2 Samba Unix/Linux SMB client library
3 Distributed SMB/CIFS Server Management Utility
4 Copyright (C) Gerald (Jerry) Carter 2004
5 Copyright (C) Guenther Deschner 2008
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "utils/net.h"
23 /********************************************************************
24 ********************************************************************/
26 static NTSTATUS
sid_to_name(struct rpc_pipe_client
*pipe_hnd
,
31 struct policy_handle pol
;
32 enum lsa_SidType
*sid_types
= NULL
;
34 char **domains
= NULL
, **names
= NULL
;
36 result
= rpccli_lsa_open_policy(pipe_hnd
, mem_ctx
, true,
37 SEC_FLAG_MAXIMUM_ALLOWED
, &pol
);
39 if ( !NT_STATUS_IS_OK(result
) )
42 result
= rpccli_lsa_lookup_sids(pipe_hnd
, mem_ctx
, &pol
, 1, sid
, &domains
, &names
, &sid_types
);
44 if ( NT_STATUS_IS_OK(result
) ) {
46 fstr_sprintf( name
, "%s\\%s", domains
[0], names
[0] );
48 fstrcpy( name
, names
[0] );
51 rpccli_lsa_Close(pipe_hnd
, mem_ctx
, &pol
);
55 /********************************************************************
56 ********************************************************************/
58 static NTSTATUS
name_to_sid(struct rpc_pipe_client
*pipe_hnd
,
60 DOM_SID
*sid
, const char *name
)
62 struct policy_handle pol
;
63 enum lsa_SidType
*sid_types
;
67 /* maybe its a raw SID */
68 if ( strncmp(name
, "S-", 2) == 0 && string_to_sid(sid
, name
) ) {
72 result
= rpccli_lsa_open_policy(pipe_hnd
, mem_ctx
, true,
73 SEC_FLAG_MAXIMUM_ALLOWED
, &pol
);
75 if ( !NT_STATUS_IS_OK(result
) )
78 result
= rpccli_lsa_lookup_names(pipe_hnd
, mem_ctx
, &pol
, 1, &name
,
79 NULL
, 1, &sids
, &sid_types
);
81 if ( NT_STATUS_IS_OK(result
) )
82 sid_copy( sid
, &sids
[0] );
84 rpccli_lsa_Close(pipe_hnd
, mem_ctx
, &pol
);
88 /********************************************************************
89 ********************************************************************/
91 static NTSTATUS
enum_privileges(struct rpc_pipe_client
*pipe_hnd
,
93 struct policy_handle
*pol
)
96 uint32 enum_context
= 0;
97 uint32 pref_max_length
=0x1000;
100 uint16 lang_id_sys
=0;
102 struct lsa_StringLarge
*description
= NULL
;
103 struct lsa_PrivArray priv_array
;
105 result
= rpccli_lsa_EnumPrivs(pipe_hnd
, ctx
,
111 if ( !NT_STATUS_IS_OK(result
) )
116 for (i
= 0; i
< priv_array
.count
; i
++) {
118 struct lsa_String lsa_name
;
121 priv_array
.privs
[i
].name
.string
? priv_array
.privs
[i
].name
.string
: "*unknown*" );
123 /* try to get the description */
125 init_lsa_String(&lsa_name
, priv_array
.privs
[i
].name
.string
);
127 result
= rpccli_lsa_LookupPrivDisplayName(pipe_hnd
, ctx
,
135 if (!NT_STATUS_IS_OK(result
)) {
136 d_printf("??????\n");
140 d_printf("%s\n", description
->string
);
146 /********************************************************************
147 ********************************************************************/
149 static NTSTATUS
check_privilege_for_user(struct rpc_pipe_client
*pipe_hnd
,
151 struct policy_handle
*pol
,
156 struct lsa_RightSet rights
;
159 result
= rpccli_lsa_EnumAccountRights(pipe_hnd
, ctx
,
164 if (!NT_STATUS_IS_OK(result
)) {
168 if (rights
.count
== 0) {
169 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
172 for (i
= 0; i
< rights
.count
; i
++) {
173 if (StrCaseCmp(rights
.names
[i
].string
, right
) == 0) {
178 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
181 /********************************************************************
182 ********************************************************************/
184 static NTSTATUS
enum_privileges_for_user(struct rpc_pipe_client
*pipe_hnd
,
186 struct policy_handle
*pol
,
190 struct lsa_RightSet rights
;
193 result
= rpccli_lsa_EnumAccountRights(pipe_hnd
, ctx
,
198 if (!NT_STATUS_IS_OK(result
))
201 if (rights
.count
== 0) {
202 d_printf("No privileges assigned\n");
205 for (i
= 0; i
< rights
.count
; i
++) {
206 printf("%s\n", rights
.names
[i
].string
);
212 /********************************************************************
213 ********************************************************************/
215 static NTSTATUS
enum_accounts_for_privilege(struct rpc_pipe_client
*pipe_hnd
,
217 struct policy_handle
*pol
,
218 const char *privilege
)
221 uint32 enum_context
=0;
222 uint32 pref_max_length
=0x1000;
223 struct lsa_SidArray sid_array
;
227 result
= rpccli_lsa_EnumAccounts(pipe_hnd
, ctx
,
233 if (!NT_STATUS_IS_OK(result
))
236 d_printf("%s:\n", privilege
);
238 for ( i
=0; i
<sid_array
.num_sids
; i
++ ) {
240 result
= check_privilege_for_user(pipe_hnd
, ctx
, pol
,
241 sid_array
.sids
[i
].sid
,
244 if ( ! NT_STATUS_IS_OK(result
)) {
245 if ( ! NT_STATUS_EQUAL(result
, NT_STATUS_OBJECT_NAME_NOT_FOUND
)) {
251 /* try to convert the SID to a name. Fall back to
252 printing the raw SID if necessary */
253 result
= sid_to_name( pipe_hnd
, ctx
, sid_array
.sids
[i
].sid
, name
);
254 if ( !NT_STATUS_IS_OK (result
) )
255 sid_to_fstring(name
, sid_array
.sids
[i
].sid
);
257 d_printf(" %s\n", name
);
263 /********************************************************************
264 ********************************************************************/
266 static NTSTATUS
enum_privileges_for_accounts(struct rpc_pipe_client
*pipe_hnd
,
268 struct policy_handle
*pol
)
271 uint32 enum_context
=0;
272 uint32 pref_max_length
=0x1000;
273 struct lsa_SidArray sid_array
;
277 result
= rpccli_lsa_EnumAccounts(pipe_hnd
, ctx
,
283 if (!NT_STATUS_IS_OK(result
))
286 for ( i
=0; i
<sid_array
.num_sids
; i
++ ) {
288 /* try to convert the SID to a name. Fall back to
289 printing the raw SID if necessary */
291 result
= sid_to_name(pipe_hnd
, ctx
, sid_array
.sids
[i
].sid
, name
);
292 if ( !NT_STATUS_IS_OK (result
) )
293 sid_to_fstring(name
, sid_array
.sids
[i
].sid
);
295 d_printf("%s\n", name
);
297 result
= enum_privileges_for_user(pipe_hnd
, ctx
, pol
,
298 sid_array
.sids
[i
].sid
);
299 if ( !NT_STATUS_IS_OK(result
) )
308 /********************************************************************
309 ********************************************************************/
311 static NTSTATUS
rpc_rights_list_internal(struct net_context
*c
,
312 const DOM_SID
*domain_sid
,
313 const char *domain_name
,
314 struct cli_state
*cli
,
315 struct rpc_pipe_client
*pipe_hnd
,
320 struct policy_handle pol
;
324 struct lsa_String lsa_name
;
325 struct lsa_StringLarge
*description
= NULL
;
327 uint16 lang_id_sys
= 0;
330 result
= rpccli_lsa_open_policy(pipe_hnd
, mem_ctx
, true,
331 SEC_FLAG_MAXIMUM_ALLOWED
, &pol
);
333 if ( !NT_STATUS_IS_OK(result
) )
336 /* backwards compatibility; just list available privileges if no arguement */
339 result
= enum_privileges(pipe_hnd
, mem_ctx
, &pol
);
343 if (strequal(argv
[0], "privileges")) {
346 if (argv
[1] == NULL
) {
347 result
= enum_privileges(pipe_hnd
, mem_ctx
, &pol
);
351 while ( argv
[i
] != NULL
) {
352 fstrcpy(privname
, argv
[i
]);
353 init_lsa_String(&lsa_name
, argv
[i
]);
356 /* verify that this is a valid privilege for error reporting */
357 result
= rpccli_lsa_LookupPrivDisplayName(pipe_hnd
, mem_ctx
,
365 if ( !NT_STATUS_IS_OK(result
) ) {
366 if ( NT_STATUS_EQUAL( result
, NT_STATUS_NO_SUCH_PRIVILEGE
) )
367 d_fprintf(stderr
, "No such privilege exists: %s.\n", privname
);
369 d_fprintf(stderr
, "Error resolving privilege display name [%s].\n", nt_errstr(result
));
373 result
= enum_accounts_for_privilege(pipe_hnd
, mem_ctx
, &pol
, privname
);
374 if (!NT_STATUS_IS_OK(result
)) {
375 d_fprintf(stderr
, "Error enumerating accounts for privilege %s [%s].\n",
376 privname
, nt_errstr(result
));
383 /* special case to enumerate all privileged SIDs with associated rights */
385 if (strequal( argv
[0], "accounts")) {
388 if (argv
[1] == NULL
) {
389 result
= enum_privileges_for_accounts(pipe_hnd
, mem_ctx
, &pol
);
393 while (argv
[i
] != NULL
) {
394 result
= name_to_sid(pipe_hnd
, mem_ctx
, &sid
, argv
[i
]);
395 if (!NT_STATUS_IS_OK(result
)) {
398 result
= enum_privileges_for_user(pipe_hnd
, mem_ctx
, &pol
, &sid
);
399 if (!NT_STATUS_IS_OK(result
)) {
407 /* backward comaptibility: if no keyword provided, treat the key
408 as an account name */
410 d_printf("Usage: net rpc rights list [[accounts|privileges] [name|SID]]\n");
411 result
= NT_STATUS_OK
;
415 result
= name_to_sid(pipe_hnd
, mem_ctx
, &sid
, argv
[0]);
416 if (!NT_STATUS_IS_OK(result
)) {
419 result
= enum_privileges_for_user(pipe_hnd
, mem_ctx
, &pol
, &sid
);
422 rpccli_lsa_Close(pipe_hnd
, mem_ctx
, &pol
);
427 /********************************************************************
428 ********************************************************************/
430 static NTSTATUS
rpc_rights_grant_internal(struct net_context
*c
,
431 const DOM_SID
*domain_sid
,
432 const char *domain_name
,
433 struct cli_state
*cli
,
434 struct rpc_pipe_client
*pipe_hnd
,
439 struct policy_handle dom_pol
;
440 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
441 struct lsa_RightSet rights
;
447 d_printf("Usage: net rpc rights grant <name|SID> <rights...>\n");
451 result
= name_to_sid(pipe_hnd
, mem_ctx
, &sid
, argv
[0]);
452 if (NT_STATUS_EQUAL(result
, NT_STATUS_NONE_MAPPED
))
453 result
= NT_STATUS_NO_SUCH_USER
;
455 if (!NT_STATUS_IS_OK(result
))
458 result
= rpccli_lsa_open_policy2(pipe_hnd
, mem_ctx
, true,
459 SEC_FLAG_MAXIMUM_ALLOWED
,
462 if (!NT_STATUS_IS_OK(result
))
465 rights
.count
= argc
-1;
466 rights
.names
= TALLOC_ARRAY(mem_ctx
, struct lsa_StringLarge
,
469 return NT_STATUS_NO_MEMORY
;
472 for (i
=0; i
<argc
-1; i
++) {
473 init_lsa_StringLarge(&rights
.names
[i
], argv
[i
+1]);
476 result
= rpccli_lsa_AddAccountRights(pipe_hnd
, mem_ctx
,
481 if (!NT_STATUS_IS_OK(result
))
484 d_printf("Successfully granted rights.\n");
487 if ( !NT_STATUS_IS_OK(result
) ) {
488 d_fprintf(stderr
, "Failed to grant privileges for %s (%s)\n",
489 argv
[0], nt_errstr(result
));
492 rpccli_lsa_Close(pipe_hnd
, mem_ctx
, &dom_pol
);
497 /********************************************************************
498 ********************************************************************/
500 static NTSTATUS
rpc_rights_revoke_internal(struct net_context
*c
,
501 const DOM_SID
*domain_sid
,
502 const char *domain_name
,
503 struct cli_state
*cli
,
504 struct rpc_pipe_client
*pipe_hnd
,
509 struct policy_handle dom_pol
;
510 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
511 struct lsa_RightSet rights
;
516 d_printf("Usage: net rpc rights revoke <name|SID> <rights...>\n");
520 result
= name_to_sid(pipe_hnd
, mem_ctx
, &sid
, argv
[0]);
521 if (!NT_STATUS_IS_OK(result
))
524 result
= rpccli_lsa_open_policy2(pipe_hnd
, mem_ctx
, true,
525 SEC_FLAG_MAXIMUM_ALLOWED
,
528 if (!NT_STATUS_IS_OK(result
))
531 rights
.count
= argc
-1;
532 rights
.names
= TALLOC_ARRAY(mem_ctx
, struct lsa_StringLarge
,
535 return NT_STATUS_NO_MEMORY
;
538 for (i
=0; i
<argc
-1; i
++) {
539 init_lsa_StringLarge(&rights
.names
[i
], argv
[i
+1]);
542 result
= rpccli_lsa_RemoveAccountRights(pipe_hnd
, mem_ctx
,
548 if (!NT_STATUS_IS_OK(result
))
551 d_printf("Successfully revoked rights.\n");
554 if ( !NT_STATUS_IS_OK(result
) ) {
555 d_fprintf(stderr
, "Failed to revoke privileges for %s (%s)\n",
556 argv
[0], nt_errstr(result
));
559 rpccli_lsa_Close(pipe_hnd
, mem_ctx
, &dom_pol
);
565 /********************************************************************
566 ********************************************************************/
568 static int rpc_rights_list(struct net_context
*c
, int argc
, const char **argv
)
570 if (c
->display_usage
) {
572 "net rpc rights list [{accounts|privileges} "
574 " View available/assigned privileges\n");
578 return run_rpc_command(c
, NULL
, &ndr_table_lsarpc
.syntax_id
, 0,
579 rpc_rights_list_internal
, argc
, argv
);
582 /********************************************************************
583 ********************************************************************/
585 static int rpc_rights_grant(struct net_context
*c
, int argc
, const char **argv
)
587 if (c
->display_usage
) {
589 "net rpc rights grant <name|SID> <right>\n"
590 " Assign privilege[s]\n");
591 d_printf("For example:\n");
592 d_printf(" net rpc rights grant 'VALE\\biddle' "
593 "SePrintOperatorPrivilege SeDiskOperatorPrivilege\n");
594 d_printf(" would grant the printer admin and disk manager "
595 "rights to the user 'VALE\\biddle'\n");
599 return run_rpc_command(c
, NULL
, &ndr_table_lsarpc
.syntax_id
, 0,
600 rpc_rights_grant_internal
, argc
, argv
);
603 /********************************************************************
604 ********************************************************************/
606 static int rpc_rights_revoke(struct net_context
*c
, int argc
, const char **argv
)
608 if (c
->display_usage
) {
610 "net rpc rights revoke <name|SID> <right>\n"
611 " Revoke privilege[s]\n");
612 d_printf("For example:\n");
613 d_printf(" net rpc rights revoke 'VALE\\biddle' "
614 "SePrintOperatorPrivilege SeDiskOperatorPrivilege\n");
615 d_printf(" would revoke the printer admin and disk manager "
616 "rights from the user 'VALE\\biddle'\n");
620 return run_rpc_command(c
, NULL
, &ndr_table_lsarpc
.syntax_id
, 0,
621 rpc_rights_revoke_internal
, argc
, argv
);
624 /********************************************************************
625 ********************************************************************/
627 int net_rpc_rights(struct net_context
*c
, int argc
, const char **argv
)
629 struct functable func
[] = {
634 "View available/assigned privileges",
635 "net rpc rights list\n"
636 " View available/assigned privileges"
642 "Assign privilege[s]",
643 "net rpc rights grant\n"
644 " Assign privilege[s]"
650 "Revoke privilege[s]",
651 "net rpc rights revoke\n"
652 " Revoke privilege[s]"
654 {NULL
, NULL
, 0, NULL
, NULL
}
657 return net_run_function(c
, argc
, argv
, "net rpc rights", func
);
660 static NTSTATUS
rpc_sh_rights_list(struct net_context
*c
,
661 TALLOC_CTX
*mem_ctx
, struct rpc_sh_ctx
*ctx
,
662 struct rpc_pipe_client
*pipe_hnd
,
663 int argc
, const char **argv
)
665 return rpc_rights_list_internal(c
, ctx
->domain_sid
, ctx
->domain_name
,
666 ctx
->cli
, pipe_hnd
, mem_ctx
,
670 static NTSTATUS
rpc_sh_rights_grant(struct net_context
*c
,
672 struct rpc_sh_ctx
*ctx
,
673 struct rpc_pipe_client
*pipe_hnd
,
674 int argc
, const char **argv
)
676 return rpc_rights_grant_internal(c
, ctx
->domain_sid
, ctx
->domain_name
,
677 ctx
->cli
, pipe_hnd
, mem_ctx
,
681 static NTSTATUS
rpc_sh_rights_revoke(struct net_context
*c
,
683 struct rpc_sh_ctx
*ctx
,
684 struct rpc_pipe_client
*pipe_hnd
,
685 int argc
, const char **argv
)
687 return rpc_rights_revoke_internal(c
, ctx
->domain_sid
, ctx
->domain_name
,
688 ctx
->cli
, pipe_hnd
, mem_ctx
,
692 struct rpc_sh_cmd
*net_rpc_rights_cmds(struct net_context
*c
, TALLOC_CTX
*mem_ctx
,
693 struct rpc_sh_ctx
*ctx
)
695 static struct rpc_sh_cmd cmds
[] = {
697 { "list", NULL
, &ndr_table_lsarpc
.syntax_id
, rpc_sh_rights_list
,
698 "View available or assigned privileges" },
700 { "grant", NULL
, &ndr_table_lsarpc
.syntax_id
, rpc_sh_rights_grant
,
701 "Assign privilege[s]" },
703 { "revoke", NULL
, &ndr_table_lsarpc
.syntax_id
, rpc_sh_rights_revoke
,
704 "Revoke privilege[s]" },
706 { NULL
, NULL
, 0, NULL
, NULL
}