1 # Unix SMB/CIFS implementation. Tests for NT and posix ACL manipulation
2 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
3 # Copyright (C) Andrew Bartlett 2012
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 """Tests for the Samba3 NT -> posix ACL layer"""
21 from samba.ntacls import setntacl, getntacl, checkset_backend
22 from samba.dcerpc import security, smb_acl, idmap
23 from samba.tests.smbd_base import SmbdBaseTests
24 from samba import provision
26 from samba.samba3 import smbd, passdb
27 from samba.samba3 import param as s3param
28 from samba import auth
29 from samba.samdb import SamDB
30 from samba.auth_util import system_session_unix
32 DOM_SID = "S-1-5-21-2212615479-2695158682-2101375467"
33 ACL = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
36 class PosixAclMappingTests(SmbdBaseTests):
39 super(PosixAclMappingTests, self).setUp()
40 s3conf = s3param.get_context()
41 s3conf.load(self.get_loadparm().configfile)
42 s3conf.set("xattr_tdb:file", os.path.join(self.tempdir, "xattr.tdb"))
44 self.tempf = os.path.join(self.tempdir, "test")
45 open(self.tempf, 'w').write("empty")
46 self.samdb = SamDB(lp=self.lp, session_info=auth.system_session())
49 smbd.unlink(self.tempf)
50 os.unlink(os.path.join(self.tempdir, "xattr.tdb"))
51 super(PosixAclMappingTests, self).tearDown()
53 def get_session_info(self, domsid=DOM_SID):
55 Get session_info for setntacl.
57 return system_session_unix()
59 def print_posix_acl(self, posix_acl):
61 for entry in posix_acl.acl:
62 aclstr += "a_type: %d\n" % entry.a_type +\
63 "a_perm: %o\n" % entry.a_perm
64 if entry.a_type == smb_acl.SMB_ACL_USER:
65 aclstr += "uid: %d\n" % entry.info.uid
66 if entry.a_type == smb_acl.SMB_ACL_GROUP:
67 aclstr += "gid: %d\n" % entry.info.gid
70 def test_setntacl(self):
72 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
73 session_info=self.get_session_info())
75 def test_setntacl_smbd_getntacl(self):
77 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True,
78 session_info=self.get_session_info())
79 facl = getntacl(self.lp, self.tempf, direct_db_access=True)
80 anysid = security.dom_sid(security.SID_NT_SELF)
81 self.assertEquals(facl.as_sddl(anysid), acl)
83 def test_setntacl_smbd_setposixacl_getntacl(self):
85 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True,
86 session_info=self.get_session_info())
88 # This will invalidate the ACL, as we have a hook!
89 smbd.set_simple_acl(self.tempf, 0o640, self.get_session_info())
91 # However, this only asks the xattr
93 TypeError, getntacl, self.lp, self.tempf, direct_db_access=True)
95 def test_setntacl_invalidate_getntacl(self):
97 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True,
98 session_info=self.get_session_info())
100 # This should invalidate the ACL, as we include the posix ACL in the hash
101 (backend_obj, dbname) = checkset_backend(self.lp, None, None)
102 backend_obj.wrap_setxattr(dbname,
103 self.tempf, "system.fake_access_acl", b"")
105 # however, as this is direct DB access, we do not notice it
106 facl = getntacl(self.lp, self.tempf, direct_db_access=True)
107 anysid = security.dom_sid(security.SID_NT_SELF)
108 self.assertEquals(acl, facl.as_sddl(anysid))
110 def test_setntacl_invalidate_getntacl_smbd(self):
112 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
113 session_info=self.get_session_info())
115 # This should invalidate the ACL, as we include the posix ACL in the hash
116 (backend_obj, dbname) = checkset_backend(self.lp, None, None)
117 backend_obj.wrap_setxattr(dbname,
118 self.tempf, "system.fake_access_acl", b"")
120 # the hash would break, and we return an ACL based only on the mode, except we set the ACL using the 'ntvfs' mode that doesn't include a hash
121 facl = getntacl(self.lp, self.tempf)
122 anysid = security.dom_sid(security.SID_NT_SELF)
123 self.assertEquals(acl, facl.as_sddl(anysid))
125 def test_setntacl_smbd_invalidate_getntacl_smbd(self):
127 simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
128 os.chmod(self.tempf, 0o750)
129 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
130 session_info=self.get_session_info())
132 # This should invalidate the ACL, as we include the posix ACL in the hash
133 (backend_obj, dbname) = checkset_backend(self.lp, None, None)
134 backend_obj.wrap_setxattr(dbname,
135 self.tempf, "system.fake_access_acl", b"")
137 # the hash will break, and we return an ACL based only on the mode
138 facl = getntacl(self.lp, self.tempf, direct_db_access=False)
139 anysid = security.dom_sid(security.SID_NT_SELF)
140 self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
142 def test_setntacl_getntacl_smbd(self):
144 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=True,
145 session_info=self.get_session_info())
146 facl = getntacl(self.lp, self.tempf, direct_db_access=False)
147 anysid = security.dom_sid(security.SID_NT_SELF)
148 self.assertEquals(facl.as_sddl(anysid), acl)
150 def test_setntacl_smbd_getntacl_smbd(self):
152 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
153 session_info=self.get_session_info())
154 facl = getntacl(self.lp, self.tempf, direct_db_access=False)
155 anysid = security.dom_sid(security.SID_NT_SELF)
156 self.assertEquals(facl.as_sddl(anysid), acl)
158 def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
160 simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
161 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
162 session_info=self.get_session_info())
163 # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
164 smbd.set_simple_acl(self.tempf, 0o640, self.get_session_info())
165 facl = getntacl(self.lp, self.tempf, direct_db_access=False)
166 anysid = security.dom_sid(security.SID_NT_SELF)
167 self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
169 def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self):
171 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
172 simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;BA)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
173 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
174 session_info=self.get_session_info())
175 # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
176 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
177 (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
178 smbd.set_simple_acl(self.tempf, 0o640, self.get_session_info(), BA_gid)
180 # This should re-calculate an ACL based on the posix details
181 facl = getntacl(self.lp, self.tempf, direct_db_access=False)
182 anysid = security.dom_sid(security.SID_NT_SELF)
183 self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
185 def test_setntacl_smbd_getntacl_smbd_gpo(self):
186 acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
187 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
188 session_info=self.get_session_info())
189 facl = getntacl(self.lp, self.tempf, direct_db_access=False)
190 domsid = security.dom_sid(DOM_SID)
191 self.assertEquals(facl.as_sddl(domsid), acl)
193 def test_setntacl_getposixacl(self):
195 setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
196 session_info=self.get_session_info())
197 facl = getntacl(self.lp, self.tempf)
198 anysid = security.dom_sid(security.SID_NT_SELF)
199 self.assertEquals(facl.as_sddl(anysid), acl)
200 posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
202 def test_setposixacl_getntacl(self):
203 smbd.set_simple_acl(self.tempf, 0o750, self.get_session_info())
204 # We don't expect the xattr to be filled in in this case
205 self.assertRaises(TypeError, getntacl, self.lp, self.tempf)
207 def test_setposixacl_getntacl_smbd(self):
208 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
209 group_SID = s4_passdb.gid_to_sid(os.stat(self.tempf).st_gid)
210 user_SID = s4_passdb.uid_to_sid(os.stat(self.tempf).st_uid)
211 smbd.set_simple_acl(self.tempf, 0o640, self.get_session_info())
212 facl = getntacl(self.lp, self.tempf, direct_db_access=False)
213 acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
214 anysid = security.dom_sid(security.SID_NT_SELF)
215 self.assertEquals(acl, facl.as_sddl(anysid))
217 def test_setposixacl_dir_getntacl_smbd(self):
218 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
219 user_SID = s4_passdb.uid_to_sid(os.stat(self.tempdir).st_uid)
220 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
221 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
222 (BA_id, BA_type) = s4_passdb.sid_to_id(BA_sid)
223 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
224 SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
225 (SO_id, SO_type) = s4_passdb.sid_to_id(SO_sid)
226 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
227 smbd.chown(self.tempdir, BA_id, SO_id, self.get_session_info())
228 smbd.set_simple_acl(self.tempdir, 0o750, self.get_session_info())
229 facl = getntacl(self.lp, self.tempdir, direct_db_access=False)
230 acl = "O:BAG:SOD:(A;;0x001f01ff;;;BA)(A;;0x001200a9;;;SO)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)"
232 anysid = security.dom_sid(security.SID_NT_SELF)
233 self.assertEquals(acl, facl.as_sddl(anysid))
235 def test_setposixacl_group_getntacl_smbd(self):
236 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
237 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
238 (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
239 group_SID = s4_passdb.gid_to_sid(os.stat(self.tempf).st_gid)
240 user_SID = s4_passdb.uid_to_sid(os.stat(self.tempf).st_uid)
241 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
242 smbd.set_simple_acl(self.tempf, 0o640, self.get_session_info(), BA_gid)
243 facl = getntacl(self.lp, self.tempf, direct_db_access=False)
244 domsid = passdb.get_global_sam_sid()
245 acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
246 anysid = security.dom_sid(security.SID_NT_SELF)
247 self.assertEquals(acl, facl.as_sddl(anysid))
249 def test_setposixacl_getposixacl(self):
250 smbd.set_simple_acl(self.tempf, 0o640, self.get_session_info())
251 posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
252 self.assertEquals(posix_acl.count, 4, self.print_posix_acl(posix_acl))
254 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_USER_OBJ)
255 self.assertEquals(posix_acl.acl[0].a_perm, 6)
257 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
258 self.assertEquals(posix_acl.acl[1].a_perm, 4)
260 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
261 self.assertEquals(posix_acl.acl[2].a_perm, 0)
263 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_MASK)
264 self.assertEquals(posix_acl.acl[3].a_perm, 7)
266 def test_setposixacl_dir_getposixacl(self):
267 smbd.set_simple_acl(self.tempdir, 0o750, self.get_session_info())
268 posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)
269 self.assertEquals(posix_acl.count, 4, self.print_posix_acl(posix_acl))
271 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_USER_OBJ)
272 self.assertEquals(posix_acl.acl[0].a_perm, 7)
274 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
275 self.assertEquals(posix_acl.acl[1].a_perm, 5)
277 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
278 self.assertEquals(posix_acl.acl[2].a_perm, 0)
280 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_MASK)
281 self.assertEquals(posix_acl.acl[3].a_perm, 7)
283 def test_setposixacl_group_getposixacl(self):
284 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
285 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
286 (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
287 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
288 smbd.set_simple_acl(self.tempf, 0o670, self.get_session_info(), BA_gid)
289 posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
291 self.assertEquals(posix_acl.count, 5, self.print_posix_acl(posix_acl))
293 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_USER_OBJ)
294 self.assertEquals(posix_acl.acl[0].a_perm, 6)
296 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
297 self.assertEquals(posix_acl.acl[1].a_perm, 7)
299 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
300 self.assertEquals(posix_acl.acl[2].a_perm, 0)
302 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_GROUP)
303 self.assertEquals(posix_acl.acl[3].a_perm, 7)
304 self.assertEquals(posix_acl.acl[3].info.gid, BA_gid)
306 self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_MASK)
307 self.assertEquals(posix_acl.acl[4].a_perm, 7)
309 def test_setntacl_sysvol_check_getposixacl(self):
310 acl = provision.SYSVOL_ACL
311 domsid = passdb.get_global_sam_sid()
312 session_info = self.get_session_info(domsid)
313 setntacl(self.lp, self.tempf, acl, str(domsid), use_ntvfs=False,
314 session_info=session_info)
315 facl = getntacl(self.lp, self.tempf)
316 self.assertEquals(facl.as_sddl(domsid), acl)
317 posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
319 nwrap_module_so_path = os.getenv('NSS_WRAPPER_MODULE_SO_PATH')
320 nwrap_module_fn_prefix = os.getenv('NSS_WRAPPER_MODULE_FN_PREFIX')
322 nwrap_winbind_active = (nwrap_module_so_path != "" and
323 nwrap_module_fn_prefix == "winbind")
324 is_user_session = not session_info.security_token.is_system()
326 LA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
327 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
328 SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
329 SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
330 AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
332 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
334 # These assertions correct for current ad_dc selftest
335 # configuration. When other environments have a broad range of
336 # groups mapped via passdb, we can relax some of these checks
337 (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
338 self.assertEquals(LA_type, idmap.ID_TYPE_UID)
339 (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
340 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
341 (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
342 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
343 (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
344 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
345 (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
346 self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)
348 self.assertEquals(posix_acl.count, 13, self.print_posix_acl(posix_acl))
350 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
351 self.assertEquals(posix_acl.acl[0].a_perm, 7)
352 self.assertEquals(posix_acl.acl[0].info.gid, BA_gid)
354 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
355 if nwrap_winbind_active or is_user_session:
356 self.assertEquals(posix_acl.acl[1].a_perm, 7)
358 self.assertEquals(posix_acl.acl[1].a_perm, 6)
359 self.assertEquals(posix_acl.acl[1].info.uid, LA_uid)
361 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
362 self.assertEquals(posix_acl.acl[2].a_perm, 0)
364 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
365 if nwrap_winbind_active or is_user_session:
366 self.assertEquals(posix_acl.acl[3].a_perm, 7)
368 self.assertEquals(posix_acl.acl[3].a_perm, 6)
370 self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_USER)
371 self.assertEquals(posix_acl.acl[4].a_perm, 7)
372 self.assertEquals(posix_acl.acl[4].info.uid, BA_gid)
374 self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
375 self.assertEquals(posix_acl.acl[5].a_perm, 7)
377 self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_USER)
378 self.assertEquals(posix_acl.acl[6].a_perm, 5)
379 self.assertEquals(posix_acl.acl[6].info.uid, SO_gid)
381 self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
382 self.assertEquals(posix_acl.acl[7].a_perm, 5)
383 self.assertEquals(posix_acl.acl[7].info.gid, SO_gid)
385 self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_USER)
386 self.assertEquals(posix_acl.acl[8].a_perm, 7)
387 self.assertEquals(posix_acl.acl[8].info.uid, SY_gid)
389 self.assertEquals(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_GROUP)
390 self.assertEquals(posix_acl.acl[9].a_perm, 7)
391 self.assertEquals(posix_acl.acl[9].info.gid, SY_gid)
393 self.assertEquals(posix_acl.acl[10].a_type, smb_acl.SMB_ACL_USER)
394 self.assertEquals(posix_acl.acl[10].a_perm, 5)
395 self.assertEquals(posix_acl.acl[10].info.uid, AU_gid)
397 self.assertEquals(posix_acl.acl[11].a_type, smb_acl.SMB_ACL_GROUP)
398 self.assertEquals(posix_acl.acl[11].a_perm, 5)
399 self.assertEquals(posix_acl.acl[11].info.gid, AU_gid)
401 self.assertEquals(posix_acl.acl[12].a_type, smb_acl.SMB_ACL_MASK)
402 self.assertEquals(posix_acl.acl[12].a_perm, 7)
404 # check that it matches:
406 # user:root:rwx (selftest user actually)
408 # group:Local Admins:rwx
415 # This is in this order in the NDR smb_acl(not re-orderded for display)
422 # uid: 0 (selftest user actually)
453 def test_setntacl_sysvol_dir_check_getposixacl(self):
454 acl = provision.SYSVOL_ACL
455 domsid = passdb.get_global_sam_sid()
456 session_info = self.get_session_info(domsid)
457 setntacl(self.lp, self.tempdir, acl, str(domsid), use_ntvfs=False,
458 session_info=session_info)
459 facl = getntacl(self.lp, self.tempdir)
460 self.assertEquals(facl.as_sddl(domsid), acl)
461 posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)
463 LA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
464 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
465 SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
466 SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
467 AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
469 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
471 # These assertions correct for current ad_dc selftest
472 # configuration. When other environments have a broad range of
473 # groups mapped via passdb, we can relax some of these checks
474 (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
475 self.assertEquals(LA_type, idmap.ID_TYPE_UID)
476 (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
477 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
478 (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
479 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
480 (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
481 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
482 (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
483 self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)
485 self.assertEquals(posix_acl.count, 13, self.print_posix_acl(posix_acl))
487 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
488 self.assertEquals(posix_acl.acl[0].a_perm, 7)
489 self.assertEquals(posix_acl.acl[0].info.gid, BA_gid)
491 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
492 self.assertEquals(posix_acl.acl[1].a_perm, 7)
493 self.assertEquals(posix_acl.acl[1].info.uid, LA_uid)
495 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
496 self.assertEquals(posix_acl.acl[2].a_perm, 0)
498 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
499 self.assertEquals(posix_acl.acl[3].a_perm, 7)
501 self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_USER)
502 self.assertEquals(posix_acl.acl[4].a_perm, 7)
503 self.assertEquals(posix_acl.acl[4].info.uid, BA_gid)
505 self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
506 self.assertEquals(posix_acl.acl[5].a_perm, 7)
508 self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_USER)
509 self.assertEquals(posix_acl.acl[6].a_perm, 5)
510 self.assertEquals(posix_acl.acl[6].info.uid, SO_gid)
512 self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
513 self.assertEquals(posix_acl.acl[7].a_perm, 5)
514 self.assertEquals(posix_acl.acl[7].info.gid, SO_gid)
516 self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_USER)
517 self.assertEquals(posix_acl.acl[8].a_perm, 7)
518 self.assertEquals(posix_acl.acl[8].info.uid, SY_gid)
520 self.assertEquals(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_GROUP)
521 self.assertEquals(posix_acl.acl[9].a_perm, 7)
522 self.assertEquals(posix_acl.acl[9].info.gid, SY_gid)
524 self.assertEquals(posix_acl.acl[10].a_type, smb_acl.SMB_ACL_USER)
525 self.assertEquals(posix_acl.acl[10].a_perm, 5)
526 self.assertEquals(posix_acl.acl[10].info.uid, AU_gid)
528 self.assertEquals(posix_acl.acl[11].a_type, smb_acl.SMB_ACL_GROUP)
529 self.assertEquals(posix_acl.acl[11].a_perm, 5)
530 self.assertEquals(posix_acl.acl[11].info.gid, AU_gid)
532 self.assertEquals(posix_acl.acl[12].a_type, smb_acl.SMB_ACL_MASK)
533 self.assertEquals(posix_acl.acl[12].a_perm, 7)
535 # check that it matches:
537 # user:root:rwx (selftest user actually)
546 def test_setntacl_policies_dir_check_getposixacl(self):
547 acl = provision.POLICIES_ACL
548 domsid = passdb.get_global_sam_sid()
549 session_info = self.get_session_info(domsid)
550 setntacl(self.lp, self.tempdir, acl, str(domsid), use_ntvfs=False,
551 session_info=session_info)
552 facl = getntacl(self.lp, self.tempdir)
553 self.assertEquals(facl.as_sddl(domsid), acl)
554 posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)
556 LA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
557 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
558 SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
559 SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
560 AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
561 PA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_POLICY_ADMINS))
563 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
565 # These assertions correct for current ad_dc selftest
566 # configuration. When other environments have a broad range of
567 # groups mapped via passdb, we can relax some of these checks
568 (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
569 self.assertEquals(LA_type, idmap.ID_TYPE_UID)
570 (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
571 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
572 (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
573 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
574 (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
575 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
576 (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
577 self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)
578 (PA_gid, PA_type) = s4_passdb.sid_to_id(PA_sid)
579 self.assertEquals(PA_type, idmap.ID_TYPE_BOTH)
581 self.assertEquals(posix_acl.count, 15, self.print_posix_acl(posix_acl))
583 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
584 self.assertEquals(posix_acl.acl[0].a_perm, 7)
585 self.assertEquals(posix_acl.acl[0].info.gid, BA_gid)
587 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
588 self.assertEquals(posix_acl.acl[1].a_perm, 7)
589 self.assertEquals(posix_acl.acl[1].info.uid, LA_uid)
591 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
592 self.assertEquals(posix_acl.acl[2].a_perm, 0)
594 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
595 self.assertEquals(posix_acl.acl[3].a_perm, 7)
597 self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_USER)
598 self.assertEquals(posix_acl.acl[4].a_perm, 7)
599 self.assertEquals(posix_acl.acl[4].info.uid, BA_gid)
601 self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
602 self.assertEquals(posix_acl.acl[5].a_perm, 7)
604 self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_USER)
605 self.assertEquals(posix_acl.acl[6].a_perm, 5)
606 self.assertEquals(posix_acl.acl[6].info.uid, SO_gid)
608 self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
609 self.assertEquals(posix_acl.acl[7].a_perm, 5)
610 self.assertEquals(posix_acl.acl[7].info.gid, SO_gid)
612 self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_USER)
613 self.assertEquals(posix_acl.acl[8].a_perm, 7)
614 self.assertEquals(posix_acl.acl[8].info.uid, SY_gid)
616 self.assertEquals(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_GROUP)
617 self.assertEquals(posix_acl.acl[9].a_perm, 7)
618 self.assertEquals(posix_acl.acl[9].info.gid, SY_gid)
620 self.assertEquals(posix_acl.acl[10].a_type, smb_acl.SMB_ACL_USER)
621 self.assertEquals(posix_acl.acl[10].a_perm, 5)
622 self.assertEquals(posix_acl.acl[10].info.uid, AU_gid)
624 self.assertEquals(posix_acl.acl[11].a_type, smb_acl.SMB_ACL_GROUP)
625 self.assertEquals(posix_acl.acl[11].a_perm, 5)
626 self.assertEquals(posix_acl.acl[11].info.gid, AU_gid)
628 self.assertEquals(posix_acl.acl[12].a_type, smb_acl.SMB_ACL_USER)
629 self.assertEquals(posix_acl.acl[12].a_perm, 7)
630 self.assertEquals(posix_acl.acl[12].info.uid, PA_gid)
632 self.assertEquals(posix_acl.acl[13].a_type, smb_acl.SMB_ACL_GROUP)
633 self.assertEquals(posix_acl.acl[13].a_perm, 7)
634 self.assertEquals(posix_acl.acl[13].info.gid, PA_gid)
636 self.assertEquals(posix_acl.acl[14].a_type, smb_acl.SMB_ACL_MASK)
637 self.assertEquals(posix_acl.acl[14].a_perm, 7)
639 # check that it matches:
641 # user:root:rwx (selftest user actually)
651 def test_setntacl_policies_check_getposixacl(self):
652 acl = provision.POLICIES_ACL
654 domsid = passdb.get_global_sam_sid()
655 session_info = self.get_session_info(domsid)
656 setntacl(self.lp, self.tempf, acl, str(domsid), use_ntvfs=False,
657 session_info=session_info)
658 facl = getntacl(self.lp, self.tempf)
659 self.assertEquals(facl.as_sddl(domsid), acl)
660 posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
662 nwrap_module_so_path = os.getenv('NSS_WRAPPER_MODULE_SO_PATH')
663 nwrap_module_fn_prefix = os.getenv('NSS_WRAPPER_MODULE_FN_PREFIX')
665 nwrap_winbind_active = (nwrap_module_so_path != "" and
666 nwrap_module_fn_prefix == "winbind")
667 is_user_session = not session_info.security_token.is_system()
669 LA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
670 BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
671 SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
672 SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
673 AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
674 PA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_POLICY_ADMINS))
676 s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
678 # These assertions correct for current ad_dc selftest
679 # configuration. When other environments have a broad range of
680 # groups mapped via passdb, we can relax some of these checks
681 (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
682 self.assertEquals(LA_type, idmap.ID_TYPE_UID)
683 (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
684 self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
685 (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
686 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
687 (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
688 self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
689 (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
690 self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)
691 (PA_gid, PA_type) = s4_passdb.sid_to_id(PA_sid)
692 self.assertEquals(PA_type, idmap.ID_TYPE_BOTH)
694 self.assertEquals(posix_acl.count, 15, self.print_posix_acl(posix_acl))
696 self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
697 self.assertEquals(posix_acl.acl[0].a_perm, 7)
698 self.assertEquals(posix_acl.acl[0].info.gid, BA_gid)
700 self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
701 if nwrap_winbind_active or is_user_session:
702 self.assertEquals(posix_acl.acl[1].a_perm, 7)
704 self.assertEquals(posix_acl.acl[1].a_perm, 6)
705 self.assertEquals(posix_acl.acl[1].info.uid, LA_uid)
707 self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
708 self.assertEquals(posix_acl.acl[2].a_perm, 0)
710 self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
711 if nwrap_winbind_active or is_user_session:
712 self.assertEquals(posix_acl.acl[3].a_perm, 7)
714 self.assertEquals(posix_acl.acl[3].a_perm, 6)
716 self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_USER)
717 self.assertEquals(posix_acl.acl[4].a_perm, 7)
718 self.assertEquals(posix_acl.acl[4].info.uid, BA_gid)
720 self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
721 self.assertEquals(posix_acl.acl[5].a_perm, 7)
723 self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_USER)
724 self.assertEquals(posix_acl.acl[6].a_perm, 5)
725 self.assertEquals(posix_acl.acl[6].info.uid, SO_gid)
727 self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
728 self.assertEquals(posix_acl.acl[7].a_perm, 5)
729 self.assertEquals(posix_acl.acl[7].info.gid, SO_gid)
731 self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_USER)
732 self.assertEquals(posix_acl.acl[8].a_perm, 7)
733 self.assertEquals(posix_acl.acl[8].info.uid, SY_gid)
735 self.assertEquals(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_GROUP)
736 self.assertEquals(posix_acl.acl[9].a_perm, 7)
737 self.assertEquals(posix_acl.acl[9].info.gid, SY_gid)
739 self.assertEquals(posix_acl.acl[10].a_type, smb_acl.SMB_ACL_USER)
740 self.assertEquals(posix_acl.acl[10].a_perm, 5)
741 self.assertEquals(posix_acl.acl[10].info.uid, AU_gid)
743 self.assertEquals(posix_acl.acl[11].a_type, smb_acl.SMB_ACL_GROUP)
744 self.assertEquals(posix_acl.acl[11].a_perm, 5)
745 self.assertEquals(posix_acl.acl[11].info.gid, AU_gid)
747 self.assertEquals(posix_acl.acl[12].a_type, smb_acl.SMB_ACL_USER)
748 self.assertEquals(posix_acl.acl[12].a_perm, 7)
749 self.assertEquals(posix_acl.acl[12].info.uid, PA_gid)
751 self.assertEquals(posix_acl.acl[13].a_type, smb_acl.SMB_ACL_GROUP)
752 self.assertEquals(posix_acl.acl[13].a_perm, 7)
753 self.assertEquals(posix_acl.acl[13].info.gid, PA_gid)
755 self.assertEquals(posix_acl.acl[14].a_type, smb_acl.SMB_ACL_MASK)
756 self.assertEquals(posix_acl.acl[14].a_perm, 7)
758 # check that it matches:
760 # user:root:rwx (selftest user actually)
762 # group:Local Admins:rwx
770 # This is in this order in the NDR smb_acl(not re-orderded for display)
777 # uid: 0 (selftest user actually)
813 class SessionedPosixAclMappingTests(PosixAclMappingTests):
815 Run same test suite with session enabled.
818 def get_session_info(self, domsid=DOM_SID):
820 Get session_info for setntacl.
822 if str(domsid) != str(self.samdb.get_domain_sid()):
823 # fake it with admin session as domsid is not in local db
824 return auth.admin_session(self.lp, str(domsid))
826 dn = '<SID={0}-{1}>'.format(domsid, security.DOMAIN_RID_ADMINISTRATOR)
827 flags = (auth.AUTH_SESSION_INFO_DEFAULT_GROUPS |
828 auth.AUTH_SESSION_INFO_AUTHENTICATED |
829 auth.AUTH_SESSION_INFO_SIMPLE_PRIVILEGES)
830 return auth.user_session(self.samdb, lp_ctx=self.lp, dn=dn,
831 session_info_flags=flags)
834 class UnixSessionedPosixAclMappingTests(PosixAclMappingTests):
836 Run same test suite with session enabled.
839 def get_session_info(self, domsid=DOM_SID):
841 Get session_info for setntacl.
843 if str(domsid) != str(self.samdb.get_domain_sid()):
844 # fake it with admin session as domsid is not in local db
845 return auth.admin_session(self.lp, str(domsid))
847 dn = '<SID={0}-{1}>'.format(domsid, security.DOMAIN_RID_ADMINISTRATOR)
848 flags = (auth.AUTH_SESSION_INFO_DEFAULT_GROUPS |
849 auth.AUTH_SESSION_INFO_AUTHENTICATED |
850 auth.AUTH_SESSION_INFO_SIMPLE_PRIVILEGES)
852 session = auth.user_session(self.samdb, lp_ctx=self.lp, dn=dn,
853 session_info_flags=flags)
854 auth.session_info_fill_unix(session,
856 user_name="Administrator")