1 # Unix SMB/CIFS implementation.
2 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
23 import samba
.xattr_native
, samba
.xattr_tdb
, samba
.posix_eadb
24 from samba
.dcerpc
import security
, xattr
25 from samba
.ndr
import ndr_pack
, ndr_unpack
26 from samba
.samba3
import smbd
28 class XattrBackendError(Exception):
29 """A generic xattr backend error."""
32 def checkset_backend(lp
, backend
, eadbfile
):
33 '''return the path to the eadb, or None'''
35 xattr_tdb
= lp
.get("xattr_tdb:file")
36 if xattr_tdb
is not None:
37 return (samba
.xattr_tdb
, lp
.get("xattr_tdb:file"))
38 posix_eadb
= lp
.get("posix:eadb")
39 if posix_eadb
is not None:
40 return (samba
.posix_eadb
, lp
.get("posix:eadb"))
42 elif backend
== "native":
44 elif backend
== "eadb":
45 if eadbfile
is not None:
46 return (samba
.posix_eadb
, eadbfile
)
48 return (samba
.posix_eadb
, os
.path
.abspath(os
.path
.join(lp
.get("private dir"), "eadb.tdb")))
49 elif backend
== "tdb":
50 if eadbfile
is not None:
51 return (samba
.xattr_tdb
, eadbfile
)
53 return (samba
.xattr_tdb
, os
.path
.abspath(os
.path
.join(lp
.get("state dir"), "xattr.tdb")))
55 raise XattrBackendError("Invalid xattr backend choice %s"%backend
)
58 def getntacl(lp
, file, backend
=None, eadbfile
=None):
60 (backend_obj
, dbname
) = checkset_backend(lp
, backend
, eadbfile
)
61 if dbname
is not None:
63 attribute
= backend_obj
.wrap_getxattr(dbname
, file,
64 xattr
.XATTR_NTACL_NAME
)
66 # FIXME: Don't catch all exceptions, just those related to opening
68 print "Fail to open %s" % dbname
69 attribute
= samba
.xattr_native
.wrap_getxattr(file,
70 xattr
.XATTR_NTACL_NAME
)
72 attribute
= samba
.xattr_native
.wrap_getxattr(file,
73 xattr
.XATTR_NTACL_NAME
)
74 ntacl
= ndr_unpack(xattr
.NTACL
, attribute
)
77 return smbd
.get_nt_acl(file)
80 def setntacl(lp
, file, sddl
, domsid
, backend
=None, eadbfile
=None, use_ntvfs
=True):
81 sid
= security
.dom_sid(domsid
)
82 sd
= security
.descriptor
.from_sddl(sddl
, sid
)
85 (backend_obj
, dbname
) = checkset_backend(lp
, backend
, eadbfile
)
89 if dbname
is not None:
91 backend_obj
.wrap_setxattr(dbname
,
92 file, xattr
.XATTR_NTACL_NAME
, ndr_pack(ntacl
))
94 # FIXME: Don't catch all exceptions, just those related to opening
96 print "Fail to open %s" % dbname
97 samba
.xattr_native
.wrap_setxattr(file, xattr
.XATTR_NTACL_NAME
,
100 samba
.xattr_native
.wrap_setxattr(file, xattr
.XATTR_NTACL_NAME
,
103 smbd
.set_nt_acl(file, security
.SECINFO_OWNER | security
.SECINFO_GROUP | security
.SECINFO_DACL
, sd
)
106 def ldapmask2filemask(ldm
):
107 """Takes the access mask of a DS ACE and transform them in a File ACE mask.
109 RIGHT_DS_CREATE_CHILD
= 0x00000001
110 RIGHT_DS_DELETE_CHILD
= 0x00000002
111 RIGHT_DS_LIST_CONTENTS
= 0x00000004
112 ACTRL_DS_SELF
= 0x00000008
113 RIGHT_DS_READ_PROPERTY
= 0x00000010
114 RIGHT_DS_WRITE_PROPERTY
= 0x00000020
115 RIGHT_DS_DELETE_TREE
= 0x00000040
116 RIGHT_DS_LIST_OBJECT
= 0x00000080
117 RIGHT_DS_CONTROL_ACCESS
= 0x00000100
118 FILE_READ_DATA
= 0x0001
119 FILE_LIST_DIRECTORY
= 0x0001
120 FILE_WRITE_DATA
= 0x0002
121 FILE_ADD_FILE
= 0x0002
122 FILE_APPEND_DATA
= 0x0004
123 FILE_ADD_SUBDIRECTORY
= 0x0004
124 FILE_CREATE_PIPE_INSTANCE
= 0x0004
125 FILE_READ_EA
= 0x0008
126 FILE_WRITE_EA
= 0x0010
127 FILE_EXECUTE
= 0x0020
128 FILE_TRAVERSE
= 0x0020
129 FILE_DELETE_CHILD
= 0x0040
130 FILE_READ_ATTRIBUTES
= 0x0080
131 FILE_WRITE_ATTRIBUTES
= 0x0100
133 READ_CONTROL
= 0x00020000
134 WRITE_DAC
= 0x00040000
135 WRITE_OWNER
= 0x00080000
136 SYNCHRONIZE
= 0x00100000
137 STANDARD_RIGHTS_ALL
= 0x001F0000
139 filemask
= ldm
& STANDARD_RIGHTS_ALL
141 if (ldm
& RIGHT_DS_READ_PROPERTY
) and (ldm
& RIGHT_DS_LIST_CONTENTS
):
142 filemask
= filemask |
(SYNCHRONIZE | FILE_LIST_DIRECTORY |\
143 FILE_READ_ATTRIBUTES | FILE_READ_EA |\
144 FILE_READ_DATA | FILE_EXECUTE
)
146 if ldm
& RIGHT_DS_WRITE_PROPERTY
:
147 filemask
= filemask |
(SYNCHRONIZE | FILE_WRITE_DATA |\
148 FILE_APPEND_DATA | FILE_WRITE_EA |\
149 FILE_WRITE_ATTRIBUTES | FILE_ADD_FILE |\
150 FILE_ADD_SUBDIRECTORY
)
152 if ldm
& RIGHT_DS_CREATE_CHILD
:
153 filemask
= filemask |
(FILE_ADD_SUBDIRECTORY | FILE_ADD_FILE
)
155 if ldm
& RIGHT_DS_DELETE_CHILD
:
156 filemask
= filemask | FILE_DELETE_CHILD
161 def dsacl2fsacl(dssddl
, domsid
):
164 This function takes an the SDDL representation of a DS
165 ACL and return the SDDL representation of this ACL adapted
166 for files. It's used for Policy object provision
168 sid
= security
.dom_sid(domsid
)
169 ref
= security
.descriptor
.from_sddl(dssddl
, sid
)
170 fdescr
= security
.descriptor()
171 fdescr
.owner_sid
= ref
.owner_sid
172 fdescr
.group_sid
= ref
.group_sid
173 fdescr
.type = ref
.type
174 fdescr
.revision
= ref
.revision
175 fdescr
.sacl
= ref
.sacl
177 for i
in range(0, len(aces
)):
179 if not ace
.type & security
.SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
and str(ace
.trustee
) != security
.SID_BUILTIN_PREW2K
:
180 # if fdescr.type & security.SEC_DESC_DACL_AUTO_INHERITED:
181 ace
.flags
= ace
.flags | security
.SEC_ACE_FLAG_OBJECT_INHERIT | security
.SEC_ACE_FLAG_CONTAINER_INHERIT
182 if str(ace
.trustee
) == security
.SID_CREATOR_OWNER
:
183 # For Creator/Owner the IO flag is set as this ACE has only a sense for child objects
184 ace
.flags
= ace
.flags | security
.SEC_ACE_FLAG_INHERIT_ONLY
185 ace
.access_mask
= ldapmask2filemask(ace
.access_mask
)
188 return fdescr
.as_sddl(sid
)
