diff options
author | Stefan Metzmacher <metze@samba.org> | 2012-11-30 14:36:07 +0100 |
---|---|---|
committer | Michael Adam <obnox@samba.org> | 2012-12-02 23:08:23 +0100 |
commit | 0e2e3ff5e864115495be68040959838e2835e260 (patch) | |
tree | 941ceda11ae3bca9faa9ced6a77511a5c764dee0 | |
parent | 9afba14417ebb8e13623b62d3c81492629b92f29 (diff) | |
download | samba-0e2e3ff5e864115495be68040959838e2835e260.tar.gz samba-0e2e3ff5e864115495be68040959838e2835e260.tar.bz2 samba-0e2e3ff5e864115495be68040959838e2835e260.zip |
s3:smbcacls: add --query-security-info and --set-security-info options
This allows the caller to specify the security_information flags.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
-rw-r--r-- | source3/utils/smbcacls.c | 65 |
1 files changed, 55 insertions, 10 deletions
diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c index da190ddda1..39400c8bdd 100644 --- a/source3/utils/smbcacls.c +++ b/source3/utils/smbcacls.c @@ -41,6 +41,8 @@ static int test_args; static int numeric; static int sddl; +static int query_sec_info = -1; +static int set_sec_info = -1; static const char *domain_sid = NULL; @@ -835,11 +837,27 @@ static struct security_descriptor *get_secdesc(struct cli_state *cli, const char uint16_t fnum = (uint16_t)-1; struct security_descriptor *sd; NTSTATUS status; + uint32_t sec_info; + uint32_t desired_access = 0; - /* The desired access below is the only one I could find that works - with NT4, W2KP and Samba */ + if (query_sec_info == -1) { + sec_info = SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL; + } else { + sec_info = query_sec_info; + } - status = cli_ntcreate(cli, filename, 0, CREATE_ACCESS_READ, + if (sec_info & (SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL)) { + desired_access |= SEC_STD_READ_CONTROL; + } + if (sec_info & SECINFO_SACL) { + desired_access |= SEC_FLAG_SYSTEM_SECURITY; + } + + if (desired_access == 0) { + desired_access |= SEC_STD_READ_CONTROL; + } + + status = cli_ntcreate(cli, filename, 0, desired_access, 0, FILE_SHARE_READ|FILE_SHARE_WRITE, FILE_OPEN, 0x0, 0x0, &fnum); if (!NT_STATUS_IS_OK(status)) { @@ -847,7 +865,8 @@ static struct security_descriptor *get_secdesc(struct cli_state *cli, const char return NULL; } - status = cli_query_secdesc(cli, fnum, talloc_tos(), &sd); + status = cli_query_security_descriptor(cli, fnum, sec_info, + talloc_tos(), &sd); cli_close(cli, fnum); @@ -869,16 +888,36 @@ static bool set_secdesc(struct cli_state *cli, const char *filename, bool result=true; NTSTATUS status; uint32_t desired_access = 0; + uint32_t sec_info; + + if (set_sec_info == -1) { + sec_info = 0; + + if (sd->dacl || (sd->type & SEC_DESC_DACL_PRESENT)) { + sec_info |= SECINFO_DACL; + } + if (sd->sacl || (sd->type & SEC_DESC_SACL_PRESENT)) { + sec_info |= SECINFO_SACL; + } + if (sd->owner_sid) { + sec_info |= SECINFO_OWNER; + } + if (sd->group_sid) { + sec_info |= SECINFO_GROUP; + } + } else { + sec_info = set_sec_info; + } /* Make the desired_access more specific. */ - if (sd->dacl) { - desired_access |= WRITE_DAC_ACCESS; + if (sec_info & SECINFO_DACL) { + desired_access |= SEC_STD_WRITE_DAC; } - if (sd->sacl) { + if (sec_info & SECINFO_SACL) { desired_access |= SEC_FLAG_SYSTEM_SECURITY; } - if (sd->owner_sid || sd->group_sid) { - desired_access |= WRITE_OWNER_ACCESS; + if (sec_info & (SECINFO_OWNER | SECINFO_GROUP)) { + desired_access |= SEC_STD_WRITE_OWNER; } status = cli_ntcreate(cli, filename, 0, @@ -890,7 +929,7 @@ static bool set_secdesc(struct cli_state *cli, const char *filename, return false; } - status = cli_set_secdesc(cli, fnum, sd); + status = cli_set_security_descriptor(cli, fnum, sec_info, sd); if (!NT_STATUS_IS_OK(status)) { printf("ERROR: security description set failed: %s\n", nt_errstr(status)); @@ -1339,6 +1378,12 @@ static struct cli_state *connect_one(struct user_auth_info *auth_info, { "inherit", 'I', POPT_ARG_STRING, NULL, 'I', "Inherit allow|remove|copy" }, { "numeric", 0, POPT_ARG_NONE, &numeric, 1, "Don't resolve sids or masks to names" }, { "sddl", 0, POPT_ARG_NONE, &sddl, 1, "Output and input acls in sddl format" }, + { "query-security-info", 0, POPT_ARG_INT, &query_sec_info, 1, + "The security-info flags for queries" + }, + { "set-security-info", 0, POPT_ARG_INT, &set_sec_info, 1, + "The security-info flags for modifications" + }, { "test-args", 't', POPT_ARG_NONE, &test_args, 1, "Test arguments"}, { "domain-sid", 0, POPT_ARG_STRING, &domain_sid, 0, "Domain SID for sddl", "SID"}, POPT_COMMON_SAMBA |