1 # Unix SMB/CIFS implementation. Tests for NT and posix ACL manipulation
2 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
3 # Copyright (C) Andrew Bartlett 2012
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 """Tests for the Samba3 NT -> posix ACL layer"""
import os

from samba import auth
from samba import provision
from samba.dcerpc import security, smb_acl, idmap
from samba.ntacls import setntacl, getntacl, checkset_backend
from samba.samba3 import param as s3param
from samba.samba3 import smbd, passdb
from samba.samdb import SamDB
from samba.tests import TestCaseInTempDir
# Domain SID of the test domain; the SDDL below is spelled out relative to it.
DOM_SID = "S-1-5-21-2212615479-2695158682-2101375467"
# SDDL used by most tests: owner DOM_SID-512 (Domain Admins RID), group
# DOM_SID-513 (Domain Users RID), and a single allow ACE with OI/CI
# inheritance and access mask 0x001f01ff for DOM_SID-512.
ACL = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
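class PosixAclMappingTests(TestCaseInTempDir):
    """Tests for the Samba3 NT ACL -> POSIX ACL mapping on a temp file/dir.

    Each test stores an NT ACL with setntacl() -- either the 'ntvfs' path
    (xattr only, use_ntvfs=True) or the smbd path that also writes a POSIX
    ACL (use_ntvfs=False) -- and reads it back with getntacl() (straight
    from the backend db with direct_db_access=True, or through smbd) or
    with smbd.get_sys_acl().  Several tests then change the POSIX side
    underneath the stored NT ACL and check that the hash-protected NT ACL
    is either invalidated or rebuilt from the POSIX details.

    The expected POSIX entry layouts are correct for the current ad_dc
    selftest idmap configuration; environments with a broader range of
    groups mapped via passdb may need some of these checks relaxed.
    """

    def setUp(self):
        """Point the xattr tdb into the temp dir and create the test file."""
        super(PosixAclMappingTests, self).setUp()
        s3conf = s3param.get_context()
        s3conf.load(self.get_loadparm().configfile)
        s3conf.set("xattr_tdb:file", os.path.join(self.tempdir, "xattr.tdb"))

        self.tempf = os.path.join(self.tempdir, "test")
        # Close the handle deterministically; the original left the file
        # returned by open(...).write(...) for the GC to close.
        with open(self.tempf, 'w') as f:
            f.write("empty")
        self.samdb = SamDB(lp=self.lp, session_info=auth.system_session())

    def tearDown(self):
        """Remove the test file (via smbd) and the xattr tdb."""
        smbd.unlink(self.tempf)
        os.unlink(os.path.join(self.tempdir, "xattr.tdb"))
        super(PosixAclMappingTests, self).tearDown()

    def get_session_info(self, domsid=DOM_SID):
        """Get session_info for setntacl.

        This base class always returns None, so the tests run without a
        session_info as they did historically.  Derived classes override it
        to supply a real session.
        """
        return None

    def print_posix_acl(self, posix_acl):
        """Render *posix_acl* as text, used as the message of count asserts."""
        lines = []
        for entry in posix_acl.acl:
            lines.append("a_type: %d\n" % entry.a_type)
            lines.append("a_perm: %o\n" % entry.a_perm)
            if entry.a_type == smb_acl.SMB_ACL_USER:
                lines.append("uid: %d\n" % entry.info.uid)
            if entry.a_type == smb_acl.SMB_ACL_GROUP:
                lines.append("gid: %d\n" % entry.info.gid)
        return "".join(lines)

    # -- helpers ----------------------------------------------------------

    @staticmethod
    def _sddl_for_self(facl):
        """Return *facl* as SDDL relative to SID_NT_SELF.

        Using SID_NT_SELF as the domain SID keeps the DOM_SID-based SIDs
        spelled out in full, which is how ACL and the expected strings in
        the tests are written.
        """
        anysid = security.dom_sid(security.SID_NT_SELF)
        return facl.as_sddl(anysid)

    def _fake_posix_acl_xattr(self):
        """Overwrite the POSIX ACL xattr of self.tempf in the backend.

        The stored NT ACL includes the POSIX ACL in its hash, so this is
        what the invalidation tests use to break that hash.
        """
        (backend_obj, dbname) = checkset_backend(self.lp, None, None)
        backend_obj.wrap_setxattr(dbname,
                                  self.tempf, "system.fake_access_acl", b"")

    def _sid_to_id_checked(self, s4_passdb, sid, expected_type):
        """Map *sid* through passdb, assert its idmap type, return the id."""
        (xid, id_type) = s4_passdb.sid_to_id(sid)
        self.assertEqual(id_type, expected_type)
        return xid

    @staticmethod
    def _nwrap_winbind_active():
        """True when nss_wrapper routes lookups through a winbind module.

        os.getenv() returns None for an unset variable.  The original test
        compared NSS_WRAPPER_MODULE_SO_PATH against "" only, so an unset
        path counted as "set"; both variables must be present for the
        module to be active.
        """
        so_path = os.getenv('NSS_WRAPPER_MODULE_SO_PATH')
        fn_prefix = os.getenv('NSS_WRAPPER_MODULE_FN_PREFIX')
        return bool(so_path) and fn_prefix == "winbind"

    def _assert_posix_entries(self, posix_acl, expected):
        """Assert *posix_acl* holds exactly the entries in *expected*, in order.

        *expected* is a list of (a_type, a_perm, uid, gid) tuples; uid and
        gid are None when the entry has no qualifier to check.  The order
        is the NDR smb_acl order (not re-ordered for display).
        """
        self.assertEqual(posix_acl.count, len(expected),
                         self.print_posix_acl(posix_acl))
        for idx, (a_type, a_perm, uid, gid) in enumerate(expected):
            entry = posix_acl.acl[idx]
            self.assertEqual(entry.a_type, a_type)
            self.assertEqual(entry.a_perm, a_perm)
            if uid is not None:
                self.assertEqual(entry.info.uid, uid)
            if gid is not None:
                self.assertEqual(entry.info.gid, gid)

    def _check_provision_acl(self, path, acl, policy_admins=False,
                             conditional_owner=False):
        """Set a provision ACL on *path* via smbd and verify the POSIX ACL.

        Shared body of the SYSVOL / POLICIES checks.

        :param path: file or directory under the temp dir
        :param acl: SDDL string (provision.SYSVOL_ACL or POLICIES_ACL)
        :param policy_admins: also expect the Policy Admins user/group pair
            that POLICIES_ACL adds (15 entries instead of 13)
        :param conditional_owner: the owner (USER_OBJ) entry and the domain
            Administrator user entry are rwx only when a session_info is
            supplied or nss_wrapper routes through winbind, rw- otherwise
            (the file tests); when False they are always rwx (the dir tests)
        """
        domsid = passdb.get_global_sam_sid()
        session_info = self.get_session_info(domsid)
        setntacl(self.lp, path, acl, str(domsid), use_ntvfs=False,
                 session_info=session_info)
        facl = getntacl(self.lp, path)
        self.assertEqual(facl.as_sddl(domsid), acl)
        posix_acl = smbd.get_sys_acl(path, smb_acl.SMB_ACL_TYPE_ACCESS)

        if conditional_owner:
            owner_perm = 7 if (self._nwrap_winbind_active() or session_info) else 6
        else:
            owner_perm = 7

        LA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_ADMINISTRATOR))
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
        SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
        AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)

        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))

        # These assertions are correct for the current ad_dc selftest
        # configuration.  When other environments have a broad range of
        # groups mapped via passdb, we can relax some of these checks.
        LA_uid = self._sid_to_id_checked(s4_passdb, LA_sid, idmap.ID_TYPE_UID)
        BA_gid = self._sid_to_id_checked(s4_passdb, BA_sid, idmap.ID_TYPE_BOTH)
        SO_gid = self._sid_to_id_checked(s4_passdb, SO_sid, idmap.ID_TYPE_BOTH)
        # The original re-asserted SO_type here instead of SY_type (copy
        # and paste); SY gets both a user and a group entry below, so its
        # mapping is expected to be ID_TYPE_BOTH as well.
        SY_gid = self._sid_to_id_checked(s4_passdb, SY_sid, idmap.ID_TYPE_BOTH)
        AU_gid = self._sid_to_id_checked(s4_passdb, AU_sid, idmap.ID_TYPE_BOTH)

        # getfacl view starts "user:root:rwx (selftest user actually)",
        # "group:Local Admins:rwx"; the order here is the NDR smb_acl order.
        expected = [
            (smb_acl.SMB_ACL_GROUP, 7, None, BA_gid),
            (smb_acl.SMB_ACL_USER, owner_perm, LA_uid, None),
            (smb_acl.SMB_ACL_OTHER, 0, None, None),
            (smb_acl.SMB_ACL_USER_OBJ, owner_perm, None, None),
            (smb_acl.SMB_ACL_USER, 7, BA_gid, None),
            (smb_acl.SMB_ACL_GROUP_OBJ, 7, None, None),
            (smb_acl.SMB_ACL_USER, 5, SO_gid, None),
            (smb_acl.SMB_ACL_GROUP, 5, None, SO_gid),
            (smb_acl.SMB_ACL_USER, 7, SY_gid, None),
            (smb_acl.SMB_ACL_GROUP, 7, None, SY_gid),
            (smb_acl.SMB_ACL_USER, 5, AU_gid, None),
            (smb_acl.SMB_ACL_GROUP, 5, None, AU_gid),
        ]
        if policy_admins:
            PA_sid = security.dom_sid(str(domsid) + "-" + str(security.DOMAIN_RID_POLICY_ADMINS))
            PA_gid = self._sid_to_id_checked(s4_passdb, PA_sid, idmap.ID_TYPE_BOTH)
            expected += [
                (smb_acl.SMB_ACL_USER, 7, PA_gid, None),
                (smb_acl.SMB_ACL_GROUP, 7, None, PA_gid),
            ]
        expected.append((smb_acl.SMB_ACL_MASK, 7, None, None))

        self._assert_posix_entries(posix_acl, expected)

    # -- NT ACL set / get ---------------------------------------------------

    def test_setntacl(self):
        """Setting an NT ACL through the smbd path must succeed."""
        setntacl(self.lp, self.tempf, ACL, DOM_SID, use_ntvfs=False,
                 session_info=self.get_session_info())

    def test_setntacl_smbd_getntacl(self):
        """An ACL set in ntvfs mode reads back unchanged from the backend db."""
        setntacl(self.lp, self.tempf, ACL, DOM_SID, use_ntvfs=True,
                 session_info=self.get_session_info())
        facl = getntacl(self.lp, self.tempf, direct_db_access=True)
        self.assertEqual(self._sddl_for_self(facl), ACL)

    def test_setntacl_smbd_setposixacl_getntacl(self):
        """Changing the POSIX ACL after an ntvfs-mode set invalidates the NT ACL."""
        setntacl(self.lp, self.tempf, ACL, DOM_SID, use_ntvfs=True,
                 session_info=self.get_session_info())

        # This will invalidate the ACL, as we have a hook!
        smbd.set_simple_acl(self.tempf, 0o640)

        # However, this only asks the xattr
        self.assertRaises(
            TypeError, getntacl, self.lp, self.tempf, direct_db_access=True)

    def test_setntacl_invalidate_getntacl(self):
        """A faked POSIX ACL xattr is not noticed by direct backend access."""
        setntacl(self.lp, self.tempf, ACL, DOM_SID, use_ntvfs=True,
                 session_info=self.get_session_info())

        # This should invalidate the ACL, as we include the posix ACL in the hash
        self._fake_posix_acl_xattr()

        # however, as this is direct DB access, we do not notice it
        facl = getntacl(self.lp, self.tempf, direct_db_access=True)
        self.assertEqual(ACL, self._sddl_for_self(facl))

    def test_setntacl_invalidate_getntacl_smbd(self):
        """The stored ACL still reads back after the POSIX xattr is faked."""
        setntacl(self.lp, self.tempf, ACL, DOM_SID, use_ntvfs=False,
                 session_info=self.get_session_info())

        # This should invalidate the ACL, as we include the posix ACL in the hash
        self._fake_posix_acl_xattr()

        # NOTE(review): the original comment said the hash cannot break
        # here because the ACL was set in 'ntvfs' mode (no hash), but the
        # call above passes use_ntvfs=False.  The expectation that
        # getntacl()'s default path still returns the stored ACL unchanged
        # is kept as-is -- confirm which path that default takes.
        facl = getntacl(self.lp, self.tempf)
        self.assertEqual(ACL, self._sddl_for_self(facl))

    def test_setntacl_smbd_invalidate_getntacl_smbd(self):
        """With the hash broken, smbd rebuilds the NT ACL from the 0750 mode."""
        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
        os.chmod(self.tempf, 0o750)
        setntacl(self.lp, self.tempf, ACL, DOM_SID, use_ntvfs=False,
                 session_info=self.get_session_info())

        # This should invalidate the ACL, as we include the posix ACL in the hash
        self._fake_posix_acl_xattr()

        # the hash will break, and we return an ACL based only on the mode
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        self.assertEqual(simple_acl_from_posix, self._sddl_for_self(facl))

    def test_setntacl_getntacl_smbd(self):
        """An ACL set in ntvfs mode reads back unchanged through smbd."""
        setntacl(self.lp, self.tempf, ACL, DOM_SID, use_ntvfs=True,
                 session_info=self.get_session_info())
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        self.assertEqual(self._sddl_for_self(facl), ACL)

    def test_setntacl_smbd_getntacl_smbd(self):
        """An ACL set through smbd reads back unchanged through smbd."""
        setntacl(self.lp, self.tempf, ACL, DOM_SID, use_ntvfs=False,
                 session_info=self.get_session_info())
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        self.assertEqual(self._sddl_for_self(facl), ACL)

    def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
        """A POSIX ACL set after the NT ACL makes smbd rebuild from mode 0640."""
        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
        setntacl(self.lp, self.tempf, ACL, DOM_SID, use_ntvfs=False,
                 session_info=self.get_session_info())
        # This invalidates the hash of the NT acl just set because there is
        # a hook in the posix ACL set code
        smbd.set_simple_acl(self.tempf, 0o640)
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        self.assertEqual(simple_acl_from_posix, self._sddl_for_self(facl))

    def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self):
        """A POSIX ACL with an extra BA group entry is reflected in the rebuilt NT ACL."""
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;BA)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
        setntacl(self.lp, self.tempf, ACL, DOM_SID, use_ntvfs=False,
                 session_info=self.get_session_info())
        # This invalidates the hash of the NT acl just set because there is
        # a hook in the posix ACL set code
        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
        (BA_gid, BA_type) = s4_passdb.sid_to_id(BA_sid)
        smbd.set_simple_acl(self.tempf, 0o640, BA_gid)

        # This should re-calculate an ACL based on the posix details
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        self.assertEqual(simple_acl_from_posix, self._sddl_for_self(facl))

    def test_setntacl_smbd_getntacl_smbd_gpo(self):
        """A GPO-style ACL with object ACEs and a SACL round-trips through smbd."""
        acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
        setntacl(self.lp, self.tempf, acl, DOM_SID, use_ntvfs=False,
                 session_info=self.get_session_info())
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        # Render relative to DOM_SID so the domain-relative aliases (DA, DU,
        # EA) in the expected string are used.
        domsid = security.dom_sid(DOM_SID)
        self.assertEqual(facl.as_sddl(domsid), acl)

    def test_setntacl_getposixacl(self):
        """After an smbd-path set the NT ACL reads back and a POSIX ACL exists."""
        setntacl(self.lp, self.tempf, ACL, DOM_SID, use_ntvfs=False,
                 session_info=self.get_session_info())
        facl = getntacl(self.lp, self.tempf)
        self.assertEqual(self._sddl_for_self(facl), ACL)
        # Only checks that the POSIX ACL can be fetched; its contents are
        # covered by the *_getposixacl tests below.
        smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)

    # -- POSIX ACL set, NT ACL get ------------------------------------------

    def test_setposixacl_getntacl(self):
        """A POSIX-only ACL leaves no NT ACL xattr for direct access to read."""
        smbd.set_simple_acl(self.tempf, 0o750)
        # We don't expect the xattr to be filled in in this case
        self.assertRaises(TypeError, getntacl, self.lp, self.tempf)

    def test_setposixacl_getntacl_smbd(self):
        """smbd synthesises an NT ACL for a file from its 0640 POSIX ACL."""
        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
        st = os.stat(self.tempf)
        group_SID = s4_passdb.gid_to_sid(st.st_gid)
        user_SID = s4_passdb.uid_to_sid(st.st_uid)
        smbd.set_simple_acl(self.tempf, 0o640)
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
        self.assertEqual(acl, self._sddl_for_self(facl))

    def test_setposixacl_dir_getntacl_smbd(self):
        """smbd synthesises an NT ACL (with inherit-only ACEs) for a BA:SO 0750 dir."""
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
        BA_id = self._sid_to_id_checked(s4_passdb, BA_sid, idmap.ID_TYPE_BOTH)
        SO_id = self._sid_to_id_checked(s4_passdb, SO_sid, idmap.ID_TYPE_BOTH)
        smbd.chown(self.tempdir, BA_id, SO_id)
        smbd.set_simple_acl(self.tempdir, 0o750)
        facl = getntacl(self.lp, self.tempdir, direct_db_access=False)
        acl = "O:BAG:SOD:(A;;0x001f01ff;;;BA)(A;;0x001200a9;;;SO)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)"
        self.assertEqual(acl, self._sddl_for_self(facl))

    def test_setposixacl_group_getntacl_smbd(self):
        """An extra BA group entry in the POSIX ACL appears as a BA ACE."""
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
        BA_gid = self._sid_to_id_checked(s4_passdb, BA_sid, idmap.ID_TYPE_BOTH)
        st = os.stat(self.tempf)
        group_SID = s4_passdb.gid_to_sid(st.st_gid)
        user_SID = s4_passdb.uid_to_sid(st.st_uid)
        smbd.set_simple_acl(self.tempf, 0o640, BA_gid)
        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
        acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
        self.assertEqual(acl, self._sddl_for_self(facl))

    # -- POSIX ACL set, POSIX ACL get ---------------------------------------

    def test_setposixacl_getposixacl(self):
        """set_simple_acl(0640) yields user rw-, group r--, other ---, mask rwx."""
        smbd.set_simple_acl(self.tempf, 0o640)
        posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
        self._assert_posix_entries(posix_acl, [
            (smb_acl.SMB_ACL_USER_OBJ, 6, None, None),
            (smb_acl.SMB_ACL_GROUP_OBJ, 4, None, None),
            (smb_acl.SMB_ACL_OTHER, 0, None, None),
            (smb_acl.SMB_ACL_MASK, 7, None, None),
        ])

    def test_setposixacl_dir_getposixacl(self):
        """set_simple_acl(0750) on a dir yields user rwx, group r-x, other ---."""
        smbd.set_simple_acl(self.tempdir, 0o750)
        posix_acl = smbd.get_sys_acl(self.tempdir, smb_acl.SMB_ACL_TYPE_ACCESS)
        self._assert_posix_entries(posix_acl, [
            (smb_acl.SMB_ACL_USER_OBJ, 7, None, None),
            (smb_acl.SMB_ACL_GROUP_OBJ, 5, None, None),
            (smb_acl.SMB_ACL_OTHER, 0, None, None),
            (smb_acl.SMB_ACL_MASK, 7, None, None),
        ])

    def test_setposixacl_group_getposixacl(self):
        """set_simple_acl with a gid adds a named GROUP entry for BA."""
        BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
        s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
        BA_gid = self._sid_to_id_checked(s4_passdb, BA_sid, idmap.ID_TYPE_BOTH)
        smbd.set_simple_acl(self.tempf, 0o670, BA_gid)
        posix_acl = smbd.get_sys_acl(self.tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
        self._assert_posix_entries(posix_acl, [
            (smb_acl.SMB_ACL_USER_OBJ, 6, None, None),
            (smb_acl.SMB_ACL_GROUP_OBJ, 7, None, None),
            (smb_acl.SMB_ACL_OTHER, 0, None, None),
            (smb_acl.SMB_ACL_GROUP, 7, None, BA_gid),
            (smb_acl.SMB_ACL_MASK, 7, None, None),
        ])

    # -- provision ACLs (SYSVOL / POLICIES) ---------------------------------

    def test_setntacl_sysvol_check_getposixacl(self):
        """SYSVOL_ACL on a file maps to the expected 13 POSIX entries."""
        self._check_provision_acl(self.tempf, provision.SYSVOL_ACL,
                                  conditional_owner=True)

    def test_setntacl_sysvol_dir_check_getposixacl(self):
        """SYSVOL_ACL on a directory maps to the expected 13 POSIX entries."""
        self._check_provision_acl(self.tempdir, provision.SYSVOL_ACL)

    def test_setntacl_policies_dir_check_getposixacl(self):
        """POLICIES_ACL on a directory adds the Policy Admins pair (15 entries)."""
        self._check_provision_acl(self.tempdir, provision.POLICIES_ACL,
                                  policy_admins=True)

    def test_setntacl_policies_check_getposixacl(self):
        """POLICIES_ACL on a file adds the Policy Admins pair (15 entries)."""
        self._check_provision_acl(self.tempf, provision.POLICIES_ACL,
                                  policy_admins=True, conditional_owner=True)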
class SessionedPosixAclMappingTests(PosixAclMappingTests):
    """Run the same test suite with a session_info supplied to setntacl."""

    def get_session_info(self, domsid=DOM_SID):
        """Get session_info for setntacl.

        When *domsid* is the local SAM's domain, build a user session for
        that domain's Administrator (DOMAIN_RID_ADMINISTRATOR).  Any other
        SID is not in the local db, so an admin session is faked for it.
        """
        local_domsid = str(self.samdb.get_domain_sid())
        if str(domsid) != local_domsid:
            # fake it with admin session as domsid is not in local db
            return auth.admin_session(self.lp, str(domsid))

        admin_dn = '<SID={}-{}>'.format(str(domsid),
                                        security.DOMAIN_RID_ADMINISTRATOR)
        session_flags = auth.AUTH_SESSION_INFO_DEFAULT_GROUPS
        session_flags |= auth.AUTH_SESSION_INFO_AUTHENTICATED
        session_flags |= auth.AUTH_SESSION_INFO_SIMPLE_PRIVILEGES
        return auth.user_session(self.samdb, lp_ctx=self.lp, dn=admin_dn,
                                 session_info_flags=session_flags)
844 class UnixSessionedPosixAclMappingTests(PosixAclMappingTests):
846 Run same test suite with session enabled.
849 def get_session_info(self, domsid=DOM_SID):
851 Get session_info for setntacl.
853 if str(domsid) != str(self.samdb.get_domain_sid()):
854 # fake it with admin session as domsid is not in local db
855 return auth.admin_session(self.lp, str(domsid))
857 dn = '<SID={}-{}>'.format(domsid, security.DOMAIN_RID_ADMINISTRATOR)
858 flags = (auth.AUTH_SESSION_INFO_DEFAULT_GROUPS |
859 auth.AUTH_SESSION_INFO_AUTHENTICATED |
860 auth.AUTH_SESSION_INFO_SIMPLE_PRIVILEGES)
862 session = auth.user_session(self.samdb, lp_ctx=self.lp, dn=dn,
863 session_info_flags=flags)
864 auth.session_info_fill_unix(session,
866 user_name="Administrator")