2 Unix SMB/CIFS implementation.
5 Copyright (C) Andrew Tridgell 2000
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Jeremy Allison 2000
8 Copyright (C) Jelmer Vernooij 2003
9 Copyright (C) Noel Power <noel.power@suse.com> 2013
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "lib/cmdline/cmdline.h"
27 #include "rpc_client/cli_pipe.h"
28 #include "../librpc/gen_ndr/ndr_lsa.h"
29 #include "rpc_client/cli_lsarpc.h"
30 #include "../libcli/security/security.h"
31 #include "libsmb/libsmb.h"
32 #include "libsmb/clirap.h"
33 #include "passdb/machine_sid.h"
34 #include "../librpc/gen_ndr/ndr_lsa_c.h"
36 #include "lib/param/param.h"
38 static char DIRSEP_CHAR = '\\';
40 static int inheritance = 0;
41 static const char *save_file = NULL;
42 static const char *restore_file = NULL;
46 static int query_sec_info = -1;
47 static int set_sec_info = -1;
48 static bool want_mxac;
50 static const char *domain_sid = NULL;
52 enum acl_mode {SMB_ACL_SET, SMB_ACL_DELETE, SMB_ACL_MODIFY, SMB_ACL_ADD };
53 enum chown_mode {REQUEST_NONE, REQUEST_CHOWN, REQUEST_CHGRP, REQUEST_INHERIT};
54 enum exit_values {EXIT_OK, EXIT_FAILED, EXIT_PARSE_ERROR};
56 struct cacl_callback_state {
57 struct cli_credentials *creds;
58 struct cli_state *cli;
59 struct security_descriptor *aclsd;
60 struct security_acl *acl_to_add;
63 bool acl_no_propagate;
67 static NTSTATUS cli_lsa_lookup_domain_sid(struct cli_state *cli,
70 union lsa_PolicyInformation *info = NULL;
71 struct smbXcli_tcon *orig_tcon = NULL;
72 char *orig_share = NULL;
73 struct rpc_pipe_client *rpc_pipe = NULL;
74 struct policy_handle handle;
75 NTSTATUS status, result;
76 TALLOC_CTX *frame = talloc_stackframe();
78 if (cli_state_has_tcon(cli)) {
79 cli_state_save_tcon_share(cli, &orig_tcon, &orig_share);
82 status = cli_tree_connect(cli, "IPC$", "?????", NULL);
83 if (!NT_STATUS_IS_OK(status)) {
87 status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc, &rpc_pipe);
88 if (!NT_STATUS_IS_OK(status)) {
92 status = rpccli_lsa_open_policy(rpc_pipe, frame, True,
93 GENERIC_EXECUTE_ACCESS, &handle);
94 if (!NT_STATUS_IS_OK(status)) {
98 status = dcerpc_lsa_QueryInfoPolicy2(rpc_pipe->binding_handle,
100 LSA_POLICY_INFO_DOMAIN,
103 if (any_nt_status_not_ok(status, result, &status)) {
107 *sid = *info->domain.sid;
110 TALLOC_FREE(rpc_pipe);
113 cli_state_restore_tcon_share(cli, orig_tcon, orig_share);
118 static struct dom_sid *get_domain_sid(struct cli_state *cli)
121 struct dom_sid_buf buf;
123 struct dom_sid *sid = talloc(talloc_tos(), struct dom_sid);
125 DEBUG(0, ("Out of memory\n"));
130 if (!dom_sid_parse(domain_sid, sid)) {
131 DEBUG(0,("failed to parse domain sid\n"));
135 status = cli_lsa_lookup_domain_sid(cli, sid);
137 if (!NT_STATUS_IS_OK(status)) {
138 DEBUG(0,("failed to lookup domain sid: %s\n", nt_errstr(status)));
144 DEBUG(2,("Domain SID: %s\n", dom_sid_str_buf(sid, &buf)));
148 /* add an ACE to a list of ACEs in a struct security_acl */
149 static bool add_ace_with_ctx(TALLOC_CTX *ctx, struct security_acl **the_acl,
150 const struct security_ace *ace)
153 struct security_acl *acl = *the_acl;
156 acl = make_sec_acl(ctx, 3, 0, NULL);
162 if (acl->num_aces == UINT32_MAX) {
166 acl, struct security_ace, *ace, &acl->aces, &acl->num_aces);
171 static bool add_ace(struct security_acl **the_acl, struct security_ace *ace)
173 return add_ace_with_ctx(talloc_tos(), the_acl, ace);
176 /* parse a ascii version of a security descriptor */
177 static struct security_descriptor *sec_desc_parse(TALLOC_CTX *ctx, struct cli_state *cli, char *str)
181 struct security_descriptor *ret = NULL;
183 struct dom_sid owner_sid = { .num_auths = 0 };
184 bool have_owner = false;
185 struct dom_sid group_sid = { .num_auths = 0 };
186 bool have_group = false;
187 struct security_acl *dacl=NULL;
190 while (next_token_talloc(ctx, &p, &tok, "\t,\r\n")) {
191 if (strncmp(tok,"REVISION:", 9) == 0) {
192 revision = strtol(tok+9, NULL, 16);
196 if (strncmp(tok,"OWNER:", 6) == 0) {
198 printf("Only specify owner once\n");
201 if (!StringToSid(cli, &owner_sid, tok+6)) {
202 printf("Failed to parse owner sid\n");
209 if (strncmp(tok,"GROUP:", 6) == 0) {
211 printf("Only specify group once\n");
214 if (!StringToSid(cli, &group_sid, tok+6)) {
215 printf("Failed to parse group sid\n");
222 if (strncmp(tok,"ACL:", 4) == 0) {
223 struct security_ace ace;
224 if (!parse_ace(cli, &ace, tok+4)) {
227 if(!add_ace(&dacl, &ace)) {
228 printf("Failed to add ACL %s\n", tok);
234 printf("Failed to parse token '%s' in security descriptor,\n", tok);
241 SEC_DESC_SELF_RELATIVE,
242 have_owner ? &owner_sid : NULL,
243 have_group ? &group_sid : NULL,
252 /*****************************************************
253 get fileinfo for filename
254 *******************************************************/
255 static uint16_t get_fileinfo(struct cli_state *cli, const char *filename)
257 uint16_t fnum = (uint16_t)-1;
259 struct smb_create_returns cr = {0};
261 /* The desired access below is the only one I could find that works
262 with NT4, W2KP and Samba */
264 status = cli_ntcreate(
266 filename, /* fname */
268 READ_CONTROL_ACCESS, /* CreatFlags */
269 0, /* FileAttributes */
271 FILE_SHARE_WRITE, /* ShareAccess */
272 FILE_OPEN, /* CreateDisposition */
273 0x0, /* CreateOptions */
274 0x0, /* SecurityFlags */
277 if (!NT_STATUS_IS_OK(status)) {
278 printf("Failed to open %s: %s\n", filename, nt_errstr(status));
282 cli_close(cli, fnum);
283 return cr.file_attributes;
286 /*****************************************************
287 get sec desc for filename
288 *******************************************************/
289 static struct security_descriptor *get_secdesc_with_ctx(TALLOC_CTX *ctx,
290 struct cli_state *cli,
291 const char *filename)
293 uint16_t fnum = (uint16_t)-1;
294 struct security_descriptor *sd;
297 uint32_t desired_access = 0;
299 if (query_sec_info == -1) {
300 sec_info = SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL;
302 sec_info = query_sec_info;
305 if (sec_info & (SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL)) {
306 desired_access |= SEC_STD_READ_CONTROL;
308 if (sec_info & SECINFO_SACL) {
309 desired_access |= SEC_FLAG_SYSTEM_SECURITY;
312 if (desired_access == 0) {
313 desired_access |= SEC_STD_READ_CONTROL;
316 status = cli_ntcreate(cli, filename, 0, desired_access,
317 0, FILE_SHARE_READ|FILE_SHARE_WRITE,
318 FILE_OPEN, 0x0, 0x0, &fnum, NULL);
319 if (!NT_STATUS_IS_OK(status)) {
320 printf("Failed to open %s: %s\n", filename, nt_errstr(status));
324 status = cli_query_security_descriptor(cli, fnum, sec_info,
327 cli_close(cli, fnum);
329 if (!NT_STATUS_IS_OK(status)) {
330 printf("Failed to get security descriptor: %s\n",
337 static struct security_descriptor *get_secdesc(struct cli_state *cli,
338 const char *filename)
340 return get_secdesc_with_ctx(talloc_tos(), cli, filename);
342 /*****************************************************
343 set sec desc for filename
344 *******************************************************/
345 static bool set_secdesc(struct cli_state *cli, const char *filename,
346 struct security_descriptor *sd)
348 uint16_t fnum = (uint16_t)-1;
351 uint32_t desired_access = 0;
354 if (set_sec_info == -1) {
357 if (sd->dacl || (sd->type & SEC_DESC_DACL_PRESENT)) {
358 sec_info |= SECINFO_DACL;
360 if (sd->sacl || (sd->type & SEC_DESC_SACL_PRESENT)) {
361 sec_info |= SECINFO_SACL;
364 sec_info |= SECINFO_OWNER;
367 sec_info |= SECINFO_GROUP;
370 sec_info = set_sec_info;
373 /* Make the desired_access more specific. */
374 if (sec_info & SECINFO_DACL) {
375 desired_access |= SEC_STD_WRITE_DAC;
377 if (sec_info & SECINFO_SACL) {
378 desired_access |= SEC_FLAG_SYSTEM_SECURITY;
380 if (sec_info & (SECINFO_OWNER | SECINFO_GROUP)) {
381 desired_access |= SEC_STD_WRITE_OWNER;
384 status = cli_ntcreate(cli, filename, 0,
386 0, FILE_SHARE_READ|FILE_SHARE_WRITE,
387 FILE_OPEN, 0x0, 0x0, &fnum, NULL);
388 if (!NT_STATUS_IS_OK(status)) {
389 printf("Failed to open %s: %s\n", filename, nt_errstr(status));
393 status = cli_set_security_descriptor(cli, fnum, sec_info, sd);
394 if (!NT_STATUS_IS_OK(status)) {
395 printf("ERROR: security descriptor set failed: %s\n",
400 cli_close(cli, fnum);
404 /*****************************************************
405 get maximum access for a file
406 *******************************************************/
407 static int cacl_mxac(struct cli_state *cli, const char *filename)
412 status = cli_query_mxac(cli, filename, &mxac);
413 if (!NT_STATUS_IS_OK(status)) {
414 printf("Failed to get mxac: %s\n", nt_errstr(status));
418 printf("Maximum access: 0x%x\n", mxac);
424 /*****************************************************
425 dump the acls for a file
426 *******************************************************/
427 static int cacl_dump(struct cli_state *cli, const char *filename, bool numeric)
429 struct security_descriptor *sd;
436 sd = get_secdesc(cli, filename);
442 char *str = sddl_encode(talloc_tos(), sd, get_domain_sid(cli));
449 sec_desc_print(cli, stdout, sd, numeric);
453 ret = cacl_mxac(cli, filename);
454 if (ret != EXIT_OK) {
462 /*****************************************************
463 Change the ownership or group ownership of a file. Just
464 because the NT docs say this can't be done :-). JRA.
465 *******************************************************/
467 static int owner_set(struct cli_state *cli, enum chown_mode change_mode,
468 const char *filename, const char *new_username)
471 struct security_descriptor *sd;
474 if (!StringToSid(cli, &sid, new_username))
475 return EXIT_PARSE_ERROR;
477 sd = make_sec_desc(talloc_tos(),
478 SECURITY_DESCRIPTOR_REVISION_1,
479 SEC_DESC_SELF_RELATIVE,
480 (change_mode == REQUEST_CHOWN) ? &sid : NULL,
481 (change_mode == REQUEST_CHGRP) ? &sid : NULL,
482 NULL, NULL, &sd_size);
484 if (!set_secdesc(cli, filename, sd)) {
492 /* The MSDN is contradictory over the ordering of ACE entries in an
493 ACL. However NT4 gives a "The information may have been modified
494 by a computer running Windows NT 5.0" if denied ACEs do not appear
495 before allowed ACEs. At
496 http://technet.microsoft.com/en-us/library/cc781716.aspx the
497 canonical order is specified as "Explicit Deny, Explicit Allow,
498 Inherited ACEs unchanged" */
500 static int ace_compare(struct security_ace *ace1, struct security_ace *ace2)
502 if (security_ace_equal(ace1, ace2))
505 if ((ace1->flags & SEC_ACE_FLAG_INHERITED_ACE) &&
506 !(ace2->flags & SEC_ACE_FLAG_INHERITED_ACE))
508 if (!(ace1->flags & SEC_ACE_FLAG_INHERITED_ACE) &&
509 (ace2->flags & SEC_ACE_FLAG_INHERITED_ACE))
511 if ((ace1->flags & SEC_ACE_FLAG_INHERITED_ACE) &&
512 (ace2->flags & SEC_ACE_FLAG_INHERITED_ACE))
513 return NUMERIC_CMP(ace1, ace2);
515 if (ace1->type != ace2->type) {
516 /* note the reverse order */
517 return NUMERIC_CMP(ace2->type, ace1->type);
519 if (dom_sid_compare(&ace1->trustee, &ace2->trustee))
520 return dom_sid_compare(&ace1->trustee, &ace2->trustee);
522 if (ace1->flags != ace2->flags)
523 return NUMERIC_CMP(ace1->flags, ace2->flags);
525 if (ace1->access_mask != ace2->access_mask)
526 return NUMERIC_CMP(ace1->access_mask, ace2->access_mask);
528 if (ace1->size != ace2->size)
529 return NUMERIC_CMP(ace1->size, ace2->size);
531 return memcmp(ace1, ace2, sizeof(struct security_ace));
534 static void sort_acl(struct security_acl *the_acl)
537 if (!the_acl) return;
539 TYPESAFE_QSORT(the_acl->aces, the_acl->num_aces, ace_compare);
541 for (i=1;i<the_acl->num_aces;) {
542 if (security_ace_equal(&the_acl->aces[i-1],
543 &the_acl->aces[i])) {
545 the_acl->aces, i, the_acl->num_aces);
553 /*****************************************************
554 set the ACLs on a file given a security descriptor
555 *******************************************************/
557 static int cacl_set_from_sd(struct cli_state *cli, const char *filename,
558 struct security_descriptor *sd, enum acl_mode mode,
561 struct security_descriptor *old = NULL;
564 int result = EXIT_OK;
566 if (!sd) return EXIT_PARSE_ERROR;
567 if (test_args) return EXIT_OK;
569 if (mode != SMB_ACL_SET) {
571 * Do not fetch old ACL when it will be overwritten
572 * completely with a new one.
574 old = get_secdesc(cli, filename);
581 /* the logic here is rather more complex than I would like */
584 for (i=0;sd->dacl && i<sd->dacl->num_aces;i++) {
587 for (j=0;old->dacl && j<old->dacl->num_aces;j++) {
588 if (security_ace_equal(&sd->dacl->aces[i],
589 &old->dacl->aces[j])) {
591 for (k=j; k<old->dacl->num_aces-1;k++) {
592 old->dacl->aces[k] = old->dacl->aces[k+1];
594 old->dacl->num_aces--;
601 printf("ACL for ACE:");
602 print_ace(cli, stdout, &sd->dacl->aces[i],
604 printf(" not found\n");
610 for (i=0;sd->dacl && i<sd->dacl->num_aces;i++) {
613 for (j=0;old->dacl && j<old->dacl->num_aces;j++) {
614 if (dom_sid_equal(&sd->dacl->aces[i].trustee,
615 &old->dacl->aces[j].trustee)) {
616 old->dacl->aces[j] = sd->dacl->aces[i];
624 SidToString(cli, str,
625 &sd->dacl->aces[i].trustee,
627 printf("ACL for SID %s not found\n", str);
632 old->owner_sid = sd->owner_sid;
636 old->group_sid = sd->group_sid;
642 for (i=0;sd->dacl && i<sd->dacl->num_aces;i++) {
643 add_ace(&old->dacl, &sd->dacl->aces[i]);
652 /* Denied ACE entries must come before allowed ones */
655 /* Create new security descriptor and set it */
657 /* We used to just have "WRITE_DAC_ACCESS" without WRITE_OWNER.
658 But if we're sending an owner, even if it's the same as the one
659 that already exists then W2K3 insists we open with WRITE_OWNER access.
660 I need to check that setting a SD with no owner set works against WNT
664 sd = make_sec_desc(talloc_tos(),old->revision, old->type,
665 old->owner_sid, old->group_sid,
666 NULL, old->dacl, &sd_size);
668 if (!set_secdesc(cli, filename, sd)) {
669 result = EXIT_FAILED;
675 /*****************************************************
676 set the ACLs on a file given an ascii description
677 *******************************************************/
679 static int cacl_set(struct cli_state *cli, const char *filename,
680 char *the_acl, enum acl_mode mode, bool numeric)
682 struct security_descriptor *sd = NULL;
685 const char *msg = NULL;
686 size_t msg_offset = 0;
687 enum ace_condition_flags flags =
688 ACE_CONDITION_FLAG_ALLOW_DEVICE;
689 sd = sddl_decode_err_msg(talloc_tos(),
696 DBG_ERR("could not decode '%s'\n", the_acl);
699 (int)msg_offset, '^');
700 DBG_ERR("error '%s'\n", msg);
704 sd = sec_desc_parse(talloc_tos(), cli, the_acl);
708 return EXIT_PARSE_ERROR;
713 return cacl_set_from_sd(cli, filename, sd, mode, numeric);
716 /*****************************************************
717 set the inherit on a file
718 *******************************************************/
719 static int inherit(struct cli_state *cli, const char *filename,
722 struct security_descriptor *old,*sd;
725 int result = EXIT_OK;
727 old = get_secdesc(cli, filename);
733 oldattr = get_fileinfo(cli,filename);
735 if (strcmp(type,"allow")==0) {
736 if ((old->type & SEC_DESC_DACL_PROTECTED) ==
737 SEC_DESC_DACL_PROTECTED) {
739 char *parentname,*temp;
740 struct security_descriptor *parent;
741 temp = talloc_strdup(talloc_tos(), filename);
743 old->type=old->type & (~SEC_DESC_DACL_PROTECTED);
745 /* look at parent and copy in all its inheritable ACL's. */
746 string_replace(temp, '\\', '/');
747 if (!parent_dirname(talloc_tos(),temp,&parentname,NULL)) {
750 string_replace(parentname, '/', '\\');
751 parent = get_secdesc(cli,parentname);
752 if (parent == NULL) {
755 for (i=0;i<parent->dacl->num_aces;i++) {
756 struct security_ace *ace=&parent->dacl->aces[i];
757 /* Add inherited flag to all aces */
758 ace->flags=ace->flags|
759 SEC_ACE_FLAG_INHERITED_ACE;
760 if ((oldattr & FILE_ATTRIBUTE_DIRECTORY) == FILE_ATTRIBUTE_DIRECTORY) {
761 if ((ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) ==
762 SEC_ACE_FLAG_CONTAINER_INHERIT) {
763 add_ace(&old->dacl, ace);
766 if ((ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT) ==
767 SEC_ACE_FLAG_OBJECT_INHERIT) {
768 /* clear flags for files */
770 add_ace(&old->dacl, ace);
775 printf("Already set to inheritable permissions.\n");
778 } else if (strcmp(type,"remove")==0) {
779 if ((old->type & SEC_DESC_DACL_PROTECTED) !=
780 SEC_DESC_DACL_PROTECTED) {
781 old->type=old->type | SEC_DESC_DACL_PROTECTED;
783 /* remove all inherited ACL's. */
786 struct security_acl *temp=old->dacl;
787 old->dacl=make_sec_acl(talloc_tos(), 3, 0, NULL);
788 for (i=temp->num_aces-1;i>=0;i--) {
789 struct security_ace *ace=&temp->aces[i];
790 /* Remove all ace with INHERITED flag set */
791 if ((ace->flags & SEC_ACE_FLAG_INHERITED_ACE) !=
792 SEC_ACE_FLAG_INHERITED_ACE) {
793 add_ace(&old->dacl,ace);
798 printf("Already set to no inheritable permissions.\n");
801 } else if (strcmp(type,"copy")==0) {
802 if ((old->type & SEC_DESC_DACL_PROTECTED) !=
803 SEC_DESC_DACL_PROTECTED) {
804 old->type=old->type | SEC_DESC_DACL_PROTECTED;
807 * convert all inherited ACL's to non
812 for (i=0;i<old->dacl->num_aces;i++) {
813 struct security_ace *ace=&old->dacl->aces[i];
814 /* Remove INHERITED FLAG from all aces */
815 ace->flags=ace->flags&(~SEC_ACE_FLAG_INHERITED_ACE);
819 printf("Already set to no inheritable permissions.\n");
824 /* Denied ACE entries must come before allowed ones */
827 sd = make_sec_desc(talloc_tos(),old->revision, old->type,
828 old->owner_sid, old->group_sid,
829 NULL, old->dacl, &sd_size);
831 if (!set_secdesc(cli, filename, sd)) {
832 result = EXIT_FAILED;
838 /*****************************************************
839 Return a connection to a server.
840 *******************************************************/
841 static struct cli_state *connect_one(struct cli_credentials *creds,
842 const char *server, const char *share)
844 struct cli_state *c = NULL;
848 nt_status = cli_full_connection_creds(&c, lp_netbios_name(), server,
853 if (!NT_STATUS_IS_OK(nt_status)) {
854 DEBUG(0,("cli_full_connection failed! (%s)\n", nt_errstr(nt_status)));
862 * Process resulting combination of mask & fname ensuring
863 * terminated with wildcard
865 static char *build_dirname(TALLOC_CTX *ctx,
866 const char *mask, char *dir, char *fname)
871 mask2 = talloc_strdup(ctx, mask);
875 p = strrchr_m(mask2, DIRSEP_CHAR);
881 mask2 = talloc_asprintf_append(mask2,
888 * Returns a copy of the ACL flags in ace modified according
889 * to some inheritance rules.
890 * a) SEC_ACE_FLAG_INHERITED_ACE is propagated to children
891 * b) SEC_ACE_FLAG_INHERIT_ONLY is set on container children for OI (only)
892 * c) SEC_ACE_FLAG_OBJECT_INHERIT & SEC_ACE_FLAG_CONTAINER_INHERIT are
893 * stripped from flags to be propagated to non-container children
894 * d) SEC_ACE_FLAG_OBJECT_INHERIT & SEC_ACE_FLAG_CONTAINER_INHERIT are
895 * stripped from flags to be propagated if the NP flag
896 * SEC_ACE_FLAG_NO_PROPAGATE_INHERIT is present
899 static uint8_t get_flags_to_propagate(bool is_container,
900 struct security_ace *ace)
902 uint8_t newflags = ace->flags;
903 /* OBJECT inheritance */
904 bool acl_objinherit = (ace->flags &
905 SEC_ACE_FLAG_OBJECT_INHERIT) == SEC_ACE_FLAG_OBJECT_INHERIT;
906 /* CONTAINER inheritance */
907 bool acl_cntrinherit = (ace->flags &
908 SEC_ACE_FLAG_CONTAINER_INHERIT) ==
909 SEC_ACE_FLAG_CONTAINER_INHERIT;
910 /* PROHIBIT inheritance */
911 bool prohibit_inheritance = ((ace->flags &
912 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) ==
913 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT);
915 /* Assume we are not propagating the ACE */
917 newflags &= ~SEC_ACE_FLAG_INHERITED_ACE;
918 /* all children need to have the SEC_ACE_FLAG_INHERITED_ACE set */
919 if (acl_cntrinherit || acl_objinherit) {
921 * object inherit ( alone ) on a container needs
922 * SEC_ACE_FLAG_INHERIT_ONLY
925 if (acl_objinherit && !acl_cntrinherit) {
926 newflags |= SEC_ACE_FLAG_INHERIT_ONLY;
929 * this is tricky, the only time we would not
930 * propagate the ace for a container is if
931 * prohibit_inheritance is set and object inheritance
934 if ((prohibit_inheritance
936 && !acl_cntrinherit) == false) {
937 newflags |= SEC_ACE_FLAG_INHERITED_ACE;
941 * don't apply object/container inheritance flags to
944 newflags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT
945 | SEC_ACE_FLAG_CONTAINER_INHERIT
946 | SEC_ACE_FLAG_INHERIT_ONLY);
948 * only apply ace to file if object inherit
950 if (acl_objinherit) {
951 newflags |= SEC_ACE_FLAG_INHERITED_ACE;
955 /* if NP is specified strip NP and all OI/CI INHERIT flags */
956 if (prohibit_inheritance) {
957 newflags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT
958 | SEC_ACE_FLAG_CONTAINER_INHERIT
959 | SEC_ACE_FLAG_INHERIT_ONLY
960 | SEC_ACE_FLAG_NO_PROPAGATE_INHERIT);
967 * This function builds a new acl for 'caclfile', first it removes any
968 * existing inheritable ace(s) from the current acl of caclfile, secondly it
969 * applies any inheritable acls of the parent of caclfile ( inheritable acls of
970 * caclfile's parent are passed via acl_to_add member of cbstate )
973 static NTSTATUS propagate_inherited_aces(char *caclfile,
974 struct cacl_callback_state *cbstate)
976 TALLOC_CTX *aclctx = NULL;
980 struct security_descriptor *old = NULL;
981 bool is_container = false;
982 struct security_acl *acl_to_add = cbstate->acl_to_add;
983 struct security_acl *acl_to_remove = NULL;
986 aclctx = talloc_new(NULL);
987 if (aclctx == NULL) {
988 return NT_STATUS_NO_MEMORY;
990 old = get_secdesc_with_ctx(aclctx, cbstate->cli, caclfile);
993 status = NT_STATUS_UNSUCCESSFUL;
997 /* inhibit propagation? */
998 if ((old->type & SEC_DESC_DACL_PROTECTED) ==
999 SEC_DESC_DACL_PROTECTED){
1000 status = NT_STATUS_OK;
1004 fileattr = get_fileinfo(cbstate->cli, caclfile);
1005 is_container = (fileattr & FILE_ATTRIBUTE_DIRECTORY);
1007 /* find acl(s) that are inherited */
1008 for (j = 0; old->dacl && j < old->dacl->num_aces; j++) {
1010 if (old->dacl->aces[j].flags & SEC_ACE_FLAG_INHERITED_ACE) {
1011 if (!add_ace_with_ctx(aclctx, &acl_to_remove,
1012 &old->dacl->aces[j])) {
1013 status = NT_STATUS_NO_MEMORY;
1019 /* remove any acl(s) that are inherited */
1020 if (acl_to_remove) {
1021 for (i = 0; i < acl_to_remove->num_aces; i++) {
1022 struct security_ace ace = acl_to_remove->aces[i];
1023 for (j = 0; old->dacl && j < old->dacl->num_aces; j++) {
1025 if (security_ace_equal(&ace,
1026 &old->dacl->aces[j])) {
1028 for (k = j; k < old->dacl->num_aces-1;
1030 old->dacl->aces[k] =
1031 old->dacl->aces[k+1];
1033 old->dacl->num_aces--;
1039 /* propagate any inheritable ace to be added */
1041 for (i = 0; i < acl_to_add->num_aces; i++) {
1042 struct security_ace ace = acl_to_add->aces[i];
1043 bool is_objectinherit = (ace.flags &
1044 SEC_ACE_FLAG_OBJECT_INHERIT) ==
1045 SEC_ACE_FLAG_OBJECT_INHERIT;
1047 /* don't propagate flags to a file unless OI */
1048 if (!is_objectinherit && !is_container) {
1052 * adjust flags according to inheritance
1055 ace.flags = get_flags_to_propagate(is_container, &ace);
1056 is_inherited = (ace.flags &
1057 SEC_ACE_FLAG_INHERITED_ACE) ==
1058 SEC_ACE_FLAG_INHERITED_ACE;
1059 /* don't propagate non inherited flags */
1060 if (!is_inherited) {
1063 if (!add_ace_with_ctx(aclctx, &old->dacl, &ace)) {
1064 status = NT_STATUS_NO_MEMORY;
1070 result = cacl_set_from_sd(cbstate->cli, caclfile,
1072 SMB_ACL_SET, cbstate->numeric);
1073 if (result != EXIT_OK) {
1074 status = NT_STATUS_UNSUCCESSFUL;
1078 status = NT_STATUS_OK;
1080 TALLOC_FREE(aclctx);
1085 * Returns true if 'ace' contains SEC_ACE_FLAG_OBJECT_INHERIT or
1086 * SEC_ACE_FLAG_CONTAINER_INHERIT
1088 static bool is_inheritable_ace(struct security_ace *ace)
1090 uint8_t flags = ace->flags;
1091 if (flags & (SEC_ACE_FLAG_OBJECT_INHERIT
1092 | SEC_ACE_FLAG_CONTAINER_INHERIT)) {
1098 /* This method does some basic sanity checking with respect to automatic
1099 * inheritance. e.g. it checks if it is possible to do a set, it detects illegal
1100 * attempts to set inherited permissions directly. Additionally this method
1101 * does some basic initialisation for instance it parses the ACL passed on the
1104 static NTSTATUS prepare_inheritance_propagation(TALLOC_CTX *ctx, char *filename,
1105 struct cacl_callback_state *cbstate)
1108 char *the_acl = cbstate->the_acl;
1109 struct cli_state *cli = cbstate->cli;
1110 enum acl_mode mode = cbstate->mode;
1111 struct security_descriptor *sd = NULL;
1112 struct security_descriptor *old = NULL;
1114 bool propagate = false;
1116 old = get_secdesc_with_ctx(ctx, cli, filename);
1118 return NT_STATUS_NO_MEMORY;
1121 /* parse acl passed on the command line */
1123 const char *msg = NULL;
1124 size_t msg_offset = 0;
1125 enum ace_condition_flags flags =
1126 ACE_CONDITION_FLAG_ALLOW_DEVICE;
1128 cbstate->aclsd = sddl_decode_err_msg(ctx,
1130 get_domain_sid(cli),
1134 if (cbstate->aclsd == NULL) {
1135 DBG_ERR("could not decode '%s'\n", the_acl);
1138 (int)msg_offset, '^');
1139 DBG_ERR("error '%s'\n", msg);
1143 cbstate->aclsd = sec_desc_parse(ctx, cli, the_acl);
1146 if (!cbstate->aclsd) {
1147 result = NT_STATUS_UNSUCCESSFUL;
1151 sd = cbstate->aclsd;
1153 /* set operation if inheritance is enabled doesn't make sense */
1154 if (mode == SMB_ACL_SET && ((old->type & SEC_DESC_DACL_PROTECTED) !=
1155 SEC_DESC_DACL_PROTECTED)){
1156 d_printf("Inheritance enabled at %s, can't apply set operation\n",filename);
1157 result = NT_STATUS_UNSUCCESSFUL;
1163 * search command line acl for any illegal SEC_ACE_FLAG_INHERITED_ACE
1164 * flags that are set
1166 for (j = 0; sd->dacl && j < sd->dacl->num_aces; j++) {
1167 struct security_ace *ace = &sd->dacl->aces[j];
1168 if (ace->flags & SEC_ACE_FLAG_INHERITED_ACE) {
1169 d_printf("Illegal parameter %s\n", the_acl);
1170 result = NT_STATUS_UNSUCCESSFUL;
1174 if (is_inheritable_ace(ace)) {
1180 result = NT_STATUS_OK;
1182 cbstate->acl_no_propagate = !propagate;
1187 * This method builds inheritable ace(s) from filename (which should be
1188 * a container) that need propagating to children in order to provide
1189 * automatic inheritance. Those inheritable ace(s) are stored in
1190 * acl_to_add member of cbstate for later processing
1191 * (see propagate_inherited_aces)
1193 static NTSTATUS get_inheritable_aces(TALLOC_CTX *ctx, char *filename,
1194 struct cacl_callback_state *cbstate)
1197 struct cli_state *cli = NULL;
1198 struct security_descriptor *sd = NULL;
1199 struct security_acl *acl_to_add = NULL;
1203 sd = get_secdesc_with_ctx(ctx, cli, filename);
1206 return NT_STATUS_NO_MEMORY;
1210 * Check if any inheritance related flags are used, if not then
1211 * nothing to do. At the same time populate acls for inheritance
1212 * related ace(s) that need to be added to or deleted from children as
1213 * a result of inheritance propagation.
1216 for (j = 0; sd->dacl && j < sd->dacl->num_aces; j++) {
1217 struct security_ace *ace = &sd->dacl->aces[j];
1218 if (is_inheritable_ace(ace)) {
1219 bool added = add_ace_with_ctx(ctx, &acl_to_add, ace);
1221 result = NT_STATUS_NO_MEMORY;
1226 cbstate->acl_to_add = acl_to_add;
1227 result = NT_STATUS_OK;
1233 * Callback handler to handle child elements processed by cli_list, we attempt
1234 * to propagate inheritable ace(s) to each child via the function
1235 * propagate_inherited_aces. Children that are themselves directories are passed
1236 * to cli_list again ( to descend the directory structure )
1238 static NTSTATUS cacl_set_cb(struct file_info *f,
1239 const char *mask, void *state)
1241 struct cacl_callback_state *cbstate =
1242 (struct cacl_callback_state *)state;
1243 struct cli_state *cli = NULL;
1244 struct cli_credentials *creds = NULL;
1246 TALLOC_CTX *dirctx = NULL;
1248 struct cli_state *targetcli = NULL;
1251 char *dir_end = NULL;
1253 char *targetpath = NULL;
1254 char *caclfile = NULL;
1256 dirctx = talloc_new(NULL);
1258 status = NT_STATUS_NO_MEMORY;
1263 creds = cbstate->creds;
1265 /* Work out the directory. */
1266 dir = talloc_strdup(dirctx, mask);
1268 status = NT_STATUS_NO_MEMORY;
1272 dir_end = strrchr(dir, DIRSEP_CHAR);
1273 if (dir_end != NULL) {
1277 if (!f->name || !f->name[0]) {
1278 d_printf("Empty dir name returned. Possible server misconfiguration.\n");
1279 status = NT_STATUS_UNSUCCESSFUL;
1283 if (f->attr & FILE_ATTRIBUTE_DIRECTORY) {
1284 struct cacl_callback_state dir_cbstate;
1285 uint16_t attribute = FILE_ATTRIBUTE_DIRECTORY
1286 | FILE_ATTRIBUTE_SYSTEM
1287 | FILE_ATTRIBUTE_HIDDEN;
1290 /* ignore special '.' & '..' */
1291 if ((f->name == NULL) || ISDOT(f->name) || ISDOTDOT(f->name)) {
1292 status = NT_STATUS_OK;
1296 mask2 = build_dirname(dirctx, mask, dir, f->name);
1297 if (mask2 == NULL) {
1298 status = NT_STATUS_NO_MEMORY;
1303 status = cli_resolve_path(dirctx, "", creds, cli,
1304 mask2, &targetcli, &targetpath);
1305 if (!NT_STATUS_IS_OK(status)) {
1310 * prepare path to caclfile, remove any existing wildcard
1311 * chars and convert path separators.
1314 caclfile = talloc_strdup(dirctx, targetpath);
1316 status = NT_STATUS_NO_MEMORY;
1319 dir_end = strrchr(caclfile, '*');
1320 if (dir_end != NULL) {
1324 string_replace(caclfile, '/', '\\');
1326 * make directory specific copy of cbstate here
1327 * (for this directory level) to be available as
1328 * the parent cbstate for the children of this directory.
1329 * Note: cbstate is overwritten for the current file being
1332 dir_cbstate = *cbstate;
1333 dir_cbstate.cli = targetcli;
1336 * propagate any inherited ace from our parent
1338 status = propagate_inherited_aces(caclfile, &dir_cbstate);
1339 if (!NT_STATUS_IS_OK(status)) {
1344 * get inheritable ace(s) for this dir/container
1345 * that will be propagated to its children
1347 status = get_inheritable_aces(dirctx, caclfile,
1349 if (!NT_STATUS_IS_OK(status)) {
1354 * ensure cacl_set_cb gets called for children
1355 * of this directory (targetpath)
1357 status = cli_list(targetcli, targetpath,
1358 attribute, cacl_set_cb,
1359 (void *)&dir_cbstate);
1361 if (!NT_STATUS_IS_OK(status)) {
1367 * build full path to caclfile and replace '/' with '\' so
1368 * other utility functions can deal with it
1371 targetpath = talloc_asprintf(dirctx, "%s/%s", dir, f->name);
1373 status = NT_STATUS_NO_MEMORY;
1376 string_replace(targetpath, '/', '\\');
1378 /* attempt to propagate any inherited ace to file caclfile */
1379 status = propagate_inherited_aces(targetpath, cbstate);
1381 if (!NT_STATUS_IS_OK(status)) {
1385 status = NT_STATUS_OK;
1387 if (!NT_STATUS_IS_OK(status)) {
1388 d_printf("error %s: processing %s\n",
1392 TALLOC_FREE(dirctx);
1398 * Wrapper around cl_list to descend the directory tree pointed to by 'filename',
1399 * helper callback function 'cacl_set_cb' handles the child elements processed
1402 static int inheritance_cacl_set(char *filename,
1403 struct cacl_callback_state *cbstate)
1409 struct cli_state *cli = cbstate->cli;
1410 TALLOC_CTX *ctx = NULL;
1411 bool isdirectory = false;
1412 uint16_t attribute = FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_SYSTEM
1413 | FILE_ATTRIBUTE_HIDDEN;
1414 ctx = talloc_init("inherit_set");
1416 d_printf("out of memory\n");
1417 result = EXIT_FAILED;
1421 /* ensure we have a filename that starts with '\' */
1422 if (!filename || *filename != DIRSEP_CHAR) {
1423 /* illegal or no filename */
1424 result = EXIT_FAILED;
1425 d_printf("illegal or missing name '%s'\n", filename);
1430 fileattr = get_fileinfo(cli, filename);
1431 isdirectory = (fileattr & FILE_ATTRIBUTE_DIRECTORY)
1432 == FILE_ATTRIBUTE_DIRECTORY;
1435 * if we've got as far as here then we have already evaluated
1444 /* make sure we have a trailing '\*' for directory */
1446 mask = talloc_strdup(ctx, filename);
1447 } else if (strlen(filename) > 1) {
1449 * if the passed file name doesn't have a trailing '\'
1452 char *name_end = strrchr(filename, DIRSEP_CHAR);
1453 if (name_end != filename + strlen(filename) + 1) {
1454 mask = talloc_asprintf(ctx, "%s\\*", filename);
1456 mask = talloc_strdup(ctx, filename);
1459 /* filename is a single '\', just append '*' */
1460 mask = talloc_asprintf_append(mask, "%s*", filename);
1464 result = EXIT_FAILED;
1469 * prepare for automatic propagation of the acl passed on the
1473 ntstatus = prepare_inheritance_propagation(ctx, filename,
1475 if (!NT_STATUS_IS_OK(ntstatus)) {
1476 d_printf("error: %s processing %s\n",
1477 nt_errstr(ntstatus), filename);
1478 result = EXIT_FAILED;
1482 result = cacl_set_from_sd(cli, filename, cbstate->aclsd,
1483 cbstate->mode, cbstate->numeric);
1486 * strictly speaking it could be considered an error if a file was
1487 * specified with '--propagate-inheritance'. However we really want
1488 * to eventually get rid of '--propagate-inheritance' so we will be
1489 * more forgiving here and instead just exit early.
1491 if (!isdirectory || (result != EXIT_OK)) {
1495 /* check if there is actually any need to propagate */
1496 if (cbstate->acl_no_propagate) {
1499 /* get inheritable attributes this parent container (e.g. filename) */
1500 ntstatus = get_inheritable_aces(ctx, filename, cbstate);
1501 if (NT_STATUS_IS_OK(ntstatus)) {
1502 /* process children */
1503 ntstatus = cli_list(cli, mask, attribute,
1508 if (!NT_STATUS_IS_OK(ntstatus)) {
1509 d_printf("error: %s processing %s\n",
1510 nt_errstr(ntstatus), filename);
1511 result = EXIT_FAILED;
1521 struct diritem *prev, *next;
1523 * dirname and targetpath below are sanitized,
1525 * + start and end with '\'
1526 * + have no trailing '*'
1527 * + all '/' have been converted to '\'
1531 struct cli_state *targetcli;
1534 struct save_restore_stats
1540 struct dump_context {
1541 struct diritem *list;
1542 struct cli_credentials *creds;
1543 struct cli_state *cli;
1544 struct save_restore_stats *stats;
1546 struct diritem *dir;
1550 static int write_dacl(struct dump_context *ctx,
1551 struct cli_state *cli,
1552 const char *filename,
1553 const char *origfname)
1555 struct security_descriptor *sd = NULL;
1557 const char *output_fmt = "%s\r\n%s\r\n";
1558 const char *tmp = NULL;
1559 char *out_str = NULL;
1560 uint8_t *dest = NULL;
1565 TALLOC_CTX *frame = talloc_stackframe();
1571 if (ctx->save_fd < 0) {
1572 DBG_ERR("error processing %s no file descriptor\n", filename);
1573 result = EXIT_FAILED;
1577 sd = get_secdesc(cli, filename);
1579 result = EXIT_FAILED;
1583 sd->owner_sid = NULL;
1584 sd->group_sid = NULL;
1586 str = sddl_encode(frame, sd, get_domain_sid(cli));
1588 DBG_ERR("error processing %s couldn't encode DACL\n", filename);
1589 result = EXIT_FAILED;
1593 * format of icacls save file is
1594 * a line containing the path of the file/dir
1595 * followed by a line containing the sddl format
1597 * The format of the strings are null terminated
1598 * 16-bit Unicode. Each line is terminated by "\r\n"
1602 /* skip leading '\' */
1603 if (tmp[0] == '\\') {
1606 out_str = talloc_asprintf(frame, output_fmt, tmp, str);
1608 if (out_str == NULL) {
1609 result = EXIT_FAILED;
1613 s_len = strlen(out_str);
1615 ok = convert_string_talloc(out_str,
1619 s_len, (void **)(void *)&dest, &d_len);
1621 DBG_ERR("error processing %s out of memory\n", tmp);
1622 result = EXIT_FAILED;
1626 if (write(ctx->save_fd, dest, d_len) != d_len) {
1627 DBG_ERR("error processing %s failed to write to file.\n", tmp);
1628 result = EXIT_FAILED;
1631 fsync(ctx->save_fd);
1634 ctx->stats->success += 1;
1635 fprintf(stdout, "Successfully processed file: %s\n", tmp);
1638 if (result != EXIT_OK) {
1639 ctx->stats->failure += 1;
1645 * Sanitize directory name.
1646 * Given a directory name 'dir' ensure it;
1649 * o doesn't end with trailing '*'
1650 * o ensure all '/' are converted to '\'
1653 static char *sanitize_dirname(TALLOC_CTX *ctx,
1657 char *name_end = NULL;
1659 mask = talloc_strdup(ctx, dir);
1660 name_end = strrchr(mask, '*');
1665 name_end = strrchr(mask, DIRSEP_CHAR);
1667 if (strlen(mask) > 0 && name_end != mask + (strlen(mask) - 1)) {
1668 mask = talloc_asprintf(ctx, "%s\\", mask);
1671 string_replace(mask, '/', '\\');
1676 * Process each entry (child) of a directory.
1677 * Each entry, regardless of whether it is itself a file or directory
1678 * has it's dacl written to the restore/save file.
1679 * Each directory is saved to context->list (for further processing)
1680 * write_dacl will update the stats (success/fail)
1682 static NTSTATUS cacl_dump_dacl_cb(struct file_info *f,
1683 const char *mask, void *state)
1685 struct dump_context *ctx = talloc_get_type_abort(state,
1686 struct dump_context);
1691 char *targetpath = NULL;
1692 char *unresolved = NULL;
1695 * if we have already encountered an error
1698 if (!NT_STATUS_IS_OK(ctx->status)) {
1702 if (!f->name || !f->name[0]) {
1703 DBG_ERR("Empty dir name returned. Possible server "
1704 "misconfiguration.\n");
1705 status = NT_STATUS_UNSUCCESSFUL;
1709 mask2 = sanitize_dirname(ctx, mask);
1711 status = NT_STATUS_NO_MEMORY;
1714 if (f->attr & FILE_ATTRIBUTE_DIRECTORY) {
1715 struct diritem *item = NULL;
1717 /* ignore special '.' & '..' */
1718 if ((f->name == NULL) || ISDOT(f->name) || ISDOTDOT(f->name)) {
1719 status = NT_STATUS_OK;
1723 /* Work out the directory. */
1724 unresolved = sanitize_dirname(ctx, ctx->dir->dirname);
1726 status = NT_STATUS_NO_MEMORY;
1730 unresolved = talloc_asprintf(ctx, "%s%s", unresolved, f->name);
1732 if (unresolved == NULL) {
1733 status = NT_STATUS_NO_MEMORY;
1737 item = talloc_zero(ctx, struct diritem);
1739 status = NT_STATUS_NO_MEMORY;
1743 item->dirname = unresolved;
1745 mask2 = talloc_asprintf(ctx, "%s%s", mask2, f->name);
1747 status = NT_STATUS_NO_MEMORY;
1751 status = cli_resolve_path(ctx, "", ctx->creds, ctx->cli,
1752 mask2, &item->targetcli, &targetpath);
1754 if (!NT_STATUS_IS_OK(status)) {
1755 DBG_ERR("error failed to resolve: %s\n",
1760 item->targetpath = sanitize_dirname(ctx, targetpath);
1761 if (!item->targetpath) {
1762 status = NT_STATUS_NO_MEMORY;
1768 item->targetpath, unresolved) != EXIT_OK) {
1769 status = NT_STATUS_UNSUCCESSFUL;
1771 * cli_list happily ignores error encountered
1772 * when processing the callback so we need
1773 * to save any error status encountered while
1774 * processing directories (so we can stop recursing
1775 * those as soon as possible).
1776 * Changing the current behaviour of the callback
1777 * handling by cli_list would be I think be too
1780 ctx->status = status;
1784 DLIST_ADD_END(ctx->list, item);
1787 unresolved = sanitize_dirname(ctx, ctx->dir->dirname);
1789 status = NT_STATUS_NO_MEMORY;
1793 unresolved = talloc_asprintf(ctx, "%s%s", unresolved, f->name);
1796 status = NT_STATUS_NO_MEMORY;
1800 * build full path to the file and replace '/' with '\' so
1801 * other utility functions can deal with it
1804 targetpath = talloc_asprintf(ctx, "%s%s", mask2, f->name);
1807 status = NT_STATUS_NO_MEMORY;
1812 ctx->dir->targetcli,
1813 targetpath, unresolved) != EXIT_OK) {
1814 status = NT_STATUS_UNSUCCESSFUL;
1816 * cli_list happily ignores error encountered
1817 * when processing the callback so we need
1818 * to save any error status encountered while
1819 * processing directories (so we can stop recursing
1820 * those as soon as possible).
1821 * Changing the current behaviour of the callback
1822 * handling by cli_list would be I think be too
1825 ctx->status = status;
1829 status = NT_STATUS_OK;
1831 if (!NT_STATUS_IS_OK(status)) {
1832 DBG_ERR("error %s: processing %s\n",
1833 nt_errstr(status), targetpath);
1839 * dump_ctx contains a list of directories to be processed
1840 * + each directory 'dir' is scanned by cli_list, the cli_list
1841 * callback 'cacl_dump_dacl_cb' writes out the dacl of each
1842 * child of 'dir' (regardless of whether it is a dir or file)
1843 * to the restore/save file. Additionally any directories encountered
1844 * are returned in the passed in dump_ctx->list member
1845 * + the directory list returned from cli_list is passed and processed
1846 * by recursively calling dump_dacl_dirtree
1849 static int dump_dacl_dirtree(struct dump_context *dump_ctx)
1851 struct diritem *item = NULL;
1852 struct dump_context *new_dump_ctx = NULL;
1854 for (item = dump_ctx->list; item; item = item->next) {
1855 uint16_t attribute = FILE_ATTRIBUTE_DIRECTORY
1856 | FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN;
1860 new_dump_ctx = talloc_zero(dump_ctx, struct dump_context);
1862 if (new_dump_ctx == NULL) {
1863 DBG_ERR("out of memory\n");
1864 result = EXIT_FAILED;
1868 if (item->targetcli == NULL) {
1869 status = cli_resolve_path(new_dump_ctx,
1876 if (!NT_STATUS_IS_OK(status)) {
1877 DBG_ERR("failed to resolve path %s "
1879 item->dirname, nt_errstr(status));
1880 result = EXIT_FAILED;
1884 new_dump_ctx->creds = dump_ctx->creds;
1885 new_dump_ctx->save_fd = dump_ctx->save_fd;
1886 new_dump_ctx->stats = dump_ctx->stats;
1887 new_dump_ctx->dir = item;
1888 new_dump_ctx->cli = item->targetcli;
1890 mask = talloc_asprintf(new_dump_ctx, "%s*",
1891 new_dump_ctx->dir->targetpath);
1892 status = cli_list(new_dump_ctx->dir->targetcli,
1894 attribute, cacl_dump_dacl_cb, new_dump_ctx);
1896 if (!NT_STATUS_IS_OK(status) ||
1897 !NT_STATUS_IS_OK(new_dump_ctx->status)) {
1899 if (!NT_STATUS_IS_OK(status)) {
1901 * cli_list failed for some reason
1902 * so we need to update the failure stat
1904 new_dump_ctx->stats->failure += 1;
1907 /* cacl_dump_dacl_cb should have updated stat */
1908 tmpstatus = new_dump_ctx->status;
1910 DBG_ERR("error %s: processing %s\n",
1911 nt_errstr(tmpstatus), item->dirname);
1912 result = EXIT_FAILED;
1915 result = dump_dacl_dirtree(new_dump_ctx);
1916 if (result != EXIT_OK) {
1923 TALLOC_FREE(new_dump_ctx);
1927 static int cacl_dump_dacl(struct cli_state *cli,
1928 struct cli_credentials *creds,
1933 TALLOC_CTX *ctx = NULL;
1934 bool isdirectory = false;
1936 struct dump_context *dump_ctx = NULL;
1937 struct save_restore_stats stats = {0};
1938 struct diritem *item = NULL;
1939 struct cli_state *targetcli = NULL;
1940 char *targetpath = NULL;
1943 ctx = talloc_init("cacl_dump");
1945 DBG_ERR("out of memory\n");
1946 result = EXIT_FAILED;
1950 dump_ctx = talloc_zero(ctx, struct dump_context);
1951 if (dump_ctx == NULL) {
1952 DBG_ERR("out of memory\n");
1953 result = EXIT_FAILED;
1957 dump_ctx->save_fd = open(save_file,
1958 O_CREAT | O_RDWR | O_TRUNC, S_IRUSR | S_IWUSR);
1960 if (dump_ctx->save_fd < 0) {
1961 result = EXIT_FAILED;
1965 dump_ctx->creds = creds;
1966 dump_ctx->cli = cli;
1967 dump_ctx->stats = &stats;
1969 /* ensure we have a filename that starts with '\' */
1970 if (!filename || *filename != DIRSEP_CHAR) {
1971 /* illegal or no filename */
1972 result = EXIT_FAILED;
1973 DBG_ERR("illegal or missing name '%s'\n", filename);
1977 status = cli_resolve_path(dump_ctx, "",
1980 filename, &targetcli, &targetpath);
1981 if (!NT_STATUS_IS_OK(status)) {
1982 DBG_ERR("failed resolve %s\n", filename);
1983 result = EXIT_FAILED;
1987 fileattr = get_fileinfo(targetcli, targetpath);
1988 isdirectory = (fileattr & FILE_ATTRIBUTE_DIRECTORY)
1989 == FILE_ATTRIBUTE_DIRECTORY;
1992 * if we've got as far as here then we have already evaluated
2001 /* make sure we have a trailing '\*' for directory */
2003 mask = talloc_strdup(ctx, filename);
2004 } else if (strlen(filename) > 1) {
2005 mask = sanitize_dirname(ctx, filename);
2007 /* filename is a single '\' */
2008 mask = talloc_strdup(ctx, filename);
2011 result = EXIT_FAILED;
2015 write_dacl(dump_ctx, targetcli, targetpath, filename);
2016 if (isdirectory && recurse) {
2017 item = talloc_zero(dump_ctx, struct diritem);
2019 result = EXIT_FAILED;
2022 item->dirname = mask;
2023 DLIST_ADD_END(dump_ctx->list, item);
2024 dump_dacl_dirtree(dump_ctx);
2027 fprintf(stdout, "Successfully processed %d files: "
2028 "Failed processing %d files\n",
2029 dump_ctx->stats->success, dump_ctx->stats->failure);
2032 if (dump_ctx && dump_ctx->save_fd > 0) {
2033 close(dump_ctx->save_fd);
2039 struct restore_dacl {
2041 struct security_descriptor *sd;
2045 * Restore dacls from 'savefile' produced by
2046 * 'icacls name /save' or 'smbcacls --save'
2048 static int cacl_restore(struct cli_state *cli,
2049 struct cli_credentials *creds,
2050 bool numeric, const char *restorefile)
2054 struct save_restore_stats stats = { 0 };
2056 char **lines = NULL;
2057 char *content = NULL;
2058 char *convert_content = NULL;
2059 size_t content_size;
2060 struct restore_dacl *entries = NULL;
2061 int numlines, i = 0;
2063 struct dom_sid *sid = NULL;
2065 if (restorefile == NULL) {
2066 DBG_ERR("No restore file specified\n");
2067 result = EXIT_FAILED;
2076 restore_fd = open(restorefile, O_RDONLY, S_IRUSR | S_IWUSR);
2077 if (restore_fd < 0) {
2078 DBG_ERR("Failed to open %s.\n", restorefile);
2079 result = EXIT_FAILED;
2083 content = fd_load(restore_fd, &content_size, 0, talloc_tos());
2087 if (content == NULL) {
2088 DBG_ERR("Failed to load content from %s.\n", restorefile);
2089 result = EXIT_FAILED;
2093 ok = convert_string_talloc(talloc_tos(),
2097 utf16_len_n(content, content_size),
2098 (void **)(void *)&convert_content,
2101 TALLOC_FREE(content);
2104 DBG_ERR("Failed to convert content from %s "
2105 "to CH_UNIX.\n", restorefile);
2106 result = EXIT_FAILED;
2110 lines = file_lines_parse(convert_content,
2111 content_size, &numlines, talloc_tos());
2113 if (lines == NULL) {
2114 DBG_ERR("Failed to parse lines from content of %s.",
2116 result = EXIT_FAILED;
2120 entries = talloc_zero_array(lines, struct restore_dacl, numlines / 2);
2122 if (entries == NULL) {
2123 DBG_ERR("error processing %s, out of memory\n", restorefile);
2124 result = EXIT_FAILED;
2128 sid = get_domain_sid(cli);
2130 while (i < numlines) {
2132 int first_line = (i % 2) == 0;
2137 /* line can be blank if root of share */
2138 if (strlen(tmp) == 0) {
2139 entries[index].path = talloc_strdup(lines,
2142 entries[index].path = lines[i];
2145 const char *msg = NULL;
2146 size_t msg_offset = 0;
2147 enum ace_condition_flags flags =
2148 ACE_CONDITION_FLAG_ALLOW_DEVICE;
2149 entries[index].sd = sddl_decode_err_msg(lines,
2155 if(entries[index].sd == NULL) {
2156 DBG_ERR("could not decode '%s'\n", lines[i]);
2159 (int)msg_offset, '^');
2160 DBG_ERR("error '%s'\n", msg);
2162 result = EXIT_FAILED;
2165 entries[index].sd->type |=
2166 SEC_DESC_DACL_AUTO_INHERIT_REQ;
2167 entries[index].sd->type |= SEC_DESC_SACL_AUTO_INHERITED;
2171 for (i = 0; i < (numlines / 2); i++) {
2172 int mode = SMB_ACL_SET;
2174 struct cli_state *targetcli = NULL;
2175 char *targetpath = NULL;
2179 status = cli_resolve_path(talloc_tos(),
2184 &targetcli, &targetpath);
2186 if (!NT_STATUS_IS_OK(status)) {
2187 printf("Error failed to process file: %s\n",
2193 set_result = cacl_set_from_sd(targetcli,
2195 entries[i].sd, mode, numeric);
2197 if (set_result == EXIT_OK) {
2198 printf("Successfully processed file: %s\n",
2202 printf("Error failed to process file: %s\n",
2211 fprintf(stdout, "Successfully processed %d files: "
2212 "Failed processing %d files\n", stats.success, stats.failure);
2216 /****************************************************************************
2218 ****************************************************************************/
2219 int main(int argc, char *argv[])
2221 const char **argv_const = discard_const_p(const char *, argv);
2224 enum acl_mode mode = SMB_ACL_SET;
2225 static char *the_acl = NULL;
2226 enum chown_mode change_mode = REQUEST_NONE;
2229 char *filename = NULL;
2231 /* numeric is set when the user wants numeric SIDs and ACEs rather
2232 than going via LSA calls to resolve them */
2234 struct cli_state *targetcli = NULL;
2235 struct cli_credentials *creds = NULL;
2236 char *targetfile = NULL;
2239 struct loadparm_context *lp_ctx = NULL;
2241 struct poptOption long_options[] = {
2244 .longName = "delete",
2246 .argInfo = POPT_ARG_STRING,
2249 .descrip = "Delete an acl",
2250 .argDescrip = "ACL",
2253 .longName = "modify",
2255 .argInfo = POPT_ARG_STRING,
2258 .descrip = "Modify an acl",
2259 .argDescrip = "ACL",
2264 .argInfo = POPT_ARG_STRING,
2267 .descrip = "Add an acl",
2268 .argDescrip = "ACL",
2273 .argInfo = POPT_ARG_STRING,
2276 .descrip = "Set acls",
2277 .argDescrip = "ACLS",
2280 .longName = "chown",
2282 .argInfo = POPT_ARG_STRING,
2285 .descrip = "Change ownership of a file",
2286 .argDescrip = "USERNAME",
2289 .longName = "chgrp",
2291 .argInfo = POPT_ARG_STRING,
2294 .descrip = "Change group ownership of a file",
2295 .argDescrip = "GROUPNAME",
2298 .longName = "inherit",
2300 .argInfo = POPT_ARG_STRING,
2303 .descrip = "Inherit allow|remove|copy",
2306 .longName = "propagate-inheritance",
2308 .argInfo = POPT_ARG_NONE,
2309 .arg = &inheritance,
2311 .descrip = "Supports propagation of inheritable ACE(s) when used in conjunction with add, delete, set or modify",
2316 .argInfo = POPT_ARG_STRING,
2319 .descrip = "stores the DACLs in sddl format of the "
2320 "specified file or folder for later use "
2321 "with restore. SACLS, owner or integrity"
2322 " labels are not stored",
2325 .longName = "restore",
2327 .argInfo = POPT_ARG_STRING,
2328 .arg = &restore_file,
2330 .descrip = "applies the stored DACLS to files in "
2334 .longName = "recurse",
2336 .argInfo = POPT_ARG_NONE,
2339 .descrip = "indicates the operation is performed "
2340 "on directory and all files/directories"
2341 " below. (only applies to save option)",
2344 .longName = "numeric",
2346 .argInfo = POPT_ARG_NONE,
2349 .descrip = "Don't resolve sids or masks to names",
2354 .argInfo = POPT_ARG_NONE,
2357 .descrip = "Output and input acls in sddl format",
2360 .longName = "query-security-info",
2362 .argInfo = POPT_ARG_INT,
2363 .arg = &query_sec_info,
2365 .descrip = "The security-info flags for queries"
2368 .longName = "set-security-info",
2370 .argInfo = POPT_ARG_INT,
2371 .arg = &set_sec_info,
2373 .descrip = "The security-info flags for modifications"
2376 .longName = "test-args",
2378 .argInfo = POPT_ARG_NONE,
2381 .descrip = "Test arguments"
2384 .longName = "domain-sid",
2386 .argInfo = POPT_ARG_STRING,
2389 .descrip = "Domain SID for sddl",
2390 .argDescrip = "SID"},
2392 .longName = "maximum-access",
2394 .argInfo = POPT_ARG_NONE,
2397 .descrip = "Query maximum permissions",
2400 POPT_COMMON_CONNECTION
2401 POPT_COMMON_CREDENTIALS
2407 struct cli_state *cli;
2408 TALLOC_CTX *frame = talloc_stackframe();
2409 const char *owner_username = "";
2414 ok = samba_cmdline_init(frame,
2415 SAMBA_CMDLINE_CONFIG_CLIENT,
2416 false /* require_smbconf */);
2418 DBG_ERR("Failed to init cmdline parser!\n");
2422 lp_ctx = samba_cmdline_get_lp_ctx();
2423 /* set default debug level to 1 regardless of what smb.conf sets */
2424 lpcfg_set_cmdline(lp_ctx, "log level", "1");
2428 pc = samba_popt_get_context(getprogname(),
2434 DBG_ERR("Failed to setup popt context!\n");
2439 poptSetOtherOptionHelp(pc, "//server1/share1 filename\nACLs look like: "
2440 "'ACL:user:[ALLOWED|DENIED]/flags/permissions'");
2442 while ((opt = poptGetNextOpt(pc)) != -1) {
2445 the_acl = smb_xstrdup(poptGetOptArg(pc));
2450 the_acl = smb_xstrdup(poptGetOptArg(pc));
2451 mode = SMB_ACL_DELETE;
2455 the_acl = smb_xstrdup(poptGetOptArg(pc));
2456 mode = SMB_ACL_MODIFY;
2460 the_acl = smb_xstrdup(poptGetOptArg(pc));
2465 owner_username = poptGetOptArg(pc);
2466 change_mode = REQUEST_CHOWN;
2470 owner_username = poptGetOptArg(pc);
2471 change_mode = REQUEST_CHGRP;
2475 owner_username = poptGetOptArg(pc);
2476 change_mode = REQUEST_INHERIT;
2479 lpcfg_set_cmdline(lp_ctx, "client max protocol", poptGetOptArg(pc));
2484 case POPT_ERROR_BADOPT:
2485 fprintf(stderr, "\nInvalid option %s: %s\n\n",
2486 poptBadOption(pc, 0), poptStrerror(opt));
2487 poptPrintUsage(pc, stderr, 0);
2491 if (inheritance && !the_acl) {
2492 poptPrintUsage(pc, stderr, 0);
2496 if(!poptPeekArg(pc)) {
2497 poptPrintUsage(pc, stderr, 0);
2501 path = talloc_strdup(frame, poptGetArg(pc));
2506 if (strncmp(path, "\\\\", 2) && strncmp(path, "//", 2)) {
2507 printf("Invalid argument: %s\n", path);
2511 if(!poptPeekArg(pc)) {
2512 poptPrintUsage(pc, stderr, 0);
2516 filename = talloc_strdup(frame, poptGetArg(pc));
2521 poptFreeContext(pc);
2522 samba_cmdline_burn(argc, argv);
2524 string_replace(path,'/','\\');
2526 server = talloc_strdup(frame, path+2);
2530 share = strchr_m(server,'\\');
2531 if (share == NULL) {
2532 printf("Invalid argument\n");
2539 creds = samba_cmdline_get_creds();
2541 /* Make connection to server */
2543 cli = connect_one(creds, server, share);
2551 string_replace(filename, '/', '\\');
2552 if (filename[0] != '\\') {
2553 filename = talloc_asprintf(frame,
2561 status = cli_resolve_path(frame,
2568 if (!NT_STATUS_IS_OK(status)) {
2569 DEBUG(0,("cli_resolve_path failed for %s! (%s)\n", filename, nt_errstr(status)));
2573 /* Perform requested action */
2575 if (change_mode == REQUEST_INHERIT) {
2576 result = inherit(targetcli, targetfile, owner_username);
2577 } else if (change_mode != REQUEST_NONE) {
2578 result = owner_set(targetcli, change_mode, targetfile, owner_username);
2579 } else if (the_acl) {
2581 struct cacl_callback_state cbstate = {
2588 result = inheritance_cacl_set(targetfile, &cbstate);
2590 result = cacl_set(targetcli,
2597 if (save_file || restore_file) {
2600 result = cacl_dump_dacl(cli, creds, filename);
2602 result = cacl_restore(targetcli,
2604 numeric, restore_file);
2607 result = cacl_dump(targetcli, targetfile, numeric);