smbd-posix_acls: Use a IDL union to store the ACL entry
1 # Unix SMB/CIFS implementation. Tests for NT and posix ACL manipulation
2 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
3 # Copyright (C) Andrew Bartlett 2012
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 """Tests for the Samba3 NT -> posix ACL layer"""
import os
import random
import tempfile

from samba import provision
from samba.dcerpc import xattr, security, smb_acl, idmap
from samba.ntacls import setntacl, getntacl, XattrBackendError
from samba.param import LoadParm
from samba.samba3 import smbd, passdb
from samba.samba3 import param as s3param
from samba.tests import TestCase, TestSkipped
31 # To print a posix ACL use:
32 # for entry in posix_acl.acl:
33 # print "a_type: %d" % entry.a_type
34 # print "a_perm: %o" % entry.a_perm
35 # print "uid: %d" % entry.uid
36 # print "gid: %d" % entry.gid
38 class PosixAclMappingTests(TestCase):
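def test_setntacl(self):
    """Set an NT ACL on a fresh file with use_ntvfs=False.

    Only checks that setntacl() completes without raising; reading the
    ACL back is covered by the other tests in this class.
    """
    lp = LoadParm()
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    # mkstemp creates the file atomically with a unique name, so parallel
    # runs cannot collide on (or overwrite) each other's scratch file.
    fd, tempf = tempfile.mkstemp(prefix="pytests", dir=path)
    try:
        with os.fdopen(fd, 'w') as f:
            f.write("empty")
        setntacl(lp, tempf, acl,
                 "S-1-5-21-2212615479-2695158682-2101375467",
                 use_ntvfs=False)
    finally:
        # Remove the scratch file even when setntacl() fails, so a broken
        # run does not leave stale files under SELFTEST_PREFIX.
        os.unlink(tempf)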
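def test_setntacl_smbd_getntacl(self):
    """Set an NT ACL with use_ntvfs=True and read it back with direct_db_access=True.

    The ACL read back must render to the same SDDL string that was set.
    """
    lp = LoadParm()
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    # mkstemp creates the file atomically with a unique name, so parallel
    # runs cannot collide on (or overwrite) each other's scratch file.
    fd, tempf = tempfile.mkstemp(prefix="pytests", dir=path)
    try:
        with os.fdopen(fd, 'w') as f:
            f.write("empty")
        setntacl(lp, tempf, acl,
                 "S-1-5-21-2212615479-2695158682-2101375467",
                 use_ntvfs=True)
        facl = getntacl(lp, tempf, direct_db_access=True)
        # SID_NT_SELF is only the domain used to abbreviate SIDs in the
        # SDDL output; the ACL above uses full SIDs, so none are shortened.
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(facl.as_sddl(anysid), acl)
    finally:
        # Remove the scratch file even when an assertion fails, so a broken
        # run does not leave stale files under SELFTEST_PREFIX.
        os.unlink(tempf)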
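def test_setntacl_getntacl_smbd(self):
    """Set an NT ACL with use_ntvfs=True and read it back with direct_db_access=False.

    The ACL read back must render to the same SDDL string that was set.
    """
    lp = LoadParm()
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    # mkstemp creates the file atomically with a unique name, so parallel
    # runs cannot collide on (or overwrite) each other's scratch file.
    fd, tempf = tempfile.mkstemp(prefix="pytests", dir=path)
    try:
        with os.fdopen(fd, 'w') as f:
            f.write("empty")
        setntacl(lp, tempf, acl,
                 "S-1-5-21-2212615479-2695158682-2101375467",
                 use_ntvfs=True)
        facl = getntacl(lp, tempf, direct_db_access=False)
        # SID_NT_SELF is only the domain used to abbreviate SIDs in the
        # SDDL output; the ACL above uses full SIDs, so none are shortened.
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(facl.as_sddl(anysid), acl)
    finally:
        # Remove the scratch file even when an assertion fails, so a broken
        # run does not leave stale files under SELFTEST_PREFIX.
        os.unlink(tempf)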
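def test_setntacl_smbd_getntacl_smbd(self):
    """Set an NT ACL with use_ntvfs=False and read it back with direct_db_access=False.

    The ACL read back must render to the same SDDL string that was set.
    """
    lp = LoadParm()
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    # mkstemp creates the file atomically with a unique name, so parallel
    # runs cannot collide on (or overwrite) each other's scratch file.
    fd, tempf = tempfile.mkstemp(prefix="pytests", dir=path)
    try:
        with os.fdopen(fd, 'w') as f:
            f.write("empty")
        setntacl(lp, tempf, acl,
                 "S-1-5-21-2212615479-2695158682-2101375467",
                 use_ntvfs=False)
        facl = getntacl(lp, tempf, direct_db_access=False)
        # SID_NT_SELF is only the domain used to abbreviate SIDs in the
        # SDDL output; the ACL above uses full SIDs, so none are shortened.
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(facl.as_sddl(anysid), acl)
    finally:
        # Remove the scratch file even when an assertion fails, so a broken
        # run does not leave stale files under SELFTEST_PREFIX.
        os.unlink(tempf)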
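def test_setntacl_smbd_getntacl_smbd_gpo(self):
    """Round-trip a GPO-style ACL (abbreviated SIDs, SACL with object ACEs).

    The ACL is set with use_ntvfs=False and read back with
    direct_db_access=False; rendering it relative to the domain SID must
    reproduce the original SDDL, including the DA/DU/EA/CO/ED aliases.
    """
    lp = LoadParm()
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
    # mkstemp creates the file atomically with a unique name, so parallel
    # runs cannot collide on (or overwrite) each other's scratch file.
    fd, tempf = tempfile.mkstemp(prefix="pytests", dir=path)
    try:
        with os.fdopen(fd, 'w') as f:
            f.write("empty")
        setntacl(lp, tempf, acl,
                 "S-1-5-21-2212615479-2695158682-2101375467",
                 use_ntvfs=False)
        facl = getntacl(lp, tempf, direct_db_access=False)
        # The domain SID is needed so as_sddl() can abbreviate the
        # domain-relative SIDs back to the DA/DU/EA aliases used above.
        domsid = security.dom_sid("S-1-5-21-2212615479-2695158682-2101375467")
        self.assertEqual(facl.as_sddl(domsid), acl)
    finally:
        # Remove the scratch file even when an assertion fails, so a broken
        # run does not leave stale files under SELFTEST_PREFIX.
        os.unlink(tempf)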
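def test_setntacl_getposixacl(self):
    """Set an NT ACL with use_ntvfs=False, read it back, then fetch the posix ACL.

    The SDDL round-trip is asserted; the posix ACL is only fetched to
    check that get_sys_acl() succeeds on a file that was given an NT ACL
    (its contents are checked by the sysvol/policies tests below).
    """
    lp = LoadParm()
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    # mkstemp creates the file atomically with a unique name, so parallel
    # runs cannot collide on (or overwrite) each other's scratch file.
    fd, tempf = tempfile.mkstemp(prefix="pytests", dir=path)
    try:
        with os.fdopen(fd, 'w') as f:
            f.write("empty")
        setntacl(lp, tempf, acl,
                 "S-1-5-21-2212615479-2695158682-2101375467",
                 use_ntvfs=False)
        facl = getntacl(lp, tempf)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(facl.as_sddl(anysid), acl)
        # Result intentionally unused: only the absence of an exception
        # is being tested here.
        smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
    finally:
        # Remove the scratch file even when an assertion fails, so a broken
        # run does not leave stale files under SELFTEST_PREFIX.
        os.unlink(tempf)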
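def test_setntacl_sysvol_check_getposixacl(self):
    """Set provision.SYSVOL_ACL and check the posix ACL smbd derives from it.

    Resolves the well-known SIDs through the configured passdb backend
    and asserts, entry by entry, the a_type / a_perm / uid-or-gid that
    the NT -> posix mapping produces for the sysvol ACL.
    """
    lp = LoadParm()
    s3conf = s3param.get_context()
    path = os.environ['SELFTEST_PREFIX']
    acl = provision.SYSVOL_ACL
    # mkstemp creates the file atomically with a unique name, so parallel
    # runs cannot collide on (or overwrite) each other's scratch file.
    fd, tempf = tempfile.mkstemp(prefix="pytests", dir=path)
    try:
        with os.fdopen(fd, 'w') as f:
            f.write("empty")
        domsid = passdb.get_global_sam_sid()
        setntacl(lp, tempf, acl, str(domsid), use_ntvfs=False)
        facl = getntacl(lp, tempf)
        self.assertEqual(facl.as_sddl(domsid), acl)
        posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

        LA_sid = security.dom_sid("%s-%s" % (domsid, security.DOMAIN_RID_ADMINISTRATOR))
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
        SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
        AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)

        s4_passdb = passdb.PDB(s3conf.get("passdb backend"))

        # These assertions are correct for the current plugin_s4_dc selftest
        # configuration. When other environments have a broad range of
        # groups mapped via passdb, we can relax some of these checks.
        (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
        self.assertEqual(LA_type, idmap.ID_TYPE_UID)
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        self.assertEqual(BA_type, idmap.ID_TYPE_GID)
        (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
        self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)
        (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
        # Was a copy/paste slip re-checking SO_type; SY_type was never asserted.
        self.assertEqual(SY_type, idmap.ID_TYPE_BOTH)
        (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
        self.assertEqual(AU_type, idmap.ID_TYPE_BOTH)

        # Expected entries in the order the NDR smb_acl returns them (not
        # re-ordered for display). Each tuple is (a_type, a_perm, owner)
        # where owner is None or ("uid"|"gid", expected id).
        expected = [
            (smb_acl.SMB_ACL_GROUP,     7, ("gid", BA_gid)),
            (smb_acl.SMB_ACL_USER,      6, ("uid", LA_uid)),
            (smb_acl.SMB_ACL_OTHER,     0, None),
            (smb_acl.SMB_ACL_USER_OBJ,  6, None),
            (smb_acl.SMB_ACL_GROUP_OBJ, 7, None),
            (smb_acl.SMB_ACL_GROUP,     5, ("gid", SO_gid)),
            (smb_acl.SMB_ACL_GROUP,     7, ("gid", SY_gid)),
            (smb_acl.SMB_ACL_GROUP,     5, ("gid", AU_gid)),
            (smb_acl.SMB_ACL_MASK,      7, None),
        ]
        self.assertEqual(posix_acl.count, len(expected))
        # The message names the failing entry; a bare assertEqual on a
        # list of nine near-identical checks does not.
        for i, (a_type, a_perm, owner) in enumerate(expected):
            entry = posix_acl.acl[i]
            self.assertEqual(entry.a_type, a_type, "entry %d a_type" % i)
            self.assertEqual(entry.a_perm, a_perm, "entry %d a_perm" % i)
            if owner is not None:
                attr, expected_id = owner
                self.assertEqual(getattr(entry.info, attr), expected_id,
                                 "entry %d %s" % (i, attr))

        # As getfacl would show it:
        # user::rwx
        # user:root:rwx (selftest user actually)
        # group::rwx
        # group:wheel:rwx
        # group:3000000:r-x
        # group:3000001:rwx
        # group:3000002:r-x
        # mask::rwx
        # other::---
        #
        # And in NDR smb_acl order (sample ids from one selftest run):
        # GROUP      a_perm 7  gid 10
        # USER       a_perm 6  uid 0 (selftest user actually)
        # OTHER      a_perm 0
        # USER_OBJ   a_perm 6
        # GROUP_OBJ  a_perm 7
        # GROUP      a_perm 5  gid 3000020
        # GROUP      a_perm 7  gid 3000000
        # GROUP      a_perm 5  gid 3000001
        # MASK       a_perm 7
    finally:
        # Remove the scratch file even when an assertion fails, so a broken
        # run does not leave stale files under SELFTEST_PREFIX.
        os.unlink(tempf)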
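def test_setntacl_policies_check_getposixacl(self):
    """Set provision.POLICIES_ACL and check the posix ACL smbd derives from it.

    Same shape as the sysvol test, plus the Group Policy Creator Owners
    (DOMAIN_RID_POLICY_ADMINS) group, which adds one more GROUP entry.
    """
    lp = LoadParm()
    s3conf = s3param.get_context()
    path = os.environ['SELFTEST_PREFIX']
    acl = provision.POLICIES_ACL
    # mkstemp creates the file atomically with a unique name, so parallel
    # runs cannot collide on (or overwrite) each other's scratch file.
    fd, tempf = tempfile.mkstemp(prefix="pytests", dir=path)
    try:
        with os.fdopen(fd, 'w') as f:
            f.write("empty")
        domsid = passdb.get_global_sam_sid()
        setntacl(lp, tempf, acl, str(domsid), use_ntvfs=False)
        facl = getntacl(lp, tempf)
        self.assertEqual(facl.as_sddl(domsid), acl)
        posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

        LA_sid = security.dom_sid("%s-%s" % (domsid, security.DOMAIN_RID_ADMINISTRATOR))
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
        SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
        AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
        PA_sid = security.dom_sid("%s-%s" % (domsid, security.DOMAIN_RID_POLICY_ADMINS))

        s4_passdb = passdb.PDB(s3conf.get("passdb backend"))

        # These assertions are correct for the current plugin_s4_dc selftest
        # configuration. When other environments have a broad range of
        # groups mapped via passdb, we can relax some of these checks.
        (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
        self.assertEqual(LA_type, idmap.ID_TYPE_UID)
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        self.assertEqual(BA_type, idmap.ID_TYPE_GID)
        (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
        self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)
        (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
        # Was a copy/paste slip re-checking SO_type; SY_type was never asserted.
        self.assertEqual(SY_type, idmap.ID_TYPE_BOTH)
        (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
        self.assertEqual(AU_type, idmap.ID_TYPE_BOTH)
        (PA_gid, PA_type) = s4_passdb.sid_to_id(PA_sid)
        self.assertEqual(PA_type, idmap.ID_TYPE_BOTH)

        # Expected entries in the order the NDR smb_acl returns them (not
        # re-ordered for display). Each tuple is (a_type, a_perm, owner)
        # where owner is None or ("uid"|"gid", expected id).
        expected = [
            (smb_acl.SMB_ACL_GROUP,     7, ("gid", BA_gid)),
            (smb_acl.SMB_ACL_USER,      6, ("uid", LA_uid)),
            (smb_acl.SMB_ACL_OTHER,     0, None),
            (smb_acl.SMB_ACL_USER_OBJ,  6, None),
            (smb_acl.SMB_ACL_GROUP_OBJ, 7, None),
            (smb_acl.SMB_ACL_GROUP,     5, ("gid", SO_gid)),
            (smb_acl.SMB_ACL_GROUP,     7, ("gid", SY_gid)),
            (smb_acl.SMB_ACL_GROUP,     5, ("gid", AU_gid)),
            (smb_acl.SMB_ACL_GROUP,     7, ("gid", PA_gid)),
            (smb_acl.SMB_ACL_MASK,      7, None),
        ]
        self.assertEqual(posix_acl.count, len(expected))
        # The message names the failing entry; a bare assertEqual on a
        # list of ten near-identical checks does not.
        for i, (a_type, a_perm, owner) in enumerate(expected):
            entry = posix_acl.acl[i]
            self.assertEqual(entry.a_type, a_type, "entry %d a_type" % i)
            self.assertEqual(entry.a_perm, a_perm, "entry %d a_perm" % i)
            if owner is not None:
                attr, expected_id = owner
                self.assertEqual(getattr(entry.info, attr), expected_id,
                                 "entry %d %s" % (i, attr))

        # As getfacl would show it:
        # user::rwx
        # user:root:rwx (selftest user actually)
        # group::rwx
        # group:wheel:rwx
        # group:3000000:r-x
        # group:3000001:rwx
        # group:3000002:r-x
        # group:3000003:rwx
        # mask::rwx
        # other::---
        #
        # And in NDR smb_acl order (sample ids from one selftest run):
        # GROUP      a_perm 7  gid 10
        # USER       a_perm 6  uid 0 (selftest user actually)
        # OTHER      a_perm 0
        # USER_OBJ   a_perm 6
        # GROUP_OBJ  a_perm 7
        # GROUP      a_perm 5  gid 3000020
        # GROUP      a_perm 7  gid 3000000
        # GROUP      a_perm 5  gid 3000001
        # GROUP      a_perm 7  gid 3000003
        # MASK       a_perm 7
    finally:
        # Remove the scratch file even when an assertion fails, so a broken
        # run does not leave stale files under SELFTEST_PREFIX.
        os.unlink(tempf)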
def setUp(self):
    """Load this test's smb.conf into the shared samba3 param context.

    smbd.get_sys_acl() and passdb.PDB() in the tests read that context,
    so it has to match the loadparm the test framework hands us.
    """
    super(PosixAclMappingTests, self).setUp()
    conf_path = self.get_loadparm().configfile
    s3param.get_context().load(conf_path)