PageRenderTime 49ms CodeModel.GetById 17ms RepoModel.GetById 1ms app.codeStats 0ms

/source3/utils/sharesec.c

https://bitbucket.org/resara/rdssamba4
C | 717 lines | 532 code | 128 blank | 57 comment | 120 complexity | bf8308251ad8e8c2089d21f357ed1ffb MD5 | raw file
Possible License(s): LGPL-3.0, Apache-2.0, BSD-3-Clause, GPL-3.0, LGPL-2.1 
    

  1. /*
    2. 

  2.  *  Unix SMB/Netbios implementation.
    3. 

  3.  *  Utility for managing share permissions
    4. 

  4.  *
    5. 

  5.  *  Copyright (C) Tim Potter                    2000
    6. 

  6.  *  Copyright (C) Jeremy Allison                2000
    7. 

  7.  *  Copyright (C) Jelmer Vernooij               2003
    8. 

  8.  *  Copyright (C) Gerald (Jerry) Carter         2005.
    9. 

  9.  *
    10. 

  10.  *  This program is free software; you can redistribute it and/or modify
    11. 

  11.  *  it under the terms of the GNU General Public License as published by
    12. 

  12.  *  the Free Software Foundation; either version 3 of the License, or
    13. 

  13.  *  (at your option) any later version.
    14. 

  14.  *
    15. 

  15.  *  This program is distributed in the hope that it will be useful,
    16. 

  16.  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
    17. 

  17.  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    18. 

  18.  *  GNU General Public License for more details.
    19. 

  19.  *
    20. 

  20.  *  You should have received a copy of the GNU General Public License
    21. 

  21.  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
    22. 

  22.  */
    23. 

  23. 

  24. 

  25. #include "includes.h"
    26. 

  26. #include "popt_common.h"
    27. 

  27. #include "../libcli/security/security.h"
    28. 

  28. #include "passdb/machine_sid.h"
    29. 

  29. 

  30. static TALLOC_CTX *ctx;
    31. 

  31. 

  32. enum acl_mode { SMB_ACL_DELETE,
    33. 

  33. 	        SMB_ACL_MODIFY,
    34. 

  34. 	        SMB_ACL_ADD,
    35. 

  35. 	        SMB_ACL_SET,
    36. 

  36. 		SMB_SD_DELETE,
    37. 

  37. 		SMB_SD_SETSDDL,
    38. 

  38. 		SMB_SD_VIEWSDDL,
    39. 

  39. 	        SMB_ACL_VIEW };
    40. 

  40. 

  41. struct perm_value {
    42. 

  42. 	const char *perm;
    43. 

  43. 	uint32 mask;
    44. 

  44. };
    45. 

  45. 

  46. /* These values discovered by inspection */
    47. 

  47. 

  48. static const struct perm_value special_values[] = {
    49. 

  49. 	{ "R", SEC_RIGHTS_FILE_READ },
    50. 

  50. 	{ "W", SEC_RIGHTS_FILE_WRITE },
    51. 

  51. 	{ "X", SEC_RIGHTS_FILE_EXECUTE },
    52. 

  52. 	{ "D", SEC_STD_DELETE },
    53. 

  53. 	{ "P", SEC_STD_WRITE_DAC },
    54. 

  54. 	{ "O", SEC_STD_WRITE_OWNER },
    55. 

  55. 	{ NULL, 0 },
    56. 

  56. };
    57. 

  57. 

  58. #define SEC_RIGHTS_DIR_CHANGE ( SEC_RIGHTS_DIR_READ|SEC_STD_DELETE|\
    59. 

  59. 				SEC_RIGHTS_DIR_WRITE|SEC_DIR_TRAVERSE )
    60. 

  60. 

  61. static const struct perm_value standard_values[] = {
    62. 

  62. 	{ "READ",   SEC_RIGHTS_DIR_READ|SEC_DIR_TRAVERSE },
    63. 

  63. 	{ "CHANGE", SEC_RIGHTS_DIR_CHANGE },
    64. 

  64. 	{ "FULL",   SEC_RIGHTS_DIR_ALL },
    65. 

  65. 	{ NULL, 0 },
    66. 

  66. };
    67. 

  67. 

  68. /********************************************************************
    69. 

  69.  print an ACE on a FILE
    70. 

  70. ********************************************************************/
    71. 

  71. 

  72. static void print_ace(FILE *f, struct security_ace *ace)
    73. 

  73. {
    74. 

  74. 	const struct perm_value *v;
    75. 

  75. 	int do_print = 0;
    76. 

  76. 	uint32 got_mask;
    77. 

  77. 

  78. 	fprintf(f, "%s:", sid_string_tos(&ace->trustee));
    79. 

  79. 

  80. 	/* Ace type */
    81. 

  81. 

  82. 	if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) {
    83. 

  83. 		fprintf(f, "ALLOWED");
    84. 

  84. 	} else if (ace->type == SEC_ACE_TYPE_ACCESS_DENIED) {
    85. 

  85. 		fprintf(f, "DENIED");
    86. 

  86. 	} else {
    87. 

  87. 		fprintf(f, "%d", ace->type);
    88. 

  88. 	}
    89. 

  89. 

  90. 	/* Not sure what flags can be set in a file ACL */
    91. 

  91. 

  92. 	fprintf(f, "/%d/", ace->flags);
    93. 

  93. 

  94. 	/* Standard permissions */
    95. 

  95. 

  96. 	for (v = standard_values; v->perm; v++) {
    97. 

  97. 		if (ace->access_mask == v->mask) {
    98. 

  98. 			fprintf(f, "%s", v->perm);
    99. 

  99. 			return;
    100. 

  100. 		}
    101. 

  101. 	}
    102. 

  102. 

  103. 	/* Special permissions.  Print out a hex value if we have
    104. 

  104. 	   leftover bits in the mask. */
    105. 

  105. 

  106. 	got_mask = ace->access_mask;
    107. 

  107. 

  108.  again:
    109. 

  109. 	for (v = special_values; v->perm; v++) {
    110. 

  110. 		if ((ace->access_mask & v->mask) == v->mask) {
    111. 

  111. 			if (do_print) {
    112. 

  112. 				fprintf(f, "%s", v->perm);
    113. 

  113. 			}
    114. 

  114. 			got_mask &= ~v->mask;
    115. 

  115. 		}
    116. 

  116. 	}
    117. 

  117. 

  118. 	if (!do_print) {
    119. 

  119. 		if (got_mask != 0) {
    120. 

  120. 			fprintf(f, "0x%08x", ace->access_mask);
    121. 

  121. 		} else {
    122. 

  122. 			do_print = 1;
    123. 

  123. 			goto again;
    124. 

  124. 		}
    125. 

  125. 	}
    126. 

  126. }
    127. 

  127. 

  128. /********************************************************************
    129. 

  129.  print an ascii version of a security descriptor on a FILE handle
    130. 

  130. ********************************************************************/
    131. 

  131. 

  132. static void sec_desc_print(FILE *f, struct security_descriptor *sd)
    133. 

  133. {
    134. 

  134. 	uint32 i;
    135. 

  135. 

  136. 	fprintf(f, "REVISION:%d\n", sd->revision);
    137. 

  137. 

  138. 	/* Print owner and group sid */
    139. 

  139. 

  140. 	fprintf(f, "OWNER:%s\n", sid_string_tos(sd->owner_sid));
    141. 

  141. 

  142. 	fprintf(f, "GROUP:%s\n", sid_string_tos(sd->group_sid));
    143. 

  143. 

  144. 	/* Print aces */
    145. 

  145. 	for (i = 0; sd->dacl && i < sd->dacl->num_aces; i++) {
    146. 

  146. 		struct security_ace *ace = &sd->dacl->aces[i];
    147. 

  147. 		fprintf(f, "ACL:");
    148. 

  148. 		print_ace(f, ace);
    149. 

  149. 		fprintf(f, "\n");
    150. 

  150. 	}
    151. 

  151. }
    152. 

  152. 

  153. /********************************************************************
    154. 

  154.  parse an ACE in the same format as print_ace()
    155. 

  155. ********************************************************************/
    156. 

  156. 

  157. static bool parse_ace(struct security_ace *ace, const char *orig_str)
    158. 

  158. {
    159. 

  159. 	char *p;
    160. 

  160. 	const char *cp;
    161. 

  161. 	char *tok;
    162. 

  162. 	unsigned int atype = 0;
    163. 

  163. 	unsigned int aflags = 0;
    164. 

  164. 	unsigned int amask = 0;
    165. 

  165. 	struct dom_sid sid;
    166. 

  166. 	uint32_t mask;
    167. 

  167. 	const struct perm_value *v;
    168. 

  168. 	char *str = SMB_STRDUP(orig_str);
    169. 

  169. 	TALLOC_CTX *frame = talloc_stackframe();
    170. 

  170. 

  171. 	if (!str) {
    172. 

  172. 		TALLOC_FREE(frame);
    173. 

  173. 		return False;
    174. 

  174. 	}
    175. 

  175. 

  176. 	ZERO_STRUCTP(ace);
    177. 

  177. 	p = strchr_m(str,':');
    178. 

  178. 	if (!p) {
    179. 

  179. 		fprintf(stderr, "ACE '%s': missing ':'.\n", orig_str);
    180. 

  180. 		SAFE_FREE(str);
    181. 

  181. 		TALLOC_FREE(frame);
    182. 

  182. 		return False;
    183. 

  183. 	}
    184. 

  184. 	*p = '\0';
    185. 

  185. 	p++;
    186. 

  186. 	/* Try to parse numeric form */
    187. 

  187. 

  188. 	if (sscanf(p, "%i/%i/%i", &atype, &aflags, &amask) == 3 &&
    189. 

  189. 	    string_to_sid(&sid, str)) {
    190. 

  190. 		goto done;
    191. 

  191. 	}
    192. 

  192. 

  193. 	/* Try to parse text form */
    194. 

  194. 

  195. 	if (!string_to_sid(&sid, str)) {
    196. 

  196. 		fprintf(stderr, "ACE '%s': failed to convert '%s' to SID\n",
    197. 

  197. 			orig_str, str);
    198. 

  198. 		SAFE_FREE(str);
    199. 

  199. 		TALLOC_FREE(frame);
    200. 

  200. 		return False;
    201. 

  201. 	}
    202. 

  202. 

  203. 	cp = p;
    204. 

  204. 	if (!next_token_talloc(frame, &cp, &tok, "/")) {
    205. 

  205. 		fprintf(stderr, "ACE '%s': failed to find '/' character.\n",
    206. 

  206. 			orig_str);
    207. 

  207. 		SAFE_FREE(str);
    208. 

  208. 		TALLOC_FREE(frame);
    209. 

  209. 		return False;
    210. 

  210. 	}
    211. 

  211. 

  212. 	if (strncmp(tok, "ALLOWED", strlen("ALLOWED")) == 0) {
    213. 

  213. 		atype = SEC_ACE_TYPE_ACCESS_ALLOWED;
    214. 

  214. 	} else if (strncmp(tok, "DENIED", strlen("DENIED")) == 0) {
    215. 

  215. 		atype = SEC_ACE_TYPE_ACCESS_DENIED;
    216. 

  216. 	} else {
    217. 

  217. 		fprintf(stderr, "ACE '%s': missing 'ALLOWED' or 'DENIED' "
    218. 

  218. 			"entry at '%s'\n", orig_str, tok);
    219. 

  219. 		SAFE_FREE(str);
    220. 

  220. 		TALLOC_FREE(frame);
    221. 

  221. 		return False;
    222. 

  222. 	}
    223. 

  223. 

  224. 	/* Only numeric form accepted for flags at present */
    225. 

  225. 	/* no flags on share permissions */
    226. 

  226. 

  227. 	if (!(next_token_talloc(frame, &cp, &tok, "/") &&
    228. 

  228. 	      sscanf(tok, "%i", &aflags) && aflags == 0)) {
    229. 

  229. 		fprintf(stderr, "ACE '%s': bad integer flags entry at '%s'\n",
    230. 

  230. 			orig_str, tok);
    231. 

  231. 		SAFE_FREE(str);
    232. 

  232. 		TALLOC_FREE(frame);
    233. 

  233. 		return False;
    234. 

  234. 	}
    235. 

  235. 

  236. 	if (!next_token_talloc(frame, &cp, &tok, "/")) {
    237. 

  237. 		fprintf(stderr, "ACE '%s': missing / at '%s'\n",
    238. 

  238. 			orig_str, tok);
    239. 

  239. 		SAFE_FREE(str);
    240. 

  240. 		TALLOC_FREE(frame);
    241. 

  241. 		return False;
    242. 

  242. 	}
    243. 

  243. 

  244. 	if (strncmp(tok, "0x", 2) == 0) {
    245. 

  245. 		if (sscanf(tok, "%i", &amask) != 1) {
    246. 

  246. 			fprintf(stderr, "ACE '%s': bad hex number at '%s'\n",
    247. 

  247. 				orig_str, tok);
    248. 

  248. 			TALLOC_FREE(frame);
    249. 

  249. 			SAFE_FREE(str);
    250. 

  250. 			return False;
    251. 

  251. 		}
    252. 

  252. 		goto done;
    253. 

  253. 	}
    254. 

  254. 

  255. 	for (v = standard_values; v->perm; v++) {
    256. 

  256. 		if (strcmp(tok, v->perm) == 0) {
    257. 

  257. 			amask = v->mask;
    258. 

  258. 			goto done;
    259. 

  259. 		}
    260. 

  260. 	}
    261. 

  261. 

  262. 	p = tok;
    263. 

  263. 

  264. 	while(*p) {
    265. 

  265. 		bool found = False;
    266. 

  266. 

  267. 		for (v = special_values; v->perm; v++) {
    268. 

  268. 			if (v->perm[0] == *p) {
    269. 

  269. 				amask |= v->mask;
    270. 

  270. 				found = True;
    271. 

  271. 			}
    272. 

  272. 		}
    273. 

  273. 

  274. 		if (!found) {
    275. 

  275. 			fprintf(stderr, "ACE '%s': bad permission value at "
    276. 

  276. 				"'%s'\n", orig_str, p);
    277. 

  277. 			TALLOC_FREE(frame);
    278. 

  278. 			SAFE_FREE(str);
    279. 

  279. 			return False;
    280. 

  280. 		}
    281. 

  281. 		p++;
    282. 

  282. 	}
    283. 

  283. 

  284. 	if (*p) {
    285. 

  285. 		TALLOC_FREE(frame);
    286. 

  286. 		SAFE_FREE(str);
    287. 

  287. 		return False;
    288. 

  288. 	}
    289. 

  289. 

  290.  done:
    291. 

  291. 	mask = amask;
    292. 

  292. 	init_sec_ace(ace, &sid, atype, mask, aflags);
    293. 

  293. 	SAFE_FREE(str);
    294. 

  294. 	TALLOC_FREE(frame);
    295. 

  295. 	return True;
    296. 

  296. }
    297. 

  297. 

  298. 

  299. /********************************************************************
    300. 

  300. ********************************************************************/
    301. 

  301. 

  302. static struct security_descriptor* parse_acl_string(TALLOC_CTX *mem_ctx, const char *szACL, size_t *sd_size )
    303. 

  303. {
    304. 

  304. 	struct security_descriptor *sd = NULL;
    305. 

  305. 	struct security_ace *ace;
    306. 

  306. 	struct security_acl *theacl;
    307. 

  307. 	int num_ace;
    308. 

  308. 	const char *pacl;
    309. 

  309. 	int i;
    310. 

  310. 

  311. 	if ( !szACL )
    312. 

  312. 		return NULL;
    313. 

  313. 

  314. 	pacl = szACL;
    315. 

  315. 	num_ace = count_chars( pacl, ',' ) + 1;
    316. 

  316. 

  317. 	if ( !(ace = talloc_zero_array( mem_ctx, struct security_ace, num_ace )) )
    318. 

  318. 		return NULL;
    319. 

  319. 

  320. 	for ( i=0; i<num_ace; i++ ) {
    321. 

  321. 		char *end_acl = strchr_m( pacl, ',' );
    322. 

  322. 		fstring acl_string;
    323. 

  323. 

  324. 		strncpy( acl_string, pacl, MIN( PTR_DIFF( end_acl, pacl ), sizeof(fstring)-1) );
    325. 

  325. 		acl_string[MIN( PTR_DIFF( end_acl, pacl ), sizeof(fstring)-1)] = '\0';
    326. 

  326. 

  327. 		if ( !parse_ace( &ace[i], acl_string ) )
    328. 

  328. 			return NULL;
    329. 

  329. 

  330. 		pacl = end_acl;
    331. 

  331. 		pacl++;
    332. 

  332. 	}
    333. 

  333. 

  334. 	if ( !(theacl = make_sec_acl( mem_ctx, NT4_ACL_REVISION, num_ace, ace )) )
    335. 

  335. 		return NULL;
    336. 

  336. 

  337. 	sd = make_sec_desc( mem_ctx, SD_REVISION, SEC_DESC_SELF_RELATIVE,
    338. 

  338. 		NULL, NULL, NULL, theacl, sd_size);
    339. 

  339. 

  340. 	return sd;
    341. 

  341. }
    342. 

  342. 

  343. /* add an ACE to a list of ACEs in a struct security_acl */
    344. 

  344. static bool add_ace(TALLOC_CTX *mem_ctx, struct security_acl **the_acl, struct security_ace *ace)
    345. 

  345. {
    346. 

  346. 	struct security_acl *new_ace;
    347. 

  347. 	struct security_ace *aces;
    348. 

  348. 	if (! *the_acl) {
    349. 

  349. 		return (((*the_acl) = make_sec_acl(mem_ctx, 3, 1, ace)) != NULL);
    350. 

  350. 	}
    351. 

  351. 

  352. 	if (!(aces = SMB_CALLOC_ARRAY(struct security_ace, 1+(*the_acl)->num_aces))) {
    353. 

  353. 		return False;
    354. 

  354. 	}
    355. 

  355. 	memcpy(aces, (*the_acl)->aces, (*the_acl)->num_aces * sizeof(struct
    356. 

  356. 	security_ace));
    357. 

  357. 	memcpy(aces+(*the_acl)->num_aces, ace, sizeof(struct security_ace));
    358. 

  358. 	new_ace = make_sec_acl(mem_ctx,(*the_acl)->revision,1+(*the_acl)->num_aces, aces);
    359. 

  359. 	SAFE_FREE(aces);
    360. 

  360. 	(*the_acl) = new_ace;
    361. 

  361. 	return True;
    362. 

  362. }
    363. 

  363. 

  364. /* The MSDN is contradictory over the ordering of ACE entries in an ACL.
    365. 

  365.    However NT4 gives a "The information may have been modified by a
    366. 

  366.    computer running Windows NT 5.0" if denied ACEs do not appear before
    367. 

  367.    allowed ACEs. */
    368. 

  368. 

  369. static int ace_compare(struct security_ace *ace1, struct security_ace *ace2)
    370. 

  370. {
    371. 

  371. 	if (sec_ace_equal(ace1, ace2))
    372. 

  372. 		return 0;
    373. 

  373. 

  374. 	if (ace1->type != ace2->type)
    375. 

  375. 		return ace2->type - ace1->type;
    376. 

  376. 

  377. 	if (dom_sid_compare(&ace1->trustee, &ace2->trustee))
    378. 

  378. 		return dom_sid_compare(&ace1->trustee, &ace2->trustee);
    379. 

  379. 

  380. 	if (ace1->flags != ace2->flags)
    381. 

  381. 		return ace1->flags - ace2->flags;
    382. 

  382. 

  383. 	if (ace1->access_mask != ace2->access_mask)
    384. 

  384. 		return ace1->access_mask - ace2->access_mask;
    385. 

  385. 

  386. 	if (ace1->size != ace2->size)
    387. 

  387. 		return ace1->size - ace2->size;
    388. 

  388. 

  389. 	return memcmp(ace1, ace2, sizeof(struct security_ace));
    390. 

  390. }
    391. 

  391. 

  392. static void sort_acl(struct security_acl *the_acl)
    393. 

  393. {
    394. 

  394. 	uint32 i;
    395. 

  395. 	if (!the_acl) return;
    396. 

  396. 

  397. 	TYPESAFE_QSORT(the_acl->aces, the_acl->num_aces, ace_compare);
    398. 

  398. 

  399. 	for (i=1;i<the_acl->num_aces;) {
    400. 

  400. 		if (sec_ace_equal(&the_acl->aces[i-1], &the_acl->aces[i])) {
    401. 

  401. 			int j;
    402. 

  402. 			for (j=i; j<the_acl->num_aces-1; j++) {
    403. 

  403. 				the_acl->aces[j] = the_acl->aces[j+1];
    404. 

  404. 			}
    405. 

  405. 			the_acl->num_aces--;
    406. 

  406. 		} else {
    407. 

  407. 			i++;
    408. 

  408. 		}
    409. 

  409. 	}
    410. 

  410. }
    411. 

  411. 

  412. 

  413. static int change_share_sec(TALLOC_CTX *mem_ctx, const char *sharename, char *the_acl, enum acl_mode mode)
    414. 

  414. {
    415. 

  415. 	struct security_descriptor *sd = NULL;
    416. 

  416. 	struct security_descriptor *old = NULL;
    417. 

  417. 	size_t sd_size = 0;
    418. 

  418. 	uint32 i, j;
    419. 

  419. 

  420. 	if (mode != SMB_ACL_SET && mode != SMB_SD_DELETE) {
    421. 

  421. 	    if (!(old = get_share_security( mem_ctx, sharename, &sd_size )) ) {
    422. 

  422. 		fprintf(stderr, "Unable to retrieve permissions for share "
    423. 

  423. 			"[%s]\n", sharename);
    424. 

  424. 		return -1;
    425. 

  425. 	    }
    426. 

  426. 	}
    427. 

  427. 

  428. 	if ( (mode != SMB_ACL_VIEW && mode != SMB_SD_DELETE) &&
    429. 

  429. 	    !(sd = parse_acl_string(mem_ctx, the_acl, &sd_size )) ) {
    430. 

  430. 		fprintf( stderr, "Failed to parse acl\n");
    431. 

  431. 		return -1;
    432. 

  432. 	}
    433. 

  433. 

  434. 	switch (mode) {
    435. 

  435. 	case SMB_ACL_VIEW:
    436. 

  436. 		sec_desc_print( stdout, old);
    437. 

  437. 		return 0;
    438. 

  438. 	case SMB_ACL_DELETE:
    439. 

  439. 	    for (i=0;sd->dacl && i<sd->dacl->num_aces;i++) {
    440. 

  440. 		bool found = False;
    441. 

  441. 

  442. 		for (j=0;old->dacl && j<old->dacl->num_aces;j++) {
    443. 

  443. 		    if (sec_ace_equal(&sd->dacl->aces[i], &old->dacl->aces[j])) {
    444. 

  444. 			uint32 k;
    445. 

  445. 			for (k=j; k<old->dacl->num_aces-1;k++) {
    446. 

  446. 			    old->dacl->aces[k] = old->dacl->aces[k+1];
    447. 

  447. 			}
    448. 

  448. 			old->dacl->num_aces--;
    449. 

  449. 			found = True;
    450. 

  450. 			break;
    451. 

  451. 		    }
    452. 

  452. 		}
    453. 

  453. 

  454. 		if (!found) {
    455. 

  455. 		printf("ACL for ACE:");
    456. 

  456. 		print_ace(stdout, &sd->dacl->aces[i]);
    457. 

  457. 		printf(" not found\n");
    458. 

  458. 		}
    459. 

  459. 	    }
    460. 

  460. 	    break;
    461. 

  461. 	case SMB_ACL_MODIFY:
    462. 

  462. 	    for (i=0;sd->dacl && i<sd->dacl->num_aces;i++) {
    463. 

  463. 		bool found = False;
    464. 

  464. 

  465. 		for (j=0;old->dacl && j<old->dacl->num_aces;j++) {
    466. 

  466. 		    if (dom_sid_equal(&sd->dacl->aces[i].trustee,
    467. 

  467. 			&old->dacl->aces[j].trustee)) {
    468. 

  468. 			old->dacl->aces[j] = sd->dacl->aces[i];
    469. 

  469. 			found = True;
    470. 

  470. 		    }
    471. 

  471. 		}
    472. 

  472. 

  473. 		if (!found) {
    474. 

  474. 		    printf("ACL for SID %s not found\n",
    475. 

  475. 			   sid_string_tos(&sd->dacl->aces[i].trustee));
    476. 

  476. 		}
    477. 

  477. 	    }
    478. 

  478. 

  479. 	    if (sd->owner_sid) {
    480. 

  480. 		old->owner_sid = sd->owner_sid;
    481. 

  481. 	    }
    482. 

  482. 

  483. 	    if (sd->group_sid) {
    484. 

  484. 		old->group_sid = sd->group_sid;
    485. 

  485. 	    }
    486. 

  486. 	    break;
    487. 

  487. 	case SMB_ACL_ADD:
    488. 

  488. 	    for (i=0;sd->dacl && i<sd->dacl->num_aces;i++) {
    489. 

  489. 		add_ace(mem_ctx, &old->dacl, &sd->dacl->aces[i]);
    490. 

  490. 	    }
    491. 

  491. 	    break;
    492. 

  492. 	case SMB_ACL_SET:
    493. 

  493. 	    old = sd;
    494. 

  494. 	    break;
    495. 

  495. 	case SMB_SD_DELETE:
    496. 

  496. 	    if (!delete_share_security(sharename)) {
    497. 

  497. 		fprintf( stderr, "Failed to delete security descriptor for "
    498. 

  498. 			 "share [%s]\n", sharename );
    499. 

  499. 		return -1;
    500. 

  500. 	    }
    501. 

  501. 	    return 0;
    502. 

  502. 	default:
    503. 

  503. 		fprintf(stderr, "invalid command\n");
    504. 

  504. 		return -1;
    505. 

  505. 	}
    506. 

  506. 

  507. 	/* Denied ACE entries must come before allowed ones */
    508. 

  508. 	sort_acl(old->dacl);
    509. 

  509. 

  510. 	if ( !set_share_security( sharename, old ) ) {
    511. 

  511. 	    fprintf( stderr, "Failed to store acl for share [%s]\n", sharename );
    512. 

  512. 	    return 2;
    513. 

  513. 	}
    514. 

  514. 	return 0;
    515. 

  515. }
    516. 

  516. 

  517. static int set_sharesec_sddl(const char *sharename, const char *sddl)
    518. 

  518. {
    519. 

  519. 	struct security_descriptor *sd;
    520. 

  520. 	bool ret;
    521. 

  521. 

  522. 	sd = sddl_decode(talloc_tos(), sddl, get_global_sam_sid());
    523. 

  523. 	if (sd == NULL) {
    524. 

  524. 		fprintf(stderr, "Failed to parse acl\n");
    525. 

  525. 		return -1;
    526. 

  526. 	}
    527. 

  527. 

  528. 	ret = set_share_security(sharename, sd);
    529. 

  529. 	TALLOC_FREE(sd);
    530. 

  530. 	if (!ret) {
    531. 

  531. 		fprintf(stderr, "Failed to store acl for share [%s]\n",
    532. 

  532. 			sharename);
    533. 

  533. 		return -1;
    534. 

  534. 	}
    535. 

  535. 

  536. 	return 0;
    537. 

  537. }
    538. 

  538. 

  539. static int view_sharesec_sddl(const char *sharename)
    540. 

  540. {
    541. 

  541. 	struct security_descriptor *sd;
    542. 

  542. 	size_t sd_size;
    543. 

  543. 	char *acl;
    544. 

  544. 

  545. 	sd = get_share_security(talloc_tos(), sharename, &sd_size);
    546. 

  546. 	if (sd == NULL) {
    547. 

  547. 		fprintf(stderr, "Unable to retrieve permissions for share "
    548. 

  548. 			"[%s]\n", sharename);
    549. 

  549. 		return -1;
    550. 

  550. 	}
    551. 

  551. 

  552. 	acl = sddl_encode(talloc_tos(), sd, get_global_sam_sid());
    553. 

  553. 	TALLOC_FREE(sd);
    554. 

  554. 	if (acl == NULL) {
    555. 

  555. 		fprintf(stderr, "Unable to sddl-encode permissions for share "
    556. 

  556. 			"[%s]\n", sharename);
    557. 

  557. 		return -1;
    558. 

  558. 	}
    559. 

  559. 	printf("%s\n", acl);
    560. 

  560. 	TALLOC_FREE(acl);
    561. 

  561. 	return 0;
    562. 

  562. }
    563. 

  563. 

  564. /********************************************************************
    565. 

  565.   main program
    566. 

  566. ********************************************************************/
    567. 

  567. 

  568. int main(int argc, const char *argv[])
    569. 

  569. {
    570. 

  570. 	int opt;
    571. 

  571. 	int retval = 0;
    572. 

  572. 	enum acl_mode mode = SMB_ACL_SET;
    573. 

  573. 	static char *the_acl = NULL;
    574. 

  574. 	fstring sharename;
    575. 

  575. 	bool force_acl = False;
    576. 

  576. 	int snum;
    577. 

  577. 	poptContext pc;
    578. 

  578. 	bool initialize_sid = False;
    579. 

  579. 	struct poptOption long_options[] = {
    580. 

  580. 		POPT_AUTOHELP
    581. 

  581. 		{ "remove", 'r', POPT_ARG_STRING, &the_acl, 'r', "Remove ACEs", "ACL" },
    582. 

  582. 		{ "modify", 'm', POPT_ARG_STRING, &the_acl, 'm', "Modify existing ACEs", "ACL" },
    583. 

  583. 		{ "add", 'a', POPT_ARG_STRING, &the_acl, 'a', "Add ACEs", "ACL" },
    584. 

  584. 		{ "replace", 'R', POPT_ARG_STRING, &the_acl, 'R', "Overwrite share permission ACL", "ACLS" },
    585. 

  585. 		{ "delete", 'D', POPT_ARG_NONE, NULL, 'D', "Delete the entire security descriptor" },
    586. 

  586. 		{ "setsddl", 'S', POPT_ARG_STRING, the_acl, 'S',
    587. 

  587. 		  "Set the SD in sddl format" },
    588. 

  588. 		{ "viewsddl", 'V', POPT_ARG_NONE, the_acl, 'V',
    589. 

  589. 		  "View the SD in sddl format" },
    590. 

  590. 		{ "view", 'v', POPT_ARG_NONE, NULL, 'v', "View current share permissions" },
    591. 

  591. 		{ "machine-sid", 'M', POPT_ARG_NONE, NULL, 'M', "Initialize the machine SID" },
    592. 

  592. 		{ "force", 'F', POPT_ARG_NONE, NULL, 'F', "Force storing the ACL", "ACLS" },
    593. 

  593. 		POPT_COMMON_SAMBA
    594. 

  594. 		{ NULL }
    595. 

  595. 	};
    596. 

  596. 

  597. 	if ( !(ctx = talloc_stackframe()) ) {
    598. 

  598. 		fprintf( stderr, "Failed to initialize talloc context!\n");
    599. 

  599. 		return -1;
    600. 

  600. 	}
    601. 

  601. 

  602. 	/* set default debug level to 1 regardless of what smb.conf sets */
    603. 

  603. 	setup_logging( "sharesec", DEBUG_STDERR);
    604. 

  604. 

  605. 	load_case_tables();
    606. 

  606. 

  607. 	lp_set_cmdline("log level", "1");
    608. 

  608. 

  609. 	pc = poptGetContext("sharesec", argc, argv, long_options, 0);
    610. 

  610. 

  611. 	poptSetOtherOptionHelp(pc, "sharename\n");
    612. 

  612. 

  613. 	while ((opt = poptGetNextOpt(pc)) != -1) {
    614. 

  614. 		switch (opt) {
    615. 

  615. 		case 'r':
    616. 

  616. 			the_acl = smb_xstrdup(poptGetOptArg(pc));
    617. 

  617. 			mode = SMB_ACL_DELETE;
    618. 

  618. 			break;
    619. 

  619. 

  620. 		case 'm':
    621. 

  621. 			the_acl = smb_xstrdup(poptGetOptArg(pc));
    622. 

  622. 			mode = SMB_ACL_MODIFY;
    623. 

  623. 			break;
    624. 

  624. 

  625. 		case 'a':
    626. 

  626. 			the_acl = smb_xstrdup(poptGetOptArg(pc));
    627. 

  627. 			mode = SMB_ACL_ADD;
    628. 

  628. 			break;
    629. 

  629. 

  630. 		case 'R':
    631. 

  631. 			the_acl = smb_xstrdup(poptGetOptArg(pc));
    632. 

  632. 			mode = SMB_ACL_SET;
    633. 

  633. 			break;
    634. 

  634. 

  635. 		case 'D':
    636. 

  636. 			mode = SMB_SD_DELETE;
    637. 

  637. 			break;
    638. 

  638. 

  639. 		case 'S':
    640. 

  640. 			mode = SMB_SD_SETSDDL;
    641. 

  641. 			the_acl = smb_xstrdup(poptGetOptArg(pc));
    642. 

  642. 			break;
    643. 

  643. 

  644. 		case 'V':
    645. 

  645. 			mode = SMB_SD_VIEWSDDL;
    646. 

  646. 			break;
    647. 

  647. 

  648. 		case 'v':
    649. 

  649. 			mode = SMB_ACL_VIEW;
    650. 

  650. 			break;
    651. 

  651. 

  652. 		case 'F':
    653. 

  653. 			force_acl = True;
    654. 

  654. 			break;
    655. 

  655. 

  656. 		case 'M':
    657. 

  657. 			initialize_sid = True;
    658. 

  658. 			break;
    659. 

  659. 		}
    660. 

  660. 	}
    661. 

  661. 

  662. 	setlinebuf(stdout);
    663. 

  663. 

  664. 	lp_load_with_registry_shares( get_dyn_CONFIGFILE(), False, False, False,
    665. 

  665. 				      True );
    666. 

  666. 

  667. 	/* check for initializing secrets.tdb first */
    668. 

  668. 

  669. 	if ( initialize_sid ) {
    670. 

  670. 		struct dom_sid *sid = get_global_sam_sid();
    671. 

  671. 

  672. 		if ( !sid ) {
    673. 

  673. 			fprintf( stderr, "Failed to retrieve Machine SID!\n");
    674. 

  674. 			return 3;
    675. 

  675. 		}
    676. 

  676. 

  677. 		printf ("%s\n", sid_string_tos( sid ) );
    678. 

  678. 		return 0;
    679. 

  679. 	}
    680. 

  680. 

  681. 	if ( mode == SMB_ACL_VIEW && force_acl ) {
    682. 

  682. 		fprintf( stderr, "Invalid combination of -F and -v\n");
    683. 

  683. 		return -1;
    684. 

  684. 	}
    685. 

  685. 

  686. 	/* get the sharename */
    687. 

  687. 

  688. 	if(!poptPeekArg(pc)) {
    689. 

  689. 		poptPrintUsage(pc, stderr, 0);
    690. 

  690. 		return -1;
    691. 

  691. 	}
    692. 

  692. 

  693. 	fstrcpy(sharename, poptGetArg(pc));
    694. 

  694. 

  695. 	snum = lp_servicenumber( sharename );
    696. 

  696. 

  697. 	if ( snum == -1 && !force_acl ) {
    698. 

  698. 		fprintf( stderr, "Invalid sharename: %s\n", sharename);
    699. 

  699. 		return -1;
    700. 

  700. 	}
    701. 

  701. 

  702. 	switch (mode) {
    703. 

  703. 	case SMB_SD_SETSDDL:
    704. 

  704. 		retval = set_sharesec_sddl(sharename, the_acl);
    705. 

  705. 		break;
    706. 

  706. 	case SMB_SD_VIEWSDDL:
    707. 

  707. 		retval = view_sharesec_sddl(sharename);
    708. 

  708. 		break;
    709. 

  709. 	default:
    710. 

  710. 		retval = change_share_sec(ctx, sharename, the_acl, mode);
    711. 

  711. 		break;
    712. 

  712. 	}
    713. 

  713. 

  714. 	talloc_destroy(ctx);
    715. 

  715. 

  716. 	return retval;
    717. 

  717. }
    718. 

  718.