//+------------------------------------------------------------------
//
// Copyright (C) 1995, Microsoft Corporation.
//
// File:        t2.cxx
//
// Contents:
//
// Classes:
//
// History:     Nov-93      DaveMont         Created.
//
//-------------------------------------------------------------------
#include <t2.hxx>
#include <filesec.hxx>
#include <fileenum.hxx>
#include <dumpsec.hxx>
#include "caclsmsg.h"
#include <locale.h>
#include <string.h>
#include <winnlsp.h>
#include <tchar.h>
#if DBG
ULONG Debug;
#endif
//+----------------------------------------------------------------------------
//
// local prototypes
//
//+----------------------------------------------------------------------------
BOOLEAN OpenToken(PHANDLE ph);
void printfsid(SID *psid, ULONG *outputoffset);
void printface(ACE_HEADER *paceh, BOOL fdir, ULONG outputoffset);
void printfmask(ULONG mask, UCHAR acetype, BOOL fdir, ULONG outputoffset);
WCHAR *mbstowcs(char *aname );
BOOL GetUserAndAccess(TCHAR *arg, WCHAR **user, ULONG *access);
#if DBG
ULONG DebugEnumerate(TCHAR *filename, ULONG option);
#endif
ULONG DisplayAces(TCHAR *filename, ULONG option);
ULONG ModifyAces(TCHAR *filename,
                 MODE emode,
                 ULONG option,
                 TCHAR *argv[],
                 LONG astart[], LONG aend[] );

ULONG GetCmdLineArgs(INT argc, TCHAR *argv[],
                     ULONG *option,
                     LONG astart[], LONG aend[],
                     MODE *emode
#if DBG
                     ,ULONG *debug
#endif
                     );
ULONG
__cdecl
printmessage (FILE* fp, DWORD messageID, ...);



//+----------------------------------------------------------------------------
//
//  Function:   vfcprintf
//
//  Synopsis:   prints formatted text to [pOut].  This function will call the
//              defulat c printf functions if it can not call WriteConsole().
//              We are calling WriteConsole() because it will display extended
//              characters, were as fprintf, printf ..., functions do not display
//              multi linguel strings.
//
//  Arguments: [pOut]         - Must be stdout, stderr, otherwise the function will just
//                              call standard c functions.
//             [pszFormate]   - Format string
//             [argList]      - variable length argument list.
//
//----------------------------------------------------------------------------
void vfcprintf(FILE *pOut, LPCTSTR pszFormat, va_list argList)
{
   HANDLE handle;

   //
   // Get the standard handles for output.  This assumes that the callers is calling with
   // either stdout or stderr, if it's anything else then just use normal sprintf.
   //
   TCHAR szText[2048];
   if(pOut == stdout){
      handle = GetStdHandle(STD_OUTPUT_HANDLE);
   } else if(pOut == stderr ){
      handle = GetStdHandle(STD_ERROR_HANDLE);
   } else {
do_normal:
#if defined(_UNICODE) || defined(UNICODE)
      vswprintf( szText, pszFormat, argList );
      fwprintf(pOut, szText );
#else
      vsprintf( szText, pszFormat, argList );
      fprintf(pOut, szText );
#endif
      return;
   }

   //
   // If we can't get the output handle then just send it to standard fprintf functions
   //
   if(INVALID_HANDLE_VALUE == handle){
      goto do_normal;
   }

   //
   // Format the text using standard C functions.
   //
#if defined(_UNICODE) || defined(UNICODE)
   vswprintf( szText, pszFormat, argList );
#else
   vsprintf( szText, pszFormat, argList );
#endif

   DWORD cRead = 0;
   //
   // If we can't get the console mode from this handle, then it is being piped somewhere else
   // and we must use sprintf to write, because WriteConsole only works with a console
   // output handle.
   //
   if(!GetConsoleMode( handle, &cRead ))
   {
	    DWORD cchBuffer = lstrlen(szText);
        LPSTR  lpAnsiBuffer = (LPSTR) LocalAlloc(LMEM_FIXED, (cchBuffer+1)*sizeof(WCHAR));

        if (lpAnsiBuffer != NULL)
        {
            cchBuffer = WideCharToMultiByte(CP_OEMCP,
                                            0,
                                            szText,
                                            cchBuffer + 1,
                                            lpAnsiBuffer,
                                            (cchBuffer +1) * sizeof(WCHAR),
                                            NULL,
                                            NULL);

            if (cchBuffer != 0)
            {
                fprintf(pOut,"%s",lpAnsiBuffer);
            }

            LocalFree(lpAnsiBuffer);
		}

   } else {
      WriteConsole( handle, szText, lstrlen(szText), &cRead, NULL);
   }

}


//+----------------------------------------------------------------------------
//
//  Function:   fcprintf
//
//  synopsis:   Same as fprintf, except this will call vfcprintf, which
//              prints to the console use WriteConsole.
//
//  Arguments: [pOut]         - FILE stream to output to.
//             [pszFormate]   - Format string
//             [...]          - variable length argument list.
//
//----------------------------------------------------------------------------
void
__cdecl
fcprintf( FILE *pOut, LPCTSTR pszFormat, ...)
{
   va_list marker;
   va_start(marker, pszFormat);
   vfcprintf( pOut, pszFormat, marker);
   va_end(marker);
}


//+----------------------------------------------------------------------------
//
//  Function:   fcprintf
//
//  synopsis:   Same as printf, except this will call vfcprintf, which
//              prints to the console use WriteConsole.
//
//  Arguments: [pszFormate]   - Format string
//             [...]          - variable length argument list.
//
//----------------------------------------------------------------------------
void
__cdecl
cprintf( LPCTSTR pszFormat, ...)
{
   va_list marker;
   va_start(marker, pszFormat);
   vfcprintf( stdout, pszFormat, marker);
   va_end(marker);
}

//+----------------------------------------------------------------------------
//
//  Function:   Usage
//
//  Synopsis:   prints usage functionality
//
//  Arguments: none
//
//----------------------------------------------------------------------------
VOID usage()
{
    printmessage(stdout, MSG_CACLS_USAGE, NULL);

#if DBG
    if (Debug)
    {
        printf("\n   /B            deBug <[#]>\n");
        printf("                 default is display error returned\n");
        printf("                 in /B '#' is a mask: 1  display SIDS values\n");
        printf("                                      2  display access masks\n");
        printf("                                      4  display error returned\n");
        printf("                                      8  display error location\n");
        printf("                                   0x10  verbose\n");
        printf("                                   0x20  verboser\n");
        printf("                                   0x40  enumerate names\n");
        printf("                                   0x80  enumerate failures\n");
        printf("                                  0x100  enumerate starts and returns\n");
        printf("                                  0x200  enumerate extra data\n");
        printf("                                  0x400  size allocation data\n");
        printf("                                  0x800  display enumeration of files\n");
    }
#endif
}

BOOL
IsAclSupported(LPCWSTR lpszFileName)
{
	BOOL bReturn = TRUE;
	WCHAR szVolumePathName[MAX_PATH+1];
	if(GetVolumePathName(lpszFileName,
						 szVolumePathName,
						 MAX_PATH))
	{
		int nLen = wcslen(szVolumePathName);
		if((WCHAR)szVolumePathName[nLen -1] != L'\\')
		{
			szVolumePathName[nLen] = L'\\';
			szVolumePathName[nLen++] = L'\0';
		}
		DWORD dwFlags = 0;
		if(GetVolumeInformation(szVolumePathName,
                                 NULL,
                                 NULL,
                                 NULL,
                                 NULL,
                                 &dwFlags,
                                 NULL,
                                 0))
        {
			if(!(FS_PERSISTENT_ACLS & dwFlags))
			{
				printmessage(stdout,MSG_CACLS_NOT_NTFS);
				return FALSE;
			}
        }
		
	}		
	return bReturn;
}
//+----------------------------------------------------------------------------
//
//  Function:     Main, Public
//
//  Synopsis:     main!!
//
//  Arguments:    IN [argc] - cmdline arguement count
//                IN [argv] - input cmdline arguements
//
//----------------------------------------------------------------------------
#if defined( __cplusplus )
extern "C" {
#endif
VOID _cdecl wmain(int argc, wchar_t *argvw[])
{
    char lBuf[6];

    //
    // Set the local to system OEM code page.
    //
    setlocale(LC_ALL, ".OCP" );
	SetThreadUILanguage(0);
	
    //
    // Convert the wide character set to string array.
    //
    LONG astart[MAX_OPTIONS], aend[MAX_OPTIONS];
    MODE emode;

    LONG ret = 0;
    ULONG option;

    if (ERROR_SUCCESS != (ret = GetCmdLineArgs(argc, argvw,
                                               &option,
                                               astart, aend,
                                               &emode
#if DBG
                                               ,&Debug
#endif
                                               )))
    {
        usage();
        exit(ret);
    }

	if(!IsAclSupported(argvw[1]))
		exit(1);
    switch (emode)
    {
        case MODE_DISPLAY:
            ret = DisplayAces(argvw[1], option);
            break;
        case MODE_REPLACE:
        case MODE_MODIFY:
            ret = ModifyAces(argvw[1], emode, option, argvw, astart, aend );
            break;
#if DBG
        case MODE_DEBUG_ENUMERATE:
            ret = DebugEnumerate(argvw[1], option);
            break;
#endif
        default:
        {
            usage();
            exit(1);
        }
    }
    if (ERROR_SUCCESS != ret)
    {
        LAST_ERROR((stderr, "Cacls failed, %ld\n",ret))
        if( ret == ERROR_BAD_ARGUMENTS )
            ret = MSG_CACLS_INVALID_ARGUMENT;
        printmessage(stderr, ret, NULL);

        if( ret == MSG_CACLS_INVALID_ARGUMENT )
            usage();
 }
    exit(ret);
}
#if defined( __cplusplus )
}
#endif

//---------------------------------------------------------------------------
//
//  Function:     GetCmdLineArgs
//
//  Synopsis:     gets and parses command line arguments into commands
//                recognized by this program
//
//  Arguments:    IN  [argc]   - cmdline arguement count
//                IN  [argv]   - input cmdline arguements
//                OUT [option] - requested option
//                OUT [astart] - start of arguments for each option
//                OUT [aend]   - end of arguments for each option
//                OUT [emode]  - mode of operation
//                OUT [debug]  - debug mask
//
//
//----------------------------------------------------------------------------
ULONG GetCmdLineArgs(INT argc, TCHAR *argv[],
                     ULONG *option,
                     LONG astart[], LONG aend[],
                     MODE *emode
#if DBG
                     ,ULONG *debug
#endif
                     )
{
    ARG_MODE_INDEX am = ARG_MODE_INDEX_NEED_OPTION;

#if DBG
    *debug = 0;
#endif
    *emode = MODE_DISPLAY;
    *option = 0;

    for (LONG j=0; j < MAX_OPTIONS ;j++ )
    {
        astart[j] = 0;
        aend[j] = 0;
    }

    if ( (argc < 2) || (argv[1][0] == '/') )
    {
#if DBG
        // do this so debug args are printed out

        if (argc >= 2)
        {
            if ( (0 == lstrcmpi(&argv[1][1], TEXT("deBug"))) ||
                 (0 == lstrcmpi(&argv[1][1], TEXT("b")))  )
            {
                *debug = DEBUG_LAST_ERROR;
            }
        }
#endif
        return(ERROR_BAD_ARGUMENTS);
    }

    for (LONG k = 2; k < argc ; k++ )
    {
        if (argv[k][0] == '/')
        {
            switch (am)
            {
                case ARG_MODE_INDEX_NEED_OPTION:
#if DBG
                case ARG_MODE_INDEX_DEBUG:
#endif
                    break;

                case ARG_MODE_INDEX_DENY:
                case ARG_MODE_INDEX_REVOKE:
                case ARG_MODE_INDEX_GRANT:
                case ARG_MODE_INDEX_REPLACE:
                    if (astart[am] == k)
                        return(ERROR_BAD_ARGUMENTS);
                    break;

                default:
                    return(ERROR_BAD_ARGUMENTS);
            }

            if ( (0 == lstrcmpi(&argv[k][1], TEXT("Tree"))) ||
                 (0 == lstrcmpi(&argv[k][1], TEXT("t"))) )
            {
                if (*option & OPTION_TREE)
                    return(ERROR_BAD_ARGUMENTS);
                *option |= OPTION_TREE;
                am = ARG_MODE_INDEX_NEED_OPTION;
                continue;
            }

            if ( (0 == lstrcmpi(&argv[k][1], TEXT("Continue"))) ||
                 (0 == lstrcmpi(&argv[k][1], TEXT("c"))) )
            {
                if (*option & OPTION_CONTINUE_ON_ERROR)
                    return(ERROR_BAD_ARGUMENTS);
                *option |= OPTION_CONTINUE_ON_ERROR;
                am = ARG_MODE_INDEX_NEED_OPTION;
                continue;
            }

            if ( (0 == lstrcmpi(&argv[k][1], TEXT("Edit"))) ||
                 (0 == lstrcmpi(&argv[k][1], TEXT("E"))) )
            {
                if (*emode != MODE_DISPLAY)
                    return(ERROR_BAD_ARGUMENTS);
                *emode = MODE_MODIFY;
                am = ARG_MODE_INDEX_NEED_OPTION;
                continue;
            }

#if DBG
            if ( (0 == lstrcmpi(&argv[k][1], TEXT("deBug"))) ||
                 (0 == lstrcmpi(&argv[k][1], TEXT("b")))  )
            {
                if (*debug)
                    return(ERROR_BAD_ARGUMENTS);
                am = ARG_MODE_INDEX_DEBUG;
                *debug = DEBUG_LAST_ERROR;
                continue;
            }
#endif
            if ( (0 == lstrcmpi(&argv[k][1], TEXT("Deny"))) ||
                 (0 == lstrcmpi(&argv[k][1], TEXT("D"))) )
            {
                am = ARG_MODE_INDEX_DENY;
                *option |= OPTION_DENY;
            } else if ( (0 == lstrcmpi(&argv[k][1], TEXT("Revoke"))) ||
                        (0 == lstrcmpi(&argv[k][1], TEXT("R"))) )
            {
                am = ARG_MODE_INDEX_REVOKE;
                *option |= OPTION_REVOKE;
            } else if ( (0 == lstrcmpi(&argv[k][1], TEXT("Grant"))) ||
                        (0 == lstrcmpi(&argv[k][1], TEXT("G"))) )
            {
                am = ARG_MODE_INDEX_GRANT;
                *option |= OPTION_GRANT;
            } else if ( (0 == lstrcmpi(&argv[k][1], TEXT("rePlace"))) ||
                        (0 == lstrcmpi(&argv[k][1], TEXT("P"))) )
            {
                *option |= OPTION_REPLACE;
                am = ARG_MODE_INDEX_REPLACE;
            } else
                return(ERROR_BAD_ARGUMENTS);

            if (astart[am] != 0)
                return(ERROR_BAD_ARGUMENTS);
            astart[am] = k+1;
        } else
        {
            switch (am)
            {
                case ARG_MODE_INDEX_NEED_OPTION:
                    return(ERROR_BAD_ARGUMENTS);

#if DBG
                case ARG_MODE_INDEX_DEBUG:
                    *debug = _wtol(argv[k]);
                    if (*debug & DEBUG_ENUMERATE)
                        if (*emode == MODE_DISPLAY)
                            *emode = MODE_DEBUG_ENUMERATE;
                        else
                            return(ERROR_BAD_ARGUMENTS);

                    am = ARG_MODE_INDEX_NEED_OPTION;
                    break;
#endif
                case ARG_MODE_INDEX_DENY:
                case ARG_MODE_INDEX_REVOKE:
                case ARG_MODE_INDEX_GRANT:
                case ARG_MODE_INDEX_REPLACE:
                    aend[am] = k+1;
                    break;

                default:
                    return(ERROR_BAD_ARGUMENTS);
            }
        }
    }

    if ( ( (*option & OPTION_DENY) && (aend[ARG_MODE_INDEX_DENY] == 0) ) ||
         ( (*option & OPTION_REVOKE) && (aend[ARG_MODE_INDEX_REVOKE] == 0) ) ||
         ( (*option & OPTION_GRANT) && (aend[ARG_MODE_INDEX_GRANT] == 0) ) ||
         ( (*option & OPTION_REPLACE) && (aend[ARG_MODE_INDEX_REPLACE] == 0) ) )
    {
        return(ERROR_BAD_ARGUMENTS);
    } else if ( (*option & OPTION_DENY) ||
                (*option & OPTION_REVOKE) ||
                (*option & OPTION_GRANT) ||
                (*option & OPTION_REPLACE) )
    {
        if (*emode == MODE_DISPLAY)
        {
            if (*option & OPTION_REVOKE)
            {
                return(ERROR_BAD_ARGUMENTS);
            }
            *emode = MODE_REPLACE;
        }
    }
    return(ERROR_SUCCESS);
}

//---------------------------------------------------------------------------
//
//  Function:     DisplayAces
//
//  Synopsis:     displays ACL from specified file
//
//  Arguments:    IN [filename] - file name
//                IN [option]   - display option
//
//----------------------------------------------------------------------------
ULONG DisplayAces(TCHAR *filename, ULONG option)
{
    CFileEnumerate cfe(option & OPTION_TREE);
    WCHAR *pwfilename;
    BOOL fdir;
    ULONG ret;

    if (NO_ERROR == (ret = cfe.Init(filename, &pwfilename, &fdir)))
    {
        while ( (NO_ERROR == ret) ||
                ( ( (ERROR_ACCESS_DENIED == ret ) || (ERROR_SHARING_VIOLATION == ret) )&&
                  (option & OPTION_CONTINUE_ON_ERROR) ) )
        {
#if DBG
            if (fdir)
                DISPLAY((stderr, "processing file: "))
            else
                DISPLAY((stderr, "processing dir: "))
#endif
            cprintf( TEXT("%s"), pwfilename);
            if (ERROR_ACCESS_DENIED == ret)
            {
                printmessage(stdout,MSG_CACLS_ACCESS_DENIED, NULL);
            } else if (ERROR_SHARING_VIOLATION == ret)
            {
                printmessage(stdout,MSG_CACLS_SHARING_VIOLATION, NULL);
            } else
            {
                DISPLAY((stderr, "\n"))
                VERBOSE((stderr, "\n"))
                CDumpSecurity cds(pwfilename);

                if (NO_ERROR == (ret = cds.Init()))
                {
#if DBG
                    if (Debug & DEBUG_VERBOSE)
                    {
                        SID *psid;
                        ULONG oo;

                        if (NO_ERROR == (ret = cds.GetSDOwner(&psid)))
                        {
                            printf("  Owner = ");
                            printfsid(psid, &oo);
                            if (NO_ERROR == (ret = cds.GetSDGroup(&psid)))
                            {
                                printf("  Group = ");
                                printfsid(psid, &oo);
                            }
                            else
                                ERRORS((stderr, "GetSDGroup failed, %d\n",ret))
                        }
                        else
                            ERRORS((stderr, "GetSDOwner failed, %d\n",ret))
                    }
#endif
                    ACE_HEADER *paceh;

                    LONG retace;
                    if (NO_ERROR == ret)
                        for (retace = cds.GetNextAce(&paceh); retace >= 0; )
                        {
                            printface(paceh, fdir, wcslen(pwfilename));
                            retace = cds.GetNextAce(&paceh);
                            if (retace >= 0)
                                printf("%*s",
                                       WideCharToMultiByte(CP_ACP, 0,
                                               pwfilename, -1,
                                               NULL, 0,
                                               NULL, NULL)-1," ");
                        }
                }
#if DBG
                   else
                    ERRORS((stderr, "cds.init failed, %d\n",ret))
#endif
            }
            fprintf(stdout, "\n");

            if ( (NO_ERROR == ret) ||
                ( ( (ERROR_ACCESS_DENIED == ret ) || (ERROR_SHARING_VIOLATION == ret) )&&
                   (option & OPTION_CONTINUE_ON_ERROR) ) )
                ret = cfe.Next(&pwfilename, &fdir);
        }

        switch (ret)
        {
            case ERROR_NO_MORE_FILES:
                ret = ERROR_SUCCESS;
                break;
            case ERROR_ACCESS_DENIED:
            case ERROR_SHARING_VIOLATION:
                break;
            case ERROR_SUCCESS:
                break;
            default:
                break;
        }

    } else
    {
        ERRORS((stderr, "cfe.init failed, %d\n",ret))
    }
    return(ret);
}
//---------------------------------------------------------------------------
//
//  Function:     ModifyAces
//
//  Synopsis:     modifies the aces for the specified file(s)
//
//  Arguments:    IN [filename] - name of file(s) to modify the aces on
//                IN [emode]  - mode of operation
//                IN [option] - requested option
//                IN [astart] - start of arguments for each option
//                IN [aend]   - end of arguments for each option
//
//----------------------------------------------------------------------------
ULONG ModifyAces(TCHAR *filename,
                 MODE emode,
                 ULONG option,
                 TCHAR *argv[],
                 LONG astart[], LONG aend[])
{
    CDaclWrap cdw;
    CFileEnumerate cfe(option & OPTION_TREE);
    WCHAR *user = NULL;
    ULONG access;
    ULONG ret = ERROR_SUCCESS;
    WCHAR *pwfilename;
    ULONG curoption;

    VERBOSERW((stderr, TEXT("user:permission pairs\n") ))

    // first proces the command line args to build up the new ace

    for (ULONG j = 0, k = 1;j < MAX_OPTIONS ; k <<= 1, j++ )
    {
        curoption = k;
        if (option & k)
        {
            for (LONG q = astart[j];
                      q < aend[j] ; q++ )
            {
                VERBOSERW((stderr, TEXT("      %s\n"),argv[q] ))

                if ((k & OPTION_GRANT) || (k & OPTION_REPLACE))
                {
                    if (!GetUserAndAccess(argv[q], &user, &access))
                    {
#if !defined(UNICODE) || !defined(_UNICODE)
                        if (user)
                            LocalFree(user);
#endif
                        return(ERROR_BAD_ARGUMENTS);
                    }
                    if (GENERIC_NONE == access)
                    {
                        if (!(k & OPTION_REPLACE))
                        {
#if !defined(UNICODE) || !defined(_UNICODE)
                            if (user)
                                LocalFree(user);
#endif
                            return(ERROR_BAD_ARGUMENTS);
                        }
                    }
                } else
                {
#if !defined(UNICODE) || !defined(_UNICODE)
                    user = mbstowcs(argv[q]);
#else
                    user = argv[q];
#endif
                    access = GENERIC_NONE;
                }

                VERBOSERW((stderr, TEXT("OPTION = %d, USER = %ws, ACCESS = %lx\n"),
                       option,
                       user,
                       access))


                if (ERROR_SUCCESS != (ret = cdw.SetAccess(curoption,
                                                     user,
                                                     NULL,
                                                     access)))
                {
                    ERRORS((stderr, "SetAccess for %ws:%lx failed, %d\n",
                           user,
                           access,
                           ret))
#if !defined(UNICODE) || !defined(_UNICODE)
                    LocalFree(user);
#endif
                    return(ret);
                }
#if !defined(UNICODE) || !defined(_UNICODE)
                LocalFree(user);
#endif
                user = NULL;
            }
        }
    }

    BOOL fdir;

    if (emode == MODE_REPLACE)
    {
        CHAR well[MAX_PATH];
        CHAR msgbuf[MAX_PATH];
        printmessage(stdout,MSG_CACLS_ARE_YOU_SURE, NULL);
        FormatMessageA(FORMAT_MESSAGE_FROM_HMODULE, NULL, MSG_CACLS_Y, 0,
                      msgbuf, MAX_PATH, NULL);
        fgets(well,MAX_PATH,stdin);

        // remove the trailing return
        if ('\n' == well[strlen(well) - sizeof(CHAR)])
            well[strlen(well) - sizeof(CHAR)] = '\0';

        if (0 != _stricmp(well, msgbuf))
        {
            FormatMessageA(FORMAT_MESSAGE_FROM_HMODULE, NULL, MSG_CACLS_YES, 0,
                          msgbuf, MAX_PATH, NULL);
            if (0 != _stricmp(well, msgbuf))
                return(ERROR_SUCCESS);
        }
    }

    if (NO_ERROR == (ret = cfe.Init(filename, &pwfilename, &fdir)))
    {
        while ( (NO_ERROR == ret) ||
                ( ( (ERROR_ACCESS_DENIED == ret ) || (ERROR_SHARING_VIOLATION == ret) )&&
                  (option & OPTION_CONTINUE_ON_ERROR) ) )
        {
            CFileSecurity cfs(pwfilename);

            if (NO_ERROR == (ret = cfs.Init()))
            {
                if (NO_ERROR != (ret = cfs.SetFS(emode == MODE_REPLACE ? FALSE : TRUE, &cdw, fdir)))
                {
                    if (!(((ERROR_ACCESS_DENIED == ret) || (ERROR_SHARING_VIOLATION == ret)) &&
                          (option & OPTION_CONTINUE_ON_ERROR)))
                    {
                        ERRORS((stderr, "SetFS on %ws failed %ld\n",pwfilename, ret))
                        return(ret);
                    }
                }
            }
            else
            {
               //
               // If the error is access denied or sharing violation and we are to continue on error,
               // then keep going. Otherwise bail out here.
               //

               if (!(((ERROR_ACCESS_DENIED == ret) || (ERROR_SHARING_VIOLATION == ret)) &&
                   (option & OPTION_CONTINUE_ON_ERROR))) {

                  ERRORS((stderr, "init failed, %d\n",ret))
                  return(ret);
               }
            }

            if (NO_ERROR == ret)
            {

                if (fdir)
                {
                    printmessage(stdout, MSG_CACLS_PROCESSED_DIR, NULL);
                    cprintf(L"%s\n",  pwfilename);
                }
                else
                {
                    printmessage(stdout, MSG_CACLS_PROCESSED_FILE, NULL);
                    cprintf(L"%s\n",  pwfilename);
                }
            }
            else if (ERROR_ACCESS_DENIED == ret)
            {
                printmessage(stdout, MSG_CACLS_ACCESS_DENIED, NULL);
                cprintf(L"%s\n",  pwfilename);
            }
            else if (ret == ERROR_SHARING_VIOLATION)
            {
                printmessage(stdout, MSG_CACLS_SHARING_VIOLATION, NULL);
                cprintf(L"%s\n",  pwfilename);
            }

            if ( (NO_ERROR == ret) ||
                 ( ( (ERROR_ACCESS_DENIED == ret ) || (ERROR_SHARING_VIOLATION == ret) ) &&
                   (option & OPTION_CONTINUE_ON_ERROR) ) )
                ret = cfe.Next(&pwfilename, &fdir);
        }

        switch (ret)
        {
            case ERROR_NO_MORE_FILES:
                ret = ERROR_SUCCESS;
                break;
            case ERROR_ACCESS_DENIED:
            case ERROR_SHARING_VIOLATION:
                break;
            case ERROR_SUCCESS:
                break;
            default:
                DISPLAY((stderr, "%ws failed: %d\n", pwfilename, ret))
                break;
        }
    } else
        ERRORS((stderr, "file enumeration failed to initialize %ws, %ld\n",pwfilename, ret))

    if (ret == ERROR_NO_MORE_FILES)
    {
        ret = ERROR_SUCCESS;
    }

    if (ret != ERROR_SUCCESS)
    {
        ERRORS((stderr, "Enumeration failed, %d\n",ret))
    }

    return(ret);
}
#if DBG
//---------------------------------------------------------------------------
//
//  Function:     DebugEnumerate
//
//  Synopsis:     debug function
//
//  Arguments:    IN [filename] - file name
//                IN [option]   - option
//
//----------------------------------------------------------------------------
ULONG DebugEnumerate(TCHAR *filename, ULONG option)
{
    CFileEnumerate cfe(option & OPTION_TREE);
    WCHAR *pwfilename;
    BOOL fdir;
    ULONG ret;

    ret = cfe.Init(filename, &pwfilename, &fdir);
    while ( (ERROR_SUCCESS == ret) ||
            ( (ERROR_ACCESS_DENIED == ret ) &&
              (option & OPTION_CONTINUE_ON_ERROR) ) )
    {
        if (fdir)
            printf("dir  name = %ws%ws\n",pwfilename,
                   ERROR_ACCESS_DENIED == ret ? L"ACCESS DENIED" : L"");
        else
            printf("file name = %ws%ws\n",pwfilename,
                   ERROR_ACCESS_DENIED == ret ? L"ACCESS DENIED" : L"");
        ret = cfe.Next(&pwfilename, &fdir);
    }
    if (ret == ERROR_ACCESS_DENIED)
    {
        if (fdir)
            printf("dir  name = %ws%ws\n",pwfilename,
                   ERROR_ACCESS_DENIED == ret ? L"ACCESS DENIED" : L"");
        else
            printf("file name = %ws%ws\n",pwfilename,
                   ERROR_ACCESS_DENIED == ret ? L"ACCESS DENIED" : L"");
    }
    if (ret != ERROR_NO_MORE_FILES)
        printf("Enumeration failed, %d\n",ret);

    return(ret);
}
#endif
//---------------------------------------------------------------------------
//
//  Function:     GetUserAccess
//
//  Synopsis:     parses an input string for user:access
//
//  Arguments:    IN  [arg]    - input string to parse
//                OUT [user]   - user if found
//                OUT [access] - access if found
//
//----------------------------------------------------------------------------
BOOL GetUserAndAccess(TCHAR *arg, WCHAR **user, ULONG *access)
{
    TCHAR *saccess = wcschr(arg,':');
    if (saccess)
    {
        *saccess = NULL;
        saccess++;

        if (wcschr(saccess,':'))
            return(FALSE);
#if defined(UNICODE) || defined(_UNICODE)
        *user = arg;
#else
        *user = mbstowcs(arg);
#endif

        if (0 == lstrcmpi(saccess, TEXT("F") ))
        {
            *access = ( STANDARD_RIGHTS_ALL |
                        FILE_READ_DATA |
                        FILE_WRITE_DATA |
                        FILE_APPEND_DATA |
                        FILE_READ_EA |
                        FILE_WRITE_EA |
                        FILE_EXECUTE |
                        FILE_DELETE_CHILD |
                        FILE_READ_ATTRIBUTES |
                        FILE_WRITE_ATTRIBUTES );
        }
        else if (0 == lstrcmpi(saccess,TEXT("R") ))
        {
            *access = FILE_GENERIC_READ | FILE_EXECUTE;
        }
        else if (0 == lstrcmpi(saccess, TEXT("C") ))
        {
            *access = FILE_GENERIC_WRITE | FILE_GENERIC_READ | FILE_EXECUTE | DELETE;
        }
        else if (0 == lstrcmpi(saccess, TEXT("N") ))
        {
            *access = GENERIC_NONE;
        }
        else if (0 == lstrcmpi(saccess, TEXT("W") ))
        {
            *access = FILE_GENERIC_WRITE | FILE_EXECUTE;
        }
        else
            return(FALSE);
        return(TRUE);
    }
    return(FALSE);
}
//---------------------------------------------------------------------------
//
//  Function:     mbstowcs
//
//  Synopsis:     converts char to wchar, allocates space for wchar
//
//  Arguments:    IN [aname] - char string
//
//----------------------------------------------------------------------------
WCHAR *mbstowcs(char *aname )
{
    if (aname)
    {
        WCHAR *pwname = NULL;
        pwname = (WCHAR *)LocalAlloc(LMEM_FIXED, sizeof(WCHAR) * (strlen(aname)+1));
        if (NULL == pwname)
            return(NULL);
        WCHAR *prwname = pwname;
        if (MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED,
                                aname, -1,
                                prwname, sizeof(WCHAR)*(strlen(aname)+1)) == 0)
            return(NULL);
        return(pwname);
    } else
        return(NULL);
}
//----------------------------------------------------------------------------
//
//  Function:
//
//  Synopsis:
//
//  Arguments:
//
//----------------------------------------------------------------------------
BOOLEAN OpenToken(PHANDLE ph)
{
    HANDLE hprocess;

    hprocess = OpenProcess( PROCESS_QUERY_INFORMATION, FALSE, GetCurrentProcessId());
    if (hprocess == NULL)
        return(FALSE);

    if (OpenProcessToken(hprocess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ph))
    {
        CloseHandle(hprocess);
        return(TRUE);
    }

    CloseHandle(hprocess);
    return(FALSE);
}
//----------------------------------------------------------------------------
//
//  Function:     printfsid
//
//  Synopsis:     prints a NT SID
//
//  Arguments:    IN [psid] - pointer to the sid to print
//
//----------------------------------------------------------------------------
void printfsid(SID *psid, ULONG *outputoffset)
{
#if DBG
    if ((Debug & DEBUG_VERBOSE) || (Debug & DEBUG_DISPLAY_SIDS))
    {
        printf("S-%lx",psid->Revision);

        if ( (psid->IdentifierAuthority.Value[0] != 0) ||
             (psid->IdentifierAuthority.Value[1] != 0) )
        {
            printf("0x%02hx%02hx%02hx%02hx%02hx%02hx",
                        (USHORT)psid->IdentifierAuthority.Value[0],
                        (USHORT)psid->IdentifierAuthority.Value[1],
                        (USHORT)psid->IdentifierAuthority.Value[2],
                        (USHORT)psid->IdentifierAuthority.Value[3],
                        (USHORT)psid->IdentifierAuthority.Value[4],
                        (USHORT)psid->IdentifierAuthority.Value[5] );
        } else
        {
            printf("-%lu",
                   (ULONG)psid->IdentifierAuthority.Value[5]          +
                   (ULONG)(psid->IdentifierAuthority.Value[4] <<  8)  +
                   (ULONG)(psid->IdentifierAuthority.Value[3] << 16)  +
                   (ULONG)(psid->IdentifierAuthority.Value[2] << 24) );
        }

        if ( 0 < psid->SubAuthorityCount )
        {
            for (int k = 0; k < psid->SubAuthorityCount; k++ )
            {
                printf("-%d",psid->SubAuthority[k]);
            }
        }
    }
#endif
    ULONG ret;

    CAccount ca(psid, NULL);

    WCHAR *domain = NULL;
    WCHAR *user;

    if (NO_ERROR == ( ret = ca.GetAccountDomain(&domain) ) )
    {
        if ( (NULL == domain) || (0 == wcslen(domain)) )
        {
            fprintf(stdout, " ");
            *outputoffset +=1;
        }
        else
        {
            fprintf(stdout, " ");
            wprintf(L"%s",  domain);
			fprintf(stdout, "\\");
            *outputoffset += 2 + wcslen( domain );;
        }

        if (NO_ERROR == ( ret = ca.GetAccountName(&user) ) )
        {
            wprintf(L"%s",  user);
			fprintf(stdout, ":");
            *outputoffset += 1 + wcslen(user);
        } else
        {
            *outputoffset += printmessage(stdout, MSG_CACLS_NAME_NOT_FOUND, NULL);

            ERRORS((stderr, "(%lx)",ret))
        }
    } else
    {
        *outputoffset+= printmessage(stdout, MSG_CACLS_DOMAIN_NOT_FOUND, NULL);
        ERRORS((stderr, "(%lx)",ret))
    }
    VERBOSE((stderr, "\n"))
}
//----------------------------------------------------------------------------
//
//  Function:     printface
//
//  Synopsis:     prints the specifed ace
//
//  Arguments:    IN [paceh] - input ace (header)
//                IN [fdir]  - TRUE = directory (different display options)
//
//----------------------------------------------------------------------------
void printface(ACE_HEADER *paceh, BOOL fdir, ULONG outputoffset)
{
    VERBOSE((stderr, "  "))
    VERBOSER((stderr, "\npaceh->AceType  = %x\n",paceh->AceType  ))
    VERBOSER((stderr, "paceh->AceFlags = %x\n",paceh->AceFlags ))
    VERBOSER((stderr, "paceh->AceSize  = %x\n",paceh->AceSize  ))
    ACCESS_ALLOWED_ACE *paaa = (ACCESS_ALLOWED_ACE *)paceh;
    printfsid((SID *)&(paaa->SidStart),&outputoffset);
    if (paceh->AceFlags & OBJECT_INHERIT_ACE      )
    {
        outputoffset+= printmessage(stdout, MSG_CACLS_OBJECT_INHERIT, NULL);
    }
    if (paceh->AceFlags & CONTAINER_INHERIT_ACE   )
    {
        outputoffset+= printmessage(stdout, MSG_CACLS_CONTAINER_INHERIT, NULL);
    }
    if (paceh->AceFlags & NO_PROPAGATE_INHERIT_ACE)
    {
        outputoffset+= printmessage(stdout, MSG_CACLS_NO_PROPAGATE_INHERIT, NULL);
    }
    if (paceh->AceFlags & INHERIT_ONLY_ACE        )
    {
        outputoffset+= printmessage(stdout, MSG_CACLS_INHERIT_ONLY, NULL);
    }

    if (paceh->AceType == ACCESS_DENIED_ACE_TYPE)
    {
            DISPLAY_MASK((stderr, "(DENIED)"))
            VERBOSE((stderr, "(DENIED)"))
    }

    printfmask(paaa->Mask, paceh->AceType, fdir, outputoffset);
    fprintf(stdout, "\n");
}
//----------------------------------------------------------------------------
//
//  Function:     printfmask
//
//  Synopsis:     prints the access mask
//
//  Arguments:    IN [mask]    - the access mask
//                IN [acetype] -  allowed/denied
//                IN [fdir]    - TRUE = directory
//
//----------------------------------------------------------------------------
CHAR  *aRightsStr[] = { "STANDARD_RIGHTS_ALL",
                        "DELETE",
                        "READ_CONTROL",
                        "WRITE_DAC",
                        "WRITE_OWNER",
                        "SYNCHRONIZE",
                        "STANDARD_RIGHTS_REQUIRED",
                        "SPECIFIC_RIGHTS_ALL",
                        "ACCESS_SYSTEM_SECURITY",
                        "MAXIMUM_ALLOWED",
                        "GENERIC_READ",
                        "GENERIC_WRITE",
                        "GENERIC_EXECUTE",
                        "GENERIC_ALL",
                        "FILE_GENERIC_READ",
                        "FILE_GENERIC_WRITE",
                        "FILE_GENERIC_EXECUTE",
                        "FILE_READ_DATA",
                        //FILE_LIST_DIRECTORY
                        "FILE_WRITE_DATA",
                        //FILE_ADD_FILE
                        "FILE_APPEND_DATA",
                        //FILE_ADD_SUBDIRECTORY
                        "FILE_READ_EA",
                        "FILE_WRITE_EA",
                        "FILE_EXECUTE",
                        //FILE_TRAVERSE
                        "FILE_DELETE_CHILD",
                        "FILE_READ_ATTRIBUTES",
                        "FILE_WRITE_ATTRIBUTES" };

#define NUMRIGHTS 26
ULONG aRights[NUMRIGHTS] = { STANDARD_RIGHTS_ALL  ,
                         DELETE                   ,
                         READ_CONTROL             ,
                         WRITE_DAC                ,
                         WRITE_OWNER              ,
                         SYNCHRONIZE              ,
                         STANDARD_RIGHTS_REQUIRED ,
                         SPECIFIC_RIGHTS_ALL      ,
                         ACCESS_SYSTEM_SECURITY   ,
                         MAXIMUM_ALLOWED          ,
                         GENERIC_READ             ,
                         GENERIC_WRITE            ,
                         GENERIC_EXECUTE          ,
                         GENERIC_ALL              ,
                         FILE_GENERIC_READ        ,
                         FILE_GENERIC_WRITE       ,
                         FILE_GENERIC_EXECUTE     ,
                         FILE_READ_DATA           ,
                         //FILE_LIST_DIRECTORY    ,
                         FILE_WRITE_DATA          ,
                         //FILE_ADD_FILE          ,
                         FILE_APPEND_DATA         ,
                         //FILE_ADD_SUBDIRECTORY  ,
                         FILE_READ_EA             ,
                         FILE_WRITE_EA            ,
                         FILE_EXECUTE             ,
                         //FILE_TRAVERSE          ,
                         FILE_DELETE_CHILD        ,
                         FILE_READ_ATTRIBUTES     ,
                         FILE_WRITE_ATTRIBUTES  };

void printfmask(ULONG mask, UCHAR acetype, BOOL fdir, ULONG outputoffset)
{
    ULONG savmask = mask;
    VERBOSER((stderr, "mask = %08lx ", mask))
    DISPLAY_MASK((stderr, "mask = %08lx\n", mask))

    VERBOSE((stderr, "    "))

#if DBG
    if (!(Debug & (DEBUG_VERBOSE | DEBUG_DISPLAY_MASK)))
    {
#endif
        if ((acetype == ACCESS_ALLOWED_ACE_TYPE) &&
                   (mask == (FILE_GENERIC_READ | FILE_EXECUTE)))
        {
            printmessage(stdout, MSG_CACLS_READ, NULL);
        } else if ((acetype == ACCESS_ALLOWED_ACE_TYPE) &&
                   (mask == (FILE_GENERIC_WRITE | FILE_GENERIC_READ | FILE_EXECUTE | DELETE)))
        {
            printmessage(stdout, MSG_CACLS_CHANGE, NULL);
        } else if ((acetype == ACCESS_ALLOWED_ACE_TYPE) &&
                   (mask == (GENERIC_WRITE | GENERIC_READ | GENERIC_EXECUTE | DELETE)))
        {
            printmessage(stdout, MSG_CACLS_CHANGE, NULL);
        } else if ((acetype == ACCESS_ALLOWED_ACE_TYPE) &&
                   (mask ==  ( STANDARD_RIGHTS_ALL |
                             FILE_READ_DATA |
                             FILE_WRITE_DATA |
                             FILE_APPEND_DATA |
                             FILE_READ_EA |
                             FILE_WRITE_EA |
                             FILE_EXECUTE |
                             FILE_DELETE_CHILD |
                             FILE_READ_ATTRIBUTES |
                             FILE_WRITE_ATTRIBUTES )) )
        {
            printmessage(stdout, MSG_CACLS_FULL_CONTROL, NULL);
        } else if ((acetype == ACCESS_ALLOWED_ACE_TYPE) &&
                   (mask ==  GENERIC_ALL))
        {
            printmessage(stdout, MSG_CACLS_FULL_CONTROL, NULL);
        } else if ((acetype == ACCESS_DENIED_ACE_TYPE) &&
                   (mask == GENERIC_ALL))
        {
            printmessage(stdout, MSG_CACLS_NONE, NULL);
        } else if ((acetype == ACCESS_DENIED_ACE_TYPE) &&
                   (mask ==  ( STANDARD_RIGHTS_ALL |
                             FILE_READ_DATA |
                             FILE_WRITE_DATA |
                             FILE_APPEND_DATA |
                             FILE_READ_EA |
                             FILE_WRITE_EA |
                             FILE_EXECUTE |
                             FILE_DELETE_CHILD |
                             FILE_READ_ATTRIBUTES |
                             FILE_WRITE_ATTRIBUTES )) )
        {
            printmessage(stdout, MSG_CACLS_NONE, NULL);
        } else
        {
            if (acetype == ACCESS_DENIED_ACE_TYPE)
                printmessage(stdout, MSG_CACLS_DENY, NULL);

            printmessage(stdout, MSG_CACLS_SPECIAL_ACCESS, NULL);

            for (int k = 0; k<NUMRIGHTS ; k++ )
            {
                if ((mask & aRights[k]) == aRights[k])
                {
                    fprintf(stdout, "%*s%s\n",outputoffset, " ", aRightsStr[k]);
                }
                if (mask == 0)
                    break;
            }
        }
#if DBG
    } else
    {
        if (Debug & (DEBUG_DISPLAY_MASK | DEBUG_VERBOSE))
        {
            printf("\n");
            for (int k = 0; k<NUMRIGHTS ; k++ )
            {
                if ((mask & aRights[k]) == aRights[k])
                {
                    if (mask != savmask) printf(" |\n");
                    printf("    %s",aRightsStr[k]);
                    mask &= ~aRights[k];
                }
                if (mask == 0)
                break;
            }
        }
        VERBOSE((stderr, "=%x",mask))
        if (mask != 0)
            DISPLAY((stderr, "=%x/%x",mask,savmask))
    }
#endif
    fprintf(stdout, " ");
}
//----------------------------------------------------------------------------
//
//  Function:     printmessage
//
//  Synopsis:     prints a message, either from the local message file, or from the system
//
//  Arguments:    IN [fp]    - stderr, stdio, etc.
//                IN [messageID] - variable argument list
//
//  Returns:      length of the output buffer
//
//----------------------------------------------------------------------------
ULONG
__cdecl
printmessage (FILE* fp, DWORD messageID, ...)
{
    WCHAR  messagebuffer[4096];
    va_list ap;

    va_start(ap, messageID);

    if (!FormatMessage(FORMAT_MESSAGE_FROM_HMODULE, NULL, messageID, 0,
                      messagebuffer, 4095, &ap))
       FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, NULL, messageID, 0,
                        messagebuffer, 4095, &ap);

    CHAR achOem[2048];
    WideCharToMultiByte(CP_OEMCP,
                        0,
                        messagebuffer,
                        -1,
                        achOem,
                        sizeof(achOem),
                        NULL,
                        NULL);

    fprintf(fp,  achOem);
    va_end(ap);

    return(wcslen(messagebuffer));
}