1 # Unix SMB/CIFS implementation. Tests for NT and posix ACL manipulation
2 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
3 # Copyright (C) Andrew Bartlett 2012
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 """Tests for the Samba3 NT -> posix ACL layer"""
import os

from samba import provision
from samba.dcerpc import xattr, security, smb_acl, idmap
from samba.ntacls import setntacl, getntacl, checkset_backend
from samba.param import LoadParm
from samba.samba3 import smbd, passdb
from samba.samba3 import param as s3param
from samba.tests import TestCaseInTempDir
# To dump a posix ACL by hand (the print_posix_acl() helper below builds the
# same text), walk its entries; uid/gid live under entry.info:
# for entry in posix_acl.acl:
#     print("a_type: %d" % entry.a_type)
#     print("a_perm: %o" % entry.a_perm)
#     if entry.a_type == smb_acl.SMB_ACL_USER:
#         print("uid: %d" % entry.info.uid)
#     if entry.a_type == smb_acl.SMB_ACL_GROUP:
#         print("gid: %d" % entry.info.gid)
40 class PosixAclMappingTests(TestCaseInTempDir):
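def print_posix_acl(self, posix_acl):
    """Render a posix ACL as one "key: value" line per field, for assertion messages.

    Each entry contributes its a_type (decimal) and a_perm (octal); SMB_ACL_USER
    entries add the uid and SMB_ACL_GROUP entries add the gid. Every line is
    newline-terminated. The accumulator was previously never initialised and the
    text was never returned, so callers passing this as an assertion message
    got None; both are fixed here.
    """
    lines = []
    for entry in posix_acl.acl:
        lines.append("a_type: %d" % entry.a_type)
        lines.append("a_perm: %o" % entry.a_perm)
        if entry.a_type == smb_acl.SMB_ACL_USER:
            lines.append("uid: %d" % entry.info.uid)
        if entry.a_type == smb_acl.SMB_ACL_GROUP:
            lines.append("gid: %d" % entry.info.gid)
    return "".join("%s\n" % line for line in lines)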
def test_setntacl(self):
    """Storing an NT ACL through the smbd (non-ntvfs) path must succeed without raising."""
    dom = "S-1-5-21-2212615479-2695158682-2101375467"
    acl = "O:%(d)s-512G:%(d)s-513D:(A;OICI;0x001f01ff;;;%(d)s-512)" % {"d": dom}
    setntacl(self.lp, self.tempf, acl, dom, use_ntvfs=False)
def test_setntacl_smbd_getntacl(self):
    """An NT ACL stored via the ntvfs path reads back verbatim from the backing store."""
    dom = "S-1-5-21-2212615479-2695158682-2101375467"
    acl = "O:%(d)s-512G:%(d)s-513D:(A;OICI;0x001f01ff;;;%(d)s-512)" % {"d": dom}
    setntacl(self.lp, self.tempf, acl, dom, use_ntvfs=True)
    stored = getntacl(self.lp, self.tempf, direct_db_access=True)
    # SID_NT_SELF is not the file's domain, so domain SIDs stay spelled out in
    # full rather than being shortened to aliases (compare the gpo test below).
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(stored.as_sddl(anysid), acl)
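def test_setntacl_smbd_setposixacl_getntacl(self):
    """Changing the posix ACL through smbd invalidates a stored NT ACL read with direct DB access.

    The visible test body ended in an unconditional assertTrue(False), which can
    never pass. The comments around it state the intent: the posix-ACL set hook
    invalidates the stored NT ACL, and a direct-DB read (which only consults the
    xattr, without a fallback) is then expected to fail rather than hand back a
    stale ACL. That expectation is now expressed with assertRaises.
    NOTE(review): the exact exception type is not established by this file;
    narrow Exception once confirmed against the ntacls backend.
    """
    dom = "S-1-5-21-2212615479-2695158682-2101375467"
    acl = "O:%(d)s-512G:%(d)s-513D:(A;OICI;0x001f01ff;;;%(d)s-512)" % {"d": dom}
    setntacl(self.lp, self.tempf, acl, dom, use_ntvfs=True)

    # This will invalidate the ACL, as we have a hook in the posix ACL set code.
    smbd.set_simple_acl(self.tempf, 0o640)

    # Direct DB access only asks the xattr; with the stored ACL invalidated
    # there is nothing valid to return.
    with self.assertRaises(Exception):
        getntacl(self.lp, self.tempf, direct_db_access=True)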
def test_setntacl_invalidate_getntacl(self):
    """Direct DB access returns the stored NT ACL even after the posix ACL xattr was tampered with.

    The posix ACL is part of the hash stored with the NT ACL, so overwriting
    the access-ACL xattr in the backend should make that hash stale. A read
    with direct_db_access=True bypasses the hash check, however, and still
    yields the original ACL unchanged.
    """
    dom = "S-1-5-21-2212615479-2695158682-2101375467"
    acl = "O:%(d)s-512G:%(d)s-513D:(A;OICI;0x001f01ff;;;%(d)s-512)" % {"d": dom}
    setntacl(self.lp, self.tempf, acl, dom, use_ntvfs=True)

    # Overwrite the posix ACL xattr behind smbd's back.
    backend_obj, dbname = checkset_backend(self.lp, None, None)
    backend_obj.wrap_setxattr(dbname, self.tempf, "system.fake_access_acl", "")

    # Direct DB access does not notice the tampering.
    stored = getntacl(self.lp, self.tempf, direct_db_access=True)
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(acl, stored.as_sddl(anysid))
def test_setntacl_invalidate_getntacl_smbd(self):
    """An NT ACL set via the smbd path is still returned by a default getntacl() after xattr tampering.

    NOTE(review): the original comment here spoke of the 'ntvfs' mode not
    including a hash, but this test stores the ACL with use_ntvfs=False. The
    assertion presumably holds because getntacl() is called with its default
    access mode, which (as in the sibling test) appears to read the stored
    xattr without validating the hash -- confirm against samba.ntacls.getntacl.
    """
    dom = "S-1-5-21-2212615479-2695158682-2101375467"
    acl = "O:%(d)s-512G:%(d)s-513D:(A;OICI;0x001f01ff;;;%(d)s-512)" % {"d": dom}
    setntacl(self.lp, self.tempf, acl, dom, use_ntvfs=False)

    # Overwrite the posix ACL xattr in the backend; the posix ACL is part of
    # the hash stored next to the NT ACL.
    backend_obj, dbname = checkset_backend(self.lp, None, None)
    backend_obj.wrap_setxattr(dbname, self.tempf, "system.fake_access_acl", "")

    stored = getntacl(self.lp, self.tempf)
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(acl, stored.as_sddl(anysid))
def test_setntacl_smbd_invalidate_getntacl_smbd(self):
    """Tampering with the posix ACL xattr makes the smbd read path discard the stored NT ACL.

    The NT ACL written via the smbd path carries a hash over the posix ACL.
    Overwriting the access-ACL xattr directly in the backend breaks that hash,
    so a read with direct_db_access=False must not return the stale stored ACL
    and instead synthesises one from the 0o750 mode bits: full control for the
    owner, read/execute for the group, and an empty-mask ACE for Everyone.
    """
    dom = "S-1-5-21-2212615479-2695158682-2101375467"
    acl = "O:%(d)s-512G:%(d)s-513D:(A;OICI;0x001f01ff;;;%(d)s-512)" % {"d": dom}
    simple_acl_from_posix = ("O:%(d)s-512G:%(d)s-513D:(A;;0x001f01ff;;;%(d)s-512)"
                             "(A;;0x001200a9;;;%(d)s-513)(A;;;;;WD)") % {"d": dom}

    os.chmod(self.tempf, 0o750)
    setntacl(self.lp, self.tempf, acl, dom, use_ntvfs=False)

    # Break the hash by rewriting the posix ACL xattr behind smbd's back.
    backend_obj, dbname = checkset_backend(self.lp, None, None)
    backend_obj.wrap_setxattr(dbname, self.tempf, "system.fake_access_acl", "")

    synthesised = getntacl(self.lp, self.tempf, direct_db_access=False)
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(simple_acl_from_posix, synthesised.as_sddl(anysid))
def test_setntacl_getntacl_smbd(self):
    """An NT ACL stored via the ntvfs path reads back unchanged through the smbd read path."""
    dom = "S-1-5-21-2212615479-2695158682-2101375467"
    acl = "O:%(d)s-512G:%(d)s-513D:(A;OICI;0x001f01ff;;;%(d)s-512)" % {"d": dom}
    setntacl(self.lp, self.tempf, acl, dom, use_ntvfs=True)
    stored = getntacl(self.lp, self.tempf, direct_db_access=False)
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(stored.as_sddl(anysid), acl)
def test_setntacl_smbd_getntacl_smbd(self):
    """An NT ACL stored and read back through the smbd path round-trips exactly."""
    dom = "S-1-5-21-2212615479-2695158682-2101375467"
    acl = "O:%(d)s-512G:%(d)s-513D:(A;OICI;0x001f01ff;;;%(d)s-512)" % {"d": dom}
    setntacl(self.lp, self.tempf, acl, dom, use_ntvfs=False)
    stored = getntacl(self.lp, self.tempf, direct_db_access=False)
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(stored.as_sddl(anysid), acl)
def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
    """Setting a posix ACL through smbd invalidates the stored NT ACL on the smbd read path.

    The posix ACL set code has a hook that invalidates the hash of the NT ACL
    just stored, so the subsequent read returns an ACL derived from the 0o640
    mode: owner read/write, group read, and an empty-mask ACE for Everyone.
    """
    dom = "S-1-5-21-2212615479-2695158682-2101375467"
    acl = "O:%(d)s-512G:%(d)s-513D:(A;OICI;0x001f01ff;;;%(d)s-512)" % {"d": dom}
    simple_acl_from_posix = ("O:%(d)s-512G:%(d)s-513D:(A;;0x001f019f;;;%(d)s-512)"
                             "(A;;0x00120089;;;%(d)s-513)(A;;;;;WD)") % {"d": dom}

    setntacl(self.lp, self.tempf, acl, dom, use_ntvfs=False)
    smbd.set_simple_acl(self.tempf, 0o640)

    synthesised = getntacl(self.lp, self.tempf, direct_db_access=False)
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(simple_acl_from_posix, synthesised.as_sddl(anysid))
def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self):
    """A posix ACL with an extra group entry (BUILTIN\\Administrators) replaces the stored NT ACL.

    After the posix ACL set hook invalidates the NT ACL hash, the smbd read
    path recomputes the ACL from posix details; the extra group entry surfaces
    as a read ACE for BA between the owner and the primary group ACEs.
    """
    dom = "S-1-5-21-2212615479-2695158682-2101375467"
    acl = "O:%(d)s-512G:%(d)s-513D:(A;OICI;0x001f01ff;;;%(d)s-512)" % {"d": dom}
    simple_acl_from_posix = ("O:%(d)s-512G:%(d)s-513D:(A;;0x001f019f;;;%(d)s-512)"
                             "(A;;0x00120089;;;BA)(A;;0x00120089;;;%(d)s-513)"
                             "(A;;;;;WD)") % {"d": dom}

    setntacl(self.lp, self.tempf, acl, dom, use_ntvfs=False)

    BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
    BA_gid, BA_type = s4_passdb.sid_to_id(BA_sid)
    # Invalidates the hash of the NT ACL just set (hook in the posix ACL set code).
    smbd.set_simple_acl(self.tempf, 0o640, BA_gid)

    recomputed = getntacl(self.lp, self.tempf, direct_db_access=False)
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(simple_acl_from_posix, recomputed.as_sddl(anysid))
def test_setntacl_smbd_getntacl_smbd_gpo(self):
    """A GPO-style ACL with domain aliases and an object-specific SACL round-trips via smbd.

    as_sddl() is handed the domain SID so that domain-relative RIDs (DA, DU,
    EA ...) are rendered back as their two-letter aliases, matching the input.
    """
    dom = "S-1-5-21-2212615479-2695158682-2101375467"
    acl = ("O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
           "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
           "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
           "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")
    setntacl(self.lp, self.tempf, acl, dom, use_ntvfs=False)
    stored = getntacl(self.lp, self.tempf, direct_db_access=False)
    self.assertEqual(stored.as_sddl(security.dom_sid(dom)), acl)
def test_setntacl_getposixacl(self):
    """Storing an NT ACL via smbd round-trips, and the resulting posix ACL can be fetched.

    Only the NT ACL is compared; fetching the posix ACL is a smoke check that
    the mapping produced something readable -- no expectation is pinned on it.
    """
    dom = "S-1-5-21-2212615479-2695158682-2101375467"
    acl = "O:%(d)s-512G:%(d)s-513D:(A;OICI;0x001f01ff;;;%(d)s-512)" % {"d": dom}
    setntacl(self.lp, self.tempf, acl, dom, use_ntvfs=False)
    stored = getntacl(self.lp, self.tempf)
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(stored.as_sddl(anysid), acl)
    smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
def test_setposixacl_getposixacl(self):
    """Check the posix ACL produced by set_simple_acl(0o640) entry by entry.

    NOTE(review): this method is shadowed by a later definition of the same
    name in this class (Python keeps only the last ``def``), so it never runs.
    Its expectations also disagree with that later copy -- the mask entry is
    expected to be 6 here but 7 there, and the dir/group variants likewise
    expect 7 -- so this stale copy should be deleted rather than revived.
    """
    smbd.set_simple_acl(self.tempf, 0o640)
    posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
    self.assertEquals(posix_acl.count, 4, self.print_posix_acl(posix_acl))
    self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_USER_OBJ)
    self.assertEquals(posix_acl.acl[0].a_perm, 6)
    self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
    self.assertEquals(posix_acl.acl[1].a_perm, 4)
    self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
    self.assertEquals(posix_acl.acl[2].a_perm, 0)
    self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_MASK)
    # Disagrees with the surviving definition, which expects 7 here.
    self.assertEquals(posix_acl.acl[3].a_perm, 6)
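def test_setposixacl_getntacl(self):
    """A file that only ever had a posix ACL set has no NT ACL xattr to read directly.

    The visible test body ended in an unconditional assertTrue(False), which can
    never pass; the trailing comment states the intent -- the xattr is not
    expected to be filled in, so a direct read of the NT ACL should fail rather
    than return something. That is now expressed with assertRaises.
    NOTE(review): the exact exception type is not established by this file;
    narrow Exception once confirmed against the ntacls backend.
    """
    smbd.set_simple_acl(self.tempf, 0o750)

    # We don't expect the xattr to be filled in in this case.
    with self.assertRaises(Exception):
        getntacl(self.lp, self.tempf)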
def test_setposixacl_getntacl_smbd(self):
    """A plain 0o640 posix ACL maps through the smbd read path to owner rw, group r, Everyone nothing.

    Owner and group SIDs are derived from the file's current uid/gid via
    passdb, so the expected SDDL is built rather than hard-coded.
    """
    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
    st = os.stat(self.tempf)
    group_SID = s4_passdb.gid_to_sid(st.st_gid)
    user_SID = s4_passdb.uid_to_sid(st.st_uid)

    smbd.set_simple_acl(self.tempf, 0o640)
    mapped = getntacl(self.lp, self.tempf, direct_db_access=False)

    expected = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;;;;WD)" % (
        user_SID, group_SID, user_SID, group_SID)
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(expected, mapped.as_sddl(anysid))
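def test_setposixacl_dir_getntacl_smbd(self):
    """A directory chowned to BA:SO with a 0o750 posix ACL maps to the expected NT ACL.

    Besides the owner/group/Everyone ACEs the directory gets inherit-only ACEs
    for CREATOR OWNER, CREATOR GROUP and Everyone. The passdb object was
    constructed twice and an owner SID was computed but never used; both are
    dropped here, nothing asserted changes.
    NOTE(review): the inherit-only Everyone ACE carries read/execute even
    though 'other' has no rights on the directory itself -- worth confirming
    this is the intended mapping for directories without a default ACL.
    """
    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))

    BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    BA_id, BA_type = s4_passdb.sid_to_id(BA_sid)
    # Both groups must map as ID_TYPE_BOTH so they can be used as uid and gid.
    self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
    SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
    SO_id, SO_type = s4_passdb.sid_to_id(SO_sid)
    self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)

    smbd.chown(self.tempdir, BA_id, SO_id)
    smbd.set_simple_acl(self.tempdir, 0o750)
    mapped = getntacl(self.lp, self.tempdir, direct_db_access=False)

    expected = ("O:BAG:SOD:(A;;0x001f01ff;;;BA)(A;;0x001200a9;;;SO)(A;;;;;WD)"
                "(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)"
                "(A;OICIIO;0x001200a9;;;WD)")
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(expected, mapped.as_sddl(anysid))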
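def test_setposixacl_group_getntacl_smbd(self):
    """A 0o640 posix ACL with an extra BUILTIN\\Administrators group entry maps to an extra read ACE for BA.

    The extra named-group entry appears between the owner ACE and the primary
    group ACE. An unused local (the global SAM SID) has been removed.
    """
    BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
    BA_gid, BA_type = s4_passdb.sid_to_id(BA_sid)
    self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)

    st = os.stat(self.tempf)
    group_SID = s4_passdb.gid_to_sid(st.st_gid)
    user_SID = s4_passdb.uid_to_sid(st.st_uid)

    smbd.set_simple_acl(self.tempf, 0o640, BA_gid)
    mapped = getntacl(self.lp, self.tempf, direct_db_access=False)

    expected = ("O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)"
                "(A;;0x00120089;;;%s)(A;;;;;WD)") % (user_SID, group_SID, user_SID, group_SID)
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(expected, mapped.as_sddl(anysid))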
def test_setposixacl_getposixacl(self):
    """set_simple_acl(0o640) without an extra group yields user/group/other/mask entries.

    Entries are checked in backend order. The mask entry is rwx even though
    the mode only grants rw-/r--, as in the dir and group variants below.
    """
    smbd.set_simple_acl(self.tempf, 0o640)
    posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

    expected = [
        (smb_acl.SMB_ACL_USER_OBJ, 6),
        (smb_acl.SMB_ACL_GROUP_OBJ, 4),
        (smb_acl.SMB_ACL_OTHER, 0),
        (smb_acl.SMB_ACL_MASK, 7),
    ]
    self.assertEqual(posix_acl.count, len(expected), self.print_posix_acl(posix_acl))
    for index, (a_type, a_perm) in enumerate(expected):
        self.assertEqual(posix_acl.acl[index].a_type, a_type)
        self.assertEqual(posix_acl.acl[index].a_perm, a_perm)
def test_setposixacl_dir_getposixacl(self):
    """set_simple_acl(0o750) on a directory yields rwx/r-x/--- plus an rwx mask entry."""
    smbd.set_simple_acl(self.tempdir, 0o750)
    posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)

    expected = [
        (smb_acl.SMB_ACL_USER_OBJ, 7),
        (smb_acl.SMB_ACL_GROUP_OBJ, 5),
        (smb_acl.SMB_ACL_OTHER, 0),
        (smb_acl.SMB_ACL_MASK, 7),
    ]
    self.assertEqual(posix_acl.count, len(expected), self.print_posix_acl(posix_acl))
    for index, (a_type, a_perm) in enumerate(expected):
        self.assertEqual(posix_acl.acl[index].a_type, a_type)
        self.assertEqual(posix_acl.acl[index].a_perm, a_perm)
def test_setposixacl_group_getposixacl(self):
    """set_simple_acl(0o670, gid) adds a named-group entry carrying the group mode bits.

    BUILTIN\\Administrators must map as ID_TYPE_BOTH so it can be used as a
    gid. The named group entry sits after user/group/other and before the
    rwx mask entry.
    """
    BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
    BA_gid, BA_type = s4_passdb.sid_to_id(BA_sid)
    self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)

    smbd.set_simple_acl(self.tempf, 0o670, BA_gid)
    posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

    expected = [
        (smb_acl.SMB_ACL_USER_OBJ, 6),
        (smb_acl.SMB_ACL_GROUP_OBJ, 7),
        (smb_acl.SMB_ACL_OTHER, 0),
        (smb_acl.SMB_ACL_GROUP, 7),
        (smb_acl.SMB_ACL_MASK, 7),
    ]
    self.assertEqual(posix_acl.count, len(expected), self.print_posix_acl(posix_acl))
    for index, (a_type, a_perm) in enumerate(expected):
        self.assertEqual(posix_acl.acl[index].a_type, a_type)
        self.assertEqual(posix_acl.acl[index].a_perm, a_perm)
    self.assertEqual(posix_acl.acl[3].info.gid, BA_gid)
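def test_setntacl_sysvol_check_getposixacl(self):
    """Provisioning SYSVOL_ACL on a file stores it verbatim and yields the expected posix ACL.

    The NT ACL is written through the smbd path and must read back unchanged;
    the posix ACL smbd derives from it is then checked entry by entry against
    a table in backend order (the NDR smb_acl is not re-sorted for display).
    Under nss_wrapper with the winbind module the local Administrator's user
    entry and the owner entry carry rwx instead of rw-.

    Two fixes against the previous version: the SYSTEM mapping asserted
    SO_type a second time instead of SY_type (SYSTEM appears below as both a
    user and a group entry, so ID_TYPE_BOTH is what the table relies on), and
    the nss_wrapper detection compared os.getenv() output -- which is None
    when the variable is unset -- against "" only.

    The id-type assertions are correct for the current ad_dc selftest
    configuration; environments with a broader idmap may need them relaxed.
    """
    acl = provision.SYSVOL_ACL
    domsid = passdb.get_global_sam_sid()
    setntacl(self.lp, self.tempf, acl, str(domsid), use_ntvfs=False)
    facl = getntacl(self.lp, self.tempf)
    self.assertEqual(facl.as_sddl(domsid), acl)
    posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

    nwrap_module_so_path = os.getenv('NSS_WRAPPER_MODULE_SO_PATH')
    nwrap_module_fn_prefix = os.getenv('NSS_WRAPPER_MODULE_FN_PREFIX')
    # Treat an unset variable like an empty one.
    nwrap_winbind_active = (bool(nwrap_module_so_path) and
                            nwrap_module_fn_prefix == "winbind")
    la_perm = 7 if nwrap_winbind_active else 6

    LA_sid = security.dom_sid("%s-%s" % (domsid, security.DOMAIN_RID_ADMINISTRATOR))
    BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
    SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
    AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)

    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))

    LA_uid, LA_type = s4_passdb.sid_to_id(LA_sid)
    self.assertEqual(LA_type, idmap.ID_TYPE_UID)
    BA_gid, BA_type = s4_passdb.sid_to_id(BA_sid)
    self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
    SO_gid, SO_type = s4_passdb.sid_to_id(SO_sid)
    self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)
    SY_gid, SY_type = s4_passdb.sid_to_id(SY_sid)
    self.assertEqual(SY_type, idmap.ID_TYPE_BOTH)
    AU_gid, AU_type = s4_passdb.sid_to_id(AU_sid)
    self.assertEqual(AU_type, idmap.ID_TYPE_BOTH)

    # (a_type, a_perm, uid/gid for named user/group entries, else None)
    expected = [
        (smb_acl.SMB_ACL_GROUP, 7, BA_gid),
        (smb_acl.SMB_ACL_USER, la_perm, LA_uid),
        (smb_acl.SMB_ACL_OTHER, 0, None),
        (smb_acl.SMB_ACL_USER_OBJ, la_perm, None),
        (smb_acl.SMB_ACL_USER, 7, BA_gid),
        (smb_acl.SMB_ACL_GROUP_OBJ, 7, None),
        (smb_acl.SMB_ACL_USER, 5, SO_gid),
        (smb_acl.SMB_ACL_GROUP, 5, SO_gid),
        (smb_acl.SMB_ACL_USER, 7, SY_gid),
        (smb_acl.SMB_ACL_GROUP, 7, SY_gid),
        (smb_acl.SMB_ACL_USER, 5, AU_gid),
        (smb_acl.SMB_ACL_GROUP, 5, AU_gid),
        (smb_acl.SMB_ACL_MASK, 7, None),
    ]
    self.assertEqual(posix_acl.count, len(expected), self.print_posix_acl(posix_acl))
    for index, (a_type, a_perm, ident) in enumerate(expected):
        entry = posix_acl.acl[index]
        self.assertEqual(entry.a_type, a_type, "entry %d type" % index)
        self.assertEqual(entry.a_perm, a_perm, "entry %d perm" % index)
        if a_type == smb_acl.SMB_ACL_USER:
            self.assertEqual(entry.info.uid, ident, "entry %d uid" % index)
        elif a_type == smb_acl.SMB_ACL_GROUP:
            self.assertEqual(entry.info.gid, ident, "entry %d gid" % index)
    # The getfacl-style listing that followed here in the original (owner is
    # the selftest user, 'Local Admins' rwx, ...) is what the table encodes.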
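def test_setntacl_sysvol_dir_check_getposixacl(self):
    """Provisioning SYSVOL_ACL on a directory stores it verbatim and yields the expected posix ACL.

    Same shape as the file variant, but the local Administrator's user entry
    and the owner entry are rwx unconditionally (no nss_wrapper special case).
    Entries are checked against a table in backend order.

    Fix against the previous version: the SYSTEM mapping asserted SO_type a
    second time instead of SY_type; SYSTEM appears below as both a user and a
    group entry, so its mapping must be ID_TYPE_BOTH.

    The id-type assertions are correct for the current ad_dc selftest
    configuration; environments with a broader idmap may need them relaxed.
    """
    acl = provision.SYSVOL_ACL
    domsid = passdb.get_global_sam_sid()
    setntacl(self.lp, self.tempdir, acl, str(domsid), use_ntvfs=False)
    facl = getntacl(self.lp, self.tempdir)
    self.assertEqual(facl.as_sddl(domsid), acl)
    posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)

    LA_sid = security.dom_sid("%s-%s" % (domsid, security.DOMAIN_RID_ADMINISTRATOR))
    BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
    SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
    AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)

    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))

    LA_uid, LA_type = s4_passdb.sid_to_id(LA_sid)
    self.assertEqual(LA_type, idmap.ID_TYPE_UID)
    BA_gid, BA_type = s4_passdb.sid_to_id(BA_sid)
    self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
    SO_gid, SO_type = s4_passdb.sid_to_id(SO_sid)
    self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)
    SY_gid, SY_type = s4_passdb.sid_to_id(SY_sid)
    self.assertEqual(SY_type, idmap.ID_TYPE_BOTH)
    AU_gid, AU_type = s4_passdb.sid_to_id(AU_sid)
    self.assertEqual(AU_type, idmap.ID_TYPE_BOTH)

    # (a_type, a_perm, uid/gid for named user/group entries, else None)
    expected = [
        (smb_acl.SMB_ACL_GROUP, 7, BA_gid),
        (smb_acl.SMB_ACL_USER, 7, LA_uid),
        (smb_acl.SMB_ACL_OTHER, 0, None),
        (smb_acl.SMB_ACL_USER_OBJ, 7, None),
        (smb_acl.SMB_ACL_USER, 7, BA_gid),
        (smb_acl.SMB_ACL_GROUP_OBJ, 7, None),
        (smb_acl.SMB_ACL_USER, 5, SO_gid),
        (smb_acl.SMB_ACL_GROUP, 5, SO_gid),
        (smb_acl.SMB_ACL_USER, 7, SY_gid),
        (smb_acl.SMB_ACL_GROUP, 7, SY_gid),
        (smb_acl.SMB_ACL_USER, 5, AU_gid),
        (smb_acl.SMB_ACL_GROUP, 5, AU_gid),
        (smb_acl.SMB_ACL_MASK, 7, None),
    ]
    self.assertEqual(posix_acl.count, len(expected), self.print_posix_acl(posix_acl))
    for index, (a_type, a_perm, ident) in enumerate(expected):
        entry = posix_acl.acl[index]
        self.assertEqual(entry.a_type, a_type, "entry %d type" % index)
        self.assertEqual(entry.a_perm, a_perm, "entry %d perm" % index)
        if a_type == smb_acl.SMB_ACL_USER:
            self.assertEqual(entry.info.uid, ident, "entry %d uid" % index)
        elif a_type == smb_acl.SMB_ACL_GROUP:
            self.assertEqual(entry.info.gid, ident, "entry %d gid" % index)
    # The getfacl-style listing that followed here in the original (owner is
    # the selftest user, rwx) is what the table encodes.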
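def test_setntacl_policies_dir_check_getposixacl(self):
    """Provisioning POLICIES_ACL on a directory stores it verbatim and yields the expected posix ACL.

    Same shape as the SYSVOL directory test plus rwx user and group entries
    for the domain's Group Policy Creator Owners (DOMAIN_RID_POLICY_ADMINS),
    placed just before the mask entry. Entries are checked against a table
    in backend order.

    Fix against the previous version: the SYSTEM mapping asserted SO_type a
    second time instead of SY_type; SYSTEM appears below as both a user and a
    group entry, so its mapping must be ID_TYPE_BOTH.

    The id-type assertions are correct for the current ad_dc selftest
    configuration; environments with a broader idmap may need them relaxed.
    """
    acl = provision.POLICIES_ACL
    domsid = passdb.get_global_sam_sid()
    setntacl(self.lp, self.tempdir, acl, str(domsid), use_ntvfs=False)
    facl = getntacl(self.lp, self.tempdir)
    self.assertEqual(facl.as_sddl(domsid), acl)
    posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)

    LA_sid = security.dom_sid("%s-%s" % (domsid, security.DOMAIN_RID_ADMINISTRATOR))
    BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
    SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
    AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
    PA_sid = security.dom_sid("%s-%s" % (domsid, security.DOMAIN_RID_POLICY_ADMINS))

    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))

    LA_uid, LA_type = s4_passdb.sid_to_id(LA_sid)
    self.assertEqual(LA_type, idmap.ID_TYPE_UID)
    BA_gid, BA_type = s4_passdb.sid_to_id(BA_sid)
    self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
    SO_gid, SO_type = s4_passdb.sid_to_id(SO_sid)
    self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)
    SY_gid, SY_type = s4_passdb.sid_to_id(SY_sid)
    self.assertEqual(SY_type, idmap.ID_TYPE_BOTH)
    AU_gid, AU_type = s4_passdb.sid_to_id(AU_sid)
    self.assertEqual(AU_type, idmap.ID_TYPE_BOTH)
    PA_gid, PA_type = s4_passdb.sid_to_id(PA_sid)
    self.assertEqual(PA_type, idmap.ID_TYPE_BOTH)

    # (a_type, a_perm, uid/gid for named user/group entries, else None)
    expected = [
        (smb_acl.SMB_ACL_GROUP, 7, BA_gid),
        (smb_acl.SMB_ACL_USER, 7, LA_uid),
        (smb_acl.SMB_ACL_OTHER, 0, None),
        (smb_acl.SMB_ACL_USER_OBJ, 7, None),
        (smb_acl.SMB_ACL_USER, 7, BA_gid),
        (smb_acl.SMB_ACL_GROUP_OBJ, 7, None),
        (smb_acl.SMB_ACL_USER, 5, SO_gid),
        (smb_acl.SMB_ACL_GROUP, 5, SO_gid),
        (smb_acl.SMB_ACL_USER, 7, SY_gid),
        (smb_acl.SMB_ACL_GROUP, 7, SY_gid),
        (smb_acl.SMB_ACL_USER, 5, AU_gid),
        (smb_acl.SMB_ACL_GROUP, 5, AU_gid),
        (smb_acl.SMB_ACL_USER, 7, PA_gid),
        (smb_acl.SMB_ACL_GROUP, 7, PA_gid),
        (smb_acl.SMB_ACL_MASK, 7, None),
    ]
    self.assertEqual(posix_acl.count, len(expected), self.print_posix_acl(posix_acl))
    for index, (a_type, a_perm, ident) in enumerate(expected):
        entry = posix_acl.acl[index]
        self.assertEqual(entry.a_type, a_type, "entry %d type" % index)
        self.assertEqual(entry.a_perm, a_perm, "entry %d perm" % index)
        if a_type == smb_acl.SMB_ACL_USER:
            self.assertEqual(entry.info.uid, ident, "entry %d uid" % index)
        elif a_type == smb_acl.SMB_ACL_GROUP:
            self.assertEqual(entry.info.gid, ident, "entry %d gid" % index)
    # The getfacl-style listing that followed here in the original (owner is
    # the selftest user, rwx) is what the table encodes.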
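def test_setntacl_policies_check_getposixacl(self):
    """Provisioning POLICIES_ACL on a file stores it verbatim and yields the expected posix ACL.

    Same shape as the SYSVOL file test plus rwx user and group entries for the
    domain's Group Policy Creator Owners (DOMAIN_RID_POLICY_ADMINS), placed
    just before the mask entry. Under nss_wrapper with the winbind module the
    local Administrator's user entry and the owner entry carry rwx instead of
    rw-. Entries are checked against a table in backend order.

    Two fixes against the previous version: the SYSTEM mapping asserted
    SO_type a second time instead of SY_type (SYSTEM appears below as both a
    user and a group entry, so ID_TYPE_BOTH is what the table relies on), and
    the nss_wrapper detection compared os.getenv() output -- which is None
    when the variable is unset -- against "" only.

    The id-type assertions are correct for the current ad_dc selftest
    configuration; environments with a broader idmap may need them relaxed.
    """
    acl = provision.POLICIES_ACL
    domsid = passdb.get_global_sam_sid()
    setntacl(self.lp, self.tempf, acl, str(domsid), use_ntvfs=False)
    facl = getntacl(self.lp, self.tempf)
    self.assertEqual(facl.as_sddl(domsid), acl)
    posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

    nwrap_module_so_path = os.getenv('NSS_WRAPPER_MODULE_SO_PATH')
    nwrap_module_fn_prefix = os.getenv('NSS_WRAPPER_MODULE_FN_PREFIX')
    # Treat an unset variable like an empty one.
    nwrap_winbind_active = (bool(nwrap_module_so_path) and
                            nwrap_module_fn_prefix == "winbind")
    la_perm = 7 if nwrap_winbind_active else 6

    LA_sid = security.dom_sid("%s-%s" % (domsid, security.DOMAIN_RID_ADMINISTRATOR))
    BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
    SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
    AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
    PA_sid = security.dom_sid("%s-%s" % (domsid, security.DOMAIN_RID_POLICY_ADMINS))

    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))

    LA_uid, LA_type = s4_passdb.sid_to_id(LA_sid)
    self.assertEqual(LA_type, idmap.ID_TYPE_UID)
    BA_gid, BA_type = s4_passdb.sid_to_id(BA_sid)
    self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
    SO_gid, SO_type = s4_passdb.sid_to_id(SO_sid)
    self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)
    SY_gid, SY_type = s4_passdb.sid_to_id(SY_sid)
    self.assertEqual(SY_type, idmap.ID_TYPE_BOTH)
    AU_gid, AU_type = s4_passdb.sid_to_id(AU_sid)
    self.assertEqual(AU_type, idmap.ID_TYPE_BOTH)
    PA_gid, PA_type = s4_passdb.sid_to_id(PA_sid)
    self.assertEqual(PA_type, idmap.ID_TYPE_BOTH)

    # (a_type, a_perm, uid/gid for named user/group entries, else None)
    expected = [
        (smb_acl.SMB_ACL_GROUP, 7, BA_gid),
        (smb_acl.SMB_ACL_USER, la_perm, LA_uid),
        (smb_acl.SMB_ACL_OTHER, 0, None),
        (smb_acl.SMB_ACL_USER_OBJ, la_perm, None),
        (smb_acl.SMB_ACL_USER, 7, BA_gid),
        (smb_acl.SMB_ACL_GROUP_OBJ, 7, None),
        (smb_acl.SMB_ACL_USER, 5, SO_gid),
        (smb_acl.SMB_ACL_GROUP, 5, SO_gid),
        (smb_acl.SMB_ACL_USER, 7, SY_gid),
        (smb_acl.SMB_ACL_GROUP, 7, SY_gid),
        (smb_acl.SMB_ACL_USER, 5, AU_gid),
        (smb_acl.SMB_ACL_GROUP, 5, AU_gid),
        (smb_acl.SMB_ACL_USER, 7, PA_gid),
        (smb_acl.SMB_ACL_GROUP, 7, PA_gid),
        (smb_acl.SMB_ACL_MASK, 7, None),
    ]
    self.assertEqual(posix_acl.count, len(expected), self.print_posix_acl(posix_acl))
    for index, (a_type, a_perm, ident) in enumerate(expected):
        entry = posix_acl.acl[index]
        self.assertEqual(entry.a_type, a_type, "entry %d type" % index)
        self.assertEqual(entry.a_perm, a_perm, "entry %d perm" % index)
        if a_type == smb_acl.SMB_ACL_USER:
            self.assertEqual(entry.info.uid, ident, "entry %d uid" % index)
        elif a_type == smb_acl.SMB_ACL_GROUP:
            self.assertEqual(entry.info.gid, ident, "entry %d gid" % index)
    # The getfacl-style listing that followed here in the original (owner is
    # the selftest user, 'Local Admins' rwx, ...) is what the table encodes.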
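def setUp(self):
    """Prepare a per-test temp file and point the s3 xattr_tdb backend into the temp dir.

    The ``def`` line is absent from the extracted text and is restored from
    the ``super(...).setUp()`` call, which identifies the method. The file
    is now written with a context manager so the handle is closed
    deterministically rather than by garbage collection.
    NOTE(review): every test reads ``self.lp`` but the visible setUp never
    assigned it; it is set here to the s3 loadparm context that carries the
    xattr_tdb setting -- confirm this is the intended object.
    """
    super(PosixAclMappingTests, self).setUp()
    s3conf = s3param.get_context()
    s3conf.load(self.get_loadparm().configfile)
    # Keep the xattr store inside the per-test temp dir so each test sees a
    # fresh backend and tearDown can remove it.
    s3conf.set("xattr_tdb:file", os.path.join(self.tempdir, "xattr.tdb"))
    self.lp = s3conf
    self.tempf = os.path.join(self.tempdir, "test")
    with open(self.tempf, 'w') as fh:
        fh.write("empty")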
def tearDown(self):
    """Remove the test file through smbd and the per-test xattr tdb, then let the base class clean up.

    The ``def`` line is absent from the extracted text and is restored from
    the ``super(...).tearDown()`` call, which identifies the method.
    """
    smbd.unlink(self.tempf)
    xattr_db = os.path.join(self.tempdir, "xattr.tdb")
    os.unlink(xattr_db)
    super(PosixAclMappingTests, self).tearDown()