diff options
Diffstat (limited to 'source4')
-rw-r--r-- | source4/scripting/python/samba/netcmd/__init__.py | 2 | ||||
-rw-r--r-- | source4/scripting/python/samba/netcmd/ntacl.py | 119 | ||||
-rw-r--r-- | source4/scripting/python/samba/ntacls.py | 10 | ||||
-rw-r--r-- | source4/utils/config.mk | 26 | ||||
-rw-r--r-- | source4/utils/getntacl.c | 121 | ||||
-rw-r--r-- | source4/utils/setntacl.c | 28 |
6 files changed, 126 insertions, 180 deletions
diff --git a/source4/scripting/python/samba/netcmd/__init__.py b/source4/scripting/python/samba/netcmd/__init__.py index a204ab897b..d6a130c942 100644 --- a/source4/scripting/python/samba/netcmd/__init__.py +++ b/source4/scripting/python/samba/netcmd/__init__.py @@ -143,3 +143,5 @@ from samba.netcmd.enableaccount import cmd_enableaccount commands["enableaccount"] = cmd_enableaccount() from samba.netcmd.newuser import cmd_newuser commands["newuser"] = cmd_newuser() +from samba.netcmd.ntacl import cmd_acl +commands["acl"] = cmd_acl() diff --git a/source4/scripting/python/samba/netcmd/ntacl.py b/source4/scripting/python/samba/netcmd/ntacl.py new file mode 100644 index 0000000000..a96593ef0c --- /dev/null +++ b/source4/scripting/python/samba/netcmd/ntacl.py @@ -0,0 +1,119 @@ +#!/usr/bin/python +# +# Manipulate file NT ACLs +# +# Copyright Matthieu Patou 2010 <mat@matws.net> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +from samba.credentials import DONT_USE_KERBEROS +import samba.getopt as options +from samba.dcerpc import security +from samba.ntacls import setntacl, getntacl +from samba import Ldb +from samba.ndr import ndr_unpack + +from ldb import SCOPE_BASE +import ldb +import os +import sys + +from samba.auth import system_session +from samba.netcmd import ( + Command, + SuperCommand, + CommandError, + Option, + ) + +class cmd_acl_set(Command): + """Set ACLs on a file""" + synopsis = "%prog set <acl> <file> [--xattr-backend=native|tdb] [--eadb-file=file] [options]" + + takes_optiongroups = { + "sambaopts": options.SambaOptions, + "credopts": options.CredentialsOptions, + "versionopts": options.VersionOptions, + } + + takes_options = [ + Option("--quiet", help="Be quiet", action="store_true"), + Option("--xattr-backend", type="choice", help="xattr backend type (native fs or tdb)", + choices=["native","tdb"]), + Option("--eadb-file", help="Name of the tdb file where attributes are stored", type="string"), + ] + + takes_args = ["acl","file"] + + def run(self, acl, file, quiet=False,xattr_backend=None,eadb_file=None, + credopts=None, sambaopts=None, versionopts=None): + lp = sambaopts.get_loadparm() + creds = credopts.get_credentials(lp) + path = os.path.join(lp.get("private dir"), lp.get("sam database") or "samdb.ldb") + creds = credopts.get_credentials(lp) + creds.set_kerberos_state(DONT_USE_KERBEROS) + try: + ldb = Ldb(path, session_info=system_session(), credentials=creds,lp=lp) + except: + print "Unable to read domain SID from configuration files" + sys.exit(1) + attrs = ["objectSid"] + print lp.get("realm") + res = ldb.search(expression="(objectClass=*)",base="DC=%s"%lp.get("realm").lower().replace(".",",DC="), scope=SCOPE_BASE, attrs=attrs) + if len(res) !=0: + domainsid = ndr_unpack( security.dom_sid,res[0]["objectSid"][0]) + setntacl(lp,file,acl,str(domainsid),xattr_backend,eadb_file) + else: + print "Unable to read domain SID from configuration files" + sys.exit(1) + +class cmd_acl_get(Command): + """Set ACLs on a file""" + synopsis = "%prog get <file> [--as-sddl] [--xattr-backend=native|tdb] [--eadb-file=file] [options]" + + takes_optiongroups = { + "sambaopts": options.SambaOptions, + "credopts": options.CredentialsOptions, + "versionopts": options.VersionOptions, + } + + takes_options = [ + Option("--as-sddl", help="Output ACL in the SDDL format", action="store_true"), + Option("--xattr-backend", type="choice", help="xattr backend type (native fs or tdb)", + choices=["native","tdb"]), + Option("--eadb-file", help="Name of the tdb file where attributes are stored", type="string"), + ] + + takes_args = ["file"] + + def run(self, file, as_sddl=False,xattr_backend=None,eadb_file=None, + credopts=None, sambaopts=None, versionopts=None): + lp = sambaopts.get_loadparm() + creds = credopts.get_credentials(lp) + acl = getntacl(lp,file,xattr_backend,eadb_file) + if as_sddl: + anysid=security.dom_sid(security.SID_NT_SELF) + print acl.info.as_sddl(anysid) + else: + acl.dump() + + +class cmd_acl(SuperCommand): + """NT ACLs manipulation""" + + subcommands = {} + subcommands["set"] = cmd_acl_set() + subcommands["get"] = cmd_acl_get() + diff --git a/source4/scripting/python/samba/ntacls.py b/source4/scripting/python/samba/ntacls.py index d6226807ce..15f310b27d 100644 --- a/source4/scripting/python/samba/ntacls.py +++ b/source4/scripting/python/samba/ntacls.py @@ -63,8 +63,8 @@ def setntacl(lp,file,sddl,domsid,backend=None,eadbfile=None): raise ntacl=xattr.NTACL() ntacl.version = 1 - anysid=security.dom_sid(domsid) - sd = security.descriptor.from_sddl(sddl, anysid) + sid=security.dom_sid(domsid) + sd = security.descriptor.from_sddl(sddl, sid) ntacl.info = sd eadbname = lp.get("posix:eadb") if eadbname != None and eadbname != "": @@ -135,8 +135,8 @@ def ldapmask2filemask(ldm): # for files. It's used for Policy object provision def dsacl2fsacl(dssddl,domsid): - anysid = security.dom_sid(domsid) - ref = security.descriptor.from_sddl(dssddl,anysid) + sid = security.dom_sid(domsid) + ref = security.descriptor.from_sddl(dssddl,sid) fdescr = security.descriptor() fdescr.owner_sid = ref.owner_sid fdescr.group_sid = ref.group_sid @@ -155,4 +155,4 @@ def dsacl2fsacl(dssddl,domsid): ace.access_mask = ldapmask2filemask(ace.access_mask) fdescr.dacl_add(ace) - return fdescr.as_sddl(anysid) + return fdescr.as_sddl(sid) diff --git a/source4/utils/config.mk b/source4/utils/config.mk index 5fa7e200f0..dcf1bdf2d0 100644 --- a/source4/utils/config.mk +++ b/source4/utils/config.mk @@ -23,33 +23,7 @@ ntlm_auth_OBJ_FILES = $(utilssrcdir)/ntlm_auth.o MANPAGES += $(utilssrcdir)/man/ntlm_auth.1 -################################# -# Start BINARY getntacl -[BINARY::getntacl] -INSTALLDIR = BINDIR -PRIVATE_DEPENDENCIES = \ - LIBSAMBA-HOSTCONFIG \ - LIBSAMBA-UTIL \ - NDR_XATTR \ - WRAP_XATTR \ - LIBSAMBA-ERRORS - -getntacl_OBJ_FILES = $(utilssrcdir)/getntacl.o - -# End BINARY getntacl -################################# - -MANPAGES += $(utilssrcdir)/man/getntacl.1 - -################################# -# Start BINARY setntacl -[BINARY::setntacl] -# disabled until rewritten -#INSTALLDIR = BINDIR -# End BINARY setntacl -################################# -setntacl_OBJ_FILES = $(utilssrcdir)/setntacl.o ################################# # Start BINARY setnttoken diff --git a/source4/utils/getntacl.c b/source4/utils/getntacl.c deleted file mode 100644 index f26c87bd85..0000000000 --- a/source4/utils/getntacl.c +++ /dev/null @@ -1,121 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Get NT ACLs from UNIX files. - - Copyright (C) Tim Potter <tpot@samba.org> 2005 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "system/filesys.h" -#include "librpc/gen_ndr/ndr_xattr.h" -#include "../lib/util/wrap_xattr.h" -#include "param/param.h" - -static void ntacl_print_debug_helper(struct ndr_print *ndr, const char *format, ...) PRINTF_ATTRIBUTE(2,3); - -static void ntacl_print_debug_helper(struct ndr_print *ndr, const char *format, ...) -{ - va_list ap; - char *s = NULL; - int i; - - va_start(ap, format); - vasprintf(&s, format, ap); - va_end(ap); - - for (i=0;i<ndr->depth;i++) { - printf(" "); - } - - printf("%s\n", s); - free(s); -} - -static NTSTATUS get_ntacl(TALLOC_CTX *mem_ctx, - char *filename, - struct xattr_NTACL **ntacl, - ssize_t *ntacl_len) -{ - DATA_BLOB blob; - ssize_t size; - enum ndr_err_code ndr_err; - struct ndr_pull *ndr; - - *ntacl = talloc(mem_ctx, struct xattr_NTACL); - - size = wrap_getxattr(filename, XATTR_NTACL_NAME, NULL, 0); - - if (size < 0) { - fprintf(stderr, "get_ntacl: %s\n", strerror(errno)); - return NT_STATUS_INTERNAL_ERROR; - } - - blob.data = talloc_array(*ntacl, uint8_t, size); - size = wrap_getxattr(filename, XATTR_NTACL_NAME, blob.data, size); - if (size < 0) { - fprintf(stderr, "get_ntacl: %s\n", strerror(errno)); - return NT_STATUS_INTERNAL_ERROR; - } - blob.length = size; - - ndr = ndr_pull_init_blob(&blob, NULL, NULL); - - ndr_err = ndr_pull_xattr_NTACL(ndr, NDR_SCALARS|NDR_BUFFERS, *ntacl); - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - return ndr_map_error2ntstatus(ndr_err); - } - - return NT_STATUS_OK; -} - -static void print_ntacl(TALLOC_CTX *mem_ctx, - const char *fname, - struct xattr_NTACL *ntacl) -{ - struct ndr_print *pr; - - pr = talloc_zero(mem_ctx, struct ndr_print); - if (!pr) return; - pr->print = ntacl_print_debug_helper; - - ndr_print_xattr_NTACL(pr, fname, ntacl); - talloc_free(pr); -} - -int main(int argc, char *argv[]) -{ - NTSTATUS status; - struct xattr_NTACL *ntacl; - ssize_t ntacl_len; - - if (argc != 2) { - fprintf(stderr, "Usage: getntacl FILENAME\n"); - return 1; - } - - status = get_ntacl(NULL, argv[1], &ntacl, &ntacl_len); - if (!NT_STATUS_IS_OK(status)) { - fprintf(stderr, "get_ntacl failed: %s\n", nt_errstr(status)); - return 1; - } - - print_ntacl(ntacl, argv[1], ntacl); - - talloc_free(ntacl); - - return 0; -} diff --git a/source4/utils/setntacl.c b/source4/utils/setntacl.c deleted file mode 100644 index 3a008a4c37..0000000000 --- a/source4/utils/setntacl.c +++ /dev/null @@ -1,28 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Set NT ACLs on UNIX files. - - Copyright (C) Tim Potter <tpot@samba.org> 2004 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" - -int main(int argc, char **argv) -{ - printf("This utility disabled until rewritten\n"); - return 1; -} |