search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3: use monotonic clock for time deltas in namequery functions
[Samba/gebeck_regimport.git] / source3 / utils / net_rpc_rights.c
blob5af984ee07ba2f20433e04c1be174e07857a10b6
1 /*
2 Samba Unix/Linux SMB client library
3 Distributed SMB/CIFS Server Management Utility
4 Copyright (C) Gerald (Jerry) Carter 2004
5 Copyright (C) Guenther Deschner 2008
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20 #include "includes.h"
21 #include "utils/net.h"
22 #include "../librpc/gen_ndr/cli_lsa.h"
23 #include "rpc_client/cli_lsarpc.h"
24 #include "rpc_client/init_lsa.h"
25
26 /********************************************************************
27 ********************************************************************/
28
29 static NTSTATUS sid_to_name(struct rpc_pipe_client *pipe_hnd,
30 TALLOC_CTX *mem_ctx,
31 struct dom_sid *sid,
32 fstring name)
33 {
34 struct policy_handle pol;
35 enum lsa_SidType *sid_types = NULL;
36 NTSTATUS result;
37 char **domains = NULL, **names = NULL;
38
39 result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
40 SEC_FLAG_MAXIMUM_ALLOWED, &pol);
41
42 if ( !NT_STATUS_IS_OK(result) )
43 return result;
44
45 result = rpccli_lsa_lookup_sids(pipe_hnd, mem_ctx, &pol, 1, sid, &domains, &names, &sid_types);
46
47 if ( NT_STATUS_IS_OK(result) ) {
48 if ( *domains[0] )
49 fstr_sprintf( name, "%s\\%s", domains[0], names[0] );
50 else
51 fstrcpy( name, names[0] );
52 }
53
54 rpccli_lsa_Close(pipe_hnd, mem_ctx, &pol);
55 return result;
56 }
57
58 /********************************************************************
59 ********************************************************************/
60
61 static NTSTATUS name_to_sid(struct rpc_pipe_client *pipe_hnd,
62 TALLOC_CTX *mem_ctx,
63 struct dom_sid *sid, const char *name)
64 {
65 struct policy_handle pol;
66 enum lsa_SidType *sid_types;
67 NTSTATUS result;
68 struct dom_sid *sids;
69
70 /* maybe its a raw SID */
71 if ( strncmp(name, "S-", 2) == 0 && string_to_sid(sid, name) ) {
72 return NT_STATUS_OK;
73 }
74
75 result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
76 SEC_FLAG_MAXIMUM_ALLOWED, &pol);
77
78 if ( !NT_STATUS_IS_OK(result) )
79 return result;
80
81 result = rpccli_lsa_lookup_names(pipe_hnd, mem_ctx, &pol, 1, &name,
82 NULL, 1, &sids, &sid_types);
83
84 if ( NT_STATUS_IS_OK(result) )
85 sid_copy( sid, &sids[0] );
86
87 rpccli_lsa_Close(pipe_hnd, mem_ctx, &pol);
88 return result;
89 }
90
91 /********************************************************************
92 ********************************************************************/
93
94 static NTSTATUS enum_privileges(struct rpc_pipe_client *pipe_hnd,
95 TALLOC_CTX *ctx,
96 struct policy_handle *pol )
97 {
98 NTSTATUS result;
99 uint32 enum_context = 0;
100 uint32 pref_max_length=0x1000;
101 int i;
102 uint16 lang_id=0;
103 uint16 lang_id_sys=0;
104 uint16 lang_id_desc;
105 struct lsa_StringLarge *description = NULL;
106 struct lsa_PrivArray priv_array;
107
108 result = rpccli_lsa_EnumPrivs(pipe_hnd, ctx,
109 pol,
110 &enum_context,
111 &priv_array,
112 pref_max_length);
113
114 if ( !NT_STATUS_IS_OK(result) )
115 return result;
116
117 /* Print results */
118
119 for (i = 0; i < priv_array.count; i++) {
120
121 struct lsa_String lsa_name;
122
123 d_printf("%30s ",
124 priv_array.privs[i].name.string ? priv_array.privs[i].name.string : "*unknown*" );
125
126 /* try to get the description */
127
128 init_lsa_String(&lsa_name, priv_array.privs[i].name.string);
129
130 result = rpccli_lsa_LookupPrivDisplayName(pipe_hnd, ctx,
131 pol,
132 &lsa_name,
133 lang_id,
134 lang_id_sys,
135 &description,
136 &lang_id_desc);
137
138 if (!NT_STATUS_IS_OK(result)) {
139 d_printf("??????\n");
140 continue;
141 }
142
143 d_printf("%s\n", description->string);
144 }
145
146 return NT_STATUS_OK;
147 }
148
149 /********************************************************************
150 ********************************************************************/
151
152 static NTSTATUS check_privilege_for_user(struct rpc_pipe_client *pipe_hnd,
153 TALLOC_CTX *ctx,
154 struct policy_handle *pol,
155 struct dom_sid *sid,
156 const char *right)
157 {
158 NTSTATUS result;
159 struct lsa_RightSet rights;
160 int i;
161
162 result = rpccli_lsa_EnumAccountRights(pipe_hnd, ctx,
163 pol,
164 sid,
165 &rights);
166
167 if (!NT_STATUS_IS_OK(result)) {
168 return result;
169 }
170
171 if (rights.count == 0) {
172 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
173 }
174
175 for (i = 0; i < rights.count; i++) {
176 if (StrCaseCmp(rights.names[i].string, right) == 0) {
177 return NT_STATUS_OK;
178 }
179 }
180
181 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
182 }
183
184 /********************************************************************
185 ********************************************************************/
186
187 static NTSTATUS enum_privileges_for_user(struct rpc_pipe_client *pipe_hnd,
188 TALLOC_CTX *ctx,
189 struct policy_handle *pol,
190 struct dom_sid *sid )
191 {
192 NTSTATUS result;
193 struct lsa_RightSet rights;
194 int i;
195
196 result = rpccli_lsa_EnumAccountRights(pipe_hnd, ctx,
197 pol,
198 sid,
199 &rights);
200
201 if (!NT_STATUS_IS_OK(result))
202 return result;
203
204 if (rights.count == 0) {
205 d_printf(_("No privileges assigned\n"));
206 }
207
208 for (i = 0; i < rights.count; i++) {
209 printf("%s\n", rights.names[i].string);
210 }
211
212 return NT_STATUS_OK;
213 }
214
215 /********************************************************************
216 ********************************************************************/
217
218 static NTSTATUS enum_accounts_for_privilege(struct rpc_pipe_client *pipe_hnd,
219 TALLOC_CTX *ctx,
220 struct policy_handle *pol,
221 const char *privilege)
222 {
223 NTSTATUS result;
224 uint32 enum_context=0;
225 uint32 pref_max_length=0x1000;
226 struct lsa_SidArray sid_array;
227 int i;
228 fstring name;
229
230 result = rpccli_lsa_EnumAccounts(pipe_hnd, ctx,
231 pol,
232 &enum_context,
233 &sid_array,
234 pref_max_length);
235
236 if (!NT_STATUS_IS_OK(result))
237 return result;
238
239 d_printf("%s:\n", privilege);
240
241 for ( i=0; i<sid_array.num_sids; i++ ) {
242
243 result = check_privilege_for_user(pipe_hnd, ctx, pol,
244 sid_array.sids[i].sid,
245 privilege);
246
247 if ( ! NT_STATUS_IS_OK(result)) {
248 if ( ! NT_STATUS_EQUAL(result, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
249 return result;
250 }
251 continue;
252 }
253
254 /* try to convert the SID to a name. Fall back to
255 printing the raw SID if necessary */
256 result = sid_to_name( pipe_hnd, ctx, sid_array.sids[i].sid, name );
257 if ( !NT_STATUS_IS_OK (result) )
258 sid_to_fstring(name, sid_array.sids[i].sid);
259
260 d_printf(" %s\n", name);
261 }
262
263 return NT_STATUS_OK;
264 }
265
266 /********************************************************************
267 ********************************************************************/
268
269 static NTSTATUS enum_privileges_for_accounts(struct rpc_pipe_client *pipe_hnd,
270 TALLOC_CTX *ctx,
271 struct policy_handle *pol)
272 {
273 NTSTATUS result;
274 uint32 enum_context=0;
275 uint32 pref_max_length=0x1000;
276 struct lsa_SidArray sid_array;
277 int i;
278 fstring name;
279
280 result = rpccli_lsa_EnumAccounts(pipe_hnd, ctx,
281 pol,
282 &enum_context,
283 &sid_array,
284 pref_max_length);
285
286 if (!NT_STATUS_IS_OK(result))
287 return result;
288
289 for ( i=0; i<sid_array.num_sids; i++ ) {
290
291 /* try to convert the SID to a name. Fall back to
292 printing the raw SID if necessary */
293
294 result = sid_to_name(pipe_hnd, ctx, sid_array.sids[i].sid, name);
295 if ( !NT_STATUS_IS_OK (result) )
296 sid_to_fstring(name, sid_array.sids[i].sid);
297
298 d_printf("%s\n", name);
299
300 result = enum_privileges_for_user(pipe_hnd, ctx, pol,
301 sid_array.sids[i].sid);
302 if ( !NT_STATUS_IS_OK(result) )
303 return result;
304
305 d_printf("\n");
306 }
307
308 return NT_STATUS_OK;
309 }
310
311 /********************************************************************
312 ********************************************************************/
313
314 static NTSTATUS rpc_rights_list_internal(struct net_context *c,
315 const struct dom_sid *domain_sid,
316 const char *domain_name,
317 struct cli_state *cli,
318 struct rpc_pipe_client *pipe_hnd,
319 TALLOC_CTX *mem_ctx,
320 int argc,
321 const char **argv )
322 {
323 struct policy_handle pol;
324 NTSTATUS result;
325 struct dom_sid sid;
326 fstring privname;
327 struct lsa_String lsa_name;
328 struct lsa_StringLarge *description = NULL;
329 uint16 lang_id = 0;
330 uint16 lang_id_sys = 0;
331 uint16 lang_id_desc;
332
333 result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
334 SEC_FLAG_MAXIMUM_ALLOWED, &pol);
335
336 if ( !NT_STATUS_IS_OK(result) )
337 return result;
338
339 /* backwards compatibility; just list available privileges if no arguement */
340
341 if (argc == 0) {
342 result = enum_privileges(pipe_hnd, mem_ctx, &pol );
343 goto done;
344 }
345
346 if (strequal(argv[0], "privileges")) {
347 int i = 1;
348
349 if (argv[1] == NULL) {
350 result = enum_privileges(pipe_hnd, mem_ctx, &pol );
351 goto done;
352 }
353
354 while ( argv[i] != NULL ) {
355 fstrcpy(privname, argv[i]);
356 init_lsa_String(&lsa_name, argv[i]);
357 i++;
358
359 /* verify that this is a valid privilege for error reporting */
360 result = rpccli_lsa_LookupPrivDisplayName(pipe_hnd, mem_ctx,
361 &pol,
362 &lsa_name,
363 lang_id,
364 lang_id_sys,
365 &description,
366 &lang_id_desc);
367
368 if ( !NT_STATUS_IS_OK(result) ) {
369 if ( NT_STATUS_EQUAL( result, NT_STATUS_NO_SUCH_PRIVILEGE ) )
370 d_fprintf(stderr, _("No such privilege "
371 "exists: %s.\n"), privname);
372 else
373 d_fprintf(stderr, _("Error resolving "
374 "privilege display name "
375 "[%s].\n"),
376 nt_errstr(result));
377 continue;
378 }
379
380 result = enum_accounts_for_privilege(pipe_hnd, mem_ctx, &pol, privname);
381 if (!NT_STATUS_IS_OK(result)) {
382 d_fprintf(stderr, _("Error enumerating "
383 "accounts for privilege %s [%s].\n"),
384 privname, nt_errstr(result));
385 continue;
386 }
387 }
388 goto done;
389 }
390
391 /* special case to enumerate all privileged SIDs with associated rights */
392
393 if (strequal( argv[0], "accounts")) {
394 int i = 1;
395
396 if (argv[1] == NULL) {
397 result = enum_privileges_for_accounts(pipe_hnd, mem_ctx, &pol);
398 goto done;
399 }
400
401 while (argv[i] != NULL) {
402 result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[i]);
403 if (!NT_STATUS_IS_OK(result)) {
404 goto done;
405 }
406 result = enum_privileges_for_user(pipe_hnd, mem_ctx, &pol, &sid);
407 if (!NT_STATUS_IS_OK(result)) {
408 goto done;
409 }
410 i++;
411 }
412 goto done;
413 }
414
415 /* backward comaptibility: if no keyword provided, treat the key
416 as an account name */
417 if (argc > 1) {
418 d_printf("%s net rpc rights list [[accounts|privileges] "
419 "[name|SID]]\n", _("Usage:"));
420 result = NT_STATUS_OK;
421 goto done;
422 }
423
424 result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
425 if (!NT_STATUS_IS_OK(result)) {
426 goto done;
427 }
428 result = enum_privileges_for_user(pipe_hnd, mem_ctx, &pol, &sid );
429
430 done:
431 rpccli_lsa_Close(pipe_hnd, mem_ctx, &pol);
432
433 return result;
434 }
435
436 /********************************************************************
437 ********************************************************************/
438
439 static NTSTATUS rpc_rights_grant_internal(struct net_context *c,
440 const struct dom_sid *domain_sid,
441 const char *domain_name,
442 struct cli_state *cli,
443 struct rpc_pipe_client *pipe_hnd,
444 TALLOC_CTX *mem_ctx,
445 int argc,
446 const char **argv )
447 {
448 struct policy_handle dom_pol;
449 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
450 struct lsa_RightSet rights;
451 int i;
452
453 struct dom_sid sid;
454
455 if (argc < 2 ) {
456 d_printf("%s\n%s",
457 _("Usage:"),
458 _(" net rpc rights grant <name|SID> <rights...>\n"));
459 return NT_STATUS_OK;
460 }
461
462 result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
463 if (NT_STATUS_EQUAL(result, NT_STATUS_NONE_MAPPED))
464 result = NT_STATUS_NO_SUCH_USER;
465
466 if (!NT_STATUS_IS_OK(result))
467 goto done;
468
469 result = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, true,
470 SEC_FLAG_MAXIMUM_ALLOWED,
471 &dom_pol);
472
473 if (!NT_STATUS_IS_OK(result))
474 return result;
475
476 rights.count = argc-1;
477 rights.names = TALLOC_ARRAY(mem_ctx, struct lsa_StringLarge,
478 rights.count);
479 if (!rights.names) {
480 return NT_STATUS_NO_MEMORY;
481 }
482
483 for (i=0; i<argc-1; i++) {
484 init_lsa_StringLarge(&rights.names[i], argv[i+1]);
485 }
486
487 result = rpccli_lsa_AddAccountRights(pipe_hnd, mem_ctx,
488 &dom_pol,
489 &sid,
490 &rights);
491
492 if (!NT_STATUS_IS_OK(result))
493 goto done;
494
495 d_printf(_("Successfully granted rights.\n"));
496
497 done:
498 if ( !NT_STATUS_IS_OK(result) ) {
499 d_fprintf(stderr, _("Failed to grant privileges for %s (%s)\n"),
500 argv[0], nt_errstr(result));
501 }
502
503 rpccli_lsa_Close(pipe_hnd, mem_ctx, &dom_pol);
504
505 return result;
506 }
507
508 /********************************************************************
509 ********************************************************************/
510
511 static NTSTATUS rpc_rights_revoke_internal(struct net_context *c,
512 const struct dom_sid *domain_sid,
513 const char *domain_name,
514 struct cli_state *cli,
515 struct rpc_pipe_client *pipe_hnd,
516 TALLOC_CTX *mem_ctx,
517 int argc,
518 const char **argv )
519 {
520 struct policy_handle dom_pol;
521 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
522 struct lsa_RightSet rights;
523 struct dom_sid sid;
524 int i;
525
526 if (argc < 2 ) {
527 d_printf("%s\n%s",
528 _("Usage:"),
529 _(" net rpc rights revoke <name|SID> <rights...>\n"));
530 return NT_STATUS_OK;
531 }
532
533 result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
534 if (!NT_STATUS_IS_OK(result))
535 return result;
536
537 result = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, true,
538 SEC_FLAG_MAXIMUM_ALLOWED,
539 &dom_pol);
540
541 if (!NT_STATUS_IS_OK(result))
542 return result;
543
544 rights.count = argc-1;
545 rights.names = TALLOC_ARRAY(mem_ctx, struct lsa_StringLarge,
546 rights.count);
547 if (!rights.names) {
548 return NT_STATUS_NO_MEMORY;
549 }
550
551 for (i=0; i<argc-1; i++) {
552 init_lsa_StringLarge(&rights.names[i], argv[i+1]);
553 }
554
555 result = rpccli_lsa_RemoveAccountRights(pipe_hnd, mem_ctx,
556 &dom_pol,
557 &sid,
558 false,
559 &rights);
560
561 if (!NT_STATUS_IS_OK(result))
562 goto done;
563
564 d_printf(_("Successfully revoked rights.\n"));
565
566 done:
567 if ( !NT_STATUS_IS_OK(result) ) {
568 d_fprintf(stderr,_("Failed to revoke privileges for %s (%s)\n"),
569 argv[0], nt_errstr(result));
570 }
571
572 rpccli_lsa_Close(pipe_hnd, mem_ctx, &dom_pol);
573
574 return result;
575 }
576
577
578 /********************************************************************
579 ********************************************************************/
580
581 static int rpc_rights_list(struct net_context *c, int argc, const char **argv )
582 {
583 if (c->display_usage) {
584 d_printf("%s\n%s",
585 _("Usage:"),
586 _("net rpc rights list [{accounts|privileges} "
587 "[name|SID]]\n"
588 " View available/assigned privileges\n"));
589 return 0;
590 }
591
592 return run_rpc_command(c, NULL, &ndr_table_lsarpc.syntax_id, 0,
593 rpc_rights_list_internal, argc, argv );
594 }
595
596 /********************************************************************
597 ********************************************************************/
598
599 static int rpc_rights_grant(struct net_context *c, int argc, const char **argv )
600 {
601 if (c->display_usage) {
602 d_printf("%s\n%s",
603 _("Usage:"),
604 _("net rpc rights grant <name|SID> <right>\n"
605 " Assign privilege[s]\n"));
606 d_printf(_("For example:\n"
607 " net rpc rights grant 'VALE\\biddle' "
608 "SePrintOperatorPrivilege SeDiskOperatorPrivilege\n"
609 " would grant the printer admin and disk manager "
610 "rights to the user 'VALE\\biddle'\n"));
611 return 0;
612 }
613
614 return run_rpc_command(c, NULL, &ndr_table_lsarpc.syntax_id, 0,
615 rpc_rights_grant_internal, argc, argv );
616 }
617
618 /********************************************************************
619 ********************************************************************/
620
621 static int rpc_rights_revoke(struct net_context *c, int argc, const char **argv)
622 {
623 if (c->display_usage) {
624 d_printf("%s\n%s",
625 _("Usage:"),
626 _("net rpc rights revoke <name|SID> <right>\n"
627 " Revoke privilege[s]\n"));
628 d_printf(_("For example:\n"
629 " net rpc rights revoke 'VALE\\biddle' "
630 "SePrintOperatorPrivilege SeDiskOperatorPrivilege\n"
631 " would revoke the printer admin and disk manager"
632 " rights from the user 'VALE\\biddle'\n"));
633 return 0;
634 }
635
636 return run_rpc_command(c, NULL, &ndr_table_lsarpc.syntax_id, 0,
637 rpc_rights_revoke_internal, argc, argv );
638 }
639
640 /********************************************************************
641 ********************************************************************/
642
643 int net_rpc_rights(struct net_context *c, int argc, const char **argv)
644 {
645 struct functable func[] = {
646 {
647 "list",
648 rpc_rights_list,
649 NET_TRANSPORT_RPC,
650 N_("View available/assigned privileges"),
651 N_("net rpc rights list\n"
652 " View available/assigned privileges")
653 },
654 {
655 "grant",
656 rpc_rights_grant,
657 NET_TRANSPORT_RPC,
658 N_("Assign privilege[s]"),
659 N_("net rpc rights grant\n"
660 " Assign privilege[s]")
661 },
662 {
663 "revoke",
664 rpc_rights_revoke,
665 NET_TRANSPORT_RPC,
666 N_("Revoke privilege[s]"),
667 N_("net rpc rights revoke\n"
668 " Revoke privilege[s]")
669 },
670 {NULL, NULL, 0, NULL, NULL}
671 };
672
673 return net_run_function(c, argc, argv, "net rpc rights", func);
674 }
675
676 static NTSTATUS rpc_sh_rights_list(struct net_context *c,
677 TALLOC_CTX *mem_ctx, struct rpc_sh_ctx *ctx,
678 struct rpc_pipe_client *pipe_hnd,
679 int argc, const char **argv)
680 {
681 return rpc_rights_list_internal(c, ctx->domain_sid, ctx->domain_name,
682 ctx->cli, pipe_hnd, mem_ctx,
683 argc, argv);
684 }
685
686 static NTSTATUS rpc_sh_rights_grant(struct net_context *c,
687 TALLOC_CTX *mem_ctx,
688 struct rpc_sh_ctx *ctx,
689 struct rpc_pipe_client *pipe_hnd,
690 int argc, const char **argv)
691 {
692 return rpc_rights_grant_internal(c, ctx->domain_sid, ctx->domain_name,
693 ctx->cli, pipe_hnd, mem_ctx,
694 argc, argv);
695 }
696
697 static NTSTATUS rpc_sh_rights_revoke(struct net_context *c,
698 TALLOC_CTX *mem_ctx,
699 struct rpc_sh_ctx *ctx,
700 struct rpc_pipe_client *pipe_hnd,
701 int argc, const char **argv)
702 {
703 return rpc_rights_revoke_internal(c, ctx->domain_sid, ctx->domain_name,
704 ctx->cli, pipe_hnd, mem_ctx,
705 argc, argv);
706 }
707
708 struct rpc_sh_cmd *net_rpc_rights_cmds(struct net_context *c, TALLOC_CTX *mem_ctx,
709 struct rpc_sh_ctx *ctx)
710 {
711 static struct rpc_sh_cmd cmds[] = {
712
713 { "list", NULL, &ndr_table_lsarpc.syntax_id, rpc_sh_rights_list,
714 N_("View available or assigned privileges") },
715
716 { "grant", NULL, &ndr_table_lsarpc.syntax_id, rpc_sh_rights_grant,
717 N_("Assign privilege[s]") },
718
719 { "revoke", NULL, &ndr_table_lsarpc.syntax_id, rpc_sh_rights_revoke,
720 N_("Revoke privilege[s]") },
721
722 { NULL, NULL, 0, NULL, NULL }
723 };
724
725 return cmds;
726 }
727
reg import