summaryrefslogtreecommitdiff
path: root/python/samba/netcmd/dsacl.py
blob: 9046763841556a43b443fcd0d67e5ba2e0f0d7fa (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
# Manipulate ACLs on directory objects
#
# Copyright (C) Nadezhda Ivanova <nivanova@samba.org> 2010
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

import samba.getopt as options
from samba.dcerpc import security
from samba.samdb import SamDB
from samba.ndr import ndr_unpack, ndr_pack
from samba.dcerpc.security import (
    GUID_DRS_ALLOCATE_RIDS, GUID_DRS_CHANGE_DOMAIN_MASTER,
    GUID_DRS_CHANGE_INFR_MASTER, GUID_DRS_CHANGE_PDC,
    GUID_DRS_CHANGE_RID_MASTER, GUID_DRS_CHANGE_SCHEMA_MASTER,
    GUID_DRS_GET_CHANGES, GUID_DRS_GET_ALL_CHANGES,
    GUID_DRS_GET_FILTERED_ATTRIBUTES, GUID_DRS_MANAGE_TOPOLOGY,
    GUID_DRS_MONITOR_TOPOLOGY, GUID_DRS_REPL_SYNCRONIZE,
    GUID_DRS_RO_REPL_SECRET_SYNC)


import ldb
from ldb import SCOPE_BASE
import re

from samba.auth import system_session
from samba.netcmd import (
    Command,
    CommandError,
    SuperCommand,
    Option,
)



class cmd_dsacl_set(Command):
    """Modify access list on a directory object."""

    synopsis = "%prog [options]"
    car_help = """ The access control right to allow or deny """

    takes_optiongroups = {
        "sambaopts": options.SambaOptions,
        "credopts": options.CredentialsOptions,
        "versionopts": options.VersionOptions,
    }

    takes_options = [
        Option("-H", "--URL", help="LDB URL for database or target server",
               type=str, metavar="URL", dest="H"),
        Option("--car", type="choice", choices=["change-rid",
                                                "change-pdc",
                                                "change-infrastructure",
                                                "change-schema",
                                                "change-naming",
                                                "allocate_rids",
                                                "get-changes",
                                                "get-changes-all",
                                                "get-changes-filtered",
                                                "topology-manage",
                                                "topology-monitor",
                                                "repl-sync",
                                                "ro-repl-secret-sync"],
               help=car_help),
        Option("--action", type="choice", choices=["allow", "deny"],
               help="""Deny or allow access"""),
        Option("--objectdn", help="DN of the object whose SD to modify",
            type="string"),
        Option("--trusteedn", help="DN of the entity that gets access",
            type="string"),
        Option("--sddl", help="An ACE or group of ACEs to be added on the object",
            type="string"),
    ]

    def find_trustee_sid(self, samdb, trusteedn):
        res = samdb.search(base=trusteedn, expression="(objectClass=*)",
            scope=SCOPE_BASE)
        assert(len(res) == 1)
        return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])

    def modify_descriptor(self, samdb, object_dn, desc, controls=None):
        assert(isinstance(desc, security.descriptor))
        m = ldb.Message()
        m.dn = ldb.Dn(samdb, object_dn)
        m["nTSecurityDescriptor"]= ldb.MessageElement(
                (ndr_pack(desc)), ldb.FLAG_MOD_REPLACE,
                "nTSecurityDescriptor")
        samdb.modify(m)

    def read_descriptor(self, samdb, object_dn):
        res = samdb.search(base=object_dn, scope=SCOPE_BASE,
                attrs=["nTSecurityDescriptor"])
        # we should theoretically always have an SD
        assert(len(res) == 1)
        desc = res[0]["nTSecurityDescriptor"][0]
        return ndr_unpack(security.descriptor, desc)

    def get_domain_sid(self, samdb):
        res = samdb.search(base=samdb.domain_dn(),
                expression="(objectClass=*)", scope=SCOPE_BASE)
        return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])

    def add_ace(self, samdb, object_dn, new_ace):
        """Add new ace explicitly."""
        desc = self.read_descriptor(samdb, object_dn)
        desc_sddl = desc.as_sddl(self.get_domain_sid(samdb))
        #TODO add bindings for descriptor manipulation and get rid of this
        desc_aces = re.findall("\(.*?\)", desc_sddl)
        for ace in desc_aces:
            if ("ID" in ace):
                desc_sddl = desc_sddl.replace(ace, "")
        if new_ace in desc_sddl:
            return
        if desc_sddl.find("(") >= 0:
            desc_sddl = desc_sddl[:desc_sddl.index("(")] + new_ace + desc_sddl[desc_sddl.index("("):]
        else:
            desc_sddl = desc_sddl + new_ace
        desc = security.descriptor.from_sddl(desc_sddl, self.get_domain_sid(samdb))
        self.modify_descriptor(samdb, object_dn, desc)

    def print_new_acl(self, samdb, object_dn):
        desc = self.read_descriptor(samdb, object_dn)
        desc_sddl = desc.as_sddl(self.get_domain_sid(samdb))
        self.outf.write("new descriptor for %s:\n" % object_dn)
        self.outf.write(desc_sddl + "\n")

    def run(self, car, action, objectdn, trusteedn, sddl,
            H=None, credopts=None, sambaopts=None, versionopts=None):
        lp = sambaopts.get_loadparm()
        creds = credopts.get_credentials(lp)

        if sddl is None and (car is None or action is None
                             or objectdn is None or trusteedn is None):
            return self.usage()

        samdb = SamDB(url=H, session_info=system_session(),
            credentials=creds, lp=lp)
        cars = {'change-rid' : GUID_DRS_CHANGE_RID_MASTER,
                'change-pdc' : GUID_DRS_CHANGE_PDC,
                'change-infrastructure' : GUID_DRS_CHANGE_INFR_MASTER,
                'change-schema' : GUID_DRS_CHANGE_SCHEMA_MASTER,
                'change-naming' : GUID_DRS_CHANGE_DOMAIN_MASTER,
                'allocate_rids' : GUID_DRS_ALLOCATE_RIDS,
                'get-changes' : GUID_DRS_GET_CHANGES,
                'get-changes-all' : GUID_DRS_GET_ALL_CHANGES,
                'get-changes-filtered' : GUID_DRS_GET_FILTERED_ATTRIBUTES,
                'topology-manage' : GUID_DRS_MANAGE_TOPOLOGY,
                'topology-monitor' : GUID_DRS_MONITOR_TOPOLOGY,
                'repl-sync' : GUID_DRS_REPL_SYNCRONIZE,
                'ro-repl-secret-sync' : GUID_DRS_RO_REPL_SECRET_SYNC,
                }
        sid = self.find_trustee_sid(samdb, trusteedn)
        if sddl:
            new_ace = sddl
        elif action == "allow":
            new_ace = "(OA;;CR;%s;;%s)" % (cars[car], str(sid))
        elif action == "deny":
            new_ace = "(OD;;CR;%s;;%s)" % (cars[car], str(sid))
        else:
            raise CommandError("Wrong argument '%s'!" % action)

        self.print_new_acl(samdb, objectdn)
        self.add_ace(samdb, objectdn, new_ace)
        self.print_new_acl(samdb, objectdn)


class cmd_dsacl(SuperCommand):
    """DS ACLs manipulation."""

    subcommands = {}
    subcommands["set"] = cmd_dsacl_set()