r3wp [groups: 83 posts: 189283]
  • Home
  • Script library
  • AltME Archive
  • Mailing list
  • Articles Index
  • Site search
 

World: r3wp

[Parse] Discussion of PARSE dialect

Pekr
5-Jun-2009
[3832]
So I start from right, making longer rule as [rights-section | doman-section 
user-section rights-section]
Ladislav
5-Jun-2009
[3833]
...makes no sense to define a rule, if you don't actually know where 
the path ends, as I see it
Pekr
5-Jun-2009
[3834]
There is one exception - "NT AUTHORITY" ... I would break both hands 
of the designer, which allowed this one exception - space in domain 
name is not normally allowed :-)
BrianH
5-Jun-2009
[3835]
parse/all/case line [[to "WALMARK" | to "BUILTIN"] a: (do something)]
Ladislav
5-Jun-2009
[3836]
aha, so, you actually know, where the path ends?, you didn't tell
BrianH
5-Jun-2009
[3837]
Or to "NT AUTHORITY"
Pekr
5-Jun-2009
[3838x2]
But you can define following rule: 

domain-chars: charset [#"A" - #"Z" "-"]
domain-rule: [
    "NT AUTHORITY\" (domain: "NT AUTHORITY")
    |
     copy domain some domain-chars "\"  
]


domain-user-rights: [rights-rule | domain-rule user-rule rights-rule]
So except the NT AUTHORITY, there can't be any space. So I filtered 
out the when there is only rights on the first line (OI)(CI) etc. 
and the second case - DOMAIN\USER-GROUP:(RIGHTS)
BrianH
5-Jun-2009
[3840]
If you know the names of all the domains in your network, you can 
treat them as keywords. Just add "BUILTIN" and "NT AUTHORITY" to 
the list of keywords and you are set. No need to deal with character 
sets.
Pekr
5-Jun-2009
[3841]
The rest should/Could be spaces or PATH
Paul
5-Jun-2009
[3842]
copy/part path find/reverse find/reverse find path "(" " " " "
Pekr
5-Jun-2009
[3843]
BrianH: yes, but that would hardly be a challenge then :-) I wanted 
to have it flexible, hence being able to identify any domain ...
BrianH
5-Jun-2009
[3844]
Flexibility is overrated :)
Pekr
5-Jun-2009
[3845]
Paul - good one - I thought about reversing the string from reaching 
the newline too ...
BrianH
5-Jun-2009
[3846]
Also, seriously, consider switching utilities to one that gives you 
better output.
Pekr
5-Jun-2009
[3847x3]
there's none other utility in default console :-)
but - I could also not do it all with one ICACLS call, but instead 
to REBOL level recursion and using separate CALL to ICACLS for each 
dir separately ...
But that ICACLS output run for > 3 hours, so I don't want to repeat 
it :-)
BrianH
5-Jun-2009
[3850x2]
Since this is a one-off for a known network, flexibility is *really* 
overrated here. Go with the known domains method this time, then 
you'll have time to come up with a general solution for the next 
run.
You first asked this question > 3 hours ago, anyways :)
Pekr
5-Jun-2009
[3852]
NO :-)
BrianH
5-Jun-2009
[3853]
Well, I don't have an NT server running locally here, so I can't 
generate test data or even check its command line options.
Pekr
5-Jun-2009
[3854]
don't worry. I am mostly done. It can be "almost" done, but nevertheless 
we will switch to VBScript ....
Ladislav
5-Jun-2009
[3855]
do I understand correctly, that it can be done in VBScript?
BrianH
5-Jun-2009
[3856x2]
You would use VBScript as a replacement for the command line tool.
It's either that or powershell.
Pekr
5-Jun-2009
[3858]
Well, I saw some examples and although I don't fully understand them, 
there might not be the place for REBOL. You can do everything in 
VB script, and that is what I don't like :-)
BrianH
5-Jun-2009
[3859]
Or other languages with ActiveX support, and there are many.
Pekr
5-Jun-2009
[3860x2]
But - the easiest way probably was to use mixture of REBOL and ICACLS 
CALLS - traversing recursively directories and querying ICACLS. That 
way I would always know the path, so it would be easy to strip it 
from output. Now as CALL is fixed and no more opens black console 
windows, REBOL is good tool.
R3 with ActiveX support, yes, can't wait for it :-)
BrianH
5-Jun-2009
[3862]
What question does icacls ask about the access control lists? I don't 
have the tool locally.
Pekr
5-Jun-2009
[3863]
http://www.mydigitallife.info/2007/04/30/icacls-vista-command-prompt-tool-to-manage-acls/
BrianH
5-Jun-2009
[3864]
Looks like AccessChk: http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx
Pekr
5-Jun-2009
[3865x2]
It does not even have parameter to distinguish directory and file 
- what a lame tool. You have to use trick - icacls c:\some-dir\sub-dir-or-file*. 
, which is relict of 8.3 naming, so actually it will match and dir 
and file, not having suffix ....
What would lame MS do without buying Sysinternals guys escapes my 
mind ...
BrianH
5-Jun-2009
[3867]
This is how they get their tech.
Pekr
5-Jun-2009
[3868]
WTF :-) No I am upset about myself, as I use other SysInternal tools 
often, but dunno why I haven't looked for that tool mysel :-)
BrianH
5-Jun-2009
[3869x2]
Haven't used it yet either.
ICACLS has a /save option - what does that output? It's supposed 
to be machine readable, unlike its stdout output.
Pekr
5-Jun-2009
[3871]
it outputs complete mess. It almost looks like binary, but it is 
not - but no newlines, etc. It is kind of despaced output, which 
can be later used to set right back ....
BrianH
5-Jun-2009
[3872]
Might be more parseable though.
Pekr
5-Jun-2009
[3873x6]
there are no names though ... just SIDs ...
Following does what I need, and the output is nicer

accesschk.exe  -s -d L:\Sprava\* > ble.txt
-s recursion, -d dir-only
L:\My-dir\My-sub-dir
  Medium Mandatory Level (Default) [No-Write-Up]
  RW BUILTIN\Administrators
  RW WALMARK\AJMV
This is parseable ... maybe I can even use read/lines and skip the 
second line ...
It is just "not standard", e.g. If I would be planning (which I am 
not :-) to write simple Identity management, I would be probably 
better with "standard". This is already converted to R, W, etc.
BrianH
5-Jun-2009
[3879x2]
If you don't need it, sure :)
All Vista shop then? The nearest person I know that runs Vista is 
more than 60 miles from me.
Pekr
5-Jun-2009
[3881]
Windows console is so lame, that I have to use iconv to convert to 
win1250 first. It looks like they still live in DOS age :-)