Exemple #1
0
static NTSTATUS cmd_lsa_remove_acct_rights(struct cli_state *cli, 
					TALLOC_CTX *mem_ctx, int argc, 
					const char **argv) 
{
	POLICY_HND dom_pol;
	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;

	DOM_SID sid;

	if (argc < 3 ) {
		printf("Usage: %s SID [rights...]\n", argv[0]);
		return NT_STATUS_OK;
	}

	result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
	if (!NT_STATUS_IS_OK(result))
		goto done;	

	result = cli_lsa_open_policy2(cli, mem_ctx, True, 
				     SEC_RIGHTS_MAXIMUM_ALLOWED,
				     &dom_pol);

	if (!NT_STATUS_IS_OK(result))
		goto done;

	result = cli_lsa_remove_account_rights(cli, mem_ctx, &dom_pol, sid, 
					       False, argc-2, argv+2);

	if (!NT_STATUS_IS_OK(result))
		goto done;

 done:
	return result;
}
Exemple #2
0
static NTSTATUS cmd_lsa_enum_privsaccounts(struct rpc_pipe_client *cli, 
                                           TALLOC_CTX *mem_ctx, int argc, 
                                           const char **argv) 
{
	struct policy_handle dom_pol;
	struct policy_handle user_pol;
	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
	uint32 access_desired = 0x000f000f;
	DOM_SID sid;
	struct lsa_PrivilegeSet *privs = NULL;
	int i;

	if (argc != 2 ) {
		printf("Usage: %s SID\n", argv[0]);
		return NT_STATUS_OK;
	}

	result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
	if (!NT_STATUS_IS_OK(result))
		goto done;	

	result = rpccli_lsa_open_policy2(cli, mem_ctx, True, 
				     SEC_FLAG_MAXIMUM_ALLOWED,
				     &dom_pol);

	if (!NT_STATUS_IS_OK(result))
		goto done;

	result = rpccli_lsa_OpenAccount(cli, mem_ctx,
					&dom_pol,
					&sid,
					access_desired,
					&user_pol);

	if (!NT_STATUS_IS_OK(result))
		goto done;

	result = rpccli_lsa_EnumPrivsAccount(cli, mem_ctx,
					     &user_pol,
					     &privs);

	if (!NT_STATUS_IS_OK(result))
		goto done;

	/* Print results */
	printf("found %d privileges for SID %s\n\n", privs->count, argv[1]);
	printf("high\tlow\tattribute\n");

	for (i = 0; i < privs->count; i++) {
		printf("%u\t%u\t%u\n",
			privs->set[i].luid.high,
			privs->set[i].luid.low,
			privs->set[i].attribute);
	}

	rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
 done:
	return result;
}
Exemple #3
0
static NTSTATUS cmd_lsa_remove_acct_rights(struct rpc_pipe_client *cli, 
					TALLOC_CTX *mem_ctx, int argc, 
					const char **argv) 
{
	struct policy_handle dom_pol;
	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
	struct lsa_RightSet rights;
	DOM_SID sid;
	int i;

	if (argc < 3 ) {
		printf("Usage: %s SID [rights...]\n", argv[0]);
		return NT_STATUS_OK;
	}

	result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
	if (!NT_STATUS_IS_OK(result))
		goto done;	

	result = rpccli_lsa_open_policy2(cli, mem_ctx, True, 
				     SEC_FLAG_MAXIMUM_ALLOWED,
				     &dom_pol);

	if (!NT_STATUS_IS_OK(result))
		goto done;

	rights.count = argc-2;
	rights.names = TALLOC_ARRAY(mem_ctx, struct lsa_StringLarge,
				    rights.count);
	if (!rights.names) {
		return NT_STATUS_NO_MEMORY;
	}

	for (i=0; i<argc-2; i++) {
		init_lsa_StringLarge(&rights.names[i], argv[i+2]);
	}

	result = rpccli_lsa_RemoveAccountRights(cli, mem_ctx,
						&dom_pol,
						&sid,
						false,
						&rights);

	if (!NT_STATUS_IS_OK(result))
		goto done;

	rpccli_lsa_Close(cli, mem_ctx, &dom_pol);

 done:
	return result;
}
Exemple #4
0
static NTSTATUS cmd_lsa_enum_privsaccounts(struct cli_state *cli, 
                                           TALLOC_CTX *mem_ctx, int argc, 
                                           const char **argv) 
{
	POLICY_HND dom_pol;
	POLICY_HND user_pol;
	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
	uint32 access_desired = 0x000f000f;
	
	DOM_SID sid;
	uint32 count=0;
	LUID_ATTR *set;
	int i;

	if (argc != 2 ) {
		printf("Usage: %s SID\n", argv[0]);
		return NT_STATUS_OK;
	}

	result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
	if (!NT_STATUS_IS_OK(result))
		goto done;	

	result = cli_lsa_open_policy2(cli, mem_ctx, True, 
				     SEC_RIGHTS_MAXIMUM_ALLOWED,
				     &dom_pol);

	if (!NT_STATUS_IS_OK(result))
		goto done;

	result = cli_lsa_open_account(cli, mem_ctx, &dom_pol, &sid, access_desired, &user_pol);

	if (!NT_STATUS_IS_OK(result))
		goto done;

	result = cli_lsa_enum_privsaccount(cli, mem_ctx, &user_pol, &count, &set);

	if (!NT_STATUS_IS_OK(result))
		goto done;

	/* Print results */
	printf("found %d privileges for SID %s\n\n", count, argv[1]);
	printf("high\tlow\tattribute\n");

	for (i = 0; i < count; i++) {
		printf("%u\t%u\t%u\n", set[i].luid.high, set[i].luid.low, set[i].attr);
	}

 done:
	return result;
}
Exemple #5
0
static NTSTATUS rpc_rights_list_internal( const DOM_SID *domain_sid, const char *domain_name, 
                            struct cli_state *cli, TALLOC_CTX *mem_ctx, 
                            int argc, const char **argv )
{
	POLICY_HND pol;
	NTSTATUS result;
	DOM_SID sid;
	
	result = cli_lsa_open_policy(cli, mem_ctx, True, 
		SEC_RIGHTS_MAXIMUM_ALLOWED, &pol);

	if ( !NT_STATUS_IS_OK(result) )
		return result;
		
	switch (argc) {
	case 0:
		result = enum_privileges( mem_ctx, cli, &pol );
		break;
			
	case 1:
		/* special case to enuemrate all privileged SIDs 
		   with associated rights */
		
		if ( strequal( argv[0], "accounts" ) ) {
			result = enum_privileges_for_accounts( mem_ctx, cli, &pol );
		}
		else {

			result = name_to_sid(cli, mem_ctx, &sid, argv[0]);
			if (!NT_STATUS_IS_OK(result))
				goto done;	
			result = enum_privileges_for_user( mem_ctx, cli, &pol, &sid );
		}
		break;
			
	default:		
		if ( argc > 1 ) {
			d_printf("Usage: net rpc rights list [name|SID]\n");
			result = NT_STATUS_OK;
		}
	}

	


done:
	cli_lsa_close(cli, mem_ctx, &pol);

	return result;
}
Exemple #6
0
static NTSTATUS cmd_lsa_enum_acct_rights(struct rpc_pipe_client *cli, 
					 TALLOC_CTX *mem_ctx, int argc, 
					 const char **argv) 
{
	struct policy_handle dom_pol;
	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
	DOM_SID sid;
	struct lsa_RightSet rights;

	int i;

	if (argc != 2 ) {
		printf("Usage: %s SID\n", argv[0]);
		return NT_STATUS_OK;
	}

	result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
	if (!NT_STATUS_IS_OK(result))
		goto done;	

	result = rpccli_lsa_open_policy2(cli, mem_ctx, True, 
				     SEC_FLAG_MAXIMUM_ALLOWED,
				     &dom_pol);

	if (!NT_STATUS_IS_OK(result))
		goto done;

	result = rpccli_lsa_EnumAccountRights(cli, mem_ctx,
					      &dom_pol,
					      &sid,
					      &rights);

	if (!NT_STATUS_IS_OK(result))
		goto done;

	printf("found %d privileges for SID %s\n", rights.count,
	       sid_string_tos(&sid));

	for (i = 0; i < rights.count; i++) {
		printf("\t%s\n", rights.names[i].string);
	}

	rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
 done:
	return result;
}
Exemple #7
0
static NTSTATUS cmd_lsa_create_account(struct rpc_pipe_client *cli, 
                                           TALLOC_CTX *mem_ctx, int argc, 
                                           const char **argv) 
{
	struct policy_handle dom_pol;
	struct policy_handle user_pol;
	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
	uint32 des_access = 0x000f000f;

	DOM_SID sid;

	if (argc != 2 ) {
		printf("Usage: %s SID\n", argv[0]);
		return NT_STATUS_OK;
	}

	result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
	if (!NT_STATUS_IS_OK(result))
		goto done;	

	result = rpccli_lsa_open_policy2(cli, mem_ctx, True, 
				     SEC_FLAG_MAXIMUM_ALLOWED,
				     &dom_pol);

	if (!NT_STATUS_IS_OK(result))
		goto done;

	result = rpccli_lsa_CreateAccount(cli, mem_ctx,
					  &dom_pol,
					  &sid,
					  des_access,
					  &user_pol);

	if (!NT_STATUS_IS_OK(result))
		goto done;

	printf("Account for SID %s successfully created\n\n", argv[1]);
	result = NT_STATUS_OK;

	rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
 done:
	return result;
}
Exemple #8
0
static NTSTATUS rpc_rights_revoke_internal( const DOM_SID *domain_sid, const char *domain_name, 
                              struct cli_state *cli, TALLOC_CTX *mem_ctx, 
                              int argc, const char **argv )
{
	POLICY_HND dom_pol;
	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;

	DOM_SID sid;

	if (argc < 2 ) {
		d_printf("Usage: net rpc rights revoke <name|SID> <rights...>\n");
		return NT_STATUS_OK;
	}

	result = name_to_sid(cli, mem_ctx, &sid, argv[0]);
	if (!NT_STATUS_IS_OK(result))
		return result;	

	result = cli_lsa_open_policy2(cli, mem_ctx, True, 
				     SEC_RIGHTS_MAXIMUM_ALLOWED,
				     &dom_pol);

	if (!NT_STATUS_IS_OK(result))
		return result;	

	result = cli_lsa_remove_account_rights(cli, mem_ctx, &dom_pol, sid, 
					       False, argc-1, argv+1);

	if (!NT_STATUS_IS_OK(result))
		goto done;

	d_printf("Successfully revoked rights.\n");

done:
	if ( !NT_STATUS_IS_OK(result) ) {
		d_printf("Failed to revoke privileges for %s (%s)", 
			argv[0], nt_errstr(result));
	}
	
	cli_lsa_close(cli, mem_ctx, &dom_pol);

	return result;
}	
Exemple #9
0
static NTSTATUS cmd_lsa_enum_acct_rights(struct cli_state *cli, 
					 TALLOC_CTX *mem_ctx, int argc, 
					 const char **argv) 
{
	POLICY_HND dom_pol;
	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;

	DOM_SID sid;
	uint32 count;
	char **rights;

	int i;

	if (argc != 2 ) {
		printf("Usage: %s SID\n", argv[0]);
		return NT_STATUS_OK;
	}

	result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
	if (!NT_STATUS_IS_OK(result))
		goto done;	

	result = cli_lsa_open_policy2(cli, mem_ctx, True, 
				     SEC_RIGHTS_MAXIMUM_ALLOWED,
				     &dom_pol);

	if (!NT_STATUS_IS_OK(result))
		goto done;

	result = cli_lsa_enum_account_rights(cli, mem_ctx, &dom_pol, &sid, &count, &rights);

	if (!NT_STATUS_IS_OK(result))
		goto done;

	printf("found %d privileges for SID %s\n", count, sid_string_static(&sid));

	for (i = 0; i < count; i++) {
		printf("\t%s\n", rights[i]);
	}

 done:
	return result;
}
Exemple #10
0
static NTSTATUS cmd_lsa_create_account(struct cli_state *cli, 
                                           TALLOC_CTX *mem_ctx, int argc, 
                                           const char **argv) 
{
	POLICY_HND dom_pol;
	POLICY_HND user_pol;
	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
	uint32 des_access = 0x000f000f;
	
	DOM_SID sid;

	if (argc != 2 ) {
		printf("Usage: %s SID\n", argv[0]);
		return NT_STATUS_OK;
	}

	result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
	if (!NT_STATUS_IS_OK(result))
		goto done;	

	result = cli_lsa_open_policy2(cli, mem_ctx, True, 
				     SEC_RIGHTS_MAXIMUM_ALLOWED,
				     &dom_pol);

	if (!NT_STATUS_IS_OK(result))
		goto done;

	result = cli_lsa_create_account(cli, mem_ctx, &dom_pol, &sid, des_access, &user_pol);

	if (!NT_STATUS_IS_OK(result))
		goto done;

	printf("Account for SID %s successfully created\n\n", argv[1]);
	result = NT_STATUS_OK;

 done:
	return result;
}
Exemple #11
0
static NTSTATUS cmd_lsa_del_priv(struct rpc_pipe_client *cli,
				 TALLOC_CTX *mem_ctx, int argc,
				 const char **argv)
{
	struct policy_handle dom_pol, user_pol;
	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
	struct lsa_PrivilegeSet privs;
	struct lsa_LUIDAttribute *set = NULL;
	DOM_SID sid;
	int i;

	ZERO_STRUCT(privs);

	if (argc < 3 ) {
		printf("Usage: %s SID [rights...]\n", argv[0]);
		return NT_STATUS_OK;
	}

	result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
	if (!NT_STATUS_IS_OK(result)) {
		goto done;
	}

	result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
					 SEC_FLAG_MAXIMUM_ALLOWED,
					 &dom_pol);

	if (!NT_STATUS_IS_OK(result)) {
		goto done;
	}

	result = rpccli_lsa_OpenAccount(cli, mem_ctx,
					&dom_pol,
					&sid,
					SEC_FLAG_MAXIMUM_ALLOWED,
					&user_pol);

	if (!NT_STATUS_IS_OK(result)) {
		goto done;
	}

	for (i=2; i<argc; i++) {

		struct lsa_String priv_name;
		struct lsa_LUID luid;

		init_lsa_String(&priv_name, argv[i]);

		result = rpccli_lsa_LookupPrivValue(cli, mem_ctx,
						    &dom_pol,
						    &priv_name,
						    &luid);
		if (!NT_STATUS_IS_OK(result)) {
			continue;
		}

		privs.count++;
		set = TALLOC_REALLOC_ARRAY(mem_ctx, set,
					   struct lsa_LUIDAttribute,
					   privs.count);
		if (!set) {
			return NT_STATUS_NO_MEMORY;
		}

		set[privs.count-1].luid = luid;
		set[privs.count-1].attribute = 0;
	}

	privs.set = set;


	result = rpccli_lsa_RemovePrivilegesFromAccount(cli, mem_ctx,
							&user_pol,
							false,
							&privs);

	if (!NT_STATUS_IS_OK(result)) {
		goto done;
	}

	rpccli_lsa_Close(cli, mem_ctx, &user_pol);
	rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
 done:
	return result;
}
Exemple #12
0
static NTSTATUS rpc_rights_revoke_internal(struct net_context *c,
					const DOM_SID *domain_sid,
					const char *domain_name,
					struct cli_state *cli,
					struct rpc_pipe_client *pipe_hnd,
					TALLOC_CTX *mem_ctx,
					int argc,
					const char **argv )
{
	struct policy_handle dom_pol;
	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
	struct lsa_RightSet rights;
	DOM_SID sid;
	int i;

	if (argc < 2 ) {
		d_printf(_("Usage: net rpc rights revoke <name|SID> "
			   "<rights...>\n"));
		return NT_STATUS_OK;
	}

	result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
	if (!NT_STATUS_IS_OK(result))
		return result;

	result = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, true,
				     SEC_FLAG_MAXIMUM_ALLOWED,
				     &dom_pol);

	if (!NT_STATUS_IS_OK(result))
		return result;

	rights.count = argc-1;
	rights.names = TALLOC_ARRAY(mem_ctx, struct lsa_StringLarge,
				    rights.count);
	if (!rights.names) {
		return NT_STATUS_NO_MEMORY;
	}

	for (i=0; i<argc-1; i++) {
		init_lsa_StringLarge(&rights.names[i], argv[i+1]);
	}

	result = rpccli_lsa_RemoveAccountRights(pipe_hnd, mem_ctx,
						&dom_pol,
						&sid,
						false,
						&rights);

	if (!NT_STATUS_IS_OK(result))
		goto done;

	d_printf(_("Successfully revoked rights.\n"));

done:
	if ( !NT_STATUS_IS_OK(result) ) {
		d_fprintf(stderr,_("Failed to revoke privileges for %s (%s)\n"),
			argv[0], nt_errstr(result));
	}

	rpccli_lsa_Close(pipe_hnd, mem_ctx, &dom_pol);

	return result;
}
Exemple #13
0
static NTSTATUS rpc_rights_list_internal(struct net_context *c,
					const DOM_SID *domain_sid,
					const char *domain_name,
					struct cli_state *cli,
					struct rpc_pipe_client *pipe_hnd,
					TALLOC_CTX *mem_ctx,
					int argc,
					const char **argv )
{
	struct policy_handle pol;
	NTSTATUS result;
	DOM_SID sid;
	fstring privname;
	struct lsa_String lsa_name;
	struct lsa_StringLarge *description = NULL;
	uint16 lang_id = 0;
	uint16 lang_id_sys = 0;
	uint16 lang_id_desc;

	result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
		SEC_FLAG_MAXIMUM_ALLOWED, &pol);

	if ( !NT_STATUS_IS_OK(result) )
		return result;

	/* backwards compatibility; just list available privileges if no arguement */

	if (argc == 0) {
		result = enum_privileges(pipe_hnd, mem_ctx, &pol );
		goto done;
	}

	if (strequal(argv[0], "privileges")) {
		int i = 1;

		if (argv[1] == NULL) {
			result = enum_privileges(pipe_hnd, mem_ctx, &pol );
			goto done;
		}

		while ( argv[i] != NULL ) {
			fstrcpy(privname, argv[i]);
			init_lsa_String(&lsa_name, argv[i]);
			i++;

			/* verify that this is a valid privilege for error reporting */
			result = rpccli_lsa_LookupPrivDisplayName(pipe_hnd, mem_ctx,
								  &pol,
								  &lsa_name,
								  lang_id,
								  lang_id_sys,
								  &description,
								  &lang_id_desc);

			if ( !NT_STATUS_IS_OK(result) ) {
				if ( NT_STATUS_EQUAL( result, NT_STATUS_NO_SUCH_PRIVILEGE ) ) 
					d_fprintf(stderr, _("No such privilege "
						  "exists: %s.\n"), privname);
				else
					d_fprintf(stderr, _("Error resolving "
						  "privilege display name "
						  "[%s].\n"),
						  nt_errstr(result));
				continue;
			}

			result = enum_accounts_for_privilege(pipe_hnd, mem_ctx, &pol, privname);
			if (!NT_STATUS_IS_OK(result)) {
				d_fprintf(stderr, _("Error enumerating "
					  "accounts for privilege %s [%s].\n"),
					  privname, nt_errstr(result));
				continue;
			}
		}
		goto done;
	}

	/* special case to enumerate all privileged SIDs with associated rights */

	if (strequal( argv[0], "accounts")) {
		int i = 1;

		if (argv[1] == NULL) {
			result = enum_privileges_for_accounts(pipe_hnd, mem_ctx, &pol);
			goto done;
		}

		while (argv[i] != NULL) {
			result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[i]);
			if (!NT_STATUS_IS_OK(result)) {
				goto done;
			}
			result = enum_privileges_for_user(pipe_hnd, mem_ctx, &pol, &sid);
			if (!NT_STATUS_IS_OK(result)) {
				goto done;
			}
			i++;
		}
		goto done;
	}

	/* backward comaptibility: if no keyword provided, treat the key
	   as an account name */
	if (argc > 1) {
		d_printf(_("Usage: net rpc rights list [[accounts|privileges] "
			   "[name|SID]]\n"));
		result = NT_STATUS_OK;
		goto done;
	}

	result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
	if (!NT_STATUS_IS_OK(result)) {
		goto done;
	}
	result = enum_privileges_for_user(pipe_hnd, mem_ctx, &pol, &sid );

done:
	rpccli_lsa_Close(pipe_hnd, mem_ctx, &pol);

	return result;
}
Exemple #14
0
static NTSTATUS rpc_rights_revoke_internal(struct net_context *c,
					const struct dom_sid *domain_sid,
					const char *domain_name,
					struct cli_state *cli,
					struct rpc_pipe_client *pipe_hnd,
					TALLOC_CTX *mem_ctx,
					int argc,
					const char **argv )
{
	struct policy_handle dom_pol;
	NTSTATUS status, result;
	struct lsa_RightSet rights;
	struct dom_sid sid;
	int i;
	struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;

	if (argc < 2 ) {
		d_printf("%s\n%s",
			 _("Usage:"),
			 _(" net rpc rights revoke <name|SID> <rights...>\n"));
		return NT_STATUS_OK;
	}

	status = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
	if (!NT_STATUS_IS_OK(status))
		return status;

	status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, true,
				     SEC_FLAG_MAXIMUM_ALLOWED,
				     &dom_pol);

	if (!NT_STATUS_IS_OK(status))
		return status;

	rights.count = argc-1;
	rights.names = talloc_array(mem_ctx, struct lsa_StringLarge,
				    rights.count);
	if (!rights.names) {
		return NT_STATUS_NO_MEMORY;
	}

	for (i=0; i<argc-1; i++) {
		init_lsa_StringLarge(&rights.names[i], argv[i+1]);
	}

	status = dcerpc_lsa_RemoveAccountRights(b, mem_ctx,
						&dom_pol,
						&sid,
						false,
						&rights,
						&result);
	if (!NT_STATUS_IS_OK(status))
		goto done;
	if (!NT_STATUS_IS_OK(result)) {
		status = result;
		goto done;
	}

	d_printf(_("Successfully revoked rights.\n"));

done:
	if ( !NT_STATUS_IS_OK(status) ) {
		d_fprintf(stderr,_("Failed to revoke privileges for %s (%s)\n"),
			argv[0], nt_errstr(status));
	}

	dcerpc_lsa_Close(b, mem_ctx, &dom_pol, &result);

	return status;
}