2011-01-15 18:07:31 +03:00
/*
2002-01-30 09:08:46 +03:00
Unix SMB / CIFS implementation .
2000-12-03 14:05:11 +03:00
ACL get / set utility
2011-01-15 18:07:31 +03:00
2000-12-03 05:19:27 +03:00
Copyright ( C ) Andrew Tridgell 2000
2000-12-14 06:27:53 +03:00
Copyright ( C ) Tim Potter 2000
2000-12-16 03:08:05 +03:00
Copyright ( C ) Jeremy Allison 2000
2003-04-14 07:59:04 +04:00
Copyright ( C ) Jelmer Vernooij 2003
2011-01-15 18:07:31 +03:00
2000-12-03 05:19:27 +03:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-09 23:25:36 +04:00
the Free Software Foundation ; either version 3 of the License , or
2000-12-03 05:19:27 +03:00
( at your option ) any later version .
2011-01-15 18:07:31 +03:00
2000-12-03 05:19:27 +03:00
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
2011-01-15 18:07:31 +03:00
2000-12-03 05:19:27 +03:00
You should have received a copy of the GNU General Public License
2007-07-10 04:52:41 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2000-12-03 05:19:27 +03:00
*/
# include "includes.h"
2010-08-05 12:49:53 +04:00
# include "popt_common.h"
2011-02-28 12:19:44 +03:00
# include "rpc_client/cli_pipe.h"
2010-05-05 03:39:16 +04:00
# include "../librpc/gen_ndr/ndr_lsa.h"
2010-05-18 20:26:16 +04:00
# include "rpc_client/cli_lsarpc.h"
2010-10-12 08:27:50 +04:00
# include "../libcli/security/security.h"
2011-05-06 13:47:43 +04:00
# include "libsmb/libsmb.h"
2011-02-24 12:46:55 +03:00
# include "libsmb/clirap.h"
2011-03-22 18:50:02 +03:00
# include "passdb/machine_sid.h"
2011-06-09 16:32:27 +04:00
# include "../librpc/gen_ndr/ndr_lsa_c.h"
2015-04-24 18:37:13 +03:00
# include "util_sd.h"
2000-12-03 05:19:27 +03:00
2008-10-15 03:09:17 +04:00
static int test_args ;
2000-12-03 05:19:27 +03:00
2001-02-22 06:40:01 +03:00
# define CREATE_ACCESS_READ READ_CONTROL_ACCESS
2010-03-01 00:20:03 +03:00
static int sddl ;
2012-11-30 17:36:07 +04:00
static int query_sec_info = - 1 ;
static int set_sec_info = - 1 ;
2010-03-01 00:20:03 +03:00
2011-06-09 17:29:32 +04:00
static const char * domain_sid = NULL ;
2001-04-11 05:34:37 +04:00
enum acl_mode { SMB_ACL_SET , SMB_ACL_DELETE , SMB_ACL_MODIFY , SMB_ACL_ADD } ;
2010-05-06 09:35:02 +04:00
enum chown_mode { REQUEST_NONE , REQUEST_CHOWN , REQUEST_CHGRP , REQUEST_INHERIT } ;
2000-12-22 02:36:25 +03:00
enum exit_values { EXIT_OK , EXIT_FAILED , EXIT_PARSE_ERROR } ;
2000-12-03 15:41:28 +03:00
2011-06-09 16:32:27 +04:00
static NTSTATUS cli_lsa_lookup_domain_sid ( struct cli_state * cli ,
struct dom_sid * sid )
{
union lsa_PolicyInformation * info = NULL ;
2017-06-14 02:56:48 +03:00
struct smbXcli_tcon * orig_tcon = NULL ;
2011-06-09 16:32:27 +04:00
struct rpc_pipe_client * rpc_pipe = NULL ;
struct policy_handle handle ;
NTSTATUS status , result ;
TALLOC_CTX * frame = talloc_stackframe ( ) ;
2017-06-14 02:56:48 +03:00
if ( cli_state_has_tcon ( cli ) ) {
orig_tcon = cli_state_save_tcon ( cli ) ;
if ( orig_tcon = = NULL ) {
status = NT_STATUS_NO_MEMORY ;
goto done ;
}
}
2016-12-08 09:13:57 +03:00
status = cli_tree_connect ( cli , " IPC$ " , " ????? " , NULL ) ;
2011-06-09 16:32:27 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
goto done ;
}
2013-05-24 15:29:28 +04:00
status = cli_rpc_pipe_open_noauth ( cli , & ndr_table_lsarpc , & rpc_pipe ) ;
2011-06-09 16:32:27 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
goto tdis ;
}
status = rpccli_lsa_open_policy ( rpc_pipe , frame , True ,
GENERIC_EXECUTE_ACCESS , & handle ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
goto tdis ;
}
status = dcerpc_lsa_QueryInfoPolicy2 ( rpc_pipe - > binding_handle ,
frame , & handle ,
LSA_POLICY_INFO_DOMAIN ,
& info , & result ) ;
if ( any_nt_status_not_ok ( status , result , & status ) ) {
goto tdis ;
}
* sid = * info - > domain . sid ;
tdis :
TALLOC_FREE ( rpc_pipe ) ;
cli_tdis ( cli ) ;
done :
2017-06-14 02:56:48 +03:00
cli_state_restore_tcon ( cli , orig_tcon ) ;
2011-06-09 16:32:27 +04:00
TALLOC_FREE ( frame ) ;
return status ;
}
2011-10-12 16:34:45 +04:00
static struct dom_sid * get_domain_sid ( struct cli_state * cli )
{
2011-06-09 16:32:27 +04:00
NTSTATUS status ;
struct dom_sid * sid = talloc ( talloc_tos ( ) , struct dom_sid ) ;
if ( sid = = NULL ) {
DEBUG ( 0 , ( " Out of memory \n " ) ) ;
return NULL ;
}
2011-06-09 17:29:32 +04:00
if ( domain_sid ) {
if ( ! dom_sid_parse ( domain_sid , sid ) ) {
DEBUG ( 0 , ( " failed to parse domain sid \n " ) ) ;
TALLOC_FREE ( sid ) ;
}
2011-06-09 16:32:27 +04:00
} else {
2011-06-09 17:29:32 +04:00
status = cli_lsa_lookup_domain_sid ( cli , sid ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( " failed to lookup domain sid: %s \n " , nt_errstr ( status ) ) ) ;
TALLOC_FREE ( sid ) ;
}
2011-06-09 16:32:27 +04:00
}
2011-06-09 17:29:32 +04:00
DEBUG ( 2 , ( " Domain SID: %s \n " , sid_string_dbg ( sid ) ) ) ;
2011-06-09 16:32:27 +04:00
return sid ;
}
2010-05-18 05:30:40 +04:00
/* add an ACE to a list of ACEs in a struct security_acl */
static bool add_ace ( struct security_acl * * the_acl , struct security_ace * ace )
2000-12-03 10:36:15 +03:00
{
2010-05-18 05:30:40 +04:00
struct security_acl * new_ace ;
2010-05-18 05:25:38 +04:00
struct security_ace * aces ;
2000-12-14 08:38:05 +03:00
if ( ! * the_acl ) {
2007-10-10 18:57:34 +04:00
return ( ( ( * the_acl ) = make_sec_acl ( talloc_tos ( ) , 3 , 1 , ace ) )
! = NULL ) ;
2000-12-03 10:36:15 +03:00
}
2010-05-18 05:25:38 +04:00
if ( ! ( aces = SMB_CALLOC_ARRAY ( struct security_ace , 1 + ( * the_acl ) - > num_aces ) ) ) {
2006-06-20 13:16:53 +04:00
return False ;
}
2010-05-18 05:25:38 +04:00
memcpy ( aces , ( * the_acl ) - > aces , ( * the_acl ) - > num_aces * sizeof ( struct
security_ace ) ) ;
memcpy ( aces + ( * the_acl ) - > num_aces , ace , sizeof ( struct security_ace ) ) ;
2007-10-10 18:57:34 +04:00
new_ace = make_sec_acl ( talloc_tos ( ) , ( * the_acl ) - > revision , 1 + ( * the_acl ) - > num_aces , aces ) ;
2001-09-17 15:48:29 +04:00
SAFE_FREE ( aces ) ;
2005-06-25 00:25:18 +04:00
( * the_acl ) = new_ace ;
2000-12-03 10:36:15 +03:00
return True ;
}
/* parse a ascii version of a security descriptor */
2010-05-18 12:29:34 +04:00
static struct security_descriptor * sec_desc_parse ( TALLOC_CTX * ctx , struct cli_state * cli , char * str )
2000-12-03 10:36:15 +03:00
{
2002-11-13 02:20:50 +03:00
const char * p = str ;
2007-12-08 04:32:32 +03:00
char * tok ;
2010-05-18 12:29:34 +04:00
struct security_descriptor * ret = NULL ;
2001-06-20 21:49:38 +04:00
size_t sd_size ;
2010-05-21 05:25:01 +04:00
struct dom_sid * grp_sid = NULL , * owner_sid = NULL ;
2010-05-18 05:30:40 +04:00
struct security_acl * dacl = NULL ;
2000-12-03 14:05:11 +03:00
int revision = 1 ;
2000-12-03 10:36:15 +03:00
2007-12-08 04:32:32 +03:00
while ( next_token_talloc ( ctx , & p , & tok , " \t , \r \n " ) ) {
2000-12-03 10:36:15 +03:00
if ( strncmp ( tok , " REVISION: " , 9 ) = = 0 ) {
2000-12-03 14:05:11 +03:00
revision = strtol ( tok + 9 , NULL , 16 ) ;
2000-12-12 09:06:10 +03:00
continue ;
2000-12-03 10:36:15 +03:00
}
if ( strncmp ( tok , " OWNER: " , 6 ) = = 0 ) {
2006-03-13 04:32:30 +03:00
if ( owner_sid ) {
printf ( " Only specify owner once \n " ) ;
goto done ;
}
2010-05-21 05:25:01 +04:00
owner_sid = SMB_CALLOC_ARRAY ( struct dom_sid , 1 ) ;
2000-12-03 14:05:11 +03:00
if ( ! owner_sid | |
2007-10-10 18:57:34 +04:00
! StringToSid ( cli , owner_sid , tok + 6 ) ) {
2000-12-03 10:36:15 +03:00
printf ( " Failed to parse owner sid \n " ) ;
2006-03-13 03:35:33 +03:00
goto done ;
2000-12-03 10:36:15 +03:00
}
2000-12-12 09:06:10 +03:00
continue ;
2000-12-03 10:36:15 +03:00
}
if ( strncmp ( tok , " GROUP: " , 6 ) = = 0 ) {
2006-03-13 04:32:30 +03:00
if ( grp_sid ) {
printf ( " Only specify group once \n " ) ;
goto done ;
}
2010-05-21 05:25:01 +04:00
grp_sid = SMB_CALLOC_ARRAY ( struct dom_sid , 1 ) ;
2000-12-03 14:05:11 +03:00
if ( ! grp_sid | |
2007-10-10 18:57:34 +04:00
! StringToSid ( cli , grp_sid , tok + 6 ) ) {
2000-12-03 10:36:15 +03:00
printf ( " Failed to parse group sid \n " ) ;
2006-03-13 03:35:33 +03:00
goto done ;
2000-12-03 10:36:15 +03:00
}
2000-12-12 09:06:10 +03:00
continue ;
2000-12-03 10:36:15 +03:00
}
2000-12-04 07:58:40 +03:00
if ( strncmp ( tok , " ACL: " , 4 ) = = 0 ) {
2010-05-18 05:25:38 +04:00
struct security_ace ace ;
2007-10-10 18:57:34 +04:00
if ( ! parse_ace ( cli , & ace , tok + 4 ) ) {
2006-03-13 03:35:33 +03:00
goto done ;
2000-12-15 04:02:11 +03:00
}
if ( ! add_ace ( & dacl , & ace ) ) {
printf ( " Failed to add ACL %s \n " , tok ) ;
2006-03-13 03:35:33 +03:00
goto done ;
2000-12-03 10:36:15 +03:00
}
2000-12-12 09:06:10 +03:00
continue ;
2000-12-03 10:36:15 +03:00
}
2000-12-12 09:06:10 +03:00
2005-11-02 05:13:08 +03:00
printf ( " Failed to parse token '%s' in security descriptor, \n " , tok ) ;
2006-03-13 03:35:33 +03:00
goto done ;
2000-12-03 10:36:15 +03:00
}
2007-12-08 04:32:32 +03:00
ret = make_sec_desc ( ctx , revision , SEC_DESC_SELF_RELATIVE , owner_sid , grp_sid ,
2000-12-04 07:58:40 +03:00
NULL , dacl , & sd_size ) ;
2000-12-03 10:36:15 +03:00
2006-03-13 03:35:33 +03:00
done :
2001-09-17 15:48:29 +04:00
SAFE_FREE ( grp_sid ) ;
SAFE_FREE ( owner_sid ) ;
2000-12-03 10:36:15 +03:00
return ret ;
}
2010-05-06 09:35:02 +04:00
/*****************************************************
get fileinfo for filename
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2015-05-07 03:00:06 +03:00
static uint16_t get_fileinfo ( struct cli_state * cli , const char * filename )
2010-05-06 09:35:02 +04:00
{
uint16_t fnum = ( uint16_t ) - 1 ;
2015-05-07 03:00:06 +03:00
uint16_t mode = 0 ;
2011-01-15 18:32:00 +03:00
NTSTATUS status ;
2010-05-06 09:35:02 +04:00
/* The desired access below is the only one I could find that works
with NT4 , W2KP and Samba */
2011-01-15 18:32:00 +03:00
status = cli_ntcreate ( cli , filename , 0 , CREATE_ACCESS_READ ,
0 , FILE_SHARE_READ | FILE_SHARE_WRITE ,
2014-05-09 07:55:57 +04:00
FILE_OPEN , 0x0 , 0x0 , & fnum , NULL ) ;
2011-01-15 18:32:00 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " Failed to open %s: %s \n " , filename , nt_errstr ( status ) ) ;
return 0 ;
2010-05-06 09:35:02 +04:00
}
2011-01-15 18:32:00 +03:00
status = cli_qfileinfo_basic ( cli , fnum , & mode , NULL , NULL , NULL ,
NULL , NULL , NULL ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2010-05-06 09:35:02 +04:00
printf ( " Failed to file info %s: %s \n " , filename ,
2011-01-15 18:32:00 +03:00
nt_errstr ( status ) ) ;
2010-05-06 09:35:02 +04:00
}
cli_close ( cli , fnum ) ;
return mode ;
}
2010-05-03 05:08:29 +04:00
/*****************************************************
get sec desc for filename
2000-12-03 05:19:27 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-18 12:29:34 +04:00
static struct security_descriptor * get_secdesc ( struct cli_state * cli , const char * filename )
2000-12-03 05:19:27 +03:00
{
2009-05-01 02:26:43 +04:00
uint16_t fnum = ( uint16_t ) - 1 ;
2010-05-18 12:29:34 +04:00
struct security_descriptor * sd ;
2011-01-15 18:32:00 +03:00
NTSTATUS status ;
2012-11-30 17:36:07 +04:00
uint32_t sec_info ;
uint32_t desired_access = 0 ;
2000-12-03 05:19:27 +03:00
2012-11-30 17:36:07 +04:00
if ( query_sec_info = = - 1 ) {
sec_info = SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL ;
} else {
sec_info = query_sec_info ;
}
2000-12-07 09:05:57 +03:00
2012-11-30 17:36:07 +04:00
if ( sec_info & ( SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL ) ) {
desired_access | = SEC_STD_READ_CONTROL ;
}
if ( sec_info & SECINFO_SACL ) {
desired_access | = SEC_FLAG_SYSTEM_SECURITY ;
}
if ( desired_access = = 0 ) {
desired_access | = SEC_STD_READ_CONTROL ;
}
status = cli_ntcreate ( cli , filename , 0 , desired_access ,
2011-01-15 18:32:00 +03:00
0 , FILE_SHARE_READ | FILE_SHARE_WRITE ,
2014-05-09 07:55:57 +04:00
FILE_OPEN , 0x0 , 0x0 , & fnum , NULL ) ;
2011-01-15 18:32:00 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " Failed to open %s: %s \n " , filename , nt_errstr ( status ) ) ;
2010-05-03 05:08:29 +04:00
return NULL ;
2000-12-03 05:19:27 +03:00
}
2012-11-30 17:36:07 +04:00
status = cli_query_security_descriptor ( cli , fnum , sec_info ,
talloc_tos ( ) , & sd ) ;
2000-12-03 08:24:16 +03:00
2010-05-03 05:08:29 +04:00
cli_close ( cli , fnum ) ;
2011-07-22 18:56:04 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " Failed to get security descriptor: %s \n " ,
nt_errstr ( status ) ) ;
2010-05-03 05:08:29 +04:00
return NULL ;
2000-12-03 08:24:16 +03:00
}
2010-05-03 05:08:29 +04:00
return sd ;
}
2000-12-03 08:24:16 +03:00
2010-05-06 09:26:15 +04:00
/*****************************************************
set sec desc for filename
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static bool set_secdesc ( struct cli_state * cli , const char * filename ,
2010-05-18 12:29:34 +04:00
struct security_descriptor * sd )
2010-05-06 09:26:15 +04:00
{
uint16_t fnum = ( uint16_t ) - 1 ;
bool result = true ;
2011-01-15 18:20:37 +03:00
NTSTATUS status ;
2012-02-03 04:28:39 +04:00
uint32_t desired_access = 0 ;
2012-11-30 17:36:07 +04:00
uint32_t sec_info ;
if ( set_sec_info = = - 1 ) {
sec_info = 0 ;
if ( sd - > dacl | | ( sd - > type & SEC_DESC_DACL_PRESENT ) ) {
sec_info | = SECINFO_DACL ;
}
if ( sd - > sacl | | ( sd - > type & SEC_DESC_SACL_PRESENT ) ) {
sec_info | = SECINFO_SACL ;
}
if ( sd - > owner_sid ) {
sec_info | = SECINFO_OWNER ;
}
if ( sd - > group_sid ) {
sec_info | = SECINFO_GROUP ;
}
} else {
sec_info = set_sec_info ;
}
2010-05-06 09:26:15 +04:00
2012-02-03 04:28:39 +04:00
/* Make the desired_access more specific. */
2012-11-30 17:36:07 +04:00
if ( sec_info & SECINFO_DACL ) {
desired_access | = SEC_STD_WRITE_DAC ;
2012-02-03 04:28:39 +04:00
}
2012-11-30 17:36:07 +04:00
if ( sec_info & SECINFO_SACL ) {
2012-02-03 04:28:39 +04:00
desired_access | = SEC_FLAG_SYSTEM_SECURITY ;
}
2012-11-30 17:36:07 +04:00
if ( sec_info & ( SECINFO_OWNER | SECINFO_GROUP ) ) {
desired_access | = SEC_STD_WRITE_OWNER ;
2012-02-03 04:28:39 +04:00
}
2010-05-06 09:26:15 +04:00
2011-01-15 18:32:00 +03:00
status = cli_ntcreate ( cli , filename , 0 ,
2012-02-03 04:28:39 +04:00
desired_access ,
2011-01-15 18:32:00 +03:00
0 , FILE_SHARE_READ | FILE_SHARE_WRITE ,
2014-05-09 07:55:57 +04:00
FILE_OPEN , 0x0 , 0x0 , & fnum , NULL ) ;
2011-01-15 18:32:00 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " Failed to open %s: %s \n " , filename , nt_errstr ( status ) ) ;
2010-05-06 09:26:15 +04:00
return false ;
}
2012-11-30 17:36:07 +04:00
status = cli_set_security_descriptor ( cli , fnum , sec_info , sd ) ;
2011-01-15 18:20:37 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2010-05-06 09:26:15 +04:00
printf ( " ERROR: security description set failed: %s \n " ,
2011-01-15 18:20:37 +03:00
nt_errstr ( status ) ) ;
2010-05-06 09:26:15 +04:00
result = false ;
}
cli_close ( cli , fnum ) ;
return result ;
}
2010-05-03 05:08:29 +04:00
/*****************************************************
dump the acls for a file
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2015-04-24 18:31:41 +03:00
static int cacl_dump ( struct cli_state * cli , const char * filename , bool numeric )
2010-05-03 05:08:29 +04:00
{
2010-05-18 12:29:34 +04:00
struct security_descriptor * sd ;
2000-12-03 05:19:27 +03:00
2011-06-14 15:56:22 +04:00
if ( test_args ) {
2010-05-03 05:08:29 +04:00
return EXIT_OK ;
2011-06-14 15:56:22 +04:00
}
2000-12-22 02:36:25 +03:00
2010-05-03 05:08:29 +04:00
sd = get_secdesc ( cli , filename ) ;
2011-06-14 15:56:22 +04:00
if ( sd = = NULL ) {
return EXIT_FAILED ;
}
2010-05-03 05:08:29 +04:00
2011-06-14 15:56:22 +04:00
if ( sddl ) {
char * str = sddl_encode ( talloc_tos ( ) , sd , get_domain_sid ( cli ) ) ;
if ( str = = NULL ) {
return EXIT_FAILED ;
2010-05-03 05:08:29 +04:00
}
2011-06-14 15:56:22 +04:00
printf ( " %s \n " , str ) ;
TALLOC_FREE ( str ) ;
} else {
2015-04-24 18:31:41 +03:00
sec_desc_print ( cli , stdout , sd , numeric ) ;
2010-05-03 05:08:29 +04:00
}
2002-12-20 04:35:21 +03:00
2011-06-14 15:56:22 +04:00
return EXIT_OK ;
2000-12-03 05:19:27 +03:00
}
2000-12-16 03:08:05 +03:00
/*****************************************************
Change the ownership or group ownership of a file . Just
because the NT docs say this can ' t be done : - ) . JRA .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2000-12-22 02:36:25 +03:00
static int owner_set ( struct cli_state * cli , enum chown_mode change_mode ,
2007-12-04 05:48:41 +03:00
const char * filename , const char * new_username )
2000-12-16 03:08:05 +03:00
{
2010-05-21 05:25:01 +04:00
struct dom_sid sid ;
2010-05-18 12:29:34 +04:00
struct security_descriptor * sd , * old ;
2000-12-16 03:08:05 +03:00
size_t sd_size ;
2007-10-10 18:57:34 +04:00
if ( ! StringToSid ( cli , & sid , new_username ) )
2000-12-22 02:36:25 +03:00
return EXIT_PARSE_ERROR ;
2000-12-16 03:08:05 +03:00
2010-05-03 05:08:29 +04:00
old = get_secdesc ( cli , filename ) ;
2001-02-22 06:40:01 +03:00
if ( ! old ) {
return EXIT_FAILED ;
}
2013-12-19 01:56:18 +04:00
sd = make_sec_desc ( talloc_tos ( ) , old - > revision , SEC_DESC_SELF_RELATIVE ,
2003-06-24 05:09:36 +04:00
( change_mode = = REQUEST_CHOWN ) ? & sid : NULL ,
( change_mode = = REQUEST_CHGRP ) ? & sid : NULL ,
NULL , NULL , & sd_size ) ;
2000-12-16 03:08:05 +03:00
2010-05-06 09:26:15 +04:00
if ( ! set_secdesc ( cli , filename , sd ) ) {
2001-02-22 06:40:01 +03:00
return EXIT_FAILED ;
}
2000-12-22 02:36:25 +03:00
return EXIT_OK ;
2000-12-16 03:08:05 +03:00
}
2001-02-23 10:20:11 +03:00
2008-10-15 03:09:17 +04:00
/* The MSDN is contradictory over the ordering of ACE entries in an
ACL . However NT4 gives a " The information may have been modified
by a computer running Windows NT 5.0 " if denied ACEs do not appear
before allowed ACEs . At
http : //technet.microsoft.com/en-us/library/cc781716.aspx the
canonical order is specified as " Explicit Deny, Explicit Allow,
Inherited ACEs unchanged " */
2000-12-21 09:21:26 +03:00
2010-05-18 05:25:38 +04:00
static int ace_compare ( struct security_ace * ace1 , struct security_ace * ace2 )
2000-12-21 09:21:26 +03:00
{
2014-05-28 19:44:43 +04:00
if ( security_ace_equal ( ace1 , ace2 ) )
2001-11-30 04:04:15 +03:00
return 0 ;
2008-10-15 03:09:17 +04:00
if ( ( ace1 - > flags & SEC_ACE_FLAG_INHERITED_ACE ) & &
! ( ace2 - > flags & SEC_ACE_FLAG_INHERITED_ACE ) )
return 1 ;
if ( ! ( ace1 - > flags & SEC_ACE_FLAG_INHERITED_ACE ) & &
( ace2 - > flags & SEC_ACE_FLAG_INHERITED_ACE ) )
return - 1 ;
if ( ( ace1 - > flags & SEC_ACE_FLAG_INHERITED_ACE ) & &
( ace2 - > flags & SEC_ACE_FLAG_INHERITED_ACE ) )
return ace1 - ace2 ;
if ( ace1 - > type ! = ace2 - > type )
2001-11-30 04:04:15 +03:00
return ace2 - > type - ace1 - > type ;
2010-08-26 17:48:50 +04:00
if ( dom_sid_compare ( & ace1 - > trustee , & ace2 - > trustee ) )
return dom_sid_compare ( & ace1 - > trustee , & ace2 - > trustee ) ;
2001-11-30 04:04:15 +03:00
2008-10-15 03:09:17 +04:00
if ( ace1 - > flags ! = ace2 - > flags )
2001-11-30 04:04:15 +03:00
return ace1 - > flags - ace2 - > flags ;
2008-10-15 03:09:17 +04:00
if ( ace1 - > access_mask ! = ace2 - > access_mask )
2006-09-21 02:23:12 +04:00
return ace1 - > access_mask - ace2 - > access_mask ;
2001-11-30 04:04:15 +03:00
2008-10-15 03:09:17 +04:00
if ( ace1 - > size ! = ace2 - > size )
2001-11-30 04:04:15 +03:00
return ace1 - > size - ace2 - > size ;
2010-05-18 05:25:38 +04:00
return memcmp ( ace1 , ace2 , sizeof ( struct security_ace ) ) ;
2001-02-23 10:20:11 +03:00
}
2000-12-21 09:21:26 +03:00
2010-05-18 05:30:40 +04:00
static void sort_acl ( struct security_acl * the_acl )
2001-02-23 10:20:11 +03:00
{
2015-05-07 03:00:06 +03:00
uint32_t i ;
2001-02-22 09:35:54 +03:00
if ( ! the_acl ) return ;
2010-02-14 02:03:55 +03:00
TYPESAFE_QSORT ( the_acl - > aces , the_acl - > num_aces , ace_compare ) ;
2000-12-21 09:21:26 +03:00
2001-02-23 10:20:11 +03:00
for ( i = 1 ; i < the_acl - > num_aces ; ) {
2014-05-28 19:44:43 +04:00
if ( security_ace_equal ( & the_acl - > aces [ i - 1 ] ,
& the_acl - > aces [ i ] ) ) {
2001-02-23 10:20:11 +03:00
int j ;
for ( j = i ; j < the_acl - > num_aces - 1 ; j + + ) {
2006-09-21 02:23:12 +04:00
the_acl - > aces [ j ] = the_acl - > aces [ j + 1 ] ;
2001-02-23 10:20:11 +03:00
}
the_acl - > num_aces - - ;
} else {
i + + ;
2000-12-21 09:21:26 +03:00
}
}
}
2000-12-03 10:36:15 +03:00
/*****************************************************
set the ACLs on a file given an ascii description
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-10-15 03:09:17 +04:00
2010-05-03 05:08:02 +04:00
static int cacl_set ( struct cli_state * cli , const char * filename ,
2015-04-24 18:31:41 +03:00
char * the_acl , enum acl_mode mode , bool numeric )
2000-12-03 10:36:15 +03:00
{
2010-05-18 12:29:34 +04:00
struct security_descriptor * sd , * old ;
2015-05-07 03:00:06 +03:00
uint32_t i , j ;
2000-12-16 03:08:05 +03:00
size_t sd_size ;
2000-12-22 02:36:25 +03:00
int result = EXIT_OK ;
2000-12-03 10:36:15 +03:00
2010-03-15 14:16:52 +03:00
if ( sddl ) {
2011-06-09 16:32:27 +04:00
sd = sddl_decode ( talloc_tos ( ) , the_acl , get_domain_sid ( cli ) ) ;
2010-03-15 14:16:52 +03:00
} else {
sd = sec_desc_parse ( talloc_tos ( ) , cli , the_acl ) ;
}
2000-12-03 10:36:15 +03:00
2000-12-22 02:36:25 +03:00
if ( ! sd ) return EXIT_PARSE_ERROR ;
if ( test_args ) return EXIT_OK ;
2000-12-07 09:05:57 +03:00
2016-04-30 01:12:38 +03:00
if ( mode ! = SMB_ACL_SET ) {
/*
* Do not fetch old ACL when it will be overwritten
* completely with a new one .
*/
old = get_secdesc ( cli , filename ) ;
if ( ! old ) {
return EXIT_FAILED ;
}
2001-02-22 06:40:01 +03:00
}
2000-12-03 15:41:28 +03:00
/* the logic here is rather more complex than I would like */
switch ( mode ) {
2001-04-11 05:34:37 +04:00
case SMB_ACL_DELETE :
2000-12-03 15:41:28 +03:00
for ( i = 0 ; sd - > dacl & & i < sd - > dacl - > num_aces ; i + + ) {
2007-10-19 04:40:25 +04:00
bool found = False ;
2000-12-12 09:06:10 +03:00
2000-12-03 15:41:28 +03:00
for ( j = 0 ; old - > dacl & & j < old - > dacl - > num_aces ; j + + ) {
2014-05-28 19:44:43 +04:00
if ( security_ace_equal ( & sd - > dacl - > aces [ i ] ,
& old - > dacl - > aces [ j ] ) ) {
2015-05-07 03:00:06 +03:00
uint32_t k ;
2001-02-23 10:20:11 +03:00
for ( k = j ; k < old - > dacl - > num_aces - 1 ; k + + ) {
2006-09-21 02:23:12 +04:00
old - > dacl - > aces [ k ] = old - > dacl - > aces [ k + 1 ] ;
2000-12-04 03:33:08 +03:00
}
old - > dacl - > num_aces - - ;
2000-12-12 09:06:10 +03:00
found = True ;
2000-12-04 03:33:08 +03:00
break ;
2000-12-03 15:41:28 +03:00
}
}
2000-12-12 09:06:10 +03:00
if ( ! found ) {
2008-10-15 03:09:17 +04:00
printf ( " ACL for ACE: " ) ;
2015-04-24 18:31:41 +03:00
print_ace ( cli , stdout , & sd - > dacl - > aces [ i ] ,
numeric ) ;
2001-02-23 10:20:11 +03:00
printf ( " not found \n " ) ;
2000-12-12 09:06:10 +03:00
}
2000-12-03 15:41:28 +03:00
}
break ;
2001-04-11 05:34:37 +04:00
case SMB_ACL_MODIFY :
2000-12-03 15:41:28 +03:00
for ( i = 0 ; sd - > dacl & & i < sd - > dacl - > num_aces ; i + + ) {
2007-10-19 04:40:25 +04:00
bool found = False ;
2000-12-04 09:43:36 +03:00
2000-12-03 15:41:28 +03:00
for ( j = 0 ; old - > dacl & & j < old - > dacl - > num_aces ; j + + ) {
2010-08-26 17:48:50 +04:00
if ( dom_sid_equal ( & sd - > dacl - > aces [ i ] . trustee ,
2006-09-21 02:23:12 +04:00
& old - > dacl - > aces [ j ] . trustee ) ) {
old - > dacl - > aces [ j ] = sd - > dacl - > aces [ i ] ;
2000-12-04 09:43:36 +03:00
found = True ;
2000-12-03 15:41:28 +03:00
}
}
2000-12-04 09:43:36 +03:00
if ( ! found ) {
fstring str ;
2007-10-10 18:57:34 +04:00
SidToString ( cli , str ,
2015-04-24 18:31:41 +03:00
& sd - > dacl - > aces [ i ] . trustee ,
numeric ) ;
2000-12-04 09:43:36 +03:00
printf ( " ACL for SID %s not found \n " , str ) ;
}
2000-12-03 15:41:28 +03:00
}
2000-12-04 09:43:36 +03:00
2004-11-23 04:05:31 +03:00
if ( sd - > owner_sid ) {
old - > owner_sid = sd - > owner_sid ;
}
2008-10-15 03:09:17 +04:00
if ( sd - > group_sid ) {
2006-09-21 02:23:12 +04:00
old - > group_sid = sd - > group_sid ;
2004-11-23 04:05:31 +03:00
}
2000-12-03 15:41:28 +03:00
break ;
2001-04-11 05:34:37 +04:00
case SMB_ACL_ADD :
2000-12-03 15:41:28 +03:00
for ( i = 0 ; sd - > dacl & & i < sd - > dacl - > num_aces ; i + + ) {
2006-09-21 02:23:12 +04:00
add_ace ( & old - > dacl , & sd - > dacl - > aces [ i ] ) ;
2000-12-03 15:41:28 +03:00
}
break ;
2001-04-11 05:34:37 +04:00
case SMB_ACL_SET :
2000-12-12 09:06:10 +03:00
old = sd ;
2000-12-03 15:41:28 +03:00
break ;
}
2000-12-03 10:36:15 +03:00
2000-12-21 09:21:26 +03:00
/* Denied ACE entries must come before allowed ones */
sort_acl ( old - > dacl ) ;
/* Create new security descriptor and set it */
2007-07-10 02:15:22 +04:00
2005-11-02 05:35:48 +03:00
/* We used to just have "WRITE_DAC_ACCESS" without WRITE_OWNER.
But if we ' re sending an owner , even if it ' s the same as the one
that already exists then W2K3 insists we open with WRITE_OWNER access .
I need to check that setting a SD with no owner set works against WNT
and W2K . JRA .
*/
2007-10-10 18:57:34 +04:00
sd = make_sec_desc ( talloc_tos ( ) , old - > revision , old - > type ,
old - > owner_sid , old - > group_sid ,
2000-12-04 07:58:40 +03:00
NULL , old - > dacl , & sd_size ) ;
2000-12-04 03:33:08 +03:00
2010-05-06 09:26:15 +04:00
if ( ! set_secdesc ( cli , filename , sd ) ) {
2000-12-22 02:36:25 +03:00
result = EXIT_FAILED ;
2000-12-03 10:36:15 +03:00
}
2000-12-22 02:36:25 +03:00
return result ;
2000-12-03 10:36:15 +03:00
}
2010-05-06 09:35:02 +04:00
/*****************************************************
set the inherit on a file
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static int inherit ( struct cli_state * cli , const char * filename ,
const char * type )
{
2010-05-18 12:29:34 +04:00
struct security_descriptor * old , * sd ;
2015-05-07 03:00:06 +03:00
uint32_t oldattr ;
2010-05-06 09:35:02 +04:00
size_t sd_size ;
int result = EXIT_OK ;
old = get_secdesc ( cli , filename ) ;
if ( ! old ) {
return EXIT_FAILED ;
}
oldattr = get_fileinfo ( cli , filename ) ;
if ( strcmp ( type , " allow " ) = = 0 ) {
if ( ( old - > type & SEC_DESC_DACL_PROTECTED ) = =
SEC_DESC_DACL_PROTECTED ) {
int i ;
char * parentname , * temp ;
2010-05-18 12:29:34 +04:00
struct security_descriptor * parent ;
2010-05-06 09:35:02 +04:00
temp = talloc_strdup ( talloc_tos ( ) , filename ) ;
old - > type = old - > type & ( ~ SEC_DESC_DACL_PROTECTED ) ;
/* look at parent and copy in all its inheritable ACL's. */
string_replace ( temp , ' \\ ' , ' / ' ) ;
if ( ! parent_dirname ( talloc_tos ( ) , temp , & parentname , NULL ) ) {
return EXIT_FAILED ;
}
string_replace ( parentname , ' / ' , ' \\ ' ) ;
parent = get_secdesc ( cli , parentname ) ;
2011-03-23 15:11:26 +03:00
if ( parent = = NULL ) {
return EXIT_FAILED ;
}
2010-05-06 09:35:02 +04:00
for ( i = 0 ; i < parent - > dacl - > num_aces ; i + + ) {
2010-05-18 05:25:38 +04:00
struct security_ace * ace = & parent - > dacl - > aces [ i ] ;
2010-06-05 04:48:40 +04:00
/* Add inherited flag to all aces */
ace - > flags = ace - > flags |
SEC_ACE_FLAG_INHERITED_ACE ;
2011-04-29 05:57:02 +04:00
if ( ( oldattr & FILE_ATTRIBUTE_DIRECTORY ) = = FILE_ATTRIBUTE_DIRECTORY ) {
2010-05-06 09:35:02 +04:00
if ( ( ace - > flags & SEC_ACE_FLAG_CONTAINER_INHERIT ) = =
SEC_ACE_FLAG_CONTAINER_INHERIT ) {
add_ace ( & old - > dacl , ace ) ;
}
} else {
if ( ( ace - > flags & SEC_ACE_FLAG_OBJECT_INHERIT ) = =
SEC_ACE_FLAG_OBJECT_INHERIT ) {
2010-06-05 04:48:40 +04:00
/* clear flags for files */
ace - > flags = 0 ;
2010-05-06 09:35:02 +04:00
add_ace ( & old - > dacl , ace ) ;
}
}
}
} else {
printf ( " Already set to inheritable permissions. \n " ) ;
return EXIT_FAILED ;
}
} else if ( strcmp ( type , " remove " ) = = 0 ) {
if ( ( old - > type & SEC_DESC_DACL_PROTECTED ) ! =
SEC_DESC_DACL_PROTECTED ) {
old - > type = old - > type | SEC_DESC_DACL_PROTECTED ;
/* remove all inherited ACL's. */
if ( old - > dacl ) {
int i ;
2010-05-18 05:30:40 +04:00
struct security_acl * temp = old - > dacl ;
2010-05-06 09:35:02 +04:00
old - > dacl = make_sec_acl ( talloc_tos ( ) , 3 , 0 , NULL ) ;
for ( i = temp - > num_aces - 1 ; i > = 0 ; i - - ) {
2010-05-18 05:25:38 +04:00
struct security_ace * ace = & temp - > aces [ i ] ;
2010-05-06 09:35:02 +04:00
/* Remove all ace with INHERITED flag set */
if ( ( ace - > flags & SEC_ACE_FLAG_INHERITED_ACE ) ! =
SEC_ACE_FLAG_INHERITED_ACE ) {
add_ace ( & old - > dacl , ace ) ;
}
}
}
} else {
printf ( " Already set to no inheritable permissions. \n " ) ;
return EXIT_FAILED ;
}
} else if ( strcmp ( type , " copy " ) = = 0 ) {
if ( ( old - > type & SEC_DESC_DACL_PROTECTED ) ! =
SEC_DESC_DACL_PROTECTED ) {
old - > type = old - > type | SEC_DESC_DACL_PROTECTED ;
/* convert all inherited ACL's to non inherated ACL's. */
if ( old - > dacl ) {
int i ;
for ( i = 0 ; i < old - > dacl - > num_aces ; i + + ) {
2010-05-18 05:25:38 +04:00
struct security_ace * ace = & old - > dacl - > aces [ i ] ;
2010-05-06 09:35:02 +04:00
/* Remove INHERITED FLAG from all aces */
ace - > flags = ace - > flags & ( ~ SEC_ACE_FLAG_INHERITED_ACE ) ;
}
}
} else {
printf ( " Already set to no inheritable permissions. \n " ) ;
return EXIT_FAILED ;
}
}
/* Denied ACE entries must come before allowed ones */
sort_acl ( old - > dacl ) ;
sd = make_sec_desc ( talloc_tos ( ) , old - > revision , old - > type ,
old - > owner_sid , old - > group_sid ,
NULL , old - > dacl , & sd_size ) ;
if ( ! set_secdesc ( cli , filename , sd ) ) {
result = EXIT_FAILED ;
}
return result ;
}
2000-12-03 05:19:27 +03:00
2007-10-25 01:16:54 +04:00
/*****************************************************
Return a connection to a server .
2000-12-03 05:19:27 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2016-10-21 18:22:03 +03:00
static struct cli_state * connect_one ( const struct user_auth_info * auth_info ,
2008-12-14 15:06:19 +03:00
const char * server , const char * share )
2000-12-03 05:19:27 +03:00
{
2008-01-05 11:23:35 +03:00
struct cli_state * c = NULL ;
2002-07-15 14:35:28 +04:00
NTSTATUS nt_status ;
2008-05-05 18:58:24 +04:00
uint32_t flags = 0 ;
2008-12-14 15:06:19 +03:00
if ( get_cmdline_auth_info_use_kerberos ( auth_info ) ) {
2008-05-05 18:58:24 +04:00
flags | = CLI_FULL_CONNECTION_USE_KERBEROS |
CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS ;
}
2011-06-09 09:31:03 +04:00
nt_status = cli_full_connection ( & c , lp_netbios_name ( ) , server ,
2011-07-22 14:29:57 +04:00
NULL , 0 ,
2008-01-05 11:23:35 +03:00
share , " ????? " ,
2008-12-14 15:06:19 +03:00
get_cmdline_auth_info_username ( auth_info ) ,
2008-01-05 11:23:35 +03:00
lp_workgroup ( ) ,
2008-12-14 15:06:19 +03:00
get_cmdline_auth_info_password ( auth_info ) ,
2008-05-05 18:58:24 +04:00
flags ,
2010-12-20 18:37:23 +03:00
get_cmdline_auth_info_signing_state ( auth_info ) ) ;
2008-01-05 11:23:35 +03:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
2002-07-15 14:35:28 +04:00
DEBUG ( 0 , ( " cli_full_connection failed! (%s) \n " , nt_errstr ( nt_status ) ) ) ;
2000-12-03 05:19:27 +03:00
return NULL ;
}
2008-01-05 11:23:35 +03:00
2008-12-14 15:06:19 +03:00
if ( get_cmdline_auth_info_smb_encrypt ( auth_info ) ) {
2008-01-05 11:23:35 +03:00
nt_status = cli_cm_force_encryption ( c ,
2008-12-14 15:06:19 +03:00
get_cmdline_auth_info_username ( auth_info ) ,
get_cmdline_auth_info_password ( auth_info ) ,
2008-01-05 11:23:35 +03:00
lp_workgroup ( ) ,
share ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
cli_shutdown ( c ) ;
c = NULL ;
}
}
return c ;
2000-12-03 05:19:27 +03:00
}
/****************************************************************************
main program
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2014-02-26 23:16:26 +04:00
int main ( int argc , char * argv [ ] )
2000-12-03 05:19:27 +03:00
{
2014-02-26 23:16:26 +04:00
const char * * argv_const = discard_const_p ( const char * , argv ) ;
2000-12-03 05:19:27 +03:00
char * share ;
int opt ;
2001-06-19 04:44:23 +04:00
enum acl_mode mode = SMB_ACL_SET ;
2003-04-14 07:59:04 +04:00
static char * the_acl = NULL ;
2000-12-16 03:08:05 +03:00
enum chown_mode change_mode = REQUEST_NONE ;
2000-12-22 02:36:25 +03:00
int result ;
2007-12-04 05:48:41 +03:00
char * path ;
char * filename = NULL ;
2003-04-14 07:59:04 +04:00
poptContext pc ;
2015-04-24 18:31:41 +03:00
/* numeric is set when the user wants numeric SIDs and ACEs rather
than going via LSA calls to resolve them */
2016-01-20 10:34:26 +03:00
int numeric = 0 ;
2015-04-24 18:31:41 +03:00
2003-04-14 07:59:04 +04:00
struct poptOption long_options [ ] = {
POPT_AUTOHELP
{ " delete " , ' D ' , POPT_ARG_STRING , NULL , ' D ' , " Delete an acl " , " ACL " } ,
{ " modify " , ' M ' , POPT_ARG_STRING , NULL , ' M ' , " Modify an acl " , " ACL " } ,
2003-09-01 14:43:21 +04:00
{ " add " , ' a ' , POPT_ARG_STRING , NULL , ' a ' , " Add an acl " , " ACL " } ,
2003-04-14 07:59:04 +04:00
{ " set " , ' S ' , POPT_ARG_STRING , NULL , ' S ' , " Set acls " , " ACLS " } ,
{ " chown " , ' C ' , POPT_ARG_STRING , NULL , ' C ' , " Change ownership of a file " , " USERNAME " } ,
{ " chgrp " , ' G ' , POPT_ARG_STRING , NULL , ' G ' , " Change group ownership of a file " , " GROUPNAME " } ,
2010-05-06 09:35:02 +04:00
{ " inherit " , ' I ' , POPT_ARG_STRING , NULL , ' I ' , " Inherit allow|remove|copy " } ,
2008-10-15 03:09:17 +04:00
{ " numeric " , 0 , POPT_ARG_NONE , & numeric , 1 , " Don't resolve sids or masks to names " } ,
2010-03-15 14:16:52 +03:00
{ " sddl " , 0 , POPT_ARG_NONE , & sddl , 1 , " Output and input acls in sddl format " } ,
2012-11-30 17:36:07 +04:00
{ " query-security-info " , 0 , POPT_ARG_INT , & query_sec_info , 1 ,
" The security-info flags for queries "
} ,
{ " set-security-info " , 0 , POPT_ARG_INT , & set_sec_info , 1 ,
" The security-info flags for modifications "
} ,
2008-10-15 03:09:17 +04:00
{ " test-args " , ' t ' , POPT_ARG_NONE , & test_args , 1 , " Test arguments " } ,
2011-06-09 17:29:32 +04:00
{ " domain-sid " , 0 , POPT_ARG_STRING , & domain_sid , 0 , " Domain SID for sddl " , " SID " } ,
2013-08-08 22:43:16 +04:00
{ " max-protocol " , ' m ' , POPT_ARG_STRING , NULL , ' m ' , " Set the max protocol level " , " LEVEL " } ,
2003-04-14 07:59:04 +04:00
POPT_COMMON_SAMBA
2008-07-08 02:51:08 +04:00
POPT_COMMON_CONNECTION
2003-04-14 07:59:04 +04:00
POPT_COMMON_CREDENTIALS
2008-07-08 02:51:08 +04:00
POPT_TABLEEND
2003-04-14 07:59:04 +04:00
} ;
2000-12-03 05:19:27 +03:00
2002-07-15 14:35:28 +04:00
struct cli_state * cli ;
2007-11-16 01:19:52 +03:00
TALLOC_CTX * frame = talloc_stackframe ( ) ;
2007-12-04 05:48:41 +03:00
const char * owner_username = " " ;
char * server ;
2002-07-15 14:35:28 +04:00
2015-03-21 22:00:06 +03:00
smb_init_locale ( ) ;
2005-12-29 01:48:54 +03:00
2004-11-18 16:29:10 +03:00
/* set default debug level to 1 regardless of what smb.conf sets */
2010-10-29 07:19:32 +04:00
setup_logging ( " smbcacls " , DEBUG_STDERR ) ;
2010-10-29 08:06:36 +04:00
lp_set_cmdline ( " log level " , " 1 " ) ;
2000-12-03 05:19:27 +03:00
2004-09-15 17:57:33 +04:00
setlinebuf ( stdout ) ;
2000-12-03 05:19:27 +03:00
2016-12-09 18:04:38 +03:00
popt_common_credentials_set_ignore_missing_conf ( ) ;
2014-02-26 23:16:26 +04:00
pc = poptGetContext ( " smbcacls " , argc , argv_const , long_options , 0 ) ;
2007-12-04 05:48:41 +03:00
2005-11-04 20:40:35 +03:00
poptSetOtherOptionHelp ( pc , " //server1/share1 filename \n ACLs look like: "
" 'ACL:user:[ALLOWED|DENIED]/flags/permissions' " ) ;
2000-12-03 05:19:27 +03:00
2003-04-14 07:59:04 +04:00
while ( ( opt = poptGetNextOpt ( pc ) ) ! = - 1 ) {
2000-12-03 05:19:27 +03:00
switch ( opt ) {
2000-12-03 11:35:11 +03:00
case ' S ' :
2003-04-14 07:59:04 +04:00
the_acl = smb_xstrdup ( poptGetOptArg ( pc ) ) ;
2001-04-11 05:34:37 +04:00
mode = SMB_ACL_SET ;
2000-12-03 15:41:28 +03:00
break ;
case ' D ' :
2003-04-14 07:59:04 +04:00
the_acl = smb_xstrdup ( poptGetOptArg ( pc ) ) ;
2001-04-11 05:34:37 +04:00
mode = SMB_ACL_DELETE ;
2000-12-03 15:41:28 +03:00
break ;
case ' M ' :
2003-04-14 07:59:04 +04:00
the_acl = smb_xstrdup ( poptGetOptArg ( pc ) ) ;
2001-04-11 05:34:37 +04:00
mode = SMB_ACL_MODIFY ;
2000-12-03 15:41:28 +03:00
break ;
2003-09-01 14:43:21 +04:00
case ' a ' :
2003-04-14 07:59:04 +04:00
the_acl = smb_xstrdup ( poptGetOptArg ( pc ) ) ;
2001-04-11 05:34:37 +04:00
mode = SMB_ACL_ADD ;
2000-12-03 10:36:15 +03:00
break ;
2000-12-03 11:35:11 +03:00
2000-12-16 03:08:05 +03:00
case ' C ' :
2007-12-04 05:48:41 +03:00
owner_username = poptGetOptArg ( pc ) ;
2000-12-16 03:08:05 +03:00
change_mode = REQUEST_CHOWN ;
break ;
case ' G ' :
2007-12-04 05:48:41 +03:00
owner_username = poptGetOptArg ( pc ) ;
2000-12-16 03:08:05 +03:00
change_mode = REQUEST_CHGRP ;
break ;
2010-05-06 09:35:02 +04:00
case ' I ' :
owner_username = poptGetOptArg ( pc ) ;
change_mode = REQUEST_INHERIT ;
break ;
2013-08-08 22:43:16 +04:00
case ' m ' :
lp_set_cmdline ( " client max protocol " , poptGetOptArg ( pc ) ) ;
break ;
2000-12-03 05:19:27 +03:00
}
}
2003-04-14 07:59:04 +04:00
/* Make connection to server */
2007-12-04 05:48:41 +03:00
if ( ! poptPeekArg ( pc ) ) {
2003-04-14 07:59:04 +04:00
poptPrintUsage ( pc , stderr , 0 ) ;
return - 1 ;
2000-12-07 09:05:57 +03:00
}
2007-12-04 05:48:41 +03:00
path = talloc_strdup ( frame , poptGetArg ( pc ) ) ;
if ( ! path ) {
2003-04-14 07:59:04 +04:00
return - 1 ;
}
2000-12-03 05:19:27 +03:00
2007-12-04 05:48:41 +03:00
if ( ! poptPeekArg ( pc ) ) {
poptPrintUsage ( pc , stderr , 0 ) ;
return - 1 ;
}
filename = talloc_strdup ( frame , poptGetArg ( pc ) ) ;
if ( ! filename ) {
return - 1 ;
}
2000-12-21 03:12:59 +03:00
2012-10-30 00:12:14 +04:00
poptFreeContext ( pc ) ;
2012-11-06 12:27:43 +04:00
popt_burn_cmdline_password ( argc , argv ) ;
2017-05-04 13:21:45 +03:00
popt_common_credentials_post ( ) ;
2012-10-30 00:12:14 +04:00
2007-12-04 05:48:41 +03:00
string_replace ( path , ' / ' , ' \\ ' ) ;
server = talloc_strdup ( frame , path + 2 ) ;
if ( ! server ) {
return - 1 ;
}
2002-07-15 14:35:28 +04:00
share = strchr_m ( server , ' \\ ' ) ;
if ( ! share ) {
2007-05-19 08:23:04 +04:00
printf ( " Invalid argument: %s \n " , share ) ;
return - 1 ;
2002-07-15 14:35:28 +04:00
}
* share = 0 ;
share + + ;
2000-12-07 09:05:57 +03:00
if ( ! test_args ) {
2017-04-26 03:03:10 +03:00
cli = connect_one ( popt_get_cmdline_auth_info ( ) , server , share ) ;
2001-02-28 04:38:12 +03:00
if ( ! cli ) {
exit ( EXIT_FAILED ) ;
}
2002-07-15 14:35:28 +04:00
} else {
2017-04-26 03:08:30 +03:00
popt_free_cmdline_auth_info ( ) ;
2002-07-15 14:35:28 +04:00
exit ( 0 ) ;
2000-12-07 09:05:57 +03:00
}
2000-12-03 05:19:27 +03:00
2007-12-04 05:48:41 +03:00
string_replace ( filename , ' / ' , ' \\ ' ) ;
2001-02-22 09:22:20 +03:00
if ( filename [ 0 ] ! = ' \\ ' ) {
2007-12-04 05:48:41 +03:00
filename = talloc_asprintf ( frame ,
" \\ %s " ,
filename ) ;
if ( ! filename ) {
return - 1 ;
}
2000-12-21 08:28:39 +03:00
}
2000-12-21 03:12:59 +03:00
/* Perform requested action */
2010-05-06 09:35:02 +04:00
if ( change_mode = = REQUEST_INHERIT ) {
result = inherit ( cli , filename , owner_username ) ;
} else if ( change_mode ! = REQUEST_NONE ) {
2000-12-22 02:36:25 +03:00
result = owner_set ( cli , change_mode , filename , owner_username ) ;
2000-12-16 03:08:05 +03:00
} else if ( the_acl ) {
2015-04-24 18:31:41 +03:00
result = cacl_set ( cli , filename , the_acl , mode , numeric ) ;
2000-12-03 10:36:15 +03:00
} else {
2015-04-24 18:31:41 +03:00
result = cacl_dump ( cli , filename , numeric ) ;
2000-12-03 10:36:15 +03:00
}
2000-12-03 05:19:27 +03:00
2017-04-26 03:08:30 +03:00
popt_free_cmdline_auth_info ( ) ;
2007-10-10 18:57:34 +04:00
TALLOC_FREE ( frame ) ;
2001-02-28 04:38:12 +03:00
2000-12-22 02:36:25 +03:00
return result ;
2000-12-03 05:19:27 +03:00
}