1 # Unix SMB/CIFS implementation. Tests for NT and posix ACL manipulation
2 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
3 # Copyright (C) Andrew Bartlett 2012
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 """Tests for the Samba3 NT -> posix ACL layer"""
21 from samba.ntacls import setntacl, getntacl, checkset_backend
22 from samba.dcerpc import security, smb_acl, idmap
23 from samba.tests import TestCaseInTempDir
24 from samba import provision
26 from samba.samba3 import smbd, passdb
27 from samba.samba3 import param as s3param
28 from samba import auth
29 from samba.samdb import SamDB
31 DOM_SID = "S-1-5-21-2212615479-2695158682-2101375467"
32 ACL = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
35 class PosixAclMappingTests(TestCaseInTempDir):
38 super(PosixAclMappingTests, self).setUp()
39 s3conf = s3param.get_context()
40 s3conf.load(self.get_loadparm().configfile)
41 s3conf.set("xattr_tdb:file", os.path.join(self.tempdir, "xattr.tdb"))
43 self.tempf = os.path.join(self.tempdir, "test")
44 open(self.tempf, 'w').write("empty")
45 self.samdb = SamDB(lp=self.lp, session_info=auth.system_session())
48 smbd.unlink(self.tempf)
49 os.unlink(os.path.join(self.tempdir, "xattr.tdb"))
50 super(PosixAclMappingTests, self).tearDown()
52 def get_session_info(self, domsid=DOM_SID):
54 Get session_info for setntacl.
56 This test case always return None, to run tests without session_info
57 like before. To be overrided in derived class.
61 def print_posix_acl(self, posix_acl):
63 for entry in posix_acl.acl:
64 aclstr += "a_type: %d\n" % entry.a_type
65 aclstr += "a_perm: %o\n" % entry.a_perm
66 if entry.a_type == smb_acl.SMB_ACL_USER:
67 aclstr += "uid: %d\n" % entry.info.uid
68 if entry.a_type == smb_acl.SMB_ACL_GROUP:
69 aclstr += "gid: %d\n" % entry.info.gid
72 def test_setntacl(self):
74 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
75 session_info=self.get_session_info())
77 def test_setntacl_smbd_getntacl(self):
79 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True,
80 session_info=self.get_session_info())
81 facl = getntacl(self.lp, self.tempf, direct_db_access=True)
82 anysid = security.dom_sid(security.SID_NT_SELF)
83 self.assertEquals(facl.as_sddl(anysid), acl)
85 def test_setntacl_smbd_setposixacl_getntacl(self):
87 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True,
88 session_info=self.get_session_info())
90 # This will invalidate the ACL, as we have a hook!
91 smbd.set_simple_acl(self.tempf, 0o640)
93 # However, this only asks the xattr
95 TypeError, getntacl, self.lp, self.tempf, direct_db_access=True)
97 def test_setntacl_invalidate_getntacl(self):
99 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True,
100 session_info=self.get_session_info())
102 # This should invalidate the ACL, as we include the posix ACL in the hash
103 (backend_obj, dbname) = checkset_backend(self.lp, None, None)
104 backend_obj.wrap_setxattr(dbname,
105 self.tempf, "system.fake_access_acl", b"")
107 # however, as this is direct DB access, we do not notice it
108 facl = getntacl(self.lp, self.tempf, direct_db_access=True)
109 anysid = security.dom_sid(security.SID_NT_SELF)
110 self.assertEquals(acl, facl.as_sddl(anysid))
112 def test_setntacl_invalidate_getntacl_smbd(self):
114 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
115 session_info=self.get_session_info())
117 # This should invalidate the ACL, as we include the posix ACL in the hash
118 (backend_obj, dbname) = checkset_backend(self.lp, None, None)
119 backend_obj.wrap_setxattr(dbname,
120 self.tempf, "system.fake_access_acl", b"")
122 # the hash would break, and we return an ACL based only on the mode, except we set the ACL using the 'ntvfs' mode that doesn't include a hash
123 facl = getntacl(self.lp, self.tempf)
124 anysid = security.dom_sid(security.SID_NT_SELF)
125 self.assertEquals(acl, facl.as_sddl(anysid))
127 def test_setntacl_smbd_invalidate_getntacl_smbd(self):
129 simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
130 os.chmod(self.tempf, 0o750)
131 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
132 session_info=self.get_session_info())
134 # This should invalidate the ACL, as we include the posix ACL in the hash
135 (backend_obj, dbname) = checkset_backend(self.lp, None, None)
136 backend_obj.wrap_setxattr(dbname,
137 self.tempf, "system.fake_access_acl", b"")
139 # the hash will break, and we return an ACL based only on the mode
140 facl = getntacl(self.lp, self.tempf, direct_db_access=False)
141 anysid = security.dom_sid(security.SID_NT_SELF)
142 self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
144 def test_setntacl_getntacl_smbd(self):
146 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True,
147 session_info=self.get_session_info())
148 facl = getntacl(self.lp, self.tempf, direct_db_access=False)
149 anysid = security.dom_sid(security.SID_NT_SELF)
150 self.assertEquals(facl.as_sddl(anysid), acl)
152 def test_setntacl_smbd_getntacl_smbd(self):
154 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
155 session_info=self.get_session_info())
156 facl = getntacl(self.lp, self.tempf, direct_db_access=False)
157 anysid = security.dom_sid(security.SID_NT_SELF)
158 self.assertEquals(facl.as_sddl(anysid), acl)
160 def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
162 simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
163 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
164 session_info=self.get_session_info())
165 # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
166 smbd.set_simple_acl(self.tempf, 0o640)
167 facl = getntacl(self.lp, self.tempf, direct_db_access=False)
168 anysid = security.dom_sid(security.SID_NT_SELF)
169 self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
171 def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self):
173 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
174 simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;BA)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
175 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
176 session_info=self.get_session_info())
177 # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
178 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
179 (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
180 smbd.set_simple_acl(self.tempf, 0o640, BA_gid)
182 # This should re-calculate an ACL based on the posix details
183 facl = getntacl(self.lp, self.tempf, direct_db_access=False)
184 anysid = security.dom_sid(security.SID_NT_SELF)
185 self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
187 def test_setntacl_smbd_getntacl_smbd_gpo(self):
188 acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
189 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
190 session_info=self.get_session_info())
191 facl = getntacl(self.lp, self.tempf, direct_db_access=False)
192 domsid = security.dom_sid(DOM_SID)
193 self.assertEquals(facl.as_sddl(domsid), acl)
195 def test_setntacl_getposixacl(self):
197 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
198 session_info=self.get_session_info())
199 facl = getntacl(self.lp, self.tempf)
200 anysid = security.dom_sid(security.SID_NT_SELF)
201 self.assertEquals(facl.as_sddl(anysid), acl)
202 posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
204 def test_setposixacl_getntacl(self):
205 smbd.set_simple_acl(self.tempf, 0o750)
206 # We don't expect the xattr to be filled in in this case
207 self.assertRaises(TypeError, getntacl, self.lp, self.tempf)
209 def test_setposixacl_getntacl_smbd(self):
210 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
211 group_SID = s4_passdb.gid_to_sid(os.stat(self.tempf).st_gid)
212 user_SID = s4_passdb.uid_to_sid(os.stat(self.tempf).st_uid)
213 smbd.set_simple_acl(self.tempf, 0o640)
214 facl = getntacl(self.lp, self.tempf, direct_db_access=False)
215 acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
216 anysid = security.dom_sid(security.SID_NT_SELF)
217 self.assertEquals(acl, facl.as_sddl(anysid))
219 def test_setposixacl_dir_getntacl_smbd(self):
220 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
221 user_SID = s4_passdb.uid_to_sid(os.stat(self.tempdir).st_uid)
222 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
223 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
224 (BA_id, BA_type) = s4_passdb.sid_to_id(BA_sid)
225 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
226 SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
227 (SO_id, SO_type) = s4_passdb.sid_to_id(SO_sid)
228 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
229 smbd.chown(self.tempdir, BA_id, SO_id)
230 smbd.set_simple_acl(self.tempdir, 0o750)
231 facl = getntacl(self.lp, self.tempdir, direct_db_access=False)
232 acl = "O:BAG:SOD:(A;;0x001f01ff;;;BA)(A;;0x001200a9;;;SO)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)"
234 anysid = security.dom_sid(security.SID_NT_SELF)
235 self.assertEquals(acl, facl.as_sddl(anysid))
237 def test_setposixacl_group_getntacl_smbd(self):
238 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
239 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
240 (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
241 group_SID = s4_passdb.gid_to_sid(os.stat(self.tempf).st_gid)
242 user_SID = s4_passdb.uid_to_sid(os.stat(self.tempf).st_uid)
243 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
244 smbd.set_simple_acl(self.tempf, 0o640, BA_gid)
245 facl = getntacl(self.lp, self.tempf, direct_db_access=False)
246 domsid = passdb.get_global_sam_sid()
247 acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
248 anysid = security.dom_sid(security.SID_NT_SELF)
249 self.assertEquals(acl, facl.as_sddl(anysid))
251 def test_setposixacl_getposixacl(self):
252 smbd.set_simple_acl(self.tempf, 0o640)
253 posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
254 self.assertEquals(posix_acl.count, 4, self.print_posix_acl(posix_acl))
256 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_USER_OBJ)
257 self.assertEquals(posix_acl.acl[0].a_perm, 6)
259 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
260 self.assertEquals(posix_acl.acl[1].a_perm, 4)
262 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
263 self.assertEquals(posix_acl.acl[2].a_perm, 0)
265 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_MASK)
266 self.assertEquals(posix_acl.acl[3].a_perm, 7)
268 def test_setposixacl_dir_getposixacl(self):
269 smbd.set_simple_acl(self.tempdir, 0o750)
270 posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)
271 self.assertEquals(posix_acl.count, 4, self.print_posix_acl(posix_acl))
273 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_USER_OBJ)
274 self.assertEquals(posix_acl.acl[0].a_perm, 7)
276 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
277 self.assertEquals(posix_acl.acl[1].a_perm, 5)
279 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
280 self.assertEquals(posix_acl.acl[2].a_perm, 0)
282 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_MASK)
283 self.assertEquals(posix_acl.acl[3].a_perm, 7)
285 def test_setposixacl_group_getposixacl(self):
286 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
287 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
288 (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
289 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
290 smbd.set_simple_acl(self.tempf, 0o670, BA_gid)
291 posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
293 self.assertEquals(posix_acl.count, 5, self.print_posix_acl(posix_acl))
295 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_USER_OBJ)
296 self.assertEquals(posix_acl.acl[0].a_perm, 6)
298 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
299 self.assertEquals(posix_acl.acl[1].a_perm, 7)
301 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
302 self.assertEquals(posix_acl.acl[2].a_perm, 0)
304 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_GROUP)
305 self.assertEquals(posix_acl.acl[3].a_perm, 7)
306 self.assertEquals(posix_acl.acl[3].info.gid, BA_gid)
308 self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_MASK)
309 self.assertEquals(posix_acl.acl[4].a_perm, 7)
311 def test_setntacl_sysvol_check_getposixacl(self):
312 acl = provision.SYSVOL_ACL
313 domsid = passdb.get_global_sam_sid()
314 session_info = self.get_session_info(domsid)
315 setntacl(self.lp, self.tempf, acl, str(domsid), use_ntvfs=False,
316 session_info=session_info)
317 facl = getntacl(self.lp, self.tempf)
318 self.assertEquals(facl.as_sddl(domsid), acl)
319 posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
321 nwrap_module_so_path = os.getenv('NSS_WRAPPER_MODULE_SO_PATH')
322 nwrap_module_fn_prefix = os.getenv('NSS_WRAPPER_MODULE_FN_PREFIX')
324 nwrap_winbind_active = (nwrap_module_so_path != "" and
325 nwrap_module_fn_prefix == "winbind")
327 LA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
328 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
329 SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
330 SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
331 AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
333 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
335 # These assertions correct for current ad_dc selftest
336 # configuration. When other environments have a broad range of
337 # groups mapped via passdb, we can relax some of these checks
338 (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
339 self.assertEquals(LA_type, idmap.ID_TYPE_UID)
340 (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
341 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
342 (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
343 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
344 (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
345 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
346 (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
347 self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)
349 self.assertEquals(posix_acl.count, 13, self.print_posix_acl(posix_acl))
351 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
352 self.assertEquals(posix_acl.acl[0].a_perm, 7)
353 self.assertEquals(posix_acl.acl[0].info.gid, BA_gid)
355 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
356 if nwrap_winbind_active or session_info:
357 self.assertEquals(posix_acl.acl[1].a_perm, 7)
359 self.assertEquals(posix_acl.acl[1].a_perm, 6)
360 self.assertEquals(posix_acl.acl[1].info.uid, LA_uid)
362 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
363 self.assertEquals(posix_acl.acl[2].a_perm, 0)
365 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
366 if nwrap_winbind_active or session_info:
367 self.assertEquals(posix_acl.acl[3].a_perm, 7)
369 self.assertEquals(posix_acl.acl[3].a_perm, 6)
371 self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_USER)
372 self.assertEquals(posix_acl.acl[4].a_perm, 7)
373 self.assertEquals(posix_acl.acl[4].info.uid, BA_gid)
375 self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
376 self.assertEquals(posix_acl.acl[5].a_perm, 7)
378 self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_USER)
379 self.assertEquals(posix_acl.acl[6].a_perm, 5)
380 self.assertEquals(posix_acl.acl[6].info.uid, SO_gid)
382 self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
383 self.assertEquals(posix_acl.acl[7].a_perm, 5)
384 self.assertEquals(posix_acl.acl[7].info.gid, SO_gid)
386 self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_USER)
387 self.assertEquals(posix_acl.acl[8].a_perm, 7)
388 self.assertEquals(posix_acl.acl[8].info.uid, SY_gid)
390 self.assertEquals(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_GROUP)
391 self.assertEquals(posix_acl.acl[9].a_perm, 7)
392 self.assertEquals(posix_acl.acl[9].info.gid, SY_gid)
394 self.assertEquals(posix_acl.acl[10].a_type, smb_acl.SMB_ACL_USER)
395 self.assertEquals(posix_acl.acl[10].a_perm, 5)
396 self.assertEquals(posix_acl.acl[10].info.uid, AU_gid)
398 self.assertEquals(posix_acl.acl[11].a_type, smb_acl.SMB_ACL_GROUP)
399 self.assertEquals(posix_acl.acl[11].a_perm, 5)
400 self.assertEquals(posix_acl.acl[11].info.gid, AU_gid)
402 self.assertEquals(posix_acl.acl[12].a_type, smb_acl.SMB_ACL_MASK)
403 self.assertEquals(posix_acl.acl[12].a_perm, 7)
406 # check that it matches:
408 # user:root:rwx (selftest user actually)
410 # group:Local Admins:rwx
418 # This is in this order in the NDR smb_acl (not re-orderded for display)
425 # uid: 0 (selftest user actually)
458 def test_setntacl_sysvol_dir_check_getposixacl(self):
459 acl = provision.SYSVOL_ACL
460 domsid = passdb.get_global_sam_sid()
461 session_info = self.get_session_info(domsid)
462 setntacl(self.lp, self.tempdir, acl, str(domsid), use_ntvfs=False,
463 session_info=session_info)
464 facl = getntacl(self.lp, self.tempdir)
465 self.assertEquals(facl.as_sddl(domsid), acl)
466 posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)
468 LA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
469 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
470 SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
471 SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
472 AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
474 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
476 # These assertions correct for current ad_dc selftest
477 # configuration. When other environments have a broad range of
478 # groups mapped via passdb, we can relax some of these checks
479 (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
480 self.assertEquals(LA_type, idmap.ID_TYPE_UID)
481 (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
482 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
483 (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
484 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
485 (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
486 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
487 (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
488 self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)
490 self.assertEquals(posix_acl.count, 13, self.print_posix_acl(posix_acl))
492 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
493 self.assertEquals(posix_acl.acl[0].a_perm, 7)
494 self.assertEquals(posix_acl.acl[0].info.gid, BA_gid)
496 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
497 self.assertEquals(posix_acl.acl[1].a_perm, 7)
498 self.assertEquals(posix_acl.acl[1].info.uid, LA_uid)
500 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
501 self.assertEquals(posix_acl.acl[2].a_perm, 0)
503 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
504 self.assertEquals(posix_acl.acl[3].a_perm, 7)
506 self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_USER)
507 self.assertEquals(posix_acl.acl[4].a_perm, 7)
508 self.assertEquals(posix_acl.acl[4].info.uid, BA_gid)
510 self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
511 self.assertEquals(posix_acl.acl[5].a_perm, 7)
513 self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_USER)
514 self.assertEquals(posix_acl.acl[6].a_perm, 5)
515 self.assertEquals(posix_acl.acl[6].info.uid, SO_gid)
517 self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
518 self.assertEquals(posix_acl.acl[7].a_perm, 5)
519 self.assertEquals(posix_acl.acl[7].info.gid, SO_gid)
521 self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_USER)
522 self.assertEquals(posix_acl.acl[8].a_perm, 7)
523 self.assertEquals(posix_acl.acl[8].info.uid, SY_gid)
525 self.assertEquals(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_GROUP)
526 self.assertEquals(posix_acl.acl[9].a_perm, 7)
527 self.assertEquals(posix_acl.acl[9].info.gid, SY_gid)
529 self.assertEquals(posix_acl.acl[10].a_type, smb_acl.SMB_ACL_USER)
530 self.assertEquals(posix_acl.acl[10].a_perm, 5)
531 self.assertEquals(posix_acl.acl[10].info.uid, AU_gid)
533 self.assertEquals(posix_acl.acl[11].a_type, smb_acl.SMB_ACL_GROUP)
534 self.assertEquals(posix_acl.acl[11].a_perm, 5)
535 self.assertEquals(posix_acl.acl[11].info.gid, AU_gid)
537 self.assertEquals(posix_acl.acl[12].a_type, smb_acl.SMB_ACL_MASK)
538 self.assertEquals(posix_acl.acl[12].a_perm, 7)
541 # check that it matches:
543 # user:root:rwx (selftest user actually)
552 def test_setntacl_policies_dir_check_getposixacl(self):
553 acl = provision.POLICIES_ACL
554 domsid = passdb.get_global_sam_sid()
555 session_info = self.get_session_info(domsid)
556 setntacl(self.lp, self.tempdir, acl, str(domsid), use_ntvfs=False,
557 session_info=session_info)
558 facl = getntacl(self.lp, self.tempdir)
559 self.assertEquals(facl.as_sddl(domsid), acl)
560 posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)
562 LA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
563 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
564 SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
565 SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
566 AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
567 PA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_POLICY_ADMINS))
569 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
571 # These assertions correct for current ad_dc selftest
572 # configuration. When other environments have a broad range of
573 # groups mapped via passdb, we can relax some of these checks
574 (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
575 self.assertEquals(LA_type, idmap.ID_TYPE_UID)
576 (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
577 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
578 (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
579 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
580 (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
581 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
582 (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
583 self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)
584 (PA_gid, PA_type) = s4_passdb.sid_to_id(PA_sid)
585 self.assertEquals(PA_type, idmap.ID_TYPE_BOTH)
587 self.assertEquals(posix_acl.count, 15, self.print_posix_acl(posix_acl))
589 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
590 self.assertEquals(posix_acl.acl[0].a_perm, 7)
591 self.assertEquals(posix_acl.acl[0].info.gid, BA_gid)
593 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
594 self.assertEquals(posix_acl.acl[1].a_perm, 7)
595 self.assertEquals(posix_acl.acl[1].info.uid, LA_uid)
597 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
598 self.assertEquals(posix_acl.acl[2].a_perm, 0)
600 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
601 self.assertEquals(posix_acl.acl[3].a_perm, 7)
603 self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_USER)
604 self.assertEquals(posix_acl.acl[4].a_perm, 7)
605 self.assertEquals(posix_acl.acl[4].info.uid, BA_gid)
607 self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
608 self.assertEquals(posix_acl.acl[5].a_perm, 7)
610 self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_USER)
611 self.assertEquals(posix_acl.acl[6].a_perm, 5)
612 self.assertEquals(posix_acl.acl[6].info.uid, SO_gid)
614 self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
615 self.assertEquals(posix_acl.acl[7].a_perm, 5)
616 self.assertEquals(posix_acl.acl[7].info.gid, SO_gid)
618 self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_USER)
619 self.assertEquals(posix_acl.acl[8].a_perm, 7)
620 self.assertEquals(posix_acl.acl[8].info.uid, SY_gid)
622 self.assertEquals(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_GROUP)
623 self.assertEquals(posix_acl.acl[9].a_perm, 7)
624 self.assertEquals(posix_acl.acl[9].info.gid, SY_gid)
626 self.assertEquals(posix_acl.acl[10].a_type, smb_acl.SMB_ACL_USER)
627 self.assertEquals(posix_acl.acl[10].a_perm, 5)
628 self.assertEquals(posix_acl.acl[10].info.uid, AU_gid)
630 self.assertEquals(posix_acl.acl[11].a_type, smb_acl.SMB_ACL_GROUP)
631 self.assertEquals(posix_acl.acl[11].a_perm, 5)
632 self.assertEquals(posix_acl.acl[11].info.gid, AU_gid)
634 self.assertEquals(posix_acl.acl[12].a_type, smb_acl.SMB_ACL_USER)
635 self.assertEquals(posix_acl.acl[12].a_perm, 7)
636 self.assertEquals(posix_acl.acl[12].info.uid, PA_gid)
638 self.assertEquals(posix_acl.acl[13].a_type, smb_acl.SMB_ACL_GROUP)
639 self.assertEquals(posix_acl.acl[13].a_perm, 7)
640 self.assertEquals(posix_acl.acl[13].info.gid, PA_gid)
642 self.assertEquals(posix_acl.acl[14].a_type, smb_acl.SMB_ACL_MASK)
643 self.assertEquals(posix_acl.acl[14].a_perm, 7)
646 # check that it matches:
648 # user:root:rwx (selftest user actually)
658 def test_setntacl_policies_check_getposixacl(self):
659 acl = provision.POLICIES_ACL
661 domsid = passdb.get_global_sam_sid()
662 session_info = self.get_session_info(domsid)
663 setntacl(self.lp, self.tempf, acl, str(domsid), use_ntvfs=False,
664 session_info=session_info)
665 facl = getntacl(self.lp, self.tempf)
666 self.assertEquals(facl.as_sddl(domsid), acl)
667 posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
669 nwrap_module_so_path = os.getenv('NSS_WRAPPER_MODULE_SO_PATH')
670 nwrap_module_fn_prefix = os.getenv('NSS_WRAPPER_MODULE_FN_PREFIX')
672 nwrap_winbind_active = (nwrap_module_so_path != "" and
673 nwrap_module_fn_prefix == "winbind")
675 LA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
676 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
677 SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
678 SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
679 AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
680 PA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_POLICY_ADMINS))
682 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
684 # These assertions correct for current ad_dc selftest
685 # configuration. When other environments have a broad range of
686 # groups mapped via passdb, we can relax some of these checks
687 (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
688 self.assertEquals(LA_type, idmap.ID_TYPE_UID)
689 (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
690 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
691 (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
692 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
693 (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
694 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
695 (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
696 self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)
697 (PA_gid, PA_type) = s4_passdb.sid_to_id(PA_sid)
698 self.assertEquals(PA_type, idmap.ID_TYPE_BOTH)
700 self.assertEquals(posix_acl.count, 15, self.print_posix_acl(posix_acl))
702 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
703 self.assertEquals(posix_acl.acl[0].a_perm, 7)
704 self.assertEquals(posix_acl.acl[0].info.gid, BA_gid)
706 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
707 if nwrap_winbind_active or session_info:
708 self.assertEquals(posix_acl.acl[1].a_perm, 7)
710 self.assertEquals(posix_acl.acl[1].a_perm, 6)
711 self.assertEquals(posix_acl.acl[1].info.uid, LA_uid)
713 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
714 self.assertEquals(posix_acl.acl[2].a_perm, 0)
716 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
717 if nwrap_winbind_active or session_info:
718 self.assertEquals(posix_acl.acl[3].a_perm, 7)
720 self.assertEquals(posix_acl.acl[3].a_perm, 6)
722 self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_USER)
723 self.assertEquals(posix_acl.acl[4].a_perm, 7)
724 self.assertEquals(posix_acl.acl[4].info.uid, BA_gid)
726 self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
727 self.assertEquals(posix_acl.acl[5].a_perm, 7)
729 self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_USER)
730 self.assertEquals(posix_acl.acl[6].a_perm, 5)
731 self.assertEquals(posix_acl.acl[6].info.uid, SO_gid)
733 self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
734 self.assertEquals(posix_acl.acl[7].a_perm, 5)
735 self.assertEquals(posix_acl.acl[7].info.gid, SO_gid)
737 self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_USER)
738 self.assertEquals(posix_acl.acl[8].a_perm, 7)
739 self.assertEquals(posix_acl.acl[8].info.uid, SY_gid)
741 self.assertEquals(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_GROUP)
742 self.assertEquals(posix_acl.acl[9].a_perm, 7)
743 self.assertEquals(posix_acl.acl[9].info.gid, SY_gid)
745 self.assertEquals(posix_acl.acl[10].a_type, smb_acl.SMB_ACL_USER)
746 self.assertEquals(posix_acl.acl[10].a_perm, 5)
747 self.assertEquals(posix_acl.acl[10].info.uid, AU_gid)
749 self.assertEquals(posix_acl.acl[11].a_type, smb_acl.SMB_ACL_GROUP)
750 self.assertEquals(posix_acl.acl[11].a_perm, 5)
751 self.assertEquals(posix_acl.acl[11].info.gid, AU_gid)
753 self.assertEquals(posix_acl.acl[12].a_type, smb_acl.SMB_ACL_USER)
754 self.assertEquals(posix_acl.acl[12].a_perm, 7)
755 self.assertEquals(posix_acl.acl[12].info.uid, PA_gid)
757 self.assertEquals(posix_acl.acl[13].a_type, smb_acl.SMB_ACL_GROUP)
758 self.assertEquals(posix_acl.acl[13].a_perm, 7)
759 self.assertEquals(posix_acl.acl[13].info.gid, PA_gid)
761 self.assertEquals(posix_acl.acl[14].a_type, smb_acl.SMB_ACL_MASK)
762 self.assertEquals(posix_acl.acl[14].a_perm, 7)
765 # check that it matches:
767 # user:root:rwx (selftest user actually)
769 # group:Local Admins:rwx
778 # This is in this order in the NDR smb_acl (not re-orderded for display)
785 # uid: 0 (selftest user actually)
820 class SessionedPosixAclMappingTests(PosixAclMappingTests):
822 Run same test suite with session enabled.
825 def get_session_info(self, domsid=DOM_SID):
827 Get session_info for setntacl.
829 if str(domsid) != str(self.samdb.get_domain_sid()):
830 # fake it with admin session as domsid is not in local db
831 return auth.admin_session(self.lp, str(domsid))
833 dn = '<SID={}-{}>'.format(domsid, security.DOMAIN_RID_ADMINISTRATOR)
834 flags = (auth.AUTH_SESSION_INFO_DEFAULT_GROUPS |
835 auth.AUTH_SESSION_INFO_AUTHENTICATED |
836 auth.AUTH_SESSION_INFO_SIMPLE_PRIVILEGES)
837 return auth.user_session(self.samdb, lp_ctx=self.lp, dn=dn,
838 session_info_flags=flags)
841 class UnixSessionedPosixAclMappingTests(PosixAclMappingTests):
843 Run same test suite with session enabled.
846 def get_session_info(self, domsid=DOM_SID):
848 Get session_info for setntacl.
850 if str(domsid) != str(self.samdb.get_domain_sid()):
851 # fake it with admin session as domsid is not in local db
852 return auth.admin_session(self.lp, str(domsid))
854 dn = '<SID={}-{}>'.format(domsid, security.DOMAIN_RID_ADMINISTRATOR)
855 flags = (auth.AUTH_SESSION_INFO_DEFAULT_GROUPS |
856 auth.AUTH_SESSION_INFO_AUTHENTICATED |
857 auth.AUTH_SESSION_INFO_SIMPLE_PRIVILEGES)
859 session = auth.user_session(self.samdb, lp_ctx=self.lp, dn=dn,
860 session_info_flags=flags)
861 auth.session_info_fill_unix(session,
863 user_name="Administrator")