017f4035b07fe028b32055d45c8a3882e8491ec6
[kai/samba.git] / source3 / utils / smbcacls.c
1 /* 
2    Unix SMB/CIFS implementation.
3    ACL get/set utility
4    
5    Copyright (C) Andrew Tridgell 2000
6    Copyright (C) Tim Potter      2000
7    Copyright (C) Jeremy Allison  2000
8    
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 2 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18    
19    You should have received a copy of the GNU General Public License
20    along with this program; if not, write to the Free Software
21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 */
23
24 #include "includes.h"
25
26 static fstring password;
27 static pstring username;
28 static pstring owner_username;
29 static fstring server;
30 static int got_pass;
31 static int test_args;
32 TALLOC_CTX *ctx;
33
34 #define CREATE_ACCESS_READ READ_CONTROL_ACCESS
35 #define CREATE_ACCESS_WRITE (WRITE_DAC_ACCESS | WRITE_OWNER_ACCESS)
36
37 /* numeric is set when the user wants numeric SIDs and ACEs rather
38    than going via LSA calls to resolve them */
39 static int numeric;
40
41 enum acl_mode {SMB_ACL_SET, SMB_ACL_DELETE, SMB_ACL_MODIFY, SMB_ACL_ADD };
42 enum chown_mode {REQUEST_NONE, REQUEST_CHOWN, REQUEST_CHGRP};
43 enum exit_values {EXIT_OK, EXIT_FAILED, EXIT_PARSE_ERROR};
44
45 struct perm_value {
46         char *perm;
47         uint32 mask;
48 };
49
50 /* These values discovered by inspection */
51
52 static struct perm_value special_values[] = {
53         { "R", 0x00120089 },
54         { "W", 0x00120116 },
55         { "X", 0x001200a0 },
56         { "D", 0x00010000 },
57         { "P", 0x00040000 },
58         { "O", 0x00080000 },
59         { NULL, 0 },
60 };
61
62 static struct perm_value standard_values[] = {
63         { "READ",   0x001200a9 },
64         { "CHANGE", 0x001301bf },
65         { "FULL",   0x001f01ff },
66         { NULL, 0 },
67 };
68
69 struct cli_state lsa_cli;
70 POLICY_HND pol;
71 struct ntuser_creds creds;
72 BOOL got_policy_hnd;
73
74 /* Open cli connection and policy handle */
75
76 static BOOL cacls_open_policy_hnd(void)
77 {
78         creds.pwd.null_pwd = 1;
79
80         /* Initialise cli LSA connection */
81
82         if (!lsa_cli.initialised && 
83             !cli_lsa_initialise(&lsa_cli, server, &creds)) {
84                 return False;
85         }
86
87         /* Open policy handle */
88
89         if (!got_policy_hnd) {
90
91                 /* Some systems don't support SEC_RIGHTS_MAXIMUM_ALLOWED,
92                    but NT sends 0x2000000 so we might as well do it too. */
93
94                 if (!NT_STATUS_IS_OK(cli_lsa_open_policy(&lsa_cli, lsa_cli.mem_ctx, True, 
95                                                          GENERIC_EXECUTE_ACCESS, &pol))) {
96                         return False;
97                 }
98
99                 got_policy_hnd = True;
100         }
101         
102         return True;
103 }
104
105 /* convert a SID to a string, either numeric or username/group */
106 static void SidToString(fstring str, DOM_SID *sid)
107 {
108         char **domains = NULL;
109         char **names = NULL;
110         uint32 *types = NULL;
111
112         sid_to_string(str, sid);
113
114         if (numeric) return;
115
116         /* Ask LSA to convert the sid to a name */
117
118         if (!cacls_open_policy_hnd() ||
119             !NT_STATUS_IS_OK(cli_lsa_lookup_sids(&lsa_cli, lsa_cli.mem_ctx,  
120                                                  &pol, 1, sid, &domains, 
121                                                  &names, &types)) ||
122             !domains || !domains[0] || !names || !names[0]) {
123                 return;
124         }
125
126         /* Converted OK */
127
128         slprintf(str, sizeof(fstring) - 1, "%s%s%s",
129                  domains[0], lp_winbind_separator(),
130                  names[0]);
131         
132 }
133
134 /* convert a string to a SID, either numeric or username/group */
135 static BOOL StringToSid(DOM_SID *sid, const char *str)
136 {
137         uint32 *types = NULL;
138         DOM_SID *sids = NULL;
139         BOOL result = True;
140
141         if (strncmp(str, "S-", 2) == 0) {
142                 return string_to_sid(sid, str);
143         }
144
145         if (!cacls_open_policy_hnd() ||
146             !NT_STATUS_IS_OK(cli_lsa_lookup_names(&lsa_cli, lsa_cli.mem_ctx, 
147                                                   &pol, 1, &str, &sids, 
148                                                   &types))) {
149                 result = False;
150                 goto done;
151         }
152
153         sid_copy(sid, &sids[0]);
154
155  done:
156
157         return result;
158 }
159
160
161 /* print an ACE on a FILE, using either numeric or ascii representation */
162 static void print_ace(FILE *f, SEC_ACE *ace)
163 {
164         struct perm_value *v;
165         fstring sidstr;
166         int do_print = 0;
167         uint32 got_mask;
168
169         SidToString(sidstr, &ace->trustee);
170
171         fprintf(f, "%s:", sidstr);
172
173         if (numeric) {
174                 fprintf(f, "%d/%d/0x%08x", 
175                         ace->type, ace->flags, ace->info.mask);
176                 return;
177         }
178
179         /* Ace type */
180
181         if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) {
182                 fprintf(f, "ALLOWED");
183         } else if (ace->type == SEC_ACE_TYPE_ACCESS_DENIED) {
184                 fprintf(f, "DENIED");
185         } else {
186                 fprintf(f, "%d", ace->type);
187         }
188
189         /* Not sure what flags can be set in a file ACL */
190
191         fprintf(f, "/%d/", ace->flags);
192
193         /* Standard permissions */
194
195         for (v = standard_values; v->perm; v++) {
196                 if (ace->info.mask == v->mask) {
197                         fprintf(f, "%s", v->perm);
198                         return;
199                 }
200         }
201
202         /* Special permissions.  Print out a hex value if we have
203            leftover bits in the mask. */
204
205         got_mask = ace->info.mask;
206
207  again:
208         for (v = special_values; v->perm; v++) {
209                 if ((ace->info.mask & v->mask) == v->mask) {
210                         if (do_print) {
211                                 fprintf(f, "%s", v->perm);
212                         }
213                         got_mask &= ~v->mask;
214                 }
215         }
216
217         if (!do_print) {
218                 if (got_mask != 0) {
219                         fprintf(f, "0x%08x", ace->info.mask);
220                 } else {
221                         do_print = 1;
222                         goto again;
223                 }
224         }
225 }
226
227
228 /* parse an ACE in the same format as print_ace() */
229 static BOOL parse_ace(SEC_ACE *ace, char *str)
230 {
231         char *p;
232         fstring tok;
233         unsigned atype, aflags, amask;
234         DOM_SID sid;
235         SEC_ACCESS mask;
236         struct perm_value *v;
237
238         ZERO_STRUCTP(ace);
239         p = strchr_m(str,':');
240         if (!p) return False;
241         *p = '\0';
242         p++;
243
244         /* Try to parse numeric form */
245
246         if (sscanf(p, "%i/%i/%i", &atype, &aflags, &amask) == 3 &&
247             StringToSid(&sid, str)) {
248                 goto done;
249         }
250
251         /* Try to parse text form */
252
253         if (!StringToSid(&sid, str)) {
254                 return False;
255         }
256
257         if (!next_token(&p, tok, "/", sizeof(fstring))) {
258                 return False;
259         }
260
261         if (strncmp(tok, "ALLOWED", strlen("ALLOWED")) == 0) {
262                 atype = SEC_ACE_TYPE_ACCESS_ALLOWED;
263         } else if (strncmp(tok, "DENIED", strlen("DENIED")) == 0) {
264                 atype = SEC_ACE_TYPE_ACCESS_DENIED;
265         } else {
266                 return False;
267         }
268
269         /* Only numeric form accepted for flags at present */
270
271         if (!(next_token(&p, tok, "/", sizeof(fstring)) &&
272               sscanf(tok, "%i", &aflags))) {
273                 return False;
274         }
275
276         if (!next_token(&p, tok, "/", sizeof(fstring))) {
277                 return False;
278         }
279
280         if (strncmp(tok, "0x", 2) == 0) {
281                 if (sscanf(tok, "%i", &amask) != 1) {
282                         return False;
283                 }
284                 goto done;
285         }
286
287         for (v = standard_values; v->perm; v++) {
288                 if (strcmp(tok, v->perm) == 0) {
289                         amask = v->mask;
290                         goto done;
291                 }
292         }
293
294         p = tok;
295
296         while(*p) {
297                 BOOL found = False;
298
299                 for (v = special_values; v->perm; v++) {
300                         if (v->perm[0] == *p) {
301                                 amask |= v->mask;
302                                 found = True;
303                         }
304                 }
305
306                 if (!found) return False;
307                 p++;
308         }
309
310         if (*p) {
311                 return False;
312         }
313
314  done:
315         mask.mask = amask;
316         init_sec_ace(ace, &sid, atype, mask, aflags);
317         return True;
318 }
319
320 /* add an ACE to a list of ACEs in a SEC_ACL */
321 static BOOL add_ace(SEC_ACL **the_acl, SEC_ACE *ace)
322 {
323         SEC_ACL *new;
324         SEC_ACE *aces;
325         if (! *the_acl) {
326                 (*the_acl) = make_sec_acl(ctx, 3, 1, ace);
327                 return True;
328         }
329
330         aces = calloc(1+(*the_acl)->num_aces,sizeof(SEC_ACE));
331         memcpy(aces, (*the_acl)->ace, (*the_acl)->num_aces * sizeof(SEC_ACE));
332         memcpy(aces+(*the_acl)->num_aces, ace, sizeof(SEC_ACE));
333         new = make_sec_acl(ctx,(*the_acl)->revision,1+(*the_acl)->num_aces, aces);
334         SAFE_FREE(aces);
335         (*the_acl) = new;
336         return True;
337 }
338
339 /* parse a ascii version of a security descriptor */
340 static SEC_DESC *sec_desc_parse(char *str)
341 {
342         char *p = str;
343         fstring tok;
344         SEC_DESC *ret;
345         size_t sd_size;
346         DOM_SID *grp_sid=NULL, *owner_sid=NULL;
347         SEC_ACL *dacl=NULL;
348         int revision=1;
349
350         while (next_token(&p, tok, "\t,\r\n", sizeof(tok))) {
351
352                 if (strncmp(tok,"REVISION:", 9) == 0) {
353                         revision = strtol(tok+9, NULL, 16);
354                         continue;
355                 }
356
357                 if (strncmp(tok,"OWNER:", 6) == 0) {
358                         owner_sid = (DOM_SID *)calloc(1, sizeof(DOM_SID));
359                         if (!owner_sid ||
360                             !StringToSid(owner_sid, tok+6)) {
361                                 printf("Failed to parse owner sid\n");
362                                 return NULL;
363                         }
364                         continue;
365                 }
366
367                 if (strncmp(tok,"GROUP:", 6) == 0) {
368                         grp_sid = (DOM_SID *)calloc(1, sizeof(DOM_SID));
369                         if (!grp_sid ||
370                             !StringToSid(grp_sid, tok+6)) {
371                                 printf("Failed to parse group sid\n");
372                                 return NULL;
373                         }
374                         continue;
375                 }
376
377                 if (strncmp(tok,"ACL:", 4) == 0) {
378                         SEC_ACE ace;
379                         if (!parse_ace(&ace, tok+4)) {
380                                 printf("Failed to parse ACL %s\n", tok);
381                                 return NULL;
382                         }
383                         if(!add_ace(&dacl, &ace)) {
384                                 printf("Failed to add ACL %s\n", tok);
385                                 return NULL;
386                         }
387                         continue;
388                 }
389
390                 printf("Failed to parse security descriptor\n");
391                 return NULL;
392         }
393
394         ret = make_sec_desc(ctx,revision, owner_sid, grp_sid, 
395                             NULL, dacl, &sd_size);
396
397         SAFE_FREE(grp_sid);
398         SAFE_FREE(owner_sid);
399
400         return ret;
401 }
402
403
404 /* print a ascii version of a security descriptor on a FILE handle */
405 static void sec_desc_print(FILE *f, SEC_DESC *sd)
406 {
407         fstring sidstr;
408         uint32 i;
409
410         printf("REVISION:%d\n", sd->revision);
411
412         /* Print owner and group sid */
413
414         if (sd->owner_sid) {
415                 SidToString(sidstr, sd->owner_sid);
416         } else {
417                 fstrcpy(sidstr, "");
418         }
419
420         printf("OWNER:%s\n", sidstr);
421
422         if (sd->grp_sid) {
423                 SidToString(sidstr, sd->grp_sid);
424         } else {
425                 fstrcpy(sidstr, "");
426         }
427
428         fprintf(f, "GROUP:%s\n", sidstr);
429
430         /* Print aces */
431         for (i = 0; sd->dacl && i < sd->dacl->num_aces; i++) {
432                 SEC_ACE *ace = &sd->dacl->ace[i];
433                 fprintf(f, "ACL:");
434                 print_ace(f, ace);
435                 fprintf(f, "\n");
436         }
437
438 }
439
440 /***************************************************** 
441 dump the acls for a file
442 *******************************************************/
443 static int cacl_dump(struct cli_state *cli, char *filename)
444 {
445         int fnum;
446         SEC_DESC *sd;
447
448         if (test_args) return EXIT_OK;
449
450         fnum = cli_nt_create(cli, filename, CREATE_ACCESS_READ);
451         if (fnum == -1) {
452                 printf("Failed to open %s: %s\n", filename, cli_errstr(cli));
453                 return EXIT_FAILED;
454         }
455
456         sd = cli_query_secdesc(cli, fnum, ctx);
457
458         if (!sd) {
459                 printf("ERROR: secdesc query failed: %s\n", cli_errstr(cli));
460                 return EXIT_FAILED;
461         }
462
463         sec_desc_print(stdout, sd);
464
465         cli_close(cli, fnum);
466
467         return EXIT_OK;
468 }
469
470 /***************************************************** 
471 Change the ownership or group ownership of a file. Just
472 because the NT docs say this can't be done :-). JRA.
473 *******************************************************/
474
475 static int owner_set(struct cli_state *cli, enum chown_mode change_mode, 
476                      char *filename, char *new_username)
477 {
478         int fnum;
479         DOM_SID sid;
480         SEC_DESC *sd, *old;
481         size_t sd_size;
482
483         fnum = cli_nt_create(cli, filename, CREATE_ACCESS_READ);
484
485         if (fnum == -1) {
486                 printf("Failed to open %s: %s\n", filename, cli_errstr(cli));
487                 return EXIT_FAILED;
488         }
489
490         if (!StringToSid(&sid, new_username))
491                 return EXIT_PARSE_ERROR;
492
493         old = cli_query_secdesc(cli, fnum, ctx);
494
495         cli_close(cli, fnum);
496
497         if (!old) {
498                 printf("owner_set: Failed to query old descriptor\n");
499                 return EXIT_FAILED;
500         }
501
502         sd = make_sec_desc(ctx,old->revision,
503                                 (change_mode == REQUEST_CHOWN) ? &sid : old->owner_sid,
504                                 (change_mode == REQUEST_CHGRP) ? &sid : old->grp_sid,
505                            NULL, old->dacl, &sd_size);
506
507         fnum = cli_nt_create(cli, filename, CREATE_ACCESS_WRITE);
508
509         if (fnum == -1) {
510                 printf("Failed to open %s: %s\n", filename, cli_errstr(cli));
511                 return EXIT_FAILED;
512         }
513
514         if (!cli_set_secdesc(cli, fnum, sd)) {
515                 printf("ERROR: secdesc set failed: %s\n", cli_errstr(cli));
516         }
517
518         cli_close(cli, fnum);
519
520         return EXIT_OK;
521 }
522
523
524 /* The MSDN is contradictory over the ordering of ACE entries in an ACL.
525    However NT4 gives a "The information may have been modified by a
526    computer running Windows NT 5.0" if denied ACEs do not appear before
527    allowed ACEs. */
528
529 static int ace_compare(SEC_ACE *ace1, SEC_ACE *ace2)
530 {
531         if (sec_ace_equal(ace1, ace2)) 
532                 return 0;
533
534         if (ace1->type != ace2->type) 
535                 return ace2->type - ace1->type;
536
537         if (sid_compare(&ace1->trustee, &ace2->trustee)) 
538                 return sid_compare(&ace1->trustee, &ace2->trustee);
539
540         if (ace1->flags != ace2->flags) 
541                 return ace1->flags - ace2->flags;
542
543         if (ace1->info.mask != ace2->info.mask) 
544                 return ace1->info.mask - ace2->info.mask;
545
546         if (ace1->size != ace2->size) 
547                 return ace1->size - ace2->size;
548
549         return memcmp(ace1, ace2, sizeof(SEC_ACE));
550 }
551
552 static void sort_acl(SEC_ACL *the_acl)
553 {
554         uint32 i;
555         if (!the_acl) return;
556
557         qsort(the_acl->ace, the_acl->num_aces, sizeof(the_acl->ace[0]), QSORT_CAST ace_compare);
558
559         for (i=1;i<the_acl->num_aces;) {
560                 if (sec_ace_equal(&the_acl->ace[i-1], &the_acl->ace[i])) {
561                         int j;
562                         for (j=i; j<the_acl->num_aces-1; j++) {
563                                 the_acl->ace[j] = the_acl->ace[j+1];
564                         }
565                         the_acl->num_aces--;
566                 } else {
567                         i++;
568                 }
569         }
570 }
571
572 /***************************************************** 
573 set the ACLs on a file given an ascii description
574 *******************************************************/
575 static int cacl_set(struct cli_state *cli, char *filename, 
576                     char *the_acl, enum acl_mode mode)
577 {
578         int fnum;
579         SEC_DESC *sd, *old;
580         uint32 i, j;
581         size_t sd_size;
582         int result = EXIT_OK;
583
584         sd = sec_desc_parse(the_acl);
585
586         if (!sd) return EXIT_PARSE_ERROR;
587         if (test_args) return EXIT_OK;
588
589         /* The desired access below is the only one I could find that works
590            with NT4, W2KP and Samba */
591
592         fnum = cli_nt_create(cli, filename, CREATE_ACCESS_READ);
593
594         if (fnum == -1) {
595                 printf("cacl_set failed to open %s: %s\n", filename, cli_errstr(cli));
596                 return EXIT_FAILED;
597         }
598
599         old = cli_query_secdesc(cli, fnum, ctx);
600
601         if (!old) {
602                 printf("calc_set: Failed to query old descriptor\n");
603                 return EXIT_FAILED;
604         }
605
606         cli_close(cli, fnum);
607
608         /* the logic here is rather more complex than I would like */
609         switch (mode) {
610         case SMB_ACL_DELETE:
611                 for (i=0;sd->dacl && i<sd->dacl->num_aces;i++) {
612                         BOOL found = False;
613
614                         for (j=0;old->dacl && j<old->dacl->num_aces;j++) {
615                                 if (sec_ace_equal(&sd->dacl->ace[i],
616                                                   &old->dacl->ace[j])) {
617                                         uint32 k;
618                                         for (k=j; k<old->dacl->num_aces-1;k++) {
619                                                 old->dacl->ace[k] = old->dacl->ace[k+1];
620                                         }
621                                         old->dacl->num_aces--;
622                                         if (old->dacl->num_aces == 0) {
623                                                 SAFE_FREE(old->dacl->ace);
624                                                 SAFE_FREE(old->dacl);
625                                                 old->off_dacl = 0;
626                                         }
627                                         found = True;
628                                         break;
629                                 }
630                         }
631
632                         if (!found) {
633                                 printf("ACL for ACE:"); 
634                                 print_ace(stdout, &sd->dacl->ace[i]);
635                                 printf(" not found\n");
636                         }
637                 }
638                 break;
639
640         case SMB_ACL_MODIFY:
641                 for (i=0;sd->dacl && i<sd->dacl->num_aces;i++) {
642                         BOOL found = False;
643
644                         for (j=0;old->dacl && j<old->dacl->num_aces;j++) {
645                                 if (sid_equal(&sd->dacl->ace[i].trustee,
646                                               &old->dacl->ace[j].trustee)) {
647                                         old->dacl->ace[j] = sd->dacl->ace[i];
648                                         found = True;
649                                 }
650                         }
651
652                         if (!found) {
653                                 fstring str;
654
655                                 SidToString(str, &sd->dacl->ace[i].trustee);
656                                 printf("ACL for SID %s not found\n", str);
657                         }
658                 }
659
660                 break;
661
662         case SMB_ACL_ADD:
663                 for (i=0;sd->dacl && i<sd->dacl->num_aces;i++) {
664                         add_ace(&old->dacl, &sd->dacl->ace[i]);
665                 }
666                 break;
667
668         case SMB_ACL_SET:
669                 old = sd;
670                 break;
671         }
672
673         /* Denied ACE entries must come before allowed ones */
674         sort_acl(old->dacl);
675
676         /* Create new security descriptor and set it */
677         sd = make_sec_desc(ctx,old->revision, old->owner_sid, old->grp_sid, 
678                            NULL, old->dacl, &sd_size);
679
680         fnum = cli_nt_create(cli, filename, CREATE_ACCESS_WRITE);
681
682         if (fnum == -1) {
683                 printf("cacl_set failed to open %s: %s\n", filename, cli_errstr(cli));
684                 return EXIT_FAILED;
685         }
686
687         if (!cli_set_secdesc(cli, fnum, sd)) {
688                 printf("ERROR: secdesc set failed: %s\n", cli_errstr(cli));
689                 result = EXIT_FAILED;
690         }
691
692         /* Clean up */
693
694         cli_close(cli, fnum);
695
696         return result;
697 }
698
699
700 /***************************************************** 
701 return a connection to a server
702 *******************************************************/
703 struct cli_state *connect_one(char *share)
704 {
705         struct cli_state *c;
706         struct nmb_name called, calling;
707         struct in_addr ip;
708         extern pstring global_myname;
709
710         fstrcpy(server,share+2);
711         share = strchr_m(server,'\\');
712         if (!share) return NULL;
713         *share = 0;
714         share++;
715
716         zero_ip(&ip);
717
718         make_nmb_name(&calling, global_myname, 0x0);
719         make_nmb_name(&called , server, 0x20);
720
721  again:
722         zero_ip(&ip);
723
724         /* have to open a new connection */
725         if (!(c=cli_initialise(NULL)) || !cli_connect(c, server, &ip)) {
726                 DEBUG(0,("Connection to %s failed\n", server));
727                 cli_shutdown(c);
728                 return NULL;
729         }
730
731         if (!cli_session_request(c, &calling, &called)) {
732                 DEBUG(0,("session request to %s failed\n", called.name));
733                 cli_shutdown(c);
734                 if (strcmp(called.name, "*SMBSERVER")) {
735                         make_nmb_name(&called , "*SMBSERVER", 0x20);
736                         goto again;
737                 }
738                 return NULL;
739         }
740
741         DEBUG(4,(" session request ok\n"));
742
743         if (!cli_negprot(c)) {
744                 DEBUG(0,("protocol negotiation failed\n"));
745                 cli_shutdown(c);
746                 return NULL;
747         }
748
749         if (!got_pass) {
750                 char *pass = getpass("Password: ");
751                 if (pass) {
752                         pstrcpy(password, pass);
753                 }
754         }
755
756         if (!cli_session_setup(c, username, 
757                                password, strlen(password),
758                                password, strlen(password),
759                                lp_workgroup())) {
760                 DEBUG(0,("session setup failed: %s\n", cli_errstr(c)));
761                 cli_shutdown(c);
762                 return NULL;
763         }
764
765         DEBUG(4,(" session setup ok\n"));
766
767         if (!cli_send_tconX(c, share, "?????",
768                             password, strlen(password)+1)) {
769                 DEBUG(0,("tree connect failed: %s\n", cli_errstr(c)));
770                 cli_shutdown(c);
771                 return NULL;
772         }
773
774         DEBUG(4,(" tconx ok\n"));
775
776         return c;
777 }
778
779
780 static void usage(void)
781 {
782         printf(
783 "Usage: smbcacls //server1/share1 filename [options]\n\
784 \n\
785 \t-D <acls>               delete an acl\n\
786 \t-M <acls>               modify an acl\n\
787 \t-A <acls>               add an acl\n\
788 \t-S <acls>               set acls\n\
789 \t-C username             change ownership of a file\n\
790 \t-G username             change group ownership of a file\n\
791 \t-n                      don't resolve sids or masks to names\n\
792 \t-h                      print help\n\
793 \t-d debuglevel           set debug output level\n\
794 \t-U username             user to autheticate as\n\
795 \n\
796 The username can be of the form username%%password or\n\
797 workgroup\\username%%password.\n\n\
798 An acl is of the form ACL:<SID>:type/flags/mask\n\
799 You can string acls together with spaces, commas or newlines\n\
800 ");
801 }
802
803 /****************************************************************************
804   main program
805 ****************************************************************************/
806  int main(int argc,char *argv[])
807 {
808         char *share;
809         pstring filename;
810         extern char *optarg;
811         extern int optind;
812         int opt;
813         char *p;
814         struct cli_state *cli=NULL;
815         enum acl_mode mode = SMB_ACL_SET;
816         char *the_acl = NULL;
817         enum chown_mode change_mode = REQUEST_NONE;
818         int result;
819
820         ctx=talloc_init();
821
822         setlinebuf(stdout);
823
824         dbf = x_stderr;
825
826         if (argc < 3 || argv[1][0] == '-') {
827                 usage();
828                 talloc_destroy(ctx);
829                 exit(EXIT_PARSE_ERROR);
830         }
831
832         setup_logging(argv[0],True);
833
834         share = argv[1];
835         pstrcpy(filename, argv[2]);
836         all_string_sub(share,"/","\\",0);
837
838         argc -= 2;
839         argv += 2;
840
841         lp_load(dyn_CONFIGFILE,True,False,False);
842         load_interfaces();
843
844         if (getenv("USER")) {
845                 pstrcpy(username,getenv("USER"));
846
847                 if ((p=strchr_m(username,'%'))) {
848                         *p = 0;
849                         pstrcpy(password,p+1);
850                         got_pass = True;
851                         memset(strchr_m(getenv("USER"), '%') + 1, 'X',
852                                strlen(password));
853                 }
854         }
855
856         while ((opt = getopt(argc, argv, "U:nhS:D:A:M:C:G:td:")) != EOF) {
857                 switch (opt) {
858                 case 'U':
859                         pstrcpy(username,optarg);
860                         p = strchr_m(username,'%');
861                         if (p) {
862                                 *p = 0;
863                                 pstrcpy(password, p+1);
864                                 got_pass = 1;
865                         }
866                         break;
867
868                 case 'S':
869                         the_acl = optarg;
870                         mode = SMB_ACL_SET;
871                         break;
872
873                 case 'D':
874                         the_acl = optarg;
875                         mode = SMB_ACL_DELETE;
876                         break;
877
878                 case 'M':
879                         the_acl = optarg;
880                         mode = SMB_ACL_MODIFY;
881                         break;
882
883                 case 'A':
884                         the_acl = optarg;
885                         mode = SMB_ACL_ADD;
886                         break;
887
888                 case 'C':
889                         pstrcpy(owner_username,optarg);
890                         change_mode = REQUEST_CHOWN;
891                         break;
892
893                 case 'G':
894                         pstrcpy(owner_username,optarg);
895                         change_mode = REQUEST_CHGRP;
896                         break;
897
898                 case 'n':
899                         numeric = 1;
900                         break;
901
902                 case 't':
903                         test_args = 1;
904                         break;
905
906                 case 'h':
907                         usage();
908                         talloc_destroy(ctx);
909                         exit(EXIT_PARSE_ERROR);
910
911                 case 'd':
912                         DEBUGLEVEL = atoi(optarg);
913                         break;
914
915                 default:
916                         printf("Unknown option %c (%d)\n", (char)opt, opt);
917                         talloc_destroy(ctx);
918                         exit(EXIT_PARSE_ERROR);
919                 }
920         }
921
922         argc -= optind;
923         argv += optind;
924         
925         if (argc > 0) {
926                 usage();
927                 talloc_destroy(ctx);
928                 exit(EXIT_PARSE_ERROR);
929         }
930
931         /* Make connection to server */
932
933         if (!test_args) {
934                 cli = connect_one(share);
935                 if (!cli) {
936                         talloc_destroy(ctx);
937                         exit(EXIT_FAILED);
938                 }
939         }
940
941         all_string_sub(filename, "/", "\\", 0);
942         if (filename[0] != '\\') {
943                 pstring s;
944                 s[0] = '\\';
945                 safe_strcpy(&s[1], filename, sizeof(pstring)-1);
946                 pstrcpy(filename, s);
947         }
948
949         /* Perform requested action */
950
951         if (change_mode != REQUEST_NONE) {
952                 result = owner_set(cli, change_mode, filename, owner_username);
953         } else if (the_acl) {
954                 result = cacl_set(cli, filename, the_acl, mode);
955         } else {
956                 result = cacl_dump(cli, filename);
957         }
958
959         talloc_destroy(ctx);
960
961         return result;
962 }