LCOV - code coverage report
Current view: top level - source3/utils - smbcacls.c (source / functions) Hit Total Coverage
Test: coverage report for master 70ed9daf Lines: 804 1121 71.7 %
Date: 2024-01-11 09:59:51 Functions: 33 33 100.0 %

          Line data    Source code
       1             : /*
       2             :    Unix SMB/CIFS implementation.
       3             :    ACL get/set utility
       4             : 
       5             :    Copyright (C) Andrew Tridgell 2000
       6             :    Copyright (C) Tim Potter      2000
       7             :    Copyright (C) Jeremy Allison  2000
       8             :    Copyright (C) Jelmer Vernooij 2003
       9             :    Copyright (C) Noel Power <noel.power@suse.com> 2013
      10             : 
      11             :    This program is free software; you can redistribute it and/or modify
      12             :    it under the terms of the GNU General Public License as published by
      13             :    the Free Software Foundation; either version 3 of the License, or
      14             :    (at your option) any later version.
      15             : 
      16             :    This program is distributed in the hope that it will be useful,
      17             :    but WITHOUT ANY WARRANTY; without even the implied warranty of
      18             :    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      19             :    GNU General Public License for more details.
      20             : 
      21             :    You should have received a copy of the GNU General Public License
      22             :    along with this program.  If not, see <http://www.gnu.org/licenses/>.
      23             : */
      24             : 
      25             : #include "includes.h"
      26             : #include "lib/cmdline/cmdline.h"
      27             : #include "rpc_client/cli_pipe.h"
      28             : #include "../librpc/gen_ndr/ndr_lsa.h"
      29             : #include "rpc_client/cli_lsarpc.h"
      30             : #include "../libcli/security/security.h"
      31             : #include "libsmb/libsmb.h"
      32             : #include "libsmb/clirap.h"
      33             : #include "passdb/machine_sid.h"
      34             : #include "../librpc/gen_ndr/ndr_lsa_c.h"
      35             : #include "util_sd.h"
      36             : #include "lib/param/param.h"
      37             : 
      38             : static char DIRSEP_CHAR = '\\';
      39             : 
      40             : static int inheritance = 0;
      41             : static const char *save_file = NULL;
      42             : static const char *restore_file = NULL;
      43             : static int recurse;
      44             : static int test_args;
      45             : static int sddl;
      46             : static int query_sec_info = -1;
      47             : static int set_sec_info = -1;
      48             : static bool want_mxac;
      49             : 
      50             : static const char *domain_sid = NULL;
      51             : 
      52             : enum acl_mode {SMB_ACL_SET, SMB_ACL_DELETE, SMB_ACL_MODIFY, SMB_ACL_ADD };
      53             : enum chown_mode {REQUEST_NONE, REQUEST_CHOWN, REQUEST_CHGRP, REQUEST_INHERIT};
      54             : enum exit_values {EXIT_OK, EXIT_FAILED, EXIT_PARSE_ERROR};
      55             : 
      56             : struct cacl_callback_state {
      57             :         struct cli_credentials *creds;
      58             :         struct cli_state *cli;
      59             :         struct security_descriptor *aclsd;
      60             :         struct security_acl *acl_to_add;
      61             :         enum acl_mode mode;
      62             :         char *the_acl;
      63             :         bool acl_no_propagate;
      64             :         bool numeric;
      65             : };
      66             : 
      67         128 : static NTSTATUS cli_lsa_lookup_domain_sid(struct cli_state *cli,
      68             :                                           struct dom_sid *sid)
      69             : {
      70         128 :         union lsa_PolicyInformation *info = NULL;
      71         128 :         struct smbXcli_tcon *orig_tcon = NULL;
      72         128 :         char *orig_share = NULL;
      73         128 :         struct rpc_pipe_client *rpc_pipe = NULL;
      74             :         struct policy_handle handle;
      75             :         NTSTATUS status, result;
      76         128 :         TALLOC_CTX *frame = talloc_stackframe();
      77             : 
      78         128 :         if (cli_state_has_tcon(cli)) {
      79         128 :                 cli_state_save_tcon_share(cli, &orig_tcon, &orig_share);
      80             :         }
      81             : 
      82         128 :         status = cli_tree_connect(cli, "IPC$", "?????", NULL);
      83         128 :         if (!NT_STATUS_IS_OK(status)) {
      84           0 :                 goto done;
      85             :         }
      86             : 
      87         128 :         status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc, &rpc_pipe);
      88         128 :         if (!NT_STATUS_IS_OK(status)) {
      89           0 :                 goto tdis;
      90             :         }
      91             : 
      92         128 :         status = rpccli_lsa_open_policy(rpc_pipe, frame, True,
      93             :                                         GENERIC_EXECUTE_ACCESS, &handle);
      94         128 :         if (!NT_STATUS_IS_OK(status)) {
      95           0 :                 goto tdis;
      96             :         }
      97             : 
      98         128 :         status = dcerpc_lsa_QueryInfoPolicy2(rpc_pipe->binding_handle,
      99             :                                              frame, &handle,
     100             :                                              LSA_POLICY_INFO_DOMAIN,
     101             :                                              &info, &result);
     102             : 
     103         128 :         if (any_nt_status_not_ok(status, result, &status)) {
     104         128 :                 goto tdis;
     105             :         }
     106             : 
     107           0 :         *sid = *info->domain.sid;
     108             : 
     109         128 : tdis:
     110         128 :         TALLOC_FREE(rpc_pipe);
     111         128 :         cli_tdis(cli);
     112         128 : done:
     113         128 :         cli_state_restore_tcon_share(cli, orig_tcon, orig_share);
     114         128 :         TALLOC_FREE(frame);
     115         128 :         return status;
     116             : }
     117             : 
     118         128 : static struct dom_sid *get_domain_sid(struct cli_state *cli)
     119             : {
     120             :         NTSTATUS status;
     121             :         struct dom_sid_buf buf;
     122             : 
     123         128 :         struct dom_sid *sid = talloc(talloc_tos(), struct dom_sid);
     124         128 :         if (sid == NULL) {
     125           0 :                 DEBUG(0, ("Out of memory\n"));
     126           0 :                 return NULL;
     127             :         }
     128             : 
     129         128 :         if (domain_sid) {
     130           0 :                 if (!dom_sid_parse(domain_sid, sid)) {
     131           0 :                         DEBUG(0,("failed to parse domain sid\n"));
     132           0 :                         TALLOC_FREE(sid);
     133             :                 }
     134             :         } else {
     135         128 :                 status = cli_lsa_lookup_domain_sid(cli, sid);
     136             : 
     137         128 :                 if (!NT_STATUS_IS_OK(status)) {
     138         128 :                         DEBUG(0,("failed to lookup domain sid: %s\n", nt_errstr(status)));
     139         128 :                         TALLOC_FREE(sid);
     140             :                 }
     141             : 
     142             :         }
     143             : 
     144         128 :         DEBUG(2,("Domain SID: %s\n", dom_sid_str_buf(sid, &buf)));
     145         128 :         return sid;
     146             : }
     147             : 
     148             : /* add an ACE to a list of ACEs in a struct security_acl */
     149        8490 : static bool add_ace_with_ctx(TALLOC_CTX *ctx, struct security_acl **the_acl,
     150             :                              const struct security_ace *ace)
     151             : 
     152             : {
     153        8490 :         struct security_acl *acl = *the_acl;
     154             : 
     155        8490 :         if (acl == NULL) {
     156        2292 :                 acl = make_sec_acl(ctx, 3, 0, NULL);
     157        2292 :                 if (acl == NULL) {
     158           0 :                         return false;
     159             :                 }
     160             :         }
     161             : 
     162        8490 :         if (acl->num_aces == UINT32_MAX) {
     163           0 :                 return false;
     164             :         }
     165        8490 :         ADD_TO_ARRAY(
     166             :                 acl, struct security_ace, *ace, &acl->aces, &acl->num_aces);
     167        8490 :         *the_acl = acl;
     168        8490 :         return True;
     169             : }
     170             : 
     171        1654 : static bool add_ace(struct security_acl **the_acl, struct security_ace *ace)
     172             : {
     173        1654 :         return add_ace_with_ctx(talloc_tos(), the_acl, ace);
     174             : }
     175             : 
     176             : /* parse a ascii version of a security descriptor */
     177        1370 : static struct security_descriptor *sec_desc_parse(TALLOC_CTX *ctx, struct cli_state *cli, char *str)
     178             : {
     179        1370 :         const char *p = str;
     180             :         char *tok;
     181        1370 :         struct security_descriptor *ret = NULL;
     182             :         size_t sd_size;
     183        1370 :         struct dom_sid owner_sid = { .num_auths = 0 };
     184        1370 :         bool have_owner = false;
     185        1370 :         struct dom_sid group_sid = { .num_auths = 0 };
     186        1370 :         bool have_group = false;
     187        1370 :         struct security_acl *dacl=NULL;
     188        1370 :         int revision=1;
     189             : 
     190        2776 :         while (next_token_talloc(ctx, &p, &tok, "\t,\r\n")) {
     191        1406 :                 if (strncmp(tok,"REVISION:", 9) == 0) {
     192          12 :                         revision = strtol(tok+9, NULL, 16);
     193          12 :                         continue;
     194             :                 }
     195             : 
     196        1394 :                 if (strncmp(tok,"OWNER:", 6) == 0) {
     197          12 :                         if (have_owner) {
     198           0 :                                 printf("Only specify owner once\n");
     199           0 :                                 goto done;
     200             :                         }
     201          12 :                         if (!StringToSid(cli, &owner_sid, tok+6)) {
     202           0 :                                 printf("Failed to parse owner sid\n");
     203           0 :                                 goto done;
     204             :                         }
     205          12 :                         have_owner = true;
     206          12 :                         continue;
     207             :                 }
     208             : 
     209        1382 :                 if (strncmp(tok,"GROUP:", 6) == 0) {
     210          12 :                         if (have_group) {
     211           0 :                                 printf("Only specify group once\n");
     212           0 :                                 goto done;
     213             :                         }
     214          12 :                         if (!StringToSid(cli, &group_sid, tok+6)) {
     215           0 :                                 printf("Failed to parse group sid\n");
     216           0 :                                 goto done;
     217             :                         }
     218          12 :                         have_group = true;
     219          12 :                         continue;
     220             :                 }
     221             : 
     222        1370 :                 if (strncmp(tok,"ACL:", 4) == 0) {
     223             :                         struct security_ace ace;
     224        1370 :                         if (!parse_ace(cli, &ace, tok+4)) {
     225           0 :                                 goto done;
     226             :                         }
     227        1370 :                         if(!add_ace(&dacl, &ace)) {
     228           0 :                                 printf("Failed to add ACL %s\n", tok);
     229           0 :                                 goto done;
     230             :                         }
     231        1370 :                         continue;
     232             :                 }
     233             : 
     234           0 :                 printf("Failed to parse token '%s' in security descriptor,\n", tok);
     235           0 :                 goto done;
     236             :         }
     237             : 
     238        1370 :         ret = make_sec_desc(
     239             :                 ctx,
     240             :                 revision,
     241             :                 SEC_DESC_SELF_RELATIVE,
     242             :                 have_owner ? &owner_sid : NULL,
     243             :                 have_group ? &group_sid : NULL,
     244             :                 NULL,
     245             :                 dacl,
     246             :                 &sd_size);
     247             : 
     248        1370 : done:
     249        1370 :         return ret;
     250             : }
     251             : 
     252             : /*****************************************************
     253             : get fileinfo for filename
     254             : *******************************************************/
     255         746 : static uint16_t get_fileinfo(struct cli_state *cli, const char *filename)
     256             : {
     257         746 :         uint16_t fnum = (uint16_t)-1;
     258             :         NTSTATUS status;
     259         746 :         struct smb_create_returns cr = {0};
     260             : 
     261             :         /* The desired access below is the only one I could find that works
     262             :            with NT4, W2KP and Samba */
     263             : 
     264         746 :         status = cli_ntcreate(
     265             :                 cli,                    /* cli */
     266             :                 filename,               /* fname */
     267             :                 0,                      /* CreatFlags */
     268             :                 READ_CONTROL_ACCESS,    /* CreatFlags */
     269             :                 0,                      /* FileAttributes */
     270             :                 FILE_SHARE_READ|
     271             :                 FILE_SHARE_WRITE,       /* ShareAccess */
     272             :                 FILE_OPEN,              /* CreateDisposition */
     273             :                 0x0,                    /* CreateOptions */
     274             :                 0x0,                    /* SecurityFlags */
     275             :                 &fnum,                      /* pfid */
     276             :                 &cr);                       /* cr */
     277         746 :         if (!NT_STATUS_IS_OK(status)) {
     278           0 :                 printf("Failed to open %s: %s\n", filename, nt_errstr(status));
     279           0 :                 return 0;
     280             :         }
     281             : 
     282         746 :         cli_close(cli, fnum);
     283         746 :         return cr.file_attributes;
     284             : }
     285             : 
     286             : /*****************************************************
     287             : get sec desc for filename
     288             : *******************************************************/
     289        3104 : static struct security_descriptor *get_secdesc_with_ctx(TALLOC_CTX *ctx,
     290             :                                                         struct cli_state *cli,
     291             :                                                         const char *filename)
     292             : {
     293        3104 :         uint16_t fnum = (uint16_t)-1;
     294             :         struct security_descriptor *sd;
     295             :         NTSTATUS status;
     296             :         uint32_t sec_info;
     297        3104 :         uint32_t desired_access = 0;
     298             : 
     299        3104 :         if (query_sec_info == -1) {
     300        3104 :                 sec_info = SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL;
     301             :         } else {
     302           0 :                 sec_info = query_sec_info;
     303             :         }
     304             : 
     305        3104 :         if (sec_info & (SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL)) {
     306        3104 :                 desired_access |= SEC_STD_READ_CONTROL;
     307             :         }
     308        3104 :         if (sec_info & SECINFO_SACL) {
     309           0 :                 desired_access |= SEC_FLAG_SYSTEM_SECURITY;
     310             :         }
     311             : 
     312        3104 :         if (desired_access == 0) {
     313           0 :                 desired_access |= SEC_STD_READ_CONTROL;
     314             :         }
     315             : 
     316        3104 :         status = cli_ntcreate(cli, filename, 0, desired_access,
     317             :                               0, FILE_SHARE_READ|FILE_SHARE_WRITE,
     318             :                               FILE_OPEN, 0x0, 0x0, &fnum, NULL);
     319        3104 :         if (!NT_STATUS_IS_OK(status)) {
     320           0 :                 printf("Failed to open %s: %s\n", filename, nt_errstr(status));
     321           0 :                 return NULL;
     322             :         }
     323             : 
     324        3104 :         status = cli_query_security_descriptor(cli, fnum, sec_info,
     325             :                                                ctx, &sd);
     326             : 
     327        3104 :         cli_close(cli, fnum);
     328             : 
     329        3104 :         if (!NT_STATUS_IS_OK(status)) {
     330           0 :                 printf("Failed to get security descriptor: %s\n",
     331             :                        nt_errstr(status));
     332           0 :                 return NULL;
     333             :         }
     334        3104 :         return sd;
     335             : }
     336             : 
     337        2054 : static struct security_descriptor *get_secdesc(struct cli_state *cli,
     338             :                                                const char *filename)
     339             : {
     340        2054 :         return get_secdesc_with_ctx(talloc_tos(), cli, filename);
     341             : }
     342             : /*****************************************************
     343             : set sec desc for filename
     344             : *******************************************************/
     345        2028 : static bool set_secdesc(struct cli_state *cli, const char *filename,
     346             :                         struct security_descriptor *sd)
     347             : {
     348        2028 :         uint16_t fnum = (uint16_t)-1;
     349        2028 :         bool result=true;
     350             :         NTSTATUS status;
     351        2028 :         uint32_t desired_access = 0;
     352             :         uint32_t sec_info;
     353             : 
     354        2028 :         if (set_sec_info == -1) {
     355        2028 :                 sec_info = 0;
     356             : 
     357        2028 :                 if (sd->dacl || (sd->type & SEC_DESC_DACL_PRESENT)) {
     358        1988 :                         sec_info |= SECINFO_DACL;
     359             :                 }
     360        2028 :                 if (sd->sacl || (sd->type & SEC_DESC_SACL_PRESENT)) {
     361           0 :                         sec_info |= SECINFO_SACL;
     362             :                 }
     363        2028 :                 if (sd->owner_sid) {
     364        1922 :                         sec_info |= SECINFO_OWNER;
     365             :                 }
     366        2028 :                 if (sd->group_sid) {
     367        1890 :                         sec_info |= SECINFO_GROUP;
     368             :                 }
     369             :         } else {
     370           0 :                 sec_info = set_sec_info;
     371             :         }
     372             : 
     373             :         /* Make the desired_access more specific. */
     374        2028 :         if (sec_info & SECINFO_DACL) {
     375        1988 :                 desired_access |= SEC_STD_WRITE_DAC;
     376             :         }
     377        2028 :         if (sec_info & SECINFO_SACL) {
     378           0 :                 desired_access |= SEC_FLAG_SYSTEM_SECURITY;
     379             :         }
     380        2028 :         if (sec_info & (SECINFO_OWNER | SECINFO_GROUP)) {
     381        1926 :                 desired_access |= SEC_STD_WRITE_OWNER;
     382             :         }
     383             : 
     384        2028 :         status = cli_ntcreate(cli, filename, 0,
     385             :                               desired_access,
     386             :                               0, FILE_SHARE_READ|FILE_SHARE_WRITE,
     387             :                               FILE_OPEN, 0x0, 0x0, &fnum, NULL);
     388        2028 :         if (!NT_STATUS_IS_OK(status)) {
     389           0 :                 printf("Failed to open %s: %s\n", filename, nt_errstr(status));
     390           0 :                 return false;
     391             :         }
     392             : 
     393        2028 :         status = cli_set_security_descriptor(cli, fnum, sec_info, sd);
     394        2028 :         if (!NT_STATUS_IS_OK(status)) {
     395           2 :                 printf("ERROR: security descriptor set failed: %s\n",
     396             :                        nt_errstr(status));
     397           2 :                 result=false;
     398             :         }
     399             : 
     400        2028 :         cli_close(cli, fnum);
     401        2028 :         return result;
     402             : }
     403             : 
     404             : /*****************************************************
     405             : get maximum access for a file
     406             : *******************************************************/
     407           4 : static int cacl_mxac(struct cli_state *cli, const char *filename)
     408             : {
     409             :         NTSTATUS status;
     410             :         uint32_t mxac;
     411             : 
     412           4 :         status = cli_query_mxac(cli, filename, &mxac);
     413           4 :         if (!NT_STATUS_IS_OK(status)) {
     414           0 :                 printf("Failed to get mxac: %s\n", nt_errstr(status));
     415           0 :                 return EXIT_FAILED;
     416             :         }
     417             : 
     418           4 :         printf("Maximum access: 0x%x\n", mxac);
     419             : 
     420           4 :         return EXIT_OK;
     421             : }
     422             : 
     423             : 
     424             : /*****************************************************
     425             : dump the acls for a file
     426             : *******************************************************/
     427         642 : static int cacl_dump(struct cli_state *cli, const char *filename, bool numeric)
     428             : {
     429             :         struct security_descriptor *sd;
     430             :         int ret;
     431             : 
     432         642 :         if (test_args) {
     433           0 :                 return EXIT_OK;
     434             :         }
     435             : 
     436         642 :         sd = get_secdesc(cli, filename);
     437         642 :         if (sd == NULL) {
     438           0 :                 return EXIT_FAILED;
     439             :         }
     440             : 
     441         642 :         if (sddl) {
     442           4 :                 char *str = sddl_encode(talloc_tos(), sd, get_domain_sid(cli));
     443           4 :                 if (str == NULL) {
     444           0 :                         return EXIT_FAILED;
     445             :                 }
     446           4 :                 printf("%s\n", str);
     447           4 :                 TALLOC_FREE(str);
     448             :         } else {
     449         638 :                 sec_desc_print(cli, stdout, sd, numeric);
     450             :         }
     451             : 
     452         642 :         if (want_mxac) {
     453           4 :                 ret = cacl_mxac(cli, filename);
     454           4 :                 if (ret != EXIT_OK) {
     455           0 :                         return ret;
     456             :                 }
     457             :         }
     458             : 
     459         642 :         return EXIT_OK;
     460             : }
     461             : 
     462             : /*****************************************************
     463             : Change the ownership or group ownership of a file. Just
     464             : because the NT docs say this can't be done :-). JRA.
     465             : *******************************************************/
     466             : 
     467          40 : static int owner_set(struct cli_state *cli, enum chown_mode change_mode,
     468             :                         const char *filename, const char *new_username)
     469             : {
     470             :         struct dom_sid sid;
     471             :         struct security_descriptor *sd;
     472             :         size_t sd_size;
     473             : 
     474          40 :         if (!StringToSid(cli, &sid, new_username))
     475           0 :                 return EXIT_PARSE_ERROR;
     476             : 
     477          40 :         sd = make_sec_desc(talloc_tos(),
     478             :                            SECURITY_DESCRIPTOR_REVISION_1,
     479             :                            SEC_DESC_SELF_RELATIVE,
     480             :                            (change_mode == REQUEST_CHOWN) ? &sid : NULL,
     481             :                            (change_mode == REQUEST_CHGRP) ? &sid : NULL,
     482             :                            NULL, NULL, &sd_size);
     483             : 
     484          40 :         if (!set_secdesc(cli, filename, sd)) {
     485           2 :                 return EXIT_FAILED;
     486             :         }
     487             : 
     488          38 :         return EXIT_OK;
     489             : }
     490             : 
     491             : 
     492             : /* The MSDN is contradictory over the ordering of ACE entries in an
     493             :    ACL.  However NT4 gives a "The information may have been modified
     494             :    by a computer running Windows NT 5.0" if denied ACEs do not appear
     495             :    before allowed ACEs. At
     496             :    http://technet.microsoft.com/en-us/library/cc781716.aspx the
     497             :    canonical order is specified as "Explicit Deny, Explicit Allow,
     498             :    Inherited ACEs unchanged" */
     499             : 
     500       20906 : static int ace_compare(struct security_ace *ace1, struct security_ace *ace2)
     501             : {
     502       20906 :         if (security_ace_equal(ace1, ace2))
     503         396 :                 return 0;
     504             : 
     505       20510 :         if ((ace1->flags & SEC_ACE_FLAG_INHERITED_ACE) &&
     506        6176 :                         !(ace2->flags & SEC_ACE_FLAG_INHERITED_ACE))
     507        1944 :                 return 1;
     508       18566 :         if (!(ace1->flags & SEC_ACE_FLAG_INHERITED_ACE) &&
     509       14334 :                         (ace2->flags & SEC_ACE_FLAG_INHERITED_ACE))
     510        2822 :                 return -1;
     511       15744 :         if ((ace1->flags & SEC_ACE_FLAG_INHERITED_ACE) &&
     512        4232 :                         (ace2->flags & SEC_ACE_FLAG_INHERITED_ACE))
     513        4232 :                 return ace1 - ace2;
     514             : 
     515       11512 :         if (ace1->type != ace2->type)
     516           0 :                 return ace2->type - ace1->type;
     517             : 
     518       11512 :         if (dom_sid_compare(&ace1->trustee, &ace2->trustee))
     519       11312 :                 return dom_sid_compare(&ace1->trustee, &ace2->trustee);
     520             : 
     521         200 :         if (ace1->flags != ace2->flags)
     522         196 :                 return ace1->flags - ace2->flags;
     523             : 
     524           4 :         if (ace1->access_mask != ace2->access_mask)
     525           4 :                 return ace1->access_mask - ace2->access_mask;
     526             : 
     527           0 :         if (ace1->size != ace2->size)
     528           0 :                 return ace1->size - ace2->size;
     529             : 
     530           0 :         return memcmp(ace1, ace2, sizeof(struct security_ace));
     531             : }
     532             : 
     533        1988 : static void sort_acl(struct security_acl *the_acl)
     534             : {
     535             :         uint32_t i;
     536        1988 :         if (!the_acl) return;
     537             : 
     538        1988 :         TYPESAFE_QSORT(the_acl->aces, the_acl->num_aces, ace_compare);
     539             : 
     540       12344 :         for (i=1;i<the_acl->num_aces;) {
     541       10356 :                 if (security_ace_equal(&the_acl->aces[i-1],
     542       10356 :                                        &the_acl->aces[i])) {
     543          46 :                         ARRAY_DEL_ELEMENT(
     544             :                                 the_acl->aces, i, the_acl->num_aces);
     545          46 :                         the_acl->num_aces--;
     546             :                 } else {
     547       10310 :                         i++;
     548             :                 }
     549             :         }
     550             : }
     551             : 
     552             : /*****************************************************
     553             : set the ACLs on a file given a security descriptor
     554             : *******************************************************/
     555             : 
     556        1970 : static int cacl_set_from_sd(struct cli_state *cli, const char *filename,
     557             :                             struct security_descriptor *sd, enum acl_mode mode,
     558             :                             bool numeric)
     559             : {
     560        1970 :         struct security_descriptor *old = NULL;
     561             :         uint32_t i, j;
     562             :         size_t sd_size;
     563        1970 :         int result = EXIT_OK;
     564             : 
     565        1970 :         if (!sd) return EXIT_PARSE_ERROR;
     566        1970 :         if (test_args) return EXIT_OK;
     567             : 
     568        1970 :         if (mode != SMB_ACL_SET) {
     569             :                 /*
     570             :                  * Do not fetch old ACL when it will be overwritten
     571             :                  * completely with a new one.
     572             :                  */
     573        1282 :                 old = get_secdesc(cli, filename);
     574             : 
     575        1282 :                 if (!old) {
     576           0 :                         return EXIT_FAILED;
     577             :                 }
     578             :         }
     579             : 
     580             :         /* the logic here is rather more complex than I would like */
     581        1970 :         switch (mode) {
     582          66 :         case SMB_ACL_DELETE:
     583         132 :                 for (i=0;sd->dacl && i<sd->dacl->num_aces;i++) {
     584          66 :                         bool found = False;
     585             : 
     586         316 :                         for (j=0;old->dacl && j<old->dacl->num_aces;j++) {
     587         290 :                                 if (security_ace_equal(&sd->dacl->aces[i],
     588         290 :                                                        &old->dacl->aces[j])) {
     589             :                                         uint32_t k;
     590          84 :                                         for (k=j; k<old->dacl->num_aces-1;k++) {
     591          44 :                                                 old->dacl->aces[k] = old->dacl->aces[k+1];
     592             :                                         }
     593          40 :                                         old->dacl->num_aces--;
     594          40 :                                         found = True;
     595          40 :                                         break;
     596             :                                 }
     597             :                         }
     598             : 
     599          66 :                         if (!found) {
     600          26 :                                 printf("ACL for ACE:");
     601          26 :                                 print_ace(cli, stdout, &sd->dacl->aces[i],
     602             :                                           numeric);
     603          26 :                                 printf(" not found\n");
     604             :                         }
     605             :                 }
     606          66 :                 break;
     607             : 
     608         932 :         case SMB_ACL_MODIFY:
     609        1864 :                 for (i=0;sd->dacl && i<sd->dacl->num_aces;i++) {
     610         932 :                         bool found = False;
     611             : 
     612        5068 :                         for (j=0;old->dacl && j<old->dacl->num_aces;j++) {
     613        4136 :                                 if (dom_sid_equal(&sd->dacl->aces[i].trustee,
     614        4136 :                                               &old->dacl->aces[j].trustee)) {
     615         968 :                                         old->dacl->aces[j] = sd->dacl->aces[i];
     616         968 :                                         found = True;
     617             :                                 }
     618             :                         }
     619             : 
     620         932 :                         if (!found) {
     621             :                                 fstring str;
     622             : 
     623           0 :                                 SidToString(cli, str,
     624           0 :                                             &sd->dacl->aces[i].trustee,
     625             :                                             numeric);
     626           0 :                                 printf("ACL for SID %s not found\n", str);
     627             :                         }
     628             :                 }
     629             : 
     630         932 :                 if (sd->owner_sid) {
     631           0 :                         old->owner_sid = sd->owner_sid;
     632             :                 }
     633             : 
     634         932 :                 if (sd->group_sid) {
     635           0 :                         old->group_sid = sd->group_sid;
     636             :                 }
     637             : 
     638         932 :                 break;
     639             : 
     640         284 :         case SMB_ACL_ADD:
     641         568 :                 for (i=0;sd->dacl && i<sd->dacl->num_aces;i++) {
     642         284 :                         add_ace(&old->dacl, &sd->dacl->aces[i]);
     643             :                 }
     644         284 :                 break;
     645             : 
     646         688 :         case SMB_ACL_SET:
     647         688 :                 old = sd;
     648         688 :                 break;
     649             :         }
     650             : 
     651             :         /* Denied ACE entries must come before allowed ones */
     652        1970 :         sort_acl(old->dacl);
     653             : 
     654             :         /* Create new security descriptor and set it */
     655             : 
     656             :         /* We used to just have "WRITE_DAC_ACCESS" without WRITE_OWNER.
     657             :            But if we're sending an owner, even if it's the same as the one
     658             :            that already exists then W2K3 insists we open with WRITE_OWNER access.
     659             :            I need to check that setting a SD with no owner set works against WNT
     660             :            and W2K. JRA.
     661             :         */
     662             : 
     663        1970 :         sd = make_sec_desc(talloc_tos(),old->revision, old->type,
     664        1970 :                            old->owner_sid, old->group_sid,
     665             :                            NULL, old->dacl, &sd_size);
     666             : 
     667        1970 :         if (!set_secdesc(cli, filename, sd)) {
     668           0 :                 result = EXIT_FAILED;
     669             :         }
     670             : 
     671        1970 :         return result;
     672             : }
     673             : 
     674             : /*****************************************************
     675             : set the ACLs on a file given an ascii description
     676             : *******************************************************/
     677             : 
     678        1252 : static int cacl_set(struct cli_state *cli, const char *filename,
     679             :                     char *the_acl, enum acl_mode mode, bool numeric)
     680             : {
     681        1252 :         struct security_descriptor *sd = NULL;
     682             : 
     683        1252 :         if (sddl) {
     684           4 :                 const char *msg = NULL;
     685           4 :                 size_t msg_offset = 0;
     686           4 :                 enum ace_condition_flags flags =
     687             :                         ACE_CONDITION_FLAG_ALLOW_DEVICE;
     688           4 :                 sd = sddl_decode_err_msg(talloc_tos(),
     689             :                                         the_acl,
     690           4 :                                         get_domain_sid(cli),
     691             :                                         flags,
     692             :                                         &msg,
     693             :                                         &msg_offset);
     694           4 :                 if (sd == NULL) {
     695           0 :                         DBG_ERR("could not decode '%s'\n", the_acl);
     696           0 :                         if (msg != NULL) {
     697           0 :                                 DBG_ERR("                  %*c\n",
     698             :                                         (int)msg_offset, '^');
     699           0 :                                 DBG_ERR("error '%s'\n", msg);
     700             :                         }
     701             :                 }
     702             :         } else {
     703        1248 :                 sd = sec_desc_parse(talloc_tos(), cli, the_acl);
     704             :         }
     705             : 
     706        1252 :         if (sd == NULL) {
     707           0 :                 return EXIT_PARSE_ERROR;
     708             :         }
     709        1252 :         if (test_args) {
     710           0 :                 return EXIT_OK;
     711             :         }
     712        1252 :         return cacl_set_from_sd(cli, filename, sd, mode, numeric);
     713             : }
     714             : 
     715             : /*****************************************************
     716             : set the inherit on a file
     717             : *******************************************************/
     718          18 : static int inherit(struct cli_state *cli, const char *filename,
     719             :                    const char *type)
     720             : {
     721             :         struct security_descriptor *old,*sd;
     722             :         uint32_t oldattr;
     723             :         size_t sd_size;
     724          18 :         int result = EXIT_OK;
     725             : 
     726          18 :         old = get_secdesc(cli, filename);
     727             : 
     728          18 :         if (!old) {
     729           0 :                 return EXIT_FAILED;
     730             :         }
     731             : 
     732          18 :         oldattr = get_fileinfo(cli,filename);
     733             : 
     734          18 :         if (strcmp(type,"allow")==0) {
     735           0 :                 if ((old->type & SEC_DESC_DACL_PROTECTED) ==
     736             :                     SEC_DESC_DACL_PROTECTED) {
     737             :                         uint32_t i;
     738             :                         char *parentname,*temp;
     739             :                         struct security_descriptor *parent;
     740           0 :                         temp = talloc_strdup(talloc_tos(), filename);
     741             : 
     742           0 :                         old->type=old->type & (~SEC_DESC_DACL_PROTECTED);
     743             : 
     744             :                         /* look at parent and copy in all its inheritable ACL's. */
     745           0 :                         string_replace(temp, '\\', '/');
     746           0 :                         if (!parent_dirname(talloc_tos(),temp,&parentname,NULL)) {
     747           0 :                                 return EXIT_FAILED;
     748             :                         }
     749           0 :                         string_replace(parentname, '/', '\\');
     750           0 :                         parent = get_secdesc(cli,parentname);
     751           0 :                         if (parent == NULL) {
     752           0 :                                 return EXIT_FAILED;
     753             :                         }
     754           0 :                         for (i=0;i<parent->dacl->num_aces;i++) {
     755           0 :                                 struct security_ace *ace=&parent->dacl->aces[i];
     756             :                                 /* Add inherited flag to all aces */
     757           0 :                                 ace->flags=ace->flags|
     758             :                                            SEC_ACE_FLAG_INHERITED_ACE;
     759           0 :                                 if ((oldattr & FILE_ATTRIBUTE_DIRECTORY) == FILE_ATTRIBUTE_DIRECTORY) {
     760           0 :                                         if ((ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) ==
     761             :                                             SEC_ACE_FLAG_CONTAINER_INHERIT) {
     762           0 :                                                 add_ace(&old->dacl, ace);
     763             :                                         }
     764             :                                 } else {
     765           0 :                                         if ((ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT) ==
     766             :                                             SEC_ACE_FLAG_OBJECT_INHERIT) {
     767             :                                                 /* clear flags for files */
     768           0 :                                                 ace->flags=0;
     769           0 :                                                 add_ace(&old->dacl, ace);
     770             :                                         }
     771             :                                 }
     772             :                         }
     773             :                 } else {
     774           0 :                         printf("Already set to inheritable permissions.\n");
     775           0 :                         return EXIT_FAILED;
     776             :                 }
     777          18 :         } else if (strcmp(type,"remove")==0) {
     778           0 :                 if ((old->type & SEC_DESC_DACL_PROTECTED) !=
     779             :                     SEC_DESC_DACL_PROTECTED) {
     780           0 :                         old->type=old->type | SEC_DESC_DACL_PROTECTED;
     781             : 
     782             :                         /* remove all inherited ACL's. */
     783           0 :                         if (old->dacl) {
     784             :                                 int i;
     785           0 :                                 struct security_acl *temp=old->dacl;
     786           0 :                                 old->dacl=make_sec_acl(talloc_tos(), 3, 0, NULL);
     787           0 :                                 for (i=temp->num_aces-1;i>=0;i--) {
     788           0 :                                         struct security_ace *ace=&temp->aces[i];
     789             :                                         /* Remove all ace with INHERITED flag set */
     790           0 :                                         if ((ace->flags & SEC_ACE_FLAG_INHERITED_ACE) !=
     791             :                                             SEC_ACE_FLAG_INHERITED_ACE) {
     792           0 :                                                 add_ace(&old->dacl,ace);
     793             :                                         }
     794             :                                 }
     795             :                         }
     796             :                 } else {
     797           0 :                         printf("Already set to no inheritable permissions.\n");
     798           0 :                         return EXIT_FAILED;
     799             :                 }
     800          18 :         } else if (strcmp(type,"copy")==0) {
     801          18 :                 if ((old->type & SEC_DESC_DACL_PROTECTED) !=
     802             :                     SEC_DESC_DACL_PROTECTED) {
     803          18 :                         old->type=old->type | SEC_DESC_DACL_PROTECTED;
     804             : 
     805             :                         /*
     806             :                          * convert all inherited ACL's to non
     807             :                          * inherited ACL's.
     808             :                          */
     809          18 :                         if (old->dacl) {
     810             :                                 uint32_t i;
     811         108 :                                 for (i=0;i<old->dacl->num_aces;i++) {
     812          90 :                                         struct security_ace *ace=&old->dacl->aces[i];
     813             :                                         /* Remove INHERITED FLAG from all aces */
     814          90 :                                         ace->flags=ace->flags&(~SEC_ACE_FLAG_INHERITED_ACE);
     815             :                                 }
     816             :                         }
     817             :                 } else {
     818           0 :                         printf("Already set to no inheritable permissions.\n");
     819           0 :                         return EXIT_FAILED;
     820             :                 }
     821             :         }
     822             : 
     823             :         /* Denied ACE entries must come before allowed ones */
     824          18 :         sort_acl(old->dacl);
     825             : 
     826          18 :         sd = make_sec_desc(talloc_tos(),old->revision, old->type,
     827          18 :                            old->owner_sid, old->group_sid,
     828             :                            NULL, old->dacl, &sd_size);
     829             : 
     830          18 :         if (!set_secdesc(cli, filename, sd)) {
     831           0 :                 result = EXIT_FAILED;
     832             :         }
     833             : 
     834          18 :         return result;
     835             : }
     836             : 
     837             : /*****************************************************
     838             :  Return a connection to a server.
     839             : *******************************************************/
     840        2114 : static struct cli_state *connect_one(struct cli_credentials *creds,
     841             :                                      const char *server, const char *share)
     842             : {
     843        2114 :         struct cli_state *c = NULL;
     844             :         NTSTATUS nt_status;
     845        2114 :         uint32_t flags = 0;
     846             : 
     847        2114 :         nt_status = cli_full_connection_creds(&c, lp_netbios_name(), server,
     848             :                                 NULL, 0,
     849             :                                 share, "?????",
     850             :                                 creds,
     851             :                                 flags);
     852        2114 :         if (!NT_STATUS_IS_OK(nt_status)) {
     853           0 :                 DEBUG(0,("cli_full_connection failed! (%s)\n", nt_errstr(nt_status)));
     854           0 :                 return NULL;
     855             :         }
     856             : 
     857        2114 :         return c;
     858             : }
     859             : 
     860             : /*
     861             :  * Process resulting combination of mask & fname ensuring
     862             :  * terminated with wildcard
     863             :  */
     864         232 : static char *build_dirname(TALLOC_CTX *ctx,
     865             :         const char *mask, char *dir, char *fname)
     866             : {
     867         232 :         char *mask2 = NULL;
     868         232 :         char *p = NULL;
     869             : 
     870         232 :         mask2 = talloc_strdup(ctx, mask);
     871         232 :         if (!mask2) {
     872           0 :                 return NULL;
     873             :         }
     874         232 :         p = strrchr_m(mask2, DIRSEP_CHAR);
     875         232 :         if (p) {
     876         232 :                 p[1] = 0;
     877             :         } else {
     878           0 :                 mask2[0] = '\0';
     879             :         }
     880         232 :         mask2 = talloc_asprintf_append(mask2,
     881             :                                 "%s\\*",
     882             :                                 fname);
     883         232 :         return mask2;
     884             : }
     885             : 
     886             : /*
     887             :  * Returns a copy of the ACL flags in ace modified according
     888             :  * to some inheritance rules.
     889             :  *   a) SEC_ACE_FLAG_INHERITED_ACE is propagated to children
     890             :  *   b) SEC_ACE_FLAG_INHERIT_ONLY is set on container children for OI (only)
     891             :  *   c) SEC_ACE_FLAG_OBJECT_INHERIT & SEC_ACE_FLAG_CONTAINER_INHERIT are
     892             :  *      stripped from flags to be propagated to non-container children
     893             :  *   d) SEC_ACE_FLAG_OBJECT_INHERIT & SEC_ACE_FLAG_CONTAINER_INHERIT are
     894             :  *      stripped from flags to be propagated if the NP flag
     895             :  *      SEC_ACE_FLAG_NO_PROPAGATE_INHERIT is present
     896             :  */
     897             : 
     898        3566 : static uint8_t get_flags_to_propagate(bool is_container,
     899             :                                 struct security_ace *ace)
     900             : {
     901        3566 :         uint8_t newflags = ace->flags;
     902             :         /* OBJECT inheritance */
     903        3566 :         bool acl_objinherit = (ace->flags &
     904             :                 SEC_ACE_FLAG_OBJECT_INHERIT) == SEC_ACE_FLAG_OBJECT_INHERIT;
     905             :         /* CONTAINER inheritance */
     906        3566 :         bool acl_cntrinherit = (ace->flags &
     907             :                 SEC_ACE_FLAG_CONTAINER_INHERIT) ==
     908             :                         SEC_ACE_FLAG_CONTAINER_INHERIT;
     909             :         /* PROHIBIT inheritance */
     910        3566 :         bool prohibit_inheritance = ((ace->flags &
     911             :                 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) ==
     912             :                         SEC_ACE_FLAG_NO_PROPAGATE_INHERIT);
     913             : 
     914             :         /* Assume we are not propagating the ACE */
     915             : 
     916        3566 :         newflags &= ~SEC_ACE_FLAG_INHERITED_ACE;
     917             :         /* all children need to have the SEC_ACE_FLAG_INHERITED_ACE set */
     918        3566 :         if (acl_cntrinherit || acl_objinherit) {
     919             :                 /*
     920             :                  * object inherit ( alone ) on a container needs
     921             :                  * SEC_ACE_FLAG_INHERIT_ONLY
     922             :                  */
     923        3566 :                 if (is_container) {
     924        1232 :                         if (acl_objinherit && !acl_cntrinherit) {
     925          30 :                                 newflags |= SEC_ACE_FLAG_INHERIT_ONLY;
     926             :                         }
     927             :                         /*
     928             :                          * this is tricky, the only time we would not
     929             :                          * propagate the ace for a container is if
     930             :                          * prohibit_inheritance is set and object inheritance
     931             :                          * alone is set
     932             :                          */
     933        1232 :                         if ((prohibit_inheritance
     934          18 :                             && acl_objinherit
     935        1250 :                             && !acl_cntrinherit) == false) {
     936        1226 :                                 newflags |= SEC_ACE_FLAG_INHERITED_ACE;
     937             :                         }
     938             :                 } else {
     939             :                         /*
     940             :                          * don't apply object/container inheritance flags to
     941             :                          * non dirs
     942             :                          */
     943        2334 :                         newflags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT
     944             :                                         | SEC_ACE_FLAG_CONTAINER_INHERIT
     945             :                                         | SEC_ACE_FLAG_INHERIT_ONLY);
     946             :                         /*
     947             :                          * only apply ace to file if object inherit
     948             :                          */
     949        2334 :                         if (acl_objinherit) {
     950        2334 :                                 newflags |= SEC_ACE_FLAG_INHERITED_ACE;
     951             :                         }
     952             :                 }
     953             : 
     954             :                 /* if NP is specified strip NP and all OI/CI INHERIT flags */
     955        3566 :                 if (prohibit_inheritance) {
     956          30 :                         newflags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT
     957             :                                         | SEC_ACE_FLAG_CONTAINER_INHERIT
     958             :                                         | SEC_ACE_FLAG_INHERIT_ONLY
     959             :                                         | SEC_ACE_FLAG_NO_PROPAGATE_INHERIT);
     960             :                 }
     961             :         }
     962        3566 :         return newflags;
     963             : }
     964             : 
     965             : /*
     966             :  * This function builds a new acl for 'caclfile', first it removes any
     967             :  * existing inheritable ace(s) from the current acl of caclfile, secondly it
     968             :  * applies any inheritable acls of the parent of caclfile ( inheritable acls of
     969             :  * caclfile's parent are passed via acl_to_add member of cbstate )
     970             :  *
     971             :  */
     972         580 : static NTSTATUS propagate_inherited_aces(char *caclfile,
     973             :                         struct cacl_callback_state *cbstate)
     974             : {
     975         580 :         TALLOC_CTX *aclctx = NULL;
     976             :         NTSTATUS status;
     977             :         int result;
     978             :         int fileattr;
     979         580 :         struct security_descriptor *old = NULL;
     980         580 :         bool is_container = false;
     981         580 :         struct security_acl *acl_to_add = cbstate->acl_to_add;
     982         580 :         struct security_acl *acl_to_remove = NULL;
     983             :         uint32_t i, j;
     984             : 
     985         580 :         aclctx = talloc_new(NULL);
     986         580 :         if (aclctx == NULL) {
     987           0 :                 return NT_STATUS_NO_MEMORY;
     988             :         }
     989         580 :         old = get_secdesc_with_ctx(aclctx, cbstate->cli, caclfile);
     990             : 
     991         580 :         if (!old) {
     992           0 :                 status = NT_STATUS_UNSUCCESSFUL;
     993           0 :                 goto out;
     994             :         }
     995             : 
     996             :         /* inhibit propagation? */
     997         580 :         if ((old->type & SEC_DESC_DACL_PROTECTED) ==
     998             :                 SEC_DESC_DACL_PROTECTED){
     999           6 :                 status = NT_STATUS_OK;
    1000           6 :                 goto out;
    1001             :         }
    1002             : 
    1003         574 :         fileattr = get_fileinfo(cbstate->cli, caclfile);
    1004         574 :         is_container = (fileattr & FILE_ATTRIBUTE_DIRECTORY);
    1005             : 
    1006             :         /* find acl(s) that are inherited */
    1007        3122 :         for (j = 0; old->dacl && j < old->dacl->num_aces; j++) {
    1008             : 
    1009        2548 :                 if (old->dacl->aces[j].flags & SEC_ACE_FLAG_INHERITED_ACE) {
    1010         882 :                         if (!add_ace_with_ctx(aclctx, &acl_to_remove,
    1011         882 :                                               &old->dacl->aces[j])) {
    1012           0 :                                 status = NT_STATUS_NO_MEMORY;
    1013           0 :                                 goto out;
    1014             :                         }
    1015             :                 }
    1016             :         }
    1017             : 
    1018             :         /* remove any acl(s) that are inherited */
    1019         574 :         if (acl_to_remove) {
    1020        1456 :                 for (i = 0; i < acl_to_remove->num_aces; i++) {
    1021         882 :                         struct security_ace ace = acl_to_remove->aces[i];
    1022        3866 :                         for (j = 0; old->dacl && j < old->dacl->num_aces; j++) {
    1023             : 
    1024        3866 :                                 if (security_ace_equal(&ace,
    1025        3866 :                                                   &old->dacl->aces[j])) {
    1026             :                                         uint32_t k;
    1027        1670 :                                         for (k = j; k < old->dacl->num_aces-1;
    1028         788 :                                                 k++) {
    1029         788 :                                                 old->dacl->aces[k] =
    1030         788 :                                                         old->dacl->aces[k+1];
    1031             :                                         }
    1032         882 :                                         old->dacl->num_aces--;
    1033         882 :                                         break;
    1034             :                                 }
    1035             :                         }
    1036             :                 }
    1037             :         }
    1038             :         /* propagate any inheritable ace to be added */
    1039         574 :         if (acl_to_add) {
    1040        4200 :                 for (i = 0; i < acl_to_add->num_aces; i++) {
    1041        3626 :                         struct security_ace ace = acl_to_add->aces[i];
    1042        3626 :                         bool is_objectinherit = (ace.flags &
    1043             :                                 SEC_ACE_FLAG_OBJECT_INHERIT) ==
    1044             :                                         SEC_ACE_FLAG_OBJECT_INHERIT;
    1045             :                         bool is_inherited;
    1046             :                         /* don't propagate flags to a file unless OI */
    1047        3626 :                         if (!is_objectinherit && !is_container) {
    1048          66 :                                 continue;
    1049             :                         }
    1050             :                         /*
    1051             :                          * adjust flags according to inheritance
    1052             :                          * rules
    1053             :                          */
    1054        3566 :                         ace.flags = get_flags_to_propagate(is_container, &ace);
    1055        3566 :                         is_inherited = (ace.flags &
    1056             :                                 SEC_ACE_FLAG_INHERITED_ACE) ==
    1057             :                                         SEC_ACE_FLAG_INHERITED_ACE;
    1058             :                         /* don't propagate non inherited flags */
    1059        3566 :                         if (!is_inherited) {
    1060           6 :                                 continue;
    1061             :                         }
    1062        3560 :                         if (!add_ace_with_ctx(aclctx, &old->dacl, &ace)) {
    1063           0 :                                 status = NT_STATUS_NO_MEMORY;
    1064           0 :                                 goto out;
    1065             :                         }
    1066             :                 }
    1067             :         }
    1068             : 
    1069         574 :         result = cacl_set_from_sd(cbstate->cli, caclfile,
    1070             :                                   old,
    1071         574 :                                   SMB_ACL_SET, cbstate->numeric);
    1072         574 :         if (result != EXIT_OK) {
    1073           0 :                 status = NT_STATUS_UNSUCCESSFUL;
    1074           0 :                 goto out;
    1075             :         }
    1076             : 
    1077         574 :         status = NT_STATUS_OK;
    1078         580 : out:
    1079         580 :         TALLOC_FREE(aclctx);
    1080         580 :         return status;
    1081             : }
    1082             : 
    1083             : /*
    1084             :  * Returns true if 'ace' contains SEC_ACE_FLAG_OBJECT_INHERIT or
    1085             :  * SEC_ACE_FLAG_CONTAINER_INHERIT
    1086             :  */
    1087        2906 : static bool is_inheritable_ace(struct security_ace *ace)
    1088             : {
    1089        2906 :         uint8_t flags = ace->flags;
    1090        2906 :         if (flags & (SEC_ACE_FLAG_OBJECT_INHERIT
    1091             :                         | SEC_ACE_FLAG_CONTAINER_INHERIT)) {
    1092        2510 :                 return true;
    1093             :         }
    1094         396 :         return false;
    1095             : }
    1096             : 
    1097             : /* This method does some basic sanity checking with respect to automatic
    1098             :  * inheritance. e.g. it checks if it is possible to do a set, it detects illegal
    1099             :  * attempts to set inherited permissions directly. Additionally this method
    1100             :  * does some basic initialisation for instance it parses the ACL passed on the
    1101             :  * command line.
    1102             :  */
    1103         122 : static NTSTATUS prepare_inheritance_propagation(TALLOC_CTX *ctx, char *filename,
    1104             :                         struct cacl_callback_state *cbstate)
    1105             : {
    1106             :         NTSTATUS result;
    1107         122 :         char *the_acl = cbstate->the_acl;
    1108         122 :         struct cli_state *cli = cbstate->cli;
    1109         122 :         enum acl_mode mode = cbstate->mode;
    1110         122 :         struct security_descriptor *sd = NULL;
    1111         122 :         struct security_descriptor *old = NULL;
    1112             :         uint32_t j;
    1113         122 :         bool propagate = false;
    1114             : 
    1115         122 :         old = get_secdesc_with_ctx(ctx, cli, filename);
    1116         122 :         if (old == NULL) {
    1117           0 :                 return NT_STATUS_NO_MEMORY;
    1118             :         }
    1119             : 
    1120             :         /* parse acl passed on the command line */
    1121         122 :         if (sddl) {
    1122           0 :                 const char *msg = NULL;
    1123           0 :                 size_t msg_offset = 0;
    1124           0 :                 enum ace_condition_flags flags =
    1125             :                         ACE_CONDITION_FLAG_ALLOW_DEVICE;
    1126             : 
    1127           0 :                 cbstate->aclsd = sddl_decode_err_msg(ctx,
    1128             :                                                      the_acl,
    1129           0 :                                                      get_domain_sid(cli),
    1130             :                                                      flags,
    1131             :                                                      &msg,
    1132             :                                                      &msg_offset);
    1133           0 :                 if (cbstate->aclsd == NULL) {
    1134           0 :                         DBG_ERR("could not decode '%s'\n", the_acl);
    1135           0 :                         if (msg != NULL) {
    1136           0 :                                 DBG_ERR("                  %*c\n",
    1137             :                                         (int)msg_offset, '^');
    1138           0 :                                 DBG_ERR("error '%s'\n", msg);
    1139             :                         }
    1140             :                 }
    1141             :         } else {
    1142         122 :                 cbstate->aclsd = sec_desc_parse(ctx, cli, the_acl);
    1143             :         }
    1144             : 
    1145         122 :         if (!cbstate->aclsd) {
    1146           0 :                 result = NT_STATUS_UNSUCCESSFUL;
    1147           0 :                 goto out;
    1148             :         }
    1149             : 
    1150         122 :         sd = cbstate->aclsd;
    1151             : 
    1152             :         /* set operation if inheritance is enabled doesn't make sense */
    1153         122 :         if (mode == SMB_ACL_SET && ((old->type & SEC_DESC_DACL_PROTECTED) !=
    1154             :                 SEC_DESC_DACL_PROTECTED)){
    1155           6 :                 d_printf("Inheritance enabled at %s, can't apply set operation\n",filename);
    1156           6 :                 result = NT_STATUS_UNSUCCESSFUL;
    1157           6 :                 goto out;
    1158             : 
    1159             :         }
    1160             : 
    1161             :         /*
    1162             :          * search command line acl for any illegal SEC_ACE_FLAG_INHERITED_ACE
    1163             :          * flags that are set
    1164             :          */
    1165         232 :         for (j = 0; sd->dacl && j < sd->dacl->num_aces; j++) {
    1166         116 :                 struct security_ace *ace = &sd->dacl->aces[j];
    1167         116 :                 if (ace->flags & SEC_ACE_FLAG_INHERITED_ACE) {
    1168           0 :                         d_printf("Illegal parameter %s\n", the_acl);
    1169           0 :                         result = NT_STATUS_UNSUCCESSFUL;
    1170           0 :                         goto out;
    1171             :                 }
    1172         116 :                 if (!propagate) {
    1173         116 :                         if (is_inheritable_ace(ace)) {
    1174         116 :                                 propagate = true;
    1175             :                         }
    1176             :                 }
    1177             :         }
    1178             : 
    1179         116 :         result = NT_STATUS_OK;
    1180         122 : out:
    1181         122 :         cbstate->acl_no_propagate = !propagate;
    1182         122 :         return result;
    1183             : }
    1184             : 
    1185             : /*
    1186             :  * This method builds inheritable ace(s) from filename (which should be
    1187             :  * a container) that need propagating to children in order to provide
    1188             :  * automatic inheritance. Those inheritable ace(s) are stored in
    1189             :  * acl_to_add member of cbstate for later processing
    1190             :  * (see propagate_inherited_aces)
    1191             :  */
    1192         348 : static NTSTATUS get_inheritable_aces(TALLOC_CTX *ctx, char *filename,
    1193             :                         struct cacl_callback_state *cbstate)
    1194             : {
    1195             :         NTSTATUS result;
    1196         348 :         struct cli_state *cli = NULL;
    1197         348 :         struct security_descriptor *sd = NULL;
    1198         348 :         struct security_acl *acl_to_add = NULL;
    1199             :         uint32_t j;
    1200             : 
    1201         348 :         cli = cbstate->cli;
    1202         348 :         sd = get_secdesc_with_ctx(ctx, cli, filename);
    1203             : 
    1204         348 :         if (sd == NULL) {
    1205           0 :                 return NT_STATUS_NO_MEMORY;
    1206             :         }
    1207             : 
    1208             :         /*
    1209             :          * Check if any inheritance related flags are used, if not then
    1210             :          * nothing to do. At the same time populate acls for inheritance
    1211             :          * related ace(s) that need to be added to or deleted from children as
    1212             :          * a result of inheritance propagation.
    1213             :          */
    1214             : 
    1215        3138 :         for (j = 0; sd->dacl && j < sd->dacl->num_aces; j++) {
    1216        2790 :                 struct security_ace *ace = &sd->dacl->aces[j];
    1217        2790 :                 if (is_inheritable_ace(ace)) {
    1218        2394 :                         bool added = add_ace_with_ctx(ctx, &acl_to_add, ace);
    1219        2394 :                         if (!added) {
    1220           0 :                                 result = NT_STATUS_NO_MEMORY;
    1221           0 :                                 goto out;
    1222             :                         }
    1223             :                 }
    1224             :         }
    1225         348 :         cbstate->acl_to_add = acl_to_add;
    1226         348 :         result = NT_STATUS_OK;
    1227         348 : out:
    1228         348 :         return result;
    1229             : }
    1230             : 
    1231             : /*
    1232             :  * Callback handler to handle child elements processed by cli_list,  we attempt
    1233             :  * to propagate inheritable ace(s) to each child via the function
    1234             :  * propagate_inherited_aces. Children that are themselves directories are passed
    1235             :  * to cli_list again ( to descend the directory structure )
    1236             :  */
    1237        1276 : static NTSTATUS cacl_set_cb(struct file_info *f,
    1238             :                            const char *mask, void *state)
    1239             : {
    1240        1276 :         struct cacl_callback_state *cbstate =
    1241             :                 (struct cacl_callback_state *)state;
    1242        1276 :         struct cli_state *cli = NULL;
    1243        1276 :         struct cli_credentials *creds = NULL;
    1244             : 
    1245        1276 :         TALLOC_CTX *dirctx = NULL;
    1246             :         NTSTATUS status;
    1247        1276 :         struct cli_state *targetcli = NULL;
    1248             : 
    1249        1276 :         char *dir = NULL;
    1250        1276 :         char *dir_end = NULL;
    1251        1276 :         char *mask2 = NULL;
    1252        1276 :         char *targetpath = NULL;
    1253        1276 :         char *caclfile = NULL;
    1254             : 
    1255        1276 :         dirctx = talloc_new(NULL);
    1256        1276 :         if (!dirctx) {
    1257           0 :                 status = NT_STATUS_NO_MEMORY;
    1258           0 :                 goto out;
    1259             :         }
    1260             : 
    1261        1276 :         cli = cbstate->cli;
    1262        1276 :         creds = cbstate->creds;
    1263             : 
    1264             :         /* Work out the directory. */
    1265        1276 :         dir = talloc_strdup(dirctx, mask);
    1266        1276 :         if (!dir) {
    1267           0 :                 status = NT_STATUS_NO_MEMORY;
    1268           0 :                 goto out;
    1269             :         }
    1270             : 
    1271        1276 :         dir_end = strrchr(dir, DIRSEP_CHAR);
    1272        1276 :         if (dir_end != NULL) {
    1273        1276 :                 *dir_end = '\0';
    1274             :         }
    1275             : 
    1276        1276 :         if (!f->name || !f->name[0]) {
    1277           0 :                 d_printf("Empty dir name returned. Possible server misconfiguration.\n");
    1278           0 :                 status = NT_STATUS_UNSUCCESSFUL;
    1279           0 :                 goto out;
    1280             :         }
    1281             : 
    1282        1276 :         if (f->attr & FILE_ATTRIBUTE_DIRECTORY) {
    1283             :                 struct cacl_callback_state dir_cbstate;
    1284         928 :                 uint16_t attribute = FILE_ATTRIBUTE_DIRECTORY
    1285             :                         | FILE_ATTRIBUTE_SYSTEM
    1286             :                         | FILE_ATTRIBUTE_HIDDEN;
    1287         928 :                 dir_end = NULL;
    1288             : 
    1289             :                 /* ignore special '.' & '..' */
    1290         928 :                 if ((f->name == NULL) || ISDOT(f->name) || ISDOTDOT(f->name)) {
    1291         696 :                         status = NT_STATUS_OK;
    1292         696 :                         goto out;
    1293             :                 }
    1294             : 
    1295         232 :                 mask2 = build_dirname(dirctx, mask, dir, f->name);
    1296         232 :                 if (mask2 == NULL) {
    1297           0 :                         status = NT_STATUS_NO_MEMORY;
    1298           0 :                         goto out;
    1299             :                 }
    1300             : 
    1301             :                 /* check for dfs */
    1302         232 :                 status = cli_resolve_path(dirctx, "", creds, cli,
    1303             :                         mask2, &targetcli, &targetpath);
    1304         232 :                 if (!NT_STATUS_IS_OK(status)) {
    1305           0 :                         goto out;
    1306             :                 }
    1307             : 
    1308             :                 /*
    1309             :                  * prepare path to caclfile, remove any existing wildcard
    1310             :                  * chars and convert path separators.
    1311             :                  */
    1312             : 
    1313         232 :                 caclfile = talloc_strdup(dirctx, targetpath);
    1314         232 :                 if (!caclfile) {
    1315           0 :                         status = NT_STATUS_NO_MEMORY;
    1316           0 :                         goto out;
    1317             :                 }
    1318         232 :                 dir_end = strrchr(caclfile, '*');
    1319         232 :                 if (dir_end != NULL) {
    1320         232 :                         *dir_end = '\0';
    1321             :                 }
    1322             : 
    1323         232 :                 string_replace(caclfile, '/', '\\');
    1324             :                 /*
    1325             :                  * make directory specific copy of cbstate here
    1326             :                  * (for this directory level) to be available as
    1327             :                  * the parent cbstate for the children of this directory.
    1328             :                  * Note: cbstate is overwritten for the current file being
    1329             :                  *       processed.
    1330             :                  */
    1331         232 :                 dir_cbstate = *cbstate;
    1332         232 :                 dir_cbstate.cli = targetcli;
    1333             : 
    1334             :                 /*
    1335             :                  * propagate any inherited ace from our parent
    1336             :                  */
    1337         232 :                 status = propagate_inherited_aces(caclfile, &dir_cbstate);
    1338         232 :                 if (!NT_STATUS_IS_OK(status)) {
    1339           0 :                         goto out;
    1340             :                 }
    1341             : 
    1342             :                 /*
    1343             :                  * get inheritable ace(s) for this dir/container
    1344             :                  * that will be propagated to its children
    1345             :                  */
    1346         232 :                 status = get_inheritable_aces(dirctx, caclfile,
    1347             :                                                       &dir_cbstate);
    1348         232 :                 if (!NT_STATUS_IS_OK(status)) {
    1349           0 :                         goto out;
    1350             :                 }
    1351             : 
    1352             :                 /*
    1353             :                  * ensure cacl_set_cb gets called for children
    1354             :                  * of this directory (targetpath)
    1355             :                  */
    1356         232 :                 status = cli_list(targetcli, targetpath,
    1357             :                         attribute, cacl_set_cb,
    1358             :                         (void *)&dir_cbstate);
    1359             : 
    1360         232 :                 if (!NT_STATUS_IS_OK(status)) {
    1361           0 :                         goto out;
    1362             :                 }
    1363             : 
    1364             :         } else {
    1365             :                 /*
    1366             :                  * build full path to caclfile and replace '/' with '\' so
    1367             :                  * other utility functions can deal with it
    1368             :                  */
    1369             : 
    1370         348 :                 targetpath = talloc_asprintf(dirctx, "%s/%s", dir, f->name);
    1371         348 :                 if (!targetpath) {
    1372           0 :                         status = NT_STATUS_NO_MEMORY;
    1373           0 :                         goto out;
    1374             :                 }
    1375         348 :                 string_replace(targetpath, '/', '\\');
    1376             : 
    1377             :                 /* attempt to propagate any inherited ace to file caclfile */
    1378         348 :                 status = propagate_inherited_aces(targetpath, cbstate);
    1379             : 
    1380         348 :                 if (!NT_STATUS_IS_OK(status)) {
    1381           0 :                         goto out;
    1382             :                 }
    1383             :         }
    1384         580 :         status = NT_STATUS_OK;
    1385        1276 : out:
    1386        1276 :         if (!NT_STATUS_IS_OK(status)) {
    1387           0 :                 d_printf("error %s: processing %s\n",
    1388             :                         nt_errstr(status),
    1389             :                         targetpath);
    1390             :         }
    1391        1276 :         TALLOC_FREE(dirctx);
    1392        1276 :         return status;
    1393             : }
    1394             : 
    1395             : 
    1396             : /*
    1397             :  * Wrapper around cl_list to descend the directory tree pointed to by 'filename',
    1398             :  * helper callback function 'cacl_set_cb' handles the child elements processed
    1399             :  * by cli_list.
    1400             :  */
    1401         122 : static int inheritance_cacl_set(char *filename,
    1402             :                         struct cacl_callback_state *cbstate)
    1403             : {
    1404             :         int result;
    1405             :         NTSTATUS ntstatus;
    1406             :         int fileattr;
    1407         122 :         char *mask = NULL;
    1408         122 :         struct cli_state *cli = cbstate->cli;
    1409         122 :         TALLOC_CTX *ctx = NULL;
    1410         122 :         bool isdirectory = false;
    1411         122 :         uint16_t attribute = FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_SYSTEM
    1412             :                                 | FILE_ATTRIBUTE_HIDDEN;
    1413         122 :         ctx = talloc_init("inherit_set");
    1414         122 :         if (ctx == NULL) {
    1415           0 :                 d_printf("out of memory\n");
    1416           0 :                 result = EXIT_FAILED;
    1417           0 :                 goto out;
    1418             :         }
    1419             : 
    1420             :         /* ensure we have a filename that starts with '\' */
    1421         122 :         if (!filename || *filename != DIRSEP_CHAR) {
    1422             :                 /* illegal or no filename */
    1423           0 :                 result = EXIT_FAILED;
    1424           0 :                 d_printf("illegal or missing name '%s'\n", filename);
    1425           0 :                 goto out;
    1426             :         }
    1427             : 
    1428             : 
    1429         122 :         fileattr = get_fileinfo(cli, filename);
    1430         122 :         isdirectory = (fileattr & FILE_ATTRIBUTE_DIRECTORY)
    1431             :                 == FILE_ATTRIBUTE_DIRECTORY;
    1432             : 
    1433             :         /*
    1434             :          * if we've got as far as here then we have already evaluated
    1435             :          * the args.
    1436             :          */
    1437         122 :         if (test_args) {
    1438           0 :                 result = EXIT_OK;
    1439           0 :                 goto out;
    1440             :         }
    1441             : 
    1442         122 :         mask = NULL;
    1443             :         /* make sure we have a trailing '\*' for directory */
    1444         122 :         if (!isdirectory) {
    1445           0 :                 mask = talloc_strdup(ctx, filename);
    1446         122 :         } else if (strlen(filename) > 1) {
    1447             :                 /*
    1448             :                  * if the passed file name doesn't have a trailing '\'
    1449             :                  * append it.
    1450             :                  */
    1451         122 :                 char *name_end = strrchr(filename, DIRSEP_CHAR);
    1452         122 :                 if (name_end != filename + strlen(filename) + 1) {
    1453         122 :                         mask = talloc_asprintf(ctx, "%s\\*", filename);
    1454             :                 } else {
    1455           0 :                         mask = talloc_strdup(ctx, filename);
    1456             :                 }
    1457             :         } else {
    1458             :                 /* filename is a single '\', just append '*' */
    1459           0 :                 mask = talloc_asprintf_append(mask, "%s*", filename);
    1460             :         }
    1461             : 
    1462         122 :         if (!mask) {
    1463           0 :                 result = EXIT_FAILED;
    1464           0 :                 goto out;
    1465             :         }
    1466             : 
    1467             :         /*
    1468             :          * prepare for automatic propagation of the acl passed on the
    1469             :          * cmdline.
    1470             :          */
    1471             : 
    1472         122 :         ntstatus = prepare_inheritance_propagation(ctx, filename,
    1473             :                                                            cbstate);
    1474         122 :         if (!NT_STATUS_IS_OK(ntstatus)) {
    1475           6 :                 d_printf("error: %s processing %s\n",
    1476             :                          nt_errstr(ntstatus), filename);
    1477           6 :                 result = EXIT_FAILED;
    1478           6 :                 goto out;
    1479             :         }
    1480             : 
    1481         116 :         result = cacl_set_from_sd(cli, filename, cbstate->aclsd,
    1482         116 :                                 cbstate->mode, cbstate->numeric);
    1483             : 
    1484             :         /*
    1485             :          * strictly speaking it could be considered an error if a file was
    1486             :          * specified with '--propagate-inheritance'. However we really want
    1487             :          * to eventually get rid of '--propagate-inheritance' so we will be
    1488             :          * more forgiving here and instead just exit early.
    1489             :          */
    1490         116 :         if (!isdirectory || (result != EXIT_OK)) {
    1491           0 :                 goto out;
    1492             :         }
    1493             : 
    1494             :         /* check if there is actually any need to propagate */
    1495         116 :         if (cbstate->acl_no_propagate) {
    1496           0 :                 goto out;
    1497             :         }
    1498             :         /* get inheritable attributes this parent container (e.g. filename) */
    1499         116 :         ntstatus = get_inheritable_aces(ctx, filename, cbstate);
    1500         116 :         if (NT_STATUS_IS_OK(ntstatus)) {
    1501             :                 /* process children */
    1502         116 :                 ntstatus = cli_list(cli, mask, attribute,
    1503             :                                 cacl_set_cb,
    1504             :                                 (void *)cbstate);
    1505             :         }
    1506             : 
    1507         116 :         if (!NT_STATUS_IS_OK(ntstatus)) {
    1508           0 :                 d_printf("error: %s processing %s\n",
    1509             :                          nt_errstr(ntstatus), filename);
    1510           0 :                 result = EXIT_FAILED;
    1511           0 :                 goto out;
    1512             :         }
    1513             : 
    1514         116 : out:
    1515         122 :         TALLOC_FREE(ctx);
    1516         122 :         return result;
    1517             : }
    1518             : 
    1519             : struct diritem {
    1520             :        struct diritem *prev, *next;
    1521             :        /*
    1522             :         * dirname and targetpath below are sanitized,
    1523             :         * e.g.
    1524             :         *   + start and end with '\'
    1525             :         *   + have no trailing '*'
    1526             :         *   + all '/' have been converted to '\'
    1527             :         */
    1528             :        char *dirname;
    1529             :        char  *targetpath;
    1530             :        struct cli_state *targetcli;
    1531             : };
    1532             : 
    1533             : struct save_restore_stats
    1534             : {
    1535             :         int success;
    1536             :         int failure;
    1537             : };
    1538             : 
    1539             : struct dump_context {
    1540             :         struct diritem *list;
    1541             :         struct cli_credentials *creds;
    1542             :         struct cli_state *cli;
    1543             :         struct save_restore_stats *stats;
    1544             :         int save_fd;
    1545             :         struct diritem *dir;
    1546             :         NTSTATUS status;
    1547             : };
    1548             : 
    1549         112 : static int write_dacl(struct dump_context *ctx,
    1550             :                       struct cli_state *cli,
    1551             :                       const char *filename,
    1552             :                       const char *origfname)
    1553             : {
    1554         112 :         struct security_descriptor *sd = NULL;
    1555         112 :         char *str = NULL;
    1556         112 :         const char *output_fmt = "%s\r\n%s\r\n";
    1557         112 :         const char *tmp = NULL;
    1558         112 :         char *out_str = NULL;
    1559         112 :         uint8_t *dest = NULL;
    1560             :         ssize_t s_len;
    1561             :         size_t d_len;
    1562             :         bool ok;
    1563             :         int result;
    1564         112 :         TALLOC_CTX *frame = talloc_stackframe();
    1565             : 
    1566         112 :         if (test_args) {
    1567           0 :                 return EXIT_OK;
    1568             :         }
    1569             : 
    1570         112 :         if (ctx->save_fd < 0) {
    1571           0 :                 DBG_ERR("error processing %s no file descriptor\n", filename);
    1572           0 :                 result = EXIT_FAILED;
    1573           0 :                 goto out;
    1574             :         }
    1575             : 
    1576         112 :         sd = get_secdesc(cli, filename);
    1577         112 :         if (sd == NULL) {
    1578           0 :                 result = EXIT_FAILED;
    1579           0 :                 goto out;
    1580             :         }
    1581             : 
    1582         112 :         sd->owner_sid = NULL;
    1583         112 :         sd->group_sid = NULL;
    1584             : 
    1585         112 :         str = sddl_encode(frame, sd, get_domain_sid(cli));
    1586         112 :         if (str == NULL) {
    1587           0 :                 DBG_ERR("error processing %s couldn't encode DACL\n", filename);
    1588           0 :                 result = EXIT_FAILED;
    1589           0 :                 goto out;
    1590             :         }
    1591             :         /*
    1592             :          * format of icacls save file is
    1593             :          * a line containing the path of the file/dir
    1594             :          * followed by a line containing the sddl format
    1595             :          * of the dacl.
    1596             :          * The format of the strings are null terminated
    1597             :          * 16-bit Unicode. Each line is terminated by "\r\n"
    1598             :          */
    1599             : 
    1600         112 :         tmp = origfname;
    1601             :         /* skip leading '\' */
    1602         112 :         if (tmp[0] == '\\') {
    1603         112 :                 tmp++;
    1604             :         }
    1605         112 :         out_str = talloc_asprintf(frame, output_fmt, tmp, str);
    1606             : 
    1607         112 :         if (out_str == NULL) {
    1608           0 :                 result = EXIT_FAILED;
    1609           0 :                 goto out;
    1610             :         }
    1611             : 
    1612         112 :         s_len = strlen(out_str);
    1613             : 
    1614         112 :         ok = convert_string_talloc(out_str,
    1615             :                                    CH_UNIX,
    1616             :                                    CH_UTF16,
    1617             :                                    out_str,
    1618             :                                    s_len, (void **)(void *)&dest, &d_len);
    1619         112 :         if (!ok) {
    1620           0 :                 DBG_ERR("error processing %s out of memory\n", tmp);
    1621           0 :                 result = EXIT_FAILED;
    1622           0 :                 goto out;
    1623             :         }
    1624             : 
    1625         112 :         if (write(ctx->save_fd, dest, d_len) != d_len) {
    1626           0 :                 DBG_ERR("error processing %s failed to write to file.\n", tmp);
    1627           0 :                 result = EXIT_FAILED;
    1628           0 :                 goto out;
    1629             :         }
    1630         112 :         fsync(ctx->save_fd);
    1631             : 
    1632         112 :         result = EXIT_OK;
    1633         112 :         ctx->stats->success += 1;
    1634         112 :         fprintf(stdout, "Successfully processed file: %s\n", tmp);
    1635         112 : out:
    1636         112 :         TALLOC_FREE(frame);
    1637         112 :         if (result != EXIT_OK) {
    1638           0 :                 ctx->stats->failure += 1;
    1639             :         }
    1640         112 :         return result;
    1641             : }
    1642             : 
    1643             : /*
    1644             :  * Sanitize directory name.
    1645             :  * Given a directory name 'dir' ensure it;
    1646             :  *    o starts with '\'
    1647             :  *    o ends with '\'
    1648             :  *    o doesn't end with trailing '*'
    1649             :  *    o ensure all '/' are converted to '\'
    1650             :  */
    1651             : 
    1652         320 : static char *sanitize_dirname(TALLOC_CTX *ctx,
    1653             :                          const char *dir)
    1654             : {
    1655         320 :         char *mask = NULL;
    1656         320 :         char *name_end = NULL;
    1657             : 
    1658         320 :         mask = talloc_strdup(ctx, dir);
    1659         320 :         name_end = strrchr(mask, '*');
    1660         320 :         if (name_end) {
    1661         176 :                 *name_end = '\0';
    1662             :         }
    1663             : 
    1664         320 :         name_end = strrchr(mask, DIRSEP_CHAR);
    1665             : 
    1666         320 :         if (strlen(mask) > 0 && name_end != mask + (strlen(mask) - 1)) {
    1667         112 :                 mask = talloc_asprintf(ctx, "%s\\", mask);
    1668             :         }
    1669             : 
    1670         320 :         string_replace(mask, '/', '\\');
    1671         320 :         return mask;
    1672             : }
    1673             : 
    1674             : /*
    1675             :  * Process each entry (child) of a directory.
    1676             :  * Each entry, regardless of whether it is itself a file or directory
    1677             :  * has it's dacl written to the restore/save file.
    1678             :  * Each directory is saved to context->list (for further processing)
    1679             :  * write_dacl will update the stats (success/fail)
    1680             :  */
    1681         176 : static NTSTATUS cacl_dump_dacl_cb(struct file_info *f,
    1682             :                                   const char *mask, void *state)
    1683             : {
    1684         176 :         struct dump_context *ctx = talloc_get_type_abort(state,
    1685             :                                                          struct dump_context);
    1686             : 
    1687             :         NTSTATUS status;
    1688             : 
    1689         176 :         char *mask2 = NULL;
    1690         176 :         char *targetpath = NULL;
    1691         176 :         char *unresolved = NULL;
    1692             : 
    1693             :         /*
    1694             :          * if we have already encountered an error
    1695             :          * bail out
    1696             :          */
    1697         176 :         if (!NT_STATUS_IS_OK(ctx->status)) {
    1698           0 :                 return ctx->status;
    1699             :         }
    1700             : 
    1701         176 :         if (!f->name || !f->name[0]) {
    1702           0 :                 DBG_ERR("Empty dir name returned. Possible server "
    1703             :                         "misconfiguration.\n");
    1704           0 :                 status = NT_STATUS_UNSUCCESSFUL;
    1705           0 :                 goto out;
    1706             :         }
    1707             : 
    1708         176 :         mask2 = sanitize_dirname(ctx, mask);
    1709         176 :         if (!mask2) {
    1710           0 :                 status = NT_STATUS_NO_MEMORY;
    1711           0 :                 goto out;
    1712             :         }
    1713         176 :         if (f->attr & FILE_ATTRIBUTE_DIRECTORY) {
    1714         128 :                 struct diritem *item = NULL;
    1715             : 
    1716             :                 /* ignore special '.' & '..' */
    1717         128 :                 if ((f->name == NULL) || ISDOT(f->name) || ISDOTDOT(f->name)) {
    1718          96 :                         status = NT_STATUS_OK;
    1719          96 :                         goto out;
    1720             :                 }
    1721             : 
    1722             :                 /* Work out the directory. */
    1723          32 :                 unresolved = sanitize_dirname(ctx, ctx->dir->dirname);
    1724          32 :                 if (!unresolved) {
    1725           0 :                         status = NT_STATUS_NO_MEMORY;
    1726           0 :                         goto out;
    1727             :                 }
    1728             : 
    1729          32 :                 unresolved = talloc_asprintf(ctx, "%s%s", unresolved, f->name);
    1730             : 
    1731          32 :                 if (unresolved == NULL) {
    1732           0 :                         status = NT_STATUS_NO_MEMORY;
    1733           0 :                         goto out;
    1734             :                 }
    1735             : 
    1736          32 :                 item = talloc_zero(ctx, struct diritem);
    1737          32 :                 if (item == NULL) {
    1738           0 :                         status = NT_STATUS_NO_MEMORY;
    1739           0 :                         goto out;
    1740             :                 }
    1741             : 
    1742          32 :                 item->dirname = unresolved;
    1743             : 
    1744          32 :                 mask2 = talloc_asprintf(ctx, "%s%s", mask2, f->name);
    1745          32 :                 if (!mask2) {
    1746           0 :                         status = NT_STATUS_NO_MEMORY;
    1747           0 :                         goto out;
    1748             :                 }
    1749             : 
    1750          32 :                 status = cli_resolve_path(ctx, "", ctx->creds, ctx->cli,
    1751             :                                           mask2, &item->targetcli, &targetpath);
    1752             : 
    1753          32 :                 if (!NT_STATUS_IS_OK(status)) {
    1754           0 :                         DBG_ERR("error failed to resolve: %s\n",
    1755             :                                 nt_errstr(status));
    1756           0 :                         goto out;
    1757             :                 }
    1758             : 
    1759          32 :                 item->targetpath = sanitize_dirname(ctx, targetpath);
    1760          32 :                 if (!item->targetpath) {
    1761           0 :                         status = NT_STATUS_NO_MEMORY;
    1762           0 :                         goto out;
    1763             :                 }
    1764             : 
    1765          32 :                 if (write_dacl(ctx,
    1766             :                                item->targetcli,
    1767          32 :                                item->targetpath, unresolved) != EXIT_OK) {
    1768           0 :                         status = NT_STATUS_UNSUCCESSFUL;
    1769             :                         /*
    1770             :                          * cli_list happily ignores error encountered
    1771             :                          * when processing the callback so we need
    1772             :                          * to save any error status encountered while
    1773             :                          * processing directories (so we can stop recursing
    1774             :                          * those as soon as possible).
    1775             :                          * Changing the current behaviour of the callback
    1776             :                          * handling by cli_list would be I think be too
    1777             :                          * risky.
    1778             :                          */
    1779           0 :                         ctx->status = status;
    1780           0 :                         goto out;
    1781             :                 }
    1782             : 
    1783          32 :                 DLIST_ADD_END(ctx->list, item);
    1784             : 
    1785             :         } else {
    1786          48 :                 unresolved = sanitize_dirname(ctx, ctx->dir->dirname);
    1787          48 :                 if (!unresolved) {
    1788           0 :                         status = NT_STATUS_NO_MEMORY;
    1789           0 :                         goto out;
    1790             :                 }
    1791             : 
    1792          48 :                 unresolved = talloc_asprintf(ctx, "%s%s", unresolved, f->name);
    1793             : 
    1794          48 :                 if (!unresolved) {
    1795           0 :                         status = NT_STATUS_NO_MEMORY;
    1796           0 :                         goto out;
    1797             :                 }
    1798             :                 /*
    1799             :                  * build full path to the file and replace '/' with '\' so
    1800             :                  * other utility functions can deal with it
    1801             :                  */
    1802             : 
    1803          48 :                 targetpath = talloc_asprintf(ctx, "%s%s", mask2, f->name);
    1804             : 
    1805          48 :                 if (!targetpath) {
    1806           0 :                         status = NT_STATUS_NO_MEMORY;
    1807           0 :                         goto out;
    1808             :                 }
    1809             : 
    1810          48 :                 if (write_dacl(ctx,
    1811          48 :                                ctx->dir->targetcli,
    1812             :                                targetpath, unresolved) != EXIT_OK) {
    1813           0 :                         status = NT_STATUS_UNSUCCESSFUL;
    1814             :                         /*
    1815             :                          * cli_list happily ignores error encountered
    1816             :                          * when processing the callback so we need
    1817             :                          * to save any error status encountered while
    1818             :                          * processing directories (so we can stop recursing
    1819             :                          * those as soon as possible).
    1820             :                          * Changing the current behaviour of the callback
    1821             :                          * handling by cli_list would be I think be too
    1822             :                          * risky.
    1823             :                          */
    1824           0 :                         ctx->status = status;
    1825           0 :                         goto out;
    1826             :                 }
    1827             :         }
    1828          80 :         status = NT_STATUS_OK;
    1829         176 : out:
    1830         176 :         if (!NT_STATUS_IS_OK(status)) {
    1831           0 :                 DBG_ERR("error %s: processing %s\n",
    1832             :                         nt_errstr(status), targetpath);
    1833             :         }
    1834         176 :         return status;
    1835             : }
    1836             : 
    1837             : /*
    1838             :  * dump_ctx contains a list of directories to be processed
    1839             :  *    + each directory 'dir' is scanned by cli_list, the cli_list
    1840             :  *      callback 'cacl_dump_dacl_cb' writes out the dacl of each
    1841             :  *      child of 'dir' (regardless of whether it is a dir or file)
    1842             :  *      to the restore/save file. Additionally any directories encountered
    1843             :  *      are returned in the passed in dump_ctx->list member
    1844             :  *    + the directory list returned from cli_list is passed and processed
    1845             :  *      by recursively calling dump_dacl_dirtree
    1846             :  *
    1847             :  */
    1848          64 : static int dump_dacl_dirtree(struct dump_context *dump_ctx)
    1849             : {
    1850          64 :         struct diritem *item = NULL;
    1851          64 :         struct dump_context *new_dump_ctx = NULL;
    1852             :         int result;
    1853         112 :         for (item = dump_ctx->list; item; item = item->next) {
    1854          48 :                 uint16_t attribute = FILE_ATTRIBUTE_DIRECTORY
    1855             :                     | FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN;
    1856             :                 NTSTATUS status;
    1857          48 :                 char *mask = NULL;
    1858             : 
    1859          48 :                 new_dump_ctx = talloc_zero(dump_ctx, struct dump_context);
    1860             : 
    1861          48 :                 if (new_dump_ctx == NULL) {
    1862           0 :                         DBG_ERR("out of memory\n");
    1863           0 :                         result = EXIT_FAILED;
    1864           0 :                         goto out;
    1865             :                 }
    1866             : 
    1867          48 :                 if (item->targetcli == NULL) {
    1868          16 :                         status = cli_resolve_path(new_dump_ctx,
    1869             :                                                   "",
    1870             :                                                   dump_ctx->creds,
    1871             :                                                   dump_ctx->cli,
    1872          16 :                                                   item->dirname,
    1873             :                                                   &item->targetcli,
    1874             :                                                   &item->targetpath);
    1875          16 :                         if (!NT_STATUS_IS_OK(status)) {
    1876           0 :                                 DBG_ERR("failed to resolve path %s "
    1877             :                                         "error: %s\n",
    1878             :                                         item->dirname, nt_errstr(status));
    1879           0 :                                 result = EXIT_FAILED;
    1880           0 :                                 goto out;
    1881             :                         }
    1882             :                 }
    1883          48 :                 new_dump_ctx->creds = dump_ctx->creds;
    1884          48 :                 new_dump_ctx->save_fd = dump_ctx->save_fd;
    1885          48 :                 new_dump_ctx->stats = dump_ctx->stats;
    1886          48 :                 new_dump_ctx->dir = item;
    1887          48 :                 new_dump_ctx->cli = item->targetcli;
    1888             : 
    1889          48 :                 mask = talloc_asprintf(new_dump_ctx, "%s*",
    1890          48 :                                        new_dump_ctx->dir->targetpath);
    1891          48 :                 status = cli_list(new_dump_ctx->dir->targetcli,
    1892             :                                   mask,
    1893             :                                   attribute, cacl_dump_dacl_cb, new_dump_ctx);
    1894             : 
    1895          48 :                 if (!NT_STATUS_IS_OK(status) ||
    1896          48 :                     !NT_STATUS_IS_OK(new_dump_ctx->status)) {
    1897             :                         NTSTATUS tmpstatus;
    1898           0 :                         if (!NT_STATUS_IS_OK(status)) {
    1899             :                                 /*
    1900             :                                  * cli_list failed for some reason
    1901             :                                  * so we need to update the failure stat
    1902             :                                  */
    1903           0 :                                 new_dump_ctx->stats->failure += 1;
    1904           0 :                                 tmpstatus = status;
    1905             :                         } else {
    1906             :                                 /* cacl_dump_dacl_cb should have updated stat */
    1907           0 :                                 tmpstatus = new_dump_ctx->status;
    1908             :                         }
    1909           0 :                         DBG_ERR("error %s: processing %s\n",
    1910             :                                 nt_errstr(tmpstatus), item->dirname);
    1911           0 :                         result = EXIT_FAILED;
    1912           0 :                         goto out;
    1913             :                 }
    1914          48 :                 result = dump_dacl_dirtree(new_dump_ctx);
    1915          48 :                 if (result != EXIT_OK) {
    1916           0 :                         goto out;
    1917             :                 }
    1918             :         }
    1919             : 
    1920          64 :         result = EXIT_OK;
    1921          64 : out:
    1922          64 :         TALLOC_FREE(new_dump_ctx);
    1923          64 :         return result;
    1924             : }
    1925             : 
    1926          32 : static int cacl_dump_dacl(struct cli_state *cli,
    1927             :                           struct cli_credentials *creds,
    1928             :                           char *filename)
    1929             : {
    1930             :         int fileattr;
    1931          32 :         char *mask = NULL;
    1932          32 :         TALLOC_CTX *ctx = NULL;
    1933          32 :         bool isdirectory = false;
    1934             :         int result;
    1935          32 :         struct dump_context *dump_ctx = NULL;
    1936          32 :         struct save_restore_stats stats = {0};
    1937          32 :         struct diritem *item = NULL;
    1938          32 :         struct cli_state *targetcli = NULL;
    1939          32 :         char *targetpath = NULL;
    1940             :         NTSTATUS status;
    1941             : 
    1942          32 :         ctx = talloc_init("cacl_dump");
    1943          32 :         if (ctx == NULL) {
    1944           0 :                 DBG_ERR("out of memory\n");
    1945           0 :                 result = EXIT_FAILED;
    1946           0 :                 goto out;
    1947             :         }
    1948             : 
    1949          32 :         dump_ctx = talloc_zero(ctx, struct dump_context);
    1950          32 :         if (dump_ctx == NULL) {
    1951           0 :                 DBG_ERR("out of memory\n");
    1952           0 :                 result = EXIT_FAILED;
    1953           0 :                 goto out;
    1954             :         }
    1955             : 
    1956          32 :         dump_ctx->save_fd = open(save_file,
    1957             :                                  O_CREAT | O_RDWR | O_TRUNC, S_IRUSR | S_IWUSR);
    1958             : 
    1959          32 :         if (dump_ctx->save_fd < 0) {
    1960           0 :                 result = EXIT_FAILED;
    1961           0 :                 goto out;
    1962             :         }
    1963             : 
    1964          32 :         dump_ctx->creds = creds;
    1965          32 :         dump_ctx->cli = cli;
    1966          32 :         dump_ctx->stats = &stats;
    1967             : 
    1968             :         /* ensure we have a filename that starts with '\' */
    1969          32 :         if (!filename || *filename != DIRSEP_CHAR) {
    1970             :                 /* illegal or no filename */
    1971           0 :                 result = EXIT_FAILED;
    1972           0 :                 DBG_ERR("illegal or missing name '%s'\n", filename);
    1973           0 :                 goto out;
    1974             :         }
    1975             : 
    1976          32 :         status = cli_resolve_path(dump_ctx, "",
    1977             :                                   dump_ctx->creds,
    1978             :                                   dump_ctx->cli,
    1979             :                                   filename, &targetcli, &targetpath);
    1980          32 :         if (!NT_STATUS_IS_OK(status)) {
    1981           0 :                 DBG_ERR("failed resolve %s\n", filename);
    1982           0 :                 result = EXIT_FAILED;
    1983           0 :                 goto out;
    1984             :         }
    1985             : 
    1986          32 :         fileattr = get_fileinfo(targetcli, targetpath);
    1987          32 :         isdirectory = (fileattr & FILE_ATTRIBUTE_DIRECTORY)
    1988             :             == FILE_ATTRIBUTE_DIRECTORY;
    1989             : 
    1990             :         /*
    1991             :          * if we've got as far as here then we have already evaluated
    1992             :          * the args.
    1993             :          */
    1994          32 :         if (test_args) {
    1995           0 :                 result = EXIT_OK;
    1996           0 :                 goto out;
    1997             :         }
    1998             : 
    1999          32 :         mask = NULL;
    2000             :         /* make sure we have a trailing '\*' for directory */
    2001          32 :         if (!isdirectory) {
    2002           0 :                 mask = talloc_strdup(ctx, filename);
    2003          32 :         } else if (strlen(filename) > 1) {
    2004          32 :                 mask = sanitize_dirname(ctx, filename);
    2005             :         } else {
    2006             :                 /* filename is a single '\' */
    2007           0 :                 mask = talloc_strdup(ctx, filename);
    2008             :         }
    2009          32 :         if (!mask) {
    2010           0 :                 result = EXIT_FAILED;
    2011           0 :                 goto out;
    2012             :         }
    2013             : 
    2014          32 :         write_dacl(dump_ctx, targetcli, targetpath, filename);
    2015          32 :         if (isdirectory && recurse) {
    2016          16 :                 item = talloc_zero(dump_ctx, struct diritem);
    2017          16 :                 if (!item) {
    2018           0 :                         result = EXIT_FAILED;
    2019           0 :                         goto out;
    2020             :                 }
    2021          16 :                 item->dirname = mask;
    2022          16 :                 DLIST_ADD_END(dump_ctx->list, item);
    2023          16 :                 dump_dacl_dirtree(dump_ctx);
    2024             :         }
    2025             : 
    2026          32 :         fprintf(stdout, "Successfully processed %d files: "
    2027             :                 "Failed processing %d files\n",
    2028          32 :                 dump_ctx->stats->success, dump_ctx->stats->failure);
    2029          32 :         result = EXIT_OK;
    2030          32 : out:
    2031          32 :         if (dump_ctx && dump_ctx->save_fd > 0) {
    2032          32 :                 close(dump_ctx->save_fd);
    2033             :         }
    2034          32 :         TALLOC_FREE(ctx);
    2035          32 :         return result;
    2036             : }
    2037             : 
    2038             : struct restore_dacl {
    2039             :         const char *path;
    2040             :         struct security_descriptor *sd;
    2041             : };
    2042             : 
    2043             : /*
    2044             :  * Restore dacls from 'savefile' produced by
    2045             :  * 'icacls name /save' or 'smbcacls --save'
    2046             :  */
    2047           8 : static int cacl_restore(struct cli_state *cli,
    2048             :                         struct cli_credentials *creds,
    2049             :                         bool numeric, const char *restorefile)
    2050             : {
    2051             :         int restore_fd;
    2052             :         int result;
    2053           8 :         struct save_restore_stats stats = { 0 };
    2054             : 
    2055           8 :         char **lines = NULL;
    2056           8 :         char *content = NULL;
    2057           8 :         char *convert_content = NULL;
    2058             :         size_t content_size;
    2059           8 :         struct restore_dacl *entries = NULL;
    2060           8 :         int numlines, i = 0;
    2061             :         bool ok;
    2062           8 :         struct dom_sid *sid = NULL;
    2063             : 
    2064           8 :         if (restorefile == NULL) {
    2065           0 :                 DBG_ERR("No restore file specified\n");
    2066           0 :                 result = EXIT_FAILED;
    2067           0 :                 goto out;
    2068             :         }
    2069             : 
    2070           8 :         if (test_args) {
    2071           0 :                 result = EXIT_OK;
    2072           0 :                 goto out;
    2073             :         }
    2074             : 
    2075           8 :         restore_fd = open(restorefile, O_RDONLY, S_IRUSR | S_IWUSR);
    2076           8 :         if (restore_fd < 0) {
    2077           0 :                 DBG_ERR("Failed to open %s.\n", restorefile);
    2078           0 :                 result = EXIT_FAILED;
    2079           0 :                 goto out;
    2080             :         }
    2081             : 
    2082           8 :         content = fd_load(restore_fd, &content_size, 0, talloc_tos());
    2083             : 
    2084           8 :         close(restore_fd);
    2085             : 
    2086           8 :         if (content == NULL) {
    2087           0 :                 DBG_ERR("Failed to load content from %s.\n", restorefile);
    2088           0 :                 result = EXIT_FAILED;
    2089           0 :                 goto out;
    2090             :         }
    2091             : 
    2092           8 :         ok = convert_string_talloc(talloc_tos(),
    2093             :                                    CH_UTF16,
    2094             :                                    CH_UNIX,
    2095             :                                    content,
    2096             :                                    utf16_len_n(content, content_size),
    2097             :                                    (void **)(void *)&convert_content,
    2098             :                                    &content_size);
    2099             : 
    2100           8 :         TALLOC_FREE(content);
    2101             : 
    2102           8 :         if (!ok) {
    2103           0 :                 DBG_ERR("Failed to convert content from %s "
    2104             :                         "to CH_UNIX.\n", restorefile);
    2105           0 :                 result = EXIT_FAILED;
    2106           0 :                 goto out;
    2107             :         }
    2108             : 
    2109           8 :         lines = file_lines_parse(convert_content,
    2110             :                                  content_size, &numlines, talloc_tos());
    2111             : 
    2112           8 :         if (lines == NULL) {
    2113           0 :                 DBG_ERR("Failed to parse lines from content of %s.",
    2114             :                         restorefile);
    2115           0 :                 result = EXIT_FAILED;
    2116           0 :                 goto out;
    2117             :         }
    2118             : 
    2119           8 :         entries = talloc_zero_array(lines, struct restore_dacl, numlines / 2);
    2120             : 
    2121           8 :         if (entries == NULL) {
    2122           0 :                 DBG_ERR("error processing %s, out of memory\n", restorefile);
    2123           0 :                 result = EXIT_FAILED;
    2124           0 :                 goto out;
    2125             :         }
    2126             : 
    2127           8 :         sid = get_domain_sid(cli);
    2128             : 
    2129          64 :         while (i < numlines) {
    2130          56 :                 int index = i / 2;
    2131          56 :                 int first_line = (i % 2) == 0;
    2132             : 
    2133          56 :                 if (first_line) {
    2134          28 :                         char *tmp = NULL;
    2135          28 :                         tmp = lines[i];
    2136             :                         /* line can be blank if root of share */
    2137          28 :                         if (strlen(tmp) == 0) {
    2138           0 :                                 entries[index].path = talloc_strdup(lines,
    2139             :                                                                     "\\");
    2140             :                         } else {
    2141          28 :                                 entries[index].path = lines[i];
    2142             :                         }
    2143             :                 } else {
    2144          28 :                         const char *msg = NULL;
    2145          28 :                         size_t msg_offset = 0;
    2146          28 :                         enum ace_condition_flags flags =
    2147             :                                 ACE_CONDITION_FLAG_ALLOW_DEVICE;
    2148          56 :                         entries[index].sd = sddl_decode_err_msg(lines,
    2149          28 :                                                                 lines[i],
    2150             :                                                                 sid,
    2151             :                                                                 flags,
    2152             :                                                                 &msg,
    2153             :                                                                 &msg_offset);
    2154          28 :                         if(entries[index].sd == NULL) {
    2155           0 :                                 DBG_ERR("could not decode '%s'\n", lines[i]);
    2156           0 :                                 if (msg != NULL) {
    2157           0 :                                         DBG_ERR("                  %*c\n",
    2158             :                                                 (int)msg_offset, '^');
    2159           0 :                                         DBG_ERR("error '%s'\n", msg);
    2160             :                                 }
    2161           0 :                                 result = EXIT_FAILED;
    2162           0 :                                 goto out;
    2163             :                         }
    2164          28 :                         entries[index].sd->type |=
    2165             :                             SEC_DESC_DACL_AUTO_INHERIT_REQ;
    2166          28 :                         entries[index].sd->type |= SEC_DESC_SACL_AUTO_INHERITED;
    2167             :                 }
    2168          56 :                 i++;
    2169             :         }
    2170          36 :         for (i = 0; i < (numlines / 2); i++) {
    2171          28 :                 int mode = SMB_ACL_SET;
    2172             :                 int set_result;
    2173          28 :                 struct cli_state *targetcli = NULL;
    2174          28 :                 char *targetpath = NULL;
    2175             :                 NTSTATUS status;
    2176             : 
    2177             :                 /* check for dfs */
    2178          28 :                 status = cli_resolve_path(talloc_tos(),
    2179             :                                           "",
    2180             :                                           creds,
    2181             :                                           cli,
    2182          28 :                                           entries[i].path,
    2183             :                                           &targetcli, &targetpath);
    2184             : 
    2185          28 :                 if (!NT_STATUS_IS_OK(status)) {
    2186           0 :                         printf("Error failed to process file: %s\n",
    2187           0 :                                entries[i].path);
    2188           0 :                         stats.failure += 1;
    2189           0 :                         continue;
    2190             :                 }
    2191             : 
    2192          28 :                 set_result = cacl_set_from_sd(targetcli,
    2193             :                                               targetpath,
    2194          28 :                                               entries[i].sd, mode, numeric);
    2195             : 
    2196          28 :                 if (set_result == EXIT_OK) {
    2197          28 :                         printf("Successfully processed file: %s\n",
    2198          28 :                                entries[i].path);
    2199          28 :                         stats.success += 1;
    2200             :                 } else {
    2201           0 :                         printf("Error failed to process file: %s\n",
    2202           0 :                                entries[i].path);
    2203           0 :                         stats.failure += 1;
    2204             :                 }
    2205             :         }
    2206             : 
    2207           8 :         result = EXIT_OK;
    2208           8 : out:
    2209           8 :         TALLOC_FREE(lines);
    2210           8 :         fprintf(stdout, "Successfully processed %d files: "
    2211             :                 "Failed processing %d files\n", stats.success, stats.failure);
    2212           8 :         return result;
    2213             : }
    2214             : 
    2215             : /****************************************************************************
    2216             :   main program
    2217             : ****************************************************************************/
    2218        2114 : int main(int argc, char *argv[])
    2219             : {
    2220        2114 :         const char **argv_const = discard_const_p(const char *, argv);
    2221             :         char *share;
    2222             :         int opt;
    2223        2114 :         enum acl_mode mode = SMB_ACL_SET;
    2224             :         static char *the_acl = NULL;
    2225        2114 :         enum chown_mode change_mode = REQUEST_NONE;
    2226             :         int result;
    2227             :         char *path;
    2228        2114 :         char *filename = NULL;
    2229             :         poptContext pc;
    2230             :         /* numeric is set when the user wants numeric SIDs and ACEs rather
    2231             :            than going via LSA calls to resolve them */
    2232        2114 :         int numeric = 0;
    2233        2114 :         struct cli_state *targetcli = NULL;
    2234        2114 :         struct cli_credentials *creds = NULL;
    2235        2114 :         char *targetfile = NULL;
    2236             :         NTSTATUS status;
    2237             :         bool ok;
    2238        2114 :         struct loadparm_context *lp_ctx = NULL;
    2239             : 
    2240       12684 :         struct poptOption long_options[] = {
    2241             :                 POPT_AUTOHELP
    2242             :                 {
    2243             :                         .longName   = "delete",
    2244             :                         .shortName  = 'D',
    2245             :                         .argInfo    = POPT_ARG_STRING,
    2246             :                         .arg        = NULL,
    2247             :                         .val        = 'D',
    2248             :                         .descrip    = "Delete an acl",
    2249             :                         .argDescrip = "ACL",
    2250             :                 },
    2251             :                 {
    2252             :                         .longName   = "modify",
    2253             :                         .shortName  = 'M',
    2254             :                         .argInfo    = POPT_ARG_STRING,
    2255             :                         .arg        = NULL,
    2256             :                         .val        = 'M',
    2257             :                         .descrip    = "Modify an acl",
    2258             :                         .argDescrip = "ACL",
    2259             :                 },
    2260             :                 {
    2261             :                         .longName   = "add",
    2262             :                         .shortName  = 'a',
    2263             :                         .argInfo    = POPT_ARG_STRING,
    2264             :                         .arg        = NULL,
    2265             :                         .val        = 'a',
    2266             :                         .descrip    = "Add an acl",
    2267             :                         .argDescrip = "ACL",
    2268             :                 },
    2269             :                 {
    2270             :                         .longName   = "set",
    2271             :                         .shortName  = 'S',
    2272             :                         .argInfo    = POPT_ARG_STRING,
    2273             :                         .arg        = NULL,
    2274             :                         .val        = 'S',
    2275             :                         .descrip    = "Set acls",
    2276             :                         .argDescrip = "ACLS",
    2277             :                 },
    2278             :                 {
    2279             :                         .longName   = "chown",
    2280             :                         .shortName  = 'C',
    2281             :                         .argInfo    = POPT_ARG_STRING,
    2282             :                         .arg        = NULL,
    2283             :                         .val        = 'C',
    2284             :                         .descrip    = "Change ownership of a file",
    2285             :                         .argDescrip = "USERNAME",
    2286             :                 },
    2287             :                 {
    2288             :                         .longName   = "chgrp",
    2289             :                         .shortName  = 'G',
    2290             :                         .argInfo    = POPT_ARG_STRING,
    2291             :                         .arg        = NULL,
    2292             :                         .val        = 'G',
    2293             :                         .descrip    = "Change group ownership of a file",
    2294             :                         .argDescrip = "GROUPNAME",
    2295             :                 },
    2296             :                 {
    2297             :                         .longName   = "inherit",
    2298             :                         .shortName  = 'I',
    2299             :                         .argInfo    = POPT_ARG_STRING,
    2300             :                         .arg        = NULL,
    2301             :                         .val        = 'I',
    2302             :                         .descrip    = "Inherit allow|remove|copy",
    2303             :                 },
    2304             :                 {
    2305             :                         .longName   = "propagate-inheritance",
    2306             :                         .shortName  = 0,
    2307             :                         .argInfo    = POPT_ARG_NONE,
    2308             :                         .arg        = &inheritance,
    2309             :                         .val        = 1,
    2310             :                         .descrip    = "Supports propagation of inheritable ACE(s) when used in conjunction with add, delete, set or modify",
    2311             :                 },
    2312             :                 {
    2313             :                         .longName   = "save",
    2314             :                         .shortName  = 0,
    2315             :                         .argInfo    = POPT_ARG_STRING,
    2316             :                         .arg        = &save_file,
    2317             :                         .val        = 1,
    2318             :                         .descrip    = "stores the DACLs in sddl format of the "
    2319             :                                       "specified file or folder for later use "
    2320             :                                       "with restore. SACLS, owner or integrity"
    2321             :                                       " labels are not stored",
    2322             :                 },
    2323             :                 {
    2324             :                         .longName   = "restore",
    2325             :                         .shortName  = 0,
    2326             :                         .argInfo    = POPT_ARG_STRING,
    2327             :                         .arg        = &restore_file,
    2328             :                         .val        = 1,
    2329             :                         .descrip    = "applies the stored DACLS to files in "
    2330             :                                       "directory.",
    2331             :                 },
    2332             :                 {
    2333             :                         .longName   = "recurse",
    2334             :                         .shortName  = 0,
    2335             :                         .argInfo    = POPT_ARG_NONE,
    2336             :                         .arg        = &recurse,
    2337             :                         .val        = 1,
    2338             :                         .descrip    = "indicates the operation is performed "
    2339             :                                       "on directory and all files/directories"
    2340             :                                       " below. (only applies to save option)",
    2341             :                 },
    2342             :                 {
    2343             :                         .longName   = "numeric",
    2344             :                         .shortName  = 0,
    2345             :                         .argInfo    = POPT_ARG_NONE,
    2346             :                         .arg        = &numeric,
    2347             :                         .val        = 1,
    2348             :                         .descrip    = "Don't resolve sids or masks to names",
    2349             :                 },
    2350             :                 {
    2351             :                         .longName   = "sddl",
    2352             :                         .shortName  = 0,
    2353             :                         .argInfo    = POPT_ARG_NONE,
    2354             :                         .arg        = &sddl,
    2355             :                         .val        = 1,
    2356             :                         .descrip    = "Output and input acls in sddl format",
    2357             :                 },
    2358             :                 {
    2359             :                         .longName   = "query-security-info",
    2360             :                         .shortName  = 0,
    2361             :                         .argInfo    = POPT_ARG_INT,
    2362             :                         .arg        = &query_sec_info,
    2363             :                         .val        = 1,
    2364             :                         .descrip    = "The security-info flags for queries"
    2365             :                 },
    2366             :                 {
    2367             :                         .longName   = "set-security-info",
    2368             :                         .shortName  = 0,
    2369             :                         .argInfo    = POPT_ARG_INT,
    2370             :                         .arg        = &set_sec_info,
    2371             :                         .val        = 1,
    2372             :                         .descrip    = "The security-info flags for modifications"
    2373             :                 },
    2374             :                 {
    2375             :                         .longName   = "test-args",
    2376             :                         .shortName  = 't',
    2377             :                         .argInfo    = POPT_ARG_NONE,
    2378             :                         .arg        = &test_args,
    2379             :                         .val        = 1,
    2380             :                         .descrip    = "Test arguments"
    2381             :                 },
    2382             :                 {
    2383             :                         .longName   = "domain-sid",
    2384             :                         .shortName  = 0,
    2385             :                         .argInfo    = POPT_ARG_STRING,
    2386             :                         .arg        = &domain_sid,
    2387             :                         .val        = 0,
    2388             :                         .descrip    = "Domain SID for sddl",
    2389             :                         .argDescrip = "SID"},
    2390             :                 {
    2391             :                         .longName   = "maximum-access",
    2392             :                         .shortName  = 'x',
    2393             :                         .argInfo    = POPT_ARG_NONE,
    2394             :                         .arg        = NULL,
    2395             :                         .val        = 'x',
    2396             :                         .descrip    = "Query maximum permissions",
    2397             :                 },
    2398        2114 :                 POPT_COMMON_SAMBA
    2399        2114 :                 POPT_COMMON_CONNECTION
    2400        2114 :                 POPT_COMMON_CREDENTIALS
    2401        2114 :                 POPT_LEGACY_S3
    2402        2114 :                 POPT_COMMON_VERSION
    2403             :                 POPT_TABLEEND
    2404             :         };
    2405             : 
    2406             :         struct cli_state *cli;
    2407        2114 :         TALLOC_CTX *frame = talloc_stackframe();
    2408        2114 :         const char *owner_username = "";
    2409             :         char *server;
    2410             : 
    2411        2114 :         smb_init_locale();
    2412             : 
    2413        2114 :         ok = samba_cmdline_init(frame,
    2414             :                                 SAMBA_CMDLINE_CONFIG_CLIENT,
    2415             :                                 false /* require_smbconf */);
    2416        2114 :         if (!ok) {
    2417           0 :                 DBG_ERR("Failed to init cmdline parser!\n");
    2418           0 :                 TALLOC_FREE(frame);
    2419           0 :                 exit(1);
    2420             :         }
    2421        2114 :         lp_ctx = samba_cmdline_get_lp_ctx();
    2422             :         /* set default debug level to 1 regardless of what smb.conf sets */
    2423        2114 :         lpcfg_set_cmdline(lp_ctx, "log level", "1");
    2424             : 
    2425        2114 :         setlinebuf(stdout);
    2426             : 
    2427        2114 :         pc = samba_popt_get_context(getprogname(),
    2428             :                                     argc,
    2429             :                                     argv_const,
    2430             :                                     long_options,
    2431             :                                     0);
    2432        2114 :         if (pc == NULL) {
    2433           0 :                 DBG_ERR("Failed to setup popt context!\n");
    2434           0 :                 TALLOC_FREE(frame);
    2435           0 :                 exit(1);
    2436             :         }
    2437             : 
    2438        2114 :         poptSetOtherOptionHelp(pc, "//server1/share1 filename\nACLs look like: "
    2439             :                 "'ACL:user:[ALLOWED|DENIED]/flags/permissions'");
    2440             : 
    2441        3780 :         while ((opt = poptGetNextOpt(pc)) != -1) {
    2442        1626 :                 switch (opt) {
    2443          92 :                 case 'S':
    2444          92 :                         the_acl = smb_xstrdup(poptGetOptArg(pc));
    2445          92 :                         mode = SMB_ACL_SET;
    2446          92 :                         break;
    2447             : 
    2448          66 :                 case 'D':
    2449          66 :                         the_acl = smb_xstrdup(poptGetOptArg(pc));
    2450          66 :                         mode = SMB_ACL_DELETE;
    2451          66 :                         break;
    2452             : 
    2453         932 :                 case 'M':
    2454         932 :                         the_acl = smb_xstrdup(poptGetOptArg(pc));
    2455         932 :                         mode = SMB_ACL_MODIFY;
    2456         932 :                         break;
    2457             : 
    2458         284 :                 case 'a':
    2459         284 :                         the_acl = smb_xstrdup(poptGetOptArg(pc));
    2460         284 :                         mode = SMB_ACL_ADD;
    2461         284 :                         break;
    2462             : 
    2463          36 :                 case 'C':
    2464          36 :                         owner_username = poptGetOptArg(pc);
    2465          36 :                         change_mode = REQUEST_CHOWN;
    2466          36 :                         break;
    2467             : 
    2468           4 :                 case 'G':
    2469           4 :                         owner_username = poptGetOptArg(pc);
    2470           4 :                         change_mode = REQUEST_CHGRP;
    2471           4 :                         break;
    2472             : 
    2473          18 :                 case 'I':
    2474          18 :                         owner_username = poptGetOptArg(pc);
    2475          18 :                         change_mode = REQUEST_INHERIT;
    2476          18 :                         break;
    2477           0 :                 case 'm':
    2478           0 :                         lpcfg_set_cmdline(lp_ctx, "client max protocol", poptGetOptArg(pc));
    2479           0 :                         break;
    2480           4 :                 case 'x':
    2481           4 :                         want_mxac = true;
    2482           4 :                         break;
    2483           0 :                 case POPT_ERROR_BADOPT:
    2484           0 :                         fprintf(stderr, "\nInvalid option %s: %s\n\n",
    2485             :                                 poptBadOption(pc, 0), poptStrerror(opt));
    2486           0 :                         poptPrintUsage(pc, stderr, 0);
    2487           0 :                         exit(1);
    2488             :                 }
    2489             :         }
    2490        2114 :         if (inheritance && !the_acl) {
    2491           0 :                 poptPrintUsage(pc, stderr, 0);
    2492           0 :                 return -1;
    2493             :         }
    2494             : 
    2495        2114 :         if(!poptPeekArg(pc)) {
    2496           0 :                 poptPrintUsage(pc, stderr, 0);
    2497           0 :                 return -1;
    2498             :         }
    2499             : 
    2500        2114 :         path = talloc_strdup(frame, poptGetArg(pc));
    2501        2114 :         if (!path) {
    2502           0 :                 return -1;
    2503             :         }
    2504             : 
    2505        2114 :         if (strncmp(path, "\\\\", 2) && strncmp(path, "//", 2)) {
    2506           0 :                 printf("Invalid argument: %s\n", path);
    2507           0 :                 return -1;
    2508             :         }
    2509             : 
    2510        2114 :         if(!poptPeekArg(pc)) {
    2511           0 :                 poptPrintUsage(pc, stderr, 0);
    2512           0 :                 return -1;
    2513             :         }
    2514             : 
    2515        2114 :         filename = talloc_strdup(frame, poptGetArg(pc));
    2516        2114 :         if (!filename) {
    2517           0 :                 return -1;
    2518             :         }
    2519             : 
    2520        2114 :         poptFreeContext(pc);
    2521        2114 :         samba_cmdline_burn(argc, argv);
    2522             : 
    2523        2114 :         string_replace(path,'/','\\');
    2524             : 
    2525        2114 :         server = talloc_strdup(frame, path+2);
    2526        2114 :         if (!server) {
    2527           0 :                 return -1;
    2528             :         }
    2529        2114 :         share = strchr_m(server,'\\');
    2530        2114 :         if (share == NULL) {
    2531           0 :                 printf("Invalid argument\n");
    2532           0 :                 return -1;
    2533             :         }
    2534             : 
    2535        2114 :         *share = 0;
    2536        2114 :         share++;
    2537             : 
    2538        2114 :         creds = samba_cmdline_get_creds();
    2539             : 
    2540             :         /* Make connection to server */
    2541        2114 :         if (!test_args) {
    2542        2114 :                 cli = connect_one(creds, server, share);
    2543        2114 :                 if (!cli) {
    2544           0 :                         exit(EXIT_FAILED);
    2545             :                 }
    2546             :         } else {
    2547           0 :                 exit(0);
    2548             :         }
    2549             : 
    2550        2114 :         string_replace(filename, '/', '\\');
    2551        2114 :         if (filename[0] != '\\') {
    2552        2106 :                 filename = talloc_asprintf(frame,
    2553             :                                 "\\%s",
    2554             :                                 filename);
    2555        2106 :                 if (!filename) {
    2556           0 :                         return -1;
    2557             :                 }
    2558             :         }
    2559             : 
    2560        2114 :         status = cli_resolve_path(frame,
    2561             :                                   "",
    2562             :                                   creds,
    2563             :                                   cli,
    2564             :                                   filename,
    2565             :                                   &targetcli,
    2566             :                                   &targetfile);
    2567        2114 :         if (!NT_STATUS_IS_OK(status)) {
    2568           0 :                 DEBUG(0,("cli_resolve_path failed for %s! (%s)\n", filename, nt_errstr(status)));
    2569           0 :                 return -1;
    2570             :         }
    2571             : 
    2572             :         /* Perform requested action */
    2573             : 
    2574        2114 :         if (change_mode == REQUEST_INHERIT) {
    2575          18 :                 result = inherit(targetcli, targetfile, owner_username);
    2576        2096 :         } else if (change_mode != REQUEST_NONE) {
    2577          40 :                 result = owner_set(targetcli, change_mode, targetfile, owner_username);
    2578        2056 :         } else if (the_acl) {
    2579        1374 :                 if (inheritance) {
    2580         122 :                         struct cacl_callback_state cbstate = {
    2581             :                                 .creds = creds,
    2582             :                                 .cli = targetcli,
    2583             :                                 .mode = mode,
    2584             :                                 .the_acl = the_acl,
    2585             :                                 .numeric = numeric,
    2586             :                         };
    2587         122 :                         result = inheritance_cacl_set(targetfile, &cbstate);
    2588             :                 } else {
    2589        1252 :                         result =  cacl_set(targetcli,
    2590             :                                            targetfile,
    2591             :                                            the_acl,
    2592             :                                            mode,
    2593             :                                            numeric);
    2594             :                 }
    2595             :         } else {
    2596         682 :                 if (save_file || restore_file) {
    2597          40 :                         sddl = 1;
    2598          40 :                         if (save_file) {
    2599          32 :                                 result = cacl_dump_dacl(cli, creds, filename);
    2600             :                         } else {
    2601           8 :                                 result = cacl_restore(targetcli,
    2602             :                                                       creds,
    2603             :                                                       numeric, restore_file);
    2604             :                         }
    2605             :                 } else {
    2606         642 :                         result = cacl_dump(targetcli, targetfile, numeric);
    2607             :                 }
    2608             :         }
    2609             : 
    2610        2114 :         gfree_all();
    2611        2114 :         TALLOC_FREE(frame);
    2612             : 
    2613        2114 :         return result;
    2614             : }

Generated by: LCOV version 1.14