1 # Unix SMB/CIFS implementation. Tests for NT and posix ACL manipulation
2 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
3 # Copyright (C) Andrew Bartlett 2012
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 """Tests for the Samba3 NT -> posix ACL layer"""
import os

from samba.ntacls import setntacl, getntacl, checkset_backend
from samba.dcerpc import xattr, security, smb_acl, idmap
from samba.param import LoadParm
from samba.tests import TestCaseInTempDir
from samba import provision
from samba.samba3 import smbd, passdb
from samba.samba3 import param as s3param
# To print a posix ACL use:
# for entry in posix_acl.acl:
#     print "a_type: %d" % entry.a_type
#     print "a_perm: %o" % entry.a_perm
#     print "uid: %d" % entry.uid
#     print "gid: %d" % entry.gid
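class PosixAclMappingTests(TestCaseInTempDir):
    """Round-trip tests between NT ACLs (SDDL) and POSIX ACLs on temp files.

    Each test sets an ACL on ``self.tempf`` or ``self.tempdir`` through one
    path (``setntacl`` or ``smbd.set_simple_acl``) and reads it back through
    another (``getntacl`` or ``smbd.get_sys_acl``).

    Several tests cover invalidation.  Per the comments carried by those
    tests, the stored NT ACL includes a hash over the POSIX ACL, so changing
    the POSIX ACL afterwards must make smbd stop returning the stored NT ACL
    and fall back to one derived from the POSIX permissions.  Reads made with
    ``direct_db_access=True`` do not notice that change.

    NOTE(review): in the listing this was rebuilt from, ``lp`` was used in
    every NT ACL test without being bound, and the ``def`` lines of setUp and
    tearDown were absent.  ``lp`` is bound here to ``LoadParm()``, the loader
    this module imports; confirm against the upstream file.
    """

    # Domain SID passed to setntacl by the tests that do not query the passdb.
    _DOMAIN_SID = "S-1-5-21-2212615479-2695158682-2101375467"

    # Owner RID 512, group RID 513, one inheritable (OICI) ACE with mask
    # 0x001f01ff for RID 512.  Shared by most tests below.
    _NT_ACL = (
        "O:S-1-5-21-2212615479-2695158682-2101375467-512"
        "G:S-1-5-21-2212615479-2695158682-2101375467-513"
        "D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    )

    def test_setntacl(self):
        """Set an NT ACL with use_ntvfs=False; the test only requires no error."""
        lp = LoadParm()
        acl = self._NT_ACL
        setntacl(lp, self.tempf, acl, self._DOMAIN_SID, use_ntvfs=False)

    def test_setntacl_smbd_getntacl(self):
        """Set with use_ntvfs=True, read back with direct DB access, compare SDDL."""
        lp = LoadParm()
        acl = self._NT_ACL
        setntacl(lp, self.tempf, acl, self._DOMAIN_SID, use_ntvfs=True)
        facl = getntacl(lp, self.tempf, direct_db_access=True)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(facl.as_sddl(anysid), acl)

    def test_setntacl_smbd_setposixacl_getntacl(self):
        """Set an NT ACL, replace the POSIX ACL, then read the xattr directly."""
        lp = LoadParm()
        acl = self._NT_ACL
        setntacl(lp, self.tempf, acl, self._DOMAIN_SID, use_ntvfs=True)

        # This will invalidate the ACL, as we have a hook!
        smbd.set_simple_acl(self.tempf, 0o640)

        # However, this only asks the xattr
        # NOTE(review): as listed, assertTrue(False) is reached whenever
        # getntacl returns, so this test can only avoid failing if getntacl
        # raises, and nothing visible here catches that.  The handling that
        # turns the expected failure into a pass is not in this listing;
        # confirm against the upstream file before relying on this test.
        facl = getntacl(lp, self.tempf, direct_db_access=True)
        self.assertTrue(False)

    def test_setntacl_invalidate_getntacl(self):
        """Tamper with the POSIX ACL xattr, then read the NT ACL directly."""
        lp = LoadParm()
        acl = self._NT_ACL
        setntacl(lp, self.tempf, acl, self._DOMAIN_SID, use_ntvfs=True)

        # This should invalidate the ACL, as we include the posix ACL in the hash
        (backend_obj, dbname) = checkset_backend(lp, None, None)
        backend_obj.wrap_setxattr(dbname,
                                  self.tempf, "system.fake_access_acl", "")

        # However, as this is direct DB access, we do not notice it: the
        # stored NT ACL comes back unchanged.
        facl = getntacl(lp, self.tempf, direct_db_access=True)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(acl, facl.as_sddl(anysid))

    def test_setntacl_invalidate_getntacl_smbd(self):
        """Tamper with the POSIX ACL xattr, then read with getntacl defaults."""
        lp = LoadParm()
        acl = self._NT_ACL
        setntacl(lp, self.tempf, acl, self._DOMAIN_SID, use_ntvfs=False)

        # This should invalidate the ACL, as we include the posix ACL in the hash
        (backend_obj, dbname) = checkset_backend(lp, None, None)
        backend_obj.wrap_setxattr(dbname,
                                  self.tempf, "system.fake_access_acl", "")

        # The hash would break, and we return an ACL based only on the mode,
        # except we set the ACL using the 'ntvfs' mode that doesn't include a
        # hash.
        # NOTE(review): the call above passes use_ntvfs=False although this
        # comment speaks of the 'ntvfs' mode, and getntacl is called without
        # direct_db_access, so its default decides which path is exercised.
        # Confirm which read path this test is meant to cover.
        facl = getntacl(lp, self.tempf)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(acl, facl.as_sddl(anysid))

    def test_setntacl_smbd_invalidate_getntacl_smbd(self):
        """After tampering, a non-direct read must return the mode-derived ACL."""
        lp = LoadParm()
        acl = self._NT_ACL
        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)"
        os.chmod(self.tempf, 0o750)
        setntacl(lp, self.tempf, acl, self._DOMAIN_SID, use_ntvfs=False)

        # This should invalidate the ACL, as we include the posix ACL in the hash
        (backend_obj, dbname) = checkset_backend(lp, None, None)
        backend_obj.wrap_setxattr(dbname,
                                  self.tempf, "system.fake_access_acl", "")

        # The hash will break, and we return an ACL based only on the mode
        # rather than the stale NT ACL that was stored.
        facl = getntacl(lp, self.tempf, direct_db_access=False)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(simple_acl_from_posix, facl.as_sddl(anysid))

    def test_setntacl_getntacl_smbd(self):
        """Set with use_ntvfs=True, read back with direct_db_access=False."""
        lp = LoadParm()
        acl = self._NT_ACL
        setntacl(lp, self.tempf, acl, self._DOMAIN_SID, use_ntvfs=True)
        facl = getntacl(lp, self.tempf, direct_db_access=False)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(facl.as_sddl(anysid), acl)

    def test_setntacl_smbd_getntacl_smbd(self):
        """Set with use_ntvfs=False, read back with direct_db_access=False."""
        lp = LoadParm()
        acl = self._NT_ACL
        setntacl(lp, self.tempf, acl, self._DOMAIN_SID, use_ntvfs=False)
        facl = getntacl(lp, self.tempf, direct_db_access=False)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(facl.as_sddl(anysid), acl)

    def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
        """A POSIX ACL set after the NT ACL must replace what getntacl returns."""
        lp = LoadParm()
        acl = self._NT_ACL
        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)"
        setntacl(lp, self.tempf, acl, self._DOMAIN_SID, use_ntvfs=False)
        # This invalidates the hash of the NT acl just set because there is a
        # hook in the posix ACL set code
        smbd.set_simple_acl(self.tempf, 0o640)
        facl = getntacl(lp, self.tempf, direct_db_access=False)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(simple_acl_from_posix, facl.as_sddl(anysid))

    def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self):
        """As above, with an extra group entry for BUILTIN\\Administrators."""
        lp = LoadParm()
        acl = self._NT_ACL
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;BA)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)"
        setntacl(lp, self.tempf, acl, self._DOMAIN_SID, use_ntvfs=False)
        # This invalidates the hash of the NT acl just set because there is a
        # hook in the posix ACL set code
        s3conf = s3param.get_context()
        s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        smbd.set_simple_acl(self.tempf, 0o640, BA_gid)

        # This should re-calculate an ACL based on the posix details
        facl = getntacl(lp, self.tempf, direct_db_access=False)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(simple_acl_from_posix, facl.as_sddl(anysid))

    def test_setntacl_smbd_getntacl_smbd_gpo(self):
        """Round-trip an ACL that carries a protected DACL and an audit SACL."""
        lp = LoadParm()
        acl = (
            "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
            "(A;OICI;0x001200a9;;;ED)"
            "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
            "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
        )
        setntacl(lp, self.tempf, acl, self._DOMAIN_SID, use_ntvfs=False)
        facl = getntacl(lp, self.tempf, direct_db_access=False)
        # The SDDL aliases (DA, DU, EA, ...) are rendered relative to this
        # domain SID, so the comparison uses it instead of SID_NT_SELF.
        domsid = security.dom_sid(self._DOMAIN_SID)
        self.assertEqual(facl.as_sddl(domsid), acl)

    def test_setntacl_getposixacl(self):
        """Set an NT ACL, check the SDDL round-trip, then fetch the POSIX ACL."""
        lp = LoadParm()
        acl = self._NT_ACL
        setntacl(lp, self.tempf, acl, self._DOMAIN_SID, use_ntvfs=False)
        facl = getntacl(lp, self.tempf)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(facl.as_sddl(anysid), acl)
        # NOTE(review): the POSIX ACL is fetched but nothing is asserted on
        # it, so this only checks that get_sys_acl does not raise.
        posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

    # NOTE(review): a later method in this class reuses the name
    # test_setposixacl_getposixacl, so Python binds only the later definition
    # and this one never runs.  The two disagree on the expected mask for
    # mode 0640 (6 here, 7 there); decide which expectation is right before
    # renaming either.
    def test_setposixacl_getposixacl(self):
        """Mode 0640 on a file: expect four entries with mask 6."""
        smbd.set_simple_acl(self.tempf, 0o640)
        posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
        self.assertEqual(posix_acl.count, 4)

        self.assertEqual(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_USER_OBJ)
        self.assertEqual(posix_acl.acl[0].a_perm, 6)

        self.assertEqual(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
        self.assertEqual(posix_acl.acl[1].a_perm, 4)

        self.assertEqual(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
        self.assertEqual(posix_acl.acl[2].a_perm, 0)

        self.assertEqual(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_MASK)
        self.assertEqual(posix_acl.acl[3].a_perm, 6)

    def test_setposixacl_getntacl(self):
        """Set only a POSIX ACL, then ask for the NT ACL with getntacl defaults."""
        lp = LoadParm()
        smbd.set_simple_acl(self.tempf, 0o750)
        # NOTE(review): as listed, assertTrue(False) runs whenever getntacl
        # returns, and nothing visible catches a failure from getntacl.  The
        # handling that makes "no xattr" a pass is not in this listing;
        # confirm against the upstream file.
        facl = getntacl(lp, self.tempf)
        self.assertTrue(False)
        # We don't expect the xattr to be filled in in this case

    def test_setposixacl_getntacl_smbd(self):
        """Mode 0640 on a file must map to an NT ACL built from owner and group."""
        lp = LoadParm()
        s3conf = s3param.get_context()
        s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
        # Owner and group SIDs come from the file's actual uid/gid, so the
        # expected SDDL follows whoever runs the test.
        group_SID = s4_passdb.gid_to_sid(os.stat(self.tempf).st_gid)
        user_SID = s4_passdb.uid_to_sid(os.stat(self.tempf).st_uid)
        smbd.set_simple_acl(self.tempf, 0o640)
        facl = getntacl(lp, self.tempf, direct_db_access=False)
        acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(acl, facl.as_sddl(anysid))

    def test_setposixacl_dir_getntacl_smbd(self):
        """Mode 0750 on a directory must also yield inherit-only creator ACEs."""
        lp = LoadParm()
        s3conf = s3param.get_context()
        s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
        user_SID = s4_passdb.uid_to_sid(os.stat(self.tempdir).st_uid)
        smbd.set_simple_acl(self.tempdir, 0o750)
        facl = getntacl(lp, self.tempdir, direct_db_access=False)
        acl = "O:%sG:BAD:(A;;0x001f01ff;;;%s)(A;;0x001200a9;;;BA)(A;;WO;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001f01ff;;;CG)(A;OICIIO;0x001f01ff;;;WD)" % (user_SID, user_SID)

        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(acl, facl.as_sddl(anysid))

    def test_setposixacl_group_getntacl_smbd(self):
        """Mode 0640 plus a BUILTIN\\Administrators group entry, read as NT ACL."""
        lp = LoadParm()
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        s3conf = s3param.get_context()
        s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        group_SID = s4_passdb.gid_to_sid(os.stat(self.tempf).st_gid)
        user_SID = s4_passdb.uid_to_sid(os.stat(self.tempf).st_uid)
        self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
        smbd.set_simple_acl(self.tempf, 0o640, BA_gid)
        facl = getntacl(lp, self.tempf, direct_db_access=False)
        # Result is not used below; the call is kept as in the original.
        domsid = passdb.get_global_sam_sid()
        acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(acl, facl.as_sddl(anysid))

    # NOTE(review): same name as an earlier method in this class; this later
    # definition is the one unittest actually runs.
    def test_setposixacl_getposixacl(self):
        """Mode 0640 on a file: expect four entries with mask 7."""
        smbd.set_simple_acl(self.tempf, 0o640)
        posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
        self.assertEqual(posix_acl.count, 4)

        self.assertEqual(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_USER_OBJ)
        self.assertEqual(posix_acl.acl[0].a_perm, 6)

        self.assertEqual(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
        self.assertEqual(posix_acl.acl[1].a_perm, 4)

        self.assertEqual(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
        self.assertEqual(posix_acl.acl[2].a_perm, 0)

        self.assertEqual(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_MASK)
        self.assertEqual(posix_acl.acl[3].a_perm, 7)

    def test_setposixacl_dir_getposixacl(self):
        """Mode 0750 on a directory: expect four entries, rwx / r-x / --- / mask 7."""
        smbd.set_simple_acl(self.tempdir, 0o750)
        posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)
        self.assertEqual(posix_acl.count, 4)

        self.assertEqual(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_USER_OBJ)
        self.assertEqual(posix_acl.acl[0].a_perm, 7)

        self.assertEqual(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
        self.assertEqual(posix_acl.acl[1].a_perm, 5)

        self.assertEqual(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
        self.assertEqual(posix_acl.acl[2].a_perm, 0)

        self.assertEqual(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_MASK)
        self.assertEqual(posix_acl.acl[3].a_perm, 7)

    def test_setposixacl_group_getposixacl(self):
        """Mode 0670 plus a BUILTIN\\Administrators entry: expect five entries."""
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        s3conf = s3param.get_context()
        s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
        smbd.set_simple_acl(self.tempf, 0o670, BA_gid)
        posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

        self.assertEqual(posix_acl.count, 5)

        self.assertEqual(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_USER_OBJ)
        self.assertEqual(posix_acl.acl[0].a_perm, 6)

        self.assertEqual(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
        self.assertEqual(posix_acl.acl[1].a_perm, 7)

        self.assertEqual(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
        self.assertEqual(posix_acl.acl[2].a_perm, 0)

        self.assertEqual(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEqual(posix_acl.acl[3].a_perm, 7)
        self.assertEqual(posix_acl.acl[3].info.gid, BA_gid)

        self.assertEqual(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_MASK)
        self.assertEqual(posix_acl.acl[4].a_perm, 7)

    def test_setntacl_sysvol_check_getposixacl(self):
        """Apply provision.SYSVOL_ACL to a file and check the POSIX ACL entries."""
        lp = LoadParm()
        s3conf = s3param.get_context()
        acl = provision.SYSVOL_ACL
        domsid = passdb.get_global_sam_sid()
        setntacl(lp, self.tempf, acl, str(domsid), use_ntvfs=False)
        facl = getntacl(lp, self.tempf)
        self.assertEqual(facl.as_sddl(domsid), acl)
        posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

        LA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_ADMINISTRATOR))
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
        SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
        AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)

        s4_passdb = passdb.PDB(s3conf.get("passdb backend"))

        # These assertions are correct for the current plugin_s4_dc selftest
        # configuration. When other environments have a broad range of
        # groups mapped via passdb, we can relax some of these checks
        (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
        self.assertEqual(LA_type, idmap.ID_TYPE_UID)
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
        (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
        self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)
        (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
        # Was re-asserting SO_type, which left SY_type unchecked.
        # NOTE(review): ID_TYPE_BOTH is carried over from that line; confirm
        # it holds for SY in the selftest environment.
        self.assertEqual(SY_type, idmap.ID_TYPE_BOTH)
        (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
        self.assertEqual(AU_type, idmap.ID_TYPE_BOTH)

        self.assertEqual(posix_acl.count, 9)

        self.assertEqual(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEqual(posix_acl.acl[0].a_perm, 7)
        self.assertEqual(posix_acl.acl[0].info.gid, BA_gid)

        self.assertEqual(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
        self.assertEqual(posix_acl.acl[1].a_perm, 6)
        self.assertEqual(posix_acl.acl[1].info.uid, LA_uid)

        self.assertEqual(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
        self.assertEqual(posix_acl.acl[2].a_perm, 0)

        self.assertEqual(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
        self.assertEqual(posix_acl.acl[3].a_perm, 6)

        self.assertEqual(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
        self.assertEqual(posix_acl.acl[4].a_perm, 7)

        self.assertEqual(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEqual(posix_acl.acl[5].a_perm, 5)
        self.assertEqual(posix_acl.acl[5].info.gid, SO_gid)

        self.assertEqual(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEqual(posix_acl.acl[6].a_perm, 7)
        self.assertEqual(posix_acl.acl[6].info.gid, SY_gid)

        self.assertEqual(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEqual(posix_acl.acl[7].a_perm, 5)
        self.assertEqual(posix_acl.acl[7].info.gid, AU_gid)

        self.assertEqual(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_MASK)
        self.assertEqual(posix_acl.acl[8].a_perm, 7)

        # check that it matches:
        # user:root:rwx (selftest user actually)
        # group:Local Admins:rwx
        # This is in this order in the NDR smb_acl (not re-ordered for display)
        # uid: 0 (selftest user actually)

    def test_setntacl_sysvol_dir_check_getposixacl(self):
        """Apply provision.SYSVOL_ACL to a directory and check the POSIX ACL."""
        lp = LoadParm()
        s3conf = s3param.get_context()
        acl = provision.SYSVOL_ACL
        domsid = passdb.get_global_sam_sid()
        setntacl(lp, self.tempdir, acl, str(domsid), use_ntvfs=False)
        facl = getntacl(lp, self.tempdir)
        self.assertEqual(facl.as_sddl(domsid), acl)
        posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)

        LA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_ADMINISTRATOR))
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
        SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
        AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)

        s4_passdb = passdb.PDB(s3conf.get("passdb backend"))

        # These assertions are correct for the current plugin_s4_dc selftest
        # configuration. When other environments have a broad range of
        # groups mapped via passdb, we can relax some of these checks
        (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
        self.assertEqual(LA_type, idmap.ID_TYPE_UID)
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
        (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
        self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)
        (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
        # Was re-asserting SO_type, which left SY_type unchecked.
        # NOTE(review): ID_TYPE_BOTH is carried over from that line; confirm
        # it holds for SY in the selftest environment.
        self.assertEqual(SY_type, idmap.ID_TYPE_BOTH)
        (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
        self.assertEqual(AU_type, idmap.ID_TYPE_BOTH)

        self.assertEqual(posix_acl.count, 9)

        self.assertEqual(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEqual(posix_acl.acl[0].a_perm, 7)
        self.assertEqual(posix_acl.acl[0].info.gid, BA_gid)

        self.assertEqual(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
        self.assertEqual(posix_acl.acl[1].a_perm, 7)
        self.assertEqual(posix_acl.acl[1].info.uid, LA_uid)

        self.assertEqual(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
        self.assertEqual(posix_acl.acl[2].a_perm, 0)

        self.assertEqual(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
        self.assertEqual(posix_acl.acl[3].a_perm, 7)

        self.assertEqual(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
        self.assertEqual(posix_acl.acl[4].a_perm, 7)

        self.assertEqual(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEqual(posix_acl.acl[5].a_perm, 5)
        self.assertEqual(posix_acl.acl[5].info.gid, SO_gid)

        self.assertEqual(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEqual(posix_acl.acl[6].a_perm, 7)
        self.assertEqual(posix_acl.acl[6].info.gid, SY_gid)

        self.assertEqual(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEqual(posix_acl.acl[7].a_perm, 5)
        self.assertEqual(posix_acl.acl[7].info.gid, AU_gid)

        self.assertEqual(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_MASK)
        self.assertEqual(posix_acl.acl[8].a_perm, 7)

        # check that it matches:
        # user:root:rwx (selftest user actually)

    def test_setntacl_policies_dir_check_getposixacl(self):
        """Apply provision.POLICIES_ACL to a directory and check the POSIX ACL."""
        lp = LoadParm()
        s3conf = s3param.get_context()
        acl = provision.POLICIES_ACL
        domsid = passdb.get_global_sam_sid()
        setntacl(lp, self.tempdir, acl, str(domsid), use_ntvfs=False)
        facl = getntacl(lp, self.tempdir)
        self.assertEqual(facl.as_sddl(domsid), acl)
        posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)

        LA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_ADMINISTRATOR))
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
        SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
        AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
        PA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_POLICY_ADMINS))

        s4_passdb = passdb.PDB(s3conf.get("passdb backend"))

        # These assertions are correct for the current plugin_s4_dc selftest
        # configuration. When other environments have a broad range of
        # groups mapped via passdb, we can relax some of these checks
        (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
        self.assertEqual(LA_type, idmap.ID_TYPE_UID)
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
        (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
        self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)
        (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
        # Was re-asserting SO_type, which left SY_type unchecked.
        # NOTE(review): ID_TYPE_BOTH is carried over from that line; confirm
        # it holds for SY in the selftest environment.
        self.assertEqual(SY_type, idmap.ID_TYPE_BOTH)
        (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
        self.assertEqual(AU_type, idmap.ID_TYPE_BOTH)
        (PA_gid, PA_type) = s4_passdb.sid_to_id(PA_sid)
        self.assertEqual(PA_type, idmap.ID_TYPE_BOTH)

        self.assertEqual(posix_acl.count, 10)

        self.assertEqual(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEqual(posix_acl.acl[0].a_perm, 7)
        self.assertEqual(posix_acl.acl[0].info.gid, BA_gid)

        self.assertEqual(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
        self.assertEqual(posix_acl.acl[1].a_perm, 7)
        self.assertEqual(posix_acl.acl[1].info.uid, LA_uid)

        self.assertEqual(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
        self.assertEqual(posix_acl.acl[2].a_perm, 0)

        self.assertEqual(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
        self.assertEqual(posix_acl.acl[3].a_perm, 7)

        self.assertEqual(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
        self.assertEqual(posix_acl.acl[4].a_perm, 7)

        self.assertEqual(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEqual(posix_acl.acl[5].a_perm, 5)
        self.assertEqual(posix_acl.acl[5].info.gid, SO_gid)

        self.assertEqual(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEqual(posix_acl.acl[6].a_perm, 7)
        self.assertEqual(posix_acl.acl[6].info.gid, SY_gid)

        self.assertEqual(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEqual(posix_acl.acl[7].a_perm, 5)
        self.assertEqual(posix_acl.acl[7].info.gid, AU_gid)

        self.assertEqual(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEqual(posix_acl.acl[8].a_perm, 7)
        self.assertEqual(posix_acl.acl[8].info.gid, PA_gid)

        self.assertEqual(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_MASK)
        self.assertEqual(posix_acl.acl[9].a_perm, 7)

        # check that it matches:
        # user:root:rwx (selftest user actually)

    def test_setntacl_policies_check_getposixacl(self):
        """Apply provision.POLICIES_ACL to a file and check the POSIX ACL."""
        lp = LoadParm()
        s3conf = s3param.get_context()
        acl = provision.POLICIES_ACL

        domsid = passdb.get_global_sam_sid()
        setntacl(lp, self.tempf, acl, str(domsid), use_ntvfs=False)
        facl = getntacl(lp, self.tempf)
        self.assertEqual(facl.as_sddl(domsid), acl)
        posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

        LA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_ADMINISTRATOR))
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
        SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
        AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
        PA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_POLICY_ADMINS))

        s4_passdb = passdb.PDB(s3conf.get("passdb backend"))

        # These assertions are correct for the current plugin_s4_dc selftest
        # configuration. When other environments have a broad range of
        # groups mapped via passdb, we can relax some of these checks
        (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
        self.assertEqual(LA_type, idmap.ID_TYPE_UID)
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
        (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
        self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)
        (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
        # Was re-asserting SO_type, which left SY_type unchecked.
        # NOTE(review): ID_TYPE_BOTH is carried over from that line; confirm
        # it holds for SY in the selftest environment.
        self.assertEqual(SY_type, idmap.ID_TYPE_BOTH)
        (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
        self.assertEqual(AU_type, idmap.ID_TYPE_BOTH)
        (PA_gid, PA_type) = s4_passdb.sid_to_id(PA_sid)
        self.assertEqual(PA_type, idmap.ID_TYPE_BOTH)

        self.assertEqual(posix_acl.count, 10)

        self.assertEqual(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEqual(posix_acl.acl[0].a_perm, 7)
        self.assertEqual(posix_acl.acl[0].info.gid, BA_gid)

        self.assertEqual(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
        self.assertEqual(posix_acl.acl[1].a_perm, 6)
        self.assertEqual(posix_acl.acl[1].info.uid, LA_uid)

        self.assertEqual(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
        self.assertEqual(posix_acl.acl[2].a_perm, 0)

        self.assertEqual(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
        self.assertEqual(posix_acl.acl[3].a_perm, 6)

        self.assertEqual(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
        self.assertEqual(posix_acl.acl[4].a_perm, 7)

        self.assertEqual(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEqual(posix_acl.acl[5].a_perm, 5)
        self.assertEqual(posix_acl.acl[5].info.gid, SO_gid)

        self.assertEqual(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEqual(posix_acl.acl[6].a_perm, 7)
        self.assertEqual(posix_acl.acl[6].info.gid, SY_gid)

        self.assertEqual(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEqual(posix_acl.acl[7].a_perm, 5)
        self.assertEqual(posix_acl.acl[7].info.gid, AU_gid)

        self.assertEqual(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEqual(posix_acl.acl[8].a_perm, 7)
        self.assertEqual(posix_acl.acl[8].info.gid, PA_gid)

        self.assertEqual(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_MASK)
        self.assertEqual(posix_acl.acl[9].a_perm, 7)

        # check that it matches:
        # user:root:rwx (selftest user actually)
        # group:Local Admins:rwx
        # This is in this order in the NDR smb_acl (not re-ordered for display)
        # uid: 0 (selftest user actually)

    # NOTE(review): the `def` line for this method was missing from the
    # listing; the name is taken from the super().setUp() call it contains.
    def setUp(self):
        """Load the s3 configuration and create the file the tests act on."""
        super(PosixAclMappingTests, self).setUp()
        s3conf = s3param.get_context()
        s3conf.load(self.get_loadparm().configfile)
        self.tempf = os.path.join(self.tempdir, "test")
        # Close the handle deterministically so the content is flushed before
        # any ACL is applied to the file.
        with open(self.tempf, 'w') as fixture:
            fixture.write("empty")

    # NOTE(review): the `def` line for this method was missing from the
    # listing; the name is taken from the super().tearDown() call it contains.
    def tearDown(self):
        """Remove the test file through smbd, then run the base-class cleanup."""
        smbd.unlink(self.tempf)
        super(PosixAclMappingTests, self).tearDown()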