From 36b48aa783743c86da21f8a896eac0f774fed27a Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Thu, 11 Jul 2019 16:23:53 +0200 Subject: [PATCH] s3:net: add 'net vfs getntacl' command Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Fri Jul 12 22:59:58 UTC 2019 on sn-devel-184 --- docs-xml/manpages/net.8.xml | 20 +++++++ source3/utils/net_vfs.c | 111 ++++++++++++++++++++++++++++++++++++ source3/utils/wscript_build | 1 + 3 files changed, 132 insertions(+) diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml index d7fb1e15b0f..94ea5fd9727 100644 --- a/docs-xml/manpages/net.8.xml +++ b/docs-xml/manpages/net.8.xml @@ -2953,6 +2953,26 @@ Dump the locking table of a certain global lock. + + + vfs getntacl <replaceable>share</replaceable> <replaceable>path</replaceable> + + Display the security descriptor of a file or directory. + + + share + A Samba share. + + + + + path A relative path of something in + the Samba share. "." can be used for the root directory of the + share. + + + + diff --git a/source3/utils/net_vfs.c b/source3/utils/net_vfs.c index 041f98f7a82..e793daa8b9b 100644 --- a/source3/utils/net_vfs.c +++ b/source3/utils/net_vfs.c @@ -30,6 +30,8 @@ #include "smbd/proto.h" #include "locking/proto.h" #include "auth.h" +#include "client.h" +#include "util_sd.h" #include "lib/adouble.h" #include "lib/string_replace.h" #include "utils/net.h" @@ -50,6 +52,13 @@ static void net_vfs_usage(void) "net vfs [OPTIONS] ....\n"); } +static void net_vfs_getntacl_usage(void) +{ + fprintf(stderr, + "Usage:\n" + "net vfs getntacl \n"); +} + static void net_vfs_stream_to_appledouble_usage(void) { fprintf(stderr, 
@@ -188,6 +197,101 @@ done: return rc; } +static int net_vfs_get_ntacl(struct net_context *net, + int argc, + const char **argv) +{ + const char *path = NULL; + struct smb_filename *smb_fname = NULL; + files_struct *fsp = NULL; + struct security_descriptor *sd = NULL; + NTSTATUS status; + int ret; + int rc = 1; + + if (argc < 2 || net->display_usage) { + net_vfs_getntacl_usage(); + goto done; + } + + ret = net_vfs_init(net, argc, argv); + if (ret != 0) { + goto done; + } + + path = argv[1]; + smb_fname = synthetic_smb_fname(state.mem_ctx, path, NULL, NULL, 0); + if (smb_fname == NULL) { + goto done; + } + + ret = SMB_VFS_STAT(state.conn_tos->conn, smb_fname); + if (ret != 0) { + fprintf(stderr, "stat [%s] failed: %s\n", + smb_fname_str_dbg(smb_fname), strerror(errno)); + goto done; + } + + status = SMB_VFS_CREATE_FILE( + state.conn_tos->conn, + NULL, /* req */ + 0, /* root_dir_fid */ + smb_fname, + FILE_READ_ATTRIBUTES|READ_CONTROL_ACCESS, + FILE_SHARE_READ|FILE_SHARE_WRITE, + FILE_OPEN, + 0, /* create_options */ + 0, /* file_attributes */ + INTERNAL_OPEN_ONLY, /* oplock_request */ + NULL, /* lease */ + 0, /* allocation_size */ + 0, /* private_flags */ + NULL, /* sd */ + NULL, /* ea_list */ + &fsp, + NULL, /* info */ + NULL, NULL); /* create context */ + if (!NT_STATUS_IS_OK(status)) { + DBG_ERR("SMB_VFS_CREATE_FILE [%s] failed: %s\n", + smb_fname_str_dbg(smb_fname), nt_errstr(status)); + goto done; + } + + status = SMB_VFS_FGET_NT_ACL(fsp, + SECINFO_OWNER|SECINFO_GROUP|SECINFO_DACL, + fsp, + &sd); + if (!NT_STATUS_IS_OK(status)) { + DBG_ERR("SMB_VFS_FGET_NT_ACL [%s] failed: %s\n", + smb_fname_str_dbg(smb_fname), nt_errstr(status)); + goto done; + } + + status = close_file(NULL, fsp, NORMAL_CLOSE); + if (!NT_STATUS_IS_OK(status)) { + DBG_ERR("close_file [%s] failed: %s\n", + smb_fname_str_dbg(smb_fname), + nt_errstr(status)); + goto done; + } + fsp = NULL; + + sec_desc_print(NULL, stdout, sd, true); + + rc = 0; +done: + if (fsp != NULL) { + status = 
close_file(NULL, fsp, NORMAL_CLOSE); + if (!NT_STATUS_IS_OK(status)) { + DBG_ERR("close_file [%s] failed: %s\n", + smb_fname_str_dbg(smb_fname), + nt_errstr(status)); + rc = 1; + } + } + return rc; +} + static bool do_unfruit(const char *path) { struct smb_filename *smb_fname = NULL; @@ -323,6 +427,13 @@ done: } static struct functable func[] = { + { + "getntacl", + net_vfs_get_ntacl, + NET_TRANSPORT_LOCAL, + N_("Display security descriptor of a file or directory"), + N_("net vfs getntacl [ ...]") + }, { NET_VFS_CMD_STREAM_TO_ADOUBLE, net_vfs_stream_to_appledouble, diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build index 8393ab92b88..b6ff3697ca0 100644 --- a/source3/utils/wscript_build +++ b/source3/utils/wscript_build @@ -229,6 +229,7 @@ bld.SAMBA3_BINARY('net', ../registry/reg_format.c ../registry/reg_import.c net_registry_util.c + ../lib/util_sd.c net_help_common.c''', deps=''' talloc -- 2.34.1
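Review bot: In `net_vfs_get_ntacl`, `sd` is printed after the handle it was allocated on has been closed. The `SMB_VFS_FGET_NT_ACL` call passes `fsp` as its third argument, which to my knowledge is the talloc memory context for the returned descriptor, and `close_file(NULL, fsp, NORMAL_CLOSE)` runs before `sec_desc_print(NULL, stdout, sd, true)`. If close_file frees the fsp, as it normally does, the descriptor is released with it and the print reads freed memory. Allocating on the longer-lived context already used for `smb_fname` removes the ordering dependency: pass `state.mem_ctx,` in place of the second `fsp,` in that call, or move the `sec_desc_print` call above the close.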
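Review bot: The usage text in the new `getntacl` entry of `func[]` ends in `[ ...]`, which advertises a repeatable argument, but `net_vfs_get_ntacl` takes its path from `argv[1]` only and silently ignores anything after it. The manpage hunk and `net_vfs_getntacl_usage()` both describe a single path, so an administrator auditing several files would get one descriptor back and no error for the rest. Either loop over the remaining arguments in the handler or make the table text match the other two, e.g. `N_("net vfs getntacl <share> <path>")`. The angle-bracket placeholders appear to have been lost when this page was rendered, so the exact original wording is inferred. The `func[]` initializer continues outside the hunk.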