[PATCH] s4: enhance command line tool for NT ACL manipulation
Matthieu Patou
mat at matws.net
Wed Sep 23 01:56:55 MDT 2009
Add the possibility to get a NT ACL into a SDDL format.
(Re)Create setntacl to allow setting the NTACL extended attribute from the command line.
Such programs are very useful in automated scripts.
---
source4/utils/getntacl.c | 33 ++++++++--
source4/utils/setntacl.c | 157 +++++++++++----------------------------------
2 files changed, 66 insertions(+), 124 deletions(-)
diff --git a/source4/utils/getntacl.c b/source4/utils/getntacl.c
index f26c87b..a5d4e3e 100644
--- a/source4/utils/getntacl.c
+++ b/source4/utils/getntacl.c
@@ -25,6 +25,8 @@
#include "../lib/util/wrap_xattr.h"
#include "param/param.h"
+
+static char* AS_SDDL_TEXT="--as-sddl";
static void ntacl_print_debug_helper(struct ndr_print *ndr, const char *format, ...) PRINTF_ATTRIBUTE(2,3);
static void ntacl_print_debug_helper(struct ndr_print *ndr, const char *format, ...)
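Review bot: The new option-name global at the top of this hunk points a non-const `char *` at a string literal, so any accidental write through it would be undefined behaviour and the compiler cannot warn; it should be `static const char *AS_SDDL_TEXT = "--as-sddl";`. A short comment such as `/* command-line flag: print the ACL as SDDL instead of NDR dump */` and a blank line before the following prototype would also make the declaration easier to find.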
@@ -82,6 +84,15 @@ static NTSTATUS get_ntacl(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
+static void print_ntacl_sddl(TALLOC_CTX *mem_ctx,
+ struct xattr_NTACL *ntacl)
+{
+ char *sddl;
+ /* For some reason gcc don't like when I return directly the pointer
+ so let's cast it ...*/
+ sddl = (char*)sddl_encode(mem_ctx,ntacl->info.sd,NULL);
+ printf("%s\n",sddl);
+}
static void print_ntacl(TALLOC_CTX *mem_ctx,
const char *fname,
struct xattr_NTACL *ntacl)
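Review bot: print_ntacl_sddl passes the result of sddl_encode straight to `printf("%s\n", ...)` without a NULL check, so an encode failure (presumably possible for an unparseable or unusual descriptor) would print a null pointer, which is undefined behaviour. Add `if (!sddl) { fprintf(stderr, "sddl_encode failed\n"); return; }` before the printf. The cast and its "gcc don't like" comment likely paper over a const-qualification mismatch; declaring `const char *sddl` and dropping the cast would keep the warning meaningful, which is worth confirming against sddl_encode's prototype.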
@@ -101,19 +112,29 @@ int main(int argc, char *argv[])
NTSTATUS status;
struct xattr_NTACL *ntacl;
ssize_t ntacl_len;
+ int print_as_sddl = 0;
- if (argc != 2) {
- fprintf(stderr, "Usage: getntacl FILENAME\n");
+ if (argc < 2 || argc >3) {
+ fprintf(stderr, "Usage: getntacl [--as-sddl] FILENAME\n");
return 1;
}
-
- status = get_ntacl(NULL, argv[1], &ntacl, &ntacl_len);
+ if (strncmp(argv[1],AS_SDDL_TEXT,strlen(AS_SDDL_TEXT) )== 0) {
+ status = get_ntacl(NULL, argv[2], &ntacl, &ntacl_len);
+ print_as_sddl = 1;
+ } else {
+ status = get_ntacl(NULL, argv[1], &ntacl, &ntacl_len);
+ }
+
if (!NT_STATUS_IS_OK(status)) {
fprintf(stderr, "get_ntacl failed: %s\n", nt_errstr(status));
return 1;
}
-
- print_ntacl(ntacl, argv[1], ntacl);
+
+ if( print_as_sddl ) {
+ print_ntacl_sddl(ntacl, ntacl);
+ } else {
+ print_ntacl(ntacl, argv[1], ntacl);
+ }
talloc_free(ntacl);
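Review bot: With argc == 2 and `--as-sddl` as the only argument, the new branch passes `argv[2]`, which is NULL, to get_ntacl; the relaxed `argc < 2 || argc > 3` check does not prevent this. The strncmp prefix test also accepts any argument starting with `--as-sddl`, and argc == 3 without the flag silently ignores the second argument, so the dispatch should tie the flag to the argument count and use strcmp. main continues past the end of this hunk.

```c
	int print_as_sddl = 0;

	/* Exactly one FILENAME, optionally preceded by --as-sddl. */
	if (argc == 3 && strcmp(argv[1], AS_SDDL_TEXT) == 0) {
		print_as_sddl = 1;
	} else if (argc != 2) {
		fprintf(stderr, "Usage: getntacl [--as-sddl] FILENAME\n");
		return 1;
	}

	status = get_ntacl(NULL, argv[print_as_sddl ? 2 : 1], &ntacl, &ntacl_len);
	/* … unchanged: status check and print_ntacl / print_ntacl_sddl dispatch … */
```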
diff --git a/source4/utils/setntacl.c b/source4/utils/setntacl.c
index 4404453..f6eadff 100644
--- a/source4/utils/setntacl.c
+++ b/source4/utils/setntacl.c
@@ -1,22 +1,22 @@
/*
- Unix SMB/CIFS implementation.
-
- Get NT ACLs from UNIX files.
-
- Copyright (C) Tim Potter <tpot at samba.org> 2005
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
+ Unix SMB/CIFS implementation.
+
+ Get NT ACLs from UNIX files.
+
+ Copyright (C) Tim Potter <tpot at samba.org> 2005
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
@@ -26,124 +26,46 @@
#include "dsdb/samdb/samdb.h"
#include "../libcli/security/security_descriptor.h"
#include "../libcli/security/dom_sid.h"
-/*#include "dsdb/common/proto.h"*/
#include "param/param.h"
-static void ntacl_print_debug_helper(struct ndr_print *ndr, const char *format, ...) PRINTF_ATTRIBUTE(2,3);
-
-static void ntacl_print_debug_helper(struct ndr_print *ndr, const char *format, ...)
-{
- va_list ap;
- char *s = NULL;
- int i;
-
- va_start(ap, format);
- vasprintf(&s, format, ap);
- va_end(ap);
-
- for (i=0;i<ndr->depth;i++) {
- printf(" ");
- }
-
- printf("%s\n", s);
- free(s);
-}
-static NTSTATUS build_acl(TALLOC_CTX *mem_ctx, char* acls, int acls_size, struct xattr_NTACL **ntacl)
+static NTSTATUS build_acl(TALLOC_CTX *mem_ctx, char* acls, struct xattr_NTACL **ntacl)
{
- struct xattr_NTACL *acl = talloc(mem_ctx, struct xattr_NTACL);
-
- struct security_ace* ace;
- struct security_descriptor *sd;
+ struct xattr_NTACL *acl = talloc(mem_ctx, struct xattr_NTACL);
+ struct security_descriptor *sd;
NTSTATUS status;
- char* owner_sid="S-1-5-21-2615420635-1763525785-1844752631-500";
- char* group_sid="S-1-5-21-2615420635-1763525785-1844752631-513";
- char* cur_sid="S-1-5-21-2615420635-1763525785-1844752631-513";
- struct dom_sid *sid;
-
- sd = security_descriptor_dacl_create(mem_ctx,SEC_DESC_SELF_RELATIVE,owner_sid,group_sid,owner_sid,SEC_ACE_TYPE_ACCESS_ALLOWED,SEC_FILE_ALL,SEC_ACE_FLAG_OBJECT_INHERIT,NULL);
- if( !sd )
- {
- return NT_STATUS_INTERNAL_ERROR;
- }
-
- sd->revision = SD_REVISION;
- /*
- ace = talloc(sd,struct security_ace);
- ace->type = SEC_ACE_TYPE_ACCESS_ALLOWED,
- ace->flags = SEC_ACE_FLAG_OBJECT_INHERIT;
- ace->access_mask = SEC_FILE_ALL;
-
- sid = dom_sid_parse_talloc(ace,cur_sid);
- ace->trustee = *sid;
- status = security_descriptor_dacl_add(sd, ace);
- if( !NT_STATUS_IS_OK(status) )
- {
- return NT_STATUS_INTERNAL_ERROR;
- }
-
-
-*/
+ sd = (struct security_descriptor*) sddl_decode(mem_ctx,acls,NULL);
+ if( !sd )
+ {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
- acl->version = 1;
- acl->info.sd = sd;
-
- *ntacl = acl;
- return NT_STATUS_OK;
+ acl->version = 1;
+ acl->info.sd = sd;
+
+ *ntacl = acl;
+ return NT_STATUS_OK;
}
static NTSTATUS set_ntacl(TALLOC_CTX *mem_ctx,
- char *filename,
- void *ntacl)
+ char *filename,
+ void *ntacl)
{
enum ndr_err_code ndr_err;
- int ret;
- DATA_BLOB blob;
+ int ret;
+ DATA_BLOB blob;
- ndr_err = ndr_push_struct_blob(&blob, mem_ctx, lp_iconv_convenience(NULL), ntacl ,(ndr_push_flags_fn_t)ndr_push_xattr_NTACL);
+ ndr_err = ndr_push_struct_blob(&blob, mem_ctx, lp_iconv_convenience(NULL), ntacl ,(ndr_push_flags_fn_t)ndr_push_xattr_NTACL);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
return ndr_map_error2ntstatus(ndr_err);
}
ret = wrap_setxattr(filename, XATTR_NTACL_NAME, blob.data,blob.length, 0);
- if (ret != 0) {
+ if (ret != 0) {
fprintf(stderr, "set_ntacl: %s\n", strerror(errno));
return NT_STATUS_INTERNAL_ERROR;
}
- return NT_STATUS_OK;
-}
-/*
- struct ndr_pull *ndr;
- blob.data = talloc_array(*ntacl, uint8_t, size);
- size = wrap_getxattr(filename, XATTR_NTACL_NAME, blob.data, size);
- if (size < 0) {
- fprintf(stderr, "get_ntacl: %s\n", strerror(errno));
- return NT_STATUS_INTERNAL_ERROR;
- }
- blob.length = size;
-
- ndr = ndr_pull_init_blob(&blob, NULL, NULL);
-
- ndr_err = ndr_pull_xattr_NTACL(ndr, NDR_SCALARS|NDR_BUFFERS, *ntacl);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- return ndr_map_error2ntstatus(ndr_err);
- }
-
return NT_STATUS_OK;
}
-*/
-static void print_ntacl(TALLOC_CTX *mem_ctx,
- const char *fname,
- struct xattr_NTACL *ntacl)
-{
- struct ndr_print *pr;
-
- pr = talloc_zero(mem_ctx, struct ndr_print);
- if (!pr) return;
- pr->print = ntacl_print_debug_helper;
-
- ndr_print_xattr_NTACL(pr, fname, ntacl);
- talloc_free(pr);
-}
int main(int argc, char *argv[])
{
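Review bot: In build_acl the `talloc(mem_ctx, struct xattr_NTACL)` result is never checked and is leaked on the `!sd` early return, since sddl_decode runs after the allocation; decoding first and allocating only on success removes both problems, and the now-unused `NTSTATUS status` local can go. The cast on the sddl_decode result hides its declared return type, so if the prototype is in scope it should be dropped, and the `acls` parameter could be `const char *` since it is only read. The NULL domain-SID argument presumably means domain-relative SID aliases in the SDDL string cannot be resolved, which deserves a comment if intentional.

```c
static NTSTATUS build_acl(TALLOC_CTX *mem_ctx, char* acls, struct xattr_NTACL **ntacl)
{
	struct xattr_NTACL *acl;
	struct security_descriptor *sd;

	/* Decode first so a rejected SDDL string allocates nothing. */
	sd = sddl_decode(mem_ctx, acls, NULL);
	if (!sd) {
		return NT_STATUS_INTERNAL_ERROR;
	}

	acl = talloc(mem_ctx, struct xattr_NTACL);
	if (!acl) {
		talloc_free(sd);
		return NT_STATUS_NO_MEMORY;
	}
	/* … unchanged: fill acl->version and acl->info.sd, publish *ntacl, return NT_STATUS_OK … */
```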
@@ -151,16 +73,15 @@ int main(int argc, char *argv[])
struct xattr_NTACL *ntacl;
if (argc <= 2) {
- fprintf(stderr, "Usage: setntacl FILENAME ACLS \n");
+ fprintf(stderr, "Usage: setntacl FILENAME ACLS \nACL must be in the SDDL format");
return 1;
}
- status = build_acl(NULL, argv[2], argc-2, &ntacl);
+ status = build_acl(NULL, argv[2], &ntacl);
if (!NT_STATUS_IS_OK(status)) {
fprintf(stderr, "build_acl failed: %s\n", nt_errstr(status));
return 1;
}
- print_ntacl(NULL,argv[1],ntacl);
status = set_ntacl(NULL, argv[1], ntacl);
if (!NT_STATUS_IS_OK(status)) {
fprintf(stderr, "set_ntacl failed: %s\n", nt_errstr(status));
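Review bot: The new usage string ends without a newline, so the shell prompt is printed on the same line as "ACL must be in the SDDL format"; change it to `fprintf(stderr, "Usage: setntacl FILENAME ACLS\nACL must be in the SDDL format\n");`. The `argc <= 2` guard also accepts extra arguments beyond ACLS and ignores them, which an `argc != 3` check would reject. main continues past the end of this hunk.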
--
1.6.0.4