From 9f2e29799eac96068fa033bdc4a9df5a82ec470d Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 6 Mar 2006 15:22:00 +0000 Subject: r13864: Some cleanup and the samr set security object function client-side. Guenther (This used to be commit 0ae3fddf95a95ec8a2f4d52e1276c1721b33ddfd) --- source3/Makefile.in | 3 +- source3/libmsrpc/cac_samr.c | 4 +- source3/rpc_client/cli_samr.c | 39 +++++++++++- source3/rpc_parse/parse_samr.c | 15 +++++ source3/rpcclient/cmd_samr.c | 14 +++-- source3/rpcclient/display_sec.c | 43 +++++++++++++ source3/utils/net_rpc_printer.c | 130 ---------------------------------------- 7 files changed, 108 insertions(+), 140 deletions(-) (limited to 'source3') diff --git a/source3/Makefile.in b/source3/Makefile.in index bf565a80af..25cecf891b 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -573,7 +573,8 @@ NET_OBJ = $(NET_OBJ1) $(PARAM_OBJ) $(SECRETS_OBJ) $(LIBSMB_OBJ) \ $(LIBMSRPC_OBJ) $(IDMAP_OBJ) \ $(LIBADS_OBJ) $(LIBADS_SERVER_OBJ) $(POPT_LIB_OBJ) \ $(SMBLDAP_OBJ) $(DCUTIL_OBJ) $(SERVER_MUTEX_OBJ) \ - $(AFS_OBJ) $(AFS_SETTOKEN_OBJ) $(REGFIO_OBJ) $(READLINE_OBJ) + $(AFS_OBJ) $(AFS_SETTOKEN_OBJ) $(REGFIO_OBJ) $(READLINE_OBJ) \ + rpcclient/display_sec.o CUPS_OBJ = client/smbspool.o $(PARAM_OBJ) $(LIBSMB_OBJ) \ $(LIB_NONSMBD_OBJ) $(KRBCLIENT_OBJ) $(SECRETS_OBJ) diff --git a/source3/libmsrpc/cac_samr.c b/source3/libmsrpc/cac_samr.c index 7f39e76813..60c6562988 100644 --- a/source3/libmsrpc/cac_samr.c +++ b/source3/libmsrpc/cac_samr.c @@ -2343,7 +2343,7 @@ int cac_SamGetSecurityObject(CacServerHandle *hnd, TALLOC_CTX *mem_ctx, struct S struct rpc_pipe_client *pipe_hnd = NULL; /*this number taken from rpcclient/cmd_samr.c, I think it is the only supported level*/ - uint16 info_level = 4; + uint32 sec_info = DACL_SECURITY_INFORMATION; SEC_DESC_BUF *sec_out = NULL; 
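Review bot: The comment left above the changed declaration in cac_SamGetSecurityObject is now stale: it still reads `/*this number taken from rpcclient/cmd_samr.c, I think it is the only supported level*/`, but the variable is no longer an info level — `sec_info` is a SECURITY_INFORMATION bitmask selecting which parts of the descriptor are requested, and DACL_SECURITY_INFORMATION asks for the DACL only. Suggest replacing it with `/* SECURITY_INFORMATION mask: only the DACL is requested here */` so a reader does not look for a "level". The second cac_samr.c hunk only carries the rename through the rpccli_samr_query_sec_obj call and needs nothing further. cac_SamGetSecurityObject's body continues outside the hunk.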
@@ -2366,7 +2366,7 @@ int cac_SamGetSecurityObject(CacServerHandle *hnd, TALLOC_CTX *mem_ctx, struct S return CAC_FAILURE; } - hnd->status = rpccli_samr_query_sec_obj(pipe_hnd, mem_ctx, op->in.pol, info_level, mem_ctx, &sec_out); + hnd->status = rpccli_samr_query_sec_obj(pipe_hnd, mem_ctx, op->in.pol, sec_info, mem_ctx, &sec_out); if(!NT_STATUS_IS_OK(hnd->status)) return CAC_FAILURE; diff --git a/source3/rpc_client/cli_samr.c b/source3/rpc_client/cli_samr.c index adb61a48bb..07b876cc22 100644 --- a/source3/rpc_client/cli_samr.c +++ b/source3/rpc_client/cli_samr.c @@ -1808,7 +1808,7 @@ NTSTATUS rpccli_samr_remove_sid_foreign_domain(struct rpc_pipe_client *cli, /* Query user security object */ NTSTATUS rpccli_samr_query_sec_obj(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, - POLICY_HND *user_pol, uint16 switch_value, + POLICY_HND *user_pol, uint32 sec_info, TALLOC_CTX *ctx, SEC_DESC_BUF **sec_desc_buf) { prs_struct qbuf, rbuf; @@ -1823,7 +1823,7 @@ NTSTATUS rpccli_samr_query_sec_obj(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ /* Marshall data and send request */ - init_samr_q_query_sec_obj(&q, user_pol, switch_value); + init_samr_q_query_sec_obj(&q, user_pol, sec_info); CLI_DO_RPC(cli, mem_ctx, PI_SAMR, SAMR_QUERY_SEC_OBJECT, q, r, 
@@ -1840,6 +1840,41 @@ NTSTATUS rpccli_samr_query_sec_obj(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ return result; } +/* Set user security object */ + +NTSTATUS rpccli_samr_set_sec_obj(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, + POLICY_HND *user_pol, uint32 sec_info, + SEC_DESC_BUF *sec_desc_buf) +{ + prs_struct qbuf, rbuf; + SAMR_Q_SET_SEC_OBJ q; + SAMR_R_SET_SEC_OBJ r; + NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + + DEBUG(10,("cli_samr_set_sec_obj\n")); + + ZERO_STRUCT(q); + ZERO_STRUCT(r); + + /* Marshall data and send request */ + + init_samr_q_set_sec_obj(&q, user_pol, sec_info, sec_desc_buf); + + CLI_DO_RPC(cli, mem_ctx, PI_SAMR, SAMR_SET_SEC_OBJECT, + q, r, + qbuf, rbuf, + samr_io_q_set_sec_obj, + samr_io_r_set_sec_obj, + NT_STATUS_UNSUCCESSFUL); + + /* Return output parameters */ + + result = r.status; + + return result; +} + + /* Get domain password info */ NTSTATUS rpccli_samr_get_dom_pwinfo(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, diff --git a/source3/rpc_parse/parse_samr.c b/source3/rpc_parse/parse_samr.c index 49d0fb7d72..3147ae0028 100644 --- a/source3/rpc_parse/parse_samr.c +++ b/source3/rpc_parse/parse_samr.c @@ -918,6 +918,21 @@ BOOL samr_io_r_query_dom_info(const char *desc, SAMR_R_QUERY_DOMAIN_INFO * r_u, return True; } +/******************************************************************* +reads or writes a structure. +********************************************************************/ + +void init_samr_q_set_sec_obj(SAMR_Q_SET_SEC_OBJ * q_u, + POLICY_HND *pol, uint32 sec_info, SEC_DESC_BUF *buf) +{ + DEBUG(5, ("samr_init_samr_q_set_sec_obj\n")); + + q_u->pol = *pol; + q_u->sec_info = sec_info; + q_u->buf = buf; +} + + /******************************************************************* reads or writes a SAMR_R_SET_SEC_OBJ structure. ********************************************************************/ diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c index 82194c84c7..5e1f0c37dd 100644 
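Review bot: The new rpccli_samr_set_sec_obj has no contract beyond `/* Set user security object */`, and that line is narrower than what the function does: it accepts any SAM POLICY_HND (its query counterpart is also used on the domain handle via `-d` in cmd_samr.c), so `pol` would describe the parameter better than `user_pol`. Suggest a header comment stating that `sec_info` is the SECURITY_INFORMATION mask telling the server which parts of `sec_desc_buf` to apply, that `sec_desc_buf` is referenced rather than copied (init_samr_q_set_sec_obj stores the pointer, so it must stay valid until the request is marshalled), and that the return value is the status reported by the server. Given that this call rewrites the security descriptor of a SAM object, documenting those two inputs precisely is worth the few lines.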
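Review bot: The header comment on the new init_samr_q_set_sec_obj in parse_samr.c, `reads or writes a structure.`, is copied from the samr_io_ routines and describes the wrong thing — this function only fills in a SAMR_Q_SET_SEC_OBJ request. Suggest `inits a SAMR_Q_SET_SEC_OBJ structure.` plus one line noting that `buf` is stored by pointer, not copied, so the caller must keep the SEC_DESC_BUF alive until the request has been marshalled. `pol` is dereferenced unconditionally (`q_u->pol = *pol;`); if the neighbouring init_ functions guard against a NULL handle this one should match them, otherwise the comment can simply state that `pol` must be non-NULL.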
--- a/source3/rpcclient/cmd_samr.c +++ b/source3/rpcclient/cmd_samr.c @@ -1757,7 +1757,7 @@ static NTSTATUS cmd_samr_query_sec_obj(struct rpc_pipe_client *cli, { POLICY_HND connect_pol, domain_pol, user_pol, *pol; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - uint32 info_level = 4; + uint32 sec_info = DACL_SECURITY_INFORMATION; fstring server; uint32 user_rid = 0; TALLOC_CTX *ctx = NULL; @@ -1766,8 +1766,8 @@ static NTSTATUS cmd_samr_query_sec_obj(struct rpc_pipe_client *cli, ctx=talloc_init("cmd_samr_query_sec_obj"); - if ((argc < 1) || (argc > 2)) { - printf("Usage: %s [rid|-d]\n", argv[0]); + if ((argc < 1) || (argc > 3)) { + printf("Usage: %s [rid|-d] [sec_info]\n", argv[0]); printf("\tSpecify rid for security on user, -d for security on domain\n"); return NT_STATUS_OK; } @@ -1778,6 +1778,10 @@ static NTSTATUS cmd_samr_query_sec_obj(struct rpc_pipe_client *cli, else sscanf(argv[1], "%i", &user_rid); } + + if (argc == 3) { + sec_info = atoi(argv[2]); + } slprintf(server, sizeof(fstring)-1, "\\\\%s", cli->cli->desthost); strupper_m(server); @@ -1815,14 +1819,14 @@ static NTSTATUS cmd_samr_query_sec_obj(struct rpc_pipe_client *cli, /* Query SAM security object */ - result = rpccli_samr_query_sec_obj(cli, mem_ctx, pol, info_level, ctx, + result = rpccli_samr_query_sec_obj(cli, mem_ctx, pol, sec_info, ctx, &sec_desc_buf); if (!NT_STATUS_IS_OK(result)) goto done; display_sec_desc(sec_desc_buf->sec); - + rpccli_samr_close(cli, mem_ctx, &user_pol); rpccli_samr_close(cli, mem_ctx, &domain_pol); rpccli_samr_close(cli, mem_ctx, &connect_pol); diff --git a/source3/rpcclient/display_sec.c b/source3/rpcclient/display_sec.c index 2a93c915f1..bc735fa00c 100644 --- a/source3/rpcclient/display_sec.c +++ b/source3/rpcclient/display_sec.c 
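Review bot: `sec_info = atoi(argv[2]);` in the third cmd_samr.c hunk takes the new optional argument without validation: a non-numeric or empty string silently becomes 0 (a mask requesting no part of the descriptor), a negative value wraps into the uint32, and hex input such as 0x4 — the natural way to write a SECURITY_INFORMATION mask — is not accepted at all. Parse it with strtoul(…, 0) and fall back to the usage text on garbage, range error or a value that does not fit in uint32, as below. The usage line added in the previous hunk could also say what the value is, e.g. `printf("Usage: %s [rid|-d] [sec_info (SECURITY_INFORMATION mask, default DACL)]\n", argv[0]);`. cmd_samr_query_sec_obj's body continues outside the hunk.
```c
	if (argc == 3) {
		char *end = NULL;
		unsigned long v;

		errno = 0;
		v = strtoul(argv[2], &end, 0);
		if (end == argv[2] || *end != '\0' || errno == ERANGE || v > 0xffffffffUL) {
			printf("Usage: %s [rid|-d] [sec_info]\n", argv[0]);
			return NT_STATUS_OK;
		}
		sec_info = (uint32)v;
	}
	/* … unchanged: server name setup and connect … */
```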
@@ -115,6 +115,41 @@ void display_sec_acl(SEC_ACL *sec_acl) } +void display_acl_type(uint16 type) +{ + static fstring typestr=""; + + typestr[0] = 0; + + if (type & SEC_DESC_OWNER_DEFAULTED) /* 0x0001 */ + fstrcat(typestr, "SEC_DESC_OWNER_DEFAULTED "); + if (type & SEC_DESC_GROUP_DEFAULTED) /* 0x0002 */ + fstrcat(typestr, "SEC_DESC_GROUP_DEFAULTED "); + if (type & SEC_DESC_DACL_PRESENT) /* 0x0004 */ + fstrcat(typestr, "SEC_DESC_DACL_PRESENT "); + if (type & SEC_DESC_DACL_DEFAULTED) /* 0x0008 */ + fstrcat(typestr, "SEC_DESC_DACL_DEFAULTED "); + if (type & SEC_DESC_SACL_PRESENT) /* 0x0010 */ + fstrcat(typestr, "SEC_DESC_SACL_PRESENT "); + if (type & SEC_DESC_SACL_DEFAULTED) /* 0x0020 */ + fstrcat(typestr, "SEC_DESC_SACL_DEFAULTED "); + if (type & SEC_DESC_DACL_TRUSTED) /* 0x0040 */ + fstrcat(typestr, "SEC_DESC_DACL_TRUSTED "); + if (type & SEC_DESC_SERVER_SECURITY) /* 0x0080 */ + fstrcat(typestr, "SEC_DESC_SERVER_SECURITY "); + if (type & 0x0100) fstrcat(typestr, "0x0100 "); + if (type & 0x0200) fstrcat(typestr, "0x0200 "); + if (type & 0x0400) fstrcat(typestr, "0x0400 "); + if (type & 0x0800) fstrcat(typestr, "0x0800 "); + if (type & 0x1000) fstrcat(typestr, "0x1000 "); + if (type & 0x2000) fstrcat(typestr, "0x2000 "); + if (type & 0x4000) fstrcat(typestr, "0x4000 "); + if (type & SEC_DESC_SELF_RELATIVE) /* 0x8000 */ + fstrcat(typestr, "SEC_DESC_SELF_RELATIVE "); + + printf("type: 0x%04x: %s\n", type, typestr); +} + /**************************************************************************** display sec_desc structure ****************************************************************************/ @@ -122,6 +157,14 @@ void display_sec_desc(SEC_DESC *sec) { fstring sid_str; + if (!sec) { + printf("NULL\n"); + return; + } + + printf("revision: %d\n", sec->revision); + display_acl_type(sec->type); + if (sec->sacl) { printf("SACL\n"); display_sec_acl(sec->sacl); 
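Review bot: display_acl_type decodes the SEC_DESC control flags (SEC_DESC_OWNER_DEFAULTED through SEC_DESC_SELF_RELATIVE), not anything about an ACL, so the name misleads; `display_sec_desc_type` would match both what it prints and the call site in display_sec_desc. The text is also assembled in a `static fstring typestr` although the buffer never escapes the function, so a plain local `fstring typestr;` would avoid the shared static state. With every bit set the concatenated names total about 261 characters, which is more than an fstring holds (256 bytes, if I recall the Samba definition), so correctness of that corner case rests on fstrcat being the bounded safe_strcat wrapper and the tail is silently dropped; since the value is printed immediately, printing each matched flag name as it is found would remove the buffer and the limit altogether.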
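Review bot: The new `if (!sec)` guard in display_sec_desc changes observable behaviour for the `net` callers that previously used the copy deleted from net_rpc_printer.c, which `return`ed silently on a NULL descriptor; now that `net` links rpcclient/display_sec.o (Makefile hunk) and the local copy is gone, a NULL descriptor prints `NULL` instead. That is probably fine for a diagnostic tool, but a one-line comment above the guard, `/* rpcclient and net may pass a NULL descriptor; say so rather than print nothing */`, would stop the next reader from treating the check as dead code. display_sec_desc's body continues outside the hunk.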
diff --git a/source3/utils/net_rpc_printer.c b/source3/utils/net_rpc_printer.c index 5e282403a2..9bae6a9b4e 100644 --- a/source3/utils/net_rpc_printer.c +++ b/source3/utils/net_rpc_printer.c 
@@ -42,136 +42,6 @@ static const struct table_node archi_table[]= { }; -/** - * The display-functions for Security-Descriptors were taken from rpcclient - * - * They reside here for debugging purpose and should - * possibly be removed later on - * - **/ - -/**************************************************************************** - Convert a security permissions into a string. -****************************************************************************/ - -char *get_sec_mask_str(uint32 type) -{ - static fstring typestr=""; - - typestr[0] = 0; - - if (type & GENERIC_ALL_ACCESS) - fstrcat(typestr, "Generic all access "); - if (type & GENERIC_EXECUTE_ACCESS) - fstrcat(typestr, "Generic execute access "); - if (type & GENERIC_WRITE_ACCESS) - fstrcat(typestr, "Generic write access "); - if (type & GENERIC_READ_ACCESS) - fstrcat(typestr, "Generic read access "); - if (type & MAXIMUM_ALLOWED_ACCESS) - fstrcat(typestr, "MAXIMUM_ALLOWED_ACCESS "); - if (type & SYSTEM_SECURITY_ACCESS) - fstrcat(typestr, "SYSTEM_SECURITY_ACCESS "); - if (type & SYNCHRONIZE_ACCESS) - fstrcat(typestr, "SYNCHRONIZE_ACCESS "); - if (type & WRITE_OWNER_ACCESS) - fstrcat(typestr, "WRITE_OWNER_ACCESS "); - if (type & WRITE_DAC_ACCESS) - fstrcat(typestr, "WRITE_DAC_ACCESS "); - if (type & READ_CONTROL_ACCESS) - fstrcat(typestr, "READ_CONTROL_ACCESS "); - if (type & DELETE_ACCESS) - fstrcat(typestr, "DELETE_ACCESS "); - - printf("\t\tSpecific bits: 0x%lx\n", (unsigned long)type&SPECIFIC_RIGHTS_MASK); - - return typestr; -} - -/**************************************************************************** - Display sec_ace structure. 
- ****************************************************************************/ - -void display_sec_ace(SEC_ACE *ace) -{ - fstring sid_str; - - printf("\tACE\n\t\ttype: "); - switch (ace->type) { - case SEC_ACE_TYPE_ACCESS_ALLOWED: - printf("ACCESS ALLOWED"); - break; - case SEC_ACE_TYPE_ACCESS_DENIED: - printf("ACCESS DENIED"); - break; - case SEC_ACE_TYPE_SYSTEM_AUDIT: - printf("SYSTEM AUDIT"); - break; - case SEC_ACE_TYPE_SYSTEM_ALARM: - printf("SYSTEM ALARM"); - break; - default: - printf("????"); - break; - } - printf(" (%d) flags: %d\n", ace->type, ace->flags); - printf("\t\tPermissions: 0x%x: %s\n", ace->info.mask, get_sec_mask_str(ace->info.mask)); - - sid_to_string(sid_str, &ace->trustee); - printf("\t\tSID: %s\n\n", sid_str); -} - -/**************************************************************************** - Display sec_acl structure. - ****************************************************************************/ - -void display_sec_acl(SEC_ACL *sec_acl) -{ - int i; - - printf("\tACL\tNum ACEs:\t%d\trevision:\t%x\n", - sec_acl->num_aces, sec_acl->revision); - printf("\t---\n"); - - if (sec_acl->size != 0 && sec_acl->num_aces != 0) - for (i = 0; i < sec_acl->num_aces; i++) - display_sec_ace(&sec_acl->ace[i]); - -} - -/**************************************************************************** - Display sec_desc structure. - ****************************************************************************/ - -void display_sec_desc(SEC_DESC *sec) -{ - fstring sid_str; - - if (sec == NULL) - return; - - if (sec->sacl) { - printf("SACL\n"); - display_sec_acl(sec->sacl); - } - - if (sec->dacl) { - printf("DACL\n"); - display_sec_acl(sec->dacl); - } - - if (sec->owner_sid) { - sid_to_string(sid_str, sec->owner_sid); - printf("\tOwner SID:\t%s\n", sid_str); - } - - if (sec->grp_sid) { - sid_to_string(sid_str, sec->grp_sid); - printf("\tParent SID:\t%s\n", sid_str); - } -} - - /** * This display-printdriver-functions was borrowed from rpcclient/cmd_spoolss.c. 
* It is here for debugging purpose and should be removed later on. -- cgit