source4/scripting/python/samba/tests/posixacl.py

   1 # Unix SMB/CIFS implementation. Tests for NT and posix ACL manipulation
   2 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
   3 # Copyright (C) Andrew Bartlett 2012
   4 #
   5 # This program is free software; you can redistribute it and/or modify
   6 # it under the terms of the GNU General Public License as published by
   7 # the Free Software Foundation; either version 3 of the License, or
   8 # (at your option) any later version.
   9 #
  10 # This program is distributed in the hope that it will be useful,
  11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13 # GNU General Public License for more details.
  14 #
  15 # You should have received a copy of the GNU General Public License
  16 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  17 #
  18
  19 """Tests for the Samba3 NT -> posix ACL layer"""
  20
  21 from samba.ntacls import setntacl, getntacl, checkset_backend
  22 from samba.dcerpc import xattr, security, smb_acl, idmap
  23 from samba.param import LoadParm
  24 from samba.tests import TestCase
  25 from samba import provision
  26 import random
  27 import os
  28 from samba.samba3 import smbd, passdb
  29 from samba.samba3 import param as s3param
  30
  31 # To print a posix ACL use:
  32 #        for entry in posix_acl.acl:
  33 #            print "a_type: %d" % entry.a_type
  34 #            print "a_perm: %o" % entry.a_perm
  35 #            print "uid: %d" % entry.uid
  36 #            print "gid: %d" % entry.gid
  37
  38 class PosixAclMappingTests(TestCase):
  39
  40     def test_setntacl(self):
  41         random.seed()
  42         lp = LoadParm()
  43         path = os.environ['SELFTEST_PREFIX']
  44         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
  45         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
  46         open(tempf, 'w').write("empty")
  47         setntacl(lp, tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
  48         smbd.unlink(tempf)
  49
  50     def test_setntacl_smbd_getntacl(self):
  51         random.seed()
  52         lp = LoadParm()
  53         path = None
  54         path = os.environ['SELFTEST_PREFIX']
  55         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
  56         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
  57         open(tempf, 'w').write("empty")
  58         setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
  59         facl = getntacl(lp,tempf, direct_db_access=True)
  60         anysid = security.dom_sid(security.SID_NT_SELF)
  61         self.assertEquals(facl.as_sddl(anysid),acl)
  62         smbd.unlink(tempf)
  63
  64     def test_setntacl_smbd_setposixacl_getntacl(self):
  65         random.seed()
  66         lp = LoadParm()
  67         path = None
  68         path = os.environ['SELFTEST_PREFIX']
  69         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
  70         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
  71         open(tempf, 'w').write("empty")
  72         setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
  73
  74         # This will invalidate the ACL, as we have a hook!
  75         smbd.set_simple_acl(tempf, 0640)
  76
  77         # However, this only asks the xattr
  78         try:
  79             facl = getntacl(lp,tempf, direct_db_access=True)
  80             self.assertTrue(False)
  81         except TypeError:
  82             pass
  83         smbd.unlink(tempf)
  84
  85     def test_setntacl_invalidate_getntacl(self):
  86         random.seed()
  87         lp = LoadParm()
  88         path = None
  89         path = os.environ['SELFTEST_PREFIX']
  90         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
  91         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
  92         open(tempf, 'w').write("empty")
  93         setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
  94
  95         # This should invalidate the ACL, as we include the posix ACL in the hash
  96         (backend_obj, dbname) = checkset_backend(lp, None, None)
  97         backend_obj.wrap_setxattr(dbname,
  98                                   tempf, "system.fake_access_acl", "")
  99
 100         #however, as this is direct DB access, we do not notice it
 101         facl = getntacl(lp,tempf, direct_db_access=True)
 102         anysid = security.dom_sid(security.SID_NT_SELF)
 103         self.assertEquals(acl, facl.as_sddl(anysid))
 104         smbd.unlink(tempf)
 105
 106     def test_setntacl_invalidate_getntacl_smbd(self):
 107         random.seed()
 108         lp = LoadParm()
 109         path = None
 110         path = os.environ['SELFTEST_PREFIX']
 111         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
 112         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 113         open(tempf, 'w').write("empty")
 114         setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
 115
 116         # This should invalidate the ACL, as we include the posix ACL in the hash
 117         (backend_obj, dbname) = checkset_backend(lp, None, None)
 118         backend_obj.wrap_setxattr(dbname,
 119                                   tempf, "system.fake_access_acl", "")
 120
 121         #the hash would break, and we return an ACL based only on the mode, except we set the ACL using the 'ntvfs' mode that doesn't include a hash
 122         facl = getntacl(lp,tempf)
 123         anysid = security.dom_sid(security.SID_NT_SELF)
 124         self.assertEquals(acl, facl.as_sddl(anysid))
 125         smbd.unlink(tempf)
 126
 127     def test_setntacl_smbd_invalidate_getntacl_smbd(self):
 128         random.seed()
 129         lp = LoadParm()
 130         path = None
 131         path = os.environ['SELFTEST_PREFIX']
 132         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
 133         simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)"
 134         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 135         open(tempf, 'w').write("empty")
 136         os.chmod(tempf, 0750)
 137         setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
 138
 139         # This should invalidate the ACL, as we include the posix ACL in the hash
 140         (backend_obj, dbname) = checkset_backend(lp, None, None)
 141         backend_obj.wrap_setxattr(dbname,
 142                                   tempf, "system.fake_access_acl", "")
 143
 144         #the hash will break, and we return an ACL based only on the mode
 145         facl = getntacl(lp,tempf, direct_db_access=False)
 146         anysid = security.dom_sid(security.SID_NT_SELF)
 147         self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
 148         smbd.unlink(tempf)
 149
 150     def test_setntacl_getntacl_smbd(self):
 151         random.seed()
 152         lp = LoadParm()
 153         path = None
 154         path = os.environ['SELFTEST_PREFIX']
 155         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
 156         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 157         open(tempf, 'w').write("empty")
 158         setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
 159         facl = getntacl(lp,tempf, direct_db_access=False)
 160         anysid = security.dom_sid(security.SID_NT_SELF)
 161         self.assertEquals(facl.as_sddl(anysid),acl)
 162         smbd.unlink(tempf)
 163
 164     def test_setntacl_smbd_getntacl_smbd(self):
 165         random.seed()
 166         lp = LoadParm()
 167         path = None
 168         path = os.environ['SELFTEST_PREFIX']
 169         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
 170         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 171         open(tempf, 'w').write("empty")
 172         setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
 173         facl = getntacl(lp,tempf, direct_db_access=False)
 174         anysid = security.dom_sid(security.SID_NT_SELF)
 175         self.assertEquals(facl.as_sddl(anysid),acl)
 176         smbd.unlink(tempf)
 177
 178     def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
 179         random.seed()
 180         lp = LoadParm()
 181         path = None
 182         path = os.environ['SELFTEST_PREFIX']
 183         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
 184         simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)"
 185         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 186         open(tempf, 'w').write("empty")
 187         setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
 188         # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
 189         smbd.set_simple_acl(tempf, 0640)
 190         facl = getntacl(lp,tempf, direct_db_access=False)
 191         anysid = security.dom_sid(security.SID_NT_SELF)
 192         self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
 193         smbd.unlink(tempf)
 194
 195     def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self):
 196         random.seed()
 197         lp = LoadParm()
 198         path = None
 199         path = os.environ['SELFTEST_PREFIX']
 200         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
 201         BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
 202         simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;BA)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)"
 203         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 204         open(tempf, 'w').write("empty")
 205         setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
 206         # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
 207         s3conf = s3param.get_context()
 208         s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
 209         (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
 210         smbd.set_simple_acl(tempf, 0640, BA_gid)
 211
 212         # This should re-calculate an ACL based on the posix details
 213         facl = getntacl(lp,tempf, direct_db_access=False)
 214         anysid = security.dom_sid(security.SID_NT_SELF)
 215         self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
 216         smbd.unlink(tempf)
 217
 218     def test_setntacl_smbd_getntacl_smbd_gpo(self):
 219         random.seed()
 220         lp = LoadParm()
 221         path = None
 222         path = os.environ['SELFTEST_PREFIX']
 223         acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
 224         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 225         open(tempf, 'w').write("empty")
 226         setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
 227         facl = getntacl(lp,tempf, direct_db_access=False)
 228         domsid = security.dom_sid("S-1-5-21-2212615479-2695158682-2101375467")
 229         self.assertEquals(facl.as_sddl(domsid),acl)
 230         smbd.unlink(tempf)
 231
 232     def test_setntacl_getposixacl(self):
 233         random.seed()
 234         lp = LoadParm()
 235         path = None
 236         path = os.environ['SELFTEST_PREFIX']
 237         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
 238         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 239         open(tempf, 'w').write("empty")
 240         setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
 241         facl = getntacl(lp,tempf)
 242         anysid = security.dom_sid(security.SID_NT_SELF)
 243         self.assertEquals(facl.as_sddl(anysid),acl)
 244         posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
 245         smbd.unlink(tempf)
 246
 247     def test_setposixacl_getposixacl(self):
 248         random.seed()
 249         lp = LoadParm()
 250         path = None
 251         path = os.environ['SELFTEST_PREFIX']
 252         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 253         open(tempf, 'w').write("empty")
 254         smbd.set_simple_acl(tempf, 0640)
 255         posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
 256         self.assertEquals(posix_acl.count, 4)
 257
 258         self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_USER_OBJ)
 259         self.assertEquals(posix_acl.acl[0].a_perm, 6)
 260
 261         self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
 262         self.assertEquals(posix_acl.acl[1].a_perm, 4)
 263
 264         self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
 265         self.assertEquals(posix_acl.acl[2].a_perm, 0)
 266
 267         self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_MASK)
 268         self.assertEquals(posix_acl.acl[3].a_perm, 6)
 269         smbd.unlink(tempf)
 270
 271     def test_setposixacl_getntacl(self):
 272         random.seed()
 273         lp = LoadParm()
 274         acl = ""
 275         path = os.environ['SELFTEST_PREFIX']
 276         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 277         open(tempf, 'w').write("empty")
 278         smbd.set_simple_acl(tempf, 0750)
 279         try:
 280             facl = getntacl(lp,tempf)
 281             self.assertTrue(False)
 282         except TypeError:
 283             # We don't expect the xattr to be filled in in this case
 284             pass
 285         smbd.unlink(tempf)
 286
 287     def test_setposixacl_getntacl_smbd(self):
 288         random.seed()
 289         lp = LoadParm()
 290         path = os.environ['SELFTEST_PREFIX']
 291         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 292         open(tempf, 'w').write("empty")
 293         s3conf = s3param.get_context()
 294         s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
 295         group_SID = s4_passdb.gid_to_sid(os.stat(tempf).st_gid)
 296         user_SID = s4_passdb.uid_to_sid(os.stat(tempf).st_uid)
 297         smbd.set_simple_acl(tempf, 0640)
 298         facl = getntacl(lp, tempf, direct_db_access=False)
 299         acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
 300         anysid = security.dom_sid(security.SID_NT_SELF)
 301         self.assertEquals(acl, facl.as_sddl(anysid))
 302         smbd.unlink(tempf)
 303
 304     def test_setposixacl_group_getntacl_smbd(self):
 305         random.seed()
 306         lp = LoadParm()
 307         path = os.environ['SELFTEST_PREFIX']
 308         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 309         open(tempf, 'w').write("empty")
 310         BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
 311         s3conf = s3param.get_context()
 312         s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
 313         (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
 314         group_SID = s4_passdb.gid_to_sid(os.stat(tempf).st_gid)
 315         user_SID = s4_passdb.uid_to_sid(os.stat(tempf).st_uid)
 316         self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
 317         smbd.set_simple_acl(tempf, 0640, BA_gid)
 318         facl = getntacl(lp, tempf, direct_db_access=False)
 319         domsid = passdb.get_global_sam_sid()
 320         acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
 321         anysid = security.dom_sid(security.SID_NT_SELF)
 322         self.assertEquals(acl, facl.as_sddl(anysid))
 323         smbd.unlink(tempf)
 324
 325     def test_setposixacl_getposixacl(self):
 326         random.seed()
 327         lp = LoadParm()
 328         path = os.environ['SELFTEST_PREFIX']
 329         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 330         open(tempf, 'w').write("empty")
 331         smbd.set_simple_acl(tempf, 0640)
 332         posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
 333         self.assertEquals(posix_acl.count, 4)
 334
 335         self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_USER_OBJ)
 336         self.assertEquals(posix_acl.acl[0].a_perm, 6)
 337
 338         self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
 339         self.assertEquals(posix_acl.acl[1].a_perm, 4)
 340
 341         self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
 342         self.assertEquals(posix_acl.acl[2].a_perm, 0)
 343
 344         self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_MASK)
 345         self.assertEquals(posix_acl.acl[3].a_perm, 6)
 346         smbd.unlink(tempf)
 347
 348     def test_setposixacl_group_getposixacl(self):
 349         random.seed()
 350         lp = LoadParm()
 351         path = os.environ['SELFTEST_PREFIX']
 352         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 353         open(tempf, 'w').write("empty")
 354         BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
 355         s3conf = s3param.get_context()
 356         s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
 357         (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
 358         self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
 359         smbd.set_simple_acl(tempf, 0670, BA_gid)
 360         posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
 361
 362         self.assertEquals(posix_acl.count, 5)
 363
 364         self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_USER_OBJ)
 365         self.assertEquals(posix_acl.acl[0].a_perm, 6)
 366
 367         self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
 368         self.assertEquals(posix_acl.acl[1].a_perm, 7)
 369
 370         self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
 371         self.assertEquals(posix_acl.acl[2].a_perm, 0)
 372
 373         self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_GROUP)
 374         self.assertEquals(posix_acl.acl[3].a_perm, 7)
 375         self.assertEquals(posix_acl.acl[3].info.gid, BA_gid)
 376
 377         self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_MASK)
 378         self.assertEquals(posix_acl.acl[4].a_perm, 6)
 379         smbd.unlink(tempf)
 380
 381     def test_setntacl_sysvol_check_getposixacl(self):
 382         random.seed()
 383         lp = LoadParm()
 384         s3conf = s3param.get_context()
 385         path = None
 386         path = os.environ['SELFTEST_PREFIX']
 387         acl = provision.SYSVOL_ACL
 388         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 389         open(tempf, 'w').write("empty")
 390         domsid = passdb.get_global_sam_sid()
 391         setntacl(lp,tempf,acl,str(domsid), use_ntvfs=False)
 392         facl = getntacl(lp,tempf)
 393         self.assertEquals(facl.as_sddl(domsid),acl)
 394         posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
 395
 396         LA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_ADMINISTRATOR))
 397         BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
 398         SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
 399         SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
 400         AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
 401
 402         s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
 403
 404         # These assertions correct for current plugin_s4_dc selftest
 405         # configuration.  When other environments have a broad range of
 406         # groups mapped via passdb, we can relax some of these checks
 407         (LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid)
 408         self.assertEquals(LA_type, idmap.ID_TYPE_UID)
 409         (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
 410         self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
 411         (SO_gid,SO_type) = s4_passdb.sid_to_id(SO_sid)
 412         self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
 413         (SY_gid,SY_type) = s4_passdb.sid_to_id(SY_sid)
 414         self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
 415         (AU_gid,AU_type) = s4_passdb.sid_to_id(AU_sid)
 416         self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)
 417
 418         self.assertEquals(posix_acl.count, 9)
 419
 420         self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
 421         self.assertEquals(posix_acl.acl[0].a_perm, 7)
 422         self.assertEquals(posix_acl.acl[0].info.gid, BA_gid)
 423
 424         self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
 425         self.assertEquals(posix_acl.acl[1].a_perm, 6)
 426         self.assertEquals(posix_acl.acl[1].info.uid, LA_uid)
 427
 428         self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
 429         self.assertEquals(posix_acl.acl[2].a_perm, 0)
 430
 431         self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
 432         self.assertEquals(posix_acl.acl[3].a_perm, 6)
 433
 434         self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
 435         self.assertEquals(posix_acl.acl[4].a_perm, 7)
 436
 437         self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP)
 438         self.assertEquals(posix_acl.acl[5].a_perm, 5)
 439         self.assertEquals(posix_acl.acl[5].info.gid, SO_gid)
 440
 441         self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_GROUP)
 442         self.assertEquals(posix_acl.acl[6].a_perm, 7)
 443         self.assertEquals(posix_acl.acl[6].info.gid, SY_gid)
 444
 445         self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
 446         self.assertEquals(posix_acl.acl[7].a_perm, 5)
 447         self.assertEquals(posix_acl.acl[7].info.gid, AU_gid)
 448
 449         self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_MASK)
 450         self.assertEquals(posix_acl.acl[8].a_perm, 7)
 451
 452
 453 # check that it matches:
 454 # user::rwx
 455 # user:root:rwx (selftest user actually)
 456 # group::rwx
 457 # group:Local Admins:rwx
 458 # group:3000000:r-x
 459 # group:3000001:rwx
 460 # group:3000002:r-x
 461 # mask::rwx
 462 # other::---
 463
 464 #
 465 # This is in this order in the NDR smb_acl (not re-orderded for display)
 466 # a_type: GROUP
 467 # a_perm: 7
 468 # uid: -1
 469 # gid: 10
 470 # a_type: USER
 471 # a_perm: 6
 472 # uid: 0 (selftest user actually)
 473 # gid: -1
 474 # a_type: OTHER
 475 # a_perm: 0
 476 # uid: -1
 477 # gid: -1
 478 # a_type: USER_OBJ
 479 # a_perm: 6
 480 # uid: -1
 481 # gid: -1
 482 # a_type: GROUP_OBJ
 483 # a_perm: 7
 484 # uid: -1
 485 # gid: -1
 486 # a_type: GROUP
 487 # a_perm: 5
 488 # uid: -1
 489 # gid: 3000020
 490 # a_type: GROUP
 491 # a_perm: 7
 492 # uid: -1
 493 # gid: 3000000
 494 # a_type: GROUP
 495 # a_perm: 5
 496 # uid: -1
 497 # gid: 3000001
 498 # a_type: MASK
 499 # a_perm: 7
 500 # uid: -1
 501 # gid: -1
 502
 503 #
 504
 505         smbd.unlink(tempf)
 506
 507     def test_setntacl_policies_check_getposixacl(self):
 508         random.seed()
 509         lp = LoadParm()
 510         s3conf = s3param.get_context()
 511         path = None
 512         path = os.environ['SELFTEST_PREFIX']
 513         acl = provision.POLICIES_ACL
 514         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 515         open(tempf, 'w').write("empty")
 516         domsid = passdb.get_global_sam_sid()
 517         setntacl(lp,tempf,acl,str(domsid), use_ntvfs=False)
 518         facl = getntacl(lp,tempf)
 519         self.assertEquals(facl.as_sddl(domsid),acl)
 520         posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
 521
 522         LA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_ADMINISTRATOR))
 523         BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
 524         SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
 525         SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
 526         AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
 527         PA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_POLICY_ADMINS))
 528
 529         s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
 530
 531         # These assertions correct for current plugin_s4_dc selftest
 532         # configuration.  When other environments have a broad range of
 533         # groups mapped via passdb, we can relax some of these checks
 534         (LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid)
 535         self.assertEquals(LA_type, idmap.ID_TYPE_UID)
 536         (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
 537         self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
 538         (SO_gid,SO_type) = s4_passdb.sid_to_id(SO_sid)
 539         self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
 540         (SY_gid,SY_type) = s4_passdb.sid_to_id(SY_sid)
 541         self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
 542         (AU_gid,AU_type) = s4_passdb.sid_to_id(AU_sid)
 543         self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)
 544         (PA_gid,PA_type) = s4_passdb.sid_to_id(PA_sid)
 545         self.assertEquals(PA_type, idmap.ID_TYPE_BOTH)
 546
 547         self.assertEquals(posix_acl.count, 10)
 548
 549         self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
 550         self.assertEquals(posix_acl.acl[0].a_perm, 7)
 551         self.assertEquals(posix_acl.acl[0].info.gid, BA_gid)
 552
 553         self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
 554         self.assertEquals(posix_acl.acl[1].a_perm, 6)
 555         self.assertEquals(posix_acl.acl[1].info.uid, LA_uid)
 556
 557         self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
 558         self.assertEquals(posix_acl.acl[2].a_perm, 0)
 559
 560         self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
 561         self.assertEquals(posix_acl.acl[3].a_perm, 6)
 562
 563         self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
 564         self.assertEquals(posix_acl.acl[4].a_perm, 7)
 565
 566         self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP)
 567         self.assertEquals(posix_acl.acl[5].a_perm, 5)
 568         self.assertEquals(posix_acl.acl[5].info.gid, SO_gid)
 569
 570         self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_GROUP)
 571         self.assertEquals(posix_acl.acl[6].a_perm, 7)
 572         self.assertEquals(posix_acl.acl[6].info.gid, SY_gid)
 573
 574         self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
 575         self.assertEquals(posix_acl.acl[7].a_perm, 5)
 576         self.assertEquals(posix_acl.acl[7].info.gid, AU_gid)
 577
 578         self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_GROUP)
 579         self.assertEquals(posix_acl.acl[8].a_perm, 7)
 580         self.assertEquals(posix_acl.acl[8].info.gid, PA_gid)
 581
 582         self.assertEquals(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_MASK)
 583         self.assertEquals(posix_acl.acl[9].a_perm, 7)
 584
 585
 586 # check that it matches:
 587 # user::rwx
 588 # user:root:rwx (selftest user actually)
 589 # group::rwx
 590 # group:Local Admins:rwx
 591 # group:3000000:r-x
 592 # group:3000001:rwx
 593 # group:3000002:r-x
 594 # group:3000003:rwx
 595 # mask::rwx
 596 # other::---
 597
 598 #
 599 # This is in this order in the NDR smb_acl (not re-orderded for display)
 600 # a_type: GROUP
 601 # a_perm: 7
 602 # uid: -1
 603 # gid: 10
 604 # a_type: USER
 605 # a_perm: 6
 606 # uid: 0 (selftest user actually)
 607 # gid: -1
 608 # a_type: OTHER
 609 # a_perm: 0
 610 # uid: -1
 611 # gid: -1
 612 # a_type: USER_OBJ
 613 # a_perm: 6
 614 # uid: -1
 615 # gid: -1
 616 # a_type: GROUP_OBJ
 617 # a_perm: 7
 618 # uid: -1
 619 # gid: -1
 620 # a_type: GROUP
 621 # a_perm: 5
 622 # uid: -1
 623 # gid: 3000020
 624 # a_type: GROUP
 625 # a_perm: 7
 626 # uid: -1
 627 # gid: 3000000
 628 # a_type: GROUP
 629 # a_perm: 5
 630 # uid: -1
 631 # gid: 3000001
 632 # a_type: GROUP
 633 # a_perm: 7
 634 # uid: -1
 635 # gid: 3000003
 636 # a_type: MASK
 637 # a_perm: 7
 638 # uid: -1
 639 # gid: -1
 640
 641 #
 642
 643         smbd.unlink(tempf)
 644
 645     def setUp(self):
 646         super(PosixAclMappingTests, self).setUp()
 647         s3conf = s3param.get_context()
 648         s3conf.load(self.get_loadparm().configfile)