summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
Diffstat (limited to 'source3')
-rw-r--r--source3/Makefile.in3
-rw-r--r--source3/libsmb/cli_lsarpc.c52
-rw-r--r--source3/rpcclient/cmd_lsarpc.c37
-rw-r--r--source3/rpcclient/cmd_samr.c124
-rw-r--r--source3/rpcclient/cmd_spoolss.c52
-rw-r--r--source3/rpcclient/display_sec.c254
6 files changed, 171 insertions, 351 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index cce0aecad7..ff9c9085f5 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -294,7 +294,8 @@ RPCCLIENT_OBJ1 = rpcclient/rpcclient.o rpcclient/cmd_lsarpc.o \
rpcclient/cmd_samr.o rpcclient/cmd_spoolss.o \
rpcclient/cmd_netlogon.o rpcclient/cmd_srvsvc.o \
rpcclient/cmd_dfs.o rpcclient/cmd_reg.o \
- rpc_client/cli_login.o rpc_client/cli_netlogon.o
+ rpc_client/cli_login.o rpc_client/cli_netlogon.o \
+ rpcclient/display_sec.o
RPCCLIENT_OBJ = $(RPCCLIENT_OBJ1) \
$(PARAM_OBJ) $(LIBSMB_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) \
diff --git a/source3/libsmb/cli_lsarpc.c b/source3/libsmb/cli_lsarpc.c
index c528ff48a9..ff4c4dfe30 100644
--- a/source3/libsmb/cli_lsarpc.c
+++ b/source3/libsmb/cli_lsarpc.c
@@ -988,6 +988,58 @@ NTSTATUS cli_lsa_lookupprivvalue(struct cli_state *cli, TALLOC_CTX *mem_ctx,
return result;
}
+/** Query LSA security object */
+
+NTSTATUS cli_lsa_query_secobj(struct cli_state *cli, TALLOC_CTX *mem_ctx,
+ POLICY_HND *pol, uint32 sec_info,
+ SEC_DESC_BUF **psdb)
+{
+ prs_struct qbuf, rbuf;
+ LSA_Q_QUERY_SEC_OBJ q;
+ LSA_R_QUERY_SEC_OBJ r;
+ NTSTATUS result;
+
+ ZERO_STRUCT(q);
+ ZERO_STRUCT(r);
+
+ /* Initialise parse structures */
+
+ prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
+ prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
+
+ /* Marshall data and send request */
+
+ init_q_query_sec_obj(&q, pol, sec_info);
+
+ if (!lsa_io_q_query_sec_obj("", &q, &qbuf, 0) ||
+ !rpc_api_pipe_req(cli, LSA_QUERYSECOBJ, &qbuf, &rbuf)) {
+ result = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+
+ /* Unmarshall response */
+
+ if (!lsa_io_r_query_sec_obj("", &r, &rbuf, 0)) {
+ result = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+
+ if (!NT_STATUS_IS_OK(result = r.status)) {
+ goto done;
+ }
+
+ /* Return output parameters */
+
+ if (psdb)
+ *psdb = r.buf;
+
+ done:
+ prs_mem_free(&qbuf);
+ prs_mem_free(&rbuf);
+
+ return result;
+}
+
/** Fetch a DOMAIN sid. Does complete cli setup / teardown anonymously. */
BOOL fetch_domain_sid( char *domain, char *remote_machine, DOM_SID *psid)
diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c
index ef9518a7fc..52ab9c3800 100644
--- a/source3/rpcclient/cmd_lsarpc.c
+++ b/source3/rpcclient/cmd_lsarpc.c
@@ -452,6 +452,42 @@ static NTSTATUS cmd_lsa_lookupprivvalue(struct cli_state *cli,
return result;
}
+/* Query LSA security object */
+
+static NTSTATUS cmd_lsa_query_secobj(struct cli_state *cli,
+ TALLOC_CTX *mem_ctx, int argc,
+ char **argv)
+{
+ POLICY_HND pol;
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ SEC_DESC_BUF *sdb;
+ uint32 sec_info = 0x00000004; /* ??? */
+
+ if (argc != 1 ) {
+ printf("Usage: %s\n", argv[0]);
+ return NT_STATUS_OK;
+ }
+
+ result = cli_lsa_open_policy2(cli, mem_ctx, True,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ &pol);
+
+ if (!NT_STATUS_IS_OK(result))
+ goto done;
+
+ result = cli_lsa_query_secobj(cli, mem_ctx, &pol, sec_info, &sdb);
+
+ if (!NT_STATUS_IS_OK(result))
+ goto done;
+
+ /* Print results */
+
+ display_sec_desc(sdb->sec);
+
+ done:
+ return result;
+}
+
/* List of commands exported by this module */
struct cmd_set lsarpc_commands[] = {
@@ -467,6 +503,7 @@ struct cmd_set lsarpc_commands[] = {
{ "lsaenumsid", cmd_lsa_enum_sids, PIPE_LSARPC, "Enumerate the LSA SIDS", "" },
{ "lsaenumprivsaccount", cmd_lsa_enum_privsaccounts, PIPE_LSARPC, "Enumerate the privileges of an SID", "" },
{ "lsalookupprivvalue", cmd_lsa_lookupprivvalue, PIPE_LSARPC, "Get a privilege value given its name", "" },
+ { "lsaquerysecobj", cmd_lsa_query_secobj, PIPE_LSARPC, "Query LSA security object", "" },
{ NULL }
};
diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c
index a6cdc4bfeb..dccd756add 100644
--- a/source3/rpcclient/cmd_samr.c
+++ b/source3/rpcclient/cmd_samr.c
@@ -29,128 +29,6 @@
extern DOM_SID domain_sid;
/****************************************************************************
-convert a security permissions into a string
-****************************************************************************/
-char *get_sec_mask_str(uint32 type)
-{
- static fstring typestr="";
- int i;
-
- typestr[0] = 0;
-
- if (type & GENERIC_ALL_ACCESS)
- fstrcat(typestr, "Generic all access ");
- if (type & GENERIC_EXECUTE_ACCESS)
- fstrcat(typestr, "Generic execute access ");
- if (type & GENERIC_WRITE_ACCESS)
- fstrcat(typestr, "Generic write access ");
- if (type & GENERIC_READ_ACCESS)
- fstrcat(typestr, "Generic read access ");
- if (type & MAXIMUM_ALLOWED_ACCESS)
- fstrcat(typestr, "MAXIMUM_ALLOWED_ACCESS ");
- if (type & SYSTEM_SECURITY_ACCESS)
- fstrcat(typestr, "SYSTEM_SECURITY_ACCESS ");
- if (type & SYNCHRONIZE_ACCESS)
- fstrcat(typestr, "SYNCHRONIZE_ACCESS ");
- if (type & WRITE_OWNER_ACCESS)
- fstrcat(typestr, "WRITE_OWNER_ACCESS ");
- if (type & WRITE_DAC_ACCESS)
- fstrcat(typestr, "WRITE_DAC_ACCESS ");
- if (type & READ_CONTROL_ACCESS)
- fstrcat(typestr, "READ_CONTROL_ACCESS ");
- if (type & DELETE_ACCESS)
- fstrcat(typestr, "DELETE_ACCESS ");
-
- printf("Specific bits: 0x%x\n", type&SPECIFIC_RIGHTS_MASK);
-
- return typestr;
-}
-
-/****************************************************************************
- display sec_access structure
- ****************************************************************************/
-void display_sec_access(SEC_ACCESS *info)
-{
- printf("\t\tPermissions: 0x%x: %s\n", info->mask, get_sec_mask_str(info->mask));
-}
-
-/****************************************************************************
- display sec_ace structure
- ****************************************************************************/
-void display_sec_ace(SEC_ACE *ace)
-{
- fstring sid_str;
-
- printf("\tACE\n\t\ttype: ");
- switch (ace->type) {
- case SEC_ACE_TYPE_ACCESS_ALLOWED:
- printf("ACCESS ALLOWED");
- break;
- case SEC_ACE_TYPE_ACCESS_DENIED:
- printf("ACCESS DENIED");
- break;
- case SEC_ACE_TYPE_SYSTEM_AUDIT:
- printf("SYSTEM AUDIT");
- break;
- case SEC_ACE_TYPE_SYSTEM_ALARM:
- printf("SYSTEM ALARM");
- break;
- default:
- printf("????");
- break;
- }
- printf(" (%d) flags: %d\n", ace->type, ace->flags);
- display_sec_access(&ace->info);
- sid_to_string(sid_str, &ace->trustee);
- printf("\t\tSID: %s\n\n", sid_str);
-}
-
-/****************************************************************************
- display sec_acl structure
- ****************************************************************************/
-void display_sec_acl(SEC_ACL *sec_acl)
-{
- int i;
-
- printf("\tACL\tNum ACEs:\t%d\trevision:\t%x\n",
- sec_acl->num_aces, sec_acl->revision);
- printf("\t---\n");
-
- if (sec_acl->size != 0 && sec_acl->num_aces != 0)
- for (i = 0; i < sec_acl->num_aces; i++)
- display_sec_ace(&sec_acl->ace[i]);
-
-}
-
-/****************************************************************************
- display sec_desc structure
- ****************************************************************************/
-void display_sec_desc(SEC_DESC *sec)
-{
- fstring sid_str;
-
- if (sec->off_sacl != 0) {
- printf("S-ACL\n");
- display_sec_acl(sec->sacl);
- }
-
- if (sec->off_dacl != 0) {
- printf("D-ACL\n");
- display_sec_acl(sec->dacl);
- }
-
- if (sec->off_owner_sid != 0) {
- sid_to_string(sid_str, sec->owner_sid);
- printf("\tOwner SID:\t%s\n", sid_str);
- }
-
- if (sec->off_grp_sid != 0) {
- sid_to_string(sid_str, sec->grp_sid);
- printf("\tParent SID:\t%s\n", sid_str);
- }
-}
-
-/****************************************************************************
display sam_user_info_21 structure
****************************************************************************/
static void display_sam_user_info_21(SAM_USER_INFO_21 *usr)
@@ -1301,7 +1179,7 @@ struct cmd_set samr_commands[] = {
{ "samlookupnames", cmd_samr_lookup_names, PIPE_SAMR, "Look up names", "" },
{ "samlookuprids", cmd_samr_lookup_rids, PIPE_SAMR, "Look up names", "" },
{ "deletedomuser", cmd_samr_delete_dom_user, PIPE_SAMR, "Delete domain user", "" },
- { "querysecobj", cmd_samr_query_sec_obj, PIPE_SAMR, "Query security object", "" },
+ { "samquerysecobj", cmd_samr_query_sec_obj, PIPE_SAMR, "Query SAMR security object", "" },
{ NULL }
};
diff --git a/source3/rpcclient/cmd_spoolss.c b/source3/rpcclient/cmd_spoolss.c
index 2f80295a53..1e521473d4 100644
--- a/source3/rpcclient/cmd_spoolss.c
+++ b/source3/rpcclient/cmd_spoolss.c
@@ -82,58 +82,6 @@ static NTSTATUS cmd_spoolss_not_implemented(struct cli_state *cli,
return NT_STATUS_OK;
}
-/****************************************************************************
- display sec_ace structure
- ****************************************************************************/
-static void display_sec_ace(SEC_ACE *ace)
-{
- fstring sid_str;
-
- sid_to_string(sid_str, &ace->trustee);
- printf("\t\tSID: %s\n", sid_str);
-
- printf("\t\ttype:[%d], flags:[0x%02x], mask:[0x%08x]\n",
- ace->type, ace->flags, ace->info.mask);
-}
-
-/****************************************************************************
- display sec_acl structure
- ****************************************************************************/
-static void display_sec_acl(SEC_ACL *acl)
-{
- if (acl->size != 0 && acl->num_aces != 0) {
- int i;
-
- printf("\t\tRevision:[%d]\n", acl->revision);
- for (i = 0; i < acl->num_aces; i++) {
- display_sec_ace(&acl->ace[i]);
- }
- }
-}
-
-/****************************************************************************
- display sec_desc structure
- ****************************************************************************/
-static void display_sec_desc(SEC_DESC *sec)
-{
- fstring sid_str;
-
- printf("\tRevision:[%d]\n", sec->revision);
-
- if (sec->off_owner_sid) {
- sid_to_string(sid_str, sec->owner_sid);
- printf("\tOwner SID: %s\n", sid_str);
- }
-
- if (sec->off_grp_sid) {
- sid_to_string(sid_str, sec->grp_sid);
- printf("\tGroup SID: %s\n", sid_str);
- }
-
- if (sec->off_sacl) display_sec_acl(sec->sacl);
- if (sec->off_dacl) display_sec_acl(sec->dacl);
-}
-
/***********************************************************************
* Get printer information
*/
diff --git a/source3/rpcclient/display_sec.c b/source3/rpcclient/display_sec.c
index a428a95686..009f88e49b 100644
--- a/source3/rpcclient/display_sec.c
+++ b/source3/rpcclient/display_sec.c
@@ -23,67 +23,40 @@
#include "includes.h"
#include "rpcclient.h"
-
/****************************************************************************
convert a security permissions into a string
****************************************************************************/
-static const char *get_sec_mask_str(uint32 type)
+char *get_sec_mask_str(uint32 type)
{
- static fstring typestr;
+ static fstring typestr="";
int i;
- switch (type)
- {
- case SEC_RIGHTS_FULL_CONTROL:
- {
- fstrcpy(typestr, "Full Control");
- return typestr;
- }
-
- case SEC_RIGHTS_READ:
- {
- fstrcpy(typestr, "Read");
- return typestr;
- }
- default:
- {
- break;
- }
- }
-
typestr[0] = 0;
- for (i = 0; i < 32; i++)
- {
- if (type & (1 << i))
- {
- switch (1 << i)
- {
- case SEC_RIGHTS_QUERY_VALUE : fstrcat(typestr, "Query " ); break;
- case SEC_RIGHTS_SET_VALUE : fstrcat(typestr, "Set " ); break;
- case SEC_RIGHTS_CREATE_SUBKEY : fstrcat(typestr, "Create "); break;
- case SEC_RIGHTS_ENUM_SUBKEYS : fstrcat(typestr, "Enum "); break;
- case SEC_RIGHTS_NOTIFY : fstrcat(typestr, "Notify "); break;
- case SEC_RIGHTS_CREATE_LINK : fstrcat(typestr, "CreateLink "); break;
- case DELETE_ACCESS : fstrcat(typestr, "Delete "); break;
- case READ_CONTROL_ACCESS : fstrcat(typestr, "ReadControl "); break;
- case WRITE_DAC_ACCESS : fstrcat(typestr, "WriteDAC "); break;
- case WRITE_OWNER_ACCESS : fstrcat(typestr, "WriteOwner "); break;
- }
- type &= ~(1 << i);
- }
- }
-
- /* remaining bits get added on as-is */
- if (type != 0)
- {
- fstring tmp;
- slprintf(tmp, sizeof(tmp)-1, "[%08x]", type);
- fstrcat(typestr, tmp);
- }
- /* remove last space */
- i = strlen(typestr)-1;
- if (typestr[i] == ' ') typestr[i] = 0;
+ if (type & GENERIC_ALL_ACCESS)
+ fstrcat(typestr, "Generic all access ");
+ if (type & GENERIC_EXECUTE_ACCESS)
+ fstrcat(typestr, "Generic execute access ");
+ if (type & GENERIC_WRITE_ACCESS)
+ fstrcat(typestr, "Generic write access ");
+ if (type & GENERIC_READ_ACCESS)
+ fstrcat(typestr, "Generic read access ");
+ if (type & MAXIMUM_ALLOWED_ACCESS)
+ fstrcat(typestr, "MAXIMUM_ALLOWED_ACCESS ");
+ if (type & SYSTEM_SECURITY_ACCESS)
+ fstrcat(typestr, "SYSTEM_SECURITY_ACCESS ");
+ if (type & SYNCHRONIZE_ACCESS)
+ fstrcat(typestr, "SYNCHRONIZE_ACCESS ");
+ if (type & WRITE_OWNER_ACCESS)
+ fstrcat(typestr, "WRITE_OWNER_ACCESS ");
+ if (type & WRITE_DAC_ACCESS)
+ fstrcat(typestr, "WRITE_DAC_ACCESS ");
+ if (type & READ_CONTROL_ACCESS)
+ fstrcat(typestr, "READ_CONTROL_ACCESS ");
+ if (type & DELETE_ACCESS)
+ fstrcat(typestr, "DELETE_ACCESS ");
+
+ printf("Specific bits: 0x%x\n", type&SPECIFIC_RIGHTS_MASK);
return typestr;
}
@@ -91,152 +64,83 @@ static const char *get_sec_mask_str(uint32 type)
/****************************************************************************
display sec_access structure
****************************************************************************/
-static void display_sec_access(FILE *out_hnd, enum action_type action, SEC_ACCESS *const info)
+void display_sec_access(SEC_ACCESS *info)
{
- switch (action)
- {
- case ACTION_HEADER:
- {
- break;
- }
- case ACTION_ENUMERATE:
- {
- report(out_hnd, "\t\tPermissions:\t%s\n",
- get_sec_mask_str(info->mask));
- }
- case ACTION_FOOTER:
- {
- break;
- }
- }
+ printf("\t\tPermissions: 0x%x: %s\n", info->mask, get_sec_mask_str(info->mask));
}
/****************************************************************************
display sec_ace structure
****************************************************************************/
-static void display_sec_ace(FILE *out_hnd, enum action_type action, SEC_ACE *const ace)
+void display_sec_ace(SEC_ACE *ace)
{
- switch (action)
- {
- case ACTION_HEADER:
- {
- report(out_hnd, "\tACE\n");
+ fstring sid_str;
+
+ printf("\tACE\n\t\ttype: ");
+ switch (ace->type) {
+ case SEC_ACE_TYPE_ACCESS_ALLOWED:
+ printf("ACCESS ALLOWED");
+ break;
+ case SEC_ACE_TYPE_ACCESS_DENIED:
+ printf("ACCESS DENIED");
break;
- }
- case ACTION_ENUMERATE:
- {
- fstring sid_str;
-
- report(out_hnd,
- "\t\tType:%2x Flags:%2x Perms:%04x\n",
- ace->type, ace->flags,
- (uint32) ace->info.mask);
-
- display_sec_access(out_hnd, ACTION_HEADER , &ace->info);
- display_sec_access(out_hnd, ACTION_ENUMERATE, &ace->info);
- display_sec_access(out_hnd, ACTION_FOOTER , &ace->info);
-
- sid_to_string(sid_str, &ace->sid);
- report(out_hnd, "\t\tSID:\t%s\n", sid_str);
- }
- case ACTION_FOOTER:
- {
+ case SEC_ACE_TYPE_SYSTEM_AUDIT:
+ printf("SYSTEM AUDIT");
+ break;
+ case SEC_ACE_TYPE_SYSTEM_ALARM:
+ printf("SYSTEM ALARM");
+ break;
+ default:
+ printf("????");
break;
- }
}
+ printf(" (%d) flags: %d\n", ace->type, ace->flags);
+ display_sec_access(&ace->info);
+ sid_to_string(sid_str, &ace->trustee);
+ printf("\t\tSID: %s\n\n", sid_str);
}
/****************************************************************************
display sec_acl structure
****************************************************************************/
-static void display_sec_acl(FILE *out_hnd, enum action_type action, SEC_ACL *const sec_acl)
+void display_sec_acl(SEC_ACL *sec_acl)
{
- if (sec_acl == NULL)
- {
- return;
- }
- switch (action)
- {
- case ACTION_HEADER:
- {
- report(out_hnd, "\tACL\tNum ACEs:\t%d\trevision:\t%x\n",
- sec_acl->num_aces, sec_acl->revision);
- report(out_hnd, "\t---\n");
+ int i;
- break;
- }
- case ACTION_ENUMERATE:
- {
- if (sec_acl->size != 0 && sec_acl->num_aces != 0)
- {
- int i;
- for (i = 0; i < sec_acl->num_aces; i++)
- {
- display_sec_ace(out_hnd, ACTION_HEADER , &sec_acl->ace[i]);
- display_sec_ace(out_hnd, ACTION_ENUMERATE, &sec_acl->ace[i]);
- display_sec_ace(out_hnd, ACTION_FOOTER , &sec_acl->ace[i]);
- }
- }
+ printf("\tACL\tNum ACEs:\t%d\trevision:\t%x\n",
+ sec_acl->num_aces, sec_acl->revision);
+ printf("\t---\n");
+
+ if (sec_acl->size != 0 && sec_acl->num_aces != 0)
+ for (i = 0; i < sec_acl->num_aces; i++)
+ display_sec_ace(&sec_acl->ace[i]);
- break;
- }
- case ACTION_FOOTER:
- {
- report(out_hnd, "\n");
- break;
- }
- }
}
/****************************************************************************
display sec_desc structure
****************************************************************************/
-void display_sec_desc(FILE *out_hnd, enum action_type action, SEC_DESC *const sec)
+void display_sec_desc(SEC_DESC *sec)
{
- switch (action)
- {
- case ACTION_HEADER:
- {
- report(out_hnd, "\tSecurity Descriptor\trevision:\t%x\ttype:\t%x\n",
- sec->revision, sec->type);
- report(out_hnd, "\t-------------------\n");
+ fstring sid_str;
- break;
- }
- case ACTION_ENUMERATE:
- {
- fstring sid_str;
-
- if (sec->off_sacl != 0)
- {
- display_sec_acl(out_hnd, ACTION_HEADER , sec->sacl);
- display_sec_acl(out_hnd, ACTION_ENUMERATE, sec->sacl);
- display_sec_acl(out_hnd, ACTION_FOOTER , sec->sacl);
- }
- if (sec->off_dacl != 0)
- {
- display_sec_acl(out_hnd, ACTION_HEADER , sec->dacl);
- display_sec_acl(out_hnd, ACTION_ENUMERATE, sec->dacl);
- display_sec_acl(out_hnd, ACTION_FOOTER , sec->dacl);
- }
- if (sec->off_owner_sid != 0)
- {
- sid_to_string(sid_str, sec->owner_sid);
- report(out_hnd, "\tOwner SID:\t%s\n", sid_str);
- }
- if (sec->off_grp_sid != 0)
- {
- sid_to_string(sid_str, sec->grp_sid);
- report(out_hnd, "\tParent SID:\t%s\n", sid_str);
- }
-
- break;
- }
- case ACTION_FOOTER:
- {
- report(out_hnd, "\n");
- break;
- }
+ if (sec->off_sacl != 0) {
+ printf("S-ACL\n");
+ display_sec_acl(sec->sacl);
+ }
+
+ if (sec->off_dacl != 0) {
+ printf("D-ACL\n");
+ display_sec_acl(sec->dacl);
}
-}
+ if (sec->off_owner_sid != 0) {
+ sid_to_string(sid_str, sec->owner_sid);
+ printf("\tOwner SID:\t%s\n", sid_str);
+ }
+
+ if (sec->off_grp_sid != 0) {
+ sid_to_string(sid_str, sec->grp_sid);
+ printf("\tParent SID:\t%s\n", sid_str);
+ }
+}