED_ACE; 358 p += 1; 359 } else if (*p) { 360 return false; 361 } 362 363 switch (*p) { 364 case '|': 365 p++; 366 case '\0': 367 continue; 368 default: 369 return false; 370 } 371 } 372 return true; 373 } 374 375 /* parse an ACE in the same format as print_ace() */ 376 static bool parse_ace(struct cli_state *cli, struct security_ace *ace, 377 const char *orig_str) 378 { 379 char *p; 380 const char *cp; 381 char *tok; 382 unsigned int atype = 0; 383 unsigned int aflags = 0; 384 unsigned int amask = 0; 385 struct dom_sid sid; 386 uint32_t mask; 387 const struct perm_value *v; 388 char *str = SMB_STRDUP(orig_str); 389 TALLOC_CTX *frame = talloc_stackframe(); 390 391 if (!str) { 392 TALLOC_FREE(frame); 393 return False; 394 } 395 396 ZERO_STRUCTP(ace); 397 p = strchr_m(str,':'); 398 if (!p) { 399 printf("ACE '%s': missing ':'.\n", orig_str); 400 SAFE_FREE(str); 401 TALLOC_FREE(frame); 402 return False; 403 } 404 *p = '\0'; 405 p++; 406 /* Try to parse numeric form */ 407 408 if (sscanf(p, "%i/%i/%i", &atype, &aflags, &amask) == 3 && 409 StringToSid(cli, &sid, str)) { 410 goto done; 411 } 412 413 /* Try to parse text form */ 414 415 if (!StringToSid(cli, &sid, str)) { 416 printf("ACE '%s': failed to convert '%s' to SID\n", 417 orig_str, str); 418 SAFE_FREE(str); 419 TALLOC_FREE(frame); 420 return False; 421 } 422 423 cp = p; 424 if (!next_token_talloc(frame, &cp, &tok, "/")) { 425 printf("ACE '%s': failed to find '/' character.\n", 426 orig_str); 427 SAFE_FREE(str); 428 TALLOC_FREE(frame); 429 return False; 430 } 431 432 if (strncmp(tok, "ALLOWED", strlen("ALLOWED")) == 0) { 433 atype = SEC_ACE_TYPE_ACCESS_ALLOWED; 434 } else if (strncmp(tok, "DENIED", strlen("DENIED")) == 0) { 435 atype = SEC_ACE_TYPE_ACCESS_DENIED; 436 } else { 437 printf("ACE '%s': missing 'ALLOWED' or 'DENIED' entry at '%s'\n", 438 orig_str, tok); 439 SAFE_FREE(str); 440 TALLOC_FREE(frame); 441 return False; 442 } 443 444 /* Only numeric form accepted for flags at present */ 445 446 if (!next_token_talloc(frame, &cp, &tok, "/")) { 447 printf("ACE '%s': bad flags entry at '%s'\n", 448 orig_str, tok); 449 SAFE_FREE(str); 450 TALLOC_FREE(frame); 451 return False; 452 } 453 454 if (tok[0] < '0' || tok[0] > '9') { 455 if (!parse_ace_flags(tok, &aflags)) { 456 printf("ACE '%s': bad named flags entry at '%s'\n", 457 orig_str, tok); 458 SAFE_FREE(str); 459 TALLOC_FREE(frame); 460 return False; 461 } 462 } else if (strnequal(tok, "0x", 2)) { 463 if (!sscanf(tok, "%x", &aflags)) { 464 printf("ACE '%s': bad hex flags entry at '%s'\n", 465 orig_str, tok); 466 SAFE_FREE(str); 467 TALLOC_FREE(frame); 468 return False; 469 } 470 } else { 471 if (!sscanf(tok, "%i", &aflags)) { 472 printf("ACE '%s': bad integer flags entry at '%s'\n", 473 orig_str, tok); 474 SAFE_FREE(str); 475 TALLOC_FREE(frame); 476 return False; 477 } 478 } 479 480 if (!next_token_talloc(frame, &cp, &tok, "/")) { 481 printf("ACE '%s': missing / at '%s'\n", 482 orig_str, tok); 483 SAFE_FREE(str); 484 TALLOC_FREE(frame); 485 return False; 486 } 487 488 if (strncmp(tok, "0x", 2) == 0) { 489 if (sscanf(tok, "%i", &amask) != 1) { 490 printf("ACE '%s': bad hex number at '%s'\n", 491 orig_str, tok); 492 SAFE_FREE(str); 493 TALLOC_FREE(frame); 494 return False; 495 } 496 goto done; 497 } 498 499 for (v = standard_values; v->perm; v++) { 500 if (strcmp(tok, v->perm) == 0) { 501 amask = v->mask; 502 goto done; 503 } 504 } 505 506 p = tok; 507 508 while(*p) { 509 bool found = False; 510 511 for (v = special_values; v->perm; v++) { 512 if (v->perm[0] == *p) { 513 amask |= v->mask; 514 found = True; 515 } 516 } 517 518 if (!found) { 519 printf("ACE '%s': bad permission value at '%s'\n", 520 orig_str, p); 521 SAFE_FREE(str); 522 TALLOC_FREE(frame); 523 return False; 524 } 525 p++; 526 } 527 528 if (*p) { 529 TALLOC_FREE(frame); 530 SAFE_FREE(str); 531 return False; 532 } 533 534 done: 535 mask = amask; 536 init_sec_ace(ace, &sid, atype, mask, aflags); 537 TALLOC_FREE(frame); 538 SAFE_FREE(str); 539 return True; 112 status = cli_lsa_lookup_domain_sid(cli, sid); 113 114 if (!NT_STATUS_IS_OK(status)) { 115 DEBUG(0,("failed to lookup domain sid: %s\n", nt_errstr(status))); 116 TALLOC_FREE(sid); 117 } 118 119 } 120 121 DEBUG(2,("Domain SID: %s\n", sid_string_dbg(sid))); 122 return sid; 540 123 } 541 124 … … 633 216 } 634 217 635 636 /* print a ascii version of a security descriptor on a FILE handle */637 static void sec_desc_print(struct cli_state *cli, FILE *f, struct security_descriptor *sd)638 {639 fstring sidstr;640 uint32 i;641 642 fprintf(f, "REVISION:%d\n", sd->revision);643 fprintf(f, "CONTROL:0x%x\n", sd->type);644 645 /* Print owner and group sid */646 647 if (sd->owner_sid) {648 SidToString(cli, sidstr, sd->owner_sid);649 } else {650 fstrcpy(sidstr, "");651 }652 653 fprintf(f, "OWNER:%s\n", sidstr);654 655 if (sd->group_sid) {656 SidToString(cli, sidstr, sd->group_sid);657 } else {658 fstrcpy(sidstr, "");659 }660 661 fprintf(f, "GROUP:%s\n", sidstr);662 663 /* Print aces */664 for (i = 0; sd->dacl && i < sd->dacl->num_aces; i++) {665 struct security_ace *ace = &sd->dacl->aces[i];666 fprintf(f, "ACL:");667 print_ace(cli, f, ace);668 fprintf(f, "\n");669 }670 671 }672 673 218 /***************************************************** 674 219 get fileinfo for filename 675 220 *******************************************************/ 676 static uint16 get_fileinfo(struct cli_state *cli, const char *filename)221 static uint16_t get_fileinfo(struct cli_state *cli, const char *filename) 677 222 { 678 223 uint16_t fnum = (uint16_t)-1; 679 uint16 mode = 0;224 uint16_t mode = 0; 680 225 NTSTATUS status; 681 226 … … 685 230 status = cli_ntcreate(cli, filename, 0, CREATE_ACCESS_READ, 686 231 0, FILE_SHARE_READ|FILE_SHARE_WRITE, 687 FILE_OPEN, 0x0, 0x0, &fnum );232 FILE_OPEN, 0x0, 0x0, &fnum, NULL); 688 233 if (!NT_STATUS_IS_OK(status)) { 689 234 printf("Failed to open %s: %s\n", filename, nt_errstr(status)); … … 711 256 struct security_descriptor *sd; 712 257 NTSTATUS status; 713 714 /* The desired access below is the only one I could find that works 715 with NT4, W2KP and Samba */ 716 717 status = cli_ntcreate(cli, filename, 0, CREATE_ACCESS_READ, 258 uint32_t sec_info; 259 uint32_t desired_access = 0; 260 261 if (query_sec_info == -1) { 262 sec_info = SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL; 263 } else { 264 sec_info = query_sec_info; 265 } 266 267 if (sec_info & (SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL)) { 268 desired_access |= SEC_STD_READ_CONTROL; 269 } 270 if (sec_info & SECINFO_SACL) { 271 desired_access |= SEC_FLAG_SYSTEM_SECURITY; 272 } 273 274 if (desired_access == 0) { 275 desired_access |= SEC_STD_READ_CONTROL; 276 } 277 278 status = cli_ntcreate(cli, filename, 0, desired_access, 718 279 0, FILE_SHARE_READ|FILE_SHARE_WRITE, 719 FILE_OPEN, 0x0, 0x0, &fnum );280 FILE_OPEN, 0x0, 0x0, &fnum, NULL); 720 281 if (!NT_STATUS_IS_OK(status)) { 721 282 printf("Failed to open %s: %s\n", filename, nt_errstr(status)); … … 723 284 } 724 285 725 sd = cli_query_secdesc(cli, fnum, talloc_tos()); 286 status = cli_query_security_descriptor(cli, fnum, sec_info, 287 talloc_tos(), &sd); 726 288 727 289 cli_close(cli, fnum); 728 290 729 if (!sd) { 730 printf("Failed to get security descriptor\n"); 291 if (!NT_STATUS_IS_OK(status)) { 292 printf("Failed to get security descriptor: %s\n", 293 nt_errstr(status)); 731 294 return NULL; 732 295 } … … 743 306 bool result=true; 744 307 NTSTATUS status; 745 746 /* The desired access below is the only one I could find that works 747 with NT4, W2KP and Samba */ 308 uint32_t desired_access = 0; 309 uint32_t sec_info; 310 311 if (set_sec_info == -1) { 312 sec_info = 0; 313 314 if (sd->dacl || (sd->type & SEC_DESC_DACL_PRESENT)) { 315 sec_info |= SECINFO_DACL; 316 } 317 if (sd->sacl || (sd->type & SEC_DESC_SACL_PRESENT)) { 318 sec_info |= SECINFO_SACL; 319 } 320 if (sd->owner_sid) { 321 sec_info |= SECINFO_OWNER; 322 } 323 if (sd->group_sid) { 324 sec_info |= SECINFO_GROUP; 325 } 326 } else { 327 sec_info = set_sec_info; 328 } 329 330 /* Make the desired_access more specific. */ 331 if (sec_info & SECINFO_DACL) { 332 desired_access |= SEC_STD_WRITE_DAC; 333 } 334 if (sec_info & SECINFO_SACL) { 335 desired_access |= SEC_FLAG_SYSTEM_SECURITY; 336 } 337 if (sec_info & (SECINFO_OWNER | SECINFO_GROUP)) { 338 desired_access |= SEC_STD_WRITE_OWNER; 339 } 748 340 749 341 status = cli_ntcreate(cli, filename, 0, 750 WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS,342 desired_access, 751 343 0, FILE_SHARE_READ|FILE_SHARE_WRITE, 752 FILE_OPEN, 0x0, 0x0, &fnum );344 FILE_OPEN, 0x0, 0x0, &fnum, NULL); 753 345 if (!NT_STATUS_IS_OK(status)) { 754 346 printf("Failed to open %s: %s\n", filename, nt_errstr(status)); … … 756 348 } 757 349 758 status = cli_set_sec desc(cli, fnum, sd);350 status = cli_set_security_descriptor(cli, fnum, sec_info, sd); 759 351 if (!NT_STATUS_IS_OK(status)) { 760 352 printf("ERROR: security description set failed: %s\n", … … 770 362 dump the acls for a file 771 363 *******************************************************/ 772 static int cacl_dump(struct cli_state *cli, const char *filename) 773 { 774 int result = EXIT_FAILED; 364 static int cacl_dump(struct cli_state *cli, const char *filename, bool numeric) 365 { 775 366 struct security_descriptor *sd; 776 367 777 if (test_args) 368 if (test_args) { 778 369 return EXIT_OK; 370 } 779 371 780 372 sd = get_secdesc(cli, filename); 781 782 if (sd) { 783 if (sddl) { 784 printf("%s\n", sddl_encode(talloc_tos(), sd, 785 get_global_sam_sid())); 786 } else { 787 sec_desc_print(cli, stdout, sd); 788 } 789 result = EXIT_OK; 790 } 791 792 return result; 373 if (sd == NULL) { 374 return EXIT_FAILED; 375 } 376 377 if (sddl) { 378 char *str = sddl_encode(talloc_tos(), sd, get_domain_sid(cli)); 379 if (str == NULL) { 380 return EXIT_FAILED; 381 } 382 printf("%s\n", str); 383 TALLOC_FREE(str); 384 } else { 385 sec_desc_print(cli, stdout, sd, numeric); 386 } 387 388 return EXIT_OK; 793 389 } 794 390 … … 814 410 } 815 411 816 sd = make_sec_desc(talloc_tos(),old->revision, old->type,412 sd = make_sec_desc(talloc_tos(),old->revision, SEC_DESC_SELF_RELATIVE, 817 413 (change_mode == REQUEST_CHOWN) ? &sid : NULL, 818 414 (change_mode == REQUEST_CHGRP) ? &sid : NULL, … … 837 433 static int ace_compare(struct security_ace *ace1, struct security_ace *ace2) 838 434 { 839 if (sec _ace_equal(ace1, ace2))435 if (security_ace_equal(ace1, ace2)) 840 436 return 0; 841 437 … … 870 466 static void sort_acl(struct security_acl *the_acl) 871 467 { 872 uint32 i;468 uint32_t i; 873 469 if (!the_acl) return; 874 470 … … 876 472 877 473 for (i=1;i<the_acl->num_aces;) { 878 if (sec_ace_equal(&the_acl->aces[i-1], &the_acl->aces[i])) { 474 if (security_ace_equal(&the_acl->aces[i-1], 475 &the_acl->aces[i])) { 879 476 int j; 880 477 for (j=i; j<the_acl->num_aces-1; j++) { … … 893 490 894 491 static int cacl_set(struct cli_state *cli, const char *filename, 895 char *the_acl, enum acl_mode mode )492 char *the_acl, enum acl_mode mode, bool numeric) 896 493 { 897 494 struct security_descriptor *sd, *old; 898 uint32 i, j;495 uint32_t i, j; 899 496 size_t sd_size; 900 497 int result = EXIT_OK; 901 498 902 499 if (sddl) { 903 sd = sddl_decode(talloc_tos(), the_acl, get_ global_sam_sid());500 sd = sddl_decode(talloc_tos(), the_acl, get_domain_sid(cli)); 904 501 } else { 905 502 sd = sec_desc_parse(talloc_tos(), cli, the_acl); … … 922 519 923 520 for (j=0;old->dacl && j<old->dacl->num_aces;j++) { 924 if (sec _ace_equal(&sd->dacl->aces[i],925 &old->dacl->aces[j])) {926 uint32 k;521 if (security_ace_equal(&sd->dacl->aces[i], 522 &old->dacl->aces[j])) { 523 uint32_t k; 927 524 for (k=j; k<old->dacl->num_aces-1;k++) { 928 525 old->dacl->aces[k] = old->dacl->aces[k+1]; … … 936 533 if (!found) { 937 534 printf("ACL for ACE:"); 938 print_ace(cli, stdout, &sd->dacl->aces[i]); 535 print_ace(cli, stdout, &sd->dacl->aces[i], 536 numeric); 939 537 printf(" not found\n"); 940 538 } … … 958 556 959 557 SidToString(cli, str, 960 &sd->dacl->aces[i].trustee); 558 &sd->dacl->aces[i].trustee, 559 numeric); 961 560 printf("ACL for SID %s not found\n", str); 962 561 } … … 1014 613 { 1015 614 struct security_descriptor *old,*sd; 1016 uint32 oldattr;615 uint32_t oldattr; 1017 616 size_t sd_size; 1018 617 int result = EXIT_OK; … … 1133 732 { 1134 733 struct cli_state *c = NULL; 1135 struct sockaddr_storage ss;1136 734 NTSTATUS nt_status; 1137 735 uint32_t flags = 0; 1138 1139 zero_sockaddr(&ss);1140 736 1141 737 if (get_cmdline_auth_info_use_kerberos(auth_info)) { … … 1151 747 set_cmdline_auth_info_getpass(auth_info); 1152 748 1153 nt_status = cli_full_connection(&c, global_myname(), server,1154 &ss, 0,749 nt_status = cli_full_connection(&c, lp_netbios_name(), server, 750 NULL, 0, 1155 751 share, "?????", 1156 752 get_cmdline_auth_info_username(auth_info), … … 1182 778 main program 1183 779 ****************************************************************************/ 1184 int main(int argc, const char *argv[]) 1185 { 780 int main(int argc, char *argv[]) 781 { 782 const char **argv_const = discard_const_p(const char *, argv); 1186 783 char *share; 1187 784 int opt; … … 1193 790 char *filename = NULL; 1194 791 poptContext pc; 792 /* numeric is set when the user wants numeric SIDs and ACEs rather 793 than going via LSA calls to resolve them */ 794 int numeric = 0; 795 1195 796 struct poptOption long_options[] = { 1196 797 POPT_AUTOHELP … … 1204 805 { "numeric", 0, POPT_ARG_NONE, &numeric, 1, "Don't resolve sids or masks to names" }, 1205 806 { "sddl", 0, POPT_ARG_NONE, &sddl, 1, "Output and input acls in sddl format" }, 807 { "query-security-info", 0, POPT_ARG_INT, &query_sec_info, 1, 808 "The security-info flags for queries" 809 }, 810 { "set-security-info", 0, POPT_ARG_INT, &set_sec_info, 1, 811 "The security-info flags for modifications" 812 }, 1206 813 { "test-args", 't', POPT_ARG_NONE, &test_args, 1, "Test arguments"}, 814 { "domain-sid", 0, POPT_ARG_STRING, &domain_sid, 0, "Domain SID for sddl", "SID"}, 815 { "max-protocol", 'm', POPT_ARG_STRING, NULL, 'm', "Set the max protocol level", "LEVEL" }, 1207 816 POPT_COMMON_SAMBA 1208 817 POPT_COMMON_CONNECTION … … 1217 826 struct user_auth_info *auth_info; 1218 827 1219 load_case_tables();828 smb_init_locale(); 1220 829 1221 830 /* set default debug level to 1 regardless of what smb.conf sets */ … … 1225 834 setlinebuf(stdout); 1226 835 1227 lp_load(get_dyn_CONFIGFILE(),True,False,False,True);1228 load_interfaces();1229 836 1230 837 auth_info = user_auth_info_init(frame); … … 1234 841 popt_common_set_auth_info(auth_info); 1235 842 1236 pc = poptGetContext("smbcacls", argc, argv , long_options, 0);843 pc = poptGetContext("smbcacls", argc, argv_const, long_options, 0); 1237 844 1238 845 poptSetOtherOptionHelp(pc, "//server1/share1 filename\nACLs look like: " … … 1275 882 change_mode = REQUEST_INHERIT; 1276 883 break; 884 case 'm': 885 lp_set_cmdline("client max protocol", poptGetOptArg(pc)); 886 break; 1277 887 } 1278 888 } … … 1294 904 } 1295 905 906 lp_load_global(get_dyn_CONFIGFILE()); 907 load_interfaces(); 908 1296 909 filename = talloc_strdup(frame, poptGetArg(pc)); 1297 910 if (!filename) { 1298 911 return -1; 1299 912 } 913 914 poptFreeContext(pc); 915 popt_burn_cmdline_password(argc, argv); 1300 916 1301 917 string_replace(path,'/','\\'); … … 1340 956 result = owner_set(cli, change_mode, filename, owner_username); 1341 957 } else if (the_acl) { 1342 result = cacl_set(cli, filename, the_acl, mode );958 result = cacl_set(cli, filename, the_acl, mode, numeric); 1343 959 } else { 1344 result = cacl_dump(cli, filename );960 result = cacl_dump(cli, filename, numeric); 1345 961 } 1346 962
Note:
See TracChangeset
for help on using the changeset viewer.
