2 Unix SMB/CIFS implementation.
3 Set NT and POSIX ACLs and other VFS operations from Python
5 Copyrigyt (C) Andrew Bartlett 2012
6 Copyright (C) Jeremy Allison 1994-2009.
7 Copyright (C) Andreas Gruenbacher 2002.
8 Copyright (C) Simo Sorce <idra@samba.org> 2009.
9 Copyright (C) Simo Sorce 2002
10 Copyright (C) Eric Lorimer 2002
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
28 #include "python/py3compat.h"
29 #include "smbd/smbd.h"
30 #include "libcli/util/pyerrors.h"
31 #include "librpc/rpc/pyrpc_util.h"
33 #include "system/filesys.h"
38 extern const struct generic_mapping file_generic_mapping;
41 #define DBGC_CLASS DBGC_ACLS
44 #define DIRECTORY_FLAGS O_RDONLY|O_DIRECTORY
46 /* POSIX allows us to open a directory with O_RDONLY. */
47 #define DIRECTORY_FLAGS O_RDONLY
51 static connection_struct *get_conn_tos(
53 const struct auth_session_info *session_info)
55 struct conn_struct_tos *c = NULL;
59 if (!posix_locking_init(false)) {
65 snum = lp_servicenumber(service);
67 PyErr_SetString(PyExc_RuntimeError, "unknown service");
72 status = create_conn_struct_tos(NULL,
77 PyErr_NTSTATUS_IS_ERR_RAISE(status);
79 /* Ignore read-only and share restrictions */
80 c->conn->read_only = false;
81 c->conn->share_access = SEC_RIGHTS_FILE_ALL;
85 static int set_sys_acl_conn(const char *fname,
86 SMB_ACL_TYPE_T acltype,
87 SMB_ACL_T theacl, connection_struct *conn)
90 struct smb_filename *smb_fname = NULL;
93 TALLOC_CTX *frame = talloc_stackframe();
95 /* we want total control over the permissions on created files,
96 so set our umask to 0 */
97 saved_umask = umask(0);
99 smb_fname = synthetic_smb_fname_split(frame,
101 lp_posix_pathnames());
102 if (smb_fname == NULL) {
108 ret = SMB_VFS_SYS_ACL_SET_FILE( conn, smb_fname, acltype, theacl);
117 static NTSTATUS init_files_struct(TALLOC_CTX *mem_ctx,
119 struct connection_struct *conn,
121 struct files_struct **_fsp)
123 struct smb_filename *smb_fname = NULL;
126 struct files_struct *fsp;
128 fsp = talloc_zero(mem_ctx, struct files_struct);
130 return NT_STATUS_NO_MEMORY;
132 fsp->fh = talloc(fsp, struct fd_handle);
133 if (fsp->fh == NULL) {
134 return NT_STATUS_NO_MEMORY;
138 /* we want total control over the permissions on created files,
139 so set our umask to 0 */
140 saved_umask = umask(0);
142 smb_fname = synthetic_smb_fname_split(fsp,
144 lp_posix_pathnames());
145 if (smb_fname == NULL) {
147 return NT_STATUS_NO_MEMORY;
150 fsp->fsp_name = smb_fname;
151 fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, 00644);
152 if (fsp->fh->fd == -1) {
156 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
158 return NT_STATUS_INVALID_PARAMETER;
161 ret = SMB_VFS_FSTAT(fsp, &smb_fname->st);
163 /* If we have an fd, this stat should succeed. */
164 DEBUG(0,("Error doing fstat on open file %s (%s)\n",
165 smb_fname_str_dbg(smb_fname),
168 return map_nt_error_from_unix(errno);
171 fsp->file_id = vfs_file_id_from_sbuf(conn, &smb_fname->st);
172 fsp->vuid = UID_FIELD_INVALID;
174 fsp->can_lock = True;
175 fsp->can_read = True;
176 fsp->can_write = True;
177 fsp->print_file = NULL;
178 fsp->modified = False;
179 fsp->sent_oplock_break = NO_BREAK_SENT;
180 fsp->is_directory = S_ISDIR(smb_fname->st.st_ex_mode);
187 static NTSTATUS set_nt_acl_conn(const char *fname,
188 uint32_t security_info_sent, const struct security_descriptor *sd,
189 connection_struct *conn)
191 TALLOC_CTX *frame = talloc_stackframe();
192 struct files_struct *fsp = NULL;
193 NTSTATUS status = NT_STATUS_OK;
195 /* first, try to open it as a file with flag O_RDWR */
196 status = init_files_struct(frame,
201 if (!NT_STATUS_IS_OK(status) && errno == EISDIR) {
202 /* if fail, try to open as dir */
203 status = init_files_struct(frame,
210 if (!NT_STATUS_IS_OK(status)) {
211 DBG_ERR("init_files_struct failed: %s\n",
220 status = SMB_VFS_FSET_NT_ACL(fsp, security_info_sent, sd);
221 if (!NT_STATUS_IS_OK(status)) {
222 DEBUG(0,("set_nt_acl_no_snum: fset_nt_acl returned %s.\n", nt_errstr(status)));
231 static NTSTATUS get_nt_acl_conn(TALLOC_CTX *mem_ctx,
233 connection_struct *conn,
234 uint32_t security_info_wanted,
235 struct security_descriptor **sd)
237 TALLOC_CTX *frame = talloc_stackframe();
239 struct smb_filename *smb_fname = synthetic_smb_fname(talloc_tos(),
243 lp_posix_pathnames() ?
244 SMB_FILENAME_POSIX_PATH : 0);
246 if (smb_fname == NULL) {
248 return NT_STATUS_NO_MEMORY;
251 status = SMB_VFS_GET_NT_ACL(conn,
253 security_info_wanted,
256 if (!NT_STATUS_IS_OK(status)) {
257 DEBUG(0,("get_nt_acl_conn: get_nt_acl returned %s.\n", nt_errstr(status)));
265 static int set_acl_entry_perms(SMB_ACL_ENTRY_T entry, mode_t perm_mask)
267 SMB_ACL_PERMSET_T perms = NULL;
269 if (sys_acl_get_permset(entry, &perms) != 0) {
273 if (sys_acl_clear_perms(perms) != 0) {
277 if ((perm_mask & SMB_ACL_READ) != 0 &&
278 sys_acl_add_perm(perms, SMB_ACL_READ) != 0) {
282 if ((perm_mask & SMB_ACL_WRITE) != 0 &&
283 sys_acl_add_perm(perms, SMB_ACL_WRITE) != 0) {
287 if ((perm_mask & SMB_ACL_EXECUTE) != 0 &&
288 sys_acl_add_perm(perms, SMB_ACL_EXECUTE) != 0) {
292 if (sys_acl_set_permset(entry, perms) != 0) {
299 static SMB_ACL_T make_simple_acl(TALLOC_CTX *mem_ctx,
303 mode_t mode = SMB_ACL_READ|SMB_ACL_WRITE|SMB_ACL_EXECUTE;
305 mode_t mode_user = (chmod_mode & 0700) >> 6;
306 mode_t mode_group = (chmod_mode & 070) >> 3;
307 mode_t mode_other = chmod_mode & 07;
308 SMB_ACL_ENTRY_T entry;
309 SMB_ACL_T acl = sys_acl_init(mem_ctx);
315 if (sys_acl_create_entry(&acl, &entry) != 0) {
320 if (sys_acl_set_tag_type(entry, SMB_ACL_USER_OBJ) != 0) {
325 if (set_acl_entry_perms(entry, mode_user) != 0) {
330 if (sys_acl_create_entry(&acl, &entry) != 0) {
335 if (sys_acl_set_tag_type(entry, SMB_ACL_GROUP_OBJ) != 0) {
340 if (set_acl_entry_perms(entry, mode_group) != 0) {
345 if (sys_acl_create_entry(&acl, &entry) != 0) {
350 if (sys_acl_set_tag_type(entry, SMB_ACL_OTHER) != 0) {
355 if (set_acl_entry_perms(entry, mode_other) != 0) {
361 if (sys_acl_create_entry(&acl, &entry) != 0) {
366 if (sys_acl_set_tag_type(entry, SMB_ACL_GROUP) != 0) {
371 if (sys_acl_set_qualifier(entry, &gid) != 0) {
376 if (set_acl_entry_perms(entry, mode_group) != 0) {
382 if (sys_acl_create_entry(&acl, &entry) != 0) {
387 if (sys_acl_set_tag_type(entry, SMB_ACL_MASK) != 0) {
392 if (set_acl_entry_perms(entry, mode) != 0) {
401 set a simple ACL on a file, as a test
403 static PyObject *py_smbd_set_simple_acl(PyObject *self, PyObject *args, PyObject *kwargs)
405 const char * const kwnames[] = { "fname", "mode", "gid", "service", NULL };
406 char *fname, *service = NULL;
411 connection_struct *conn;
413 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "si|iz",
414 discard_const_p(char *, kwnames),
415 &fname, &mode, &gid, &service))
418 frame = talloc_stackframe();
420 acl = make_simple_acl(frame, gid, mode);
426 conn = get_conn_tos(service, NULL);
432 ret = set_sys_acl_conn(fname, SMB_ACL_TYPE_ACCESS, acl, conn);
437 return PyErr_SetFromErrno(PyExc_OSError);
448 static PyObject *py_smbd_chown(PyObject *self, PyObject *args, PyObject *kwargs)
450 const char * const kwnames[] = { "fname", "uid", "gid", "service", NULL };
451 connection_struct *conn;
454 char *fname, *service = NULL;
458 struct smb_filename *smb_fname = NULL;
460 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "sii|z",
461 discard_const_p(char *, kwnames),
462 &fname, &uid, &gid, &service))
465 frame = talloc_stackframe();
467 conn = get_conn_tos(service, NULL);
473 /* we want total control over the permissions on created files,
474 so set our umask to 0 */
475 saved_umask = umask(0);
477 smb_fname = synthetic_smb_fname(talloc_tos(),
481 lp_posix_pathnames() ?
482 SMB_FILENAME_POSIX_PATH : 0);
483 if (smb_fname == NULL) {
487 return PyErr_SetFromErrno(PyExc_OSError);
490 ret = SMB_VFS_CHOWN(conn, smb_fname, uid, gid);
495 return PyErr_SetFromErrno(PyExc_OSError);
508 static PyObject *py_smbd_unlink(PyObject *self, PyObject *args, PyObject *kwargs)
510 const char * const kwnames[] = { "fname", "service", NULL };
511 connection_struct *conn;
513 struct smb_filename *smb_fname = NULL;
514 char *fname, *service = NULL;
517 frame = talloc_stackframe();
519 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "s|z",
520 discard_const_p(char *, kwnames),
526 conn = get_conn_tos(service, NULL);
532 smb_fname = synthetic_smb_fname_split(frame,
534 lp_posix_pathnames());
535 if (smb_fname == NULL) {
537 return PyErr_NoMemory();
540 ret = SMB_VFS_UNLINK(conn, smb_fname);
544 return PyErr_SetFromErrno(PyExc_OSError);
553 check if we have ACL support
555 static PyObject *py_smbd_have_posix_acls(PyObject *self)
557 #ifdef HAVE_POSIX_ACLS
558 return PyBool_FromLong(true);
560 return PyBool_FromLong(false);
565 set the NT ACL on a file
567 static PyObject *py_smbd_set_nt_acl(PyObject *self, PyObject *args, PyObject *kwargs)
569 const char * const kwnames[] = {
570 "fname", "security_info_sent", "sd",
571 "service", "session_info", NULL };
574 char *fname, *service = NULL;
575 int security_info_sent;
577 struct security_descriptor *sd;
578 PyObject *py_session = Py_None;
579 struct auth_session_info *session_info = NULL;
580 connection_struct *conn;
583 frame = talloc_stackframe();
585 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "siO|zO",
586 discard_const_p(char *, kwnames),
587 &fname, &security_info_sent, &py_sd,
588 &service, &py_session)) {
593 if (!py_check_dcerpc_type(py_sd, "samba.dcerpc.security", "descriptor")) {
598 if (py_session != Py_None) {
599 if (!py_check_dcerpc_type(py_session,
605 session_info = pytalloc_get_type(py_session,
606 struct auth_session_info);
608 PyErr_Format(PyExc_TypeError,
609 "Expected auth_session_info for session_info argument got %s",
610 talloc_get_name(pytalloc_get_ptr(py_session)));
615 conn = get_conn_tos(service, session_info);
621 sd = pytalloc_get_type(py_sd, struct security_descriptor);
623 status = set_nt_acl_conn(fname, security_info_sent, sd, conn);
625 PyErr_NTSTATUS_IS_ERR_RAISE(status);
631 Return the NT ACL on a file
633 static PyObject *py_smbd_get_nt_acl(PyObject *self, PyObject *args, PyObject *kwargs)
635 const char * const kwnames[] = { "fname",
636 "security_info_wanted",
640 char *fname, *service = NULL;
641 int security_info_wanted;
643 struct security_descriptor *sd;
644 TALLOC_CTX *frame = talloc_stackframe();
645 PyObject *py_session = Py_None;
646 struct auth_session_info *session_info = NULL;
647 connection_struct *conn;
651 ret = PyArg_ParseTupleAndKeywords(args,
654 discard_const_p(char *, kwnames),
656 &security_info_wanted,
664 if (py_session != Py_None) {
665 if (!py_check_dcerpc_type(py_session,
671 session_info = pytalloc_get_type(py_session,
672 struct auth_session_info);
676 "Expected auth_session_info for "
677 "session_info argument got %s",
678 talloc_get_name(pytalloc_get_ptr(py_session)));
683 conn = get_conn_tos(service, session_info);
689 status = get_nt_acl_conn(frame, fname, conn, security_info_wanted, &sd);
690 PyErr_NTSTATUS_IS_ERR_RAISE(status);
692 py_sd = py_return_ndr_struct("samba.dcerpc.security", "descriptor", sd, sd);
700 set the posix (or similar) ACL on a file
702 static PyObject *py_smbd_set_sys_acl(PyObject *self, PyObject *args, PyObject *kwargs)
704 const char * const kwnames[] = { "fname", "acl_type", "acl", "service", NULL };
705 TALLOC_CTX *frame = talloc_stackframe();
707 char *fname, *service = NULL;
709 struct smb_acl_t *acl;
711 connection_struct *conn;
713 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "siO|z",
714 discard_const_p(char *, kwnames),
715 &fname, &acl_type, &py_acl, &service)) {
720 if (!py_check_dcerpc_type(py_acl, "samba.dcerpc.smb_acl", "t")) {
725 conn = get_conn_tos(service, NULL);
731 acl = pytalloc_get_type(py_acl, struct smb_acl_t);
733 ret = set_sys_acl_conn(fname, acl_type, acl, conn);
737 return PyErr_SetFromErrno(PyExc_OSError);
745 Return the posix (or similar) ACL on a file
747 static PyObject *py_smbd_get_sys_acl(PyObject *self, PyObject *args, PyObject *kwargs)
749 const char * const kwnames[] = { "fname", "acl_type", "service", NULL };
752 struct smb_acl_t *acl;
754 TALLOC_CTX *frame = talloc_stackframe();
755 connection_struct *conn;
756 char *service = NULL;
757 struct smb_filename *smb_fname = NULL;
759 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "si|z",
760 discard_const_p(char *, kwnames),
761 &fname, &acl_type, &service)) {
766 conn = get_conn_tos(service, NULL);
772 smb_fname = synthetic_smb_fname_split(frame,
774 lp_posix_pathnames());
775 if (smb_fname == NULL) {
779 acl = SMB_VFS_SYS_ACL_GET_FILE( conn, smb_fname, acl_type, frame);
782 return PyErr_SetFromErrno(PyExc_OSError);
785 py_acl = py_return_ndr_struct("samba.dcerpc.smb_acl", "t", acl, acl);
792 static PyObject *py_smbd_mkdir(PyObject *self, PyObject *args, PyObject *kwargs)
794 const char * const kwnames[] = { "fname", "service", NULL };
795 char *fname, *service = NULL;
796 TALLOC_CTX *frame = talloc_stackframe();
797 struct connection_struct *conn = NULL;
798 struct smb_filename *smb_fname = NULL;
800 if (!PyArg_ParseTupleAndKeywords(args,
803 discard_const_p(char *,
811 conn = get_conn_tos(service, NULL);
817 smb_fname = synthetic_smb_fname(talloc_tos(),
821 lp_posix_pathnames() ?
822 SMB_FILENAME_POSIX_PATH : 0);
824 if (smb_fname == NULL) {
830 if (SMB_VFS_MKDIR(conn, smb_fname, 00755) == -1) {
831 DBG_ERR("mkdir error=%d (%s)\n", errno, strerror(errno));
844 static PyObject *py_smbd_create_file(PyObject *self, PyObject *args, PyObject *kwargs)
846 const char * const kwnames[] = { "fname", "service", NULL };
847 char *fname, *service = NULL;
848 TALLOC_CTX *frame = talloc_stackframe();
849 struct connection_struct *conn = NULL;
850 struct files_struct *fsp = NULL;
853 if (!PyArg_ParseTupleAndKeywords(args,
856 discard_const_p(char *,
864 conn = get_conn_tos(service, NULL);
870 status = init_files_struct(frame,
873 O_CREAT|O_EXCL|O_RDWR,
875 if (!NT_STATUS_IS_OK(status)) {
876 DBG_ERR("init_files_struct failed: %s\n",
885 static PyMethodDef py_smbd_methods[] = {
887 (PyCFunction)py_smbd_have_posix_acls, METH_NOARGS,
890 (PyCFunction)py_smbd_set_simple_acl, METH_VARARGS|METH_KEYWORDS,
893 (PyCFunction)py_smbd_set_nt_acl, METH_VARARGS|METH_KEYWORDS,
896 (PyCFunction)py_smbd_get_nt_acl, METH_VARARGS|METH_KEYWORDS,
899 (PyCFunction)py_smbd_get_sys_acl, METH_VARARGS|METH_KEYWORDS,
902 (PyCFunction)py_smbd_set_sys_acl, METH_VARARGS|METH_KEYWORDS,
905 (PyCFunction)py_smbd_chown, METH_VARARGS|METH_KEYWORDS,
908 (PyCFunction)py_smbd_unlink, METH_VARARGS|METH_KEYWORDS,
911 (PyCFunction)py_smbd_mkdir, METH_VARARGS|METH_KEYWORDS,
914 (PyCFunction)py_smbd_create_file, METH_VARARGS|METH_KEYWORDS,
921 static struct PyModuleDef moduledef = {
922 PyModuleDef_HEAD_INIT,
924 .m_doc = "Python bindings for the smbd file server.",
926 .m_methods = py_smbd_methods,
929 MODULE_INIT_FUNC(smbd)
933 m = PyModule_Create(&moduledef);