search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-lsa: Fix static list of luids in our privileges implementation.
[Samba/ekacnet.git] / source4 / scripting / python / samba / ntacls.py
blob478a5125bf16df40f5c53b8b1076dca0d1aa6596
1 #!/usr/bin/python
2
3 # Unix SMB/CIFS implementation.
4 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
5 #
6 #
7 # This program is free software; you can redistribute it and/or modify
8 # it under the terms of the GNU General Public License as published by
9 # the Free Software Foundation; either version 3 of the License, or
10 # (at your option) any later version.
11 #
12 # This program is distributed in the hope that it will be useful,
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 # GNU General Public License for more details.
16 #
17 # You should have received a copy of the GNU General Public License
18 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 #
20
21 import os
22 import samba.xattr_native, samba.xattr_tdb
23 from samba.dcerpc import security, xattr
24 from samba.ndr import ndr_pack, ndr_unpack
25
26 class XattrBackendError(Exception):
27 """A generic xattr backend error."""
28
29
30 def checkset_backend(lp, backend, eadbfile):
31 if backend is not None:
32 if backend == "native":
33 lp.set("posix:eadb","")
34 elif backend == "tdb":
35 if eadbfile != None:
36 lp.set("posix:eadb", eadbfile)
37 else:
38 os.path.abspath(os.path.join(lp.get("private dir"), "eadb.tdb"))
39 else:
40 raise XattrBackendError("Invalid xattr backend choice %s"%backend)
41
42
43 def getntacl(lp, file, backend=None, eadbfile=None):
44 checkset_backend(lp, backend, eadbfile)
45 eadbname = lp.get("posix:eadb")
46 if eadbname is not None and eadbname != "":
47 try:
48 attribute = samba.xattr_tdb.wrap_getxattr(eadbname, file,
49 xattr.XATTR_NTACL_NAME)
50 except:
51 # FIXME: Don't catch all exceptions, just those related to opening
52 # xattrdb
53 print "Fail to open %s" % eadbname
54 attribute = samba.xattr_native.wrap_getxattr(file,
55 xattr.XATTR_NTACL_NAME)
56 else:
57 attribute = samba.xattr_native.wrap_getxattr(file,
58 xattr.XATTR_NTACL_NAME)
59 ntacl = ndr_unpack(xattr.NTACL,attribute)
60 return ntacl
61
62 def setntacl(lp, file, sddl, domsid, backend=None, eadbfile=None):
63 checkset_backend(lp, backend, eadbfile)
64 ntacl = xattr.NTACL()
65 ntacl.version = 1
66 sid = security.dom_sid(domsid)
67 sd = security.descriptor.from_sddl(sddl, sid)
68 ntacl.info = sd
69 eadbname = lp.get("posix:eadb")
70 if eadbname is not None and eadbname != "":
71 try:
72 samba.xattr_tdb.wrap_setxattr(eadbname,
73 file,xattr.XATTR_NTACL_NAME,ndr_pack(ntacl))
74 except:
75 # FIXME: Don't catch all exceptions, just those related to opening
76 # xattrdb
77 print "Fail to open %s"%eadbname
78 samba.xattr_native.wrap_setxattr(file,xattr.XATTR_NTACL_NAME,ndr_pack(ntacl))
79 else:
80 samba.xattr_native.wrap_setxattr(file,xattr.XATTR_NTACL_NAME,ndr_pack(ntacl))
81
82 def ldapmask2filemask(ldm):
83 """Takes the access mask of a DS ACE and transform them in a File ACE mask"""
84 RIGHT_DS_CREATE_CHILD = 0x00000001
85 RIGHT_DS_DELETE_CHILD = 0x00000002
86 RIGHT_DS_LIST_CONTENTS = 0x00000004
87 ACTRL_DS_SELF = 0x00000008
88 RIGHT_DS_READ_PROPERTY = 0x00000010
89 RIGHT_DS_WRITE_PROPERTY = 0x00000020
90 RIGHT_DS_DELETE_TREE = 0x00000040
91 RIGHT_DS_LIST_OBJECT = 0x00000080
92 RIGHT_DS_CONTROL_ACCESS = 0x00000100
93 FILE_READ_DATA = 0x0001
94 FILE_LIST_DIRECTORY = 0x0001
95 FILE_WRITE_DATA = 0x0002
96 FILE_ADD_FILE = 0x0002
97 FILE_APPEND_DATA = 0x0004
98 FILE_ADD_SUBDIRECTORY = 0x0004
99 FILE_CREATE_PIPE_INSTANCE = 0x0004
100 FILE_READ_EA = 0x0008
101 FILE_WRITE_EA = 0x0010
102 FILE_EXECUTE = 0x0020
103 FILE_TRAVERSE = 0x0020
104 FILE_DELETE_CHILD = 0x0040
105 FILE_READ_ATTRIBUTES = 0x0080
106 FILE_WRITE_ATTRIBUTES = 0x0100
107 DELETE = 0x00010000
108 READ_CONTROL = 0x00020000
109 WRITE_DAC = 0x00040000
110 WRITE_OWNER = 0x00080000
111 SYNCHRONIZE = 0x00100000
112 STANDARD_RIGHTS_ALL = 0x001F0000
113
114 filemask = ldm & STANDARD_RIGHTS_ALL
115
116 if (ldm & RIGHT_DS_READ_PROPERTY) and (ldm & RIGHT_DS_LIST_CONTENTS):
117 filemask = filemask | (SYNCHRONIZE | FILE_LIST_DIRECTORY |\
118 FILE_READ_ATTRIBUTES | FILE_READ_EA |\
119 FILE_READ_DATA | FILE_EXECUTE)
120
121 if ldm & RIGHT_DS_WRITE_PROPERTY:
122 filemask = filemask | (SYNCHRONIZE | FILE_WRITE_DATA |\
123 FILE_APPEND_DATA | FILE_WRITE_EA |\
124 FILE_WRITE_ATTRIBUTES | FILE_ADD_FILE |\
125 FILE_ADD_SUBDIRECTORY)
126
127 if ldm & RIGHT_DS_CREATE_CHILD:
128 filemask = filemask | (FILE_ADD_SUBDIRECTORY | FILE_ADD_FILE)
129
130 if ldm & RIGHT_DS_DELETE_CHILD:
131 filemask = filemask | FILE_DELETE_CHILD
132
133 return filemask
134
135
136 def dsacl2fsacl(dssddl, domsid):
137 """
138
139 This function takes an the SDDL representation of a DS
140 ACL and return the SDDL representation of this ACL adapted
141 for files. It's used for Policy object provision
142 """
143 sid = security.dom_sid(domsid)
144 ref = security.descriptor.from_sddl(dssddl,sid)
145 fdescr = security.descriptor()
146 fdescr.owner_sid = ref.owner_sid
147 fdescr.group_sid = ref.group_sid
148 fdescr.type = ref.type
149 fdescr.revision = ref.revision
150 fdescr.sacl = ref.sacl
151 aces = ref.dacl.aces
152 for i in range(0, len(aces)):
153 ace = aces[i]
154 if not ace.type & security.SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT and str(ace.trustee) != security.SID_BUILTIN_PREW2K:
155 # if fdescr.type & security.SEC_DESC_DACL_AUTO_INHERITED:
156 ace.flags = ace.flags | security.SEC_ACE_FLAG_OBJECT_INHERIT | security.SEC_ACE_FLAG_CONTAINER_INHERIT
157 if str(ace.trustee) == security.SID_CREATOR_OWNER:
158 # For Creator/Owner the IO flag is set as this ACE has only a sense for child objects
159 ace.flags = ace.flags | security.SEC_ACE_FLAG_INHERIT_ONLY
160 ace.access_mask = ldapmask2filemask(ace.access_mask)
161 fdescr.dacl_add(ace)
162
163 return fdescr.as_sddl(sid)