1 # Unix SMB/CIFS implementation. Tests for NT and posix ACL manipulation
2 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
3 # Copyright (C) Andrew Bartlett 2012
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 """Tests for the Samba3 NT -> posix ACL layer"""
21 from samba.ntacls import setntacl, getntacl, checkset_backend
22 from samba.dcerpc import xattr, security, smb_acl, idmap
23 from samba.param import LoadParm
24 from samba.tests import TestCaseInTempDir
25 from samba import provision
28 from samba.samba3 import smbd, passdb
29 from samba.samba3 import param as s3param
31 # To print a posix ACL use:
32 # for entry in posix_acl.acl:
33 # print "a_type: %d" % entry.a_type
34 # print "a_perm: %o" % entry.a_perm
35 # print "uid: %d" % entry.uid
36 # print "gid: %d" % entry.gid
38 class PosixAclMappingTests(TestCaseInTempDir):
def test_setntacl(self):
    """Set an NT ACL on the temp file through the non-ntvfs (smbd) path.

    Only checks that setntacl() completes; nothing is read back.
    """
    dom = "S-1-5-21-2212615479-2695158682-2101375467"
    sddl = "O:%s-512G:%s-513D:(A;OICI;0x001f01ff;;;%s-512)" % (dom, dom, dom)
    setntacl(self.lp, self.tempf, sddl, dom, use_ntvfs=False)
def test_setntacl_smbd_getntacl(self):
    """Round-trip an NT ACL through the ntvfs path and a direct DB read.

    The SDDL must come back byte-identical.
    """
    dom = "S-1-5-21-2212615479-2695158682-2101375467"
    sddl = "O:%s-512G:%s-513D:(A;OICI;0x001f01ff;;;%s-512)" % (dom, dom, dom)
    setntacl(self.lp, self.tempf, sddl, dom, use_ntvfs=True)
    stored = getntacl(self.lp, self.tempf, direct_db_access=True)
    # SID_NT_SELF is handed to as_sddl() as the domain; presumably chosen so
    # none of the full SIDs above is abbreviated to a domain alias — confirm.
    neutral = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(stored.as_sddl(neutral), sddl)
def test_setntacl_smbd_setposixacl_getntacl(self):
    """Set an NT ACL, overwrite the posix ACL, then read the NT ACL directly.

    The body ends in an unconditional failure: the posix set goes through
    a hook that invalidates the stored NT ACL, but a direct DB read does
    not look at that, and no expected result has been defined here.
    Presumably tracked as a known failure — TODO confirm against the
    selftest knownfail list.
    """
    dom = "S-1-5-21-2212615479-2695158682-2101375467"
    sddl = "O:%s-512G:%s-513D:(A;OICI;0x001f01ff;;;%s-512)" % (dom, dom, dom)
    setntacl(self.lp, self.tempf, sddl, dom, use_ntvfs=True)
    # Setting a mode-style posix ACL runs the hook that invalidates the
    # NT ACL just stored.
    smbd.set_simple_acl(self.tempf, 0640)
    # Direct DB access only consults the xattr store.
    getntacl(self.lp, self.tempf, direct_db_access=True)
    self.assertTrue(False)
def test_setntacl_invalidate_getntacl(self):
    """Corrupt the posix ACL xattr; a direct DB read must not notice."""
    dom = "S-1-5-21-2212615479-2695158682-2101375467"
    sddl = "O:%s-512G:%s-513D:(A;OICI;0x001f01ff;;;%s-512)" % (dom, dom, dom)
    setntacl(self.lp, self.tempf, sddl, dom, use_ntvfs=True)
    # Writing a bogus posix ACL xattr straight into the backend changes
    # the data the NT ACL hash was computed over.
    backend, dbname = checkset_backend(self.lp, None, None)
    backend.wrap_setxattr(dbname, self.tempf, "system.fake_access_acl", "")
    # Direct DB access skips the hash check, so the SDDL is unchanged.
    stored = getntacl(self.lp, self.tempf, direct_db_access=True)
    neutral = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(sddl, stored.as_sddl(neutral))
def test_setntacl_invalidate_getntacl_smbd(self):
    """Corrupt the posix ACL xattr after an smbd-path set; read with default access."""
    dom = "S-1-5-21-2212615479-2695158682-2101375467"
    sddl = "O:%s-512G:%s-513D:(A;OICI;0x001f01ff;;;%s-512)" % (dom, dom, dom)
    setntacl(self.lp, self.tempf, sddl, dom, use_ntvfs=False)
    # Fake posix ACL xattr written directly into the backend.
    backend, dbname = checkset_backend(self.lp, None, None)
    backend.wrap_setxattr(dbname, self.tempf, "system.fake_access_acl", "")
    # getntacl() is called with its default access mode here and the
    # original SDDL is still expected back.  NOTE(review): the earlier
    # comment attributed this to an ntvfs-mode set without a hash, but the
    # set above uses use_ntvfs=False; confirm which mechanism applies.
    stored = getntacl(self.lp, self.tempf)
    neutral = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(sddl, stored.as_sddl(neutral))
def test_setntacl_smbd_invalidate_getntacl_smbd(self):
    """Corrupt the posix ACL xattr; the smbd-path read falls back to the mode."""
    dom = "S-1-5-21-2212615479-2695158682-2101375467"
    sddl = "O:%s-512G:%s-513D:(A;OICI;0x001f01ff;;;%s-512)" % (dom, dom, dom)
    # What a 0750 mode alone translates to: full access for the owner,
    # read/execute for the group, nothing for Everyone.
    from_mode = ("O:%s-512G:%s-513D:(A;;0x001f01ff;;;%s-512)"
                 "(A;;0x001200a9;;;%s-513)(A;;;;;WD)") % (dom, dom, dom, dom)
    os.chmod(self.tempf, 0750)
    setntacl(self.lp, self.tempf, sddl, dom, use_ntvfs=False)
    # Fake posix ACL xattr written directly into the backend.
    backend, dbname = checkset_backend(self.lp, None, None)
    backend.wrap_setxattr(dbname, self.tempf, "system.fake_access_acl", "")
    # The hash no longer matches, so the stored NT ACL is discarded and
    # one is synthesised from the mode.
    stored = getntacl(self.lp, self.tempf, direct_db_access=False)
    neutral = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(from_mode, stored.as_sddl(neutral))
def test_setntacl_getntacl_smbd(self):
    """Set via the ntvfs path, read via the smbd path; SDDL must round-trip."""
    dom = "S-1-5-21-2212615479-2695158682-2101375467"
    sddl = "O:%s-512G:%s-513D:(A;OICI;0x001f01ff;;;%s-512)" % (dom, dom, dom)
    setntacl(self.lp, self.tempf, sddl, dom, use_ntvfs=True)
    stored = getntacl(self.lp, self.tempf, direct_db_access=False)
    neutral = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(stored.as_sddl(neutral), sddl)
def test_setntacl_smbd_getntacl_smbd(self):
    """Set and read through the smbd path; SDDL must round-trip."""
    dom = "S-1-5-21-2212615479-2695158682-2101375467"
    sddl = "O:%s-512G:%s-513D:(A;OICI;0x001f01ff;;;%s-512)" % (dom, dom, dom)
    setntacl(self.lp, self.tempf, sddl, dom, use_ntvfs=False)
    stored = getntacl(self.lp, self.tempf, direct_db_access=False)
    neutral = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(stored.as_sddl(neutral), sddl)
def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
    """A posix ACL set after the NT ACL invalidates it on the smbd read path."""
    dom = "S-1-5-21-2212615479-2695158682-2101375467"
    sddl = "O:%s-512G:%s-513D:(A;OICI;0x001f01ff;;;%s-512)" % (dom, dom, dom)
    # What the 0640 posix ACL below translates to on its own.
    from_mode = ("O:%s-512G:%s-513D:(A;;0x001f019f;;;%s-512)"
                 "(A;;0x00120089;;;%s-513)(A;;;;;WD)") % (dom, dom, dom, dom)
    setntacl(self.lp, self.tempf, sddl, dom, use_ntvfs=False)
    # set_simple_acl() runs the hook that invalidates the NT ACL hash.
    smbd.set_simple_acl(self.tempf, 0640)
    stored = getntacl(self.lp, self.tempf, direct_db_access=False)
    neutral = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(from_mode, stored.as_sddl(neutral))
def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self):
    """A posix ACL with an extra BA group entry replaces the NT ACL on the smbd read path."""
    dom = "S-1-5-21-2212615479-2695158682-2101375467"
    sddl = "O:%s-512G:%s-513D:(A;OICI;0x001f01ff;;;%s-512)" % (dom, dom, dom)
    # Expected NT ACL recalculated from the posix details, including BA.
    from_posix = ("O:%s-512G:%s-513D:(A;;0x001f019f;;;%s-512)"
                  "(A;;0x00120089;;;BA)(A;;0x00120089;;;%s-513)"
                  "(A;;;;;WD)") % (dom, dom, dom, dom)
    setntacl(self.lp, self.tempf, sddl, dom, use_ntvfs=False)
    ba_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
    ba_gid, _ba_type = s4_passdb.sid_to_id(ba_sid)
    # The posix set with an extra group entry goes through the hook that
    # invalidates the NT ACL hash.
    smbd.set_simple_acl(self.tempf, 0640, ba_gid)
    stored = getntacl(self.lp, self.tempf, direct_db_access=False)
    neutral = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(from_posix, stored.as_sddl(neutral))
def test_setntacl_smbd_getntacl_smbd_gpo(self):
    """A GPO-style SDDL with aliases, inherit-only and object ACEs round-trips via smbd."""
    dom = "S-1-5-21-2212615479-2695158682-2101375467"
    sddl = ("O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
            "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
            "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")
    setntacl(self.lp, self.tempf, sddl, dom, use_ntvfs=False)
    stored = getntacl(self.lp, self.tempf, direct_db_access=False)
    # The real domain SID is needed here so DA/DU/EA render as aliases again.
    self.assertEqual(stored.as_sddl(security.dom_sid(dom)), sddl)
def test_setntacl_getposixacl(self):
    """Set an NT ACL via the smbd path, read it back, and fetch the posix ACL."""
    dom = "S-1-5-21-2212615479-2695158682-2101375467"
    sddl = "O:%s-512G:%s-513D:(A;OICI;0x001f01ff;;;%s-512)" % (dom, dom, dom)
    setntacl(self.lp, self.tempf, sddl, dom, use_ntvfs=False)
    stored = getntacl(self.lp, self.tempf)
    neutral = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(stored.as_sddl(neutral), sddl)
    # Only checks that the access ACL can be fetched; its contents are not
    # inspected here.
    smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
def test_setposixacl_getposixacl(self):
    """Set a 0640 mode-style posix ACL on the file and check its four entries.

    NOTE(review): a method with this exact name is defined again later in
    the class (expecting a mask of 7 rather than 6).  Python keeps the later
    definition, so this body is never collected or run.
    """
    smbd.set_simple_acl(self.tempf, 0640)
    entries = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
    self.assertEqual(entries.count, 4)
    # (entry type, permission bits) in stored order.
    expected = [
        (smb_acl.SMB_ACL_USER_OBJ, 6),
        (smb_acl.SMB_ACL_GROUP_OBJ, 4),
        (smb_acl.SMB_ACL_OTHER, 0),
        (smb_acl.SMB_ACL_MASK, 6),
    ]
    for idx, (a_type, a_perm) in enumerate(expected):
        self.assertEqual(entries.acl[idx].a_type, a_type)
        self.assertEqual(entries.acl[idx].a_perm, a_perm)
def test_setposixacl_getntacl(self):
    """Set only a posix ACL, then read the NT ACL with default access.

    No NT ACL xattr is expected to be present in this case.  The body ends
    in an unconditional failure because no expected result has been
    defined; presumably tracked as a known failure — TODO confirm.
    """
    smbd.set_simple_acl(self.tempf, 0750)
    getntacl(self.lp, self.tempf)
    self.assertTrue(False)
def test_setposixacl_getntacl_smbd(self):
    """An NT ACL synthesised from a 0640 posix ACL names the file's owner and group."""
    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
    st = os.stat(self.tempf)
    group_sid = s4_passdb.gid_to_sid(st.st_gid)
    user_sid = s4_passdb.uid_to_sid(st.st_uid)
    smbd.set_simple_acl(self.tempf, 0640)
    stored = getntacl(self.lp, self.tempf, direct_db_access=False)
    expected = ("O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)"
                "(A;;;;;WD)") % (user_sid, group_sid, user_sid, group_sid)
    neutral = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(expected, stored.as_sddl(neutral))
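def test_setposixacl_dir_getntacl_smbd(self):
    """Chown the temp dir to BA/SO, set a 0750 posix ACL, check the synthesised NT ACL.

    The directory ACL also carries inherit-only entries for CO, CG and WD.
    Cleanup: the passdb was opened twice and the owner SID was looked up
    but never used; both are dropped.
    """
    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
    ba_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    ba_id, ba_type = s4_passdb.sid_to_id(ba_sid)
    # BA becomes the owner and SO the group in the chown below, so both
    # must map as ID_TYPE_BOTH.
    self.assertEqual(ba_type, idmap.ID_TYPE_BOTH)
    so_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
    so_id, so_type = s4_passdb.sid_to_id(so_sid)
    self.assertEqual(so_type, idmap.ID_TYPE_BOTH)
    smbd.chown(self.tempdir, ba_id, so_id)
    smbd.set_simple_acl(self.tempdir, 0750)
    stored = getntacl(self.lp, self.tempdir, direct_db_access=False)
    expected = ("O:BAG:SOD:(A;;0x001f01ff;;;BA)(A;;0x001200a9;;;SO)(A;;;;;WD)"
                "(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001f01ff;;;CG)"
                "(A;OICIIO;0x001f01ff;;;WD)")
    neutral = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(expected, stored.as_sddl(neutral))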
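def test_setposixacl_group_getntacl_smbd(self):
    """A posix ACL with an extra BA group entry maps to an NT ACL with a BA ACE.

    Cleanup: the global SAM SID was fetched into a local that nothing read;
    the call is dropped.
    """
    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
    ba_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    ba_gid, ba_type = s4_passdb.sid_to_id(ba_sid)
    st = os.stat(self.tempf)
    group_sid = s4_passdb.gid_to_sid(st.st_gid)
    user_sid = s4_passdb.uid_to_sid(st.st_uid)
    # BA must resolve to a gid usable for the extra posix group entry.
    self.assertEqual(ba_type, idmap.ID_TYPE_BOTH)
    smbd.set_simple_acl(self.tempf, 0640, ba_gid)
    stored = getntacl(self.lp, self.tempf, direct_db_access=False)
    expected = ("O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)"
                "(A;;0x00120089;;;%s)(A;;;;;WD)") % (user_sid, group_sid, user_sid, group_sid)
    neutral = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(expected, stored.as_sddl(neutral))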
def test_setposixacl_getposixacl(self):
    """Set a 0640 mode-style posix ACL on the file and check its four entries.

    NOTE(review): this redefines a method of the same name earlier in the
    class; this later definition is the one Python keeps and the runner
    collects.
    """
    smbd.set_simple_acl(self.tempf, 0640)
    entries = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
    self.assertEqual(entries.count, 4)
    # (entry type, permission bits) in stored order.
    expected = [
        (smb_acl.SMB_ACL_USER_OBJ, 6),
        (smb_acl.SMB_ACL_GROUP_OBJ, 4),
        (smb_acl.SMB_ACL_OTHER, 0),
        (smb_acl.SMB_ACL_MASK, 7),
    ]
    for idx, (a_type, a_perm) in enumerate(expected):
        self.assertEqual(entries.acl[idx].a_type, a_type)
        self.assertEqual(entries.acl[idx].a_perm, a_perm)
def test_setposixacl_dir_getposixacl(self):
    """Set a 0750 mode-style posix ACL on the directory and check its four entries."""
    smbd.set_simple_acl(self.tempdir, 0750)
    entries = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)
    self.assertEqual(entries.count, 4)
    # (entry type, permission bits) in stored order.
    expected = [
        (smb_acl.SMB_ACL_USER_OBJ, 7),
        (smb_acl.SMB_ACL_GROUP_OBJ, 5),
        (smb_acl.SMB_ACL_OTHER, 0),
        (smb_acl.SMB_ACL_MASK, 7),
    ]
    for idx, (a_type, a_perm) in enumerate(expected):
        self.assertEqual(entries.acl[idx].a_type, a_type)
        self.assertEqual(entries.acl[idx].a_perm, a_perm)
def test_setposixacl_group_getposixacl(self):
    """A 0670 posix ACL with an extra BA group entry yields five entries."""
    ba_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
    ba_gid, ba_type = s4_passdb.sid_to_id(ba_sid)
    self.assertEqual(ba_type, idmap.ID_TYPE_BOTH)
    smbd.set_simple_acl(self.tempf, 0670, ba_gid)
    entries = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
    self.assertEqual(entries.count, 5)
    # (entry type, permission bits) in stored order.
    expected = [
        (smb_acl.SMB_ACL_USER_OBJ, 6),
        (smb_acl.SMB_ACL_GROUP_OBJ, 7),
        (smb_acl.SMB_ACL_OTHER, 0),
        (smb_acl.SMB_ACL_GROUP, 7),
        (smb_acl.SMB_ACL_MASK, 7),
    ]
    for idx, (a_type, a_perm) in enumerate(expected):
        self.assertEqual(entries.acl[idx].a_type, a_type)
        self.assertEqual(entries.acl[idx].a_perm, a_perm)
    # The named group entry must carry the BA gid.
    self.assertEqual(entries.acl[3].info.gid, ba_gid)
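def test_setntacl_sysvol_check_getposixacl(self):
    """Apply the provisioning SYSVOL ACL to a file and check the posix ACL it maps to.

    The NT ACL must round-trip exactly; the posix side is then checked
    entry by entry against the uid/gid each well-known SID maps to.
    Fix: the SY mapping was unpacked but the assertion re-checked SO_type,
    so the SY id type was never verified; it now asserts SY's own type.
    """
    sddl = provision.SYSVOL_ACL
    domsid = passdb.get_global_sam_sid()
    setntacl(self.lp, self.tempf, sddl, str(domsid), use_ntvfs=False)
    stored = getntacl(self.lp, self.tempf)
    self.assertEqual(stored.as_sddl(domsid), sddl)
    entries = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))

    # These id-type expectations match the current plugin_s4_dc selftest
    # configuration; environments that map a broader set of groups through
    # passdb may need some of them relaxed.
    la_sid = security.dom_sid("%s-%s" % (domsid, security.DOMAIN_RID_ADMINISTRATOR))
    la_uid, la_type = s4_passdb.sid_to_id(la_sid)
    self.assertEqual(la_type, idmap.ID_TYPE_UID)
    ba_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    ba_gid, ba_type = s4_passdb.sid_to_id(ba_sid)
    self.assertEqual(ba_type, idmap.ID_TYPE_BOTH)
    so_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
    so_gid, so_type = s4_passdb.sid_to_id(so_sid)
    self.assertEqual(so_type, idmap.ID_TYPE_BOTH)
    sy_sid = security.dom_sid(security.SID_NT_SYSTEM)
    sy_gid, sy_type = s4_passdb.sid_to_id(sy_sid)
    # Was a copy-paste of the SO check; SY is the one unpacked above.
    self.assertEqual(sy_type, idmap.ID_TYPE_BOTH)
    au_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
    au_gid, au_type = s4_passdb.sid_to_id(au_sid)
    self.assertEqual(au_type, idmap.ID_TYPE_BOTH)

    # Expected entries in the order the NDR smb_acl holds them (not
    # re-sorted for display): (type, perm bits, identity attribute, id).
    expected = [
        (smb_acl.SMB_ACL_GROUP, 7, "gid", ba_gid),
        (smb_acl.SMB_ACL_USER, 6, "uid", la_uid),
        (smb_acl.SMB_ACL_OTHER, 0, None, None),
        (smb_acl.SMB_ACL_USER_OBJ, 6, None, None),
        (smb_acl.SMB_ACL_GROUP_OBJ, 7, None, None),
        (smb_acl.SMB_ACL_GROUP, 5, "gid", so_gid),
        (smb_acl.SMB_ACL_GROUP, 7, "gid", sy_gid),
        (smb_acl.SMB_ACL_GROUP, 5, "gid", au_gid),
        (smb_acl.SMB_ACL_MASK, 7, None, None),
    ]
    self.assertEqual(entries.count, 9)
    for idx, (a_type, a_perm, id_attr, id_value) in enumerate(expected):
        entry = entries.acl[idx]
        self.assertEqual(entry.a_type, a_type)
        self.assertEqual(entry.a_perm, a_perm)
        if id_attr is not None:
            self.assertEqual(getattr(entry.info, id_attr), id_value)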
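def test_setntacl_sysvol_dir_check_getposixacl(self):
    """Apply the provisioning SYSVOL ACL to a directory and check the posix ACL it maps to.

    Same shape as the file variant, but owner-side entries get execute
    (7 rather than 6) on a directory.
    Fix: the SY mapping was unpacked but the assertion re-checked SO_type,
    so the SY id type was never verified; it now asserts SY's own type.
    """
    sddl = provision.SYSVOL_ACL
    domsid = passdb.get_global_sam_sid()
    setntacl(self.lp, self.tempdir, sddl, str(domsid), use_ntvfs=False)
    stored = getntacl(self.lp, self.tempdir)
    self.assertEqual(stored.as_sddl(domsid), sddl)
    entries = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)

    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))

    # These id-type expectations match the current plugin_s4_dc selftest
    # configuration; environments that map a broader set of groups through
    # passdb may need some of them relaxed.
    la_sid = security.dom_sid("%s-%s" % (domsid, security.DOMAIN_RID_ADMINISTRATOR))
    la_uid, la_type = s4_passdb.sid_to_id(la_sid)
    self.assertEqual(la_type, idmap.ID_TYPE_UID)
    ba_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    ba_gid, ba_type = s4_passdb.sid_to_id(ba_sid)
    self.assertEqual(ba_type, idmap.ID_TYPE_BOTH)
    so_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
    so_gid, so_type = s4_passdb.sid_to_id(so_sid)
    self.assertEqual(so_type, idmap.ID_TYPE_BOTH)
    sy_sid = security.dom_sid(security.SID_NT_SYSTEM)
    sy_gid, sy_type = s4_passdb.sid_to_id(sy_sid)
    # Was a copy-paste of the SO check; SY is the one unpacked above.
    self.assertEqual(sy_type, idmap.ID_TYPE_BOTH)
    au_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
    au_gid, au_type = s4_passdb.sid_to_id(au_sid)
    self.assertEqual(au_type, idmap.ID_TYPE_BOTH)

    # Expected entries in the order the NDR smb_acl holds them (not
    # re-sorted for display): (type, perm bits, identity attribute, id).
    expected = [
        (smb_acl.SMB_ACL_GROUP, 7, "gid", ba_gid),
        (smb_acl.SMB_ACL_USER, 7, "uid", la_uid),
        (smb_acl.SMB_ACL_OTHER, 0, None, None),
        (smb_acl.SMB_ACL_USER_OBJ, 7, None, None),
        (smb_acl.SMB_ACL_GROUP_OBJ, 7, None, None),
        (smb_acl.SMB_ACL_GROUP, 5, "gid", so_gid),
        (smb_acl.SMB_ACL_GROUP, 7, "gid", sy_gid),
        (smb_acl.SMB_ACL_GROUP, 5, "gid", au_gid),
        (smb_acl.SMB_ACL_MASK, 7, None, None),
    ]
    self.assertEqual(entries.count, 9)
    for idx, (a_type, a_perm, id_attr, id_value) in enumerate(expected):
        entry = entries.acl[idx]
        self.assertEqual(entry.a_type, a_type)
        self.assertEqual(entry.a_perm, a_perm)
        if id_attr is not None:
            self.assertEqual(getattr(entry.info, id_attr), id_value)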
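def test_setntacl_policies_dir_check_getposixacl(self):
    """Apply the provisioning POLICIES ACL to a directory and check the posix ACL it maps to.

    Like the SYSVOL directory case plus one extra group entry for the
    domain's Policy Admins.
    Fix: the SY mapping was unpacked but the assertion re-checked SO_type,
    so the SY id type was never verified; it now asserts SY's own type.
    """
    sddl = provision.POLICIES_ACL
    domsid = passdb.get_global_sam_sid()
    setntacl(self.lp, self.tempdir, sddl, str(domsid), use_ntvfs=False)
    stored = getntacl(self.lp, self.tempdir)
    self.assertEqual(stored.as_sddl(domsid), sddl)
    entries = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)

    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))

    # These id-type expectations match the current plugin_s4_dc selftest
    # configuration; environments that map a broader set of groups through
    # passdb may need some of them relaxed.
    la_sid = security.dom_sid("%s-%s" % (domsid, security.DOMAIN_RID_ADMINISTRATOR))
    la_uid, la_type = s4_passdb.sid_to_id(la_sid)
    self.assertEqual(la_type, idmap.ID_TYPE_UID)
    ba_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    ba_gid, ba_type = s4_passdb.sid_to_id(ba_sid)
    self.assertEqual(ba_type, idmap.ID_TYPE_BOTH)
    so_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
    so_gid, so_type = s4_passdb.sid_to_id(so_sid)
    self.assertEqual(so_type, idmap.ID_TYPE_BOTH)
    sy_sid = security.dom_sid(security.SID_NT_SYSTEM)
    sy_gid, sy_type = s4_passdb.sid_to_id(sy_sid)
    # Was a copy-paste of the SO check; SY is the one unpacked above.
    self.assertEqual(sy_type, idmap.ID_TYPE_BOTH)
    au_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
    au_gid, au_type = s4_passdb.sid_to_id(au_sid)
    self.assertEqual(au_type, idmap.ID_TYPE_BOTH)
    pa_sid = security.dom_sid("%s-%s" % (domsid, security.DOMAIN_RID_POLICY_ADMINS))
    pa_gid, pa_type = s4_passdb.sid_to_id(pa_sid)
    self.assertEqual(pa_type, idmap.ID_TYPE_BOTH)

    # Expected entries in the order the NDR smb_acl holds them (not
    # re-sorted for display): (type, perm bits, identity attribute, id).
    expected = [
        (smb_acl.SMB_ACL_GROUP, 7, "gid", ba_gid),
        (smb_acl.SMB_ACL_USER, 7, "uid", la_uid),
        (smb_acl.SMB_ACL_OTHER, 0, None, None),
        (smb_acl.SMB_ACL_USER_OBJ, 7, None, None),
        (smb_acl.SMB_ACL_GROUP_OBJ, 7, None, None),
        (smb_acl.SMB_ACL_GROUP, 5, "gid", so_gid),
        (smb_acl.SMB_ACL_GROUP, 7, "gid", sy_gid),
        (smb_acl.SMB_ACL_GROUP, 5, "gid", au_gid),
        (smb_acl.SMB_ACL_GROUP, 7, "gid", pa_gid),
        (smb_acl.SMB_ACL_MASK, 7, None, None),
    ]
    self.assertEqual(entries.count, 10)
    for idx, (a_type, a_perm, id_attr, id_value) in enumerate(expected):
        entry = entries.acl[idx]
        self.assertEqual(entry.a_type, a_type)
        self.assertEqual(entry.a_perm, a_perm)
        if id_attr is not None:
            self.assertEqual(getattr(entry.info, id_attr), id_value)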
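def test_setntacl_policies_check_getposixacl(self):
    """Apply the provisioning POLICIES ACL to a file and check the posix ACL it maps to.

    Like the SYSVOL file case plus one extra group entry for the domain's
    Policy Admins.
    Fix: the SY mapping was unpacked but the assertion re-checked SO_type,
    so the SY id type was never verified; it now asserts SY's own type.
    """
    sddl = provision.POLICIES_ACL
    domsid = passdb.get_global_sam_sid()
    setntacl(self.lp, self.tempf, sddl, str(domsid), use_ntvfs=False)
    stored = getntacl(self.lp, self.tempf)
    self.assertEqual(stored.as_sddl(domsid), sddl)
    entries = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))

    # These id-type expectations match the current plugin_s4_dc selftest
    # configuration; environments that map a broader set of groups through
    # passdb may need some of them relaxed.
    la_sid = security.dom_sid("%s-%s" % (domsid, security.DOMAIN_RID_ADMINISTRATOR))
    la_uid, la_type = s4_passdb.sid_to_id(la_sid)
    self.assertEqual(la_type, idmap.ID_TYPE_UID)
    ba_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    ba_gid, ba_type = s4_passdb.sid_to_id(ba_sid)
    self.assertEqual(ba_type, idmap.ID_TYPE_BOTH)
    so_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
    so_gid, so_type = s4_passdb.sid_to_id(so_sid)
    self.assertEqual(so_type, idmap.ID_TYPE_BOTH)
    sy_sid = security.dom_sid(security.SID_NT_SYSTEM)
    sy_gid, sy_type = s4_passdb.sid_to_id(sy_sid)
    # Was a copy-paste of the SO check; SY is the one unpacked above.
    self.assertEqual(sy_type, idmap.ID_TYPE_BOTH)
    au_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
    au_gid, au_type = s4_passdb.sid_to_id(au_sid)
    self.assertEqual(au_type, idmap.ID_TYPE_BOTH)
    pa_sid = security.dom_sid("%s-%s" % (domsid, security.DOMAIN_RID_POLICY_ADMINS))
    pa_gid, pa_type = s4_passdb.sid_to_id(pa_sid)
    self.assertEqual(pa_type, idmap.ID_TYPE_BOTH)

    # Expected entries in the order the NDR smb_acl holds them (not
    # re-sorted for display): (type, perm bits, identity attribute, id).
    expected = [
        (smb_acl.SMB_ACL_GROUP, 7, "gid", ba_gid),
        (smb_acl.SMB_ACL_USER, 6, "uid", la_uid),
        (smb_acl.SMB_ACL_OTHER, 0, None, None),
        (smb_acl.SMB_ACL_USER_OBJ, 6, None, None),
        (smb_acl.SMB_ACL_GROUP_OBJ, 7, None, None),
        (smb_acl.SMB_ACL_GROUP, 5, "gid", so_gid),
        (smb_acl.SMB_ACL_GROUP, 7, "gid", sy_gid),
        (smb_acl.SMB_ACL_GROUP, 5, "gid", au_gid),
        (smb_acl.SMB_ACL_GROUP, 7, "gid", pa_gid),
        (smb_acl.SMB_ACL_MASK, 7, None, None),
    ]
    self.assertEqual(entries.count, 10)
    for idx, (a_type, a_perm, id_attr, id_value) in enumerate(expected):
        entry = entries.acl[idx]
        self.assertEqual(entry.a_type, a_type)
        self.assertEqual(entry.a_perm, a_perm)
        if id_attr is not None:
            self.assertEqual(getattr(entry.info, id_attr), id_value)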
704 super(PosixAclMappingTests, self).setUp()
705 s3conf = s3param.get_context()
706 s3conf.load(self.get_loadparm().configfile)
707 s3conf.set("xattr_tdb:file", os.path.join(self.tempdir,"xattr.tdb"))
709 self.tempf = os.path.join(self.tempdir, "test")
710 open(self.tempf, 'w').write("empty")
713 smbd.unlink(self.tempf)
714 os.unlink(os.path.join(self.tempdir,"xattr.tdb"))
715 super(PosixAclMappingTests, self).tearDown()