1 # Unix SMB/CIFS implementation. Tests for NT and posix ACL manipulation
2 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
3 # Copyright (C) Andrew Bartlett 2012
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 """Tests for the Samba3 NT -> posix ACL layer"""
21 from samba.ntacls import setntacl, getntacl, checkset_backend
22 from samba.dcerpc import xattr, security, smb_acl, idmap
23 from samba.param import LoadParm
24 from samba.tests import TestCase
25 from samba import provision
28 from samba.samba3 import smbd, passdb
29 from samba.samba3 import param as s3param
31 # To print a posix ACL use:
32 # for entry in posix_acl.acl:
33 # print "a_type: %d" % entry.a_type
34 # print "a_perm: %o" % entry.a_perm
35 # print "uid: %d" % entry.uid
36 # print "gid: %d" % entry.gid
38 class PosixAclMappingTests(TestCase):
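def test_setntacl(self):
    """Set an NT ACL on a scratch file with ``use_ntvfs=False``.

    Nothing is read back; the test passes if ``setntacl`` does not raise.

    NOTE(review): the scratch name is "pytests" plus one of 100000 random
    integers and the file is opened with mode 'w', so an existing file of
    that name under SELFTEST_PREFIX would be reused and truncated.  The
    same naming scheme is repeated in the other tests of this class.  If
    SELFTEST_PREFIX can ever be shared, tempfile.mkstemp(dir=path) avoids
    both the collision and the reuse.
    """
    # NOTE(review): lp is read but not bound in the visible listing;
    # confirm where it is created.
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    tempf = os.path.join(path, "pytests" + str(int(100000 * random.random())))
    # Close the handle explicitly so the content is flushed before the ACL
    # is applied, instead of relying on garbage collection.
    with open(tempf, 'w') as scratch:
        scratch.write("empty")
    setntacl(lp, tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)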
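def test_setntacl_smbd_getntacl(self):
    """Round-trip an NT ACL set with ``use_ntvfs=True``.

    The ACL is read back with ``direct_db_access=True`` and must serialise
    to exactly the SDDL string that was set.
    """
    # NOTE(review): lp is read but not bound in the visible listing;
    # confirm where it is created.
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    tempf = os.path.join(path, "pytests" + str(int(100000 * random.random())))
    # Close the handle explicitly rather than relying on garbage collection.
    with open(tempf, 'w') as scratch:
        scratch.write("empty")
    setntacl(lp, tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
    facl = getntacl(lp, tempf, direct_db_access=True)
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(facl.as_sddl(anysid), acl)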
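def test_setntacl_smbd_setposixacl_getntacl(self):
    """Set an NT ACL, change the POSIX ACL, then read the NT ACL directly.

    NOTE(review): as listed, the final assertTrue(False) fails whenever
    getntacl() returns.  The listing's line numbers skip around those two
    statements, so an enclosing handler that expects getntacl() to raise
    was presumably lost; confirm against the original file.
    """
    # NOTE(review): lp is read but not bound in the visible listing;
    # confirm where it is created.
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    tempf = os.path.join(path, "pytests" + str(int(100000 * random.random())))
    # Close the handle explicitly rather than relying on garbage collection.
    with open(tempf, 'w') as scratch:
        scratch.write("empty")
    setntacl(lp, tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)

    # This will invalidate the ACL, as we have a hook!
    smbd.set_simple_acl(tempf, 0o640)

    # However, this only asks the xattr
    facl = getntacl(lp, tempf, direct_db_access=True)
    self.assertTrue(False)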
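def test_setntacl_invalidate_getntacl(self):
    """Alter the POSIX ACL xattr behind a stored NT ACL and read it directly.

    After setting the NT ACL (``use_ntvfs=True``) the test overwrites the
    "system.fake_access_acl" xattr with an empty value.  Per the comments
    below, that should invalidate the stored ACL, but a read with
    ``direct_db_access=True`` does not notice and still returns the
    original SDDL.  A direct read is therefore not evidence that the stored
    descriptor still matches the file's POSIX permissions.
    """
    # NOTE(review): lp is read but not bound in the visible listing;
    # confirm where it is created.
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    tempf = os.path.join(path, "pytests" + str(int(100000 * random.random())))
    # Close the handle explicitly rather than relying on garbage collection.
    with open(tempf, 'w') as scratch:
        scratch.write("empty")
    setntacl(lp, tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)

    # This should invalidate the ACL, as we include the posix ACL in the hash
    (backend_obj, dbname) = checkset_backend(lp, None, None)
    backend_obj.wrap_setxattr(dbname, tempf, "system.fake_access_acl", "")

    # However, as this is direct DB access, we do not notice it
    facl = getntacl(lp, tempf, direct_db_access=True)
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(acl, facl.as_sddl(anysid))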
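def test_setntacl_invalidate_getntacl_smbd(self):
    """Alter the POSIX ACL xattr behind a stored NT ACL, then read it back.

    The NT ACL is set with ``use_ntvfs=False``, the
    "system.fake_access_acl" xattr is overwritten with an empty value, and
    ``getntacl`` (called without ``direct_db_access``) must still return
    the original SDDL.

    NOTE(review): the comment before the read says the ACL was set in the
    'ntvfs' mode, but the setntacl() call above passes use_ntvfs=False.
    One of the two is presumably stale; confirm which behaviour is meant.
    """
    # NOTE(review): lp is read but not bound in the visible listing;
    # confirm where it is created.
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    tempf = os.path.join(path, "pytests" + str(int(100000 * random.random())))
    # Close the handle explicitly rather than relying on garbage collection.
    with open(tempf, 'w') as scratch:
        scratch.write("empty")
    setntacl(lp, tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)

    # This should invalidate the ACL, as we include the posix ACL in the hash
    (backend_obj, dbname) = checkset_backend(lp, None, None)
    backend_obj.wrap_setxattr(dbname, tempf, "system.fake_access_acl", "")

    # The hash would break, and we return an ACL based only on the mode,
    # except we set the ACL using the 'ntvfs' mode that doesn't include a hash
    facl = getntacl(lp, tempf)
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(acl, facl.as_sddl(anysid))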
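def test_setntacl_getntacl_smbd(self):
    """Round-trip an NT ACL set with ``use_ntvfs=True``.

    The ACL is read back with ``direct_db_access=False`` and must serialise
    to exactly the SDDL string that was set.
    """
    # NOTE(review): lp is read but not bound in the visible listing;
    # confirm where it is created.
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    tempf = os.path.join(path, "pytests" + str(int(100000 * random.random())))
    # Close the handle explicitly rather than relying on garbage collection.
    with open(tempf, 'w') as scratch:
        scratch.write("empty")
    setntacl(lp, tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
    facl = getntacl(lp, tempf, direct_db_access=False)
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(facl.as_sddl(anysid), acl)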
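def test_setntacl_smbd_getntacl_smbd(self):
    """Round-trip an NT ACL set with ``use_ntvfs=False``.

    The ACL is read back with ``direct_db_access=False`` and must serialise
    to exactly the SDDL string that was set.
    """
    # NOTE(review): lp is read but not bound in the visible listing;
    # confirm where it is created.
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    tempf = os.path.join(path, "pytests" + str(int(100000 * random.random())))
    # Close the handle explicitly rather than relying on garbage collection.
    with open(tempf, 'w') as scratch:
        scratch.write("empty")
    setntacl(lp, tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
    facl = getntacl(lp, tempf, direct_db_access=False)
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(facl.as_sddl(anysid), acl)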
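def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
    """Check that a POSIX ACL change supersedes a previously stored NT ACL.

    The stored NT ACL grants 0x001f01ff with OICI inheritance to RID 512.
    After ``smbd.set_simple_acl(tempf, 0o640)`` the ACL read back with
    ``direct_db_access=False`` must be ``simple_acl_from_posix``, not the
    stale stored one.

    NOTE(review): the expected string ends with (A;;WO;;;WD), an allow ACE
    for Everyone carrying WRITE_OWNER, on a file whose POSIX "other"
    permission is 0.  Worth confirming this is the intended mapping.
    """
    # NOTE(review): lp is read but not bound in the visible listing;
    # confirm where it is created.
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)"
    tempf = os.path.join(path, "pytests" + str(int(100000 * random.random())))
    # Close the handle explicitly rather than relying on garbage collection.
    with open(tempf, 'w') as scratch:
        scratch.write("empty")
    setntacl(lp, tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
    # This invalidates the hash of the NT acl just set because there is a
    # hook in the posix ACL set code
    smbd.set_simple_acl(tempf, 0o640)
    facl = getntacl(lp, tempf, direct_db_access=False)
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(simple_acl_from_posix, facl.as_sddl(anysid))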
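def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self):
    """Check the NT ACL derived from a POSIX ACL that names an extra group.

    A full-control NT ACL is stored first.  The POSIX ACL is then set to
    0640 with the gid mapped from BUILTIN\\Administrators as an additional
    group.  The ACL read back with ``direct_db_access=False`` must be
    ``simple_acl_from_posix``, which carries a read ACE (0x00120089) for BA.
    """
    # NOTE(review): lp is read but not bound in the visible listing;
    # confirm where it is created.
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;BA)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)"
    tempf = os.path.join(path, "pytests" + str(int(100000 * random.random())))
    # Close the handle explicitly rather than relying on garbage collection.
    with open(tempf, 'w') as scratch:
        scratch.write("empty")
    setntacl(lp, tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
    # This invalidates the hash of the NT acl just set because there is a
    # hook in the posix ACL set code
    s3conf = s3param.get_context()
    s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
    (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
    smbd.set_simple_acl(tempf, 0o640, BA_gid)

    # This should re-calculate an ACL based on the posix details
    facl = getntacl(lp, tempf, direct_db_access=False)
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(simple_acl_from_posix, facl.as_sddl(anysid))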
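def test_setntacl_smbd_getntacl_smbd_gpo(self):
    """Round-trip a protected DACL plus object-audit SACL.

    The descriptor uses domain-relative SDDL aliases (DA, DU, EA), so it is
    serialised against the domain SID rather than SID_NT_SELF.  It is set
    with ``use_ntvfs=False``, read with ``direct_db_access=False``, and
    must come back unchanged, including the S: (SACL) part.
    """
    # NOTE(review): lp is read but not bound in the visible listing;
    # confirm where it is created.
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
    tempf = os.path.join(path, "pytests" + str(int(100000 * random.random())))
    # Close the handle explicitly rather than relying on garbage collection.
    with open(tempf, 'w') as scratch:
        scratch.write("empty")
    setntacl(lp, tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
    facl = getntacl(lp, tempf, direct_db_access=False)
    domsid = security.dom_sid("S-1-5-21-2212615479-2695158682-2101375467")
    self.assertEqual(facl.as_sddl(domsid), acl)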
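def test_setntacl_getposixacl(self):
    """Set an NT ACL, verify it round-trips, then fetch the POSIX ACL.

    Only the NT ACL is asserted.  The POSIX access ACL is fetched with
    ``smbd.get_sys_acl`` but, as listed, its contents are not checked, so
    this only shows that the call does not raise.
    """
    # NOTE(review): lp is read but not bound in the visible listing;
    # confirm where it is created.
    path = os.environ['SELFTEST_PREFIX']
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    tempf = os.path.join(path, "pytests" + str(int(100000 * random.random())))
    # Close the handle explicitly rather than relying on garbage collection.
    with open(tempf, 'w') as scratch:
        scratch.write("empty")
    setntacl(lp, tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
    facl = getntacl(lp, tempf)
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(facl.as_sddl(anysid), acl)
    posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)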
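def test_setposixacl_getposixacl(self):
    """Set mode 0640 as a simple POSIX ACL and check the entries read back.

    Expects four entries in this order: USER_OBJ rw-, GROUP_OBJ r--,
    OTHER ---, MASK rw-.

    NOTE(review): a second method with this same name appears later in the
    class.  In Python the later definition replaces this one, so only one
    of the two runs; rename or drop one of them.
    """
    path = os.environ['SELFTEST_PREFIX']
    tempf = os.path.join(path, "pytests" + str(int(100000 * random.random())))
    # Close the handle explicitly rather than relying on garbage collection.
    with open(tempf, 'w') as scratch:
        scratch.write("empty")
    smbd.set_simple_acl(tempf, 0o640)
    posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

    # (entry type, permission bits) in the order the ACL is returned.
    expected = [
        (smb_acl.SMB_ACL_USER_OBJ, 6),
        (smb_acl.SMB_ACL_GROUP_OBJ, 4),
        (smb_acl.SMB_ACL_OTHER, 0),
        (smb_acl.SMB_ACL_MASK, 6),
    ]
    self.assertEqual(posix_acl.count, len(expected))
    for index, (a_type, a_perm) in enumerate(expected):
        self.assertEqual(posix_acl.acl[index].a_type, a_type)
        self.assertEqual(posix_acl.acl[index].a_perm, a_perm)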
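def test_setposixacl_getntacl(self):
    """Set only a POSIX ACL (0750) and ask for the NT ACL.

    NOTE(review): as listed, nothing is asserted about the result.  The
    trailing comment says the xattr is not expected to be filled in, and
    the listing's line numbers skip around the call, so a handler that
    expects getntacl() to raise was presumably lost; confirm against the
    original file.
    """
    # NOTE(review): lp is read but not bound in the visible listing;
    # confirm where it is created.
    path = os.environ['SELFTEST_PREFIX']
    tempf = os.path.join(path, "pytests" + str(int(100000 * random.random())))
    # Close the handle explicitly rather than relying on garbage collection.
    with open(tempf, 'w') as scratch:
        scratch.write("empty")
    smbd.set_simple_acl(tempf, 0o750)

    facl = getntacl(lp, tempf)

    # We don't expect the xattr to be filled in in this case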
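def test_setposixacl_getntacl_smbd(self):
    """Check the NT ACL synthesised from a POSIX-only 0640 file.

    Owner and group SIDs are looked up from the file's uid/gid through
    passdb.  The ACL read with ``direct_db_access=False`` must give the
    owner 0x001f019f and the group 0x00120089.

    NOTE(review): the expected string ends with (A;;WO;;;WD), an allow ACE
    for Everyone carrying WRITE_OWNER, on a file whose POSIX "other"
    permission is 0.  Worth confirming this is the intended mapping.
    """
    # NOTE(review): lp is read but not bound in the visible listing;
    # confirm where it is created.
    path = os.environ['SELFTEST_PREFIX']
    tempf = os.path.join(path, "pytests" + str(int(100000 * random.random())))
    # Close the handle explicitly rather than relying on garbage collection.
    with open(tempf, 'w') as scratch:
        scratch.write("empty")
    s3conf = s3param.get_context()
    s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
    group_SID = s4_passdb.gid_to_sid(os.stat(tempf).st_gid)
    user_SID = s4_passdb.uid_to_sid(os.stat(tempf).st_uid)
    smbd.set_simple_acl(tempf, 0o640)
    facl = getntacl(lp, tempf, direct_db_access=False)
    # Result is unused below; the call is kept in case it matters on its
    # own (not visible from here).
    domsid = passdb.get_global_sam_sid()
    acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(acl, facl.as_sddl(anysid))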
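def test_setposixacl_group_getntacl_smbd(self):
    """Check the NT ACL synthesised from a POSIX ACL with an extra group.

    BUILTIN\\Administrators must map to an ID of type ID_TYPE_BOTH.  Its
    gid is added to a 0640 POSIX ACL, and the NT ACL read with
    ``direct_db_access=False`` must contain a read ACE (0x00120089) for BA
    between the owner and group ACEs.
    """
    # NOTE(review): lp is read but not bound in the visible listing;
    # confirm where it is created.
    path = os.environ['SELFTEST_PREFIX']
    tempf = os.path.join(path, "pytests" + str(int(100000 * random.random())))
    # Close the handle explicitly rather than relying on garbage collection.
    with open(tempf, 'w') as scratch:
        scratch.write("empty")
    BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    s3conf = s3param.get_context()
    s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
    (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
    group_SID = s4_passdb.gid_to_sid(os.stat(tempf).st_gid)
    user_SID = s4_passdb.uid_to_sid(os.stat(tempf).st_uid)
    self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
    smbd.set_simple_acl(tempf, 0o640, BA_gid)
    facl = getntacl(lp, tempf, direct_db_access=False)
    # Result is unused below; the call is kept in case it matters on its
    # own (not visible from here).
    domsid = passdb.get_global_sam_sid()
    acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(acl, facl.as_sddl(anysid))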
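def test_setposixacl_getposixacl(self):
    """Set mode 0640 as a simple POSIX ACL and check the entries read back.

    Expects four entries in this order: USER_OBJ rw-, GROUP_OBJ r--,
    OTHER ---, MASK rw-.

    NOTE(review): an earlier method in this class has the same name and the
    same visible body.  This later definition replaces it, so the earlier
    copy never runs; rename or drop one of them.
    """
    path = os.environ['SELFTEST_PREFIX']
    tempf = os.path.join(path, "pytests" + str(int(100000 * random.random())))
    # Close the handle explicitly rather than relying on garbage collection.
    with open(tempf, 'w') as scratch:
        scratch.write("empty")
    smbd.set_simple_acl(tempf, 0o640)
    posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

    # (entry type, permission bits) in the order the ACL is returned.
    expected = [
        (smb_acl.SMB_ACL_USER_OBJ, 6),
        (smb_acl.SMB_ACL_GROUP_OBJ, 4),
        (smb_acl.SMB_ACL_OTHER, 0),
        (smb_acl.SMB_ACL_MASK, 6),
    ]
    self.assertEqual(posix_acl.count, len(expected))
    for index, (a_type, a_perm) in enumerate(expected):
        self.assertEqual(posix_acl.acl[index].a_type, a_type)
        self.assertEqual(posix_acl.acl[index].a_perm, a_perm)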
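def test_setposixacl_group_getposixacl(self):
    """Set mode 0670 plus an extra group and check the POSIX ACL entries.

    BUILTIN\\Administrators must map to an ID of type ID_TYPE_BOTH; its gid
    is passed to ``smbd.set_simple_acl`` as the additional group.  Five
    entries are expected.  Note that GROUP_OBJ and the named group carry
    perm 7 while MASK is 6.
    """
    path = os.environ['SELFTEST_PREFIX']
    tempf = os.path.join(path, "pytests" + str(int(100000 * random.random())))
    # Close the handle explicitly rather than relying on garbage collection.
    with open(tempf, 'w') as scratch:
        scratch.write("empty")
    BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    s3conf = s3param.get_context()
    s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
    (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
    self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
    smbd.set_simple_acl(tempf, 0o670, BA_gid)
    posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

    # (entry type, permission bits, expected info.gid or None) in the order
    # the ACL is returned.
    expected = [
        (smb_acl.SMB_ACL_USER_OBJ, 6, None),
        (smb_acl.SMB_ACL_GROUP_OBJ, 7, None),
        (smb_acl.SMB_ACL_OTHER, 0, None),
        (smb_acl.SMB_ACL_GROUP, 7, BA_gid),
        (smb_acl.SMB_ACL_MASK, 6, None),
    ]
    self.assertEqual(posix_acl.count, len(expected))
    for index, (a_type, a_perm, gid) in enumerate(expected):
        entry = posix_acl.acl[index]
        self.assertEqual(entry.a_type, a_type)
        self.assertEqual(entry.a_perm, a_perm)
        if gid is not None:
            self.assertEqual(entry.info.gid, gid)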
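def test_setntacl_sysvol_check_getposixacl(self):
    """Apply provision.SYSVOL_ACL and check the POSIX ACL it produces.

    The NT ACL must round-trip through ``getntacl``.  The POSIX access ACL
    read with ``smbd.get_sys_acl`` must then hold the nine entries listed
    in ``expected`` below, in that order.  The SID-to-ID type checks are
    specific to the plugin_s4_dc selftest configuration.
    """
    # NOTE(review): lp is read but not bound in the visible listing;
    # confirm where it is created.
    s3conf = s3param.get_context()
    path = os.environ['SELFTEST_PREFIX']
    acl = provision.SYSVOL_ACL
    tempf = os.path.join(path, "pytests" + str(int(100000 * random.random())))
    # Close the handle explicitly rather than relying on garbage collection.
    with open(tempf, 'w') as scratch:
        scratch.write("empty")
    domsid = passdb.get_global_sam_sid()
    setntacl(lp, tempf, acl, str(domsid), use_ntvfs=False)
    facl = getntacl(lp, tempf)
    self.assertEqual(facl.as_sddl(domsid), acl)
    posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

    LA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
    BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
    SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
    AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)

    s4_passdb = passdb.PDB(s3conf.get("passdb backend"))

    # These assertions are correct for the current plugin_s4_dc selftest
    # configuration. When other environments have a broad range of
    # groups mapped via passdb, we can relax some of these checks
    (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
    self.assertEqual(LA_type, idmap.ID_TYPE_UID)
    (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
    self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
    (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
    self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)
    (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
    # Check SY_type: this line used to re-assert SO_type, which left the
    # SYSTEM mapping unverified before SY_gid is compared below.
    self.assertEqual(SY_type, idmap.ID_TYPE_BOTH)
    (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
    self.assertEqual(AU_type, idmap.ID_TYPE_BOTH)

    # (entry type, permission bits, info attribute, expected id) in the
    # order the ACL is returned; entries without a qualifier use None.
    expected = [
        (smb_acl.SMB_ACL_GROUP, 7, 'gid', BA_gid),
        (smb_acl.SMB_ACL_USER, 6, 'uid', LA_uid),
        (smb_acl.SMB_ACL_OTHER, 0, None, None),
        (smb_acl.SMB_ACL_USER_OBJ, 6, None, None),
        (smb_acl.SMB_ACL_GROUP_OBJ, 7, None, None),
        (smb_acl.SMB_ACL_GROUP, 5, 'gid', SO_gid),
        (smb_acl.SMB_ACL_GROUP, 7, 'gid', SY_gid),
        (smb_acl.SMB_ACL_GROUP, 5, 'gid', AU_gid),
        (smb_acl.SMB_ACL_MASK, 7, None, None),
    ]
    self.assertEqual(posix_acl.count, len(expected))
    for index, (a_type, a_perm, id_attr, id_value) in enumerate(expected):
        entry = posix_acl.acl[index]
        self.assertEqual(entry.a_type, a_type)
        self.assertEqual(entry.a_perm, a_perm)
        if id_attr is not None:
            self.assertEqual(getattr(entry.info, id_attr), id_value)

    # check that it matches:
    # user:root:rwx (selftest user actually)
    # group:Local Admins:rwx
    # This is in this order in the NDR smb_acl (not re-ordered for display)
    # uid: 0 (selftest user actually)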
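def test_setntacl_policies_check_getposixacl(self):
    """Apply provision.POLICIES_ACL and check the POSIX ACL it produces.

    The NT ACL must round-trip through ``getntacl``.  The POSIX access ACL
    read with ``smbd.get_sys_acl`` must then hold the ten entries listed in
    ``expected`` below, in that order.  Compared with the SYSVOL case there
    is one more group entry, for the DOMAIN_RID_POLICY_ADMINS group.  The
    SID-to-ID type checks are specific to the plugin_s4_dc selftest
    configuration.
    """
    # NOTE(review): lp is read but not bound in the visible listing;
    # confirm where it is created.
    s3conf = s3param.get_context()
    path = os.environ['SELFTEST_PREFIX']
    acl = provision.POLICIES_ACL
    tempf = os.path.join(path, "pytests" + str(int(100000 * random.random())))
    # Close the handle explicitly rather than relying on garbage collection.
    with open(tempf, 'w') as scratch:
        scratch.write("empty")
    domsid = passdb.get_global_sam_sid()
    setntacl(lp, tempf, acl, str(domsid), use_ntvfs=False)
    facl = getntacl(lp, tempf)
    self.assertEqual(facl.as_sddl(domsid), acl)
    posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

    LA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
    BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
    SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
    AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
    PA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_POLICY_ADMINS))

    s4_passdb = passdb.PDB(s3conf.get("passdb backend"))

    # These assertions are correct for the current plugin_s4_dc selftest
    # configuration. When other environments have a broad range of
    # groups mapped via passdb, we can relax some of these checks
    (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
    self.assertEqual(LA_type, idmap.ID_TYPE_UID)
    (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
    self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
    (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
    self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)
    (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
    # Check SY_type: this line used to re-assert SO_type, which left the
    # SYSTEM mapping unverified before SY_gid is compared below.
    self.assertEqual(SY_type, idmap.ID_TYPE_BOTH)
    (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
    self.assertEqual(AU_type, idmap.ID_TYPE_BOTH)
    (PA_gid, PA_type) = s4_passdb.sid_to_id(PA_sid)
    self.assertEqual(PA_type, idmap.ID_TYPE_BOTH)

    # (entry type, permission bits, info attribute, expected id) in the
    # order the ACL is returned; entries without a qualifier use None.
    expected = [
        (smb_acl.SMB_ACL_GROUP, 7, 'gid', BA_gid),
        (smb_acl.SMB_ACL_USER, 6, 'uid', LA_uid),
        (smb_acl.SMB_ACL_OTHER, 0, None, None),
        (smb_acl.SMB_ACL_USER_OBJ, 6, None, None),
        (smb_acl.SMB_ACL_GROUP_OBJ, 7, None, None),
        (smb_acl.SMB_ACL_GROUP, 5, 'gid', SO_gid),
        (smb_acl.SMB_ACL_GROUP, 7, 'gid', SY_gid),
        (smb_acl.SMB_ACL_GROUP, 5, 'gid', AU_gid),
        (smb_acl.SMB_ACL_GROUP, 7, 'gid', PA_gid),
        (smb_acl.SMB_ACL_MASK, 7, None, None),
    ]
    self.assertEqual(posix_acl.count, len(expected))
    for index, (a_type, a_perm, id_attr, id_value) in enumerate(expected):
        entry = posix_acl.acl[index]
        self.assertEqual(entry.a_type, a_type)
        self.assertEqual(entry.a_perm, a_perm)
        if id_attr is not None:
            self.assertEqual(getattr(entry.info, id_attr), id_value)

    # check that it matches:
    # user:root:rwx (selftest user actually)
    # group:Local Admins:rwx
    # This is in this order in the NDR smb_acl (not re-ordered for display)
    # uid: 0 (selftest user actually)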
620 super(PosixAclMappingTests, self).setUp()
621 s3conf = s3param.get_context()
622 s3conf.load(self.get_loadparm().configfile)