2 Unix SMB/CIFS implementation.
3 Set NT and POSIX ACLs and other VFS operations from Python
5 Copyrigyt (C) Andrew Bartlett 2012
6 Copyright (C) Jeremy Allison 1994-2009.
7 Copyright (C) Andreas Gruenbacher 2002.
8 Copyright (C) Simo Sorce <idra@samba.org> 2009.
9 Copyright (C) Simo Sorce 2002
10 Copyright (C) Eric Lorimer 2002
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
28 #include "python/py3compat.h"
29 #include "python/modules.h"
30 #include "smbd/smbd.h"
31 #include "libcli/util/pyerrors.h"
32 #include "librpc/rpc/pyrpc_util.h"
34 #include "system/filesys.h"
39 extern const struct generic_mapping file_generic_mapping;
42 #define DBGC_CLASS DBGC_ACLS
45 #define DIRECTORY_FLAGS O_RDONLY|O_DIRECTORY
47 /* POSIX allows us to open a directory with O_RDONLY. */
48 #define DIRECTORY_FLAGS O_RDONLY
52 static connection_struct *get_conn_tos(
54 const struct auth_session_info *session_info)
56 struct conn_struct_tos *c = NULL;
60 struct smb_filename cwd_fname = {0};
63 if (!posix_locking_init(false)) {
69 snum = lp_servicenumber(service);
71 PyErr_SetString(PyExc_RuntimeError, "unknown service");
76 status = create_conn_struct_tos(NULL,
81 PyErr_NTSTATUS_IS_ERR_RAISE(status);
83 /* Ignore read-only and share restrictions */
84 c->conn->read_only = false;
85 c->conn->share_access = SEC_RIGHTS_FILE_ALL;
87 /* Provided by libreplace if not present. Always mallocs. */
88 cwd = get_current_dir_name();
94 cwd_fname.base_name = cwd;
96 * We need to call vfs_ChDir() to initialize
97 * conn->cwd_fsp correctly. Change directory
98 * to current directory (so no change for process).
100 ret = vfs_ChDir(c->conn, &cwd_fname);
102 status = map_nt_error_from_unix(errno);
104 PyErr_NTSTATUS_IS_ERR_RAISE(status);
112 static int set_sys_acl_conn(const char *fname,
113 SMB_ACL_TYPE_T acltype,
114 SMB_ACL_T theacl, connection_struct *conn)
117 struct smb_filename *smb_fname = NULL;
119 TALLOC_CTX *frame = talloc_stackframe();
121 smb_fname = synthetic_smb_fname_split(frame,
123 lp_posix_pathnames());
124 if (smb_fname == NULL) {
129 ret = SMB_VFS_SYS_ACL_SET_FILE( conn, smb_fname, acltype, theacl);
136 static NTSTATUS init_files_struct(TALLOC_CTX *mem_ctx,
138 struct connection_struct *conn,
140 struct files_struct **_fsp)
142 struct smb_filename *smb_fname = NULL;
145 struct files_struct *fsp;
147 fsp = talloc_zero(mem_ctx, struct files_struct);
149 return NT_STATUS_NO_MEMORY;
151 fsp->fh = talloc(fsp, struct fd_handle);
152 if (fsp->fh == NULL) {
153 return NT_STATUS_NO_MEMORY;
157 smb_fname = synthetic_smb_fname_split(fsp,
159 lp_posix_pathnames());
160 if (smb_fname == NULL) {
161 return NT_STATUS_NO_MEMORY;
164 fsp->fsp_name = smb_fname;
167 * we want total control over the permissions on created files,
168 * so set our umask to 0 (this matters if flags contains O_CREAT)
170 saved_umask = umask(0);
172 fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, 00644);
176 if (fsp->fh->fd == -1) {
179 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
181 return NT_STATUS_INVALID_PARAMETER;
184 ret = SMB_VFS_FSTAT(fsp, &smb_fname->st);
186 /* If we have an fd, this stat should succeed. */
187 DEBUG(0,("Error doing fstat on open file %s (%s)\n",
188 smb_fname_str_dbg(smb_fname),
190 return map_nt_error_from_unix(errno);
193 fsp->file_id = vfs_file_id_from_sbuf(conn, &smb_fname->st);
194 fsp->vuid = UID_FIELD_INVALID;
196 fsp->fsp_flags.can_lock = true;
197 fsp->fsp_flags.can_read = true;
198 fsp->fsp_flags.can_write = true;
199 fsp->print_file = NULL;
200 fsp->fsp_flags.modified = false;
201 fsp->sent_oplock_break = NO_BREAK_SENT;
202 fsp->fsp_flags.is_directory = S_ISDIR(smb_fname->st.st_ex_mode);
209 static NTSTATUS set_nt_acl_conn(const char *fname,
210 uint32_t security_info_sent, const struct security_descriptor *sd,
211 connection_struct *conn)
213 TALLOC_CTX *frame = talloc_stackframe();
214 struct files_struct *fsp = NULL;
215 NTSTATUS status = NT_STATUS_OK;
217 /* first, try to open it as a file with flag O_RDWR */
218 status = init_files_struct(frame,
223 if (!NT_STATUS_IS_OK(status) && errno == EISDIR) {
224 /* if fail, try to open as dir */
225 status = init_files_struct(frame,
232 if (!NT_STATUS_IS_OK(status)) {
233 DBG_ERR("init_files_struct failed: %s\n",
242 status = SMB_VFS_FSET_NT_ACL(fsp, security_info_sent, sd);
243 if (!NT_STATUS_IS_OK(status)) {
244 DEBUG(0,("set_nt_acl_no_snum: fset_nt_acl returned %s.\n", nt_errstr(status)));
253 static NTSTATUS get_nt_acl_conn(TALLOC_CTX *mem_ctx,
255 connection_struct *conn,
256 uint32_t security_info_wanted,
257 struct security_descriptor **sd)
259 TALLOC_CTX *frame = talloc_stackframe();
261 struct smb_filename *smb_fname = synthetic_smb_fname(talloc_tos(),
266 lp_posix_pathnames() ?
267 SMB_FILENAME_POSIX_PATH : 0);
269 if (smb_fname == NULL) {
271 return NT_STATUS_NO_MEMORY;
274 status = SMB_VFS_GET_NT_ACL(conn,
276 security_info_wanted,
279 if (!NT_STATUS_IS_OK(status)) {
280 DEBUG(0,("get_nt_acl_conn: get_nt_acl returned %s.\n", nt_errstr(status)));
288 static int set_acl_entry_perms(SMB_ACL_ENTRY_T entry, mode_t perm_mask)
290 SMB_ACL_PERMSET_T perms = NULL;
292 if (sys_acl_get_permset(entry, &perms) != 0) {
296 if (sys_acl_clear_perms(perms) != 0) {
300 if ((perm_mask & SMB_ACL_READ) != 0 &&
301 sys_acl_add_perm(perms, SMB_ACL_READ) != 0) {
305 if ((perm_mask & SMB_ACL_WRITE) != 0 &&
306 sys_acl_add_perm(perms, SMB_ACL_WRITE) != 0) {
310 if ((perm_mask & SMB_ACL_EXECUTE) != 0 &&
311 sys_acl_add_perm(perms, SMB_ACL_EXECUTE) != 0) {
315 if (sys_acl_set_permset(entry, perms) != 0) {
322 static SMB_ACL_T make_simple_acl(TALLOC_CTX *mem_ctx,
326 mode_t mode = SMB_ACL_READ|SMB_ACL_WRITE|SMB_ACL_EXECUTE;
328 mode_t mode_user = (chmod_mode & 0700) >> 6;
329 mode_t mode_group = (chmod_mode & 070) >> 3;
330 mode_t mode_other = chmod_mode & 07;
331 SMB_ACL_ENTRY_T entry;
332 SMB_ACL_T acl = sys_acl_init(mem_ctx);
338 if (sys_acl_create_entry(&acl, &entry) != 0) {
343 if (sys_acl_set_tag_type(entry, SMB_ACL_USER_OBJ) != 0) {
348 if (set_acl_entry_perms(entry, mode_user) != 0) {
353 if (sys_acl_create_entry(&acl, &entry) != 0) {
358 if (sys_acl_set_tag_type(entry, SMB_ACL_GROUP_OBJ) != 0) {
363 if (set_acl_entry_perms(entry, mode_group) != 0) {
368 if (sys_acl_create_entry(&acl, &entry) != 0) {
373 if (sys_acl_set_tag_type(entry, SMB_ACL_OTHER) != 0) {
378 if (set_acl_entry_perms(entry, mode_other) != 0) {
384 if (sys_acl_create_entry(&acl, &entry) != 0) {
389 if (sys_acl_set_tag_type(entry, SMB_ACL_GROUP) != 0) {
394 if (sys_acl_set_qualifier(entry, &gid) != 0) {
399 if (set_acl_entry_perms(entry, mode_group) != 0) {
405 if (sys_acl_create_entry(&acl, &entry) != 0) {
410 if (sys_acl_set_tag_type(entry, SMB_ACL_MASK) != 0) {
415 if (set_acl_entry_perms(entry, mode) != 0) {
424 set a simple ACL on a file, as a test
426 static PyObject *py_smbd_set_simple_acl(PyObject *self, PyObject *args, PyObject *kwargs)
428 const char * const kwnames[] = {
436 char *fname, *service = NULL;
437 PyObject *py_session = Py_None;
438 struct auth_session_info *session_info = NULL;
443 connection_struct *conn;
445 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "siO|iz",
446 discard_const_p(char *, kwnames),
454 if (!py_check_dcerpc_type(py_session,
459 session_info = pytalloc_get_type(py_session,
460 struct auth_session_info);
461 if (session_info == NULL) {
462 PyErr_Format(PyExc_TypeError,
463 "Expected auth_session_info for session_info argument got %s",
464 pytalloc_get_name(py_session));
468 frame = talloc_stackframe();
470 acl = make_simple_acl(frame, gid, mode);
476 conn = get_conn_tos(service, session_info);
482 ret = set_sys_acl_conn(fname, SMB_ACL_TYPE_ACCESS, acl, conn);
487 return PyErr_SetFromErrno(PyExc_OSError);
498 static PyObject *py_smbd_chown(PyObject *self, PyObject *args, PyObject *kwargs)
500 const char * const kwnames[] = {
508 connection_struct *conn;
511 char *fname, *service = NULL;
512 PyObject *py_session = Py_None;
513 struct auth_session_info *session_info = NULL;
516 struct files_struct *fsp = NULL;
518 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "siiO|z",
519 discard_const_p(char *, kwnames),
527 if (!py_check_dcerpc_type(py_session,
532 session_info = pytalloc_get_type(py_session,
533 struct auth_session_info);
534 if (session_info == NULL) {
535 PyErr_Format(PyExc_TypeError,
536 "Expected auth_session_info for session_info argument got %s",
537 pytalloc_get_name(py_session));
541 frame = talloc_stackframe();
543 conn = get_conn_tos(service, session_info);
549 /* first, try to open it as a file with flag O_RDWR */
550 status = init_files_struct(frame,
555 if (!NT_STATUS_IS_OK(status) && errno == EISDIR) {
556 /* if fail, try to open as dir */
557 status = init_files_struct(frame,
564 if (!NT_STATUS_IS_OK(status)) {
565 DBG_ERR("init_files_struct failed: %s\n",
572 * The following macro raises a python
573 * error then returns NULL.
575 PyErr_NTSTATUS_IS_ERR_RAISE(status);
578 ret = SMB_VFS_FCHOWN(fsp, uid, gid);
580 int saved_errno = errno;
584 return PyErr_SetFromErrno(PyExc_OSError);
596 static PyObject *py_smbd_unlink(PyObject *self, PyObject *args, PyObject *kwargs)
598 const char * const kwnames[] = {
604 connection_struct *conn;
606 struct smb_filename *smb_fname = NULL;
607 PyObject *py_session = Py_None;
608 struct auth_session_info *session_info = NULL;
609 char *fname, *service = NULL;
612 frame = talloc_stackframe();
614 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "sO|z",
615 discard_const_p(char *, kwnames),
623 if (!py_check_dcerpc_type(py_session,
629 session_info = pytalloc_get_type(py_session,
630 struct auth_session_info);
631 if (session_info == NULL) {
632 PyErr_Format(PyExc_TypeError,
633 "Expected auth_session_info for session_info argument got %s",
634 pytalloc_get_name(py_session));
639 conn = get_conn_tos(service, session_info);
645 smb_fname = synthetic_smb_fname_split(frame,
647 lp_posix_pathnames());
648 if (smb_fname == NULL) {
650 return PyErr_NoMemory();
653 ret = SMB_VFS_UNLINKAT(conn,
660 return PyErr_SetFromErrno(PyExc_OSError);
669 check if we have ACL support
671 static PyObject *py_smbd_have_posix_acls(PyObject *self,
672 PyObject *Py_UNUSED(ignored))
674 #ifdef HAVE_POSIX_ACLS
675 return PyBool_FromLong(true);
677 return PyBool_FromLong(false);
682 set the NT ACL on a file
684 static PyObject *py_smbd_set_nt_acl(PyObject *self, PyObject *args, PyObject *kwargs)
686 const char * const kwnames[] = {
688 "security_info_sent",
696 char *fname, *service = NULL;
697 int security_info_sent;
699 struct security_descriptor *sd;
700 PyObject *py_session = Py_None;
701 struct auth_session_info *session_info = NULL;
702 connection_struct *conn;
705 frame = talloc_stackframe();
707 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "siOO|z",
708 discard_const_p(char *, kwnames),
718 if (!py_check_dcerpc_type(py_sd, "samba.dcerpc.security", "descriptor")) {
723 if (!py_check_dcerpc_type(py_session,
729 session_info = pytalloc_get_type(py_session,
730 struct auth_session_info);
731 if (session_info == NULL) {
732 PyErr_Format(PyExc_TypeError,
733 "Expected auth_session_info for session_info argument got %s",
734 pytalloc_get_name(py_session));
738 conn = get_conn_tos(service, session_info);
744 sd = pytalloc_get_type(py_sd, struct security_descriptor);
746 status = set_nt_acl_conn(fname, security_info_sent, sd, conn);
748 PyErr_NTSTATUS_IS_ERR_RAISE(status);
754 Return the NT ACL on a file
756 static PyObject *py_smbd_get_nt_acl(PyObject *self, PyObject *args, PyObject *kwargs)
758 const char * const kwnames[] = {
760 "security_info_wanted",
765 char *fname, *service = NULL;
766 int security_info_wanted;
768 struct security_descriptor *sd;
769 TALLOC_CTX *frame = talloc_stackframe();
770 PyObject *py_session = Py_None;
771 struct auth_session_info *session_info = NULL;
772 connection_struct *conn;
776 ret = PyArg_ParseTupleAndKeywords(args,
779 discard_const_p(char *, kwnames),
781 &security_info_wanted,
789 if (!py_check_dcerpc_type(py_session,
795 session_info = pytalloc_get_type(py_session,
796 struct auth_session_info);
797 if (session_info == NULL) {
800 "Expected auth_session_info for "
801 "session_info argument got %s",
802 pytalloc_get_name(py_session));
806 conn = get_conn_tos(service, session_info);
812 status = get_nt_acl_conn(frame, fname, conn, security_info_wanted, &sd);
813 PyErr_NTSTATUS_IS_ERR_RAISE(status);
815 py_sd = py_return_ndr_struct("samba.dcerpc.security", "descriptor", sd, sd);
823 set the posix (or similar) ACL on a file
825 static PyObject *py_smbd_set_sys_acl(PyObject *self, PyObject *args, PyObject *kwargs)
827 const char * const kwnames[] = {
835 TALLOC_CTX *frame = talloc_stackframe();
837 char *fname, *service = NULL;
839 PyObject *py_session = Py_None;
840 struct auth_session_info *session_info = NULL;
841 struct smb_acl_t *acl;
843 connection_struct *conn;
845 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "siOO|z",
846 discard_const_p(char *, kwnames),
856 if (!py_check_dcerpc_type(py_acl, "samba.dcerpc.smb_acl", "t")) {
861 if (!py_check_dcerpc_type(py_session,
867 session_info = pytalloc_get_type(py_session,
868 struct auth_session_info);
869 if (session_info == NULL) {
870 PyErr_Format(PyExc_TypeError,
871 "Expected auth_session_info for session_info argument got %s",
872 pytalloc_get_name(py_session));
877 conn = get_conn_tos(service, session_info);
883 acl = pytalloc_get_type(py_acl, struct smb_acl_t);
885 ret = set_sys_acl_conn(fname, acl_type, acl, conn);
889 return PyErr_SetFromErrno(PyExc_OSError);
897 Return the posix (or similar) ACL on a file
899 static PyObject *py_smbd_get_sys_acl(PyObject *self, PyObject *args, PyObject *kwargs)
901 const char * const kwnames[] = {
910 PyObject *py_session = Py_None;
911 struct auth_session_info *session_info = NULL;
912 struct smb_acl_t *acl;
914 TALLOC_CTX *frame = talloc_stackframe();
915 connection_struct *conn;
916 char *service = NULL;
917 struct smb_filename *smb_fname = NULL;
919 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "siO|z",
920 discard_const_p(char *, kwnames),
929 if (!py_check_dcerpc_type(py_session,
935 session_info = pytalloc_get_type(py_session,
936 struct auth_session_info);
937 if (session_info == NULL) {
938 PyErr_Format(PyExc_TypeError,
939 "Expected auth_session_info for session_info argument got %s",
940 pytalloc_get_name(py_session));
945 conn = get_conn_tos(service, session_info);
951 smb_fname = synthetic_smb_fname_split(frame,
953 lp_posix_pathnames());
954 if (smb_fname == NULL) {
958 acl = SMB_VFS_SYS_ACL_GET_FILE( conn, smb_fname, acl_type, frame);
961 return PyErr_SetFromErrno(PyExc_OSError);
964 py_acl = py_return_ndr_struct("samba.dcerpc.smb_acl", "t", acl, acl);
971 static PyObject *py_smbd_mkdir(PyObject *self, PyObject *args, PyObject *kwargs)
973 const char * const kwnames[] = {
979 char *fname, *service = NULL;
980 PyObject *py_session = Py_None;
981 struct auth_session_info *session_info = NULL;
982 TALLOC_CTX *frame = talloc_stackframe();
983 struct connection_struct *conn = NULL;
984 struct smb_filename *smb_fname = NULL;
988 if (!PyArg_ParseTupleAndKeywords(args,
991 discard_const_p(char *,
1000 if (!py_check_dcerpc_type(py_session,
1001 "samba.dcerpc.auth",
1006 session_info = pytalloc_get_type(py_session,
1007 struct auth_session_info);
1008 if (session_info == NULL) {
1009 PyErr_Format(PyExc_TypeError,
1010 "Expected auth_session_info for session_info argument got %s",
1011 pytalloc_get_name(py_session));
1016 conn = get_conn_tos(service, session_info);
1022 smb_fname = synthetic_smb_fname(talloc_tos(),
1027 lp_posix_pathnames() ?
1028 SMB_FILENAME_POSIX_PATH : 0);
1030 if (smb_fname == NULL) {
1035 /* we want total control over the permissions on created files,
1036 so set our umask to 0 */
1037 saved_umask = umask(0);
1039 ret = SMB_VFS_MKDIRAT(conn,
1047 DBG_ERR("mkdirat error=%d (%s)\n", errno, strerror(errno));
1058 Create an empty file
1060 static PyObject *py_smbd_create_file(PyObject *self, PyObject *args, PyObject *kwargs)
1062 const char * const kwnames[] = {
1068 char *fname, *service = NULL;
1069 PyObject *py_session = Py_None;
1070 struct auth_session_info *session_info = NULL;
1071 TALLOC_CTX *frame = talloc_stackframe();
1072 struct connection_struct *conn = NULL;
1073 struct files_struct *fsp = NULL;
1076 if (!PyArg_ParseTupleAndKeywords(args,
1079 discard_const_p(char *,
1088 if (!py_check_dcerpc_type(py_session,
1089 "samba.dcerpc.auth",
1094 session_info = pytalloc_get_type(py_session,
1095 struct auth_session_info);
1096 if (session_info == NULL) {
1097 PyErr_Format(PyExc_TypeError,
1098 "Expected auth_session_info for session_info argument got %s",
1099 pytalloc_get_name(py_session));
1104 conn = get_conn_tos(service, session_info);
1110 status = init_files_struct(frame,
1113 O_CREAT|O_EXCL|O_RDWR,
1115 if (!NT_STATUS_IS_OK(status)) {
1116 DBG_ERR("init_files_struct failed: %s\n",
1125 static PyMethodDef py_smbd_methods[] = {
1126 { "have_posix_acls",
1127 (PyCFunction)py_smbd_have_posix_acls, METH_NOARGS,
1130 PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_set_simple_acl),
1131 METH_VARARGS|METH_KEYWORDS,
1134 PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_set_nt_acl),
1135 METH_VARARGS|METH_KEYWORDS,
1138 PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_get_nt_acl),
1139 METH_VARARGS|METH_KEYWORDS,
1142 PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_get_sys_acl),
1143 METH_VARARGS|METH_KEYWORDS,
1146 PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_set_sys_acl),
1147 METH_VARARGS|METH_KEYWORDS,
1150 PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_chown),
1151 METH_VARARGS|METH_KEYWORDS,
1154 PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_unlink),
1155 METH_VARARGS|METH_KEYWORDS,
1158 PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_mkdir),
1159 METH_VARARGS|METH_KEYWORDS,
1162 PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_create_file),
1163 METH_VARARGS|METH_KEYWORDS,
1168 void initsmbd(void);
1170 static struct PyModuleDef moduledef = {
1171 PyModuleDef_HEAD_INIT,
1173 .m_doc = "Python bindings for the smbd file server.",
1175 .m_methods = py_smbd_methods,
1178 MODULE_INIT_FUNC(smbd)
1182 m = PyModule_Create(&moduledef);