1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-27 03:21:53 +03:00
samba-mirror/testsuite/printing/psec.c
Rusty Russell ca1936fbb2 tdb_compat: use tdb_open_compat.
This is a helper for the common case of opening a tdb with a logging
function, but it doesn't do all the work, since TDB1 and TDB2's log
functions are different types.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2011-06-20 11:18:35 +02:00

439 lines
9.7 KiB
C

/*
Unix SMB/Netbios implementation.
Version 2.0
Printer security permission manipulation.
Copyright (C) Tim Potter 2000
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/* This program can get or set NT printer security permissions from the
command line. Usage: psec getsec|setsec printername. You must have
write access to the ntdrivers.tdb file to set permissions and read
access to get permissions.
For this program to compile using the supplied Makefile.psec, Samba
must be configured with the --srcdir option
For getsec, output like the following is sent to standard output:
S-1-5-21-1067277791-1719175008-3000797951-500
1 9 0x10000000 S-1-5-21-1067277791-1719175008-3000797951-501
1 2 0x10000000 S-1-5-21-1067277791-1719175008-3000797951-501
0 9 0x10000000 S-1-5-21-1067277791-1719175008-3000797951-500
0 2 0x10000000 S-1-5-21-1067277791-1719175008-3000797951-500
0 9 0x10000000 S-1-5-21-1067277791-1719175008-3000797951-513
0 2 0x00020000 S-1-5-21-1067277791-1719175008-3000797951-513
0 2 0xe0000000 S-1-1-0
The first two lines describe the owner user and owner group of the printer.
If either of these lines are blank then the respective owner property is
not set. The remaining lines list the printer permissions or ACE entries,
one per line. Each column describes a different property of the ACE:
Column Description
-------------------------------------------------------------------
1 ACE type (allow/deny etc) defined in rpc_secdes.h
2 ACE flags defined in rpc_secdes.h
3 ACE mask - printer ACE masks are defined in rpc_spoolss.h
4 SID the ACE applies to
The above example describes the following permissions in order:
- The guest user has No Access to the printer
- The domain administrator has Full Access
- Domain Users can Manage Documents
- Everyone has Print access
The setsec command takes the output format but sets the security descriptor
appropriately. */
#include "includes.h"
TDB_CONTEXT *tdb;
/* ACE type conversions */
char *ace_type_to_str(uint ace_type)
{
static fstring temp;
switch(ace_type) {
case SEC_ACE_TYPE_ACCESS_DENIED:
return "DENY";
case SEC_ACE_TYPE_ACCESS_ALLOWED:
return "ALLOW";
}
slprintf(temp, sizeof(temp) - 1, "0x%02x", ace_type);
return temp;
}
uint str_to_ace_type(char *ace_type)
{
if (strcmp(ace_type, "ALLOWED") == 0)
return SEC_ACE_TYPE_ACCESS_ALLOWED;
if (strcmp(ace_type, "DENIED") == 0)
return SEC_ACE_TYPE_ACCESS_DENIED;
return -1;
}
/* ACE mask (permission) conversions */
char *ace_mask_to_str(uint32 ace_mask)
{
static fstring temp;
switch (ace_mask) {
case PRINTER_ACE_FULL_CONTROL:
return "Full Control";
case PRINTER_ACE_MANAGE_DOCUMENTS:
return "Manage Documents";
case PRINTER_ACE_PRINT:
return "Print";
}
slprintf(temp, sizeof(temp) - 1, "0x%08x", ace_mask);
return temp;
}
uint32 str_to_ace_mask(char *ace_mask)
{
if (strcmp(ace_mask, "Full Control") == 0)
return PRINTER_ACE_FULL_CONTROL;
if (strcmp(ace_mask, "Manage Documents") == 0)
return PRINTER_ACE_MANAGE_DOCUMENTS;
if (strcmp(ace_mask, "Print") == 0)
return PRINTER_ACE_PRINT;
return -1;
}
/* ACE conversions */
char *ace_to_str(SEC_ACE *ace)
{
static pstring temp;
fstring sidstr;
sid_to_string(sidstr, &ace->sid);
slprintf(temp, sizeof(temp) - 1, "%s %d %s %s",
ace_type_to_str(ace->type), ace->flags,
ace_mask_to_str(ace->info.mask), sidstr);
return temp;
}
void str_to_ace(SEC_ACE *ace, char *ace_str)
{
SEC_ACCESS sa;
struct dom_sid sid;
uint32 mask;
uint8 type, flags;
init_sec_access(&sa, mask);
init_sec_ace(ace, &sid, type, sa, flags);
}
/* Get a printer security descriptor */
int psec_getsec(char *printer)
{
SEC_DESC_BUF *secdesc_ctr = NULL;
TALLOC_CTX *mem_ctx = NULL;
fstring keystr, sidstr, tdb_path;
prs_struct ps;
int result = 0, i;
ZERO_STRUCT(ps);
/* Open tdb for reading */
slprintf(tdb_path, sizeof(tdb_path) - 1, "%s/ntdrivers.tdb",
lp_lockdir());
tdb = tdb_open_compat(tdb_path, 0, 0, O_RDONLY, 0600, NULL, NULL);
if (!tdb) {
printf("psec: failed to open nt drivers database: %s\n",
sys_errlist[errno]);
return 1;
}
/* Get security blob from tdb */
slprintf(keystr, sizeof(keystr) - 1, "SECDESC/%s", printer);
mem_ctx = talloc_init();
if (!mem_ctx) {
printf("memory allocation error\n");
result = 1;
goto done;
}
if (tdb_prs_fetch(tdb, keystr, &ps, mem_ctx) != 0) {
printf("error fetching descriptor for printer %s\n",
printer);
/* cannot do a prs_mem_free() when tdb_prs_fetch fails */
/* as the prs structure has not been initialized */
tdb_close(tdb);
talloc_destroy(mem_ctx);
return 1;
}
/* Unpack into security descriptor buffer */
if (!sec_io_desc_buf("nt_printing_getsec", &secdesc_ctr, &ps, 1)) {
printf("error unpacking sec_desc_buf\n");
result = 1;
goto done;
}
/* Print owner and group sid */
if (secdesc_ctr->sec->owner_sid) {
sid_to_string(sidstr, secdesc_ctr->sec->owner_sid);
} else {
fstrcpy(sidstr, "");
}
printf("%s\n", sidstr);
if (secdesc_ctr->sec->grp_sid) {
sid_to_string(sidstr, secdesc_ctr->sec->grp_sid);
} else {
fstrcpy(sidstr, "");
}
printf("%s\n", sidstr);
/* Print aces */
if (!secdesc_ctr->sec->dacl) {
result = 0;
goto done;
}
for (i = 0; i < secdesc_ctr->sec->dacl->num_aces; i++) {
SEC_ACE *ace = &secdesc_ctr->sec->dacl->ace[i];
sid_to_string(sidstr, &ace->sid);
printf("%d %d 0x%08x %s\n", ace->type, ace->flags,
ace->info.mask, sidstr);
}
done:
if (tdb) tdb_close(tdb);
if (mem_ctx) talloc_destroy(mem_ctx);
if (secdesc_ctr) free_sec_desc_buf(&secdesc_ctr);
prs_mem_free(&ps);
return result;
}
/* Set a printer security descriptor */
int psec_setsec(char *printer)
{
struct dom_sid user_sid, group_sid;
SEC_ACE *ace_list = NULL;
SEC_ACL *dacl = NULL;
SEC_DESC *sd;
SEC_DESC_BUF *sdb = NULL;
int result = 0, num_aces = 0;
fstring line, keystr, tdb_path;
size_t size;
prs_struct ps;
TALLOC_CTX *mem_ctx = NULL;
BOOL has_user_sid = False, has_group_sid = False;
ZERO_STRUCT(ps);
/* Open tdb for reading */
slprintf(tdb_path, sizeof(tdb_path) - 1, "%s/ntdrivers.tdb",
lp_lockdir());
tdb = tdb_open_compat(tdb_path, 0, 0, O_RDWR, 0600, NULL, NULL);
if (!tdb) {
printf("psec: failed to open nt drivers database: %s\n",
sys_errlist[errno]);
result = 1;
goto done;
}
/* Read owner and group sid */
fgets(line, sizeof(fstring), stdin);
if (line[0] != '\n') {
string_to_sid(&user_sid, line);
has_user_sid = True;
}
fgets(line, sizeof(fstring), stdin);
if (line[0] != '\n') {
string_to_sid(&group_sid, line);
has_group_sid = True;
}
/* Read ACEs from standard input for discretionary ACL */
while(fgets(line, sizeof(fstring), stdin)) {
int ace_type, ace_flags;
uint32 ace_mask;
fstring sidstr;
struct dom_sid sid;
SEC_ACCESS sa;
if (sscanf(line, "%d %d 0x%x %s", &ace_type, &ace_flags,
&ace_mask, sidstr) != 4) {
continue;
}
string_to_sid(&sid, sidstr);
ace_list = Realloc(ace_list, sizeof(SEC_ACE) *
(num_aces + 1));
init_sec_access(&sa, ace_mask);
init_sec_ace(&ace_list[num_aces], &sid, ace_type, sa,
ace_flags);
num_aces++;
}
dacl = make_sec_acl(ACL_REVISION, num_aces, ace_list);
free(ace_list);
/* Create security descriptor */
sd = make_sec_desc(SEC_DESC_REVISION,
has_user_sid ? &user_sid : NULL,
has_group_sid ? &group_sid : NULL,
NULL, /* System ACL */
dacl, /* Discretionary ACL */
&size);
free_sec_acl(&dacl);
sdb = make_sec_desc_buf(size, sd);
free_sec_desc(&sd);
/* Write security descriptor to tdb */
mem_ctx = talloc_init();
if (!mem_ctx) {
printf("memory allocation error\n");
result = 1;
goto done;
}
if (!prs_init(&ps, (uint32)sec_desc_size(sdb->sec) +
sizeof(SEC_DESC_BUF), 4, mem_ctx, MARSHALL)) {
printf("prs_init() failed\n");
goto done;
}
if (!sec_io_desc_buf("nt_printing_setsec", &sdb, &ps, 1)) {
printf("sec_io_desc_buf failed\n");
goto done;
}
slprintf(keystr, sizeof(keystr) - 1, "SECDESC/%s", printer);
if (!tdb_prs_store(tdb, keystr, &ps)==0) {
printf("Failed to store secdesc for %s\n", printer);
goto done;
}
done:
if (tdb) tdb_close(tdb);
if (sdb) free_sec_desc_buf(&sdb);
if (mem_ctx) talloc_destroy(mem_ctx);
prs_mem_free(&ps);
return result;
}
/* Help */
void usage(void)
{
printf("Usage: psec getsec|setsec printername\n");
}
/* Main function */
int main(int argc, char **argv)
{
pstring servicesf = CONFIGFILE;
/* Argument check */
if (argc == 1) {
usage();
return 1;
}
/* Load smb.conf file */
charset_initialise();
if (!lp_load(servicesf,False,False,True)) {
fprintf(stderr, "Couldn't load confiuration file %s\n",
servicesf);
return 1;
}
/* Do commands */
if (strcmp(argv[1], "setsec") == 0) {
if (argc != 3) {
usage();
return 1;
}
return psec_setsec(argv[2]);
}
if (strcmp(argv[1], "getsec") == 0) {
if (argc != 3) {
usage();
return 1;
}
return psec_getsec(argv[2]);
}
/* An unknown command */
printf("psec: unknown command %s\n", argv[1]);
return 1;
}