tests/posixacl: move setUp and tearDown to top
1 # Unix SMB/CIFS implementation. Tests for NT and posix ACL manipulation
2 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
3 # Copyright (C) Andrew Bartlett 2012
4 #
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
9 #
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13 # GNU General Public License for more details.
14 #
15 # You should have received a copy of the GNU General Public License
16 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
17 #
18
19 """Tests for the Samba3 NT -> posix ACL layer"""
20
21 from samba.ntacls import setntacl, getntacl, checkset_backend
22 from samba.dcerpc import security, smb_acl, idmap
23 from samba.tests import TestCaseInTempDir
24 from samba import provision
25 import os
26 from samba.samba3 import smbd, passdb
27 from samba.samba3 import param as s3param
28
# Domain SID the tests stamp their ACLs with; the well-known RIDs -512
# (Domain Admins) and -513 (Domain Users) are appended to it inside ACL.
DOM_SID = "S-1-5-21-2212615479-2695158682-2101375467"
# SDDL descriptor used as the NT ACL in most tests: owner DOM_SID-512,
# group DOM_SID-513, and a single inheritable (OICI) allow ACE granting
# 0x001f01ff (full control) to DOM_SID-512.
ACL = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
31
32
33 class PosixAclMappingTests(TestCaseInTempDir):
34
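    def setUp(self):
        """Build a per-test Samba3 loadparm context and an empty test file.

        ``self.tempdir`` and ``get_loadparm()`` come from the base class.
        The s3 context is pointed at a private ``xattr.tdb`` inside the
        temp dir so each test's NT ACL store is isolated; ``tearDown``
        removes both the file and that tdb.
        """
        super(PosixAclMappingTests, self).setUp()
        s3conf = s3param.get_context()
        s3conf.load(self.get_loadparm().configfile)
        s3conf.set("xattr_tdb:file", os.path.join(self.tempdir, "xattr.tdb"))
        self.lp = s3conf
        self.tempf = os.path.join(self.tempdir, "test")
        # Close the handle deterministically instead of relying on
        # refcount-triggered close, which is an implementation detail.
        with open(self.tempf, 'w') as f:
            f.write("empty")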
43
    def tearDown(self):
        """Remove the test file and the per-test xattr tdb, then chain up."""
        xattr_db = os.path.join(self.tempdir, "xattr.tdb")
        # The test file is removed through smbd rather than os.unlink;
        # presumably so the ACL store is told about the removal -- confirm.
        smbd.unlink(self.tempf)
        os.unlink(xattr_db)
        super(PosixAclMappingTests, self).tearDown()
48
    def print_posix_acl(self, posix_acl):
        """Render a posix ACL as text for use in assertion messages.

        Each entry contributes ``a_type`` and ``a_perm`` (octal) lines,
        plus the uid or gid for SMB_ACL_USER / SMB_ACL_GROUP entries.
        Returns the empty string for an ACL with no entries.
        """
        pieces = []
        for entry in posix_acl.acl:
            pieces.append("a_type: %d\n" % entry.a_type)
            pieces.append("a_perm: %o\n" % entry.a_perm)
            if entry.a_type == smb_acl.SMB_ACL_USER:
                pieces.append("uid: %d\n" % entry.info.uid)
            if entry.a_type == smb_acl.SMB_ACL_GROUP:
                pieces.append("gid: %d\n" % entry.info.gid)
        return "".join(pieces)
59
    def test_setntacl(self):
        """setntacl() through the smbd (non-ntvfs) path must complete without error."""
        setntacl(self.lp, self.tempf, ACL, DOM_SID, use_ntvfs=False)
63
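    def test_setntacl_smbd_getntacl(self):
        """An ACL set via the ntvfs path reads back unchanged via direct DB access."""
        setntacl(self.lp, self.tempf, ACL, DOM_SID, use_ntvfs=True)
        facl = getntacl(self.lp, self.tempf, direct_db_access=True)
        anysid = security.dom_sid(security.SID_NT_SELF)
        # assertEqual: assertEquals is a deprecated alias (gone in Python 3.12).
        self.assertEqual(facl.as_sddl(anysid), ACL)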
70
    def test_setntacl_smbd_setposixacl_getntacl(self):
        """A posix ACL change after an ntvfs-path set leaves no readable NT ACL in the xattr."""
        setntacl(self.lp, self.tempf, ACL, DOM_SID, use_ntvfs=True)

        # This will invalidate the ACL, as we have a hook!
        smbd.set_simple_acl(self.tempf, 0o640)

        # However, this only asks the xattr
        with self.assertRaises(TypeError):
            getntacl(self.lp, self.tempf, direct_db_access=True)
81
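    def test_setntacl_invalidate_getntacl(self):
        """A fake posix-ACL xattr is not noticed by a direct DB read.

        The NT ACL is stored through the ntvfs path, then a bogus
        ``system.fake_access_acl`` xattr is written via the storage
        backend.  Per the comments in this file the posix ACL feeds the
        stored hash, but ``direct_db_access=True`` is expected to return
        the stored SDDL without consulting it.
        """
        setntacl(self.lp, self.tempf, ACL, DOM_SID, use_ntvfs=True)

        # This should invalidate the ACL, as we include the posix ACL in the hash
        (backend_obj, dbname) = checkset_backend(self.lp, None, None)
        backend_obj.wrap_setxattr(dbname,
                                  self.tempf, "system.fake_access_acl", b"")

        # however, as this is direct DB access, we do not notice it
        facl = getntacl(self.lp, self.tempf, direct_db_access=True)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(ACL, facl.as_sddl(anysid))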
95
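    def test_setntacl_invalidate_getntacl_smbd(self):
        """A fake posix-ACL xattr does not change what the smbd path returns.

        NOTE(review): the original comment below speaks of the 'ntvfs'
        mode, but the call passes ``use_ntvfs=False``; the assertion that
        the SDDL survives is what the test pins -- confirm which mode was
        meant before relying on the comment.
        """
        setntacl(self.lp, self.tempf, ACL, DOM_SID, use_ntvfs=False)

        # This should invalidate the ACL, as we include the posix ACL in the hash
        (backend_obj, dbname) = checkset_backend(self.lp, None, None)
        backend_obj.wrap_setxattr(dbname,
                                  self.tempf, "system.fake_access_acl", b"")

        # the hash would break, and we return an ACL based only on the mode,
        # except we set the ACL using the 'ntvfs' mode that doesn't include a hash
        facl = getntacl(self.lp, self.tempf)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(ACL, facl.as_sddl(anysid))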
109
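    def test_setntacl_smbd_invalidate_getntacl_smbd(self):
        """Once the hash is broken, the smbd path rebuilds the ACL from the mode.

        The file is chmod'ed to 0o750 first, so the expected SDDL is the
        mode-derived one: 0x001f01ff for the owner, 0x001200a9 for the
        group and an empty allow ACE for Everyone (WD).  This is the
        defensive behaviour the hash exists for: a stale stored NT ACL is
        not trusted once the posix side has changed underneath it.
        """
        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
        os.chmod(self.tempf, 0o750)
        setntacl(self.lp, self.tempf, ACL, DOM_SID, use_ntvfs=False)

        # This should invalidate the ACL, as we include the posix ACL in the hash
        (backend_obj, dbname) = checkset_backend(self.lp, None, None)
        backend_obj.wrap_setxattr(dbname,
                                  self.tempf, "system.fake_access_acl", b"")

        # the hash will break, and we return an ACL based only on the mode
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(simple_acl_from_posix, facl.as_sddl(anysid))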
125
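    def test_setntacl_getntacl_smbd(self):
        """An ACL set via the ntvfs path reads back unchanged via the smbd path."""
        setntacl(self.lp, self.tempf, ACL, DOM_SID, use_ntvfs=True)
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(facl.as_sddl(anysid), ACL)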
132
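    def test_setntacl_smbd_getntacl_smbd(self):
        """An ACL set via the smbd path reads back unchanged via the smbd path."""
        setntacl(self.lp, self.tempf, ACL, DOM_SID, use_ntvfs=False)
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(facl.as_sddl(anysid), ACL)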
139
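    def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
        """A posix ACL set after the NT ACL makes the smbd path fall back to the mode.

        With mode 0o640 the expected SDDL carries 0x001f019f for the owner,
        0x00120089 for the group and an empty allow ACE for Everyone.
        """
        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
        setntacl(self.lp, self.tempf, ACL, DOM_SID, use_ntvfs=False)
        # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
        smbd.set_simple_acl(self.tempf, 0o640)
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(simple_acl_from_posix, facl.as_sddl(anysid))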
149
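    def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self):
        """A posix ACL with an extra group entry is reflected in the rebuilt NT ACL.

        BUILTIN\\Administrators is mapped to a gid through passdb and added
        to the posix ACL; the recomputed SDDL must then carry a 0x00120089
        ACE for BA between the owner and primary-group ACEs.
        """
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;BA)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
        setntacl(self.lp, self.tempf, ACL, DOM_SID, use_ntvfs=False)
        # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        smbd.set_simple_acl(self.tempf, 0o640, BA_gid)

        # This should re-calculate an ACL based on the posix details
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(simple_acl_from_posix, facl.as_sddl(anysid))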
164
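    def test_setntacl_smbd_getntacl_smbd_gpo(self):
        """A GPO-style SDDL (protected DACL plus inherited SACL) round-trips via smbd.

        The descriptor uses well-known aliases (DA, EA, CO, SY, AU, ED) so
        it is rendered back with the domain SID rather than SID_NT_SELF.
        """
        acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False)
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        domsid = security.dom_sid(DOM_SID)
        self.assertEqual(facl.as_sddl(domsid), acl)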
171
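    def test_setntacl_getposixacl(self):
        """After an smbd-path set the NT ACL reads back and the posix ACL is readable.

        The posix ACL is only fetched to exercise ``get_sys_acl``; nothing
        is asserted about its contents here.
        """
        setntacl(self.lp, self.tempf, ACL, DOM_SID, use_ntvfs=False)
        facl = getntacl(self.lp, self.tempf)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(facl.as_sddl(anysid), ACL)
        # Called for effect only; the original bound the result to an unused local.
        smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)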
179
    def test_setposixacl_getntacl(self):
        """With only a posix ACL set, the xattr-backed read has nothing to return."""
        smbd.set_simple_acl(self.tempf, 0o750)
        # We don't expect the xattr to be filled in in this case
        with self.assertRaises(TypeError):
            getntacl(self.lp, self.tempf)
184
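    def test_setposixacl_getntacl_smbd(self):
        """With only a posix ACL (0o640) the smbd path synthesises an owner/group/WD SDDL."""
        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
        # One stat for both ids; the original called os.stat twice.
        st = os.stat(self.tempf)
        group_SID = s4_passdb.gid_to_sid(st.st_gid)
        user_SID = s4_passdb.uid_to_sid(st.st_uid)
        smbd.set_simple_acl(self.tempf, 0o640)
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        # Expected mapping for 0o640: 0x001f019f owner, 0x00120089 group,
        # empty allow ACE for Everyone.
        acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(acl, facl.as_sddl(anysid))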
194
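    def test_setposixacl_dir_getntacl_smbd(self):
        """A directory owned BA:SO with posix mode 0o750 maps to an SDDL with inherit-only ACEs.

        BA and SO must both map as ID_TYPE_BOTH so they can be used as
        uid and gid in ``smbd.chown``.  The expected SDDL adds OICIIO
        creator-owner / creator-group / Everyone ACEs for the directory.
        """
        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        (BA_id, BA_type) = s4_passdb.sid_to_id(BA_sid)
        self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
        SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
        (SO_id, SO_type) = s4_passdb.sid_to_id(SO_sid)
        self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)
        smbd.chown(self.tempdir, BA_id, SO_id)
        smbd.set_simple_acl(self.tempdir, 0o750)
        facl = getntacl(self.lp, self.tempdir, direct_db_access=False)
        acl = "O:BAG:SOD:(A;;0x001f01ff;;;BA)(A;;0x001200a9;;;SO)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)"

        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(acl, facl.as_sddl(anysid))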
212
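    def test_setposixacl_group_getntacl_smbd(self):
        """A posix ACL with an extra BA group entry yields an SDDL with a BA ACE.

        The extra ACE (0x00120089 for BA) is expected between the owner
        and primary-group ACEs.
        """
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        st = os.stat(self.tempf)
        group_SID = s4_passdb.gid_to_sid(st.st_gid)
        user_SID = s4_passdb.uid_to_sid(st.st_uid)
        self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
        smbd.set_simple_acl(self.tempf, 0o640, BA_gid)
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
        anysid = security.dom_sid(security.SID_NT_SELF)
        self.assertEqual(acl, facl.as_sddl(anysid))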
226
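    def test_setposixacl_getposixacl(self):
        """set_simple_acl(0o640) on a file yields USER_OBJ 6, GROUP_OBJ 4, OTHER 0, MASK 7."""
        smbd.set_simple_acl(self.tempf, 0o640)
        posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
        self.assertEqual(posix_acl.count, 4, self.print_posix_acl(posix_acl))

        # (a_type, a_perm) in the order the NDR smb_acl returns them.
        expected = [
            (smb_acl.SMB_ACL_USER_OBJ, 6),
            (smb_acl.SMB_ACL_GROUP_OBJ, 4),
            (smb_acl.SMB_ACL_OTHER, 0),
            (smb_acl.SMB_ACL_MASK, 7),
        ]
        for idx, (a_type, a_perm) in enumerate(expected):
            entry = posix_acl.acl[idx]
            self.assertEqual(entry.a_type, a_type, "entry %d" % idx)
            self.assertEqual(entry.a_perm, a_perm, "entry %d" % idx)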
243
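    def test_setposixacl_dir_getposixacl(self):
        """set_simple_acl(0o750) on a directory yields USER_OBJ 7, GROUP_OBJ 5, OTHER 0, MASK 7."""
        smbd.set_simple_acl(self.tempdir, 0o750)
        posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)
        self.assertEqual(posix_acl.count, 4, self.print_posix_acl(posix_acl))

        # (a_type, a_perm) in the order the NDR smb_acl returns them.
        expected = [
            (smb_acl.SMB_ACL_USER_OBJ, 7),
            (smb_acl.SMB_ACL_GROUP_OBJ, 5),
            (smb_acl.SMB_ACL_OTHER, 0),
            (smb_acl.SMB_ACL_MASK, 7),
        ]
        for idx, (a_type, a_perm) in enumerate(expected):
            entry = posix_acl.acl[idx]
            self.assertEqual(entry.a_type, a_type, "entry %d" % idx)
            self.assertEqual(entry.a_perm, a_perm, "entry %d" % idx)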
260
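    def test_setposixacl_group_getposixacl(self):
        """set_simple_acl(0o670, BA_gid) adds a GROUP entry for BA with perm 7.

        Five entries are expected: USER_OBJ, GROUP_OBJ, OTHER, the named
        GROUP for BA, and MASK.
        """
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
        smbd.set_simple_acl(self.tempf, 0o670, BA_gid)
        posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

        self.assertEqual(posix_acl.count, 5, self.print_posix_acl(posix_acl))

        # (a_type, a_perm, gid-or-None) in NDR order; only the named GROUP
        # entry carries a gid to check.
        expected = [
            (smb_acl.SMB_ACL_USER_OBJ, 6, None),
            (smb_acl.SMB_ACL_GROUP_OBJ, 7, None),
            (smb_acl.SMB_ACL_OTHER, 0, None),
            (smb_acl.SMB_ACL_GROUP, 7, BA_gid),
            (smb_acl.SMB_ACL_MASK, 7, None),
        ]
        for idx, (a_type, a_perm, gid) in enumerate(expected):
            entry = posix_acl.acl[idx]
            self.assertEqual(entry.a_type, a_type, "entry %d" % idx)
            self.assertEqual(entry.a_perm, a_perm, "entry %d" % idx)
            if gid is not None:
                self.assertEqual(entry.info.gid, gid, "entry %d" % idx)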
286
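    def test_setntacl_sysvol_check_getposixacl(self):
        """Setting provision.SYSVOL_ACL on a file yields the expected 13-entry posix ACL.

        The SDDL must read back intact, and the posix ACL derived from it
        must carry the entries listed in ``expected`` below, in NDR order.
        The owner-side perms (entries 1 and 3) depend on whether nss_wrapper
        is routing lookups through winbind.

        Fixes a copy-paste slip in the original: the type returned for
        SID_NT_SYSTEM was never checked (SO_type was asserted twice).  SY's
        id is used as both uid and gid below, so ID_TYPE_BOTH is what the
        later checks already assume.
        """
        acl = provision.SYSVOL_ACL
        domsid = passdb.get_global_sam_sid()
        setntacl(self.lp, self.tempf, acl, str(domsid), use_ntvfs=False)
        facl = getntacl(self.lp, self.tempf)
        self.assertEqual(facl.as_sddl(domsid), acl)
        posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

        nwrap_module_so_path = os.getenv('NSS_WRAPPER_MODULE_SO_PATH')
        nwrap_module_fn_prefix = os.getenv('NSS_WRAPPER_MODULE_FN_PREFIX')

        # os.getenv() returns None when unset; treat unset and empty alike
        # (the original compared only against "", which let None through).
        nwrap_winbind_active = (bool(nwrap_module_so_path) and
                                nwrap_module_fn_prefix == "winbind")

        LA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
        SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
        AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)

        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))

        # These assertions correct for current ad_dc selftest
        # configuration.  When other environments have a broad range of
        # groups mapped via passdb, we can relax some of these checks
        (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
        self.assertEqual(LA_type, idmap.ID_TYPE_UID)
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
        (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
        self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)
        (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
        self.assertEqual(SY_type, idmap.ID_TYPE_BOTH)
        (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
        self.assertEqual(AU_type, idmap.ID_TYPE_BOTH)

        self.assertEqual(posix_acl.count, 13, self.print_posix_acl(posix_acl))

        owner_perm = 7 if nwrap_winbind_active else 6

        # (a_type, a_perm, id) in NDR order.  id is checked against
        # info.uid for SMB_ACL_USER and info.gid for SMB_ACL_GROUP entries;
        # it is None for the *_OBJ / OTHER / MASK entries.
        expected = [
            (smb_acl.SMB_ACL_GROUP, 7, BA_gid),
            (smb_acl.SMB_ACL_USER, owner_perm, LA_uid),
            (smb_acl.SMB_ACL_OTHER, 0, None),
            (smb_acl.SMB_ACL_USER_OBJ, owner_perm, None),
            (smb_acl.SMB_ACL_USER, 7, BA_gid),
            (smb_acl.SMB_ACL_GROUP_OBJ, 7, None),
            (smb_acl.SMB_ACL_USER, 5, SO_gid),
            (smb_acl.SMB_ACL_GROUP, 5, SO_gid),
            (smb_acl.SMB_ACL_USER, 7, SY_gid),
            (smb_acl.SMB_ACL_GROUP, 7, SY_gid),
            (smb_acl.SMB_ACL_USER, 5, AU_gid),
            (smb_acl.SMB_ACL_GROUP, 5, AU_gid),
            (smb_acl.SMB_ACL_MASK, 7, None),
        ]
        for idx, (a_type, a_perm, ident) in enumerate(expected):
            entry = posix_acl.acl[idx]
            self.assertEqual(entry.a_type, a_type, "entry %d" % idx)
            self.assertEqual(entry.a_perm, a_perm, "entry %d" % idx)
            if a_type == smb_acl.SMB_ACL_USER:
                self.assertEqual(entry.info.uid, ident, "entry %d" % idx)
            elif a_type == smb_acl.SMB_ACL_GROUP:
                self.assertEqual(entry.info.gid, ident, "entry %d" % idx)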
378
379
380 # check that it matches:
381 # user::rwx
382 # user:root:rwx (selftest user actually)
383 # group::rwx
384 # group:Local Admins:rwx
385 # group:3000000:r-x
386 # group:3000001:rwx
387 # group:3000002:r-x
388 # mask::rwx
389 # other::---
390
391 #
392 # This is in this order in the NDR smb_acl (not re-ordered for display)
393 # a_type: GROUP
394 # a_perm: 7
395 # uid: -1
396 # gid: 10
397 # a_type: USER
398 # a_perm: 6
399 # uid: 0 (selftest user actually)
400 # gid: -1
401 # a_type: OTHER
402 # a_perm: 0
403 # uid: -1
404 # gid: -1
405 # a_type: USER_OBJ
406 # a_perm: 6
407 # uid: -1
408 # gid: -1
409 # a_type: GROUP_OBJ
410 # a_perm: 7
411 # uid: -1
412 # gid: -1
413 # a_type: GROUP
414 # a_perm: 5
415 # uid: -1
416 # gid: 3000020
417 # a_type: GROUP
418 # a_perm: 7
419 # uid: -1
420 # gid: 3000000
421 # a_type: GROUP
422 # a_perm: 5
423 # uid: -1
424 # gid: 3000001
425 # a_type: MASK
426 # a_perm: 7
427 # uid: -1
428 # gid: -1
429
430 #
431
432
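    def test_setntacl_sysvol_dir_check_getposixacl(self):
        """Setting provision.SYSVOL_ACL on a directory yields the expected 13-entry posix ACL.

        Same shape as the file variant, but the owner-side entries are
        expected to carry perm 7 unconditionally.

        Fixes a copy-paste slip in the original: the type returned for
        SID_NT_SYSTEM was never checked (SO_type was asserted twice).  SY's
        id is used as both uid and gid below, so ID_TYPE_BOTH is what the
        later checks already assume.
        """
        acl = provision.SYSVOL_ACL
        domsid = passdb.get_global_sam_sid()
        setntacl(self.lp, self.tempdir, acl, str(domsid), use_ntvfs=False)
        facl = getntacl(self.lp, self.tempdir)
        self.assertEqual(facl.as_sddl(domsid), acl)
        posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)

        LA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
        SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
        AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)

        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))

        # These assertions correct for current ad_dc selftest
        # configuration.  When other environments have a broad range of
        # groups mapped via passdb, we can relax some of these checks
        (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
        self.assertEqual(LA_type, idmap.ID_TYPE_UID)
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
        (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
        self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)
        (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
        self.assertEqual(SY_type, idmap.ID_TYPE_BOTH)
        (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
        self.assertEqual(AU_type, idmap.ID_TYPE_BOTH)

        self.assertEqual(posix_acl.count, 13, self.print_posix_acl(posix_acl))

        # (a_type, a_perm, id) in NDR order.  id is checked against
        # info.uid for SMB_ACL_USER and info.gid for SMB_ACL_GROUP entries;
        # it is None for the *_OBJ / OTHER / MASK entries.
        expected = [
            (smb_acl.SMB_ACL_GROUP, 7, BA_gid),
            (smb_acl.SMB_ACL_USER, 7, LA_uid),
            (smb_acl.SMB_ACL_OTHER, 0, None),
            (smb_acl.SMB_ACL_USER_OBJ, 7, None),
            (smb_acl.SMB_ACL_USER, 7, BA_gid),
            (smb_acl.SMB_ACL_GROUP_OBJ, 7, None),
            (smb_acl.SMB_ACL_USER, 5, SO_gid),
            (smb_acl.SMB_ACL_GROUP, 5, SO_gid),
            (smb_acl.SMB_ACL_USER, 7, SY_gid),
            (smb_acl.SMB_ACL_GROUP, 7, SY_gid),
            (smb_acl.SMB_ACL_USER, 5, AU_gid),
            (smb_acl.SMB_ACL_GROUP, 5, AU_gid),
            (smb_acl.SMB_ACL_MASK, 7, None),
        ]
        for idx, (a_type, a_perm, ident) in enumerate(expected):
            entry = posix_acl.acl[idx]
            self.assertEqual(entry.a_type, a_type, "entry %d" % idx)
            self.assertEqual(entry.a_perm, a_perm, "entry %d" % idx)
            if a_type == smb_acl.SMB_ACL_USER:
                self.assertEqual(entry.info.uid, ident, "entry %d" % idx)
            elif a_type == smb_acl.SMB_ACL_GROUP:
                self.assertEqual(entry.info.gid, ident, "entry %d" % idx)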
512
513
514 # check that it matches:
515 # user::rwx
516 # user:root:rwx (selftest user actually)
517 # group::rwx
518 # group:3000000:rwx
519 # group:3000001:r-x
520 # group:3000002:rwx
521 # group:3000003:r-x
522 # mask::rwx
523 # other::---
524
525
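    def test_setntacl_policies_dir_check_getposixacl(self):
        """Setting provision.POLICIES_ACL on a directory yields the expected 15-entry posix ACL.

        Same layout as the SYSVOL directory case plus a USER/GROUP pair for
        the domain's Group Policy Creator Owners (DOMAIN_RID_POLICY_ADMINS)
        before the MASK entry.

        Fixes a copy-paste slip in the original: the type returned for
        SID_NT_SYSTEM was never checked (SO_type was asserted twice).  SY's
        id is used as both uid and gid below, so ID_TYPE_BOTH is what the
        later checks already assume.
        """
        acl = provision.POLICIES_ACL
        domsid = passdb.get_global_sam_sid()
        setntacl(self.lp, self.tempdir, acl, str(domsid), use_ntvfs=False)
        facl = getntacl(self.lp, self.tempdir)
        self.assertEqual(facl.as_sddl(domsid), acl)
        posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)

        LA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
        SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
        AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
        PA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_POLICY_ADMINS))

        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))

        # These assertions correct for current ad_dc selftest
        # configuration.  When other environments have a broad range of
        # groups mapped via passdb, we can relax some of these checks
        (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
        self.assertEqual(LA_type, idmap.ID_TYPE_UID)
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
        (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
        self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)
        (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
        self.assertEqual(SY_type, idmap.ID_TYPE_BOTH)
        (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
        self.assertEqual(AU_type, idmap.ID_TYPE_BOTH)
        (PA_gid, PA_type) = s4_passdb.sid_to_id(PA_sid)
        self.assertEqual(PA_type, idmap.ID_TYPE_BOTH)

        self.assertEqual(posix_acl.count, 15, self.print_posix_acl(posix_acl))

        # (a_type, a_perm, id) in NDR order.  id is checked against
        # info.uid for SMB_ACL_USER and info.gid for SMB_ACL_GROUP entries;
        # it is None for the *_OBJ / OTHER / MASK entries.
        expected = [
            (smb_acl.SMB_ACL_GROUP, 7, BA_gid),
            (smb_acl.SMB_ACL_USER, 7, LA_uid),
            (smb_acl.SMB_ACL_OTHER, 0, None),
            (smb_acl.SMB_ACL_USER_OBJ, 7, None),
            (smb_acl.SMB_ACL_USER, 7, BA_gid),
            (smb_acl.SMB_ACL_GROUP_OBJ, 7, None),
            (smb_acl.SMB_ACL_USER, 5, SO_gid),
            (smb_acl.SMB_ACL_GROUP, 5, SO_gid),
            (smb_acl.SMB_ACL_USER, 7, SY_gid),
            (smb_acl.SMB_ACL_GROUP, 7, SY_gid),
            (smb_acl.SMB_ACL_USER, 5, AU_gid),
            (smb_acl.SMB_ACL_GROUP, 5, AU_gid),
            (smb_acl.SMB_ACL_USER, 7, PA_gid),
            (smb_acl.SMB_ACL_GROUP, 7, PA_gid),
            (smb_acl.SMB_ACL_MASK, 7, None),
        ]
        for idx, (a_type, a_perm, ident) in enumerate(expected):
            entry = posix_acl.acl[idx]
            self.assertEqual(entry.a_type, a_type, "entry %d" % idx)
            self.assertEqual(entry.a_perm, a_perm, "entry %d" % idx)
            if a_type == smb_acl.SMB_ACL_USER:
                self.assertEqual(entry.info.uid, ident, "entry %d" % idx)
            elif a_type == smb_acl.SMB_ACL_GROUP:
                self.assertEqual(entry.info.gid, ident, "entry %d" % idx)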
616
617
618 # check that it matches:
619 # user::rwx
620 # user:root:rwx  (selftest user actually)
621 # group::rwx
622 # group:3000000:rwx
623 # group:3000001:r-x
624 # group:3000002:rwx
625 # group:3000003:r-x
626 # group:3000004:rwx
627 # mask::rwx
628 # other::---
629
630
631
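    def test_setntacl_policies_check_getposixacl(self):
        """Write provision.POLICIES_ACL to the temp file and verify both layers.

        The NT ACL is stored with setntacl(), read back with getntacl() and
        compared as SDDL; the resulting POSIX access ACL is then read with
        smbd.get_sys_acl() and checked entry by entry against the uid/gid
        that the passdb backend maps each well-known SID to.  The checks
        include that the OTHER entry carries no permission bits, i.e. the
        NT -> POSIX mapping does not widen access beyond the named entries.
        """
        acl = provision.POLICIES_ACL

        domsid = passdb.get_global_sam_sid()
        setntacl(self.lp, self.tempf, acl, str(domsid), use_ntvfs=False)
        facl = getntacl(self.lp, self.tempf)
        # Round-trip check of the NT ACL itself before looking at the
        # POSIX projection.
        self.assertEqual(facl.as_sddl(domsid), acl)
        posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

        # os.getenv() returns None for an unset variable, so a plain
        # `!= ""` test would treat "unset" as "set"; require a non-empty
        # module path AND the winbind prefix.
        nwrap_module_so_path = os.getenv('NSS_WRAPPER_MODULE_SO_PATH')
        nwrap_module_fn_prefix = os.getenv('NSS_WRAPPER_MODULE_FN_PREFIX')

        nwrap_winbind_active = bool(nwrap_module_so_path and
                                    nwrap_module_fn_prefix == "winbind")

        LA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
        SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
        AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
        PA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_POLICY_ADMINS))

        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))

        # These assertions correct for current ad_dc selftest
        # configuration.  When other environments have a broad range of
        # groups mapped via passdb, we can relax some of these checks
        (LA_uid, LA_type) = s4_passdb.sid_to_id(LA_sid)
        self.assertEqual(LA_type, idmap.ID_TYPE_UID)
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        self.assertEqual(BA_type, idmap.ID_TYPE_BOTH)
        (SO_gid, SO_type) = s4_passdb.sid_to_id(SO_sid)
        self.assertEqual(SO_type, idmap.ID_TYPE_BOTH)
        (SY_gid, SY_type) = s4_passdb.sid_to_id(SY_sid)
        # Check SY_type here (previously this re-checked SO_type by mistake,
        # leaving the SYSTEM SID's mapping type unverified).
        self.assertEqual(SY_type, idmap.ID_TYPE_BOTH)
        (AU_gid, AU_type) = s4_passdb.sid_to_id(AU_sid)
        self.assertEqual(AU_type, idmap.ID_TYPE_BOTH)
        (PA_gid, PA_type) = s4_passdb.sid_to_id(PA_sid)
        self.assertEqual(PA_type, idmap.ID_TYPE_BOTH)

        self.assertEqual(posix_acl.count, 15, self.print_posix_acl(posix_acl))

        self.assertEqual(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEqual(posix_acl.acl[0].a_perm, 7)
        self.assertEqual(posix_acl.acl[0].info.gid, BA_gid)

        # The Administrator (LA) user entry and the owner entry are expected
        # to differ between the nss_wrapper winbind setup and the plain
        # setup (7 vs 6); presumably the owner uid resolves differently in
        # the two environments -- confirm against the selftest config.
        self.assertEqual(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
        if nwrap_winbind_active:
            self.assertEqual(posix_acl.acl[1].a_perm, 7)
        else:
            self.assertEqual(posix_acl.acl[1].a_perm, 6)
        self.assertEqual(posix_acl.acl[1].info.uid, LA_uid)

        # "other" must get nothing from the policies ACL.
        self.assertEqual(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
        self.assertEqual(posix_acl.acl[2].a_perm, 0)

        self.assertEqual(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
        if nwrap_winbind_active:
            self.assertEqual(posix_acl.acl[3].a_perm, 7)
        else:
            self.assertEqual(posix_acl.acl[3].a_perm, 6)

        # BA is an ID_TYPE_BOTH mapping, so it appears both as a USER entry
        # (below) and as the GROUP entry at index 0, with the same id.
        self.assertEqual(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_USER)
        self.assertEqual(posix_acl.acl[4].a_perm, 7)
        self.assertEqual(posix_acl.acl[4].info.uid, BA_gid)

        self.assertEqual(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
        self.assertEqual(posix_acl.acl[5].a_perm, 7)

        self.assertEqual(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_USER)
        self.assertEqual(posix_acl.acl[6].a_perm, 5)
        self.assertEqual(posix_acl.acl[6].info.uid, SO_gid)

        self.assertEqual(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEqual(posix_acl.acl[7].a_perm, 5)
        self.assertEqual(posix_acl.acl[7].info.gid, SO_gid)

        self.assertEqual(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_USER)
        self.assertEqual(posix_acl.acl[8].a_perm, 7)
        self.assertEqual(posix_acl.acl[8].info.uid, SY_gid)

        self.assertEqual(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEqual(posix_acl.acl[9].a_perm, 7)
        self.assertEqual(posix_acl.acl[9].info.gid, SY_gid)

        self.assertEqual(posix_acl.acl[10].a_type, smb_acl.SMB_ACL_USER)
        self.assertEqual(posix_acl.acl[10].a_perm, 5)
        self.assertEqual(posix_acl.acl[10].info.uid, AU_gid)

        self.assertEqual(posix_acl.acl[11].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEqual(posix_acl.acl[11].a_perm, 5)
        self.assertEqual(posix_acl.acl[11].info.gid, AU_gid)

        self.assertEqual(posix_acl.acl[12].a_type, smb_acl.SMB_ACL_USER)
        self.assertEqual(posix_acl.acl[12].a_perm, 7)
        self.assertEqual(posix_acl.acl[12].info.uid, PA_gid)

        self.assertEqual(posix_acl.acl[13].a_type, smb_acl.SMB_ACL_GROUP)
        self.assertEqual(posix_acl.acl[13].a_perm, 7)
        self.assertEqual(posix_acl.acl[13].info.gid, PA_gid)

        self.assertEqual(posix_acl.acl[14].a_type, smb_acl.SMB_ACL_MASK)
        self.assertEqual(posix_acl.acl[14].a_perm, 7)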
735
736
737 # check that it matches:
738 # user::rwx
739 # user:root:rwx (selftest user actually)
740 # group::rwx
741 # group:Local Admins:rwx
742 # group:3000000:r-x
743 # group:3000001:rwx
744 # group:3000002:r-x
745 # group:3000003:rwx
746 # mask::rwx
747 # other::---
748
749 #
750 # This is in this order in the NDR smb_acl (not re-ordered for display)
751 # a_type: GROUP
752 # a_perm: 7
753 # uid: -1
754 # gid: 10
755 # a_type: USER
756 # a_perm: 6
757 # uid: 0 (selftest user actually)
758 # gid: -1
759 # a_type: OTHER
760 # a_perm: 0
761 # uid: -1
762 # gid: -1
763 # a_type: USER_OBJ
764 # a_perm: 6
765 # uid: -1
766 # gid: -1
767 # a_type: GROUP_OBJ
768 # a_perm: 7
769 # uid: -1
770 # gid: -1
771 # a_type: GROUP
772 # a_perm: 5
773 # uid: -1
774 # gid: 3000020
775 # a_type: GROUP
776 # a_perm: 7
777 # uid: -1
778 # gid: 3000000
779 # a_type: GROUP
780 # a_perm: 5
781 # uid: -1
782 # gid: 3000001
783 # a_type: GROUP
784 # a_perm: 7
785 # uid: -1
786 # gid: 3000003
787 # a_type: MASK
788 # a_perm: 7
789 # uid: -1
790 # gid: -1