1 # Unix SMB/CIFS implementation. Tests for NT and posix ACL manipulation
2 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
3 # Copyright (C) Andrew Bartlett 2012
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 """Tests for the Samba3 NT -> posix ACL layer"""
21 from samba.ntacls import setntacl, getntacl, checkset_backend
22 from samba.dcerpc import xattr, security, smb_acl, idmap
23 from samba.param import LoadParm
24 from samba.tests import TestCaseInTempDir
25 from samba import provision
28 from samba.samba3 import smbd, passdb
29 from samba.samba3 import param as s3param
31 # To print a posix ACL use:
32 # for entry in posix_acl.acl:
33 # print "a_type: %d" % entry.a_type
34 # print "a_perm: %o" % entry.a_perm
35 # if entry.a_type == smb_acl.SMB_ACL_USER:
36 # print "uid: %d" % entry.uid
37 # if entry.a_type == smb_acl.SMB_ACL_GROUP:
38 # print "gid: %d" % entry.gid
40 class PosixAclMappingTests(TestCaseInTempDir):
def test_setntacl(self):
    """Storing an NT ACL through the smbd (non-ntvfs) path must not raise.

    Only the write is exercised; the sibling tests read the ACL back.
    """
    # Owner/group are the domain RIDs 512/513 (Domain Admins / Domain
    # Users); the one ACE grants 0x001f01ff (full control) to RID 512 and
    # is flagged OICI so it inherits to objects and containers.
    sddl = ("O:S-1-5-21-2212615479-2695158682-2101375467-512"
            "G:S-1-5-21-2212615479-2695158682-2101375467-513"
            "D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)")
    domain_sid = "S-1-5-21-2212615479-2695158682-2101375467"
    setntacl(self.lp, self.tempf, sddl, domain_sid, use_ntvfs=False)
def test_setntacl_smbd_getntacl(self):
    """An ACL written in ntvfs mode reads back unchanged via direct DB access."""
    sddl = ("O:S-1-5-21-2212615479-2695158682-2101375467-512"
            "G:S-1-5-21-2212615479-2695158682-2101375467-513"
            "D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)")
    domain_sid = "S-1-5-21-2212615479-2695158682-2101375467"
    setntacl(self.lp, self.tempf, sddl, domain_sid, use_ntvfs=True)
    stored = getntacl(self.lp, self.tempf, direct_db_access=True)
    # The SID handed to as_sddl presumably only drives abbreviation of
    # domain-relative SIDs (the gpo test passes the real domain SID and
    # gets "DA"/"DU"); SID_NT_SELF matches nothing, so full SIDs come out.
    render_sid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(stored.as_sddl(render_sid), sddl)
def test_setntacl_smbd_setposixacl_getntacl(self):
    """POSIX ACL changed after an ntvfs-mode set, then read via direct DB access.

    The method ends in an unconditional ``assertTrue(False)``: the expected
    result of this combination is evidently not yet pinned down, so the
    test always fails (presumably carried in the selftest knownfail list;
    confirm before treating a failure here as a regression).
    """
    sddl = ("O:S-1-5-21-2212615479-2695158682-2101375467-512"
            "G:S-1-5-21-2212615479-2695158682-2101375467-513"
            "D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)")
    domain_sid = "S-1-5-21-2212615479-2695158682-2101375467"
    setntacl(self.lp, self.tempf, sddl, domain_sid, use_ntvfs=True)
    # The POSIX-ACL set path has a hook that is expected to invalidate the
    # stored NT ACL ...
    smbd.set_simple_acl(self.tempf, 0o640)
    # ... but direct DB access only consults the xattr store, so nothing
    # here observes that invalidation.
    getntacl(self.lp, self.tempf, direct_db_access=True)
    self.assertTrue(False)
def test_setntacl_invalidate_getntacl(self):
    """A POSIX-ACL xattr rewrite goes unnoticed when reading with direct DB access.

    The stored NT ACL carries a hash that covers the POSIX ACL, so
    overwriting the access-ACL xattr should make it stale; the direct DB
    path nevertheless hands the stored ACL back verbatim because it does
    not perform that check.
    """
    sddl = ("O:S-1-5-21-2212615479-2695158682-2101375467-512"
            "G:S-1-5-21-2212615479-2695158682-2101375467-513"
            "D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)")
    domain_sid = "S-1-5-21-2212615479-2695158682-2101375467"
    setntacl(self.lp, self.tempf, sddl, domain_sid, use_ntvfs=True)

    # Overwrite the POSIX access ACL directly at the xattr backend,
    # bypassing smbd entirely.
    backend, db_name = checkset_backend(self.lp, None, None)
    backend.wrap_setxattr(db_name, self.tempf, "system.fake_access_acl", "")

    stale = getntacl(self.lp, self.tempf, direct_db_access=True)
    render_sid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(sddl, stale.as_sddl(render_sid))
def test_setntacl_invalidate_getntacl_smbd(self):
    """POSIX-ACL xattr rewrite after an smbd-mode set, read back with the default access mode.

    The original inline note credited the unchanged result to the 'ntvfs'
    mode storing no hash, but the set below uses ``use_ntvfs=False``.
    What the expectation appears to rely on instead is getntacl's default
    ``direct_db_access`` path, which (as test_setntacl_invalidate_getntacl
    shows) returns the stored ACL without the hash check — confirm against
    getntacl's default before relying on this reading.
    """
    sddl = ("O:S-1-5-21-2212615479-2695158682-2101375467-512"
            "G:S-1-5-21-2212615479-2695158682-2101375467-513"
            "D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)")
    domain_sid = "S-1-5-21-2212615479-2695158682-2101375467"
    setntacl(self.lp, self.tempf, sddl, domain_sid, use_ntvfs=False)

    # Rewrite the POSIX access ACL at the backend; the stored hash covers
    # the POSIX ACL, so this should make the NT ACL stale.
    backend, db_name = checkset_backend(self.lp, None, None)
    backend.wrap_setxattr(db_name, self.tempf, "system.fake_access_acl", "")

    # No direct_db_access argument: getntacl's default path is used.
    stored = getntacl(self.lp, self.tempf)
    render_sid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(sddl, stored.as_sddl(render_sid))
def test_setntacl_smbd_invalidate_getntacl_smbd(self):
    """A stale stored NT ACL is replaced by one derived from the file mode.

    Once the POSIX ACL no longer matches the hash stored alongside the NT
    ACL, the smbd read path must not hand out the old descriptor; it falls
    back to a descriptor synthesised from the mode bits instead.
    """
    sddl = ("O:S-1-5-21-2212615479-2695158682-2101375467-512"
            "G:S-1-5-21-2212615479-2695158682-2101375467-513"
            "D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)")
    # Mode 0750 mapped back to SDDL: owner rwx -> 0x001f01ff (full
    # control), group r-x -> 0x001200a9 (read + execute), other --- -> an
    # ACE for Everyone (WD) carrying no rights.
    from_mode = ("O:S-1-5-21-2212615479-2695158682-2101375467-512"
                 "G:S-1-5-21-2212615479-2695158682-2101375467-513"
                 "D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
                 "(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)"
                 "(A;;;;;WD)")
    domain_sid = "S-1-5-21-2212615479-2695158682-2101375467"

    os.chmod(self.tempf, 0o750)
    setntacl(self.lp, self.tempf, sddl, domain_sid, use_ntvfs=False)

    # Rewrite the POSIX access ACL at the backend so the stored hash,
    # which covers the POSIX ACL, no longer matches.
    backend, db_name = checkset_backend(self.lp, None, None)
    backend.wrap_setxattr(db_name, self.tempf, "system.fake_access_acl", "")

    recomputed = getntacl(self.lp, self.tempf, direct_db_access=False)
    render_sid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(from_mode, recomputed.as_sddl(render_sid))
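def test_setntacl_smbd_dont_invalidate_getntacl_smbd(self):
    """A mapping-only configuration change must not invalidate the stored NT ACL.

    ``profile acls = yes`` changes how a POSIX ACL would be mapped to a
    security descriptor, but the POSIX ACL itself is untouched, so the
    stored hash still matches and the complete NT ACL must come back
    rather than one synthesised from the POSIX side.
    """
    sddl = ("O:S-1-5-21-2212615479-2695158682-2101375467-512"
            "G:S-1-5-21-2212615479-2695158682-2101375467-513"
            "D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)")
    domain_sid = "S-1-5-21-2212615479-2695158682-2101375467"

    os.chmod(self.tempf, 0o750)
    setntacl(self.lp, self.tempf, sddl, domain_sid, use_ntvfs=False)

    self.lp.set("profile acls", "yes")
    try:
        stored = getntacl(self.lp, self.tempf, direct_db_access=False)
    finally:
        # Restore the setting even if getntacl raises, so a failure here
        # cannot leak "profile acls = yes" into the tests that follow on
        # the same loadparm.
        self.lp.set("profile acls", "no")

    render_sid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(sddl, stored.as_sddl(render_sid))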
def test_setntacl_getntacl_smbd(self):
    """An ACL written in ntvfs mode reads back unchanged through the smbd path."""
    sddl = ("O:S-1-5-21-2212615479-2695158682-2101375467-512"
            "G:S-1-5-21-2212615479-2695158682-2101375467-513"
            "D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)")
    domain_sid = "S-1-5-21-2212615479-2695158682-2101375467"
    setntacl(self.lp, self.tempf, sddl, domain_sid, use_ntvfs=True)
    stored = getntacl(self.lp, self.tempf, direct_db_access=False)
    render_sid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(stored.as_sddl(render_sid), sddl)
def test_setntacl_smbd_getntacl_smbd(self):
    """An ACL written through the smbd path reads back unchanged through the smbd path."""
    sddl = ("O:S-1-5-21-2212615479-2695158682-2101375467-512"
            "G:S-1-5-21-2212615479-2695158682-2101375467-513"
            "D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)")
    domain_sid = "S-1-5-21-2212615479-2695158682-2101375467"
    setntacl(self.lp, self.tempf, sddl, domain_sid, use_ntvfs=False)
    stored = getntacl(self.lp, self.tempf, direct_db_access=False)
    render_sid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(stored.as_sddl(render_sid), sddl)
def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
    """Setting a POSIX ACL via smbd invalidates the stored NT ACL on the smbd read path.

    The POSIX-ACL set code has a hook that invalidates the hash stored
    with the NT ACL, so the following read must return a descriptor
    derived from the new POSIX ACL rather than the one set earlier.
    """
    sddl = ("O:S-1-5-21-2212615479-2695158682-2101375467-512"
            "G:S-1-5-21-2212615479-2695158682-2101375467-513"
            "D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)")
    # Mode 0640 mapped to SDDL: owner rw- -> 0x001f019f, group r-- ->
    # 0x00120089, other --- -> Everyone (WD) with no rights.
    from_posix = ("O:S-1-5-21-2212615479-2695158682-2101375467-512"
                  "G:S-1-5-21-2212615479-2695158682-2101375467-513"
                  "D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
                  "(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)"
                  "(A;;;;;WD)")
    domain_sid = "S-1-5-21-2212615479-2695158682-2101375467"

    setntacl(self.lp, self.tempf, sddl, domain_sid, use_ntvfs=False)
    smbd.set_simple_acl(self.tempf, 0o640)

    recomputed = getntacl(self.lp, self.tempf, direct_db_access=False)
    render_sid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(from_posix, recomputed.as_sddl(render_sid))
def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self):
    """A POSIX ACL with an extra group entry invalidates and replaces the stored NT ACL.

    Like test_setntacl_smbd_setposixacl_getntacl_smbd, but the POSIX ACL
    also names the gid that BUILTIN\\Administrators maps to, which must
    surface as a BA ACE with the group's read-only rights.
    """
    sddl = ("O:S-1-5-21-2212615479-2695158682-2101375467-512"
            "G:S-1-5-21-2212615479-2695158682-2101375467-513"
            "D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)")
    from_posix = ("O:S-1-5-21-2212615479-2695158682-2101375467-512"
                  "G:S-1-5-21-2212615479-2695158682-2101375467-513"
                  "D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
                  "(A;;0x00120089;;;BA)"
                  "(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)"
                  "(A;;;;;WD)")
    domain_sid = "S-1-5-21-2212615479-2695158682-2101375467"

    setntacl(self.lp, self.tempf, sddl, domain_sid, use_ntvfs=False)

    # Resolve BUILTIN\Administrators to a gid through passdb and set a
    # 0640-style POSIX ACL that additionally grants that gid; the set hook
    # invalidates the NT ACL stored above.
    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
    ba_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    ba_gid, _ba_type = s4_passdb.sid_to_id(ba_sid)
    smbd.set_simple_acl(self.tempf, 0o640, ba_gid)

    # The smbd read path must now rebuild the descriptor from the POSIX ACL.
    recomputed = getntacl(self.lp, self.tempf, direct_db_access=False)
    render_sid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(from_posix, recomputed.as_sddl(render_sid))
def test_setntacl_smbd_getntacl_smbd_gpo(self):
    """A GPO-style descriptor (protected DACL, object ACEs in the SACL) round-trips via smbd.

    Rendering with the real domain SID makes domain-relative SIDs come
    back as their SDDL aliases (DA, DU, EA, ...), which is what the
    expected string uses.
    """
    sddl = ("O:DAG:DUD:P"
            "(A;OICI;0x001f01ff;;;DA)"
            "(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)"
            "(A;OICI;0x001f01ff;;;DA)"
            "(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)"
            "(A;OICI;0x001200a9;;;ED)"
            "S:AI"
            "(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
            "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")
    domain_sid_str = "S-1-5-21-2212615479-2695158682-2101375467"
    setntacl(self.lp, self.tempf, sddl, domain_sid_str, use_ntvfs=False)
    stored = getntacl(self.lp, self.tempf, direct_db_access=False)
    domain_sid = security.dom_sid(domain_sid_str)
    self.assertEqual(stored.as_sddl(domain_sid), sddl)
def test_setntacl_getposixacl(self):
    """Set an NT ACL via smbd, read it back, then fetch the resulting POSIX ACL.

    The POSIX ACL is fetched at the end but nothing is asserted on it, so
    this test only confirms the NT ACL round trip; the POSIX side of the
    mapping is left unchecked here.
    """
    sddl = ("O:S-1-5-21-2212615479-2695158682-2101375467-512"
            "G:S-1-5-21-2212615479-2695158682-2101375467-513"
            "D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)")
    domain_sid = "S-1-5-21-2212615479-2695158682-2101375467"
    setntacl(self.lp, self.tempf, sddl, domain_sid, use_ntvfs=False)
    stored = getntacl(self.lp, self.tempf)
    render_sid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(stored.as_sddl(render_sid), sddl)
    # Fetched for inspection only; no expectations are pinned on it.
    smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
def test_setposixacl_getposixacl(self):
    """A simple 0640 POSIX ACL reads back as user/group/other/mask entries.

    NOTE: a second method with this exact name is defined later in the
    class; Python rebinds the attribute, so this definition is shadowed
    and never collected by the test runner. The two disagree on the
    expected MASK entry (6 here, 7 in the later one) — only the later
    value is actually exercised.
    """
    smbd.set_simple_acl(self.tempf, 0o640)
    posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
    self.assertEqual(posix_acl.count, 4)

    expected = [
        (smb_acl.SMB_ACL_USER_OBJ, 6),   # owner rw-
        (smb_acl.SMB_ACL_GROUP_OBJ, 4),  # group r--
        (smb_acl.SMB_ACL_OTHER, 0),      # other ---
        (smb_acl.SMB_ACL_MASK, 6),
    ]
    for index, (a_type, a_perm) in enumerate(expected):
        entry = posix_acl.acl[index]
        self.assertEqual(entry.a_type, a_type)
        self.assertEqual(entry.a_perm, a_perm)
def test_setposixacl_getntacl(self):
    """Read the NT ACL of a file that only ever had a POSIX ACL, via getntacl's default mode.

    Ends in an unconditional ``assertTrue(False)``: the expected outcome
    is evidently not yet pinned down (the original note says the xattr is
    not expected to be filled in for this case), so the test always
    fails — presumably carried in the selftest knownfail list; confirm.
    """
    smbd.set_simple_acl(self.tempf, 0o750)
    getntacl(self.lp, self.tempf)
    self.assertTrue(False)
def test_setposixacl_getntacl_smbd(self):
    """A file with only a 0640 POSIX ACL maps to an NT ACL for its owner and group SIDs.

    Owner and group SIDs are resolved from the file's uid/gid through
    passdb; owner rw- becomes 0x001f019f, group r-- becomes 0x00120089,
    and other --- becomes an Everyone (WD) ACE carrying no rights.
    """
    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
    st = os.stat(self.tempf)
    group_sid = s4_passdb.gid_to_sid(st.st_gid)
    user_sid = s4_passdb.uid_to_sid(st.st_uid)

    smbd.set_simple_acl(self.tempf, 0o640)
    mapped = getntacl(self.lp, self.tempf, direct_db_access=False)

    expected = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;;;;WD)" % (
        user_sid, group_sid, user_sid, group_sid)
    render_sid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(expected, mapped.as_sddl(render_sid))
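def test_setposixacl_dir_getntacl_smbd(self):
    """A directory with only a POSIX ACL maps to an NT ACL with inherit-only creator ACEs.

    The directory is chowned to the ids that BUILTIN\\Administrators and
    BUILTIN\\Server Operators map to (both must be ID_TYPE_BOTH so they can
    serve as owner and group), given a 0750 POSIX ACL, and read back via
    the smbd path. The expected SDDL uses the BA/SO aliases and adds
    inherit-only ACEs for CREATOR OWNER, CREATOR GROUP and Everyone.

    The original built the passdb handle twice and resolved the temp
    dir's owner SID without using it; both are dropped here.
    """
    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))

    ba_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    ba_id, ba_type = s4_passdb.sid_to_id(ba_sid)
    self.assertEqual(ba_type, idmap.ID_TYPE_BOTH)

    so_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
    so_id, so_type = s4_passdb.sid_to_id(so_sid)
    self.assertEqual(so_type, idmap.ID_TYPE_BOTH)

    smbd.chown(self.tempdir, ba_id, so_id)
    smbd.set_simple_acl(self.tempdir, 0o750)
    mapped = getntacl(self.lp, self.tempdir, direct_db_access=False)

    expected = ("O:BAG:SOD:"
                "(A;;0x001f01ff;;;BA)"          # owner rwx -> full control
                "(A;;0x001200a9;;;SO)"          # group r-x -> read + execute
                "(A;;;;;WD)"                    # other --- -> no rights
                "(A;OICIIO;0x001f01ff;;;CO)"    # inherit-only, creator owner
                "(A;OICIIO;0x001200a9;;;CG)"    # inherit-only, creator group
                "(A;OICIIO;0x001200a9;;;WD)")   # inherit-only, everyone
    render_sid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(expected, mapped.as_sddl(render_sid))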
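def test_setposixacl_group_getntacl_smbd(self):
    """A 0640 POSIX ACL with an extra BUILTIN\\Administrators group entry maps to a BA ACE.

    Owner and group SIDs come from the file's uid/gid via passdb; the
    additional named-group entry for BA gets the same read-only rights
    (0x00120089) as the group class. The original also fetched the global
    SAM SID into an unused local, which is dropped here.
    """
    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))

    ba_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    ba_gid, ba_type = s4_passdb.sid_to_id(ba_sid)
    self.assertEqual(ba_type, idmap.ID_TYPE_BOTH)

    st = os.stat(self.tempf)
    group_sid = s4_passdb.gid_to_sid(st.st_gid)
    user_sid = s4_passdb.uid_to_sid(st.st_uid)

    smbd.set_simple_acl(self.tempf, 0o640, ba_gid)
    mapped = getntacl(self.lp, self.tempf, direct_db_access=False)

    expected = ("O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)"
                "(A;;0x00120089;;;%s)(A;;;;;WD)") % (
        user_sid, group_sid, user_sid, group_sid)
    render_sid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(expected, mapped.as_sddl(render_sid))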
def test_setposixacl_getposixacl(self):
    """A simple 0640 POSIX ACL reads back as user/group/other/mask entries.

    NOTE: this is the second definition of this name in the class; it
    rebinds the attribute, so this is the version the runner executes,
    and its MASK expectation (7) is the one that counts.
    """
    smbd.set_simple_acl(self.tempf, 0o640)
    posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
    self.assertEqual(posix_acl.count, 4)

    expected = [
        (smb_acl.SMB_ACL_USER_OBJ, 6),   # owner rw-
        (smb_acl.SMB_ACL_GROUP_OBJ, 4),  # group r--
        (smb_acl.SMB_ACL_OTHER, 0),      # other ---
        (smb_acl.SMB_ACL_MASK, 7),
    ]
    for index, (a_type, a_perm) in enumerate(expected):
        entry = posix_acl.acl[index]
        self.assertEqual(entry.a_type, a_type)
        self.assertEqual(entry.a_perm, a_perm)
def test_setposixacl_dir_getposixacl(self):
    """A simple 0750 POSIX ACL on a directory reads back as four entries."""
    smbd.set_simple_acl(self.tempdir, 0o750)
    posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)
    self.assertEqual(posix_acl.count, 4)

    expected = [
        (smb_acl.SMB_ACL_USER_OBJ, 7),   # owner rwx
        (smb_acl.SMB_ACL_GROUP_OBJ, 5),  # group r-x
        (smb_acl.SMB_ACL_OTHER, 0),      # other ---
        (smb_acl.SMB_ACL_MASK, 7),
    ]
    for index, (a_type, a_perm) in enumerate(expected):
        entry = posix_acl.acl[index]
        self.assertEqual(entry.a_type, a_type)
        self.assertEqual(entry.a_perm, a_perm)
def test_setposixacl_group_getposixacl(self):
    """A 0670 POSIX ACL plus a named group entry reads back as five entries.

    The named group is the gid BUILTIN\\Administrators maps to; passdb must
    report it as ID_TYPE_BOTH for the gid to be usable here.
    """
    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
    ba_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    ba_gid, ba_type = s4_passdb.sid_to_id(ba_sid)
    self.assertEqual(ba_type, idmap.ID_TYPE_BOTH)

    smbd.set_simple_acl(self.tempf, 0o670, ba_gid)
    posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
    self.assertEqual(posix_acl.count, 5)

    owner, group_obj, other, named_group, mask = [posix_acl.acl[i] for i in range(5)]

    self.assertEqual(owner.a_type, smb_acl.SMB_ACL_USER_OBJ)
    self.assertEqual(owner.a_perm, 6)          # rw-

    self.assertEqual(group_obj.a_type, smb_acl.SMB_ACL_GROUP_OBJ)
    self.assertEqual(group_obj.a_perm, 7)      # rwx

    self.assertEqual(other.a_type, smb_acl.SMB_ACL_OTHER)
    self.assertEqual(other.a_perm, 0)          # ---

    self.assertEqual(named_group.a_type, smb_acl.SMB_ACL_GROUP)
    self.assertEqual(named_group.a_perm, 7)    # rwx for the BA gid
    self.assertEqual(named_group.info.gid, ba_gid)

    self.assertEqual(mask.a_type, smb_acl.SMB_ACL_MASK)
    self.assertEqual(mask.a_perm, 7)
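def test_setntacl_sysvol_check_getposixacl(self):
    """The SYSVOL sub-folder descriptor, set on a file, maps to the expected 13-entry POSIX ACL.

    The NT ACL is round-tripped first, then every POSIX entry (type,
    permission bits and, for named user/group entries, the id) is checked
    in the order the NDR smb_acl stores them, which is not re-sorted for
    display.

    Two corrections relative to the original: the mapping type of
    SID_NT_SYSTEM is now asserted on its own result (it re-checked
    SO_type), and the nss_wrapper detection treats an unset
    NSS_WRAPPER_MODULE_SO_PATH (None from os.getenv) as "not active"
    instead of letting it pass a ``!= ""`` comparison.
    """
    sddl = provision.SYSVOL_SUBFOLDER_SD
    domsid = passdb.get_global_sam_sid()
    setntacl(self.lp, self.tempf, sddl, str(domsid), use_ntvfs=False)
    stored = getntacl(self.lp, self.tempf)
    self.assertEqual(stored.as_sddl(domsid), sddl)
    posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

    # With nss_wrapper routing lookups through winbind, the owner entries
    # come back with execute set (7 rather than 6).
    nwrap_winbind_active = (bool(os.getenv('NSS_WRAPPER_MODULE_SO_PATH')) and
                            os.getenv('NSS_WRAPPER_MODULE_FN_PREFIX') == "winbind")
    owner_perm = 7 if nwrap_winbind_active else 6

    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))

    def mapped_id(sid_str, expected_type):
        """Map *sid_str* through passdb, asserting the idmap type it reports."""
        xid, xid_type = s4_passdb.sid_to_id(security.dom_sid(sid_str))
        self.assertEqual(xid_type, expected_type)
        return xid

    # These expectations are specific to the ad_dc selftest configuration;
    # environments with a broader passdb group mapping may need them relaxed.
    LA_uid = mapped_id(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR),
                       idmap.ID_TYPE_UID)
    BA_gid = mapped_id(security.SID_BUILTIN_ADMINISTRATORS, idmap.ID_TYPE_BOTH)
    SO_gid = mapped_id(security.SID_BUILTIN_SERVER_OPERATORS, idmap.ID_TYPE_BOTH)
    SY_gid = mapped_id(security.SID_NT_SYSTEM, idmap.ID_TYPE_BOTH)
    AU_gid = mapped_id(security.SID_NT_AUTHENTICATED_USERS, idmap.ID_TYPE_BOTH)

    def expect(index, a_type, a_perm, uid=None, gid=None):
        """Assert type/perm of entry *index*, plus its uid or gid when given."""
        entry = posix_acl.acl[index]
        self.assertEqual(entry.a_type, a_type)
        self.assertEqual(entry.a_perm, a_perm)
        if uid is not None:
            self.assertEqual(entry.info.uid, uid)
        if gid is not None:
            self.assertEqual(entry.info.gid, gid)

    self.assertEqual(posix_acl.count, 13)
    expect(0, smb_acl.SMB_ACL_GROUP, 7, gid=BA_gid)
    expect(1, smb_acl.SMB_ACL_USER, owner_perm, uid=LA_uid)
    expect(2, smb_acl.SMB_ACL_OTHER, 0)
    expect(3, smb_acl.SMB_ACL_USER_OBJ, owner_perm)    # the selftest user ("root" conceptually)
    expect(4, smb_acl.SMB_ACL_USER, 7, uid=BA_gid)
    expect(5, smb_acl.SMB_ACL_GROUP_OBJ, 7)            # Local Admins, rwx
    expect(6, smb_acl.SMB_ACL_USER, 5, uid=SO_gid)
    expect(7, smb_acl.SMB_ACL_GROUP, 5, gid=SO_gid)
    expect(8, smb_acl.SMB_ACL_USER, 7, uid=SY_gid)
    expect(9, smb_acl.SMB_ACL_GROUP, 7, gid=SY_gid)
    expect(10, smb_acl.SMB_ACL_USER, 5, uid=AU_gid)
    expect(11, smb_acl.SMB_ACL_GROUP, 5, gid=AU_gid)
    expect(12, smb_acl.SMB_ACL_MASK, 7)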
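def test_setntacl_sysvol_dir_check_getposixacl(self):
    """The SYSVOL sub-folder descriptor, set on a directory, maps to the expected 13-entry POSIX ACL.

    Same shape as test_setntacl_sysvol_check_getposixacl but on the temp
    directory, where the owner entries are rwx regardless of nss_wrapper.
    Entries are checked in the NDR smb_acl storage order.

    Correction relative to the original: the mapping type of
    SID_NT_SYSTEM is asserted on its own result (it re-checked SO_type).
    """
    sddl = provision.SYSVOL_SUBFOLDER_SD
    domsid = passdb.get_global_sam_sid()
    setntacl(self.lp, self.tempdir, sddl, str(domsid), use_ntvfs=False)
    stored = getntacl(self.lp, self.tempdir)
    self.assertEqual(stored.as_sddl(domsid), sddl)
    posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)

    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))

    def mapped_id(sid_str, expected_type):
        """Map *sid_str* through passdb, asserting the idmap type it reports."""
        xid, xid_type = s4_passdb.sid_to_id(security.dom_sid(sid_str))
        self.assertEqual(xid_type, expected_type)
        return xid

    # These expectations are specific to the ad_dc selftest configuration;
    # environments with a broader passdb group mapping may need them relaxed.
    LA_uid = mapped_id(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR),
                       idmap.ID_TYPE_UID)
    BA_gid = mapped_id(security.SID_BUILTIN_ADMINISTRATORS, idmap.ID_TYPE_BOTH)
    SO_gid = mapped_id(security.SID_BUILTIN_SERVER_OPERATORS, idmap.ID_TYPE_BOTH)
    SY_gid = mapped_id(security.SID_NT_SYSTEM, idmap.ID_TYPE_BOTH)
    AU_gid = mapped_id(security.SID_NT_AUTHENTICATED_USERS, idmap.ID_TYPE_BOTH)

    def expect(index, a_type, a_perm, uid=None, gid=None):
        """Assert type/perm of entry *index*, plus its uid or gid when given."""
        entry = posix_acl.acl[index]
        self.assertEqual(entry.a_type, a_type)
        self.assertEqual(entry.a_perm, a_perm)
        if uid is not None:
            self.assertEqual(entry.info.uid, uid)
        if gid is not None:
            self.assertEqual(entry.info.gid, gid)

    self.assertEqual(posix_acl.count, 13)
    expect(0, smb_acl.SMB_ACL_GROUP, 7, gid=BA_gid)
    expect(1, smb_acl.SMB_ACL_USER, 7, uid=LA_uid)
    expect(2, smb_acl.SMB_ACL_OTHER, 0)
    expect(3, smb_acl.SMB_ACL_USER_OBJ, 7)     # the selftest user ("root" conceptually)
    expect(4, smb_acl.SMB_ACL_USER, 7, uid=BA_gid)
    expect(5, smb_acl.SMB_ACL_GROUP_OBJ, 7)
    expect(6, smb_acl.SMB_ACL_USER, 5, uid=SO_gid)
    expect(7, smb_acl.SMB_ACL_GROUP, 5, gid=SO_gid)
    expect(8, smb_acl.SMB_ACL_USER, 7, uid=SY_gid)
    expect(9, smb_acl.SMB_ACL_GROUP, 7, gid=SY_gid)
    expect(10, smb_acl.SMB_ACL_USER, 5, uid=AU_gid)
    expect(11, smb_acl.SMB_ACL_GROUP, 5, gid=AU_gid)
    expect(12, smb_acl.SMB_ACL_MASK, 7)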
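def test_setntacl_policies_dir_check_getposixacl(self):
    """The Policies folder descriptor, set on a directory, maps to the expected 15-entry POSIX ACL.

    Compared with the SYSVOL sub-folder descriptor this adds user and
    group entries for Group Policy Creator Owners (DOMAIN_RID_POLICY_ADMINS).
    Entries are checked in the NDR smb_acl storage order.

    Correction relative to the original: the mapping type of
    SID_NT_SYSTEM is asserted on its own result (it re-checked SO_type).
    """
    sddl = provision.POLICIES_FOLDER_SD
    domsid = passdb.get_global_sam_sid()
    setntacl(self.lp, self.tempdir, sddl, str(domsid), use_ntvfs=False)
    stored = getntacl(self.lp, self.tempdir)
    self.assertEqual(stored.as_sddl(domsid), sddl)
    posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)

    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))

    def mapped_id(sid_str, expected_type):
        """Map *sid_str* through passdb, asserting the idmap type it reports."""
        xid, xid_type = s4_passdb.sid_to_id(security.dom_sid(sid_str))
        self.assertEqual(xid_type, expected_type)
        return xid

    # These expectations are specific to the ad_dc selftest configuration;
    # environments with a broader passdb group mapping may need them relaxed.
    LA_uid = mapped_id(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR),
                       idmap.ID_TYPE_UID)
    BA_gid = mapped_id(security.SID_BUILTIN_ADMINISTRATORS, idmap.ID_TYPE_BOTH)
    SO_gid = mapped_id(security.SID_BUILTIN_SERVER_OPERATORS, idmap.ID_TYPE_BOTH)
    SY_gid = mapped_id(security.SID_NT_SYSTEM, idmap.ID_TYPE_BOTH)
    AU_gid = mapped_id(security.SID_NT_AUTHENTICATED_USERS, idmap.ID_TYPE_BOTH)
    PA_gid = mapped_id(str(domsid) + "-" + str(security.DOMAIN_RID_POLICY_ADMINS),
                       idmap.ID_TYPE_BOTH)

    def expect(index, a_type, a_perm, uid=None, gid=None):
        """Assert type/perm of entry *index*, plus its uid or gid when given."""
        entry = posix_acl.acl[index]
        self.assertEqual(entry.a_type, a_type)
        self.assertEqual(entry.a_perm, a_perm)
        if uid is not None:
            self.assertEqual(entry.info.uid, uid)
        if gid is not None:
            self.assertEqual(entry.info.gid, gid)

    self.assertEqual(posix_acl.count, 15)
    expect(0, smb_acl.SMB_ACL_GROUP, 7, gid=BA_gid)
    expect(1, smb_acl.SMB_ACL_USER, 7, uid=LA_uid)
    expect(2, smb_acl.SMB_ACL_OTHER, 0)
    expect(3, smb_acl.SMB_ACL_USER_OBJ, 7)     # the selftest user ("root" conceptually)
    expect(4, smb_acl.SMB_ACL_USER, 7, uid=BA_gid)
    expect(5, smb_acl.SMB_ACL_GROUP_OBJ, 7)
    expect(6, smb_acl.SMB_ACL_USER, 5, uid=SO_gid)
    expect(7, smb_acl.SMB_ACL_GROUP, 5, gid=SO_gid)
    expect(8, smb_acl.SMB_ACL_USER, 7, uid=SY_gid)
    expect(9, smb_acl.SMB_ACL_GROUP, 7, gid=SY_gid)
    expect(10, smb_acl.SMB_ACL_USER, 5, uid=AU_gid)
    expect(11, smb_acl.SMB_ACL_GROUP, 5, gid=AU_gid)
    expect(12, smb_acl.SMB_ACL_USER, 7, uid=PA_gid)
    expect(13, smb_acl.SMB_ACL_GROUP, 7, gid=PA_gid)
    expect(14, smb_acl.SMB_ACL_MASK, 7)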
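def test_setntacl_policies_check_getposixacl(self):
    """The Policies folder descriptor, set on a file, maps to the expected 15-entry POSIX ACL.

    Same shape as test_setntacl_policies_dir_check_getposixacl but on the
    temp file, where the owner entries depend on whether nss_wrapper routes
    lookups through winbind. Entries are checked in the NDR smb_acl
    storage order.

    Two corrections relative to the original: the mapping type of
    SID_NT_SYSTEM is asserted on its own result (it re-checked SO_type),
    and the nss_wrapper detection treats an unset
    NSS_WRAPPER_MODULE_SO_PATH (None from os.getenv) as "not active"
    instead of letting it pass a ``!= ""`` comparison.
    """
    sddl = provision.POLICIES_FOLDER_SD
    domsid = passdb.get_global_sam_sid()
    setntacl(self.lp, self.tempf, sddl, str(domsid), use_ntvfs=False)
    stored = getntacl(self.lp, self.tempf)
    self.assertEqual(stored.as_sddl(domsid), sddl)
    posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

    # With nss_wrapper routing lookups through winbind, the owner entries
    # come back with execute set (7 rather than 6).
    nwrap_winbind_active = (bool(os.getenv('NSS_WRAPPER_MODULE_SO_PATH')) and
                            os.getenv('NSS_WRAPPER_MODULE_FN_PREFIX') == "winbind")
    owner_perm = 7 if nwrap_winbind_active else 6

    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))

    def mapped_id(sid_str, expected_type):
        """Map *sid_str* through passdb, asserting the idmap type it reports."""
        xid, xid_type = s4_passdb.sid_to_id(security.dom_sid(sid_str))
        self.assertEqual(xid_type, expected_type)
        return xid

    # These expectations are specific to the ad_dc selftest configuration;
    # environments with a broader passdb group mapping may need them relaxed.
    LA_uid = mapped_id(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR),
                       idmap.ID_TYPE_UID)
    BA_gid = mapped_id(security.SID_BUILTIN_ADMINISTRATORS, idmap.ID_TYPE_BOTH)
    SO_gid = mapped_id(security.SID_BUILTIN_SERVER_OPERATORS, idmap.ID_TYPE_BOTH)
    SY_gid = mapped_id(security.SID_NT_SYSTEM, idmap.ID_TYPE_BOTH)
    AU_gid = mapped_id(security.SID_NT_AUTHENTICATED_USERS, idmap.ID_TYPE_BOTH)
    PA_gid = mapped_id(str(domsid) + "-" + str(security.DOMAIN_RID_POLICY_ADMINS),
                       idmap.ID_TYPE_BOTH)

    def expect(index, a_type, a_perm, uid=None, gid=None):
        """Assert type/perm of entry *index*, plus its uid or gid when given."""
        entry = posix_acl.acl[index]
        self.assertEqual(entry.a_type, a_type)
        self.assertEqual(entry.a_perm, a_perm)
        if uid is not None:
            self.assertEqual(entry.info.uid, uid)
        if gid is not None:
            self.assertEqual(entry.info.gid, gid)

    self.assertEqual(posix_acl.count, 15)
    expect(0, smb_acl.SMB_ACL_GROUP, 7, gid=BA_gid)
    expect(1, smb_acl.SMB_ACL_USER, owner_perm, uid=LA_uid)
    expect(2, smb_acl.SMB_ACL_OTHER, 0)
    expect(3, smb_acl.SMB_ACL_USER_OBJ, owner_perm)    # the selftest user ("root" conceptually)
    expect(4, smb_acl.SMB_ACL_USER, 7, uid=BA_gid)
    expect(5, smb_acl.SMB_ACL_GROUP_OBJ, 7)            # Local Admins, rwx
    expect(6, smb_acl.SMB_ACL_USER, 5, uid=SO_gid)
    expect(7, smb_acl.SMB_ACL_GROUP, 5, gid=SO_gid)
    expect(8, smb_acl.SMB_ACL_USER, 7, uid=SY_gid)
    expect(9, smb_acl.SMB_ACL_GROUP, 7, gid=SY_gid)
    expect(10, smb_acl.SMB_ACL_USER, 5, uid=AU_gid)
    expect(11, smb_acl.SMB_ACL_GROUP, 5, gid=AU_gid)
    expect(12, smb_acl.SMB_ACL_USER, 7, uid=PA_gid)
    expect(13, smb_acl.SMB_ACL_GROUP, 7, gid=PA_gid)
    expect(14, smb_acl.SMB_ACL_MASK, 7)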
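def setUp(self):
    """Point the s3 xattr_tdb backend at a per-test tdb and create the test file.

    The xattr emulation is stored in a tdb under the temp directory so each
    test starts without stored NT ACLs; tearDown removes both the file and
    the tdb. The test file is written through a context manager so the
    handle is closed deterministically rather than left to refcount GC.
    """
    super(PosixAclMappingTests, self).setUp()
    s3conf = s3param.get_context()
    s3conf.load(self.get_loadparm().configfile)
    s3conf.set("xattr_tdb:file", os.path.join(self.tempdir, "xattr.tdb"))

    self.tempf = os.path.join(self.tempdir, "test")
    with open(self.tempf, 'w') as fh:
        fh.write("empty")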
def tearDown(self):
    """Remove the test file and the per-test xattr tdb, then let the base class clean up.

    The file is removed with smbd.unlink rather than os.unlink, presumably
    so the VFS-level removal hooks run for it — confirm against smbd's
    Python bindings.
    """
    smbd.unlink(self.tempf)
    os.unlink(os.path.join(self.tempdir, "xattr.tdb"))
    super(PosixAclMappingTests, self).tearDown()