# Unix SMB/CIFS implementation. Tests for NT and posix ACL manipulation
# Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
# Copyright (C) Andrew Bartlett 2012
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

"""Tests for the Samba3 NT -> posix ACL layer"""
import os

from samba import provision
from samba.dcerpc import xattr, security, smb_acl, idmap
from samba.ntacls import setntacl, getntacl, checkset_backend
from samba.param import LoadParm
from samba.samba3 import param as s3param
from samba.samba3 import smbd, passdb
from samba.tests import TestCaseInTempDir
# To print a posix ACL use:
# for entry in posix_acl.acl:
#     print "a_type: %d" % entry.a_type
#     print "a_perm: %o" % entry.a_perm
#     print "uid: %d" % entry.uid
#     print "gid: %d" % entry.gid
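class PosixAclMappingTests(TestCaseInTempDir):
    """Tests for the smbd NT ACL <-> POSIX ACL mapping on a temp file and dir.

    Each test stores an NT security descriptor with setntacl() and/or a POSIX
    ACL with smbd.set_simple_acl(), then compares what getntacl() or
    smbd.get_sys_acl() reports afterwards.  Several tests change the POSIX
    side underneath a stored NT ACL and check which of the two is returned.

    NOTE(review): the listing this class was taken from skips some lines of
    the original file (its line numbering has gaps).  Places where a skipped
    line looks load-bearing are marked with NOTE(review) below.
    """

    # Domain SID passed to setntacl() by the tests that use a literal SDDL.
    _DOMSID = "S-1-5-21-2212615479-2695158682-2101375467"

    # SDDL shared by most tests: owner <domain>-512, group <domain>-513 and a
    # single inheritable (OICI) allow ACE with mask 0x001f01ff for <domain>-512.
    _ACL = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"

    # ------------------------------------------------------------------
    # private helpers
    # ------------------------------------------------------------------

    def _sddl(self, facl):
        """Return *facl* as SDDL, rendered relative to SID_NT_SELF."""
        return facl.as_sddl(security.dom_sid(security.SID_NT_SELF))

    def _invalidate_posix_acl_hash(self):
        """Overwrite the fake access-ACL xattr of self.tempf with an empty value.

        This should invalidate the stored NT ACL, as the posix ACL is
        included in the hash.
        """
        (backend_obj, dbname) = checkset_backend(self.lp, None, None)
        backend_obj.wrap_setxattr(dbname, self.tempf,
                                  "system.fake_access_acl", "")

    def _check_posix_acl(self, posix_acl, expected):
        """Assert that *posix_acl* holds exactly the *expected* entries, in order.

        Each expected entry is ``(a_type, a_perm)`` or
        ``(a_type, a_perm, id_field, id_value)``, where ``id_field`` is
        ``"uid"`` or ``"gid"`` and is compared against ``entry.info``.
        The entry count is checked before any entry is inspected.
        """
        self.assertEqual(posix_acl.count, len(expected))
        for idx, spec in enumerate(expected):
            entry = posix_acl.acl[idx]
            self.assertEqual(entry.a_type, spec[0])
            self.assertEqual(entry.a_perm, spec[1])
            if len(spec) > 2:
                self.assertEqual(getattr(entry.info, spec[2]), spec[3])

    def _resolve_ids(self, domsid, include_policy_admins):
        """Map the SIDs used by the provisioned ACLs to POSIX ids via passdb.

        Returns a dict keyed by the two-letter names used in the tests
        ("LA", "BA", "SO", "SY", "AU" and optionally "PA").

        These assertions are correct for the current plugin_s4_dc selftest
        configuration.  When other environments have a broad range of groups
        mapped via passdb, some of these checks can be relaxed.
        """
        lookups = [
            ("LA",
             security.dom_sid(str(domsid) + "-" +
                              str(security.DOMAIN_RID_ADMINISTRATOR)),
             idmap.ID_TYPE_UID),
            ("BA", security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS),
             idmap.ID_TYPE_BOTH),
            ("SO", security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS),
             idmap.ID_TYPE_BOTH),
            # NOTE(review): the original re-asserted SO_type after this
            # lookup, so the id type returned for SID_NT_SYSTEM was never
            # checked.  That looks like a copy/paste slip; the intended
            # check is presumably on SY_type -- confirm the expected type
            # before adding it.
            ("SY", security.dom_sid(security.SID_NT_SYSTEM), None),
            ("AU", security.dom_sid(security.SID_NT_AUTHENTICATED_USERS),
             idmap.ID_TYPE_BOTH),
        ]
        if include_policy_admins:
            lookups.append(
                ("PA",
                 security.dom_sid(str(domsid) + "-" +
                                  str(security.DOMAIN_RID_POLICY_ADMINS)),
                 idmap.ID_TYPE_BOTH))

        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
        ids = {}
        for name, sid, expected_type in lookups:
            (xid, id_type) = s4_passdb.sid_to_id(sid)
            if expected_type is not None:
                self.assertEqual(id_type, expected_type)
            ids[name] = xid
        return ids

    def _check_provisioned_acl(self, path, acl, owner_perm,
                               include_policy_admins):
        """Set a provision ACL on *path* and verify both ACL views of it.

        The NT ACL must read back unchanged, and the POSIX access ACL must
        contain the expected entries.  *owner_perm* is the permission
        expected for the administrator USER entry and for USER_OBJ (6 in
        the file tests, 7 in the directory tests).
        """
        domsid = passdb.get_global_sam_sid()
        setntacl(self.lp, path, acl, str(domsid), use_ntvfs=False)
        facl = getntacl(self.lp, path)
        self.assertEqual(facl.as_sddl(domsid), acl)
        posix_acl = smbd.get_sys_acl(path, smb_acl.SMB_ACL_TYPE_ACCESS)

        ids = self._resolve_ids(domsid, include_policy_admins)

        # This is the order of the entries in the NDR smb_acl (not
        # re-ordered for display).
        expected = [
            (smb_acl.SMB_ACL_GROUP, 7, "gid", ids["BA"]),
            (smb_acl.SMB_ACL_USER, owner_perm, "uid", ids["LA"]),
            (smb_acl.SMB_ACL_OTHER, 0),
            (smb_acl.SMB_ACL_USER_OBJ, owner_perm),
            (smb_acl.SMB_ACL_GROUP_OBJ, 7),
            (smb_acl.SMB_ACL_GROUP, 5, "gid", ids["SO"]),
            (smb_acl.SMB_ACL_GROUP, 7, "gid", ids["SY"]),
            (smb_acl.SMB_ACL_GROUP, 5, "gid", ids["AU"]),
        ]
        if include_policy_admins:
            expected.append((smb_acl.SMB_ACL_GROUP, 7, "gid", ids["PA"]))
        expected.append((smb_acl.SMB_ACL_MASK, 7))
        self._check_posix_acl(posix_acl, expected)

    # ------------------------------------------------------------------
    # NT ACL set / get
    # ------------------------------------------------------------------

    def test_setntacl(self):
        """Setting an NT ACL through the smbd path must not raise."""
        setntacl(self.lp, self.tempf, self._ACL, self._DOMSID,
                 use_ntvfs=False)

    def test_setntacl_smbd_getntacl(self):
        """An ACL set with use_ntvfs=True reads back via direct DB access."""
        setntacl(self.lp, self.tempf, self._ACL, self._DOMSID,
                 use_ntvfs=True)
        facl = getntacl(self.lp, self.tempf, direct_db_access=True)
        self.assertEqual(self._sddl(facl), self._ACL)

    def test_setntacl_smbd_setposixacl_getntacl(self):
        """Change the POSIX ACL after setntacl, then read the xattr directly."""
        setntacl(self.lp, self.tempf, self._ACL, self._DOMSID,
                 use_ntvfs=True)

        # This will invalidate the ACL, as we have a hook!
        smbd.set_simple_acl(self.tempf, 0o640)

        # However, this only asks the xattr
        # NOTE(review): the listing skips the lines directly before and
        # after the next two statements.  As shown, this test always fails;
        # presumably the read was guarded so that the failure is only
        # reached when getntacl() unexpectedly succeeds -- confirm against
        # the original file.
        facl = getntacl(self.lp, self.tempf, direct_db_access=True)
        self.assertTrue(False)

    def test_setntacl_invalidate_getntacl(self):
        """Direct DB access still returns the stored ACL after invalidation."""
        setntacl(self.lp, self.tempf, self._ACL, self._DOMSID,
                 use_ntvfs=True)

        self._invalidate_posix_acl_hash()

        # However, as this is direct DB access, we do not notice it
        facl = getntacl(self.lp, self.tempf, direct_db_access=True)
        self.assertEqual(self._ACL, self._sddl(facl))

    def test_setntacl_invalidate_getntacl_smbd(self):
        """The stored ACL is still returned after the xattr is overwritten."""
        setntacl(self.lp, self.tempf, self._ACL, self._DOMSID,
                 use_ntvfs=False)

        self._invalidate_posix_acl_hash()

        # The hash would break, and we return an ACL based only on the mode,
        # except we set the ACL using the 'ntvfs' mode that doesn't include
        # a hash
        # NOTE(review): the setntacl() call above passes use_ntvfs=False,
        # which does not match this comment, and getntacl() is called
        # without direct_db_access, so the path taken depends on its
        # default -- confirm which behaviour this test is meant to pin.
        facl = getntacl(self.lp, self.tempf)
        self.assertEqual(self._ACL, self._sddl(facl))

    def test_setntacl_smbd_invalidate_getntacl_smbd(self):
        """After invalidation smbd reports an ACL derived from mode 0750."""
        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
        os.chmod(self.tempf, 0o750)
        setntacl(self.lp, self.tempf, self._ACL, self._DOMSID,
                 use_ntvfs=False)

        self._invalidate_posix_acl_hash()

        # The hash will break, and we return an ACL based only on the mode
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        self.assertEqual(simple_acl_from_posix, self._sddl(facl))

    def test_setntacl_getntacl_smbd(self):
        """An ACL set with use_ntvfs=True reads back unchanged through smbd."""
        setntacl(self.lp, self.tempf, self._ACL, self._DOMSID,
                 use_ntvfs=True)
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        self.assertEqual(self._sddl(facl), self._ACL)

    def test_setntacl_smbd_getntacl_smbd(self):
        """An ACL set through smbd reads back unchanged through smbd."""
        setntacl(self.lp, self.tempf, self._ACL, self._DOMSID,
                 use_ntvfs=False)
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        self.assertEqual(self._sddl(facl), self._ACL)

    def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
        """Setting a POSIX ACL replaces the NT ACL smbd reports (mode 0640)."""
        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
        setntacl(self.lp, self.tempf, self._ACL, self._DOMSID,
                 use_ntvfs=False)
        # This invalidates the hash of the NT acl just set because there is
        # a hook in the posix ACL set code
        smbd.set_simple_acl(self.tempf, 0o640)
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        self.assertEqual(simple_acl_from_posix, self._sddl(facl))

    def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self):
        """As above, with an extra POSIX group entry for BUILTIN\\Administrators."""
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;BA)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
        setntacl(self.lp, self.tempf, self._ACL, self._DOMSID,
                 use_ntvfs=False)
        # This invalidates the hash of the NT acl just set because there is
        # a hook in the posix ACL set code
        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
        (BA_gid, _) = s4_passdb.sid_to_id(BA_sid)
        smbd.set_simple_acl(self.tempf, 0o640, BA_gid)

        # This should re-calculate an ACL based on the posix details
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        self.assertEqual(simple_acl_from_posix, self._sddl(facl))

    def test_setntacl_smbd_getntacl_smbd_gpo(self):
        """A protected DACL plus SACL (GPO-style SDDL) round-trips via smbd."""
        acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
        setntacl(self.lp, self.tempf, acl, self._DOMSID, use_ntvfs=False)
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        # Rendered relative to the domain SID so the two-letter aliases
        # (DA, DU, EA) in the expected string can match.
        domsid = security.dom_sid(self._DOMSID)
        self.assertEqual(facl.as_sddl(domsid), acl)

    def test_setntacl_getposixacl(self):
        """After setntacl the NT ACL reads back and the POSIX ACL is readable."""
        setntacl(self.lp, self.tempf, self._ACL, self._DOMSID,
                 use_ntvfs=False)
        facl = getntacl(self.lp, self.tempf)
        self.assertEqual(self._sddl(facl), self._ACL)
        # The returned POSIX ACL is not inspected; the call only has to
        # succeed.
        smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

    # ------------------------------------------------------------------
    # POSIX ACL set / get
    # ------------------------------------------------------------------

    # NOTE(review): a second method with this exact name is defined further
    # down and rebinds it, so this body is never collected or run.  The two
    # differ only in the expected mask permission (6 here, 7 below); decide
    # which is correct and remove or rename the other.
    def test_setposixacl_getposixacl(self):
        """Mode 0640 yields USER_OBJ/GROUP_OBJ/OTHER/MASK entries (mask 6)."""
        smbd.set_simple_acl(self.tempf, 0o640)
        posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
        self._check_posix_acl(posix_acl, [
            (smb_acl.SMB_ACL_USER_OBJ, 6),
            (smb_acl.SMB_ACL_GROUP_OBJ, 4),
            (smb_acl.SMB_ACL_OTHER, 0),
            (smb_acl.SMB_ACL_MASK, 6),
        ])

    def test_setposixacl_getntacl(self):
        """Read the NT ACL of a file that only ever had a POSIX ACL set."""
        smbd.set_simple_acl(self.tempf, 0o750)

        # We don't expect the xattr to be filled in in this case
        # NOTE(review): the listing skips lines around the next two
        # statements.  As shown, this test always fails; presumably the
        # failure was only meant to be reached when getntacl() unexpectedly
        # succeeds -- confirm against the original file.
        facl = getntacl(self.lp, self.tempf)
        self.assertTrue(False)

    def test_setposixacl_getntacl_smbd(self):
        """smbd derives an NT ACL for mode 0640 from the file's owner and group."""
        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
        group_SID = s4_passdb.gid_to_sid(os.stat(self.tempf).st_gid)
        user_SID = s4_passdb.uid_to_sid(os.stat(self.tempf).st_uid)
        smbd.set_simple_acl(self.tempf, 0o640)
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
        self.assertEqual(acl, self._sddl(facl))

    def test_setposixacl_dir_getntacl_smbd(self):
        """A directory owned by BA:SO with mode 0750 maps to the expected NT ACL."""
        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
        # The owner's SID is looked up but not used by the assertions below.
        s4_passdb.uid_to_sid(os.stat(self.tempdir).st_uid)

        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        (BA_id, BA_type) = s4_passdb.sid_to_id(BA_sid)
        self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)

        SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
        (SO_id, SO_type) = s4_passdb.sid_to_id(SO_sid)
        self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)

        smbd.chown(self.tempdir, BA_id, SO_id)
        smbd.set_simple_acl(self.tempdir, 0o750)
        facl = getntacl(self.lp, self.tempdir, direct_db_access=False)
        acl = "O:BAG:SOD:(A;;0x001f01ff;;;BA)(A;;0x001200a9;;;SO)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001f01ff;;;CG)(A;OICIIO;0x001f01ff;;;WD)"
        self.assertEqual(acl, self._sddl(facl))

    def test_setposixacl_group_getntacl_smbd(self):
        """An extra POSIX group entry for BA shows up as an ACE in the NT ACL."""
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        group_SID = s4_passdb.gid_to_sid(os.stat(self.tempf).st_gid)
        user_SID = s4_passdb.uid_to_sid(os.stat(self.tempf).st_uid)
        self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
        smbd.set_simple_acl(self.tempf, 0o640, BA_gid)
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        # The domain SID is fetched here as in the original; its value is
        # not used by the assertion.
        passdb.get_global_sam_sid()
        acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
        self.assertEqual(acl, self._sddl(facl))

    # This definition replaces the earlier method of the same name.
    def test_setposixacl_getposixacl(self):
        """Mode 0640 yields USER_OBJ/GROUP_OBJ/OTHER/MASK entries (mask 7)."""
        smbd.set_simple_acl(self.tempf, 0o640)
        posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
        self._check_posix_acl(posix_acl, [
            (smb_acl.SMB_ACL_USER_OBJ, 6),
            (smb_acl.SMB_ACL_GROUP_OBJ, 4),
            (smb_acl.SMB_ACL_OTHER, 0),
            (smb_acl.SMB_ACL_MASK, 7),
        ])

    def test_setposixacl_dir_getposixacl(self):
        """Mode 0750 on the directory yields the four matching POSIX entries."""
        smbd.set_simple_acl(self.tempdir, 0o750)
        posix_acl = smbd.get_sys_acl(self.tempdir,
                                     smb_acl.SMB_ACL_TYPE_ACCESS)
        self._check_posix_acl(posix_acl, [
            (smb_acl.SMB_ACL_USER_OBJ, 7),
            (smb_acl.SMB_ACL_GROUP_OBJ, 5),
            (smb_acl.SMB_ACL_OTHER, 0),
            (smb_acl.SMB_ACL_MASK, 7),
        ])

    def test_setposixacl_group_getposixacl(self):
        """Mode 0670 plus a BA group id yields a fifth, named GROUP entry."""
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
        smbd.set_simple_acl(self.tempf, 0o670, BA_gid)
        posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
        self._check_posix_acl(posix_acl, [
            (smb_acl.SMB_ACL_USER_OBJ, 6),
            (smb_acl.SMB_ACL_GROUP_OBJ, 7),
            (smb_acl.SMB_ACL_OTHER, 0),
            (smb_acl.SMB_ACL_GROUP, 7, "gid", BA_gid),
            (smb_acl.SMB_ACL_MASK, 7),
        ])

    # ------------------------------------------------------------------
    # provisioned sysvol / policies ACLs
    # ------------------------------------------------------------------

    def test_setntacl_sysvol_check_getposixacl(self):
        """provision.SYSVOL_ACL on a file maps to the expected POSIX ACL."""
        self._check_provisioned_acl(self.tempf, provision.SYSVOL_ACL,
                                    owner_perm=6,
                                    include_policy_admins=False)

    def test_setntacl_sysvol_dir_check_getposixacl(self):
        """provision.SYSVOL_ACL on a directory maps to the expected POSIX ACL."""
        self._check_provisioned_acl(self.tempdir, provision.SYSVOL_ACL,
                                    owner_perm=7,
                                    include_policy_admins=False)

    def test_setntacl_policies_dir_check_getposixacl(self):
        """provision.POLICIES_ACL on a directory adds the policy-admins group."""
        self._check_provisioned_acl(self.tempdir, provision.POLICIES_ACL,
                                    owner_perm=7,
                                    include_policy_admins=True)

    def test_setntacl_policies_check_getposixacl(self):
        """provision.POLICIES_ACL on a file adds the policy-admins group."""
        self._check_provisioned_acl(self.tempf, provision.POLICIES_ACL,
                                    owner_perm=6,
                                    include_policy_admins=True)

    # ------------------------------------------------------------------
    # fixtures
    # ------------------------------------------------------------------

    # NOTE(review): the "def" lines of setUp and tearDown are among the lines
    # the listing skips; they are restored here from the super() calls in
    # the two bodies.
    def setUp(self):
        """Load the s3 configuration and create the temp file under test."""
        super(PosixAclMappingTests, self).setUp()
        s3conf = s3param.get_context()
        s3conf.load(self.get_loadparm().configfile)
        # Keep the xattr database inside the per-test temp dir.
        s3conf.set("xattr_tdb:file",
                   os.path.join(self.tempdir, "xattr.tdb"))
        # NOTE(review): every test reads self.lp, but no visible line
        # assigns it (one line is skipped at this point in the listing).
        # Presumably the context loaded above is stored there -- confirm.
        self.tempf = os.path.join(self.tempdir, "test")
        # Close the handle explicitly instead of relying on garbage
        # collection to flush and release it before smbd touches the file.
        with open(self.tempf, 'w') as f:
            f.write("empty")

    def tearDown(self):
        """Remove the temp file and the per-test xattr database."""
        smbd.unlink(self.tempf)
        os.unlink(os.path.join(self.tempdir, "xattr.tdb"))
        super(PosixAclMappingTests, self).tearDown()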