OXIESEC PANEL

Name	Size	Modified	Perms
📁 ..	-	02/03/2022 06:37:41 AM	rwxr-xr-x
📄 __init__.py	7.89 KB	07/04/2017 10:05:25 AM	rw-r--r--
📄 __init__.pyc	8.33 KB	02/03/2022 06:37:40 AM	rw-r--r--
📄 common.py	2.38 KB	07/04/2017 10:05:25 AM	rw-r--r--
📄 common.pyc	2.28 KB	02/03/2022 06:37:40 AM	rw-r--r--
📄 dbcheck.py	6.49 KB	07/04/2017 10:05:25 AM	rw-r--r--
📄 dbcheck.pyc	5.25 KB	02/03/2022 06:37:40 AM	rw-r--r--
📄 delegation.py	10.88 KB	07/04/2017 10:05:25 AM	rw-r--r--
📄 delegation.pyc	9.22 KB	02/03/2022 06:37:40 AM	rw-r--r--
📄 dns.py	43.86 KB	11/02/2017 11:38:36 AM	rw-r--r--
📄 dns.pyc	38.13 KB	02/03/2022 06:37:40 AM	rw-r--r--
📄 domain.py	175.3 KB	07/04/2017 10:05:25 AM	rw-r--r--
📄 domain.pyc	108.8 KB	02/03/2022 06:37:40 AM	rw-r--r--
📄 drs.py	24.81 KB	07/04/2017 10:05:25 AM	rw-r--r--
📄 drs.pyc	22.57 KB	02/03/2022 06:37:40 AM	rw-r--r--
📄 dsacl.py	7.37 KB	07/04/2017 10:05:25 AM	rw-r--r--
📄 dsacl.pyc	6.67 KB	02/03/2022 06:37:40 AM	rw-r--r--
📄 fsmo.py	20.25 KB	07/04/2017 10:05:25 AM	rw-r--r--
📄 fsmo.pyc	14.39 KB	02/03/2022 06:37:41 AM	rw-r--r--
📄 gpo.py	39.7 KB	07/04/2017 10:05:25 AM	rw-r--r--
📄 gpo.pyc	33.57 KB	02/03/2022 06:37:41 AM	rw-r--r--
📄 group.py	18.49 KB	07/04/2017 10:05:25 AM	rw-r--r--
📄 group.pyc	16.74 KB	02/03/2022 06:37:41 AM	rw-r--r--
📄 ldapcmp.py	40.5 KB	07/04/2017 10:05:25 AM	rw-r--r--
📄 ldapcmp.pyc	31.22 KB	02/03/2022 06:37:41 AM	rw-r--r--
📄 main.py	2.31 KB	07/04/2017 10:05:25 AM	rw-r--r--
📄 main.pyc	2.22 KB	02/03/2022 06:37:41 AM	rw-r--r--
📄 nettime.py	1.96 KB	07/04/2017 10:05:25 AM	rw-r--r--
📄 nettime.pyc	1.81 KB	02/03/2022 06:37:41 AM	rw-r--r--
📄 ntacl.py	10.58 KB	07/04/2017 10:05:25 AM	rw-r--r--
📄 ntacl.pyc	9.65 KB	02/03/2022 06:37:41 AM	rw-r--r--
📄 processes.py	2.78 KB	07/04/2017 10:05:25 AM	rw-r--r--
📄 processes.pyc	2.08 KB	02/03/2022 06:37:41 AM	rw-r--r--
📄 rodc.py	5.76 KB	09/17/2017 07:15:34 PM	rw-r--r--
📄 rodc.pyc	5.61 KB	02/03/2022 06:37:41 AM	rw-r--r--
📄 sites.py	7.53 KB	07/04/2017 10:05:25 AM	rw-r--r--
📄 sites.pyc	7.2 KB	02/03/2022 06:37:41 AM	rw-r--r--
📄 spn.py	7.44 KB	07/04/2017 10:05:25 AM	rw-r--r--
📄 spn.pyc	6.08 KB	02/03/2022 06:37:41 AM	rw-r--r--
📄 testparm.py	8.26 KB	07/04/2017 10:05:25 AM	rw-r--r--
📄 testparm.pyc	6.14 KB	02/03/2022 06:37:41 AM	rw-r--r--
📄 user.py	104.51 KB	01/25/2022 03:20:03 PM	rw-r--r--
📄 user.pyc	82.91 KB	02/03/2022 06:37:41 AM	rw-r--r--

Editing: dsacl.py

# Manipulate ACLs on directory objects
#
# Copyright (C) Nadezhda Ivanova <nivanova@samba.org> 2010
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

import samba.getopt as options
from samba.dcerpc import security
from samba.samdb import SamDB
from samba.ndr import ndr_unpack, ndr_pack
from samba.dcerpc.security import (
    GUID_DRS_ALLOCATE_RIDS, GUID_DRS_CHANGE_DOMAIN_MASTER,
    GUID_DRS_CHANGE_INFR_MASTER, GUID_DRS_CHANGE_PDC,
    GUID_DRS_CHANGE_RID_MASTER, GUID_DRS_CHANGE_SCHEMA_MASTER,
    GUID_DRS_GET_CHANGES, GUID_DRS_GET_ALL_CHANGES,
    GUID_DRS_GET_FILTERED_ATTRIBUTES, GUID_DRS_MANAGE_TOPOLOGY,
    GUID_DRS_MONITOR_TOPOLOGY, GUID_DRS_REPL_SYNCRONIZE,
    GUID_DRS_RO_REPL_SECRET_SYNC)

import ldb
from ldb import SCOPE_BASE
import re

from samba.auth import system_session
from samba.netcmd import (
    Command,
    CommandError,
    SuperCommand,
    Option,
    )

class cmd_dsacl_set(Command):
    """Modify access list on a directory object."""

synopsis = "%prog [options]"
    car_help = """ The access control right to allow or deny """

takes_optiongroups = {
        "sambaopts": options.SambaOptions,
        "credopts": options.CredentialsOptions,
        "versionopts": options.VersionOptions,
        }

takes_options = [
        Option("-H", "--URL", help="LDB URL for database or target server",
               type=str, metavar="URL", dest="H"),
        Option("--car", type="choice", choices=["change-rid",
                                                "change-pdc",
                                                "change-infrastructure",
                                                "change-schema",
                                                "change-naming",
                                                "allocate_rids",
                                                "get-changes",
                                                "get-changes-all",
                                                "get-changes-filtered",
                                                "topology-manage",
                                                "topology-monitor",
                                                "repl-sync",
                                                "ro-repl-secret-sync"],
               help=car_help),
        Option("--action", type="choice", choices=["allow", "deny"],
                help="""Deny or allow access"""),
        Option("--objectdn", help="DN of the object whose SD to modify",
            type="string"),
        Option("--trusteedn", help="DN of the entity that gets access",
            type="string"),
        Option("--sddl", help="An ACE or group of ACEs to be added on the object",
            type="string"),
        ]

def find_trustee_sid(self, samdb, trusteedn):
        res = samdb.search(base=trusteedn, expression="(objectClass=*)",
            scope=SCOPE_BASE)
        assert(len(res) == 1)
        return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])

def modify_descriptor(self, samdb, object_dn, desc, controls=None):
        assert(isinstance(desc, security.descriptor))
        m = ldb.Message()
        m.dn = ldb.Dn(samdb, object_dn)
        m["nTSecurityDescriptor"]= ldb.MessageElement(
                (ndr_pack(desc)), ldb.FLAG_MOD_REPLACE,
                "nTSecurityDescriptor")
        samdb.modify(m)

def read_descriptor(self, samdb, object_dn):
        res = samdb.search(base=object_dn, scope=SCOPE_BASE,
                attrs=["nTSecurityDescriptor"])
        # we should theoretically always have an SD
        assert(len(res) == 1)
        desc = res[0]["nTSecurityDescriptor"][0]
        return ndr_unpack(security.descriptor, desc)

def get_domain_sid(self, samdb):
        res = samdb.search(base=samdb.domain_dn(),
                expression="(objectClass=*)", scope=SCOPE_BASE)
        return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])

def add_ace(self, samdb, object_dn, new_ace):
        """Add new ace explicitly."""
        desc = self.read_descriptor(samdb, object_dn)
        desc_sddl = desc.as_sddl(self.get_domain_sid(samdb))
        #TODO add bindings for descriptor manipulation and get rid of this
        desc_aces = re.findall("\(.*?\)", desc_sddl)
        for ace in desc_aces:
            if ("ID" in ace):
                desc_sddl = desc_sddl.replace(ace, "")
        if new_ace in desc_sddl:
            return
        if desc_sddl.find("(") >= 0:
            desc_sddl = desc_sddl[:desc_sddl.index("(")] + new_ace + desc_sddl[desc_sddl.index("("):]
        else:
            desc_sddl = desc_sddl + new_ace
        desc = security.descriptor.from_sddl(desc_sddl, self.get_domain_sid(samdb))
        self.modify_descriptor(samdb, object_dn, desc)

def print_new_acl(self, samdb, object_dn):
        desc = self.read_descriptor(samdb, object_dn)
        desc_sddl = desc.as_sddl(self.get_domain_sid(samdb))
        self.outf.write("new descriptor for %s:\n" % object_dn)
        self.outf.write(desc_sddl + "\n")

def run(self, car, action, objectdn, trusteedn, sddl,
            H=None, credopts=None, sambaopts=None, versionopts=None):
        lp = sambaopts.get_loadparm()
        creds = credopts.get_credentials(lp)

if sddl is None and (car is None or action is None
                             or objectdn is None or trusteedn is None):
            return self.usage()

samdb = SamDB(url=H, session_info=system_session(),
            credentials=creds, lp=lp)
        cars = {'change-rid' : GUID_DRS_CHANGE_RID_MASTER,
                'change-pdc' : GUID_DRS_CHANGE_PDC,
                'change-infrastructure' : GUID_DRS_CHANGE_INFR_MASTER,
                'change-schema' : GUID_DRS_CHANGE_SCHEMA_MASTER,
                'change-naming' : GUID_DRS_CHANGE_DOMAIN_MASTER,
                'allocate_rids' : GUID_DRS_ALLOCATE_RIDS,
                'get-changes' : GUID_DRS_GET_CHANGES,
                'get-changes-all' : GUID_DRS_GET_ALL_CHANGES,
                'get-changes-filtered' : GUID_DRS_GET_FILTERED_ATTRIBUTES,
                'topology-manage' : GUID_DRS_MANAGE_TOPOLOGY,
                'topology-monitor' : GUID_DRS_MONITOR_TOPOLOGY,
                'repl-sync' : GUID_DRS_REPL_SYNCRONIZE,
                'ro-repl-secret-sync' : GUID_DRS_RO_REPL_SECRET_SYNC,
                }
        sid = self.find_trustee_sid(samdb, trusteedn)
        if sddl:
            new_ace = sddl
        elif action == "allow":
            new_ace = "(OA;;CR;%s;;%s)" % (cars[car], str(sid))
        elif action == "deny":
            new_ace = "(OD;;CR;%s;;%s)" % (cars[car], str(sid))
        else:
            raise CommandError("Wrong argument '%s'!" % action)

self.print_new_acl(samdb, objectdn)
        self.add_ace(samdb, objectdn, new_ace)
        self.print_new_acl(samdb, objectdn)

class cmd_dsacl(SuperCommand):
    """DS ACLs manipulation."""

subcommands = {}
    subcommands["set"] = cmd_dsacl_set()