1 # Unix SMB/CIFS implementation. Tests for NT and posix ACL manipulation
2 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
3 # Copyright (C) Andrew Bartlett 2012
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 """Tests for the Samba3 NT -> posix ACL layer"""
21 from samba.ntacls import setntacl, getntacl, checkset_backend
22 from samba.dcerpc import xattr, security, smb_acl, idmap
23 from samba.param import LoadParm
24 from samba.tests import TestCase
25 from samba import provision
28 from samba.samba3 import smbd, passdb
29 from samba.samba3 import param as s3param
31 # To print a posix ACL use:
32 # for entry in posix_acl.acl:
33 # print "a_type: %d" % entry.a_type
34 # print "a_perm: %o" % entry.a_perm
35 # print "uid: %d" % entry.uid
36 # print "gid: %d" % entry.gid
38 class PosixAclMappingTests(TestCase):
40 def test_setntacl(self):
43 path = os.environ['SELFTEST_PREFIX']
44 acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
45 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
46 open(tempf, 'w').write("empty")
47 setntacl(lp, tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
50 def test_setntacl_smbd_getntacl(self):
54 path = os.environ['SELFTEST_PREFIX']
55 acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
56 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
57 open(tempf, 'w').write("empty")
58 setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
59 facl = getntacl(lp,tempf, direct_db_access=True)
60 anysid = security.dom_sid(security.SID_NT_SELF)
61 self.assertEquals(facl.as_sddl(anysid),acl)
64 def test_setntacl_smbd_setposixacl_getntacl(self):
68 path = os.environ['SELFTEST_PREFIX']
69 acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
70 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
71 open(tempf, 'w').write("empty")
72 setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
74 # This will invalidate the ACL, as we have a hook!
75 smbd.set_simple_acl(tempf, 0640)
77 # However, this only asks the xattr
79 facl = getntacl(lp,tempf, direct_db_access=True)
80 self.assertTrue(False)
85 def test_setntacl_invalidate_getntacl(self):
89 path = os.environ['SELFTEST_PREFIX']
90 acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
91 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
92 open(tempf, 'w').write("empty")
93 setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
95 # This should invalidate the ACL, as we include the posix ACL in the hash
96 (backend_obj, dbname) = checkset_backend(lp, None, None)
97 backend_obj.wrap_setxattr(dbname,
98 tempf, "system.fake_access_acl", "")
100 #however, as this is direct DB access, we do not notice it
101 facl = getntacl(lp,tempf, direct_db_access=True)
102 anysid = security.dom_sid(security.SID_NT_SELF)
103 self.assertEquals(acl, facl.as_sddl(anysid))
106 def test_setntacl_invalidate_getntacl_smbd(self):
110 path = os.environ['SELFTEST_PREFIX']
111 acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
112 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
113 open(tempf, 'w').write("empty")
114 setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
116 # This should invalidate the ACL, as we include the posix ACL in the hash
117 (backend_obj, dbname) = checkset_backend(lp, None, None)
118 backend_obj.wrap_setxattr(dbname,
119 tempf, "system.fake_access_acl", "")
121 #the hash would break, and we return an ACL based only on the mode, except we set the ACL using the 'ntvfs' mode that doesn't include a hash
122 facl = getntacl(lp,tempf)
123 anysid = security.dom_sid(security.SID_NT_SELF)
124 self.assertEquals(acl, facl.as_sddl(anysid))
127 def test_setntacl_smbd_invalidate_getntacl_smbd(self):
131 path = os.environ['SELFTEST_PREFIX']
132 acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
133 simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)"
134 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
135 open(tempf, 'w').write("empty")
136 os.chmod(tempf, 0750)
137 setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
139 # This should invalidate the ACL, as we include the posix ACL in the hash
140 (backend_obj, dbname) = checkset_backend(lp, None, None)
141 backend_obj.wrap_setxattr(dbname,
142 tempf, "system.fake_access_acl", "")
144 #the hash will break, and we return an ACL based only on the mode
145 facl = getntacl(lp,tempf, direct_db_access=False)
146 anysid = security.dom_sid(security.SID_NT_SELF)
147 self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
150 def test_setntacl_getntacl_smbd(self):
154 path = os.environ['SELFTEST_PREFIX']
155 acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
156 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
157 open(tempf, 'w').write("empty")
158 setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
159 facl = getntacl(lp,tempf, direct_db_access=False)
160 anysid = security.dom_sid(security.SID_NT_SELF)
161 self.assertEquals(facl.as_sddl(anysid),acl)
164 def test_setntacl_smbd_getntacl_smbd(self):
168 path = os.environ['SELFTEST_PREFIX']
169 acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
170 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
171 open(tempf, 'w').write("empty")
172 setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
173 facl = getntacl(lp,tempf, direct_db_access=False)
174 anysid = security.dom_sid(security.SID_NT_SELF)
175 self.assertEquals(facl.as_sddl(anysid),acl)
178 def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
182 path = os.environ['SELFTEST_PREFIX']
183 acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
184 simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)"
185 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
186 open(tempf, 'w').write("empty")
187 setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
188 # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
189 smbd.set_simple_acl(tempf, 0640)
190 facl = getntacl(lp,tempf, direct_db_access=False)
191 anysid = security.dom_sid(security.SID_NT_SELF)
192 self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
195 def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self):
199 path = os.environ['SELFTEST_PREFIX']
200 acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
201 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
202 simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;BA)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)"
203 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
204 open(tempf, 'w').write("empty")
205 setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
206 # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
207 s3conf = s3param.get_context()
208 s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
209 (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
210 smbd.set_simple_acl(tempf, 0640, BA_gid)
212 # This should re-calculate an ACL based on the posix details
213 facl = getntacl(lp,tempf, direct_db_access=False)
214 anysid = security.dom_sid(security.SID_NT_SELF)
215 self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
218 def test_setntacl_smbd_getntacl_smbd_gpo(self):
222 path = os.environ['SELFTEST_PREFIX']
223 acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
224 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
225 open(tempf, 'w').write("empty")
226 setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
227 facl = getntacl(lp,tempf, direct_db_access=False)
228 domsid = security.dom_sid("S-1-5-21-2212615479-2695158682-2101375467")
229 self.assertEquals(facl.as_sddl(domsid),acl)
232 def test_setntacl_getposixacl(self):
236 path = os.environ['SELFTEST_PREFIX']
237 acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
238 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
239 open(tempf, 'w').write("empty")
240 setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
241 facl = getntacl(lp,tempf)
242 anysid = security.dom_sid(security.SID_NT_SELF)
243 self.assertEquals(facl.as_sddl(anysid),acl)
244 posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
247 def test_setposixacl_getposixacl(self):
251 path = os.environ['SELFTEST_PREFIX']
252 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
253 open(tempf, 'w').write("empty")
254 smbd.set_simple_acl(tempf, 0640)
255 posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
256 self.assertEquals(posix_acl.count, 4)
258 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_USER_OBJ)
259 self.assertEquals(posix_acl.acl[0].a_perm, 6)
261 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
262 self.assertEquals(posix_acl.acl[1].a_perm, 4)
264 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
265 self.assertEquals(posix_acl.acl[2].a_perm, 0)
267 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_MASK)
268 self.assertEquals(posix_acl.acl[3].a_perm, 6)
271 def test_setposixacl_getntacl(self):
275 path = os.environ['SELFTEST_PREFIX']
276 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
277 open(tempf, 'w').write("empty")
278 smbd.set_simple_acl(tempf, 0750)
280 facl = getntacl(lp,tempf)
282 # We don't expect the xattr to be filled in in this case
285 def test_setposixacl_getntacl_smbd(self):
288 path = os.environ['SELFTEST_PREFIX']
289 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
290 open(tempf, 'w').write("empty")
291 s3conf = s3param.get_context()
292 s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
293 group_SID = s4_passdb.gid_to_sid(os.stat(tempf).st_gid)
294 user_SID = s4_passdb.uid_to_sid(os.stat(tempf).st_uid)
295 smbd.set_simple_acl(tempf, 0640)
296 facl = getntacl(lp, tempf, direct_db_access=False)
297 domsid = passdb.get_global_sam_sid()
298 acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
299 anysid = security.dom_sid(security.SID_NT_SELF)
300 self.assertEquals(acl, facl.as_sddl(anysid))
302 def test_setposixacl_group_getntacl_smbd(self):
305 path = os.environ['SELFTEST_PREFIX']
306 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
307 open(tempf, 'w').write("empty")
308 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
309 s3conf = s3param.get_context()
310 s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
311 (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
312 group_SID = s4_passdb.gid_to_sid(os.stat(tempf).st_gid)
313 user_SID = s4_passdb.uid_to_sid(os.stat(tempf).st_uid)
314 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
315 smbd.set_simple_acl(tempf, 0640, BA_gid)
316 facl = getntacl(lp, tempf, direct_db_access=False)
317 domsid = passdb.get_global_sam_sid()
318 acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
319 anysid = security.dom_sid(security.SID_NT_SELF)
320 self.assertEquals(acl, facl.as_sddl(anysid))
322 def test_setposixacl_getposixacl(self):
325 path = os.environ['SELFTEST_PREFIX']
326 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
327 open(tempf, 'w').write("empty")
328 smbd.set_simple_acl(tempf, 0640)
329 posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
330 self.assertEquals(posix_acl.count, 4)
332 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_USER_OBJ)
333 self.assertEquals(posix_acl.acl[0].a_perm, 6)
335 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
336 self.assertEquals(posix_acl.acl[1].a_perm, 4)
338 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
339 self.assertEquals(posix_acl.acl[2].a_perm, 0)
341 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_MASK)
342 self.assertEquals(posix_acl.acl[3].a_perm, 6)
345 def test_setposixacl_group_getposixacl(self):
348 path = os.environ['SELFTEST_PREFIX']
349 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
350 open(tempf, 'w').write("empty")
351 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
352 s3conf = s3param.get_context()
353 s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
354 (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
355 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
356 smbd.set_simple_acl(tempf, 0670, BA_gid)
357 posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
359 self.assertEquals(posix_acl.count, 5)
361 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_USER_OBJ)
362 self.assertEquals(posix_acl.acl[0].a_perm, 6)
364 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
365 self.assertEquals(posix_acl.acl[1].a_perm, 7)
367 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
368 self.assertEquals(posix_acl.acl[2].a_perm, 0)
370 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_GROUP)
371 self.assertEquals(posix_acl.acl[3].a_perm, 7)
372 self.assertEquals(posix_acl.acl[3].info.gid, BA_gid)
374 self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_MASK)
375 self.assertEquals(posix_acl.acl[4].a_perm, 6)
378 def test_setntacl_sysvol_check_getposixacl(self):
381 s3conf = s3param.get_context()
383 path = os.environ['SELFTEST_PREFIX']
384 acl = provision.SYSVOL_ACL
385 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
386 open(tempf, 'w').write("empty")
387 domsid = passdb.get_global_sam_sid()
388 setntacl(lp,tempf,acl,str(domsid), use_ntvfs=False)
389 facl = getntacl(lp,tempf)
390 self.assertEquals(facl.as_sddl(domsid),acl)
391 posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
393 LA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_ADMINISTRATOR))
394 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
395 SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
396 SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
397 AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
399 s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
401 # These assertions correct for current plugin_s4_dc selftest
402 # configuration. When other environments have a broad range of
403 # groups mapped via passdb, we can relax some of these checks
404 (LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid)
405 self.assertEquals(LA_type, idmap.ID_TYPE_UID)
406 (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
407 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
408 (SO_gid,SO_type) = s4_passdb.sid_to_id(SO_sid)
409 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
410 (SY_gid,SY_type) = s4_passdb.sid_to_id(SY_sid)
411 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
412 (AU_gid,AU_type) = s4_passdb.sid_to_id(AU_sid)
413 self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)
415 self.assertEquals(posix_acl.count, 9)
417 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
418 self.assertEquals(posix_acl.acl[0].a_perm, 7)
419 self.assertEquals(posix_acl.acl[0].info.gid, BA_gid)
421 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
422 self.assertEquals(posix_acl.acl[1].a_perm, 6)
423 self.assertEquals(posix_acl.acl[1].info.uid, LA_uid)
425 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
426 self.assertEquals(posix_acl.acl[2].a_perm, 0)
428 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
429 self.assertEquals(posix_acl.acl[3].a_perm, 6)
431 self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
432 self.assertEquals(posix_acl.acl[4].a_perm, 7)
434 self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP)
435 self.assertEquals(posix_acl.acl[5].a_perm, 5)
436 self.assertEquals(posix_acl.acl[5].info.gid, SO_gid)
438 self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_GROUP)
439 self.assertEquals(posix_acl.acl[6].a_perm, 7)
440 self.assertEquals(posix_acl.acl[6].info.gid, SY_gid)
442 self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
443 self.assertEquals(posix_acl.acl[7].a_perm, 5)
444 self.assertEquals(posix_acl.acl[7].info.gid, AU_gid)
446 self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_MASK)
447 self.assertEquals(posix_acl.acl[8].a_perm, 7)
450 # check that it matches:
452 # user:root:rwx (selftest user actually)
454 # group:Local Admins:rwx
462 # This is in this order in the NDR smb_acl (not re-orderded for display)
469 # uid: 0 (selftest user actually)
504 def test_setntacl_policies_check_getposixacl(self):
507 s3conf = s3param.get_context()
509 path = os.environ['SELFTEST_PREFIX']
510 acl = provision.POLICIES_ACL
511 tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
512 open(tempf, 'w').write("empty")
513 domsid = passdb.get_global_sam_sid()
514 setntacl(lp,tempf,acl,str(domsid), use_ntvfs=False)
515 facl = getntacl(lp,tempf)
516 self.assertEquals(facl.as_sddl(domsid),acl)
517 posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
519 LA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_ADMINISTRATOR))
520 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
521 SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
522 SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
523 AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
524 PA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_POLICY_ADMINS))
526 s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
528 # These assertions correct for current plugin_s4_dc selftest
529 # configuration. When other environments have a broad range of
530 # groups mapped via passdb, we can relax some of these checks
531 (LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid)
532 self.assertEquals(LA_type, idmap.ID_TYPE_UID)
533 (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
534 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
535 (SO_gid,SO_type) = s4_passdb.sid_to_id(SO_sid)
536 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
537 (SY_gid,SY_type) = s4_passdb.sid_to_id(SY_sid)
538 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
539 (AU_gid,AU_type) = s4_passdb.sid_to_id(AU_sid)
540 self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)
541 (PA_gid,PA_type) = s4_passdb.sid_to_id(PA_sid)
542 self.assertEquals(PA_type, idmap.ID_TYPE_BOTH)
544 self.assertEquals(posix_acl.count, 10)
546 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
547 self.assertEquals(posix_acl.acl[0].a_perm, 7)
548 self.assertEquals(posix_acl.acl[0].info.gid, BA_gid)
550 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
551 self.assertEquals(posix_acl.acl[1].a_perm, 6)
552 self.assertEquals(posix_acl.acl[1].info.uid, LA_uid)
554 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
555 self.assertEquals(posix_acl.acl[2].a_perm, 0)
557 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
558 self.assertEquals(posix_acl.acl[3].a_perm, 6)
560 self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
561 self.assertEquals(posix_acl.acl[4].a_perm, 7)
563 self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP)
564 self.assertEquals(posix_acl.acl[5].a_perm, 5)
565 self.assertEquals(posix_acl.acl[5].info.gid, SO_gid)
567 self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_GROUP)
568 self.assertEquals(posix_acl.acl[6].a_perm, 7)
569 self.assertEquals(posix_acl.acl[6].info.gid, SY_gid)
571 self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
572 self.assertEquals(posix_acl.acl[7].a_perm, 5)
573 self.assertEquals(posix_acl.acl[7].info.gid, AU_gid)
575 self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_GROUP)
576 self.assertEquals(posix_acl.acl[8].a_perm, 7)
577 self.assertEquals(posix_acl.acl[8].info.gid, PA_gid)
579 self.assertEquals(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_MASK)
580 self.assertEquals(posix_acl.acl[9].a_perm, 7)
583 # check that it matches:
585 # user:root:rwx (selftest user actually)
587 # group:Local Admins:rwx
596 # This is in this order in the NDR smb_acl (not re-orderded for display)
603 # uid: 0 (selftest user actually)
643 super(PosixAclMappingTests, self).setUp()
644 s3conf = s3param.get_context()
645 s3conf.load(self.get_loadparm().configfile)