2 Unix SMB/CIFS implementation.
3 Set NT and POSIX ACLs and other VFS operations from Python
5 Copyrigyt (C) Andrew Bartlett 2012
6 Copyright (C) Jeremy Allison 1994-2009.
7 Copyright (C) Andreas Gruenbacher 2002.
8 Copyright (C) Simo Sorce <idra@samba.org> 2009.
9 Copyright (C) Simo Sorce 2002
10 Copyright (C) Eric Lorimer 2002
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
28 #include "python/py3compat.h"
29 #include "python/modules.h"
30 #include "smbd/smbd.h"
31 #include "libcli/util/pyerrors.h"
32 #include "librpc/rpc/pyrpc_util.h"
34 #include "system/filesys.h"
39 extern const struct generic_mapping file_generic_mapping;
42 #define DBGC_CLASS DBGC_ACLS
45 #define DIRECTORY_FLAGS O_RDONLY|O_DIRECTORY
47 /* POSIX allows us to open a directory with O_RDONLY. */
48 #define DIRECTORY_FLAGS O_RDONLY
52 static connection_struct *get_conn_tos(
54 const struct auth_session_info *session_info)
56 struct conn_struct_tos *c = NULL;
60 struct smb_filename cwd_fname = {0};
63 if (!posix_locking_init(false)) {
69 snum = lp_servicenumber(service);
71 PyErr_SetString(PyExc_RuntimeError, "unknown service");
76 status = create_conn_struct_tos(NULL,
81 PyErr_NTSTATUS_IS_ERR_RAISE(status);
83 /* Ignore read-only and share restrictions */
84 c->conn->read_only = false;
85 c->conn->share_access = SEC_RIGHTS_FILE_ALL;
87 /* Provided by libreplace if not present. Always mallocs. */
88 cwd = get_current_dir_name();
94 cwd_fname.base_name = cwd;
96 * We need to call vfs_ChDir() to initialize
97 * conn->cwd_fsp correctly. Change directory
98 * to current directory (so no change for process).
100 ret = vfs_ChDir(c->conn, &cwd_fname);
102 status = map_nt_error_from_unix(errno);
104 PyErr_NTSTATUS_IS_ERR_RAISE(status);
112 static int set_sys_acl_conn(const char *fname,
113 SMB_ACL_TYPE_T acltype,
114 SMB_ACL_T theacl, connection_struct *conn)
117 struct smb_filename *smb_fname = NULL;
119 TALLOC_CTX *frame = talloc_stackframe();
121 smb_fname = synthetic_smb_fname_split(frame,
123 lp_posix_pathnames());
124 if (smb_fname == NULL) {
129 ret = SMB_VFS_SYS_ACL_SET_FILE( conn, smb_fname, acltype, theacl);
136 static NTSTATUS init_files_struct(TALLOC_CTX *mem_ctx,
138 struct connection_struct *conn,
140 struct files_struct **_fsp)
142 struct smb_filename *smb_fname = NULL;
145 struct files_struct *fsp;
147 fsp = talloc_zero(mem_ctx, struct files_struct);
149 return NT_STATUS_NO_MEMORY;
151 fsp->fh = talloc(fsp, struct fd_handle);
152 if (fsp->fh == NULL) {
153 return NT_STATUS_NO_MEMORY;
157 smb_fname = synthetic_smb_fname_split(fsp,
159 lp_posix_pathnames());
160 if (smb_fname == NULL) {
161 return NT_STATUS_NO_MEMORY;
164 fsp->fsp_name = smb_fname;
167 * we want total control over the permissions on created files,
168 * so set our umask to 0 (this matters if flags contains O_CREAT)
170 saved_umask = umask(0);
172 fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, 00644);
176 if (fsp->fh->fd == -1) {
179 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
181 return NT_STATUS_INVALID_PARAMETER;
184 ret = SMB_VFS_FSTAT(fsp, &smb_fname->st);
186 /* If we have an fd, this stat should succeed. */
187 DEBUG(0,("Error doing fstat on open file %s (%s)\n",
188 smb_fname_str_dbg(smb_fname),
190 return map_nt_error_from_unix(errno);
193 fsp->file_id = vfs_file_id_from_sbuf(conn, &smb_fname->st);
194 fsp->vuid = UID_FIELD_INVALID;
196 fsp->can_lock = True;
197 fsp->can_read = True;
198 fsp->can_write = True;
199 fsp->print_file = NULL;
200 fsp->modified = False;
201 fsp->sent_oplock_break = NO_BREAK_SENT;
202 fsp->is_directory = S_ISDIR(smb_fname->st.st_ex_mode);
209 static NTSTATUS set_nt_acl_conn(const char *fname,
210 uint32_t security_info_sent, const struct security_descriptor *sd,
211 connection_struct *conn)
213 TALLOC_CTX *frame = talloc_stackframe();
214 struct files_struct *fsp = NULL;
215 NTSTATUS status = NT_STATUS_OK;
217 /* first, try to open it as a file with flag O_RDWR */
218 status = init_files_struct(frame,
223 if (!NT_STATUS_IS_OK(status) && errno == EISDIR) {
224 /* if fail, try to open as dir */
225 status = init_files_struct(frame,
232 if (!NT_STATUS_IS_OK(status)) {
233 DBG_ERR("init_files_struct failed: %s\n",
242 status = SMB_VFS_FSET_NT_ACL(fsp, security_info_sent, sd);
243 if (!NT_STATUS_IS_OK(status)) {
244 DEBUG(0,("set_nt_acl_no_snum: fset_nt_acl returned %s.\n", nt_errstr(status)));
253 static NTSTATUS get_nt_acl_conn(TALLOC_CTX *mem_ctx,
255 connection_struct *conn,
256 uint32_t security_info_wanted,
257 struct security_descriptor **sd)
259 TALLOC_CTX *frame = talloc_stackframe();
261 struct smb_filename *smb_fname = synthetic_smb_fname(talloc_tos(),
265 lp_posix_pathnames() ?
266 SMB_FILENAME_POSIX_PATH : 0);
268 if (smb_fname == NULL) {
270 return NT_STATUS_NO_MEMORY;
273 status = SMB_VFS_GET_NT_ACL(conn,
275 security_info_wanted,
278 if (!NT_STATUS_IS_OK(status)) {
279 DEBUG(0,("get_nt_acl_conn: get_nt_acl returned %s.\n", nt_errstr(status)));
287 static int set_acl_entry_perms(SMB_ACL_ENTRY_T entry, mode_t perm_mask)
289 SMB_ACL_PERMSET_T perms = NULL;
291 if (sys_acl_get_permset(entry, &perms) != 0) {
295 if (sys_acl_clear_perms(perms) != 0) {
299 if ((perm_mask & SMB_ACL_READ) != 0 &&
300 sys_acl_add_perm(perms, SMB_ACL_READ) != 0) {
304 if ((perm_mask & SMB_ACL_WRITE) != 0 &&
305 sys_acl_add_perm(perms, SMB_ACL_WRITE) != 0) {
309 if ((perm_mask & SMB_ACL_EXECUTE) != 0 &&
310 sys_acl_add_perm(perms, SMB_ACL_EXECUTE) != 0) {
314 if (sys_acl_set_permset(entry, perms) != 0) {
321 static SMB_ACL_T make_simple_acl(TALLOC_CTX *mem_ctx,
325 mode_t mode = SMB_ACL_READ|SMB_ACL_WRITE|SMB_ACL_EXECUTE;
327 mode_t mode_user = (chmod_mode & 0700) >> 6;
328 mode_t mode_group = (chmod_mode & 070) >> 3;
329 mode_t mode_other = chmod_mode & 07;
330 SMB_ACL_ENTRY_T entry;
331 SMB_ACL_T acl = sys_acl_init(mem_ctx);
337 if (sys_acl_create_entry(&acl, &entry) != 0) {
342 if (sys_acl_set_tag_type(entry, SMB_ACL_USER_OBJ) != 0) {
347 if (set_acl_entry_perms(entry, mode_user) != 0) {
352 if (sys_acl_create_entry(&acl, &entry) != 0) {
357 if (sys_acl_set_tag_type(entry, SMB_ACL_GROUP_OBJ) != 0) {
362 if (set_acl_entry_perms(entry, mode_group) != 0) {
367 if (sys_acl_create_entry(&acl, &entry) != 0) {
372 if (sys_acl_set_tag_type(entry, SMB_ACL_OTHER) != 0) {
377 if (set_acl_entry_perms(entry, mode_other) != 0) {
383 if (sys_acl_create_entry(&acl, &entry) != 0) {
388 if (sys_acl_set_tag_type(entry, SMB_ACL_GROUP) != 0) {
393 if (sys_acl_set_qualifier(entry, &gid) != 0) {
398 if (set_acl_entry_perms(entry, mode_group) != 0) {
404 if (sys_acl_create_entry(&acl, &entry) != 0) {
409 if (sys_acl_set_tag_type(entry, SMB_ACL_MASK) != 0) {
414 if (set_acl_entry_perms(entry, mode) != 0) {
423 set a simple ACL on a file, as a test
425 static PyObject *py_smbd_set_simple_acl(PyObject *self, PyObject *args, PyObject *kwargs)
427 const char * const kwnames[] = {
434 char *fname, *service = NULL;
439 connection_struct *conn;
441 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "si|iz",
442 discard_const_p(char *, kwnames),
449 frame = talloc_stackframe();
451 acl = make_simple_acl(frame, gid, mode);
457 conn = get_conn_tos(service, NULL);
463 ret = set_sys_acl_conn(fname, SMB_ACL_TYPE_ACCESS, acl, conn);
468 return PyErr_SetFromErrno(PyExc_OSError);
479 static PyObject *py_smbd_chown(PyObject *self, PyObject *args, PyObject *kwargs)
481 const char * const kwnames[] = { "fname", "uid", "gid", "service", NULL };
482 connection_struct *conn;
485 char *fname, *service = NULL;
488 struct files_struct *fsp = NULL;
490 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "sii|z",
491 discard_const_p(char *, kwnames),
492 &fname, &uid, &gid, &service))
495 frame = talloc_stackframe();
497 conn = get_conn_tos(service, NULL);
503 /* first, try to open it as a file with flag O_RDWR */
504 status = init_files_struct(frame,
509 if (!NT_STATUS_IS_OK(status) && errno == EISDIR) {
510 /* if fail, try to open as dir */
511 status = init_files_struct(frame,
518 if (!NT_STATUS_IS_OK(status)) {
519 DBG_ERR("init_files_struct failed: %s\n",
526 * The following macro raises a python
527 * error then returns NULL.
529 PyErr_NTSTATUS_IS_ERR_RAISE(status);
532 ret = SMB_VFS_FCHOWN(fsp, uid, gid);
534 int saved_errno = errno;
538 return PyErr_SetFromErrno(PyExc_OSError);
550 static PyObject *py_smbd_unlink(PyObject *self, PyObject *args, PyObject *kwargs)
552 const char * const kwnames[] = { "fname", "service", NULL };
553 connection_struct *conn;
555 struct smb_filename *smb_fname = NULL;
556 char *fname, *service = NULL;
559 frame = talloc_stackframe();
561 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "s|z",
562 discard_const_p(char *, kwnames),
568 conn = get_conn_tos(service, NULL);
574 smb_fname = synthetic_smb_fname_split(frame,
576 lp_posix_pathnames());
577 if (smb_fname == NULL) {
579 return PyErr_NoMemory();
582 ret = SMB_VFS_UNLINKAT(conn,
589 return PyErr_SetFromErrno(PyExc_OSError);
598 check if we have ACL support
600 static PyObject *py_smbd_have_posix_acls(PyObject *self,
601 PyObject *Py_UNUSED(ignored))
603 #ifdef HAVE_POSIX_ACLS
604 return PyBool_FromLong(true);
606 return PyBool_FromLong(false);
611 set the NT ACL on a file
613 static PyObject *py_smbd_set_nt_acl(PyObject *self, PyObject *args, PyObject *kwargs)
615 const char * const kwnames[] = {
616 "fname", "security_info_sent", "sd",
617 "service", "session_info", NULL };
620 char *fname, *service = NULL;
621 int security_info_sent;
623 struct security_descriptor *sd;
624 PyObject *py_session = Py_None;
625 struct auth_session_info *session_info = NULL;
626 connection_struct *conn;
629 frame = talloc_stackframe();
631 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "siO|zO",
632 discard_const_p(char *, kwnames),
633 &fname, &security_info_sent, &py_sd,
634 &service, &py_session)) {
639 if (!py_check_dcerpc_type(py_sd, "samba.dcerpc.security", "descriptor")) {
644 if (py_session != Py_None) {
645 if (!py_check_dcerpc_type(py_session,
651 session_info = pytalloc_get_type(py_session,
652 struct auth_session_info);
654 PyErr_Format(PyExc_TypeError,
655 "Expected auth_session_info for session_info argument got %s",
656 pytalloc_get_name(py_session));
661 conn = get_conn_tos(service, session_info);
667 sd = pytalloc_get_type(py_sd, struct security_descriptor);
669 status = set_nt_acl_conn(fname, security_info_sent, sd, conn);
671 PyErr_NTSTATUS_IS_ERR_RAISE(status);
677 Return the NT ACL on a file
679 static PyObject *py_smbd_get_nt_acl(PyObject *self, PyObject *args, PyObject *kwargs)
681 const char * const kwnames[] = { "fname",
682 "security_info_wanted",
686 char *fname, *service = NULL;
687 int security_info_wanted;
689 struct security_descriptor *sd;
690 TALLOC_CTX *frame = talloc_stackframe();
691 PyObject *py_session = Py_None;
692 struct auth_session_info *session_info = NULL;
693 connection_struct *conn;
697 ret = PyArg_ParseTupleAndKeywords(args,
700 discard_const_p(char *, kwnames),
702 &security_info_wanted,
710 if (py_session != Py_None) {
711 if (!py_check_dcerpc_type(py_session,
717 session_info = pytalloc_get_type(py_session,
718 struct auth_session_info);
722 "Expected auth_session_info for "
723 "session_info argument got %s",
724 pytalloc_get_name(py_session));
729 conn = get_conn_tos(service, session_info);
735 status = get_nt_acl_conn(frame, fname, conn, security_info_wanted, &sd);
736 PyErr_NTSTATUS_IS_ERR_RAISE(status);
738 py_sd = py_return_ndr_struct("samba.dcerpc.security", "descriptor", sd, sd);
746 set the posix (or similar) ACL on a file
748 static PyObject *py_smbd_set_sys_acl(PyObject *self, PyObject *args, PyObject *kwargs)
750 const char * const kwnames[] = { "fname", "acl_type", "acl", "service", NULL };
751 TALLOC_CTX *frame = talloc_stackframe();
753 char *fname, *service = NULL;
755 struct smb_acl_t *acl;
757 connection_struct *conn;
759 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "siO|z",
760 discard_const_p(char *, kwnames),
761 &fname, &acl_type, &py_acl, &service)) {
766 if (!py_check_dcerpc_type(py_acl, "samba.dcerpc.smb_acl", "t")) {
771 conn = get_conn_tos(service, NULL);
777 acl = pytalloc_get_type(py_acl, struct smb_acl_t);
779 ret = set_sys_acl_conn(fname, acl_type, acl, conn);
783 return PyErr_SetFromErrno(PyExc_OSError);
791 Return the posix (or similar) ACL on a file
793 static PyObject *py_smbd_get_sys_acl(PyObject *self, PyObject *args, PyObject *kwargs)
795 const char * const kwnames[] = { "fname", "acl_type", "service", NULL };
798 struct smb_acl_t *acl;
800 TALLOC_CTX *frame = talloc_stackframe();
801 connection_struct *conn;
802 char *service = NULL;
803 struct smb_filename *smb_fname = NULL;
805 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "si|z",
806 discard_const_p(char *, kwnames),
807 &fname, &acl_type, &service)) {
812 conn = get_conn_tos(service, NULL);
818 smb_fname = synthetic_smb_fname_split(frame,
820 lp_posix_pathnames());
821 if (smb_fname == NULL) {
825 acl = SMB_VFS_SYS_ACL_GET_FILE( conn, smb_fname, acl_type, frame);
828 return PyErr_SetFromErrno(PyExc_OSError);
831 py_acl = py_return_ndr_struct("samba.dcerpc.smb_acl", "t", acl, acl);
838 static PyObject *py_smbd_mkdir(PyObject *self, PyObject *args, PyObject *kwargs)
840 const char * const kwnames[] = { "fname", "service", NULL };
841 char *fname, *service = NULL;
842 TALLOC_CTX *frame = talloc_stackframe();
843 struct connection_struct *conn = NULL;
844 struct smb_filename *smb_fname = NULL;
848 if (!PyArg_ParseTupleAndKeywords(args,
851 discard_const_p(char *,
859 conn = get_conn_tos(service, NULL);
865 smb_fname = synthetic_smb_fname(talloc_tos(),
869 lp_posix_pathnames() ?
870 SMB_FILENAME_POSIX_PATH : 0);
872 if (smb_fname == NULL) {
877 /* we want total control over the permissions on created files,
878 so set our umask to 0 */
879 saved_umask = umask(0);
881 ret = SMB_VFS_MKDIRAT(conn,
889 DBG_ERR("mkdirat error=%d (%s)\n", errno, strerror(errno));
902 static PyObject *py_smbd_create_file(PyObject *self, PyObject *args, PyObject *kwargs)
904 const char * const kwnames[] = { "fname", "service", NULL };
905 char *fname, *service = NULL;
906 TALLOC_CTX *frame = talloc_stackframe();
907 struct connection_struct *conn = NULL;
908 struct files_struct *fsp = NULL;
911 if (!PyArg_ParseTupleAndKeywords(args,
914 discard_const_p(char *,
922 conn = get_conn_tos(service, NULL);
928 status = init_files_struct(frame,
931 O_CREAT|O_EXCL|O_RDWR,
933 if (!NT_STATUS_IS_OK(status)) {
934 DBG_ERR("init_files_struct failed: %s\n",
943 static PyMethodDef py_smbd_methods[] = {
945 (PyCFunction)py_smbd_have_posix_acls, METH_NOARGS,
948 PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_set_simple_acl),
949 METH_VARARGS|METH_KEYWORDS,
952 PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_set_nt_acl),
953 METH_VARARGS|METH_KEYWORDS,
956 PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_get_nt_acl),
957 METH_VARARGS|METH_KEYWORDS,
960 PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_get_sys_acl),
961 METH_VARARGS|METH_KEYWORDS,
964 PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_set_sys_acl),
965 METH_VARARGS|METH_KEYWORDS,
968 PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_chown),
969 METH_VARARGS|METH_KEYWORDS,
972 PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_unlink),
973 METH_VARARGS|METH_KEYWORDS,
976 PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_mkdir),
977 METH_VARARGS|METH_KEYWORDS,
980 PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_create_file),
981 METH_VARARGS|METH_KEYWORDS,
988 static struct PyModuleDef moduledef = {
989 PyModuleDef_HEAD_INIT,
991 .m_doc = "Python bindings for the smbd file server.",
993 .m_methods = py_smbd_methods,
996 MODULE_INIT_FUNC(smbd)
1000 m = PyModule_Create(&moduledef);