s4:python/ntacl: add fsacl_child_sd() function

Signed-off-by: Stefan Metzmacher <metze@samba.org>

diff --git a/source4/scripting/python/samba/ntacls.py b/source4/scripting/python/samba/ntacls.py
index 65cafc056a34578fb0e3cd3de37e16aac839074a..f0573de13a23d548a2c3ee9ba493519b5d4e0598 100644 (file)
--- a/source4/scripting/python/samba/ntacls.py
+++ b/source4/scripting/python/samba/ntacls.py
@@ -247,3 +247,86 @@ def dsacl2fsacl(dssddl, sid, as_sddl=True):
         return fdescr
 
     return fdescr.as_sddl(sid)
+
+def fsacl_child_sd(parent_sddl, domain_sid, owner_sid, group_sid, container=True, as_sddl=True):
+    """
+
+    This function takes an the SDDL representation of a filesystem
+    ACL and return the SDDL representation of this ACL adapted
+    for child files/directories. It's used for Policy object provision
+    """
+    parent_sd = security.descriptor.from_sddl(parent_sddl, domain_sid)
+    fdescr = security.descriptor()
+    fdescr.owner_sid = owner_sid
+    fdescr.group_sid = group_sid
+    fdescr.type = parent_sd.type
+    fdescr.type |= security.SEC_DESC_DACL_AUTO_INHERITED
+    fdescr.revision = parent_sd.revision
+    aces = parent_sd.dacl.aces
+    for i in range(0, len(aces)):
+        ace = aces[i]
+        ace2 = None
+
+        if ace.type == security.SEC_ACE_TYPE_ACCESS_ALLOWED:
+            pass
+        elif ace.type == security.SEC_ACE_TYPE_ACCESS_DENIED:
+            pass
+        else:
+            continue
+
+        inherit_ace = False
+        if not container:
+            if ace.flags & security.SEC_ACE_FLAG_OBJECT_INHERIT:
+                inherit_ace = True
+        else:
+            if ace.flags & security.SEC_ACE_FLAG_CONTAINER_INHERIT:
+                inherit_ace = True
+            if ((ace.flags & security.SEC_ACE_FLAG_OBJECT_INHERIT) and \
+               not (ace.flags & security.SEC_ACE_FLAG_NO_PROPAGATE_INHERIT)):
+                inherit_ace = True
+
+        if not inherit_ace:
+            continue
+
+        if not container:
+            ace.flags = 0;
+        else:
+            ace.flags &= ~security.SEC_ACE_FLAG_INHERIT_ONLY
+            if not (ace.flags & security.SEC_ACE_FLAG_CONTAINER_INHERIT):
+                ace.flags |= security.SEC_ACE_FLAG_INHERIT_ONLY
+            ace.flags &= ~security.SEC_ACE_FLAG_INHERIT_ONLY
+            if ace.flags & security.SEC_ACE_FLAG_NO_PROPAGATE_INHERIT:
+                ace.flags = 0;
+
+        ace.flags |= security.SEC_ACE_FLAG_INHERITED_ACE
+
+        if str(ace.trustee) == security.SID_CREATOR_OWNER:
+            ace2 = ace
+
+            ace = security.ace()
+            ace.type = ace.type
+            ace.flags = ace.flags
+            ace.access_mask = ace.access_mask
+            ace.trustee = owner_sid
+
+            ace2.flags |= security.SEC_ACE_FLAG_INHERIT_ONLY
+
+        if str(ace.trustee) == security.SID_CREATOR_GROUP:
+            ace2 = ace
+
+            ace = security.ace()
+            ace.type = ace.type
+            ace.flags = ace.flags
+            ace.access_mask = ace.access_mask
+            ace.trustee = group_sid
+
+            ace2.flags |= security.SEC_ACE_FLAG_INHERIT_ONLY
+
+        fdescr.dacl_add(ace)
+        if container and ace2 is not None:
+            fdescr.dacl_add(ace2)
+
+    if not as_sddl:
+        return fdescr
+
+    return fdescr.as_sddl(domain_sid)