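def test_set_tdb_not_open(self):
    """wrap_setxattr must raise IOError when the xattr tdb cannot be opened."""
    tempf = self._tmpfilename()
    ntacl = xattr.NTACL()
    ntacl.version = 1
    # Close the handle explicitly; the original relied on refcount finalisation
    # of a temporary file object.
    with open(tempf, 'w') as f:
        f.write("empty")
    try:
        self.assertRaises(IOError, samba.xattr_tdb.wrap_setxattr,
                          os.path.join("nonexistent", "eadb.tdb"), tempf,
                          "user.unittests", ndr_pack(ntacl))
    finally:
        os.unlink(tempf)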
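def test_set_xattr_tdb(self):
    """Store an xattr through the tdb backend and remove both scratch files."""
    tempf = self._tmpfilename()
    eadb_path = self._eadbpath()
    ntacl = xattr.NTACL()
    ntacl.version = 1
    with open(tempf, 'w') as f:
        f.write("empty")
    try:
        samba.xattr_tdb.wrap_setxattr(eadb_path, tempf, "user.unittests", ndr_pack(ntacl))
    finally:
        os.unlink(tempf)
        # The tdb only exists if wrap_setxattr got as far as creating it; an
        # unconditional unlink here would mask the real failure with ENOENT.
        if os.path.exists(eadb_path):
            os.unlink(eadb_path)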
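def test_setntacl_invalidbackend(self):
    """An unknown backend name is rejected with XattrBackendError."""
    import tempfile
    lp = LoadParm()
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    path = os.environ['SELFTEST_PREFIX']
    # mkstemp creates the scratch file exclusively with an unguessable name in
    # the selftest prefix, instead of "pytests" + random number opened with a
    # plain open(..., 'w').
    fd, tempf = tempfile.mkstemp(prefix="pytests", dir=path)
    with os.fdopen(fd, 'w') as f:
        f.write("empty")
    try:
        self.assertRaises(XattrBackendError, setntacl, lp, tempf, acl,
                          "S-1-5-21-2212615479-2695158682-2101375467", "ttdb",
                          os.path.join(path, "eadbtest.tdb"))
    finally:
        # The original never removed its scratch file.
        os.unlink(tempf)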
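def test_set_xattr_native(self):
    """Store an NTACL through the native xattr backend, skipping where unsupported."""
    if not samba.xattr_native.is_xattr_supported():
        raise SkipTest()
    ntacl = xattr.NTACL()
    ntacl.version = 1
    tempf = self._tmpfilename()
    with open(tempf, 'w') as f:
        f.write("empty")
    try:
        samba.xattr_native.wrap_setxattr(tempf, "user.unittests", ndr_pack(ntacl))
    except IOError:
        # The filesystem under the selftest tree may not allow user xattrs.
        raise SkipTest("the filesystem where the tests are runned do not support XATTR")
    finally:
        # The original left the scratch file behind whenever the test was skipped.
        os.unlink(tempf)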
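def test_setntacl(self):
    """setntacl() with the xattr tdb selected via the posix:eadb parameter."""
    import tempfile
    lp = LoadParm()
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    # mkstemp creates the scratch file exclusively with an unguessable name in
    # the selftest prefix, instead of "pytests" + random number opened with a
    # plain open(..., 'w').
    fd, tempf = tempfile.mkstemp(prefix="pytests", dir=path)
    with os.fdopen(fd, 'w') as f:
        f.write("empty")
    lp.set("posix:eadb", os.path.join(path, "eadbtest.tdb"))
    try:
        setntacl(lp, tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467")
    finally:
        # Remove the scratch file even when setntacl raises.
        os.unlink(tempf)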
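def test_setntacl_getntacl_param(self):
    """An ACL stored with the explicit tdb backend reads back as the same SDDL."""
    import tempfile
    lp = LoadParm()
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    path = os.environ['SELFTEST_PREFIX']
    eadb = os.path.join(path, "eadbtest.tdb")
    # mkstemp creates the scratch file exclusively with an unguessable name in
    # the selftest prefix, instead of "pytests" + random number opened with a
    # plain open(..., 'w').
    fd, tempf = tempfile.mkstemp(prefix="pytests", dir=path)
    with os.fdopen(fd, 'w') as f:
        f.write("empty")
    try:
        setntacl(lp, tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", "tdb", eadb)
        facl = getntacl(lp, tempf, "tdb", eadb)
        # Render relative to SID_NT_SELF so the round-tripped SDDL matches the input text.
        domsid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(facl.info.as_sddl(domsid), acl)
    finally:
        # Remove the scratch file even when the assertion fails.
        os.unlink(tempf)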
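def test_setntacl_forcenative(self):
    """Forcing the native backend as an unprivileged user is expected to fail."""
    if os.getuid() == 0:
        raise TestSkipped("Running test as root, test skipped")
    import tempfile
    lp = LoadParm()
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    path = os.environ['SELFTEST_PREFIX']
    # mkstemp creates the scratch file exclusively with an unguessable name in
    # the selftest prefix, instead of "pytests" + random number opened with a
    # plain open(..., 'w').
    fd, tempf = tempfile.mkstemp(prefix="pytests", dir=path)
    with os.fdopen(fd, 'w') as f:
        f.write("empty")
    lp.set("posix:eadb", os.path.join(path, "eadbtest.tdb"))
    try:
        # Any exception type is accepted, as in the original assertion.
        self.assertRaises(Exception, setntacl, lp, tempf, acl,
                          "S-1-5-21-2212615479-2695158682-2101375467", "native")
    finally:
        # Remove the scratch file even when the assertion fails.
        os.unlink(tempf)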
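def setntacl(lp, file, sddl, domsid, backend=None, eadbfile=None):
    """Store an NT ACL on *file* as an NDR-packed NTACL xattr.

    :param lp: LoadParm handed to checkset_backend() to pick the xattr store
    :param file: path of the file or directory to label
    :param sddl: security descriptor in SDDL form
    :param domsid: domain SID string; relative SIDs in *sddl* resolve against it
    :param backend: optional backend name passed to checkset_backend()
    :param eadbfile: optional xattr tdb path passed to checkset_backend()
    """
    eadbname = checkset_backend(lp, backend, eadbfile)
    sid = security.dom_sid(domsid)
    ntacl = xattr.NTACL()
    ntacl.version = 1
    ntacl.info = security.descriptor.from_sddl(sddl, sid)
    # Pack once; both backends store the same blob.
    blob = ndr_pack(ntacl)
    if eadbname is None:
        samba.xattr_native.wrap_setxattr(file, xattr.XATTR_NTACL_NAME, blob)
        return
    try:
        samba.xattr_tdb.wrap_setxattr(eadbname, file, xattr.XATTR_NTACL_NAME, blob)
    except (IOError, OSError):
        # Only a failure to open the xattr tdb (reported as IOError by
        # wrap_setxattr, see test_set_tdb_not_open) falls back to the native
        # store.  The former catch-all also swallowed programming errors and
        # could quietly place the ACL somewhere other than the configured eadb.
        print("Fail to open %s" % eadbname)
        samba.xattr_native.wrap_setxattr(file, xattr.XATTR_NTACL_NAME, blob)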
def setntacl(lp, file, sddl, domsid, backend=None, eadbfile=None, use_ntvfs=True, skip_invalid_chown=False, passdb=None):
    """Set the NT ACL of *file*, either as an NTVFS xattr blob or through smbd.

    :param lp: LoadParm, passed to checkset_backend() on the NTVFS path
    :param file: path of the file or directory
    :param sddl: SDDL string or security.descriptor
    :param domsid: domain SID string or security.dom_sid; relative SIDs in
        *sddl* are resolved against it
    :param backend: optional xattr backend name (NTVFS path only)
    :param eadbfile: optional xattr tdb path (NTVFS path only)
    :param use_ntvfs: store the descriptor as an NTACL xattr instead of
        asking smbd to apply it; may be switched on below for the
        domain-admins owner case
    :param skip_invalid_chown: with use_ntvfs False, handle owners that have
        no UID instead of letting smbd fail
    :param passdb: passdb used for sid_to_id() when skip_invalid_chown is set
    :raises XattrBackendError: if the domain administrator SID has no UID
    """
    # NOTE(review): assert is stripped under python -O, so these two checks
    # are not a reliable guard on caller input; an unexpected type then falls
    # through both isinstance branches and leaves sid / sd unbound.
    assert(isinstance(domsid, str) or isinstance(domsid, security.dom_sid))
    if isinstance(domsid, str):
        sid = security.dom_sid(domsid)
    elif isinstance(domsid, security.dom_sid):
        sid = domsid
        domsid = str(sid)
    assert(isinstance(sddl, str) or isinstance(sddl, security.descriptor))
    if isinstance(sddl, str):
        sd = security.descriptor.from_sddl(sddl, sid)
    elif isinstance(sddl, security.descriptor):
        sd = sddl
        sddl = sd.as_sddl(sid)
    if not use_ntvfs and skip_invalid_chown:
        # Check if the owner can be resolved as a UID
        (owner_id, owner_type) = passdb.sid_to_id(sd.owner_sid)
        if ((owner_type != idmap.ID_TYPE_UID) and (owner_type != idmap.ID_TYPE_BOTH)):
            # Check if this particular owner SID was domain admins,
            # because we special-case this as mapping to
            # 'administrator' instead.
            if sd.owner_sid == security.dom_sid("%s-%d" % (domsid, security.DOMAIN_RID_ADMINS)):
                administrator = security.dom_sid("%s-%d" % (domsid, security.DOMAIN_RID_ADMINISTRATOR))
                (admin_id, admin_type) = passdb.sid_to_id(administrator)
                # Confirm we have a UID for administrator
                if ((admin_type == idmap.ID_TYPE_UID) or (admin_type == idmap.ID_TYPE_BOTH)):
                    # Set it, changing the owner to 'administrator' rather than domain admins
                    # NOTE(review): sd2 is the same object as sd, so the owner
                    # change also ends up in the NTACL blob written below, not
                    # only in the ACL smbd applies here -- confirm intended.
                    sd2 = sd
                    sd2.owner_sid = administrator
                    smbd.set_nt_acl(file, security.SECINFO_OWNER |security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd2)
                    # and then set an NTVFS ACL (which does not set the posix ACL) to pretend the owner really was set
                    use_ntvfs = True
                else:
                    raise XattrBackendError("Unable to find UID for domain administrator %s, got id %d of type %d" % (administrator, admin_id, admin_type))
            else:
                # For all other owning users, reset the owner to root
                # and then set the ACL without changing the owner
                #
                # This won't work in test environments, as it tries a real (rather than xattr-based fake) chown
                os.chown(file, 0, 0)
                # SECINFO_OWNER is deliberately left out: the owner stays root.
                smbd.set_nt_acl(file, security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd)
    if use_ntvfs:
        (backend_obj, dbname) = checkset_backend(lp, backend, eadbfile)
        ntacl = xattr.NTACL()
        ntacl.version = 1
        ntacl.info = sd
        if dbname is not None:
            try:
                backend_obj.wrap_setxattr(dbname, file, xattr.XATTR_NTACL_NAME, ndr_pack(ntacl))
            except Exception:
                # FIXME: Don't catch all exceptions, just those related to opening
                # xattrdb
                # NOTE(review): any failure here falls back to the native xattr
                # store, so the ACL may land somewhere other than the configured
                # eadb; the printed line is the only signal that this happened.
                print "Fail to open %s" % dbname
                samba.xattr_native.wrap_setxattr(file, xattr.XATTR_NTACL_NAME, ndr_pack(ntacl))
        else:
            samba.xattr_native.wrap_setxattr(file, xattr.XATTR_NTACL_NAME, ndr_pack(ntacl))
    else:
        # Non-NTVFS path: let smbd apply the full descriptor, owner included.
        smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd)
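def t(dir_id, sddl):
    """Store NTACL blobs for directory *dir_id* and drop its subtree from redis.

    Three descriptors are derived from *sddl*: the directory's own, the
    inherited form for sub-folders ("D:AI", ACEs flagged OICIID) and the
    inherited form for files ("D:AI", ACEs flagged ID).  They are handed to
    the func_update_ntacl stored procedure; func_get_tree then yields the ids
    of the affected subtree, each of which is deleted from redis.

    :param dir_id: id of the directory row to update
    :param sddl: SDDL string of the directory's own ACL
    :raises psycopg2.Error: if the database connection cannot be established
    """
    print('start!')
    print(sddl)
    sddl_sub_folder = sddl.replace("D:PAI", "D:AI").replace("A;OICI", "A;OICIID")
    print(sddl_sub_folder)
    sddl_file = sddl.replace("D:PAI", "D:AI").replace("A;OICI", "A;ID")
    print(sddl_file)
    sid = security.dom_sid("S-1-5-21-3874029520-2253553080-878871061")
    print(str(sid))

    def _pack(descriptor_sddl):
        # Wrap a descriptor in a version-1 NTACL and NDR-pack it.
        ntacl = xattr.NTACL()
        ntacl.version = 1
        ntacl.info = security.descriptor.from_sddl(descriptor_sddl, sid)
        return ndr_pack(ntacl)

    ndrpack_root = _pack(sddl)
    ndrpack_subfolder = _pack(sddl_sub_folder)
    ndrpack_file = _pack(sddl_file)

    # NOTE(review): credentials are embedded in the DSN; libpq can read them
    # from PGPASSWORD, ~/.pgpass or a service file instead, keeping them out
    # of the source tree.
    try:
        conn = psycopg2.connect(
            "dbname='lportal' user='******' host='localhost' password='******'"
        )
    except psycopg2.Error:
        # The original swallowed this and then died on an unbound `conn`.
        print("I am unable to connect to the database.")
        raise

    qid = dir_id
    ids = ""
    try:
        cur = conn.cursor()
        try:
            cur.callproc("func_update_ntacl", (
                qid,
                psycopg2.Binary(ndrpack_root),
                psycopg2.Binary(ndrpack_subfolder),
                psycopg2.Binary(ndrpack_file),
            ))
        except psycopg2.Error:
            # Best effort, as before: report and carry on to the tree lookup.
            print("I can't call func_update_ntacl")
        conn.commit()
        cur.close()

        cur = conn.cursor()
        row = None
        try:
            cur.callproc("func_get_tree", (qid, ))
            row = cur.fetchone()
        except psycopg2.Error:
            # The original reported this failure under the wrong procedure name.
            print("I can't call func_get_tree")
        conn.commit()
        cur.close()
        # An empty result or a NULL first column means nothing to invalidate.
        if row and row[0]:
            ids = row[0]
    finally:
        conn.close()

    import redis
    r = redis.StrictRedis(host='localhost', port=6379, db=0)
    # func_get_tree hands back the subtree ids as one space-separated string.
    for x in ids.split(" "):
        if x:
            r.delete(x)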
"A;OICI;", "A;OICIID;") print('dir - ' + sddl_result) else: sddl_result = sddlParent.replace("D:PAI", "D:AI").replace( "A;OICI;", "A;ID;").replace("A;OICIID;", "A;ID;") print('file - ' + sddl_result) # Save generated sddl to db sid = security.dom_sid("S-1-5-21-3874029520-2253553080-878871061") try: sd_root = security.descriptor.from_sddl(sddl_result, sid) except Exception, e: print str(e) ntacl_root = xattr.NTACL() ntacl_root.version = 1 ntacl_root.info = sd_root ndrpack_root = ndr_pack(ntacl_root) cur = conn.cursor() #updateValInXattr = "UPDATE xattr SET val=%s WHERE name='security.NTACL' and dir_id =%s;" try: cur.execute( "DELETE from xattr where name='security.NTACL' and dir_id =%s;", (id, )) except: print "I can't updateValInXattr" updateValInXattr = "INSERT INTO xattr(dir_id, name, val) VALUES(%s, %s, %s)"