From: Tim Potter Date: Fri, 24 Sep 2004 01:20:30 +0000 (+0000) Subject: r2576: Some userspace tools for getting and setting ntacls via the 'security.ntacl' X-Git-Url: http://git.samba.org/samba.git/?a=commitdiff_plain;h=5b88226f9002711baac73e66d04ecf92b7765809;p=jelmer%2Fsamba4-debian.git r2576: Some userspace tools for getting and setting ntacls via the 'security.ntacl' extended attribute. --- diff --git a/source/utils/config.m4 b/source/utils/config.m4 index 562f5ce7b..74a31de17 100644 --- a/source/utils/config.m4 +++ b/source/utils/config.m4 @@ -5,3 +5,6 @@ SMB_BINARY_MK(ntlm_auth, utils/config.mk) #SMB_BINARY_MK(lookupuuid, utils/config.mk) SMB_INCLUDE_M4(utils/net/config.m4) + +SMB_BINARY_MK(getntacl, utils/config.mk) +SMB_BINARY_MK(setntacl, utils/config.mk) diff --git a/source/utils/config.mk b/source/utils/config.mk index 32999e103..0860e89ea 100644 --- a/source/utils/config.mk +++ b/source/utils/config.mk @@ -39,3 +39,31 @@ REQUIRED_SUBSYSTEMS = \ LIBRPC # End BINARY ntlm_auth ################################# + +################################# +# Start BINARY getntacl +[BINARY::getntacl] +OBJ_FILES = \ + utils/getntacl.o +REQUIRED_SUBSYSTEMS = \ + CONFIG \ + LIBCMDLINE \ + LIBBASIC \ + LIBSMB \ + LIBRPC +# End BINARY getntacl +################################# + +################################# +# Start BINARY setntacl +[BINARY::setntacl] +OBJ_FILES = \ + utils/setntacl.o +REQUIRED_SUBSYSTEMS = \ + CONFIG \ + LIBCMDLINE \ + LIBBASIC \ + LIBSMB \ + LIBRPC +# End BINARY setntacl +################################# diff --git a/source/utils/getntacl.c b/source/utils/getntacl.c new file mode 100644 index 000000000..b17200aeb --- /dev/null +++ b/source/utils/getntacl.c @@ -0,0 +1,116 @@ +/* + Unix SMB/CIFS implementation. + + Get NT ACLs from UNIX files. + + Copyright (C) Tim Potter 2004 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" +#include + +/* Display a security descriptor in "psec" format which is as follows. + + The first two lines describe the owner user and owner group of the + object. If either of these lines are blank then the respective + owner property is not set. The remaining lines list the individual + permissions or ACE entries, one per line. Each column describes a + different property of the ACE: + + Column Description + ------------------------------------------------------------------- + 1 ACE type (allow/deny etc) + 2 ACE flags + 3 ACE mask + 4 SID the ACE applies to + + Example: + + S-1-5-21-1067277791-1719175008-3000797951-500 + + 1 9 0x10000000 S-1-5-21-1067277791-1719175008-3000797951-501 + 1 2 0x10000000 S-1-5-21-1067277791-1719175008-3000797951-501 + 0 9 0x10000000 S-1-5-21-1067277791-1719175008-3000797951-500 + 0 2 0x10000000 S-1-5-21-1067277791-1719175008-3000797951-500 + 0 9 0x10000000 S-1-5-21-1067277791-1719175008-3000797951-513 + 0 2 0x00020000 S-1-5-21-1067277791-1719175008-3000797951-513 + 0 2 0xe0000000 S-1-1-0 +*/ + +static void print_psec(TALLOC_CTX *mem_ctx, struct security_descriptor *sd) +{ + if (sd->owner_sid) + printf("%s\n", dom_sid_string(mem_ctx, sd->owner_sid)); + else + printf("\n"); + + if (sd->group_sid) + printf("%s\n", dom_sid_string(mem_ctx, sd->owner_sid)); + else + printf("\n"); + + /* Note: SACL not displayed */ + + if (sd->dacl) { + int i; + + for (i = 0; i < sd->dacl->num_aces; i++) { + struct security_ace *ace = &sd->dacl->aces[i]; + + printf("%d %d 0x%08x %s\n", ace->type, ace->flags, + ace->access_mask, + dom_sid_string(mem_ctx, &ace->trustee)); + } + + } +} + +int main(int argc, char **argv) +{ + TALLOC_CTX *mem_ctx; + ssize_t size; + char *data; + struct security_descriptor sd; + DATA_BLOB blob; + struct ndr_pull *ndr; + NTSTATUS result; + + mem_ctx = talloc_init("getntacl"); + + /* Fetch ACL data */ + + size = getxattr(argv[1], "security.ntacl", NULL, 0); + + if (size == -1) { + fprintf(stderr, "%s: %s\n", argv[1], strerror(errno)); + exit(1); + } + + data = talloc(mem_ctx, size); + + size = getxattr(argv[1], "security.ntacl", data, size); + + blob = data_blob_talloc(mem_ctx, data, size); + + ndr = ndr_pull_init_blob(&blob, mem_ctx); + + result = ndr_pull_security_descriptor( + ndr, NDR_SCALARS|NDR_BUFFERS, &sd); + + print_psec(data, &sd); + return 0; +} diff --git a/source/utils/setntacl.c b/source/utils/setntacl.c new file mode 100644 index 000000000..492c3ba9f --- /dev/null +++ b/source/utils/setntacl.c @@ -0,0 +1,105 @@ +/* + Unix SMB/CIFS implementation. + + Set NT ACLs on UNIX files. + + Copyright (C) Tim Potter 2004 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" +#include + +static void setntacl(char *filename, struct security_descriptor *sd) +{ + NTSTATUS status; + struct ndr_push *ndr; + ssize_t result; + + ndr = ndr_push_init(); + + status = ndr_push_security_descriptor( + ndr, NDR_SCALARS|NDR_BUFFERS, sd); + + result = setxattr( + filename, "security.ntacl", ndr->data, ndr->offset, 0); + + if (result == -1) { + fprintf(stderr, "%s: %s\n", filename, strerror(errno)); + exit(1); + } + +} + + int main(int argc, char **argv) +{ + char line[255]; + struct security_descriptor *sd; + TALLOC_CTX *mem_ctx; + struct security_acl *acl; + + setup_logging("setntacl", DEBUG_STDOUT); + + mem_ctx = talloc_init("setntacl"); + + sd = sd_initialise(mem_ctx); + + fgets(line, sizeof(line), stdin); + sd->owner_sid = dom_sid_parse_talloc(mem_ctx, line); + + fgets(line, sizeof(line), stdin); + sd->group_sid = dom_sid_parse_talloc(mem_ctx, line); + + acl = talloc(mem_ctx, sizeof(struct security_acl)); + + acl->revision = 2; + acl->size = 0; + acl->num_aces = 0; + acl->aces = NULL; + + while(fgets(line, sizeof(line), stdin)) { + int ace_type, ace_flags; + uint32 ace_mask; + char sidstr[255]; + struct dom_sid *sid; + + if (sscanf(line, "%d %d 0x%x %s", &ace_type, &ace_flags, + &ace_mask, sidstr) != 4) { + fprintf(stderr, "invalid ACL line\ndr"); + return 1; + } + + acl->aces = talloc_realloc( + acl->aces, + (acl->num_aces + 1) * sizeof(struct security_ace)); + + acl->aces[acl->num_aces].type = ace_type; + acl->aces[acl->num_aces].flags = ace_flags; + acl->aces[acl->num_aces].access_mask = ace_mask; + + sid = dom_sid_parse_talloc(mem_ctx, sidstr); + + acl->aces[acl->num_aces].trustee = *sid; + + acl->num_aces++; + } + + sd->dacl = acl; + + setntacl(argv[1], sd); + + return 0; +}