search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
selftest: Cover the important non-Samba invalidation of the NT ACL
[Samba/gebeck_regimport.git] / source4 / scripting / python / samba / tests / posixacl.py
blobcf7a40f03149cc745b7ec6fde89a6db0204e1d9f
1 # Unix SMB/CIFS implementation. Tests for NT and posix ACL manipulation
2 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
3 # Copyright (C) Andrew Bartlett 2012
4 #
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
9 #
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
14 #
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
17 #
18
19 """Tests for the Samba3 NT -> posix ACL layer"""
20
21 from samba.ntacls import setntacl, getntacl, checkset_backend
22 from samba.dcerpc import xattr, security, smb_acl, idmap
23 from samba.param import LoadParm
24 from samba.tests import TestCase
25 from samba import provision
26 import random
27 import os
28 from samba.samba3 import smbd, passdb
29 from samba.samba3 import param as s3param
30
31 # To print a posix ACL use:
32 # for entry in posix_acl.acl:
33 # print "a_type: %d" % entry.a_type
34 # print "a_perm: %o" % entry.a_perm
35 # print "uid: %d" % entry.uid
36 # print "gid: %d" % entry.gid
37
38 class PosixAclMappingTests(TestCase):
39
40 def test_setntacl(self):
41 random.seed()
42 lp = LoadParm()
43 path = os.environ['SELFTEST_PREFIX']
44 acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
45 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
46 open(tempf, 'w').write("empty")
47 setntacl(lp, tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
48 os.unlink(tempf)
49
50 def test_setntacl_smbd_getntacl(self):
51 random.seed()
52 lp = LoadParm()
53 path = None
54 path = os.environ['SELFTEST_PREFIX']
55 acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
56 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
57 open(tempf, 'w').write("empty")
58 setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
59 facl = getntacl(lp,tempf, direct_db_access=True)
60 anysid = security.dom_sid(security.SID_NT_SELF)
61 self.assertEquals(facl.as_sddl(anysid),acl)
62 os.unlink(tempf)
63
64 def test_setntacl_smbd_setposixacl_getntacl(self):
65 random.seed()
66 lp = LoadParm()
67 path = None
68 path = os.environ['SELFTEST_PREFIX']
69 acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
70 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
71 open(tempf, 'w').write("empty")
72 setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
73
74 # This will invalidate the ACL, as we have a hook!
75 smbd.set_simple_acl(tempf, 0640)
76
77 # However, this only asks the xattr
78 try:
79 facl = getntacl(lp,tempf, direct_db_access=True)
80 self.assertTrue(False)
81 except TypeError:
82 pass
83 os.unlink(tempf)
84
85 def test_setntacl_invalidate_getntacl(self):
86 random.seed()
87 lp = LoadParm()
88 path = None
89 path = os.environ['SELFTEST_PREFIX']
90 acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
91 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
92 open(tempf, 'w').write("empty")
93 setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
94
95 # This should invalidate the ACL, as we include the posix ACL in the hash
96 (backend_obj, dbname) = checkset_backend(lp, None, None)
97 backend_obj.wrap_setxattr(dbname,
98 tempf, "system.fake_access_acl", "")
99
100 #however, as this is direct DB access, we do not notice it
101 facl = getntacl(lp,tempf, direct_db_access=True)
102 anysid = security.dom_sid(security.SID_NT_SELF)
103 self.assertEquals(acl, facl.as_sddl(anysid))
104 os.unlink(tempf)
105
106 def test_setntacl_invalidate_getntacl_smbd(self):
107 random.seed()
108 lp = LoadParm()
109 path = None
110 path = os.environ['SELFTEST_PREFIX']
111 acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
112 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
113 open(tempf, 'w').write("empty")
114 setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
115
116 # This should invalidate the ACL, as we include the posix ACL in the hash
117 (backend_obj, dbname) = checkset_backend(lp, None, None)
118 backend_obj.wrap_setxattr(dbname,
119 tempf, "system.fake_access_acl", "")
120
121 #the hash would break, and we return an ACL based only on the mode, except we set the ACL using the 'ntvfs' mode that doesn't include a hash
122 facl = getntacl(lp,tempf)
123 anysid = security.dom_sid(security.SID_NT_SELF)
124 self.assertEquals(acl, facl.as_sddl(anysid))
125 os.unlink(tempf)
126
127 def test_setntacl_smbd_invalidate_getntacl_smbd(self):
128 random.seed()
129 lp = LoadParm()
130 path = None
131 path = os.environ['SELFTEST_PREFIX']
132 acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
133 simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)"
134 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
135 open(tempf, 'w').write("empty")
136 os.chmod(tempf, 0750)
137 setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
138
139 # This should invalidate the ACL, as we include the posix ACL in the hash
140 (backend_obj, dbname) = checkset_backend(lp, None, None)
141 backend_obj.wrap_setxattr(dbname,
142 tempf, "system.fake_access_acl", "")
143
144 #the hash will break, and we return an ACL based only on the mode
145 facl = getntacl(lp,tempf, direct_db_access=False)
146 anysid = security.dom_sid(security.SID_NT_SELF)
147 self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
148 os.unlink(tempf)
149
150 def test_setntacl_getntacl_smbd(self):
151 random.seed()
152 lp = LoadParm()
153 path = None
154 path = os.environ['SELFTEST_PREFIX']
155 acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
156 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
157 open(tempf, 'w').write("empty")
158 setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
159 facl = getntacl(lp,tempf, direct_db_access=False)
160 anysid = security.dom_sid(security.SID_NT_SELF)
161 self.assertEquals(facl.as_sddl(anysid),acl)
162 os.unlink(tempf)
163
164 def test_setntacl_smbd_getntacl_smbd(self):
165 random.seed()
166 lp = LoadParm()
167 path = None
168 path = os.environ['SELFTEST_PREFIX']
169 acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
170 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
171 open(tempf, 'w').write("empty")
172 setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
173 facl = getntacl(lp,tempf, direct_db_access=False)
174 anysid = security.dom_sid(security.SID_NT_SELF)
175 self.assertEquals(facl.as_sddl(anysid),acl)
176 os.unlink(tempf)
177
178 def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
179 random.seed()
180 lp = LoadParm()
181 path = None
182 path = os.environ['SELFTEST_PREFIX']
183 acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
184 simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)"
185 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
186 open(tempf, 'w').write("empty")
187 setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
188 # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
189 smbd.set_simple_acl(tempf, 0640)
190 facl = getntacl(lp,tempf, direct_db_access=False)
191 anysid = security.dom_sid(security.SID_NT_SELF)
192 self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
193 os.unlink(tempf)
194
195 def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self):
196 random.seed()
197 lp = LoadParm()
198 path = None
199 path = os.environ['SELFTEST_PREFIX']
200 acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
201 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
202 simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;BA)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)"
203 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
204 open(tempf, 'w').write("empty")
205 setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
206 # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
207 s3conf = s3param.get_context()
208 s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
209 (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
210 smbd.set_simple_acl(tempf, 0640, BA_gid)
211
212 # This should re-calculate an ACL based on the posix details
213 facl = getntacl(lp,tempf, direct_db_access=False)
214 anysid = security.dom_sid(security.SID_NT_SELF)
215 self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
216 os.unlink(tempf)
217
218 def test_setntacl_smbd_getntacl_smbd_gpo(self):
219 random.seed()
220 lp = LoadParm()
221 path = None
222 path = os.environ['SELFTEST_PREFIX']
223 acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
224 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
225 open(tempf, 'w').write("empty")
226 setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
227 facl = getntacl(lp,tempf, direct_db_access=False)
228 domsid = security.dom_sid("S-1-5-21-2212615479-2695158682-2101375467")
229 self.assertEquals(facl.as_sddl(domsid),acl)
230 os.unlink(tempf)
231
232 def test_setntacl_getposixacl(self):
233 random.seed()
234 lp = LoadParm()
235 path = None
236 path = os.environ['SELFTEST_PREFIX']
237 acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
238 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
239 open(tempf, 'w').write("empty")
240 setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
241 facl = getntacl(lp,tempf)
242 anysid = security.dom_sid(security.SID_NT_SELF)
243 self.assertEquals(facl.as_sddl(anysid),acl)
244 posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
245 os.unlink(tempf)
246
247 def test_setposixacl_getposixacl(self):
248 random.seed()
249 lp = LoadParm()
250 path = None
251 path = os.environ['SELFTEST_PREFIX']
252 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
253 open(tempf, 'w').write("empty")
254 smbd.set_simple_acl(tempf, 0640)
255 posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
256 self.assertEquals(posix_acl.count, 4)
257
258 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_USER_OBJ)
259 self.assertEquals(posix_acl.acl[0].a_perm, 6)
260
261 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
262 self.assertEquals(posix_acl.acl[1].a_perm, 4)
263
264 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
265 self.assertEquals(posix_acl.acl[2].a_perm, 0)
266
267 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_MASK)
268 self.assertEquals(posix_acl.acl[3].a_perm, 6)
269 os.unlink(tempf)
270
271 def test_setposixacl_getntacl(self):
272 random.seed()
273 lp = LoadParm()
274 acl = ""
275 path = os.environ['SELFTEST_PREFIX']
276 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
277 open(tempf, 'w').write("empty")
278 smbd.set_simple_acl(tempf, 0750)
279 try:
280 facl = getntacl(lp,tempf)
281 except TypeError:
282 # We don't expect the xattr to be filled in in this case
283 pass
284
285 def test_setposixacl_getntacl_smbd(self):
286 random.seed()
287 lp = LoadParm()
288 path = os.environ['SELFTEST_PREFIX']
289 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
290 open(tempf, 'w').write("empty")
291 s3conf = s3param.get_context()
292 s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
293 group_SID = s4_passdb.gid_to_sid(os.stat(tempf).st_gid)
294 user_SID = s4_passdb.uid_to_sid(os.stat(tempf).st_uid)
295 smbd.set_simple_acl(tempf, 0640)
296 facl = getntacl(lp, tempf, direct_db_access=False)
297 domsid = passdb.get_global_sam_sid()
298 acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
299 anysid = security.dom_sid(security.SID_NT_SELF)
300 self.assertEquals(acl, facl.as_sddl(anysid))
301
302 def test_setposixacl_group_getntacl_smbd(self):
303 random.seed()
304 lp = LoadParm()
305 path = os.environ['SELFTEST_PREFIX']
306 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
307 open(tempf, 'w').write("empty")
308 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
309 s3conf = s3param.get_context()
310 s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
311 (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
312 group_SID = s4_passdb.gid_to_sid(os.stat(tempf).st_gid)
313 user_SID = s4_passdb.uid_to_sid(os.stat(tempf).st_uid)
314 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
315 smbd.set_simple_acl(tempf, 0640, BA_gid)
316 facl = getntacl(lp, tempf, direct_db_access=False)
317 domsid = passdb.get_global_sam_sid()
318 acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
319 anysid = security.dom_sid(security.SID_NT_SELF)
320 self.assertEquals(acl, facl.as_sddl(anysid))
321
322 def test_setposixacl_getposixacl(self):
323 random.seed()
324 lp = LoadParm()
325 path = os.environ['SELFTEST_PREFIX']
326 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
327 open(tempf, 'w').write("empty")
328 smbd.set_simple_acl(tempf, 0640)
329 posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
330 self.assertEquals(posix_acl.count, 4)
331
332 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_USER_OBJ)
333 self.assertEquals(posix_acl.acl[0].a_perm, 6)
334
335 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
336 self.assertEquals(posix_acl.acl[1].a_perm, 4)
337
338 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
339 self.assertEquals(posix_acl.acl[2].a_perm, 0)
340
341 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_MASK)
342 self.assertEquals(posix_acl.acl[3].a_perm, 6)
343 os.unlink(tempf)
344
345 def test_setposixacl_group_getposixacl(self):
346 random.seed()
347 lp = LoadParm()
348 path = os.environ['SELFTEST_PREFIX']
349 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
350 open(tempf, 'w').write("empty")
351 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
352 s3conf = s3param.get_context()
353 s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
354 (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
355 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
356 smbd.set_simple_acl(tempf, 0670, BA_gid)
357 posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
358
359 self.assertEquals(posix_acl.count, 5)
360
361 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_USER_OBJ)
362 self.assertEquals(posix_acl.acl[0].a_perm, 6)
363
364 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
365 self.assertEquals(posix_acl.acl[1].a_perm, 7)
366
367 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
368 self.assertEquals(posix_acl.acl[2].a_perm, 0)
369
370 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_GROUP)
371 self.assertEquals(posix_acl.acl[3].a_perm, 7)
372 self.assertEquals(posix_acl.acl[3].info.gid, BA_gid)
373
374 self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_MASK)
375 self.assertEquals(posix_acl.acl[4].a_perm, 6)
376 os.unlink(tempf)
377
378 def test_setntacl_sysvol_check_getposixacl(self):
379 random.seed()
380 lp = LoadParm()
381 s3conf = s3param.get_context()
382 path = None
383 path = os.environ['SELFTEST_PREFIX']
384 acl = provision.SYSVOL_ACL
385 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
386 open(tempf, 'w').write("empty")
387 domsid = passdb.get_global_sam_sid()
388 setntacl(lp,tempf,acl,str(domsid), use_ntvfs=False)
389 facl = getntacl(lp,tempf)
390 self.assertEquals(facl.as_sddl(domsid),acl)
391 posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
392
393 LA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_ADMINISTRATOR))
394 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
395 SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
396 SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
397 AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
398
399 s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
400
401 # These assertions correct for current plugin_s4_dc selftest
402 # configuration. When other environments have a broad range of
403 # groups mapped via passdb, we can relax some of these checks
404 (LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid)
405 self.assertEquals(LA_type, idmap.ID_TYPE_UID)
406 (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
407 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
408 (SO_gid,SO_type) = s4_passdb.sid_to_id(SO_sid)
409 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
410 (SY_gid,SY_type) = s4_passdb.sid_to_id(SY_sid)
411 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
412 (AU_gid,AU_type) = s4_passdb.sid_to_id(AU_sid)
413 self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)
414
415 self.assertEquals(posix_acl.count, 9)
416
417 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
418 self.assertEquals(posix_acl.acl[0].a_perm, 7)
419 self.assertEquals(posix_acl.acl[0].info.gid, BA_gid)
420
421 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
422 self.assertEquals(posix_acl.acl[1].a_perm, 6)
423 self.assertEquals(posix_acl.acl[1].info.uid, LA_uid)
424
425 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
426 self.assertEquals(posix_acl.acl[2].a_perm, 0)
427
428 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
429 self.assertEquals(posix_acl.acl[3].a_perm, 6)
430
431 self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
432 self.assertEquals(posix_acl.acl[4].a_perm, 7)
433
434 self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP)
435 self.assertEquals(posix_acl.acl[5].a_perm, 5)
436 self.assertEquals(posix_acl.acl[5].info.gid, SO_gid)
437
438 self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_GROUP)
439 self.assertEquals(posix_acl.acl[6].a_perm, 7)
440 self.assertEquals(posix_acl.acl[6].info.gid, SY_gid)
441
442 self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
443 self.assertEquals(posix_acl.acl[7].a_perm, 5)
444 self.assertEquals(posix_acl.acl[7].info.gid, AU_gid)
445
446 self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_MASK)
447 self.assertEquals(posix_acl.acl[8].a_perm, 7)
448
449
450 # check that it matches:
451 # user::rwx
452 # user:root:rwx (selftest user actually)
453 # group::rwx
454 # group:Local Admins:rwx
455 # group:3000000:r-x
456 # group:3000001:rwx
457 # group:3000002:r-x
458 # mask::rwx
459 # other::---
460
461 #
462 # This is in this order in the NDR smb_acl (not re-orderded for display)
463 # a_type: GROUP
464 # a_perm: 7
465 # uid: -1
466 # gid: 10
467 # a_type: USER
468 # a_perm: 6
469 # uid: 0 (selftest user actually)
470 # gid: -1
471 # a_type: OTHER
472 # a_perm: 0
473 # uid: -1
474 # gid: -1
475 # a_type: USER_OBJ
476 # a_perm: 6
477 # uid: -1
478 # gid: -1
479 # a_type: GROUP_OBJ
480 # a_perm: 7
481 # uid: -1
482 # gid: -1
483 # a_type: GROUP
484 # a_perm: 5
485 # uid: -1
486 # gid: 3000020
487 # a_type: GROUP
488 # a_perm: 7
489 # uid: -1
490 # gid: 3000000
491 # a_type: GROUP
492 # a_perm: 5
493 # uid: -1
494 # gid: 3000001
495 # a_type: MASK
496 # a_perm: 7
497 # uid: -1
498 # gid: -1
499
500 #
501
502 os.unlink(tempf)
503
504 def test_setntacl_policies_check_getposixacl(self):
505 random.seed()
506 lp = LoadParm()
507 s3conf = s3param.get_context()
508 path = None
509 path = os.environ['SELFTEST_PREFIX']
510 acl = provision.POLICIES_ACL
511 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
512 open(tempf, 'w').write("empty")
513 domsid = passdb.get_global_sam_sid()
514 setntacl(lp,tempf,acl,str(domsid), use_ntvfs=False)
515 facl = getntacl(lp,tempf)
516 self.assertEquals(facl.as_sddl(domsid),acl)
517 posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
518
519 LA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_ADMINISTRATOR))
520 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
521 SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
522 SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
523 AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
524 PA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_POLICY_ADMINS))
525
526 s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
527
528 # These assertions correct for current plugin_s4_dc selftest
529 # configuration. When other environments have a broad range of
530 # groups mapped via passdb, we can relax some of these checks
531 (LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid)
532 self.assertEquals(LA_type, idmap.ID_TYPE_UID)
533 (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
534 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
535 (SO_gid,SO_type) = s4_passdb.sid_to_id(SO_sid)
536 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
537 (SY_gid,SY_type) = s4_passdb.sid_to_id(SY_sid)
538 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
539 (AU_gid,AU_type) = s4_passdb.sid_to_id(AU_sid)
540 self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)
541 (PA_gid,PA_type) = s4_passdb.sid_to_id(PA_sid)
542 self.assertEquals(PA_type, idmap.ID_TYPE_BOTH)
543
544 self.assertEquals(posix_acl.count, 10)
545
546 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
547 self.assertEquals(posix_acl.acl[0].a_perm, 7)
548 self.assertEquals(posix_acl.acl[0].info.gid, BA_gid)
549
550 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
551 self.assertEquals(posix_acl.acl[1].a_perm, 6)
552 self.assertEquals(posix_acl.acl[1].info.uid, LA_uid)
553
554 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
555 self.assertEquals(posix_acl.acl[2].a_perm, 0)
556
557 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
558 self.assertEquals(posix_acl.acl[3].a_perm, 6)
559
560 self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
561 self.assertEquals(posix_acl.acl[4].a_perm, 7)
562
563 self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP)
564 self.assertEquals(posix_acl.acl[5].a_perm, 5)
565 self.assertEquals(posix_acl.acl[5].info.gid, SO_gid)
566
567 self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_GROUP)
568 self.assertEquals(posix_acl.acl[6].a_perm, 7)
569 self.assertEquals(posix_acl.acl[6].info.gid, SY_gid)
570
571 self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
572 self.assertEquals(posix_acl.acl[7].a_perm, 5)
573 self.assertEquals(posix_acl.acl[7].info.gid, AU_gid)
574
575 self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_GROUP)
576 self.assertEquals(posix_acl.acl[8].a_perm, 7)
577 self.assertEquals(posix_acl.acl[8].info.gid, PA_gid)
578
579 self.assertEquals(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_MASK)
580 self.assertEquals(posix_acl.acl[9].a_perm, 7)
581
582
583 # check that it matches:
584 # user::rwx
585 # user:root:rwx (selftest user actually)
586 # group::rwx
587 # group:Local Admins:rwx
588 # group:3000000:r-x
589 # group:3000001:rwx
590 # group:3000002:r-x
591 # group:3000003:rwx
592 # mask::rwx
593 # other::---
594
595 #
596 # This is in this order in the NDR smb_acl (not re-orderded for display)
597 # a_type: GROUP
598 # a_perm: 7
599 # uid: -1
600 # gid: 10
601 # a_type: USER
602 # a_perm: 6
603 # uid: 0 (selftest user actually)
604 # gid: -1
605 # a_type: OTHER
606 # a_perm: 0
607 # uid: -1
608 # gid: -1
609 # a_type: USER_OBJ
610 # a_perm: 6
611 # uid: -1
612 # gid: -1
613 # a_type: GROUP_OBJ
614 # a_perm: 7
615 # uid: -1
616 # gid: -1
617 # a_type: GROUP
618 # a_perm: 5
619 # uid: -1
620 # gid: 3000020
621 # a_type: GROUP
622 # a_perm: 7
623 # uid: -1
624 # gid: 3000000
625 # a_type: GROUP
626 # a_perm: 5
627 # uid: -1
628 # gid: 3000001
629 # a_type: GROUP
630 # a_perm: 7
631 # uid: -1
632 # gid: 3000003
633 # a_type: MASK
634 # a_perm: 7
635 # uid: -1
636 # gid: -1
637
638 #
639
640 os.unlink(tempf)
641
642 def setUp(self):
643 super(PosixAclMappingTests, self).setUp()
644 s3conf = s3param.get_context()
645 s3conf.load(self.get_loadparm().configfile)
reg import