/usr/share/pyshared/samba/netcmd/dsacl.py is in python-samba 4.0.0~alpha18.dfsg1-4ubuntu2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 | #!/usr/bin/env python
#
# Manipulate ACLs on directory objects
#
# Copyright (C) Nadezhda Ivanova <nivanova@samba.org> 2010
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import samba.getopt as options
from samba.dcerpc import security
from samba.samdb import SamDB
from samba.ndr import ndr_unpack, ndr_pack
from samba.dcerpc.security import (
GUID_DRS_ALLOCATE_RIDS, GUID_DRS_CHANGE_DOMAIN_MASTER,
GUID_DRS_CHANGE_INFR_MASTER, GUID_DRS_CHANGE_PDC,
GUID_DRS_CHANGE_RID_MASTER, GUID_DRS_CHANGE_SCHEMA_MASTER,
GUID_DRS_GET_CHANGES, GUID_DRS_GET_ALL_CHANGES,
GUID_DRS_GET_FILTERED_ATTRIBUTES, GUID_DRS_MANAGE_TOPOLOGY,
GUID_DRS_MONITOR_TOPOLOGY, GUID_DRS_REPL_SYNCRONIZE,
GUID_DRS_RO_REPL_SECRET_SYNC)
import ldb
from ldb import SCOPE_BASE
import re
from samba.auth import system_session
from samba.netcmd import (
Command,
CommandError,
SuperCommand,
Option,
)
class cmd_dsacl_set(Command):
"""Modify access list on a directory object"""
synopsis = "%prog [options]"
car_help = """ The access control right to allow or deny """
takes_optiongroups = {
"sambaopts": options.SambaOptions,
"credopts": options.CredentialsOptions,
"versionopts": options.VersionOptions,
}
takes_options = [
Option("-H", "--URL", help="LDB URL for database or target server",
type=str, metavar="URL", dest="H"),
Option("--car", type="choice", choices=["change-rid",
"change-pdc",
"change-infrastructure",
"change-schema",
"change-naming",
"allocate_rids",
"get-changes",
"get-changes-all",
"get-changes-filtered",
"topology-manage",
"topology-monitor",
"repl-sync",
"ro-repl-secret-sync"],
help=car_help),
Option("--action", type="choice", choices=["allow", "deny"],
help="""Deny or allow access"""),
Option("--objectdn", help="DN of the object whose SD to modify",
type="string"),
Option("--trusteedn", help="DN of the entity that gets access",
type="string"),
Option("--sddl", help="An ACE or group of ACEs to be added on the object",
type="string"),
]
def find_trustee_sid(self, samdb, trusteedn):
res = samdb.search(base=trusteedn, expression="(objectClass=*)",
scope=SCOPE_BASE)
assert(len(res) == 1)
return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
def modify_descriptor(self, samdb, object_dn, desc, controls=None):
assert(isinstance(desc, security.descriptor))
m = ldb.Message()
m.dn = ldb.Dn(samdb, object_dn)
m["nTSecurityDescriptor"]= ldb.MessageElement(
(ndr_pack(desc)), ldb.FLAG_MOD_REPLACE,
"nTSecurityDescriptor")
samdb.modify(m)
def read_descriptor(self, samdb, object_dn):
res = samdb.search(base=object_dn, scope=SCOPE_BASE,
attrs=["nTSecurityDescriptor"])
# we should theoretically always have an SD
assert(len(res) == 1)
desc = res[0]["nTSecurityDescriptor"][0]
return ndr_unpack(security.descriptor, desc)
def get_domain_sid(self, samdb):
res = samdb.search(base=samdb.domain_dn(),
expression="(objectClass=*)", scope=SCOPE_BASE)
return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
def add_ace(self, samdb, object_dn, new_ace):
"""Add new ace explicitly."""
desc = self.read_descriptor(samdb, object_dn)
desc_sddl = desc.as_sddl(self.get_domain_sid(samdb))
#TODO add bindings for descriptor manipulation and get rid of this
desc_aces = re.findall("\(.*?\)", desc_sddl)
for ace in desc_aces:
if ("ID" in ace):
desc_sddl = desc_sddl.replace(ace, "")
if new_ace in desc_sddl:
return
if desc_sddl.find("(") >= 0:
desc_sddl = desc_sddl[:desc_sddl.index("(")] + new_ace + desc_sddl[desc_sddl.index("("):]
else:
desc_sddl = desc_sddl + new_ace
desc = security.descriptor.from_sddl(desc_sddl, self.get_domain_sid(samdb))
self.modify_descriptor(samdb, object_dn, desc)
def print_new_acl(self, samdb, object_dn):
desc = self.read_descriptor(samdb, object_dn)
desc_sddl = desc.as_sddl(self.get_domain_sid(samdb))
self.outf.write("new descriptor for %s:\n" % object_dn)
self.outf.write(desc_sddl + "\n")
def run(self, car, action, objectdn, trusteedn, sddl,
H=None, credopts=None, sambaopts=None, versionopts=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
if sddl is None and (car is None or action is None
or objectdn is None or trusteedn is None):
return self.usage()
samdb = SamDB(url=H, session_info=system_session(),
credentials=creds, lp=lp)
cars = {'change-rid' : GUID_DRS_CHANGE_RID_MASTER,
'change-pdc' : GUID_DRS_CHANGE_PDC,
'change-infrastructure' : GUID_DRS_CHANGE_INFR_MASTER,
'change-schema' : GUID_DRS_CHANGE_SCHEMA_MASTER,
'change-naming' : GUID_DRS_CHANGE_DOMAIN_MASTER,
'allocate_rids' : GUID_DRS_ALLOCATE_RIDS,
'get-changes' : GUID_DRS_GET_CHANGES,
'get-changes-all' : GUID_DRS_GET_ALL_CHANGES,
'get-changes-filtered' : GUID_DRS_GET_FILTERED_ATTRIBUTES,
'topology-manage' : GUID_DRS_MANAGE_TOPOLOGY,
'topology-monitor' : GUID_DRS_MONITOR_TOPOLOGY,
'repl-sync' : GUID_DRS_REPL_SYNCRONIZE,
'ro-repl-secret-sync' : GUID_DRS_RO_REPL_SECRET_SYNC,
}
sid = self.find_trustee_sid(samdb, trusteedn)
if sddl:
new_ace = sddl
elif action == "allow":
new_ace = "(OA;;CR;%s;;%s)" % (cars[car], str(sid))
elif action == "deny":
new_ace = "(OD;;CR;%s;;%s)" % (cars[car], str(sid))
else:
raise CommandError("Wrong argument '%s'!" % action)
self.print_new_acl(samdb, objectdn)
self.add_ace(samdb, objectdn, new_ace)
self.print_new_acl(samdb, objectdn)
class cmd_dsacl(SuperCommand):
"""DS ACLs manipulation"""
subcommands = {}
subcommands["set"] = cmd_dsacl_set()
|