diff options
author | Volker Lendecke <vl@samba.org> | 2011-09-15 19:27:07 +0200 |
---|---|---|
committer | Volker Lendecke <vlendec@samba.org> | 2011-09-16 00:08:42 +0200 |
commit | d68ed1b9c603aebadcf986fe776f995e0b7959d1 (patch) | |
tree | 3522ab84073d77c970ce66e6f52917adaf0b2a89 /source3/utils | |
parent | 4117c291387344c94bbda596e4615181793e56b1 (diff) | |
download | samba-d68ed1b9c603aebadcf986fe776f995e0b7959d1.tar.gz samba-d68ed1b9c603aebadcf986fe776f995e0b7959d1.tar.xz samba-d68ed1b9c603aebadcf986fe776f995e0b7959d1.zip |
s3: Make sharesec optionally use sddl
Diffstat (limited to 'source3/utils')
-rw-r--r-- | source3/utils/sharesec.c | 77 |
1 files changed, 76 insertions, 1 deletions
diff --git a/source3/utils/sharesec.c b/source3/utils/sharesec.c index ab52e4727a..641a2ce140 100644 --- a/source3/utils/sharesec.c +++ b/source3/utils/sharesec.c @@ -34,6 +34,8 @@ enum acl_mode { SMB_ACL_DELETE, SMB_ACL_ADD, SMB_ACL_SET, SMB_SD_DELETE, + SMB_SD_SETSDDL, + SMB_SD_VIEWSDDL, SMB_ACL_VIEW }; struct perm_value { @@ -497,6 +499,9 @@ static int change_share_sec(TALLOC_CTX *mem_ctx, const char *sharename, char *th return -1; } return 0; + default: + fprintf(stderr, "invalid command\n"); + return -1; } /* Denied ACE entries must come before allowed ones */ @@ -509,6 +514,53 @@ static int change_share_sec(TALLOC_CTX *mem_ctx, const char *sharename, char *th return 0; } +static int set_sharesec_sddl(const char *sharename, const char *sddl) +{ + struct security_descriptor *sd; + bool ret; + + sd = sddl_decode(talloc_tos(), sddl, get_global_sam_sid()); + if (sd == NULL) { + fprintf(stderr, "Failed to parse acl\n"); + return -1; + } + + ret = set_share_security(sharename, sd); + TALLOC_FREE(sd); + if (!ret) { + fprintf(stderr, "Failed to store acl for share [%s]\n", + sharename); + return -1; + } + + return 0; +} + +static int view_sharesec_sddl(const char *sharename) +{ + struct security_descriptor *sd; + size_t sd_size; + char *acl; + + sd = get_share_security(talloc_tos(), sharename, &sd_size); + if (sd == NULL) { + fprintf(stderr, "Unable to retrieve permissions for share " + "[%s]\n", sharename); + return -1; + } + + acl = sddl_encode(talloc_tos(), sd, get_global_sam_sid()); + TALLOC_FREE(sd); + if (acl == NULL) { + fprintf(stderr, "Unable to sddl-encode permissions for share " + "[%s]\n", sharename); + return -1; + } + printf("%s\n", acl); + TALLOC_FREE(acl); + return 0; +} + /******************************************************************** main program ********************************************************************/ @@ -531,6 +583,10 @@ int main(int argc, const char *argv[]) { "add", 'a', POPT_ARG_STRING, &the_acl, 'a', "Add ACEs", "ACL" }, { "replace", 'R', POPT_ARG_STRING, &the_acl, 'R', "Overwrite share permission ACL", "ACLS" }, { "delete", 'D', POPT_ARG_NONE, NULL, 'D', "Delete the entire security descriptor" }, + { "setsddl", 'S', POPT_ARG_STRING, the_acl, 'S', + "Set the SD in sddl format" }, + { "viewsddl", 'V', POPT_ARG_NONE, the_acl, 'V', + "View the SD in sddl format" }, { "view", 'v', POPT_ARG_NONE, NULL, 'v', "View current share permissions" }, { "machine-sid", 'M', POPT_ARG_NONE, NULL, 'M', "Initialize the machine SID" }, { "force", 'F', POPT_ARG_NONE, NULL, 'F', "Force storing the ACL", "ACLS" }, @@ -580,6 +636,15 @@ int main(int argc, const char *argv[]) mode = SMB_SD_DELETE; break; + case 'S': + mode = SMB_SD_SETSDDL; + the_acl = smb_xstrdup(poptGetOptArg(pc)); + break; + + case 'V': + mode = SMB_SD_VIEWSDDL; + break; + case 'v': mode = SMB_ACL_VIEW; break; @@ -634,7 +699,17 @@ int main(int argc, const char *argv[]) return -1; } - retval = change_share_sec(ctx, sharename, the_acl, mode); + switch (mode) { + case SMB_SD_SETSDDL: + retval = set_sharesec_sddl(sharename, the_acl); + break; + case SMB_SD_VIEWSDDL: + retval = view_sharesec_sddl(sharename); + break; + default: + retval = change_share_sec(ctx, sharename, the_acl, mode); + break; + } talloc_destroy(ctx); |