From 0ca0cec504710d3c0f00826605408d80562d4672 Mon Sep 17 00:00:00 2001
From: Simo Sorce <idra@samba.org>
Date: Sun, 20 Mar 2005 18:01:46 +0000
Subject: r5912: - Enhance net rpc rights utility - Make it possible to list
 users that are given a specific privilege - Make the lisitng interface a bit
 more usable by distinguishing   between "keys" and "names", using user names
 directly still   supported for backward compatibility (This used to be commit
 9797b33f2377375875b2c473d9899f36fe75246b)

---
 source3/utils/net_rpc_rights.c | 154 +++++++++++++++++++++++++++++++++++------
 1 file changed, 131 insertions(+), 23 deletions(-)

(limited to 'source3/utils/net_rpc_rights.c')

diff --git a/source3/utils/net_rpc_rights.c b/source3/utils/net_rpc_rights.c
index 32cb6a4650..ce95226951 100644
--- a/source3/utils/net_rpc_rights.c
+++ b/source3/utils/net_rpc_rights.c
@@ -133,6 +133,36 @@ static NTSTATUS enum_privileges( TALLOC_CTX *ctx, struct cli_state *cli,
 /********************************************************************
 ********************************************************************/
 
+static NTSTATUS check_privilege_for_user( TALLOC_CTX *ctx, struct cli_state *cli,
+                                          POLICY_HND *pol, DOM_SID *sid, const char *right)
+{
+	NTSTATUS result;
+	uint32 count;
+	char **rights;
+	int i;
+
+	result = cli_lsa_enum_account_rights(cli, ctx, pol, sid, &count, &rights);
+
+	if (!NT_STATUS_IS_OK(result)) {
+		return result;
+	}
+
+	if (count == 0) {
+		return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+	}
+		
+	for (i = 0; i < count; i++) {
+		if (StrCaseCmp(rights[i], right) == 0) {
+			return NT_STATUS_OK;
+		}
+	}
+
+	return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+}
+
+/********************************************************************
+********************************************************************/
+
 static NTSTATUS enum_privileges_for_user( TALLOC_CTX *ctx, struct cli_state *cli,
                                           POLICY_HND *pol, DOM_SID *sid )
 {
@@ -159,6 +189,52 @@ static NTSTATUS enum_privileges_for_user( TALLOC_CTX *ctx, struct cli_state *cli
 /********************************************************************
 ********************************************************************/
 
+static NTSTATUS enum_accounts_for_privilege(TALLOC_CTX *ctx, struct cli_state *cli,
+					    POLICY_HND *pol, const char *privilege)
+{
+	NTSTATUS result;
+	uint32 enum_context=0;
+	uint32 pref_max_length=0x1000;
+	DOM_SID *sids;
+	uint32 count=0;
+	int i;
+	fstring name;
+
+	result = cli_lsa_enum_sids(cli, ctx, pol, &enum_context, 
+		pref_max_length, &count, &sids);
+
+	if (!NT_STATUS_IS_OK(result))
+		return result;
+		
+	d_printf("%s:\n", privilege);
+
+	for ( i=0; i<count; i++ ) {
+	
+		   
+		result = check_privilege_for_user( ctx, cli, pol, &sids[i], privilege);
+		
+		if ( ! NT_STATUS_IS_OK(result)) {
+			if ( ! NT_STATUS_EQUAL(result, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+				return result;
+			}
+			continue;
+		}
+
+		/* try to convert the SID to a name.  Fall back to 
+		   printing the raw SID if necessary */
+		result = sid_to_name( cli, ctx, &sids[i], name );
+		if ( !NT_STATUS_IS_OK (result) )
+			fstrcpy( name, sid_string_static(&sids[i]) );
+			
+		d_printf("  %s\n", name);
+	}
+
+	return NT_STATUS_OK;
+}
+
+/********************************************************************
+********************************************************************/
+
 static NTSTATUS enum_privileges_for_accounts( TALLOC_CTX *ctx, struct cli_state *cli,
                                               POLICY_HND *pol )
 {
@@ -215,36 +291,68 @@ static NTSTATUS rpc_rights_list_internal( const DOM_SID *domain_sid, const char
 	if ( !NT_STATUS_IS_OK(result) )
 		return result;
 		
-	switch (argc) {
-	case 0:
-		result = enum_privileges( mem_ctx, cli, &pol );
-		break;
-			
-	case 1:
-		/* special case to enuemrate all privileged SIDs 
-		   with associated rights */
-		
-		if ( strequal( argv[0], "accounts" ) ) {
-			result = enum_privileges_for_accounts( mem_ctx, cli, &pol );
-		}
-		else {
+	if (argc == 0) {
+		d_printf("Usage: net rpc rights list [accounts|privileges] [name|SID]\n");
+		result = NT_STATUS_OK;
+		goto done;
+	}
+
+	if (strequal(argv[0], "privileges")) {
+		int i = 1;
 
-			result = name_to_sid(cli, mem_ctx, &sid, argv[0]);
-			if (!NT_STATUS_IS_OK(result))
-				goto done;	
-			result = enum_privileges_for_user( mem_ctx, cli, &pol, &sid );
+		if (argv[1] == NULL) {
+			result = enum_privileges( mem_ctx, cli, &pol );
+			goto done;
 		}
-		break;
-			
-	default:		
-		if ( argc > 1 ) {
-			d_printf("Usage: net rpc rights list [name|SID]\n");
-			result = NT_STATUS_OK;
+
+		while (argv[i] != NULL) {
+			result = enum_accounts_for_privilege(mem_ctx, cli, &pol, argv[i]);
+			if (!NT_STATUS_IS_OK(result)) {
+				goto done;
+			}
+			i++;
 		}
+		goto done;
 	}
 
+	/* special case to enuemrate all privileged SIDs 
+	   with associated rights */
 	
+	if (strequal( argv[0], "accounts")) {
+		int i = 1;
+
+		if (argv[1] == NULL) {
+			result = enum_privileges_for_accounts(mem_ctx, cli, &pol);
+			goto done;
+		}
 
+		while (argv[i] != NULL) {
+			result = name_to_sid(cli, mem_ctx, &sid, argv[i]);
+			if (!NT_STATUS_IS_OK(result)) {
+				goto done;
+			}
+			result = enum_privileges_for_user(mem_ctx, cli, &pol, &sid);
+			if (!NT_STATUS_IS_OK(result)) {
+				goto done;
+			}
+			i++;
+		}
+		goto done;
+	}
+
+	/* backward comaptibility: if no keyword provided, treat the key
+	   as an account name */
+	if (argc > 1) {
+		d_printf("Usage: net rpc rights list [accounts|privileges] [name|SID]\n");
+		result = NT_STATUS_OK;
+		goto done;
+	}
+
+	result = name_to_sid(cli, mem_ctx, &sid, argv[0]);
+	if (!NT_STATUS_IS_OK(result)) {
+		goto done;
+	}
+	result = enum_privileges_for_user( mem_ctx, cli, &pol, &sid );
 
 done:
 	cli_lsa_close(cli, mem_ctx, &pol);
-- 
cgit