LCOV - code coverage report
Current view: top level - source3/utils - net_rpc_rights.c (source / functions) Hit Total Coverage
Test: coverage report for master 70ed9daf Lines: 66 313 21.1 %
Date: 2024-01-11 09:59:51 Functions: 6 18 33.3 %

          Line data    Source code
       1             : /*
       2             :    Samba Unix/Linux SMB client library
       3             :    Distributed SMB/CIFS Server Management Utility
       4             :    Copyright (C) Gerald (Jerry) Carter          2004
       5             :    Copyright (C) Guenther Deschner              2008
       6             : 
       7             :    This program is free software; you can redistribute it and/or modify
       8             :    it under the terms of the GNU General Public License as published by
       9             :    the Free Software Foundation; either version 3 of the License, or
      10             :    (at your option) any later version.
      11             : 
      12             :    This program is distributed in the hope that it will be useful,
      13             :    but WITHOUT ANY WARRANTY; without even the implied warranty of
      14             :    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      15             :    GNU General Public License for more details.
      16             : 
      17             :    You should have received a copy of the GNU General Public License
      18             :    along with this program.  If not, see <http://www.gnu.org/licenses/>.
      19             : */
      20             : #include "includes.h"
      21             : #include "utils/net.h"
      22             : #include "rpc_client/rpc_client.h"
      23             : #include "../librpc/gen_ndr/ndr_lsa_c.h"
      24             : #include "rpc_client/cli_lsarpc.h"
      25             : #include "rpc_client/init_lsa.h"
      26             : #include "../libcli/security/security.h"
      27             : #include "lib/util/string_wrappers.h"
      28             : 
      29             : /********************************************************************
      30             : ********************************************************************/
      31             : 
      32           0 : static NTSTATUS sid_to_name(struct rpc_pipe_client *pipe_hnd,
      33             :                                 TALLOC_CTX *mem_ctx,
      34             :                                 struct dom_sid *sid,
      35             :                                 fstring name)
      36             : {
      37           0 :         struct policy_handle pol;
      38           0 :         enum lsa_SidType *sid_types = NULL;
      39           0 :         NTSTATUS status, result;
      40           0 :         char **domains = NULL, **names = NULL;
      41           0 :         struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
      42             : 
      43           0 :         status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
      44             :                 SEC_FLAG_MAXIMUM_ALLOWED, &pol);
      45             : 
      46           0 :         if ( !NT_STATUS_IS_OK(status) )
      47           0 :                 return status;
      48             : 
      49           0 :         status = rpccli_lsa_lookup_sids(pipe_hnd, mem_ctx, &pol, 1, sid, &domains, &names, &sid_types);
      50             : 
      51           0 :         if ( NT_STATUS_IS_OK(status) ) {
      52           0 :                 if ( *domains[0] )
      53           0 :                         fstr_sprintf( name, "%s\\%s", domains[0], names[0] );
      54             :                 else
      55           0 :                         fstrcpy( name, names[0] );
      56             :         }
      57             : 
      58           0 :         dcerpc_lsa_Close(b, mem_ctx, &pol, &result);
      59           0 :         return status;
      60             : }
      61             : 
      62             : /********************************************************************
      63             : ********************************************************************/
      64             : 
      65          40 : static NTSTATUS name_to_sid(struct rpc_pipe_client *pipe_hnd,
      66             :                             TALLOC_CTX *mem_ctx,
      67             :                             struct dom_sid *sid, const char *name)
      68             : {
      69           0 :         struct policy_handle pol;
      70           0 :         enum lsa_SidType *sid_types;
      71           0 :         NTSTATUS status, result;
      72           0 :         struct dom_sid *sids;
      73          40 :         struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
      74             : 
      75             :         /* maybe its a raw SID */
      76          40 :         if (dom_sid_parse(name, sid)) {
      77           0 :                 return NT_STATUS_OK;
      78             :         }
      79             : 
      80          40 :         status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
      81             :                 SEC_FLAG_MAXIMUM_ALLOWED, &pol);
      82             : 
      83          40 :         if ( !NT_STATUS_IS_OK(status) )
      84           0 :                 return status;
      85             : 
      86          40 :         status = rpccli_lsa_lookup_names(pipe_hnd, mem_ctx, &pol, 1, &name,
      87             :                                          NULL, 1, &sids, &sid_types);
      88             : 
      89          40 :         if ( NT_STATUS_IS_OK(status) )
      90          40 :                 sid_copy( sid, &sids[0] );
      91             : 
      92          40 :         dcerpc_lsa_Close(b, mem_ctx, &pol, &result);
      93          40 :         return status;
      94             : }
      95             : 
      96             : /********************************************************************
      97             : ********************************************************************/
      98             : 
      99           0 : static NTSTATUS enum_privileges(struct rpc_pipe_client *pipe_hnd,
     100             :                                 TALLOC_CTX *ctx,
     101             :                                 struct policy_handle *pol )
     102             : {
     103           0 :         NTSTATUS status, result;
     104           0 :         uint32_t enum_context = 0;
     105           0 :         uint32_t pref_max_length=0x1000;
     106           0 :         uint32_t i;
     107           0 :         uint16_t lang_id=0;
     108           0 :         uint16_t lang_id_sys=0;
     109           0 :         uint16_t lang_id_desc;
     110           0 :         struct lsa_StringLarge *description = NULL;
     111           0 :         struct lsa_PrivArray priv_array;
     112           0 :         struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
     113             : 
     114           0 :         status = dcerpc_lsa_EnumPrivs(b, ctx,
     115             :                                       pol,
     116             :                                       &enum_context,
     117             :                                       &priv_array,
     118             :                                       pref_max_length,
     119             :                                       &result);
     120             : 
     121           0 :         if ( !NT_STATUS_IS_OK(status) )
     122           0 :                 return status;
     123           0 :         if (!NT_STATUS_IS_OK(result)) {
     124           0 :                 return result;
     125             :         }
     126             : 
     127             :         /* Print results */
     128             : 
     129           0 :         for (i = 0; i < priv_array.count; i++) {
     130             : 
     131           0 :                 struct lsa_String lsa_name;
     132             : 
     133           0 :                 d_printf("%30s  ",
     134           0 :                         priv_array.privs[i].name.string ? priv_array.privs[i].name.string : "*unknown*" );
     135             : 
     136             :                 /* try to get the description */
     137             : 
     138           0 :                 init_lsa_String(&lsa_name, priv_array.privs[i].name.string);
     139             : 
     140           0 :                 status = dcerpc_lsa_LookupPrivDisplayName(b, ctx,
     141             :                                                           pol,
     142             :                                                           &lsa_name,
     143             :                                                           lang_id,
     144             :                                                           lang_id_sys,
     145             :                                                           &description,
     146             :                                                           &lang_id_desc,
     147             :                                                           &result);
     148           0 :                 if (!NT_STATUS_IS_OK(status)) {
     149           0 :                         d_printf("??????\n");
     150           0 :                         continue;
     151             :                 }
     152           0 :                 if (!NT_STATUS_IS_OK(result)) {
     153           0 :                         d_printf("??????\n");
     154           0 :                         continue;
     155             :                 }
     156             : 
     157           0 :                 d_printf("%s\n", description ? description->string : "??????");
     158             :         }
     159             : 
     160           0 :         return NT_STATUS_OK;
     161             : }
     162             : 
     163             : /********************************************************************
     164             : ********************************************************************/
     165             : 
     166           0 : static NTSTATUS check_privilege_for_user(struct rpc_pipe_client *pipe_hnd,
     167             :                                         TALLOC_CTX *ctx,
     168             :                                         struct policy_handle *pol,
     169             :                                         struct dom_sid *sid,
     170             :                                         const char *right)
     171             : {
     172           0 :         NTSTATUS status, result;
     173           0 :         struct lsa_RightSet rights;
     174           0 :         uint32_t i;
     175           0 :         struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
     176             : 
     177           0 :         status = dcerpc_lsa_EnumAccountRights(b, ctx,
     178             :                                               pol,
     179             :                                               sid,
     180             :                                               &rights,
     181             :                                               &result);
     182           0 :         if (!NT_STATUS_IS_OK(status)) {
     183           0 :                 return status;
     184             :         }
     185           0 :         if (!NT_STATUS_IS_OK(result)) {
     186           0 :                 return result;
     187             :         }
     188             : 
     189           0 :         if (rights.count == 0) {
     190           0 :                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
     191             :         }
     192             : 
     193           0 :         for (i = 0; i < rights.count; i++) {
     194           0 :                 if (strcasecmp_m(rights.names[i].string, right) == 0) {
     195           0 :                         return NT_STATUS_OK;
     196             :                 }
     197             :         }
     198             : 
     199           0 :         return NT_STATUS_OBJECT_NAME_NOT_FOUND;
     200             : }
     201             : 
     202             : /********************************************************************
     203             : ********************************************************************/
     204             : 
     205           0 : static NTSTATUS enum_privileges_for_user(struct rpc_pipe_client *pipe_hnd,
     206             :                                         TALLOC_CTX *ctx,
     207             :                                         struct policy_handle *pol,
     208             :                                         struct dom_sid *sid )
     209             : {
     210           0 :         NTSTATUS status, result;
     211           0 :         struct lsa_RightSet rights;
     212           0 :         uint32_t i;
     213           0 :         struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
     214             : 
     215           0 :         status = dcerpc_lsa_EnumAccountRights(b, ctx,
     216             :                                               pol,
     217             :                                               sid,
     218             :                                               &rights,
     219             :                                               &result);
     220           0 :         if (!NT_STATUS_IS_OK(status))
     221           0 :                 return status;
     222           0 :         if (!NT_STATUS_IS_OK(result))
     223           0 :                 return result;
     224             : 
     225           0 :         if (rights.count == 0) {
     226           0 :                 d_printf(_("No privileges assigned\n"));
     227             :         }
     228             : 
     229           0 :         for (i = 0; i < rights.count; i++) {
     230           0 :                 printf("%s\n", rights.names[i].string);
     231             :         }
     232             : 
     233           0 :         return NT_STATUS_OK;
     234             : }
     235             : 
     236             : /********************************************************************
     237             : ********************************************************************/
     238             : 
     239           0 : static NTSTATUS enum_accounts_for_privilege(struct rpc_pipe_client *pipe_hnd,
     240             :                                                 TALLOC_CTX *ctx,
     241             :                                                 struct policy_handle *pol,
     242             :                                                 const char *privilege)
     243             : {
     244           0 :         NTSTATUS status, result;
     245           0 :         uint32_t enum_context=0;
     246           0 :         uint32_t pref_max_length=0x1000;
     247           0 :         struct lsa_SidArray sid_array;
     248           0 :         uint32_t i;
     249           0 :         fstring name;
     250           0 :         struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
     251             : 
     252           0 :         status = dcerpc_lsa_EnumAccounts(b, ctx,
     253             :                                          pol,
     254             :                                          &enum_context,
     255             :                                          &sid_array,
     256             :                                          pref_max_length,
     257             :                                          &result);
     258           0 :         if (!NT_STATUS_IS_OK(status))
     259           0 :                 return status;
     260           0 :         if (!NT_STATUS_IS_OK(result))
     261           0 :                 return result;
     262             : 
     263           0 :         d_printf("%s:\n", privilege);
     264             : 
     265           0 :         for ( i=0; i<sid_array.num_sids; i++ ) {
     266             : 
     267           0 :                 status = check_privilege_for_user(pipe_hnd, ctx, pol,
     268           0 :                                                   sid_array.sids[i].sid,
     269             :                                                   privilege);
     270             : 
     271           0 :                 if ( ! NT_STATUS_IS_OK(status)) {
     272           0 :                         if ( ! NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
     273           0 :                                 return status;
     274             :                         }
     275           0 :                         continue;
     276             :                 }
     277             : 
     278             :                 /* try to convert the SID to a name.  Fall back to
     279             :                    printing the raw SID if necessary */
     280           0 :                 status = sid_to_name( pipe_hnd, ctx, sid_array.sids[i].sid, name );
     281           0 :                 if ( !NT_STATUS_IS_OK (status) )
     282           0 :                         sid_to_fstring(name, sid_array.sids[i].sid);
     283             : 
     284           0 :                 d_printf("  %s\n", name);
     285             :         }
     286             : 
     287           0 :         return NT_STATUS_OK;
     288             : }
     289             : 
     290             : /********************************************************************
     291             : ********************************************************************/
     292             : 
     293           0 : static NTSTATUS enum_privileges_for_accounts(struct rpc_pipe_client *pipe_hnd,
     294             :                                                 TALLOC_CTX *ctx,
     295             :                                                 struct policy_handle *pol)
     296             : {
     297           0 :         NTSTATUS status, result;
     298           0 :         uint32_t enum_context=0;
     299           0 :         uint32_t pref_max_length=0x1000;
     300           0 :         struct lsa_SidArray sid_array;
     301           0 :         uint32_t i;
     302           0 :         fstring name;
     303           0 :         struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
     304             : 
     305           0 :         status = dcerpc_lsa_EnumAccounts(b, ctx,
     306             :                                          pol,
     307             :                                          &enum_context,
     308             :                                          &sid_array,
     309             :                                          pref_max_length,
     310             :                                          &result);
     311           0 :         if (!NT_STATUS_IS_OK(status))
     312           0 :                 return status;
     313           0 :         if (!NT_STATUS_IS_OK(result))
     314           0 :                 return result;
     315             : 
     316           0 :         for ( i=0; i<sid_array.num_sids; i++ ) {
     317             : 
     318             :                 /* try to convert the SID to a name.  Fall back to
     319             :                    printing the raw SID if necessary */
     320             : 
     321           0 :                 status = sid_to_name(pipe_hnd, ctx, sid_array.sids[i].sid, name);
     322           0 :                 if ( !NT_STATUS_IS_OK (status) )
     323           0 :                         sid_to_fstring(name, sid_array.sids[i].sid);
     324             : 
     325           0 :                 d_printf("%s\n", name);
     326             : 
     327           0 :                 status = enum_privileges_for_user(pipe_hnd, ctx, pol,
     328           0 :                                                   sid_array.sids[i].sid);
     329           0 :                 if ( !NT_STATUS_IS_OK(status) )
     330           0 :                         return status;
     331             : 
     332           0 :                 d_printf("\n");
     333             :         }
     334             : 
     335           0 :         return NT_STATUS_OK;
     336             : }
     337             : 
     338             : /********************************************************************
     339             : ********************************************************************/
     340             : 
     341           0 : static NTSTATUS rpc_rights_list_internal(struct net_context *c,
     342             :                                         const struct dom_sid *domain_sid,
     343             :                                         const char *domain_name,
     344             :                                         struct cli_state *cli,
     345             :                                         struct rpc_pipe_client *pipe_hnd,
     346             :                                         TALLOC_CTX *mem_ctx,
     347             :                                         int argc,
     348             :                                         const char **argv )
     349             : {
     350           0 :         struct policy_handle pol;
     351           0 :         NTSTATUS status, result;
     352           0 :         struct dom_sid sid;
     353           0 :         fstring privname;
     354           0 :         struct lsa_String lsa_name;
     355           0 :         struct lsa_StringLarge *description = NULL;
     356           0 :         uint16_t lang_id = 0;
     357           0 :         uint16_t lang_id_sys = 0;
     358           0 :         uint16_t lang_id_desc;
     359           0 :         struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
     360             : 
     361           0 :         status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
     362             :                 SEC_FLAG_MAXIMUM_ALLOWED, &pol);
     363             : 
     364           0 :         if ( !NT_STATUS_IS_OK(status) )
     365           0 :                 return status;
     366             : 
     367             :         /* backwards compatibility; just list available privileges if no argument */
     368             : 
     369           0 :         if (argc == 0) {
     370           0 :                 status = enum_privileges(pipe_hnd, mem_ctx, &pol );
     371           0 :                 goto done;
     372             :         }
     373             : 
     374           0 :         if (strequal(argv[0], "privileges")) {
     375           0 :                 int i = 1;
     376             : 
     377           0 :                 if (argv[1] == NULL) {
     378           0 :                         status = enum_privileges(pipe_hnd, mem_ctx, &pol );
     379           0 :                         goto done;
     380             :                 }
     381             : 
     382           0 :                 while ( argv[i] != NULL ) {
     383           0 :                         fstrcpy(privname, argv[i]);
     384           0 :                         init_lsa_String(&lsa_name, argv[i]);
     385           0 :                         i++;
     386             : 
     387             :                         /* verify that this is a valid privilege for error reporting */
     388           0 :                         status = dcerpc_lsa_LookupPrivDisplayName(b, mem_ctx,
     389             :                                                                   &pol,
     390             :                                                                   &lsa_name,
     391             :                                                                   lang_id,
     392             :                                                                   lang_id_sys,
     393             :                                                                   &description,
     394             :                                                                   &lang_id_desc,
     395             :                                                                   &result);
     396           0 :                         if (!NT_STATUS_IS_OK(status)) {
     397           0 :                                 continue;
     398             :                         }
     399           0 :                         status = result;
     400           0 :                         if ( !NT_STATUS_IS_OK(result) ) {
     401           0 :                                 if ( NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_PRIVILEGE))
     402           0 :                                         d_fprintf(stderr, _("No such privilege "
     403             :                                                   "exists: %s.\n"), privname);
     404             :                                 else
     405           0 :                                         d_fprintf(stderr, _("Error resolving "
     406             :                                                   "privilege display name "
     407             :                                                   "[%s].\n"),
     408             :                                                   nt_errstr(result));
     409           0 :                                 continue;
     410             :                         }
     411             : 
     412           0 :                         status = enum_accounts_for_privilege(pipe_hnd, mem_ctx, &pol, privname);
     413           0 :                         if (!NT_STATUS_IS_OK(status)) {
     414           0 :                                 d_fprintf(stderr, _("Error enumerating "
     415             :                                           "accounts for privilege %s [%s].\n"),
     416             :                                           privname, nt_errstr(status));
     417           0 :                                 continue;
     418             :                         }
     419             :                 }
     420           0 :                 goto done;
     421             :         }
     422             : 
     423             :         /* special case to enumerate all privileged SIDs with associated rights */
     424             : 
     425           0 :         if (strequal( argv[0], "accounts")) {
     426           0 :                 int i = 1;
     427             : 
     428           0 :                 if (argv[1] == NULL) {
     429           0 :                         status = enum_privileges_for_accounts(pipe_hnd, mem_ctx, &pol);
     430           0 :                         goto done;
     431             :                 }
     432             : 
     433           0 :                 while (argv[i] != NULL) {
     434           0 :                         status = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[i]);
     435           0 :                         if (!NT_STATUS_IS_OK(status)) {
     436           0 :                                 goto done;
     437             :                         }
     438           0 :                         status = enum_privileges_for_user(pipe_hnd, mem_ctx, &pol, &sid);
     439           0 :                         if (!NT_STATUS_IS_OK(status)) {
     440           0 :                                 goto done;
     441             :                         }
     442           0 :                         i++;
     443             :                 }
     444           0 :                 goto done;
     445             :         }
     446             : 
     447             :         /* backward compatibility: if no keyword provided, treat the key
     448             :            as an account name */
     449           0 :         if (argc > 1) {
     450           0 :                 d_printf("%s net rpc rights list [[accounts|privileges] "
     451             :                          "[name|SID]]\n", _("Usage:"));
     452           0 :                 status = NT_STATUS_OK;
     453           0 :                 goto done;
     454             :         }
     455             : 
     456           0 :         status = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
     457           0 :         if (!NT_STATUS_IS_OK(status)) {
     458           0 :                 goto done;
     459             :         }
     460           0 :         status = enum_privileges_for_user(pipe_hnd, mem_ctx, &pol, &sid );
     461             : 
     462           0 : done:
     463           0 :         dcerpc_lsa_Close(b, mem_ctx, &pol, &result);
     464             : 
     465           0 :         return status;
     466             : }
     467             : 
     468             : /********************************************************************
     469             : ********************************************************************/
     470             : 
     471          20 : static NTSTATUS rpc_rights_grant_internal(struct net_context *c,
     472             :                                         const struct dom_sid *domain_sid,
     473             :                                         const char *domain_name,
     474             :                                         struct cli_state *cli,
     475             :                                         struct rpc_pipe_client *pipe_hnd,
     476             :                                         TALLOC_CTX *mem_ctx,
     477             :                                         int argc,
     478             :                                         const char **argv )
     479             : {
     480          20 :         struct policy_handle dom_pol = {
     481             :                 .handle_type = 0,
     482             :         };
     483           0 :         NTSTATUS status, result;
     484           0 :         struct lsa_RightSet rights;
     485           0 :         int i;
     486          20 :         struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
     487          20 :         union lsa_revision_info out_revision_info = {
     488             :                 .info1 = {
     489             :                         .revision = 0,
     490             :                 },
     491             :         };
     492          20 :         uint32_t out_version = 0;
     493             : 
     494           0 :         struct dom_sid sid;
     495             : 
     496          20 :         if (argc < 2 ) {
     497           0 :                 d_printf("%s\n%s",
     498             :                          _("Usage:"),
     499             :                          _(" net rpc rights grant <name|SID> <rights...>\n"));
     500           0 :                 return NT_STATUS_OK;
     501             :         }
     502             : 
     503          20 :         status = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
     504          20 :         if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED))
     505           0 :                 status = NT_STATUS_NO_SUCH_USER;
     506             : 
     507          20 :         if (!NT_STATUS_IS_OK(status))
     508           0 :                 goto done;
     509             : 
     510          20 :         status = dcerpc_lsa_open_policy_fallback(b,
     511             :                                                  mem_ctx,
     512          20 :                                                  pipe_hnd->srv_name_slash,
     513             :                                                  true,
     514             :                                                  SEC_FLAG_MAXIMUM_ALLOWED,
     515             :                                                  &out_version,
     516             :                                                  &out_revision_info,
     517             :                                                  &dom_pol,
     518             :                                                  &result);
     519          20 :         if (any_nt_status_not_ok(status, result, &status)) {
     520           0 :                 DBG_DEBUG("Couldn't open policy handle: %s\n",
     521             :                           nt_errstr(status));
     522           0 :                 goto done;
     523             :         }
     524             : 
     525          20 :         rights.count = argc-1;
     526          20 :         rights.names = talloc_array(mem_ctx, struct lsa_StringLarge,
     527             :                                     rights.count);
     528          20 :         if (rights.names == NULL) {
     529           0 :                 status = NT_STATUS_NO_MEMORY;
     530           0 :                 goto done;
     531             :         }
     532             : 
     533          40 :         for (i=0; i<argc-1; i++) {
     534          20 :                 init_lsa_StringLarge(&rights.names[i], argv[i+1]);
     535             :         }
     536             : 
     537          20 :         status = dcerpc_lsa_AddAccountRights(b, mem_ctx,
     538             :                                              &dom_pol,
     539             :                                              &sid,
     540             :                                              &rights,
     541             :                                              &result);
     542          20 :         if (any_nt_status_not_ok(status, result, &status)) {
     543           0 :                 goto done;
     544             :         }
     545             : 
     546          20 :         d_printf(_("Successfully granted rights.\n"));
     547             : 
     548          20 :  done:
     549          20 :         if ( !NT_STATUS_IS_OK(status) ) {
     550           0 :                 d_fprintf(stderr, _("Failed to grant privileges for %s (%s)\n"),
     551             :                         argv[0], nt_errstr(status));
     552             :         }
     553             : 
     554          20 :         dcerpc_lsa_Close(b, mem_ctx, &dom_pol, &result);
     555             : 
     556          20 :         return status;
     557             : }
     558             : 
     559             : /********************************************************************
     560             : ********************************************************************/
     561             : 
     562          20 : static NTSTATUS rpc_rights_revoke_internal(struct net_context *c,
     563             :                                         const struct dom_sid *domain_sid,
     564             :                                         const char *domain_name,
     565             :                                         struct cli_state *cli,
     566             :                                         struct rpc_pipe_client *pipe_hnd,
     567             :                                         TALLOC_CTX *mem_ctx,
     568             :                                         int argc,
     569             :                                         const char **argv )
     570             : {
     571           0 :         struct policy_handle dom_pol;
     572           0 :         NTSTATUS status, result;
     573           0 :         struct lsa_RightSet rights;
     574           0 :         struct dom_sid sid;
     575           0 :         int i;
     576          20 :         struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
     577          20 :         union lsa_revision_info out_revision_info = {
     578             :                 .info1 =
     579             :                         {
     580             :                                 .revision = 0,
     581             :                         },
     582             :         };
     583          20 :         uint32_t out_version = 0;
     584             : 
     585          20 :         if (argc < 2 ) {
     586           0 :                 d_printf("%s\n%s",
     587             :                          _("Usage:"),
     588             :                          _(" net rpc rights revoke <name|SID> <rights...>\n"));
     589           0 :                 return NT_STATUS_OK;
     590             :         }
     591             : 
     592          20 :         status = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
     593          20 :         if (!NT_STATUS_IS_OK(status))
     594           0 :                 return status;
     595             : 
     596          20 :         status = dcerpc_lsa_open_policy_fallback(b,
     597             :                                                  mem_ctx,
     598          20 :                                                  pipe_hnd->srv_name_slash,
     599             :                                                  true,
     600             :                                                  SEC_FLAG_MAXIMUM_ALLOWED,
     601             :                                                  &out_version,
     602             :                                                  &out_revision_info,
     603             :                                                  &dom_pol,
     604             :                                                  &result);
     605          20 :         if (any_nt_status_not_ok(status, result, &status)) {
     606           0 :                 DBG_DEBUG("Couldn't open policy handle: %s\n",
     607             :                           nt_errstr(status));
     608           0 :                 return status;
     609             :         }
     610             : 
     611          20 :         rights.count = argc-1;
     612          20 :         rights.names = talloc_array(mem_ctx, struct lsa_StringLarge,
     613             :                                     rights.count);
     614          20 :         if (!rights.names) {
     615           0 :                 return NT_STATUS_NO_MEMORY;
     616             :         }
     617             : 
     618          40 :         for (i=0; i<argc-1; i++) {
     619          20 :                 init_lsa_StringLarge(&rights.names[i], argv[i+1]);
     620             :         }
     621             : 
     622          20 :         status = dcerpc_lsa_RemoveAccountRights(b, mem_ctx,
     623             :                                                 &dom_pol,
     624             :                                                 &sid,
     625             :                                                 false,
     626             :                                                 &rights,
     627             :                                                 &result);
     628          20 :         if (!NT_STATUS_IS_OK(status))
     629           0 :                 goto done;
     630          20 :         if (!NT_STATUS_IS_OK(result)) {
     631           0 :                 status = result;
     632           0 :                 goto done;
     633             :         }
     634             : 
     635          20 :         d_printf(_("Successfully revoked rights.\n"));
     636             : 
     637          20 : done:
     638          20 :         if ( !NT_STATUS_IS_OK(status) ) {
     639           0 :                 d_fprintf(stderr,_("Failed to revoke privileges for %s (%s)\n"),
     640             :                         argv[0], nt_errstr(status));
     641             :         }
     642             : 
     643          20 :         dcerpc_lsa_Close(b, mem_ctx, &dom_pol, &result);
     644             : 
     645          20 :         return status;
     646             : }
     647             : 
     648             : 
     649             : /********************************************************************
     650             : ********************************************************************/
     651             : 
     652           0 : static int rpc_rights_list(struct net_context *c, int argc, const char **argv )
     653             : {
     654           0 :         if (c->display_usage) {
     655           0 :                 d_printf("%s\n%s",
     656             :                          _("Usage:"),
     657             :                          _("net rpc rights list [{accounts|privileges} "
     658             :                            "[name|SID]]\n"
     659             :                            "    View available/assigned privileges\n"));
     660           0 :                 return 0;
     661             :         }
     662             : 
     663           0 :         return run_rpc_command(c, NULL, &ndr_table_lsarpc, 0,
     664             :                 rpc_rights_list_internal, argc, argv );
     665             : }
     666             : 
     667             : /********************************************************************
     668             : ********************************************************************/
     669             : 
     670          20 : static int rpc_rights_grant(struct net_context *c, int argc, const char **argv )
     671             : {
     672          20 :         if (c->display_usage) {
     673           0 :                 d_printf("%s\n%s",
     674             :                          _("Usage:"),
     675             :                          _("net rpc rights grant <name|SID> <right>\n"
     676             :                            "    Assign privilege[s]\n"));
     677           0 :                 d_printf(_("For example:\n"
     678             :                            "    net rpc rights grant 'VALE\\biddle' "
     679             :                            "SePrintOperatorPrivilege SeDiskOperatorPrivilege\n"
     680             :                            "    would grant the printer admin and disk manager "
     681             :                            "rights to the user 'VALE\\biddle'\n"));
     682           0 :                 return 0;
     683             :         }
     684             : 
     685          20 :         return run_rpc_command(c, NULL, &ndr_table_lsarpc, 0,
     686             :                 rpc_rights_grant_internal, argc, argv );
     687             : }
     688             : 
     689             : /********************************************************************
     690             : ********************************************************************/
     691             : 
     692          20 : static int rpc_rights_revoke(struct net_context *c, int argc, const char **argv)
     693             : {
     694          20 :         if (c->display_usage) {
     695           0 :                 d_printf("%s\n%s",
     696             :                          _("Usage:"),
     697             :                          _("net rpc rights revoke <name|SID> <right>\n"
     698             :                            "    Revoke privilege[s]\n"));
     699           0 :                 d_printf(_("For example:\n"
     700             :                            "    net rpc rights revoke 'VALE\\biddle' "
     701             :                            "SePrintOperatorPrivilege SeDiskOperatorPrivilege\n"
     702             :                            "    would revoke the printer admin and disk manager"
     703             :                            " rights from the user 'VALE\\biddle'\n"));
     704           0 :                 return 0;
     705             :         }
     706             : 
     707          20 :         return run_rpc_command(c, NULL, &ndr_table_lsarpc, 0,
     708             :                 rpc_rights_revoke_internal, argc, argv );
     709             : }
     710             : 
     711             : /********************************************************************
     712             : ********************************************************************/
     713             : 
     714          40 : int net_rpc_rights(struct net_context *c, int argc, const char **argv)
     715             : {
     716          40 :         struct functable func[] = {
     717             :                 {
     718             :                         "list",
     719             :                         rpc_rights_list,
     720             :                         NET_TRANSPORT_RPC,
     721             :                         N_("View available/assigned privileges"),
     722             :                         N_("net rpc rights list\n"
     723             :                            "    View available/assigned privileges")
     724             :                 },
     725             :                 {
     726             :                         "grant",
     727             :                         rpc_rights_grant,
     728             :                         NET_TRANSPORT_RPC,
     729             :                         N_("Assign privilege[s]"),
     730             :                         N_("net rpc rights grant\n"
     731             :                            "    Assign privilege[s]")
     732             :                 },
     733             :                 {
     734             :                         "revoke",
     735             :                         rpc_rights_revoke,
     736             :                         NET_TRANSPORT_RPC,
     737             :                         N_("Revoke privilege[s]"),
     738             :                         N_("net rpc rights revoke\n"
     739             :                            "    Revoke privilege[s]")
     740             :                 },
     741             :                 {NULL, NULL, 0, NULL, NULL}
     742             :         };
     743             : 
     744          40 :         return net_run_function(c, argc, argv, "net rpc rights", func);
     745             : }
     746             : 
     747           0 : static NTSTATUS rpc_sh_rights_list(struct net_context *c,
     748             :                                    TALLOC_CTX *mem_ctx, struct rpc_sh_ctx *ctx,
     749             :                                    struct rpc_pipe_client *pipe_hnd,
     750             :                                    int argc, const char **argv)
     751             : {
     752           0 :         return rpc_rights_list_internal(c, ctx->domain_sid, ctx->domain_name,
     753             :                                         ctx->cli, pipe_hnd, mem_ctx,
     754             :                                         argc, argv);
     755             : }
     756             : 
     757           0 : static NTSTATUS rpc_sh_rights_grant(struct net_context *c,
     758             :                                     TALLOC_CTX *mem_ctx,
     759             :                                     struct rpc_sh_ctx *ctx,
     760             :                                     struct rpc_pipe_client *pipe_hnd,
     761             :                                     int argc, const char **argv)
     762             : {
     763           0 :         return rpc_rights_grant_internal(c, ctx->domain_sid, ctx->domain_name,
     764             :                                          ctx->cli, pipe_hnd, mem_ctx,
     765             :                                          argc, argv);
     766             : }
     767             : 
     768           0 : static NTSTATUS rpc_sh_rights_revoke(struct net_context *c,
     769             :                                      TALLOC_CTX *mem_ctx,
     770             :                                      struct rpc_sh_ctx *ctx,
     771             :                                      struct rpc_pipe_client *pipe_hnd,
     772             :                                      int argc, const char **argv)
     773             : {
     774           0 :         return rpc_rights_revoke_internal(c, ctx->domain_sid, ctx->domain_name,
     775             :                                           ctx->cli, pipe_hnd, mem_ctx,
     776             :                                           argc, argv);
     777             : }
     778             : 
     779           0 : struct rpc_sh_cmd *net_rpc_rights_cmds(struct net_context *c, TALLOC_CTX *mem_ctx,
     780             :                                        struct rpc_sh_ctx *ctx)
     781             : {
     782           0 :         static struct rpc_sh_cmd cmds[] = {
     783             : 
     784             :         { "list", NULL, &ndr_table_lsarpc, rpc_sh_rights_list,
     785             :           N_("View available or assigned privileges") },
     786             : 
     787             :         { "grant", NULL, &ndr_table_lsarpc, rpc_sh_rights_grant,
     788             :           N_("Assign privilege[s]") },
     789             : 
     790             :         { "revoke", NULL, &ndr_table_lsarpc, rpc_sh_rights_revoke,
     791             :           N_("Revoke privilege[s]") },
     792             : 
     793             :         { NULL, NULL, 0, NULL, NULL }
     794             :         };
     795             : 
     796           0 :         return cmds;
     797             : }
     798             : 

Generated by: LCOV version 1.14