2 Unix SMB/Netbios implementation.
5 Printer security permission manipulation.
7 Copyright (C) Tim Potter 2000
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 /* This program can get or set NT printer security permissions from the
25 command line. Usage: psec getsec|setsec printername. You must have
26 write access to the ntdrivers.tdb file to set permissions and read
27 access to get permissions.
29 For this program to compile using the supplied Makefile.psec, Samba
30 must be configured with the --srcdir option
32 For getsec, output like the following is sent to standard output:
34 S-1-5-21-1067277791-1719175008-3000797951-500
36 1 9 0x10000000 S-1-5-21-1067277791-1719175008-3000797951-501
37 1 2 0x10000000 S-1-5-21-1067277791-1719175008-3000797951-501
38 0 9 0x10000000 S-1-5-21-1067277791-1719175008-3000797951-500
39 0 2 0x10000000 S-1-5-21-1067277791-1719175008-3000797951-500
40 0 9 0x10000000 S-1-5-21-1067277791-1719175008-3000797951-513
41 0 2 0x00020000 S-1-5-21-1067277791-1719175008-3000797951-513
42 0 2 0xe0000000 S-1-1-0
44 The first two lines describe the owner user and owner group of the printer.
45 If either of these lines are blank then the respective owner property is
46 not set. The remaining lines list the printer permissions or ACE entries,
47 one per line. Each column describes a different property of the ACE:
50 -------------------------------------------------------------------
51 1 ACE type (allow/deny etc) defined in rpc_secdes.h
52 2 ACE flags defined in rpc_secdes.h
53 3 ACE mask - printer ACE masks are defined in rpc_spoolss.h
54 4 SID the ACE applies to
56 The above example describes the following permissions in order:
58 - The guest user has No Access to the printer
59 - The domain administrator has Full Access
60 - Domain Users can Manage Documents
61 - Everyone has Print access
63 The setsec command takes the output format but sets the security descriptor
70 /* ACE type conversions */
72 char *ace_type_to_str(uint ace_type)
77 case SEC_ACE_TYPE_ACCESS_DENIED:
79 case SEC_ACE_TYPE_ACCESS_ALLOWED:
83 slprintf(temp, sizeof(temp) - 1, "0x%02x", ace_type);
87 uint str_to_ace_type(char *ace_type)
89 if (strcmp(ace_type, "ALLOWED") == 0)
90 return SEC_ACE_TYPE_ACCESS_ALLOWED;
92 if (strcmp(ace_type, "DENIED") == 0)
93 return SEC_ACE_TYPE_ACCESS_DENIED;
98 /* ACE mask (permission) conversions */
100 char *ace_mask_to_str(uint32 ace_mask)
105 case PRINTER_ACE_FULL_CONTROL:
106 return "Full Control";
107 case PRINTER_ACE_MANAGE_DOCUMENTS:
108 return "Manage Documents";
109 case PRINTER_ACE_PRINT:
113 slprintf(temp, sizeof(temp) - 1, "0x%08x", ace_mask);
117 uint32 str_to_ace_mask(char *ace_mask)
119 if (strcmp(ace_mask, "Full Control") == 0)
120 return PRINTER_ACE_FULL_CONTROL;
122 if (strcmp(ace_mask, "Manage Documents") == 0)
123 return PRINTER_ACE_MANAGE_DOCUMENTS;
125 if (strcmp(ace_mask, "Print") == 0)
126 return PRINTER_ACE_PRINT;
131 /* ACE conversions */
133 char *ace_to_str(SEC_ACE *ace)
138 sid_to_string(sidstr, &ace->sid);
140 slprintf(temp, sizeof(temp) - 1, "%s %d %s %s",
141 ace_type_to_str(ace->type), ace->flags,
142 ace_mask_to_str(ace->info.mask), sidstr);
147 int str_to_ace(SEC_ACE *ace, char *ace_str)
154 init_sec_access(&sa, mask);
155 init_sec_ace(ace, &sid, type, sa, flags);
158 /* Get a printer security descriptor */
160 int psec_getsec(char *printer)
162 SEC_DESC_BUF *secdesc_ctr = NULL;
163 TALLOC_CTX *mem_ctx = NULL;
164 fstring keystr, sidstr, tdb_path;
168 /* Open tdb for reading */
170 slprintf(tdb_path, sizeof(tdb_path) - 1, "%s/ntdrivers.tdb", LOCKDIR);
171 tdb = tdb_open(tdb_path, 0, 0, O_RDONLY, 0600);
174 printf("psec: failed to open nt drivers database: %s\n",
179 /* Get security blob from tdb */
181 slprintf(keystr, sizeof(keystr) - 1, "SECDESC/%s", printer);
183 mem_ctx = talloc_init();
186 printf("memory allocation error\n");
191 if (tdb_prs_fetch(tdb, keystr, &ps, mem_ctx) != 0) {
192 printf("error fetching descriptor for printer %s\n",
198 /* Unpack into security descriptor buffer */
200 if (!sec_io_desc_buf("nt_printing_getsec", &secdesc_ctr, &ps, 1)) {
201 printf("error unpacking sec_desc_buf\n");
206 /* Print owner and group sid */
208 if (secdesc_ctr->sec->owner_sid) {
209 sid_to_string(sidstr, secdesc_ctr->sec->owner_sid);
214 printf("%s\n", sidstr);
216 if (secdesc_ctr->sec->grp_sid) {
217 sid_to_string(sidstr, secdesc_ctr->sec->grp_sid);
222 printf("%s\n", sidstr);
226 if (!secdesc_ctr->sec->dacl) {
231 for (i = 0; i < secdesc_ctr->sec->dacl->num_aces; i++) {
232 SEC_ACE *ace = &secdesc_ctr->sec->dacl->ace[i];
235 sid_to_string(sidstr, &ace->sid);
237 printf("%d %d 0x%08x %s\n", ace->type, ace->flags,
238 ace->info.mask, sidstr);
242 if (tdb) tdb_close(tdb);
243 if (mem_ctx) talloc_destroy(mem_ctx);
244 if (secdesc_ctr) free_sec_desc_buf(&secdesc_ctr);
249 /* Set a printer security descriptor */
251 int psec_setsec(char *printer)
253 DOM_SID user_sid, group_sid;
254 SEC_ACE *ace_list = NULL;
257 SEC_DESC_BUF *sdb = NULL;
258 int result = 0, num_aces = 0;
259 fstring line, keystr, tdb_path;
262 TALLOC_CTX *mem_ctx = NULL;
263 BOOL has_user_sid = False, has_group_sid = False;
265 /* Open tdb for reading */
267 slprintf(tdb_path, sizeof(tdb_path) - 1, "%s/ntdrivers.tdb", LOCKDIR);
268 tdb = tdb_open(tdb_path, 0, 0, O_RDWR, 0600);
271 printf("psec: failed to open nt drivers database: %s\n",
277 /* Read owner and group sid */
279 fgets(line, sizeof(fstring), stdin);
280 if (line[0] != '\n') {
281 string_to_sid(&user_sid, line);
285 fgets(line, sizeof(fstring), stdin);
286 if (line[0] != '\n') {
287 string_to_sid(&group_sid, line);
288 has_group_sid = True;
291 /* Read ACEs from standard input for discretionary ACL */
293 while(fgets(line, sizeof(fstring), stdin)) {
294 int ace_type, ace_flags;
300 if (sscanf(line, "%d %d 0x%x %s", &ace_type, &ace_flags,
301 &ace_mask, sidstr) != 4) {
305 string_to_sid(&sid, sidstr);
307 ace_list = Realloc(ace_list, sizeof(SEC_ACE) *
310 init_sec_access(&sa, ace_mask);
311 init_sec_ace(&ace_list[num_aces], &sid, ace_type, sa,
317 dacl = make_sec_acl(ACL_REVISION, num_aces, ace_list);
320 /* Create security descriptor */
322 sd = make_sec_desc(SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE |
323 SEC_DESC_DACL_PRESENT,
324 has_user_sid ? &user_sid : NULL,
325 has_group_sid ? &group_sid : NULL,
326 NULL, /* System ACL */
327 dacl, /* Discretionary ACL */
330 sdb = make_sec_desc_buf(size, sd);
334 /* Write security descriptor to tdb */
336 mem_ctx = talloc_init();
339 printf("memory allocation error\n");
344 prs_init(&ps, (uint32)sec_desc_size(sdb->sec) +
345 sizeof(SEC_DESC_BUF), 4, mem_ctx, MARSHALL);
347 if (!sec_io_desc_buf("nt_printing_setsec", &sdb, &ps, 1)) {
348 printf("sec_io_desc_buf failed\n");
352 slprintf(keystr, sizeof(keystr) - 1, "SECDESC/%s", printer);
354 if (!tdb_prs_store(tdb, keystr, &ps)==0) {
355 printf("Failed to store secdesc for %s\n", printer);
360 if (tdb) tdb_close(tdb);
361 if (sdb) free_sec_desc_buf(&sdb);
362 if (mem_ctx) talloc_destroy(mem_ctx);
371 printf("Usage: psec getsec|setsec printername\n");
376 int main(int argc, char **argv)
387 if (strcmp(argv[1], "setsec") == 0) {
394 return psec_setsec(argv[2]);
397 if (strcmp(argv[1], "getsec") == 0) {
404 return psec_getsec(argv[2]);
407 /* An unknown command */
409 printf("psec: unknown command %s\n", argv[1]);