1 # Unix SMB/CIFS implementation. Tests for NT and posix ACL manipulation
2 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
3 # Copyright (C) Andrew Bartlett 2012
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 """Tests for the Samba3 NT -> posix ACL layer"""
21 from samba.ntacls import setntacl, getntacl, checkset_backend
22 from samba.dcerpc import security, smb_acl, idmap
23 from samba.tests.smbd_base import SmbdBaseTests
24 from samba import provision
26 from samba.samba3 import smbd, passdb
27 from samba.samba3 import param as s3param
28 from samba import auth
29 from samba.samdb import SamDB
31 DOM_SID = "S-1-5-21-2212615479-2695158682-2101375467"
32 ACL = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
35 class PosixAclMappingTests(SmbdBaseTests):
38 super(PosixAclMappingTests, self).setUp()
39 s3conf = s3param.get_context()
40 s3conf.load(self.get_loadparm().configfile)
41 s3conf.set("xattr_tdb:file", os.path.join(self.tempdir, "xattr.tdb"))
43 self.tempf = os.path.join(self.tempdir, "test")
44 open(self.tempf, 'w').write("empty")
45 self.samdb = SamDB(lp=self.lp, session_info=auth.system_session())
48 smbd.unlink(self.tempf)
49 os.unlink(os.path.join(self.tempdir, "xattr.tdb"))
50 super(PosixAclMappingTests, self).tearDown()
52 def get_session_info(self, domsid=DOM_SID):
54 Get session_info for setntacl.
56 This test case always return None, to run tests without session_info
57 like before. To be overridden in derived class.
61 def print_posix_acl(self, posix_acl):
63 for entry in posix_acl.acl:
64 aclstr += "a_type: %d\n" % entry.a_type
65 aclstr += "a_perm: %o\n" % entry.a_perm
66 if entry.a_type == smb_acl.SMB_ACL_USER:
67 aclstr += "uid: %d\n" % entry.info.uid
68 if entry.a_type == smb_acl.SMB_ACL_GROUP:
69 aclstr += "gid: %d\n" % entry.info.gid
72 def test_setntacl(self):
74 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
75 session_info=self.get_session_info())
77 def test_setntacl_smbd_getntacl(self):
79 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True,
80 session_info=self.get_session_info())
81 facl = getntacl(self.lp, self.tempf, direct_db_access=True)
82 anysid = security.dom_sid(security.SID_NT_SELF)
83 self.assertEquals(facl.as_sddl(anysid), acl)
85 def test_setntacl_smbd_setposixacl_getntacl(self):
87 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True,
88 session_info=self.get_session_info())
90 # This will invalidate the ACL, as we have a hook!
91 smbd.set_simple_acl(self.tempf, 0o640)
93 # However, this only asks the xattr
95 TypeError, getntacl, self.lp, self.tempf, direct_db_access=True)
97 def test_setntacl_invalidate_getntacl(self):
99 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True,
100 session_info=self.get_session_info())
102 # This should invalidate the ACL, as we include the posix ACL in the hash
103 (backend_obj, dbname) = checkset_backend(self.lp, None, None)
104 backend_obj.wrap_setxattr(dbname,
105 self.tempf, "system.fake_access_acl", b"")
107 # however, as this is direct DB access, we do not notice it
108 facl = getntacl(self.lp, self.tempf, direct_db_access=True)
109 anysid = security.dom_sid(security.SID_NT_SELF)
110 self.assertEquals(acl, facl.as_sddl(anysid))
112 def test_setntacl_invalidate_getntacl_smbd(self):
114 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
115 session_info=self.get_session_info())
117 # This should invalidate the ACL, as we include the posix ACL in the hash
118 (backend_obj, dbname) = checkset_backend(self.lp, None, None)
119 backend_obj.wrap_setxattr(dbname,
120 self.tempf, "system.fake_access_acl", b"")
122 # the hash would break, and we return an ACL based only on the mode, except we set the ACL using the 'ntvfs' mode that doesn't include a hash
123 facl = getntacl(self.lp, self.tempf)
124 anysid = security.dom_sid(security.SID_NT_SELF)
125 self.assertEquals(acl, facl.as_sddl(anysid))
127 def test_setntacl_smbd_invalidate_getntacl_smbd(self):
129 simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
130 os.chmod(self.tempf, 0o750)
131 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
132 session_info=self.get_session_info())
134 # This should invalidate the ACL, as we include the posix ACL in the hash
135 (backend_obj, dbname) = checkset_backend(self.lp, None, None)
136 backend_obj.wrap_setxattr(dbname,
137 self.tempf, "system.fake_access_acl", b"")
139 # the hash will break, and we return an ACL based only on the mode
140 facl = getntacl(self.lp, self.tempf, direct_db_access=False)
141 anysid = security.dom_sid(security.SID_NT_SELF)
142 self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
144 def test_setntacl_getntacl_smbd(self):
146 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True,
147 session_info=self.get_session_info())
148 facl = getntacl(self.lp, self.tempf, direct_db_access=False)
149 anysid = security.dom_sid(security.SID_NT_SELF)
150 self.assertEquals(facl.as_sddl(anysid), acl)
152 def test_setntacl_smbd_getntacl_smbd(self):
154 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
155 session_info=self.get_session_info())
156 facl = getntacl(self.lp, self.tempf, direct_db_access=False)
157 anysid = security.dom_sid(security.SID_NT_SELF)
158 self.assertEquals(facl.as_sddl(anysid), acl)
160 def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
162 simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
163 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
164 session_info=self.get_session_info())
165 # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
166 smbd.set_simple_acl(self.tempf, 0o640)
167 facl = getntacl(self.lp, self.tempf, direct_db_access=False)
168 anysid = security.dom_sid(security.SID_NT_SELF)
169 self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
171 def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self):
173 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
174 simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;BA)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
175 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
176 session_info=self.get_session_info())
177 # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
178 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
179 (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
180 smbd.set_simple_acl(self.tempf, 0o640, BA_gid)
182 # This should re-calculate an ACL based on the posix details
183 facl = getntacl(self.lp, self.tempf, direct_db_access=False)
184 anysid = security.dom_sid(security.SID_NT_SELF)
185 self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
187 def test_setntacl_smbd_getntacl_smbd_gpo(self):
188 acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
189 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
190 session_info=self.get_session_info())
191 facl = getntacl(self.lp, self.tempf, direct_db_access=False)
192 domsid = security.dom_sid(DOM_SID)
193 self.assertEquals(facl.as_sddl(domsid), acl)
195 def test_setntacl_getposixacl(self):
197 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
198 session_info=self.get_session_info())
199 facl = getntacl(self.lp, self.tempf)
200 anysid = security.dom_sid(security.SID_NT_SELF)
201 self.assertEquals(facl.as_sddl(anysid), acl)
202 posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
204 def test_setposixacl_getntacl(self):
205 smbd.set_simple_acl(self.tempf, 0o750)
206 # We don't expect the xattr to be filled in in this case
207 self.assertRaises(TypeError, getntacl, self.lp, self.tempf)
209 def test_setposixacl_getntacl_smbd(self):
210 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
211 group_SID = s4_passdb.gid_to_sid(os.stat(self.tempf).st_gid)
212 user_SID = s4_passdb.uid_to_sid(os.stat(self.tempf).st_uid)
213 smbd.set_simple_acl(self.tempf, 0o640)
214 facl = getntacl(self.lp, self.tempf, direct_db_access=False)
215 acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
216 anysid = security.dom_sid(security.SID_NT_SELF)
217 self.assertEquals(acl, facl.as_sddl(anysid))
219 def test_setposixacl_dir_getntacl_smbd(self):
220 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
221 user_SID = s4_passdb.uid_to_sid(os.stat(self.tempdir).st_uid)
222 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
223 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
224 (BA_id, BA_type) = s4_passdb.sid_to_id(BA_sid)
225 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
226 SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
227 (SO_id, SO_type) = s4_passdb.sid_to_id(SO_sid)
228 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
229 smbd.chown(self.tempdir, BA_id, SO_id)
230 smbd.set_simple_acl(self.tempdir, 0o750)
231 facl = getntacl(self.lp, self.tempdir, direct_db_access=False)
232 acl = "O:BAG:SOD:(A;;0x001f01ff;;;BA)(A;;0x001200a9;;;SO)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)"
234 anysid = security.dom_sid(security.SID_NT_SELF)
235 self.assertEquals(acl, facl.as_sddl(anysid))
237 def test_setposixacl_group_getntacl_smbd(self):
238 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
239 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
240 (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
241 group_SID = s4_passdb.gid_to_sid(os.stat(self.tempf).st_gid)
242 user_SID = s4_passdb.uid_to_sid(os.stat(self.tempf).st_uid)
243 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
244 smbd.set_simple_acl(self.tempf, 0o640, BA_gid)
245 facl = getntacl(self.lp, self.tempf, direct_db_access=False)
246 domsid = passdb.get_global_sam_sid()
247 acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
248 anysid = security.dom_sid(security.SID_NT_SELF)
249 self.assertEquals(acl, facl.as_sddl(anysid))
251 def test_setposixacl_getposixacl(self):
252 smbd.set_simple_acl(self.tempf, 0o640)
253 posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
254 self.assertEquals(posix_acl.count, 4, self.print_posix_acl(posix_acl))
256 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_USER_OBJ)
257 self.assertEquals(posix_acl.acl[0].a_perm, 6)
259 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
260 self.assertEquals(posix_acl.acl[1].a_perm, 4)
262 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
263 self.assertEquals(posix_acl.acl[2].a_perm, 0)
265 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_MASK)
266 self.assertEquals(posix_acl.acl[3].a_perm, 7)
268 def test_setposixacl_dir_getposixacl(self):
269 smbd.set_simple_acl(self.tempdir, 0o750)
270 posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)
271 self.assertEquals(posix_acl.count, 4, self.print_posix_acl(posix_acl))
273 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_USER_OBJ)
274 self.assertEquals(posix_acl.acl[0].a_perm, 7)
276 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
277 self.assertEquals(posix_acl.acl[1].a_perm, 5)
279 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
280 self.assertEquals(posix_acl.acl[2].a_perm, 0)
282 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_MASK)
283 self.assertEquals(posix_acl.acl[3].a_perm, 7)
285 def test_setposixacl_group_getposixacl(self):
286 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
287 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
288 (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
289 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
290 smbd.set_simple_acl(self.tempf, 0o670, BA_gid)
291 posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
293 self.assertEquals(posix_acl.count, 5, self.print_posix_acl(posix_acl))
295 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_USER_OBJ)
296 self.assertEquals(posix_acl.acl[0].a_perm, 6)
298 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
299 self.assertEquals(posix_acl.acl[1].a_perm, 7)
301 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
302 self.assertEquals(posix_acl.acl[2].a_perm, 0)
304 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_GROUP)
305 self.assertEquals(posix_acl.acl[3].a_perm, 7)
306 self.assertEquals(posix_acl.acl[3].info.gid, BA_gid)
308 self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_MASK)
309 self.assertEquals(posix_acl.acl[4].a_perm, 7)
311 def test_setntacl_sysvol_check_getposixacl(self):
312 acl = provision.SYSVOL_ACL
313 domsid = passdb.get_global_sam_sid()
314 session_info = self.get_session_info(domsid)
315 setntacl(self.lp, self.tempf, acl, str(domsid), use_ntvfs=False,
316 session_info=session_info)
317 facl = getntacl(self.lp, self.tempf)
318 self.assertEquals(facl.as_sddl(domsid), acl)
319 posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
321 nwrap_module_so_path = os.getenv('NSS_WRAPPER_MODULE_SO_PATH')
322 nwrap_module_fn_prefix = os.getenv('NSS_WRAPPER_MODULE_FN_PREFIX')
324 nwrap_winbind_active = (nwrap_module_so_path != "" and
325 nwrap_module_fn_prefix == "winbind")
327 LA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
328 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
329 SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
330 SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
331 AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
333 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
335 # These assertions correct for current ad_dc selftest
336 # configuration. When other environments have a broad range of
337 # groups mapped via passdb, we can relax some of these checks
338 (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
339 self.assertEquals(LA_type, idmap.ID_TYPE_UID)
340 (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
341 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
342 (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
343 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
344 (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
345 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
346 (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
347 self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)
349 self.assertEquals(posix_acl.count, 13, self.print_posix_acl(posix_acl))
351 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
352 self.assertEquals(posix_acl.acl[0].a_perm, 7)
353 self.assertEquals(posix_acl.acl[0].info.gid, BA_gid)
355 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
356 if nwrap_winbind_active or session_info:
357 self.assertEquals(posix_acl.acl[1].a_perm, 7)
359 self.assertEquals(posix_acl.acl[1].a_perm, 6)
360 self.assertEquals(posix_acl.acl[1].info.uid, LA_uid)
362 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
363 self.assertEquals(posix_acl.acl[2].a_perm, 0)
365 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
366 if nwrap_winbind_active or session_info:
367 self.assertEquals(posix_acl.acl[3].a_perm, 7)
369 self.assertEquals(posix_acl.acl[3].a_perm, 6)
371 self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_USER)
372 self.assertEquals(posix_acl.acl[4].a_perm, 7)
373 self.assertEquals(posix_acl.acl[4].info.uid, BA_gid)
375 self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
376 self.assertEquals(posix_acl.acl[5].a_perm, 7)
378 self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_USER)
379 self.assertEquals(posix_acl.acl[6].a_perm, 5)
380 self.assertEquals(posix_acl.acl[6].info.uid, SO_gid)
382 self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
383 self.assertEquals(posix_acl.acl[7].a_perm, 5)
384 self.assertEquals(posix_acl.acl[7].info.gid, SO_gid)
386 self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_USER)
387 self.assertEquals(posix_acl.acl[8].a_perm, 7)
388 self.assertEquals(posix_acl.acl[8].info.uid, SY_gid)
390 self.assertEquals(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_GROUP)
391 self.assertEquals(posix_acl.acl[9].a_perm, 7)
392 self.assertEquals(posix_acl.acl[9].info.gid, SY_gid)
394 self.assertEquals(posix_acl.acl[10].a_type, smb_acl.SMB_ACL_USER)
395 self.assertEquals(posix_acl.acl[10].a_perm, 5)
396 self.assertEquals(posix_acl.acl[10].info.uid, AU_gid)
398 self.assertEquals(posix_acl.acl[11].a_type, smb_acl.SMB_ACL_GROUP)
399 self.assertEquals(posix_acl.acl[11].a_perm, 5)
400 self.assertEquals(posix_acl.acl[11].info.gid, AU_gid)
402 self.assertEquals(posix_acl.acl[12].a_type, smb_acl.SMB_ACL_MASK)
403 self.assertEquals(posix_acl.acl[12].a_perm, 7)
405 # check that it matches:
407 # user:root:rwx (selftest user actually)
409 # group:Local Admins:rwx
416 # This is in this order in the NDR smb_acl(not re-orderded for display)
423 # uid: 0 (selftest user actually)
454 def test_setntacl_sysvol_dir_check_getposixacl(self):
455 acl = provision.SYSVOL_ACL
456 domsid = passdb.get_global_sam_sid()
457 session_info = self.get_session_info(domsid)
458 setntacl(self.lp, self.tempdir, acl, str(domsid), use_ntvfs=False,
459 session_info=session_info)
460 facl = getntacl(self.lp, self.tempdir)
461 self.assertEquals(facl.as_sddl(domsid), acl)
462 posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)
464 LA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
465 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
466 SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
467 SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
468 AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
470 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
472 # These assertions correct for current ad_dc selftest
473 # configuration. When other environments have a broad range of
474 # groups mapped via passdb, we can relax some of these checks
475 (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
476 self.assertEquals(LA_type, idmap.ID_TYPE_UID)
477 (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
478 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
479 (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
480 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
481 (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
482 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
483 (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
484 self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)
486 self.assertEquals(posix_acl.count, 13, self.print_posix_acl(posix_acl))
488 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
489 self.assertEquals(posix_acl.acl[0].a_perm, 7)
490 self.assertEquals(posix_acl.acl[0].info.gid, BA_gid)
492 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
493 self.assertEquals(posix_acl.acl[1].a_perm, 7)
494 self.assertEquals(posix_acl.acl[1].info.uid, LA_uid)
496 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
497 self.assertEquals(posix_acl.acl[2].a_perm, 0)
499 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
500 self.assertEquals(posix_acl.acl[3].a_perm, 7)
502 self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_USER)
503 self.assertEquals(posix_acl.acl[4].a_perm, 7)
504 self.assertEquals(posix_acl.acl[4].info.uid, BA_gid)
506 self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
507 self.assertEquals(posix_acl.acl[5].a_perm, 7)
509 self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_USER)
510 self.assertEquals(posix_acl.acl[6].a_perm, 5)
511 self.assertEquals(posix_acl.acl[6].info.uid, SO_gid)
513 self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
514 self.assertEquals(posix_acl.acl[7].a_perm, 5)
515 self.assertEquals(posix_acl.acl[7].info.gid, SO_gid)
517 self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_USER)
518 self.assertEquals(posix_acl.acl[8].a_perm, 7)
519 self.assertEquals(posix_acl.acl[8].info.uid, SY_gid)
521 self.assertEquals(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_GROUP)
522 self.assertEquals(posix_acl.acl[9].a_perm, 7)
523 self.assertEquals(posix_acl.acl[9].info.gid, SY_gid)
525 self.assertEquals(posix_acl.acl[10].a_type, smb_acl.SMB_ACL_USER)
526 self.assertEquals(posix_acl.acl[10].a_perm, 5)
527 self.assertEquals(posix_acl.acl[10].info.uid, AU_gid)
529 self.assertEquals(posix_acl.acl[11].a_type, smb_acl.SMB_ACL_GROUP)
530 self.assertEquals(posix_acl.acl[11].a_perm, 5)
531 self.assertEquals(posix_acl.acl[11].info.gid, AU_gid)
533 self.assertEquals(posix_acl.acl[12].a_type, smb_acl.SMB_ACL_MASK)
534 self.assertEquals(posix_acl.acl[12].a_perm, 7)
536 # check that it matches:
538 # user:root:rwx (selftest user actually)
547 def test_setntacl_policies_dir_check_getposixacl(self):
548 acl = provision.POLICIES_ACL
549 domsid = passdb.get_global_sam_sid()
550 session_info = self.get_session_info(domsid)
551 setntacl(self.lp, self.tempdir, acl, str(domsid), use_ntvfs=False,
552 session_info=session_info)
553 facl = getntacl(self.lp, self.tempdir)
554 self.assertEquals(facl.as_sddl(domsid), acl)
555 posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)
557 LA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
558 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
559 SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
560 SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
561 AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
562 PA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_POLICY_ADMINS))
564 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
566 # These assertions correct for current ad_dc selftest
567 # configuration. When other environments have a broad range of
568 # groups mapped via passdb, we can relax some of these checks
569 (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
570 self.assertEquals(LA_type, idmap.ID_TYPE_UID)
571 (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
572 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
573 (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
574 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
575 (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
576 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
577 (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
578 self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)
579 (PA_gid, PA_type) = s4_passdb.sid_to_id(PA_sid)
580 self.assertEquals(PA_type, idmap.ID_TYPE_BOTH)
582 self.assertEquals(posix_acl.count, 15, self.print_posix_acl(posix_acl))
584 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
585 self.assertEquals(posix_acl.acl[0].a_perm, 7)
586 self.assertEquals(posix_acl.acl[0].info.gid, BA_gid)
588 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
589 self.assertEquals(posix_acl.acl[1].a_perm, 7)
590 self.assertEquals(posix_acl.acl[1].info.uid, LA_uid)
592 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
593 self.assertEquals(posix_acl.acl[2].a_perm, 0)
595 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
596 self.assertEquals(posix_acl.acl[3].a_perm, 7)
598 self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_USER)
599 self.assertEquals(posix_acl.acl[4].a_perm, 7)
600 self.assertEquals(posix_acl.acl[4].info.uid, BA_gid)
602 self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
603 self.assertEquals(posix_acl.acl[5].a_perm, 7)
605 self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_USER)
606 self.assertEquals(posix_acl.acl[6].a_perm, 5)
607 self.assertEquals(posix_acl.acl[6].info.uid, SO_gid)
609 self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
610 self.assertEquals(posix_acl.acl[7].a_perm, 5)
611 self.assertEquals(posix_acl.acl[7].info.gid, SO_gid)
613 self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_USER)
614 self.assertEquals(posix_acl.acl[8].a_perm, 7)
615 self.assertEquals(posix_acl.acl[8].info.uid, SY_gid)
617 self.assertEquals(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_GROUP)
618 self.assertEquals(posix_acl.acl[9].a_perm, 7)
619 self.assertEquals(posix_acl.acl[9].info.gid, SY_gid)
621 self.assertEquals(posix_acl.acl[10].a_type, smb_acl.SMB_ACL_USER)
622 self.assertEquals(posix_acl.acl[10].a_perm, 5)
623 self.assertEquals(posix_acl.acl[10].info.uid, AU_gid)
625 self.assertEquals(posix_acl.acl[11].a_type, smb_acl.SMB_ACL_GROUP)
626 self.assertEquals(posix_acl.acl[11].a_perm, 5)
627 self.assertEquals(posix_acl.acl[11].info.gid, AU_gid)
629 self.assertEquals(posix_acl.acl[12].a_type, smb_acl.SMB_ACL_USER)
630 self.assertEquals(posix_acl.acl[12].a_perm, 7)
631 self.assertEquals(posix_acl.acl[12].info.uid, PA_gid)
633 self.assertEquals(posix_acl.acl[13].a_type, smb_acl.SMB_ACL_GROUP)
634 self.assertEquals(posix_acl.acl[13].a_perm, 7)
635 self.assertEquals(posix_acl.acl[13].info.gid, PA_gid)
637 self.assertEquals(posix_acl.acl[14].a_type, smb_acl.SMB_ACL_MASK)
638 self.assertEquals(posix_acl.acl[14].a_perm, 7)
640 # check that it matches:
642 # user:root:rwx (selftest user actually)
652 def test_setntacl_policies_check_getposixacl(self):
653 acl = provision.POLICIES_ACL
655 domsid = passdb.get_global_sam_sid()
656 session_info = self.get_session_info(domsid)
657 setntacl(self.lp, self.tempf, acl, str(domsid), use_ntvfs=False,
658 session_info=session_info)
659 facl = getntacl(self.lp, self.tempf)
660 self.assertEquals(facl.as_sddl(domsid), acl)
661 posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
663 nwrap_module_so_path = os.getenv('NSS_WRAPPER_MODULE_SO_PATH')
664 nwrap_module_fn_prefix = os.getenv('NSS_WRAPPER_MODULE_FN_PREFIX')
666 nwrap_winbind_active = (nwrap_module_so_path != "" and
667 nwrap_module_fn_prefix == "winbind")
669 LA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
670 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
671 SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
672 SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
673 AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
674 PA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_POLICY_ADMINS))
676 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
678 # These assertions correct for current ad_dc selftest
679 # configuration. When other environments have a broad range of
680 # groups mapped via passdb, we can relax some of these checks
681 (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
682 self.assertEquals(LA_type, idmap.ID_TYPE_UID)
683 (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
684 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
685 (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
686 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
687 (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
688 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
689 (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
690 self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)
691 (PA_gid, PA_type) = s4_passdb.sid_to_id(PA_sid)
692 self.assertEquals(PA_type, idmap.ID_TYPE_BOTH)
694 self.assertEquals(posix_acl.count, 15, self.print_posix_acl(posix_acl))
696 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
697 self.assertEquals(posix_acl.acl[0].a_perm, 7)
698 self.assertEquals(posix_acl.acl[0].info.gid, BA_gid)
700 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
701 if nwrap_winbind_active or session_info:
702 self.assertEquals(posix_acl.acl[1].a_perm, 7)
704 self.assertEquals(posix_acl.acl[1].a_perm, 6)
705 self.assertEquals(posix_acl.acl[1].info.uid, LA_uid)
707 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
708 self.assertEquals(posix_acl.acl[2].a_perm, 0)
710 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
711 if nwrap_winbind_active or session_info:
712 self.assertEquals(posix_acl.acl[3].a_perm, 7)
714 self.assertEquals(posix_acl.acl[3].a_perm, 6)
716 self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_USER)
717 self.assertEquals(posix_acl.acl[4].a_perm, 7)
718 self.assertEquals(posix_acl.acl[4].info.uid, BA_gid)
720 self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
721 self.assertEquals(posix_acl.acl[5].a_perm, 7)
723 self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_USER)
724 self.assertEquals(posix_acl.acl[6].a_perm, 5)
725 self.assertEquals(posix_acl.acl[6].info.uid, SO_gid)
727 self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
728 self.assertEquals(posix_acl.acl[7].a_perm, 5)
729 self.assertEquals(posix_acl.acl[7].info.gid, SO_gid)
731 self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_USER)
732 self.assertEquals(posix_acl.acl[8].a_perm, 7)
733 self.assertEquals(posix_acl.acl[8].info.uid, SY_gid)
735 self.assertEquals(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_GROUP)
736 self.assertEquals(posix_acl.acl[9].a_perm, 7)
737 self.assertEquals(posix_acl.acl[9].info.gid, SY_gid)
739 self.assertEquals(posix_acl.acl[10].a_type, smb_acl.SMB_ACL_USER)
740 self.assertEquals(posix_acl.acl[10].a_perm, 5)
741 self.assertEquals(posix_acl.acl[10].info.uid, AU_gid)
743 self.assertEquals(posix_acl.acl[11].a_type, smb_acl.SMB_ACL_GROUP)
744 self.assertEquals(posix_acl.acl[11].a_perm, 5)
745 self.assertEquals(posix_acl.acl[11].info.gid, AU_gid)
747 self.assertEquals(posix_acl.acl[12].a_type, smb_acl.SMB_ACL_USER)
748 self.assertEquals(posix_acl.acl[12].a_perm, 7)
749 self.assertEquals(posix_acl.acl[12].info.uid, PA_gid)
751 self.assertEquals(posix_acl.acl[13].a_type, smb_acl.SMB_ACL_GROUP)
752 self.assertEquals(posix_acl.acl[13].a_perm, 7)
753 self.assertEquals(posix_acl.acl[13].info.gid, PA_gid)
755 self.assertEquals(posix_acl.acl[14].a_type, smb_acl.SMB_ACL_MASK)
756 self.assertEquals(posix_acl.acl[14].a_perm, 7)
758 # check that it matches:
760 # user:root:rwx (selftest user actually)
762 # group:Local Admins:rwx
770 # This is in this order in the NDR smb_acl(not re-orderded for display)
777 # uid: 0 (selftest user actually)
813 class SessionedPosixAclMappingTests(PosixAclMappingTests):
815 Run same test suite with session enabled.
818 def get_session_info(self, domsid=DOM_SID):
820 Get session_info for setntacl.
822 if str(domsid) != str(self.samdb.get_domain_sid()):
823 # fake it with admin session as domsid is not in local db
824 return auth.admin_session(self.lp, str(domsid))
826 dn = '<SID={0}-{1}>'.format(domsid, security.DOMAIN_RID_ADMINISTRATOR)
827 flags = (auth.AUTH_SESSION_INFO_DEFAULT_GROUPS |
828 auth.AUTH_SESSION_INFO_AUTHENTICATED |
829 auth.AUTH_SESSION_INFO_SIMPLE_PRIVILEGES)
830 return auth.user_session(self.samdb, lp_ctx=self.lp, dn=dn,
831 session_info_flags=flags)
834 class UnixSessionedPosixAclMappingTests(PosixAclMappingTests):
836 Run same test suite with session enabled.
839 def get_session_info(self, domsid=DOM_SID):
841 Get session_info for setntacl.
843 if str(domsid) != str(self.samdb.get_domain_sid()):
844 # fake it with admin session as domsid is not in local db
845 return auth.admin_session(self.lp, str(domsid))
847 dn = '<SID={0}-{1}>'.format(domsid, security.DOMAIN_RID_ADMINISTRATOR)
848 flags = (auth.AUTH_SESSION_INFO_DEFAULT_GROUPS |
849 auth.AUTH_SESSION_INFO_AUTHENTICATED |
850 auth.AUTH_SESSION_INFO_SIMPLE_PRIVILEGES)
852 session = auth.user_session(self.samdb, lp_ctx=self.lp, dn=dn,
853 session_info_flags=flags)
854 auth.session_info_fill_unix(session,
856 user_name="Administrator")