Пример #1
0
 def test_setntacl_getposixacl(self):
     acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
     setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
     facl = getntacl(self.lp, self.tempf)
     anysid = security.dom_sid(security.SID_NT_SELF)
     self.assertEquals(facl.as_sddl(anysid),acl)
     posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
Пример #2
0
    def run(self, file, use_ntvfs=False, use_s3fs=False,
            as_sddl=False, xattr_backend=None, eadb_file=None,
            credopts=None, sambaopts=None, versionopts=None,
            service=None):
        lp = sambaopts.get_loadparm()
        try:
            samdb = SamDB(session_info=system_session(),
                          lp=lp)
        except Exception as e:
            raise CommandError("Unable to open samdb:", e)

        if not use_ntvfs and not use_s3fs:
            use_ntvfs = "smb" in lp.get("server services")
        elif use_s3fs:
            use_ntvfs = False


        s3conf = s3param.get_context()
        s3conf.load(lp.configfile)
        # ensure we are using the right samba_dsdb passdb backend, no matter what
        s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url)

        acl = getntacl(lp, file, xattr_backend, eadb_file, direct_db_access=use_ntvfs, service=service)
        if as_sddl:
            try:
                domain_sid = security.dom_sid(samdb.domain_sid)
            except:
                raise CommandError("Unable to read domain SID from configuration files")
            self.outf.write(acl.as_sddl(domain_sid)+"\n")
        else:
            self.outf.write(ndr_print(acl))
Пример #3
0
 def test_setntacl_smbd_getntacl(self):
     acl = ACL
     setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True,
              session_info=self.get_session_info())
     facl = getntacl(self.lp, self.tempf, direct_db_access=True)
     anysid = security.dom_sid(security.SID_NT_SELF)
     self.assertEquals(facl.as_sddl(anysid),acl)
Пример #4
0
    def run(self,
            file,
            use_ntvfs=False,
            use_s3fs=False,
            as_sddl=False,
            xattr_backend=None,
            eadb_file=None,
            credopts=None,
            sambaopts=None,
            versionopts=None,
            service=None):
        lp = sambaopts.get_loadparm()
        domain_sid = get_local_domain_sid(lp)

        if not use_ntvfs and not use_s3fs:
            use_ntvfs = "smb" in lp.get("server services")
        elif use_s3fs:
            use_ntvfs = False

        acl = getntacl(lp,
                       file,
                       system_session_unix(),
                       xattr_backend,
                       eadb_file,
                       direct_db_access=use_ntvfs,
                       service=service)
        if as_sddl:
            self.outf.write(acl.as_sddl(domain_sid) + "\n")
        else:
            self.outf.write(ndr_print(acl))
Пример #5
0
 def test_setntacl_getposixacl(self):
     acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
     setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
     facl = getntacl(self.lp, self.tempf)
     anysid = security.dom_sid(security.SID_NT_SELF)
     self.assertEquals(facl.as_sddl(anysid),acl)
     posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
Пример #6
0
 def test_setntacl_smbd_getntacl_smbd_gpo(self):
     acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
     setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
              session_info=self.get_session_info())
     facl = getntacl(self.lp, self.tempf, direct_db_access=False)
     domsid = security.dom_sid(DOM_SID)
     self.assertEquals(facl.as_sddl(domsid),acl)
Пример #7
0
 def test_setntacl_getposixacl(self):
     acl = ACL
     setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
              session_info=self.get_session_info())
     facl = getntacl(self.lp, self.tempf)
     anysid = security.dom_sid(security.SID_NT_SELF)
     self.assertEquals(facl.as_sddl(anysid),acl)
     posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
Пример #8
0
 def test_setposixacl_getntacl_smbd(self):
     s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
     group_SID = s4_passdb.gid_to_sid(os.stat(self.tempf).st_gid)
     user_SID = s4_passdb.uid_to_sid(os.stat(self.tempf).st_uid)
     smbd.set_simple_acl(self.tempf, 0640)
     facl = getntacl(self.lp, self.tempf, direct_db_access=False)
     acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
     anysid = security.dom_sid(security.SID_NT_SELF)
     self.assertEquals(acl, facl.as_sddl(anysid))
Пример #9
0
 def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
     acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
     simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
     setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
     # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
     smbd.set_simple_acl(self.tempf, 0640)
     facl = getntacl(self.lp, self.tempf, direct_db_access=False)
     anysid = security.dom_sid(security.SID_NT_SELF)
     self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
Пример #10
0
 def run(self, file, as_sddl=False, xattr_backend=None, eadb_file=None,
         credopts=None, sambaopts=None, versionopts=None):
     lp = sambaopts.get_loadparm()
     acl = getntacl(lp, file, xattr_backend, eadb_file)
     if as_sddl:
         anysid = security.dom_sid(security.SID_NT_SELF)
         self.outf.write(acl.info.as_sddl(anysid)+"\n")
     else:
         acl.dump()
Пример #11
0
 def test_setposixacl_getntacl(self):
     acl = ""
     smbd.set_simple_acl(self.tempf, 0750)
     try:
         facl = getntacl(self.lp, self.tempf)
         self.assertTrue(False)
     except TypeError:
         # We don't expect the xattr to be filled in in this case
         pass
Пример #12
0
 def test_setntacl_getntacl(self):
     lp = LoadParm()
     open(self.tempf, 'w').write("empty")
     lp.set("posix:eadb", os.path.join(self.tempdir, "eadbtest.tdb"))
     setntacl(lp, self.tempf, NTACL_SDDL, DOMAIN_SID)
     facl = getntacl(lp, self.tempf)
     anysid = security.dom_sid(security.SID_NT_SELF)
     self.assertEquals(facl.as_sddl(anysid), NTACL_SDDL)
     os.unlink(os.path.join(self.tempdir, "eadbtest.tdb"))
Пример #13
0
 def test_setposixacl_getntacl_smbd(self):
     s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
     group_SID = s4_passdb.gid_to_sid(os.stat(self.tempf).st_gid)
     user_SID = s4_passdb.uid_to_sid(os.stat(self.tempf).st_uid)
     smbd.set_simple_acl(self.tempf, 0640)
     facl = getntacl(self.lp, self.tempf, direct_db_access=False)
     acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
     anysid = security.dom_sid(security.SID_NT_SELF)
     self.assertEquals(acl, facl.as_sddl(anysid))
Пример #14
0
 def test_setposixacl_getntacl(self):
     acl = ""
     smbd.set_simple_acl(self.tempf, 0750)
     try:
         facl = getntacl(self.lp, self.tempf)
         self.assertTrue(False)
     except TypeError:
         # We don't expect the xattr to be filled in in this case
         pass
Пример #15
0
 def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
     acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
     simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
     setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
     # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
     smbd.set_simple_acl(self.tempf, 0640)
     facl = getntacl(self.lp, self.tempf, direct_db_access=False)
     anysid = security.dom_sid(security.SID_NT_SELF)
     self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
Пример #16
0
 def test_setntacl_getntacl(self):
     lp = LoadParm()
     open(self.tempf, 'w').write("empty")
     lp.set("posix:eadb", os.path.join(self.tempdir, "eadbtest.tdb"))
     setntacl(lp, self.tempf, NTACL_SDDL, DOMAIN_SID, self.session_info)
     facl = getntacl(lp, self.tempf, self.session_info)
     anysid = security.dom_sid(security.SID_NT_SELF)
     self.assertEqual(facl.as_sddl(anysid), NTACL_SDDL)
     os.unlink(os.path.join(self.tempdir, "eadbtest.tdb"))
Пример #17
0
 def test_setntacl_getntacl_param(self):
     lp = LoadParm()
     acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
     open(self.tempf, 'w').write("empty")
     setntacl(lp,self.tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467","tdb",os.path.join(self.tempdir,"eadbtest.tdb"))
     facl=getntacl(lp,self.tempf,"tdb",os.path.join(self.tempdir,"eadbtest.tdb"))
     domsid=security.dom_sid(security.SID_NT_SELF)
     self.assertEquals(facl.as_sddl(domsid),acl)
     os.unlink(os.path.join(self.tempdir,"eadbtest.tdb"))
Пример #18
0
        def changedom_sids(file):
            if verbose:
                self.outf.write("file: %s\n" % file)

            try:
                acl = getntacl(lp,
                               file,
                               system_session_unix(),
                               xattr_backend,
                               eadb_file,
                               direct_db_access=use_ntvfs,
                               service=service)
            except Exception as e:
                raise CommandError("Could not get acl for %s: %s" % (file, e))

            orig_sddl = acl.as_sddl(domain_sid)
            if verbose:
                self.outf.write("before:\n%s\n" % orig_sddl)

            def replace_domain_sid(sid):
                (dom, rid) = sid.split()
                if dom == old_domain_sid:
                    return security.dom_sid("%s-%i" % (new_domain_sid, rid))
                return sid

            acl.owner_sid = replace_domain_sid(acl.owner_sid)
            acl.group_sid = replace_domain_sid(acl.group_sid)

            if acl.sacl:
                for ace in acl.sacl.aces:
                    ace.trustee = replace_domain_sid(ace.trustee)
            if acl.dacl:
                for ace in acl.dacl.aces:
                    ace.trustee = replace_domain_sid(ace.trustee)

            new_sddl = acl.as_sddl(domain_sid)
            if verbose:
                self.outf.write("after:\n%s\n" % new_sddl)

            if orig_sddl == new_sddl:
                if verbose:
                    self.outf.write("nothing to do\n")
                return True

            try:
                setntacl(lp,
                         file,
                         acl,
                         new_domain_sid,
                         system_session_unix(),
                         xattr_backend,
                         eadb_file,
                         use_ntvfs=use_ntvfs,
                         service=service)
            except Exception as e:
                raise CommandError("Could not set acl for %s: %s" % (file, e))
Пример #19
0
    def run(self, file, as_sddl=False,xattr_backend=None,eadb_file=None,
            credopts=None, sambaopts=None, versionopts=None):
        lp = sambaopts.get_loadparm()
        creds = credopts.get_credentials(lp)
	acl = getntacl(lp,file,xattr_backend,eadb_file)
        if as_sddl:
            anysid=security.dom_sid(security.SID_NT_SELF)
            print acl.info.as_sddl(anysid)
        else:
            acl.dump()
Пример #20
0
 def test_setntacl_getntacl_param(self):
     lp = LoadParm()
     open(self.tempf, 'w').write("empty")
     setntacl(lp, self.tempf, NTACL_SDDL, DOMAIN_SID, "tdb",
              os.path.join(self.tempdir, "eadbtest.tdb"))
     facl = getntacl(lp, self.tempf, "tdb", os.path.join(
         self.tempdir, "eadbtest.tdb"))
     domsid = security.dom_sid(security.SID_NT_SELF)
     self.assertEquals(facl.as_sddl(domsid), NTACL_SDDL)
     os.unlink(os.path.join(self.tempdir, "eadbtest.tdb"))
Пример #21
0
 def run(self, file, as_sddl=False, xattr_backend=None, eadb_file=None,
         credopts=None, sambaopts=None, versionopts=None):
     lp = sambaopts.get_loadparm()
     creds = credopts.get_credentials(lp)
     acl = getntacl(lp, file, xattr_backend, eadb_file)
     if as_sddl:
         anysid = security.dom_sid(security.SID_NT_SELF)
         print acl.info.as_sddl(anysid)
     else:
         acl.dump()
Пример #22
0
 def test_setntacl_smbd_getntacl(self):
     acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
     setntacl(self.lp,
              self.tempf,
              acl,
              "S-1-5-21-2212615479-2695158682-2101375467",
              use_ntvfs=True)
     facl = getntacl(self.lp, self.tempf, direct_db_access=True)
     anysid = security.dom_sid(security.SID_NT_SELF)
     self.assertEquals(facl.as_sddl(anysid), acl)
Пример #23
0
 def test_setntacl_smbd_getntacl_smbd_gpo(self):
     acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
     setntacl(self.lp,
              self.tempf,
              acl,
              "S-1-5-21-2212615479-2695158682-2101375467",
              use_ntvfs=False)
     facl = getntacl(self.lp, self.tempf, direct_db_access=False)
     domsid = security.dom_sid("S-1-5-21-2212615479-2695158682-2101375467")
     self.assertEquals(facl.as_sddl(domsid), acl)
Пример #24
0
    def run(self,
            file,
            use_ntvfs=False,
            use_s3fs=False,
            as_sddl=False,
            xattr_backend=None,
            eadb_file=None,
            credopts=None,
            sambaopts=None,
            versionopts=None,
            service=None):
        lp = sambaopts.get_loadparm()

        is_ad_dc = False
        server_role = lp.server_role()
        if server_role == "ROLE_ACTIVE_DIRECTORY_DC":
            is_ad_dc = True

        if not use_ntvfs and not use_s3fs:
            use_ntvfs = "smb" in lp.get("server services")
        elif use_s3fs:
            use_ntvfs = False

        s3conf = s3param.get_context()
        s3conf.load(lp.configfile)
        if is_ad_dc:
            try:
                samdb = SamDB(session_info=system_session(), lp=lp)
            except Exception as e:
                raise CommandError("Unable to open samdb:", e)

            # ensure we are using the right samba_dsdb passdb backend, no
            # matter what
            s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url)

        acl = getntacl(lp,
                       file,
                       xattr_backend,
                       eadb_file,
                       direct_db_access=use_ntvfs,
                       service=service,
                       session_info=system_session_unix())
        if as_sddl:
            try:
                if is_ad_dc:
                    domain_sid = security.dom_sid(samdb.domain_sid)
                else:
                    domain_sid = passdb.get_domain_sid()
            except:
                raise CommandError("Unable to read domain SID from "
                                   "configuration files")
            self.outf.write(acl.as_sddl(domain_sid) + "\n")
        else:
            self.outf.write(ndr_print(acl))
Пример #25
0
 def test_setntacl_getntacl(self):
     lp = LoadParm()
     acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
     open(self.tempf, 'w').write("empty")
     lp.set("posix:eadb", os.path.join(self.tempdir, "eadbtest.tdb"))
     setntacl(lp, self.tempf, acl,
              "S-1-5-21-2212615479-2695158682-2101375467")
     facl = getntacl(lp, self.tempf)
     anysid = security.dom_sid(security.SID_NT_SELF)
     self.assertEquals(facl.as_sddl(anysid), acl)
     os.unlink(os.path.join(self.tempdir, "eadbtest.tdb"))
Пример #26
0
    def test_setntacl_invalidate_getntacl(self):
        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)

        # This should invalidate the ACL, as we include the posix ACL in the hash
        (backend_obj, dbname) = checkset_backend(self.lp, None, None)
        backend_obj.wrap_setxattr(dbname, self.tempf, "system.fake_access_acl", "")

        # however, as this is direct DB access, we do not notice it
        facl = getntacl(self.lp, self.tempf, direct_db_access=True)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(acl, facl.as_sddl(anysid))
Пример #27
0
    def test_setntacl_invalidate_getntacl_smbd(self):
        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)

        # This should invalidate the ACL, as we include the posix ACL in the hash
        (backend_obj, dbname) = checkset_backend(self.lp, None, None)
        backend_obj.wrap_setxattr(dbname, self.tempf, "system.fake_access_acl", "")

        # the hash would break, and we return an ACL based only on the mode, except we set the ACL using the 'ntvfs' mode that doesn't include a hash
        facl = getntacl(self.lp, self.tempf)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(acl, facl.as_sddl(anysid))
Пример #28
0
    def test_setntacl_smbd_setposixacl_getntacl(self):
        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)

        # This will invalidate the ACL, as we have a hook!
        smbd.set_simple_acl(self.tempf, 0640)

        # However, this only asks the xattr
        try:
            facl = getntacl(self.lp, self.tempf, direct_db_access=True)
            self.assertTrue(False)
        except TypeError:
            pass
Пример #29
0
    def test_setntacl_smbd_setposixacl_getntacl(self):
        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)

        # This will invalidate the ACL, as we have a hook!
        smbd.set_simple_acl(self.tempf, 0640)

        # However, this only asks the xattr
        try:
            facl = getntacl(self.lp, self.tempf, direct_db_access=True)
            self.assertTrue(False)
        except TypeError:
            pass
Пример #30
0
    def test_setntacl_invalidate_getntacl_smbd(self):
        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)

        # This should invalidate the ACL, as we include the posix ACL in the hash
        (backend_obj, dbname) = checkset_backend(self.lp, None, None)
        backend_obj.wrap_setxattr(dbname,
                                  self.tempf, "system.fake_access_acl", "")

        #the hash would break, and we return an ACL based only on the mode, except we set the ACL using the 'ntvfs' mode that doesn't include a hash
        facl = getntacl(self.lp, self.tempf)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(acl, facl.as_sddl(anysid))
Пример #31
0
    def test_setntacl_invalidate_getntacl(self):
        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)

        # This should invalidate the ACL, as we include the posix ACL in the hash
        (backend_obj, dbname) = checkset_backend(self.lp, None, None)
        backend_obj.wrap_setxattr(dbname,
                                  self.tempf, "system.fake_access_acl", "")

        #however, as this is direct DB access, we do not notice it
        facl = getntacl(self.lp, self.tempf, direct_db_access=True)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(acl, facl.as_sddl(anysid))
Пример #32
0
 def test_setposixacl_group_getntacl_smbd(self):
     BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
     s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
     (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
     group_SID = s4_passdb.gid_to_sid(os.stat(self.tempf).st_gid)
     user_SID = s4_passdb.uid_to_sid(os.stat(self.tempf).st_uid)
     self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
     smbd.set_simple_acl(self.tempf, 0640, BA_gid)
     facl = getntacl(self.lp, self.tempf, direct_db_access=False)
     domsid = passdb.get_global_sam_sid()
     acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
     anysid = security.dom_sid(security.SID_NT_SELF)
     self.assertEquals(acl, facl.as_sddl(anysid))
Пример #33
0
 def test_setposixacl_group_getntacl_smbd(self):
     BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
     s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
     (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
     group_SID = s4_passdb.gid_to_sid(os.stat(self.tempf).st_gid)
     user_SID = s4_passdb.uid_to_sid(os.stat(self.tempf).st_uid)
     self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
     smbd.set_simple_acl(self.tempf, 0640, BA_gid)
     facl = getntacl(self.lp, self.tempf, direct_db_access=False)
     domsid = passdb.get_global_sam_sid()
     acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
     anysid = security.dom_sid(security.SID_NT_SELF)
     self.assertEquals(acl, facl.as_sddl(anysid))
Пример #34
0
class cmd_ntacl_get(Command):
    """Get ACLs of a file."""
    synopsis = "%prog <file> [options]"

    takes_optiongroups = {
        "sambaopts": options.SambaOptions,
        "credopts": options.CredentialsOptions,
        "versionopts": options.VersionOptions,
        }

    takes_options = [
        Option("--as-sddl", help="Output ACL in the SDDL format", action="store_true"),
        Option("--xattr-backend", type="choice", help="xattr backend type (native fs or tdb)",
               choices=["native","tdb"]),
        Option("--eadb-file", help="Name of the tdb file where attributes are stored", type="string"),
        Option("--use-ntvfs", help="Get the ACLs directly from the TDB or xattr used with the ntvfs file server", action="store_true"),
        Option("--use-s3fs", help="Get the ACLs for use via the VFS layer used by the default s3fs file server", action="store_true")
        ]

    takes_args = ["file"]

    def run(self, file, use_ntvfs=False, use_s3fs=False,
            as_sddl=False, xattr_backend=None, eadb_file=None,
            credopts=None, sambaopts=None, versionopts=None):
        lp = sambaopts.get_loadparm()
        try:
            samdb = SamDB(session_info=system_session(),
                          lp=lp)
        except Exception, e:
            raise CommandError("Unable to open samdb:", e)

        if not use_ntvfs and not use_s3fs:
            use_ntvfs = "smb" in lp.get("server services")
        elif use_s3fs:
            use_ntvfs = False


        s3conf = s3param.get_context()
        s3conf.load(lp.configfile)
        # ensure we are using the right samba_dsdb passdb backend, no matter what
        s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url)

        acl = getntacl(lp, file, xattr_backend, eadb_file, direct_db_access=use_ntvfs)
        if as_sddl:
            try:
                domain_sid = security.dom_sid(samdb.domain_sid)
            except:
                raise CommandError("Unable to read domain SID from configuration files")
            self.outf.write(acl.as_sddl(domain_sid)+"\n")
        else:
            self.outf.write(ndr_print(acl))
Пример #35
0
    def test_setntacl_invalidate_getntacl_smbd(self):
        acl = ACL
        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
                 session_info=self.get_session_info())

        # This should invalidate the ACL, as we include the posix ACL in the hash
        (backend_obj, dbname) = checkset_backend(self.lp, None, None)
        backend_obj.wrap_setxattr(dbname,
                                  self.tempf, "system.fake_access_acl", b"")

        #the hash would break, and we return an ACL based only on the mode, except we set the ACL using the 'ntvfs' mode that doesn't include a hash
        facl = getntacl(self.lp, self.tempf)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(acl, facl.as_sddl(anysid))
Пример #36
0
 def test_setntacl_getntacl_param(self):
     random.seed()
     lp = LoadParm()
     acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
     path = os.environ['SELFTEST_PREFIX']
     tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
     ntacl = xattr.NTACL()
     ntacl.version = 1
     open(tempf, 'w').write("empty")
     setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467","tdb",os.path.join(path,"eadbtest.tdb"))
     facl=getntacl(lp,tempf,"tdb",os.path.join(path,"eadbtest.tdb"))
     domsid=security.dom_sid(security.SID_NT_SELF)
     self.assertEquals(facl.info.as_sddl(domsid),acl)
     os.unlink(tempf)
Пример #37
0
    def test_setntacl_invalidate_getntacl(self):
        acl = ACL
        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True,
                 session_info=self.get_session_info())

        # This should invalidate the ACL, as we include the posix ACL in the hash
        (backend_obj, dbname) = checkset_backend(self.lp, None, None)
        backend_obj.wrap_setxattr(dbname,
                                  self.tempf, "system.fake_access_acl", b"")

        #however, as this is direct DB access, we do not notice it
        facl = getntacl(self.lp, self.tempf, direct_db_access=True)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(acl, facl.as_sddl(anysid))
Пример #38
0
    def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self):
        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;BA)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
        # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
        (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
        smbd.set_simple_acl(self.tempf, 0640, BA_gid)

        # This should re-calculate an ACL based on the posix details
        facl = getntacl(self.lp,self.tempf, direct_db_access=False)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
Пример #39
0
    def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self):
        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;BA)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
        # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
        (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
        smbd.set_simple_acl(self.tempf, 0640, BA_gid)

        # This should re-calculate an ACL based on the posix details
        facl = getntacl(self.lp,self.tempf, direct_db_access=False)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
Пример #40
0
    def test_setntacl_smbd_invalidate_getntacl_smbd(self):
        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
        os.chmod(self.tempf, 0o750)
        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)

        # This should invalidate the ACL, as we include the posix ACL in the hash
        (backend_obj, dbname) = checkset_backend(self.lp, None, None)
        backend_obj.wrap_setxattr(dbname, self.tempf, "system.fake_access_acl", "")

        # the hash will break, and we return an ACL based only on the mode
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
Пример #41
0
    def test_setntacl_smbd_invalidate_getntacl_smbd(self):
        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
        os.chmod(self.tempf, 0750)
        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)

        # This should invalidate the ACL, as we include the posix ACL in the hash
        (backend_obj, dbname) = checkset_backend(self.lp, None, None)
        backend_obj.wrap_setxattr(dbname,
                                  self.tempf, "system.fake_access_acl", "")

        #the hash will break, and we return an ACL based only on the mode
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
Пример #42
0
 def run(self,
         file,
         as_sddl=False,
         xattr_backend=None,
         eadb_file=None,
         credopts=None,
         sambaopts=None,
         versionopts=None):
     lp = sambaopts.get_loadparm()
     acl = getntacl(lp, file, xattr_backend, eadb_file)
     if as_sddl:
         anysid = security.dom_sid(security.SID_NT_SELF)
         self.outf.write(acl.info.as_sddl(anysid) + "\n")
     else:
         acl.dump()
Пример #43
0
    def test_setntacl_smbd_dont_invalidate_getntacl_smbd(self):
        # set an ACL on a tempfile
        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
        os.chmod(self.tempf, 0750)
        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)

        # now influence the POSIX ACL->SD mapping it returns something else than
        # what was set previously
        # this should not invalidate the hash and the complete ACL should still
        # be returned
        self.lp.set("profile acls", "yes")
        # we should still get back the ACL (and not one mapped from POSIX ACL)
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        self.lp.set("profile acls", "no")
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(acl, facl.as_sddl(anysid))
Пример #44
0
 def test_setntacl_getntacl_param(self):
     random.seed()
     lp = LoadParm()
     acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
     path = os.environ['SELFTEST_PREFIX']
     tempf = os.path.join(path,
                          "pytests" + str(int(100000 * random.random())))
     ntacl = xattr.NTACL()
     ntacl.version = 1
     open(tempf, 'w').write("empty")
     setntacl(lp, tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467",
              "tdb", os.path.join(path, "eadbtest.tdb"))
     facl = getntacl(lp, tempf, "tdb", os.path.join(path, "eadbtest.tdb"))
     domsid = security.dom_sid(security.SID_NT_SELF)
     self.assertEquals(facl.info.as_sddl(domsid), acl)
     os.unlink(tempf)
Пример #45
0
    def test_setntacl_smbd_dont_invalidate_getntacl_smbd(self):
        # set an ACL on a tempfile
        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
        os.chmod(self.tempf, 0750)
        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)

        # now influence the POSIX ACL->SD mapping it returns something else than
        # what was set previously
        # this should not invalidate the hash and the complete ACL should still
        # be returned
        self.lp.set("profile acls", "yes")
        # we should still get back the ACL (and not one mapped from POSIX ACL)
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        self.lp.set("profile acls", "no")
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(acl, facl.as_sddl(anysid))
Пример #46
0
    def test_setposixacl_dir_getntacl_smbd(self):
        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
        user_SID = s4_passdb.uid_to_sid(os.stat(self.tempdir).st_uid)
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
        (BA_id, BA_type) = s4_passdb.sid_to_id(BA_sid)
        self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
        SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
        (SO_id, SO_type) = s4_passdb.sid_to_id(SO_sid)
        self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
        smbd.chown(self.tempdir, BA_id, SO_id)
        smbd.set_simple_acl(self.tempdir, 0750)
        facl = getntacl(self.lp, self.tempdir, direct_db_access=False)
        acl = "O:BAG:SOD:(A;;0x001f01ff;;;BA)(A;;0x001200a9;;;SO)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)"

        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(acl, facl.as_sddl(anysid))
Пример #47
0
    def test_setposixacl_dir_getntacl_smbd(self):
        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
        user_SID = s4_passdb.uid_to_sid(os.stat(self.tempdir).st_uid)
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
        (BA_id,BA_type) = s4_passdb.sid_to_id(BA_sid)
        self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
        SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
        (SO_id,SO_type) = s4_passdb.sid_to_id(SO_sid)
        self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
        smbd.chown(self.tempdir, BA_id, SO_id)
        smbd.set_simple_acl(self.tempdir, 0750)
        facl = getntacl(self.lp, self.tempdir, direct_db_access=False)
        acl = "O:BAG:SOD:(A;;0x001f01ff;;;BA)(A;;0x001200a9;;;SO)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)"

        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEquals(acl, facl.as_sddl(anysid))
Пример #48
0
	def test_setntacl_getntacl(self):
		random.seed()
		lp=LoadParm()
		path=None
		try:
			path=os.environ['SELFTEST_PREFIX']
		except:
			self.assertTrue(path!=None, "SELFTEST_PREFIX env not set")
		acl="O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
		tempf=os.path.join(path,"pytests"+str(int(100000*random.random())))
		ntacl=xattr.NTACL()
		ntacl.version = 1
		open(tempf, 'w').write("empty")
		lp.set("posix:eadb",os.path.join(path,"eadbtest.tdb"))
		setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467")
		facl=getntacl(lp,tempf)
		anysid=security.dom_sid(security.SID_NT_SELF)
		self.assertEquals(facl.info.as_sddl(anysid),acl)
		os.unlink(tempf)
Пример #49
0
 def test_setntacl_smbd_getntacl_smbd_gpo(self):
     acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
     setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
     facl = getntacl(self.lp, self.tempf, direct_db_access=False)
     domsid = security.dom_sid("S-1-5-21-2212615479-2695158682-2101375467")
     self.assertEquals(facl.as_sddl(domsid),acl)
Пример #50
0
    def test_setntacl_policies_check_getposixacl(self):
        acl = provision.POLICIES_ACL

        domsid = passdb.get_global_sam_sid()
        setntacl(self.lp, self.tempf, acl, str(domsid), use_ntvfs=False)
        facl = getntacl(self.lp, self.tempf)
        self.assertEquals(facl.as_sddl(domsid), acl)
        posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

        LA_sid = security.dom_sid(
            str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
        SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
        AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
        PA_sid = security.dom_sid(
            str(domsid) + "-" + str(security.DOMAIN_RID_POLICY_ADMINS))

        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))

        # These assertions correct for current plugin_s4_dc selftest
        # configuration.  When other environments have a broad range of
        # groups mapped via passdb, we can relax some of these checks
        (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
        self.assertEquals(LA_type, idmap.ID_TYPE_UID)
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
        (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
        self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
        (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
        self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
        (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
        self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)
        (PA_gid, PA_type) = s4_passdb.sid_to_id(PA_sid)
        self.assertEquals(PA_type, idmap.ID_TYPE_BOTH)

        self.assertEquals(posix_acl.count, 15)

        self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEquals(posix_acl.acl[0].a_perm, 7)
        self.assertEquals(posix_acl.acl[0].info.gid, BA_gid)

        self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
        self.assertEquals(posix_acl.acl[1].a_perm, 6)
        self.assertEquals(posix_acl.acl[1].info.uid, LA_uid)

        self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
        self.assertEquals(posix_acl.acl[2].a_perm, 0)

        self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
        self.assertEquals(posix_acl.acl[3].a_perm, 6)

        self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_USER)
        self.assertEquals(posix_acl.acl[4].a_perm, 7)
        self.assertEquals(posix_acl.acl[4].info.uid, BA_gid)

        self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
        self.assertEquals(posix_acl.acl[5].a_perm, 7)

        self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_USER)
        self.assertEquals(posix_acl.acl[6].a_perm, 5)
        self.assertEquals(posix_acl.acl[6].info.uid, SO_gid)

        self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEquals(posix_acl.acl[7].a_perm, 5)
        self.assertEquals(posix_acl.acl[7].info.gid, SO_gid)

        self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_USER)
        self.assertEquals(posix_acl.acl[8].a_perm, 7)
        self.assertEquals(posix_acl.acl[8].info.uid, SY_gid)

        self.assertEquals(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEquals(posix_acl.acl[9].a_perm, 7)
        self.assertEquals(posix_acl.acl[9].info.gid, SY_gid)

        self.assertEquals(posix_acl.acl[10].a_type, smb_acl.SMB_ACL_USER)
        self.assertEquals(posix_acl.acl[10].a_perm, 5)
        self.assertEquals(posix_acl.acl[10].info.uid, AU_gid)

        self.assertEquals(posix_acl.acl[11].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEquals(posix_acl.acl[11].a_perm, 5)
        self.assertEquals(posix_acl.acl[11].info.gid, AU_gid)

        self.assertEquals(posix_acl.acl[12].a_type, smb_acl.SMB_ACL_USER)
        self.assertEquals(posix_acl.acl[12].a_perm, 7)
        self.assertEquals(posix_acl.acl[12].info.uid, PA_gid)

        self.assertEquals(posix_acl.acl[13].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEquals(posix_acl.acl[13].a_perm, 7)
        self.assertEquals(posix_acl.acl[13].info.gid, PA_gid)

        self.assertEquals(posix_acl.acl[14].a_type, smb_acl.SMB_ACL_MASK)
        self.assertEquals(posix_acl.acl[14].a_perm, 7)
Пример #51
0
    def test_setntacl_policies_check_getposixacl(self):
        acl = provision.POLICIES_ACL

        domsid = passdb.get_global_sam_sid()
        setntacl(self.lp, self.tempf, acl, str(domsid), use_ntvfs=False)
        facl = getntacl(self.lp, self.tempf)
        self.assertEquals(facl.as_sddl(domsid),acl)
        posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

        nwrap_module_so_path = os.getenv('NSS_WRAPPER_MODULE_SO_PATH')
        nwrap_module_fn_prefix = os.getenv('NSS_WRAPPER_MODULE_FN_PREFIX')

        nwrap_winbind_active = (nwrap_module_so_path != "" and
                nwrap_module_fn_prefix == "winbind")

        LA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_ADMINISTRATOR))
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
        SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
        AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
        PA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_POLICY_ADMINS))

        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))

        # These assertions correct for current ad_dc selftest
        # configuration.  When other environments have a broad range of
        # groups mapped via passdb, we can relax some of these checks
        (LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid)
        self.assertEquals(LA_type, idmap.ID_TYPE_UID)
        (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
        self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
        (SO_gid,SO_type) = s4_passdb.sid_to_id(SO_sid)
        self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
        (SY_gid,SY_type) = s4_passdb.sid_to_id(SY_sid)
        self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
        (AU_gid,AU_type) = s4_passdb.sid_to_id(AU_sid)
        self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)
        (PA_gid,PA_type) = s4_passdb.sid_to_id(PA_sid)
        self.assertEquals(PA_type, idmap.ID_TYPE_BOTH)

        self.assertEquals(posix_acl.count, 15, self.print_posix_acl(posix_acl))

        self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEquals(posix_acl.acl[0].a_perm, 7)
        self.assertEquals(posix_acl.acl[0].info.gid, BA_gid)

        self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
        if nwrap_winbind_active:
            self.assertEquals(posix_acl.acl[1].a_perm, 7)
        else:
            self.assertEquals(posix_acl.acl[1].a_perm, 6)
        self.assertEquals(posix_acl.acl[1].info.uid, LA_uid)

        self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
        self.assertEquals(posix_acl.acl[2].a_perm, 0)

        self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
        if nwrap_winbind_active:
            self.assertEquals(posix_acl.acl[3].a_perm, 7)
        else:
            self.assertEquals(posix_acl.acl[3].a_perm, 6)

        self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_USER)
        self.assertEquals(posix_acl.acl[4].a_perm, 7)
        self.assertEquals(posix_acl.acl[4].info.uid, BA_gid)

        self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
        self.assertEquals(posix_acl.acl[5].a_perm, 7)

        self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_USER)
        self.assertEquals(posix_acl.acl[6].a_perm, 5)
        self.assertEquals(posix_acl.acl[6].info.uid, SO_gid)

        self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEquals(posix_acl.acl[7].a_perm, 5)
        self.assertEquals(posix_acl.acl[7].info.gid, SO_gid)

        self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_USER)
        self.assertEquals(posix_acl.acl[8].a_perm, 7)
        self.assertEquals(posix_acl.acl[8].info.uid, SY_gid)

        self.assertEquals(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEquals(posix_acl.acl[9].a_perm, 7)
        self.assertEquals(posix_acl.acl[9].info.gid, SY_gid)

        self.assertEquals(posix_acl.acl[10].a_type, smb_acl.SMB_ACL_USER)
        self.assertEquals(posix_acl.acl[10].a_perm, 5)
        self.assertEquals(posix_acl.acl[10].info.uid, AU_gid)

        self.assertEquals(posix_acl.acl[11].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEquals(posix_acl.acl[11].a_perm, 5)
        self.assertEquals(posix_acl.acl[11].info.gid, AU_gid)

        self.assertEquals(posix_acl.acl[12].a_type, smb_acl.SMB_ACL_USER)
        self.assertEquals(posix_acl.acl[12].a_perm, 7)
        self.assertEquals(posix_acl.acl[12].info.uid, PA_gid)

        self.assertEquals(posix_acl.acl[13].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEquals(posix_acl.acl[13].a_perm, 7)
        self.assertEquals(posix_acl.acl[13].info.gid, PA_gid)

        self.assertEquals(posix_acl.acl[14].a_type, smb_acl.SMB_ACL_MASK)
        self.assertEquals(posix_acl.acl[14].a_perm, 7)
Пример #52
0
 def test_setntacl_smbd_getntacl(self):
     acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
     setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
     facl = getntacl(self.lp, self.tempf, direct_db_access=True)
     anysid = security.dom_sid(security.SID_NT_SELF)
     self.assertEquals(facl.as_sddl(anysid),acl)
Пример #53
0
    def test_setntacl_sysvol_dir_check_getposixacl(self):
        acl = provision.SYSVOL_ACL
        domsid = passdb.get_global_sam_sid()
        setntacl(self.lp, self.tempdir,acl,str(domsid), use_ntvfs=False)
        facl = getntacl(self.lp, self.tempdir)
        self.assertEquals(facl.as_sddl(domsid),acl)
        posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)

        LA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_ADMINISTRATOR))
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
        SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
        AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)

        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))

        # These assertions correct for current ad_dc selftest
        # configuration.  When other environments have a broad range of
        # groups mapped via passdb, we can relax some of these checks
        (LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid)
        self.assertEquals(LA_type, idmap.ID_TYPE_UID)
        (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
        self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
        (SO_gid,SO_type) = s4_passdb.sid_to_id(SO_sid)
        self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
        (SY_gid,SY_type) = s4_passdb.sid_to_id(SY_sid)
        self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
        (AU_gid,AU_type) = s4_passdb.sid_to_id(AU_sid)
        self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)

        self.assertEquals(posix_acl.count, 13, self.print_posix_acl(posix_acl))

        self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEquals(posix_acl.acl[0].a_perm, 7)
        self.assertEquals(posix_acl.acl[0].info.gid, BA_gid)

        self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
        self.assertEquals(posix_acl.acl[1].a_perm, 7)
        self.assertEquals(posix_acl.acl[1].info.uid, LA_uid)

        self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
        self.assertEquals(posix_acl.acl[2].a_perm, 0)

        self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
        self.assertEquals(posix_acl.acl[3].a_perm, 7)

        self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_USER)
        self.assertEquals(posix_acl.acl[4].a_perm, 7)
        self.assertEquals(posix_acl.acl[4].info.uid, BA_gid)

        self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
        self.assertEquals(posix_acl.acl[5].a_perm, 7)

        self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_USER)
        self.assertEquals(posix_acl.acl[6].a_perm, 5)
        self.assertEquals(posix_acl.acl[6].info.uid, SO_gid)

        self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEquals(posix_acl.acl[7].a_perm, 5)
        self.assertEquals(posix_acl.acl[7].info.gid, SO_gid)

        self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_USER)
        self.assertEquals(posix_acl.acl[8].a_perm, 7)
        self.assertEquals(posix_acl.acl[8].info.uid, SY_gid)

        self.assertEquals(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEquals(posix_acl.acl[9].a_perm, 7)
        self.assertEquals(posix_acl.acl[9].info.gid, SY_gid)

        self.assertEquals(posix_acl.acl[10].a_type, smb_acl.SMB_ACL_USER)
        self.assertEquals(posix_acl.acl[10].a_perm, 5)
        self.assertEquals(posix_acl.acl[10].info.uid, AU_gid)

        self.assertEquals(posix_acl.acl[11].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEquals(posix_acl.acl[11].a_perm, 5)
        self.assertEquals(posix_acl.acl[11].info.gid, AU_gid)

        self.assertEquals(posix_acl.acl[12].a_type, smb_acl.SMB_ACL_MASK)
        self.assertEquals(posix_acl.acl[12].a_perm, 7)