2 Unix SMB/CIFS implementation.
3 Set NT and POSIX ACLs and other VFS operations from Python
5 Copyrigyt (C) Andrew Bartlett 2012
6 Copyright (C) Jeremy Allison 1994-2009.
7 Copyright (C) Andreas Gruenbacher 2002.
8 Copyright (C) Simo Sorce <idra@samba.org> 2009.
9 Copyright (C) Simo Sorce 2002
10 Copyright (C) Eric Lorimer 2002
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include "smbd/smbd.h"
29 #include "libcli/util/pyerrors.h"
30 #include "librpc/rpc/pyrpc_util.h"
32 #include "system/filesys.h"
34 extern const struct generic_mapping file_generic_mapping;
37 #define DBGC_CLASS DBGC_ACLS
39 static NTSTATUS set_sys_acl_no_snum(const char *fname,
40 SMB_ACL_TYPE_T acltype,
43 connection_struct *conn;
44 NTSTATUS status = NT_STATUS_OK;
48 conn = talloc_zero(NULL, connection_struct);
50 DEBUG(0, ("talloc failed\n"));
51 return NT_STATUS_NO_MEMORY;
54 if (!(conn->params = talloc(conn, struct share_params))) {
55 DEBUG(0,("set_sys_acl_no_snum: talloc() failed!\n"));
57 return NT_STATUS_NO_MEMORY;
60 /* we want total control over the permissions on created files,
61 so set our umask to 0 */
62 saved_umask = umask(0);
64 conn->params->service = -1;
66 set_conn_connectpath(conn, "/");
70 ret = SMB_VFS_SYS_ACL_SET_FILE( conn, fname, acltype, theacl);
72 status = map_nt_error_from_unix_common(ret);
73 DEBUG(0,("set_sys_acl_no_snum: SMB_VFS_SYS_ACL_SET_FILE "
84 static NTSTATUS set_nt_acl_no_snum(const char *fname,
85 uint32 security_info_sent, const struct security_descriptor *sd)
87 TALLOC_CTX *frame = talloc_stackframe();
88 connection_struct *conn;
89 NTSTATUS status = NT_STATUS_OK;
91 struct smb_filename *smb_fname = NULL;
95 if (!posix_locking_init(false)) {
97 return NT_STATUS_NO_MEMORY;
100 conn = talloc_zero(frame, connection_struct);
103 DEBUG(0, ("talloc failed\n"));
104 return NT_STATUS_NO_MEMORY;
107 if (!(conn->params = talloc(conn, struct share_params))) {
108 DEBUG(0,("set_nt_acl_no_snum: talloc() failed!\n"));
110 return NT_STATUS_NO_MEMORY;
113 fsp = talloc_zero(frame, struct files_struct);
116 return NT_STATUS_NO_MEMORY;
118 fsp->fh = talloc(fsp, struct fd_handle);
119 if (fsp->fh == NULL) {
121 return NT_STATUS_NO_MEMORY;
125 /* we want total control over the permissions on created files,
126 so set our umask to 0 */
127 saved_umask = umask(0);
129 conn->params->service = -1;
131 set_conn_connectpath(conn, "/");
135 status = create_synthetic_smb_fname_split(fsp, fname, NULL,
137 if (!NT_STATUS_IS_OK(status)) {
143 fsp->fsp_name = smb_fname;
146 flags = O_RDONLY|O_DIRECTORY;
148 /* POSIX allows us to open a directory with O_RDONLY. */
152 fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, O_RDWR, 00400);
153 if (fsp->fh->fd == -1 && errno == EISDIR) {
154 fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, 00400);
156 if (fsp->fh->fd == -1) {
157 printf("open: error=%d (%s)\n", errno, strerror(errno));
160 return NT_STATUS_UNSUCCESSFUL;
163 status = SMB_VFS_FSET_NT_ACL( fsp, security_info_sent, sd);
164 if (!NT_STATUS_IS_OK(status)) {
165 DEBUG(0,("set_nt_acl_no_snum: fset_nt_acl returned %s.\n", nt_errstr(status)));
178 static SMB_ACL_T make_simple_acl(gid_t gid, mode_t chmod_mode)
180 TALLOC_CTX *frame = talloc_stackframe();
182 mode_t mode = SMB_ACL_READ|SMB_ACL_WRITE;
184 mode_t mode_user = (chmod_mode & 0700) >> 6;
185 mode_t mode_group = (chmod_mode & 070) >> 3;
186 mode_t mode_other = chmod_mode & 07;
187 SMB_ACL_ENTRY_T entry;
188 SMB_ACL_T acl = sys_acl_init(frame);
194 if (sys_acl_create_entry(&acl, &entry) != 0) {
199 if (sys_acl_set_tag_type(entry, SMB_ACL_USER_OBJ) != 0) {
204 if (sys_acl_set_permset(entry, &mode_user) != 0) {
209 if (sys_acl_create_entry(&acl, &entry) != 0) {
214 if (sys_acl_set_tag_type(entry, SMB_ACL_GROUP_OBJ) != 0) {
219 if (sys_acl_set_permset(entry, &mode_group) != 0) {
224 if (sys_acl_create_entry(&acl, &entry) != 0) {
229 if (sys_acl_set_tag_type(entry, SMB_ACL_OTHER) != 0) {
234 if (sys_acl_set_permset(entry, &mode_other) != 0) {
240 if (sys_acl_create_entry(&acl, &entry) != 0) {
245 if (sys_acl_set_tag_type(entry, SMB_ACL_GROUP) != 0) {
250 if (sys_acl_set_qualifier(entry, &gid) != 0) {
255 if (sys_acl_set_permset(entry, &mode_group) != 0) {
261 if (sys_acl_create_entry(&acl, &entry) != 0) {
266 if (sys_acl_set_tag_type(entry, SMB_ACL_MASK) != 0) {
271 if (sys_acl_set_permset(entry, &mode) != 0) {
279 set a simple ACL on a file, as a test
281 static PyObject *py_smbd_set_simple_acl(PyObject *self, PyObject *args)
289 if (!PyArg_ParseTuple(args, "si|i", &fname, &mode, &gid))
292 acl = make_simple_acl(gid, mode);
294 frame = talloc_stackframe();
296 status = set_sys_acl_no_snum(fname, SMB_ACL_TYPE_ACCESS, acl);
301 PyErr_NTSTATUS_IS_ERR_RAISE(status);
309 static PyObject *py_smbd_chown(PyObject *self, PyObject *args)
311 connection_struct *conn;
312 NTSTATUS status = NT_STATUS_OK;
320 if (!PyArg_ParseTuple(args, "sii", &fname, &uid, &gid))
323 frame = talloc_stackframe();
325 conn = talloc_zero(frame, connection_struct);
331 if (!(conn->params = talloc(conn, struct share_params))) {
336 /* we want total control over the permissions on created files,
337 so set our umask to 0 */
338 saved_umask = umask(0);
340 conn->params->service = -1;
342 set_conn_connectpath(conn, "/");
346 ret = SMB_VFS_CHOWN( conn, fname, uid, gid);
348 status = map_nt_error_from_unix_common(errno);
349 DEBUG(0,("chown returned failure: %s\n", strerror(errno)));
358 PyErr_NTSTATUS_IS_ERR_RAISE(status);
366 static PyObject *py_smbd_unlink(PyObject *self, PyObject *args)
368 connection_struct *conn;
369 NTSTATUS status = NT_STATUS_OK;
371 struct smb_filename *smb_fname = NULL;
377 if (!PyArg_ParseTuple(args, "s", &fname))
380 frame = talloc_stackframe();
382 conn = talloc_zero(frame, connection_struct);
388 if (!(conn->params = talloc(conn, struct share_params))) {
393 /* we want total control over the permissions on created files,
394 so set our umask to 0 */
395 saved_umask = umask(0);
397 conn->params->service = -1;
399 set_conn_connectpath(conn, "/");
403 status = create_synthetic_smb_fname_split(frame, fname, NULL,
405 if (!NT_STATUS_IS_OK(status)) {
408 PyErr_NTSTATUS_IS_ERR_RAISE(status);
411 ret = SMB_VFS_UNLINK(conn, smb_fname);
413 status = map_nt_error_from_unix_common(errno);
414 DEBUG(0,("unlink returned failure: %s\n", strerror(errno)));
423 PyErr_NTSTATUS_IS_ERR_RAISE(status);
429 check if we have ACL support
431 static PyObject *py_smbd_have_posix_acls(PyObject *self, PyObject *args)
433 #ifdef HAVE_POSIX_ACLS
434 return PyBool_FromLong(true);
436 return PyBool_FromLong(false);
441 set the NT ACL on a file
443 static PyObject *py_smbd_set_nt_acl(PyObject *self, PyObject *args)
447 int security_info_sent;
449 struct security_descriptor *sd;
451 if (!PyArg_ParseTuple(args, "siO", &fname, &security_info_sent, &py_sd))
454 if (!py_check_dcerpc_type(py_sd, "samba.dcerpc.security", "descriptor")) {
458 sd = pytalloc_get_type(py_sd, struct security_descriptor);
460 status = set_nt_acl_no_snum(fname, security_info_sent, sd);
461 PyErr_NTSTATUS_IS_ERR_RAISE(status);
467 Return the NT ACL on a file
469 static PyObject *py_smbd_get_nt_acl(PyObject *self, PyObject *args)
472 int security_info_wanted;
474 struct security_descriptor *sd;
475 TALLOC_CTX *tmp_ctx = talloc_new(NULL);
477 if (!PyArg_ParseTuple(args, "si", &fname, &security_info_wanted))
480 sd = get_nt_acl_no_snum(tmp_ctx, fname, security_info_wanted);
482 py_sd = py_return_ndr_struct("samba.dcerpc.security", "descriptor", sd, sd);
484 talloc_free(tmp_ctx);
490 set the posix (or similar) ACL on a file
492 static PyObject *py_smbd_set_sys_acl(PyObject *self, PyObject *args)
497 struct smb_acl_t *acl;
500 if (!PyArg_ParseTuple(args, "siO", &fname, &acl_type, &py_acl))
503 if (!py_check_dcerpc_type(py_acl, "samba.dcerpc.smb_acl", "t")) {
507 acl = pytalloc_get_type(py_acl, struct smb_acl_t);
509 status = set_sys_acl_no_snum(fname, acl_type, acl);
510 PyErr_NTSTATUS_IS_ERR_RAISE(status);
516 Return the posix (or similar) ACL on a file
518 static PyObject *py_smbd_get_sys_acl(PyObject *self, PyObject *args)
522 struct smb_acl_t *acl;
524 TALLOC_CTX *frame = talloc_stackframe();
525 connection_struct *conn;
526 NTSTATUS status = NT_STATUS_OK;
528 if (!PyArg_ParseTuple(args, "si", &fname, &acl_type)) {
533 conn = talloc_zero(frame, connection_struct);
535 DEBUG(0, ("talloc failed\n"));
541 if (!(conn->params = talloc(conn, struct share_params))) {
542 DEBUG(0,("get_nt_acl_no_snum: talloc() failed!\n"));
548 conn->params->service = -1;
550 set_conn_connectpath(conn, "/");
554 acl = SMB_VFS_SYS_ACL_GET_FILE( conn, fname, acl_type, frame);
557 status = map_nt_error_from_unix_common(errno);
558 DEBUG(0,("sys_acl_get_file returned NULL: %s\n", strerror(errno)));
559 PyErr_NTSTATUS_IS_ERR_RAISE(status);
564 py_acl = py_return_ndr_struct("samba.dcerpc.smb_acl", "t", acl, acl);
571 static PyMethodDef py_smbd_methods[] = {
573 (PyCFunction)py_smbd_have_posix_acls, METH_VARARGS,
576 (PyCFunction)py_smbd_set_simple_acl, METH_VARARGS,
579 (PyCFunction)py_smbd_set_nt_acl, METH_VARARGS,
582 (PyCFunction)py_smbd_get_nt_acl, METH_VARARGS,
585 (PyCFunction)py_smbd_get_sys_acl, METH_VARARGS,
588 (PyCFunction)py_smbd_set_sys_acl, METH_VARARGS,
591 (PyCFunction)py_smbd_chown, METH_VARARGS,
594 (PyCFunction)py_smbd_unlink, METH_VARARGS,
604 m = Py_InitModule3("smbd", py_smbd_methods,
605 "Python bindings for the smbd file server.");
git.samba.org / metze / samba / wip.git / blob