[PATCH] s4: enhance command line tool for NT ACL manipulation

Matthieu Patou mat at matws.net
Sun Jun 21 13:42:04 MDT 2009


  Add the ability to print an NT ACL in SDDL format.
  (Re)create setntacl to allow setting the NTACL extended attribute from the command line.
  Such programs are very useful in automated scripts.
---
 source4/utils/config.mk  |   19 ++++++--
 source4/utils/getntacl.c |   33 +++++++++++---
 source4/utils/setntacl.c |  108 +++++++++++++++++++++++++++++++++++++---------
 3 files changed, 128 insertions(+), 32 deletions(-)

diff --git a/source4/utils/config.mk b/source4/utils/config.mk
index 5fa7e20..7ae10e2 100644
--- a/source4/utils/config.mk
+++ b/source4/utils/config.mk
@@ -44,12 +44,21 @@ MANPAGES += $(utilssrcdir)/man/getntacl.1
 #################################
 # Start BINARY setntacl
 [BINARY::setntacl]
-# disabled until rewritten
-#INSTALLDIR = BINDIR
-# End BINARY setntacl
-#################################
+INSTALLDIR = BINDIR
+PRIVATE_DEPENDENCIES = \
+		LIBSECURITY \
+		LIBSAMBA-HOSTCONFIG \
+		LIBSAMBA-UTIL \
+		NDR_XATTR \
+		WRAP_XATTR \
+		LIBSECURITY \
+		SAMDB_COMMON \
+		LIBSAMBA-ERRORS
+
+setntacl_OBJ_FILES =  $(utilssrcdir)/setntacl.o
 
-setntacl_OBJ_FILES = $(utilssrcdir)/setntacl.o
+# End BINARY getntacl
+#################################
 
 #################################
 # Start BINARY setnttoken
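Review bot: `LIBSECURITY` is listed twice in the new `PRIVATE_DEPENDENCIES` for setntacl, and the closing marker reads `# End BINARY getntacl` although the stanza is `[BINARY::setntacl]`. Drop the second `LIBSECURITY` line and change the marker to `# End BINARY setntacl` so the stanza boundaries stay accurate when someone greps for them.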
diff --git a/source4/utils/getntacl.c b/source4/utils/getntacl.c
index f26c87b..a5d4e3e 100644
--- a/source4/utils/getntacl.c
+++ b/source4/utils/getntacl.c
@@ -25,6 +25,8 @@
 #include "../lib/util/wrap_xattr.h"
 #include "param/param.h"
 
+
+static char* AS_SDDL_TEXT="--as-sddl";
 static void ntacl_print_debug_helper(struct ndr_print *ndr, const char *format, ...) PRINTF_ATTRIBUTE(2,3);
 
 static void ntacl_print_debug_helper(struct ndr_print *ndr, const char *format, ...)
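Review bot: `AS_SDDL_TEXT` binds a non-const `char *` to a string literal, so an accidental write through it would compile and then be undefined behaviour. Declare it read-only instead, for example `static const char *const AS_SDDL_TEXT = "--as-sddl";`, which still works with the later `strlen()` and comparison calls.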
@@ -82,6 +84,15 @@ static NTSTATUS get_ntacl(TALLOC_CTX *mem_ctx,
 	return NT_STATUS_OK;
 }
 
+static void print_ntacl_sddl(TALLOC_CTX *mem_ctx,
+			struct xattr_NTACL *ntacl)
+{
+	char *sddl;
+	/* For some reason gcc don't like when I return directly the pointer 
+	   so let's cast it ...*/
+	sddl = (char*)sddl_encode(mem_ctx,ntacl->info.sd,NULL);
+	printf("%s\n",sddl);
+}
 static void print_ntacl(TALLOC_CTX *mem_ctx,
 			const char *fname,
 			struct xattr_NTACL *ntacl)
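Review bot: The `(char*)` cast on `sddl_encode()` in `print_ntacl_sddl` looks like it silences a missing prototype rather than a real type mismatch; the comment says gcc complained, and none of the getntacl.c hunks add an include for the security headers. If the function is implicitly declared it is assumed to return `int`, which truncates the pointer on LP64 builds, so the fix is to include the header that declares `sddl_encode` and drop the cast. The result is also handed to `printf("%s\n", sddl)` with no NULL check; add `if (sddl == NULL) { fprintf(stderr, "sddl_encode failed\n"); return; }` before printing. The same cast pattern appears on `sddl_decode()` in `build_acl` in setntacl.c.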
@@ -101,19 +112,29 @@ int main(int argc, char *argv[])
 	NTSTATUS status;
 	struct xattr_NTACL *ntacl;
 	ssize_t ntacl_len;
+	int print_as_sddl = 0;
 
-	if (argc != 2) {
-		fprintf(stderr, "Usage: getntacl FILENAME\n");
+	if (argc < 2 || argc >3) {
+		fprintf(stderr, "Usage: getntacl [--as-sddl] FILENAME\n");
 		return 1;
 	}
-
-	status = get_ntacl(NULL, argv[1], &ntacl, &ntacl_len);
+	if (strncmp(argv[1],AS_SDDL_TEXT,strlen(AS_SDDL_TEXT) )== 0) {
+		status = get_ntacl(NULL, argv[2], &ntacl, &ntacl_len);
+		print_as_sddl = 1;
+	} else {
+		status = get_ntacl(NULL, argv[1], &ntacl, &ntacl_len);
+	}
+	
 	if (!NT_STATUS_IS_OK(status)) {
 		fprintf(stderr, "get_ntacl failed: %s\n", nt_errstr(status));
 		return 1;
 	}
-
-	print_ntacl(ntacl, argv[1], ntacl);
+	
+	if( print_as_sddl ) {
+		print_ntacl_sddl(ntacl,  ntacl);
+	} else {
+		print_ntacl(ntacl, argv[1], ntacl);
+	}
 
 	talloc_free(ntacl);
 
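Review bot: With `argc == 2` and `argv[1]` equal to `--as-sddl`, the new branch passes `argv[2]` (which is NULL) to `get_ntacl()` as the filename, because the range check `argc < 2 || argc > 3` does not tie the argument count to the option. `strncmp(..., strlen(AS_SDDL_TEXT))` is also only a prefix match, so a file whose name merely starts with `--as-sddl` is taken as the option, and with three arguments and no option the third is silently ignored. Choosing the filename once, from an exact `strcmp` match and the precise `argc`, closes all three cases. `main` starts before this hunk and continues after it.

```c
	int print_as_sddl = 0;
	const char *fname;

	if (argc == 3 && strcmp(argv[1], AS_SDDL_TEXT) == 0) {
		print_as_sddl = 1;
		fname = argv[2];
	} else if (argc == 2) {
		fname = argv[1];
	} else {
		fprintf(stderr, "Usage: getntacl [--as-sddl] FILENAME\n");
		return 1;
	}

	status = get_ntacl(NULL, fname, &ntacl, &ntacl_len);
	/* … unchanged: status check and print_ntacl / print_ntacl_sddl dispatch … */
```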
diff --git a/source4/utils/setntacl.c b/source4/utils/setntacl.c
index 3a008a4..f6eadff 100644
--- a/source4/utils/setntacl.c
+++ b/source4/utils/setntacl.c
@@ -1,28 +1,94 @@
 /* 
-   Unix SMB/CIFS implementation.
-
-   Set NT ACLs on UNIX files.
-
-   Copyright (C) Tim Potter <tpot at samba.org> 2004
-   
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 3 of the License, or
-   (at your option) any later version.
-   
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-   
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+	 Unix SMB/CIFS implementation.
+
+	 Get NT ACLs from UNIX files.
+
+	 Copyright (C) Tim Potter <tpot at samba.org> 2005
+	 
+	 This program is free software; you can redistribute it and/or modify
+	 it under the terms of the GNU General Public License as published by
+	 the Free Software Foundation; either version 3 of the License, or
+	 (at your option) any later version.
+	 
+	 This program is distributed in the hope that it will be useful,
+	 but WITHOUT ANY WARRANTY; without even the implied warranty of
+	 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.	See the
+	 GNU General Public License for more details.
+	 
+	 You should have received a copy of the GNU General Public License
+	 along with this program.	If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "includes.h"
+#include "system/filesys.h"
+#include "librpc/gen_ndr/ndr_xattr.h"
+#include "../lib/util/wrap_xattr.h"
+#include "dsdb/samdb/samdb.h"
+#include "../libcli/security/security_descriptor.h"
+#include "../libcli/security/dom_sid.h"
+#include "param/param.h"
+
+static NTSTATUS build_acl(TALLOC_CTX *mem_ctx, char* acls,  struct xattr_NTACL **ntacl)
+{
+	struct xattr_NTACL *acl = talloc(mem_ctx, struct xattr_NTACL);
+	struct security_descriptor *sd;
+	NTSTATUS status;
+	sd = (struct security_descriptor*) sddl_decode(mem_ctx,acls,NULL);
+	if( !sd ) 
+	{
+		return NT_STATUS_INTERNAL_ERROR;
+	}
 
-int main(int argc, char **argv)
+	acl->version = 1;
+	acl->info.sd = sd;
+	
+	*ntacl = acl;
+	return NT_STATUS_OK;
+}
+
+static NTSTATUS set_ntacl(TALLOC_CTX *mem_ctx,
+				char *filename,
+				void *ntacl)
 {
-	printf("This utility disabled until rewritten\n");
-	return 1;
+	enum ndr_err_code ndr_err;
+	int ret;
+	DATA_BLOB blob;
+
+	ndr_err = ndr_push_struct_blob(&blob, mem_ctx, lp_iconv_convenience(NULL), ntacl ,(ndr_push_flags_fn_t)ndr_push_xattr_NTACL);
+	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+		return ndr_map_error2ntstatus(ndr_err);
+	}
+	ret = wrap_setxattr(filename, XATTR_NTACL_NAME, blob.data,blob.length, 0);
+
+	if (ret !=	0) {
+		fprintf(stderr, "set_ntacl: %s\n", strerror(errno));
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+	return NT_STATUS_OK;
+}
+
+int main(int argc, char *argv[])
+{
+	NTSTATUS status;
+	struct xattr_NTACL *ntacl;
+
+	if (argc <= 2) {
+		fprintf(stderr, "Usage: setntacl FILENAME ACLS \nACL must be in the SDDL format");
+		return 1;
+	}
+
+	status = build_acl(NULL, argv[2], &ntacl);
+	if (!NT_STATUS_IS_OK(status)) {
+		fprintf(stderr, "build_acl failed: %s\n", nt_errstr(status));
+		return 1;
+	}
+	status = set_ntacl(NULL, argv[1], ntacl);
+	if (!NT_STATUS_IS_OK(status)) {
+		fprintf(stderr, "set_ntacl failed: %s\n", nt_errstr(status));
+		return 1;
+	}
+
+	talloc_free(ntacl);
+
+	return 0;
 }
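Review bot: `build_acl` dereferences the result of `talloc()` at `acl->version = 1` without checking it, and because the allocation happens before `sddl_decode()` the block is left behind on the decode-failure return (`mem_ctx` is NULL when called from `main`). Decode first, then allocate and check with `if (acl == NULL) { return NT_STATUS_NO_MEMORY; }`. In `main`, `argc <= 2` silently accepts trailing arguments and the usage string has no final newline; `argc != 3` and a closing `\n` would fix both. The file header still says "Get NT ACLs from UNIX files" although this tool sets them. `set_ntacl` could also take `struct xattr_NTACL *` instead of `void *`, so the compiler checks what is pushed into the xattr.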
-- 
1.6.0.4

