[PATCH] s4: enhance command line tool for NT ACL manipulation
Matthieu Patou
mat at matws.net
Sun Jun 21 13:42:04 MDT 2009
Add the ability to print an NT ACL in SDDL format.
(Re)create setntacl so that the NTACL extended attribute can be set from the command line.
Such programs are very useful in automated scripts.
---
source4/utils/config.mk | 19 ++++++--
source4/utils/getntacl.c | 33 +++++++++++---
source4/utils/setntacl.c | 108 +++++++++++++++++++++++++++++++++++++---------
3 files changed, 128 insertions(+), 32 deletions(-)
diff --git a/source4/utils/config.mk b/source4/utils/config.mk
index 5fa7e20..7ae10e2 100644
--- a/source4/utils/config.mk
+++ b/source4/utils/config.mk
@@ -44,12 +44,21 @@ MANPAGES += $(utilssrcdir)/man/getntacl.1
#################################
# Start BINARY setntacl
[BINARY::setntacl]
-# disabled until rewritten
-#INSTALLDIR = BINDIR
-# End BINARY setntacl
-#################################
+INSTALLDIR = BINDIR
+PRIVATE_DEPENDENCIES = \
+ LIBSECURITY \
+ LIBSAMBA-HOSTCONFIG \
+ LIBSAMBA-UTIL \
+ NDR_XATTR \
+ WRAP_XATTR \
+ LIBSECURITY \
+ SAMDB_COMMON \
+ LIBSAMBA-ERRORS
+
+setntacl_OBJ_FILES = $(utilssrcdir)/setntacl.o
-setntacl_OBJ_FILES = $(utilssrcdir)/setntacl.o
+# End BINARY getntacl
+#################################
#################################
# Start BINARY setnttoken
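Review bot: `LIBSECURITY` is listed twice in the new `PRIVATE_DEPENDENCIES` list for setntacl, and the closing marker added after `setntacl_OBJ_FILES` reads `# End BINARY getntacl` although it closes the setntacl section. Drop the second `LIBSECURITY` line and change the marker to `# End BINARY setntacl`, so the section delimiters stay reliable for anyone searching the file.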
diff --git a/source4/utils/getntacl.c b/source4/utils/getntacl.c
index f26c87b..a5d4e3e 100644
--- a/source4/utils/getntacl.c
+++ b/source4/utils/getntacl.c
@@ -25,6 +25,8 @@
#include "../lib/util/wrap_xattr.h"
#include "param/param.h"
+
+static char* AS_SDDL_TEXT="--as-sddl";
static void ntacl_print_debug_helper(struct ndr_print *ndr, const char *format, ...) PRINTF_ATTRIBUTE(2,3);
static void ntacl_print_debug_helper(struct ndr_print *ndr, const char *format, ...)
@@ -82,6 +84,15 @@ static NTSTATUS get_ntacl(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
+static void print_ntacl_sddl(TALLOC_CTX *mem_ctx,
+ struct xattr_NTACL *ntacl)
+{
+ char *sddl;
+ /* For some reason gcc don't like when I return directly the pointer
+ so let's cast it ...*/
+ sddl = (char*)sddl_encode(mem_ctx,ntacl->info.sd,NULL);
+ printf("%s\n",sddl);
+}
static void print_ntacl(TALLOC_CTX *mem_ctx,
const char *fname,
struct xattr_NTACL *ntacl)
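Review bot: print_ntacl_sddl passes the result of sddl_encode() straight to `printf("%s\n", sddl)` with no NULL check, so an encoding or allocation failure becomes undefined behaviour instead of an error; add `if (sddl == NULL) { fprintf(stderr, "sddl_encode failed\n"); return; }` before the printf. The comment about gcc needing the cast suggests, though the include list is not fully visible here, that sddl_encode() has no prototype in this file. In that case the return value is treated as `int` and the pointer can be truncated on 64-bit builds, so the fix is to include the header that declares it, not to cast. The same cast appears on sddl_decode() in build_acl in setntacl.c. The function also reads `ntacl->info.sd` without looking at `ntacl->version`, which presumably assumes a version 1 attribute and is worth confirming.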
@@ -101,19 +112,29 @@ int main(int argc, char *argv[])
NTSTATUS status;
struct xattr_NTACL *ntacl;
ssize_t ntacl_len;
+ int print_as_sddl = 0;
- if (argc != 2) {
- fprintf(stderr, "Usage: getntacl FILENAME\n");
+ if (argc < 2 || argc >3) {
+ fprintf(stderr, "Usage: getntacl [--as-sddl] FILENAME\n");
return 1;
}
-
- status = get_ntacl(NULL, argv[1], &ntacl, &ntacl_len);
+ if (strncmp(argv[1],AS_SDDL_TEXT,strlen(AS_SDDL_TEXT) )== 0) {
+ status = get_ntacl(NULL, argv[2], &ntacl, &ntacl_len);
+ print_as_sddl = 1;
+ } else {
+ status = get_ntacl(NULL, argv[1], &ntacl, &ntacl_len);
+ }
+
if (!NT_STATUS_IS_OK(status)) {
fprintf(stderr, "get_ntacl failed: %s\n", nt_errstr(status));
return 1;
}
-
- print_ntacl(ntacl, argv[1], ntacl);
+
+ if( print_as_sddl ) {
+ print_ntacl_sddl(ntacl, ntacl);
+ } else {
+ print_ntacl(ntacl, argv[1], ntacl);
+ }
talloc_free(ntacl);
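Review bot: Running `getntacl --as-sddl` with no file name passes the `argc < 2 || argc > 3` check and then hands `argv[2]`, which is NULL, to get_ntacl(). The `strncmp(..., strlen(AS_SDDL_TEXT))` test is also only a prefix match, so a file whose name begins with `--as-sddl` is taken for the option, and a third argument is silently ignored when the first is not the option. Use `if (argc == 3 && strcmp(argv[1], AS_SDDL_TEXT) == 0) {` for the option branch and print the usage text when `argc == 3` without the option. main begins before and ends after this hunk.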
diff --git a/source4/utils/setntacl.c b/source4/utils/setntacl.c
index 3a008a4..f6eadff 100644
--- a/source4/utils/setntacl.c
+++ b/source4/utils/setntacl.c
@@ -1,28 +1,94 @@
/*
- Unix SMB/CIFS implementation.
-
- Set NT ACLs on UNIX files.
-
- Copyright (C) Tim Potter <tpot at samba.org> 2004
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
+ Unix SMB/CIFS implementation.
+
+ Get NT ACLs from UNIX files.
+
+ Copyright (C) Tim Potter <tpot at samba.org> 2005
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
+#include "system/filesys.h"
+#include "librpc/gen_ndr/ndr_xattr.h"
+#include "../lib/util/wrap_xattr.h"
+#include "dsdb/samdb/samdb.h"
+#include "../libcli/security/security_descriptor.h"
+#include "../libcli/security/dom_sid.h"
+#include "param/param.h"
+
+static NTSTATUS build_acl(TALLOC_CTX *mem_ctx, char* acls, struct xattr_NTACL **ntacl)
+{
+ struct xattr_NTACL *acl = talloc(mem_ctx, struct xattr_NTACL);
+ struct security_descriptor *sd;
+ NTSTATUS status;
+ sd = (struct security_descriptor*) sddl_decode(mem_ctx,acls,NULL);
+ if( !sd )
+ {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
-int main(int argc, char **argv)
+ acl->version = 1;
+ acl->info.sd = sd;
+
+ *ntacl = acl;
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS set_ntacl(TALLOC_CTX *mem_ctx,
+ char *filename,
+ void *ntacl)
{
- printf("This utility disabled until rewritten\n");
- return 1;
+ enum ndr_err_code ndr_err;
+ int ret;
+ DATA_BLOB blob;
+
+ ndr_err = ndr_push_struct_blob(&blob, mem_ctx, lp_iconv_convenience(NULL), ntacl ,(ndr_push_flags_fn_t)ndr_push_xattr_NTACL);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return ndr_map_error2ntstatus(ndr_err);
+ }
+ ret = wrap_setxattr(filename, XATTR_NTACL_NAME, blob.data,blob.length, 0);
+
+ if (ret != 0) {
+ fprintf(stderr, "set_ntacl: %s\n", strerror(errno));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ return NT_STATUS_OK;
+}
+
+int main(int argc, char *argv[])
+{
+ NTSTATUS status;
+ struct xattr_NTACL *ntacl;
+
+ if (argc <= 2) {
+ fprintf(stderr, "Usage: setntacl FILENAME ACLS \nACL must be in the SDDL format");
+ return 1;
+ }
+
+ status = build_acl(NULL, argv[2], &ntacl);
+ if (!NT_STATUS_IS_OK(status)) {
+ fprintf(stderr, "build_acl failed: %s\n", nt_errstr(status));
+ return 1;
+ }
+ status = set_ntacl(NULL, argv[1], ntacl);
+ if (!NT_STATUS_IS_OK(status)) {
+ fprintf(stderr, "set_ntacl failed: %s\n", nt_errstr(status));
+ return 1;
+ }
+
+ talloc_free(ntacl);
+
+ return 0;
}
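Review bot: build_acl dereferences `acl` (`acl->version = 1`) without checking the talloc() result, leaves `acl` allocated when sddl_decode() fails, and declares a `status` local it never uses. Check the allocation, decode under `acl` so that main's single talloc_free() also releases the descriptor, and report an unparsable SDDL string as an invalid parameter rather than an internal error, as in the excerpt below. The file header now reads "Get NT ACLs from UNIX files" for a tool that sets them. main's `argc <= 2` test lets extra arguments pass unnoticed, and the usage string has no trailing newline. Because sddl_decode() is called with a NULL domain SID, SDDL strings that use domain-relative SID abbreviations presumably cannot be resolved; confirm how sddl_decode() handles that before relying on the tool in scripts.

```c
static NTSTATUS build_acl(TALLOC_CTX *mem_ctx, char* acls, struct xattr_NTACL **ntacl)
{
	struct xattr_NTACL *acl = talloc(mem_ctx, struct xattr_NTACL);
	struct security_descriptor *sd;

	if (acl == NULL) {
		return NT_STATUS_NO_MEMORY;
	}
	/* parent the descriptor on acl so one talloc_free() releases both */
	sd = (struct security_descriptor*) sddl_decode(acl, acls, NULL);
	if (sd == NULL) {
		talloc_free(acl);
		return NT_STATUS_INVALID_PARAMETER;
	}
	/* … unchanged: version and info.sd assignment, *ntacl = acl, return … */
```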
--
1.6.0.4