2 Unix SMB/CIFS implementation.
3 Set NT and POSIX ACLs and other VFS operations from Python
5 Copyrigyt (C) Andrew Bartlett 2012
6 Copyright (C) Jeremy Allison 1994-2009.
7 Copyright (C) Andreas Gruenbacher 2002.
8 Copyright (C) Simo Sorce <idra@samba.org> 2009.
9 Copyright (C) Simo Sorce 2002
10 Copyright (C) Eric Lorimer 2002
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include "smbd/smbd.h"
29 #include "libcli/util/pyerrors.h"
30 #include "librpc/rpc/pyrpc_util.h"
32 #include "system/filesys.h"
34 extern const struct generic_mapping file_generic_mapping;
37 #define DBGC_CLASS DBGC_ACLS
39 static int conn_free_wrapper(connection_struct *conn)
45 static connection_struct *get_conn(TALLOC_CTX *mem_ctx, const char *service)
47 connection_struct *conn;
48 TALLOC_CTX *frame = talloc_stackframe();
49 if (!posix_locking_init(false)) {
57 int snum = lp_servicenumber(service);
60 PyErr_SetString(PyExc_RuntimeError, "unknown service");
63 status = create_conn_struct(mem_ctx, NULL, NULL, &conn, snum, "/",
65 PyErr_NTSTATUS_IS_ERR_RAISE(status);
67 conn = talloc_zero(mem_ctx, connection_struct);
69 DEBUG(0, ("talloc failed\n"));
75 if (!(conn->params = talloc(conn, struct share_params))) {
77 DEBUG(0,("get_conn: talloc() failed!\n"));
81 conn->params->service = -1;
83 set_conn_connectpath(conn, "/");
88 conn->read_only = false;
89 talloc_set_destructor(conn, conn_free_wrapper);
93 static NTSTATUS set_sys_acl_conn(const char *fname,
94 SMB_ACL_TYPE_T acltype,
95 SMB_ACL_T theacl, connection_struct *conn)
97 NTSTATUS status = NT_STATUS_OK;
101 TALLOC_CTX *frame = talloc_stackframe();
103 /* we want total control over the permissions on created files,
104 so set our umask to 0 */
105 saved_umask = umask(0);
107 ret = SMB_VFS_SYS_ACL_SET_FILE( conn, fname, acltype, theacl);
109 status = map_nt_error_from_unix_common(ret);
110 DEBUG(0,("set_sys_acl_conn: SMB_VFS_SYS_ACL_SET_FILE "
111 "returned zero.\n"));
120 static NTSTATUS set_nt_acl_conn(const char *fname,
121 uint32 security_info_sent, const struct security_descriptor *sd,
122 connection_struct *conn)
124 TALLOC_CTX *frame = talloc_stackframe();
125 NTSTATUS status = NT_STATUS_OK;
127 struct smb_filename *smb_fname = NULL;
131 fsp = talloc_zero(frame, struct files_struct);
134 return NT_STATUS_NO_MEMORY;
136 fsp->fh = talloc(fsp, struct fd_handle);
137 if (fsp->fh == NULL) {
139 return NT_STATUS_NO_MEMORY;
143 /* we want total control over the permissions on created files,
144 so set our umask to 0 */
145 saved_umask = umask(0);
147 status = create_synthetic_smb_fname_split(fsp, fname, NULL,
149 if (!NT_STATUS_IS_OK(status)) {
155 fsp->fsp_name = smb_fname;
158 flags = O_RDONLY|O_DIRECTORY;
160 /* POSIX allows us to open a directory with O_RDONLY. */
164 fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, O_RDWR, 00400);
165 if (fsp->fh->fd == -1 && errno == EISDIR) {
166 fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, 00400);
168 if (fsp->fh->fd == -1) {
169 printf("open: error=%d (%s)\n", errno, strerror(errno));
172 return NT_STATUS_UNSUCCESSFUL;
175 ret = SMB_VFS_FSTAT(fsp, &smb_fname->st);
177 /* If we have an fd, this stat should succeed. */
178 DEBUG(0,("Error doing fstat on open file %s "
180 smb_fname_str_dbg(smb_fname),
184 return map_nt_error_from_unix(errno);
187 fsp->file_id = vfs_file_id_from_sbuf(conn, &smb_fname->st);
188 fsp->vuid = UID_FIELD_INVALID;
190 fsp->can_lock = True;
191 fsp->can_read = True;
192 fsp->can_write = True;
193 fsp->print_file = NULL;
194 fsp->modified = False;
195 fsp->sent_oplock_break = NO_BREAK_SENT;
196 fsp->is_directory = S_ISDIR(smb_fname->st.st_ex_mode);
198 status = SMB_VFS_FSET_NT_ACL( fsp, security_info_sent, sd);
199 if (!NT_STATUS_IS_OK(status)) {
200 DEBUG(0,("set_nt_acl_no_snum: fset_nt_acl returned %s.\n", nt_errstr(status)));
212 static NTSTATUS get_nt_acl_conn(TALLOC_CTX *mem_ctx,
214 connection_struct *conn,
215 uint32 security_info_wanted,
216 struct security_descriptor **sd)
218 TALLOC_CTX *frame = talloc_stackframe();
219 NTSTATUS status = SMB_VFS_GET_NT_ACL( conn, fname, security_info_wanted,
221 if (!NT_STATUS_IS_OK(status)) {
222 DEBUG(0,("get_nt_acl_conn: get_nt_acl returned %s.\n", nt_errstr(status)));
231 static SMB_ACL_T make_simple_acl(gid_t gid, mode_t chmod_mode)
233 TALLOC_CTX *frame = talloc_stackframe();
235 mode_t mode = SMB_ACL_READ|SMB_ACL_WRITE|SMB_ACL_EXECUTE;
237 mode_t mode_user = (chmod_mode & 0700) >> 6;
238 mode_t mode_group = (chmod_mode & 070) >> 3;
239 mode_t mode_other = chmod_mode & 07;
240 SMB_ACL_ENTRY_T entry;
241 SMB_ACL_T acl = sys_acl_init(frame);
247 if (sys_acl_create_entry(&acl, &entry) != 0) {
252 if (sys_acl_set_tag_type(entry, SMB_ACL_USER_OBJ) != 0) {
257 if (sys_acl_set_permset(entry, &mode_user) != 0) {
262 if (sys_acl_create_entry(&acl, &entry) != 0) {
267 if (sys_acl_set_tag_type(entry, SMB_ACL_GROUP_OBJ) != 0) {
272 if (sys_acl_set_permset(entry, &mode_group) != 0) {
277 if (sys_acl_create_entry(&acl, &entry) != 0) {
282 if (sys_acl_set_tag_type(entry, SMB_ACL_OTHER) != 0) {
287 if (sys_acl_set_permset(entry, &mode_other) != 0) {
293 if (sys_acl_create_entry(&acl, &entry) != 0) {
298 if (sys_acl_set_tag_type(entry, SMB_ACL_GROUP) != 0) {
303 if (sys_acl_set_qualifier(entry, &gid) != 0) {
308 if (sys_acl_set_permset(entry, &mode_group) != 0) {
314 if (sys_acl_create_entry(&acl, &entry) != 0) {
319 if (sys_acl_set_tag_type(entry, SMB_ACL_MASK) != 0) {
324 if (sys_acl_set_permset(entry, &mode) != 0) {
332 set a simple ACL on a file, as a test
334 static PyObject *py_smbd_set_simple_acl(PyObject *self, PyObject *args, PyObject *kwargs)
336 const char * const kwnames[] = { "fname", "mode", "gid", "service", NULL };
338 char *fname, *service = NULL;
342 connection_struct *conn;
344 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "si|iz",
345 discard_const_p(char *, kwnames),
346 &fname, &mode, &gid, &service))
349 acl = make_simple_acl(gid, mode);
351 frame = talloc_stackframe();
353 conn = get_conn(frame, service);
358 status = set_sys_acl_conn(fname, SMB_ACL_TYPE_ACCESS, acl, conn);
363 PyErr_NTSTATUS_IS_ERR_RAISE(status);
371 static PyObject *py_smbd_chown(PyObject *self, PyObject *args, PyObject *kwargs)
373 const char * const kwnames[] = { "fname", "uid", "gid", "service", NULL };
374 connection_struct *conn;
375 NTSTATUS status = NT_STATUS_OK;
378 char *fname, *service = NULL;
383 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "sii|z",
384 discard_const_p(char *, kwnames),
385 &fname, &uid, &gid, &service))
388 frame = talloc_stackframe();
390 conn = get_conn(frame, service);
395 /* we want total control over the permissions on created files,
396 so set our umask to 0 */
397 saved_umask = umask(0);
399 ret = SMB_VFS_CHOWN( conn, fname, uid, gid);
401 status = map_nt_error_from_unix_common(errno);
402 DEBUG(0,("chown returned failure: %s\n", strerror(errno)));
409 PyErr_NTSTATUS_IS_ERR_RAISE(status);
417 static PyObject *py_smbd_unlink(PyObject *self, PyObject *args, PyObject *kwargs)
419 const char * const kwnames[] = { "fname", "service", NULL };
420 connection_struct *conn;
421 NTSTATUS status = NT_STATUS_OK;
423 struct smb_filename *smb_fname = NULL;
424 char *fname, *service = NULL;
427 frame = talloc_stackframe();
429 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "s|z",
430 discard_const_p(char *, kwnames),
436 conn = get_conn(frame, service);
442 status = create_synthetic_smb_fname_split(frame, fname, NULL,
444 if (!NT_STATUS_IS_OK(status)) {
446 PyErr_NTSTATUS_IS_ERR_RAISE(status);
449 ret = SMB_VFS_UNLINK(conn, smb_fname);
451 status = map_nt_error_from_unix_common(errno);
452 DEBUG(0,("unlink returned failure: %s\n", strerror(errno)));
457 PyErr_NTSTATUS_IS_ERR_RAISE(status);
463 check if we have ACL support
465 static PyObject *py_smbd_have_posix_acls(PyObject *self)
467 #ifdef HAVE_POSIX_ACLS
468 return PyBool_FromLong(true);
470 return PyBool_FromLong(false);
475 set the NT ACL on a file
477 static PyObject *py_smbd_set_nt_acl(PyObject *self, PyObject *args, PyObject *kwargs)
479 const char * const kwnames[] = { "fname", "security_info_sent", "sd", "service", NULL };
481 char *fname, *service = NULL;
482 int security_info_sent;
484 struct security_descriptor *sd;
485 connection_struct *conn;
488 frame = talloc_stackframe();
490 if (!PyArg_ParseTupleAndKeywords(args, kwargs,
491 "siO|z", discard_const_p(char *, kwnames),
492 &fname, &security_info_sent, &py_sd, &service)) {
497 if (!py_check_dcerpc_type(py_sd, "samba.dcerpc.security", "descriptor")) {
502 conn = get_conn(frame, service);
508 sd = pytalloc_get_type(py_sd, struct security_descriptor);
510 status = set_nt_acl_conn(fname, security_info_sent, sd, conn);
512 PyErr_NTSTATUS_IS_ERR_RAISE(status);
518 Return the NT ACL on a file
520 static PyObject *py_smbd_get_nt_acl(PyObject *self, PyObject *args, PyObject *kwargs)
522 const char * const kwnames[] = { "fname", "security_info_wanted", "service", NULL };
523 char *fname, *service = NULL;
524 int security_info_wanted;
526 struct security_descriptor *sd;
527 TALLOC_CTX *tmp_ctx = talloc_new(NULL);
528 connection_struct *conn;
531 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "si|z", discard_const_p(char *, kwnames),
532 &fname, &security_info_wanted, &service)) {
533 TALLOC_FREE(tmp_ctx);
537 conn = get_conn(tmp_ctx, service);
539 TALLOC_FREE(tmp_ctx);
543 status = get_nt_acl_conn(tmp_ctx, fname, conn, security_info_wanted, &sd);
544 PyErr_NTSTATUS_IS_ERR_RAISE(status);
546 py_sd = py_return_ndr_struct("samba.dcerpc.security", "descriptor", sd, sd);
548 TALLOC_FREE(tmp_ctx);
554 set the posix (or similar) ACL on a file
556 static PyObject *py_smbd_set_sys_acl(PyObject *self, PyObject *args, PyObject *kwargs)
558 const char * const kwnames[] = { "fname", "acl_type", "acl", "service", NULL };
559 TALLOC_CTX *frame = talloc_stackframe();
561 char *fname, *service = NULL;
563 struct smb_acl_t *acl;
565 connection_struct *conn;
567 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "siO|z",
568 discard_const_p(char *, kwnames),
569 &fname, &acl_type, &py_acl, &service)) {
574 if (!py_check_dcerpc_type(py_acl, "samba.dcerpc.smb_acl", "t")) {
579 conn = get_conn(frame, service);
585 acl = pytalloc_get_type(py_acl, struct smb_acl_t);
587 status = set_sys_acl_conn(fname, acl_type, acl, conn);
588 PyErr_NTSTATUS_IS_ERR_RAISE(status);
595 Return the posix (or similar) ACL on a file
597 static PyObject *py_smbd_get_sys_acl(PyObject *self, PyObject *args, PyObject *kwargs)
599 const char * const kwnames[] = { "fname", "acl_type", "service", NULL };
602 struct smb_acl_t *acl;
604 TALLOC_CTX *frame = talloc_stackframe();
605 TALLOC_CTX *tmp_ctx = talloc_new(NULL);
606 connection_struct *conn;
607 NTSTATUS status = NT_STATUS_OK;
608 char *service = NULL;
614 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "si|z",
615 discard_const_p(char *, kwnames),
616 &fname, &acl_type, &service)) {
618 TALLOC_FREE(tmp_ctx);
622 conn = get_conn(frame, service);
625 TALLOC_FREE(tmp_ctx);
629 acl = SMB_VFS_SYS_ACL_GET_FILE( conn, fname, acl_type, tmp_ctx);
632 TALLOC_FREE(tmp_ctx);
633 status = map_nt_error_from_unix_common(errno);
634 DEBUG(0,("sys_acl_get_file returned NULL: %s\n", strerror(errno)));
635 PyErr_NTSTATUS_IS_ERR_RAISE(status);
638 py_acl = py_return_ndr_struct("samba.dcerpc.smb_acl", "t", acl, acl);
641 TALLOC_FREE(tmp_ctx);
646 static PyMethodDef py_smbd_methods[] = {
648 (PyCFunction)py_smbd_have_posix_acls, METH_NOARGS,
651 (PyCFunction)py_smbd_set_simple_acl, METH_VARARGS|METH_KEYWORDS,
654 (PyCFunction)py_smbd_set_nt_acl, METH_VARARGS|METH_KEYWORDS,
657 (PyCFunction)py_smbd_get_nt_acl, METH_VARARGS|METH_KEYWORDS,
660 (PyCFunction)py_smbd_get_sys_acl, METH_VARARGS|METH_KEYWORDS,
663 (PyCFunction)py_smbd_set_sys_acl, METH_VARARGS|METH_KEYWORDS,
666 (PyCFunction)py_smbd_chown, METH_VARARGS|METH_KEYWORDS,
669 (PyCFunction)py_smbd_unlink, METH_VARARGS|METH_KEYWORDS,
679 m = Py_InitModule3("smbd", py_smbd_methods,
680 "Python bindings for the smbd file server.");