1 # Unix SMB/CIFS implementation. Tests for NT and posix ACL manipulation
2 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
3 # Copyright (C) Andrew Bartlett 2012
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 """Tests for the Samba3 NT -> posix ACL layer"""
import os
import random
import tempfile

from samba import provision
from samba.dcerpc import xattr, security, smb_acl, idmap
from samba.ntacls import setntacl, getntacl, XattrBackendError
from samba.param import LoadParm
from samba.samba3 import smbd, passdb
from samba.samba3 import param as s3param
from samba.tests import TestCase, TestSkipped
31 # To print a posix ACL use:
32 # for entry in posix_acl.acl:
33 # print "a_type: %d" % entry.a_type
34 # print "a_perm: %o" % entry.a_perm
35 # print "uid: %d" % entry.uid
36 # print "gid: %d" % entry.gid
38 class PosixAclMappingTests(TestCase
):
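def test_setntacl(self):
    """Write an NT ACL through the ntacls layer with use_ntvfs=False.

    Only checks that setntacl() succeeds on a fresh file under
    SELFTEST_PREFIX; nothing is read back in this test.
    """
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    # mkstemp creates the file atomically with an unpredictable name; the
    # previous "pytests<random.random()>" name in the shared prefix was
    # guessable and the file handle was never closed or the file removed
    # here.  addCleanup unlinks it even when the test fails.
    fd, tempf = tempfile.mkstemp(prefix="pytests", dir=path)
    self.addCleanup(os.unlink, tempf)
    with os.fdopen(fd, 'w') as f:
        f.write("empty")
    # NOTE(review): `lp` is not bound in this method; presumably a
    # module- or fixture-level loadparm -- confirm.
    setntacl(lp, tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)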
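def test_setntacl_smbd_getntacl(self):
    """Set an NT ACL via the ntvfs path and read it back from the xattr db.

    setntacl() is called with use_ntvfs=True and getntacl() with
    direct_db_access=True; the round-tripped descriptor must render to
    the same SDDL as the input.
    """
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    # Atomic, unpredictable temp name instead of "pytests<random>" in the
    # shared prefix; the file is closed properly and removed on cleanup.
    fd, tempf = tempfile.mkstemp(prefix="pytests", dir=path)
    self.addCleanup(os.unlink, tempf)
    with os.fdopen(fd, 'w') as f:
        f.write("empty")
    setntacl(lp, tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
    facl = getntacl(lp, tempf, direct_db_access=True)
    # SID_NT_SELF is only used as the "domain" for SDDL rendering; the
    # input uses fully qualified SIDs so no abbreviation is expected.
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(facl.as_sddl(anysid), acl)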
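def test_setntacl_getntacl_smbd(self):
    """Set an NT ACL via the ntvfs path and read it back through smbd.

    setntacl() uses use_ntvfs=True, getntacl() uses direct_db_access=False,
    so this checks that what the ntvfs layer stored is visible through
    the smbd code path and renders to the original SDDL.
    """
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    # Atomic, unpredictable temp name instead of "pytests<random>" in the
    # shared prefix; the file is closed properly and removed on cleanup.
    fd, tempf = tempfile.mkstemp(prefix="pytests", dir=path)
    self.addCleanup(os.unlink, tempf)
    with os.fdopen(fd, 'w') as f:
        f.write("empty")
    setntacl(lp, tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
    facl = getntacl(lp, tempf, direct_db_access=False)
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(facl.as_sddl(anysid), acl)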
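def test_setntacl_smbd_getntacl_smbd(self):
    """Set and read an NT ACL entirely through smbd.

    Both setntacl() (use_ntvfs=False) and getntacl()
    (direct_db_access=False) go through the smbd code path; the
    round-tripped descriptor must render to the input SDDL.
    """
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    # Atomic, unpredictable temp name instead of "pytests<random>" in the
    # shared prefix; the file is closed properly and removed on cleanup.
    fd, tempf = tempfile.mkstemp(prefix="pytests", dir=path)
    self.addCleanup(os.unlink, tempf)
    with os.fdopen(fd, 'w') as f:
        f.write("empty")
    setntacl(lp, tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
    facl = getntacl(lp, tempf, direct_db_access=False)
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(facl.as_sddl(anysid), acl)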
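def test_setntacl_smbd_getntacl_smbd_gpo(self):
    """Round-trip a GPO-style descriptor (with SACL and object ACEs) via smbd.

    The SDDL uses domain-relative aliases (DA, DU, EA, ...), so it is
    rendered back against the test domain SID rather than SID_NT_SELF.
    """
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
    # Atomic, unpredictable temp name instead of "pytests<random>" in the
    # shared prefix; the file is closed properly and removed on cleanup.
    fd, tempf = tempfile.mkstemp(prefix="pytests", dir=path)
    self.addCleanup(os.unlink, tempf)
    with os.fdopen(fd, 'w') as f:
        f.write("empty")
    setntacl(lp, tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
    facl = getntacl(lp, tempf, direct_db_access=False)
    domsid = security.dom_sid("S-1-5-21-2212615479-2695158682-2101375467")
    self.assertEqual(facl.as_sddl(domsid), acl)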
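def test_setntacl_getposixacl(self):
    """Set an NT ACL via smbd, read it back, and fetch the derived POSIX ACL.

    getntacl() is called with its default access mode.  The POSIX access
    ACL is only retrieved here to exercise smbd.get_sys_acl(); its
    contents are not asserted in this test (see the sysvol/policies
    tests for entry-level checks).
    """
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    # Atomic, unpredictable temp name instead of "pytests<random>" in the
    # shared prefix; the file is closed properly and removed on cleanup.
    fd, tempf = tempfile.mkstemp(prefix="pytests", dir=path)
    self.addCleanup(os.unlink, tempf)
    with os.fdopen(fd, 'w') as f:
        f.write("empty")
    setntacl(lp, tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
    facl = getntacl(lp, tempf)
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(facl.as_sddl(anysid), acl)
    # Exercised for side effects only; no assertion on the result.
    posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)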
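def test_setntacl_sysvol_check_getposixacl(self):
    """Set provision.SYSVOL_ACL on a file and check the POSIX ACL smbd derives.

    The NT ACL is written via smbd (use_ntvfs=False), read back with
    getntacl() and compared as SDDL against the input; then the POSIX
    access ACL is checked entry by entry (type, permission bits and the
    mapped uid/gid).

    The expected id types and the entry order are specific to the current
    plugin_s4_dc selftest configuration.  When other environments have a
    broad range of groups mapped via passdb, some of these checks can be
    relaxed.
    """
    s3conf = s3param.get_context()
    path = os.environ['SELFTEST_PREFIX']
    acl = provision.SYSVOL_ACL
    # Atomic, unpredictable temp name instead of "pytests<random>" in the
    # shared prefix; the file is closed properly and removed on cleanup.
    fd, tempf = tempfile.mkstemp(prefix="pytests", dir=path)
    self.addCleanup(os.unlink, tempf)
    with os.fdopen(fd, 'w') as f:
        f.write("empty")
    domsid = passdb.get_global_sam_sid()
    setntacl(lp, tempf, acl, str(domsid), use_ntvfs=False)
    facl = getntacl(lp, tempf)
    self.assertEqual(facl.as_sddl(domsid), acl)
    posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

    LA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
    BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
    SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
    AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)

    s4_passdb = passdb.PDB(s3conf.get("passdb backend"))

    # Resolve each SID to a POSIX id and pin the id type passdb reports.
    LA_uid, LA_type = s4_passdb.sid_to_id(LA_sid)
    self.assertEqual(LA_type, idmap.ID_TYPE_UID)
    BA_gid, BA_type = s4_passdb.sid_to_id(BA_sid)
    self.assertEqual(BA_type, idmap.ID_TYPE_GID)
    SO_gid, SO_type = s4_passdb.sid_to_id(SO_sid)
    self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)
    SY_gid, SY_type = s4_passdb.sid_to_id(SY_sid)
    # Previously re-checked SO_type here, leaving SY_type unasserted.
    # SYSTEM is expected to map like the other well-known NT SIDs; if an
    # environment maps it differently, this is the check to revisit.
    self.assertEqual(SY_type, idmap.ID_TYPE_BOTH)
    AU_gid, AU_type = s4_passdb.sid_to_id(AU_sid)
    self.assertEqual(AU_type, idmap.ID_TYPE_BOTH)

    # Expected entries in the order smbd returns them in the NDR smb_acl
    # (not re-ordered for display): (a_type, a_perm, mapped uid/gid or
    # None for entries that carry no id).
    expected = [
        (smb_acl.SMB_ACL_GROUP, 7, BA_gid),
        (smb_acl.SMB_ACL_USER, 6, LA_uid),
        (smb_acl.SMB_ACL_OTHER, 0, None),
        (smb_acl.SMB_ACL_USER_OBJ, 6, None),
        (smb_acl.SMB_ACL_GROUP_OBJ, 7, None),
        (smb_acl.SMB_ACL_GROUP, 5, SO_gid),
        (smb_acl.SMB_ACL_GROUP, 7, SY_gid),
        (smb_acl.SMB_ACL_GROUP, 5, AU_gid),
        (smb_acl.SMB_ACL_MASK, 7, None),
    ]
    self.assertEqual(posix_acl.count, len(expected))
    for i, (a_type, a_perm, xid) in enumerate(expected):
        entry = posix_acl.acl[i]
        self.assertEqual(entry.a_type, a_type, "entry %d: a_type" % i)
        self.assertEqual(entry.a_perm, a_perm, "entry %d: a_perm" % i)
        if a_type == smb_acl.SMB_ACL_USER:
            self.assertEqual(entry.info.uid, xid, "entry %d: uid" % i)
        elif a_type == smb_acl.SMB_ACL_GROUP:
            self.assertEqual(entry.info.gid, xid, "entry %d: gid" % i)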
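def test_setntacl_policies_check_getposixacl(self):
    """Set provision.POLICIES_ACL on a file and check the POSIX ACL smbd derives.

    Same flow as the sysvol test: write via smbd (use_ntvfs=False), read
    back with getntacl() and compare as SDDL, then check the POSIX access
    ACL entry by entry.  POLICIES_ACL additionally grants the domain's
    Group Policy Creator Owners (DOMAIN_RID_POLICY_ADMINS), so one more
    group entry is expected.

    The expected id types and the entry order are specific to the current
    plugin_s4_dc selftest configuration.  When other environments have a
    broad range of groups mapped via passdb, some of these checks can be
    relaxed.
    """
    s3conf = s3param.get_context()
    path = os.environ['SELFTEST_PREFIX']
    acl = provision.POLICIES_ACL
    # Atomic, unpredictable temp name instead of "pytests<random>" in the
    # shared prefix; the file is closed properly and removed on cleanup.
    fd, tempf = tempfile.mkstemp(prefix="pytests", dir=path)
    self.addCleanup(os.unlink, tempf)
    with os.fdopen(fd, 'w') as f:
        f.write("empty")
    domsid = passdb.get_global_sam_sid()
    setntacl(lp, tempf, acl, str(domsid), use_ntvfs=False)
    facl = getntacl(lp, tempf)
    self.assertEqual(facl.as_sddl(domsid), acl)
    posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

    LA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
    BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
    SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
    AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
    PA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_POLICY_ADMINS))

    s4_passdb = passdb.PDB(s3conf.get("passdb backend"))

    # Resolve each SID to a POSIX id and pin the id type passdb reports.
    LA_uid, LA_type = s4_passdb.sid_to_id(LA_sid)
    self.assertEqual(LA_type, idmap.ID_TYPE_UID)
    BA_gid, BA_type = s4_passdb.sid_to_id(BA_sid)
    self.assertEqual(BA_type, idmap.ID_TYPE_GID)
    SO_gid, SO_type = s4_passdb.sid_to_id(SO_sid)
    self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)
    SY_gid, SY_type = s4_passdb.sid_to_id(SY_sid)
    # Previously re-checked SO_type here, leaving SY_type unasserted.
    # SYSTEM is expected to map like the other well-known NT SIDs; if an
    # environment maps it differently, this is the check to revisit.
    self.assertEqual(SY_type, idmap.ID_TYPE_BOTH)
    AU_gid, AU_type = s4_passdb.sid_to_id(AU_sid)
    self.assertEqual(AU_type, idmap.ID_TYPE_BOTH)
    PA_gid, PA_type = s4_passdb.sid_to_id(PA_sid)
    self.assertEqual(PA_type, idmap.ID_TYPE_BOTH)

    # Expected entries in the order smbd returns them in the NDR smb_acl
    # (not re-ordered for display): (a_type, a_perm, mapped uid/gid or
    # None for entries that carry no id).
    expected = [
        (smb_acl.SMB_ACL_GROUP, 7, BA_gid),
        (smb_acl.SMB_ACL_USER, 6, LA_uid),
        (smb_acl.SMB_ACL_OTHER, 0, None),
        (smb_acl.SMB_ACL_USER_OBJ, 6, None),
        (smb_acl.SMB_ACL_GROUP_OBJ, 7, None),
        (smb_acl.SMB_ACL_GROUP, 5, SO_gid),
        (smb_acl.SMB_ACL_GROUP, 7, SY_gid),
        (smb_acl.SMB_ACL_GROUP, 5, AU_gid),
        (smb_acl.SMB_ACL_GROUP, 7, PA_gid),
        (smb_acl.SMB_ACL_MASK, 7, None),
    ]
    self.assertEqual(posix_acl.count, len(expected))
    for i, (a_type, a_perm, xid) in enumerate(expected):
        entry = posix_acl.acl[i]
        self.assertEqual(entry.a_type, a_type, "entry %d: a_type" % i)
        self.assertEqual(entry.a_perm, a_perm, "entry %d: a_perm" % i)
        if a_type == smb_acl.SMB_ACL_USER:
            self.assertEqual(entry.info.uid, xid, "entry %d: uid" % i)
        elif a_type == smb_acl.SMB_ACL_GROUP:
            self.assertEqual(entry.info.gid, xid, "entry %d: gid" % i)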
386 super(PosixAclMappingTests
, self
).setUp()
387 s3conf
= s3param
.get_context()
388 s3conf
.load(self
.get_loadparm().configfile
)