5ccdae6d08f356af0affdb24157a0ba3c1e97ad6
[sfrench/samba-autobuild/.git] / source3 / utils / smbcacls.c
1 /* 
2    Unix SMB/CIFS implementation.
3    ACL get/set utility
4    
5    Copyright (C) Andrew Tridgell 2000
6    Copyright (C) Tim Potter      2000
7    Copyright (C) Jeremy Allison  2000
8    Copyright (C) Jelmer Vernooij 2003
9    
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 3 of the License, or
13    (at your option) any later version.
14    
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19    
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "popt_common.h"
26 #include "../librpc/gen_ndr/ndr_lsa.h"
27 #include "rpc_client/cli_lsarpc.h"
28 #include "../libcli/security/security.h"
29
30 extern bool AllowDebugChange;
31
32 static int test_args;
33
34 #define CREATE_ACCESS_READ READ_CONTROL_ACCESS
35
36 /* numeric is set when the user wants numeric SIDs and ACEs rather
37    than going via LSA calls to resolve them */
38 static int numeric;
39
40 static int sddl;
41
42 enum acl_mode {SMB_ACL_SET, SMB_ACL_DELETE, SMB_ACL_MODIFY, SMB_ACL_ADD };
43 enum chown_mode {REQUEST_NONE, REQUEST_CHOWN, REQUEST_CHGRP, REQUEST_INHERIT};
44 enum exit_values {EXIT_OK, EXIT_FAILED, EXIT_PARSE_ERROR};
45
46 struct perm_value {
47         const char *perm;
48         uint32 mask;
49 };
50
51 /* These values discovered by inspection */
52
53 static const struct perm_value special_values[] = {
54         { "R", 0x00120089 },
55         { "W", 0x00120116 },
56         { "X", 0x001200a0 },
57         { "D", 0x00010000 },
58         { "P", 0x00040000 },
59         { "O", 0x00080000 },
60         { NULL, 0 },
61 };
62
63 static const struct perm_value standard_values[] = {
64         { "READ",   0x001200a9 },
65         { "CHANGE", 0x001301bf },
66         { "FULL",   0x001f01ff },
67         { NULL, 0 },
68 };
69
70 /* Open cli connection and policy handle */
71
72 static NTSTATUS cli_lsa_lookup_sid(struct cli_state *cli,
73                                    const struct dom_sid *sid,
74                                    TALLOC_CTX *mem_ctx,
75                                    enum lsa_SidType *type,
76                                    char **domain, char **name)
77 {
78         uint16 orig_cnum = cli->cnum;
79         struct rpc_pipe_client *p = NULL;
80         struct policy_handle handle;
81         NTSTATUS status;
82         TALLOC_CTX *frame = talloc_stackframe();
83         enum lsa_SidType *types;
84         char **domains;
85         char **names;
86
87         status = cli_tcon_andx(cli, "IPC$", "?????", "", 0);
88         if (!NT_STATUS_IS_OK(status)) {
89                 return status;
90         }
91
92         status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
93                                           &p);
94         if (!NT_STATUS_IS_OK(status)) {
95                 goto fail;
96         }
97
98         status = rpccli_lsa_open_policy(p, talloc_tos(), True,
99                                         GENERIC_EXECUTE_ACCESS, &handle);
100         if (!NT_STATUS_IS_OK(status)) {
101                 goto fail;
102         }
103
104         status = rpccli_lsa_lookup_sids(p, talloc_tos(), &handle, 1, sid,
105                                         &domains, &names, &types);
106         if (!NT_STATUS_IS_OK(status)) {
107                 goto fail;
108         }
109
110         *type = types[0];
111         *domain = talloc_move(mem_ctx, &domains[0]);
112         *name = talloc_move(mem_ctx, &names[0]);
113
114         status = NT_STATUS_OK;
115  fail:
116         TALLOC_FREE(p);
117         cli_tdis(cli);
118         cli->cnum = orig_cnum;
119         TALLOC_FREE(frame);
120         return status;
121 }
122
123 static NTSTATUS cli_lsa_lookup_name(struct cli_state *cli,
124                                     const char *name,
125                                     enum lsa_SidType *type,
126                                     struct dom_sid *sid)
127 {
128         uint16 orig_cnum = cli->cnum;
129         struct rpc_pipe_client *p;
130         struct policy_handle handle;
131         NTSTATUS status;
132         TALLOC_CTX *frame = talloc_stackframe();
133         struct dom_sid *sids;
134         enum lsa_SidType *types;
135
136         status = cli_tcon_andx(cli, "IPC$", "?????", "", 0);
137         if (!NT_STATUS_IS_OK(status)) {
138                 return status;
139         }
140
141         status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
142                                           &p);
143         if (!NT_STATUS_IS_OK(status)) {
144                 goto fail;
145         }
146
147         status = rpccli_lsa_open_policy(p, talloc_tos(), True,
148                                         GENERIC_EXECUTE_ACCESS, &handle);
149         if (!NT_STATUS_IS_OK(status)) {
150                 goto fail;
151         }
152
153         status = rpccli_lsa_lookup_names(p, talloc_tos(), &handle, 1, &name,
154                                          NULL, 1, &sids, &types);
155         if (!NT_STATUS_IS_OK(status)) {
156                 goto fail;
157         }
158
159         *type = types[0];
160         *sid = sids[0];
161
162         status = NT_STATUS_OK;
163  fail:
164         TALLOC_FREE(p);
165         cli_tdis(cli);
166         cli->cnum = orig_cnum;
167         TALLOC_FREE(frame);
168         return status;
169 }
170
171 /* convert a SID to a string, either numeric or username/group */
172 static void SidToString(struct cli_state *cli, fstring str, const struct dom_sid *sid)
173 {
174         char *domain = NULL;
175         char *name = NULL;
176         enum lsa_SidType type;
177         NTSTATUS status;
178
179         sid_to_fstring(str, sid);
180
181         if (numeric) {
182                 return;
183         }
184
185         status = cli_lsa_lookup_sid(cli, sid, talloc_tos(), &type,
186                                     &domain, &name);
187
188         if (!NT_STATUS_IS_OK(status)) {
189                 return;
190         }
191
192         if (*domain) {
193                 slprintf(str, sizeof(fstring) - 1, "%s%s%s",
194                         domain, lp_winbind_separator(), name);
195         } else {
196                 fstrcpy(str, name);
197         }
198 }
199
200 /* convert a string to a SID, either numeric or username/group */
201 static bool StringToSid(struct cli_state *cli, struct dom_sid *sid, const char *str)
202 {
203         enum lsa_SidType type;
204
205         if (strncmp(str, "S-", 2) == 0) {
206                 return string_to_sid(sid, str);
207         }
208
209         return NT_STATUS_IS_OK(cli_lsa_lookup_name(cli, str, &type, sid));
210 }
211
212 static void print_ace_flags(FILE *f, uint8_t flags)
213 {
214         char *str = talloc_strdup(NULL, "");
215
216         if (!str) {
217                 goto out;
218         }
219
220         if (flags & SEC_ACE_FLAG_OBJECT_INHERIT) {
221                 str = talloc_asprintf(str, "%s%s",
222                                 str, "OI|");
223                 if (!str) {
224                         goto out;
225                 }
226         }
227         if (flags & SEC_ACE_FLAG_CONTAINER_INHERIT) {
228                 str = talloc_asprintf(str, "%s%s",
229                                 str, "CI|");
230                 if (!str) {
231                         goto out;
232                 }
233         }
234         if (flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
235                 str = talloc_asprintf(str, "%s%s",
236                                 str, "NP|");
237                 if (!str) {
238                         goto out;
239                 }
240         }
241         if (flags & SEC_ACE_FLAG_INHERIT_ONLY) {
242                 str = talloc_asprintf(str, "%s%s",
243                                 str, "IO|");
244                 if (!str) {
245                         goto out;
246                 }
247         }
248         if (flags & SEC_ACE_FLAG_INHERITED_ACE) {
249                 str = talloc_asprintf(str, "%s%s",
250                                 str, "I|");
251                 if (!str) {
252                         goto out;
253                 }
254         }
255         /* Ignore define SEC_ACE_FLAG_SUCCESSFUL_ACCESS ( 0x40 )
256            and SEC_ACE_FLAG_FAILED_ACCESS ( 0x80 ) as they're
257            audit ace flags. */
258
259         if (str[strlen(str)-1] == '|') {
260                 str[strlen(str)-1] = '\0';
261                 fprintf(f, "/%s/", str);
262         } else {
263                 fprintf(f, "/0x%x/", flags);
264         }
265         TALLOC_FREE(str);
266         return;
267
268   out:
269         fprintf(f, "/0x%x/", flags);
270 }
271
272 /* print an ACE on a FILE, using either numeric or ascii representation */
273 static void print_ace(struct cli_state *cli, FILE *f, struct security_ace *ace)
274 {
275         const struct perm_value *v;
276         fstring sidstr;
277         int do_print = 0;
278         uint32 got_mask;
279
280         SidToString(cli, sidstr, &ace->trustee);
281
282         fprintf(f, "%s:", sidstr);
283
284         if (numeric) {
285                 fprintf(f, "%d/0x%x/0x%08x",
286                         ace->type, ace->flags, ace->access_mask);
287                 return;
288         }
289
290         /* Ace type */
291
292         if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) {
293                 fprintf(f, "ALLOWED");
294         } else if (ace->type == SEC_ACE_TYPE_ACCESS_DENIED) {
295                 fprintf(f, "DENIED");
296         } else {
297                 fprintf(f, "%d", ace->type);
298         }
299
300         print_ace_flags(f, ace->flags);
301
302         /* Standard permissions */
303
304         for (v = standard_values; v->perm; v++) {
305                 if (ace->access_mask == v->mask) {
306                         fprintf(f, "%s", v->perm);
307                         return;
308                 }
309         }
310
311         /* Special permissions.  Print out a hex value if we have
312            leftover bits in the mask. */
313
314         got_mask = ace->access_mask;
315
316  again:
317         for (v = special_values; v->perm; v++) {
318                 if ((ace->access_mask & v->mask) == v->mask) {
319                         if (do_print) {
320                                 fprintf(f, "%s", v->perm);
321                         }
322                         got_mask &= ~v->mask;
323                 }
324         }
325
326         if (!do_print) {
327                 if (got_mask != 0) {
328                         fprintf(f, "0x%08x", ace->access_mask);
329                 } else {
330                         do_print = 1;
331                         goto again;
332                 }
333         }
334 }
335
336 static bool parse_ace_flags(const char *str, unsigned int *pflags)
337 {
338         const char *p = str;
339         *pflags = 0;
340
341         while (*p) {
342                 if (strnequal(p, "OI", 2)) {
343                         *pflags |= SEC_ACE_FLAG_OBJECT_INHERIT;
344                         p += 2;
345                 } else if (strnequal(p, "CI", 2)) {
346                         *pflags |= SEC_ACE_FLAG_CONTAINER_INHERIT;
347                         p += 2;
348                 } else if (strnequal(p, "NP", 2)) {
349                         *pflags |= SEC_ACE_FLAG_NO_PROPAGATE_INHERIT;
350                         p += 2;
351                 } else if (strnequal(p, "IO", 2)) {
352                         *pflags |= SEC_ACE_FLAG_INHERIT_ONLY;
353                         p += 2;
354                 } else if (*p == 'I') {
355                         *pflags |= SEC_ACE_FLAG_INHERITED_ACE;
356                         p += 1;
357                 } else if (*p) {
358                         return false;
359                 }
360
361                 if (*p != '|' && *p != '\0') {
362                         return false;
363                 }
364         }
365         return true;
366 }
367
368 /* parse an ACE in the same format as print_ace() */
369 static bool parse_ace(struct cli_state *cli, struct security_ace *ace,
370                       const char *orig_str)
371 {
372         char *p;
373         const char *cp;
374         char *tok;
375         unsigned int atype = 0;
376         unsigned int aflags = 0;
377         unsigned int amask = 0;
378         struct dom_sid sid;
379         uint32_t mask;
380         const struct perm_value *v;
381         char *str = SMB_STRDUP(orig_str);
382         TALLOC_CTX *frame = talloc_stackframe();
383
384         if (!str) {
385                 TALLOC_FREE(frame);
386                 return False;
387         }
388
389         ZERO_STRUCTP(ace);
390         p = strchr_m(str,':');
391         if (!p) {
392                 printf("ACE '%s': missing ':'.\n", orig_str);
393                 SAFE_FREE(str);
394                 TALLOC_FREE(frame);
395                 return False;
396         }
397         *p = '\0';
398         p++;
399         /* Try to parse numeric form */
400
401         if (sscanf(p, "%i/%i/%i", &atype, &aflags, &amask) == 3 &&
402             StringToSid(cli, &sid, str)) {
403                 goto done;
404         }
405
406         /* Try to parse text form */
407
408         if (!StringToSid(cli, &sid, str)) {
409                 printf("ACE '%s': failed to convert '%s' to SID\n",
410                         orig_str, str);
411                 SAFE_FREE(str);
412                 TALLOC_FREE(frame);
413                 return False;
414         }
415
416         cp = p;
417         if (!next_token_talloc(frame, &cp, &tok, "/")) {
418                 printf("ACE '%s': failed to find '/' character.\n",
419                         orig_str);
420                 SAFE_FREE(str);
421                 TALLOC_FREE(frame);
422                 return False;
423         }
424
425         if (strncmp(tok, "ALLOWED", strlen("ALLOWED")) == 0) {
426                 atype = SEC_ACE_TYPE_ACCESS_ALLOWED;
427         } else if (strncmp(tok, "DENIED", strlen("DENIED")) == 0) {
428                 atype = SEC_ACE_TYPE_ACCESS_DENIED;
429         } else {
430                 printf("ACE '%s': missing 'ALLOWED' or 'DENIED' entry at '%s'\n",
431                         orig_str, tok);
432                 SAFE_FREE(str);
433                 TALLOC_FREE(frame);
434                 return False;
435         }
436
437         /* Only numeric form accepted for flags at present */
438
439         if (!next_token_talloc(frame, &cp, &tok, "/")) {
440                 printf("ACE '%s': bad flags entry at '%s'\n",
441                         orig_str, tok);
442                 SAFE_FREE(str);
443                 TALLOC_FREE(frame);
444                 return False;
445         }
446
447         if (tok[0] < '0' || tok[0] > '9') {
448                 if (!parse_ace_flags(tok, &aflags)) {
449                         printf("ACE '%s': bad named flags entry at '%s'\n",
450                                 orig_str, tok);
451                         SAFE_FREE(str);
452                         TALLOC_FREE(frame);
453                         return False;
454                 }
455         } else if (strnequal(tok, "0x", 2)) {
456                 if (!sscanf(tok, "%x", &aflags)) {
457                         printf("ACE '%s': bad hex flags entry at '%s'\n",
458                                 orig_str, tok);
459                         SAFE_FREE(str);
460                         TALLOC_FREE(frame);
461                         return False;
462                 }
463         } else {
464                 if (!sscanf(tok, "%i", &aflags)) {
465                         printf("ACE '%s': bad integer flags entry at '%s'\n",
466                                 orig_str, tok);
467                         SAFE_FREE(str);
468                         TALLOC_FREE(frame);
469                         return False;
470                 }
471         }
472
473         if (!next_token_talloc(frame, &cp, &tok, "/")) {
474                 printf("ACE '%s': missing / at '%s'\n",
475                         orig_str, tok);
476                 SAFE_FREE(str);
477                 TALLOC_FREE(frame);
478                 return False;
479         }
480
481         if (strncmp(tok, "0x", 2) == 0) {
482                 if (sscanf(tok, "%i", &amask) != 1) {
483                         printf("ACE '%s': bad hex number at '%s'\n",
484                                 orig_str, tok);
485                         SAFE_FREE(str);
486                         TALLOC_FREE(frame);
487                         return False;
488                 }
489                 goto done;
490         }
491
492         for (v = standard_values; v->perm; v++) {
493                 if (strcmp(tok, v->perm) == 0) {
494                         amask = v->mask;
495                         goto done;
496                 }
497         }
498
499         p = tok;
500
501         while(*p) {
502                 bool found = False;
503
504                 for (v = special_values; v->perm; v++) {
505                         if (v->perm[0] == *p) {
506                                 amask |= v->mask;
507                                 found = True;
508                         }
509                 }
510
511                 if (!found) {
512                         printf("ACE '%s': bad permission value at '%s'\n",
513                                 orig_str, p);
514                         SAFE_FREE(str);
515                         TALLOC_FREE(frame);
516                         return False;
517                 }
518                 p++;
519         }
520
521         if (*p) {
522                 TALLOC_FREE(frame);
523                 SAFE_FREE(str);
524                 return False;
525         }
526
527  done:
528         mask = amask;
529         init_sec_ace(ace, &sid, atype, mask, aflags);
530         TALLOC_FREE(frame);
531         SAFE_FREE(str);
532         return True;
533 }
534
535 /* add an ACE to a list of ACEs in a struct security_acl */
536 static bool add_ace(struct security_acl **the_acl, struct security_ace *ace)
537 {
538         struct security_acl *new_ace;
539         struct security_ace *aces;
540         if (! *the_acl) {
541                 return (((*the_acl) = make_sec_acl(talloc_tos(), 3, 1, ace))
542                         != NULL);
543         }
544
545         if (!(aces = SMB_CALLOC_ARRAY(struct security_ace, 1+(*the_acl)->num_aces))) {
546                 return False;
547         }
548         memcpy(aces, (*the_acl)->aces, (*the_acl)->num_aces * sizeof(struct
549         security_ace));
550         memcpy(aces+(*the_acl)->num_aces, ace, sizeof(struct security_ace));
551         new_ace = make_sec_acl(talloc_tos(),(*the_acl)->revision,1+(*the_acl)->num_aces, aces);
552         SAFE_FREE(aces);
553         (*the_acl) = new_ace;
554         return True;
555 }
556
557 /* parse a ascii version of a security descriptor */
558 static struct security_descriptor *sec_desc_parse(TALLOC_CTX *ctx, struct cli_state *cli, char *str)
559 {
560         const char *p = str;
561         char *tok;
562         struct security_descriptor *ret = NULL;
563         size_t sd_size;
564         struct dom_sid *grp_sid=NULL, *owner_sid=NULL;
565         struct security_acl *dacl=NULL;
566         int revision=1;
567
568         while (next_token_talloc(ctx, &p, &tok, "\t,\r\n")) {
569                 if (strncmp(tok,"REVISION:", 9) == 0) {
570                         revision = strtol(tok+9, NULL, 16);
571                         continue;
572                 }
573
574                 if (strncmp(tok,"OWNER:", 6) == 0) {
575                         if (owner_sid) {
576                                 printf("Only specify owner once\n");
577                                 goto done;
578                         }
579                         owner_sid = SMB_CALLOC_ARRAY(struct dom_sid, 1);
580                         if (!owner_sid ||
581                             !StringToSid(cli, owner_sid, tok+6)) {
582                                 printf("Failed to parse owner sid\n");
583                                 goto done;
584                         }
585                         continue;
586                 }
587
588                 if (strncmp(tok,"GROUP:", 6) == 0) {
589                         if (grp_sid) {
590                                 printf("Only specify group once\n");
591                                 goto done;
592                         }
593                         grp_sid = SMB_CALLOC_ARRAY(struct dom_sid, 1);
594                         if (!grp_sid ||
595                             !StringToSid(cli, grp_sid, tok+6)) {
596                                 printf("Failed to parse group sid\n");
597                                 goto done;
598                         }
599                         continue;
600                 }
601
602                 if (strncmp(tok,"ACL:", 4) == 0) {
603                         struct security_ace ace;
604                         if (!parse_ace(cli, &ace, tok+4)) {
605                                 goto done;
606                         }
607                         if(!add_ace(&dacl, &ace)) {
608                                 printf("Failed to add ACL %s\n", tok);
609                                 goto done;
610                         }
611                         continue;
612                 }
613
614                 printf("Failed to parse token '%s' in security descriptor,\n", tok);
615                 goto done;
616         }
617
618         ret = make_sec_desc(ctx,revision, SEC_DESC_SELF_RELATIVE, owner_sid, grp_sid,
619                             NULL, dacl, &sd_size);
620
621   done:
622         SAFE_FREE(grp_sid);
623         SAFE_FREE(owner_sid);
624
625         return ret;
626 }
627
628
629 /* print a ascii version of a security descriptor on a FILE handle */
630 static void sec_desc_print(struct cli_state *cli, FILE *f, struct security_descriptor *sd)
631 {
632         fstring sidstr;
633         uint32 i;
634
635         fprintf(f, "REVISION:%d\n", sd->revision);
636         fprintf(f, "CONTROL:0x%x\n", sd->type);
637
638         /* Print owner and group sid */
639
640         if (sd->owner_sid) {
641                 SidToString(cli, sidstr, sd->owner_sid);
642         } else {
643                 fstrcpy(sidstr, "");
644         }
645
646         fprintf(f, "OWNER:%s\n", sidstr);
647
648         if (sd->group_sid) {
649                 SidToString(cli, sidstr, sd->group_sid);
650         } else {
651                 fstrcpy(sidstr, "");
652         }
653
654         fprintf(f, "GROUP:%s\n", sidstr);
655
656         /* Print aces */
657         for (i = 0; sd->dacl && i < sd->dacl->num_aces; i++) {
658                 struct security_ace *ace = &sd->dacl->aces[i];
659                 fprintf(f, "ACL:");
660                 print_ace(cli, f, ace);
661                 fprintf(f, "\n");
662         }
663
664 }
665
666 /*****************************************************
667 get fileinfo for filename
668 *******************************************************/
669 static uint16 get_fileinfo(struct cli_state *cli, const char *filename)
670 {
671         uint16_t fnum = (uint16_t)-1;
672         uint16 mode;
673
674         /* The desired access below is the only one I could find that works
675            with NT4, W2KP and Samba */
676
677         if (!NT_STATUS_IS_OK(cli_ntcreate(cli, filename, 0, CREATE_ACCESS_READ,
678                                           0, FILE_SHARE_READ|FILE_SHARE_WRITE,
679                                           FILE_OPEN, 0x0, 0x0, &fnum))) {
680                 printf("Failed to open %s: %s\n", filename, cli_errstr(cli));
681         }
682
683         if (!NT_STATUS_IS_OK(cli_qfileinfo_basic(
684                                      cli, fnum, &mode, NULL, NULL, NULL,
685                                      NULL, NULL, NULL))) {
686                 printf("Failed to file info %s: %s\n", filename,
687                                                        cli_errstr(cli));
688         }
689
690         cli_close(cli, fnum);
691
692         return mode;
693 }
694
695 /*****************************************************
696 get sec desc for filename
697 *******************************************************/
698 static struct security_descriptor *get_secdesc(struct cli_state *cli, const char *filename)
699 {
700         uint16_t fnum = (uint16_t)-1;
701         struct security_descriptor *sd;
702
703         /* The desired access below is the only one I could find that works
704            with NT4, W2KP and Samba */
705
706         if (!NT_STATUS_IS_OK(cli_ntcreate(cli, filename, 0, CREATE_ACCESS_READ,
707                                           0, FILE_SHARE_READ|FILE_SHARE_WRITE,
708                                           FILE_OPEN, 0x0, 0x0, &fnum))) {
709                 printf("Failed to open %s: %s\n", filename, cli_errstr(cli));
710                 return NULL;
711         }
712
713         sd = cli_query_secdesc(cli, fnum, talloc_tos());
714
715         cli_close(cli, fnum);
716
717         if (!sd) {
718                 printf("Failed to get security descriptor\n");
719                 return NULL;
720         }
721         return sd;
722 }
723
724 /*****************************************************
725 set sec desc for filename
726 *******************************************************/
727 static bool set_secdesc(struct cli_state *cli, const char *filename,
728                         struct security_descriptor *sd)
729 {
730         uint16_t fnum = (uint16_t)-1;
731         bool result=true;
732
733         /* The desired access below is the only one I could find that works
734            with NT4, W2KP and Samba */
735
736         if (!NT_STATUS_IS_OK(cli_ntcreate(cli, filename, 0,
737                                           WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS,
738                                           0, FILE_SHARE_READ|FILE_SHARE_WRITE,
739                                           FILE_OPEN, 0x0, 0x0, &fnum))) {
740                 printf("Failed to open %s: %s\n", filename, cli_errstr(cli));
741                 return false;
742         }
743
744         if (!cli_set_secdesc(cli, fnum, sd)) {
745                 printf("ERROR: security description set failed: %s\n",
746                        cli_errstr(cli));
747                 result=false;
748         }
749
750         cli_close(cli, fnum);
751         return result;
752 }
753
754 /*****************************************************
755 dump the acls for a file
756 *******************************************************/
757 static int cacl_dump(struct cli_state *cli, const char *filename)
758 {
759         int result = EXIT_FAILED;
760         struct security_descriptor *sd;
761
762         if (test_args)
763                 return EXIT_OK;
764
765         sd = get_secdesc(cli, filename);
766
767         if (sd) {
768                 if (sddl) {
769                         printf("%s\n", sddl_encode(talloc_tos(), sd,
770                                            get_global_sam_sid()));
771                 } else {
772                         sec_desc_print(cli, stdout, sd);
773                 }
774                 result = EXIT_OK;
775         }
776
777         return result;
778 }
779
780 /***************************************************** 
781 Change the ownership or group ownership of a file. Just
782 because the NT docs say this can't be done :-). JRA.
783 *******************************************************/
784
785 static int owner_set(struct cli_state *cli, enum chown_mode change_mode, 
786                         const char *filename, const char *new_username)
787 {
788         struct dom_sid sid;
789         struct security_descriptor *sd, *old;
790         size_t sd_size;
791
792         if (!StringToSid(cli, &sid, new_username))
793                 return EXIT_PARSE_ERROR;
794
795         old = get_secdesc(cli, filename);
796
797         if (!old) {
798                 return EXIT_FAILED;
799         }
800
801         sd = make_sec_desc(talloc_tos(),old->revision, old->type,
802                                 (change_mode == REQUEST_CHOWN) ? &sid : NULL,
803                                 (change_mode == REQUEST_CHGRP) ? &sid : NULL,
804                            NULL, NULL, &sd_size);
805
806         if (!set_secdesc(cli, filename, sd)) {
807                 return EXIT_FAILED;
808         }
809
810         return EXIT_OK;
811 }
812
813
814 /* The MSDN is contradictory over the ordering of ACE entries in an
815    ACL.  However NT4 gives a "The information may have been modified
816    by a computer running Windows NT 5.0" if denied ACEs do not appear
817    before allowed ACEs. At
818    http://technet.microsoft.com/en-us/library/cc781716.aspx the
819    canonical order is specified as "Explicit Deny, Explicit Allow,
820    Inherited ACEs unchanged" */
821
822 static int ace_compare(struct security_ace *ace1, struct security_ace *ace2)
823 {
824         if (sec_ace_equal(ace1, ace2))
825                 return 0;
826
827         if ((ace1->flags & SEC_ACE_FLAG_INHERITED_ACE) &&
828                         !(ace2->flags & SEC_ACE_FLAG_INHERITED_ACE))
829                 return 1;
830         if (!(ace1->flags & SEC_ACE_FLAG_INHERITED_ACE) &&
831                         (ace2->flags & SEC_ACE_FLAG_INHERITED_ACE))
832                 return -1;
833         if ((ace1->flags & SEC_ACE_FLAG_INHERITED_ACE) &&
834                         (ace2->flags & SEC_ACE_FLAG_INHERITED_ACE))
835                 return ace1 - ace2;
836
837         if (ace1->type != ace2->type)
838                 return ace2->type - ace1->type;
839
840         if (dom_sid_compare(&ace1->trustee, &ace2->trustee))
841                 return dom_sid_compare(&ace1->trustee, &ace2->trustee);
842
843         if (ace1->flags != ace2->flags)
844                 return ace1->flags - ace2->flags;
845
846         if (ace1->access_mask != ace2->access_mask)
847                 return ace1->access_mask - ace2->access_mask;
848
849         if (ace1->size != ace2->size)
850                 return ace1->size - ace2->size;
851
852         return memcmp(ace1, ace2, sizeof(struct security_ace));
853 }
854
855 static void sort_acl(struct security_acl *the_acl)
856 {
857         uint32 i;
858         if (!the_acl) return;
859
860         TYPESAFE_QSORT(the_acl->aces, the_acl->num_aces, ace_compare);
861
862         for (i=1;i<the_acl->num_aces;) {
863                 if (sec_ace_equal(&the_acl->aces[i-1], &the_acl->aces[i])) {
864                         int j;
865                         for (j=i; j<the_acl->num_aces-1; j++) {
866                                 the_acl->aces[j] = the_acl->aces[j+1];
867                         }
868                         the_acl->num_aces--;
869                 } else {
870                         i++;
871                 }
872         }
873 }
874
875 /***************************************************** 
876 set the ACLs on a file given an ascii description
877 *******************************************************/
878
879 static int cacl_set(struct cli_state *cli, const char *filename,
880                     char *the_acl, enum acl_mode mode)
881 {
882         struct security_descriptor *sd, *old;
883         uint32 i, j;
884         size_t sd_size;
885         int result = EXIT_OK;
886
887         if (sddl) {
888                 sd = sddl_decode(talloc_tos(), the_acl, get_global_sam_sid());
889         } else {
890                 sd = sec_desc_parse(talloc_tos(), cli, the_acl);
891         }
892
893         if (!sd) return EXIT_PARSE_ERROR;
894         if (test_args) return EXIT_OK;
895
896         old = get_secdesc(cli, filename);
897
898         if (!old) {
899                 return EXIT_FAILED;
900         }
901
902         /* the logic here is rather more complex than I would like */
903         switch (mode) {
904         case SMB_ACL_DELETE:
905                 for (i=0;sd->dacl && i<sd->dacl->num_aces;i++) {
906                         bool found = False;
907
908                         for (j=0;old->dacl && j<old->dacl->num_aces;j++) {
909                                 if (sec_ace_equal(&sd->dacl->aces[i],
910                                                   &old->dacl->aces[j])) {
911                                         uint32 k;
912                                         for (k=j; k<old->dacl->num_aces-1;k++) {
913                                                 old->dacl->aces[k] = old->dacl->aces[k+1];
914                                         }
915                                         old->dacl->num_aces--;
916                                         found = True;
917                                         break;
918                                 }
919                         }
920
921                         if (!found) {
922                                 printf("ACL for ACE:");
923                                 print_ace(cli, stdout, &sd->dacl->aces[i]);
924                                 printf(" not found\n");
925                         }
926                 }
927                 break;
928
929         case SMB_ACL_MODIFY:
930                 for (i=0;sd->dacl && i<sd->dacl->num_aces;i++) {
931                         bool found = False;
932
933                         for (j=0;old->dacl && j<old->dacl->num_aces;j++) {
934                                 if (dom_sid_equal(&sd->dacl->aces[i].trustee,
935                                               &old->dacl->aces[j].trustee)) {
936                                         old->dacl->aces[j] = sd->dacl->aces[i];
937                                         found = True;
938                                 }
939                         }
940
941                         if (!found) {
942                                 fstring str;
943
944                                 SidToString(cli, str,
945                                             &sd->dacl->aces[i].trustee);
946                                 printf("ACL for SID %s not found\n", str);
947                         }
948                 }
949
950                 if (sd->owner_sid) {
951                         old->owner_sid = sd->owner_sid;
952                 }
953
954                 if (sd->group_sid) {
955                         old->group_sid = sd->group_sid;
956                 }
957
958                 break;
959
960         case SMB_ACL_ADD:
961                 for (i=0;sd->dacl && i<sd->dacl->num_aces;i++) {
962                         add_ace(&old->dacl, &sd->dacl->aces[i]);
963                 }
964                 break;
965
966         case SMB_ACL_SET:
967                 old = sd;
968                 break;
969         }
970
971         /* Denied ACE entries must come before allowed ones */
972         sort_acl(old->dacl);
973
974         /* Create new security descriptor and set it */
975
976         /* We used to just have "WRITE_DAC_ACCESS" without WRITE_OWNER.
977            But if we're sending an owner, even if it's the same as the one
978            that already exists then W2K3 insists we open with WRITE_OWNER access.
979            I need to check that setting a SD with no owner set works against WNT
980            and W2K. JRA.
981         */
982
983         sd = make_sec_desc(talloc_tos(),old->revision, old->type,
984                            old->owner_sid, old->group_sid,
985                            NULL, old->dacl, &sd_size);
986
987         if (!set_secdesc(cli, filename, sd)) {
988                 result = EXIT_FAILED;
989         }
990
991         return result;
992 }
993
994 /*****************************************************
995 set the inherit on a file
996 *******************************************************/
997 static int inherit(struct cli_state *cli, const char *filename,
998                    const char *type)
999 {
1000         struct security_descriptor *old,*sd;
1001         uint32 oldattr;
1002         size_t sd_size;
1003         int result = EXIT_OK;
1004
1005         old = get_secdesc(cli, filename);
1006
1007         if (!old) {
1008                 return EXIT_FAILED;
1009         }
1010
1011         oldattr = get_fileinfo(cli,filename);
1012
1013         if (strcmp(type,"allow")==0) {
1014                 if ((old->type & SEC_DESC_DACL_PROTECTED) ==
1015                     SEC_DESC_DACL_PROTECTED) {
1016                         int i;
1017                         char *parentname,*temp;
1018                         struct security_descriptor *parent;
1019                         temp = talloc_strdup(talloc_tos(), filename);
1020
1021                         old->type=old->type & (~SEC_DESC_DACL_PROTECTED);
1022
1023                         /* look at parent and copy in all its inheritable ACL's. */
1024                         string_replace(temp, '\\', '/');
1025                         if (!parent_dirname(talloc_tos(),temp,&parentname,NULL)) {
1026                                 return EXIT_FAILED;
1027                         }
1028                         string_replace(parentname, '/', '\\');
1029                         parent = get_secdesc(cli,parentname);
1030                         for (i=0;i<parent->dacl->num_aces;i++) {
1031                                 struct security_ace *ace=&parent->dacl->aces[i];
1032                                 /* Add inherited flag to all aces */
1033                                 ace->flags=ace->flags|
1034                                            SEC_ACE_FLAG_INHERITED_ACE;
1035                                 if ((oldattr & aDIR) == aDIR) {
1036                                         if ((ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) ==
1037                                             SEC_ACE_FLAG_CONTAINER_INHERIT) {
1038                                                 add_ace(&old->dacl, ace);
1039                                         }
1040                                 } else {
1041                                         if ((ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT) ==
1042                                             SEC_ACE_FLAG_OBJECT_INHERIT) {
1043                                                 /* clear flags for files */
1044                                                 ace->flags=0;
1045                                                 add_ace(&old->dacl, ace);
1046                                         }
1047                                 }
1048                         }
1049                 } else {
1050                         printf("Already set to inheritable permissions.\n");
1051                         return EXIT_FAILED;
1052                 }
1053         } else if (strcmp(type,"remove")==0) {
1054                 if ((old->type & SEC_DESC_DACL_PROTECTED) !=
1055                     SEC_DESC_DACL_PROTECTED) {
1056                         old->type=old->type | SEC_DESC_DACL_PROTECTED;
1057
1058                         /* remove all inherited ACL's. */
1059                         if (old->dacl) {
1060                                 int i;
1061                                 struct security_acl *temp=old->dacl;
1062                                 old->dacl=make_sec_acl(talloc_tos(), 3, 0, NULL);
1063                                 for (i=temp->num_aces-1;i>=0;i--) {
1064                                         struct security_ace *ace=&temp->aces[i];
1065                                         /* Remove all ace with INHERITED flag set */
1066                                         if ((ace->flags & SEC_ACE_FLAG_INHERITED_ACE) !=
1067                                             SEC_ACE_FLAG_INHERITED_ACE) {
1068                                                 add_ace(&old->dacl,ace);
1069                                         }
1070                                 }
1071                         }
1072                 } else {
1073                         printf("Already set to no inheritable permissions.\n");
1074                         return EXIT_FAILED;
1075                 }
1076         } else if (strcmp(type,"copy")==0) {
1077                 if ((old->type & SEC_DESC_DACL_PROTECTED) !=
1078                     SEC_DESC_DACL_PROTECTED) {
1079                         old->type=old->type | SEC_DESC_DACL_PROTECTED;
1080
1081                         /* convert all inherited ACL's to non inherated ACL's. */
1082                         if (old->dacl) {
1083                                 int i;
1084                                 for (i=0;i<old->dacl->num_aces;i++) {
1085                                         struct security_ace *ace=&old->dacl->aces[i];
1086                                         /* Remove INHERITED FLAG from all aces */
1087                                         ace->flags=ace->flags&(~SEC_ACE_FLAG_INHERITED_ACE);
1088                                 }
1089                         }
1090                 } else {
1091                         printf("Already set to no inheritable permissions.\n");
1092                         return EXIT_FAILED;
1093                 }
1094         }
1095
1096         /* Denied ACE entries must come before allowed ones */
1097         sort_acl(old->dacl);
1098
1099         sd = make_sec_desc(talloc_tos(),old->revision, old->type,
1100                            old->owner_sid, old->group_sid,
1101                            NULL, old->dacl, &sd_size);
1102
1103         if (!set_secdesc(cli, filename, sd)) {
1104                 result = EXIT_FAILED;
1105         }
1106
1107         return result;
1108 }
1109
1110 /*****************************************************
1111  Return a connection to a server.
1112 *******************************************************/
1113 static struct cli_state *connect_one(struct user_auth_info *auth_info,
1114                                      const char *server, const char *share)
1115 {
1116         struct cli_state *c = NULL;
1117         struct sockaddr_storage ss;
1118         NTSTATUS nt_status;
1119         uint32_t flags = 0;
1120
1121         zero_sockaddr(&ss);
1122
1123         if (get_cmdline_auth_info_use_kerberos(auth_info)) {
1124                 flags |= CLI_FULL_CONNECTION_USE_KERBEROS |
1125                          CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
1126         }
1127
1128         if (get_cmdline_auth_info_use_machine_account(auth_info) &&
1129             !set_cmdline_auth_info_machine_account_creds(auth_info)) {
1130                 return NULL;
1131         }
1132
1133         set_cmdline_auth_info_getpass(auth_info);
1134
1135         nt_status = cli_full_connection(&c, global_myname(), server, 
1136                                 &ss, 0,
1137                                 share, "?????",
1138                                 get_cmdline_auth_info_username(auth_info),
1139                                 lp_workgroup(),
1140                                 get_cmdline_auth_info_password(auth_info),
1141                                 flags,
1142                                 get_cmdline_auth_info_signing_state(auth_info),
1143                                 NULL);
1144         if (!NT_STATUS_IS_OK(nt_status)) {
1145                 DEBUG(0,("cli_full_connection failed! (%s)\n", nt_errstr(nt_status)));
1146                 return NULL;
1147         }
1148
1149         if (get_cmdline_auth_info_smb_encrypt(auth_info)) {
1150                 nt_status = cli_cm_force_encryption(c,
1151                                         get_cmdline_auth_info_username(auth_info),
1152                                         get_cmdline_auth_info_password(auth_info),
1153                                         lp_workgroup(),
1154                                         share);
1155                 if (!NT_STATUS_IS_OK(nt_status)) {
1156                         cli_shutdown(c);
1157                         c = NULL;
1158                 }
1159         }
1160
1161         return c;
1162 }
1163
1164 /****************************************************************************
1165   main program
1166 ****************************************************************************/
1167  int main(int argc, const char *argv[])
1168 {
1169         char *share;
1170         int opt;
1171         enum acl_mode mode = SMB_ACL_SET;
1172         static char *the_acl = NULL;
1173         enum chown_mode change_mode = REQUEST_NONE;
1174         int result;
1175         char *path;
1176         char *filename = NULL;
1177         poptContext pc;
1178         struct poptOption long_options[] = {
1179                 POPT_AUTOHELP
1180                 { "delete", 'D', POPT_ARG_STRING, NULL, 'D', "Delete an acl", "ACL" },
1181                 { "modify", 'M', POPT_ARG_STRING, NULL, 'M', "Modify an acl", "ACL" },
1182                 { "add", 'a', POPT_ARG_STRING, NULL, 'a', "Add an acl", "ACL" },
1183                 { "set", 'S', POPT_ARG_STRING, NULL, 'S', "Set acls", "ACLS" },
1184                 { "chown", 'C', POPT_ARG_STRING, NULL, 'C', "Change ownership of a file", "USERNAME" },
1185                 { "chgrp", 'G', POPT_ARG_STRING, NULL, 'G', "Change group ownership of a file", "GROUPNAME" },
1186                 { "inherit", 'I', POPT_ARG_STRING, NULL, 'I', "Inherit allow|remove|copy" },
1187                 { "numeric", 0, POPT_ARG_NONE, &numeric, 1, "Don't resolve sids or masks to names" },
1188                 { "sddl", 0, POPT_ARG_NONE, &sddl, 1, "Output and input acls in sddl format" },
1189                 { "test-args", 't', POPT_ARG_NONE, &test_args, 1, "Test arguments"},
1190                 POPT_COMMON_SAMBA
1191                 POPT_COMMON_CONNECTION
1192                 POPT_COMMON_CREDENTIALS
1193                 POPT_TABLEEND
1194         };
1195
1196         struct cli_state *cli;
1197         TALLOC_CTX *frame = talloc_stackframe();
1198         const char *owner_username = "";
1199         char *server;
1200         struct user_auth_info *auth_info;
1201
1202         load_case_tables();
1203
1204
1205         /* set default debug level to 1 regardless of what smb.conf sets */
1206         setup_logging( "smbcacls", DEBUG_STDERR);
1207         DEBUGLEVEL_CLASS[DBGC_ALL] = 1;
1208         AllowDebugChange = false;
1209
1210         setlinebuf(stdout);
1211
1212         lp_load(get_dyn_CONFIGFILE(),True,False,False,True);
1213         load_interfaces();
1214
1215         auth_info = user_auth_info_init(frame);
1216         if (auth_info == NULL) {
1217                 exit(1);
1218         }
1219         popt_common_set_auth_info(auth_info);
1220
1221         pc = poptGetContext("smbcacls", argc, argv, long_options, 0);
1222
1223         poptSetOtherOptionHelp(pc, "//server1/share1 filename\nACLs look like: "
1224                 "'ACL:user:[ALLOWED|DENIED]/flags/permissions'");
1225
1226         while ((opt = poptGetNextOpt(pc)) != -1) {
1227                 switch (opt) {
1228                 case 'S':
1229                         the_acl = smb_xstrdup(poptGetOptArg(pc));
1230                         mode = SMB_ACL_SET;
1231                         break;
1232
1233                 case 'D':
1234                         the_acl = smb_xstrdup(poptGetOptArg(pc));
1235                         mode = SMB_ACL_DELETE;
1236                         break;
1237
1238                 case 'M':
1239                         the_acl = smb_xstrdup(poptGetOptArg(pc));
1240                         mode = SMB_ACL_MODIFY;
1241                         break;
1242
1243                 case 'a':
1244                         the_acl = smb_xstrdup(poptGetOptArg(pc));
1245                         mode = SMB_ACL_ADD;
1246                         break;
1247
1248                 case 'C':
1249                         owner_username = poptGetOptArg(pc);
1250                         change_mode = REQUEST_CHOWN;
1251                         break;
1252
1253                 case 'G':
1254                         owner_username = poptGetOptArg(pc);
1255                         change_mode = REQUEST_CHGRP;
1256                         break;
1257
1258                 case 'I':
1259                         owner_username = poptGetOptArg(pc);
1260                         change_mode = REQUEST_INHERIT;
1261                         break;
1262                 }
1263         }
1264
1265         /* Make connection to server */
1266         if(!poptPeekArg(pc)) {
1267                 poptPrintUsage(pc, stderr, 0);
1268                 return -1;
1269         }
1270
1271         path = talloc_strdup(frame, poptGetArg(pc));
1272         if (!path) {
1273                 return -1;
1274         }
1275
1276         if(!poptPeekArg(pc)) {
1277                 poptPrintUsage(pc, stderr, 0);
1278                 return -1;
1279         }
1280
1281         filename = talloc_strdup(frame, poptGetArg(pc));
1282         if (!filename) {
1283                 return -1;
1284         }
1285
1286         string_replace(path,'/','\\');
1287
1288         server = talloc_strdup(frame, path+2);
1289         if (!server) {
1290                 return -1;
1291         }
1292         share = strchr_m(server,'\\');
1293         if (!share) {
1294                 printf("Invalid argument: %s\n", share);
1295                 return -1;
1296         }
1297
1298         *share = 0;
1299         share++;
1300
1301         if (!test_args) {
1302                 cli = connect_one(auth_info, server, share);
1303                 if (!cli) {
1304                         exit(EXIT_FAILED);
1305                 }
1306         } else {
1307                 exit(0);
1308         }
1309
1310         string_replace(filename, '/', '\\');
1311         if (filename[0] != '\\') {
1312                 filename = talloc_asprintf(frame,
1313                                 "\\%s",
1314                                 filename);
1315                 if (!filename) {
1316                         return -1;
1317                 }
1318         }
1319
1320         /* Perform requested action */
1321
1322         if (change_mode == REQUEST_INHERIT) {
1323                 result = inherit(cli, filename, owner_username);
1324         } else if (change_mode != REQUEST_NONE) {
1325                 result = owner_set(cli, change_mode, filename, owner_username);
1326         } else if (the_acl) {
1327                 result = cacl_set(cli, filename, the_acl, mode);
1328         } else {
1329                 result = cacl_dump(cli, filename);
1330         }
1331
1332         TALLOC_FREE(frame);
1333
1334         return result;
1335 }