selftest: Cover one more NT ACL invalidation case and improve comments
[metze/samba/wip.git] / source4 / scripting / python / samba / tests / posixacl.py
1 # Unix SMB/CIFS implementation. Tests for NT and posix ACL manipulation
2 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
3 # Copyright (C) Andrew Bartlett 2012
4 #
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
9 #
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13 # GNU General Public License for more details.
14 #
15 # You should have received a copy of the GNU General Public License
16 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
17 #
18
19 """Tests for the Samba3 NT -> posix ACL layer"""
20
21 from samba.ntacls import setntacl, getntacl, checkset_backend
22 from samba.dcerpc import xattr, security, smb_acl, idmap
23 from samba.param import LoadParm
24 from samba.tests import TestCase
25 from samba import provision
26 import random
27 import os
28 from samba.samba3 import smbd, passdb
29 from samba.samba3 import param as s3param
30
31 # To print a posix ACL use:
32 #        for entry in posix_acl.acl:
33 #            print "a_type: %d" % entry.a_type
34 #            print "a_perm: %o" % entry.a_perm
35 #            print "uid: %d" % entry.uid
36 #            print "gid: %d" % entry.gid
37
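class PosixAclMappingTests(TestCase):
    """Tests for the NT ACL <-> posix ACL mapping on local files.

    Each test creates a scratch file under $SELFTEST_PREFIX, sets an NT ACL
    and/or a posix ACL on it, and checks what is read back.  Several tests
    cover invalidation: once the posix ACL changes underneath a stored NT
    ACL, the stored ACL must not be returned as if it were still current.

    Scratch files are created exclusively (O_EXCL) and are removed in
    tearDown(), so they are cleaned up even when an assertion fails.
    """

    # Domain SID that the hard-coded SDDL strings below are written against.
    _DOMAIN_SID = "S-1-5-21-2212615479-2695158682-2101375467"

    # NT ACL used by most tests: owner RID 512, group RID 513 and a single
    # inheritable (OICI) allow ACE with mask 0x001f01ff for RID 512.
    _NT_ACL = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"

    def setUp(self):
        """Load the selftest smb.conf into the s3 param context."""
        super(PosixAclMappingTests, self).setUp()
        s3conf = s3param.get_context()
        s3conf.load(self.get_loadparm().configfile)
        # Paths handed out by _make_tempfile(); removed again in tearDown().
        self._tempfiles = []

    def tearDown(self):
        """Remove every scratch file the test created."""
        for name in self._tempfiles:
            if os.path.lexists(name):
                os.unlink(name)
        super(PosixAclMappingTests, self).tearDown()

    def _make_tempfile(self):
        """Create a scratch file containing "empty" and return its path.

        The name is still "pytests<random number>" under $SELFTEST_PREFIX,
        but the file is opened with O_CREAT|O_EXCL: an existing file or a
        symlink planted at that name is never written through, another name
        is tried instead.  The creation mode (0666 masked by the umask) is
        the same as a plain open(path, 'w') would give.
        """
        random.seed()
        prefix = os.environ['SELFTEST_PREFIX']
        fd = None
        for _attempt in range(100):
            tempf = os.path.join(prefix,
                                 "pytests" + str(int(100000 * random.random())))
            try:
                fd = os.open(tempf, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0666)
                break
            except OSError:
                # Only a name clash is retried; any other error is real.
                if not os.path.lexists(tempf):
                    raise
        if fd is None:
            self.fail("could not create a unique scratch file under %s" % prefix)
        self._tempfiles.append(tempf)
        try:
            os.write(fd, "empty")
        finally:
            os.close(fd)
        return tempf

    def _as_sddl(self, facl):
        """Return facl as SDDL, rendered against the NT SELF SID."""
        anysid = security.dom_sid(security.SID_NT_SELF)
        return facl.as_sddl(anysid)

    def _assert_posix_acl(self, posix_acl, expected):
        """Compare posix_acl entry by entry with expected.

        expected is a list of (a_type, a_perm, id_attr, id_value) tuples in
        the order the entries appear in posix_acl.acl.  id_attr is "uid" or
        "gid" when entry.info carries an id that must match id_value, and
        None when the entry has no id to check.
        """
        self.assertEquals(posix_acl.count, len(expected))
        for index, (a_type, a_perm, id_attr, id_value) in enumerate(expected):
            entry = posix_acl.acl[index]
            self.assertEquals(entry.a_type, a_type)
            self.assertEquals(entry.a_perm, a_perm)
            if id_attr is not None:
                self.assertEquals(getattr(entry.info, id_attr), id_value)

    def test_setntacl(self):
        """setntacl() with use_ntvfs=False completes without raising."""
        lp = LoadParm()
        tempf = self._make_tempfile()
        setntacl(lp, tempf, self._NT_ACL, self._DOMAIN_SID, use_ntvfs=False)

    def test_setntacl_smbd_getntacl(self):
        """An ACL set with use_ntvfs=True reads back via direct DB access."""
        lp = LoadParm()
        tempf = self._make_tempfile()
        setntacl(lp, tempf, self._NT_ACL, self._DOMAIN_SID, use_ntvfs=True)
        facl = getntacl(lp, tempf, direct_db_access=True)
        self.assertEquals(self._as_sddl(facl), self._NT_ACL)

    def test_setntacl_smbd_setposixacl_getntacl(self):
        """After a posix ACL change, the direct read raises TypeError."""
        lp = LoadParm()
        tempf = self._make_tempfile()
        setntacl(lp, tempf, self._NT_ACL, self._DOMAIN_SID, use_ntvfs=True)

        # This will invalidate the ACL, as we have a hook!
        smbd.set_simple_acl(tempf, 0640)

        # However, this only asks the xattr, so the read must fail rather
        # than hand back the NT ACL that was set before the posix change.
        self.assertRaises(TypeError, getntacl, lp, tempf,
                          direct_db_access=True)

    def test_setntacl_invalidate_getntacl(self):
        """Direct DB access does not notice an out-of-band posix ACL change."""
        lp = LoadParm()
        tempf = self._make_tempfile()
        setntacl(lp, tempf, self._NT_ACL, self._DOMAIN_SID, use_ntvfs=True)

        # This should invalidate the ACL, as we include the posix ACL in the
        # hash
        (backend_obj, dbname) = checkset_backend(lp, None, None)
        backend_obj.wrap_setxattr(dbname,
                                  tempf, "system.fake_access_acl", "")

        # However, as this is direct DB access, we do not notice it
        facl = getntacl(lp, tempf, direct_db_access=True)
        self.assertEquals(self._NT_ACL, self._as_sddl(facl))

    def test_setntacl_invalidate_getntacl_smbd(self):
        """The default getntacl() path after an out-of-band posix ACL change."""
        lp = LoadParm()
        tempf = self._make_tempfile()
        setntacl(lp, tempf, self._NT_ACL, self._DOMAIN_SID, use_ntvfs=False)

        # This should invalidate the ACL, as we include the posix ACL in the
        # hash
        (backend_obj, dbname) = checkset_backend(lp, None, None)
        backend_obj.wrap_setxattr(dbname,
                                  tempf, "system.fake_access_acl", "")

        # The hash would break, and we would return an ACL based only on the
        # mode, except we set the ACL using the 'ntvfs' mode that doesn't
        # include a hash.
        # NOTE(review): the call above passes use_ntvfs=False while this
        # comment speaks of the 'ntvfs' mode; the assertion still expects the
        # original ACL unchanged.  Confirm which of the two is intended.
        facl = getntacl(lp, tempf)
        self.assertEquals(self._NT_ACL, self._as_sddl(facl))

    def test_setntacl_getntacl_smbd(self):
        """Set with use_ntvfs=True, read back with direct_db_access=False."""
        lp = LoadParm()
        tempf = self._make_tempfile()
        setntacl(lp, tempf, self._NT_ACL, self._DOMAIN_SID, use_ntvfs=True)
        facl = getntacl(lp, tempf, direct_db_access=False)
        self.assertEquals(self._as_sddl(facl), self._NT_ACL)

    def test_setntacl_smbd_getntacl_smbd(self):
        """Set with use_ntvfs=False, read back with direct_db_access=False."""
        lp = LoadParm()
        tempf = self._make_tempfile()
        setntacl(lp, tempf, self._NT_ACL, self._DOMAIN_SID, use_ntvfs=False)
        facl = getntacl(lp, tempf, direct_db_access=False)
        self.assertEquals(self._as_sddl(facl), self._NT_ACL)

    def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
        """A posix ACL change replaces the stored NT ACL with a derived one."""
        lp = LoadParm()
        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)"
        tempf = self._make_tempfile()
        setntacl(lp, tempf, self._NT_ACL, self._DOMAIN_SID, use_ntvfs=False)
        # This invalidates the hash of the NT acl just set because there is a
        # hook in the posix ACL set code
        smbd.set_simple_acl(tempf, 0640)
        facl = getntacl(lp, tempf, direct_db_access=False)
        self.assertEquals(simple_acl_from_posix, self._as_sddl(facl))

    def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self):
        """As above, with an extra posix group entry for BUILTIN\\Administrators."""
        lp = LoadParm()
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;BA)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)"
        tempf = self._make_tempfile()
        setntacl(lp, tempf, self._NT_ACL, self._DOMAIN_SID, use_ntvfs=False)
        # This invalidates the hash of the NT acl just set because there is a
        # hook in the posix ACL set code
        s3conf = s3param.get_context()
        s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        smbd.set_simple_acl(tempf, 0640, BA_gid)

        # This should re-calculate an ACL based on the posix details
        facl = getntacl(lp, tempf, direct_db_access=False)
        self.assertEquals(simple_acl_from_posix, self._as_sddl(facl))

    def test_setntacl_smbd_getntacl_smbd_gpo(self):
        """A GPO-style ACL with a SACL round-trips against the domain SID."""
        lp = LoadParm()
        acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
        tempf = self._make_tempfile()
        setntacl(lp, tempf, acl, self._DOMAIN_SID, use_ntvfs=False)
        facl = getntacl(lp, tempf, direct_db_access=False)
        domsid = security.dom_sid(self._DOMAIN_SID)
        self.assertEquals(facl.as_sddl(domsid), acl)

    def test_setntacl_getposixacl(self):
        """After setntacl() the NT ACL reads back and the posix ACL is readable."""
        lp = LoadParm()
        tempf = self._make_tempfile()
        setntacl(lp, tempf, self._NT_ACL, self._DOMAIN_SID, use_ntvfs=False)
        facl = getntacl(lp, tempf)
        self.assertEquals(self._as_sddl(facl), self._NT_ACL)
        # Only checks that the posix ACL can be fetched; its content is not
        # asserted here.
        smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

    def test_setposixacl_getposixacl(self):
        """set_simple_acl(0640) yields the four expected posix ACL entries.

        This method used to be defined twice with identical bodies, so the
        second definition silently replaced the first; one copy is kept.
        """
        tempf = self._make_tempfile()
        smbd.set_simple_acl(tempf, 0640)
        posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
        self._assert_posix_acl(posix_acl, [
            (smb_acl.SMB_ACL_USER_OBJ, 6, None, None),
            (smb_acl.SMB_ACL_GROUP_OBJ, 4, None, None),
            (smb_acl.SMB_ACL_OTHER, 0, None, None),
            (smb_acl.SMB_ACL_MASK, 6, None, None),
        ])

    def test_setposixacl_getntacl(self):
        """getntacl() after only a posix ACL was set may raise TypeError."""
        lp = LoadParm()
        tempf = self._make_tempfile()
        smbd.set_simple_acl(tempf, 0750)
        try:
            getntacl(lp, tempf)
        except TypeError:
            # We don't expect the xattr to be filled in in this case
            pass

    def test_setposixacl_getntacl_smbd(self):
        """With only a posix ACL set, the NT ACL is derived from owner and mode."""
        lp = LoadParm()
        tempf = self._make_tempfile()
        s3conf = s3param.get_context()
        s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
        group_SID = s4_passdb.gid_to_sid(os.stat(tempf).st_gid)
        user_SID = s4_passdb.uid_to_sid(os.stat(tempf).st_uid)
        smbd.set_simple_acl(tempf, 0640)
        facl = getntacl(lp, tempf, direct_db_access=False)
        acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
        self.assertEquals(acl, self._as_sddl(facl))

    def test_setposixacl_group_getntacl_smbd(self):
        """As above, with an extra posix group entry for BUILTIN\\Administrators."""
        lp = LoadParm()
        tempf = self._make_tempfile()
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        s3conf = s3param.get_context()
        s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        group_SID = s4_passdb.gid_to_sid(os.stat(tempf).st_gid)
        user_SID = s4_passdb.uid_to_sid(os.stat(tempf).st_uid)
        self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
        smbd.set_simple_acl(tempf, 0640, BA_gid)
        facl = getntacl(lp, tempf, direct_db_access=False)
        acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
        self.assertEquals(acl, self._as_sddl(facl))

    def test_setposixacl_group_getposixacl(self):
        """set_simple_acl(0670, gid) adds a GROUP entry for that gid."""
        tempf = self._make_tempfile()
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        s3conf = s3param.get_context()
        s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
        smbd.set_simple_acl(tempf, 0670, BA_gid)
        posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
        self._assert_posix_acl(posix_acl, [
            (smb_acl.SMB_ACL_USER_OBJ, 6, None, None),
            (smb_acl.SMB_ACL_GROUP_OBJ, 7, None, None),
            (smb_acl.SMB_ACL_OTHER, 0, None, None),
            (smb_acl.SMB_ACL_GROUP, 7, "gid", BA_gid),
            (smb_acl.SMB_ACL_MASK, 6, None, None),
        ])

    def test_setntacl_sysvol_check_getposixacl(self):
        """provision.SYSVOL_ACL maps to the expected nine posix ACL entries."""
        lp = LoadParm()
        s3conf = s3param.get_context()
        acl = provision.SYSVOL_ACL
        tempf = self._make_tempfile()
        domsid = passdb.get_global_sam_sid()
        setntacl(lp, tempf, acl, str(domsid), use_ntvfs=False)
        facl = getntacl(lp, tempf)
        self.assertEquals(facl.as_sddl(domsid), acl)
        posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

        LA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
        SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
        AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)

        s4_passdb = passdb.PDB(s3conf.get("passdb backend"))

        # These assertions are correct for the current plugin_s4_dc selftest
        # configuration.  When other environments have a broad range of
        # groups mapped via passdb, we can relax some of these checks
        (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
        self.assertEquals(LA_type, idmap.ID_TYPE_UID)
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
        (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
        self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
        (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
        # NOTE(review): this re-checks SO_type, so SY_type is never verified;
        # SY_type was probably intended - confirm against the selftest idmap
        # before changing the assertion.
        self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
        (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
        self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)

        # check that it matches:
        #   user::rwx
        #   user:root:rwx (selftest user actually)
        #   group::rwx
        #   group:Local Admins:rwx
        #   group:3000000:r-x
        #   group:3000001:rwx
        #   group:3000002:r-x
        #   mask::rwx
        #   other::---
        #
        # This is in this order in the NDR smb_acl (not re-ordered for
        # display), shown as a_type / a_perm / uid / gid:
        #   GROUP      7  -1  10
        #   USER       6   0  -1   (uid: selftest user actually)
        #   OTHER      0  -1  -1
        #   USER_OBJ   6  -1  -1
        #   GROUP_OBJ  7  -1  -1
        #   GROUP      5  -1  3000020
        #   GROUP      7  -1  3000000
        #   GROUP      5  -1  3000001
        #   MASK       7  -1  -1
        self._assert_posix_acl(posix_acl, [
            (smb_acl.SMB_ACL_GROUP, 7, "gid", BA_gid),
            (smb_acl.SMB_ACL_USER, 6, "uid", LA_uid),
            (smb_acl.SMB_ACL_OTHER, 0, None, None),
            (smb_acl.SMB_ACL_USER_OBJ, 6, None, None),
            (smb_acl.SMB_ACL_GROUP_OBJ, 7, None, None),
            (smb_acl.SMB_ACL_GROUP, 5, "gid", SO_gid),
            (smb_acl.SMB_ACL_GROUP, 7, "gid", SY_gid),
            (smb_acl.SMB_ACL_GROUP, 5, "gid", AU_gid),
            (smb_acl.SMB_ACL_MASK, 7, None, None),
        ])

    def test_setntacl_policies_check_getposixacl(self):
        """provision.POLICIES_ACL maps to the expected ten posix ACL entries."""
        lp = LoadParm()
        s3conf = s3param.get_context()
        acl = provision.POLICIES_ACL
        tempf = self._make_tempfile()
        domsid = passdb.get_global_sam_sid()
        setntacl(lp, tempf, acl, str(domsid), use_ntvfs=False)
        facl = getntacl(lp, tempf)
        self.assertEquals(facl.as_sddl(domsid), acl)
        posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

        LA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
        SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
        AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
        PA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_POLICY_ADMINS))

        s4_passdb = passdb.PDB(s3conf.get("passdb backend"))

        # These assertions are correct for the current plugin_s4_dc selftest
        # configuration.  When other environments have a broad range of
        # groups mapped via passdb, we can relax some of these checks
        (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
        self.assertEquals(LA_type, idmap.ID_TYPE_UID)
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
        (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
        self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
        (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
        # NOTE(review): this re-checks SO_type, so SY_type is never verified;
        # SY_type was probably intended - confirm against the selftest idmap
        # before changing the assertion.
        self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
        (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
        self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)
        (PA_gid, PA_type) = s4_passdb.sid_to_id(PA_sid)
        self.assertEquals(PA_type, idmap.ID_TYPE_BOTH)

        # check that it matches:
        #   user::rwx
        #   user:root:rwx (selftest user actually)
        #   group::rwx
        #   group:Local Admins:rwx
        #   group:3000000:r-x
        #   group:3000001:rwx
        #   group:3000002:r-x
        #   group:3000003:rwx
        #   mask::rwx
        #   other::---
        #
        # This is in this order in the NDR smb_acl (not re-ordered for
        # display), shown as a_type / a_perm / uid / gid:
        #   GROUP      7  -1  10
        #   USER       6   0  -1   (uid: selftest user actually)
        #   OTHER      0  -1  -1
        #   USER_OBJ   6  -1  -1
        #   GROUP_OBJ  7  -1  -1
        #   GROUP      5  -1  3000020
        #   GROUP      7  -1  3000000
        #   GROUP      5  -1  3000001
        #   GROUP      7  -1  3000003
        #   MASK       7  -1  -1
        self._assert_posix_acl(posix_acl, [
            (smb_acl.SMB_ACL_GROUP, 7, "gid", BA_gid),
            (smb_acl.SMB_ACL_USER, 6, "uid", LA_uid),
            (smb_acl.SMB_ACL_OTHER, 0, None, None),
            (smb_acl.SMB_ACL_USER_OBJ, 6, None, None),
            (smb_acl.SMB_ACL_GROUP_OBJ, 7, None, None),
            (smb_acl.SMB_ACL_GROUP, 5, "gid", SO_gid),
            (smb_acl.SMB_ACL_GROUP, 7, "gid", SY_gid),
            (smb_acl.SMB_ACL_GROUP, 5, "gid", AU_gid),
            (smb_acl.SMB_ACL_GROUP, 7, "gid", PA_gid),
            (smb_acl.SMB_ACL_MASK, 7, None, None),
        ])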