1 # Unix SMB/CIFS implementation. Tests for NT and posix ACL manipulation
2 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
3 # Copyright (C) Andrew Bartlett 2012
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 """Tests for the Samba3 NT -> posix ACL layer"""
21 from samba.ntacls import setntacl, getntacl, checkset_backend
22 from samba.dcerpc import xattr, security, smb_acl, idmap
23 from samba.param import LoadParm
24 from samba.tests import TestCaseInTempDir
25 from samba import provision
26 import random
27 import os
28 from samba.samba3 import smbd, passdb
29 from samba.samba3 import param as s3param
31 # To print a posix ACL use:
32 # for entry in posix_acl.acl:
33 # print "a_type: %d" % entry.a_type
34 # print "a_perm: %o" % entry.a_perm
35 # print "uid: %d" % entry.uid
36 # print "gid: %d" % entry.gid
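class PosixAclMappingTests(TestCaseInTempDir):
    """Tests for the Samba3 NT ACL <-> POSIX ACL mapping layer.

    Every test runs against a fresh temporary file (``self.tempf``) inside a
    fresh temporary directory (``self.tempdir``).  ``setUp`` points the
    ``xattr_tdb`` backend at a private tdb in that directory, so ACL state
    cannot leak between tests, and ``tearDown`` removes both again.

    Two access paths are exercised.  ``use_ntvfs=True`` /
    ``direct_db_access=True`` read and write the xattr database directly.
    ``use_ntvfs=False`` / ``direct_db_access=False`` go through smbd, which
    stores a hash over the POSIX ACL next to the NT ACL: while the hash is
    valid the stored NT ACL is returned, once the POSIX side has changed an
    ACL mapped from the mode/POSIX ACL is returned instead.
    """

    # Domain SID shared by all SDDL fixtures below.  RID 512 is Domain
    # Admins and RID 513 is Domain Users.
    DOMAIN_SID = "S-1-5-21-2212615479-2695158682-2101375467"

    # Full control for Domain Admins, inherited by files and sub-directories.
    ACL = "O:%s-512G:%s-513D:(A;OICI;0x001f01ff;;;%s-512)" % (
        DOMAIN_SID, DOMAIN_SID, DOMAIN_SID)

    # SDDL that smbd derives from a plain mode once the stored NT ACL is no
    # longer trusted: owner, group and "everyone" entries, no inheritance.
    ACL_FROM_MODE_0750 = (
        "O:%s-512G:%s-513D:(A;;0x001f01ff;;;%s-512)(A;;0x001200a9;;;%s-513)"
        "(A;;;;;WD)" % (DOMAIN_SID, DOMAIN_SID, DOMAIN_SID, DOMAIN_SID))
    ACL_FROM_MODE_0640 = (
        "O:%s-512G:%s-513D:(A;;0x001f019f;;;%s-512)(A;;0x00120089;;;%s-513)"
        "(A;;;;;WD)" % (DOMAIN_SID, DOMAIN_SID, DOMAIN_SID, DOMAIN_SID))
    # As ACL_FROM_MODE_0640, plus a read entry for BUILTIN\Administrators.
    ACL_FROM_MODE_0640_BA = (
        "O:%s-512G:%s-513D:(A;;0x001f019f;;;%s-512)(A;;0x00120089;;;BA)"
        "(A;;0x00120089;;;%s-513)(A;;;;;WD)" % (
            DOMAIN_SID, DOMAIN_SID, DOMAIN_SID, DOMAIN_SID))

    # ------------------------------------------------------------------
    # helpers
    # ------------------------------------------------------------------

    def _passdb(self):
        """Open the passdb backend configured in this test's loadparm."""
        return passdb.PDB(self.lp.get("passdb backend"))

    def _sid_to_id(self, s4_passdb, sid, expected_type):
        """Map *sid* to a unix id and assert the id type passdb reports.

        The type expectations are correct for the current plugin_s4_dc
        selftest configuration; when other environments map a broader range
        of groups via passdb some of them can be relaxed.
        """
        (unix_id, id_type) = s4_passdb.sid_to_id(sid)
        self.assertEqual(id_type, expected_type)
        return unix_id

    def _assert_ntacl_sddl(self, facl, expected, domsid=None):
        """Assert that *facl* renders as the SDDL string *expected*.

        Rendering relative to SID_NT_SELF (the default) keeps full SIDs in
        the output, which is what the literal fixtures above contain; tests
        whose fixture uses domain-relative aliases such as DA/DU pass the
        real domain SID instead.
        """
        if domsid is None:
            domsid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(facl.as_sddl(domsid), expected)

    def _fake_posix_acl_xattr(self):
        """Overwrite the cached POSIX ACL xattr on the test file.

        The POSIX ACL is part of the hash stored with the NT ACL, so this
        is the cheapest way to make that hash stale without touching the
        file mode.
        """
        (backend_obj, dbname) = checkset_backend(self.lp, None, None)
        backend_obj.wrap_setxattr(dbname,
                                  self.tempf, "system.fake_access_acl", "")

    def _assert_posix_entry(self, posix_acl, index, a_type, a_perm,
                            uid=None, gid=None):
        """Check one entry of a POSIX ACL returned by smbd.get_sys_acl().

        ``uid``/``gid`` are only compared when given, because only
        SMB_ACL_USER / SMB_ACL_GROUP entries carry a meaningful qualifier.
        """
        entry = posix_acl.acl[index]
        self.assertEqual(entry.a_type, a_type)
        self.assertEqual(entry.a_perm, a_perm)
        if uid is not None:
            self.assertEqual(entry.info.uid, uid)
        if gid is not None:
            self.assertEqual(entry.info.gid, gid)

    def _assert_simple_posix_acl(self, posix_acl, user_perm, group_perm,
                                 other_perm, mask_perm):
        """Check the four-entry ACL smbd.set_simple_acl() writes for a mode."""
        self.assertEqual(posix_acl.count, 4)
        self._assert_posix_entry(posix_acl, 0, smb_acl.SMB_ACL_USER_OBJ,
                                 user_perm)
        self._assert_posix_entry(posix_acl, 1, smb_acl.SMB_ACL_GROUP_OBJ,
                                 group_perm)
        self._assert_posix_entry(posix_acl, 2, smb_acl.SMB_ACL_OTHER,
                                 other_perm)
        self._assert_posix_entry(posix_acl, 3, smb_acl.SMB_ACL_MASK,
                                 mask_perm)

    def _set_provision_ntacl(self, path, acl):
        """Apply a provision-time ACL to *path* via smbd.

        Asserts that the NT ACL reads back identically (rendered relative
        to the domain SID, so aliases in the fixture survive) and returns
        ``(posix_acl, domsid)`` for checking the POSIX side.
        """
        domsid = passdb.get_global_sam_sid()
        setntacl(self.lp, path, acl, str(domsid), use_ntvfs=False)
        facl = getntacl(self.lp, path)
        self._assert_ntacl_sddl(facl, acl, domsid)
        posix_acl = smbd.get_sys_acl(path, smb_acl.SMB_ACL_TYPE_ACCESS)
        return posix_acl, domsid

    def _resolve_provision_ids(self, domsid, with_policy_admins=False):
        """Resolve the unix ids behind the SIDs named by SYSVOL/POLICIES ACLs.

        Returns a dict keyed ``LA``, ``BA``, ``SO``, ``SY``, ``AU`` (and
        ``PA`` when requested) holding the uid or gid passdb maps each SID
        to, asserting the id type on the way.
        """
        s4_passdb = self._passdb()

        def domain_rid_sid(rid):
            return security.dom_sid(str(domsid) + "-" + str(rid))

        ids = {}
        ids["LA"] = self._sid_to_id(
            s4_passdb, domain_rid_sid(security.DOMAIN_RID_ADMINISTRATOR),
            idmap.ID_TYPE_UID)
        ids["BA"] = self._sid_to_id(
            s4_passdb, security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS),
            idmap.ID_TYPE_BOTH)
        ids["SO"] = self._sid_to_id(
            s4_passdb,
            security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS),
            idmap.ID_TYPE_BOTH)
        # NOTE(review): the previous version of these tests re-checked the
        # Server Operators type here instead of the SYSTEM one.  The POSIX
        # ACL below uses SY as a gid, so ID_TYPE_BOTH is asserted; confirm
        # against the selftest idmap configuration if this ever trips.
        ids["SY"] = self._sid_to_id(
            s4_passdb, security.dom_sid(security.SID_NT_SYSTEM),
            idmap.ID_TYPE_BOTH)
        ids["AU"] = self._sid_to_id(
            s4_passdb,
            security.dom_sid(security.SID_NT_AUTHENTICATED_USERS),
            idmap.ID_TYPE_BOTH)
        if with_policy_admins:
            ids["PA"] = self._sid_to_id(
                s4_passdb,
                domain_rid_sid(security.DOMAIN_RID_POLICY_ADMINS),
                idmap.ID_TYPE_BOTH)
        return ids

    def _assert_provision_posix_acl(self, posix_acl, ids, owner_perm):
        """Check the POSIX ACL smbd writes for SYSVOL_ACL / POLICIES_ACL.

        The entry order is the NDR order of ``smb_acl`` (not re-ordered for
        display).  *owner_perm* is 6 (rw-) for files and 7 (rwx) for
        directories; a Policy Admins group entry is expected only when
        ``ids`` carries a ``PA`` key (POLICIES_ACL).
        """
        expected = [
            (smb_acl.SMB_ACL_GROUP, 7, None, ids["BA"]),
            (smb_acl.SMB_ACL_USER, owner_perm, ids["LA"], None),
            (smb_acl.SMB_ACL_OTHER, 0, None, None),
            (smb_acl.SMB_ACL_USER_OBJ, owner_perm, None, None),
            (smb_acl.SMB_ACL_GROUP_OBJ, 7, None, None),
            (smb_acl.SMB_ACL_GROUP, 5, None, ids["SO"]),
            (smb_acl.SMB_ACL_GROUP, 7, None, ids["SY"]),
            (smb_acl.SMB_ACL_GROUP, 5, None, ids["AU"]),
        ]
        if "PA" in ids:
            expected.append((smb_acl.SMB_ACL_GROUP, 7, None, ids["PA"]))
        expected.append((smb_acl.SMB_ACL_MASK, 7, None, None))

        self.assertEqual(posix_acl.count, len(expected))
        for index, (a_type, a_perm, uid, gid) in enumerate(expected):
            self._assert_posix_entry(posix_acl, index, a_type, a_perm,
                                     uid=uid, gid=gid)

    # ------------------------------------------------------------------
    # NT ACL round trips
    # ------------------------------------------------------------------

    def test_setntacl(self):
        """setntacl() through smbd (use_ntvfs=False) completes without error."""
        setntacl(self.lp, self.tempf, self.ACL, self.DOMAIN_SID,
                 use_ntvfs=False)

    def test_setntacl_smbd_getntacl(self):
        """An ACL stored via ntvfs is read back unchanged from the xattr db."""
        setntacl(self.lp, self.tempf, self.ACL, self.DOMAIN_SID,
                 use_ntvfs=True)
        facl = getntacl(self.lp, self.tempf, direct_db_access=True)
        self._assert_ntacl_sddl(facl, self.ACL)

    def test_setntacl_smbd_setposixacl_getntacl(self):
        """Changing the POSIX ACL invalidates an ntvfs-stored NT ACL."""
        setntacl(self.lp, self.tempf, self.ACL, self.DOMAIN_SID,
                 use_ntvfs=True)

        # The POSIX ACL set code has a hook that invalidates the stored ACL.
        smbd.set_simple_acl(self.tempf, 0o640)

        # Direct DB access only asks the xattr, which no longer holds a
        # usable ACL, so the lookup fails instead of returning stale data.
        self.assertRaises(TypeError, getntacl, self.lp, self.tempf,
                          direct_db_access=True)

    def test_setntacl_invalidate_getntacl(self):
        """A stale hash is not noticed when the DB is read directly."""
        setntacl(self.lp, self.tempf, self.ACL, self.DOMAIN_SID,
                 use_ntvfs=True)

        # This should invalidate the ACL, as the POSIX ACL is in the hash...
        self._fake_posix_acl_xattr()

        # ...however direct DB access does not re-check the hash.
        facl = getntacl(self.lp, self.tempf, direct_db_access=True)
        self._assert_ntacl_sddl(facl, self.ACL)

    def test_setntacl_invalidate_getntacl_smbd(self):
        """An smbd-stored ACL is still returned by a default getntacl()."""
        setntacl(self.lp, self.tempf, self.ACL, self.DOMAIN_SID,
                 use_ntvfs=False)

        # This should invalidate the ACL, as the POSIX ACL is in the hash.
        self._fake_posix_acl_xattr()

        # getntacl() is called with its default access mode here, which
        # (as in test_setntacl_invalidate_getntacl) does not re-validate the
        # hash, so the stored ACL rather than a mode-derived one comes back.
        facl = getntacl(self.lp, self.tempf)
        self._assert_ntacl_sddl(facl, self.ACL)

    def test_setntacl_smbd_invalidate_getntacl_smbd(self):
        """Through smbd, a stale hash yields an ACL derived from the mode."""
        os.chmod(self.tempf, 0o750)
        setntacl(self.lp, self.tempf, self.ACL, self.DOMAIN_SID,
                 use_ntvfs=False)

        # This should invalidate the ACL, as the POSIX ACL is in the hash.
        self._fake_posix_acl_xattr()

        # The hash breaks, so smbd returns an ACL based only on the mode.
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        self._assert_ntacl_sddl(facl, self.ACL_FROM_MODE_0750)

    def test_setntacl_smbd_dont_invalidate_getntacl_smbd(self):
        """Changing the POSIX->SD mapping alone must not invalidate the hash."""
        os.chmod(self.tempf, 0o750)
        setntacl(self.lp, self.tempf, self.ACL, self.DOMAIN_SID,
                 use_ntvfs=False)

        # Influence the POSIX ACL -> SD mapping so it would return something
        # other than what was set.  The hash covers the POSIX ACL, not the
        # mapping, so the complete stored ACL must still be returned.
        self.lp.set("profile acls", "yes")
        try:
            facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        finally:
            self.lp.set("profile acls", "no")
        self._assert_ntacl_sddl(facl, self.ACL)

    def test_setntacl_getntacl_smbd(self):
        """An ntvfs-stored ACL is visible through the smbd read path."""
        setntacl(self.lp, self.tempf, self.ACL, self.DOMAIN_SID,
                 use_ntvfs=True)
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        self._assert_ntacl_sddl(facl, self.ACL)

    def test_setntacl_smbd_getntacl_smbd(self):
        """An smbd-stored ACL round-trips through the smbd read path."""
        setntacl(self.lp, self.tempf, self.ACL, self.DOMAIN_SID,
                 use_ntvfs=False)
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        self._assert_ntacl_sddl(facl, self.ACL)

    def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
        """A POSIX ACL change makes smbd fall back to a mode-derived ACL."""
        setntacl(self.lp, self.tempf, self.ACL, self.DOMAIN_SID,
                 use_ntvfs=False)
        # The hook in the POSIX ACL set code invalidates the stored hash.
        smbd.set_simple_acl(self.tempf, 0o640)
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        self._assert_ntacl_sddl(facl, self.ACL_FROM_MODE_0640)

    def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self):
        """An extra POSIX group entry shows up in the mode-derived ACL."""
        ba_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        setntacl(self.lp, self.tempf, self.ACL, self.DOMAIN_SID,
                 use_ntvfs=False)
        # The hook in the POSIX ACL set code invalidates the stored hash.
        (ba_gid, _ba_type) = self._passdb().sid_to_id(ba_sid)
        smbd.set_simple_acl(self.tempf, 0o640, ba_gid)

        # smbd re-calculates an ACL from the POSIX details.
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        self._assert_ntacl_sddl(facl, self.ACL_FROM_MODE_0640_BA)

    def test_setntacl_smbd_getntacl_smbd_gpo(self):
        """A GPO-style ACL with aliases and object ACEs round-trips via smbd."""
        acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
        setntacl(self.lp, self.tempf, acl, self.DOMAIN_SID, use_ntvfs=False)
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        # Rendered against the domain SID so DA/DU aliases match the input.
        self._assert_ntacl_sddl(facl, acl, security.dom_sid(self.DOMAIN_SID))

    def test_setntacl_getposixacl(self):
        """Setting an NT ACL leaves a readable POSIX access ACL behind."""
        setntacl(self.lp, self.tempf, self.ACL, self.DOMAIN_SID,
                 use_ntvfs=False)
        facl = getntacl(self.lp, self.tempf)
        self._assert_ntacl_sddl(facl, self.ACL)
        posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
        self.assertIsNotNone(posix_acl)

    # ------------------------------------------------------------------
    # POSIX ACL round trips
    # ------------------------------------------------------------------

    def test_setposixacl_getposixacl(self):
        """set_simple_acl(0640) on a file yields user rw-, group r--, mask rwx.

        An earlier duplicate of this test (expecting a mask of 6) was
        shadowed by this definition and never ran; only this one is kept.
        """
        smbd.set_simple_acl(self.tempf, 0o640)
        posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
        self._assert_simple_posix_acl(posix_acl, 6, 4, 0, 7)

    def test_setposixacl_getntacl(self):
        """Without a stored NT ACL, a direct DB read fails rather than guesses."""
        smbd.set_simple_acl(self.tempf, 0o750)
        # We don't expect the xattr to be filled in in this case.
        self.assertRaises(TypeError, getntacl, self.lp, self.tempf)

    def test_setposixacl_getntacl_smbd(self):
        """smbd maps a plain 0640 POSIX ACL to owner/group/everyone ACEs."""
        s4_passdb = self._passdb()
        st = os.stat(self.tempf)
        group_sid = s4_passdb.gid_to_sid(st.st_gid)
        user_sid = s4_passdb.uid_to_sid(st.st_uid)
        smbd.set_simple_acl(self.tempf, 0o640)
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;;;;WD)" % (user_sid, group_sid, user_sid, group_sid)
        self._assert_ntacl_sddl(facl, acl)

    def test_setposixacl_dir_getntacl_smbd(self):
        """A directory owned by BA:SO maps to alias ACEs plus inherit-only ACEs."""
        s4_passdb = self._passdb()
        ba_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        ba_id = self._sid_to_id(s4_passdb, ba_sid, idmap.ID_TYPE_BOTH)
        so_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
        so_id = self._sid_to_id(s4_passdb, so_sid, idmap.ID_TYPE_BOTH)
        smbd.chown(self.tempdir, ba_id, so_id)
        smbd.set_simple_acl(self.tempdir, 0o750)
        facl = getntacl(self.lp, self.tempdir, direct_db_access=False)
        acl = "O:BAG:SOD:(A;;0x001f01ff;;;BA)(A;;0x001200a9;;;SO)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001f01ff;;;CG)(A;OICIIO;0x001f01ff;;;WD)"
        self._assert_ntacl_sddl(facl, acl)

    def test_setposixacl_group_getntacl_smbd(self):
        """An additional BA group entry appears as a BA ACE in the mapping."""
        ba_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        s4_passdb = self._passdb()
        ba_gid = self._sid_to_id(s4_passdb, ba_sid, idmap.ID_TYPE_BOTH)
        st = os.stat(self.tempf)
        group_sid = s4_passdb.gid_to_sid(st.st_gid)
        user_sid = s4_passdb.uid_to_sid(st.st_uid)
        smbd.set_simple_acl(self.tempf, 0o640, ba_gid)
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;;;;WD)" % (user_sid, group_sid, user_sid, group_sid)
        self._assert_ntacl_sddl(facl, acl)

    def test_setposixacl_dir_getposixacl(self):
        """set_simple_acl(0750) on a directory yields rwx / r-x / --- / mask rwx."""
        smbd.set_simple_acl(self.tempdir, 0o750)
        posix_acl = smbd.get_sys_acl(self.tempdir,
                                     smb_acl.SMB_ACL_TYPE_ACCESS)
        self._assert_simple_posix_acl(posix_acl, 7, 5, 0, 7)

    def test_setposixacl_group_getposixacl(self):
        """set_simple_acl() with an extra gid adds a named group entry."""
        ba_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        ba_gid = self._sid_to_id(self._passdb(), ba_sid, idmap.ID_TYPE_BOTH)
        smbd.set_simple_acl(self.tempf, 0o670, ba_gid)
        posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

        self.assertEqual(posix_acl.count, 5)
        self._assert_posix_entry(posix_acl, 0, smb_acl.SMB_ACL_USER_OBJ, 6)
        self._assert_posix_entry(posix_acl, 1, smb_acl.SMB_ACL_GROUP_OBJ, 7)
        self._assert_posix_entry(posix_acl, 2, smb_acl.SMB_ACL_OTHER, 0)
        self._assert_posix_entry(posix_acl, 3, smb_acl.SMB_ACL_GROUP, 7,
                                 gid=ba_gid)
        self._assert_posix_entry(posix_acl, 4, smb_acl.SMB_ACL_MASK, 7)

    # ------------------------------------------------------------------
    # provision-time ACLs (SYSVOL / Policies)
    # ------------------------------------------------------------------

    def test_setntacl_sysvol_check_getposixacl(self):
        """SYSVOL_ACL on a file becomes a nine-entry POSIX ACL.

        In getfacl form it should match:
            user::rw-
            user:root:rw-            (selftest user actually)
            group::rwx
            group:Local Admins:rwx
            group:3000000:r-x
            group:3000001:rwx
            group:3000002:r-x
            mask::rwx
            other::---
        """
        posix_acl, domsid = self._set_provision_ntacl(self.tempf,
                                                      provision.SYSVOL_ACL)
        ids = self._resolve_provision_ids(domsid)
        self._assert_provision_posix_acl(posix_acl, ids, owner_perm=6)

    def test_setntacl_sysvol_dir_check_getposixacl(self):
        """SYSVOL_ACL on a directory becomes a nine-entry POSIX ACL.

        In getfacl form it should match:
            user::rwx
            user:root:rwx            (selftest user actually)
            group::rwx
            group:3000000:rwx
            group:3000001:r-x
            group:3000002:rwx
            group:3000003:r-x
            mask::rwx
            other::---
        """
        posix_acl, domsid = self._set_provision_ntacl(self.tempdir,
                                                      provision.SYSVOL_ACL)
        ids = self._resolve_provision_ids(domsid)
        self._assert_provision_posix_acl(posix_acl, ids, owner_perm=7)

    def test_setntacl_policies_dir_check_getposixacl(self):
        """POLICIES_ACL on a directory adds a Policy Admins group entry.

        In getfacl form it should match:
            user::rwx
            user:root:rwx            (selftest user actually)
            group::rwx
            group:3000000:rwx
            group:3000001:r-x
            group:3000002:rwx
            group:3000003:r-x
            group:3000004:rwx
            mask::rwx
            other::---
        """
        posix_acl, domsid = self._set_provision_ntacl(self.tempdir,
                                                      provision.POLICIES_ACL)
        ids = self._resolve_provision_ids(domsid, with_policy_admins=True)
        self._assert_provision_posix_acl(posix_acl, ids, owner_perm=7)

    def test_setntacl_policies_check_getposixacl(self):
        """POLICIES_ACL on a file adds a Policy Admins group entry.

        In getfacl form it should match:
            user::rw-
            user:root:rw-            (selftest user actually)
            group::rwx
            group:Local Admins:rwx
            group:3000000:r-x
            group:3000001:rwx
            group:3000002:r-x
            group:3000003:rwx
            mask::rwx
            other::---
        """
        posix_acl, domsid = self._set_provision_ntacl(self.tempf,
                                                      provision.POLICIES_ACL)
        ids = self._resolve_provision_ids(domsid, with_policy_admins=True)
        self._assert_provision_posix_acl(posix_acl, ids, owner_perm=6)

    # ------------------------------------------------------------------
    # fixture
    # ------------------------------------------------------------------

    def setUp(self):
        """Create the test file and point the xattr_tdb backend into tempdir."""
        super(PosixAclMappingTests, self).setUp()
        s3conf = s3param.get_context()
        s3conf.load(self.get_loadparm().configfile)
        # Keep the extended-attribute store private to this test run so ACL
        # state can neither leak out of nor be influenced from outside it.
        s3conf.set("xattr_tdb:file", os.path.join(self.tempdir, "xattr.tdb"))
        self.lp = s3conf
        self.tempf = os.path.join(self.tempdir, "test")
        with open(self.tempf, 'w') as f:
            f.write("empty")

    def tearDown(self):
        """Remove the test file and the private xattr store."""
        smbd.unlink(self.tempf)
        os.unlink(os.path.join(self.tempdir, "xattr.tdb"))
        super(PosixAclMappingTests, self).tearDown()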