search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4-ldb: fixed call argument order for ldb_dn_from_ldb_val
[Samba/cd1.git] / source3 / utils / net_rpc_rights.c
blobdefed479149f4e3416cab20cff9226ecd02eb877
1 /*
2 Samba Unix/Linux SMB client library
3 Distributed SMB/CIFS Server Management Utility
4 Copyright (C) Gerald (Jerry) Carter 2004
5 Copyright (C) Guenther Deschner 2008
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20 #include "includes.h"
21 #include "utils/net.h"
22
23 /********************************************************************
24 ********************************************************************/
25
26 static NTSTATUS sid_to_name(struct rpc_pipe_client *pipe_hnd,
27 TALLOC_CTX *mem_ctx,
28 DOM_SID *sid,
29 fstring name)
30 {
31 struct policy_handle pol;
32 enum lsa_SidType *sid_types = NULL;
33 NTSTATUS result;
34 char **domains = NULL, **names = NULL;
35
36 result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
37 SEC_FLAG_MAXIMUM_ALLOWED, &pol);
38
39 if ( !NT_STATUS_IS_OK(result) )
40 return result;
41
42 result = rpccli_lsa_lookup_sids(pipe_hnd, mem_ctx, &pol, 1, sid, &domains, &names, &sid_types);
43
44 if ( NT_STATUS_IS_OK(result) ) {
45 if ( *domains[0] )
46 fstr_sprintf( name, "%s\\%s", domains[0], names[0] );
47 else
48 fstrcpy( name, names[0] );
49 }
50
51 rpccli_lsa_Close(pipe_hnd, mem_ctx, &pol);
52 return result;
53 }
54
55 /********************************************************************
56 ********************************************************************/
57
58 static NTSTATUS name_to_sid(struct rpc_pipe_client *pipe_hnd,
59 TALLOC_CTX *mem_ctx,
60 DOM_SID *sid, const char *name)
61 {
62 struct policy_handle pol;
63 enum lsa_SidType *sid_types;
64 NTSTATUS result;
65 DOM_SID *sids;
66
67 /* maybe its a raw SID */
68 if ( strncmp(name, "S-", 2) == 0 && string_to_sid(sid, name) ) {
69 return NT_STATUS_OK;
70 }
71
72 result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
73 SEC_FLAG_MAXIMUM_ALLOWED, &pol);
74
75 if ( !NT_STATUS_IS_OK(result) )
76 return result;
77
78 result = rpccli_lsa_lookup_names(pipe_hnd, mem_ctx, &pol, 1, &name,
79 NULL, 1, &sids, &sid_types);
80
81 if ( NT_STATUS_IS_OK(result) )
82 sid_copy( sid, &sids[0] );
83
84 rpccli_lsa_Close(pipe_hnd, mem_ctx, &pol);
85 return result;
86 }
87
88 /********************************************************************
89 ********************************************************************/
90
91 static NTSTATUS enum_privileges(struct rpc_pipe_client *pipe_hnd,
92 TALLOC_CTX *ctx,
93 struct policy_handle *pol )
94 {
95 NTSTATUS result;
96 uint32 enum_context = 0;
97 uint32 pref_max_length=0x1000;
98 int i;
99 uint16 lang_id=0;
100 uint16 lang_id_sys=0;
101 uint16 lang_id_desc;
102 struct lsa_StringLarge *description = NULL;
103 struct lsa_PrivArray priv_array;
104
105 result = rpccli_lsa_EnumPrivs(pipe_hnd, ctx,
106 pol,
107 &enum_context,
108 &priv_array,
109 pref_max_length);
110
111 if ( !NT_STATUS_IS_OK(result) )
112 return result;
113
114 /* Print results */
115
116 for (i = 0; i < priv_array.count; i++) {
117
118 struct lsa_String lsa_name;
119
120 d_printf("%30s ",
121 priv_array.privs[i].name.string ? priv_array.privs[i].name.string : "*unknown*" );
122
123 /* try to get the description */
124
125 init_lsa_String(&lsa_name, priv_array.privs[i].name.string);
126
127 result = rpccli_lsa_LookupPrivDisplayName(pipe_hnd, ctx,
128 pol,
129 &lsa_name,
130 lang_id,
131 lang_id_sys,
132 &description,
133 &lang_id_desc);
134
135 if (!NT_STATUS_IS_OK(result)) {
136 d_printf("??????\n");
137 continue;
138 }
139
140 d_printf("%s\n", description->string);
141 }
142
143 return NT_STATUS_OK;
144 }
145
146 /********************************************************************
147 ********************************************************************/
148
149 static NTSTATUS check_privilege_for_user(struct rpc_pipe_client *pipe_hnd,
150 TALLOC_CTX *ctx,
151 struct policy_handle *pol,
152 DOM_SID *sid,
153 const char *right)
154 {
155 NTSTATUS result;
156 struct lsa_RightSet rights;
157 int i;
158
159 result = rpccli_lsa_EnumAccountRights(pipe_hnd, ctx,
160 pol,
161 sid,
162 &rights);
163
164 if (!NT_STATUS_IS_OK(result)) {
165 return result;
166 }
167
168 if (rights.count == 0) {
169 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
170 }
171
172 for (i = 0; i < rights.count; i++) {
173 if (StrCaseCmp(rights.names[i].string, right) == 0) {
174 return NT_STATUS_OK;
175 }
176 }
177
178 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
179 }
180
181 /********************************************************************
182 ********************************************************************/
183
184 static NTSTATUS enum_privileges_for_user(struct rpc_pipe_client *pipe_hnd,
185 TALLOC_CTX *ctx,
186 struct policy_handle *pol,
187 DOM_SID *sid )
188 {
189 NTSTATUS result;
190 struct lsa_RightSet rights;
191 int i;
192
193 result = rpccli_lsa_EnumAccountRights(pipe_hnd, ctx,
194 pol,
195 sid,
196 &rights);
197
198 if (!NT_STATUS_IS_OK(result))
199 return result;
200
201 if (rights.count == 0) {
202 d_printf(_("No privileges assigned\n"));
203 }
204
205 for (i = 0; i < rights.count; i++) {
206 printf("%s\n", rights.names[i].string);
207 }
208
209 return NT_STATUS_OK;
210 }
211
212 /********************************************************************
213 ********************************************************************/
214
215 static NTSTATUS enum_accounts_for_privilege(struct rpc_pipe_client *pipe_hnd,
216 TALLOC_CTX *ctx,
217 struct policy_handle *pol,
218 const char *privilege)
219 {
220 NTSTATUS result;
221 uint32 enum_context=0;
222 uint32 pref_max_length=0x1000;
223 struct lsa_SidArray sid_array;
224 int i;
225 fstring name;
226
227 result = rpccli_lsa_EnumAccounts(pipe_hnd, ctx,
228 pol,
229 &enum_context,
230 &sid_array,
231 pref_max_length);
232
233 if (!NT_STATUS_IS_OK(result))
234 return result;
235
236 d_printf("%s:\n", privilege);
237
238 for ( i=0; i<sid_array.num_sids; i++ ) {
239
240 result = check_privilege_for_user(pipe_hnd, ctx, pol,
241 sid_array.sids[i].sid,
242 privilege);
243
244 if ( ! NT_STATUS_IS_OK(result)) {
245 if ( ! NT_STATUS_EQUAL(result, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
246 return result;
247 }
248 continue;
249 }
250
251 /* try to convert the SID to a name. Fall back to
252 printing the raw SID if necessary */
253 result = sid_to_name( pipe_hnd, ctx, sid_array.sids[i].sid, name );
254 if ( !NT_STATUS_IS_OK (result) )
255 sid_to_fstring(name, sid_array.sids[i].sid);
256
257 d_printf(" %s\n", name);
258 }
259
260 return NT_STATUS_OK;
261 }
262
263 /********************************************************************
264 ********************************************************************/
265
266 static NTSTATUS enum_privileges_for_accounts(struct rpc_pipe_client *pipe_hnd,
267 TALLOC_CTX *ctx,
268 struct policy_handle *pol)
269 {
270 NTSTATUS result;
271 uint32 enum_context=0;
272 uint32 pref_max_length=0x1000;
273 struct lsa_SidArray sid_array;
274 int i;
275 fstring name;
276
277 result = rpccli_lsa_EnumAccounts(pipe_hnd, ctx,
278 pol,
279 &enum_context,
280 &sid_array,
281 pref_max_length);
282
283 if (!NT_STATUS_IS_OK(result))
284 return result;
285
286 for ( i=0; i<sid_array.num_sids; i++ ) {
287
288 /* try to convert the SID to a name. Fall back to
289 printing the raw SID if necessary */
290
291 result = sid_to_name(pipe_hnd, ctx, sid_array.sids[i].sid, name);
292 if ( !NT_STATUS_IS_OK (result) )
293 sid_to_fstring(name, sid_array.sids[i].sid);
294
295 d_printf("%s\n", name);
296
297 result = enum_privileges_for_user(pipe_hnd, ctx, pol,
298 sid_array.sids[i].sid);
299 if ( !NT_STATUS_IS_OK(result) )
300 return result;
301
302 d_printf("\n");
303 }
304
305 return NT_STATUS_OK;
306 }
307
308 /********************************************************************
309 ********************************************************************/
310
311 static NTSTATUS rpc_rights_list_internal(struct net_context *c,
312 const DOM_SID *domain_sid,
313 const char *domain_name,
314 struct cli_state *cli,
315 struct rpc_pipe_client *pipe_hnd,
316 TALLOC_CTX *mem_ctx,
317 int argc,
318 const char **argv )
319 {
320 struct policy_handle pol;
321 NTSTATUS result;
322 DOM_SID sid;
323 fstring privname;
324 struct lsa_String lsa_name;
325 struct lsa_StringLarge *description = NULL;
326 uint16 lang_id = 0;
327 uint16 lang_id_sys = 0;
328 uint16 lang_id_desc;
329
330 result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
331 SEC_FLAG_MAXIMUM_ALLOWED, &pol);
332
333 if ( !NT_STATUS_IS_OK(result) )
334 return result;
335
336 /* backwards compatibility; just list available privileges if no arguement */
337
338 if (argc == 0) {
339 result = enum_privileges(pipe_hnd, mem_ctx, &pol );
340 goto done;
341 }
342
343 if (strequal(argv[0], "privileges")) {
344 int i = 1;
345
346 if (argv[1] == NULL) {
347 result = enum_privileges(pipe_hnd, mem_ctx, &pol );
348 goto done;
349 }
350
351 while ( argv[i] != NULL ) {
352 fstrcpy(privname, argv[i]);
353 init_lsa_String(&lsa_name, argv[i]);
354 i++;
355
356 /* verify that this is a valid privilege for error reporting */
357 result = rpccli_lsa_LookupPrivDisplayName(pipe_hnd, mem_ctx,
358 &pol,
359 &lsa_name,
360 lang_id,
361 lang_id_sys,
362 &description,
363 &lang_id_desc);
364
365 if ( !NT_STATUS_IS_OK(result) ) {
366 if ( NT_STATUS_EQUAL( result, NT_STATUS_NO_SUCH_PRIVILEGE ) )
367 d_fprintf(stderr, _("No such privilege "
368 "exists: %s.\n"), privname);
369 else
370 d_fprintf(stderr, _("Error resolving "
371 "privilege display name "
372 "[%s].\n"),
373 nt_errstr(result));
374 continue;
375 }
376
377 result = enum_accounts_for_privilege(pipe_hnd, mem_ctx, &pol, privname);
378 if (!NT_STATUS_IS_OK(result)) {
379 d_fprintf(stderr, _("Error enumerating "
380 "accounts for privilege %s [%s].\n"),
381 privname, nt_errstr(result));
382 continue;
383 }
384 }
385 goto done;
386 }
387
388 /* special case to enumerate all privileged SIDs with associated rights */
389
390 if (strequal( argv[0], "accounts")) {
391 int i = 1;
392
393 if (argv[1] == NULL) {
394 result = enum_privileges_for_accounts(pipe_hnd, mem_ctx, &pol);
395 goto done;
396 }
397
398 while (argv[i] != NULL) {
399 result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[i]);
400 if (!NT_STATUS_IS_OK(result)) {
401 goto done;
402 }
403 result = enum_privileges_for_user(pipe_hnd, mem_ctx, &pol, &sid);
404 if (!NT_STATUS_IS_OK(result)) {
405 goto done;
406 }
407 i++;
408 }
409 goto done;
410 }
411
412 /* backward comaptibility: if no keyword provided, treat the key
413 as an account name */
414 if (argc > 1) {
415 d_printf(_("Usage: net rpc rights list [[accounts|privileges] "
416 "[name|SID]]\n"));
417 result = NT_STATUS_OK;
418 goto done;
419 }
420
421 result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
422 if (!NT_STATUS_IS_OK(result)) {
423 goto done;
424 }
425 result = enum_privileges_for_user(pipe_hnd, mem_ctx, &pol, &sid );
426
427 done:
428 rpccli_lsa_Close(pipe_hnd, mem_ctx, &pol);
429
430 return result;
431 }
432
433 /********************************************************************
434 ********************************************************************/
435
436 static NTSTATUS rpc_rights_grant_internal(struct net_context *c,
437 const DOM_SID *domain_sid,
438 const char *domain_name,
439 struct cli_state *cli,
440 struct rpc_pipe_client *pipe_hnd,
441 TALLOC_CTX *mem_ctx,
442 int argc,
443 const char **argv )
444 {
445 struct policy_handle dom_pol;
446 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
447 struct lsa_RightSet rights;
448 int i;
449
450 DOM_SID sid;
451
452 if (argc < 2 ) {
453 d_printf(_("Usage: net rpc rights grant <name|SID> "
454 "<rights...>\n"));
455 return NT_STATUS_OK;
456 }
457
458 result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
459 if (NT_STATUS_EQUAL(result, NT_STATUS_NONE_MAPPED))
460 result = NT_STATUS_NO_SUCH_USER;
461
462 if (!NT_STATUS_IS_OK(result))
463 goto done;
464
465 result = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, true,
466 SEC_FLAG_MAXIMUM_ALLOWED,
467 &dom_pol);
468
469 if (!NT_STATUS_IS_OK(result))
470 return result;
471
472 rights.count = argc-1;
473 rights.names = TALLOC_ARRAY(mem_ctx, struct lsa_StringLarge,
474 rights.count);
475 if (!rights.names) {
476 return NT_STATUS_NO_MEMORY;
477 }
478
479 for (i=0; i<argc-1; i++) {
480 init_lsa_StringLarge(&rights.names[i], argv[i+1]);
481 }
482
483 result = rpccli_lsa_AddAccountRights(pipe_hnd, mem_ctx,
484 &dom_pol,
485 &sid,
486 &rights);
487
488 if (!NT_STATUS_IS_OK(result))
489 goto done;
490
491 d_printf(_("Successfully granted rights.\n"));
492
493 done:
494 if ( !NT_STATUS_IS_OK(result) ) {
495 d_fprintf(stderr, _("Failed to grant privileges for %s (%s)\n"),
496 argv[0], nt_errstr(result));
497 }
498
499 rpccli_lsa_Close(pipe_hnd, mem_ctx, &dom_pol);
500
501 return result;
502 }
503
504 /********************************************************************
505 ********************************************************************/
506
507 static NTSTATUS rpc_rights_revoke_internal(struct net_context *c,
508 const DOM_SID *domain_sid,
509 const char *domain_name,
510 struct cli_state *cli,
511 struct rpc_pipe_client *pipe_hnd,
512 TALLOC_CTX *mem_ctx,
513 int argc,
514 const char **argv )
515 {
516 struct policy_handle dom_pol;
517 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
518 struct lsa_RightSet rights;
519 DOM_SID sid;
520 int i;
521
522 if (argc < 2 ) {
523 d_printf(_("Usage: net rpc rights revoke <name|SID> "
524 "<rights...>\n"));
525 return NT_STATUS_OK;
526 }
527
528 result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
529 if (!NT_STATUS_IS_OK(result))
530 return result;
531
532 result = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, true,
533 SEC_FLAG_MAXIMUM_ALLOWED,
534 &dom_pol);
535
536 if (!NT_STATUS_IS_OK(result))
537 return result;
538
539 rights.count = argc-1;
540 rights.names = TALLOC_ARRAY(mem_ctx, struct lsa_StringLarge,
541 rights.count);
542 if (!rights.names) {
543 return NT_STATUS_NO_MEMORY;
544 }
545
546 for (i=0; i<argc-1; i++) {
547 init_lsa_StringLarge(&rights.names[i], argv[i+1]);
548 }
549
550 result = rpccli_lsa_RemoveAccountRights(pipe_hnd, mem_ctx,
551 &dom_pol,
552 &sid,
553 false,
554 &rights);
555
556 if (!NT_STATUS_IS_OK(result))
557 goto done;
558
559 d_printf(_("Successfully revoked rights.\n"));
560
561 done:
562 if ( !NT_STATUS_IS_OK(result) ) {
563 d_fprintf(stderr,_("Failed to revoke privileges for %s (%s)\n"),
564 argv[0], nt_errstr(result));
565 }
566
567 rpccli_lsa_Close(pipe_hnd, mem_ctx, &dom_pol);
568
569 return result;
570 }
571
572
573 /********************************************************************
574 ********************************************************************/
575
576 static int rpc_rights_list(struct net_context *c, int argc, const char **argv )
577 {
578 if (c->display_usage) {
579 d_printf(_("Usage:\n"
580 "net rpc rights list [{accounts|privileges} "
581 "[name|SID]]\n"
582 " View available/assigned privileges\n"));
583 return 0;
584 }
585
586 return run_rpc_command(c, NULL, &ndr_table_lsarpc.syntax_id, 0,
587 rpc_rights_list_internal, argc, argv );
588 }
589
590 /********************************************************************
591 ********************************************************************/
592
593 static int rpc_rights_grant(struct net_context *c, int argc, const char **argv )
594 {
595 if (c->display_usage) {
596 d_printf(_("Usage:\n"
597 "net rpc rights grant <name|SID> <right>\n"
598 " Assign privilege[s]\n"));
599 d_printf(_("For example:\n"
600 " net rpc rights grant 'VALE\\biddle' "
601 "SePrintOperatorPrivilege SeDiskOperatorPrivilege\n"
602 " would grant the printer admin and disk manager "
603 "rights to the user 'VALE\\biddle'\n"));
604 return 0;
605 }
606
607 return run_rpc_command(c, NULL, &ndr_table_lsarpc.syntax_id, 0,
608 rpc_rights_grant_internal, argc, argv );
609 }
610
611 /********************************************************************
612 ********************************************************************/
613
614 static int rpc_rights_revoke(struct net_context *c, int argc, const char **argv)
615 {
616 if (c->display_usage) {
617 d_printf(_("Usage:\n"
618 "net rpc rights revoke <name|SID> <right>\n"
619 " Revoke privilege[s]\n"));
620 d_printf(_("For example:\n"
621 " net rpc rights revoke 'VALE\\biddle' "
622 "SePrintOperatorPrivilege SeDiskOperatorPrivilege\n"
623 " would revoke the printer admin and disk manager"
624 " rights from the user 'VALE\\biddle'\n"));
625 return 0;
626 }
627
628 return run_rpc_command(c, NULL, &ndr_table_lsarpc.syntax_id, 0,
629 rpc_rights_revoke_internal, argc, argv );
630 }
631
632 /********************************************************************
633 ********************************************************************/
634
635 int net_rpc_rights(struct net_context *c, int argc, const char **argv)
636 {
637 struct functable func[] = {
638 {
639 "list",
640 rpc_rights_list,
641 NET_TRANSPORT_RPC,
642 N_("View available/assigned privileges"),
643 N_("net rpc rights list\n"
644 " View available/assigned privileges")
645 },
646 {
647 "grant",
648 rpc_rights_grant,
649 NET_TRANSPORT_RPC,
650 N_("Assign privilege[s]"),
651 N_("net rpc rights grant\n"
652 " Assign privilege[s]")
653 },
654 {
655 "revoke",
656 rpc_rights_revoke,
657 NET_TRANSPORT_RPC,
658 N_("Revoke privilege[s]"),
659 N_("net rpc rights revoke\n"
660 " Revoke privilege[s]")
661 },
662 {NULL, NULL, 0, NULL, NULL}
663 };
664
665 return net_run_function(c, argc, argv, "net rpc rights", func);
666 }
667
668 static NTSTATUS rpc_sh_rights_list(struct net_context *c,
669 TALLOC_CTX *mem_ctx, struct rpc_sh_ctx *ctx,
670 struct rpc_pipe_client *pipe_hnd,
671 int argc, const char **argv)
672 {
673 return rpc_rights_list_internal(c, ctx->domain_sid, ctx->domain_name,
674 ctx->cli, pipe_hnd, mem_ctx,
675 argc, argv);
676 }
677
678 static NTSTATUS rpc_sh_rights_grant(struct net_context *c,
679 TALLOC_CTX *mem_ctx,
680 struct rpc_sh_ctx *ctx,
681 struct rpc_pipe_client *pipe_hnd,
682 int argc, const char **argv)
683 {
684 return rpc_rights_grant_internal(c, ctx->domain_sid, ctx->domain_name,
685 ctx->cli, pipe_hnd, mem_ctx,
686 argc, argv);
687 }
688
689 static NTSTATUS rpc_sh_rights_revoke(struct net_context *c,
690 TALLOC_CTX *mem_ctx,
691 struct rpc_sh_ctx *ctx,
692 struct rpc_pipe_client *pipe_hnd,
693 int argc, const char **argv)
694 {
695 return rpc_rights_revoke_internal(c, ctx->domain_sid, ctx->domain_name,
696 ctx->cli, pipe_hnd, mem_ctx,
697 argc, argv);
698 }
699
700 struct rpc_sh_cmd *net_rpc_rights_cmds(struct net_context *c, TALLOC_CTX *mem_ctx,
701 struct rpc_sh_ctx *ctx)
702 {
703 static struct rpc_sh_cmd cmds[] = {
704
705 { "list", NULL, &ndr_table_lsarpc.syntax_id, rpc_sh_rights_list,
706 N_("View available or assigned privileges") },
707
708 { "grant", NULL, &ndr_table_lsarpc.syntax_id, rpc_sh_rights_grant,
709 N_("Assign privilege[s]") },
710
711 { "revoke", NULL, &ndr_table_lsarpc.syntax_id, rpc_sh_rights_revoke,
712 N_("Revoke privilege[s]") },
713
714 { NULL, NULL, 0, NULL, NULL }
715 };
716
717 return cmds;
718 }
719
Crístian's Samba branch