1 # Unix SMB/CIFS implementation. Tests for NT and posix ACL manipulation
2 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
3 # Copyright (C) Andrew Bartlett 2012
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 """Tests for the Samba3 NT -> posix ACL layer"""
21 from samba
.ntacls
import setntacl
, getntacl
, checkset_backend
22 from samba
.dcerpc
import xattr
, security
, smb_acl
, idmap
23 from samba
.param
import LoadParm
24 from samba
.tests
import TestCase
25 from samba
import provision
28 from samba
.samba3
import smbd
, passdb
29 from samba
.samba3
import param
as s3param
31 # To print a posix ACL use:
32 # for entry in posix_acl.acl:
33 # print "a_type: %d" % entry.a_type
34 # print "a_perm: %o" % entry.a_perm
35 # print "uid: %d" % entry.uid
36 # print "gid: %d" % entry.gid
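class PosixAclMappingTests(TestCase):
    """Round-trip checks between NT security descriptors and POSIX ACLs.

    Each test creates a scratch file under SELFTEST_PREFIX, applies an NT
    ACL (setntacl) and/or a POSIX ACL (smbd.set_simple_acl), reads the
    result back with getntacl or smbd.get_sys_acl and compares it with a
    fixed expectation.
    """

    # NOTE(review): `lp`, `os` and `random` are used below, but no line of
    # this listing defines or imports them; the gaps in the listing's line
    # numbers suggest those lines were lost in extraction -- confirm against
    # the original file before running.

    # SDDL legend for the expectations below: RIDs 512 / 513 are Domain
    # Admins / Domain Users, 0x001f01ff is full control, 0x001f019f is full
    # control without execute and delete-child, 0x00120089 is generic read,
    # BA = BUILTIN\Administrators, WD = Everyone, WO = WRITE_OWNER.
    #
    # NOTE(review): every POSIX-derived expectation ends in (A;;WO;;;WD)
    # although the mode bits give "other" no access. Presumably this is how
    # the mapper encodes an empty "other" entry -- confirm against the
    # mapping code, because read literally the ACE allows Everyone
    # WRITE_OWNER.
    _DOMAIN_SID = "S-1-5-21-2212615479-2695158682-2101375467"
    _FULL_CONTROL_ACL = (
        "O:S-1-5-21-2212615479-2695158682-2101375467-512"
        "G:S-1-5-21-2212615479-2695158682-2101375467-513"
        "D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)")

    def _create_test_file(self):
        """Create a small scratch file under SELFTEST_PREFIX and return its path."""
        path = os.environ['SELFTEST_PREFIX']
        # NOTE(review): the name comes from random.random() and is one of only
        # 100000 values, so it is guessable and can collide with a file left
        # by an earlier run; open(..., 'w') would then truncate that file.
        tempf = os.path.join(path, "pytests" + str(int(100000 * random.random())))
        # Close the handle before any ACL call touches the file; the original
        # one-liner left closing to the garbage collector.
        with open(tempf, 'w') as handle:
            handle.write("empty")
        return tempf

    def _sid_to_id_checked(self, pdb, sid, expected_type):
        """Map sid through pdb, assert its idmap type and return the unix id."""
        (unix_id, id_type) = pdb.sid_to_id(sid)
        self.assertEqual(id_type, expected_type)
        return unix_id

    def _assert_posix_acl(self, posix_acl, expected):
        """Compare posix_acl with expected, entry by entry and in order.

        expected is a list of (a_type, a_perm) or
        (a_type, a_perm, id_field, id_value) tuples; id_field is "uid" or
        "gid" and names the attribute of entry.info that must equal id_value.
        """
        self.assertEqual(posix_acl.count, len(expected))
        for index, want in enumerate(expected):
            entry = posix_acl.acl[index]
            self.assertEqual(entry.a_type, want[0])
            self.assertEqual(entry.a_perm, want[1])
            if len(want) > 2:
                self.assertEqual(getattr(entry.info, want[2]), want[3])

    def test_setntacl(self):
        # Only checks that setting the ACL with use_ntvfs=False does not
        # raise; nothing is read back.
        acl = self._FULL_CONTROL_ACL
        tempf = self._create_test_file()
        setntacl(lp, tempf, acl, self._DOMAIN_SID, use_ntvfs=False)

    def test_setntacl_smbd_getntacl(self):
        # Set with use_ntvfs=True, read back with direct_db_access=True and
        # expect the SDDL unchanged.
        acl = self._FULL_CONTROL_ACL
        tempf = self._create_test_file()
        setntacl(lp, tempf, acl, self._DOMAIN_SID, use_ntvfs=True)
        facl = getntacl(lp, tempf, direct_db_access=True)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(facl.as_sddl(anysid), acl)

    def test_setntacl_smbd_setposixacl_getntacl(self):
        acl = self._FULL_CONTROL_ACL
        tempf = self._create_test_file()
        setntacl(lp, tempf, acl, self._DOMAIN_SID, use_ntvfs=True)

        # This will invalidate the ACL, as we have a hook!
        smbd.set_simple_acl(tempf, 0o640)

        # However, this only asks the xattr
        # NOTE(review): as listed, the assertion below fails whenever
        # getntacl returns normally. The line-number gaps around it suggest
        # the listing dropped an enclosing try/except -- confirm against the
        # original file; the statements are kept exactly as shown.
        facl = getntacl(lp, tempf, direct_db_access=True)
        self.assertTrue(False)

    def test_setntacl_smbd_chmod_getntacl(self):
        acl = self._FULL_CONTROL_ACL
        tempf = self._create_test_file()
        setntacl(lp, tempf, acl, self._DOMAIN_SID, use_ntvfs=True)

        # This should invalidate the ACL, as we include the posix ACL in the hash
        (backend_obj, dbname) = checkset_backend(lp, None, None)
        backend_obj.wrap_setxattr(dbname, tempf, "system.fake_access_acl", "")

        # however, as this is direct DB access, we do not notice it
        facl = getntacl(lp, tempf, direct_db_access=True)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(acl, facl.as_sddl(anysid))

    def test_setntacl_smbd_chmod_getntacl_smbd(self):
        acl = self._FULL_CONTROL_ACL
        # NOTE(review): the listing gives this expectation the same SDDL as
        # `acl`, while the comment below says the result is based only on the
        # mode -- confirm which one is intended.
        simple_acl_from_posix = self._FULL_CONTROL_ACL
        tempf = self._create_test_file()
        setntacl(lp, tempf, acl, self._DOMAIN_SID, use_ntvfs=True)

        # This should invalidate the ACL, as we include the posix ACL in the hash
        (backend_obj, dbname) = checkset_backend(lp, None, None)
        backend_obj.wrap_setxattr(dbname, tempf, "system.fake_access_acl", "")

        # the hash breaks, and we return an ACL based only on the mode
        facl = getntacl(lp, tempf)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(simple_acl_from_posix, facl.as_sddl(anysid))

    def test_setntacl_getntacl_smbd(self):
        # Set with use_ntvfs=True, read back with direct_db_access=False.
        acl = self._FULL_CONTROL_ACL
        tempf = self._create_test_file()
        setntacl(lp, tempf, acl, self._DOMAIN_SID, use_ntvfs=True)
        facl = getntacl(lp, tempf, direct_db_access=False)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(facl.as_sddl(anysid), acl)

    def test_setntacl_smbd_getntacl_smbd(self):
        # Set with use_ntvfs=False, read back with direct_db_access=False.
        acl = self._FULL_CONTROL_ACL
        tempf = self._create_test_file()
        setntacl(lp, tempf, acl, self._DOMAIN_SID, use_ntvfs=False)
        facl = getntacl(lp, tempf, direct_db_access=False)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(facl.as_sddl(anysid), acl)

    def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
        acl = self._FULL_CONTROL_ACL
        simple_acl_from_posix = (
            "O:S-1-5-21-2212615479-2695158682-2101375467-512"
            "G:S-1-5-21-2212615479-2695158682-2101375467-513"
            "D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
            "(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)"
            "(A;;WO;;;WD)")
        tempf = self._create_test_file()
        setntacl(lp, tempf, acl, self._DOMAIN_SID, use_ntvfs=False)
        # This invalidates the hash of the NT acl just set
        smbd.set_simple_acl(tempf, 0o640)
        facl = getntacl(lp, tempf, direct_db_access=False)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(simple_acl_from_posix, facl.as_sddl(anysid))

    def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self):
        acl = self._FULL_CONTROL_ACL
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        simple_acl_from_posix = (
            "O:S-1-5-21-2212615479-2695158682-2101375467-512"
            "G:S-1-5-21-2212615479-2695158682-2101375467-513"
            "D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
            "(A;;0x00120089;;;BA)"
            "(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)"
            "(A;;WO;;;WD)")
        tempf = self._create_test_file()
        setntacl(lp, tempf, acl, self._DOMAIN_SID, use_ntvfs=False)
        # This invalidates the hash of the NT acl just set
        s3conf = s3param.get_context()
        s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        smbd.set_simple_acl(tempf, 0o640, BA_gid)

        # This should re-calculate an ACL based on the posix details
        facl = getntacl(lp, tempf, direct_db_access=False)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(simple_acl_from_posix, facl.as_sddl(anysid))

    def test_setntacl_smbd_getntacl_smbd_gpo(self):
        # Round-trips a descriptor that also carries a SACL (S:AI...) with
        # object audit ACEs, rendered relative to the domain SID.
        acl = (
            "O:DAG:DUD:P"
            "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
            "(A;OICI;0x001200a9;;;ED)"
            "S:AI"
            "(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
            "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")
        tempf = self._create_test_file()
        setntacl(lp, tempf, acl, self._DOMAIN_SID, use_ntvfs=False)
        facl = getntacl(lp, tempf, direct_db_access=False)
        domsid = security.dom_sid("S-1-5-21-2212615479-2695158682-2101375467")
        self.assertEqual(facl.as_sddl(domsid), acl)

    def test_setntacl_getposixacl(self):
        acl = self._FULL_CONTROL_ACL
        tempf = self._create_test_file()
        setntacl(lp, tempf, acl, self._DOMAIN_SID, use_ntvfs=False)
        facl = getntacl(lp, tempf)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(facl.as_sddl(anysid), acl)
        # The POSIX ACL is fetched but the listing shows no assertion on it,
        # so this only checks that get_sys_acl does not raise.
        posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

    # The listing defines test_setposixacl_getposixacl twice with identical
    # bodies; in Python the later definition silently replaces the earlier
    # one, so a single copy is kept here.
    def test_setposixacl_getposixacl(self):
        tempf = self._create_test_file()
        smbd.set_simple_acl(tempf, 0o640)
        posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
        self._assert_posix_acl(posix_acl, [
            (smb_acl.SMB_ACL_USER_OBJ, 6),
            (smb_acl.SMB_ACL_GROUP_OBJ, 4),
            (smb_acl.SMB_ACL_OTHER, 0),
            (smb_acl.SMB_ACL_MASK, 6),
        ])

    def test_setposixacl_getntacl(self):
        tempf = self._create_test_file()
        smbd.set_simple_acl(tempf, 0o750)
        # NOTE(review): the listing shows no assertion after this call, and
        # its line numbers skip around it -- lines were probably dropped;
        # confirm against the original file.
        facl = getntacl(lp, tempf)
        # We don't expect the xattr to be filled in in this case

    def test_setposixacl_getntacl_smbd(self):
        tempf = self._create_test_file()
        s3conf = s3param.get_context()
        s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
        group_SID = s4_passdb.gid_to_sid(os.stat(tempf).st_gid)
        user_SID = s4_passdb.uid_to_sid(os.stat(tempf).st_uid)
        smbd.set_simple_acl(tempf, 0o640)
        facl = getntacl(lp, tempf, direct_db_access=False)
        domsid = passdb.get_global_sam_sid()  # result unused in the listing
        # Expected descriptor is built from the file's actual owner and group.
        acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(acl, facl.as_sddl(anysid))

    def test_setposixacl_group_getntacl_smbd(self):
        tempf = self._create_test_file()
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        s3conf = s3param.get_context()
        s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        group_SID = s4_passdb.gid_to_sid(os.stat(tempf).st_gid)
        user_SID = s4_passdb.uid_to_sid(os.stat(tempf).st_uid)
        self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
        smbd.set_simple_acl(tempf, 0o640, BA_gid)
        facl = getntacl(lp, tempf, direct_db_access=False)
        domsid = passdb.get_global_sam_sid()  # result unused in the listing
        acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(acl, facl.as_sddl(anysid))

    def test_setposixacl_group_getposixacl(self):
        tempf = self._create_test_file()
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        s3conf = s3param.get_context()
        s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
        smbd.set_simple_acl(tempf, 0o670, BA_gid)
        posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

        self._assert_posix_acl(posix_acl, [
            (smb_acl.SMB_ACL_USER_OBJ, 6),
            (smb_acl.SMB_ACL_GROUP_OBJ, 7),
            (smb_acl.SMB_ACL_OTHER, 0),
            (smb_acl.SMB_ACL_GROUP, 7, "gid", BA_gid),
            (smb_acl.SMB_ACL_MASK, 6),
        ])

    def test_setntacl_sysvol_check_getposixacl(self):
        s3conf = s3param.get_context()

        acl = provision.SYSVOL_ACL
        tempf = self._create_test_file()
        domsid = passdb.get_global_sam_sid()
        setntacl(lp, tempf, acl, str(domsid), use_ntvfs=False)
        facl = getntacl(lp, tempf)
        self.assertEqual(facl.as_sddl(domsid), acl)
        posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

        LA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
        SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
        AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)

        s4_passdb = passdb.PDB(s3conf.get("passdb backend"))

        # These assertions correct for current plugin_s4_dc selftest
        # configuration.  When other environments have a broad range of
        # groups mapped via passdb, we can relax some of these checks
        LA_uid = self._sid_to_id_checked(s4_passdb, LA_sid, idmap.ID_TYPE_UID)
        BA_gid = self._sid_to_id_checked(s4_passdb, BA_sid, idmap.ID_TYPE_BOTH)
        SO_gid = self._sid_to_id_checked(s4_passdb, SO_sid, idmap.ID_TYPE_BOTH)
        # The original re-asserted SO_type after looking up SY, so the idmap
        # type of the SYSTEM SID was never checked; it is checked here.
        SY_gid = self._sid_to_id_checked(s4_passdb, SY_sid, idmap.ID_TYPE_BOTH)
        AU_gid = self._sid_to_id_checked(s4_passdb, AU_sid, idmap.ID_TYPE_BOTH)

        self._assert_posix_acl(posix_acl, [
            (smb_acl.SMB_ACL_GROUP, 7, "gid", BA_gid),
            (smb_acl.SMB_ACL_USER, 6, "uid", LA_uid),
            (smb_acl.SMB_ACL_OTHER, 0),
            (smb_acl.SMB_ACL_USER_OBJ, 6),
            (smb_acl.SMB_ACL_GROUP_OBJ, 7),
            (smb_acl.SMB_ACL_GROUP, 5, "gid", SO_gid),
            (smb_acl.SMB_ACL_GROUP, 7, "gid", SY_gid),
            (smb_acl.SMB_ACL_GROUP, 5, "gid", AU_gid),
            (smb_acl.SMB_ACL_MASK, 7),
        ])

        # Only fragments of the original explanatory comment survive in the
        # listing:
        #   check that it matches:
        #   user:root:rwx (selftest user actually)
        #   group:Local Admins:rwx
        #   This is in this order in the NDR smb_acl (not re-ordered for display)
        #   uid: 0 (selftest user actually)

    def test_setntacl_policies_check_getposixacl(self):
        s3conf = s3param.get_context()

        acl = provision.POLICIES_ACL
        tempf = self._create_test_file()
        domsid = passdb.get_global_sam_sid()
        setntacl(lp, tempf, acl, str(domsid), use_ntvfs=False)
        facl = getntacl(lp, tempf)
        self.assertEqual(facl.as_sddl(domsid), acl)
        posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

        LA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
        SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
        AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
        PA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_POLICY_ADMINS))

        s4_passdb = passdb.PDB(s3conf.get("passdb backend"))

        # These assertions correct for current plugin_s4_dc selftest
        # configuration.  When other environments have a broad range of
        # groups mapped via passdb, we can relax some of these checks
        LA_uid = self._sid_to_id_checked(s4_passdb, LA_sid, idmap.ID_TYPE_UID)
        BA_gid = self._sid_to_id_checked(s4_passdb, BA_sid, idmap.ID_TYPE_BOTH)
        SO_gid = self._sid_to_id_checked(s4_passdb, SO_sid, idmap.ID_TYPE_BOTH)
        # The original re-asserted SO_type after looking up SY, so the idmap
        # type of the SYSTEM SID was never checked; it is checked here.
        SY_gid = self._sid_to_id_checked(s4_passdb, SY_sid, idmap.ID_TYPE_BOTH)
        AU_gid = self._sid_to_id_checked(s4_passdb, AU_sid, idmap.ID_TYPE_BOTH)
        PA_gid = self._sid_to_id_checked(s4_passdb, PA_sid, idmap.ID_TYPE_BOTH)

        self._assert_posix_acl(posix_acl, [
            (smb_acl.SMB_ACL_GROUP, 7, "gid", BA_gid),
            (smb_acl.SMB_ACL_USER, 6, "uid", LA_uid),
            (smb_acl.SMB_ACL_OTHER, 0),
            (smb_acl.SMB_ACL_USER_OBJ, 6),
            (smb_acl.SMB_ACL_GROUP_OBJ, 7),
            (smb_acl.SMB_ACL_GROUP, 5, "gid", SO_gid),
            (smb_acl.SMB_ACL_GROUP, 7, "gid", SY_gid),
            (smb_acl.SMB_ACL_GROUP, 5, "gid", AU_gid),
            (smb_acl.SMB_ACL_GROUP, 7, "gid", PA_gid),
            (smb_acl.SMB_ACL_MASK, 7),
        ])

        # Only fragments of the original explanatory comment survive in the
        # listing:
        #   check that it matches:
        #   user:root:rwx (selftest user actually)
        #   group:Local Admins:rwx
        #   This is in this order in the NDR smb_acl (not re-ordered for display)
        #   uid: 0 (selftest user actually)

    # NOTE(review): the `def` line for this method is missing from the
    # listing; it is reconstructed from the super().setUp() call below --
    # confirm against the original file.
    def setUp(self):
        super(PosixAclMappingTests, self).setUp()
        # Load the selftest configuration file into the samba3 param context
        # that the tests obtain through s3param.get_context().
        s3conf = s3param.get_context()
        s3conf.load(self.get_loadparm().configfile)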