2 Samba Unix/Linux SMB client library
3 Distributed SMB/CIFS Server Management Utility
4 Copyright (C) Gerald (Jerry) Carter 2004
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>. */
20 #include "utils/net.h"
22 /********************************************************************
23 ********************************************************************/
25 static NTSTATUS sid_to_name(struct rpc_pipe_client *pipe_hnd,
31 enum lsa_SidType *sid_types = NULL;
33 char **domains = NULL, **names = NULL;
35 result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, True,
36 SEC_RIGHTS_MAXIMUM_ALLOWED, &pol);
38 if ( !NT_STATUS_IS_OK(result) )
41 result = rpccli_lsa_lookup_sids(pipe_hnd, mem_ctx, &pol, 1, sid, &domains, &names, &sid_types);
43 if ( NT_STATUS_IS_OK(result) ) {
45 fstr_sprintf( name, "%s\\%s", domains[0], names[0] );
47 fstrcpy( name, names[0] );
50 rpccli_lsa_Close(pipe_hnd, mem_ctx, &pol);
54 /********************************************************************
55 ********************************************************************/
57 static NTSTATUS name_to_sid(struct rpc_pipe_client *pipe_hnd,
59 DOM_SID *sid, const char *name)
62 enum lsa_SidType *sid_types;
66 /* maybe its a raw SID */
67 if ( strncmp(name, "S-", 2) == 0 && string_to_sid(sid, name) ) {
71 result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, True,
72 SEC_RIGHTS_MAXIMUM_ALLOWED, &pol);
74 if ( !NT_STATUS_IS_OK(result) )
77 result = rpccli_lsa_lookup_names(pipe_hnd, mem_ctx, &pol, 1, &name,
78 NULL, 1, &sids, &sid_types);
80 if ( NT_STATUS_IS_OK(result) )
81 sid_copy( sid, &sids[0] );
83 rpccli_lsa_Close(pipe_hnd, mem_ctx, &pol);
87 /********************************************************************
88 ********************************************************************/
90 static NTSTATUS enum_privileges(struct rpc_pipe_client *pipe_hnd,
95 uint32 enum_context = 0;
96 uint32 pref_max_length=0x1000;
101 struct lsa_StringLarge *description = NULL;
102 struct lsa_PrivArray priv_array;
104 result = rpccli_lsa_EnumPrivs(pipe_hnd, ctx,
110 if ( !NT_STATUS_IS_OK(result) )
115 for (i = 0; i < priv_array.count; i++) {
117 struct lsa_String lsa_name;
120 priv_array.privs[i].name.string ? priv_array.privs[i].name.string : "*unknown*" );
122 /* try to get the description */
124 init_lsa_String(&lsa_name, priv_array.privs[i].name.string);
126 result = rpccli_lsa_LookupPrivDisplayName(pipe_hnd, ctx,
134 if (!NT_STATUS_IS_OK(result)) {
135 d_printf("??????\n");
139 d_printf("%s\n", description->string);
145 /********************************************************************
146 ********************************************************************/
148 static NTSTATUS check_privilege_for_user(struct rpc_pipe_client *pipe_hnd,
155 struct lsa_RightSet rights;
158 result = rpccli_lsa_EnumAccountRights(pipe_hnd, ctx,
163 if (!NT_STATUS_IS_OK(result)) {
167 if (rights.count == 0) {
168 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
171 for (i = 0; i < rights.count; i++) {
172 if (StrCaseCmp(rights.names[i].string, right) == 0) {
177 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
180 /********************************************************************
181 ********************************************************************/
183 static NTSTATUS enum_privileges_for_user(struct rpc_pipe_client *pipe_hnd,
189 struct lsa_RightSet rights;
192 result = rpccli_lsa_EnumAccountRights(pipe_hnd, ctx,
197 if (!NT_STATUS_IS_OK(result))
200 if (rights.count == 0) {
201 d_printf("No privileges assigned\n");
204 for (i = 0; i < rights.count; i++) {
205 printf("%s\n", rights.names[i].string);
211 /********************************************************************
212 ********************************************************************/
214 static NTSTATUS enum_accounts_for_privilege(struct rpc_pipe_client *pipe_hnd,
217 const char *privilege)
220 uint32 enum_context=0;
221 uint32 pref_max_length=0x1000;
222 struct lsa_SidArray sid_array;
226 result = rpccli_lsa_EnumAccounts(pipe_hnd, ctx,
232 if (!NT_STATUS_IS_OK(result))
235 d_printf("%s:\n", privilege);
237 for ( i=0; i<sid_array.num_sids; i++ ) {
239 result = check_privilege_for_user(pipe_hnd, ctx, pol,
240 sid_array.sids[i].sid,
243 if ( ! NT_STATUS_IS_OK(result)) {
244 if ( ! NT_STATUS_EQUAL(result, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
250 /* try to convert the SID to a name. Fall back to
251 printing the raw SID if necessary */
252 result = sid_to_name( pipe_hnd, ctx, sid_array.sids[i].sid, name );
253 if ( !NT_STATUS_IS_OK (result) )
254 sid_to_fstring(name, sid_array.sids[i].sid);
256 d_printf(" %s\n", name);
262 /********************************************************************
263 ********************************************************************/
265 static NTSTATUS enum_privileges_for_accounts(struct rpc_pipe_client *pipe_hnd,
270 uint32 enum_context=0;
271 uint32 pref_max_length=0x1000;
272 struct lsa_SidArray sid_array;
276 result = rpccli_lsa_EnumAccounts(pipe_hnd, ctx,
282 if (!NT_STATUS_IS_OK(result))
285 for ( i=0; i<sid_array.num_sids; i++ ) {
287 /* try to convert the SID to a name. Fall back to
288 printing the raw SID if necessary */
290 result = sid_to_name(pipe_hnd, ctx, sid_array.sids[i].sid, name);
291 if ( !NT_STATUS_IS_OK (result) )
292 sid_to_fstring(name, sid_array.sids[i].sid);
294 d_printf("%s\n", name);
296 result = enum_privileges_for_user(pipe_hnd, ctx, pol,
297 sid_array.sids[i].sid);
298 if ( !NT_STATUS_IS_OK(result) )
307 /********************************************************************
308 ********************************************************************/
310 static NTSTATUS rpc_rights_list_internal(const DOM_SID *domain_sid,
311 const char *domain_name,
312 struct cli_state *cli,
313 struct rpc_pipe_client *pipe_hnd,
322 struct lsa_String lsa_name;
323 struct lsa_StringLarge *description = NULL;
325 uint16 lang_id_sys = 0;
329 result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, True,
330 SEC_RIGHTS_MAXIMUM_ALLOWED, &pol);
332 if ( !NT_STATUS_IS_OK(result) )
335 /* backwards compatibility; just list available privileges if no arguement */
338 result = enum_privileges(pipe_hnd, mem_ctx, &pol );
342 if (strequal(argv[0], "privileges")) {
345 if (argv[1] == NULL) {
346 result = enum_privileges(pipe_hnd, mem_ctx, &pol );
350 while ( argv[i] != NULL ) {
351 fstrcpy(privname, argv[i]);
352 init_lsa_String(&lsa_name, argv[i]);
355 /* verify that this is a valid privilege for error reporting */
356 result = rpccli_lsa_LookupPrivDisplayName(pipe_hnd, mem_ctx,
364 if ( !NT_STATUS_IS_OK(result) ) {
365 if ( NT_STATUS_EQUAL( result, NT_STATUS_NO_SUCH_PRIVILEGE ) )
366 d_fprintf(stderr, "No such privilege exists: %s.\n", privname);
368 d_fprintf(stderr, "Error resolving privilege display name [%s].\n", nt_errstr(result));
372 result = enum_accounts_for_privilege(pipe_hnd, mem_ctx, &pol, privname);
373 if (!NT_STATUS_IS_OK(result)) {
374 d_fprintf(stderr, "Error enumerating accounts for privilege %s [%s].\n",
375 privname, nt_errstr(result));
382 /* special case to enumerate all privileged SIDs with associated rights */
384 if (strequal( argv[0], "accounts")) {
387 if (argv[1] == NULL) {
388 result = enum_privileges_for_accounts(pipe_hnd, mem_ctx, &pol);
392 while (argv[i] != NULL) {
393 result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[i]);
394 if (!NT_STATUS_IS_OK(result)) {
397 result = enum_privileges_for_user(pipe_hnd, mem_ctx, &pol, &sid);
398 if (!NT_STATUS_IS_OK(result)) {
406 /* backward comaptibility: if no keyword provided, treat the key
407 as an account name */
409 d_printf("Usage: net rpc rights list [[accounts|privileges] [name|SID]]\n");
410 result = NT_STATUS_OK;
414 result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
415 if (!NT_STATUS_IS_OK(result)) {
418 result = enum_privileges_for_user(pipe_hnd, mem_ctx, &pol, &sid );
421 rpccli_lsa_Close(pipe_hnd, mem_ctx, &pol);
426 /********************************************************************
427 ********************************************************************/
429 static NTSTATUS rpc_rights_grant_internal(const DOM_SID *domain_sid,
430 const char *domain_name,
431 struct cli_state *cli,
432 struct rpc_pipe_client *pipe_hnd,
438 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
439 struct lsa_RightSet rights;
445 d_printf("Usage: net rpc rights grant <name|SID> <rights...>\n");
449 result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
450 if (!NT_STATUS_IS_OK(result))
453 result = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, True,
454 SEC_RIGHTS_MAXIMUM_ALLOWED,
457 if (!NT_STATUS_IS_OK(result))
460 rights.count = argc-1;
461 rights.names = TALLOC_ARRAY(mem_ctx, struct lsa_StringLarge,
464 return NT_STATUS_NO_MEMORY;
467 for (i=0; i<argc-1; i++) {
468 init_lsa_StringLarge(&rights.names[i], argv[i+1]);
471 result = rpccli_lsa_AddAccountRights(pipe_hnd, mem_ctx,
476 if (!NT_STATUS_IS_OK(result))
479 d_printf("Successfully granted rights.\n");
482 if ( !NT_STATUS_IS_OK(result) ) {
483 d_fprintf(stderr, "Failed to grant privileges for %s (%s)\n",
484 argv[0], nt_errstr(result));
487 rpccli_lsa_Close(pipe_hnd, mem_ctx, &dom_pol);
492 /********************************************************************
493 ********************************************************************/
495 static NTSTATUS rpc_rights_revoke_internal(const DOM_SID *domain_sid,
496 const char *domain_name,
497 struct cli_state *cli,
498 struct rpc_pipe_client *pipe_hnd,
504 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
509 d_printf("Usage: net rpc rights revoke <name|SID> <rights...>\n");
513 result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
514 if (!NT_STATUS_IS_OK(result))
517 result = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, True,
518 SEC_RIGHTS_MAXIMUM_ALLOWED,
521 if (!NT_STATUS_IS_OK(result))
524 result = rpccli_lsa_remove_account_rights(pipe_hnd, mem_ctx, &dom_pol, sid,
525 False, argc-1, argv+1);
527 if (!NT_STATUS_IS_OK(result))
530 d_printf("Successfully revoked rights.\n");
533 if ( !NT_STATUS_IS_OK(result) ) {
534 d_fprintf(stderr, "Failed to revoke privileges for %s (%s)\n",
535 argv[0], nt_errstr(result));
538 rpccli_lsa_Close(pipe_hnd, mem_ctx, &dom_pol);
544 /********************************************************************
545 ********************************************************************/
547 static int rpc_rights_list( int argc, const char **argv )
549 return run_rpc_command( NULL, PI_LSARPC, 0,
550 rpc_rights_list_internal, argc, argv );
553 /********************************************************************
554 ********************************************************************/
556 static int rpc_rights_grant( int argc, const char **argv )
558 return run_rpc_command( NULL, PI_LSARPC, 0,
559 rpc_rights_grant_internal, argc, argv );
562 /********************************************************************
563 ********************************************************************/
565 static int rpc_rights_revoke( int argc, const char **argv )
567 return run_rpc_command( NULL, PI_LSARPC, 0,
568 rpc_rights_revoke_internal, argc, argv );
571 /********************************************************************
572 ********************************************************************/
574 static int net_help_rights( int argc, const char **argv )
576 d_printf("net rpc rights list [{accounts|privileges} [name|SID]] View available or assigned privileges\n");
577 d_printf("net rpc rights grant <name|SID> <right> Assign privilege[s]\n");
578 d_printf("net rpc rights revoke <name|SID> <right> Revoke privilege[s]\n");
580 d_printf("\nBoth 'grant' and 'revoke' require a SID and a list of privilege names.\n");
581 d_printf("For example\n");
582 d_printf("\n net rpc rights grant 'VALE\\biddle' SePrintOperatorPrivilege SeDiskOperatorPrivilege\n");
583 d_printf("\nwould grant the printer admin and disk manager rights to the user 'VALE\\biddle'\n\n");
589 /********************************************************************
590 ********************************************************************/
592 int net_rpc_rights(int argc, const char **argv)
594 struct functable func[] = {
595 {"list", rpc_rights_list},
596 {"grant", rpc_rights_grant},
597 {"revoke", rpc_rights_revoke},
602 return net_run_function( argc, argv, func, net_help_rights );
604 return net_help_rights( argc, argv );
607 static NTSTATUS rpc_sh_rights_list(TALLOC_CTX *mem_ctx, struct rpc_sh_ctx *ctx,
608 struct rpc_pipe_client *pipe_hnd,
609 int argc, const char **argv)
611 return rpc_rights_list_internal(ctx->domain_sid, ctx->domain_name,
612 ctx->cli, pipe_hnd, mem_ctx,
616 static NTSTATUS rpc_sh_rights_grant(TALLOC_CTX *mem_ctx,
617 struct rpc_sh_ctx *ctx,
618 struct rpc_pipe_client *pipe_hnd,
619 int argc, const char **argv)
621 return rpc_rights_grant_internal(ctx->domain_sid, ctx->domain_name,
622 ctx->cli, pipe_hnd, mem_ctx,
626 static NTSTATUS rpc_sh_rights_revoke(TALLOC_CTX *mem_ctx,
627 struct rpc_sh_ctx *ctx,
628 struct rpc_pipe_client *pipe_hnd,
629 int argc, const char **argv)
631 return rpc_rights_revoke_internal(ctx->domain_sid, ctx->domain_name,
632 ctx->cli, pipe_hnd, mem_ctx,
636 struct rpc_sh_cmd *net_rpc_rights_cmds(TALLOC_CTX *mem_ctx,
637 struct rpc_sh_ctx *ctx)
639 static struct rpc_sh_cmd cmds[] = {
641 { "list", NULL, PI_LSARPC, rpc_sh_rights_list,
642 "View available or assigned privileges" },
644 { "grant", NULL, PI_LSARPC, rpc_sh_rights_grant,
645 "Assign privilege[s]" },
647 { "revoke", NULL, PI_LSARPC, rpc_sh_rights_revoke,
648 "Revoke privilege[s]" },
650 { NULL, NULL, 0, NULL, NULL }