1 # Unix SMB/CIFS implementation. Tests for NT and posix ACL manipulation
2 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
3 # Copyright (C) Andrew Bartlett 2012
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 """Tests for the Samba3 NT -> posix ACL layer"""
21 from samba.ntacls import setntacl, getntacl, checkset_backend
22 from samba.dcerpc import xattr, security, smb_acl, idmap
23 from samba.param import LoadParm
24 from samba.tests import TestCaseInTempDir
25 from samba import provision
28 from samba.samba3 import smbd, passdb
29 from samba.samba3 import param as s3param
31 # To print a posix ACL use:
32 # for entry in posix_acl.acl:
33 # print "a_type: %d" % entry.a_type
34 # print "a_perm: %o" % entry.a_perm
35 # print "uid: %d" % entry.uid
36 # print "gid: %d" % entry.gid
38 class PosixAclMappingTests(TestCaseInTempDir):
def test_setntacl(self):
    """Setting an NT ACL through the smbd (non-ntvfs) path must not raise.

    Nothing is read back here; the round trip is covered by the getntacl
    tests below.
    """
    domain = "S-1-5-21-2212615479-2695158682-2101375467"
    sddl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    setntacl(self.lp, self.tempf, sddl, domain, use_ntvfs=False)
def test_setntacl_smbd_getntacl(self):
    """An ACL written via the ntvfs path reads back unchanged with direct DB access."""
    domain = "S-1-5-21-2212615479-2695158682-2101375467"
    sddl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    setntacl(self.lp, self.tempf, sddl, domain, use_ntvfs=True)
    stored = getntacl(self.lp, self.tempf, direct_db_access=True)
    # as_sddl takes a domain SID used for abbreviating domain-relative SIDs;
    # with SID_NT_SELF the expected string appears to keep them spelled out
    # (compare the gpo test, which passes the real domain SID)
    self_sid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(stored.as_sddl(self_sid), sddl)
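def test_setntacl_smbd_setposixacl_getntacl(self):
    """Change the POSIX ACL after an ntvfs-path setntacl, then read via the DB.

    Placeholder: what a direct_db_access read should return once the POSIX
    ACL hook has invalidated the stored NT ACL is not asserted yet, so the
    test fails explicitly rather than silently passing.
    """
    sddl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    setntacl(self.lp, self.tempf, sddl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)

    # This will invalidate the ACL, as we have a hook!
    smbd.set_simple_acl(self.tempf, 0640)

    # However, this only asks the xattr
    getntacl(self.lp, self.tempf, direct_db_access=True)
    self.fail("not yet decided what a direct DB read should return once the "
              "POSIX ACL hook has invalidated the stored NT ACL")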
def test_setntacl_invalidate_getntacl(self):
    """Direct DB access does not notice a hash-breaking POSIX ACL change.

    The fake access-ACL xattr should invalidate the stored NT ACL, as the
    posix ACL is part of the hash, but a direct_db_access read bypasses that
    check and still returns the ACL exactly as set.
    """
    domain = "S-1-5-21-2212615479-2695158682-2101375467"
    sddl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    setntacl(self.lp, self.tempf, sddl, domain, use_ntvfs=True)

    # This should invalidate the ACL, as we include the posix ACL in the hash
    backend_obj, dbname = checkset_backend(self.lp, None, None)
    backend_obj.wrap_setxattr(dbname, self.tempf, "system.fake_access_acl", "")

    # however, as this is direct DB access, we do not notice it
    stored = getntacl(self.lp, self.tempf, direct_db_access=True)
    self_sid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(sddl, stored.as_sddl(self_sid))
def test_setntacl_invalidate_getntacl_smbd(self):
    """A smbd-path setntacl followed by a hash-breaking xattr and a default read.

    NOTE(review): the setntacl below uses use_ntvfs=False, so a hash is
    stored; the ACL still reads back unchanged because this getntacl call
    uses the default read path rather than direct_db_access=False. Confirm
    against getntacl's default for direct_db_access before relying on this.
    """
    domain = "S-1-5-21-2212615479-2695158682-2101375467"
    sddl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    setntacl(self.lp, self.tempf, sddl, domain, use_ntvfs=False)

    # This should invalidate the ACL, as we include the posix ACL in the hash
    backend_obj, dbname = checkset_backend(self.lp, None, None)
    backend_obj.wrap_setxattr(dbname, self.tempf, "system.fake_access_acl", "")

    # the hash would break on the smbd read path; the default read path is
    # used here and returns the stored ACL
    stored = getntacl(self.lp, self.tempf)
    self_sid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(sddl, stored.as_sddl(self_sid))
def test_setntacl_smbd_invalidate_getntacl_smbd(self):
    """Breaking the hash makes the smbd read path fall back to a mode-derived SD.

    Once the fake access-ACL xattr invalidates the stored hash, getntacl via
    smbd (direct_db_access=False) returns an ACL built only from the 0750
    mode: 0x001f01ff for the owner, 0x001200a9 for the group and an ACE
    with an empty access mask for Everyone (WD), matching other=0.
    """
    domain = "S-1-5-21-2212615479-2695158682-2101375467"
    full_sddl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    mode_only_sddl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
    os.chmod(self.tempf, 0750)
    setntacl(self.lp, self.tempf, full_sddl, domain, use_ntvfs=False)

    # This should invalidate the ACL, as we include the posix ACL in the hash
    backend_obj, dbname = checkset_backend(self.lp, None, None)
    backend_obj.wrap_setxattr(dbname, self.tempf, "system.fake_access_acl", "")

    # the hash will break, and we return an ACL based only on the mode
    rebuilt = getntacl(self.lp, self.tempf, direct_db_access=False)
    self_sid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(mode_only_sddl, rebuilt.as_sddl(self_sid))
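def test_setntacl_smbd_dont_invalidate_getntacl_smbd(self):
    """A changed POSIX->SD mapping must not invalidate a still-valid hash.

    With "profile acls" switched on, the POSIX ACL would map to a different
    SD than the one stored; since the hash is intact the stored (complete)
    ACL must still be returned, not one mapped from the POSIX ACL.
    """
    # set an ACL on a tempfile
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    os.chmod(self.tempf, 0750)
    setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)

    # now influence the POSIX ACL->SD mapping so it returns something else
    # than what was set previously; this should not invalidate the hash and
    # the complete ACL should still come back
    self.lp.set("profile acls", "yes")
    try:
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
    finally:
        # restore even if getntacl raises so the setting cannot leak into
        # later tests that share this loadparm context
        self.lp.set("profile acls", "no")
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(acl, facl.as_sddl(anysid))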
def test_setntacl_getntacl_smbd(self):
    """An ACL written via the ntvfs path reads back unchanged through smbd."""
    domain = "S-1-5-21-2212615479-2695158682-2101375467"
    sddl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    self_sid = security.dom_sid(security.SID_NT_SELF)
    setntacl(self.lp, self.tempf, sddl, domain, use_ntvfs=True)
    via_smbd = getntacl(self.lp, self.tempf, direct_db_access=False)
    self.assertEqual(via_smbd.as_sddl(self_sid), sddl)
def test_setntacl_smbd_getntacl_smbd(self):
    """An ACL written via smbd reads back unchanged through smbd."""
    domain = "S-1-5-21-2212615479-2695158682-2101375467"
    sddl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    self_sid = security.dom_sid(security.SID_NT_SELF)
    setntacl(self.lp, self.tempf, sddl, domain, use_ntvfs=False)
    via_smbd = getntacl(self.lp, self.tempf, direct_db_access=False)
    self.assertEqual(via_smbd.as_sddl(self_sid), sddl)
def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
    """Setting a POSIX ACL after a smbd-path setntacl invalidates the stored SD.

    The hook in the posix ACL set code breaks the hash, so the smbd read
    path rebuilds the SD from the 0640 POSIX ACL: 0x001f019f for the owner,
    0x00120089 for the group, and an empty-mask ACE for Everyone (WD).
    """
    domain = "S-1-5-21-2212615479-2695158682-2101375467"
    full_sddl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    posix_derived_sddl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
    setntacl(self.lp, self.tempf, full_sddl, domain, use_ntvfs=False)
    # This invalidates the hash of the NT acl just set because there is a
    # hook in the posix ACL set code
    smbd.set_simple_acl(self.tempf, 0640)
    rebuilt = getntacl(self.lp, self.tempf, direct_db_access=False)
    self_sid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(posix_derived_sddl, rebuilt.as_sddl(self_sid))
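def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self):
    """A POSIX ACL with an extra group entry replaces a smbd-path NT ACL.

    After the posix ACL hook invalidates the stored hash, the SD rebuilt
    from the 0640 ACL plus a BUILTIN\\Administrators group entry carries an
    additional 0x00120089 ACE for BA between the owner and group ACEs.
    """
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;BA)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
    setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
    # This invalidates the hash of the NT acl just set because there is a
    # hook in the posix ACL set code
    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
    (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
    # BA_gid is used as a gid below, so check the mapping type first, as the
    # sibling group tests in this class do
    self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
    smbd.set_simple_acl(self.tempf, 0640, BA_gid)

    # This should re-calculate an ACL based on the posix details
    facl = getntacl(self.lp, self.tempf, direct_db_access=False)
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(simple_acl_from_posix, facl.as_sddl(anysid))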
def test_setntacl_smbd_getntacl_smbd_gpo(self):
    """A GPO-style SD with object ACEs and a SACL round-trips through smbd.

    The SDDL uses domain-relative abbreviations (DA, DU), so the real
    domain SID is passed to as_sddl for the comparison. The DACL carries the
    DA ACE twice; the round trip is expected to preserve it verbatim.
    """
    domain = "S-1-5-21-2212615479-2695158682-2101375467"
    sddl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
    domain_sid = security.dom_sid(domain)
    setntacl(self.lp, self.tempf, sddl, domain, use_ntvfs=False)
    via_smbd = getntacl(self.lp, self.tempf, direct_db_access=False)
    self.assertEqual(via_smbd.as_sddl(domain_sid), sddl)
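def test_setntacl_getposixacl(self):
    """A smbd-path setntacl reads back unchanged and leaves a readable POSIX ACL.

    The POSIX ACL itself is not inspected here; the get_sys_acl call only
    checks that it can be read after the NT ACL was set.
    """
    acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
    setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
    facl = getntacl(self.lp, self.tempf)
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(facl.as_sddl(anysid), acl)
    # result deliberately not bound: only readability is exercised
    smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)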
def test_setposixacl_getposixacl(self):
    """A 0640 simple ACL reads back as user/group/other/mask entries.

    NOTE(review): a later method in this class has the same name and
    replaces this one at class creation, so this body never runs. The two
    disagree on the mask entry (6 here, 7 below); delete or rename this one
    once the intended value is confirmed.
    """
    smbd.set_simple_acl(self.tempf, 0640)
    posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
    self.assertEqual(posix_acl.count, 4)

    expected = [
        (smb_acl.SMB_ACL_USER_OBJ, 6),
        (smb_acl.SMB_ACL_GROUP_OBJ, 4),
        (smb_acl.SMB_ACL_OTHER, 0),
        (smb_acl.SMB_ACL_MASK, 6),
    ]
    for i, (a_type, a_perm) in enumerate(expected):
        entry = posix_acl.acl[i]
        self.assertEqual(entry.a_type, a_type)
        self.assertEqual(entry.a_perm, a_perm)
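def test_setposixacl_getntacl(self):
    """Read the NT ACL of a file that only ever had a POSIX ACL set.

    Placeholder: what the default getntacl path should return for a file
    with no stored NT ACL is not asserted yet. We don't expect the xattr to
    be filled in in this case.
    """
    smbd.set_simple_acl(self.tempf, 0750)
    getntacl(self.lp, self.tempf)
    self.fail("expected result of getntacl for a file with no stored NT ACL "
              "is not asserted yet")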
def test_setposixacl_getntacl_smbd(self):
    """A POSIX-only 0640 file maps to an SD naming the file's owner and group.

    0640 maps to 0x001f019f for the owner, 0x00120089 for the group and an
    empty-mask ACE for Everyone (WD) standing in for other=0.
    """
    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
    st = os.stat(self.tempf)
    owner_sid = s4_passdb.uid_to_sid(st.st_uid)
    group_sid = s4_passdb.gid_to_sid(st.st_gid)
    smbd.set_simple_acl(self.tempf, 0640)
    mapped = getntacl(self.lp, self.tempf, direct_db_access=False)
    expected = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;;;;WD)" % (owner_sid, group_sid, owner_sid, group_sid)
    self_sid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(expected, mapped.as_sddl(self_sid))
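def test_setposixacl_dir_getntacl_smbd(self):
    """A 0750 directory owned by BA/SO maps to an SD with inherit-only ACEs.

    Beyond the three access ACEs (BA, SO, empty-mask WD) the expected SD
    carries OICIIO ACEs giving CO, CG and WD 0x001f01ff on children.
    NOTE(review): the inherit-only full-control ACE for WD (Everyone) on
    children of a directory with other=0 is worth confirming as the
    intended mapping of a directory that has no default POSIX ACL.
    """
    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
    user_SID = s4_passdb.uid_to_sid(os.stat(self.tempdir).st_uid)
    BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    (BA_id, BA_type) = s4_passdb.sid_to_id(BA_sid)
    # both ids are used for chown below, so they must map as uid and gid
    self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
    SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
    (SO_id, SO_type) = s4_passdb.sid_to_id(SO_sid)
    self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)
    smbd.chown(self.tempdir, BA_id, SO_id)
    smbd.set_simple_acl(self.tempdir, 0750)
    facl = getntacl(self.lp, self.tempdir, direct_db_access=False)
    acl = "O:BAG:SOD:(A;;0x001f01ff;;;BA)(A;;0x001200a9;;;SO)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001f01ff;;;CG)(A;OICIIO;0x001f01ff;;;WD)"

    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(acl, facl.as_sddl(anysid))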
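def test_setposixacl_group_getntacl_smbd(self):
    """A 0640 POSIX ACL with an extra BA group entry maps to an SD with a BA ACE.

    The BA ACE (0x00120089) sits between the owner and the owning-group
    ACEs; Everyone (WD) gets an ACE with an empty mask, matching other=0.
    """
    BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
    (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
    group_SID = s4_passdb.gid_to_sid(os.stat(self.tempf).st_gid)
    user_SID = s4_passdb.uid_to_sid(os.stat(self.tempf).st_uid)
    # BA_gid is used as a gid below, so its mapping type is checked first
    self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
    smbd.set_simple_acl(self.tempf, 0640, BA_gid)
    facl = getntacl(self.lp, self.tempf, direct_db_access=False)
    acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
    anysid = security.dom_sid(security.SID_NT_SELF)
    self.assertEqual(acl, facl.as_sddl(anysid))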
def test_setposixacl_getposixacl(self):
    """A 0640 simple ACL reads back as user/group/other/mask entries.

    NOTE(review): an earlier method in this class has the same name; this
    later definition is the one Python keeps, so only this body runs.
    """
    smbd.set_simple_acl(self.tempf, 0640)
    posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
    self.assertEqual(posix_acl.count, 4)

    expected = [
        (smb_acl.SMB_ACL_USER_OBJ, 6),
        (smb_acl.SMB_ACL_GROUP_OBJ, 4),
        (smb_acl.SMB_ACL_OTHER, 0),
        (smb_acl.SMB_ACL_MASK, 7),
    ]
    for i, (a_type, a_perm) in enumerate(expected):
        entry = posix_acl.acl[i]
        self.assertEqual(entry.a_type, a_type)
        self.assertEqual(entry.a_perm, a_perm)
def test_setposixacl_dir_getposixacl(self):
    """A 0750 simple ACL on a directory reads back as four entries with mask 7."""
    smbd.set_simple_acl(self.tempdir, 0750)
    posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)
    self.assertEqual(posix_acl.count, 4)

    expected = [
        (smb_acl.SMB_ACL_USER_OBJ, 7),
        (smb_acl.SMB_ACL_GROUP_OBJ, 5),
        (smb_acl.SMB_ACL_OTHER, 0),
        (smb_acl.SMB_ACL_MASK, 7),
    ]
    for i, (a_type, a_perm) in enumerate(expected):
        entry = posix_acl.acl[i]
        self.assertEqual(entry.a_type, a_type)
        self.assertEqual(entry.a_perm, a_perm)
def test_setposixacl_group_getposixacl(self):
    """A 0670 simple ACL with an extra BA group entry reads back as five entries.

    The named-group entry for BUILTIN\\Administrators is the fourth entry
    and must carry the gid passdb mapped BA to.
    """
    BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
    (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
    # BA_gid is passed as a gid, so the mapping must be usable as one
    self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
    smbd.set_simple_acl(self.tempf, 0670, BA_gid)
    posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

    self.assertEqual(posix_acl.count, 5)

    # (a_type, a_perm, expected gid or None)
    expected = [
        (smb_acl.SMB_ACL_USER_OBJ, 6, None),
        (smb_acl.SMB_ACL_GROUP_OBJ, 7, None),
        (smb_acl.SMB_ACL_OTHER, 0, None),
        (smb_acl.SMB_ACL_GROUP, 7, BA_gid),
        (smb_acl.SMB_ACL_MASK, 7, None),
    ]
    for i, (a_type, a_perm, gid) in enumerate(expected):
        entry = posix_acl.acl[i]
        self.assertEqual(entry.a_type, a_type)
        self.assertEqual(entry.a_perm, a_perm)
        if gid is not None:
            self.assertEqual(entry.info.gid, gid)
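def test_setntacl_sysvol_check_getposixacl(self):
    """Set the provisioning SYSVOL ACL on a file and check the POSIX ACL it maps to.

    The NT ACL is written via the smbd (non-ntvfs) path and must read back
    unchanged; the POSIX access ACL, being the output of the mapping under
    test, is then checked entry by entry against the ids passdb maps each
    SID to.
    """
    acl = provision.SYSVOL_ACL
    domsid = passdb.get_global_sam_sid()
    setntacl(self.lp, self.tempf, acl, str(domsid), use_ntvfs=False)
    facl = getntacl(self.lp, self.tempf)
    self.assertEqual(facl.as_sddl(domsid), acl)
    posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

    LA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_ADMINISTRATOR))
    BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
    SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
    AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)

    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))

    # These assertions correct for current plugin_s4_dc selftest
    # configuration. When other environments have a broad range of
    # groups mapped via passdb, we can relax some of these checks
    (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
    self.assertEqual(LA_type, idmap.ID_TYPE_UID)
    (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
    self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
    (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
    self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)
    (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
    # SY_gid is matched against a group entry below, so SY's own mapping
    # type (not SO's again) is what has to be checked here
    self.assertEqual(SY_type, idmap.ID_TYPE_BOTH)
    (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
    self.assertEqual(AU_type, idmap.ID_TYPE_BOTH)

    # Expected entries in the order the NDR smb_acl returns them (not
    # re-ordered for display): (a_type, a_perm, id field, expected id).
    # The user:root entry is actually the selftest user.
    expected = [
        (smb_acl.SMB_ACL_GROUP, 7, "gid", BA_gid),
        (smb_acl.SMB_ACL_USER, 6, "uid", LA_uid),
        (smb_acl.SMB_ACL_OTHER, 0, None, None),
        (smb_acl.SMB_ACL_USER_OBJ, 6, None, None),
        (smb_acl.SMB_ACL_GROUP_OBJ, 7, None, None),
        (smb_acl.SMB_ACL_GROUP, 5, "gid", SO_gid),
        (smb_acl.SMB_ACL_GROUP, 7, "gid", SY_gid),
        (smb_acl.SMB_ACL_GROUP, 5, "gid", AU_gid),
        (smb_acl.SMB_ACL_MASK, 7, None, None),
    ]
    self.assertEqual(posix_acl.count, len(expected))
    for i, (a_type, a_perm, id_field, id_value) in enumerate(expected):
        entry = posix_acl.acl[i]
        self.assertEqual(entry.a_type, a_type, "entry %d a_type" % i)
        self.assertEqual(entry.a_perm, a_perm, "entry %d a_perm" % i)
        if id_field is not None:
            self.assertEqual(getattr(entry.info, id_field), id_value,
                             "entry %d %s" % (i, id_field))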
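def test_setntacl_sysvol_dir_check_getposixacl(self):
    """Set the provisioning SYSVOL ACL on a directory and check the POSIX ACL.

    Same shape as the file variant, but the owner and user entries get rwx
    (7) on a directory rather than rw (6).
    """
    acl = provision.SYSVOL_ACL
    domsid = passdb.get_global_sam_sid()
    setntacl(self.lp, self.tempdir, acl, str(domsid), use_ntvfs=False)
    facl = getntacl(self.lp, self.tempdir)
    self.assertEqual(facl.as_sddl(domsid), acl)
    posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)

    LA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_ADMINISTRATOR))
    BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
    SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
    AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)

    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))

    # These assertions correct for current plugin_s4_dc selftest
    # configuration. When other environments have a broad range of
    # groups mapped via passdb, we can relax some of these checks
    (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
    self.assertEqual(LA_type, idmap.ID_TYPE_UID)
    (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
    self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
    (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
    self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)
    (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
    # SY_gid is matched against a group entry below, so SY's own mapping
    # type (not SO's again) is what has to be checked here
    self.assertEqual(SY_type, idmap.ID_TYPE_BOTH)
    (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
    self.assertEqual(AU_type, idmap.ID_TYPE_BOTH)

    # Expected entries in the order the NDR smb_acl returns them (not
    # re-ordered for display): (a_type, a_perm, id field, expected id).
    # The user:root entry is actually the selftest user.
    expected = [
        (smb_acl.SMB_ACL_GROUP, 7, "gid", BA_gid),
        (smb_acl.SMB_ACL_USER, 7, "uid", LA_uid),
        (smb_acl.SMB_ACL_OTHER, 0, None, None),
        (smb_acl.SMB_ACL_USER_OBJ, 7, None, None),
        (smb_acl.SMB_ACL_GROUP_OBJ, 7, None, None),
        (smb_acl.SMB_ACL_GROUP, 5, "gid", SO_gid),
        (smb_acl.SMB_ACL_GROUP, 7, "gid", SY_gid),
        (smb_acl.SMB_ACL_GROUP, 5, "gid", AU_gid),
        (smb_acl.SMB_ACL_MASK, 7, None, None),
    ]
    self.assertEqual(posix_acl.count, len(expected))
    for i, (a_type, a_perm, id_field, id_value) in enumerate(expected):
        entry = posix_acl.acl[i]
        self.assertEqual(entry.a_type, a_type, "entry %d a_type" % i)
        self.assertEqual(entry.a_perm, a_perm, "entry %d a_perm" % i)
        if id_field is not None:
            self.assertEqual(getattr(entry.info, id_field), id_value,
                             "entry %d %s" % (i, id_field))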
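def test_setntacl_policies_dir_check_getposixacl(self):
    """Set the provisioning POLICIES ACL on a directory and check the POSIX ACL.

    Compared with the SYSVOL directory case there is one more named-group
    entry, for the domain's Group Policy Creator Owners (DOMAIN_RID_POLICY_ADMINS),
    before the mask.
    """
    acl = provision.POLICIES_ACL
    domsid = passdb.get_global_sam_sid()
    setntacl(self.lp, self.tempdir, acl, str(domsid), use_ntvfs=False)
    facl = getntacl(self.lp, self.tempdir)
    self.assertEqual(facl.as_sddl(domsid), acl)
    posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)

    LA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_ADMINISTRATOR))
    BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
    SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
    AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
    PA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_POLICY_ADMINS))

    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))

    # These assertions correct for current plugin_s4_dc selftest
    # configuration. When other environments have a broad range of
    # groups mapped via passdb, we can relax some of these checks
    (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
    self.assertEqual(LA_type, idmap.ID_TYPE_UID)
    (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
    self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
    (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
    self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)
    (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
    # SY_gid is matched against a group entry below, so SY's own mapping
    # type (not SO's again) is what has to be checked here
    self.assertEqual(SY_type, idmap.ID_TYPE_BOTH)
    (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
    self.assertEqual(AU_type, idmap.ID_TYPE_BOTH)
    (PA_gid, PA_type) = s4_passdb.sid_to_id(PA_sid)
    self.assertEqual(PA_type, idmap.ID_TYPE_BOTH)

    # Expected entries in the order the NDR smb_acl returns them (not
    # re-ordered for display): (a_type, a_perm, id field, expected id).
    # The user:root entry is actually the selftest user.
    expected = [
        (smb_acl.SMB_ACL_GROUP, 7, "gid", BA_gid),
        (smb_acl.SMB_ACL_USER, 7, "uid", LA_uid),
        (smb_acl.SMB_ACL_OTHER, 0, None, None),
        (smb_acl.SMB_ACL_USER_OBJ, 7, None, None),
        (smb_acl.SMB_ACL_GROUP_OBJ, 7, None, None),
        (smb_acl.SMB_ACL_GROUP, 5, "gid", SO_gid),
        (smb_acl.SMB_ACL_GROUP, 7, "gid", SY_gid),
        (smb_acl.SMB_ACL_GROUP, 5, "gid", AU_gid),
        (smb_acl.SMB_ACL_GROUP, 7, "gid", PA_gid),
        (smb_acl.SMB_ACL_MASK, 7, None, None),
    ]
    self.assertEqual(posix_acl.count, len(expected))
    for i, (a_type, a_perm, id_field, id_value) in enumerate(expected):
        entry = posix_acl.acl[i]
        self.assertEqual(entry.a_type, a_type, "entry %d a_type" % i)
        self.assertEqual(entry.a_perm, a_perm, "entry %d a_perm" % i)
        if id_field is not None:
            self.assertEqual(getattr(entry.info, id_field), id_value,
                             "entry %d %s" % (i, id_field))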
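def test_setntacl_policies_check_getposixacl(self):
    """Set the provisioning POLICIES ACL on a file and check the POSIX ACL.

    Same entries as the directory variant, but the owner and user entries
    get rw (6) on a file rather than rwx (7).
    """
    acl = provision.POLICIES_ACL

    domsid = passdb.get_global_sam_sid()
    setntacl(self.lp, self.tempf, acl, str(domsid), use_ntvfs=False)
    facl = getntacl(self.lp, self.tempf)
    self.assertEqual(facl.as_sddl(domsid), acl)
    posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

    LA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_ADMINISTRATOR))
    BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
    SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
    SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
    AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
    PA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_POLICY_ADMINS))

    s4_passdb = passdb.PDB(self.lp.get("passdb backend"))

    # These assertions correct for current plugin_s4_dc selftest
    # configuration. When other environments have a broad range of
    # groups mapped via passdb, we can relax some of these checks
    (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
    self.assertEqual(LA_type, idmap.ID_TYPE_UID)
    (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
    self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
    (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
    self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)
    (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
    # SY_gid is matched against a group entry below, so SY's own mapping
    # type (not SO's again) is what has to be checked here
    self.assertEqual(SY_type, idmap.ID_TYPE_BOTH)
    (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
    self.assertEqual(AU_type, idmap.ID_TYPE_BOTH)
    (PA_gid, PA_type) = s4_passdb.sid_to_id(PA_sid)
    self.assertEqual(PA_type, idmap.ID_TYPE_BOTH)

    # Expected entries in the order the NDR smb_acl returns them (not
    # re-ordered for display): (a_type, a_perm, id field, expected id).
    # The user:root entry is actually the selftest user.
    expected = [
        (smb_acl.SMB_ACL_GROUP, 7, "gid", BA_gid),
        (smb_acl.SMB_ACL_USER, 6, "uid", LA_uid),
        (smb_acl.SMB_ACL_OTHER, 0, None, None),
        (smb_acl.SMB_ACL_USER_OBJ, 6, None, None),
        (smb_acl.SMB_ACL_GROUP_OBJ, 7, None, None),
        (smb_acl.SMB_ACL_GROUP, 5, "gid", SO_gid),
        (smb_acl.SMB_ACL_GROUP, 7, "gid", SY_gid),
        (smb_acl.SMB_ACL_GROUP, 5, "gid", AU_gid),
        (smb_acl.SMB_ACL_GROUP, 7, "gid", PA_gid),
        (smb_acl.SMB_ACL_MASK, 7, None, None),
    ]
    self.assertEqual(posix_acl.count, len(expected))
    for i, (a_type, a_perm, id_field, id_value) in enumerate(expected):
        entry = posix_acl.acl[i]
        self.assertEqual(entry.a_type, a_type, "entry %d a_type" % i)
        self.assertEqual(entry.a_perm, a_perm, "entry %d a_perm" % i)
        if id_field is not None:
            self.assertEqual(getattr(entry.info, id_field), id_value,
                             "entry %d %s" % (i, id_field))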
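def setUp(self):
    """Point the smbd xattr backend at a per-test tdb and create the test file."""
    super(PosixAclMappingTests, self).setUp()
    s3conf = s3param.get_context()
    s3conf.load(self.get_loadparm().configfile)
    # keep the fake xattr store inside the temp dir so tearDown can remove it
    s3conf.set("xattr_tdb:file", os.path.join(self.tempdir, "xattr.tdb"))
    # NOTE(review): every test reads self.lp, but it is not assigned in the
    # lines visible here — confirm where it is set (presumably to s3conf).
    self.tempf = os.path.join(self.tempdir, "test")
    # close the handle explicitly instead of relying on refcount finalisation
    f = open(self.tempf, 'w')
    try:
        f.write("empty")
    finally:
        f.close()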
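def tearDown(self):
    """Remove the test file and xattr tdb, then let the base class drop the temp dir."""
    try:
        smbd.unlink(self.tempf)
        os.unlink(os.path.join(self.tempdir, "xattr.tdb"))
    finally:
        # always run the base teardown so the temp dir is cleaned up even
        # if one of the unlinks above fails
        super(PosixAclMappingTests, self).tearDown()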