authorTim Potter <tpot@samba.org>2004-09-24 01:20:30 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:59:07 -0500
commit1cf7a3420e501f023b0289a47adf0d89e2d12d17 (patch)
treeb3d8ee1baf506db3e4fff78eab61d6b568f72b32 /source4
parentcb0cd473a0c7d3d7565fccdc9be30cefd19a0473 (diff)
r2576: Some userspace tools for getting and setting ntacls via the 'security.ntacl'
extended attribute. (This used to be commit 5b88226f9002711baac73e66d04ecf92b7765809)
Diffstat (limited to 'source4')
-rw-r--r--source4/utils/config.m43
-rw-r--r--source4/utils/config.mk28
-rw-r--r--source4/utils/getntacl.c116
-rw-r--r--source4/utils/setntacl.c105
4 files changed, 252 insertions, 0 deletions
diff --git a/source4/utils/config.m4 b/source4/utils/config.m4
index 562f5ce7b1..74a31de177 100644
--- a/source4/utils/config.m4
+++ b/source4/utils/config.m4
@@ -5,3 +5,6 @@ SMB_BINARY_MK(ntlm_auth, utils/config.mk)
#SMB_BINARY_MK(lookupuuid, utils/config.mk)
SMB_INCLUDE_M4(utils/net/config.m4)
+
+SMB_BINARY_MK(getntacl, utils/config.mk)
+SMB_BINARY_MK(setntacl, utils/config.mk)
diff --git a/source4/utils/config.mk b/source4/utils/config.mk
index 32999e103c..0860e89ea3 100644
--- a/source4/utils/config.mk
+++ b/source4/utils/config.mk
@@ -39,3 +39,31 @@ REQUIRED_SUBSYSTEMS = \
LIBRPC
# End BINARY ntlm_auth
#################################
+
+#################################
+# Start BINARY getntacl
+[BINARY::getntacl]
+OBJ_FILES = \
+ utils/getntacl.o
+REQUIRED_SUBSYSTEMS = \
+ CONFIG \
+ LIBCMDLINE \
+ LIBBASIC \
+ LIBSMB \
+ LIBRPC
+# End BINARY getntacl
+#################################
+
+#################################
+# Start BINARY setntacl
+[BINARY::setntacl]
+OBJ_FILES = \
+ utils/setntacl.o
+REQUIRED_SUBSYSTEMS = \
+ CONFIG \
+ LIBCMDLINE \
+ LIBBASIC \
+ LIBSMB \
+ LIBRPC
+# End BINARY setntacl
+#################################
diff --git a/source4/utils/getntacl.c b/source4/utils/getntacl.c
new file mode 100644
index 0000000000..b17200aeb5
--- /dev/null
+++ b/source4/utils/getntacl.c
@@ -0,0 +1,116 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Get NT ACLs from UNIX files.
+
+ Copyright (C) Tim Potter <tpot@samba.org> 2004
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include <attr/xattr.h>
+
+/* Display a security descriptor in "psec" format which is as follows.
+
+ The first two lines describe the owner user and owner group of the
+ object. If either of these lines are blank then the respective
+ owner property is not set. The remaining lines list the individual
+ permissions or ACE entries, one per line. Each column describes a
+ different property of the ACE:
+
+ Column Description
+ -------------------------------------------------------------------
+ 1 ACE type (allow/deny etc)
+ 2 ACE flags
+ 3 ACE mask
+ 4 SID the ACE applies to
+
+ Example:
+
+ S-1-5-21-1067277791-1719175008-3000797951-500
+
+ 1 9 0x10000000 S-1-5-21-1067277791-1719175008-3000797951-501
+ 1 2 0x10000000 S-1-5-21-1067277791-1719175008-3000797951-501
+ 0 9 0x10000000 S-1-5-21-1067277791-1719175008-3000797951-500
+ 0 2 0x10000000 S-1-5-21-1067277791-1719175008-3000797951-500
+ 0 9 0x10000000 S-1-5-21-1067277791-1719175008-3000797951-513
+ 0 2 0x00020000 S-1-5-21-1067277791-1719175008-3000797951-513
+ 0 2 0xe0000000 S-1-1-0
+*/
+
+static void print_psec(TALLOC_CTX *mem_ctx, struct security_descriptor *sd)
+{
+ if (sd->owner_sid)
+ printf("%s\n", dom_sid_string(mem_ctx, sd->owner_sid));
+ else
+ printf("\n");
+
+ if (sd->group_sid)
+ printf("%s\n", dom_sid_string(mem_ctx, sd->owner_sid));
+ else
+ printf("\n");
+
+ /* Note: SACL not displayed */
+
+ if (sd->dacl) {
+ int i;
+
+ for (i = 0; i < sd->dacl->num_aces; i++) {
+ struct security_ace *ace = &sd->dacl->aces[i];
+
+ printf("%d %d 0x%08x %s\n", ace->type, ace->flags,
+ ace->access_mask,
+ dom_sid_string(mem_ctx, &ace->trustee));
+ }
+
+ }
+}
+
+int main(int argc, char **argv)
+{
+ TALLOC_CTX *mem_ctx;
+ ssize_t size;
+ char *data;
+ struct security_descriptor sd;
+ DATA_BLOB blob;
+ struct ndr_pull *ndr;
+ NTSTATUS result;
+
+ mem_ctx = talloc_init("getntacl");
+
+ /* Fetch ACL data */
+
+ size = getxattr(argv[1], "security.ntacl", NULL, 0);
+
+ if (size == -1) {
+ fprintf(stderr, "%s: %s\n", argv[1], strerror(errno));
+ exit(1);
+ }
+
+ data = talloc(mem_ctx, size);
+
+ size = getxattr(argv[1], "security.ntacl", data, size);
+
+ blob = data_blob_talloc(mem_ctx, data, size);
+
+ ndr = ndr_pull_init_blob(&blob, mem_ctx);
+
+ result = ndr_pull_security_descriptor(
+ ndr, NDR_SCALARS|NDR_BUFFERS, &sd);
+
+ print_psec(data, &sd);
+ return 0;
+}
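Review bot: print_psec prints the owner SID twice: the group branch under `if (sd->group_sid)` calls `dom_sid_string(mem_ctx, sd->owner_sid)` and should read `printf("%s\n", dom_sid_string(mem_ctx, sd->group_sid));`, otherwise every descriptor with a group SID is shown as owner == group and feeding that output back through setntacl would silently rewrite the group. In main, argv[1] is dereferenced without an argc check, the return value of the second getxattr() and the NTSTATUS from ndr_pull_security_descriptor() are never examined, so a short or malformed `security.ntacl` blob reaches print_psec with a partially filled `sd`; the attribute can also change size between the two getxattr() calls, so the blob should be built from the second call's return value. Passing `data` as the talloc context in `print_psec(data, &sd)` only works because any talloc pointer is a context; `mem_ctx` states the intent. The rewritten parts of main are below.

```c
	if (argc < 2) {
		fprintf(stderr, "usage: %s FILE\n", argv[0]);
		exit(1);
	}
	/* … unchanged: first getxattr() size probe and its error check … */
	data = talloc(mem_ctx, size);
	/* second call may return a different length; use the value it reports */
	size = getxattr(argv[1], "security.ntacl", data, size);
	if (size == -1) {
		fprintf(stderr, "%s: %s\n", argv[1], strerror(errno));
		exit(1);
	}
	/* … unchanged: data_blob_talloc, ndr_pull_init_blob … */
	result = ndr_pull_security_descriptor(ndr, NDR_SCALARS|NDR_BUFFERS, &sd);
	if (!NT_STATUS_IS_OK(result)) {
		fprintf(stderr, "%s: security.ntacl: %s\n", argv[1], nt_errstr(result));
		exit(1);
	}
	print_psec(mem_ctx, &sd);
```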
diff --git a/source4/utils/setntacl.c b/source4/utils/setntacl.c
new file mode 100644
index 0000000000..492c3ba9fe
--- /dev/null
+++ b/source4/utils/setntacl.c
@@ -0,0 +1,105 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Set NT ACLs on UNIX files.
+
+ Copyright (C) Tim Potter <tpot@samba.org> 2004
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include <attr/xattr.h>
+
+static void setntacl(char *filename, struct security_descriptor *sd)
+{
+ NTSTATUS status;
+ struct ndr_push *ndr;
+ ssize_t result;
+
+ ndr = ndr_push_init();
+
+ status = ndr_push_security_descriptor(
+ ndr, NDR_SCALARS|NDR_BUFFERS, sd);
+
+ result = setxattr(
+ filename, "security.ntacl", ndr->data, ndr->offset, 0);
+
+ if (result == -1) {
+ fprintf(stderr, "%s: %s\n", filename, strerror(errno));
+ exit(1);
+ }
+
+}
+
+ int main(int argc, char **argv)
+{
+ char line[255];
+ struct security_descriptor *sd;
+ TALLOC_CTX *mem_ctx;
+ struct security_acl *acl;
+
+ setup_logging("setntacl", DEBUG_STDOUT);
+
+ mem_ctx = talloc_init("setntacl");
+
+ sd = sd_initialise(mem_ctx);
+
+ fgets(line, sizeof(line), stdin);
+ sd->owner_sid = dom_sid_parse_talloc(mem_ctx, line);
+
+ fgets(line, sizeof(line), stdin);
+ sd->group_sid = dom_sid_parse_talloc(mem_ctx, line);
+
+ acl = talloc(mem_ctx, sizeof(struct security_acl));
+
+ acl->revision = 2;
+ acl->size = 0;
+ acl->num_aces = 0;
+ acl->aces = NULL;
+
+ while(fgets(line, sizeof(line), stdin)) {
+ int ace_type, ace_flags;
+ uint32 ace_mask;
+ char sidstr[255];
+ struct dom_sid *sid;
+
+ if (sscanf(line, "%d %d 0x%x %s", &ace_type, &ace_flags,
+ &ace_mask, sidstr) != 4) {
+ fprintf(stderr, "invalid ACL line\ndr");
+ return 1;
+ }
+
+ acl->aces = talloc_realloc(
+ acl->aces,
+ (acl->num_aces + 1) * sizeof(struct security_ace));
+
+ acl->aces[acl->num_aces].type = ace_type;
+ acl->aces[acl->num_aces].flags = ace_flags;
+ acl->aces[acl->num_aces].access_mask = ace_mask;
+
+ sid = dom_sid_parse_talloc(mem_ctx, sidstr);
+
+ acl->aces[acl->num_aces].trustee = *sid;
+
+ acl->num_aces++;
+ }
+
+ sd->dacl = acl;
+
+ setntacl(argv[1], sd);
+
+ return 0;
+}
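Review bot: In main's ACE loop the result of `dom_sid_parse_talloc(mem_ctx, sidstr)` is dereferenced at `acl->aces[acl->num_aces].trustee = *sid;` with no NULL check, so a single malformed SID on stdin crashes the tool instead of being reported, and the error message a few lines earlier carries a stray suffix, `"invalid ACL line\ndr"`. The two leading fgets() calls are unchecked, so on empty input the uninitialised `line` buffer is handed to dom_sid_parse_talloc(), argv[1] is used without an argc check, and `%254s` would bound the sidstr read explicitly instead of relying on line[] having the same size. The NTSTATUS from ndr_push_security_descriptor() in setntacl() is also never examined before `ndr->data` is written to the xattr; the leading space on ` int main(` should go as well. The rewritten parts of main are below.

```c
	if (argc < 2) {
		fprintf(stderr, "usage: %s FILE\n", argv[0]);
		return 1;
	}
	/* … unchanged: setup_logging, talloc_init, sd_initialise … */
	if (fgets(line, sizeof(line), stdin) == NULL) {
		fprintf(stderr, "missing owner line\n");
		return 1;
	}
	sd->owner_sid = dom_sid_parse_talloc(mem_ctx, line);

	if (fgets(line, sizeof(line), stdin) == NULL) {
		fprintf(stderr, "missing group line\n");
		return 1;
	}
	sd->group_sid = dom_sid_parse_talloc(mem_ctx, line);
	/* … unchanged: acl allocation and header fields … */
	while (fgets(line, sizeof(line), stdin)) {
		/* … unchanged: local declarations … */
		if (sscanf(line, "%d %d 0x%x %254s", &ace_type, &ace_flags,
			   &ace_mask, sidstr) != 4) {
			fprintf(stderr, "invalid ACL line\n");
			return 1;
		}
		/* … unchanged: talloc_realloc and type/flags/mask assignment … */
		sid = dom_sid_parse_talloc(mem_ctx, sidstr);
		if (sid == NULL) {
			fprintf(stderr, "invalid SID: %s\n", sidstr);
			return 1;
		}
		acl->aces[acl->num_aces].trustee = *sid;
		acl->num_aces++;
	}
```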