docs:smbdotconf: fix type of "preferred master" parameter.
[Samba.git] / python / samba / ntacls.py
blob53438d84bffbc088e3aa0d177b728a2797407c05
1 # Unix SMB/CIFS implementation.
2 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 """NT Acls."""
22 import os
23 import samba.xattr_native, samba.xattr_tdb, samba.posix_eadb
24 from samba.dcerpc import security, xattr, idmap
25 from samba.ndr import ndr_pack, ndr_unpack
26 from samba.samba3 import smbd
28 class XattrBackendError(Exception):
29 """A generic xattr backend error."""
32 def checkset_backend(lp, backend, eadbfile):
33 '''return the path to the eadb, or None'''
34 if backend is None:
35 xattr_tdb = lp.get("xattr_tdb:file")
36 if xattr_tdb is not None:
37 return (samba.xattr_tdb, lp.get("xattr_tdb:file"))
38 posix_eadb = lp.get("posix:eadb")
39 if posix_eadb is not None:
40 return (samba.posix_eadb, lp.get("posix:eadb"))
41 return (None, None)
42 elif backend == "native":
43 return (None, None)
44 elif backend == "eadb":
45 if eadbfile is not None:
46 return (samba.posix_eadb, eadbfile)
47 else:
48 return (samba.posix_eadb, os.path.abspath(os.path.join(lp.get("private dir"), "eadb.tdb")))
49 elif backend == "tdb":
50 if eadbfile is not None:
51 return (samba.xattr_tdb, eadbfile)
52 else:
53 return (samba.xattr_tdb, os.path.abspath(os.path.join(lp.get("state dir"), "xattr.tdb")))
54 else:
55 raise XattrBackendError("Invalid xattr backend choice %s"%backend)
58 def getntacl(lp, file, backend=None, eadbfile=None, direct_db_access=True, service=None):
59 if direct_db_access:
60 (backend_obj, dbname) = checkset_backend(lp, backend, eadbfile)
61 if dbname is not None:
62 try:
63 attribute = backend_obj.wrap_getxattr(dbname, file,
64 xattr.XATTR_NTACL_NAME)
65 except Exception:
66 # FIXME: Don't catch all exceptions, just those related to opening
67 # xattrdb
68 print "Fail to open %s" % dbname
69 attribute = samba.xattr_native.wrap_getxattr(file,
70 xattr.XATTR_NTACL_NAME)
71 else:
72 attribute = samba.xattr_native.wrap_getxattr(file,
73 xattr.XATTR_NTACL_NAME)
74 ntacl = ndr_unpack(xattr.NTACL, attribute)
75 if ntacl.version == 1:
76 return ntacl.info
77 elif ntacl.version == 2:
78 return ntacl.info.sd
79 elif ntacl.version == 3:
80 return ntacl.info.sd
81 elif ntacl.version == 4:
82 return ntacl.info.sd
83 else:
84 return smbd.get_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, service=service)
87 def setntacl(lp, file, sddl, domsid, backend=None, eadbfile=None, use_ntvfs=True, skip_invalid_chown=False, passdb=None, service=None):
88 assert(isinstance(domsid, str) or isinstance(domsid, security.dom_sid))
89 if isinstance(domsid, str):
90 sid = security.dom_sid(domsid)
91 elif isinstance(domsid, security.dom_sid):
92 sid = domsid
93 domsid = str(sid)
95 assert(isinstance(sddl, str) or isinstance(sddl, security.descriptor))
96 if isinstance(sddl, str):
97 sd = security.descriptor.from_sddl(sddl, sid)
98 elif isinstance(sddl, security.descriptor):
99 sd = sddl
100 sddl = sd.as_sddl(sid)
102 if not use_ntvfs and skip_invalid_chown:
103 # Check if the owner can be resolved as a UID
104 (owner_id, owner_type) = passdb.sid_to_id(sd.owner_sid)
105 if ((owner_type != idmap.ID_TYPE_UID) and (owner_type != idmap.ID_TYPE_BOTH)):
106 # Check if this particular owner SID was domain admins,
107 # because we special-case this as mapping to
108 # 'administrator' instead.
109 if sd.owner_sid == security.dom_sid("%s-%d" % (domsid, security.DOMAIN_RID_ADMINS)):
110 administrator = security.dom_sid("%s-%d" % (domsid, security.DOMAIN_RID_ADMINISTRATOR))
111 (admin_id, admin_type) = passdb.sid_to_id(administrator)
113 # Confirm we have a UID for administrator
114 if ((admin_type == idmap.ID_TYPE_UID) or (admin_type == idmap.ID_TYPE_BOTH)):
116 # Set it, changing the owner to 'administrator' rather than domain admins
117 sd2 = sd
118 sd2.owner_sid = administrator
120 smbd.set_nt_acl(file, security.SECINFO_OWNER |security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd2, service=service)
122 # and then set an NTVFS ACL (which does not set the posix ACL) to pretend the owner really was set
123 use_ntvfs = True
124 else:
125 raise XattrBackendError("Unable to find UID for domain administrator %s, got id %d of type %d" % (administrator, admin_id, admin_type))
126 else:
127 # For all other owning users, reset the owner to root
128 # and then set the ACL without changing the owner
130 # This won't work in test environments, as it tries a real (rather than xattr-based fake) chown
132 os.chown(file, 0, 0)
133 smbd.set_nt_acl(file, security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
135 if use_ntvfs:
136 (backend_obj, dbname) = checkset_backend(lp, backend, eadbfile)
137 ntacl = xattr.NTACL()
138 ntacl.version = 1
139 ntacl.info = sd
140 if dbname is not None:
141 try:
142 backend_obj.wrap_setxattr(dbname,
143 file, xattr.XATTR_NTACL_NAME, ndr_pack(ntacl))
144 except Exception:
145 # FIXME: Don't catch all exceptions, just those related to opening
146 # xattrdb
147 print "Fail to open %s" % dbname
148 samba.xattr_native.wrap_setxattr(file, xattr.XATTR_NTACL_NAME,
149 ndr_pack(ntacl))
150 else:
151 samba.xattr_native.wrap_setxattr(file, xattr.XATTR_NTACL_NAME,
152 ndr_pack(ntacl))
153 else:
154 smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
157 def ldapmask2filemask(ldm):
158 """Takes the access mask of a DS ACE and transform them in a File ACE mask.
160 RIGHT_DS_CREATE_CHILD = 0x00000001
161 RIGHT_DS_DELETE_CHILD = 0x00000002
162 RIGHT_DS_LIST_CONTENTS = 0x00000004
163 ACTRL_DS_SELF = 0x00000008
164 RIGHT_DS_READ_PROPERTY = 0x00000010
165 RIGHT_DS_WRITE_PROPERTY = 0x00000020
166 RIGHT_DS_DELETE_TREE = 0x00000040
167 RIGHT_DS_LIST_OBJECT = 0x00000080
168 RIGHT_DS_CONTROL_ACCESS = 0x00000100
169 FILE_READ_DATA = 0x0001
170 FILE_LIST_DIRECTORY = 0x0001
171 FILE_WRITE_DATA = 0x0002
172 FILE_ADD_FILE = 0x0002
173 FILE_APPEND_DATA = 0x0004
174 FILE_ADD_SUBDIRECTORY = 0x0004
175 FILE_CREATE_PIPE_INSTANCE = 0x0004
176 FILE_READ_EA = 0x0008
177 FILE_WRITE_EA = 0x0010
178 FILE_EXECUTE = 0x0020
179 FILE_TRAVERSE = 0x0020
180 FILE_DELETE_CHILD = 0x0040
181 FILE_READ_ATTRIBUTES = 0x0080
182 FILE_WRITE_ATTRIBUTES = 0x0100
183 DELETE = 0x00010000
184 READ_CONTROL = 0x00020000
185 WRITE_DAC = 0x00040000
186 WRITE_OWNER = 0x00080000
187 SYNCHRONIZE = 0x00100000
188 STANDARD_RIGHTS_ALL = 0x001F0000
190 filemask = ldm & STANDARD_RIGHTS_ALL
192 if (ldm & RIGHT_DS_READ_PROPERTY) and (ldm & RIGHT_DS_LIST_CONTENTS):
193 filemask = filemask | (SYNCHRONIZE | FILE_LIST_DIRECTORY |
194 FILE_READ_ATTRIBUTES | FILE_READ_EA |
195 FILE_READ_DATA | FILE_EXECUTE)
197 if ldm & RIGHT_DS_WRITE_PROPERTY:
198 filemask = filemask | (SYNCHRONIZE | FILE_WRITE_DATA |
199 FILE_APPEND_DATA | FILE_WRITE_EA |
200 FILE_WRITE_ATTRIBUTES | FILE_ADD_FILE |
201 FILE_ADD_SUBDIRECTORY)
203 if ldm & RIGHT_DS_CREATE_CHILD:
204 filemask = filemask | (FILE_ADD_SUBDIRECTORY | FILE_ADD_FILE)
206 if ldm & RIGHT_DS_DELETE_CHILD:
207 filemask = filemask | FILE_DELETE_CHILD
209 return filemask
212 def dsacl2fsacl(dssddl, sid, as_sddl=True):
215 This function takes an the SDDL representation of a DS
216 ACL and return the SDDL representation of this ACL adapted
217 for files. It's used for Policy object provision
219 ref = security.descriptor.from_sddl(dssddl, sid)
220 fdescr = security.descriptor()
221 fdescr.owner_sid = ref.owner_sid
222 fdescr.group_sid = ref.group_sid
223 fdescr.type = ref.type
224 fdescr.revision = ref.revision
225 aces = ref.dacl.aces
226 for i in range(0, len(aces)):
227 ace = aces[i]
228 if not ace.type & security.SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT and str(ace.trustee) != security.SID_BUILTIN_PREW2K:
229 # if fdescr.type & security.SEC_DESC_DACL_AUTO_INHERITED:
230 ace.flags = ace.flags | security.SEC_ACE_FLAG_OBJECT_INHERIT | security.SEC_ACE_FLAG_CONTAINER_INHERIT
231 if str(ace.trustee) == security.SID_CREATOR_OWNER:
232 # For Creator/Owner the IO flag is set as this ACE has only a sense for child objects
233 ace.flags = ace.flags | security.SEC_ACE_FLAG_INHERIT_ONLY
234 ace.access_mask = ldapmask2filemask(ace.access_mask)
235 fdescr.dacl_add(ace)
237 if not as_sddl:
238 return fdescr
240 return fdescr.as_sddl(sid)