2 Unix SMB/CIFS implementation.
3 Set NT and POSIX ACLs and other VFS operations from Python
5 Copyrigyt (C) Andrew Bartlett 2012
6 Copyright (C) Jeremy Allison 1994-2009.
7 Copyright (C) Andreas Gruenbacher 2002.
8 Copyright (C) Simo Sorce <idra@samba.org> 2009.
9 Copyright (C) Simo Sorce 2002
10 Copyright (C) Eric Lorimer 2002
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
28 #include "smbd/smbd.h"
29 #include "libcli/util/pyerrors.h"
30 #include "librpc/rpc/pyrpc_util.h"
32 #include "system/filesys.h"
34 extern const struct generic_mapping file_generic_mapping;
37 #define DBGC_CLASS DBGC_ACLS
39 static int conn_free_wrapper(connection_struct *conn)
45 static connection_struct *get_conn(TALLOC_CTX *mem_ctx, const char *service)
47 connection_struct *conn;
48 TALLOC_CTX *frame = talloc_stackframe();
52 if (!posix_locking_init(false)) {
59 snum = lp_servicenumber(service);
62 PyErr_SetString(PyExc_RuntimeError, "unknown service");
67 status = create_conn_struct(mem_ctx, NULL, NULL, &conn, snum, "/",
69 PyErr_NTSTATUS_IS_ERR_RAISE(status);
72 /* Ignore read-only and share restrictions */
73 conn->read_only = false;
74 conn->share_access = SEC_RIGHTS_FILE_ALL;
75 talloc_set_destructor(conn, conn_free_wrapper);
79 static int set_sys_acl_conn(const char *fname,
80 SMB_ACL_TYPE_T acltype,
81 SMB_ACL_T theacl, connection_struct *conn)
84 struct smb_filename *smb_fname = NULL;
87 TALLOC_CTX *frame = talloc_stackframe();
89 /* we want total control over the permissions on created files,
90 so set our umask to 0 */
91 saved_umask = umask(0);
93 smb_fname = synthetic_smb_fname_split(frame,
95 lp_posix_pathnames());
96 if (smb_fname == NULL) {
102 ret = SMB_VFS_SYS_ACL_SET_FILE( conn, smb_fname, acltype, theacl);
110 static NTSTATUS set_nt_acl_conn(const char *fname,
111 uint32_t security_info_sent, const struct security_descriptor *sd,
112 connection_struct *conn)
114 TALLOC_CTX *frame = talloc_stackframe();
115 NTSTATUS status = NT_STATUS_OK;
117 struct smb_filename *smb_fname = NULL;
121 fsp = talloc_zero(frame, struct files_struct);
124 return NT_STATUS_NO_MEMORY;
126 fsp->fh = talloc(fsp, struct fd_handle);
127 if (fsp->fh == NULL) {
129 return NT_STATUS_NO_MEMORY;
133 /* we want total control over the permissions on created files,
134 so set our umask to 0 */
135 saved_umask = umask(0);
137 smb_fname = synthetic_smb_fname_split(fsp,
139 lp_posix_pathnames());
140 if (smb_fname == NULL) {
143 return NT_STATUS_NO_MEMORY;
146 fsp->fsp_name = smb_fname;
149 flags = O_RDONLY|O_DIRECTORY;
151 /* POSIX allows us to open a directory with O_RDONLY. */
155 fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, O_RDWR, 00400);
156 if (fsp->fh->fd == -1 && errno == EISDIR) {
157 fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, 00400);
159 if (fsp->fh->fd == -1) {
160 printf("open: error=%d (%s)\n", errno, strerror(errno));
163 return NT_STATUS_UNSUCCESSFUL;
166 ret = SMB_VFS_FSTAT(fsp, &smb_fname->st);
168 /* If we have an fd, this stat should succeed. */
169 DEBUG(0,("Error doing fstat on open file %s "
171 smb_fname_str_dbg(smb_fname),
175 return map_nt_error_from_unix(errno);
178 fsp->file_id = vfs_file_id_from_sbuf(conn, &smb_fname->st);
179 fsp->vuid = UID_FIELD_INVALID;
181 fsp->can_lock = True;
182 fsp->can_read = True;
183 fsp->can_write = True;
184 fsp->print_file = NULL;
185 fsp->modified = False;
186 fsp->sent_oplock_break = NO_BREAK_SENT;
187 fsp->is_directory = S_ISDIR(smb_fname->st.st_ex_mode);
189 status = SMB_VFS_FSET_NT_ACL( fsp, security_info_sent, sd);
190 if (!NT_STATUS_IS_OK(status)) {
191 DEBUG(0,("set_nt_acl_no_snum: fset_nt_acl returned %s.\n", nt_errstr(status)));
203 static NTSTATUS get_nt_acl_conn(TALLOC_CTX *mem_ctx,
205 connection_struct *conn,
206 uint32_t security_info_wanted,
207 struct security_descriptor **sd)
209 TALLOC_CTX *frame = talloc_stackframe();
211 struct smb_filename *smb_fname = synthetic_smb_fname(talloc_tos(),
215 lp_posix_pathnames() ?
216 SMB_FILENAME_POSIX_PATH : 0);
218 if (smb_fname == NULL) {
220 return NT_STATUS_NO_MEMORY;
223 status = SMB_VFS_GET_NT_ACL(conn,
225 security_info_wanted,
228 if (!NT_STATUS_IS_OK(status)) {
229 DEBUG(0,("get_nt_acl_conn: get_nt_acl returned %s.\n", nt_errstr(status)));
238 static SMB_ACL_T make_simple_acl(gid_t gid, mode_t chmod_mode)
240 TALLOC_CTX *frame = talloc_stackframe();
242 mode_t mode = SMB_ACL_READ|SMB_ACL_WRITE|SMB_ACL_EXECUTE;
244 mode_t mode_user = (chmod_mode & 0700) >> 6;
245 mode_t mode_group = (chmod_mode & 070) >> 3;
246 mode_t mode_other = chmod_mode & 07;
247 SMB_ACL_ENTRY_T entry;
248 SMB_ACL_T acl = sys_acl_init(frame);
254 if (sys_acl_create_entry(&acl, &entry) != 0) {
259 if (sys_acl_set_tag_type(entry, SMB_ACL_USER_OBJ) != 0) {
264 if (sys_acl_set_permset(entry, &mode_user) != 0) {
269 if (sys_acl_create_entry(&acl, &entry) != 0) {
274 if (sys_acl_set_tag_type(entry, SMB_ACL_GROUP_OBJ) != 0) {
279 if (sys_acl_set_permset(entry, &mode_group) != 0) {
284 if (sys_acl_create_entry(&acl, &entry) != 0) {
289 if (sys_acl_set_tag_type(entry, SMB_ACL_OTHER) != 0) {
294 if (sys_acl_set_permset(entry, &mode_other) != 0) {
300 if (sys_acl_create_entry(&acl, &entry) != 0) {
305 if (sys_acl_set_tag_type(entry, SMB_ACL_GROUP) != 0) {
310 if (sys_acl_set_qualifier(entry, &gid) != 0) {
315 if (sys_acl_set_permset(entry, &mode_group) != 0) {
321 if (sys_acl_create_entry(&acl, &entry) != 0) {
326 if (sys_acl_set_tag_type(entry, SMB_ACL_MASK) != 0) {
331 if (sys_acl_set_permset(entry, &mode) != 0) {
339 set a simple ACL on a file, as a test
341 static PyObject *py_smbd_set_simple_acl(PyObject *self, PyObject *args, PyObject *kwargs)
343 const char * const kwnames[] = { "fname", "mode", "gid", "service", NULL };
344 char *fname, *service = NULL;
349 connection_struct *conn;
351 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "si|iz",
352 discard_const_p(char *, kwnames),
353 &fname, &mode, &gid, &service))
356 acl = make_simple_acl(gid, mode);
358 frame = talloc_stackframe();
360 conn = get_conn(frame, service);
365 ret = set_sys_acl_conn(fname, SMB_ACL_TYPE_ACCESS, acl, conn);
371 return PyErr_SetFromErrno(PyExc_OSError);
382 static PyObject *py_smbd_chown(PyObject *self, PyObject *args, PyObject *kwargs)
384 const char * const kwnames[] = { "fname", "uid", "gid", "service", NULL };
385 connection_struct *conn;
388 char *fname, *service = NULL;
392 struct smb_filename *smb_fname = NULL;
394 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "sii|z",
395 discard_const_p(char *, kwnames),
396 &fname, &uid, &gid, &service))
399 frame = talloc_stackframe();
401 conn = get_conn(frame, service);
406 /* we want total control over the permissions on created files,
407 so set our umask to 0 */
408 saved_umask = umask(0);
410 smb_fname = synthetic_smb_fname(talloc_tos(),
414 lp_posix_pathnames() ?
415 SMB_FILENAME_POSIX_PATH : 0);
416 if (smb_fname == NULL) {
420 return PyErr_SetFromErrno(PyExc_OSError);
423 ret = SMB_VFS_CHOWN(conn, smb_fname, uid, gid);
428 return PyErr_SetFromErrno(PyExc_OSError);
441 static PyObject *py_smbd_unlink(PyObject *self, PyObject *args, PyObject *kwargs)
443 const char * const kwnames[] = { "fname", "service", NULL };
444 connection_struct *conn;
446 struct smb_filename *smb_fname = NULL;
447 char *fname, *service = NULL;
450 frame = talloc_stackframe();
452 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "s|z",
453 discard_const_p(char *, kwnames),
459 conn = get_conn(frame, service);
465 smb_fname = synthetic_smb_fname_split(frame,
467 lp_posix_pathnames());
468 if (smb_fname == NULL) {
470 return PyErr_NoMemory();
473 ret = SMB_VFS_UNLINK(conn, smb_fname);
477 return PyErr_SetFromErrno(PyExc_OSError);
486 check if we have ACL support
488 static PyObject *py_smbd_have_posix_acls(PyObject *self)
490 #ifdef HAVE_POSIX_ACLS
491 return PyBool_FromLong(true);
493 return PyBool_FromLong(false);
498 set the NT ACL on a file
500 static PyObject *py_smbd_set_nt_acl(PyObject *self, PyObject *args, PyObject *kwargs)
502 const char * const kwnames[] = { "fname", "security_info_sent", "sd", "service", NULL };
504 char *fname, *service = NULL;
505 int security_info_sent;
507 struct security_descriptor *sd;
508 connection_struct *conn;
511 frame = talloc_stackframe();
513 if (!PyArg_ParseTupleAndKeywords(args, kwargs,
514 "siO|z", discard_const_p(char *, kwnames),
515 &fname, &security_info_sent, &py_sd, &service)) {
520 if (!py_check_dcerpc_type(py_sd, "samba.dcerpc.security", "descriptor")) {
525 conn = get_conn(frame, service);
531 sd = pytalloc_get_type(py_sd, struct security_descriptor);
533 status = set_nt_acl_conn(fname, security_info_sent, sd, conn);
535 PyErr_NTSTATUS_IS_ERR_RAISE(status);
541 Return the NT ACL on a file
543 static PyObject *py_smbd_get_nt_acl(PyObject *self, PyObject *args, PyObject *kwargs)
545 const char * const kwnames[] = { "fname", "security_info_wanted", "service", NULL };
546 char *fname, *service = NULL;
547 int security_info_wanted;
549 struct security_descriptor *sd;
550 TALLOC_CTX *tmp_ctx = talloc_new(NULL);
551 connection_struct *conn;
554 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "si|z", discard_const_p(char *, kwnames),
555 &fname, &security_info_wanted, &service)) {
556 TALLOC_FREE(tmp_ctx);
560 conn = get_conn(tmp_ctx, service);
562 TALLOC_FREE(tmp_ctx);
566 status = get_nt_acl_conn(tmp_ctx, fname, conn, security_info_wanted, &sd);
567 PyErr_NTSTATUS_IS_ERR_RAISE(status);
569 py_sd = py_return_ndr_struct("samba.dcerpc.security", "descriptor", sd, sd);
571 TALLOC_FREE(tmp_ctx);
577 set the posix (or similar) ACL on a file
579 static PyObject *py_smbd_set_sys_acl(PyObject *self, PyObject *args, PyObject *kwargs)
581 const char * const kwnames[] = { "fname", "acl_type", "acl", "service", NULL };
582 TALLOC_CTX *frame = talloc_stackframe();
584 char *fname, *service = NULL;
586 struct smb_acl_t *acl;
588 connection_struct *conn;
590 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "siO|z",
591 discard_const_p(char *, kwnames),
592 &fname, &acl_type, &py_acl, &service)) {
597 if (!py_check_dcerpc_type(py_acl, "samba.dcerpc.smb_acl", "t")) {
602 conn = get_conn(frame, service);
608 acl = pytalloc_get_type(py_acl, struct smb_acl_t);
610 ret = set_sys_acl_conn(fname, acl_type, acl, conn);
614 return PyErr_SetFromErrno(PyExc_OSError);
622 Return the posix (or similar) ACL on a file
624 static PyObject *py_smbd_get_sys_acl(PyObject *self, PyObject *args, PyObject *kwargs)
626 const char * const kwnames[] = { "fname", "acl_type", "service", NULL };
629 struct smb_acl_t *acl;
631 TALLOC_CTX *frame = talloc_stackframe();
632 TALLOC_CTX *tmp_ctx = talloc_new(NULL);
633 connection_struct *conn;
634 char *service = NULL;
635 struct smb_filename *smb_fname = NULL;
642 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "si|z",
643 discard_const_p(char *, kwnames),
644 &fname, &acl_type, &service)) {
646 TALLOC_FREE(tmp_ctx);
650 conn = get_conn(frame, service);
653 TALLOC_FREE(tmp_ctx);
657 smb_fname = synthetic_smb_fname_split(frame,
659 lp_posix_pathnames());
660 if (smb_fname == NULL) {
662 TALLOC_FREE(tmp_ctx);
665 acl = SMB_VFS_SYS_ACL_GET_FILE( conn, smb_fname, acl_type, tmp_ctx);
668 TALLOC_FREE(tmp_ctx);
669 return PyErr_SetFromErrno(PyExc_OSError);
672 py_acl = py_return_ndr_struct("samba.dcerpc.smb_acl", "t", acl, acl);
675 TALLOC_FREE(tmp_ctx);
680 static PyMethodDef py_smbd_methods[] = {
682 (PyCFunction)py_smbd_have_posix_acls, METH_NOARGS,
685 (PyCFunction)py_smbd_set_simple_acl, METH_VARARGS|METH_KEYWORDS,
688 (PyCFunction)py_smbd_set_nt_acl, METH_VARARGS|METH_KEYWORDS,
691 (PyCFunction)py_smbd_get_nt_acl, METH_VARARGS|METH_KEYWORDS,
694 (PyCFunction)py_smbd_get_sys_acl, METH_VARARGS|METH_KEYWORDS,
697 (PyCFunction)py_smbd_set_sys_acl, METH_VARARGS|METH_KEYWORDS,
700 (PyCFunction)py_smbd_chown, METH_VARARGS|METH_KEYWORDS,
703 (PyCFunction)py_smbd_unlink, METH_VARARGS|METH_KEYWORDS,
713 m = Py_InitModule3("smbd", py_smbd_methods,
714 "Python bindings for the smbd file server.");