source4/scripting/python/samba/tests/posixacl.py

   1 # Unix SMB/CIFS implementation. Tests for NT and posix ACL manipulation
   2 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
   3 # Copyright (C) Andrew Bartlett 2012
   4 #
   5 # This program is free software; you can redistribute it and/or modify
   6 # it under the terms of the GNU General Public License as published by
   7 # the Free Software Foundation; either version 3 of the License, or
   8 # (at your option) any later version.
   9 #
  10 # This program is distributed in the hope that it will be useful,
  11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13 # GNU General Public License for more details.
  14 #
  15 # You should have received a copy of the GNU General Public License
  16 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  17 #
  18
  19 """Tests for the Samba3 NT -> posix ACL layer"""
  20
  21 from samba.ntacls import setntacl, getntacl, checkset_backend
  22 from samba.dcerpc import xattr, security, smb_acl, idmap
  23 from samba.param import LoadParm
  24 from samba.tests import TestCase
  25 from samba import provision
  26 import random
  27 import os
  28 from samba.samba3 import smbd, passdb
  29 from samba.samba3 import param as s3param
  30
  31 # To print a posix ACL use:
  32 #        for entry in posix_acl.acl:
  33 #            print "a_type: %d" % entry.a_type
  34 #            print "a_perm: %o" % entry.a_perm
  35 #            print "uid: %d" % entry.uid
  36 #            print "gid: %d" % entry.gid
  37
  38 class PosixAclMappingTests(TestCase):
  39
  40     def test_setntacl(self):
  41         random.seed()
  42         lp = LoadParm()
  43         path = os.environ['SELFTEST_PREFIX']
  44         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
  45         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
  46         open(tempf, 'w').write("empty")
  47         setntacl(lp, tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
  48         os.unlink(tempf)
  49
  50     def test_setntacl_smbd_getntacl(self):
  51         random.seed()
  52         lp = LoadParm()
  53         path = None
  54         path = os.environ['SELFTEST_PREFIX']
  55         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
  56         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
  57         open(tempf, 'w').write("empty")
  58         setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
  59         facl = getntacl(lp,tempf, direct_db_access=True)
  60         anysid = security.dom_sid(security.SID_NT_SELF)
  61         self.assertEquals(facl.as_sddl(anysid),acl)
  62         os.unlink(tempf)
  63
  64     def test_setntacl_smbd_setposixacl_getntacl(self):
  65         random.seed()
  66         lp = LoadParm()
  67         path = None
  68         path = os.environ['SELFTEST_PREFIX']
  69         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
  70         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
  71         open(tempf, 'w').write("empty")
  72         setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
  73
  74         # This will invalidate the ACL, as we have a hook!
  75         smbd.set_simple_acl(tempf, 0640)
  76
  77         # However, this only asks the xattr
  78         try:
  79             facl = getntacl(lp,tempf, direct_db_access=True)
  80             self.assertTrue(False)
  81         except TypeError:
  82             pass
  83         os.unlink(tempf)
  84
  85     def test_setntacl_invalidate_getntacl(self):
  86         random.seed()
  87         lp = LoadParm()
  88         path = None
  89         path = os.environ['SELFTEST_PREFIX']
  90         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
  91         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
  92         open(tempf, 'w').write("empty")
  93         setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
  94
  95         # This should invalidate the ACL, as we include the posix ACL in the hash
  96         (backend_obj, dbname) = checkset_backend(lp, None, None)
  97         backend_obj.wrap_setxattr(dbname,
  98                                   tempf, "system.fake_access_acl", "")
  99
 100         #however, as this is direct DB access, we do not notice it
 101         facl = getntacl(lp,tempf, direct_db_access=True)
 102         anysid = security.dom_sid(security.SID_NT_SELF)
 103         self.assertEquals(acl, facl.as_sddl(anysid))
 104         os.unlink(tempf)
 105
 106     def test_setntacl_invalidate_getntacl_smbd(self):
 107         random.seed()
 108         lp = LoadParm()
 109         path = None
 110         path = os.environ['SELFTEST_PREFIX']
 111         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
 112         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 113         open(tempf, 'w').write("empty")
 114         setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
 115
 116         # This should invalidate the ACL, as we include the posix ACL in the hash
 117         (backend_obj, dbname) = checkset_backend(lp, None, None)
 118         backend_obj.wrap_setxattr(dbname,
 119                                   tempf, "system.fake_access_acl", "")
 120
 121         #the hash would break, and we return an ACL based only on the mode, except we set the ACL using the 'ntvfs' mode that doesn't include a hash
 122         facl = getntacl(lp,tempf)
 123         anysid = security.dom_sid(security.SID_NT_SELF)
 124         self.assertEquals(acl, facl.as_sddl(anysid))
 125         os.unlink(tempf)
 126
 127     def test_setntacl_smbd_invalidate_getntacl_smbd(self):
 128         random.seed()
 129         lp = LoadParm()
 130         path = None
 131         path = os.environ['SELFTEST_PREFIX']
 132         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
 133         simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)"
 134         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 135         open(tempf, 'w').write("empty")
 136         os.chmod(tempf, 0750)
 137         setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
 138
 139         # This should invalidate the ACL, as we include the posix ACL in the hash
 140         (backend_obj, dbname) = checkset_backend(lp, None, None)
 141         backend_obj.wrap_setxattr(dbname,
 142                                   tempf, "system.fake_access_acl", "")
 143
 144         #the hash will break, and we return an ACL based only on the mode
 145         facl = getntacl(lp,tempf, direct_db_access=False)
 146         anysid = security.dom_sid(security.SID_NT_SELF)
 147         self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
 148         os.unlink(tempf)
 149
 150     def test_setntacl_getntacl_smbd(self):
 151         random.seed()
 152         lp = LoadParm()
 153         path = None
 154         path = os.environ['SELFTEST_PREFIX']
 155         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
 156         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 157         open(tempf, 'w').write("empty")
 158         setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
 159         facl = getntacl(lp,tempf, direct_db_access=False)
 160         anysid = security.dom_sid(security.SID_NT_SELF)
 161         self.assertEquals(facl.as_sddl(anysid),acl)
 162         os.unlink(tempf)
 163
 164     def test_setntacl_smbd_getntacl_smbd(self):
 165         random.seed()
 166         lp = LoadParm()
 167         path = None
 168         path = os.environ['SELFTEST_PREFIX']
 169         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
 170         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 171         open(tempf, 'w').write("empty")
 172         setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
 173         facl = getntacl(lp,tempf, direct_db_access=False)
 174         anysid = security.dom_sid(security.SID_NT_SELF)
 175         self.assertEquals(facl.as_sddl(anysid),acl)
 176         os.unlink(tempf)
 177
 178     def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
 179         random.seed()
 180         lp = LoadParm()
 181         path = None
 182         path = os.environ['SELFTEST_PREFIX']
 183         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
 184         simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)"
 185         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 186         open(tempf, 'w').write("empty")
 187         setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
 188         # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
 189         smbd.set_simple_acl(tempf, 0640)
 190         facl = getntacl(lp,tempf, direct_db_access=False)
 191         anysid = security.dom_sid(security.SID_NT_SELF)
 192         self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
 193         os.unlink(tempf)
 194
 195     def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self):
 196         random.seed()
 197         lp = LoadParm()
 198         path = None
 199         path = os.environ['SELFTEST_PREFIX']
 200         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
 201         BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
 202         simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;BA)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)"
 203         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 204         open(tempf, 'w').write("empty")
 205         setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
 206         # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
 207         s3conf = s3param.get_context()
 208         s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
 209         (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
 210         smbd.set_simple_acl(tempf, 0640, BA_gid)
 211
 212         # This should re-calculate an ACL based on the posix details
 213         facl = getntacl(lp,tempf, direct_db_access=False)
 214         anysid = security.dom_sid(security.SID_NT_SELF)
 215         self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
 216         os.unlink(tempf)
 217
 218     def test_setntacl_smbd_getntacl_smbd_gpo(self):
 219         random.seed()
 220         lp = LoadParm()
 221         path = None
 222         path = os.environ['SELFTEST_PREFIX']
 223         acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
 224         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 225         open(tempf, 'w').write("empty")
 226         setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
 227         facl = getntacl(lp,tempf, direct_db_access=False)
 228         domsid = security.dom_sid("S-1-5-21-2212615479-2695158682-2101375467")
 229         self.assertEquals(facl.as_sddl(domsid),acl)
 230         os.unlink(tempf)
 231
 232     def test_setntacl_getposixacl(self):
 233         random.seed()
 234         lp = LoadParm()
 235         path = None
 236         path = os.environ['SELFTEST_PREFIX']
 237         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
 238         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 239         open(tempf, 'w').write("empty")
 240         setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
 241         facl = getntacl(lp,tempf)
 242         anysid = security.dom_sid(security.SID_NT_SELF)
 243         self.assertEquals(facl.as_sddl(anysid),acl)
 244         posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
 245         os.unlink(tempf)
 246
 247     def test_setposixacl_getposixacl(self):
 248         random.seed()
 249         lp = LoadParm()
 250         path = None
 251         path = os.environ['SELFTEST_PREFIX']
 252         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 253         open(tempf, 'w').write("empty")
 254         smbd.set_simple_acl(tempf, 0640)
 255         posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
 256         self.assertEquals(posix_acl.count, 4)
 257
 258         self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_USER_OBJ)
 259         self.assertEquals(posix_acl.acl[0].a_perm, 6)
 260
 261         self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
 262         self.assertEquals(posix_acl.acl[1].a_perm, 4)
 263
 264         self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
 265         self.assertEquals(posix_acl.acl[2].a_perm, 0)
 266
 267         self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_MASK)
 268         self.assertEquals(posix_acl.acl[3].a_perm, 6)
 269         os.unlink(tempf)
 270
 271     def test_setposixacl_getntacl(self):
 272         random.seed()
 273         lp = LoadParm()
 274         acl = ""
 275         path = os.environ['SELFTEST_PREFIX']
 276         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 277         open(tempf, 'w').write("empty")
 278         smbd.set_simple_acl(tempf, 0750)
 279         try:
 280             facl = getntacl(lp,tempf)
 281         except TypeError:
 282             # We don't expect the xattr to be filled in in this case
 283             pass
 284
 285     def test_setposixacl_getntacl_smbd(self):
 286         random.seed()
 287         lp = LoadParm()
 288         path = os.environ['SELFTEST_PREFIX']
 289         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 290         open(tempf, 'w').write("empty")
 291         s3conf = s3param.get_context()
 292         s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
 293         group_SID = s4_passdb.gid_to_sid(os.stat(tempf).st_gid)
 294         user_SID = s4_passdb.uid_to_sid(os.stat(tempf).st_uid)
 295         smbd.set_simple_acl(tempf, 0640)
 296         facl = getntacl(lp, tempf, direct_db_access=False)
 297         domsid = passdb.get_global_sam_sid()
 298         acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
 299         anysid = security.dom_sid(security.SID_NT_SELF)
 300         self.assertEquals(acl, facl.as_sddl(anysid))
 301
 302     def test_setposixacl_group_getntacl_smbd(self):
 303         random.seed()
 304         lp = LoadParm()
 305         path = os.environ['SELFTEST_PREFIX']
 306         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 307         open(tempf, 'w').write("empty")
 308         BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
 309         s3conf = s3param.get_context()
 310         s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
 311         (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
 312         group_SID = s4_passdb.gid_to_sid(os.stat(tempf).st_gid)
 313         user_SID = s4_passdb.uid_to_sid(os.stat(tempf).st_uid)
 314         self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
 315         smbd.set_simple_acl(tempf, 0640, BA_gid)
 316         facl = getntacl(lp, tempf, direct_db_access=False)
 317         domsid = passdb.get_global_sam_sid()
 318         acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
 319         anysid = security.dom_sid(security.SID_NT_SELF)
 320         self.assertEquals(acl, facl.as_sddl(anysid))
 321
 322     def test_setposixacl_getposixacl(self):
 323         random.seed()
 324         lp = LoadParm()
 325         path = os.environ['SELFTEST_PREFIX']
 326         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 327         open(tempf, 'w').write("empty")
 328         smbd.set_simple_acl(tempf, 0640)
 329         posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
 330         self.assertEquals(posix_acl.count, 4)
 331
 332         self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_USER_OBJ)
 333         self.assertEquals(posix_acl.acl[0].a_perm, 6)
 334
 335         self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
 336         self.assertEquals(posix_acl.acl[1].a_perm, 4)
 337
 338         self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
 339         self.assertEquals(posix_acl.acl[2].a_perm, 0)
 340
 341         self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_MASK)
 342         self.assertEquals(posix_acl.acl[3].a_perm, 6)
 343         os.unlink(tempf)
 344
 345     def test_setposixacl_group_getposixacl(self):
 346         random.seed()
 347         lp = LoadParm()
 348         path = os.environ['SELFTEST_PREFIX']
 349         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 350         open(tempf, 'w').write("empty")
 351         BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
 352         s3conf = s3param.get_context()
 353         s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
 354         (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
 355         self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
 356         smbd.set_simple_acl(tempf, 0670, BA_gid)
 357         posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
 358
 359         self.assertEquals(posix_acl.count, 5)
 360
 361         self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_USER_OBJ)
 362         self.assertEquals(posix_acl.acl[0].a_perm, 6)
 363
 364         self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
 365         self.assertEquals(posix_acl.acl[1].a_perm, 7)
 366
 367         self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
 368         self.assertEquals(posix_acl.acl[2].a_perm, 0)
 369
 370         self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_GROUP)
 371         self.assertEquals(posix_acl.acl[3].a_perm, 7)
 372         self.assertEquals(posix_acl.acl[3].info.gid, BA_gid)
 373
 374         self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_MASK)
 375         self.assertEquals(posix_acl.acl[4].a_perm, 6)
 376         os.unlink(tempf)
 377
 378     def test_setntacl_sysvol_check_getposixacl(self):
 379         random.seed()
 380         lp = LoadParm()
 381         s3conf = s3param.get_context()
 382         path = None
 383         path = os.environ['SELFTEST_PREFIX']
 384         acl = provision.SYSVOL_ACL
 385         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 386         open(tempf, 'w').write("empty")
 387         domsid = passdb.get_global_sam_sid()
 388         setntacl(lp,tempf,acl,str(domsid), use_ntvfs=False)
 389         facl = getntacl(lp,tempf)
 390         self.assertEquals(facl.as_sddl(domsid),acl)
 391         posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
 392
 393         LA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_ADMINISTRATOR))
 394         BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
 395         SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
 396         SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
 397         AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
 398
 399         s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
 400
 401         # These assertions correct for current plugin_s4_dc selftest
 402         # configuration.  When other environments have a broad range of
 403         # groups mapped via passdb, we can relax some of these checks
 404         (LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid)
 405         self.assertEquals(LA_type, idmap.ID_TYPE_UID)
 406         (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
 407         self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
 408         (SO_gid,SO_type) = s4_passdb.sid_to_id(SO_sid)
 409         self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
 410         (SY_gid,SY_type) = s4_passdb.sid_to_id(SY_sid)
 411         self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
 412         (AU_gid,AU_type) = s4_passdb.sid_to_id(AU_sid)
 413         self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)
 414
 415         self.assertEquals(posix_acl.count, 9)
 416
 417         self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
 418         self.assertEquals(posix_acl.acl[0].a_perm, 7)
 419         self.assertEquals(posix_acl.acl[0].info.gid, BA_gid)
 420
 421         self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
 422         self.assertEquals(posix_acl.acl[1].a_perm, 6)
 423         self.assertEquals(posix_acl.acl[1].info.uid, LA_uid)
 424
 425         self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
 426         self.assertEquals(posix_acl.acl[2].a_perm, 0)
 427
 428         self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
 429         self.assertEquals(posix_acl.acl[3].a_perm, 6)
 430
 431         self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
 432         self.assertEquals(posix_acl.acl[4].a_perm, 7)
 433
 434         self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP)
 435         self.assertEquals(posix_acl.acl[5].a_perm, 5)
 436         self.assertEquals(posix_acl.acl[5].info.gid, SO_gid)
 437
 438         self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_GROUP)
 439         self.assertEquals(posix_acl.acl[6].a_perm, 7)
 440         self.assertEquals(posix_acl.acl[6].info.gid, SY_gid)
 441
 442         self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
 443         self.assertEquals(posix_acl.acl[7].a_perm, 5)
 444         self.assertEquals(posix_acl.acl[7].info.gid, AU_gid)
 445
 446         self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_MASK)
 447         self.assertEquals(posix_acl.acl[8].a_perm, 7)
 448
 449
 450 # check that it matches:
 451 # user::rwx
 452 # user:root:rwx (selftest user actually)
 453 # group::rwx
 454 # group:Local Admins:rwx
 455 # group:3000000:r-x
 456 # group:3000001:rwx
 457 # group:3000002:r-x
 458 # mask::rwx
 459 # other::---
 460
 461 #
 462 # This is in this order in the NDR smb_acl (not re-orderded for display)
 463 # a_type: GROUP
 464 # a_perm: 7
 465 # uid: -1
 466 # gid: 10
 467 # a_type: USER
 468 # a_perm: 6
 469 # uid: 0 (selftest user actually)
 470 # gid: -1
 471 # a_type: OTHER
 472 # a_perm: 0
 473 # uid: -1
 474 # gid: -1
 475 # a_type: USER_OBJ
 476 # a_perm: 6
 477 # uid: -1
 478 # gid: -1
 479 # a_type: GROUP_OBJ
 480 # a_perm: 7
 481 # uid: -1
 482 # gid: -1
 483 # a_type: GROUP
 484 # a_perm: 5
 485 # uid: -1
 486 # gid: 3000020
 487 # a_type: GROUP
 488 # a_perm: 7
 489 # uid: -1
 490 # gid: 3000000
 491 # a_type: GROUP
 492 # a_perm: 5
 493 # uid: -1
 494 # gid: 3000001
 495 # a_type: MASK
 496 # a_perm: 7
 497 # uid: -1
 498 # gid: -1
 499
 500 #
 501
 502         os.unlink(tempf)
 503
 504     def test_setntacl_policies_check_getposixacl(self):
 505         random.seed()
 506         lp = LoadParm()
 507         s3conf = s3param.get_context()
 508         path = None
 509         path = os.environ['SELFTEST_PREFIX']
 510         acl = provision.POLICIES_ACL
 511         tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
 512         open(tempf, 'w').write("empty")
 513         domsid = passdb.get_global_sam_sid()
 514         setntacl(lp,tempf,acl,str(domsid), use_ntvfs=False)
 515         facl = getntacl(lp,tempf)
 516         self.assertEquals(facl.as_sddl(domsid),acl)
 517         posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
 518
 519         LA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_ADMINISTRATOR))
 520         BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
 521         SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
 522         SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
 523         AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
 524         PA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_POLICY_ADMINS))
 525
 526         s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
 527
 528         # These assertions correct for current plugin_s4_dc selftest
 529         # configuration.  When other environments have a broad range of
 530         # groups mapped via passdb, we can relax some of these checks
 531         (LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid)
 532         self.assertEquals(LA_type, idmap.ID_TYPE_UID)
 533         (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
 534         self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
 535         (SO_gid,SO_type) = s4_passdb.sid_to_id(SO_sid)
 536         self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
 537         (SY_gid,SY_type) = s4_passdb.sid_to_id(SY_sid)
 538         self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
 539         (AU_gid,AU_type) = s4_passdb.sid_to_id(AU_sid)
 540         self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)
 541         (PA_gid,PA_type) = s4_passdb.sid_to_id(PA_sid)
 542         self.assertEquals(PA_type, idmap.ID_TYPE_BOTH)
 543
 544         self.assertEquals(posix_acl.count, 10)
 545
 546         self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
 547         self.assertEquals(posix_acl.acl[0].a_perm, 7)
 548         self.assertEquals(posix_acl.acl[0].info.gid, BA_gid)
 549
 550         self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
 551         self.assertEquals(posix_acl.acl[1].a_perm, 6)
 552         self.assertEquals(posix_acl.acl[1].info.uid, LA_uid)
 553
 554         self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
 555         self.assertEquals(posix_acl.acl[2].a_perm, 0)
 556
 557         self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
 558         self.assertEquals(posix_acl.acl[3].a_perm, 6)
 559
 560         self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
 561         self.assertEquals(posix_acl.acl[4].a_perm, 7)
 562
 563         self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP)
 564         self.assertEquals(posix_acl.acl[5].a_perm, 5)
 565         self.assertEquals(posix_acl.acl[5].info.gid, SO_gid)
 566
 567         self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_GROUP)
 568         self.assertEquals(posix_acl.acl[6].a_perm, 7)
 569         self.assertEquals(posix_acl.acl[6].info.gid, SY_gid)
 570
 571         self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
 572         self.assertEquals(posix_acl.acl[7].a_perm, 5)
 573         self.assertEquals(posix_acl.acl[7].info.gid, AU_gid)
 574
 575         self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_GROUP)
 576         self.assertEquals(posix_acl.acl[8].a_perm, 7)
 577         self.assertEquals(posix_acl.acl[8].info.gid, PA_gid)
 578
 579         self.assertEquals(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_MASK)
 580         self.assertEquals(posix_acl.acl[9].a_perm, 7)
 581
 582
 583 # check that it matches:
 584 # user::rwx
 585 # user:root:rwx (selftest user actually)
 586 # group::rwx
 587 # group:Local Admins:rwx
 588 # group:3000000:r-x
 589 # group:3000001:rwx
 590 # group:3000002:r-x
 591 # group:3000003:rwx
 592 # mask::rwx
 593 # other::---
 594
 595 #
 596 # This is in this order in the NDR smb_acl (not re-orderded for display)
 597 # a_type: GROUP
 598 # a_perm: 7
 599 # uid: -1
 600 # gid: 10
 601 # a_type: USER
 602 # a_perm: 6
 603 # uid: 0 (selftest user actually)
 604 # gid: -1
 605 # a_type: OTHER
 606 # a_perm: 0
 607 # uid: -1
 608 # gid: -1
 609 # a_type: USER_OBJ
 610 # a_perm: 6
 611 # uid: -1
 612 # gid: -1
 613 # a_type: GROUP_OBJ
 614 # a_perm: 7
 615 # uid: -1
 616 # gid: -1
 617 # a_type: GROUP
 618 # a_perm: 5
 619 # uid: -1
 620 # gid: 3000020
 621 # a_type: GROUP
 622 # a_perm: 7
 623 # uid: -1
 624 # gid: 3000000
 625 # a_type: GROUP
 626 # a_perm: 5
 627 # uid: -1
 628 # gid: 3000001
 629 # a_type: GROUP
 630 # a_perm: 7
 631 # uid: -1
 632 # gid: 3000003
 633 # a_type: MASK
 634 # a_perm: 7
 635 # uid: -1
 636 # gid: -1
 637
 638 #
 639
 640         os.unlink(tempf)
 641
 642     def setUp(self):
 643         super(PosixAclMappingTests, self).setUp()
 644         s3conf = s3param.get_context()
 645         s3conf.load(self.get_loadparm().configfile)