search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
net_idmap: use wbcSet[U|G]idMapping() and wbcSet[U|G]idHwm() functions
[Samba.git] / source / utils / net_rpc_rights.c
blob7857dbcbafb6741ed0aaa5e59ba72adc540c3052
1 /*
2 Samba Unix/Linux SMB client library
3 Distributed SMB/CIFS Server Management Utility
4 Copyright (C) Gerald (Jerry) Carter 2004
5 Copyright (C) Guenther Deschner 2008
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>. */
19
20 #include "includes.h"
21 #include "utils/net.h"
22
23 /********************************************************************
24 ********************************************************************/
25
26 static NTSTATUS sid_to_name(struct rpc_pipe_client *pipe_hnd,
27 TALLOC_CTX *mem_ctx,
28 DOM_SID *sid,
29 fstring name)
30 {
31 POLICY_HND pol;
32 enum lsa_SidType *sid_types = NULL;
33 NTSTATUS result;
34 char **domains = NULL, **names = NULL;
35
36 result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, True,
37 SEC_RIGHTS_MAXIMUM_ALLOWED, &pol);
38
39 if ( !NT_STATUS_IS_OK(result) )
40 return result;
41
42 result = rpccli_lsa_lookup_sids(pipe_hnd, mem_ctx, &pol, 1, sid, &domains, &names, &sid_types);
43
44 if ( NT_STATUS_IS_OK(result) ) {
45 if ( *domains[0] )
46 fstr_sprintf( name, "%s\\%s", domains[0], names[0] );
47 else
48 fstrcpy( name, names[0] );
49 }
50
51 rpccli_lsa_Close(pipe_hnd, mem_ctx, &pol);
52 return result;
53 }
54
55 /********************************************************************
56 ********************************************************************/
57
58 static NTSTATUS name_to_sid(struct rpc_pipe_client *pipe_hnd,
59 TALLOC_CTX *mem_ctx,
60 DOM_SID *sid, const char *name)
61 {
62 POLICY_HND pol;
63 enum lsa_SidType *sid_types;
64 NTSTATUS result;
65 DOM_SID *sids;
66
67 /* maybe its a raw SID */
68 if ( strncmp(name, "S-", 2) == 0 && string_to_sid(sid, name) ) {
69 return NT_STATUS_OK;
70 }
71
72 result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, True,
73 SEC_RIGHTS_MAXIMUM_ALLOWED, &pol);
74
75 if ( !NT_STATUS_IS_OK(result) )
76 return result;
77
78 result = rpccli_lsa_lookup_names(pipe_hnd, mem_ctx, &pol, 1, &name,
79 NULL, 1, &sids, &sid_types);
80
81 if ( NT_STATUS_IS_OK(result) )
82 sid_copy( sid, &sids[0] );
83
84 rpccli_lsa_Close(pipe_hnd, mem_ctx, &pol);
85 return result;
86 }
87
88 /********************************************************************
89 ********************************************************************/
90
91 static NTSTATUS enum_privileges(struct rpc_pipe_client *pipe_hnd,
92 TALLOC_CTX *ctx,
93 POLICY_HND *pol )
94 {
95 NTSTATUS result;
96 uint32 enum_context = 0;
97 uint32 pref_max_length=0x1000;
98 int i;
99 uint16 lang_id=0;
100 uint16 lang_id_sys=0;
101 uint16 lang_id_desc;
102 struct lsa_StringLarge *description = NULL;
103 struct lsa_PrivArray priv_array;
104
105 result = rpccli_lsa_EnumPrivs(pipe_hnd, ctx,
106 pol,
107 &enum_context,
108 &priv_array,
109 pref_max_length);
110
111 if ( !NT_STATUS_IS_OK(result) )
112 return result;
113
114 /* Print results */
115
116 for (i = 0; i < priv_array.count; i++) {
117
118 struct lsa_String lsa_name;
119
120 d_printf("%30s ",
121 priv_array.privs[i].name.string ? priv_array.privs[i].name.string : "*unknown*" );
122
123 /* try to get the description */
124
125 init_lsa_String(&lsa_name, priv_array.privs[i].name.string);
126
127 result = rpccli_lsa_LookupPrivDisplayName(pipe_hnd, ctx,
128 pol,
129 &lsa_name,
130 lang_id,
131 lang_id_sys,
132 &description,
133 &lang_id_desc);
134
135 if (!NT_STATUS_IS_OK(result)) {
136 d_printf("??????\n");
137 continue;
138 }
139
140 d_printf("%s\n", description->string);
141 }
142
143 return NT_STATUS_OK;
144 }
145
146 /********************************************************************
147 ********************************************************************/
148
149 static NTSTATUS check_privilege_for_user(struct rpc_pipe_client *pipe_hnd,
150 TALLOC_CTX *ctx,
151 POLICY_HND *pol,
152 DOM_SID *sid,
153 const char *right)
154 {
155 NTSTATUS result;
156 struct lsa_RightSet rights;
157 int i;
158
159 result = rpccli_lsa_EnumAccountRights(pipe_hnd, ctx,
160 pol,
161 sid,
162 &rights);
163
164 if (!NT_STATUS_IS_OK(result)) {
165 return result;
166 }
167
168 if (rights.count == 0) {
169 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
170 }
171
172 for (i = 0; i < rights.count; i++) {
173 if (StrCaseCmp(rights.names[i].string, right) == 0) {
174 return NT_STATUS_OK;
175 }
176 }
177
178 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
179 }
180
181 /********************************************************************
182 ********************************************************************/
183
184 static NTSTATUS enum_privileges_for_user(struct rpc_pipe_client *pipe_hnd,
185 TALLOC_CTX *ctx,
186 POLICY_HND *pol,
187 DOM_SID *sid )
188 {
189 NTSTATUS result;
190 struct lsa_RightSet rights;
191 int i;
192
193 result = rpccli_lsa_EnumAccountRights(pipe_hnd, ctx,
194 pol,
195 sid,
196 &rights);
197
198 if (!NT_STATUS_IS_OK(result))
199 return result;
200
201 if (rights.count == 0) {
202 d_printf("No privileges assigned\n");
203 }
204
205 for (i = 0; i < rights.count; i++) {
206 printf("%s\n", rights.names[i].string);
207 }
208
209 return NT_STATUS_OK;
210 }
211
212 /********************************************************************
213 ********************************************************************/
214
215 static NTSTATUS enum_accounts_for_privilege(struct rpc_pipe_client *pipe_hnd,
216 TALLOC_CTX *ctx,
217 POLICY_HND *pol,
218 const char *privilege)
219 {
220 NTSTATUS result;
221 uint32 enum_context=0;
222 uint32 pref_max_length=0x1000;
223 struct lsa_SidArray sid_array;
224 int i;
225 fstring name;
226
227 result = rpccli_lsa_EnumAccounts(pipe_hnd, ctx,
228 pol,
229 &enum_context,
230 &sid_array,
231 pref_max_length);
232
233 if (!NT_STATUS_IS_OK(result))
234 return result;
235
236 d_printf("%s:\n", privilege);
237
238 for ( i=0; i<sid_array.num_sids; i++ ) {
239
240 result = check_privilege_for_user(pipe_hnd, ctx, pol,
241 sid_array.sids[i].sid,
242 privilege);
243
244 if ( ! NT_STATUS_IS_OK(result)) {
245 if ( ! NT_STATUS_EQUAL(result, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
246 return result;
247 }
248 continue;
249 }
250
251 /* try to convert the SID to a name. Fall back to
252 printing the raw SID if necessary */
253 result = sid_to_name( pipe_hnd, ctx, sid_array.sids[i].sid, name );
254 if ( !NT_STATUS_IS_OK (result) )
255 sid_to_fstring(name, sid_array.sids[i].sid);
256
257 d_printf(" %s\n", name);
258 }
259
260 return NT_STATUS_OK;
261 }
262
263 /********************************************************************
264 ********************************************************************/
265
266 static NTSTATUS enum_privileges_for_accounts(struct rpc_pipe_client *pipe_hnd,
267 TALLOC_CTX *ctx,
268 POLICY_HND *pol)
269 {
270 NTSTATUS result;
271 uint32 enum_context=0;
272 uint32 pref_max_length=0x1000;
273 struct lsa_SidArray sid_array;
274 int i;
275 fstring name;
276
277 result = rpccli_lsa_EnumAccounts(pipe_hnd, ctx,
278 pol,
279 &enum_context,
280 &sid_array,
281 pref_max_length);
282
283 if (!NT_STATUS_IS_OK(result))
284 return result;
285
286 for ( i=0; i<sid_array.num_sids; i++ ) {
287
288 /* try to convert the SID to a name. Fall back to
289 printing the raw SID if necessary */
290
291 result = sid_to_name(pipe_hnd, ctx, sid_array.sids[i].sid, name);
292 if ( !NT_STATUS_IS_OK (result) )
293 sid_to_fstring(name, sid_array.sids[i].sid);
294
295 d_printf("%s\n", name);
296
297 result = enum_privileges_for_user(pipe_hnd, ctx, pol,
298 sid_array.sids[i].sid);
299 if ( !NT_STATUS_IS_OK(result) )
300 return result;
301
302 d_printf("\n");
303 }
304
305 return NT_STATUS_OK;
306 }
307
308 /********************************************************************
309 ********************************************************************/
310
311 static NTSTATUS rpc_rights_list_internal(const DOM_SID *domain_sid,
312 const char *domain_name,
313 struct cli_state *cli,
314 struct rpc_pipe_client *pipe_hnd,
315 TALLOC_CTX *mem_ctx,
316 int argc,
317 const char **argv )
318 {
319 POLICY_HND pol;
320 NTSTATUS result;
321 DOM_SID sid;
322 fstring privname;
323 struct lsa_String lsa_name;
324 struct lsa_StringLarge *description = NULL;
325 uint16 lang_id = 0;
326 uint16 lang_id_sys = 0;
327 uint16 lang_id_desc;
328
329
330 result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, True,
331 SEC_RIGHTS_MAXIMUM_ALLOWED, &pol);
332
333 if ( !NT_STATUS_IS_OK(result) )
334 return result;
335
336 /* backwards compatibility; just list available privileges if no arguement */
337
338 if (argc == 0) {
339 result = enum_privileges(pipe_hnd, mem_ctx, &pol );
340 goto done;
341 }
342
343 if (strequal(argv[0], "privileges")) {
344 int i = 1;
345
346 if (argv[1] == NULL) {
347 result = enum_privileges(pipe_hnd, mem_ctx, &pol );
348 goto done;
349 }
350
351 while ( argv[i] != NULL ) {
352 fstrcpy(privname, argv[i]);
353 init_lsa_String(&lsa_name, argv[i]);
354 i++;
355
356 /* verify that this is a valid privilege for error reporting */
357 result = rpccli_lsa_LookupPrivDisplayName(pipe_hnd, mem_ctx,
358 &pol,
359 &lsa_name,
360 lang_id,
361 lang_id_sys,
362 &description,
363 &lang_id_desc);
364
365 if ( !NT_STATUS_IS_OK(result) ) {
366 if ( NT_STATUS_EQUAL( result, NT_STATUS_NO_SUCH_PRIVILEGE ) )
367 d_fprintf(stderr, "No such privilege exists: %s.\n", privname);
368 else
369 d_fprintf(stderr, "Error resolving privilege display name [%s].\n", nt_errstr(result));
370 continue;
371 }
372
373 result = enum_accounts_for_privilege(pipe_hnd, mem_ctx, &pol, privname);
374 if (!NT_STATUS_IS_OK(result)) {
375 d_fprintf(stderr, "Error enumerating accounts for privilege %s [%s].\n",
376 privname, nt_errstr(result));
377 continue;
378 }
379 }
380 goto done;
381 }
382
383 /* special case to enumerate all privileged SIDs with associated rights */
384
385 if (strequal( argv[0], "accounts")) {
386 int i = 1;
387
388 if (argv[1] == NULL) {
389 result = enum_privileges_for_accounts(pipe_hnd, mem_ctx, &pol);
390 goto done;
391 }
392
393 while (argv[i] != NULL) {
394 result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[i]);
395 if (!NT_STATUS_IS_OK(result)) {
396 goto done;
397 }
398 result = enum_privileges_for_user(pipe_hnd, mem_ctx, &pol, &sid);
399 if (!NT_STATUS_IS_OK(result)) {
400 goto done;
401 }
402 i++;
403 }
404 goto done;
405 }
406
407 /* backward comaptibility: if no keyword provided, treat the key
408 as an account name */
409 if (argc > 1) {
410 d_printf("Usage: net rpc rights list [[accounts|privileges] [name|SID]]\n");
411 result = NT_STATUS_OK;
412 goto done;
413 }
414
415 result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
416 if (!NT_STATUS_IS_OK(result)) {
417 goto done;
418 }
419 result = enum_privileges_for_user(pipe_hnd, mem_ctx, &pol, &sid );
420
421 done:
422 rpccli_lsa_Close(pipe_hnd, mem_ctx, &pol);
423
424 return result;
425 }
426
427 /********************************************************************
428 ********************************************************************/
429
430 static NTSTATUS rpc_rights_grant_internal(const DOM_SID *domain_sid,
431 const char *domain_name,
432 struct cli_state *cli,
433 struct rpc_pipe_client *pipe_hnd,
434 TALLOC_CTX *mem_ctx,
435 int argc,
436 const char **argv )
437 {
438 POLICY_HND dom_pol;
439 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
440 struct lsa_RightSet rights;
441 int i;
442
443 DOM_SID sid;
444
445 if (argc < 2 ) {
446 d_printf("Usage: net rpc rights grant <name|SID> <rights...>\n");
447 return NT_STATUS_OK;
448 }
449
450 result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
451 if (!NT_STATUS_IS_OK(result))
452 return result;
453
454 result = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, True,
455 SEC_RIGHTS_MAXIMUM_ALLOWED,
456 &dom_pol);
457
458 if (!NT_STATUS_IS_OK(result))
459 return result;
460
461 rights.count = argc-1;
462 rights.names = TALLOC_ARRAY(mem_ctx, struct lsa_StringLarge,
463 rights.count);
464 if (!rights.names) {
465 return NT_STATUS_NO_MEMORY;
466 }
467
468 for (i=0; i<argc-1; i++) {
469 init_lsa_StringLarge(&rights.names[i], argv[i+1]);
470 }
471
472 result = rpccli_lsa_AddAccountRights(pipe_hnd, mem_ctx,
473 &dom_pol,
474 &sid,
475 &rights);
476
477 if (!NT_STATUS_IS_OK(result))
478 goto done;
479
480 d_printf("Successfully granted rights.\n");
481
482 done:
483 if ( !NT_STATUS_IS_OK(result) ) {
484 d_fprintf(stderr, "Failed to grant privileges for %s (%s)\n",
485 argv[0], nt_errstr(result));
486 }
487
488 rpccli_lsa_Close(pipe_hnd, mem_ctx, &dom_pol);
489
490 return result;
491 }
492
493 /********************************************************************
494 ********************************************************************/
495
496 static NTSTATUS rpc_rights_revoke_internal(const DOM_SID *domain_sid,
497 const char *domain_name,
498 struct cli_state *cli,
499 struct rpc_pipe_client *pipe_hnd,
500 TALLOC_CTX *mem_ctx,
501 int argc,
502 const char **argv )
503 {
504 POLICY_HND dom_pol;
505 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
506 struct lsa_RightSet rights;
507 DOM_SID sid;
508 int i;
509
510 if (argc < 2 ) {
511 d_printf("Usage: net rpc rights revoke <name|SID> <rights...>\n");
512 return NT_STATUS_OK;
513 }
514
515 result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
516 if (!NT_STATUS_IS_OK(result))
517 return result;
518
519 result = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, True,
520 SEC_RIGHTS_MAXIMUM_ALLOWED,
521 &dom_pol);
522
523 if (!NT_STATUS_IS_OK(result))
524 return result;
525
526 rights.count = argc-1;
527 rights.names = TALLOC_ARRAY(mem_ctx, struct lsa_StringLarge,
528 rights.count);
529 if (!rights.names) {
530 return NT_STATUS_NO_MEMORY;
531 }
532
533 for (i=0; i<argc-1; i++) {
534 init_lsa_StringLarge(&rights.names[i], argv[i+1]);
535 }
536
537 result = rpccli_lsa_RemoveAccountRights(pipe_hnd, mem_ctx,
538 &dom_pol,
539 &sid,
540 false,
541 &rights);
542
543 if (!NT_STATUS_IS_OK(result))
544 goto done;
545
546 d_printf("Successfully revoked rights.\n");
547
548 done:
549 if ( !NT_STATUS_IS_OK(result) ) {
550 d_fprintf(stderr, "Failed to revoke privileges for %s (%s)\n",
551 argv[0], nt_errstr(result));
552 }
553
554 rpccli_lsa_Close(pipe_hnd, mem_ctx, &dom_pol);
555
556 return result;
557 }
558
559
560 /********************************************************************
561 ********************************************************************/
562
563 static int rpc_rights_list( int argc, const char **argv )
564 {
565 return run_rpc_command( NULL, PI_LSARPC, 0,
566 rpc_rights_list_internal, argc, argv );
567 }
568
569 /********************************************************************
570 ********************************************************************/
571
572 static int rpc_rights_grant( int argc, const char **argv )
573 {
574 return run_rpc_command( NULL, PI_LSARPC, 0,
575 rpc_rights_grant_internal, argc, argv );
576 }
577
578 /********************************************************************
579 ********************************************************************/
580
581 static int rpc_rights_revoke( int argc, const char **argv )
582 {
583 return run_rpc_command( NULL, PI_LSARPC, 0,
584 rpc_rights_revoke_internal, argc, argv );
585 }
586
587 /********************************************************************
588 ********************************************************************/
589
590 static int net_help_rights( int argc, const char **argv )
591 {
592 d_printf("net rpc rights list [{accounts|privileges} [name|SID]] View available or assigned privileges\n");
593 d_printf("net rpc rights grant <name|SID> <right> Assign privilege[s]\n");
594 d_printf("net rpc rights revoke <name|SID> <right> Revoke privilege[s]\n");
595
596 d_printf("\nBoth 'grant' and 'revoke' require a SID and a list of privilege names.\n");
597 d_printf("For example\n");
598 d_printf("\n net rpc rights grant 'VALE\\biddle' SePrintOperatorPrivilege SeDiskOperatorPrivilege\n");
599 d_printf("\nwould grant the printer admin and disk manager rights to the user 'VALE\\biddle'\n\n");
600
601
602 return -1;
603 }
604
605 /********************************************************************
606 ********************************************************************/
607
608 int net_rpc_rights(int argc, const char **argv)
609 {
610 struct functable func[] = {
611 {"list", rpc_rights_list},
612 {"grant", rpc_rights_grant},
613 {"revoke", rpc_rights_revoke},
614 {NULL, NULL}
615 };
616
617 if ( argc )
618 return net_run_function( argc, argv, func, net_help_rights );
619
620 return net_help_rights( argc, argv );
621 }
622
623 static NTSTATUS rpc_sh_rights_list(TALLOC_CTX *mem_ctx, struct rpc_sh_ctx *ctx,
624 struct rpc_pipe_client *pipe_hnd,
625 int argc, const char **argv)
626 {
627 return rpc_rights_list_internal(ctx->domain_sid, ctx->domain_name,
628 ctx->cli, pipe_hnd, mem_ctx,
629 argc, argv);
630 }
631
632 static NTSTATUS rpc_sh_rights_grant(TALLOC_CTX *mem_ctx,
633 struct rpc_sh_ctx *ctx,
634 struct rpc_pipe_client *pipe_hnd,
635 int argc, const char **argv)
636 {
637 return rpc_rights_grant_internal(ctx->domain_sid, ctx->domain_name,
638 ctx->cli, pipe_hnd, mem_ctx,
639 argc, argv);
640 }
641
642 static NTSTATUS rpc_sh_rights_revoke(TALLOC_CTX *mem_ctx,
643 struct rpc_sh_ctx *ctx,
644 struct rpc_pipe_client *pipe_hnd,
645 int argc, const char **argv)
646 {
647 return rpc_rights_revoke_internal(ctx->domain_sid, ctx->domain_name,
648 ctx->cli, pipe_hnd, mem_ctx,
649 argc, argv);
650 }
651
652 struct rpc_sh_cmd *net_rpc_rights_cmds(TALLOC_CTX *mem_ctx,
653 struct rpc_sh_ctx *ctx)
654 {
655 static struct rpc_sh_cmd cmds[] = {
656
657 { "list", NULL, PI_LSARPC, rpc_sh_rights_list,
658 "View available or assigned privileges" },
659
660 { "grant", NULL, PI_LSARPC, rpc_sh_rights_grant,
661 "Assign privilege[s]" },
662
663 { "revoke", NULL, PI_LSARPC, rpc_sh_rights_revoke,
664 "Revoke privilege[s]" },
665
666 { NULL, NULL, 0, NULL, NULL }
667 };
668
669 return cmds;
670 }
671
Samba GIT mirror