1 # Unix SMB/CIFS implementation. Tests for NT and posix ACL manipulation
2 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
3 # Copyright (C) Andrew Bartlett 2012
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 """Tests for the Samba3 NT -> posix ACL layer"""
21 from samba.ntacls import setntacl, getntacl, XattrBackendError
22 from samba.dcerpc import xattr, security, smb_acl, idmap
23 from samba.param import LoadParm
24 from samba.tests import TestCase, TestSkipped
25 from samba import provision
28 from samba.samba3 import smbd, passdb
29 from samba.samba3 import param as s3param
31 # To print a posix ACL use:
32 # for entry in posix_acl.acl:
33 # print "a_type: %d" % entry.a_type
34 # print "a_perm: %o" % entry.a_perm
35 # print "uid: %d" % entry.uid
36 # print "gid: %d" % entry.gid
def is_minus_one(val):
    """Return True if *val* is the "no id" marker of a POSIX ACL entry.

    The uid/gid of an smb_acl entry that carries no qualifier may surface
    either as -1 or as its unsigned 32-bit wrap-around 0xFFFFFFFF
    (4294967295), depending on how the value crossed the C boundary; both
    spellings are accepted.
    """
    return val in (-1, 4294967295)
41 class PosixAclMappingTests(TestCase):
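def test_setntacl(self):
    """Set an NT ACL on a fresh file through the smbd (non-NTVFS) path.

    Only checks that setntacl() completes without raising; the stored ACL
    is read back and compared by the sibling tests.
    """
    # NOTE(review): `lp` is not assigned on the lines visible here; it is
    # presumably the loadparm context set up just above - confirm.
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    # NOTE(review): the name is predictable (random.random() in a shared
    # prefix) and the file is never removed; tempfile.mkstemp() would be the
    # safer choice, but confirm its 0600 create mode does not change the
    # mapped ACL before switching.
    tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
    # Close the handle promptly instead of relying on refcount finalisation.
    with open(tempf, 'w') as f:
        f.write("empty")
    setntacl(lp, tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)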
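def test_setntacl_smbd_getntacl(self):
    """Store an NT ACL via the NTVFS path and read it back directly.

    The ACL is written with use_ntvfs=True and fetched with
    direct_db_access=True; rendered as SDDL (relative to SID_NT_SELF) it
    must round-trip to exactly the input string.
    """
    # NOTE(review): `lp` is not assigned on the lines visible here; it is
    # presumably the loadparm context set up just above - confirm.
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    # NOTE(review): predictable name in a shared prefix, never removed;
    # tempfile.mkstemp() would be safer if its 0600 create mode is confirmed
    # not to affect the stored ACL.
    tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
    # Close the handle promptly instead of relying on refcount finalisation.
    with open(tempf, 'w') as f:
        f.write("empty")
    setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
    facl = getntacl(lp,tempf, direct_db_access=True)
    anysid = security.dom_sid(security.SID_NT_SELF)
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12).
    self.assertEqual(facl.as_sddl(anysid),acl)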
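def test_setntacl_getntacl_smbd(self):
    """Store an NT ACL via the NTVFS path and read it back through smbd.

    The ACL is written with use_ntvfs=True and fetched with
    direct_db_access=False; rendered as SDDL (relative to SID_NT_SELF) it
    must round-trip to exactly the input string.
    """
    # NOTE(review): `lp` is not assigned on the lines visible here; it is
    # presumably the loadparm context set up just above - confirm.
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    # NOTE(review): predictable name in a shared prefix, never removed;
    # tempfile.mkstemp() would be safer if its 0600 create mode is confirmed
    # not to affect the stored ACL.
    tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
    # Close the handle promptly instead of relying on refcount finalisation.
    with open(tempf, 'w') as f:
        f.write("empty")
    setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
    facl = getntacl(lp,tempf, direct_db_access=False)
    anysid = security.dom_sid(security.SID_NT_SELF)
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12).
    self.assertEqual(facl.as_sddl(anysid),acl)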
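def test_setntacl_smbd_getntacl_smbd(self):
    """Store an NT ACL via smbd and read it back through smbd.

    The ACL is written with use_ntvfs=False and fetched with
    direct_db_access=False; rendered as SDDL (relative to SID_NT_SELF) it
    must round-trip to exactly the input string.
    """
    # NOTE(review): `lp` is not assigned on the lines visible here; it is
    # presumably the loadparm context set up just above - confirm.
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    # NOTE(review): predictable name in a shared prefix, never removed;
    # tempfile.mkstemp() would be safer if its 0600 create mode is confirmed
    # not to change the ACL smbd derives.
    tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
    # Close the handle promptly instead of relying on refcount finalisation.
    with open(tempf, 'w') as f:
        f.write("empty")
    setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
    facl = getntacl(lp,tempf, direct_db_access=False)
    anysid = security.dom_sid(security.SID_NT_SELF)
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12).
    self.assertEqual(facl.as_sddl(anysid),acl)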
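def test_setntacl_getposixacl(self):
    """Store an NT ACL via smbd, read it back, then fetch the mapped POSIX ACL.

    The SDDL round-trip is asserted; the POSIX access ACL is only retrieved,
    not inspected - entry-level expectations live in the sysvol/policies
    tests.
    """
    # NOTE(review): `lp` is not assigned on the lines visible here; it is
    # presumably the loadparm context set up just above - confirm.
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    # NOTE(review): predictable name in a shared prefix, never removed;
    # tempfile.mkstemp() would be safer if its 0600 create mode is confirmed
    # not to change the ACL smbd derives.
    tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
    # Close the handle promptly instead of relying on refcount finalisation.
    with open(tempf, 'w') as f:
        f.write("empty")
    setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
    facl = getntacl(lp,tempf)
    anysid = security.dom_sid(security.SID_NT_SELF)
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12).
    self.assertEqual(facl.as_sddl(anysid),acl)
    # The result is not inspected; the call only checks that the mapped
    # POSIX access ACL can be read back through smbd without raising.
    smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)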
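def test_setntacl_sysvol_check_getposixacl(self):
    """Check the POSIX ACL smbd derives from the provision SYSVOL ACL.

    The NT ACL is written via smbd (use_ntvfs=False), read back and compared
    as SDDL, and the underlying POSIX access ACL is then verified entry by
    entry.  Expected ids are resolved through the configured passdb backend,
    so the id-type assertions are specific to the plugin_s4_dc selftest
    environment.
    """
    s3conf = s3param.get_context()
    # NOTE(review): `lp` is not assigned on the lines visible here; it is
    # presumably the loadparm context set up alongside s3conf - confirm.
    path = os.environ['SELFTEST_PREFIX']
    acl = provision.SYSVOL_ACL
    # NOTE(review): predictable name in a shared prefix, never removed;
    # tempfile.mkstemp() would be safer if its 0600 create mode is confirmed
    # not to change the mapped POSIX entries asserted below.
    tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
    # Close the handle promptly instead of relying on refcount finalisation.
    with open(tempf, 'w') as f:
        f.write("empty")
    domsid = passdb.get_global_sam_sid()
    setntacl(lp,tempf,acl,str(domsid), use_ntvfs=False)
    facl = getntacl(lp,tempf)
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12).
    self.assertEqual(facl.as_sddl(domsid),acl)
    posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

    LA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_ADMINISTRATOR))
    BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
    SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
    AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)

    s4_passdb = passdb.PDB(s3conf.get("passdb backend"))

    # These assertions are correct for the current plugin_s4_dc selftest
    # configuration. When other environments have a broad range of
    # groups mapped via passdb, we can relax some of these checks.
    (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
    self.assertEqual(LA_type, idmap.ID_TYPE_UID)
    (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
    self.assertEqual(BA_type, idmap.ID_TYPE_GID)
    (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
    self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)
    (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
    # Previously re-asserted SO_type here (copy-paste), so the SYSTEM
    # mapping type was never actually checked.
    self.assertEqual(SY_type, idmap.ID_TYPE_BOTH)
    (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
    self.assertEqual(AU_type, idmap.ID_TYPE_BOTH)

    # Expected entries, in the order the NDR smb_acl returns them (not
    # re-ordered for display).  a_perm is the POSIX rwx bit triple; a uid or
    # gid of None means the entry must carry the -1 "no id" marker.  The
    # shape matters for sysvol: Server Operators and Authenticated Users are
    # limited to r-x (5) and OTHER gets nothing (0), so a looser mapping
    # here would over-grant to everyone on the server.
    # (The original listing showed 'user:root:rwx' / 'uid: 0' for the owner
    # entries - that is actually the selftest user.)
    expected = [
        (smb_acl.SMB_ACL_GROUP,     7, None,   BA_gid),
        (smb_acl.SMB_ACL_USER,      6, LA_uid, None),
        (smb_acl.SMB_ACL_OTHER,     0, None,   None),
        (smb_acl.SMB_ACL_USER_OBJ,  6, None,   None),
        (smb_acl.SMB_ACL_GROUP_OBJ, 7, None,   None),
        (smb_acl.SMB_ACL_GROUP,     5, None,   SO_gid),
        (smb_acl.SMB_ACL_GROUP,     7, None,   SY_gid),
        (smb_acl.SMB_ACL_GROUP,     5, None,   AU_gid),
        (smb_acl.SMB_ACL_MASK,      7, None,   None),
    ]
    self.assertEqual(posix_acl.count, len(expected))
    for i, (a_type, a_perm, uid, gid) in enumerate(expected):
        entry = posix_acl.acl[i]
        self.assertEqual(entry.a_type, a_type, "entry %d: a_type" % i)
        self.assertEqual(entry.a_perm, a_perm, "entry %d: a_perm" % i)
        if uid is None:
            self.assertTrue(is_minus_one(entry.uid), "entry %d: uid" % i)
        else:
            self.assertEqual(entry.uid, uid, "entry %d: uid" % i)
        if gid is None:
            self.assertTrue(is_minus_one(entry.gid), "entry %d: gid" % i)
        else:
            self.assertEqual(entry.gid, gid, "entry %d: gid" % i)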
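def test_setntacl_policies_check_getposixacl(self):
    """Check the POSIX ACL smbd derives from the provision POLICIES ACL.

    Same procedure as the sysvol test: write the NT ACL via smbd
    (use_ntvfs=False), verify the SDDL round-trip, then check the POSIX
    access ACL entry by entry.  The Policies ACL additionally grants the
    Group Policy Creator Owners (DOMAIN_RID_POLICY_ADMINS) group, so one
    more GROUP entry is expected.  Id-type assertions are specific to the
    plugin_s4_dc selftest environment.
    """
    s3conf = s3param.get_context()
    # NOTE(review): `lp` is not assigned on the lines visible here; it is
    # presumably the loadparm context set up alongside s3conf - confirm.
    path = os.environ['SELFTEST_PREFIX']
    acl = provision.POLICIES_ACL
    # NOTE(review): predictable name in a shared prefix, never removed;
    # tempfile.mkstemp() would be safer if its 0600 create mode is confirmed
    # not to change the mapped POSIX entries asserted below.
    tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
    # Close the handle promptly instead of relying on refcount finalisation.
    with open(tempf, 'w') as f:
        f.write("empty")
    domsid = passdb.get_global_sam_sid()
    setntacl(lp,tempf,acl,str(domsid), use_ntvfs=False)
    facl = getntacl(lp,tempf)
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12).
    self.assertEqual(facl.as_sddl(domsid),acl)
    posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

    LA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_ADMINISTRATOR))
    BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
    SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
    AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
    PA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_POLICY_ADMINS))

    s4_passdb = passdb.PDB(s3conf.get("passdb backend"))

    # These assertions are correct for the current plugin_s4_dc selftest
    # configuration. When other environments have a broad range of
    # groups mapped via passdb, we can relax some of these checks.
    (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
    self.assertEqual(LA_type, idmap.ID_TYPE_UID)
    (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
    self.assertEqual(BA_type, idmap.ID_TYPE_GID)
    (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
    self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)
    (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
    # Previously re-asserted SO_type here (copy-paste), so the SYSTEM
    # mapping type was never actually checked.
    self.assertEqual(SY_type, idmap.ID_TYPE_BOTH)
    (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
    self.assertEqual(AU_type, idmap.ID_TYPE_BOTH)
    (PA_gid, PA_type) = s4_passdb.sid_to_id(PA_sid)
    self.assertEqual(PA_type, idmap.ID_TYPE_BOTH)

    # Expected entries, in the order the NDR smb_acl returns them (not
    # re-ordered for display).  a_perm is the POSIX rwx bit triple; a uid or
    # gid of None means the entry must carry the -1 "no id" marker.  Server
    # Operators and Authenticated Users are limited to r-x (5) and OTHER
    # gets nothing (0); Policy Admins get rwx (7) so they can edit GPOs.
    # (The original listing showed 'user:root:rwx' / 'uid: 0' for the owner
    # entries - that is actually the selftest user.)
    expected = [
        (smb_acl.SMB_ACL_GROUP,     7, None,   BA_gid),
        (smb_acl.SMB_ACL_USER,      6, LA_uid, None),
        (smb_acl.SMB_ACL_OTHER,     0, None,   None),
        (smb_acl.SMB_ACL_USER_OBJ,  6, None,   None),
        (smb_acl.SMB_ACL_GROUP_OBJ, 7, None,   None),
        (smb_acl.SMB_ACL_GROUP,     5, None,   SO_gid),
        (smb_acl.SMB_ACL_GROUP,     7, None,   SY_gid),
        (smb_acl.SMB_ACL_GROUP,     5, None,   AU_gid),
        (smb_acl.SMB_ACL_GROUP,     7, None,   PA_gid),
        (smb_acl.SMB_ACL_MASK,      7, None,   None),
    ]
    self.assertEqual(posix_acl.count, len(expected))
    for i, (a_type, a_perm, uid, gid) in enumerate(expected):
        entry = posix_acl.acl[i]
        self.assertEqual(entry.a_type, a_type, "entry %d: a_type" % i)
        self.assertEqual(entry.a_perm, a_perm, "entry %d: a_perm" % i)
        if uid is None:
            self.assertTrue(is_minus_one(entry.uid), "entry %d: uid" % i)
        else:
            self.assertEqual(entry.uid, uid, "entry %d: uid" % i)
        if gid is None:
            self.assertTrue(is_minus_one(entry.gid), "entry %d: gid" % i)
        else:
            self.assertEqual(entry.gid, gid, "entry %d: gid" % i)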
402 super(PosixAclMappingTests, self).setUp()
403 s3conf = s3param.get_context()
404 s3conf.load(self.get_loadparm().configfile)