def test_setntacl(rootpath, sddl):
    """Apply the ACL described by the SDDL string *sddl* to *rootpath*.

    The descriptor is built against an empty default domain SID and written
    through smbd with owner, group, DACL and SACL all selected.  The s3
    configuration context is loaded from /etc/samba/smb.conf first; the
    smbd call presumably reads it — confirm against the smbd bindings.
    """
    conf = s3param.get_context()
    conf.load("/etc/samba/smb.conf")
    descriptor = security.descriptor.from_sddl(sddl, security.dom_sid())
    # Every component of the descriptor is replaced, not only the DACL.
    secinfo = (security.SECINFO_OWNER
               | security.SECINFO_GROUP
               | security.SECINFO_DACL
               | security.SECINFO_SACL)
    smbd.set_nt_acl(rootpath, secinfo, descriptor, service=None)
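def smbd_set_ntacl(path, sd):
    """Write descriptor *sd* (owner, group, DACL and SACL) to *path* via smbd.

    Returns 0 on success and -1 on any failure.  The failure reason is not
    reported to the caller; inspect smbd's own logging when a -1 comes back.
    """
    try:
        smbd.set_nt_acl(path,
                        security.SECINFO_OWNER | security.SECINFO_GROUP
                        | security.SECINFO_DACL | security.SECINFO_SACL,
                        sd,
                        service=None)
    except Exception:
        # Only ordinary errors map to -1.  The original bare `except:` also
        # swallowed KeyboardInterrupt and SystemExit, which made a long ACL
        # pass impossible to interrupt cleanly.
        return -1
    return 0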
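def setntacl_file(fpath, fsd_dic):
    """Merge the ACEs in *fsd_dic* into the existing ACL of the file *fpath*.

    The file is left untouched when its descriptor says the DACL is not
    auto-inherited while a SACL is present, or when the DACL is protected
    (inheritance explicitly blocked); such ACLs are treated as deliberately
    set.  Otherwise the merged SDDL from ``get_update_aces`` is written with
    owner, group, DACL and SACL selected.
    """
    sd = getntacl_util(fpath)
    # Parenthesised on purpose: `==`/`!=` bind tighter than `&` in Python, so
    # `sd.type & FLAG == 0` evaluates `sd.type & False` and never tests FLAG.
    not_auto_inherited = (sd.type & SEC_DESC_DACL_AUTO_INHERITED) == 0
    sacl_present = (sd.type & SEC_DESC_SACL_PRESENT) != 0
    if not_auto_inherited and sacl_present:
        print("Not set acl %s" % fpath)
        return

    if (sd.type & SEC_DESC_DACL_PROTECTED) != 0:
        print("Not set acl %s" % fpath)
        return

    sd_dic = ntacl_parser_from_sd(sd)
    rsddl = get_update_aces(sd_dic, fsd_dic)
    print("rsddl %s" % rsddl)
    smbd.set_nt_acl(fpath,
                    security.SECINFO_OWNER | security.SECINFO_GROUP
                    | security.SECINFO_DACL | security.SECINFO_SACL,
                    security.descriptor.from_sddl(rsddl, security.dom_sid()),
                    service=None)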
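def setntacl(rootpath, sddl):
    """Apply *sddl* to *rootpath* and propagate it to the tree below.

    *rootpath* receives the descriptor exactly as given.  Each direct child
    is then updated with the file- or directory-inheritable ACEs derived
    from it (``get_sd_file`` / ``get_sd_dir``); ``setntacl_dir`` recurses
    into subdirectories.  Symbolic links are skipped so that the walk can
    never leave *rootpath* through a link to another directory.

    Returns ``{'status': 0}``.
    """
    print("%s %s" % (rootpath, sddl))
    s3conf = s3param.get_context()
    s3conf.load("/etc/samba/smb.conf")
    sd = security.descriptor.from_sddl(sddl, security.dom_sid())
    smbd.set_nt_acl(rootpath,
                    security.SECINFO_OWNER | security.SECINFO_GROUP
                    | security.SECINFO_DACL | security.SECINFO_SACL,
                    sd,
                    service=None)

    sd_dic = ntacl_parser_from_sd(sd)
    fsd_dic = get_sd_file(sd_dic)
    dsd_dic = get_sd_dir(sd_dic)
    for name in os.listdir(rootpath):
        subpath = os.path.join(rootpath, name)
        # A link to a directory outside rootpath would otherwise be descended
        # into and re-ACLed; links to files are left alone as well.
        if os.path.islink(subpath):
            print("Skip symlink %s" % subpath)
            continue
        if os.path.isfile(subpath):
            setntacl_file(subpath, fsd_dic)
        else:
            setntacl_dir(subpath, dsd_dic)
    return {'status': 0}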
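def setntacl_dir(dpath, dsd_dic):
    """Merge *dsd_dic* into the ACL of directory *dpath* and recurse below it.

    The directory is skipped (and not descended into) when its DACL is not
    auto-inherited or is protected; such ACLs count as deliberately set.
    Otherwise the merged SDDL from ``get_update_aces`` is written, and every
    child is updated with the file- or directory-inheritable ACEs derived
    from the merged descriptor.  Symbolic links are skipped so that the walk
    can never leave *dpath* through a link to another directory.
    """
    sd = getntacl_util(dpath)
    # Parenthesised on purpose: `==`/`!=` bind tighter than `&` in Python, so
    # the unparenthesised form evaluates `sd.type & False`/`sd.type & True`
    # and never tests the intended flag.
    not_auto_inherited = (sd.type & SEC_DESC_DACL_AUTO_INHERITED) == 0
    protected = (sd.type & SEC_DESC_DACL_PROTECTED) != 0
    if not_auto_inherited or protected:
        print("Not set acl %s" % dpath)
        return
    sd_dic = ntacl_parser_from_sd(sd)
    rsddl = get_update_aces(sd_dic, dsd_dic)
    print("rsddl %s" % rsddl)
    smbd.set_nt_acl(dpath,
                    security.SECINFO_OWNER | security.SECINFO_GROUP
                    | security.SECINFO_DACL | security.SECINFO_SACL,
                    security.descriptor.from_sddl(rsddl, security.dom_sid()),
                    service=None)

    fsd_dic = get_sd_file(sd_dic)
    child_dsd_dic = get_sd_dir(sd_dic)
    for name in os.listdir(dpath):
        # Children live under dpath; the original built the path from
        # `rootpath`, which is not defined in this function.
        subpath = os.path.join(dpath, name)
        if os.path.islink(subpath):
            print("Skip symlink %s" % subpath)
            continue
        if os.path.isfile(subpath):
            setntacl_file(subpath, fsd_dic)
        else:
            setntacl_dir(subpath, child_dsd_dic)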
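def setntacl(lp, file, sddl, domsid, backend=None, eadbfile=None, use_ntvfs=True, skip_invalid_chown=False, passdb=None):
    """Set the NT ACL *sddl* on *file*.

    Args:
        lp: loadparm context, passed through to ``checkset_backend``.
        file: path of the file or directory to update.
        sddl: the descriptor, as an SDDL string or a ``security.descriptor``;
            the other representation is derived from it.
        domsid: the domain SID, as a string or ``security.dom_sid``; used to
            resolve the SDDL and to build the Domain Admins / Administrator
            SIDs in the owner fix-up below.
        backend, eadbfile: xattr backend selection, resolved by
            ``checkset_backend`` when the NTVFS path is taken.
        use_ntvfs: when true the descriptor is stored as an NTACL xattr
            (no POSIX ACL, no owner change); otherwise smbd applies it.
        skip_invalid_chown: with ``use_ntvfs=False``, handle an owner SID
            that has no UID instead of letting smbd fail on the chown.
        passdb: required for ``sid_to_id`` lookups when
            ``skip_invalid_chown`` is set; it is not checked for None here.

    Raises:
        AssertionError: *domsid* or *sddl* has an unsupported type.
        XattrBackendError: the owner is Domain Admins but the domain
            Administrator account has no UID mapping.
    """
    assert(isinstance(domsid, str) or isinstance(domsid, security.dom_sid))
    if isinstance(domsid, str):
        sid = security.dom_sid(domsid)
    elif isinstance(domsid, security.dom_sid):
        sid = domsid
        domsid = str(sid)

    assert(isinstance(sddl, str) or isinstance(sddl, security.descriptor))
    if isinstance(sddl, str):
        sd = security.descriptor.from_sddl(sddl, sid)
    elif isinstance(sddl, security.descriptor):
        sd = sddl
        sddl = sd.as_sddl(sid)

    if not use_ntvfs and skip_invalid_chown:
        # Check if the owner can be resolved as a UID
        (owner_id, owner_type) = passdb.sid_to_id(sd.owner_sid)
        if owner_type not in (idmap.ID_TYPE_UID, idmap.ID_TYPE_BOTH):
            # Domain Admins is special-cased: it is mapped to the
            # 'administrator' user instead.
            domain_admins = security.dom_sid("%s-%d" % (domsid, security.DOMAIN_RID_ADMINS))
            if sd.owner_sid == domain_admins:
                administrator = security.dom_sid("%s-%d" % (domsid, security.DOMAIN_RID_ADMINISTRATOR))
                (admin_id, admin_type) = passdb.sid_to_id(administrator)

                # Confirm we have a UID for administrator
                if admin_type in (idmap.ID_TYPE_UID, idmap.ID_TYPE_BOTH):
                    # Rewrite the owner in place (the original aliased `sd` as
                    # `sd2`, the same object) so that both the smbd call and
                    # the NTACL xattr written further down carry
                    # 'administrator' rather than Domain Admins.
                    sd.owner_sid = administrator
                    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd)

                    # Then store an NTVFS ACL (which does not set the POSIX
                    # ACL) to pretend the owner really was set.
                    use_ntvfs = True
                else:
                    raise XattrBackendError("Unable to find UID for domain administrator %s, got id %d of type %d" % (administrator, admin_id, admin_type))
            else:
                # For all other owning users, reset the owner to root
                # and then set the ACL without changing the owner
                #
                # This won't work in test environments, as it tries a real (rather than xattr-based fake) chown
                os.chown(file, 0, 0)
                smbd.set_nt_acl(file, security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd)

    if use_ntvfs:
        (backend_obj, dbname) = checkset_backend(lp, backend, eadbfile)
        ntacl = xattr.NTACL()
        ntacl.version = 1
        ntacl.info = sd
        packed = ndr_pack(ntacl)
        if dbname is not None:
            try:
                backend_obj.wrap_setxattr(dbname, file, xattr.XATTR_NTACL_NAME, packed)
            except Exception:
                # FIXME: Don't catch all exceptions, just those related to
                # opening xattrdb.  Note that this falls back to the real
                # filesystem xattr, so a broken eadb silently changes where
                # the ACL ends up being stored.
                print("Fail to open %s" % dbname)
                samba.xattr_native.wrap_setxattr(file, xattr.XATTR_NTACL_NAME, packed)
        else:
            samba.xattr_native.wrap_setxattr(file, xattr.XATTR_NTACL_NAME, packed)
    else:
        smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd)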