1 # Unix SMB/CIFS implementation. Tests for NT and posix ACL manipulation
2 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
3 # Copyright (C) Andrew Bartlett 2012
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 """Tests for the Samba3 NT -> posix ACL layer"""
21 from samba.ntacls import setntacl, getntacl, checkset_backend
22 from samba.dcerpc import xattr, security, smb_acl, idmap
23 from samba.param import LoadParm
24 from samba.tests import TestCaseInTempDir
25 from samba import provision
26 import random
27 import os
28 from samba.samba3 import smbd, passdb
29 from samba.samba3 import param as s3param
31 # To print a posix ACL use:
32 # for entry in posix_acl.acl:
33 # print "a_type: %d" % entry.a_type
34 # print "a_perm: %o" % entry.a_perm
35 # print "uid: %d" % entry.uid
36 # print "gid: %d" % entry.gid
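class PosixAclMappingTests(TestCaseInTempDir):
    """Exercise the NT ACL <-> posix ACL mapping on a single temp file.

    Every test works on ``self.tempf`` (created in setUp) and drives the two
    storage paths of ``setntacl``/``getntacl``:

    * ``use_ntvfs=True`` stores the NT ACL straight into the xattr database;
    * ``use_ntvfs=False`` goes through the smbd VFS, which binds the stored
      NT ACL to a hash of the underlying posix ACL.

    ``getntacl(..., direct_db_access=False)`` re-validates that hash and falls
    back to an ACL synthesised from the posix mode/ACL when the posix side has
    changed underneath it -- the fail-safe behaviour these tests pin down.
    ``direct_db_access=True`` returns whatever is stored, so a stale NT ACL is
    *not* detected on that path (see the ``*_invalidate_*`` tests).

    The id-mapping expectations (``idmap.ID_TYPE_*``) are those of the
    ``plugin_s4_dc`` selftest environment.
    """

    # Domain SID of the selftest domain used by the fixed SDDL strings below.
    DOMAIN_SID = "S-1-5-21-2212615479-2695158682-2101375467"

    # Owner Domain Admins (RID 512), group Domain Users (RID 513), a single
    # inheritable full-control ACE for Domain Admins.
    ACL = "O:%s-512G:%s-513D:(A;OICI;0x001f01ff;;;%s-512)" % (
        DOMAIN_SID, DOMAIN_SID, DOMAIN_SID)

    # ACLs that getntacl() synthesises from the posix side once the stored NT
    # ACL has been invalidated.  Owner/group stay DA/DU; the ACEs follow the
    # mode bits (0750: owner rwx, group r-x; 0640: owner rw-, group r--) plus
    # a WRITE_OWNER (WO) ACE for Everyone (WD).
    ACL_FROM_MODE_0750 = (
        "O:%s-512G:%s-513D:(A;;0x001f01ff;;;%s-512)(A;;0x001200a9;;;%s-513)"
        "(A;;WO;;;WD)") % (DOMAIN_SID, DOMAIN_SID, DOMAIN_SID, DOMAIN_SID)
    ACL_FROM_MODE_0640 = (
        "O:%s-512G:%s-513D:(A;;0x001f019f;;;%s-512)(A;;0x00120089;;;%s-513)"
        "(A;;WO;;;WD)") % (DOMAIN_SID, DOMAIN_SID, DOMAIN_SID, DOMAIN_SID)
    # As ACL_FROM_MODE_0640, with the extra r-- entry for BUILTIN\Administrators
    # (BA) that set_simple_acl(..., BA_gid) adds as a named group.
    ACL_FROM_MODE_0640_BA = (
        "O:%s-512G:%s-513D:(A;;0x001f019f;;;%s-512)(A;;0x00120089;;;BA)"
        "(A;;0x00120089;;;%s-513)(A;;WO;;;WD)") % (DOMAIN_SID, DOMAIN_SID,
                                                  DOMAIN_SID, DOMAIN_SID)

    # A GPO-style ACL using SDDL aliases and a SACL; checked with the real
    # domain SID so the aliases round-trip.
    GPO_ACL = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"

    # ---- helpers -----------------------------------------------------

    def _get_passdb(self):
        """Return the passdb backend configured on the smbd (s3) side."""
        s3conf = s3param.get_context()
        return passdb.PDB(s3conf.get("passdb backend"))

    def _gid_for_sid(self, pdb, sid):
        """Map *sid* to a gid via passdb, insisting on an ID_TYPE_BOTH mapping.

        A SID that maps only to a uid (or not at all) must not silently be
        used as the gid of a posix ACL entry -- that would hand the entry to
        an unrelated principal -- so the mapping type is asserted first.
        """
        (gid, id_type) = pdb.sid_to_id(sid)
        self.assertEquals(id_type, idmap.ID_TYPE_BOTH)
        return gid

    def _fake_posix_acl_change(self, lp):
        """Make the posix ACL look changed to the hash check.

        Writes an empty ``system.fake_access_acl`` xattr through the xattr
        backend.  In the selftest environment this appears to be where the
        posix access ACL is kept (fake ACLs), so the hash stored next to the
        NT ACL no longer matches -- TODO confirm against the test smb.conf.
        The posix mode bits themselves are untouched.
        """
        (backend_obj, dbname) = checkset_backend(lp, None, None)
        backend_obj.wrap_setxattr(dbname, self.tempf,
                                  "system.fake_access_acl", "")

    def _assert_entry(self, entry, a_type, a_perm, uid=None, gid=None):
        """Check one smb_acl entry's type, permission bits and optional id.

        ``uid``/``gid`` are compared only when given (``is not None``), since
        uid 0 is a legitimate value for the selftest user.
        """
        self.assertEquals(entry.a_type, a_type)
        self.assertEquals(entry.a_perm, a_perm)
        if uid is not None:
            self.assertEquals(entry.info.uid, uid)
        if gid is not None:
            self.assertEquals(entry.info.gid, gid)

    def _assert_entries(self, posix_acl, expected):
        """Check *posix_acl* holds exactly the ``(a_type, a_perm, uid, gid)``
        tuples in *expected*, in NDR order (not getfacl's display order)."""
        self.assertEquals(posix_acl.count, len(expected))
        for i, (a_type, a_perm, uid, gid) in enumerate(expected):
            self._assert_entry(posix_acl.acl[i], a_type, a_perm, uid, gid)

    def _assert_simple_0640_acl(self, posix_acl):
        """Check the 4-entry access ACL that set_simple_acl(f, 0640) yields."""
        self._assert_entries(posix_acl, [
            (smb_acl.SMB_ACL_USER_OBJ, 6, None, None),
            (smb_acl.SMB_ACL_GROUP_OBJ, 4, None, None),
            (smb_acl.SMB_ACL_OTHER, 0, None, None),
            (smb_acl.SMB_ACL_MASK, 6, None, None),
        ])

    # ---- NT ACL store / read-back ------------------------------------

    def test_setntacl(self):
        """setntacl() via the smbd VFS path succeeds on a plain file."""
        lp = LoadParm()
        setntacl(lp, self.tempf, self.ACL, self.DOMAIN_SID, use_ntvfs=False)

    def test_setntacl_smbd_getntacl(self):
        """An ACL stored via the ntvfs path reads back unchanged from the DB."""
        lp = LoadParm()
        setntacl(lp, self.tempf, self.ACL, self.DOMAIN_SID, use_ntvfs=True)
        facl = getntacl(lp, self.tempf, direct_db_access=True)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(facl.as_sddl(anysid), self.ACL)

    def test_setntacl_smbd_setposixacl_getntacl(self):
        """Changing the posix ACL drops an NT ACL stored via the ntvfs path.

        set_simple_acl() runs the posix-ACL hook that invalidates the stored
        NT ACL; the direct DB read then finds no xattr and raises TypeError.
        """
        lp = LoadParm()
        setntacl(lp, self.tempf, self.ACL, self.DOMAIN_SID, use_ntvfs=True)
        smbd.set_simple_acl(self.tempf, 0640)
        self.assertRaises(TypeError, getntacl, lp, self.tempf,
                          direct_db_access=True)

    def test_setntacl_invalidate_getntacl(self):
        """A changed posix ACL xattr is NOT noticed by a direct DB read.

        The ntvfs store keeps no hash and direct_db_access=True does not
        re-validate, so the stored ACL comes back verbatim.
        """
        lp = LoadParm()
        setntacl(lp, self.tempf, self.ACL, self.DOMAIN_SID, use_ntvfs=True)
        self._fake_posix_acl_change(lp)
        facl = getntacl(lp, self.tempf, direct_db_access=True)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(self.ACL, facl.as_sddl(anysid))

    def test_setntacl_invalidate_getntacl_smbd(self):
        """A hash mismatch after a VFS-path store is not seen by the default
        getntacl() call.

        The ACL is stored hashed (use_ntvfs=False) and the posix ACL xattr is
        then changed.  getntacl() is called without direct_db_access=False;
        elsewhere in this file that form behaves like the direct DB read (it
        raises TypeError when the xattr is absent), so the mismatch is not
        checked and the stored ACL is returned unchanged -- confirm the
        default if this ever starts failing.
        """
        lp = LoadParm()
        setntacl(lp, self.tempf, self.ACL, self.DOMAIN_SID, use_ntvfs=False)
        self._fake_posix_acl_change(lp)
        facl = getntacl(lp, self.tempf)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(self.ACL, facl.as_sddl(anysid))

    def test_setntacl_smbd_invalidate_getntacl_smbd(self):
        """A hash mismatch makes the VFS read fall back to the mode-derived ACL."""
        lp = LoadParm()
        os.chmod(self.tempf, 0750)
        setntacl(lp, self.tempf, self.ACL, self.DOMAIN_SID, use_ntvfs=False)
        self._fake_posix_acl_change(lp)
        # The stored hash no longer matches: the NT ACL is discarded and an
        # ACL is synthesised from the 0750 mode instead (fail-safe).
        facl = getntacl(lp, self.tempf, direct_db_access=False)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(self.ACL_FROM_MODE_0750, facl.as_sddl(anysid))

    def test_setntacl_getntacl_smbd(self):
        """An ACL stored via the ntvfs path reads back through the VFS path."""
        lp = LoadParm()
        setntacl(lp, self.tempf, self.ACL, self.DOMAIN_SID, use_ntvfs=True)
        facl = getntacl(lp, self.tempf, direct_db_access=False)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(facl.as_sddl(anysid), self.ACL)

    def test_setntacl_smbd_getntacl_smbd(self):
        """An ACL stored via the VFS path reads back through the VFS path."""
        lp = LoadParm()
        setntacl(lp, self.tempf, self.ACL, self.DOMAIN_SID, use_ntvfs=False)
        facl = getntacl(lp, self.tempf, direct_db_access=False)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(facl.as_sddl(anysid), self.ACL)

    def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
        """set_simple_acl() after a VFS-path store yields the 0640 mode ACL.

        The posix-ACL set hook invalidates the hash of the NT ACL just
        stored, so the VFS read synthesises an ACL from the new mode.
        """
        lp = LoadParm()
        setntacl(lp, self.tempf, self.ACL, self.DOMAIN_SID, use_ntvfs=False)
        smbd.set_simple_acl(self.tempf, 0640)
        facl = getntacl(lp, self.tempf, direct_db_access=False)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(self.ACL_FROM_MODE_0640, facl.as_sddl(anysid))

    def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self):
        """As above, with an extra named-group entry for BUILTIN\\Administrators."""
        lp = LoadParm()
        setntacl(lp, self.tempf, self.ACL, self.DOMAIN_SID, use_ntvfs=False)
        pdb = self._get_passdb()
        BA_gid = self._gid_for_sid(
            pdb, security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS))
        # Invalidates the stored hash via the posix-ACL set hook.
        smbd.set_simple_acl(self.tempf, 0640, BA_gid)
        # The ACL is recalculated from the posix details, BA included.
        facl = getntacl(lp, self.tempf, direct_db_access=False)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(self.ACL_FROM_MODE_0640_BA, facl.as_sddl(anysid))

    def test_setntacl_smbd_getntacl_smbd_gpo(self):
        """A GPO-style ACL with SDDL aliases and a SACL round-trips via the VFS."""
        lp = LoadParm()
        setntacl(lp, self.tempf, self.GPO_ACL, self.DOMAIN_SID,
                 use_ntvfs=False)
        facl = getntacl(lp, self.tempf, direct_db_access=False)
        domsid = security.dom_sid(self.DOMAIN_SID)
        self.assertEquals(facl.as_sddl(domsid), self.GPO_ACL)

    def test_setntacl_getposixacl(self):
        """After a VFS-path store the NT ACL reads back and a posix access ACL
        is readable."""
        lp = LoadParm()
        setntacl(lp, self.tempf, self.ACL, self.DOMAIN_SID, use_ntvfs=False)
        facl = getntacl(lp, self.tempf)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(facl.as_sddl(anysid), self.ACL)
        posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
        # Every access ACL in this file carries at least USER_OBJ, GROUP_OBJ
        # and OTHER; anything smaller means get_sys_acl() returned garbage.
        self.assertTrue(posix_acl.count >= 3)

    # ---- posix ACL set / read-back -----------------------------------

    def test_setposixacl_getposixacl(self):
        """set_simple_acl(f, 0640) produces the expected 4-entry access ACL."""
        smbd.set_simple_acl(self.tempf, 0640)
        posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
        self._assert_simple_0640_acl(posix_acl)

    def test_setposixacl_getntacl(self):
        """A posix-only ACL leaves no NT ACL xattr: getntacl() raises TypeError."""
        lp = LoadParm()
        smbd.set_simple_acl(self.tempf, 0750)
        self.assertRaises(TypeError, getntacl, lp, self.tempf)

    def test_setposixacl_getntacl_smbd(self):
        """With no NT ACL stored, the VFS read synthesises one from the posix
        owner, group and 0640 mode."""
        lp = LoadParm()
        pdb = self._get_passdb()
        st = os.stat(self.tempf)
        group_SID = pdb.gid_to_sid(st.st_gid)
        user_SID = pdb.uid_to_sid(st.st_uid)
        smbd.set_simple_acl(self.tempf, 0640)
        facl = getntacl(lp, self.tempf, direct_db_access=False)
        acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(acl, facl.as_sddl(anysid))

    def test_setposixacl_group_getntacl_smbd(self):
        """As above, with a named-group entry for BUILTIN\\Administrators."""
        lp = LoadParm()
        pdb = self._get_passdb()
        BA_gid = self._gid_for_sid(
            pdb, security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS))
        st = os.stat(self.tempf)
        group_SID = pdb.gid_to_sid(st.st_gid)
        user_SID = pdb.uid_to_sid(st.st_uid)
        smbd.set_simple_acl(self.tempf, 0640, BA_gid)
        facl = getntacl(lp, self.tempf, direct_db_access=False)
        acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(acl, facl.as_sddl(anysid))

    def test_setposixacl_group_getposixacl(self):
        """set_simple_acl(f, 0670, BA_gid) adds a GROUP entry for BA."""
        pdb = self._get_passdb()
        BA_gid = self._gid_for_sid(
            pdb, security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS))
        smbd.set_simple_acl(self.tempf, 0670, BA_gid)
        posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
        self._assert_entries(posix_acl, [
            (smb_acl.SMB_ACL_USER_OBJ, 6, None, None),
            (smb_acl.SMB_ACL_GROUP_OBJ, 7, None, None),
            (smb_acl.SMB_ACL_OTHER, 0, None, None),
            (smb_acl.SMB_ACL_GROUP, 7, None, BA_gid),
            (smb_acl.SMB_ACL_MASK, 6, None, None),
        ])

    # ---- provisioning ACLs -------------------------------------------

    def test_setntacl_sysvol_check_getposixacl(self):
        """provision.SYSVOL_ACL maps to the expected posix access ACL."""
        lp = LoadParm()
        acl = provision.SYSVOL_ACL
        domsid = passdb.get_global_sam_sid()
        setntacl(lp, self.tempf, acl, str(domsid), use_ntvfs=False)
        facl = getntacl(lp, self.tempf)
        self.assertEquals(facl.as_sddl(domsid), acl)
        posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

        pdb = self._get_passdb()

        # These assertions are correct for the current plugin_s4_dc selftest
        # configuration.  When other environments map a broad range of
        # groups via passdb, some of these checks can be relaxed.
        LA_sid = security.dom_sid(
            str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
        (LA_uid, LA_type) = pdb.sid_to_id(LA_sid)
        self.assertEquals(LA_type, idmap.ID_TYPE_UID)
        BA_gid = self._gid_for_sid(
            pdb, security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS))
        SO_gid = self._gid_for_sid(
            pdb, security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS))
        # The mapping type of SY is now checked as well (the earlier version
        # re-checked SO_type here); BOTH is what the other well-known SIDs
        # map to in this environment.
        SY_gid = self._gid_for_sid(
            pdb, security.dom_sid(security.SID_NT_SYSTEM))
        AU_gid = self._gid_for_sid(
            pdb, security.dom_sid(security.SID_NT_AUTHENTICATED_USERS))

        # Order is the NDR smb_acl order, not getfacl's re-sorted display.
        self._assert_entries(posix_acl, [
            (smb_acl.SMB_ACL_GROUP, 7, None, BA_gid),
            (smb_acl.SMB_ACL_USER, 6, LA_uid, None),
            (smb_acl.SMB_ACL_OTHER, 0, None, None),
            (smb_acl.SMB_ACL_USER_OBJ, 6, None, None),
            (smb_acl.SMB_ACL_GROUP_OBJ, 7, None, None),
            (smb_acl.SMB_ACL_GROUP, 5, None, SO_gid),
            (smb_acl.SMB_ACL_GROUP, 7, None, SY_gid),
            (smb_acl.SMB_ACL_GROUP, 5, None, AU_gid),
            (smb_acl.SMB_ACL_MASK, 7, None, None),
        ])

    def test_setntacl_policies_check_getposixacl(self):
        """provision.POLICIES_ACL maps to the expected posix access ACL
        (SYSVOL's entries plus a GROUP entry for Group Policy Creator Owners)."""
        lp = LoadParm()
        acl = provision.POLICIES_ACL
        domsid = passdb.get_global_sam_sid()
        setntacl(lp, self.tempf, acl, str(domsid), use_ntvfs=False)
        facl = getntacl(lp, self.tempf)
        self.assertEquals(facl.as_sddl(domsid), acl)
        posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

        pdb = self._get_passdb()

        # These assertions are correct for the current plugin_s4_dc selftest
        # configuration.  When other environments map a broad range of
        # groups via passdb, some of these checks can be relaxed.
        LA_sid = security.dom_sid(
            str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
        (LA_uid, LA_type) = pdb.sid_to_id(LA_sid)
        self.assertEquals(LA_type, idmap.ID_TYPE_UID)
        BA_gid = self._gid_for_sid(
            pdb, security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS))
        SO_gid = self._gid_for_sid(
            pdb, security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS))
        # SY's mapping type is checked here too (the earlier version
        # re-checked SO_type at this point).
        SY_gid = self._gid_for_sid(
            pdb, security.dom_sid(security.SID_NT_SYSTEM))
        AU_gid = self._gid_for_sid(
            pdb, security.dom_sid(security.SID_NT_AUTHENTICATED_USERS))
        PA_sid = security.dom_sid(
            str(domsid) + "-" + str(security.DOMAIN_RID_POLICY_ADMINS))
        PA_gid = self._gid_for_sid(pdb, PA_sid)

        # Order is the NDR smb_acl order, not getfacl's re-sorted display.
        self._assert_entries(posix_acl, [
            (smb_acl.SMB_ACL_GROUP, 7, None, BA_gid),
            (smb_acl.SMB_ACL_USER, 6, LA_uid, None),
            (smb_acl.SMB_ACL_OTHER, 0, None, None),
            (smb_acl.SMB_ACL_USER_OBJ, 6, None, None),
            (smb_acl.SMB_ACL_GROUP_OBJ, 7, None, None),
            (smb_acl.SMB_ACL_GROUP, 5, None, SO_gid),
            (smb_acl.SMB_ACL_GROUP, 7, None, SY_gid),
            (smb_acl.SMB_ACL_GROUP, 5, None, AU_gid),
            (smb_acl.SMB_ACL_GROUP, 7, None, PA_gid),
            (smb_acl.SMB_ACL_MASK, 7, None, None),
        ])

    # ---- fixture -----------------------------------------------------

    def setUp(self):
        """Load the s3 loadparm from the test smb.conf and create the file
        under test inside the per-test temp dir."""
        super(PosixAclMappingTests, self).setUp()
        s3conf = s3param.get_context()
        s3conf.load(self.get_loadparm().configfile)
        self.tempf = os.path.join(self.tempdir, "test")
        # Close the handle deterministically rather than relying on refcount
        # finalisation, so no descriptor outlives setUp.
        f = open(self.tempf, 'w')
        try:
            f.write("empty")
        finally:
            f.close()

    def tearDown(self):
        """Remove the file under test before the temp dir is torn down."""
        smbd.unlink(self.tempf)
        super(PosixAclMappingTests, self).tearDown()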