Dacledit inheritance flag #7

Merged
merged 3 commits into from
Jan 4, 2023
15 changes: 13 additions & 2 deletions examples/dacledit.py
Expand Up @@ -239,6 +239,9 @@ def __init__(self, ldap_server, ldap_session, args):
self.rights = args.rights
self.rights_guid = args.rights_guid
self.filename = args.filename
self.inheritance = args.inheritance
if self.inheritance:
logging.info("NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU")

logging.debug('Initializing domainDumper()')
cnf = ldapdomaindump.domainDumpConfig()
Expand Down Expand Up @@ -634,7 +637,10 @@ def create_ace(self, access_mask, sid, ace_type):
else:
nace['AceType'] = ldaptypes.ACCESS_DENIED_ACE.ACE_TYPE
acedata = ldaptypes.ACCESS_DENIED_ACE()
nace['AceFlags'] = 0x00
if self.inheritance:
nace['AceFlags'] = ldaptypes.ACE.OBJECT_INHERIT_ACE + ldaptypes.ACE.CONTAINER_INHERIT_ACE
else:
nace['AceFlags'] = 0x00
acedata['Mask'] = ldaptypes.ACCESS_MASK()
acedata['Mask']['Mask'] = access_mask
acedata['Sid'] = ldaptypes.LDAP_SID()
Expand All @@ -658,7 +664,10 @@ def create_object_ace(self, privguid, sid, ace_type):
else:
nace['AceType'] = ldaptypes.ACCESS_DENIED_OBJECT_ACE.ACE_TYPE
acedata = ldaptypes.ACCESS_DENIED_OBJECT_ACE()
nace['AceFlags'] = 0x00
if self.inheritance:
nace['AceFlags'] = ldaptypes.ACE.OBJECT_INHERIT_ACE + ldaptypes.ACE.CONTAINER_INHERIT_ACE
else:
nace['AceFlags'] = 0x00
acedata['Mask'] = ldaptypes.ACCESS_MASK()
acedata['Mask']['Mask'] = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_CONTROL_ACCESS
acedata['ObjectType'] = string_to_bin(privguid)
Expand Down Expand Up @@ -705,6 +714,8 @@ def parse_args():
dacl_parser.add_argument('-ace-type', choices=['allowed', 'denied'], nargs='?', default='allowed', help='The ACE Type (access allowed or denied) that must be added or removed (default: allowed)')
dacl_parser.add_argument('-rights', choices=['FullControl', 'ResetPassword', 'WriteMembers', 'DCSync'], nargs='?', default='FullControl', help='Rights to write/remove in the target DACL (default: FullControl)')
dacl_parser.add_argument('-rights-guid', type=str, help='Manual GUID representing the right to write/remove')
dacl_parser.add_argument('-inheritance', action="store_true", help='Enable the inheritance in the ACE flag with CONTAINER_INHERIT_ACE and OBJECT_INHERIT_ACE. Useful when target is a Container or an OU, '
'ACE will be inherited by objects within the container/OU (except objects with adminCount=1)')

if len(sys.argv) == 1:
parser.print_help()
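Review bot: The inheritance flags in create_ace, `nace['AceFlags'] = ldaptypes.ACE.OBJECT_INHERIT_ACE + ldaptypes.ACE.CONTAINER_INHERIT_ACE`, are combined with arithmetic `+`; for bitmask flags the idiomatic and safer form is `nace['AceFlags'] = ldaptypes.ACE.OBJECT_INHERIT_ACE | ldaptypes.ACE.CONTAINER_INHERIT_ACE`, which cannot silently yield a wrong value should the two constants ever overlap. The same four-line block is duplicated verbatim in create_object_ace; a small helper such as `def _ace_flags(self): return (ldaptypes.ACE.OBJECT_INHERIT_ACE | ldaptypes.ACE.CONTAINER_INHERIT_ACE) if self.inheritance else 0x00` would keep the two ACE builders consistent and leave one place to audit which inheritance bits are written. The message logged in __init__ reads `will no inherit`; it should be `will not inherit`. Both create_ace and create_object_ace start and end outside their hunks, so the rest of each builder was not reviewed here.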