1 # Unix SMB/CIFS implementation. Tests for NT and posix ACL manipulation
2 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
3 # Copyright (C) Andrew Bartlett 2012
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 """Tests for the Samba3 NT -> posix ACL layer"""
21 from samba
.ntacls
import setntacl
, getntacl
, checkset_backend
22 from samba
.dcerpc
import xattr
, security
, smb_acl
, idmap
23 from samba
.param
import LoadParm
24 from samba
.tests
import TestCase
25 from samba
import provision
28 from samba
.samba3
import smbd
, passdb
29 from samba
.samba3
import param
as s3param
31 # To print a posix ACL use:
32 # for entry in posix_acl.acl:
33 # print "a_type: %d" % entry.a_type
34 # print "a_perm: %o" % entry.a_perm
35 # print "uid: %d" % entry.uid
36 # print "gid: %d" % entry.gid
38 class PosixAclMappingTests(TestCase
):
40 def test_setntacl(self
):
43 path
= os
.environ
['SELFTEST_PREFIX']
44 acl
= "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
45 tempf
= os
.path
.join(path
,"pytests"+str(int(100000*random
.random())))
46 open(tempf
, 'w').write("empty")
47 setntacl(lp
, tempf
, acl
, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs
=False)
50 def test_setntacl_smbd_getntacl(self
):
54 path
= os
.environ
['SELFTEST_PREFIX']
55 acl
= "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
56 tempf
= os
.path
.join(path
,"pytests"+str(int(100000*random
.random())))
57 open(tempf
, 'w').write("empty")
58 setntacl(lp
,tempf
,acl
,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs
=True)
59 facl
= getntacl(lp
,tempf
, direct_db_access
=True)
60 anysid
= security
.dom_sid(security
.SID_NT_SELF
)
61 self
.assertEquals(facl
.as_sddl(anysid
),acl
)
64 def test_setntacl_smbd_setposixacl_getntacl(self
):
68 path
= os
.environ
['SELFTEST_PREFIX']
69 acl
= "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
70 tempf
= os
.path
.join(path
,"pytests"+str(int(100000*random
.random())))
71 open(tempf
, 'w').write("empty")
72 setntacl(lp
,tempf
,acl
,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs
=True)
74 # This will invalidate the ACL, as we have a hook!
75 smbd
.set_simple_acl(tempf
, 0640)
77 # However, this only asks the xattr
79 facl
= getntacl(lp
,tempf
, direct_db_access
=True)
80 self
.assertTrue(False)
85 def test_setntacl_invalidate_getntacl(self
):
89 path
= os
.environ
['SELFTEST_PREFIX']
90 acl
= "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
91 tempf
= os
.path
.join(path
,"pytests"+str(int(100000*random
.random())))
92 open(tempf
, 'w').write("empty")
93 setntacl(lp
,tempf
,acl
,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs
=True)
95 # This should invalidate the ACL, as we include the posix ACL in the hash
96 (backend_obj
, dbname
) = checkset_backend(lp
, None, None)
97 backend_obj
.wrap_setxattr(dbname
,
98 tempf
, "system.fake_access_acl", "")
100 #however, as this is direct DB access, we do not notice it
101 facl
= getntacl(lp
,tempf
, direct_db_access
=True)
102 anysid
= security
.dom_sid(security
.SID_NT_SELF
)
103 self
.assertEquals(acl
, facl
.as_sddl(anysid
))
106 def test_setntacl_invalidate_getntacl_smbd(self
):
110 path
= os
.environ
['SELFTEST_PREFIX']
111 acl
= "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
112 tempf
= os
.path
.join(path
,"pytests"+str(int(100000*random
.random())))
113 open(tempf
, 'w').write("empty")
114 setntacl(lp
,tempf
,acl
,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs
=False)
116 # This should invalidate the ACL, as we include the posix ACL in the hash
117 (backend_obj
, dbname
) = checkset_backend(lp
, None, None)
118 backend_obj
.wrap_setxattr(dbname
,
119 tempf
, "system.fake_access_acl", "")
121 #the hash would break, and we return an ACL based only on the mode, except we set the ACL using the 'ntvfs' mode that doesn't include a hash
122 facl
= getntacl(lp
,tempf
)
123 anysid
= security
.dom_sid(security
.SID_NT_SELF
)
124 self
.assertEquals(acl
, facl
.as_sddl(anysid
))
127 def test_setntacl_smbd_invalidate_getntacl_smbd(self
):
131 path
= os
.environ
['SELFTEST_PREFIX']
132 acl
= "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
133 simple_acl_from_posix
= "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)"
134 tempf
= os
.path
.join(path
,"pytests"+str(int(100000*random
.random())))
135 open(tempf
, 'w').write("empty")
136 os
.chmod(tempf
, 0750)
137 setntacl(lp
,tempf
,acl
,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs
=False)
139 # This should invalidate the ACL, as we include the posix ACL in the hash
140 (backend_obj
, dbname
) = checkset_backend(lp
, None, None)
141 backend_obj
.wrap_setxattr(dbname
,
142 tempf
, "system.fake_access_acl", "")
144 #the hash will break, and we return an ACL based only on the mode
145 facl
= getntacl(lp
,tempf
, direct_db_access
=False)
146 anysid
= security
.dom_sid(security
.SID_NT_SELF
)
147 self
.assertEquals(simple_acl_from_posix
, facl
.as_sddl(anysid
))
150 def test_setntacl_getntacl_smbd(self
):
154 path
= os
.environ
['SELFTEST_PREFIX']
155 acl
= "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
156 tempf
= os
.path
.join(path
,"pytests"+str(int(100000*random
.random())))
157 open(tempf
, 'w').write("empty")
158 setntacl(lp
,tempf
,acl
,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs
=True)
159 facl
= getntacl(lp
,tempf
, direct_db_access
=False)
160 anysid
= security
.dom_sid(security
.SID_NT_SELF
)
161 self
.assertEquals(facl
.as_sddl(anysid
),acl
)
164 def test_setntacl_smbd_getntacl_smbd(self
):
168 path
= os
.environ
['SELFTEST_PREFIX']
169 acl
= "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
170 tempf
= os
.path
.join(path
,"pytests"+str(int(100000*random
.random())))
171 open(tempf
, 'w').write("empty")
172 setntacl(lp
,tempf
,acl
,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs
=False)
173 facl
= getntacl(lp
,tempf
, direct_db_access
=False)
174 anysid
= security
.dom_sid(security
.SID_NT_SELF
)
175 self
.assertEquals(facl
.as_sddl(anysid
),acl
)
178 def test_setntacl_smbd_setposixacl_getntacl_smbd(self
):
182 path
= os
.environ
['SELFTEST_PREFIX']
183 acl
= "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
184 simple_acl_from_posix
= "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)"
185 tempf
= os
.path
.join(path
,"pytests"+str(int(100000*random
.random())))
186 open(tempf
, 'w').write("empty")
187 setntacl(lp
,tempf
,acl
,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs
=False)
188 # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
189 smbd
.set_simple_acl(tempf
, 0640)
190 facl
= getntacl(lp
,tempf
, direct_db_access
=False)
191 anysid
= security
.dom_sid(security
.SID_NT_SELF
)
192 self
.assertEquals(simple_acl_from_posix
, facl
.as_sddl(anysid
))
195 def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self
):
199 path
= os
.environ
['SELFTEST_PREFIX']
200 acl
= "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
201 BA_sid
= security
.dom_sid(security
.SID_BUILTIN_ADMINISTRATORS
)
202 simple_acl_from_posix
= "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;BA)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)"
203 tempf
= os
.path
.join(path
,"pytests"+str(int(100000*random
.random())))
204 open(tempf
, 'w').write("empty")
205 setntacl(lp
,tempf
,acl
,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs
=False)
206 # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
207 s3conf
= s3param
.get_context()
208 s4_passdb
= passdb
.PDB(s3conf
.get("passdb backend"))
209 (BA_gid
,BA_type
) = s4_passdb
.sid_to_id(BA_sid
)
210 smbd
.set_simple_acl(tempf
, 0640, BA_gid
)
212 # This should re-calculate an ACL based on the posix details
213 facl
= getntacl(lp
,tempf
, direct_db_access
=False)
214 anysid
= security
.dom_sid(security
.SID_NT_SELF
)
215 self
.assertEquals(simple_acl_from_posix
, facl
.as_sddl(anysid
))
218 def test_setntacl_smbd_getntacl_smbd_gpo(self
):
222 path
= os
.environ
['SELFTEST_PREFIX']
223 acl
= "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
224 tempf
= os
.path
.join(path
,"pytests"+str(int(100000*random
.random())))
225 open(tempf
, 'w').write("empty")
226 setntacl(lp
,tempf
,acl
,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs
=False)
227 facl
= getntacl(lp
,tempf
, direct_db_access
=False)
228 domsid
= security
.dom_sid("S-1-5-21-2212615479-2695158682-2101375467")
229 self
.assertEquals(facl
.as_sddl(domsid
),acl
)
232 def test_setntacl_getposixacl(self
):
236 path
= os
.environ
['SELFTEST_PREFIX']
237 acl
= "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
238 tempf
= os
.path
.join(path
,"pytests"+str(int(100000*random
.random())))
239 open(tempf
, 'w').write("empty")
240 setntacl(lp
,tempf
,acl
,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs
=False)
241 facl
= getntacl(lp
,tempf
)
242 anysid
= security
.dom_sid(security
.SID_NT_SELF
)
243 self
.assertEquals(facl
.as_sddl(anysid
),acl
)
244 posix_acl
= smbd
.get_sys_acl(tempf
, smb_acl
.SMB_ACL_TYPE_ACCESS
)
247 def test_setposixacl_getposixacl(self
):
251 path
= os
.environ
['SELFTEST_PREFIX']
252 tempf
= os
.path
.join(path
,"pytests"+str(int(100000*random
.random())))
253 open(tempf
, 'w').write("empty")
254 smbd
.set_simple_acl(tempf
, 0640)
255 posix_acl
= smbd
.get_sys_acl(tempf
, smb_acl
.SMB_ACL_TYPE_ACCESS
)
256 self
.assertEquals(posix_acl
.count
, 4)
258 self
.assertEquals(posix_acl
.acl
[0].a_type
, smb_acl
.SMB_ACL_USER_OBJ
)
259 self
.assertEquals(posix_acl
.acl
[0].a_perm
, 6)
261 self
.assertEquals(posix_acl
.acl
[1].a_type
, smb_acl
.SMB_ACL_GROUP_OBJ
)
262 self
.assertEquals(posix_acl
.acl
[1].a_perm
, 4)
264 self
.assertEquals(posix_acl
.acl
[2].a_type
, smb_acl
.SMB_ACL_OTHER
)
265 self
.assertEquals(posix_acl
.acl
[2].a_perm
, 0)
267 self
.assertEquals(posix_acl
.acl
[3].a_type
, smb_acl
.SMB_ACL_MASK
)
268 self
.assertEquals(posix_acl
.acl
[3].a_perm
, 6)
271 def test_setposixacl_getntacl(self
):
275 path
= os
.environ
['SELFTEST_PREFIX']
276 tempf
= os
.path
.join(path
,"pytests"+str(int(100000*random
.random())))
277 open(tempf
, 'w').write("empty")
278 smbd
.set_simple_acl(tempf
, 0750)
280 facl
= getntacl(lp
,tempf
)
282 # We don't expect the xattr to be filled in in this case
285 def test_setposixacl_getntacl_smbd(self
):
288 path
= os
.environ
['SELFTEST_PREFIX']
289 tempf
= os
.path
.join(path
,"pytests"+str(int(100000*random
.random())))
290 open(tempf
, 'w').write("empty")
291 s3conf
= s3param
.get_context()
292 s4_passdb
= passdb
.PDB(s3conf
.get("passdb backend"))
293 group_SID
= s4_passdb
.gid_to_sid(os
.stat(tempf
).st_gid
)
294 user_SID
= s4_passdb
.uid_to_sid(os
.stat(tempf
).st_uid
)
295 smbd
.set_simple_acl(tempf
, 0640)
296 facl
= getntacl(lp
, tempf
, direct_db_access
=False)
297 domsid
= passdb
.get_global_sam_sid()
298 acl
= "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID
, group_SID
, user_SID
, group_SID
)
299 anysid
= security
.dom_sid(security
.SID_NT_SELF
)
300 self
.assertEquals(acl
, facl
.as_sddl(anysid
))
302 def test_setposixacl_group_getntacl_smbd(self
):
305 path
= os
.environ
['SELFTEST_PREFIX']
306 tempf
= os
.path
.join(path
,"pytests"+str(int(100000*random
.random())))
307 open(tempf
, 'w').write("empty")
308 BA_sid
= security
.dom_sid(security
.SID_BUILTIN_ADMINISTRATORS
)
309 s3conf
= s3param
.get_context()
310 s4_passdb
= passdb
.PDB(s3conf
.get("passdb backend"))
311 (BA_gid
,BA_type
) = s4_passdb
.sid_to_id(BA_sid
)
312 group_SID
= s4_passdb
.gid_to_sid(os
.stat(tempf
).st_gid
)
313 user_SID
= s4_passdb
.uid_to_sid(os
.stat(tempf
).st_uid
)
314 self
.assertEquals(BA_type
, idmap
.ID_TYPE_BOTH
)
315 smbd
.set_simple_acl(tempf
, 0640, BA_gid
)
316 facl
= getntacl(lp
, tempf
, direct_db_access
=False)
317 domsid
= passdb
.get_global_sam_sid()
318 acl
= "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID
, group_SID
, user_SID
, group_SID
)
319 anysid
= security
.dom_sid(security
.SID_NT_SELF
)
320 self
.assertEquals(acl
, facl
.as_sddl(anysid
))
322 def test_setposixacl_getposixacl(self
):
325 path
= os
.environ
['SELFTEST_PREFIX']
326 tempf
= os
.path
.join(path
,"pytests"+str(int(100000*random
.random())))
327 open(tempf
, 'w').write("empty")
328 smbd
.set_simple_acl(tempf
, 0640)
329 posix_acl
= smbd
.get_sys_acl(tempf
, smb_acl
.SMB_ACL_TYPE_ACCESS
)
330 self
.assertEquals(posix_acl
.count
, 4)
332 self
.assertEquals(posix_acl
.acl
[0].a_type
, smb_acl
.SMB_ACL_USER_OBJ
)
333 self
.assertEquals(posix_acl
.acl
[0].a_perm
, 6)
335 self
.assertEquals(posix_acl
.acl
[1].a_type
, smb_acl
.SMB_ACL_GROUP_OBJ
)
336 self
.assertEquals(posix_acl
.acl
[1].a_perm
, 4)
338 self
.assertEquals(posix_acl
.acl
[2].a_type
, smb_acl
.SMB_ACL_OTHER
)
339 self
.assertEquals(posix_acl
.acl
[2].a_perm
, 0)
341 self
.assertEquals(posix_acl
.acl
[3].a_type
, smb_acl
.SMB_ACL_MASK
)
342 self
.assertEquals(posix_acl
.acl
[3].a_perm
, 6)
345 def test_setposixacl_group_getposixacl(self
):
348 path
= os
.environ
['SELFTEST_PREFIX']
349 tempf
= os
.path
.join(path
,"pytests"+str(int(100000*random
.random())))
350 open(tempf
, 'w').write("empty")
351 BA_sid
= security
.dom_sid(security
.SID_BUILTIN_ADMINISTRATORS
)
352 s3conf
= s3param
.get_context()
353 s4_passdb
= passdb
.PDB(s3conf
.get("passdb backend"))
354 (BA_gid
,BA_type
) = s4_passdb
.sid_to_id(BA_sid
)
355 self
.assertEquals(BA_type
, idmap
.ID_TYPE_BOTH
)
356 smbd
.set_simple_acl(tempf
, 0670, BA_gid
)
357 posix_acl
= smbd
.get_sys_acl(tempf
, smb_acl
.SMB_ACL_TYPE_ACCESS
)
359 self
.assertEquals(posix_acl
.count
, 5)
361 self
.assertEquals(posix_acl
.acl
[0].a_type
, smb_acl
.SMB_ACL_USER_OBJ
)
362 self
.assertEquals(posix_acl
.acl
[0].a_perm
, 6)
364 self
.assertEquals(posix_acl
.acl
[1].a_type
, smb_acl
.SMB_ACL_GROUP_OBJ
)
365 self
.assertEquals(posix_acl
.acl
[1].a_perm
, 7)
367 self
.assertEquals(posix_acl
.acl
[2].a_type
, smb_acl
.SMB_ACL_OTHER
)
368 self
.assertEquals(posix_acl
.acl
[2].a_perm
, 0)
370 self
.assertEquals(posix_acl
.acl
[3].a_type
, smb_acl
.SMB_ACL_GROUP
)
371 self
.assertEquals(posix_acl
.acl
[3].a_perm
, 7)
372 self
.assertEquals(posix_acl
.acl
[3].info
.gid
, BA_gid
)
374 self
.assertEquals(posix_acl
.acl
[4].a_type
, smb_acl
.SMB_ACL_MASK
)
375 self
.assertEquals(posix_acl
.acl
[4].a_perm
, 6)
378 def test_setntacl_sysvol_check_getposixacl(self
):
381 s3conf
= s3param
.get_context()
383 path
= os
.environ
['SELFTEST_PREFIX']
384 acl
= provision
.SYSVOL_ACL
385 tempf
= os
.path
.join(path
,"pytests"+str(int(100000*random
.random())))
386 open(tempf
, 'w').write("empty")
387 domsid
= passdb
.get_global_sam_sid()
388 setntacl(lp
,tempf
,acl
,str(domsid
), use_ntvfs
=False)
389 facl
= getntacl(lp
,tempf
)
390 self
.assertEquals(facl
.as_sddl(domsid
),acl
)
391 posix_acl
= smbd
.get_sys_acl(tempf
, smb_acl
.SMB_ACL_TYPE_ACCESS
)
393 LA_sid
= security
.dom_sid(str(domsid
)+"-"+str(security
.DOMAIN_RID_ADMINISTRATOR
))
394 BA_sid
= security
.dom_sid(security
.SID_BUILTIN_ADMINISTRATORS
)
395 SO_sid
= security
.dom_sid(security
.SID_BUILTIN_SERVER_OPERATORS
)
396 SY_sid
= security
.dom_sid(security
.SID_NT_SYSTEM
)
397 AU_sid
= security
.dom_sid(security
.SID_NT_AUTHENTICATED_USERS
)
399 s4_passdb
= passdb
.PDB(s3conf
.get("passdb backend"))
401 # These assertions correct for current plugin_s4_dc selftest
402 # configuration. When other environments have a broad range of
403 # groups mapped via passdb, we can relax some of these checks
404 (LA_uid
,LA_type
) = s4_passdb
.sid_to_id(LA_sid
)
405 self
.assertEquals(LA_type
, idmap
.ID_TYPE_UID
)
406 (BA_gid
,BA_type
) = s4_passdb
.sid_to_id(BA_sid
)
407 self
.assertEquals(BA_type
, idmap
.ID_TYPE_BOTH
)
408 (SO_gid
,SO_type
) = s4_passdb
.sid_to_id(SO_sid
)
409 self
.assertEquals(SO_type
, idmap
.ID_TYPE_BOTH
)
410 (SY_gid
,SY_type
) = s4_passdb
.sid_to_id(SY_sid
)
411 self
.assertEquals(SO_type
, idmap
.ID_TYPE_BOTH
)
412 (AU_gid
,AU_type
) = s4_passdb
.sid_to_id(AU_sid
)
413 self
.assertEquals(AU_type
, idmap
.ID_TYPE_BOTH
)
415 self
.assertEquals(posix_acl
.count
, 9)
417 self
.assertEquals(posix_acl
.acl
[0].a_type
, smb_acl
.SMB_ACL_GROUP
)
418 self
.assertEquals(posix_acl
.acl
[0].a_perm
, 7)
419 self
.assertEquals(posix_acl
.acl
[0].info
.gid
, BA_gid
)
421 self
.assertEquals(posix_acl
.acl
[1].a_type
, smb_acl
.SMB_ACL_USER
)
422 self
.assertEquals(posix_acl
.acl
[1].a_perm
, 6)
423 self
.assertEquals(posix_acl
.acl
[1].info
.uid
, LA_uid
)
425 self
.assertEquals(posix_acl
.acl
[2].a_type
, smb_acl
.SMB_ACL_OTHER
)
426 self
.assertEquals(posix_acl
.acl
[2].a_perm
, 0)
428 self
.assertEquals(posix_acl
.acl
[3].a_type
, smb_acl
.SMB_ACL_USER_OBJ
)
429 self
.assertEquals(posix_acl
.acl
[3].a_perm
, 6)
431 self
.assertEquals(posix_acl
.acl
[4].a_type
, smb_acl
.SMB_ACL_GROUP_OBJ
)
432 self
.assertEquals(posix_acl
.acl
[4].a_perm
, 7)
434 self
.assertEquals(posix_acl
.acl
[5].a_type
, smb_acl
.SMB_ACL_GROUP
)
435 self
.assertEquals(posix_acl
.acl
[5].a_perm
, 5)
436 self
.assertEquals(posix_acl
.acl
[5].info
.gid
, SO_gid
)
438 self
.assertEquals(posix_acl
.acl
[6].a_type
, smb_acl
.SMB_ACL_GROUP
)
439 self
.assertEquals(posix_acl
.acl
[6].a_perm
, 7)
440 self
.assertEquals(posix_acl
.acl
[6].info
.gid
, SY_gid
)
442 self
.assertEquals(posix_acl
.acl
[7].a_type
, smb_acl
.SMB_ACL_GROUP
)
443 self
.assertEquals(posix_acl
.acl
[7].a_perm
, 5)
444 self
.assertEquals(posix_acl
.acl
[7].info
.gid
, AU_gid
)
446 self
.assertEquals(posix_acl
.acl
[8].a_type
, smb_acl
.SMB_ACL_MASK
)
447 self
.assertEquals(posix_acl
.acl
[8].a_perm
, 7)
450 # check that it matches:
452 # user:root:rwx (selftest user actually)
454 # group:Local Admins:rwx
462 # This is in this order in the NDR smb_acl (not re-orderded for display)
469 # uid: 0 (selftest user actually)
504 def test_setntacl_policies_check_getposixacl(self
):
507 s3conf
= s3param
.get_context()
509 path
= os
.environ
['SELFTEST_PREFIX']
510 acl
= provision
.POLICIES_ACL
511 tempf
= os
.path
.join(path
,"pytests"+str(int(100000*random
.random())))
512 open(tempf
, 'w').write("empty")
513 domsid
= passdb
.get_global_sam_sid()
514 setntacl(lp
,tempf
,acl
,str(domsid
), use_ntvfs
=False)
515 facl
= getntacl(lp
,tempf
)
516 self
.assertEquals(facl
.as_sddl(domsid
),acl
)
517 posix_acl
= smbd
.get_sys_acl(tempf
, smb_acl
.SMB_ACL_TYPE_ACCESS
)
519 LA_sid
= security
.dom_sid(str(domsid
)+"-"+str(security
.DOMAIN_RID_ADMINISTRATOR
))
520 BA_sid
= security
.dom_sid(security
.SID_BUILTIN_ADMINISTRATORS
)
521 SO_sid
= security
.dom_sid(security
.SID_BUILTIN_SERVER_OPERATORS
)
522 SY_sid
= security
.dom_sid(security
.SID_NT_SYSTEM
)
523 AU_sid
= security
.dom_sid(security
.SID_NT_AUTHENTICATED_USERS
)
524 PA_sid
= security
.dom_sid(str(domsid
)+"-"+str(security
.DOMAIN_RID_POLICY_ADMINS
))
526 s4_passdb
= passdb
.PDB(s3conf
.get("passdb backend"))
528 # These assertions correct for current plugin_s4_dc selftest
529 # configuration. When other environments have a broad range of
530 # groups mapped via passdb, we can relax some of these checks
531 (LA_uid
,LA_type
) = s4_passdb
.sid_to_id(LA_sid
)
532 self
.assertEquals(LA_type
, idmap
.ID_TYPE_UID
)
533 (BA_gid
,BA_type
) = s4_passdb
.sid_to_id(BA_sid
)
534 self
.assertEquals(BA_type
, idmap
.ID_TYPE_BOTH
)
535 (SO_gid
,SO_type
) = s4_passdb
.sid_to_id(SO_sid
)
536 self
.assertEquals(SO_type
, idmap
.ID_TYPE_BOTH
)
537 (SY_gid
,SY_type
) = s4_passdb
.sid_to_id(SY_sid
)
538 self
.assertEquals(SO_type
, idmap
.ID_TYPE_BOTH
)
539 (AU_gid
,AU_type
) = s4_passdb
.sid_to_id(AU_sid
)
540 self
.assertEquals(AU_type
, idmap
.ID_TYPE_BOTH
)
541 (PA_gid
,PA_type
) = s4_passdb
.sid_to_id(PA_sid
)
542 self
.assertEquals(PA_type
, idmap
.ID_TYPE_BOTH
)
544 self
.assertEquals(posix_acl
.count
, 10)
546 self
.assertEquals(posix_acl
.acl
[0].a_type
, smb_acl
.SMB_ACL_GROUP
)
547 self
.assertEquals(posix_acl
.acl
[0].a_perm
, 7)
548 self
.assertEquals(posix_acl
.acl
[0].info
.gid
, BA_gid
)
550 self
.assertEquals(posix_acl
.acl
[1].a_type
, smb_acl
.SMB_ACL_USER
)
551 self
.assertEquals(posix_acl
.acl
[1].a_perm
, 6)
552 self
.assertEquals(posix_acl
.acl
[1].info
.uid
, LA_uid
)
554 self
.assertEquals(posix_acl
.acl
[2].a_type
, smb_acl
.SMB_ACL_OTHER
)
555 self
.assertEquals(posix_acl
.acl
[2].a_perm
, 0)
557 self
.assertEquals(posix_acl
.acl
[3].a_type
, smb_acl
.SMB_ACL_USER_OBJ
)
558 self
.assertEquals(posix_acl
.acl
[3].a_perm
, 6)
560 self
.assertEquals(posix_acl
.acl
[4].a_type
, smb_acl
.SMB_ACL_GROUP_OBJ
)
561 self
.assertEquals(posix_acl
.acl
[4].a_perm
, 7)
563 self
.assertEquals(posix_acl
.acl
[5].a_type
, smb_acl
.SMB_ACL_GROUP
)
564 self
.assertEquals(posix_acl
.acl
[5].a_perm
, 5)
565 self
.assertEquals(posix_acl
.acl
[5].info
.gid
, SO_gid
)
567 self
.assertEquals(posix_acl
.acl
[6].a_type
, smb_acl
.SMB_ACL_GROUP
)
568 self
.assertEquals(posix_acl
.acl
[6].a_perm
, 7)
569 self
.assertEquals(posix_acl
.acl
[6].info
.gid
, SY_gid
)
571 self
.assertEquals(posix_acl
.acl
[7].a_type
, smb_acl
.SMB_ACL_GROUP
)
572 self
.assertEquals(posix_acl
.acl
[7].a_perm
, 5)
573 self
.assertEquals(posix_acl
.acl
[7].info
.gid
, AU_gid
)
575 self
.assertEquals(posix_acl
.acl
[8].a_type
, smb_acl
.SMB_ACL_GROUP
)
576 self
.assertEquals(posix_acl
.acl
[8].a_perm
, 7)
577 self
.assertEquals(posix_acl
.acl
[8].info
.gid
, PA_gid
)
579 self
.assertEquals(posix_acl
.acl
[9].a_type
, smb_acl
.SMB_ACL_MASK
)
580 self
.assertEquals(posix_acl
.acl
[9].a_perm
, 7)
583 # check that it matches:
585 # user:root:rwx (selftest user actually)
587 # group:Local Admins:rwx
596 # This is in this order in the NDR smb_acl (not re-orderded for display)
603 # uid: 0 (selftest user actually)
643 super(PosixAclMappingTests
, self
).setUp()
644 s3conf
= s3param
.get_context()
645 s3conf
.load(self
.get_loadparm().configfile
)