2 Unix SMB/CIFS implementation.
3 Set NT and POSIX ACLs and other VFS operations from Python
5 Copyrigyt (C) Andrew Bartlett 2012
6 Copyright (C) Jeremy Allison 1994-2009.
7 Copyright (C) Andreas Gruenbacher 2002.
8 Copyright (C) Simo Sorce <idra@samba.org> 2009.
9 Copyright (C) Simo Sorce 2002
10 Copyright (C) Eric Lorimer 2002
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
28 #include "python/py3compat.h"
29 #include "python/modules.h"
30 #include "smbd/smbd.h"
31 #include "libcli/util/pyerrors.h"
32 #include "librpc/rpc/pyrpc_util.h"
34 #include "system/filesys.h"
39 extern const struct generic_mapping file_generic_mapping;
42 #define DBGC_CLASS DBGC_ACLS
45 #define DIRECTORY_FLAGS O_RDONLY|O_DIRECTORY
47 /* POSIX allows us to open a directory with O_RDONLY. */
48 #define DIRECTORY_FLAGS O_RDONLY
52 static connection_struct *get_conn_tos(
54 const struct auth_session_info *session_info)
56 struct conn_struct_tos *c = NULL;
60 struct smb_filename cwd_fname = {0};
63 if (!posix_locking_init(false)) {
69 snum = lp_servicenumber(service);
71 PyErr_SetString(PyExc_RuntimeError, "unknown service");
76 status = create_conn_struct_tos(NULL,
81 PyErr_NTSTATUS_IS_ERR_RAISE(status);
83 /* Ignore read-only and share restrictions */
84 c->conn->read_only = false;
85 c->conn->share_access = SEC_RIGHTS_FILE_ALL;
87 /* Provided by libreplace if not present. Always mallocs. */
88 cwd = get_current_dir_name();
94 cwd_fname.base_name = cwd;
96 * We need to call vfs_ChDir() to initialize
97 * conn->cwd_fsp correctly. Change directory
98 * to current directory (so no change for process).
100 ret = vfs_ChDir(c->conn, &cwd_fname);
102 status = map_nt_error_from_unix(errno);
104 PyErr_NTSTATUS_IS_ERR_RAISE(status);
112 static int set_sys_acl_conn(const char *fname,
113 SMB_ACL_TYPE_T acltype,
114 SMB_ACL_T theacl, connection_struct *conn)
117 struct smb_filename *smb_fname = NULL;
119 TALLOC_CTX *frame = talloc_stackframe();
121 smb_fname = synthetic_smb_fname_split(frame,
123 lp_posix_pathnames());
124 if (smb_fname == NULL) {
129 ret = SMB_VFS_SYS_ACL_SET_FILE( conn, smb_fname, acltype, theacl);
136 static NTSTATUS init_files_struct(TALLOC_CTX *mem_ctx,
138 struct connection_struct *conn,
140 struct files_struct **_fsp)
142 struct smb_filename *smb_fname = NULL;
145 struct files_struct *fsp;
147 fsp = talloc_zero(mem_ctx, struct files_struct);
149 return NT_STATUS_NO_MEMORY;
151 fsp->fh = talloc(fsp, struct fd_handle);
152 if (fsp->fh == NULL) {
153 return NT_STATUS_NO_MEMORY;
157 smb_fname = synthetic_smb_fname_split(fsp,
159 lp_posix_pathnames());
160 if (smb_fname == NULL) {
161 return NT_STATUS_NO_MEMORY;
164 fsp->fsp_name = smb_fname;
167 * we want total control over the permissions on created files,
168 * so set our umask to 0 (this matters if flags contains O_CREAT)
170 saved_umask = umask(0);
172 fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, 00644);
176 if (fsp->fh->fd == -1) {
179 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
181 return NT_STATUS_INVALID_PARAMETER;
184 ret = SMB_VFS_FSTAT(fsp, &smb_fname->st);
186 /* If we have an fd, this stat should succeed. */
187 DEBUG(0,("Error doing fstat on open file %s (%s)\n",
188 smb_fname_str_dbg(smb_fname),
190 return map_nt_error_from_unix(errno);
193 fsp->file_id = vfs_file_id_from_sbuf(conn, &smb_fname->st);
194 fsp->vuid = UID_FIELD_INVALID;
196 fsp->can_lock = True;
197 fsp->can_read = True;
198 fsp->can_write = True;
199 fsp->print_file = NULL;
200 fsp->modified = False;
201 fsp->sent_oplock_break = NO_BREAK_SENT;
202 fsp->is_directory = S_ISDIR(smb_fname->st.st_ex_mode);
209 static NTSTATUS set_nt_acl_conn(const char *fname,
210 uint32_t security_info_sent, const struct security_descriptor *sd,
211 connection_struct *conn)
213 TALLOC_CTX *frame = talloc_stackframe();
214 struct files_struct *fsp = NULL;
215 NTSTATUS status = NT_STATUS_OK;
217 /* first, try to open it as a file with flag O_RDWR */
218 status = init_files_struct(frame,
223 if (!NT_STATUS_IS_OK(status) && errno == EISDIR) {
224 /* if fail, try to open as dir */
225 status = init_files_struct(frame,
232 if (!NT_STATUS_IS_OK(status)) {
233 DBG_ERR("init_files_struct failed: %s\n",
242 status = SMB_VFS_FSET_NT_ACL(fsp, security_info_sent, sd);
243 if (!NT_STATUS_IS_OK(status)) {
244 DEBUG(0,("set_nt_acl_no_snum: fset_nt_acl returned %s.\n", nt_errstr(status)));
253 static NTSTATUS get_nt_acl_conn(TALLOC_CTX *mem_ctx,
255 connection_struct *conn,
256 uint32_t security_info_wanted,
257 struct security_descriptor **sd)
259 TALLOC_CTX *frame = talloc_stackframe();
261 struct smb_filename *smb_fname = synthetic_smb_fname(talloc_tos(),
265 lp_posix_pathnames() ?
266 SMB_FILENAME_POSIX_PATH : 0);
268 if (smb_fname == NULL) {
270 return NT_STATUS_NO_MEMORY;
273 status = SMB_VFS_GET_NT_ACL(conn,
275 security_info_wanted,
278 if (!NT_STATUS_IS_OK(status)) {
279 DEBUG(0,("get_nt_acl_conn: get_nt_acl returned %s.\n", nt_errstr(status)));
287 static int set_acl_entry_perms(SMB_ACL_ENTRY_T entry, mode_t perm_mask)
289 SMB_ACL_PERMSET_T perms = NULL;
291 if (sys_acl_get_permset(entry, &perms) != 0) {
295 if (sys_acl_clear_perms(perms) != 0) {
299 if ((perm_mask & SMB_ACL_READ) != 0 &&
300 sys_acl_add_perm(perms, SMB_ACL_READ) != 0) {
304 if ((perm_mask & SMB_ACL_WRITE) != 0 &&
305 sys_acl_add_perm(perms, SMB_ACL_WRITE) != 0) {
309 if ((perm_mask & SMB_ACL_EXECUTE) != 0 &&
310 sys_acl_add_perm(perms, SMB_ACL_EXECUTE) != 0) {
314 if (sys_acl_set_permset(entry, perms) != 0) {
321 static SMB_ACL_T make_simple_acl(TALLOC_CTX *mem_ctx,
325 mode_t mode = SMB_ACL_READ|SMB_ACL_WRITE|SMB_ACL_EXECUTE;
327 mode_t mode_user = (chmod_mode & 0700) >> 6;
328 mode_t mode_group = (chmod_mode & 070) >> 3;
329 mode_t mode_other = chmod_mode & 07;
330 SMB_ACL_ENTRY_T entry;
331 SMB_ACL_T acl = sys_acl_init(mem_ctx);
337 if (sys_acl_create_entry(&acl, &entry) != 0) {
342 if (sys_acl_set_tag_type(entry, SMB_ACL_USER_OBJ) != 0) {
347 if (set_acl_entry_perms(entry, mode_user) != 0) {
352 if (sys_acl_create_entry(&acl, &entry) != 0) {
357 if (sys_acl_set_tag_type(entry, SMB_ACL_GROUP_OBJ) != 0) {
362 if (set_acl_entry_perms(entry, mode_group) != 0) {
367 if (sys_acl_create_entry(&acl, &entry) != 0) {
372 if (sys_acl_set_tag_type(entry, SMB_ACL_OTHER) != 0) {
377 if (set_acl_entry_perms(entry, mode_other) != 0) {
383 if (sys_acl_create_entry(&acl, &entry) != 0) {
388 if (sys_acl_set_tag_type(entry, SMB_ACL_GROUP) != 0) {
393 if (sys_acl_set_qualifier(entry, &gid) != 0) {
398 if (set_acl_entry_perms(entry, mode_group) != 0) {
404 if (sys_acl_create_entry(&acl, &entry) != 0) {
409 if (sys_acl_set_tag_type(entry, SMB_ACL_MASK) != 0) {
414 if (set_acl_entry_perms(entry, mode) != 0) {
423 set a simple ACL on a file, as a test
425 static PyObject *py_smbd_set_simple_acl(PyObject *self, PyObject *args, PyObject *kwargs)
427 const char * const kwnames[] = { "fname", "mode", "gid", "service", NULL };
428 char *fname, *service = NULL;
433 connection_struct *conn;
435 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "si|iz",
436 discard_const_p(char *, kwnames),
437 &fname, &mode, &gid, &service))
440 frame = talloc_stackframe();
442 acl = make_simple_acl(frame, gid, mode);
448 conn = get_conn_tos(service, NULL);
454 ret = set_sys_acl_conn(fname, SMB_ACL_TYPE_ACCESS, acl, conn);
459 return PyErr_SetFromErrno(PyExc_OSError);
470 static PyObject *py_smbd_chown(PyObject *self, PyObject *args, PyObject *kwargs)
472 const char * const kwnames[] = { "fname", "uid", "gid", "service", NULL };
473 connection_struct *conn;
476 char *fname, *service = NULL;
479 struct smb_filename *smb_fname = NULL;
481 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "sii|z",
482 discard_const_p(char *, kwnames),
483 &fname, &uid, &gid, &service))
486 frame = talloc_stackframe();
488 conn = get_conn_tos(service, NULL);
494 smb_fname = synthetic_smb_fname(talloc_tos(),
498 lp_posix_pathnames() ?
499 SMB_FILENAME_POSIX_PATH : 0);
500 if (smb_fname == NULL) {
503 return PyErr_SetFromErrno(PyExc_OSError);
506 ret = SMB_VFS_CHOWN(conn, smb_fname, uid, gid);
510 return PyErr_SetFromErrno(PyExc_OSError);
521 static PyObject *py_smbd_unlink(PyObject *self, PyObject *args, PyObject *kwargs)
523 const char * const kwnames[] = { "fname", "service", NULL };
524 connection_struct *conn;
526 struct smb_filename *smb_fname = NULL;
527 char *fname, *service = NULL;
530 frame = talloc_stackframe();
532 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "s|z",
533 discard_const_p(char *, kwnames),
539 conn = get_conn_tos(service, NULL);
545 smb_fname = synthetic_smb_fname_split(frame,
547 lp_posix_pathnames());
548 if (smb_fname == NULL) {
550 return PyErr_NoMemory();
553 ret = SMB_VFS_UNLINK(conn, smb_fname);
557 return PyErr_SetFromErrno(PyExc_OSError);
566 check if we have ACL support
568 static PyObject *py_smbd_have_posix_acls(PyObject *self,
569 PyObject *Py_UNUSED(ignored))
571 #ifdef HAVE_POSIX_ACLS
572 return PyBool_FromLong(true);
574 return PyBool_FromLong(false);
579 set the NT ACL on a file
581 static PyObject *py_smbd_set_nt_acl(PyObject *self, PyObject *args, PyObject *kwargs)
583 const char * const kwnames[] = {
584 "fname", "security_info_sent", "sd",
585 "service", "session_info", NULL };
588 char *fname, *service = NULL;
589 int security_info_sent;
591 struct security_descriptor *sd;
592 PyObject *py_session = Py_None;
593 struct auth_session_info *session_info = NULL;
594 connection_struct *conn;
597 frame = talloc_stackframe();
599 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "siO|zO",
600 discard_const_p(char *, kwnames),
601 &fname, &security_info_sent, &py_sd,
602 &service, &py_session)) {
607 if (!py_check_dcerpc_type(py_sd, "samba.dcerpc.security", "descriptor")) {
612 if (py_session != Py_None) {
613 if (!py_check_dcerpc_type(py_session,
619 session_info = pytalloc_get_type(py_session,
620 struct auth_session_info);
622 PyErr_Format(PyExc_TypeError,
623 "Expected auth_session_info for session_info argument got %s",
624 pytalloc_get_name(py_session));
629 conn = get_conn_tos(service, session_info);
635 sd = pytalloc_get_type(py_sd, struct security_descriptor);
637 status = set_nt_acl_conn(fname, security_info_sent, sd, conn);
639 PyErr_NTSTATUS_IS_ERR_RAISE(status);
645 Return the NT ACL on a file
647 static PyObject *py_smbd_get_nt_acl(PyObject *self, PyObject *args, PyObject *kwargs)
649 const char * const kwnames[] = { "fname",
650 "security_info_wanted",
654 char *fname, *service = NULL;
655 int security_info_wanted;
657 struct security_descriptor *sd;
658 TALLOC_CTX *frame = talloc_stackframe();
659 PyObject *py_session = Py_None;
660 struct auth_session_info *session_info = NULL;
661 connection_struct *conn;
665 ret = PyArg_ParseTupleAndKeywords(args,
668 discard_const_p(char *, kwnames),
670 &security_info_wanted,
678 if (py_session != Py_None) {
679 if (!py_check_dcerpc_type(py_session,
685 session_info = pytalloc_get_type(py_session,
686 struct auth_session_info);
690 "Expected auth_session_info for "
691 "session_info argument got %s",
692 pytalloc_get_name(py_session));
697 conn = get_conn_tos(service, session_info);
703 status = get_nt_acl_conn(frame, fname, conn, security_info_wanted, &sd);
704 PyErr_NTSTATUS_IS_ERR_RAISE(status);
706 py_sd = py_return_ndr_struct("samba.dcerpc.security", "descriptor", sd, sd);
714 set the posix (or similar) ACL on a file
716 static PyObject *py_smbd_set_sys_acl(PyObject *self, PyObject *args, PyObject *kwargs)
718 const char * const kwnames[] = { "fname", "acl_type", "acl", "service", NULL };
719 TALLOC_CTX *frame = talloc_stackframe();
721 char *fname, *service = NULL;
723 struct smb_acl_t *acl;
725 connection_struct *conn;
727 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "siO|z",
728 discard_const_p(char *, kwnames),
729 &fname, &acl_type, &py_acl, &service)) {
734 if (!py_check_dcerpc_type(py_acl, "samba.dcerpc.smb_acl", "t")) {
739 conn = get_conn_tos(service, NULL);
745 acl = pytalloc_get_type(py_acl, struct smb_acl_t);
747 ret = set_sys_acl_conn(fname, acl_type, acl, conn);
751 return PyErr_SetFromErrno(PyExc_OSError);
759 Return the posix (or similar) ACL on a file
761 static PyObject *py_smbd_get_sys_acl(PyObject *self, PyObject *args, PyObject *kwargs)
763 const char * const kwnames[] = { "fname", "acl_type", "service", NULL };
766 struct smb_acl_t *acl;
768 TALLOC_CTX *frame = talloc_stackframe();
769 connection_struct *conn;
770 char *service = NULL;
771 struct smb_filename *smb_fname = NULL;
773 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "si|z",
774 discard_const_p(char *, kwnames),
775 &fname, &acl_type, &service)) {
780 conn = get_conn_tos(service, NULL);
786 smb_fname = synthetic_smb_fname_split(frame,
788 lp_posix_pathnames());
789 if (smb_fname == NULL) {
793 acl = SMB_VFS_SYS_ACL_GET_FILE( conn, smb_fname, acl_type, frame);
796 return PyErr_SetFromErrno(PyExc_OSError);
799 py_acl = py_return_ndr_struct("samba.dcerpc.smb_acl", "t", acl, acl);
806 static PyObject *py_smbd_mkdir(PyObject *self, PyObject *args, PyObject *kwargs)
808 const char * const kwnames[] = { "fname", "service", NULL };
809 char *fname, *service = NULL;
810 TALLOC_CTX *frame = talloc_stackframe();
811 struct connection_struct *conn = NULL;
812 struct smb_filename *smb_fname = NULL;
816 if (!PyArg_ParseTupleAndKeywords(args,
819 discard_const_p(char *,
827 conn = get_conn_tos(service, NULL);
833 smb_fname = synthetic_smb_fname(talloc_tos(),
837 lp_posix_pathnames() ?
838 SMB_FILENAME_POSIX_PATH : 0);
840 if (smb_fname == NULL) {
845 /* we want total control over the permissions on created files,
846 so set our umask to 0 */
847 saved_umask = umask(0);
849 ret = SMB_VFS_MKDIRAT(conn,
857 DBG_ERR("mkdirat error=%d (%s)\n", errno, strerror(errno));
870 static PyObject *py_smbd_create_file(PyObject *self, PyObject *args, PyObject *kwargs)
872 const char * const kwnames[] = { "fname", "service", NULL };
873 char *fname, *service = NULL;
874 TALLOC_CTX *frame = talloc_stackframe();
875 struct connection_struct *conn = NULL;
876 struct files_struct *fsp = NULL;
879 if (!PyArg_ParseTupleAndKeywords(args,
882 discard_const_p(char *,
890 conn = get_conn_tos(service, NULL);
896 status = init_files_struct(frame,
899 O_CREAT|O_EXCL|O_RDWR,
901 if (!NT_STATUS_IS_OK(status)) {
902 DBG_ERR("init_files_struct failed: %s\n",
911 static PyMethodDef py_smbd_methods[] = {
913 (PyCFunction)py_smbd_have_posix_acls, METH_NOARGS,
916 PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_set_simple_acl),
917 METH_VARARGS|METH_KEYWORDS,
920 PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_set_nt_acl),
921 METH_VARARGS|METH_KEYWORDS,
924 PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_get_nt_acl),
925 METH_VARARGS|METH_KEYWORDS,
928 PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_get_sys_acl),
929 METH_VARARGS|METH_KEYWORDS,
932 PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_set_sys_acl),
933 METH_VARARGS|METH_KEYWORDS,
936 PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_chown),
937 METH_VARARGS|METH_KEYWORDS,
940 PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_unlink),
941 METH_VARARGS|METH_KEYWORDS,
944 PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_mkdir),
945 METH_VARARGS|METH_KEYWORDS,
948 PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_create_file),
949 METH_VARARGS|METH_KEYWORDS,
956 static struct PyModuleDef moduledef = {
957 PyModuleDef_HEAD_INIT,
959 .m_doc = "Python bindings for the smbd file server.",
961 .m_methods = py_smbd_methods,
964 MODULE_INIT_FUNC(smbd)
968 m = PyModule_Create(&moduledef);