Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

388 lines
10 KiB

/*--
Copyright (c) 1996-1997 Microsoft Corporation
Module Name:
dacls.c
Abstract:
Extended version of cacls.exe
Author:
14-Dec-1996 (macm)
Environment:
User mode only.
Requires ANSI C extensions: slash-slash comments, long external names.
Revision History:
--*/
#include <windows.h>
#include <caclscom.h>
#include <dsysdbg.h>
#include <stdio.h>
#include <aclapi.h>
#define CMD_PRESENT(index, list) ((list)[index].iIndex != -1)
#define NO_INHERIT_ONLY
//
// Enumeration of command tags
//
typedef enum _CMD_TAGS {
CmdTree = 0,
CmdEdit,
CmdContinue,
CmdGrant,
CmdRevoke,
CmdReplace,
CmdDeny,
CmdICont,
CmdIObj,
#ifndef NO_INHERIT_ONLY
CmdIOnly,
#endif
CmdIProp
} CMD_TAGS, *PCMD_TAGS;
VOID
Usage (
IN PCACLS_STR_RIGHTS pStrRights,
IN INT cStrRights,
IN PCACLS_CMDLINE pCmdVals
)
/*++
Routine Description:
Displays the expected usage
Arguments:
Return Value:
VOID
--*/
{
INT i;
printf("Displays or modifies access control lists (ACLs) of files\n\n");
printf("DACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]\n");
printf(" [/P user:perm [...]] [/D user [...]]\n");
printf(" filename Displays ACLs.\n");
printf(" /%s Changes ACLs of specified files in\n", pCmdVals[CmdTree].pszSwitch);
printf(" the current directory and all subdirectories.\n");
printf(" /%s Edit ACL instead of replacing it.\n", pCmdVals[CmdEdit].pszSwitch);
printf(" /%s Continue on access denied errors.\n", pCmdVals[CmdContinue].pszSwitch);
printf(" /%s user:perms Grant specified user access rights .\n", pCmdVals[CmdGrant].pszSwitch);
printf(" /%s user Revoke specified user's access rights (only valid with /E).\n", pCmdVals[CmdRevoke].pszSwitch);
printf(" /%s user:perms Replace specified user's access rights.\n", pCmdVals[CmdReplace].pszSwitch);
printf(" /%s user:perms Deny specified user access.\n", pCmdVals[CmdDeny].pszSwitch);
printf(" /%s Mark the ace as CONTAINER_INHERIT (folder or directory inherit)\n", pCmdVals[CmdICont].pszSwitch);
printf(" /%s Mark the ace as OBJECT_INHERIT\n", pCmdVals[CmdIObj].pszSwitch);
#ifndef NO_INHERIT_ONLY
printf(" /%s Mark the ace as INHERIT_ONLY\n", pCmdVals[CmdIOnly].pszSwitch);
#endif
printf(" /%s Mark the ace as INHERIT_NO_PROPAGATE\n", pCmdVals[CmdIProp].pszSwitch);
printf("The list of supported perms for the Grant and Replace operations are:\n");
for (i = 0; i < cStrRights; i++) {
printf(" %c%c %s\n",
pStrRights[i].szRightsTag[0],
pStrRights[i].szRightsTag[1],
pStrRights[i].pszDisplayTag);
}
printf("\nMultiple perms can be specified per user\n");
printf("Wildcards can be used to specify more that one file in a command.\n");
printf("You can specify more than one user in a command.\n\n");
printf("Example: DACLS c:\\temp /G user1:GRGW user2:SDRC\n");
}
INT
__cdecl main (
int argc,
char *argv[])
/*++
Routine Description:
The main the for this executable
Arguments:
argc - Count of arguments
argv - List of arguments
Return Value:
VOID
--*/
{
DWORD dwErr = 0;
CACLS_STR_RIGHTS pStrRights[] = {
"NA", 0, "No Access",
"GR", GENERIC_READ, "Read",
"GC", GENERIC_WRITE, "Change (write)",
"GF", GENERIC_ALL, "Full control",
"SD", DELETE, "Delete",
"RC", READ_CONTROL, "Read Control",
"WP", WRITE_DAC, "Write DAC",
"WO", WRITE_OWNER, "Write Owner",
"RD", FILE_READ_DATA, "Read Data (on file) / List Directory (on Dir)",
"WD", FILE_WRITE_DATA, "Write Data (on file) / Add File (on Dir)",
"AD", FILE_APPEND_DATA, "Append Data (on file) / Add SubDir (on Dir)",
"FE", FILE_EXECUTE, "Execute (on file) / Traverse (on Dir)",
"DC", FILE_DELETE_CHILD, "Delete Child (on Dir only)",
"RA", FILE_READ_ATTRIBUTES, "Read Attributes",
"WA", FILE_WRITE_ATTRIBUTES, "Write Attributes",
"RE", FILE_READ_EA, "Read Extended Attributes",
"WE", FILE_WRITE_EA, "Write Extended Attributes"
};
INT cStrRights = sizeof(pStrRights) / sizeof(CACLS_STR_RIGHTS);
CACLS_CMDLINE pCmdVals[] = {
"T", -1, FALSE, 0, // CmdTree
"E", -1, FALSE, 0, // CmdEdit
"C", -1, FALSE, 0, // CmdContinue
"G", -1, TRUE, 0, // CmdGrant
"R", -1, TRUE, 0, // CmdRevoke
"P", -1, TRUE, 0, // CmdReplace
"D", -1, TRUE, 0, // CmdDeny
"F", -1, FALSE, 0, // CmdICont
"O", -1, FALSE, 0, // CmdIObj
#ifndef NO_INHERIT_ONLY
"I", -1, FALSE, 0, // CmdIOnly
#endif
"N", -1, FALSE, 0, // CmdIProp
};
INT cCmdVals = sizeof(pCmdVals) / sizeof(CACLS_CMDLINE);
INT i;
PSECURITY_DESCRIPTOR pInitialSD = NULL, pFinalSD;
PACL pOldAcl = NULL, pNewAcl = NULL;
DWORD fInherit = 0;
BOOL fFreeAcl = FALSE;
if (argc < 2) {
Usage(pStrRights, cStrRights, pCmdVals);
return(1);
} else if (argc == 2 && (strcmp(argv[1], "-?") == 0 || strcmp(argv[1], "/?") == 0)) {
Usage(pStrRights, cStrRights, pCmdVals);
return(0);
}
//
// Parse the command line
//
dwErr = ParseCmdline(argv, argc, 2, pCmdVals, cCmdVals);
if (dwErr != ERROR_SUCCESS) {
Usage(pStrRights, cStrRights, pCmdVals);
return(1);
}
//
// Set our inheritance flags
//
if (CMD_PRESENT(CmdICont, pCmdVals)) {
fInherit |= CONTAINER_INHERIT_ACE;
}
if (CMD_PRESENT(CmdIObj, pCmdVals)) {
fInherit |= OBJECT_INHERIT_ACE;
}
#ifndef NO_INHERIT_ONLY
if (CMD_PRESENT(CmdIOnly, pCmdVals)) {
fInherit |= INHERIT_ONLY_ACE;
}
#endif
if (CMD_PRESENT(CmdIProp, pCmdVals)) {
fInherit |= NO_PROPAGATE_INHERIT_ACE;
}
//
// Ok, see if we need to read the existing security
//
if (CMD_PRESENT(CmdEdit, pCmdVals) || argc == 2) {
dwErr = GetNamedSecurityInfoA(argv[1], SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
NULL, NULL, &pOldAcl, NULL, &pInitialSD);
if (dwErr != ERROR_SUCCESS) {
fprintf(stderr, "Failed to read the security off of %s: %lu\n", argv[1], dwErr);
}
}
//
// Either display the existing access or do the sets as requested
//
if (dwErr == ERROR_SUCCESS && argc == 2) {
dwErr = DisplayAcl ( argv[1], pOldAcl, pStrRights, cStrRights );
} else {
//
// Ok, first we do the revokes
//
if (dwErr == ERROR_SUCCESS && CMD_PRESENT(CmdRevoke, pCmdVals)) {
//
// Make sure we've read it first...
//
if (CMD_PRESENT(CmdEdit, pCmdVals)) {
dwErr = ProcessOperation( argv, &pCmdVals[CmdRevoke], REVOKE_ACCESS, pStrRights,
cStrRights, fInherit, pOldAcl, &pNewAcl );
if (dwErr == ERROR_SUCCESS) {
pOldAcl = pNewAcl;
}
} else {
dwErr = ERROR_INVALID_PARAMETER;
}
}
//
// Then the grants
//
if (dwErr == ERROR_SUCCESS && CMD_PRESENT(CmdGrant, pCmdVals)) {
//
// First, see if we need to free the old acl on completion
//
if (pOldAcl == pNewAcl) {
fFreeAcl = TRUE;
}
dwErr = ProcessOperation(argv, &pCmdVals[CmdGrant], GRANT_ACCESS, pStrRights,
cStrRights, 0, pOldAcl, &pNewAcl);
if (dwErr == ERROR_SUCCESS) {
if (fFreeAcl == TRUE) {
LocalFree(pOldAcl);
}
pOldAcl = pNewAcl;
//
// Now set it and optionally propagate it
//
dwErr = SetAndPropagateFileRights(argv[1], pNewAcl, DACL_SECURITY_INFORMATION,
CMD_PRESENT(CmdTree, pCmdVals),
CMD_PRESENT(CmdContinue, pCmdVals), TRUE,
fInherit);
}
}
//
// Finally, the denieds
//
if (dwErr == ERROR_SUCCESS && CMD_PRESENT(CmdDeny, pCmdVals)) {
//
// First, see if we need to free the old acl on completion
//
if (pOldAcl == pNewAcl) {
fFreeAcl = TRUE;
}
dwErr = ProcessOperation(argv, &pCmdVals[CmdDeny], DENY_ACCESS, pStrRights,
cStrRights, 0, pOldAcl, &pNewAcl);
if (dwErr == ERROR_SUCCESS) {
if (fFreeAcl == TRUE) {
LocalFree(pOldAcl);
}
pOldAcl = pNewAcl;
//
// Now set it and optionally propagate it
//
dwErr = SetAndPropagateFileRights(argv[1], pNewAcl, DACL_SECURITY_INFORMATION,
CMD_PRESENT(CmdTree, pCmdVals),
CMD_PRESENT(CmdContinue, pCmdVals), FALSE,
fInherit);
}
}
//
// Finally, do the set if it hasn't already been done
//
if (dwErr == ERROR_SUCCESS && !CMD_PRESENT(CmdGrant, pCmdVals) &&
!CMD_PRESENT(CmdDeny, pCmdVals)) {
dwErr = SetAndPropagateFileRights(argv[1], pNewAcl, DACL_SECURITY_INFORMATION,
CMD_PRESENT(CmdTree, pCmdVals),
CMD_PRESENT(CmdContinue, pCmdVals), FALSE,
fInherit);
}
if (dwErr == ERROR_INVALID_PARAMETER) {
Usage(pStrRights, cStrRights, pCmdVals);
}
LocalFree(pInitialSD);
}
LocalFree(pOldAcl);
if(dwErr == ERROR_SUCCESS) {
printf("The command completed successfully\n");
} else {
printf("The command failed with an error %lu\n", dwErr);
}
return(dwErr == 0 ? 0 : 1);
}