selftest: Add many more tests for our posix ACL handling
1 # Unix SMB/CIFS implementation. Tests for NT and posix ACL manipulation
2 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
3 # Copyright (C) Andrew Bartlett 2012
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 """Tests for the Samba3 NT -> posix ACL layer"""
21 from samba.ntacls import setntacl, getntacl, checkset_backend
22 from samba.dcerpc import xattr, security, smb_acl, idmap
23 from samba.param import LoadParm
24 from samba.tests import TestCase
25 from samba import provision
26 import random
27 import os
28 from samba.samba3 import smbd, passdb
29 from samba.samba3 import param as s3param
31 # To print a posix ACL use:
32 # for entry in posix_acl.acl:
33 # print "a_type: %d" % entry.a_type
34 # print "a_perm: %o" % entry.a_perm
35 # print "uid: %d" % entry.uid
36 # print "gid: %d" % entry.gid
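class PosixAclMappingTests(TestCase):
    """Exercise the NT ACL <-> posix ACL mapping on scratch files.

    Every test creates a small file below ``$SELFTEST_PREFIX``, sets an NT
    ACL (``setntacl``) and/or a simple posix ACL (``smbd.set_simple_acl``)
    on it, and then reads the result back with ``getntacl`` or
    ``smbd.get_sys_acl``.

    Scratch files are recorded by ``_make_tempfile`` and removed in
    ``tearDown``, so a failing assertion no longer leaves files behind.
    """

    # Domain SID used for the hand-written SDDL strings below.
    DOMAIN_SID = "S-1-5-21-2212615479-2695158682-2101375467"

    # Owner RID 512, group RID 513, and one inheritable (OICI) allow ACE
    # granting 0x001f01ff to RID 512.
    NT_ACL = ("O:S-1-5-21-2212615479-2695158682-2101375467-512"
              "G:S-1-5-21-2212615479-2695158682-2101375467-513"
              "D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)")

    # ------------------------------------------------------------------
    # fixtures and helpers
    # ------------------------------------------------------------------

    def setUp(self):
        """Load the selftest smb.conf into the samba3 param context."""
        # Initialised first so that tearDown always finds the attribute.
        self._tempfiles = []
        super(PosixAclMappingTests, self).setUp()
        s3conf = s3param.get_context()
        s3conf.load(self.get_loadparm().configfile)

    def tearDown(self):
        """Remove every scratch file created by this test."""
        for tempf in self._tempfiles:
            if os.path.exists(tempf):
                os.unlink(tempf)
        super(PosixAclMappingTests, self).tearDown()

    def _make_tempfile(self):
        """Create a scratch file under SELFTEST_PREFIX and return its path.

        The name is "pytests" plus a random integer below 100000, so it is
        not guaranteed to be unique; a leftover file with the same name
        would be truncated and reused.  That is why cleanup is done in
        tearDown rather than at the end of each test body.
        """
        random.seed()
        path = os.environ['SELFTEST_PREFIX']
        tempf = os.path.join(path, "pytests" + str(int(100000 * random.random())))
        handle = open(tempf, 'w')
        try:
            handle.write("empty")
        finally:
            # Close explicitly so the content is flushed before ACLs are set.
            handle.close()
        self._tempfiles.append(tempf)
        return tempf

    def _open_passdb(self):
        """Open the passdb backend named in the samba3 configuration."""
        s3conf = s3param.get_context()
        return passdb.PDB(s3conf.get("passdb backend"))

    def _sid_to_id_expect(self, pdb, sid, expected_type):
        """Map *sid* to a unix id, assert its idmap type, return the id."""
        (xid, id_type) = pdb.sid_to_id(sid)
        self.assertEquals(id_type, expected_type)
        return xid

    def _sddl(self, facl):
        """Render *facl* as SDDL relative to the NT SELF SID."""
        anysid = security.dom_sid(security.SID_NT_SELF)
        return facl.as_sddl(anysid)

    def _set_fake_access_acl(self, lp, tempf):
        """Overwrite the "system.fake_access_acl" xattr with an empty value."""
        (backend_obj, dbname) = checkset_backend(lp, None, None)
        backend_obj.wrap_setxattr(dbname,
                                  tempf, "system.fake_access_acl", "")

    def _assert_posix_acl(self, posix_acl, expected):
        """Compare *posix_acl* entry by entry with *expected*.

        *expected* is a list of ``(a_type, a_perm, id_attr, id_value)``
        tuples in NDR order.  ``id_attr`` is "uid" or "gid" when the entry
        carries a qualifier that must match ``id_value``, otherwise None.
        """
        self.assertEquals(posix_acl.count, len(expected))
        for index, (a_type, a_perm, id_attr, id_value) in enumerate(expected):
            entry = posix_acl.acl[index]
            self.assertEquals(entry.a_type, a_type)
            self.assertEquals(entry.a_perm, a_perm)
            if id_attr is not None:
                self.assertEquals(getattr(entry.info, id_attr), id_value)

    # ------------------------------------------------------------------
    # NT ACL set / get round trips
    # ------------------------------------------------------------------

    def test_setntacl(self):
        """setntacl() with use_ntvfs=False completes without raising."""
        lp = LoadParm()
        tempf = self._make_tempfile()
        setntacl(lp, tempf, self.NT_ACL, self.DOMAIN_SID, use_ntvfs=False)

    def test_setntacl_smbd_getntacl(self):
        """An ACL set with use_ntvfs=True reads back unchanged from the xattr."""
        lp = LoadParm()
        tempf = self._make_tempfile()
        setntacl(lp, tempf, self.NT_ACL, self.DOMAIN_SID, use_ntvfs=True)
        facl = getntacl(lp, tempf, direct_db_access=True)
        self.assertEquals(self._sddl(facl), self.NT_ACL)

    def test_setntacl_smbd_setposixacl_getntacl(self):
        """Setting a posix ACL afterwards makes the direct xattr read fail."""
        lp = LoadParm()
        tempf = self._make_tempfile()
        setntacl(lp, tempf, self.NT_ACL, self.DOMAIN_SID, use_ntvfs=True)

        # This will invalidate the ACL, as we have a hook!
        smbd.set_simple_acl(tempf, 0640)

        # However, this only asks the xattr
        self.assertRaises(TypeError, getntacl, lp, tempf, direct_db_access=True)

    def test_setntacl_smbd_chmod_getntacl(self):
        """A changed posix ACL goes unnoticed when the xattr is read directly."""
        lp = LoadParm()
        tempf = self._make_tempfile()
        setntacl(lp, tempf, self.NT_ACL, self.DOMAIN_SID, use_ntvfs=True)

        # This should invalidate the ACL, as we include the posix ACL in the hash
        self._set_fake_access_acl(lp, tempf)

        # however, as this is direct DB access, we do not notice it
        facl = getntacl(lp, tempf, direct_db_access=True)
        self.assertEquals(self.NT_ACL, self._sddl(facl))

    def test_setntacl_smbd_chmod_getntacl_smbd(self):
        """Read the NT ACL with getntacl() defaults after the posix ACL changed."""
        lp = LoadParm()
        # NOTE(review): the original comment says "the hash breaks, and we
        # return an ACL based only on the mode", yet the expected SDDL is
        # identical to the ACL that was set.  Confirm which is intended.
        simple_acl_from_posix = self.NT_ACL
        tempf = self._make_tempfile()
        setntacl(lp, tempf, self.NT_ACL, self.DOMAIN_SID, use_ntvfs=True)

        # This should invalidate the ACL, as we include the posix ACL in the hash
        self._set_fake_access_acl(lp, tempf)

        facl = getntacl(lp, tempf)
        self.assertEquals(simple_acl_from_posix, self._sddl(facl))

    def test_setntacl_getntacl_smbd(self):
        """Set with use_ntvfs=True, read back with direct_db_access=False."""
        lp = LoadParm()
        tempf = self._make_tempfile()
        setntacl(lp, tempf, self.NT_ACL, self.DOMAIN_SID, use_ntvfs=True)
        facl = getntacl(lp, tempf, direct_db_access=False)
        self.assertEquals(self._sddl(facl), self.NT_ACL)

    def test_setntacl_smbd_getntacl_smbd(self):
        """Set with use_ntvfs=False, read back with direct_db_access=False."""
        lp = LoadParm()
        tempf = self._make_tempfile()
        setntacl(lp, tempf, self.NT_ACL, self.DOMAIN_SID, use_ntvfs=False)
        facl = getntacl(lp, tempf, direct_db_access=False)
        self.assertEquals(self._sddl(facl), self.NT_ACL)

    def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
        """After set_simple_acl(0640) the NT ACL is rebuilt from the posix ACL."""
        lp = LoadParm()
        simple_acl_from_posix = (
            "O:S-1-5-21-2212615479-2695158682-2101375467-512"
            "G:S-1-5-21-2212615479-2695158682-2101375467-513"
            "D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
            "(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)"
            "(A;;WO;;;WD)")
        tempf = self._make_tempfile()
        setntacl(lp, tempf, self.NT_ACL, self.DOMAIN_SID, use_ntvfs=False)
        # This invalidates the hash of the NT acl just set
        smbd.set_simple_acl(tempf, 0640)
        facl = getntacl(lp, tempf, direct_db_access=False)
        self.assertEquals(simple_acl_from_posix, self._sddl(facl))

    def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self):
        """As above, with an extra group entry for BUILTIN\\Administrators."""
        lp = LoadParm()
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        simple_acl_from_posix = (
            "O:S-1-5-21-2212615479-2695158682-2101375467-512"
            "G:S-1-5-21-2212615479-2695158682-2101375467-513"
            "D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
            "(A;;0x00120089;;;BA)"
            "(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)"
            "(A;;WO;;;WD)")
        tempf = self._make_tempfile()
        setntacl(lp, tempf, self.NT_ACL, self.DOMAIN_SID, use_ntvfs=False)
        # This invalidates the hash of the NT acl just set
        s4_passdb = self._open_passdb()
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        smbd.set_simple_acl(tempf, 0640, BA_gid)

        # This should re-calculate an ACL based on the posix details
        facl = getntacl(lp, tempf, direct_db_access=False)
        self.assertEquals(simple_acl_from_posix, self._sddl(facl))

    def test_setntacl_smbd_getntacl_smbd_gpo(self):
        """A GPO-style ACL with SACL entries survives a set/get round trip."""
        lp = LoadParm()
        acl = ("O:DAG:DUD:P"
               "(A;OICI;0x001f01ff;;;DA)"
               "(A;OICI;0x001f01ff;;;EA)"
               "(A;OICIIO;0x001f01ff;;;CO)"
               "(A;OICI;0x001f01ff;;;DA)"
               "(A;OICI;0x001f01ff;;;SY)"
               "(A;OICI;0x001200a9;;;AU)"
               "(A;OICI;0x001200a9;;;ED)"
               "S:AI"
               "(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
               "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")
        tempf = self._make_tempfile()
        setntacl(lp, tempf, acl, self.DOMAIN_SID, use_ntvfs=False)
        facl = getntacl(lp, tempf, direct_db_access=False)
        # Rendered relative to the domain SID so DA/DU/EA aliases are used.
        domsid = security.dom_sid(self.DOMAIN_SID)
        self.assertEquals(facl.as_sddl(domsid), acl)

    def test_setntacl_getposixacl(self):
        """After setntacl() the posix access ACL can be fetched."""
        lp = LoadParm()
        tempf = self._make_tempfile()
        setntacl(lp, tempf, self.NT_ACL, self.DOMAIN_SID, use_ntvfs=False)
        facl = getntacl(lp, tempf)
        self.assertEquals(self._sddl(facl), self.NT_ACL)
        # Only checks that the call succeeds; the entries are not inspected.
        smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

    # ------------------------------------------------------------------
    # posix ACL set, then NT or posix ACL get
    # ------------------------------------------------------------------

    def test_setposixacl_getposixacl(self):
        """set_simple_acl(0640) yields the four base posix ACL entries.

        The original file defined this method twice with the same
        assertions; the later definition silently replaced the earlier
        one, so a single copy is kept.
        """
        lp = LoadParm()  # unused here; constructor call kept from the original
        tempf = self._make_tempfile()
        smbd.set_simple_acl(tempf, 0640)
        posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
        self._assert_posix_acl(posix_acl, [
            (smb_acl.SMB_ACL_USER_OBJ, 6, None, None),
            (smb_acl.SMB_ACL_GROUP_OBJ, 4, None, None),
            (smb_acl.SMB_ACL_OTHER, 0, None, None),
            (smb_acl.SMB_ACL_MASK, 6, None, None),
        ])

    def test_setposixacl_getntacl(self):
        """getntacl() after only a posix ACL was set may raise TypeError."""
        lp = LoadParm()
        tempf = self._make_tempfile()
        smbd.set_simple_acl(tempf, 0750)
        try:
            getntacl(lp, tempf)
        except TypeError:
            # We don't expect the xattr to be filled in in this case
            pass

    def test_setposixacl_getntacl_smbd(self):
        """An NT ACL derived from mode 0640 names the file's owner and group."""
        lp = LoadParm()
        tempf = self._make_tempfile()
        s4_passdb = self._open_passdb()
        group_SID = s4_passdb.gid_to_sid(os.stat(tempf).st_gid)
        user_SID = s4_passdb.uid_to_sid(os.stat(tempf).st_uid)
        smbd.set_simple_acl(tempf, 0640)
        facl = getntacl(lp, tempf, direct_db_access=False)
        domsid = passdb.get_global_sam_sid()  # unused; call kept from the original
        acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
        self.assertEquals(acl, self._sddl(facl))

    def test_setposixacl_group_getntacl_smbd(self):
        """As above, with an extra group entry for BUILTIN\\Administrators."""
        lp = LoadParm()
        tempf = self._make_tempfile()
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        s4_passdb = self._open_passdb()
        BA_gid = self._sid_to_id_expect(s4_passdb, BA_sid, idmap.ID_TYPE_BOTH)
        group_SID = s4_passdb.gid_to_sid(os.stat(tempf).st_gid)
        user_SID = s4_passdb.uid_to_sid(os.stat(tempf).st_uid)
        smbd.set_simple_acl(tempf, 0640, BA_gid)
        facl = getntacl(lp, tempf, direct_db_access=False)
        domsid = passdb.get_global_sam_sid()  # unused; call kept from the original
        acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
        self.assertEquals(acl, self._sddl(facl))

    def test_setposixacl_group_getposixacl(self):
        """set_simple_acl(0670, gid) adds a GROUP entry for that gid."""
        lp = LoadParm()  # unused here; constructor call kept from the original
        tempf = self._make_tempfile()
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        s4_passdb = self._open_passdb()
        BA_gid = self._sid_to_id_expect(s4_passdb, BA_sid, idmap.ID_TYPE_BOTH)
        smbd.set_simple_acl(tempf, 0670, BA_gid)
        posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
        self._assert_posix_acl(posix_acl, [
            (smb_acl.SMB_ACL_USER_OBJ, 6, None, None),
            (smb_acl.SMB_ACL_GROUP_OBJ, 7, None, None),
            (smb_acl.SMB_ACL_OTHER, 0, None, None),
            (smb_acl.SMB_ACL_GROUP, 7, "gid", BA_gid),
            (smb_acl.SMB_ACL_MASK, 6, None, None),
        ])

    # ------------------------------------------------------------------
    # provision ACLs mapped to posix ACLs
    # ------------------------------------------------------------------

    def test_setntacl_sysvol_check_getposixacl(self):
        """provision.SYSVOL_ACL maps to the expected nine posix ACL entries."""
        lp = LoadParm()
        acl = provision.SYSVOL_ACL
        tempf = self._make_tempfile()
        domsid = passdb.get_global_sam_sid()
        setntacl(lp, tempf, acl, str(domsid), use_ntvfs=False)
        facl = getntacl(lp, tempf)
        self.assertEquals(facl.as_sddl(domsid), acl)
        posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

        LA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
        SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
        AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)

        s4_passdb = self._open_passdb()

        # These assertions correct for current plugin_s4_dc selftest
        # configuration.  When other environments have a broad range of
        # groups mapped via passdb, we can relax some of these checks
        LA_uid = self._sid_to_id_expect(s4_passdb, LA_sid, idmap.ID_TYPE_UID)
        BA_gid = self._sid_to_id_expect(s4_passdb, BA_sid, idmap.ID_TYPE_BOTH)
        SO_gid = self._sid_to_id_expect(s4_passdb, SO_sid, idmap.ID_TYPE_BOTH)
        # The original re-checked SO_type here, leaving the SYSTEM mapping
        # type unverified; the helper checks the type it just looked up.
        SY_gid = self._sid_to_id_expect(s4_passdb, SY_sid, idmap.ID_TYPE_BOTH)
        AU_gid = self._sid_to_id_expect(s4_passdb, AU_sid, idmap.ID_TYPE_BOTH)

        self._assert_posix_acl(posix_acl, [
            (smb_acl.SMB_ACL_GROUP, 7, "gid", BA_gid),
            (smb_acl.SMB_ACL_USER, 6, "uid", LA_uid),
            (smb_acl.SMB_ACL_OTHER, 0, None, None),
            (smb_acl.SMB_ACL_USER_OBJ, 6, None, None),
            (smb_acl.SMB_ACL_GROUP_OBJ, 7, None, None),
            (smb_acl.SMB_ACL_GROUP, 5, "gid", SO_gid),
            (smb_acl.SMB_ACL_GROUP, 7, "gid", SY_gid),
            (smb_acl.SMB_ACL_GROUP, 5, "gid", AU_gid),
            (smb_acl.SMB_ACL_MASK, 7, None, None),
        ])

        # check that it matches:
        #   user::rwx
        #   user:root:rwx (selftest user actually)
        #   group::rwx
        #   group:Local Admins:rwx
        #   group:3000000:r-x
        #   group:3000001:rwx
        #   group:3000002:r-x
        #   mask::rwx
        #   other::---
        #
        # NOTE(review): the listing shows rwx for both user entries while
        # the assertions above expect a_perm 6 (rw-); the assertions are
        # what the test enforces.
        #
        # This is in this order in the NDR smb_acl (not re-ordered for display)
        #   a_type: GROUP      a_perm: 7  uid: -1  gid: 10
        #   a_type: USER       a_perm: 6  uid: 0 (selftest user actually)  gid: -1
        #   a_type: OTHER      a_perm: 0  uid: -1  gid: -1
        #   a_type: USER_OBJ   a_perm: 6  uid: -1  gid: -1
        #   a_type: GROUP_OBJ  a_perm: 7  uid: -1  gid: -1
        #   a_type: GROUP      a_perm: 5  uid: -1  gid: 3000020
        #   a_type: GROUP      a_perm: 7  uid: -1  gid: 3000000
        #   a_type: GROUP      a_perm: 5  uid: -1  gid: 3000001
        #   a_type: MASK       a_perm: 7  uid: -1  gid: -1

    def test_setntacl_policies_check_getposixacl(self):
        """provision.POLICIES_ACL maps to the expected ten posix ACL entries."""
        lp = LoadParm()
        acl = provision.POLICIES_ACL
        tempf = self._make_tempfile()
        domsid = passdb.get_global_sam_sid()
        setntacl(lp, tempf, acl, str(domsid), use_ntvfs=False)
        facl = getntacl(lp, tempf)
        self.assertEquals(facl.as_sddl(domsid), acl)
        posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

        LA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
        SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
        AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
        PA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_POLICY_ADMINS))

        s4_passdb = self._open_passdb()

        # These assertions correct for current plugin_s4_dc selftest
        # configuration.  When other environments have a broad range of
        # groups mapped via passdb, we can relax some of these checks
        LA_uid = self._sid_to_id_expect(s4_passdb, LA_sid, idmap.ID_TYPE_UID)
        BA_gid = self._sid_to_id_expect(s4_passdb, BA_sid, idmap.ID_TYPE_BOTH)
        SO_gid = self._sid_to_id_expect(s4_passdb, SO_sid, idmap.ID_TYPE_BOTH)
        # The original re-checked SO_type here, leaving the SYSTEM mapping
        # type unverified; the helper checks the type it just looked up.
        SY_gid = self._sid_to_id_expect(s4_passdb, SY_sid, idmap.ID_TYPE_BOTH)
        AU_gid = self._sid_to_id_expect(s4_passdb, AU_sid, idmap.ID_TYPE_BOTH)
        PA_gid = self._sid_to_id_expect(s4_passdb, PA_sid, idmap.ID_TYPE_BOTH)

        self._assert_posix_acl(posix_acl, [
            (smb_acl.SMB_ACL_GROUP, 7, "gid", BA_gid),
            (smb_acl.SMB_ACL_USER, 6, "uid", LA_uid),
            (smb_acl.SMB_ACL_OTHER, 0, None, None),
            (smb_acl.SMB_ACL_USER_OBJ, 6, None, None),
            (smb_acl.SMB_ACL_GROUP_OBJ, 7, None, None),
            (smb_acl.SMB_ACL_GROUP, 5, "gid", SO_gid),
            (smb_acl.SMB_ACL_GROUP, 7, "gid", SY_gid),
            (smb_acl.SMB_ACL_GROUP, 5, "gid", AU_gid),
            (smb_acl.SMB_ACL_GROUP, 7, "gid", PA_gid),
            (smb_acl.SMB_ACL_MASK, 7, None, None),
        ])

        # check that it matches:
        #   user::rwx
        #   user:root:rwx (selftest user actually)
        #   group::rwx
        #   group:Local Admins:rwx
        #   group:3000000:r-x
        #   group:3000001:rwx
        #   group:3000002:r-x
        #   group:3000003:rwx
        #   mask::rwx
        #   other::---
        #
        # NOTE(review): the listing shows rwx for both user entries while
        # the assertions above expect a_perm 6 (rw-); the assertions are
        # what the test enforces.
        #
        # This is in this order in the NDR smb_acl (not re-ordered for display)
        #   a_type: GROUP      a_perm: 7  uid: -1  gid: 10
        #   a_type: USER       a_perm: 6  uid: 0 (selftest user actually)  gid: -1
        #   a_type: OTHER      a_perm: 0  uid: -1  gid: -1
        #   a_type: USER_OBJ   a_perm: 6  uid: -1  gid: -1
        #   a_type: GROUP_OBJ  a_perm: 7  uid: -1  gid: -1
        #   a_type: GROUP      a_perm: 5  uid: -1  gid: 3000020
        #   a_type: GROUP      a_perm: 7  uid: -1  gid: 3000000
        #   a_type: GROUP      a_perm: 5  uid: -1  gid: 3000001
        #   a_type: GROUP      a_perm: 7  uid: -1  gid: 3000003
        #   a_type: MASK       a_perm: 7  uid: -1  gid: -1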